
I am a Sitecore developer, and on our website we have a form carrying reCAPTCHA. When we validate our solution in Veracode, a CWE 918 flaw is raised at GetResponse. Adding the code below.

using System;
using System.Configuration;
using System.IO;
using System.Net;
using Newtonsoft.Json.Linq;

// Lives in a Page/Controller so that Request.Form is available.
public bool IsReCaptchValid()
{
    var result = false;
    // Token posted by the browser-side reCAPTCHA widget (user-controlled input).
    var captchaResponse = Request.Form["g-recaptcha-response"];
    var secretKey = ConfigurationManager.AppSettings["SecretKey"];
    // The secret and the raw, unencoded user token are interpolated into the query string,
    // so the URL handed to WebRequest.Create is partly user-influenced; that data flow is
    // what the scanner reports at GetResponse().
    var apiUrl = "https://www.google.com/recaptcha/api/siteverify?secret={0}&response={1}";
    var requestUri = string.Format(apiUrl, secretKey, captchaResponse);
    var request = (HttpWebRequest)WebRequest.Create(requestUri);

    using (WebResponse response = request.GetResponse())
    {
        using (StreamReader stream = new StreamReader(response.GetResponseStream()))
        {
            // siteverify answers with JSON; "success" is true when the token was valid.
            JObject jResponse = JObject.Parse(stream.ReadToEnd());
            result = jResponse.Value<bool>("success");
        }
    }
    return result;
}

The flaw is thrown in the first line of the code, "request.GetResponse()". How do I validate the response? Thanks in advance.

  • Please read [ask] and show what you have tried. Also show what Veracode tells you about the issue. Also, show the code that actually builds the request, so you can validate whether it's got a point or is a blanket statement. Also, see https://stackoverflow.com/questions/62358911/unable-to-fix-veracode-cwe-id-918-flaw-ssrf-when-using-api-gateway-pattern-in. – CodeCaster Oct 15 '20 at 15:28
  • I have updated my code. – user2310343 Oct 16 '20 at 13:41
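A hardened rewrite of the method above, added here as an example and not taken from the question or from Sitecore: the verification host is a compile-time constant, the user token is checked against an allow-list and sent in a POST body rather than spliced into the URL, and the `hostname` field that siteverify returns is compared with the site's own name. The token regex and the `expectedHostname` setting are assumptions, not documented reCAPTCHA requirements.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Net.Http;
using System.Text.RegularExpressions;
using System.Threading.Tasks;
using Newtonsoft.Json.Linq;

public static class ReCaptchaVerifier
{
    // The endpoint is fixed at compile time: no request data can reach the scheme, host or path.
    private static readonly Uri SiteVerifyUri = new Uri("https://www.google.com/recaptcha/api/siteverify");
    private static readonly HttpClient Client = new HttpClient { Timeout = TimeSpan.FromSeconds(10) };

    // Assumed allow-list for the client token: only URL-safe characters, bounded length.
    private static readonly Regex TokenShape = new Regex("^[A-Za-z0-9_-]{1,4096}$", RegexOptions.Compiled);

    public static async Task<bool> IsReCaptchaValidAsync(string captchaResponse, string clientIp, string expectedHostname)
    {
        // Reject anything that does not look like a token before it leaves the server.
        if (string.IsNullOrEmpty(captchaResponse) || !TokenShape.IsMatch(captchaResponse))
            return false;

        var secretKey = ConfigurationManager.AppSettings["SecretKey"];

        // Parameters travel form-encoded in the POST body, so they cannot alter the URL at all.
        var fields = new Dictionary<string, string>
        {
            ["secret"] = secretKey,
            ["response"] = captchaResponse,
        };
        if (!string.IsNullOrEmpty(clientIp))
            fields["remoteip"] = clientIp;   // optional per the siteverify API

        using (var form = new FormUrlEncodedContent(fields))
        using (var response = await Client.PostAsync(SiteVerifyUri, form).ConfigureAwait(false))
        {
            response.EnsureSuccessStatusCode();
            var json = JObject.Parse(await response.Content.ReadAsStringAsync().ConfigureAwait(false));

            // Google also reports which hostname the challenge was solved on; requiring it to be
            // ours rejects tokens minted for another site's widget (expectedHostname is an assumed setting).
            var success = json.Value<bool>("success");
            var hostname = json.Value<string>("hostname");
            return success && string.Equals(hostname, expectedHostname, StringComparison.OrdinalIgnoreCase);
        }
    }
}
```

Call it with `Request.Form["g-recaptcha-response"]`, the client address and the site's host name from configuration; a scanner tracing taint from the form field now sees it reach only the request body and a regex, not the destination URL.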

0 Answers