Irwin Aschkenas

Reputation: 1

How to solve a Trust Boundary Violation issue?

What is a good way to resolve a trust boundary violation in ASP.NET C# when assigning a string to an ASP.NET session variable? I have tried HttpUtility.HtmlEncode and AntiXssEncoder.HtmlEncode with no luck. Is anything special needed to sanitize/validate with session variables?

Upvotes: 0

Views: 2927

Answers (1)

yaloner

Reputation: 758

From Checkmarx documentation:

Code that reads from Session variables may trust them as server-side variables, but user inputs may have tainted them. This can lead to tampering with parameters used to authenticate or authorize users. Further, tainted Session variables offer an additional attack surface against the application - if untrusted data taints a Session variable, and that Session variable is then used elsewhere without sanitization as if it were trusted, it could lead to further attacks such as Cross-Site Scripting, SQL Injection and more.

Server-side Session variables, or objects, are values assigned to a specific session, which is associated with a specific user. Often, they hold data relevant to that user's session, such as specific identifiers, user types, authorization, authentication information, and more. As such, the paradigm often associated with the Session object is that its contents can be trusted, as users cannot generally set these values themselves.

If your application places user input, which is untrusted data, in the server-side Session object, which is considered a trusted location, this could lead developers to treat untrusted data as trusted, and it is flagged as Trust_Boundary_Violation by Checkmarx.

Recommendations:

  1. Validate and sanitize all input, regardless of source. Validation should be based on an allow-list. Accept only data fitting a specified structure rather than rejecting bad patterns. Check for:
  • Data type
  • Size
  • Range
  • Format
  • Expected values
  2. Don’t mix untrusted user input with trusted data.

Upvotes: 1
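The following is an added example, not code from the question or the answer above, showing what the two recommendations look like in classic ASP.NET (System.Web) C#: each value is checked for type, size, range, format and expected values before it is assigned to Session, and the allow-list value (not the raw input) is what gets stored. The field names (`locale`, `displayName`, `pageSize`), the accepted locales and the size limits are assumptions chosen for illustration. Note that HtmlEncode is an output-encoding step for HTML contexts; it does not validate the input and so does not, on its own, make the value trustworthy when it is stored for later use.

```csharp
using System;
using System.Text.RegularExpressions;
using System.Web;

// Added example (not from the original post). Allow-list validation of
// request data before it crosses the trust boundary into Session.
public static class SessionInput
{
    // Assumed allow-list: the only locales this application supports.
    private static readonly string[] AllowedLocales = { "en-US", "de-DE", "fr-FR" };

    // Assumed format: letters, digits, spaces, '.' and '-', 1..40 characters.
    private static readonly Regex DisplayNamePattern =
        new Regex(@"^[A-Za-z0-9 .\-]{1,40}$", RegexOptions.Compiled);

    // Expected values: returns the allow-list entry itself, so the stored
    // string is a server-side constant rather than the user's bytes.
    public static string ValidateLocale(string raw)
    {
        if (raw == null) throw new ArgumentException("locale is required");
        string trimmed = raw.Trim();
        foreach (string locale in AllowedLocales)
        {
            if (string.Equals(locale, trimmed, StringComparison.OrdinalIgnoreCase))
                return locale;
        }
        throw new ArgumentException("locale is not an accepted value");
    }

    // Format and size: accept only a display name matching the expected pattern.
    public static string ValidateDisplayName(string raw)
    {
        if (raw == null || !DisplayNamePattern.IsMatch(raw))
            throw new ArgumentException("display name has an unexpected format");
        return raw;
    }

    // Data type and range: accept only an integer in 1..100.
    public static int ValidatePageSize(string raw)
    {
        int value;
        if (!int.TryParse(raw, out value) || value < 1 || value > 100)
            throw new ArgumentException("page size must be an integer from 1 to 100");
        return value;
    }
}

public partial class ProfilePage : System.Web.UI.Page
{
    // BEFORE (the pattern Checkmarx flags): raw request data is copied
    // straight into the trusted Session store, so later reads of
    // Session["Locale"] are really reads of untrusted input.
    private void SaveProfileUnsafe()
    {
        Session["Locale"] = Request.Form["locale"];
        Session["DisplayName"] = Request.Form["displayName"];
    }

    // AFTER: nothing reaches Session until it has passed an allow-list check.
    // On failure the request is rejected; no partial or defaulted value is stored.
    private void SaveProfile()
    {
        try
        {
            Session["Locale"] = SessionInput.ValidateLocale(Request.Form["locale"]);
            Session["DisplayName"] = SessionInput.ValidateDisplayName(Request.Form["displayName"]);
            Session["PageSize"] = SessionInput.ValidatePageSize(Request.Form["pageSize"]);
        }
        catch (ArgumentException ex)
        {
            Response.StatusCode = 400;
            // Output encoding belongs here, at the point the text is rendered.
            Response.Write(HttpUtility.HtmlEncode(ex.Message));
        }
    }
}
```

Two design points are worth noting. First, `ValidateLocale` returns the matching allow-list constant instead of the trimmed input, so the value stored in Session is never the attacker-controlled string even when it compared equal; that also removes the data-flow path a static analyzer is tracing. Second, values that drive authentication or authorization decisions (user identity, role) should not come from the request at all; they belong to the server-side authentication result, which is the point of the "don't mix untrusted user input with trusted data" recommendation.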
