Page tree

Summary: This document provides information about the extension providing ASP.NET Web API support for C#.

Extension ID


What's new?

See: ASP.NET Web API Framework and Security Rules - 1.4 - Release Notes for more information.


This extension provides support for ASP.NET Web API. This extension will create links between server side APIs and client calls for HttpGet, httpPut, HttpPost, and HttpDelete methods.

In what situation should you install this extension?

CAST recommends that this extension is installed whenever you are analyzing a .NET application. When using CAST AIP Console, the extension is automatically installed whenever a .NET application is delivered.

ASP.NET Web API support

The following frameworks are supported by this extension:

Web API 2(tick)
ASP.NET Core Web API(tick)
ASHX / ASMX (see below)(tick)

Files analyzed




.NET Razor*.cshtml



JSON*.json, *.jsonld



-Configurationweb.config, appsettings.jsonThis extension broadcasts an XML parser for others extensions to analyze web.config files.

Function Point, Quality and Sizing support

This extension provides the following support:

  • Function Points (transactions): a green tick indicates that OMG Function Point counting and Transaction Risk Index are supported
  • Quality and Sizing: a green tick indicates that CAST can measure size and that a minimum set of Quality Rules exist
Function Points
Quality and Sizing

AIP Core compatibility

This extension is compatible with:

CAST AIP release

Supported DBMS servers

This extension is compatible with the following DBMS servers:





(tick)An installation of any compatible release of AIP Core (see table above)

Download and installation instructions

A specific version of the ASP.NET Web API Framework extension is shipped with AIP Core. However, this release may not be the release you want to use, therefore you should check before beginning the analysis that the correct extension release is being used. You can see the list of shipped extensions for each release of AIP Core here: Technology coverage changes in CAST AIP 8.3.x.

If you need to change the release use the Included interface in AIP Console:

CAST Transaction Configuration Center (TCC) configuration

If you are using the extension with CAST AIP ≥ 8.3.x, a set of ASP.NET WebAPI specific items are now automatically imported when the extension is installed. These items will be available in the CAST Transaction Configuration Center (click to enlarge):

Packaging, delivering and analyzing your source code

Once the extension is installed, no further configuration changes are required before you can package your source code and run an analysis. The process of packaging, delivering and analyzing your source code does not change in any way:

  • Package and deliver your .NET application (that includes source code which uses ASP.NET Web API) in the exact same way as you always have.
  • Analyze your delivered .NET application source code in the CAST Management Studio in the exact same way as you always have - the source code which uses ASP.NET Web API will be detected and handled correctly.

By default, (i.e. out of the box without the ASP.NET Web API extension installed) ASP.NET Web API object types are automatically “captured” by a default configuration provided by the HTML5/JavaScript extension (“Standard Entry Point - HTML5 AspDotNet”). After installation of the ASP.NET WebAPI extension you will find that the "Standard Entry Point - HTML5 AspDotNet" set no longer captures any objects. Instead the ASP.NET objects will be captured by the "Standard Entry Point - Dotnet AspDotNet" set provided in the ASP.NET WebAPI extension.

Therefore you need to update TCC configuration if you are using the "Standard Entry Point - HTML5 AspDotNet" configuration in your sets and layers.

What results can you expect?

Once the analysis/snapshot generation has completed, you can view the results in the normal manner. The following objects and links will be displayed in CAST Enlighten:


All objects are represented under the Class browser folders in CAST Enlighten:


DotNet Get Operation

DotNet Delete Operation

DotNet Post Operation

DotNet Put Operation

DotNet Patch Operation

DotNet Any Operation

DotNet Controller Action

A DotNet Controller Action is created for each controller method, and a call link is created from this action to the method:

These controller actions may be directly called from clients through HTML5 Razor method calls present in cshtml files:

     @Html.ActionLink("Details", "Details", new { id = item.DepartmentID })

One or more DotNet operations are created for one DotNet Controller Action, because the DotNet Server may be called by other clients than Razor clients. From HTML files or sections of HTML in .cshtml files:

<div href="Department/Details">

Controller actions are therefore always present in transactions, but operations are present only for purely HTMLclients (not clients using razor). As the same controller action may be called for several types of HTML5 resource services, and even several types of  URLs (e.g: department/details, department/details/{}, ...), operations which are not called from a client are deleted at the end of analysis. In many cases clients are written in razor, as such it would not be a ideal to keep all operations as it would produce false transactions.

ASHX/ASMX support


In ashx/asmx file:

<%@ WebHandler Language="C#" class="PREFIX.TaxServerInfo" %>

In IISHandler1.vb:

Imports System.Web
Public Class IISHandler1
    Implements IHttpHandler

    Public Sub ProcessRequest(ByVal context As HttpContext) Implements IHttpHandler.ProcessRequest

        ' Write your handler implementation here.

    End Sub
End Class

Will create an operation:


In asmx file:

<%@ WebService Language="vb" CodeBehind="WebService1.asmx.vb" class="WebApplication1.WebService1" %>

In vb file:

Imports System.Web.Services
Imports System.Web.Services.Protocols
Imports System.ComponentModel

' To allow this Web Service to be called from script, using ASP.NET AJAX, uncomment the following line.
' <System.Web.Script.Services.ScriptService()> _
<System.Web.Services.WebService(Namespace:="")> _
<System.Web.Services.WebServiceBinding(ConformsTo:=WsiProfiles.BasicProfile1_1)> _
<ToolboxItem(False)> _
Public Class WebService1
    Inherits System.Web.Services.WebService

    <WebMethod()> _
    Public Function HelloWorld() As String
       Return "Hello World"
    End Function

End Class

Will create an operation for each WebMethod annotated methods:



  • URLs present in annotations, which are in a variable, are not supported.
  • No labels