
Security Audit Findings (SAST)

[!WARNING]
Audit Status: Completed
Scope: Static Code Analysis of WepNG_MVC
Date: 2026-01-09

Executive Summary

The audit identified High-Risk vulnerabilities in Authentication and Data Protection (GDPR), along with significant tech-debt related security flaws (XSS/CSRF).

| Risk Class | Finding | Severity | Status |
|---|---|---|---|
| GDPR | Cleartext Medical Data in Database | CRITICAL | 🔴 Confirmed |
| Auth | Legacy Login Backdoor (SQL Auth) | HIGH | 🔴 Confirmed |
| Config | debug="true" enabled in Production (BO) | HIGH | 🔴 Confirmed |
| Injection | SQL Injection in FinancialTransactionImporter | MEDIUM | 🟡 Confirmed |
| Web | Global XSS Protection Disabled | HIGH | 🔴 Confirmed |
| Web | Missing Anti-CSRF Tokens in BO POSTs | MEDIUM | 🔴 Confirmed |

Detailed Findings

1. GDPR: Cleartext Health Data

  • Location: EITWEP.EntityClasses.Customer.cs
  • Compliance Violation: GDPR Article 9 (Special Categories of Personal Data).
  • Evidence: Properties CUSTMedicalTreatmentDetail, CUSTAllergyDetail, CUSTDietDetail are plain strings with NO encryption attributes and no getters/setters that handle encryption or decryption.
  • Impact: A database compromise directly exposes the sensitive health data of minors.
  • Reach: Data is exposed in _MedicalInfosSummary.cshtml (WepAccess/OMGT).

2. Auth: Legacy Login Bypass ("The Zombie Backdoor")

  • Location: WepNG_BO.Controllers.AccountController.cs (Line 186)
  • Vulnerability: The LogOn POST method checks legacy Membership.ValidateUser first before attempting Azure AD logic.
  • Scenario: An attacker (or former employee) with old SQL credentials can log in even if their Azure AD account is disabled, effectively bypassing SSO policies.
  • Code Evidence:
    if (Membership.ValidateUser(model.UserName, model.Password)) { ... SignInAsync ... }

3. Insecure Configuration

  • Location: WepNG_BO/Web.config
  • Setting: <compilation debug="true" ... />
  • Risk:
    1. Memory Overhead (High).
    2. Detailed Error Pages (Information Leakage).
    3. Code Optimization Disabled.
  • Mitigation: debug must be set to false via the Web.Release.config transform.

4. SQL Injection (Internal Tool)

  • Location: FinancialTransactionImporter.cs (Line 593)
  • Code:
    string updateQuery = "UPDATE ... WHERE Date >= '" + removeFromDate.ToString(...) + "' ...";
    this._dbContext.Database.ExecuteSqlCommand(updateQuery);
  • Analysis: While removeFromDate is a DateTime (low risk of injection), the pattern of concatenating strings into ExecuteSqlCommand is dangerous and prevalent.
  • Good News: WAStoredProcedure.cs correctly uses @Parameters.

5. Global XSS Vulnerability

  • Location: WepNG_BO/Web.config
  • Setting: <httpRuntime requestValidationMode="2.0" />
  • Impact: Disables ASP.NET 4.0+ Request Validation.
  • Aggravating Factor: [ValidateInput(false)] found on multiple Controllers, allowing raw HTML submission without sanitization.

6. Missing CSRF Protection

  • Location: WepNG_BO Controllers
  • Evidence: Grep scan for [ValidateAntiForgeryToken] returned 0 results in BO controllers.
  • Impact: Attackers can trick authenticated admins into performing actions (e.g., creating users, changing statuses) without their consent via malicious links.
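Findings 5 and 6 above rest on a grep-style scan of the BO controllers. As an added example (not part of the audit deliverable or of WepNG_BO), here is that scan made repeatable: it flags every [HttpPost] action whose attribute block lacks [ValidateAntiForgeryToken] and every [ValidateInput(false)], reporting the source line of each. The UsersController below is a constructed sample, not project code.

```python
import re
from dataclasses import dataclass

# Attribute lines directly above a public action, then the action signature itself.
ACTION_RE = re.compile(
    r"(?P<attrs>(?:^[ \t]*\[[^\]\n]*\][ \t]*\n)+)"
    r"^[ \t]*public\s+(?:async\s+)?[\w<>\[\], ]+?\s+(?P<name>\w+)\s*\(",
    re.MULTILINE,
)
VALIDATE_INPUT_OFF_RE = re.compile(r"\[\s*ValidateInput\s*\(\s*false\s*\)\s*\]")

@dataclass(frozen=True)
class Finding:
    line: int      # 1-based source line
    action: str    # action name, or "-" for a class-level attribute
    issue: str

def scan_controller(source: str) -> list:
    """Flag [HttpPost] actions without [ValidateAntiForgeryToken] (Finding 6)
    and every [ValidateInput(false)] (Finding 5, aggravating factor)."""
    def line_of(pos: int) -> int:
        return source.count("\n", 0, pos) + 1
    found = []
    for m in ACTION_RE.finditer(source):
        attrs = m.group("attrs")
        if re.search(r"\bHttpPost\b", attrs) and not re.search(r"\bValidateAntiForgeryToken\b", attrs):
            found.append(Finding(line_of(m.start("name")), m.group("name"),
                                 "POST action lacks [ValidateAntiForgeryToken]"))
    for m in VALIDATE_INPUT_OFF_RE.finditer(source):
        found.append(Finding(line_of(m.start()), "-",
                             "request validation disabled by [ValidateInput(false)]"))
    return sorted(found, key=lambda f: f.line)

# Constructed sample controller (not WepNG_BO code): one GET, one protected POST, two unprotected.
SAMPLE_CONTROLLER = """\
[ValidateInput(false)]
public class UsersController : Controller
{
    [HttpGet]
    public ActionResult Index() { return View(); }
    [HttpPost]
    public ActionResult Create(UserModel model) { return RedirectToAction("Index"); }
    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<ActionResult> ChangeStatus(int id) { return View(); }
    [HttpPost, Authorize(Roles = "Admin")]
    public ActionResult Delete(int id) { return View(); }
}
"""
```

Running scan_controller over every *.cs file under WepNG_BO/Controllers reproduces the "0 results" check as a list of exact locations to fix in the Security Sprint.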

Recommendations

Immediate Actions (Quick Wins)

  1. Disable Legacy Auth: In AccountController, wrap Membership.ValidateUser in if (ConfigurationManager.AppSettings["AllowLegacyAuth"] == "true"). Set to false in Prod.
  2. Fix Web.config: Set debug="false" and requestValidationMode="4.5".

Strategic Actions (Roadmap)

  1. GDPR Remediation: Implement Column-Level Encryption (Always Encrypted in SQL Server or App-Level AES) for Medical/Diet fields.
  2. Security Sprint: Add [ValidateAntiForgeryToken] to all POST actions in BO.