From 5d168f2f70585225446cfec648c56c8ebe1cf47b Mon Sep 17 00:00:00 2001 From: Maxime Date: Fri, 21 Dec 2018 10:42:33 +0100 Subject: [PATCH 1/2] change owasp 2013 to owasp 2017 --- generate_profiles/BuildXmlFiles.groovy | 26 ++++---- pom.xml | 2 +- .../sonar/plugins/findbugs/rules-findbugs.xml | 4 +- .../plugins/findbugs/rules-findsecbugs.xml | 61 ++++++++++--------- .../org/sonar/plugins/findbugs/rules-jsp.xml | 8 +-- 5 files changed, 52 insertions(+), 49 deletions(-) diff --git a/generate_profiles/BuildXmlFiles.groovy b/generate_profiles/BuildXmlFiles.groovy index 66f566b7..bbf316b3 100644 --- a/generate_profiles/BuildXmlFiles.groovy +++ b/generate_profiles/BuildXmlFiles.groovy @@ -122,7 +122,7 @@ def writeRules(String rulesSetName,List plugins,List includedBug configKey(pattern.attribute("type")) description(pattern.Details.text().trim()) - //OWASP TOP 10 2013 + //OWASP TOP 10 2017 if (pattern.Details.text().toLowerCase().contains('injection') || pattern.Details.text().contains('A1-Injection')) { tag("owasp-a1") tag("injection") 
@@ -131,32 +131,34 @@ def writeRules(String rulesSetName,List plugins,List includedBug tag("owasp-a2") } if (pattern.attribute("type").contains("XSS") || pattern.Details.text().contains('A3-Cross-Site_Scripting')) { - tag("owasp-a3") + tag("owasp-a7") } if (pattern.Details.text().contains('A4-Insecure_Direct_Object_References') || pattern.Details.text().contains('Path_Traversal')) { - tag("owasp-a4") + tag("owasp-a5") } if (pattern.Details.text().contains('A5-Security_Misconfiguration')) { - tag("owasp-a5") + tag("owasp-a6") } if (pattern.attribute('type').equals('HARD_CODE_PASSWORD') || pattern.attribute("type") in cryptoBugs || pattern.Details.text().contains('A6-Sensitive_Data_Exposure')) { - tag("owasp-a6") + tag("owasp-a3") tag("cryptography") } if (pattern.Details.text().contains('A7-Missing_Function_Level_Access_Control')) { - tag("owasp-a7") - } - if (pattern.Details.text().toLowerCase().contains('A8-Cross-Site_Request_Forgery')) { - tag("owasp-a8") + tag("owasp-a4") } +// no exist in owasp 2017 +// if (pattern.Details.text().toLowerCase().contains('A8-Cross-Site_Request_Forgery')) { +// tag("owasp-a8") +// } if (pattern.Details.text().toLowerCase().contains('A9-Using_Components_with_Known_Vulnerabilities')) { tag("owasp-a9") } - if (pattern.Details.text().toLowerCase().contains('A10-Unvalidated_Redirects_and_Forwards')) { - tag("owasp-a10") - } +// no exist in owasp 2017 +// if (pattern.Details.text().toLowerCase().contains('A10-Unvalidated_Redirects_and_Forwards')) { +// tag("owasp-a10") +// } //Misc tags diff --git a/pom.xml b/pom.xml index 34617ccc..64ab0d06 100644 --- a/pom.xml +++ b/pom.xml @@ -4,7 +4,7 @@ com.github.spotbugs sonar-findbugs-plugin - 3.10.0-SNAPSHOT + 3.11-SNAPSHOT sonar-plugin SonarQube SpotBugs Plugin diff --git a/src/main/resources/org/sonar/plugins/findbugs/rules-findbugs.xml b/src/main/resources/org/sonar/plugins/findbugs/rules-findbugs.xml index 63dd000c..99160de0 100644 
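Review bot: The branch matching `A7-Missing_Function_Level_Access_Control` now emits `tag("owasp-a4")`, but in the 2017 Top 10 A4 is XML External Entities; missing function-level access control was folded into A5 Broken Access Control, the same tag the path-traversal branch just above already emits under the new numbering. Change it to `tag("owasp-a5")`. The hunk also adds no branch for the categories that are new in 2017 (A4 XXE, A8 Insecure Deserialization, A10 Insufficient Logging and Monitoring), so rules in those areas stay untagged under the new scheme. Separately, the unchanged A9 check lowercases the description before comparing it with a literal that contains capitals, so it can never match; that defect predates this change. writeRules begins before this hunk.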
--- a/src/main/resources/org/sonar/plugins/findbugs/rules-findbugs.xml +++ b/src/main/resources/org/sonar/plugins/findbugs/rules-findbugs.xml @@ -150,7 +150,7 @@ If SpotBugs found <em>any</em>, you <em>almost certainly</e vulnerabilities that SpotBugs doesn't report. If you are concerned about cross site scripting, you should seriously consider using a commercial static analysis or pen-testing tool. </p> - owasp-a3 + owasp-a7 security @@ -165,7 +165,7 @@ If SpotBugs found <em>any</em>, you <em>almost certainly</e vulnerabilities that SpotBugs doesn't report. If you are concerned about cross site scripting, you should seriously consider using a commercial static analysis or pen-testing tool. </p> - owasp-a3 + owasp-a7 security diff --git a/src/main/resources/org/sonar/plugins/findbugs/rules-findsecbugs.xml b/src/main/resources/org/sonar/plugins/findbugs/rules-findsecbugs.xml index 5e4b500a..3d6a039b 100644 --- a/src/main/resources/org/sonar/plugins/findbugs/rules-findsecbugs.xml +++ b/src/main/resources/org/sonar/plugins/findbugs/rules-findsecbugs.xml @@ -267,7 +267,7 @@ public Response getImage(@javax.ws.rs.PathParam("image") String image) { <a href="http://capec.mitre.org/data/definitions/126.html">CAPEC-126: Path Traversal</a><br/> <a href="http://cwe.mitre.org/data/definitions/22.html">CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')</a> </p> - owasp-a4 + owasp-a5 wasc cwe security @@ -287,7 +287,7 @@ by the user. If that is the case, the reported instance is a false positive.< <a href="http://capec.mitre.org/data/definitions/126.html">CAPEC-126: Path Traversal</a><br/> <a href="http://cwe.mitre.org/data/definitions/22.html">CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')</a> </p> - owasp-a4 + owasp-a5 wasc cwe security 
@@ -397,7 +397,7 @@ sc.init(kmf.getKeyManagers(), tmf.getTrustManagers(),null); <a href="http://projects.webappsec.org/w/page/13246945/Insufficient%20Transport%20Layer%20Protection">WASC-04: Insufficient Transport Layer Protection</a><br/> <a href="http://cwe.mitre.org/data/definitions/295.html">CWE-295: Improper Certificate Validation</a> </p> - owasp-a6 + owasp-a3 cryptography wasc cwe @@ -446,7 +446,7 @@ sc.init(kmf.getKeyManagers(), tmf.getTrustManagers(),null); <a href="http://projects.webappsec.org/w/page/13246945/Insufficient%20Transport%20Layer%20Protection">WASC-04: Insufficient Transport Layer Protection</a><br/> <a href="http://cwe.mitre.org/data/definitions/295.html">CWE-295: Improper Certificate Validation</a> </p> - owasp-a6 + owasp-a3 cryptography wasc cwe @@ -612,7 +612,7 @@ mapped in this way are properly validated before they are used.</p> <a href="https://stackoverflow.com/q/22580853/89769">Stackoverflow: Reliable implementation of PBKDF2-HMAC-SHA256 for Java</a><br/> <a href="http://cwe.mitre.org/data/definitions/327.html">CWE-327: Use of a Broken or Risky Cryptographic Algorithm</a> </p> - owasp-a6 + owasp-a3 cryptography cwe security @@ -677,7 +677,7 @@ uses. <b>PBKDF2</b> should be used to hash password for example.< <a href="https://stackoverflow.com/q/22580853/89769">Stackoverflow: Reliable implementation of PBKDF2-HMAC-SHA256 for Java</a><br/> <a href="http://cwe.mitre.org/data/definitions/327.html">CWE-327: Use of a Broken or Risky Cryptographic Algorithm</a> </p> - owasp-a6 + owasp-a3 cryptography cwe security @@ -729,7 +729,7 @@ Upgrade your implementation to use one of the recommended constructs and configu <b>References</b><br/> <a href="https://blogs.oracle.com/java-platform-group/entry/diagnosing_tls_ssl_and_https">Diagnosing TLS, SSL, and HTTPS</a> </p> - owasp-a6 + owasp-a3 cryptography security 
@@ -756,7 +756,7 @@ Upgrade your implementation to the following, and configure https.protocols JVM <b>References</b><br/> <a href="https://blogs.oracle.com/java-platform-group/entry/diagnosing_tls_ssl_and_https">Diagnosing TLS, SSL, and HTTPS</a> </p> - owasp-a6 + owasp-a3 cryptography security @@ -800,7 +800,7 @@ sha256Digest.update(password.getBytes());</pre> <a href="http://csrc.nist.gov/groups/ST/toolkit/secure_hashing.html">NIST Approved Hashing Algorithms</a><br/> <a href="http://cwe.mitre.org/data/definitions/327.html">CWE-327: Use of a Broken or Risky Cryptographic Algorithm</a> </p> - owasp-a6 + owasp-a3 cryptography cwe security @@ -827,7 +827,7 @@ contains no unauthorized path characters (e.g., / \), and refers to an authorize <a href="http://capec.mitre.org/data/definitions/126.html">CAPEC-126: Path Traversal</a><br/> <a href="http://cwe.mitre.org/data/definitions/22.html">CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')</a> </p> - owasp-a4 + owasp-a5 wasc cwe security @@ -2362,7 +2362,7 @@ In this situation, the use of toHexString() should be replaced with String.forma <a href="http://docs.hazelcast.org/docs/3.5/manual/html/encryption.html">Hazelcast Documentation: Encryption</a><br/> <a href="http://cwe.mitre.org/data/definitions/326.html">CWE-326: Inadequate Encryption Strength</a> </p> - owasp-a6 + owasp-a3 cryptography wasc cwe @@ -2391,7 +2391,7 @@ byte[] cipherText = c.doFinal(plainText);</pre> <b>Reference</b><br/> <a href="http://cwe.mitre.org/data/definitions/327.html">CWE-327: Use of a Broken or Risky Cryptographic Algorithm</a> </p> - owasp-a6 + owasp-a3 cryptography cwe security 
@@ -2425,7 +2425,7 @@ to do this correctly. <a href="http://projects.webappsec.org/w/page/13246945/Insufficient%20Transport%20Layer%20Protection">WASC-04: Insufficient Transport Layer Protection</a><br/> <a href="http://cwe.mitre.org/data/definitions/319.html">CWE-319: Cleartext Transmission of Sensitive Information</a> </p> - owasp-a6 + owasp-a3 cryptography wasc cwe @@ -2460,7 +2460,7 @@ to do this correctly. <a href="http://projects.webappsec.org/w/page/13246945/Insufficient%20Transport%20Layer%20Protection">WASC-04: Insufficient Transport Layer Protection</a><br/> <a href="http://cwe.mitre.org/data/definitions/319.html">CWE-319: Cleartext Transmission of Sensitive Information</a> </p> - owasp-a6 + owasp-a3 cryptography wasc cwe @@ -2491,7 +2491,7 @@ byte[] cipherText = c.doFinal(plainText);</pre> <a href="http://www.nist.gov/itl/fips/060205_des.cfm">NIST Withdraws Outdated Data Encryption Standard</a><br/> <a href="http://cwe.mitre.org/data/definitions/326.html">CWE-326: Inadequate Encryption Strength</a> </p> - owasp-a6 + owasp-a3 cryptography cwe security @@ -2521,7 +2521,7 @@ byte[] cipherText = c.doFinal(plainText);</pre> <a href="http://www.nist.gov/itl/fips/060205_des.cfm">NIST Withdraws Outdated Data Encryption Standard</a><br/> <a href="http://cwe.mitre.org/data/definitions/326.html">CWE-326: Inadequate Encryption Strength</a> </p> - owasp-a6 + owasp-a3 cryptography cwe security @@ -2547,7 +2547,7 @@ The code should be replaced with:<br/> <a href="http://cwe.mitre.org/data/definitions/780.html">CWE-780: Use of RSA Algorithm without OAEP</a><br/> <a href="http://rdist.root.org/2009/10/06/why-rsa-encryption-padding-is-critical/">Root Labs: Why RSA encryption padding is critical</a> </p> - owasp-a6 + owasp-a3 cryptography cwe security 
@@ -2573,7 +2573,7 @@ props.put(Context.SECURITY_CREDENTIALS, "p@ssw0rd");</pre> <b>References</b><br/> <a href="http://cwe.mitre.org/data/definitions/259.html">CWE-259: Use of Hard-coded Password</a> </p> - owasp-a6 + owasp-a3 cryptography cwe security @@ -2635,7 +2635,7 @@ if(MessageDigest.isEqual(userInput.getBytes(),actualHash.getBytes())) { <b>References</b><br/> <a href="https://cwe.mitre.org/data/definitions/203.html">CWE-203: Information Exposure Through DiscrepancyKey</a><br/> </p> - owasp-a6 + owasp-a3 cryptography cwe security @@ -2707,7 +2707,7 @@ the XSS protection rules defined in the OWASP XSS Prevention Cheat Sheet. <a href="https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_%28XSS%29">OWASP: Top 10 2013-A3: Cross-Site Scripting (XSS)</a><br/> <a href="http://cwe.mitre.org/data/definitions/79.html">CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')</a> </p> - owasp-a3 + owasp-a7 wasc cwe security @@ -2738,7 +2738,7 @@ keyGen.init(128);</pre> <a href="http://en.wikipedia.org/wiki/Blowfish_(cipher)">Blowfish (cipher)</a><br/> <a href="http://cwe.mitre.org/data/definitions/326.html">CWE-326: Inadequate Encryption Strength</a> </p> - owasp-a6 + owasp-a3 cryptography cwe security @@ -2779,7 +2779,7 @@ keyGen.initialize(2048); <a href="http://cwe.mitre.org/data/definitions/326.html">CWE-326: Inadequate Encryption Strength</a><br/> <a href="http://www.keylength.com/en/compare/">Keylength.com (BlueKrypt): Aggregate key length recommendations.</a> </p> - owasp-a6 + owasp-a3 cryptography cwe security @@ -2963,7 +2963,7 @@ which explains these defenses in significant detail. <a href="http://cwe.mitre.org/data/definitions/79.html">CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')</a><br/> <a href="https://code.google.com/p/owasp-java-encoder/">OWASP Java Encoder</a><br/> </p> - owasp-a3 + owasp-a7 wasc cwe security 
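Review bot: The XSS rule at `@@ -2707` is retagged `owasp-a7`, yet its reference line still cites `OWASP: Top 10 2013-A3: Cross-Site Scripting (XSS)`, so the tag and the cited list now use different numberings and a reader of the rule page cannot tell which A3/A7 is meant. Add a 2017 reference line next to the 2013 one, in the same form as the `Top_10-2017_A1-Injection` links this series adds to the injection rules, or state in the description that tags follow the 2017 list. The same mismatch is in the hunks at `@@ -2963` and `@@ -3486`. Each rule element starts before its hunk, so the rule keys are not visible here.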
@@ -3051,7 +3051,7 @@ public void encrypt(String message) throws Exception { <a href="http://cwe.mitre.org/data/definitions/329.html">CWE-329: Not Using a Random IV with CBC Mode</a><br/> <a href="https://defuse.ca/cbcmodeiv.htm">Encryption - CBC Mode IV: Secret or Not?</a> </p> - owasp-a6 + owasp-a3 cryptography cwe security @@ -3086,7 +3086,7 @@ byte[] cipherText = c.doFinal(plainText);</pre> <a href="http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation#Electronic_codebook_.28ECB.29">Wikipedia: Block cipher modes of operation</a><br/> <a href="http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf">NIST: Recommendation for Block Cipher Modes of Operation</a> </p> - owasp-a6 + owasp-a3 cryptography security @@ -3119,7 +3119,7 @@ byte[] cipherText = c.doFinal(plainText);</pre> <a href="http://capec.mitre.org/data/definitions/463.html">CAPEC: Padding Oracle Crypto Attack</a><br/> <a href="http://cwe.mitre.org/data/definitions/696.html">CWE-696: Incorrect Behavior Order</a> </p> - owasp-a6 + owasp-a3 cryptography cwe security @@ -3173,7 +3173,7 @@ In the example solution above, the GCM mode introduces an HMAC into the resultin <a href="http://www.thoughtcrime.org/blog/the-cryptographic-doom-principle/">Moxie Marlinspike's blog: The Cryptographic Doom Principle</a><br/> <a href="http://cwe.mitre.org/data/definitions/353.html">CWE-353: Missing Support for Integrity Check</a> </p> - owasp-a6 + owasp-a3 cryptography cwe security @@ -3486,7 +3486,7 @@ function updateDescription(newDescription) { <a href="https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_%28XSS%29">OWASP: Top 10 2013-A3: Cross-Site Scripting (XSS)</a><br/> <a href="http://cwe.mitre.org/data/definitions/79.html">CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')</a> </p> - owasp-a3 + owasp-a7 wasc cwe android 
@@ -3840,7 +3840,7 @@ Path traversal <sup>[3][4]</sup> are not possible. </p> owasp-a1 injection - owasp-a4 + owasp-a5 wasc security @@ -4102,6 +4102,7 @@ Avoid using those methods. If you are looking to encode a URL String or form par <a href="https://www.owasp.org/index.php/Top_10_2010-A3-Broken_Authentication_and_Session_Management">OWASP Top 10 2010-A3-Broken Authentication and Session Management</a><br/> </p> security + owasp-a3 Security - Insecure SMTP SSL connection @@ -4134,7 +4135,7 @@ Please add the following check to verify the server cerfiticate: <b>References</b><br/> <a href="https://cwe.mitre.org/data/definitions/297.html">CWE-297: Improper Validation of Certificate with Host Mismatch</a><br/> </p> - owasp-a6 + owasp-a3 cryptography cwe security diff --git a/src/main/resources/org/sonar/plugins/findbugs/rules-jsp.xml b/src/main/resources/org/sonar/plugins/findbugs/rules-jsp.xml index efb4b174..72f2bd25 100644 --- a/src/main/resources/org/sonar/plugins/findbugs/rules-jsp.xml +++ b/src/main/resources/org/sonar/plugins/findbugs/rules-jsp.xml @@ -85,7 +85,7 @@ attacker gets the ability to execute any code. <a href="http://cwe.mitre.org/data/definitions/79.html">CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')</a><br/> <a href="http://docs.oracle.com/javaee/5/jstl/1.1/docs/tlddocs/c/out.html">JSTL Javadoc: Out tag</a><br/> </p> - owasp-a3 + owasp-a7 wasc cwe jsp @@ -128,7 +128,7 @@ which explains these defenses in significant detail. <a href="http://cwe.mitre.org/data/definitions/79.html">CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')</a><br/> <a href="https://code.google.com/p/owasp-java-encoder/">OWASP Java Encoder</a><br/> </p> - owasp-a3 + owasp-a7 wasc cwe jsp @@ -167,7 +167,7 @@ Path traversal <sup>[3][4]</sup> are not possible. </p> owasp-a1 injection - owasp-a4 + owasp-a5 wasc jsp security 
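Review bot: The tag added at `@@ -4102` is `owasp-a3`, but the only OWASP reference visible on that rule is `OWASP Top 10 2010-A3-Broken Authentication and Session Management`. In the 2017 numbering this series adopts, broken authentication is A2 and `owasp-a3` denotes Sensitive Data Exposure, so the new tag appears to carry over the 2010 position rather than the 2017 one; if this rule is about session handling, `owasp-a2` is the matching tag. The rule's name and description start before the hunk, so confirm against them before changing it.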
@@ -183,7 +183,7 @@ If SpotBugs found <em>any</em>, you <em>almost certainly</e vulnerabilities that SpotBugs doesn't report. If you are concerned about cross site scripting, you should seriously consider using a commercial static analysis or pen-testing tool. </p> - owasp-a3 + owasp-a7 jsp security From 9bd010009c9795b8281f595298064089f1c7689b Mon Sep 17 00:00:00 2001 From: Maxime Date: Wed, 2 Jan 2019 14:48:05 +0100 Subject: [PATCH 2/2] add description owasp 2017 --- generate_profiles/BuildXmlFiles.groovy | 28 +---- .../plugins/findbugs/rules-findsecbugs.xml | 116 ++++++++++-------- .../org/sonar/plugins/findbugs/rules-jsp.xml | 6 +- 3 files changed, 74 insertions(+), 76 deletions(-) diff --git a/generate_profiles/BuildXmlFiles.groovy b/generate_profiles/BuildXmlFiles.groovy index bbf316b3..49660cea 100644 --- a/generate_profiles/BuildXmlFiles.groovy +++ b/generate_profiles/BuildXmlFiles.groovy 
@@ -123,42 +123,22 @@ def writeRules(String rulesSetName,List plugins,List includedBug description(pattern.Details.text().trim()) //OWASP TOP 10 2017 - if (pattern.Details.text().toLowerCase().contains('injection') || pattern.Details.text().contains('A1-Injection')) { + if (pattern.Details.text().toLowerCase().contains('injection') || pattern.Details.text().contains('2017_A1-Injection')) { tag("owasp-a1") tag("injection") } - if (pattern.Details.text().contains('A2-Broken_Authentication_and_Session_Management')) { - tag("owasp-a2") - } - if (pattern.attribute("type").contains("XSS") || pattern.Details.text().contains('A3-Cross-Site_Scripting')) { + if (pattern.attribute("type").contains("XSS") || pattern.Details.text().contains('2017_A7-Cross-Site_Scripting')) { tag("owasp-a7") } - if (pattern.Details.text().contains('A4-Insecure_Direct_Object_References') || pattern.Details.text().contains('Path_Traversal')) { + if (pattern.Details.text().contains('Path_Traversal')) { tag("owasp-a5") } - if (pattern.Details.text().contains('A5-Security_Misconfiguration')) { - tag("owasp-a6") - } if (pattern.attribute('type').equals('HARD_CODE_PASSWORD') || pattern.attribute("type") in cryptoBugs || - pattern.Details.text().contains('A6-Sensitive_Data_Exposure')) { + pattern.Details.text().contains('2017_A3-Sensitive_Data_Exposure')) { tag("owasp-a3") tag("cryptography") } - if (pattern.Details.text().contains('A7-Missing_Function_Level_Access_Control')) { - tag("owasp-a4") - } -// no exist in owasp 2017 -// if (pattern.Details.text().toLowerCase().contains('A8-Cross-Site_Request_Forgery')) { -// tag("owasp-a8") -// } - if (pattern.Details.text().toLowerCase().contains('A9-Using_Components_with_Known_Vulnerabilities')) { - tag("owasp-a9") - } -// no exist in owasp 2017 -// if (pattern.Details.text().toLowerCase().contains('A10-Unvalidated_Redirects_and_Forwards')) { -// tag("owasp-a10") -// } //Misc tags 
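Review bot: The rewrite deletes the branches for broken authentication, security misconfiguration, function-level access control and known-vulnerable components instead of re-pointing them at 2017 headings, so a rule whose description carries a 2017 A2, A6, A8 or A9 heading now gets no owasp tag at all; the earlier `// no exist in owasp 2017` comment only justified dropping CSRF and unvalidated redirects. Keep one branch per surviving category in the form of the literals that remain, e.g. `if (pattern.Details.text().contains('2017_A2-Broken_Authentication')) { tag("owasp-a2") }`, and consider branches for the 2017-only categories (A4 XXE, A8 Insecure Deserialization) if the rule set has detectors for them. The new literals `2017_A1-Injection`, `2017_A7-Cross-Site_Scripting` and `2017_A3-Sensitive_Data_Exposure` only fire when a description contains exactly that fragment; the XML hunks in this commit add `Top_10-2017_A1-Injection` links but no 2017 A3 or A7 links are visible, so those two branches currently depend on the `type` checks alone. writeRules begins before this hunk.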
diff --git a/src/main/resources/org/sonar/plugins/findbugs/rules-findsecbugs.xml b/src/main/resources/org/sonar/plugins/findbugs/rules-findsecbugs.xml index 3d6a039b..abb614ee 100644 --- a/src/main/resources/org/sonar/plugins/findbugs/rules-findsecbugs.xml +++ b/src/main/resources/org/sonar/plugins/findbugs/rules-findsecbugs.xml @@ -81,8 +81,8 @@ The HTTP header Content-Type can be controlled by the client. As such, its value Security - Untrusted Hostname header SERVLET_SERVER_NAME - <p>The hostname header can be controlled by the client. As such, its value should not be used in any security critical decisions. -Both <code>ServletRequest.getServerName()</code> and <code>HttpServletRequest.getHeader("Host")</code> have the same + <p>The hostname header can be controlled by the client. As such, its value should not be used in any security critical decisions. +Both <code>ServletRequest.getServerName()</code> and <code>HttpServletRequest.getHeader("Host")</code> have the same behavior which is to extract the <code>Host</code> header.</p> <pre> GET /testpage HTTP/1.1 @@ -109,7 +109,7 @@ The method <a href="http://docs.oracle.com/javaee/6/api/javax/servlet/http/Ht typically returns the value of the cookie <code>JSESSIONID</code>. This value is normally only accessed by the session management logic and not normal developer code. </p> <p> -The value passed to the client is generally an alphanumeric value (e.g., <code>JSESSIONID=jp6q31lq2myn</code>). However, the value can be altered by the client. +The value passed to the client is generally an alphanumeric value (e.g., <code>JSESSIONID=jp6q31lq2myn</code>). However, the value can be altered by the client. The following HTTP request illustrates the potential modification. <pre> GET /somePage HTTP/1.1 
@@ -118,8 +118,8 @@ User-Agent: Mozilla/5.0 Cookie: JSESSIONID=Any value of the user&#39;s choice!!??'''&quot;&gt; </pre> </p> -<p>As such, the JSESSIONID should only be used to see if its value matches an existing session ID. If it does not, the user should be -considered an unauthenticated user. In addition, the session ID value should never be logged. If it is, then the log file could contain +<p>As such, the JSESSIONID should only be used to see if its value matches an existing session ID. If it does not, the user should be +considered an unauthenticated user. In addition, the session ID value should never be logged. If it is, then the log file could contain valid active session IDs, allowing an insider to hijack any sessions whose IDs have been logged and are still active. </p> <br/> @@ -138,9 +138,9 @@ valid active session IDs, allowing an insider to hijack any sessions whose IDs h <p>The query string is the concatenation of the GET parameter names and values. Parameters other than those intended can be passed in.</p> <p>For the URL request <code>/app/servlet.htm?a=1&b=2</code>, the query string extract will be <code>a=1&b=2</code></p> -<p>Just as is true for individual parameter values retrieved via methods like <code>HttpServletRequest.getParameter()</code>, +<p>Just as is true for individual parameter values retrieved via methods like <code>HttpServletRequest.getParameter()</code>, the value obtained from <code>HttpServletRequest.getQueryString()</code> should be considered unsafe. -You may need to validate or sanitize anything pulled from the query string before passing it to sensitive APIs. +You may need to validate or sanitize anything pulled from the query string before passing it to sensitive APIs. </p> <br/> <p> 
@@ -153,8 +153,8 @@ You may need to validate or sanitize anything pulled from the query string befor Security - HTTP headers untrusted SERVLET_HEADER - <p>Request headers can easily be altered by the requesting user. In general, no assumption should be made that -the request came from a regular browser without modification by an attacker. As such, it is recommended that you + <p>Request headers can easily be altered by the requesting user. In general, no assumption should be made that +the request came from a regular browser without modification by an attacker. As such, it is recommended that you not trust this value in any security decisions you make with respect to a request.</p> <br/> <p> @@ -219,7 +219,7 @@ and referenced by the user's session cookie. See HttpSession (HttpServletRequest Security - Potential Path Traversal (file read) PATH_TRAVERSAL_IN - <p>A file is opened to read its content. The filename comes from an <b>input</b> parameter. + <p>A file is opened to read its content. The filename comes from an <b>input</b> parameter. If an unfiltered parameter is passed to this file API, files from an arbitrary filesystem location could be read.</p> <p>This rule identifies <b>potential</b> path traversal vulnerabilities. In many cases, the constructed file path cannot be controlled by the user. If that is the case, the reported instance is a false positive.</p> 
@@ -275,7 +275,7 @@ public Response getImage(@javax.ws.rs.PathParam("image") String image) { Security - Potential Path Traversal (file write) PATH_TRAVERSAL_OUT - <p>A file is opened to write to its contents. The filename comes from an <b>input</b> parameter. + <p>A file is opened to write to its contents. The filename comes from an <b>input</b> parameter. If an unfiltered parameter is passed to this file API, files at an arbitrary filesystem location could be modified.</p> <p>This rule identifies <b>potential</b> path traversal vulnerabilities. In many cases, the constructed file path cannot be controlled by the user. If that is the case, the reported instance is a false positive.</p> @@ -308,6 +308,7 @@ r.exec("/bin/sh -c some_tool" + input);</pre> <b>References</b><br/> <a href="https://www.owasp.org/index.php/Command_Injection">OWASP: Command Injection</a><br/> <a href="https://www.owasp.org/index.php/Top_10_2013-A1-Injection">OWASP: Top 10 2013-A1-Injection</a><br/> +<a href="https://www.owasp.org/index.php/Top_10-2017_A1-Injection">OWASP: Top 10 2017-A1-Injection</a><br/> <a href="http://cwe.mitre.org/data/definitions/78.html">CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')</a> </p> owasp-a1 
@@ -321,11 +322,11 @@ r.exec("/bin/sh -c some_tool" + input);</pre> <p>Some FilenameUtils' methods don't filter NULL bytes (<code>0x00</code>).</p> <p>If a null byte is injected into a filename, if this filename is passed to the underlying OS, the file retrieved will be the name of the file that is specified prior to the NULL byte, since at the OS level, all strings are terminated by a null byte even -though Java itself doesn't care about null bytes or treat them special. This OS behavior can be used to bypass filename validation +though Java itself doesn't care about null bytes or treat them special. This OS behavior can be used to bypass filename validation that looks at the end of the filename (e.g., endswith ".log") to make sure its a safe file to access.</p> <p>To fix this, two things are recommended: <ul> -<li>Upgrade to Java 7 update 40 or later, or Java 8+ since +<li>Upgrade to Java 7 update 40 or later, or Java 8+ since <a href="http://bugs.java.com/bugdatabase/view_bug.do?bug_id=8014846">NULL byte injection in filenames is fixed in those versions</a>.</li> <li>Strongly validate any filenames provided by untrusted users to make sure they are valid (i.e., don't contain null, don't include path characters, etc.)</li> </ul> 
@@ -504,8 +505,8 @@ sc.init(kmf.getKeyManagers(), tmf.getTrustManagers(),null); Security - Found Tapestry page TAPESTRY_ENDPOINT - <p>A Tapestry endpoint was discovered at application startup. Tapestry apps are structured with a backing Java class and a corresponding -Tapestry Markup Language page (a .tml file) for each page. When a request is received, the GET/POST parameters are mapped to specific + <p>A Tapestry endpoint was discovered at application startup. Tapestry apps are structured with a backing Java class and a corresponding +Tapestry Markup Language page (a .tml file) for each page. When a request is received, the GET/POST parameters are mapped to specific inputs in the backing Java class. The mapping is either done with fieldName:</p> <pre><code> [...] @@ -524,7 +525,7 @@ inputs in the backing Java class. The mapping is either done with fieldName:< [...] </code></pre> <p>The page is mapped to the view <code>[/resources/package/PageName].tml.</code></p> -<p>Each Tapestry page in this application should be researched to make sure all inputs that are automatically +<p>Each Tapestry page in this application should be researched to make sure all inputs that are automatically mapped in this way are properly validated before they are used.</p> <br/> <p> 
@@ -538,9 +539,9 @@ mapped in this way are properly validated before they are used.</p> Security - Found Wicket WebPage WICKET_ENDPOINT - <p>This class represents a Wicket WebPage. Input is automatically read from a PageParameters instance passed to the constructor. + <p>This class represents a Wicket WebPage. Input is automatically read from a PageParameters instance passed to the constructor. The current page is mapped to the view [/package/WebPageName].html.</p> -<p>Each Wicket page in this application should be researched to make sure all inputs that are automatically +<p>Each Wicket page in this application should be researched to make sure all inputs that are automatically mapped in this way are properly validated before they are used.</p> <br/> <p> @@ -814,8 +815,8 @@ sha256Digest.update(password.getBytes());</pre> <li><code>"../../../config/overide_file"</code></li> <li><code>"shell.jsp\u0000expected.gif"</code></li> </ul> -<p>Therefore, such values should not be passed directly to the filesystem API. If acceptable, the application should generate its -own file names and use those. Otherwise, the provided filename should be properly validated to ensure it's properly structured, +<p>Therefore, such values should not be passed directly to the filesystem API. If acceptable, the application should generate its +own file names and use those. Otherwise, the provided filename should be properly validated to ensure it's properly structured, contains no unauthorized path characters (e.g., / \), and refers to an authorized file.</p> <br/> <p> 
@@ -836,17 +837,17 @@ contains no unauthorized path characters (e.g., / \), and refers to an authorize Security - Regex DOS (ReDOS) REDOS <p> - Regular expressions (regexs) are frequently subject to Denial of Service (DOS) attacks (called ReDOS). This is due to the fact that regex engines + Regular expressions (regexs) are frequently subject to Denial of Service (DOS) attacks (called ReDOS). This is due to the fact that regex engines may take a large amount of time when analyzing certain strings, depending on how the regex is defined. <p> - For example, for the regex: <b>^(a+)+$</b>, the input "<code>aaaaaaaaaaaaaaaaX</code>" will cause the regex engine to analyze 65536 + For example, for the regex: <b>^(a+)+$</b>, the input "<code>aaaaaaaaaaaaaaaaX</code>" will cause the regex engine to analyze 65536 different paths.<sup>[1] Example taken from OWASP references</sup></p> <p> -Therefore, it is possible that a single request may cause a large amount of computation on the server side. -The problem with this regex, and others like it, is that there are two different ways the same input character can be accepted by the -Regex due to the + (or a *) inside the parenthesis, and the + (or a *) outside the parenthesis. The way this is written, either + could -consume the character 'a'. To fix this, the regex should be rewritten to eliminate the ambiguity. For example, this could simply be -rewritten as: <b>^a+$</b>, which is presumably what the author meant anyway (any number of a's). Assuming that's what the original +Therefore, it is possible that a single request may cause a large amount of computation on the server side. +The problem with this regex, and others like it, is that there are two different ways the same input character can be accepted by the +Regex due to the + (or a *) inside the parenthesis, and the + (or a *) outside the parenthesis. The way this is written, either + could +consume the character 'a'. 
To fix this, the regex should be rewritten to eliminate the ambiguity. For example, this could simply be +rewritten as: <b>^a+$</b>, which is presumably what the author meant anyway (any number of a's). Assuming that's what the original regex meant, this new regex can be evaluated quickly, and is not subject to ReDOS. </p> <br/> @@ -1480,6 +1481,7 @@ could be exposed. This could allow an attacker to access unauthorized data or ma <b>References</b><br/> <a href="http://projects.webappsec.org/w/page/13246963/SQL%20Injection">WASC-39: XPath Injection</a><br/> <a href="https://www.owasp.org/index.php/Top_10_2013-A1-Injection">OWASP: Top 10 2013-A1-Injection</a><br/> +<a href="https://www.owasp.org/index.php/Top_10-2017_A1-Injection">OWASP: Top 10 2017-A1-Injection</a><br/> <a href="http://cwe.mitre.org/data/definitions/643.html">CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')</a><br/> <a href="https://www.securecoding.cert.org/confluence/pages/viewpage.action?pageId=61407250">CERT: IDS09-J. Prevent XPath Injection (archive)</a><br/> <a href="http://media.blackhat.com/bh-eu-12/Siddharth/bh-eu-12-Siddharth-Xpath-WP.pdf">Black Hat Europe 2012: Hacking XPath 2.0</a><br/> @@ -1495,7 +1497,7 @@ could be exposed. This could allow an attacker to access unauthorized data or ma Security - Found Struts 1 endpoint STRUTS1_ENDPOINT <p>This class is a Struts 1 Action.</p> -<p>Once a request is routed to this controller, a Form object will automatically be instantiated that contains the HTTP parameters. +<p>Once a request is routed to this controller, a Form object will automatically be instantiated that contains the HTTP parameters. The use of these parameters should be reviewed to make sure they are used safely.</p> security 
@@ -1504,7 +1506,7 @@ The use of these parameters should be reviewed to make sure they are used safely STRUTS2_ENDPOINT <p>In Struts 2, the endpoints are Plain Old Java Objects (POJOs) which means no Interface/Class needs to be implemented/extended.</p> <p>When a request is routed to its controller (like the selected class), the supplied HTTP parameters are automatically mapped to setters for -the class. Therefore, all setters of this class should be considered as untrusted input even if the form doesn't include those values. +the class. Therefore, all setters of this class should be considered as untrusted input even if the form doesn't include those values. An attacker can simply provide additional values in the request, and they will be set in the object anyway, as long as that object has such a setter. The use of these parameters should be reviewed to make sure they are used safely.</p> security @@ -1652,6 +1654,7 @@ createQuery("select * from User where id = '"+Encoder.encodeForSQL(inputId)+"'") <a href="http://capec.mitre.org/data/definitions/66.html">CAPEC-66: SQL Injection</a><br/> <a href="http://cwe.mitre.org/data/definitions/89.html">CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')</a><br/> <a href="https://www.owasp.org/index.php/Top_10_2013-A1-Injection">OWASP: Top 10 2013-A1-Injection</a><br/> +<a href="https://www.owasp.org/index.php/Top_10-2017_A1-Injection">OWASP: Top 10 2017-A1-Injection</a><br/> <a href="https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet">OWASP: SQL Injection Prevention Cheat Sheet</a><br/> <a href="https://www.owasp.org/index.php/Query_Parameterization_Cheat_Sheet">OWASP: Query Parameterization Cheat Sheet</a><br/> </p> 
@@ -1708,6 +1711,7 @@ BasePeer.executeQuery("select * from Customer where id = '"+Encoder.encodeForSQL <a href="http://capec.mitre.org/data/definitions/66.html">CAPEC-66: SQL Injection</a><br/> <a href="http://cwe.mitre.org/data/definitions/89.html">CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')</a><br/> <a href="https://www.owasp.org/index.php/Top_10_2013-A1-Injection">OWASP: Top 10 2013-A1-Injection</a><br/> +<a href="https://www.owasp.org/index.php/Top_10-2017_A1-Injection">OWASP: Top 10 2017-A1-Injection</a><br/> <a href="https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet">OWASP: SQL Injection Prevention Cheat Sheet</a><br/> <a href="https://www.owasp.org/index.php/Query_Parameterization_Cheat_Sheet">OWASP: Query Parameterization Cheat Sheet</a><br/> </p> @@ -1760,6 +1764,7 @@ q.execute();</pre> <a href="http://capec.mitre.org/data/definitions/66.html">CAPEC-66: SQL Injection</a><br/> <a href="http://cwe.mitre.org/data/definitions/89.html">CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')</a><br/> <a href="https://www.owasp.org/index.php/Top_10_2013-A1-Injection">OWASP: Top 10 2013-A1-Injection</a><br/> +<a href="https://www.owasp.org/index.php/Top_10-2017_A1-Injection">OWASP: Top 10 2017-A1-Injection</a><br/> <a href="https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet">OWASP: SQL Injection Prevention Cheat Sheet</a><br/> <a href="https://www.owasp.org/index.php/Query_Parameterization_Cheat_Sheet">OWASP: Query Parameterization Cheat Sheet</a><br/> </p> 
@@ -1802,6 +1807,7 @@ q.execute(input);</pre> <a href="http://capec.mitre.org/data/definitions/66.html">CAPEC-66: SQL Injection</a><br/> <a href="http://cwe.mitre.org/data/definitions/89.html">CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')</a><br/> <a href="https://www.owasp.org/index.php/Top_10_2013-A1-Injection">OWASP: Top 10 2013-A1-Injection</a><br/> +<a href="https://www.owasp.org/index.php/Top_10-2017_A1-Injection">OWASP: Top 10 2017-A1-Injection</a><br/> <a href="https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet">OWASP: SQL Injection Prevention Cheat Sheet</a><br/> <a href="https://www.owasp.org/index.php/Query_Parameterization_Cheat_Sheet">OWASP: Query Parameterization Cheat Sheet</a><br/> </p> @@ -1847,6 +1853,7 @@ UserEntity res = q.getSingleResult();</pre> <a href="http://capec.mitre.org/data/definitions/66.html">CAPEC-66: SQL Injection</a><br/> <a href="http://cwe.mitre.org/data/definitions/89.html">CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')</a><br/> <a href="https://www.owasp.org/index.php/Top_10_2013-A1-Injection">OWASP: Top 10 2013-A1-Injection</a><br/> +<a href="https://www.owasp.org/index.php/Top_10-2017_A1-Injection">OWASP: Top 10 2017-A1-Injection</a><br/> <a href="https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet">OWASP: SQL Injection Prevention Cheat Sheet</a><br/> <a href="https://www.owasp.org/index.php/Query_Parameterization_Cheat_Sheet">OWASP: Query Parameterization Cheat Sheet</a><br/> </p> 
@@ -1884,6 +1891,7 @@ int count = jdbc.queryForObject("select count(*) from Users where name = ?", Int <a href="http://capec.mitre.org/data/definitions/66.html">CAPEC-66: SQL Injection</a><br/> <a href="http://cwe.mitre.org/data/definitions/89.html">CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')</a><br/> <a href="https://www.owasp.org/index.php/Top_10_2013-A1-Injection">OWASP: Top 10 2013-A1-Injection</a><br/> +<a href="https://www.owasp.org/index.php/Top_10-2017_A1-Injection">OWASP: Top 10 2017-A1-Injection</a><br/> <a href="https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet">OWASP: SQL Injection Prevention Cheat Sheet</a><br/> <a href="https://www.owasp.org/index.php/Query_Parameterization_Cheat_Sheet">OWASP: Query Parameterization Cheat Sheet</a><br/> </p> @@ -1923,6 +1931,7 @@ updateSales.setString(2, coffeeName);</pre> <a href="http://capec.mitre.org/data/definitions/66.html">CAPEC-66: SQL Injection</a><br/> <a href="http://cwe.mitre.org/data/definitions/89.html">CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')</a><br/> <a href="https://www.owasp.org/index.php/Top_10_2013-A1-Injection">OWASP: Top 10 2013-A1-Injection</a><br/> +<a href="https://www.owasp.org/index.php/Top_10-2017_A1-Injection">OWASP: Top 10 2017-A1-Injection</a><br/> <a href="https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet">OWASP: SQL Injection Prevention Cheat Sheet</a><br/> <a href="https://www.owasp.org/index.php/Query_Parameterization_Cheat_Sheet">OWASP: Query Parameterization Cheat Sheet</a><br/> </p> 
@@ -1963,6 +1972,7 @@ Cursor cursor = this.getReadableDatabase().rawQuery(query,new String[] {userInpu <a href="http://capec.mitre.org/data/definitions/66.html">CAPEC-66: SQL Injection</a><br/> <a href="http://cwe.mitre.org/data/definitions/89.html">CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')</a><br/> <a href="https://www.owasp.org/index.php/Top_10_2013-A1-Injection">OWASP: Top 10 2013-A1-Injection</a><br/> +<a href="https://www.owasp.org/index.php/Top_10-2017_A1-Injection">OWASP: Top 10 2017-A1-Injection</a><br/> <a href="https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet">OWASP: SQL Injection Prevention Cheat Sheet</a><br/> <a href="https://www.owasp.org/index.php/Query_Parameterization_Cheat_Sheet">OWASP: Query Parameterization Cheat Sheet</a><br/> </p> @@ -1990,6 +2000,7 @@ Therefore, the primary defense against LDAP injection is strong input validation <b>References</b><br/> <a href="http://projects.webappsec.org/w/page/13246947/LDAP%20Injection">WASC-29: LDAP Injection</a><br/> <a href="https://www.owasp.org/index.php/Top_10_2013-A1-Injection">OWASP: Top 10 2013-A1-Injection</a><br/> +<a href="https://www.owasp.org/index.php/Top_10-2017_A1-Injection">OWASP: Top 10 2017-A1-Injection</a><br/> <a href="http://cwe.mitre.org/data/definitions/90.html">CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')</a><br/> <a href="http://www.veracode.com/security/ldap-injection">LDAP Injection Guide: Learn How to Detect LDAP Injections and Improve LDAP Security</a> </p> 
@@ -2299,7 +2310,7 @@ The project <a href="https://github.com/javabeanz/owasp-security-logging"> EXTERNAL_CONFIG_CONTROL <p> Allowing external control of system settings can disrupt service or cause an application - to behave in unexpected, and potentially malicious ways. + to behave in unexpected, and potentially malicious ways. An attacker could cause an error by providing a nonexistent catalog name or connect to an unauthorized portion of the database. </p> @@ -2319,7 +2330,7 @@ The project <a href="https://github.com/javabeanz/owasp-security-logging"> Security - Bad hexadecimal concatenation BAD_HEXA_CONVERSION - <p>When converting a byte array containing a hash signature to a human readable string, a conversion mistake can be made if + <p>When converting a byte array containing a hash signature to a human readable string, a conversion mistake can be made if the array is read byte by byte. The following sample illustrates the use of Integer.toHexString() which will trim any leading zeroes from each byte of the computed hash value. <pre> @@ -2334,7 +2345,7 @@ for(byte b :resultBytes) { return stringBuilder.toString();</pre> </p> <p> -This mistake weakens the hash value computed since it introduces more collisions. +This mistake weakens the hash value computed since it introduces more collisions. For example, the hash values "0x0679" and "0x6709" would both output as "679" for the above function. </p> @@ -2372,7 +2383,7 @@ In this situation, the use of toHexString() should be replaced with String.forma Security - NullCipher is insecure NULL_CIPHER <p> -The NullCipher is rarely used intentionally in production applications. It implements the Cipher interface by returning ciphertext +The NullCipher is rarely used intentionally in production applications. It implements the Cipher interface by returning ciphertext identical to the supplied plaintext. In a few contexts, such as testing, a NullCipher may be appropriate. </p> <p> 
@@ -2421,6 +2432,7 @@ to do this correctly. <b>References</b><br/> <a href="https://www.owasp.org/index.php/Top_10_2010-A9">OWASP: Top 10 2010-A9-Insufficient Transport Layer Protection</a><br/> <a href="https://www.owasp.org/index.php/Top_10_2013-A6-Sensitive_Data_Exposure">OWASP: Top 10 2013-A6-Sensitive Data Exposure</a><br/> +<a href="https://www.owasp.org/index.php/Top_10-2017_A3-Sensitive_Data_Exposure">OWASP: Top 10 2017-A3-Sensitive Data Exposure</a><br/> <a href="https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet">OWASP: Transport Layer Protection Cheat Sheet</a><br/> <a href="http://projects.webappsec.org/w/page/13246945/Insufficient%20Transport%20Layer%20Protection">WASC-04: Insufficient Transport Layer Protection</a><br/> <a href="http://cwe.mitre.org/data/definitions/319.html">CWE-319: Cleartext Transmission of Sensitive Information</a> @@ -2456,6 +2468,7 @@ to do this correctly. <b>References</b><br/> <a href="https://www.owasp.org/index.php/Top_10_2010-A9">OWASP: Top 10 2010-A9-Insufficient Transport Layer Protection</a><br/> <a href="https://www.owasp.org/index.php/Top_10_2013-A6-Sensitive_Data_Exposure">OWASP: Top 10 2013-A6-Sensitive Data Exposure</a><br/> +<a href="https://www.owasp.org/index.php/Top_10-2017_A3-Sensitive_Data_Exposure">OWASP: Top 10 2017-A3-Sensitive Data Exposure</a><br/> <a href="https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet">OWASP: Transport Layer Protection Cheat Sheet</a><br/> <a href="http://projects.webappsec.org/w/page/13246945/Insufficient%20Transport%20Layer%20Protection">WASC-04: Insufficient Transport Layer Protection</a><br/> <a href="http://cwe.mitre.org/data/definitions/319.html">CWE-319: Cleartext Transmission of Sensitive Information</a> 
@@ -2593,7 +2606,7 @@ certainly shared in open source. To be managed safely, passwords and secret keys SecretKeySpec spec = new SecretKeySpec(key, "AES"); Cipher aes = Cipher.getInstance("AES"); aes.init(Cipher.ENCRYPT_MODE, spec); -return aesCipher.doFinal(secretData);</pre> +return aesCipher.doFinal(secretData);</pre> </p> <br/> <p> @@ -2705,6 +2718,7 @@ the XSS protection rules defined in the OWASP XSS Prevention Cheat Sheet. <a href="http://projects.webappsec.org/w/page/13246920/Cross%20Site%20Scripting">WASC-8: Cross Site Scripting</a><br/> <a href="https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet">OWASP: XSS Prevention Cheat Sheet</a><br/> <a href="https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_%28XSS%29">OWASP: Top 10 2013-A3: Cross-Site Scripting (XSS)</a><br/> +<a href="https://www.owasp.org/index.php/Top_10-2017_A7-Cross-Site_Scripting_%28XSS%29">OWASP: Top 10 2017-A7: Cross-Site Scripting (XSS)</a><br/> <a href="http://cwe.mitre.org/data/definitions/79.html">CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')</a> </p> owasp-a7 
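Review bot: The hard-coded-key sample in the `@@ -2593` hunk still ends with `return aesCipher.doFinal(secretData);` while the Cipher created two lines earlier is named `aes`, so the snippet cannot compile as written; since the commit already touches this line for trailing whitespace, it should also read `return aes.doFinal(secretData);`. The sample also calls `Cipher.getInstance("AES")` without a mode or padding, which leaves the choice to the provider (the JDK default is ECB), so a rule set that separately flags ECB_MODE might prefer a fully qualified transformation in its own example. The second hunk on this line (`@@ -2705`) only adds a reference link and needs nothing.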
@@ -2947,11 +2961,11 @@ A potential XSS was found. It could be used to execute unwanted JavaScript in a }</pre> </p> <p> -The best defense against XSS is context sensitive output encoding like the example above. There are typically 4 contexts to consider: +The best defense against XSS is context sensitive output encoding like the example above. There are typically 4 contexts to consider: HTML, JavaScript, CSS (styles), and URLs. Please follow the XSS protection rules defined in the OWASP XSS Prevention Cheat Sheet, which explains these defenses in significant detail. </p> -<p>Note that this XSS in Servlet rule looks for similar issues, but looks for them in a different way than the existing +<p>Note that this XSS in Servlet rule looks for similar issues, but looks for them in a different way than the existing 'XSS: Servlet reflected cross site scripting vulnerability' and 'XSS: Servlet reflected cross site scripting vulnerability in error page' rules in FindBugs. </p> <br/> @@ -2960,6 +2974,7 @@ which explains these defenses in significant detail. <a href="http://projects.webappsec.org/w/page/13246920/Cross%20Site%20Scripting">WASC-8: Cross Site Scripting</a><br/> <a href="https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet">OWASP: XSS Prevention Cheat Sheet</a><br/> <a href="https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_%28XSS%29">OWASP: Top 10 2013-A3: Cross-Site Scripting (XSS)</a><br/> +<a href="https://www.owasp.org/index.php/Top_10-2017_A7-Cross-Site_Scripting_%28XSS%29">OWASP: Top 10 2017-A7: Cross-Site Scripting (XSS)</a><br/> <a href="http://cwe.mitre.org/data/definitions/79.html">CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')</a><br/> <a href="https://code.google.com/p/owasp-java-encoder/">OWASP Java Encoder</a><br/> </p> 
@@ -3059,9 +3074,9 @@ public void encrypt(String message) throws Exception { Security - ECB mode is insecure ECB_MODE - <p>An authentication cipher mode which provides better confidentiality of the encrypted data should be used instead of Electronic Codebook (ECB) mode, -which does not provide good confidentiality. Specifically, ECB mode produces the same output for the same input each time. So, -for example, if a user is sending a password, the encrypted value is the same each time. This allows an attacker to intercept + <p>An authentication cipher mode which provides better confidentiality of the encrypted data should be used instead of Electronic Codebook (ECB) mode, +which does not provide good confidentiality. Specifically, ECB mode produces the same output for the same input each time. So, +for example, if a user is sending a password, the encrypted value is the same each time. This allows an attacker to intercept and replay the data.</p> <p> To fix this, something like Galois/Counter Mode (GCM) should be used instead. 
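Review bot: The rewritten ECB_MODE description in `@@ -3059` still opens with `An authentication cipher mode which provides better confidentiality`, which is not an established term; the paragraph goes on to recommend GCM, so the intended notion is an authenticated encryption mode. While these three lines are being rewritten for whitespace anyway, the first should read `<p>An authenticated encryption mode, which provides both confidentiality and integrity, should be used instead of Electronic Codebook (ECB) mode,`. The rest of the description lies outside the hunk.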
@@ -3128,11 +3143,11 @@ byte[] cipherText = c.doFinal(plainText);</pre> Security - Cipher with no integrity CIPHER_INTEGRITY <p> - The ciphertext produced is susceptible to alteration by an adversary. This mean that the cipher provides no way to detect that the + The ciphertext produced is susceptible to alteration by an adversary. This mean that the cipher provides no way to detect that the data has been tampered with. If the ciphertext can be controlled by an attacker, it could be altered without detection. </p> <p> - The solution is to used a cipher that includes a Hash based Message Authentication Code (HMAC) to sign the data. Combining a HMAC function to the + The solution is to used a cipher that includes a Hash based Message Authentication Code (HMAC) to sign the data. Combining a HMAC function to the existing cipher is prone to error <sup><a href="http://www.thoughtcrime.org/blog/the-cryptographic-doom-principle/">[1]</a></sup>. Specifically, it is always recommended that you be able to verify the HMAC first, and only if the data is unmodified, do you then perform any cryptographic functions on the data. @@ -3484,6 +3499,7 @@ function updateDescription(newDescription) { <a href="http://projects.webappsec.org/w/page/13246920/Cross%20Site%20Scripting">WASC-8: Cross Site Scripting</a><br/> <a href="https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet">OWASP: XSS Prevention Cheat Sheet</a><br/> <a href="https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_%28XSS%29">OWASP: Top 10 2013-A3: Cross-Site Scripting (XSS)</a><br/> + <a href="https://www.owasp.org/index.php/Top_10-2017_A7-Cross-Site_Scripting_%28XSS%29">OWASP: Top 10 2017-A7: Cross-Site Scripting (XSS)</a><br/> <a href="http://cwe.mitre.org/data/definitions/79.html">CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')</a> </p> owasp-a7 
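Review bot: The two CIPHER_INTEGRITY lines rewritten in `@@ -3128` keep their grammatical errors: `This mean that the cipher provides no way` should be `This means that the cipher provides no way`, and `The solution is to used a cipher` should be `The solution is to use a cipher`. The same sentence says an HMAC is used to `sign the data`; an HMAC authenticates rather than signs, so `to authenticate the data` is the accurate wording. The second hunk on this line (`@@ -3484`) only adds a reference link.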
@@ -4043,7 +4059,7 @@ ctx.search(query, filter, Security - Persistent Cookie Usage COOKIE_PERSISTENT <p> -Storing sensitive data in a persistent cookie for an extended period of time can lead to a breach of confidentiality or account compromise. +Storing sensitive data in a persistent cookie for an extended period of time can lead to a breach of confidentiality or account compromise. </p> <p> <b>Explanation:</b><br/> @@ -4088,8 +4104,8 @@ URL rewriting has significant security risks. Since session ID appears in the UR </p> <p> <b>Vulnerable Code:</b><br/> -<pre>out.println("Click &lt;a href=" + - res.encodeURL(HttpUtils.getRequestURL(req).toString()) + +<pre>out.println("Click &lt;a href=" + + res.encodeURL(HttpUtils.getRequestURL(req).toString()) + "&gt;here&lt;/a&gt;");</pre> </p> <p> @@ -4213,9 +4229,9 @@ An attacker may be able to forge a request parameter to match sensitive file loc </p> <p> <b>Vulnerable Code:</b><br/> -<pre>... -String returnURL = request.getParameter("returnURL"); -Return new ActionForward(returnURL); +<pre>... +String returnURL = request.getParameter("returnURL"); +Return new ActionForward(returnURL); ...</pre> </p> <p> @@ -4239,9 +4255,9 @@ An attacker may be able to forge a request parameter to match sensitive file loc </p> <p> <b>Vulnerable Code:</b><br/> -<pre>... +<pre>... String returnURL = request.getParameter("returnURL"); -return new ModelAndView(returnURL); +return new ModelAndView(returnURL); ...</pre> </p> <p> @@ -4394,4 +4410,4 @@ Transport.send(message); cwe security - \ No newline at end of file + diff --git a/src/main/resources/org/sonar/plugins/findbugs/rules-jsp.xml b/src/main/resources/org/sonar/plugins/findbugs/rules-jsp.xml index 72f2bd25..80aa2a03 100644 --- a/src/main/resources/org/sonar/plugins/findbugs/rules-jsp.xml +++ b/src/main/resources/org/sonar/plugins/findbugs/rules-jsp.xml 
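Review bot: In the `@@ -4213` hunk the Vulnerable Code sample is rewritten but still contains `Return new ActionForward(returnURL);` with a capital R, which is not valid Java and does not match the parallel sample in `@@ -4239` (`return new ModelAndView(returnURL);`); since the line is already changed for whitespace, it should read `return new ActionForward(returnURL);`. The other hunks on this line (`@@ -4043`, `@@ -4088`, `@@ -4394`) are whitespace and end-of-file newline fixes only.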
@@ -82,6 +82,7 @@ attacker gets the ability to execute any code. <a href="http://projects.webappsec.org/w/page/13246920/Cross%20Site%20Scripting">WASC-8: Cross Site Scripting</a><br/> <a href="https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet">OWASP: XSS Prevention Cheat Sheet</a><br/> <a href="https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_%28XSS%29">OWASP: Top 10 2013-A3: Cross-Site Scripting (XSS)</a><br/> +<a href="https://www.owasp.org/index.php/Top_10-2017_A7-Cross-Site_Scripting_%28XSS%29">OWASP: Top 10 2017-A7: Cross-Site Scripting (XSS)</a><br/> <a href="http://cwe.mitre.org/data/definitions/79.html">CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')</a><br/> <a href="http://docs.oracle.com/javaee/5/jstl/1.1/docs/tlddocs/c/out.html">JSTL Javadoc: Out tag</a><br/> </p> @@ -115,7 +116,7 @@ String taintedInput = (String) request.getAttribute("input"); </pre> </p> <p> -The best defense against XSS is context sensitive output encoding like the example above. There are typically 4 contexts to consider: +The best defense against XSS is context sensitive output encoding like the example above. There are typically 4 contexts to consider: HTML, JavaScript, CSS (styles), and URLs. Please follow the XSS protection rules defined in the OWASP XSS Prevention Cheat Sheet, which explains these defenses in significant detail. </p> 
@@ -125,6 +126,7 @@ which explains these defenses in significant detail. <a href="http://projects.webappsec.org/w/page/13246920/Cross%20Site%20Scripting">WASC-8: Cross Site Scripting</a><br/> <a href="https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet">OWASP: XSS Prevention Cheat Sheet</a><br/> <a href="https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_%28XSS%29">OWASP: Top 10 2013-A3: Cross-Site Scripting (XSS)</a><br/> +<a href="https://www.owasp.org/index.php/Top_10-2017_A7-Cross-Site_Scripting_%28XSS%29">OWASP: Top 10 2017-A7: Cross-Site Scripting (XSS)</a><br/> <a href="http://cwe.mitre.org/data/definitions/79.html">CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')</a><br/> <a href="https://code.google.com/p/owasp-java-encoder/">OWASP Java Encoder</a><br/> </p> @@ -187,4 +189,4 @@ consider using a commercial static analysis or pen-testing tool. jsp security - \ No newline at end of file +