OWASP TOP 10 SECURITY ISSUE within 'RadControl for asp.net Ajax'

2 posts, 1 answers
  1. Michele Riva
    1 posts
    Member since:
    Jul 2009

    Posted 09 May 2012

    Hi, we have just analyzed the 'Telerik.Web.UI' source code with the commercial tool owned by our final customer: Parasoft DotTEST 9.3.

    We carried out a security check of the source code as recommended by the OWASP Top 10. The result has been discouraging: we found nearly 500 serious (level 1) violations:

    [494]  Security (BD.SECURITY)
           [438]  Prevent exposure of sensitive data (BD.SECURITY.SENS-1)
           [10]   Protect against file name injection (BD.SECURITY.TDFNAMES-1)
           [8]    Protect against network resource injection (BD.SECURITY.TDNET-1)
           [2]    Protect against HTTP response splitting (BD.SECURITY.TDRESP-1)
           [36]   Protect against XSS vulnerabilities (BD.SECURITY.TDXSS-1)

    [1]    Security inspection (CS.SEC)
           [1]    Use SecureString instead of String for password (CS.SEC.SSFP-2)

    [28]   Security Inspection (License Required) (SEC)
           [28]   Always cleanup before an exception filtering method is invoked (SEC.ACWFB-3)


    This situation could cause our customer to reject your product (RadControls for ASP.NET AJAX).

    I'm sure you've already dealt with similar situations; we are sure Telerik has a justification for this behavior that will reassure our customer about the quality of your product.

    Please tell us how to solve this problem.

    Could you give me an email address where I can send the detailed violations report?

    Thank you in advance,
    Federico
  2. Answer
    Niko
    Admin
    404 posts

    Posted 11 May 2012

    Hello Michele,

    Throughout the years we have striven to provide not only functional but also secure controls. There have been many reports on security matters, and some of them have captured actual vulnerabilities. For that reason we treat every report with the appropriate caution and attention, as security is a very important topic.

    Nevertheless, the controls currently do not expose any severe vulnerabilities that we are aware of.

    Please note that many of the issues in your report are false alerts that are not actually security weaknesses. No tool is perfect in determining the real state of the code it analyses (a common disclaimer for any such tool).

    Still, we will go through the list thoroughly, and if we notice disturbing issues we will address them in due time. For that matter, if you have a concrete example of a vulnerability and how an adversary can take advantage of it, this would speed things up.

    Thank you for the efforts you are putting into this.

    Kind regards,
    Niko
    the Telerik team
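The reply above asks for a concrete, exploitable example rather than a count of scanner hits. The following added example (not code from this thread, from Telerik, or from Parasoft) shows what one of the listed categories, "Protect against HTTP response splitting" (BD.SECURITY.TDRESP-1), actually flags and how to confirm or dismiss such a finding: an untrusted value copied verbatim into a response header lets a CR/LF in it terminate the real response and start a second, attacker-controlled one. The builders, the client-side parser and the payload are all constructed for this example; they model the raw HTTP stream rather than any Telerik or ASP.NET API. Note that ASP.NET's own header checking (the httpRuntime enableHeaderChecking setting, on by default) encodes CR and LF in response headers, which is one reason a static finding in this category needs a runtime test like this before it is counted as a real weakness.

```python
"""Added example: confirming or dismissing an 'HTTP response splitting'
static-analysis finding with a concrete payload (constructed for this page)."""
import re
from typing import Callable, Dict, Tuple

CRLF = "\r\n"

# Constructed attacker value for a Location header: it closes the redirect
# and injects a complete second response carrying an attacker-chosen body.
SPLIT_PAYLOAD = (
    "/home" + CRLF
    + "Content-Length: 0" + CRLF
    + CRLF
    + "HTTP/1.1 200 OK" + CRLF
    + "Content-Type: text/html" + CRLF
    + "Content-Length: 25" + CRLF
    + CRLF
    + "<script>alert(1)</script>"
)


def _redirect_bytes(location: str) -> str:
    """Raw redirect response with the value placed in the Location header."""
    return (
        "HTTP/1.1 302 Found" + CRLF
        + "Location: " + location + CRLF
        + "Content-Length: 0" + CRLF
        + CRLF
    )


def build_redirect_unsafe(location: str) -> str:
    """Vulnerable pattern: the untrusted value reaches the header verbatim."""
    return _redirect_bytes(location)


_HEADER_VALUE_FORBIDDEN = re.compile(r"[\r\n\x00]")


def build_redirect_safe(location: str) -> str:
    """Hardened form: refuse CR, LF and NUL in the header value outright
    (rejecting is safer than stripping, which can produce a different URL)."""
    if _HEADER_VALUE_FORBIDDEN.search(location):
        raise ValueError("header value contains CR/LF/NUL")
    return _redirect_bytes(location)


def parse_as_client(raw: str) -> Tuple[str, Dict[str, str], str]:
    """Split a raw response the way a client or caching proxy would:
    status line, headers, then everything after the first blank line."""
    head, _, body = raw.partition(CRLF + CRLF)
    status, *header_lines = head.split(CRLF)
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def is_splittable(builder: Callable[[str], str]) -> bool:
    """Triage step: the finding is real only if the payload yields a body that
    begins with a second status line (a second response on the wire)."""
    try:
        raw = builder(SPLIT_PAYLOAD)
    except ValueError:
        return False  # the builder refused the control characters
    _, _, body = parse_as_client(raw)
    return body.startswith("HTTP/1.")


if __name__ == "__main__":
    for name, builder in (("unsafe", build_redirect_unsafe),
                          ("safe", build_redirect_safe)):
        print(f"{name}: splittable={is_splittable(builder)}")
```

Running the check against the vulnerable builder confirms the finding (the parsed body starts with a second `HTTP/1.1 200 OK` response), while the hardened builder rejects the payload and still serves an ordinary redirect for a clean value. The same confirm-by-payload approach applies to the other taint categories in the report: a static hit is worth escalating once a concrete input demonstrably reaches the sink unencoded.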