As you may know, third-party security scanners and services often rely on generic signatures. These signatures can trigger alerts that do not represent legitimate security risks.
This help topic describes known false-positive scanner alerts. Each section explains the scope of the alert and the technical reasoning behind our conclusion.
CWE-79: Improper Neutralization of Input During Web Page Generation
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page
Warning
A test payload generated a syntax error within the Web Application. This often points to a problem with input validation routines or lack of filters on user-supplied content.
Warning
The test successfully embedded a script in the response as part of existing JavaScript content. When the original script is executed, the injected script will be executed as well. This means that the application is vulnerable to Cross-Site Scripting attacks.
Warning
A malicious user may be able to create a denial of service, serious error, or exploit depending on the error encountered by the Web application.
WAS flags hidden input fields with the _State suffix as potentially dangerous based on underlying scanner signature matching:
<input type="hidden" name="ASPxGridView1" id="ASPxGridView1_State" value="{...}">
<input type="hidden" name="ASPxPopupControl1" id="ASPxPopupControl1_State" value="{...}">
<input type="hidden" name="ASPxPageControl1" id="ASPxPageControl1_State" value="{...}">
Veracode reports this issue when an encoded value that contains a script can be assigned to an input element (for example, 1234%27A-alert%2889%29%2F%2F):
<!-- ASPxComboBox -->
<table class="dxeButtonEditSys dxeButtonEdit" id="ASPxComboBox1">
<input class="dxeEditArea dxeEditAreaSys"
id="ASPxComboBox1_I"
name="ASPxComboBox1"
type="text"
autocomplete="off" ...>
These alerts do not indicate executable XSS. Server-side validation blocks script execution.
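As an added verification example (not code from the DevExpress help topic), the following Python script takes the scanner's sample payload quoted above, renders it into an input element with attribute-context HTML encoding, and confirms by parsing the result that the payload survives only as attribute data. The single-quoted, unencoded rendering is a constructed contrast that the same check rejects; the control name ASPxComboBox1 is reused from the markup above, and the two render functions are hypothetical stand-ins, not DevExpress APIs.

```python
import html
from html.parser import HTMLParser
from urllib.parse import unquote

# URL-encoded payload quoted in the Veracode alert above.
SCANNER_PAYLOAD = "1234%27A-alert%2889%29%2F%2F"
CONTROL = "ASPxComboBox1"

def render_input(name, value):
    """Hypothetical stand-in for an encoding server control: the value is
    HTML-encoded for attribute context (& < > " ') before rendering."""
    return f'<input type="text" name="{name}" id="{name}_I" value="{html.escape(value, quote=True)}">'

def render_input_unencoded(name, value):
    """Constructed contrast: single-quoted attribute, no encoding."""
    return f"<input type='text' name='{name}' id='{name}_I' value='{value}'>"

class _Collector(HTMLParser):
    """Records every start tag and every non-blank text node."""
    def __init__(self):
        super().__init__()
        self.nodes = []
    def handle_starttag(self, tag, attrs):
        self.nodes.append((tag, dict(attrs)))
    def handle_data(self, data):
        if data.strip():
            self.nodes.append(("#text", data))

def reflected_as_data(markup, name, original):
    """True only if the markup parses to the single expected <input> whose value
    attribute round-trips to the exact original string (no extra tags, no stray
    text, no attribute breakout)."""
    collector = _Collector()
    collector.feed(markup)
    collector.close()
    if len(collector.nodes) != 1:
        return False
    tag, attrs = collector.nodes[0]
    return tag == "input" and attrs.get("name") == name and attrs.get("value") == original

def check_scanner_payload():
    """Decode the scanner payload, render it both ways, and run the check."""
    decoded = unquote(SCANNER_PAYLOAD)  # 1234'A-alert(89)//
    return {
        "decoded": decoded,
        "encoded_safe": reflected_as_data(render_input(CONTROL, decoded), CONTROL, decoded),
        "unencoded_safe": reflected_as_data(render_input_unencoded(CONTROL, decoded), CONTROL, decoded),
    }
```

The same round-trip check can be run against a captured response body to confirm that a flagged value is reflected as data rather than markup.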
CWE-89: Improper Neutralization of Special Elements used in an SQL Command
CAPEC-7: Blind SQL Injection
Warning
Using the GET HTTP method, SiteLock found that:
+ The following resources may be vulnerable to blind SQL injection:
+ The ‘r’ parameter of the /DXR.axd CGI
Warning
Using the GET HTTP method, SiteLock found that:
+ The following resources may be vulnerable to blind SQL injection (time based):
+ The ‘r’ parameter of the /DXR.axd CGI
DXR.axd request parameters
DevExpress.Data internal SQL API
Search Panel (DXSE) and Filter Row (DXFREditor) parameters
DXR.axd URLs and Parameters
DXR.axd is the default DevExpress HTTP handler used in ASP.NET applications. It serves embedded DevExpress resources (images, JavaScript files, and CSS styles). These resources are packaged inside DevExpress assemblies and are requested by the browser through the DXR.axd endpoint. The handler resolves the request, retrieves the resource from the assembly, and sends it to the client.
These embedded resources are intended for public access. They do not expose sensitive information or server-side code and do not interact with databases.
The DevExpress HTTP handler validates resource keys.
Direct SQL APIs
InternalExecSql, InternalGetScalar, and InternalGetData methods of ConnectionProviderSql accept SQL commands, which are fully controlled by the application developer.
Rather than constructing SQL dynamically, these methods execute the supplied SQL query directly against the database and return results as scalar values, result sets, or object collections.
Search Panel and Filter Row (Application Configuration)
DXFREditor and DXSE parameters transfer Search Panel and Filter Row editor values to filter data displayed in grid-based UI controls (for example, ASPxGridView, ASPxTreeList, and ASPxCardView).
In standard binding mode, filters apply at the control level. The Data Controller validates values before applying the filter. These values never reach the database.
In server mode, values are sanitized before query execution. Injected SQL cannot execute at the database level.
DXR.axd does not expose database access.
Warning
Veracode Alert : Improper Restriction of XML External Entity Reference (‘XXE’)
XML content converts to internal file objects (FileManagerFile). The ASPxFileManager renders markup from these objects.
An attack requires direct access to the storage provider. Users cannot supply arbitrary XML sources.
This issue does not expose XXE risk in real deployments.
Internal code uses the GetTempFileName method to access system temporary files. Temporary files never reach the client.
No external access exists.
CWE-201: Insertion of Sensitive Information Into Sent Data
CWE-540: Inclusion of Sensitive Information in Source Code
CWE-615: Inclusion of Sensitive Information in Source Code Comments
Warning
Veracode Alert : Information Exposure Through Sent Data
DXR.axd request parameters
DXR.axd URLs and Parameters
DXR.axd is the default DevExpress HTTP handler used in ASP.NET applications. It serves embedded DevExpress resources (images, JavaScript files, and CSS styles). These embedded resources are intended for public access. They do not expose sensitive information or server-side code.
The word “password” in these files does not indicate stored or transmitted credentials. It refers only to HTML input elements of type password.
ASPxPivotGrid
The UploadString(string data) and UploadStringAsync(string, object) methods handle data uploads. These methods process all information on the server.
Passwords and sensitive information are not sent to the client. No confidential information exposure occurs.
The ADSSYS account is a built-in administrator account for Advantage Database Server.
Using ADSSYS in this context does not introduce security risks.
Warning
Veracode Alert : Improper Neutralization of CRLF Sequences in HTTP Headers (‘HTTP Response Splitting’)
ASPxHttpHandlerModule
The WriteFolderToResponse and WriteFileToResponse methods validate requested public resources by file extension. Only .css and .js files are allowed. The API cannot be used to access arbitrary files.
ASPxSpreadsheet
The CreateImageBox method accepts an image index. The server generates this index internally. Client input cannot alter the value or reference other data. Header manipulation is not possible through this method.
User input cannot alter headers or access other resources.
The following classes store document protection metadata. This data prevents accidental edits. This information is not considered sensitive.
DevExpress.XtraRichEdit.Commands.ProtectionInfo
DevExpress.XtraRichEdit.AuthenticationOptions
The alert does not indicate sensitive data exposure.
Veracode flags the use of weak or risky cryptographic algorithms (such as MD5 and SHA-1). DevExpress components use these algorithms in contexts where standards or file format specifications require them (not for general-purpose cryptography).
Modern .NET components include an internal HashCodeHelper class to provide secure alternatives. Some legacy scenarios still rely on algorithms that Veracode marks as potentially unsafe.
RichEdit
MD5 is required by the ECMA-376 standard for document protection (article 2.15.1.28).
Method : CheckOpenXmlDocumentProtectionPassword(PasswordHashCodeCalculator calculator, string password)
Spreadsheet (XLS Export)
MD5 is mandated by the Excel Binary File Format specification (article 2.3.6.1).
Method : MD5Hash.CreateMD5()
Office Crypto (XLS Export)
Required for compliance with the Office Document Cryptography Structure (article 2.3.4).
Method : CipherInfo.GetAlgorithm()
PDF Export and PDF Libraries
MD5 is required by the PDF specification for encryption (article 7.6).
ZIP Archives
AES in ECB mode is used for decrypting legacy ZIP archives (standard ZIP encryption is weak).
Method : ICryptoTransform CreateAesCryptoTransform(string, byte[], byte[])
PDF Digital Signatures
SHA-1 is required by the PDF specification for digital signatures (article 12.8).
These algorithms are used only to meet file format or standard compliance requirements. They do not expose DevExpress applications to security risks in typical usage scenarios.
RichEdit
The FileDocumentImageSource constructor accepts a file path as part of the RichEdit public API. This behavior enables application developers to load document images from custom locations.
Charts
The HolidaysLoader.LoadHolidaysCollection method allows applications to load holiday definitions from an XML file. The method safely processes XML content. Because this API is public, the library cannot restrict the file path value. Path validation and access control must be implemented by the application.
These APIs themselves do not introduce vulnerabilities. Security depends on how the application supplies and validates file paths.
GoogleDrivePersonalHelper
OneDrivePersonalHelper
The GoogleDrivePersonalHelper and OneDrivePersonalHelper classes call the HttpContext.Current.Response.Redirect method with URLs constructed exclusively from server-side values. These values are defined by the application logic and do not incorporate client input.
Open redirect is not possible.
DevExpress.Web.Internal.ThemesProvider.LoadCustomThemeAssemblyByPath
The LoadCustomThemeAssemblyByPath method calls System.Reflection.Assembly.LoadFile. This method is invoked only by the ASPxThemeDeployer tool on a developer machine. It is used to extract DevExpress theme resources for deployment within an application.
The LoadCustomThemeAssemblyByPath method is not executed at runtime in deployed applications. Users or threat actors cannot trigger it.
Unsafe reflection does not introduce a risk in deployed applications.
Warning
Veracode Alert : Insufficient Entropy
The Next(int) method is used internally by the ASPxCaptcha component.
Captcha requests occur at varying times, and image recognition introduces additional variability. These factors increase entropy and make it infeasible for a threat actor to predict generated values.
The ASPxCaptcha component maintains sufficient randomness to prevent abuse. In practice, predicting values is impossible.
Warning
Scanner Alert : Response headers include the HTTP Content-Security-Policy security header with the following security issues:
Security scanners report a security mechanism failure when HTTP Content-Security-Policy (CSP) headers appear overly permissive.
DevExpress ASP.NET Web Forms controls and MVC extensions rely on legacy JavaScript libraries. These libraries dynamically load scripts and execute eval or Function methods. To function correctly, the framework requires the following CSP directive:
script-src 'unsafe-inline' 'unsafe-eval' 'self'
'unsafe-inline' allows in-page scripts and event handlers.
'unsafe-eval' permits execution of dynamic code via eval() or Function().
'self' restricts script loading to the same origin.
These directives match standard ASP.NET Web Forms behavior. The same requirements apply to ASP.NET MVC extensions, which share the same core framework. DevExpress does not plan to remove these directives due to implementation complexity.
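As an added example (not code from the DevExpress help topic), the Python below parses a Content-Security-Policy header value, reports which script sources a signature-based scanner will flag, checks whether the directive DevExpress requires is fully present (honouring the default-src fallback), and flags one caveat: once a nonce or hash source is added to script-src, browsers ignore 'unsafe-inline', which would block the framework's inline scripts. The header values it is fed are constructed.

```python
import re

# Directive DevExpress states its Web Forms controls and MVC extensions require.
REQUIRED_SCRIPT_SRC = "script-src 'unsafe-inline' 'unsafe-eval' 'self'"

# Source expressions that signature-based scanners treat as overly permissive.
PERMISSIVE = {"'unsafe-inline'", "'unsafe-eval'", "*", "data:", "http:", "https:"}

def parse_csp(header):
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def effective_script_sources(policy):
    """script-src falls back to default-src when it is absent."""
    return policy.get("script-src", policy.get("default-src", []))

def review_script_src(header):
    """Report scanner findings and framework requirements for one header value."""
    sources = effective_script_sources(parse_csp(header))
    required = parse_csp(REQUIRED_SCRIPT_SRC)["script-src"]
    # CSP Level 2 and later: a nonce- or hash-source makes browsers ignore
    # 'unsafe-inline', so inline Web Forms scripts would stop executing.
    has_nonce_or_hash = any(re.match(r"'(nonce-|sha(256|384|512)-)", s) for s in sources)
    return {
        "flagged": sorted(s for s in sources if s in PERMISSIVE),
        "missing_required": [s for s in required if s not in sources],
        "unsafe_inline_ignored": has_nonce_or_hash and "'unsafe-inline'" in sources,
    }
```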
For strict CSP compliance, consider migrating to a modern platform. Refer to the following help topics for additional information:
DevExpress WinForms PDF Viewer, WPF PDF Viewer, and PdfDocumentProcessor do not use the vulnerable functionality.
DevExpress components are not impacted by security issues described in CVEs. No mitigation or code changes are required.
DXR.axd request parameters
DXR.axd URLs and Parameters
DXR.axd is the default DevExpress HTTP handler used in ASP.NET applications. It serves embedded DevExpress resources (images, JavaScript files, and CSS styles). These embedded resources are intended for public access. They do not expose sensitive information or server-side code.
HTTP verb manipulation cannot compromise security or access confidential data.
Warning
Scanner Alerts :
Input values may be modified before posting to the server. All values are encoded when rendered as client-side programmatic objects. The EncodeHtml property (enabled by default) ensures that all rendered HTML entries are safe from injection attacks.
Warning
Custom errors: Fail
Warning
Request validation: Fail
These settings must be configured at the application level. Some DevExpress ASP.NET demo applications explicitly disable request validation to allow entry of all characters. This is safe for demos but should be managed appropriately in production environments.