Frameworks & libraries scanned
We test fixture coverage on these frameworks. New patterns are added with each builtin rule release.
Top CWE classes detected
These CWE classes appear most often in modern codebases of this language. StaticCodeAudit ships dedicated rules for each, mapped to OWASP Top 10 / ISO 27001 / ASVS where relevant.
CWE-89
SQL Injection
String concatenation in SqlCommand.CommandText, Dapper Execute($"..."), EF Core FromSqlRaw with interpolation, NHibernate HQL with concat.
Detected by SCA rule: sql_injection_concat_csharp
CWE-78
OS Command Injection
Process.Start(new ProcessStartInfo { FileName = "cmd", Arguments = userInput }) with shell parsing. UseShellExecute = true increases attack surface.
Detected by SCA rule: command_injection_csharp
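Vulnerable and clean forms of the CWE-78 pattern on this card, written here as an added example rather than code from StaticCodeAudit or its fixtures. It assumes Windows `ping` flags (as the `cmd` example on the card implies) and a hypothetical allow-list policy (`HostPattern`) for what a host argument may look like.

```csharp
using System;
using System.Diagnostics;
using System.Text.RegularExpressions;

public static class HostCheck
{
    // Vulnerable — the host is spliced into a cmd.exe command line, so shell
    // metacharacters in userHost are interpreted by the shell rather than handed
    // to ping, and UseShellExecute = true routes the whole line through the shell.
    // This is the shape command_injection_csharp flags.
    public static void PingVulnerable(string userHost)
    {
        var psi = new ProcessStartInfo
        {
            FileName = "cmd",
            Arguments = "/c ping -n 1 " + userHost,
            UseShellExecute = true,
        };
        using var p = Process.Start(psi);
        p?.WaitForExit();
    }

    // Hypothetical allow-list: DNS labels or dotted IPv4 only, no whitespace,
    // no shell metacharacters, at most 253 characters.
    private static readonly Regex HostPattern =
        new(@"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252})$", RegexOptions.Compiled);

    // Clean — validate the input shape first, then start ping directly with
    // UseShellExecute = false and one ArgumentList entry per argument. The runtime
    // quotes each entry itself; no shell ever parses the line.
    public static string PingClean(string userHost)
    {
        if (!HostPattern.IsMatch(userHost))
            throw new ArgumentException("host must be a DNS name or IPv4 literal", nameof(userHost));

        var psi = new ProcessStartInfo
        {
            FileName = "ping",
            UseShellExecute = false,
            RedirectStandardOutput = true,
            CreateNoWindow = true,
        };
        psi.ArgumentList.Add("-n");   // Windows ping flags, matching the card's cmd example
        psi.ArgumentList.Add("1");
        psi.ArgumentList.Add(userHost); // passed as one argument, never re-parsed

        using var p = Process.Start(psi) ?? throw new InvalidOperationException("ping did not start");
        string output = p.StandardOutput.ReadToEnd();
        p.WaitForExit();
        return output;
    }

    public static void Main(string[] args)
    {
        // Constructed sample input: a host value as it might arrive from a request parameter.
        string userHost = args.Length > 0 ? args[0] : "localhost";
        Console.Write(PingClean(userHost));
    }
}
```

The allow-list is the part a reviewer should scrutinise: `ArgumentList` removes shell parsing, but it does not stop `ping` itself from treating an unexpected value as an option, which is why the regex rejects anything that does not look like a host before the process is started.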
CWE-502
Insecure Deserialization
BinaryFormatter.Deserialize (obsolete since .NET 5 but still found), NetDataContractSerializer, SoapFormatter on untrusted streams.
Detected by SCA rule: unsafe_deserialization
CWE-79
Cross-Site Scripting (XSS)
Razor @Html.Raw(model.Bio) with untrusted data, MVC HttpUtility.HtmlEncode bypassed, Blazor MarkupString on user input.
Detected by SCA rule: xss_raw_html
CWE-798
Hardcoded Credentials
Connection strings in appsettings.json committed, JWT signing key as const string, Azure secrets in web.config.
Detected by SCA rule: hardcoded_secret
CWE-352
CSRF
[ValidateAntiForgeryToken] missing on POST actions, options.SuppressXFrameOptionsHeader = true in Startup.
Detected by SCA rule: csrf_missing_aspnet
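The CWE-352 card above, worked as an added example (not StaticCodeAudit's code or a fixture from its rule set): the unprotected POST that `csrf_missing_aspnet` flags next to a per-action fix, plus the application-wide filter that makes a forgotten attribute a non-event. The controller and action names are assumptions for illustration.

```csharp
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);

// Clean, application-wide: AutoValidateAntiforgeryToken rejects every request on
// an unsafe verb (POST/PUT/PATCH/DELETE) that lacks a valid token, so a controller
// that forgot [ValidateAntiForgeryToken] is still covered.
builder.Services.AddControllersWithViews(options =>
    options.Filters.Add(new AutoValidateAntiforgeryTokenAttribute()));

builder.Services.AddAntiforgery(options =>
{
    // The antiforgery cookie is only useful to same-site requests, so scope it that way.
    options.Cookie.SameSite = SameSiteMode.Strict;
    options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
    // SuppressXFrameOptionsHeader stays at its default (false); setting it to true
    // is the configuration the card above calls out.
});

var app = builder.Build();
app.MapControllerRoute("default", "{controller=Profile}/{action=Index}/{id?}");
app.Run();

// Vulnerable — the shape csrf_missing_aspnet flags: a state-changing POST that
// never checks the token. Without the global filter registered above, a form on
// any other origin could submit it with the victim's session cookie attached.
public class UnprotectedProfileController : Controller
{
    [HttpPost]
    public IActionResult UpdateEmail(string email) => Ok(email);
}

// Clean, per action — explicit validation on the unsafe verb. The Razor view that
// posts here uses <form asp-action="UpdateEmail" method="post">; the form tag
// helper emits the matching hidden __RequestVerificationToken field.
public class ProfileController : Controller
{
    [HttpPost]
    [ValidateAntiForgeryToken]
    public IActionResult UpdateEmail(string email) => Ok(email);
}
```

With the global filter in place both controllers validate the token; the per-action attribute remains useful as documentation and for projects that opt out of the global filter.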
Vulnerable vs. clean — three quick examples
CWE-89
Detected by SCA rule: sql_injection_concat_csharp
// Vulnerable — SqlCommand concat: name is pasted into the SQL text itself
var cmd = new SqlCommand(
    $"SELECT * FROM users WHERE name = '{name}'", conn);
var reader = cmd.ExecuteReader();
// Clean — parameterized: name travels as a typed parameter, never as SQL
var cmd = new SqlCommand(
    "SELECT * FROM users WHERE name = @name", conn);
cmd.Parameters.AddWithValue("@name", name);
var reader = cmd.ExecuteReader();
CWE-502
Detected by SCA rule: unsafe_deserialization
// Vulnerable — BinaryFormatter on untrusted stream
var bf = new BinaryFormatter();
var obj = bf.Deserialize(networkStream);
// Clean — System.Text.Json with known schema
var obj = JsonSerializer.Deserialize<UserDto>(
networkStream,
new JsonSerializerOptions { PropertyNameCaseInsensitive = true });
CWE-79
Detected by SCA rule: xss_raw_html
// Vulnerable — Razor @Html.Raw on user data
@Html.Raw(Model.Bio)
// Clean — default-encoded output
@Model.Bio
What StaticCodeAudit detects (this language)
- SQL injection in SqlCommand concat, Dapper interpolation, EF Core FromSqlRaw, NHibernate HQL concat
- XSS in Razor @Html.Raw, Blazor MarkupString, MVC manual encoding bypass
- Command injection in Process.Start with shell parsing
- BinaryFormatter deserialization on untrusted streams (still appears despite .NET deprecation)
- Hardcoded secrets in appsettings.json, web.config committed
- CSRF: [ValidateAntiForgeryToken] missing on POST actions
- Insecure cookies (CookieOptions.Secure, HttpOnly, SameSite off)
- Path traversal in File.ReadAllBytes, Path.Combine with user paths
- XXE in XmlDocument, XmlReaderSettings.DtdProcessing = Parse
- Insecure crypto (MD5/SHA1 for security, ECB mode, hardcoded keys)
- JWT none algorithm, hardcoded HS256 secret, no expiration claim
- Open redirect via Redirect(Request.Query["url"])
- Deprecated APIs (BinaryFormatter, NetDataContractSerializer, SHA1Managed)
- CI/CD misconfigurations (.gitlab-ci, GitHub Actions, NuGet feed insecure)
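One item from the list above, path traversal through Path.Combine with a user-controlled path, worked as an added example that is not StaticCodeAudit's code or one of its fixtures. The uploads directory, the `ResolveInside` helper and the sample file names are constructed for illustration.

```csharp
using System;
using System.IO;

public static class DownloadService
{
    // Hypothetical base directory that user-supplied file names must stay inside.
    private static readonly string BaseDir =
        Path.GetFullPath(Path.Combine(AppContext.BaseDirectory, "uploads"));

    // Vulnerable — the shape the path traversal rule flags. Path.Combine returns
    // its second argument unchanged when that argument is rooted, and "..\"
    // segments walk out of the uploads directory otherwise, so userFile decides
    // which file on disk is read.
    public static byte[] ReadVulnerable(string userFile)
        => File.ReadAllBytes(Path.Combine(BaseDir, userFile));

    // Clean — canonicalise first, then prove the result is still under BaseDir
    // before touching the file system.
    public static byte[] ReadClean(string userFile)
    {
        string resolved = ResolveInside(BaseDir, userFile)
            ?? throw new UnauthorizedAccessException("path escapes the upload directory");
        return File.ReadAllBytes(resolved);
    }

    // Returns the canonical absolute path of userFile under baseDir, or null when
    // the request is empty, contains a NUL, is rooted, or resolves outside baseDir.
    public static string? ResolveInside(string baseDir, string userFile)
    {
        if (string.IsNullOrEmpty(userFile) || userFile.IndexOf('\0') >= 0)
            return null;

        // GetFullPath collapses "." and ".." and normalises separators; a rooted
        // userFile survives Path.Combine intact and therefore fails the prefix check.
        string full = Path.GetFullPath(Path.Combine(baseDir, userFile));

        // Compare against the directory plus a trailing separator so that a sibling
        // such as "uploads-private" is not accepted as a prefix match of "uploads".
        string root = baseDir.EndsWith(Path.DirectorySeparatorChar)
            ? baseDir
            : baseDir + Path.DirectorySeparatorChar;
        var comparison = OperatingSystem.IsWindows()
            ? StringComparison.OrdinalIgnoreCase
            : StringComparison.Ordinal;

        return full.StartsWith(root, comparison) ? full : null;
    }

    public static void Main()
    {
        // Constructed sample inputs: an ordinary name, a parent-directory escape,
        // and an absolute path. Only the first should resolve to a non-null path.
        foreach (var candidate in new[] { "report.pdf", "../appsettings.json", @"C:\Windows\win.ini" })
            Console.WriteLine($"{candidate,-28} -> {ResolveInside(BaseDir, candidate) ?? "rejected"}");
    }
}
```

`Path.GetFullPath` normalises lexically and does not follow symbolic links, so on hosts where the upload directory may contain links the check should be repeated on the link target (for example via `FileInfo.ResolveLinkTarget`) before the read.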
Audit your codebase
Audit ASP.NET Core, Entity Framework, Dapper and NHibernate for OWASP Top 10 vulnerabilities, deserialization gadgets, and configuration drift — without leaving your machine.