Semgrep rules¶
Boost is maintaining its own set of Semgrep rules. Below is the list of available rules per languages.
c, cpp¶
| Name | Identifiers | Description |
|---|---|---|
| Use of deprecated function (gets) | c_buffer_rule-gets--getts, CWE-120 | Severity: High The gets() function reads a line from stdin into the provided buffer until either a terminating newline or EOF. This terminating newline or EOF is replaced with a null byte Usage of For more information please see: fgets OWASP:
|
| Insufficient protection against buffer overflow (getwd) | c_buffer_rule-getwd, CWE-120 | Severity: High
For more information please see: getcwd OWASP:
|
| scanf() functions may allow format string based overflows | c_buffer_rule-scanf-vscanf, CWE-120 | Severity: High Format specifiers can take optional field widths, which should be used to limit how many characters are copied into the target buffer. For more information please see: scanf Example: If developing for C Runtime Library (CRT), more secure versions of these functions should be used, see: scanf-s-scanf-s-l-wscanf-s-wscanf-s-l OWASP:
|
| Potential format string vulnerability | c_format_rule-fprintf-vfprintf, CWE-134 | Severity: High Format string vulnerabilities allow an attacker to read or in some cases, potentially write data to and from locations in the processes' memory. To prevent against format string attacks, do not allow users or un-validated input to provide the format specification. Consider using a constant for the format specification, or only allow specific characters to be provided to the format argument for the For more information please see: fprintf For more information on format string attacks please see OWASP's attack guide: Format_string_attack OWASP:
|
| Potential format string vulnerability | c_format_rule-printf-vprintf, CWE-134 | Severity: High Format string vulnerabilities allow an attacker to read or in some cases, potentially write data to and from locations in the processes' memory. To prevent against format string attacks, do not allow users or un-validated input to provide the format specification. Consider using a constant for the format specification, or only allow specific characters to be provided to the format argument for the For more information please see: fprintf For more information on format string attacks please see OWASP's attack guide: Format_string_attack OWASP:
|
| Potential format string vulnerability | c_format_rule-snprintf-vsnprintf, CWE-134 | Severity: High Format string vulnerabilities allow an attacker to read or in some cases, potentially write data to and from locations in the processes' memory. To prevent against format string attacks, do not allow users or un-validated input to provide the format specification. Consider using a constant for the format specification, or strip all format specifiers from the input prior to calling the Note that some variations of this function do not always null terminate the strings. For more information on using snprintf please see: snprintf For more information on format string attacks please see OWASP's attack guide: Format_string_attack OWASP:
|
| Potential format string vulnerability in syslog call | c_format_rule-syslog, CWE-134 | Severity: High Format string vulnerabilities allow an attacker to read or in some cases, potentially write data to and from locations in the processes' memory. To prevent against format string attacks, do not allow users or un-validated input to provide the format specification. Consider using a constant for the format specification, or strip all format specifiers from the input prior to calling the For more information please see: 67.html OWASP:
|
| Possible executable path hijacking (CreateProcess) | c_shell_rule-CreateProcess, CWE-78 | Severity: High Due to how Ensure that quotation marks around the executable path are used, such as: For more information, please see MSDNs documentation at: nf-processthreadsapi-createprocessa OWASP:
|
| Possible executable path hijacking (CreateProcessAsUser / CreateProcessWithLogon) | c_shell_rule-CreateProcessAsUser-CreateProcessWithLogon, CWE-78 | Severity: High Due to how Ensure that quotation marks around the executable path are used, such as: For more information, please see MSDNs documentation at: nf-processthreadsapi-createprocessasusera OWASP:
|
| Potential for OS command injection | c_shell_rule-execl-execlp, CWE-78 | Severity: High It is generally not recommended to call out to the operating system to execute commands. When the application is executing file system based commands, user input should never be used in constructing commands or command arguments. If possible, determine if a library can be used instead to provide the same functionality. Otherwise, consider hard coding both the command and arguments to be used, or at the very least restricting which arguments can be passed to the command execution function. Please see the compliant solutions in the following page: viewpage.action OWASP:
|
| Potential for OS command injection | c_shell_rule-system, CWE-78 | Severity: High It is generally not recommended to call out to the operating system to execute commands. When the application is executing file system based commands, user input should never be used in constructing commands or command arguments. If possible, determine if a library can be used instead to provide the same functionality. Otherwise, consider hard coding both the command and arguments to be used, or at the very least restricting which arguments can be passed to the command execution function. For more information please see: viewpage.action OWASP:
|
| Insecure encryption algorithm (DES) | c_crypto_rule-EVP-des-ecb-EVP-des-cbc, CWE-327 | Severity: Medium The DES algorithm has not been recommended for over 15 years and was withdrawn from NIST (FIPS Consider using libsodium's For more information please see: secretbox. If you must be FIPS compliant, consider using OpenSSLs AES or 3DES ciphers. OWASP:
|
| Insecure stream cipher (RC4) | c_crypto_rule-EVP-rc4-40-EVP-rc2-40-cbc, CWE-327 | Severity: Medium The RC4 algorithm is vulnerable to many attacks and should no longer be used for encrypting data streams. Consider using libsodium's If you must be FIPS compliant, consider using OpenSSLs AES or 3DES ciphers. OWASP:
|
| Insecure hashing algorithm | c_crypto_rule-crypt-crypt-r, CWE-327 | Severity: Medium The crypt functions are not recommended due to the significantly small key space. Modern hardware can crack crypt produced passwords relatively quickly. Consider using the Argon2id password hashing algorithm provided by libsodium. For more information please see: password_hashing. OWASP:
|
| Use of deprecated function (mktemp) | c_tmpfile_rule-mktemp, CWE-377 | Severity: Medium The Consider using the For more information on temporary files please see: viewpage.action OWASP:
|
| Potential time of check time of use vulnerability (tmpnam / tempnam) | c_tmpfile_rule-tmpnam-tempnam, CWE-377 | Severity: Medium There exists a possible race condition in between the time that Consider using the For more information on temporary files please see: viewpage.action OWASP:
|
csharp¶
| Name | Identifiers | Description |
|---|---|---|
| Deserialization of potentially untrusted data | csharp_deserialization_rule-InsecureDeserialization, CWE-502 | Severity: High Deserialization attacks exploit the process of reading serialized data and turning it back into an object. By constructing malicious objects and serializing them, an adversary may attempt to:
Microsoft recommends no longer using the following serialization formats:
Consider safer alternatives such as serializing data in the JSON format. Ensure any format chosen allows the application to specify exactly which object types are allowed to be deserialized. Additionally, when deserializing, never deserialize to base object types like To protect against mass assignment, only allow deserialization of the specific fields that are required. If this is not easily done, consider creating an intermediary type that can be serialized with only the necessary fields exposed. For more information see Microsoft's deserialization security guide: binaryformatter-security-guide For more details on deserialization attacks in general, see OWASP's guide: Deserialization_Cheat_Sheet.html It should be noted that tools exist to automatically create exploit code for these vulnerabilities. OWASP:
|
| Improper neutralization of special elements used in an OS command ('OS Command Injection') | csharp_injection_rule-CommandInjection, CWE-78 | Severity: High OS command injection is a critical vulnerability that can lead to a full system compromise as it may allow an adversary to pass in arbitrary commands or arguments to be executed. User input should never be used in constructing commands or command arguments to functions which execute OS commands. This includes filenames supplied by user uploads or downloads. Ensure your application does not:
The application should have a hardcoded set of arguments that are to be passed to OS commands. If filenames are being passed to these functions, it is recommended that a hash of the filename be used instead, or some other unique identifier. It is strongly recommended that a native library that implements the same functionality be used instead of using OS system commands, due to the risk of unknown attacks against third party commands. When specifying the OS command, ensure the application uses the full path information, otherwise the OS may attempt to look up which process to execute and could be vulnerable to untrusted search path vulnerabilities (CWE-426). Example of safely executing an OS command: For more information on OS command injection, see OWASP's guide: OS_Command_Injection_Defense_Cheat_Sheet.html OWASP:
|
| XML injection (aka Blind XPath injection) | csharp_other_rule-UnsafeXSLTSettingUsed, CWE-91 | Severity: High By setting For increased security:
If the application must calculate values from XML input, instead of using XSL scripts to execute functions, modify the XML document prior to running the Example of modifying the XML prior to running
|
| Certificate validation disabled | csharp_crypto_rule-CertificateValidationDisabled, CWE-295 | Severity: Medium The This allows for an adversary who is in between the application and the target host to intercept potentially sensitive information or transmit malicious data. Remove the callback function that is returning true to allow normal certificate validation to proceed. When no callback is provided, the client will validate that the certificate name matches the hostname that was used when creating the request. For more information on the
|
| Use of a broken or risky cryptographic algorithm | csharp_crypto_rule-WeakCipherAlgorithm, CWE-327 | Severity: Medium DES, TripleDES and RC2 are all considered broken or insecure cryptographic algorithms. If using .NET Framework greater than version 6.0 consider using For older applications, Example using Example using
|
| Use of a broken or risky cryptographic algorithm | csharp_crypto_rule-WeakCipherMode, CWE-327 | Severity: Medium Cryptographic algorithms provide many different modes of operation, only some of which provide message integrity. Without message integrity it could be possible for an adversary to attempt to tamper with the ciphertext which could lead to compromising the encryption key. Newer algorithms apply message integrity to validate ciphertext has not been tampered with. Instead of using an algorithm that requires configuring a For older applications, Example using Example using
|
| Use of a broken or risky cryptographic algorithm (SHA1 / MD5) | csharp_crypto_rule-WeakHashingFunction, CWE-327 | Severity: Medium Both MD5 and SHA1 hash algorithms have been found to be vulnerable to producing collisions. This means that two different values, when hashed, can lead to the same hash value. If the application is trying to use these hash methods for storing passwords, then it is recommended to switch to a password hashing algorithm such as Argon2id or PBKDF2. Currently there is no vetted Argon2id implementation for C# so it is recommended that PBKDF2 be used until one is available. Example using PBKDF2 to generate and compare passwords: For more information on PBKDF2 see: system.security.cryptography.rfc2898derivebytes For more information on secure password storage see OWASP: Password_Storage_Cheat_Sheet.html OWASP:
|
| Use of cryptographically weak Pseudo-Random Number Generator (PRNG) | csharp_crypto_rule-WeakRNG, CWE-338 | Severity: Medium Depending on the context, generating weak random numbers may expose cryptographic functions which rely on these numbers to be exploitable. When generating numbers for sensitive values such as tokens, nonces, and cryptographic keys, it is recommended that the Example For more information see: system.security.cryptography.randomnumbergenerator OWASP:
|
| Potential Cross-Site Request Forgery (CSRF) | csharp_csrf_rule-Csrf, CWE-352 | Severity: Medium The application failed to protect against Cross-Site Request Forgery (CSRF) The vulnerability can be exploited by an adversary creating a link or form on a third party site and tricking an authenticated victim to access them. Add the Alternatively, applications can enable a global For more information on ValidateAntiForgeryToken and other CSRF protections in .NET see the following URL: anti-request-forgery Additionally, consider setting all session cookies to have the For more information on CSRF see OWASP's guide: csrf OWASP:
|
| Improper neutralization of special elements used in an LDAP query ('LDAP Injection') | csharp_injection_rule-LdapInjection, CWE-90 | Severity: Medium LDAP injection attacks exploit LDAP queries to influence how data is returned by the LDAP, or in this case an Active Directory server. It is recommended that newer applications use the It is recommended that all input passed to LDAP querying systems encode the following values:
Example code that safely encodes input for use in an LDAP query using the The same encoding method shown in For more information see OWASP's guide: LDAP_Injection_Prevention_Cheat_Sheet.html OWASP:
|
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | csharp_injection_rule-SQLInjection, CWE-89 | Severity: Medium SQL Injection is a critical vulnerability that can lead to data or system compromise. By dynamically generating SQL query strings, user input may be able to influence the logic of the SQL statement. This could lead to an adversary accessing information they should not have access to, or in some circumstances, being able to execute OS functionality or code. Replace all dynamically generated SQL queries with parameterized queries. In situations where dynamic queries must be created, never use direct user input, but instead use a map or dictionary of valid values and resolve them using a user supplied key. For example, some database drivers do not allow parameterized queries for Example using parameterized queries with For more information on SQL Injection see OWASP: SQL_Injection_Prevention_Cheat_Sheet.html OWASP:
|
| Improper neutralization of data within XPath expressions ('XPath Injection') | csharp_injection_rule-XPathInjection, CWE-643 | Severity: Medium XPath injection is a vulnerability that can allow an adversary to inject or modify how an XML query is structured. Depending on the logic of the original query, this could lead to adversaries extracting unauthorized information or in rare cases bypassing authorization checks. It is recommended that LINQ to XML is used instead of XPath for querying XML documents. Care must be taken to <strong>not</strong> call these LINQ functions with user input as they can still lead to XPath injection:
Example using LINQ to XML to safely extract the first user from a list of users: For more information on LINQ to XML security see: linq-xml-security For more information on XML security see OWASP's guide: XML_External_Entity_Prevention_Cheat_Sheet.html OWASP:
|
| Improper restriction of XML external entity reference ('XXE') | csharp_injection_rule-XmlDocumentXXEInjection, CWE-611 | Severity: Medium External XML entities are a feature of XML parsers that allow documents to contain references to other documents or data. This feature can be abused to read files, communicate with external hosts, exfiltrate data, or cause a Denial of Service (DoS). XML parsers and document loaders must be configured to not resolve entities. This can be done by: Example of safely loading an XML file using For more information on XML security, see OWASP's guide: XML_External_Entity_Prevention_Cheat_Sheet.html OWASP:
|
| Improper restriction of XML external entity reference ('XXE') | csharp_injection_rule-XmlReaderXXEInjection, CWE-611 | Severity: Medium External XML entities are a feature of XML parsers that allow documents to contain references to other documents or data. This feature can be abused to read files, communicate with external hosts, exfiltrate data, or cause a Denial of Service (DoS). XML parsers and document loaders must be configured to not resolve entities. This can be done by: Example of safely loading an XML file using For more information on XML security, see OWASP's guide: XML_External_Entity_Prevention_Cheat_Sheet.html OWASP:
|
| Improper limitation of a pathname to a restricted directory ('Path Traversal') | csharp_path_rule-PathTraversal, CWE-22 | Severity: Medium The application dynamically constructs file or path information. If the path information comes from user input, it could be abused to read sensitive files, access other users data, or aid in exploitation to gain further system access. User input should never be used in constructing paths or files for interacting with the filesystem. This includes filenames supplied by user uploads or downloads. If possible consider hashing user input or replacing it with unique values and use Example using For more information on path traversal issues see OWASP: Path_Traversal OWASP:
|
| Improper neutralization of input during web page generation ('Cross-site Scripting') | csharp_xss_rule-HtmlElementXss, CWE-79 | Severity: Medium Cross Site Scripting (XSS) is an attack which exploits a web application or system to treat user input as markup or script code. It is important to encode the data depending on the specific context it is used in. There are at least six context types:
It is NOT advised to encode user input prior to inserting into a data store. The data will need to be encoded depending on context of where it is output. It is much safer to force the displaying system to handle the encoding and not attempt to guess how it should be encoded. Consider using built-in framework capabilities for automatically encoding user input. Depending on output context, consider using the following For more information on protecting ASP.NET Core applications from XSS see: cross-site-scripting OWASP:*
|
| Improper neutralization of input during web page generation ('Cross-site Scripting') | csharp_xss_rule-ScriptXss, CWE-79 | Severity: Medium Cross Site Scripting (XSS) is an attack which exploits a web application or system to treat user input as markup or script code. It is important to encode the data depending on the specific context it is used in. User input that is used within the application scripts must be encoded, sanitized or validated to ensure it cannot change the behavior of the Javascript code. It is NOT advised to encode user input prior to inserting into a data store. The data will need to be encoded depending on context of where it is output. It is much safer to force the displaying system to handle the encoding and not attempt to guess how it should be encoded. Consider using built-in framework capabilities for automatically encoding user input. Depending on output context, consider using the following For more information on protecting ASP.NET Core applications from XSS see: cross-site-scripting OWASP: |
| Sensitive cookie without 'HttpOnly' flag | csharp_cookies_rule-CookieWithoutHttpOnlyFlag, CWE-1004 | Severity: Low The Example of protecting an HttpCookie: For more information see: system.web.httpcookie.httponly Session cookies should be configured with the following security directives: OWASP:
|
| Sensitive cookie in HTTPS session without 'Secure' attribute | csharp_cookies_rule-CookieWithoutSSLFlag, CWE-614 | Severity: Low The Example of protecting an HttpCookie: For more information see: system.web.httpcookie.secure Session cookies should be configured with the following security directives: OWASP:
|
| URL redirection to untrusted site 'open redirect' | csharp_endpoint_rule-UnvalidatedRedirect, CWE-601 | Severity: Info The application may allow open redirects if created using user supplied input. Open redirects are commonly abused in phishing attacks where the original domain or URL looks like a legitimate link, but then redirects a user to a malicious site. An example would be Never redirect a client based on user input. It is recommended that the list of target links to redirect a user to are contained server side, and retrieved using a numerical value as an index to return the link to be redirected to. For example, For more information on open redirects see OWASP's guide: Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html OWASP:
|
| Weak password requirements | csharp_password_rule-PasswordComplexity, CWE-521 | Severity: Info The application's Example of setting the RequiredLength to 8 in ASP.NET Core Identity: For more information on configuring ASP.NET Core Identity see: identity-configuration OWASP:
|
| ASP.NET input validation disabled | csharp_validation_rule-InputValidation, CWE-554 | Severity: Info By using the If possible, re-enable validation by using For more information on protecting ASP.NET Core applications from XSS see: cross-site-scripting Example of enabling For more information on ASP.NET request validation see OWASP: ASP-NET_Request_Validation OWASP:
|
generic¶
| Name | Identifiers | Description |
|---|---|---|
| Use of potentially dangerous function | rules_lgpl_oc_other_rule-ios-self-signed-ssl, CWE-676 | Severity: Critical App allows self signed or invalid SSL certificates. App is
|
| Improper certificate validation | rules_lgpl_oc_other_rule-ios-webview-ignore-ssl, CWE-295 | Severity: Critical UIWebView in App ignore SSL errors and accept any SSL Certificate.
|
go¶
| Name | Identifiers | Description |
|---|---|---|
| Improper neutralization of special elements used in an SQL command ('SQL Injection') | go_sql_rule-concat-sqli, CWE-89 | Severity: High SQL Injection is a critical vulnerability that can lead to data or system compromise. By dynamically generating SQL query strings, user input may be able to influence the logic of the SQL statement. This could lead to an adversary accessing information they should not have access to or in some circumstances, being able to execute OS functionality or code. Replace all dynamically generated SQL queries with parameterized queries. In situations where dynamic queries must be created, never use direct user input, but instead use a map or dictionary of valid values and resolve them using a user supplied key. For example, some database drivers do not allow parameterized queries for Example using parameterized queries with For more information on SQL Injection see OWASP: SQL_Injection_Prevention_Cheat_Sheet.html OWASP:
|
| Improper neutralization of special elements used in an OS command ('OS Command Injection') | go_subproc_rule-subproc, CWE-78 | Severity: High OS command injection is a critical vulnerability that can lead to a full system compromise as it may allow an adversary to pass in arbitrary commands or arguments to be executed. User input should never be used in constructing commands or command arguments to functions which execute OS commands. This includes filenames supplied by user uploads or downloads. Ensure your application does not:
The application should have a hardcoded set of arguments that are to be passed to OS commands. If filenames are being passed to these functions, it is recommended that a hash of the filename be used instead, or some other unique identifier. It is strongly recommended that a native library that implements the same functionality be used instead of using OS system commands, due to the risk of unknown attacks against third party commands. If operating in Windows environments, when specifying the OS command, ensure the application uses the full path information, otherwise the OS may attempt to look up which process to execute and could be vulnerable to untrusted search path vulnerabilities (CWE-426). Example of safely executing an OS command: For more information on OS command injection, see OWASP's guide: OS_Command_Injection_Defense_Cheat_Sheet.html OWASP:*
|
| Use of inherently dangerous function (unsafe package) | go_unsafe_rule-unsafe, CWE-242 | Severity: High The While powerful, access to these functions can lead to many security related issues
Unless required, all calls to the
|
| Use of a broken or risky cryptographic algorithm | go_blocklist_rule-blocklist-des, CWE-327 | Severity: Medium The DES algorithm has not been recommended for over 15 years and was withdrawn from NIST (FIPS For older applications, Example using Example using AES-256-GCM:
|
| Use of a broken or risky cryptographic algorithm | go_blocklist_rule-blocklist-md5, CWE-327 | Severity: Medium The MD5 message-digest algorithm has been cryptographically broken and is unsuitable for further use. The MD5 hash algorithm has been found to be vulnerable to producing collisions. This means that two different values, when hashed, can lead to the same hash value. It is recommended that the SHA-3 or BLAKE2 family of algorithms be used for non-password based cryptographic hashes instead. For password based cryptographic hashes, consider using the bcrypt or Argon2id family of cryptographic hashes. Hashing values using BLAKE2: Hashing and securely comparing passwords using For more information on password storage see OWASP's guide: Password_Storage_Cheat_Sheet.html OWASP:
|
| Use of a broken or risky cryptographic algorithm | go_blocklist_rule-blocklist-rc4, CWE-327 | Severity: Medium The RC4 stream-cipher has been cryptographically broken and is unsuitable for use in production. It is recommended that ChaCha20 or Advanced Encryption Standard (AES) be used instead. Consider using For older applications, Example using Example using AES-256-GCM:
|
| Use of a broken or risky cryptographic algorithm | go_blocklist_rule-blocklist-sha1, CWE-327 | Severity: Medium The SHA-1 message-digest algorithm has been cryptographically broken and is unsuitable for further use. It is recommended that the SHA-3, or BLAKE2 family of algorithms be used for non-password based cryptographic hashes instead. For password based cryptographic hashes, consider using the bcrypt or Argon2id family of cryptographic hashes. Hashing values using BLAKE2: Hashing and securely comparing passwords using For more information on password storage see OWASP's guide: Password_Storage_Cheat_Sheet.html OWASP:
|
| Use of a broken or risky cryptographic algorithm | go_crypto_rule-badtlssettings, CWE-327 | Severity: Medium Usage of a cryptographically insecure cipher suite has been detected. It is recommended that alternative ciphers be used instead. It is strongly recommended that all TLS connections use TLS 1.3 as Go will automatically choose the most secure cipher when negotiating the TLS handshake with client or servers. TLS 1.3 cipher suites are configured to require Perfect Forward Secrecy (PFS). PFS is an important property as it will ensure that past encrypted transmissions could not be decrypted if the TLS certificate was compromised. Example using TLS 1.3 for a Go server: If TLS 1.0-1.2 must be used, then the following list of ciphers should be chosen as they support Perfect Forward Secrecy (PFS):
Example For more information on cipher suites in Go see: tls-cipher-suites OWASP:
|
| Key exchange without entity authentication | go_crypto_rule-insecure-ignore-host-key, CWE-322 | Severity: Medium The application was found to ignore host keys. Host keys are important as they provide assurance that the client can prove that the host is trusted. By ignoring these host keys, it is impossible for the client to validate the connection is to a trusted host. For the Example configuration connecting to a known, trusted host:
|
| Use of deprecated TLS version | go_crypto_rule-tlsversion, CWE-310 | Severity: Medium TLS versions 1.1 and 1.0 were deprecated by the IETF in June 2018 due to Example using TLS 1.3 for a Go server:
|
| Inadequate encryption strength | go_crypto_rule-weakkeystrength, CWE-326 | Severity: Medium The application is generating an RSA key that is less than the recommended 2048 bits. The National Institute of Standards and Technology (NIST) deprecated signing Digital Certificates that contained RSA Public Keys of 1024 bits in December 2010. While To generate an RSA key of 2048 pass the number of bits as the second parameter to the
|
| Use of cryptographically weak Pseudo-Random Number Generator (PRNG) | go_crypto_rule-weakrandsource, CWE-338 | Severity: Medium Go's Replace all imports of
|
| Incorrect permission assignment for critical resource | go_file-permissions_rule-fileperm, CWE-732 | Severity: Medium The application was found setting file permissions to overly permissive values. Consider using the following values if the application user is the only process to access the file:
Example creating a file with read/write permissions for the application user: For all other values please see: File-system_permissions OWASP:
|
| Incorrect permission assignment for critical resource | go_file-permissions_rule-mkdir, CWE-732 | Severity: Medium The application was found setting directory permissions to overly permissive values. Consider using the following values if the application user is the only process to access files in the directory specified: Another common value is Example creating a directory with read/write permissions for only the application user: For all other values please see: File-system_permissions OWASP:
|
| Improper handling of highly compressed data | go_filesystem_rule-decompression-bomb, CWE-409 | Severity: Medium Directly decompressing files or buffers may lead to a potential Denial of Service (DoS) To protect against decompression bombs, an Example using
|
| Improper limitation of a pathname to a restricted directory ('Path Traversal') | go_filesystem_rule-fileread, CWE-22 | Severity: Medium The application dynamically constructs file or path information. If the path information comes from user input, it could be abused to read sensitive files, access other users data or aid in exploitation to gain further system access. User input should never be used in constructing paths or files for interacting with the filesystem. This includes filenames supplied by user uploads or downloads. If possible, consider hashing user input or replacing it with unique values. Additionally, use Example using For more information on path traversal issues see OWASP: Path_Traversal OWASP:
|
| Files or directories accessible to external parties | go_filesystem_rule-httprootdir, CWE-552 | Severity: Medium The application is potentially exposing the entire filesystem by mounting the root directory Restrict the Example server only allowing directory listing on a public directory:
|
| Incorrect default permissions | go_filesystem_rule-poorwritepermissions, CWE-276 | Severity: Medium The application was found setting file permissions to overly permissive values. Consider using the following values if the application user is the only process to access the file:
Example writing file contents with read/write permissions for the application user: For all other values please see: File-system_permissions OWASP:
|
| Creation of temporary file with insecure permissions | go_filesystem_rule-tempfiles, CWE-378 | Severity: Medium The application was found creating files in shared system temporary directories Example using
|
| Improper limitation of a pathname to a restricted directory ('Path Traversal') | go_filesystem_rule-ziparchive, CWE-22 | Severity: Medium The application may be vulnerable to a path traversal if it extracts untrusted archive files. This vulnerability is colloquially known as 'Zip Slip'. Archive files may contain folders which, when extracted, may write outside of the intended directory. This is exploited by including path traversal characters such as Extra care must be taken when extracting archive files as there are numerous concerns:
Example of securely processing an archive file: If the application must process directory names as well, use the following code:
|
| Server Side Request Forgery (SSRF) | go_injection_rule-ssrf, CWE-918 | Severity: Medium Server-Side-Request-Forgery (SSRF) exploits backend systems that initiate requests to third parties. If user input is used in constructing or sending these requests, an attacker could supply malicious data to force the request to other systems or modify request data to cause unwanted actions. Ensure user input is not used directly in constructing URLs or URIs when initiating requests to third party systems from back end systems. Care must also be taken when constructing payloads using user input. Where possible restrict to known URIs or payloads. Consider using a server side map where key's are used to return URLs such as If you must use user supplied input for requesting URLs, it is strongly recommended that the HTTP client chosen allows you to customize and block certain IP ranges at the network level. By blocking RFC 1918 If you can not block address ranges at the client level, you may want to run the HTTP client as a protected user, or in a protected network where you can apply IP Table or firewall rules to block access to dangerous addresses. Finally, if none of the above protections are available, you could also run a custom HTTP proxy and force all requests through it to handle blocking dangerous addresses. Example HTTP client that disallows access to loopback and RFC-1918 addresses For more information on SSRF see OWASP: Server_Side_Request_Forgery OWASP:*
|
| Improper neutralization of input during web page generation ('Cross-site Scripting') | go_injection_rule-template-injection, CWE-79 | Severity: Medium Cross Site Scripting (XSS) is an attack which exploits a web application or system to treat user input as markup or script code. It is important to encode the data depending on the specific context it is used in. There are at least six context types:
Script blocks alone have multiple ways they need to be encoded. Extra care must be taken if user input is ever output inside of script tags. User input that is displayed within the application must be encoded, sanitized or validated to ensure it cannot be treated as HTML or executed as Javascript code. Care must also be taken to not mix server-side templating with client-side templating, as the server-side templating will not encode things like {{ 77 }} which may execute client-side templating features. It is NOT advised to encode user input prior to inserting into a data store. The data will need to be encoded depending on context of where it is output. It is much safer to force the displaying system to handle the encoding and not attempt to guess how it should be encoded. Use of the following template types with user input denotes a security risk: Either remove these types from the application or hardcode as const strings prior to conversion:
|
| Active debug code (pprof enabled) | go_leak_rule-pprof-endpoint, CWE-489 | Severity: Medium Go has a built in profiling service that is enabled by starting an HTTP server with To remediate this, remove the
|
| Integer overflow or wraparound | go_memory_rule-integer-overflow, CWE-190 | Severity: Medium Golang's Prior to running any type conversion, check that the value returned from Example of checking the return value before type conversion: For more information on integer min/max constants see: math OWASP:
|
| Allocation of resources without limits or throttling | go_http_rule-http-serve, CWE-770 | Severity: Low Go's To protect against this style of resource consumption attack, timeouts should be set in the Example setting timeouts on a For more information on the For information on setting request based timeouts, see: http For more information on the Slowloris attack see: Slowloris_(computer_security) OWASP:
|
| Binding to an unrestricted IP address | go_network_rule-bind-to-all-interfaces, CWE-1327 | Severity: Low Binding to all network interfaces can potentially open up a service to traffic on unintended interfaces, that may not be properly documented or secured. By passing "0.0.0.0" as the address to the Consider passing in the interface ip address through an environment variable, configuration file, or by determining the primary interface(s) IP address. Example getting the IP address from an environment variable
|
| Incorrect access of indexable resource ('Range Error') | go_memory_rule-memoryaliasing, CWE-118 | Severity: Info Go's This can be fixed by: Example not referencing the address: Example reassigning the iteration variable to a new variable: Example using the address of the indexed variable: For more information on how the
|
html¶
| Name | Identifiers | Description |
|---|---|---|
| Improper neutralization of user input rendered in HTML ('XSS') | html_django_rule_reflected_xss, CWE-79 | Severity: High Global disabling of autoescape in Django HTML Template with {% autoescape off/None %} can lead to reflected XSS attacks if a user controlled input is used in the template.
|
| Improper neutralization of user input rendered in HTML ('XSS') | html_generic_rule_reflected_xss, CWE-79 | Severity: High User controlled variable in <script> tags get executed in document.write() or eval() methods, leading to XSS vulnerability.
|
| Improper neutralization of user input rendered in HTML ('XSS') | html_tornado_rule_reflected_xss, CWE-79 | Severity: High Global disabling of autoescaping in Tornado HTML templates with {% autoescape None %} can lead to XSS attack if the template contains user-controlled input. Avoid global unescaping, prefer disabling locally.
|
java¶
| Name | Identifiers | Description |
|---|---|---|
| Use of hard-coded password | java_password_rule-ConstantDBPassword, CWE-259 | Severity: Critical A potential hard-coded password was identified in a database connection string. Passwords should not be stored directly in code but loaded from secure locations such as a Key Management System (KMS). The purpose of using a Key Management System is so access can be audited and keys easily rotated in the event of a breach. By hardcoding passwords, it will be extremely difficult to determine when or if, a key is compromised. The recommendation on which KMS to use depends on the environment the application is running in:
|
| Missing authentication for critical function (database) | java_password_rule-EmptyDBPassword, CWE-306 | Severity: Critical The application does not provide authentication when communicating a database server. It is strongly recommended that the database server be configured with authentication and restrict what queries users can execute. Please see your database server's documentation on how to configure a password. Additionally, passwords should not be stored directly in code but loaded from secure locations such as a Key Management System (KMS). The purpose of using a Key Management System is so access can be audited and keys easily rotated in the event of a breach. By hardcoding passwords, it will be extremely difficult to determine when or if, a key is compromised. The recommendation on which KMS to use depends on the environment the application is running in:
|
| Exposed dangerous method or function | rules_lgpl_java_webview_rule-webview-external-storage, CWE-749 | Severity: Critical WebView load files from external storage. Files in external storage can be modified by any application. Loading files from external storage in a WebView can introduce security risks, To fix this security issue, you should avoid loading files directly from external Here's a general approach to fix this problem: In the above code, we define the URI of a Content Provider that provides access to files
|
| Improper neutralization of CRLF sequences in HTTP headers ('HTTP Response Splitting') | java_cookie_rule-HttpResponseSplitting, CWE-113 | Severity: High HTTP Response Splitting is a vulnerability where Carriage Return (CR Some Java application servers such as Apache Tomcat as of version Example of validating cookies to only allow valid characters: Alternatively, you could use a string escape package such as For more information on response splitting attacks see OWASP: HTTP_Response_Splitting OWASP:
|
| Improper neutralization of CRLF sequences in HTTP headers ('HTTP Response Splitting') | java_cookie_rule-RequestParamToHeader, CWE-113 | Severity: High HTTP Response Splitting is a vulnerability where Carriage Return (CR Some Java application servers such as Apache Tomcat will automatically encode characters from being set in response headers as a space Example of validating headers to only allow valid characters: Alternatively, you could use a string escape package such as For more information on response splitting attacks see OWASP: HTTP_Response_Splitting OWASP:
|
| Improper neutralization of special elements used in an OS command ('OS Command Injection') | java_inject_rule-CommandInjection, CWE-78 | Severity: High OS command injection is a critical vulnerability that can lead to a full system compromise as it may allow an adversary to pass in arbitrary commands or arguments to be executed. User input should never be used in constructing commands or command arguments to functions which execute OS commands. This includes filenames supplied by user uploads or downloads. Ensure your application does not:
The application should have a hardcoded set of arguments that are to be passed to OS commands. If filenames are being passed to these functions, it is recommended that a hash of the filename be used instead, or some other unique identifier. It is strongly recommended that a native library that implements the same functionality be used instead of using OS system commands, due to the risk of unknown attacks against third party commands. When specifying the OS command, ensure the application uses the full path information, otherwise the OS may attempt to look up which process to execute and could be vulnerable to untrusted search path vulnerabilities (CWE-426). Example of safely executing an OS command: For more information on OS command injection, see OWASP's guide: OS_Command_Injection_Defense_Cheat_Sheet.html OWASP:
|
| Files or directories accessible to external parties | java_inject_rule-FileDisclosureRequestDispatcher, CWE-552 | Severity: High The Never pass user-supplied input directly to any of these methods. Use a lookup table or hardcode which views or paths the user should be directed to. Another option is to use a simple HTTP redirect by returning an empty response body with a 301 status code and a Example using a redirect instead of a
|
| Files or directories accessible to external parties | java_inject_rule-FileDisclosureSpringFramework, CWE-552 | Severity: High The The ModelAndView class looks up a view by name to resolve a Use a lookup table or hardcode which views or paths the user should be directed to. Example using a lookup table to resolve a view from a Spring MVC application: Example using a redirect instead of a
|
| Expression injection (OGNL) | java_inject_rule-OgnlInjection, CWE-917 | Severity: High The Object Graph Navigation Language (OGNL) is an expression language that allows access to Java objects and properties stored in an ActionContext. Usage of these low-level functions is discouraged because they can effectively execute strings as code, leading to remote code execution vulnerabilities. Consider using struts tags when processing user-supplied input and templates. Much like the Struts security guide recommending to not use raw
For more information on Struts2 security see: OWASP:
|
| Missing authentication for critical function (LDAP) | java_ldap_rule-AnonymousLDAP, CWE-306 | Severity: High The application does not provide authentication when communicating an LDAP server. It is strongly recommended that the LDAP server be configured with authentication and restrict what queries users can execute. Example code that authenticates with a remote LDAP server and encodes any user-supplied input: For information on enabling authentication, please see your LDAP server's documentation. For more information on LDAP Injection see OWASP: LDAP_Injection_Prevention_Cheat_Sheet.html OWASP:
|
| Use of hard-coded password | java_password_rule-HardcodePassword, CWE-259 | Severity: High A potential hard-coded password was identified in a hard-coded string. Passwords should not be stored directly in code but loaded from secure locations such as a Key Management System (KMS). The purpose of using a Key Management System is so access can be audited and keys easily rotated in the event of a breach. By hardcoding passwords, it will be extremely difficult to determine when or if, a key is compromised. The recommendation on which KMS to use depends on the environment the application is running in:
|
| Improper control of generation of code ('Code Injection') | java_script_rule-ScriptInjection, CWE-94 | Severity: High The application executes an argument using a Never pass user-supplied input directly to the Example using
|
| Improper neutralization of special elements used in an expression language statement ('Expression Language Injection') | java_script_rule-SpringSpelExpressionParser, CWE-917 | Severity: High The application was found calling SpringFramework's Never call Later versions of SpringFramework introduced a Example using For more information on SimpleEvaluationContext see: SimpleEvaluationContext.html OWASP:
|
| Improper control of generation of code ('Code Injection') | java_templateinjection_rule-TemplateInjection, CWE-94 | Severity: High The application may allow control over a template string. Providing user input directly in the template by dynamically creating template strings may allow an adversary to execute arbitrary Java code, including OS system commands. For Velocity, never call Example using Apache Velocity's For other templating engines, please see your framework's documentation. OWASP:
|
| Deserialization of untrusted data | java_xml_rule-XmlDecoder, CWE-502 | Severity: High Deserialization attacks exploit the process of reading serialized data and turning it back into an object. By constructing malicious objects and serializing them, an adversary may attempt to:
Consider safer alternatives such as serializing data in the JSON format. Ensure any format chosen allows the application to specify exactly which object types are allowed to be deserialized. Additionally, when deserializing, never deserialize to base object types like To protect against mass assignment, only allow deserialization of the specific fields that are required. If this is not easily done, consider creating an intermediary type that can be serialized with only the necessary fields exposed. Do note that For more information on XML security see OWASP's guide: XML_External_Entity_Prevention_Cheat_Sheet.html For more details on deserialization attacks in general, see OWASP's guide: Deserialization_Cheat_Sheet.html It should be noted that tools exist to automatically create exploit code for these vulnerabilities. OWASP:
|
| Inadequate encryption strength | java_crypto_rule-BlowfishKeySize, CWE-326 | Severity: Medium The Blowfish encryption algorithm was meant as a drop-in replacement for DES and was created in To remediate the small key size, pass a value such as 256 to the Example setting a larger key size and changing to Example setting a larger key size for Blowfish: For more information on Java Cryptography see: java-cryptography-architecture-jca-reference-guide.html OWASP:
|
| Inadequate encryption strength | java_crypto_rule-CipherDESInsecure, CWE-326 | Severity: Medium DES, TripleDES and RC2 are all considered broken or insecure cryptographic algorithms. Newer algorithms apply message integrity to validate ciphertext has not been tampered with. Consider using For older applications that don't have support for Example using For more information on Java Cryptography see: java-cryptography-architecture-jca-reference-guide.html OWASP:
|
| Use of a broken or risky cryptographic algorithm | java_crypto_rule-CipherDESedeInsecure, CWE-327 | Severity: Medium DES, TripleDES and RC2 are all considered broken or insecure cryptographic algorithms. Newer algorithms apply message integrity to validate ciphertext has not been tampered with. Consider using For older applications that don't have support for Example using For more information on Java Cryptography see: java-cryptography-architecture-jca-reference-guide.html OWASP:
|
| Use of a broken or risky cryptographic algorithm | java_crypto_rule-CipherECBMode, CWE-327 | Severity: Medium Cryptographic algorithms provide many different modes of operation, only some of which provide message integrity. Without message integrity it could be possible for an adversary to attempt to tamper with the ciphertext which could lead to compromising the encryption key. Newer algorithms apply message integrity to validate ciphertext has not been tampered with. Instead of using an algorithm that requires configuring a cipher mode, an algorithm that has built-in message integrity should be used. Consider using For older applications that don't have support for Example using For more information on Java Cryptography see: java-cryptography-architecture-jca-reference-guide.html OWASP:
|
| Use of a broken or risky cryptographic algorithm | java_crypto_rule-CipherIntegrity, CWE-327 | Severity: Medium Cryptographic algorithms provide many different modes of operation, only some of which provide message integrity. Without message integrity it could be possible for an adversary to attempt to tamper with the ciphertext which could lead to compromising the encryption key. Newer algorithms apply message integrity to validate ciphertext has not been tampered with. Instead of using an algorithm that requires configuring a cipher mode, an algorithm that has built-in message integrity should be used. Consider using For older applications that don't have support for Example using For more information on Java Cryptography see: java-cryptography-architecture-jca-reference-guide.html OWASP:
|
| Use of a broken or risky cryptographic algorithm | java_crypto_rule-CipherPaddingOracle, CWE-327 | Severity: Medium Cryptographic block ciphers can be configured to pad individual blocks if there is not enough input data to match the size of the block. This specific mode of CBC used in combination with PKCS5Padding is susceptible to padding oracle attacks. An adversary could potentially decrypt the message if the system exposed the difference between plaintext with invalid padding or valid padding. The distinction between valid and invalid padding is usually revealed through distinct error messages being returned for each condition. Consider switching to a more secure cipher that doesn't require padding and builds in message authentication integrity directly into the algorithm. Consider using For older applications that don't have support for Example using For more information on padding oracle attacks see: Padding_oracle_attack For more information on Java Cryptography see: java-cryptography-architecture-jca-reference-guide.html OWASP:
|
| Use of a broken or risky cryptographic algorithm | java_crypto_rule-CustomMessageDigest, CWE-327 | Severity: Medium The application was found implementing a custom Example of creating a SHA-384 hash:
|
| Inadequate encryption strength | java_crypto_rule-HazelcastSymmetricEncryption, CWE-326 | Severity: Medium The network communications for Hazelcast is configured to use a deprecated symmetric cipher. Consider using TLS/SSL when establishing communications across the Hazelcast cluster. For more information on configuring TLS/SSL for Hazelcast see: tls-ssl OWASP:
|
| Inadequate encryption strength | java_crypto_rule-InsufficientKeySizeRsa, CWE-326 | Severity: Medium The application is generating an RSA key that is less than the recommended 2048 bits. The National Institute of Standards and Technology (NIST) deprecated signing Digital Certificates that contained RSA Public Keys of 1024 bits in December 2010. While Consider upgrading to the newer asymmetric algorithm such as Otherwise use a key size greater than 2048 when generating RSA keys: For more information on Ed25519 see: For more information on Java Cryptography see: java-cryptography-architecture-jca-reference-guide.html OWASP:
|
| Use of a broken or risky cryptographic algorithm | java_crypto_rule-NullCipher, CWE-327 | Severity: Medium The application was found creating a Remove the NullCipher reference and replace with a legitimate Example using For more information on Java Cryptography see: java-cryptography-architecture-jca-reference-guide.html OWASP:
|
| Use of RSA algorithm without OAEP | java_crypto_rule-RsaNoPadding, CWE-780 | Severity: Medium The software uses the RSA algorithm but does not incorporate Optimal Asymmetric Encryption Padding (OAEP). By not enabling padding, the algorithm maybe vulnerable to chosen plaintext attacks. To enable OAEP mode, pass Example encrypting and decrypting a message using RSA with OAEP: More information on Optimal asymmetric encryption padding: Optimal_asymmetric_encryption_padding For more information on Java Cryptography see: java-cryptography-architecture-jca-reference-guide.html OWASP:
|
| Use of a broken or risky cryptographic algorithm (SHA1 / MD5) | java_crypto_rule-WeakMessageDigest, CWE-327 | Severity: Medium The application was found using an insecure or risky digest or signature algorithm. Both MD5 Example of creating a SHA-384 hash: For more information on secure password storage see OWASP: Password_Storage_Cheat_Sheet.html OWASP:
|
| Improper certificate validation | java_crypto_rule-WeakTLSProtocol-DefaultHttpClient, CWE-295 | Severity: Medium The This allows for an adversary who is in between the application and the target host to intercept potentially sensitive information or transmit malicious data. Do not use the Example connecting to a host that will automatically do TLS validation:
|
| Improper certificate validation | java_crypto_rule-WeakTLSProtocol-SSLContext, CWE-295 | Severity: Medium Avoid initializing SSLContext with insecure protocols like Instead, use secure protocols like
|
| Inadequate encryption strength | java_crypto_rule-WeakTLSProtocolVersion, CWE-326 | Severity: Medium The application was found enabling insecure TLS protocol versions. When enabling protocol versions for an To mitigate potential security risks, it is strongly advised to enforce TLS 1.2 as the minimum protocol version and disallow older versions such as TLS 1.0. Do note that newer versions of Java do not even support TLS 1.0 and will throw In many scenarios, relying on the default system configuration does not meet compliance standards. This is due to the application being deployed across diverse systems with varying configurations and Java versions. While the default value may be secure on modern and up-to-date systems, it may not hold true for older systems. Consequently, it is highly recommended to explicitly define a secure configuration in all cases. Example configuring an SSLContext with TLSv1.2:
|
| Improper certificate validation | java_endpoint_rule-HostnameVerifier, CWE-295 | Severity: Medium The To mitigate this vulnerability and enhance the security of your application, it is Implementing the default HostnameVerifier can be achieved with the following code For more information on TLS security, refer the following OWASP documentation: Transport_Layer_Protection_Cheat_Sheet.html OWASP:
|
| Improper certificate validation | java_endpoint_rule-X509TrustManager, CWE-295 | Severity: Medium The Consider using the For most applications, using the default TrustManager provided by the Java runtime is For more information on TLS security, refer the following OWASP documentation: Transport_Layer_Protection_Cheat_Sheet.html OWASP:
|
| Improper neutralization of argument delimiters in a command ('Argument Injection') | java_inject_rule-HttpParameterPollution, CWE-88 | Severity: Medium The application was found including unvalidated user input into a URL, which could lead to HTTP Parameter Pollution (HPP) or worse, Server Side Request Forgery (SSRF). This could allow an adversary to override the value of a URL or a request parameter. HTTP Parameter Pollution To remediate this issue, never allow user input directly into creation of a URL or URL parameter. Consider using a map to look up user-supplied information and return exact values to be used in the generation of requests. Example using a map to look up a key to be used in a HTTP request: If using a map is not possible, the user-supplied input must be encoded prior to use, and never allow full URLs: For more information on SSRF see OWASP: Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html For more information on HTTP Parameter Pollution see: HTTP_parameter_pollution OWASP:
|
| Improper neutralization of special elements used in an LDAP query ('LDAP Injection') | java_inject_rule-LDAPInjection, CWE-90 | Severity: Medium LDAP injection attacks exploit LDAP queries to influence how data is returned by the LDAP server. Later versions of Java's More details on the four argument To encode the string manually, it is recommended that all input passed to LDAP querying systems encode the following values:
Example function that safely encodes user-supplied input to be used in an LDAP query. Example code that using the For more information on LDAP Injection see OWASP: LDAP_Injection_Prevention_Cheat_Sheet.html OWASP:*
|
| Improper limitation of a pathname to a restricted directory ('Path Traversal') | java_inject_rule-SpotbugsPathTraversalAbsolute, CWE-22 | Severity: Medium The application dynamically constructs file or path information. If the path information comes from user input, it could be abused to read sensitive files, access other users' data, or aid in exploitation to gain further system access. User input should never be used in constructing paths or files for interacting with the filesystem. This includes filenames supplied by user uploads or downloads. If possible, consider hashing user input or replacing it with unique values and use Example using For more information on path traversal issues see OWASP: Path_Traversal OWASP:
|
| Incorrect permission assignment for critical resource | java_perm_rule-DangerousPermissions, CWE-732 | Severity: Medium The application was found to permit the By granting the By granting the For more information on For more information on
|
| Incorrect permission assignment for critical resource | java_perm_rule-OverlyPermissiveFilePermissionInline, CWE-732 | Severity: Medium The application was found setting file permissions to overly permissive values. Consider using the following values if the application user is the only process to access the file:
Example setting read/write permissions for only the owner of a For all other values please see: File-system_permissions OWASP:
|
| Improper validation of certificate with host mismatch | java_smtp_rule-InsecureSmtp, CWE-297 | Severity: Medium The Apache commons mail client by default does not enable TLS server identity. This allows for an adversary who is in between the application and the target host to intercept potentially sensitive information or transmit malicious data. Enable checking server identity by calling Example email client that enables TLS and server identity:
|
| Server-Side Request Forgery (SSRF) | java_ssrf_rule-SSRF, CWE-918 | Severity: Medium Server-Side-Request-Forgery (SSRF) exploits backend systems that initiate requests to third parties. If user input is used in constructing or sending these requests, an attacker could supply malicious data to force the request to other systems or modify request data to cause unwanted actions. Ensure user input is not used directly in constructing URLs or URIs when initiating requests to third party systems from back end systems. Care must also be taken when constructing payloads using user input. Where possible restrict to known URIs or payloads. Consider using a server-side map where keys are used to return URLs such as If you must use user-supplied input for requesting URLs, it is strongly recommended that the HTTP client chosen allows you to customize and block certain IP ranges at the network level. By blocking RFC 1918 If you cannot block address ranges at the client level, you may want to run the HTTP client as a protected user, or in a protected network where you can apply IP Table or firewall rules to block access to dangerous addresses. Finally, if none of the above protections are available, you could also run a custom HTTP proxy and force all requests through it to handle blocking dangerous addresses. Example using a map to look up a key to be used in a HTTP request: If using a map is not possible, the user-supplied input must be encoded prior to use, and never allow full URLs: For more information on SSRF see OWASP: Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html OWASP:
|
| Use of externally-controlled format string | java_strings_rule-FormatStringManipulation, CWE-134 | Severity: Medium The application allows user input to control format string parameters. By passing invalid format string specifiers an adversary could cause the application to throw exceptions or possibly leak internal information depending on application logic. Never allow user-supplied input to be used to create a format string. Replace all format string arguments with hardcoded format strings containing the necessary specifiers. Example of using
|
| Weak authentication | java_xml_rule-SAMLIgnoreComments, CWE-1390 | Severity: Medium SAML parses attestations as an XML document. By processing XML comments, comment fields can end up modifying the interpretation of input fields. This could allow an adversary to insert an XML comment to break up the attestation's username or other fields, allowing an attacker to bypass authorization or authentication checks. To remediate this issue, when using The default value of For more information on how this issue can be exploited see: a-breakdown-of-the-new-saml-authentication-bypass-vulnerability For more information on SAML security see OWASP: SAML_Security_Cheat_Sheet.html OWASP:
|
| XML injection (aka Blind XPath injection) | java_xml_rule-XsltTransform, CWE-91 | Severity: Medium The application performs XSLT translation with potentially malicious input. An adversary who is able to influence the loaded XSL document could call XSL functions or exploit External XML Entity (XXE) attacks that allow file retrieval or force the parser to connect to arbitrary servers to exfiltrate files. It is strongly recommended that an alternative approach is used to work with XML data. For increased security, never process user-supplied XSL style sheets. If XSLT processing is absolutely necessary, ensure that For more information on XML security see OWASP's guide: XML_External_Entity_Prevention_Cheat_Sheet.html
|
| Improper neutralization of input during web page generation ('Cross-site Scripting') | java_xss_rule-WicketXSS, CWE-79 | Severity: Medium The application is disabling Wicket's string escaping functionality by calling
Script blocks alone have multiple ways they need to be encoded. Extra care must be taken if user input is ever output inside of script tags. User input that is displayed within the application must be encoded, sanitized or validated to ensure it cannot be treated as HTML or executed as JavaScript code. Care must also be taken to not mix server-side templating with client-side templating, as the server-side templating will not encode things like {{ 77 }} which may execute client-side templating features. It is NOT advised to encode user input prior to inserting into a data store. The data will need to be encoded depending on context of where it is output. It is much safer to force the displaying system to handle the encoding and not attempt to guess how it should be encoded. Use Wicket's built in escaping feature by calling
|
| Improper neutralization of input during web page generation ('Cross-site Scripting') | java_xss_rule-XSSReqParamToServletWriter, CWE-79 | Severity: Medium The application is returning user-supplied data from an HTTP request directly into an HTTP response output writer. This could lead to Cross Site Scripting (XSS) if the input were malicious script code and the application server is not properly validating the output. XSS is an attack which exploits a web application or system to treat user input as markup or script code. It is important to encode the data depending on the specific context it is used in. There are at least six context types:
Script blocks alone have multiple ways they need to be encoded. Extra care must be taken if user input is ever output inside of script tags. User input that is displayed within the application must be encoded, sanitized or validated to ensure it cannot be treated as HTML or executed as Javascript code. Care must also be taken to not mix server-side templating with client-side templating, as the server-side templating will not encode things like {{ 77 }} which may execute client-side templating features. It is NOT advised to encode user input prior to inserting into a data store. The data will need to be encoded depending on context of where it is output. It is much safer to force the displaying system to handle the encoding and not attempt to guess how it should be encoded. If possible do not use user input directly in the output to the response writer. If the application must output user-supplied input, it will need to encode the data depending on the output context. Consider using Apache Commons Text
|
| Improper restriction of XML external entity reference ('XXE') | java_xxe_rule-XMLRdr, CWE-611 | Severity: Medium External XML entities are a feature of XML parsers that allow documents to contain references to other documents or data. This feature can be abused to read files, communicate with external hosts, exfiltrate data, or cause a Denial of Service (DoS). The XMLReaderFactory has been deprecated. It is recommended that Example creating a SAXParser with disallowing the doctypes feature enabled: For more information on XML security see OWASP's guide: XML_External_Entity_Prevention_Cheat_Sheet.html OWASP:
|
| Improper certificate validation" | rules_lgpl_java_webview_rule-ignore-ssl-certificate-errors, CWE-295 | Severity: Medium Insecure WebView Implementation. leading to a security problem known as SSL certificate To fix this security issue, you should properly handle SSL errors and only proceed with
|
| Active debug code | rules_lgpl_java_webview_rule-webview-debugging, CWE-489 | Severity: Medium Remote WebView debugging is enabled. This allows an attacker with debugging access to interact with the webview and steal or corrupt data. To fix these security issues, it is recommended to disable remote
|
| External control of file name or path | rules_lgpl_java_webview_rule-webview-set-allow-file-access, CWE-73 | Severity: Medium WebView File System Access is enabled. An attacker able to inject To fix this security issue, you should disable file access in the
|
| XML injection (aka Blind XPath injection) | scala_xml_rule-XsltTransform, CWE-91 | Severity: Medium It is possible to attach malicious behavior to those style sheets. Therefore, if an attacker can control the content or the source of the style sheet, he might be able to trigger remote code execution. OWASP: |
| Sensitive cookie in HTTPS session without 'Secure' attribute | java_cookie_rule-CookieInsecure, CWE-614 | Severity: Low The Example of protecting a For more information see: cookie Session cookies should be configured with the following security directives: OWASP:
|
| Permissive cross-domain policy with untrusted domains | java_cors_rule-PermissiveCORSInjection, CWE-942 | Severity: Low This application potentially allows user-supplied input into the value of the For the above attack to work, the application would need to suffer from an additional vulnerability, such as Cross-Site Scripting (XSS). To remediate this issue, do not use user-supplied information when calling For more information on
|
| Improper neutralization of special elements used in a command | java_smtp_rule-SmtpClient, CWE-77 | Severity: Low The application was found calling To mitigate this issue, Example that escapes values that come from user input with
|
| External control of system or configuration setting | java_unsafe_rule-ExternalConfigControl, CWE-15 | Severity: Low The application was found using user-supplied input in a It is recommended to not use user-supplied input when selecting the database for an applications database connection. OWASP:
|
| Permissive Cross-domain Policy with Untrusted Domains | scala_cors_rule-PermissiveCORSInjection, CWE-942 | Severity: Low Prior to HTML5, Web browsers enforced the Same Origin Policy which ensures that in order for JavaScript to access the contents of a Web page, both the JavaScript and the Web page must originate from the same domain. Without the Same Origin Policy, a malicious website could serve up JavaScript that loads sensitive information from other websites using a client's credentials, cull through it, and communicate it back to the attacker. HTML5 makes it possible for JavaScript to access data across domains if a new HTTP header called Access-Control-Allow-Origin is defined. With this header, a Web server defines which other domains are allowed to access its domain using cross-origin requests. However, caution should be taken when defining the header because an overly permissive CORS policy will allow a malicious application to communicate with the victim application in an inappropriate way, leading to spoofing, data theft, relay and other attacks. OWASP: |
| URL redirection to untrusted site ('Open Redirect') | java_endpoint_rule-UnvalidatedRedirect, CWE-601 | Severity: Info Unvalidated redirects occur when an application redirects a user to a destination URL specified by a user supplied parameter that is not validated. Such vulnerabilities can be used to facilitate phishing attacks. To avoid open redirect vulnerabilities in Java, one effective strategy is to only allow redirection to URLs that are pre-defined in a safe list. This safe list can be implemented using a collection like a Map, List, or Dictionary, where you store all the valid URLs or URL patterns. When a redirect request is made, you can check if the requested URL is in this safe list before proceeding
|
| Improper limitation of a pathname to a restricted directory ('Path Traversal') | java_file_rule-FileUploadFileName, CWE-22 | Severity: Info The filename provided by the FileUpload API can be tampered with which could lead to unauthorized access or file inclusion vulnerabilities. To mitigate this risk, it is essential to conduct rigorous validation of the filenames provided by clients. This validation should ensure that the filename adheres to a predefined structure, is devoid of potentially dangerous characters For example, as a remediation strategy, the application could: Example remediation:
|
| Improper limitation of a pathname to a restricted directory ('Path Traversal') | java_file_rule-FilenameUtils, CWE-22 | Severity: Info The filename provided by the FileUpload API can be tampered with by the client to reference unauthorized files. The provided filename should be properly validated to ensure it's properly structured, contains no unauthorized path characters (e.g., / ), and refers to an authorized file. The application was found to take a parameter from user input to construct a path name. If an unfiltered parameter is passed to this file API, files from an arbitrary filesystem location could be read. When data from an unstrusted source is untrusted source is used to construct a file path, an attacker could potentially gain access to restrcited files locations outside the relevant context. For example, if the application tries to access the users profile picture based on their user name by concatenating the username to the filepath: "images/userprofiles/" + username The expected result of this would be "images/userprofiles/alice", however an attacker could use a malicious input such as "../../../etc/passwd" to gain access to and/or manipulate sensitive information Assume all input is malicious. Use an "accept known good" input validation strategy. Inputs can be sanitized by using the getName() method with concat() method to remove the Example of limiting path traversal using getName:
|
| Improper neutralization of special elements used in an expression language statement ('Expression Language Injection') | java_inject_rule-ELInjection, CWE-917 | Severity: Info This rule identifies potential Expression Language (EL) injection vulnerabilities within Java applications.
Similarly, Calling these method directly with user-supplied input may allow an adversary to execute arbitrary Java Secure example:
|
| Incorrect type conversion or cast | java_strings_rule-BadHexConversion, CWE-704 | Severity: Info The application is using Consider using the Example using For more information on DatatypeConverter see: DatatypeConverter.html OWASP:
|
| Collapse of data into unsafe value | java_strings_rule-ModifyAfterValidation, CWE-182 | Severity: Info The application was found matching a variable during a regular expression pattern match, and then calling string modification functions after validation has occurred. This is usually indicative of a poor input validation strategy as an adversary may attempt to exploit the removal of characters. For example a common mistake in attempting to remove path characters to protect against path traversal is to match '../' and then remove any matches. However, if an adversary were to include in their input: '....//' then the To remediate this issue always perform string modifications before any validation of a string. It is strongly recommended that strings be encoded instead of replaced or removed prior to validation. Example replaces For more information see Carnegie Mellon University's Secure Coding Guide: IDS11-J.+Perform+any+string+modifications+before+validation OWASP:
|
| Incorrect behavior order: validate before canonicalize | java_strings_rule-NormalizeAfterValidation, CWE-180 | Severity: Info The application was found matching a variable during a regular expression pattern match, and then calling a Unicode normalize function after validation has occurred. This is usually indicative of a poor input validation strategy as an adversary may attempt to exploit the normalization process. To remediate this issue, always perform Unicode normalization before any validation of a string. Example of normalizing a string before validation: For more information see Carnegie Mellon University's Secure Coding Guide: IDS01-J.+Normalize+strings+before+validating+them OWASP:
|
javascript¶
| Name | Identifiers | Description |
|---|---|---|
| Improper neutralization of special elements used in an SQL command (SQL Injection) | rules_lgpl_javascript_database_rule-node-knex-sqli-injection, CWE-89 | Severity: Critical Untrusted input concatinated with raw SQL query using knex raw() or whereRaw() functions can result in SQL Injection. OWASP:
|
| Improper neutralization of special elements in data query logic | rules_lgpl_javascript_database_rule-node-nosqli-injection, CWE-943 | Severity: Critical Untrusted user input in findOne() function can result in NoSQL Injection. OWASP:
|
| Improper neutralization of special elements in data query logic | rules_lgpl_javascript_database_rule-node-nosqli-js-injection, CWE-943 | Severity: Critical Untrusted user input in MongoDB $where operator can result in NoSQL JavaScript Injection. OWASP:
|
| Improper neutralization of special elements used in an SQL command (SQL Injection) | rules_lgpl_javascript_database_rule-node-sqli-injection, CWE-89 | Severity: Critical Untrusted input concatinated with raw SQL query can result in SQL Injection. OWASP:
|
| Selection of Less-Secure Algorithm During Negotiation (Algorithm Downgrade) | rules_lgpl_javascript_database_rule-sequelize-weak-tls, CWE-757 | Severity: Critical 'The Sequelize connection string indicates that an older version of TLS is in use. TLS1.0 and TLS1.1 are deprecated and should be used. By default, Sequelize use TLSv1.2 but it''s recommended to use TLS1.3. Not applicable to SQLite database.' OWASP:
|
| Cleartext Transmission of Sensitive Information | rules_lgpl_javascript_electronjs_rule-electron-allow-http, CWE-319 | Severity: Critical Application can load content over HTTP and that makes the app vulnerable to Man in the middle attacks. OWASP:
|
| Origin validation error | rules_lgpl_javascript_electronjs_rule-electron-disable-websecurity, CWE-346 | Severity: Critical Disabling webSecurity will disable the same-origin policy and allows the execution of insecure code from any domain. OWASP:
|
| Least privilege violation | rules_lgpl_javascript_electronjs_rule-electron-experimental-features, CWE-272 | Severity: Critical Experimental features are not expected to be in production ready applications. OWASP:
|
| Use of incorrectly-resolved name or reference | rules_lgpl_javascript_eval_rule-eval-require, CWE-706 | Severity: Critical Passing untrusted user input directly into the require() function without proper Following is an example of secure validation against allowlist to prevent the vulnerability:
|
| Improper control of generation of code (Code Injection) | rules_lgpl_javascript_eval_rule-sandbox-code-injection, CWE-94 | Severity: Critical Unrusted data in
|
| Improper control of generation of code (Code Injection) | rules_lgpl_javascript_eval_rule-server-side-template-injection, CWE-94 | Severity: Critical Untrusted user input in templating engine's compile() function can result in Remote Code Execution via server side template injection. OWASP:
|
| Improper control of generation of code (Code Injection) | rules_lgpl_javascript_eval_rule-vm-code-injection, CWE-94 | Severity: Critical Untrusted user input reaching
|
| Improper control of generation of code (Code Injection) | rules_lgpl_javascript_eval_rule-vm-compilefunction-injection, CWE-94 | Severity: Critical Untrusted user input in
|
| Improper control of generation of code (Code Injection) | rules_lgpl_javascript_eval_rule-vm-runincontext-injection, CWE-94 | Severity: Critical Untrusted user input in
|
| Improper control of generation of code (Code Injection) | rules_lgpl_javascript_eval_rule-vm-runinnewcontext-injection, CWE-94 | Severity: Critical Untrusted user input in
|
| Improper control of generation of code (Code Injection) | rules_lgpl_javascript_eval_rule-vm2-code-injection, CWE-94 | Severity: Critical Untrusted user input reaching
|
| Improper control of generation of code (Code Injection) | rules_lgpl_javascript_eval_rule-vm2-context-injection, CWE-94 | Severity: Critical Untrusted user input reaching
|
| Improper neutralization of special elements used in an OS command ('OS Command Injection') | rules_lgpl_javascript_exec_rule-shelljs-os-command-exec, CWE-78 | Severity: Critical User controlled data in 'shelljs.exec()' can result in Remote OS Command Execution. OWASP:
|
| Improper neutralization of HTTP headers for scripting syntax | rules_lgpl_javascript_headers_rule-generic-header-injection, CWE-644 | Severity: Critical Untrusted user input in response header will result in HTTP Header Injection or Response Splitting Attacks. OWASP:
|
| Insufficiently protected credentials | rules_lgpl_javascript_jwt_rule-jwt-express-hardcoded, CWE-522 | Severity: Critical Hardcoded JWT secret or private key was found. Hardcoding secrets like JWT signing keys poses a significant security risk. Here are some recommended safe ways to access JWT secrets: sample code snippet of accessing JWT secret from env variables
|
| Use of a broken or risky cryptographic algorithm | rules_lgpl_javascript_jwt_rule-node-jwt-none-algorithm, CWE-327 | Severity: Critical Use of Using a secure algorithm can protect the integrity of the token information.
|
| URL redirection to untrusted site 'open redirect' | rules_lgpl_javascript_redirect_rule-express-open-redirect, CWE-601 | Severity: Critical Passing untrusted user input in
Following is an example of secure validation against allowlist to prevent the vulnerability:
|
| URL redirection to untrusted site 'open redirect' | rules_lgpl_javascript_redirect_rule-express-open-redirect2, CWE-601 | Severity: Critical Passing untrusted user input in
Following is an example of secure validation against allowlist to prevent the vulnerability:
|
| Server-side request forgery (SSRF) | rules_lgpl_javascript_ssrf_rule-phantom-ssrf, CWE-918 | Severity: Critical 'If unverified user data can reach the ' OWASP:
|
| Server-side request forgery (SSRF) | rules_lgpl_javascript_ssrf_rule-playwright-ssrf, CWE-918 | Severity: Critical If unverified user data can reach the
|
| Server-side request forgery (SSRF) | rules_lgpl_javascript_ssrf_rule-puppeteer-ssrf, CWE-918 | Severity: Critical If unverified user data can reach the
|
| Server-side request forgery (SSRF) | rules_lgpl_javascript_ssrf_rule-wkhtmltopdf-ssrf, CWE-918 | Severity: Critical User controlled URL reached to
|
| Improper restriction of recursive entity references in DTDs (XML Entity Expansion) | rules_lgpl_javascript_xml_rule-node-entity-expansion, CWE-776 | Severity: Critical User controlled data in XML Parsers can result in XML Internal Entity Processing vulnerabilities like in DoS. OWASP:
|
| Improper neutralization of data within XPath expressions (XPath Injection) | rules_lgpl_javascript_xml_rule-node-xpath-injection, CWE-643 | Severity: Critical Passing untrusted user input in
Following is an example of secure validation against allowlist to prevent the vulnerability:
|
| Improper restriction of XML external entity reference | rules_lgpl_javascript_xml_rule-node-xxe, CWE-611 | Severity: Critical User controlled data in XML parsers can result in XML External or Internal Entity (XXE) Processing vulnerabilities OWASP:
|
| Improper restriction of XML external entity reference | rules_lgpl_javascript_xml_rule-xxe-expat, CWE-611 | Severity: Critical Make sure that unverified user data can not reach the XML Parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities. OWASP:
|
| Command injection using exec() from child_process | rule-js-ts-child-process-exec-injection, CWE-78 | Severity: High A Remote Command Injection vulnerability was found using Express or Node.js. A user-controlled input was directly used in exec() function from child_process. This gives the user shell access. Avoid using user-controlled variables in exec(), or use a whitelist to verify it. Alternatively, use spawn function from 'child_process'. OWASP:
|
| Improper certificate validation | rules_lgpl_javascript_database_rule-sequelize-tls-cert-validation, CWE-295 | Severity: High The Sequelize connection string indicates that TLS certificate validation
|
| Improper neutralization of directives in dynamically evaluated code ('Eval Injection') | rules_lgpl_javascript_eval_rule-eval-nodejs, CWE-95 | Severity: High User controlled data in eval() or similar functions may result in Server Side Injection or Remote Code Injection OWASP:
|
| Use of hard-coded credentials | rules_lgpl_javascript_jwt_rule-hardcoded-jwt-secret, CWE-798 | Severity: High Hardcoded JWT secret or private key was found. Hardcoding secrets like JWT signing keys poses a significant security risk. Here are some recommended safe ways to access JWT secrets: sample code snippet of accessing JWT secret from env variables
|
| Insufficiently protected credentials | rules_lgpl_javascript_jwt_rule-jwt-exposed-credentials, CWE-522 | Severity: High The application is storing a password in the JWT token payload. Storing The password transmitted in the JWT payload is not encrypted and therefore Secure code example of secure JWT signing:
|
| Insufficiently protected credentials | rules_lgpl_javascript_jwt_rule-jwt-exposed-data, CWE-522 | Severity: High The object is passed strictly to jose.JWT.sign(...). Make sure that sensitive information is not exposed through JWT token payload. OWASP:
|
| Insufficiently protected credentials | rules_lgpl_javascript_jwt_rule-jwt-not-revoked, CWE-522 | Severity: High No token revoking configured for
|
| Server-side request forgery (SSRF) | rules_lgpl_javascript_ssrf_rule-node-ssrf, CWE-918 | Severity: High This application allows user-controlled URLs to be passed directly to HTTP client libraries. Some risks of SSRF are:
To avoid this, try using hardcoded HTTP request calls or a whitelisting object to Here is an example: For more information on SSRF see OWASP: Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html OWASP:
|
| Out-of-bounds read | javascript_buf_rule-buffer-noassert-read, CWE-125 | Severity: Medium The application is using Buffer API methods with the To mitigate the issue, ensure that the Secure Code Example:
|
| Out-of-bounds write | javascript_buf_rule-buffer-noassert-write, CWE-787 | Severity: Medium The application is using Buffer API methods with the To mitigate the issue, ensure that the Secure Code Example:
|
| Observable timing discrepancy | javascript_timing_rule-possible-timing-attacks, CWE-208 | Severity: Medium The application was found executing string comparisons using one of To remediate this issue, use the Example using
|
| Use of a broken or risky cryptographic algorithm | rules_lgpl_javascript_crypto_rule-node-aes-ecb, CWE-327 | Severity: Medium AES with ECB mode is deterministic in nature and not suitable for encrypting large amount of repetitive data. OWASP:
|
| Use of a broken or risky cryptographic algorithm | rules_lgpl_javascript_crypto_rule-node-aes-noiv, CWE-327 | Severity: Medium AES algorithms requires an initialization vector (IV). Providing no or null IV in some implementation results to a 0 IV. Use of a deterministic IV makes dictionary attacks easier. OWASP:
|
| Use of cryptographically weak pseudo-random number generator (PRNG) | rules_lgpl_javascript_crypto_rule-node-insecure-random-generator, CWE-338 | Severity: Medium This rule identifies use of cryptographically weak random number generators. Using cryptographically weak random number generators like Mitigation strategy: Secure Code Example:
|
| Use of weak hash | rules_lgpl_javascript_crypto_rule-node-md5, CWE-328 | Severity: Medium The MD5 hashing algorithm is considered cryptographically weak and Remediation: Secure Code example :
|
| Use of weak hash | rules_lgpl_javascript_crypto_rule-node-sha1, CWE-328 | Severity: Medium The SHA-1 hashing algorithm is no longer considered secure for cryptographic applications due to its vulnerability to collision attacks, where two different inputs produce the same output hash. SHA-1's susceptibility to collision attacks undermines the security of cryptographic operations, allowing attackers to forge signatures or manipulate data without detection. This poses significant risks in authentication systems, data integrity validations, and secure communications. Remediation: To mitigate this vulnerability, replace the SHA1 hashing Secure Code example:
|
| Observable timing discrepancy | rules_lgpl_javascript_crypto_rule-node-timing-attack, CWE-208 | Severity: Medium 'String comparisons using ''==='', ''!'', ''!='' and '''' is vulnerable to timing attacks. More info: ' OWASP:
|
| Improper Certificate Validation | rules_lgpl_javascript_crypto_rule-node-tls-reject, CWE-295 | Severity: Medium The application sets NODE_TLS_REJECT_UNAUTHORIZED to '0', which instructs Node.js to disable TLS/SSL certificate validation. Mitigation Strategy: Secure Code Example:
|
| Use of a broken or risky cryptographic algorithm | rules_lgpl_javascript_crypto_rule-node-weak-crypto, CWE-327 | Severity: Medium A weak or broken cryptographic algorithm was identified. Using these functions will introduce vulnerabilities or downgrade the security of your application. OWASP:
|
| Cleartext transmission of sensitive information | rules_lgpl_javascript_database_rule-sequelize-tls, CWE-319 | Severity: Medium 'The Sequelize connection string indicates that database server does not use TLS. Non TLS connections are susceptible to man in the middle (MITM) attacks.' OWASP:
|
| Unchecked input for loop condition | rules_lgpl_javascript_dos_rule-layer7-object-dos, CWE-606 | Severity: Medium This application is looping over user controlled objects, which can lead to a layer 7 denial of service vulnerability. A layer 7 denial of service attack refers to overloading the application layer of the OSI model, typically layer 7. For example, if a user can control the size of an array or object passed into the application, To prevent this, limits should be set on the number of iterations, input sizes, recursion depth, etc. Sample case of secure array looped over with user-controlled input Implementing protections against layer 7 denial of service attacks is important for securing modern web applications and APIs. OWASP:
|
| Incorrect regular expression | rules_lgpl_javascript_dos_rule-regex-dos, CWE-185 | Severity: Medium Ensure that the regex used to compare with user supplied input is safe from regular expression denial of service. OWASP:
|
| Least privilege violation | rules_lgpl_javascript_electronjs_rule-electron-blink-integration, CWE-272 | Severity: Medium Blink's expirimental features are enabled in this application. Some of the features may affect the security of the application. OWASP:
|
| Improperly controlled modification of object prototype attributes ('Prototype Pollution') | rules_lgpl_javascript_electronjs_rule-electron-context-isolation, CWE-1321 | Severity: Medium Disabling context isolation can introduce Prototype Pollution vulnerabilities. OWASP:
|
| Least privilege violation | rules_lgpl_javascript_electronjs_rule-electron-nodejs-integration, CWE-272 | Severity: Medium Node integration exposes node.js APIs to the electron app and this can introduce remote code execution vulnerabilities to the application if the app is vulnerable to Cross Site Scripting (XSS). OWASP:
|
| Sensitive cookie without 'HttpOnly' flag | rules_lgpl_javascript_headers_rule-cookie-session-no-httponly, CWE-1004 | Severity: Medium 'Session middleware settings:
|
| Sensitive cookie with improper SameSite attribute | rules_lgpl_javascript_headers_rule-cookie-session-no-samesite, CWE-1275 | Severity: Medium 'Default session middleware settings:
|
| Sensitive cookie in HTTPS session without 'Secure' attribute | rules_lgpl_javascript_headers_rule-cookie-session-no-secure, CWE-614 | Severity: Medium 'Default session middleware settings:
|
| Origin validation error | rules_lgpl_javascript_headers_rule-express-cors, CWE-346 | Severity: Medium Access-Control-Allow-Origin response header is set to "". This will disable CORS Same Origin Policy restrictions. OWASP:*
|
| Origin validation error | rules_lgpl_javascript_headers_rule-generic-cors, CWE-346 | Severity: Medium Access-Control-Allow-Origin response header is set to "". This will disable CORS Same Origin Policy restrictions. OWASP:*
|
| Improperly implemented security check for standard | rules_lgpl_javascript_headers_rule-header-xss-generic, CWE-358 | Severity: Medium X-XSS-Protection header is set to 0. This will disable the browser's XSS Filter. OWASP:
|
| Improperly implemented security check for standard | rules_lgpl_javascript_headers_rule-header-xss-lusca, CWE-358 | Severity: Medium X-XSS-Protection header is set to 0. This will disable the browser's XSS Filter. OWASP:
|
| Improperly implemented security check for standard | rules_lgpl_javascript_headers_rule-helmet-feature-disabled, CWE-358 | Severity: Medium One or more Security Response header is explicitly disabled in Helmet. OWASP:
|
| Use of less trusted source | rules_lgpl_javascript_headers_rule-host-header-injection, CWE-348 | Severity: Medium Using untrusted Host header for generating dynamic URLs can result in web cache and or password reset poisoning. OWASP:
|
| Server-side request forgery (SSRF) | rules_lgpl_javascript_ssrf_rule-wkhtmltoimage-ssrf, CWE-918 | Severity: Medium This rule detects instances where user-controlled URLs are passed directly to the To mitigate this vulnerability, ensure that URLs are safe and intended for Secure Code Example:
|
| Improper limitation of a pathname to a restricted directory ('Path Traversal') | rules_lgpl_javascript_traversal_rule-admzip-path-overwrite, CWE-22 | Severity: Medium Insecure ZIP archive extraction using adm-zip can result in arbitrary path over write and can result in code injection. OWASP:
|
| Relative path traversal | rules_lgpl_javascript_traversal_rule-express-lfr, CWE-23 | Severity: Medium This application is using untrusted user input in express render() function. Rendering templates with untrusted user input enables arbitrary file read An attacker can craft malicious input that traverses the filesystem and exposes sensitive files. Sample safe use of express.render function For more details see: Path_Traversal OWASP:
|
| Relative path traversal | rules_lgpl_javascript_traversal_rule-express-lfr-warning, CWE-23 | Severity: Medium Untrusted user input in express render() function can result in arbitrary file read if hbs templating is used. OWASP:
|
| Relative path traversal | rules_lgpl_javascript_traversal_rule-generic-path-traversal, CWE-23 | Severity: Medium This application is using untrusted user input with the readFile() and readFileSync() functions. For more details see: Path_Traversal OWASP:
|
| Improper limitation of a pathname to a restricted directory ('Path Traversal') | rules_lgpl_javascript_traversal_rule-join-resolve-path-traversal, CWE-22 | Severity: Medium 'Path constructed with user input can result in Path Traversal. Ensure that user input does not reach
|
| Improper limitation of a pathname to a restricted directory ('Path Traversal') | rules_lgpl_javascript_traversal_rule-tar-path-overwrite, CWE-22 | Severity: Medium Insecure TAR archive extraction can result in arbitrary path over write and can result in code injection. OWASP:
|
| Improper limitation of a pathname to a restricted directory ('Path Traversal') | rules_lgpl_javascript_traversal_rule-zip-path-overwrite, CWE-22 | Severity: Medium This application is extracting ZIP archives without sanitizing paths or writing files to a dedicated extraction directory. To fix, sanitize all paths from ZIP archives before writing extracted files using path.basename and path.join. Example of extracting tar files safely: Write extracted files only to a dedicated extraction directory, not the global filesystem. Limit extracts to allowed file type. See OWASP Path Traversal (https://owasp.org/www-community/attacks/Path_Traversal) and Unrestricted Upload of File with
|
| Improper neutralization of input during web page generation ('Cross-site Scripting') | rules_lgpl_javascript_xss_rule-express-xss, CWE-79 | Severity: Medium This application accepts user input directly from the client side without validation. XSS is an attack that exploits a web application or system to treat user input as markup or script code.
|
| Improper neutralization of script-related HTML tags in a web page (basic XSS) | rules_lgpl_javascript_xss_rule-handlebars-noescape, CWE-80 | Severity: Medium This application is compiling strings with By default, Example of using Handlebars.compile safely:
|
| Improper neutralization of input during web page generation (Cross-site Scripting) | rules_lgpl_javascript_xss_rule-handlebars-safestring, CWE-79 | Severity: Medium This application is using a vulnerable method XSS attacks are a type of security breach that occurs when an attacker manages to Consider using the
|
| Improper neutralization of input during web page generation ('Cross-site Scripting') | rules_lgpl_javascript_xss_rule-squirrelly-autoescape, CWE-79 | Severity: Medium This application is rendering HTML with vulnerable This could lead to Cross Site Scripting (XSS) if the input is malicious XSS is an attack that exploits a web application or system to treat user input as markup or script code. By default, squirrelly autoEscaping(true) escapes input values to prevent XSS attacks.
|
| Improper encoding or escaping of output | rules_lgpl_javascript_xss_rule-xss-disable-mustache-escape, CWE-116 | Severity: Medium Markup escaping disabled. This can be used with some template engines to escape disabling of HTML entities, which can lead to XSS attacks. OWASP:
|
| Improper neutralization of script-related HTML tags in a web page (basic XSS) | rules_lgpl_javascript_xss_rule-xss-serialize-javascript, CWE-80 | Severity: Medium This application is serializing Javascript objects with vulnerable This could lead to Cross Site Scripting (XSS) if the input was malicious XSS is an attack which exploits a web application or system to treat user input as markup or script code. By default, serialize-javascript encodes input values to prevent XSS attacks.
|
| Insufficiently protected credentials | rules_lgpl_javascript_headers_rule-cookie-session-default, CWE-522 | Severity: Info Consider changing the default session cookie name. An attacker can use it to fingerprint the server and target attacks accordingly. OWASP:
|
| Insufficiently protected credentials | rules_lgpl_javascript_headers_rule-cookie-session-no-domain, CWE-522 | Severity: Info 'Default session middleware settings:
|
| Insufficient session expiration | rules_lgpl_javascript_headers_rule-cookie-session-no-maxage, CWE-613 | Severity: Info 'Session middleware settings:
|
| Insufficiently protected credentials | rules_lgpl_javascript_headers_rule-cookie-session-no-path, CWE-522 | Severity: Info 'Default session middleware settings:
|
javascript, typescript¶
| Name | Identifiers | Description |
|---|---|---|
| Deserialization of Untrusted Data | rules_lgpl_javascript_eval_rule-grpc-insecure-connection, CWE-502 | Severity: Critical Found an insecure gRPC connection. This creates a connection without encryption to a gRPC client/server. A malicious attacker could tamper with the gRPC message, which could compromise the machine. OWASP:
|
| Deserialization of Untrusted Data | rules_lgpl_javascript_eval_rule-node-deserialize, CWE-502 | Severity: Critical User controlled data in 'unserialize()' or 'deserialize()' function can result in Object Injection or Remote Code Injection. OWASP:
|
| Deserialization of Untrusted Data | rules_lgpl_javascript_eval_rule-serializetojs-deserialize, CWE-502 | Severity: Critical User controlled data in 'unserialize()' or 'deserialize()' function can result in Object Injection or Remote Code Injection. OWASP:
|
| Deserialization of Untrusted Data | rules_lgpl_javascript_eval_rule-yaml-deserialize, CWE-502 | Severity: Critical User controlled data in 'yaml.load()' function can result in Remote Code Injection. OWASP:
|
| Improper neutralization of directives in dynamically evaluated code ('Eval Injection') | javascript_eval_rule-eval-with-expression, CWE-95 | Severity: High The application was found calling the variables or strings or functions passed to these methods contains user-supplied input, an adversary could attempt to execute arbitrary JavaScript code. This could lead to a full system compromise in Node applications or Cross-site Scripting (XSS) in web applications. To remediate this issue, remove all calls to above methods and consider alternative methods for executing the necessary business logic. There is almost no safe method of calling user-supplied input. Instead, consider alternative methods such as using property accessors to dynamically access values. Example using property accessors to dynamically access an object's property:
|
| Allocation of resources without limits or throttling | javascript_buf_rule-detect-new-buffer, CWE-770 | Severity: Medium The application was found calling the Other issues also exist with the To remediate this issue, use Example using
|
| Regular expression with non-literal value | javascript_dos_rule-non-literal-regexp, CWE-185 | Severity: Medium The To remediate this issue, never allow user-supplied regular expressions. Instead, the regular Example using re2 which does not support backtracking (Note: it is still recommended to never use user-supplied input):
|
| Improper limitation of a pathname to a restricted directory ('Path Traversal') | javascript_pathtraversal_rule-non-literal-fs-filename, CWE-22 | Severity: Medium The application dynamically constructs file or path information. If the path information comes from user-supplied input, it could be abused to read sensitive files, access other users' data, or aid in exploitation to gain further system access. User input should never be used in constructing paths or files for interacting with the filesystem. This includes filenames supplied by user uploads or downloads. If possible, consider hashing user input or using unique values and use Example using For more information on path traversal issues see OWASP: Path_Traversal OWASP:
|
| Use of cryptographically weak pseudo-random number generator (PRNG) | javascript_random_rule-pseudo-random-bytes, CWE-338 | Severity: Medium Depending on the context, generating weak random numbers may expose cryptographic functions, which rely on these numbers, to be exploitable. When generating numbers for sensitive values such as tokens, nonces, and cryptographic keys, it is recommended that the Example using For more information on JavaScript Cryptography see: crypto.html OWASP:
|
| Improper neutralization of input during web page generation ('Cross-site Scripting') | javascript_react_rule-dangerouslysetinnerhtml, CWE-79 | Severity: Medium The application was found calling XSS is an attack which exploits a web application or system to treat user input as markup or script code. It is important to encode the data, depending on the specific context it is used in. There are at least six context types:
Script blocks alone have multiple ways they need to be encoded. Extra care must be taken if user input is ever output inside of script tags. User input that is displayed within the application must be encoded, sanitized or validated to ensure it cannot be treated as HTML or executed as Javascript code. Care must also be taken to not mix server-side templating with client-side templating, as the server-side templating will not encode things like {{ 77 }} which may execute client-side templating features. It is NOT advised to encode user input prior to inserting into a data store. The data will need to be encoded depending on context of where it is output. It is much safer to force the displaying system to handle the encoding and not attempt to guess how it should be encoded. Remove the call to
|
| Improper neutralization of input during web page generation (XSS) | javascript_xss_rule-mustache-escape, CWE-79 | Severity: Medium Markup escaping disabled. This can be used with some template engines to escape disabling of HTML entities, which can lead to XSS attacks. OWASP:
|
| Improper neutralization of directives in dynamically evaluated code ('Eval Injection') | javascript_require_rule-non-literal-require, CWE-95 | Severity: Low The application was found to dynamically import a module by calling To remediate this issue, use a hardcoded string literal when calling
|
kotlin¶
| Name | Identifiers | Description |
|---|---|---|
| Improper neutralization of CRLF sequences in HTTP headers ('HTTP Response Splitting') | kotlin_cookie_rule-RequestParamToHeader, CWE-113 | Severity: Critical This code directly writes an HTTP parameter to an HTTP header, which allows for a HTTP response splitting vulnerability. See http://en.wikipedia.org/wiki/HTTP_response_splitting for more information. OWASP:
|
| Permissive cross-domain policy with untrusted domains | kotlin_cors_rule-PermissiveCORSInjection, CWE-942 | Severity: Critical Prior to HTML5, Web browsers enforced the Same Origin Policy which ensures that in order for JavaScript to access the contents of a Web page, both the JavaScript and the Web page must originate from the same domain. Without the Same Origin Policy, a malicious website could serve up JavaScript that loads sensitive information from other websites using a client's credentials, cull through it, and communicate it back to the attacker. HTML5 makes it possible for JavaScript to access data across domains if a new HTTP header called Access-Control-Allow-Origin is defined. With this header, a Web server defines which other domains are allowed to access its domain using cross-origin requests. However, caution should be taken when defining the header because an overly permissive CORS policy will allow a malicious application to communicate with the victim application in an inappropriate way, leading to spoofing, data theft, relay and other attacks. OWASP:
|
| Inadequate Encryption Strength | kotlin_crypto_rule-CipherECBMode, CWE-326 | Severity: Critical An authentication cipher mode which provides better confidentiality of the encrypted data should be used instead of Electronic Code Book (ECB) mode, which does not provide good confidentiality. Specifically, ECB mode produces the same output for the same input each time. This allows an attacker to intercept and replay the data. OWASP: |
| Use of a broken or risky cryptographic algorithm | kotlin_crypto_rule-CipherIntegrity, CWE-327 | Severity: Critical The ciphertext produced is susceptible to alteration by an adversary. This mean that the cipher provides no way to detect that the data has been tampered with. If the ciphertext can be controlled by an attacker, it could be altered without detection. OWASP:
|
| Use of a broken or risky cryptographic algorithm | kotlin_crypto_rule-CipherPaddingOracle, CWE-327 | Severity: Critical This specific mode of CBC with PKCS5Padding is susceptible to padding oracle attacks. An adversary could potentially decrypt the message if the system exposed the difference between plaintext with invalid padding or valid padding. The distinction between valid and invalid padding is usually revealed through distinct error messages being returned for each condition. OWASP:
|
| URL redirection to untrusted site ('Open Redirect') | kotlin_endpoint_rule-UnvalidatedRedirect, CWE-601 | Severity: Critical Unvalidated redirects occur when an application redirects a user to a destination URL specified by a user supplied parameter that is not validated. Such vulnerabilities can be used to facilitate phishing attacks. OWASP:
|
| Improper limitation of a pathname to a restricted directory ('Path Traversal') | kotlin_file_rule-FileUploadFileName, CWE-22 | Severity: Critical The filename provided by the FileUpload API can be tampered with by the client to reference unauthorized files. The provided filename should be properly validated to ensure it's properly structured, contains no unauthorized path characters (e.g., / ), and refers to an authorized file. OWASP:
|
| Files or directories accessible to external parties | kotlin_inject_rule-FileDisclosure, CWE-552 | Severity: Critical Constructing a server-side redirect path with user input could allow an attacker to download application binaries (including application classes or jar files) or view arbitrary files within protected directories. OWASP:
|
| Improper neutralization of argument delimiters in a command ('Argument Injection') | kotlin_inject_rule-HttpParameterPollution, CWE-88 | Severity: Critical Concatenating unvalidated user input into a URL can allow an attacker to override the value of a request parameter. Attacker may be able to override existing parameter values, inject a new parameter or exploit variables out of a direct reach. HTTP Parameter Pollution (HPP) attacks consist of injecting encoded query string delimiters into other existing parameters. If a web application does not properly sanitize the user input, a malicious user may compromise the logic of the application to perform either client-side or server-side attacks. OWASP:
|
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | kotlin_inject_rule-SqlInjection, CWE-89 | Severity: Critical The input values included in SQL queries need to be passed in safely. Bind variables in prepared statements can be used to easily mitigate the risk of SQL injection. OWASP:
|
| Use of hard-coded password | kotlin_password_rule-ConstantDBPassword, CWE-259 | Severity: Critical A potential hard-coded password was identified in a database connection string. Passwords should not be stored directly in code but loaded from secure locations such as a Key Management System (KMS). The purpose of using a Key Management System is so access can be audited and keys easily rotated in the event of a breach. By hardcoding passwords, it will be extremely difficult to determine when or if, a key is compromised. The recommendation on which KMS to use depends on the environment the application is running in:
|
| Missing authentication for critical function (database) | kotlin_password_rule-EmptyDBPassword, CWE-306 | Severity: Critical The application does not provide authentication when communicating a database server. It is strongly recommended that the database server be configured with authentication and restrict what queries users can execute. Please see your database server's documentation on how to configure a password. Additionally, passwords should not be stored directly in code but loaded from secure locations such as a Key Management System (KMS). The purpose of using a Key Management System is so access can be audited and keys easily rotated in the event of a breach. By hardcoding passwords, it will be extremely difficult to determine when or if, a key is compromised. The recommendation on which KMS to use depends on the environment the application is running in:
|
| Improper control of generation of code ('Code Injection') | kotlin_script_rule-ScriptInjection, CWE-94 | Severity: Critical The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. OWASP:
|
| Improper validation of certificate with host mismatch | kotlin_smtp_rule-InsecureSmtp, CWE-297 | Severity: Critical Server identity verification is disabled when making SSL connections. OWASP:
|
| Improper neutralization of special elements used in a command | kotlin_smtp_rule-SmtpClient, CWE-77 | Severity: Critical Simple Mail Transfer Protocol (SMTP) is a the text based protocol used for email delivery. Like with HTTP, headers are separate by new line separator. If kuser input is place in a header line, the application should remove or replace new line characters (CR / LF). You should use a safe wrapper such as Apache Common Email and Simple Java Mail which filter special characters that can lead to header injection. OWASP:
|
| Server-Side Request Forgery (SSRF) | kotlin_ssrf_rule-SSRF, CWE-918 | Severity: Critical Server-Side Request Forgery occur when a web server executes a request to a user supplied destination parameter that is not validated. Such vulnerabilities could allow an attacker to access internal services or to launch attacks from your web server. OWASP:
|
| Use of externally-controlled format string | kotlin_strings_rule-FormatStringManipulation, CWE-134 | Severity: Critical Allowing user input to control format parameters could enable an attacker to cause exceptions to be thrown or leak information.Attackers may be able to modify the format string argument, such that an exception is thrown. If this exception is left uncaught, it may crash the application. Alternatively, if sensitive information is used within the unused arguments, attackers may change the format string to reveal this information. OWASP:
|
| Improper control of generation of code ('Code Injection') | kotlin_templateinjection_rule-TemplateInjection, CWE-94 | Severity: Critical A malicious user in control of a template can run malicious code on the server-side. Velocity templates should be seen as scripts. OWASP:
|
| Improper neutralization of data within XPath expressions ('XPath Injection') | kotlin_xpathi_rule-XpathInjection, CWE-643 | Severity: Critical The input values included in SQL queries need to be passed in safely. Bind variables in prepared statements can be used to easily mitigate the risk of SQL injection. OWASP:
|
| Improper restriction of XML external entity reference ('XXE') | kotlin_xxe_rule-SaxParserXXE, CWE-611 | Severity: Critical XML External Entity (XXE) attacks can occur when an XML parser supports XML entities while processing XML received from an untrusted source. OWASP:
|
| Improper restriction of XML external entity reference ('XXE') | kotlin_xxe_rule-XMLRdr, CWE-611 | Severity: Critical XML External Entity (XXE) attacks can occur when an XML parser supports XML entities while processing XML received from an untrusted source. OWASP:
|
| Improper restriction of XML external entity reference ('XXE') | kotlin_xxe_rule-XMLStreamRdr, CWE-611 | Severity: Critical XML External Entity (XXE) attacks can occur when an XML parser supports XML entities while processing XML received from an untrusted source. OWASP:
|
| Use of hard-coded password | kotlin_password_rule-HardcodePassword, CWE-259 | Severity: High A potential hard-coded password was identified in the source code. Passwords should not be stored directly in code but loaded from secure locations such as a Key Management System (KMS). The purpose of using a Key Management System is so access can be audited and keys easily rotated in the event of a breach. By hardcoding passwords, it will be extremely difficult to determine when or if, a key is compromised. The recommendation on which KMS to use depends on the environment the application is running in:
|
| Sensitive cookie without 'HttpOnly' flag | kotlin_cookie_rule-CookieHTTPOnly, CWE-1004 | Severity: Medium A new cookie is created without the HttpOnly flag set. The HttpOnly flag is a directive to the browser to make sure that the cookie can not be red by malicious script. When a user is the target of a "Cross-Site Scripting", the attacker would benefit greatly from getting the session id for example. OWASP:
|
| Sensitive cookie in HTTPS session without 'Secure' attribute | kotlin_cookie_rule-CookieInsecure, CWE-614 | Severity: Medium "A new cookie is created without the Secure flag set. The Secure flag is a
|
| Improper neutralization of CRLF sequences in HTTP headers ('HTTP Response Splitting') | kotlin_cookie_rule-HttpResponseSplitting, CWE-113 | Severity: Medium When an HTTP request contains unexpected CR and LF characters, the server may respond with an output stream that is interpreted as two different HTTP responses (instead of one). An attacker can control the second response and mount attacks such as cross-site scripting and cache poisoning attacks. OWASP:
|
| Inadequate encryption strength | kotlin_crypto_rule-BlowfishKeySize, CWE-326 | Severity: Medium A small key size makes the ciphertext vulnerable to brute force attacks. At least 128 bits of entropy should be used when generating the key if use of Blowfish is required. OWASP:
|
| Inadequate encryption strength | kotlin_crypto_rule-CipherDESInsecure, CWE-326 | Severity: Medium DES is considered strong ciphers for modern applications. Currently, NIST recommends the usage of AES block ciphers instead of DES. OWASP:
|
| Use of a broken or risky cryptographic algorithm | kotlin_crypto_rule-CipherDESedeInsecure, CWE-327 | Severity: Medium Triple DES (also known as 3DES or DESede) is considered strong ciphers for modern applications. NIST recommends the usage of AES block ciphers instead of 3DES. OWASP:
|
| Use of a broken or risky cryptographic algorithm | kotlin_crypto_rule-CustomMessageDigest, CWE-327 | Severity: Medium Implementing a custom MessageDigest is error-prone. National Institute of Standards and Technology(NIST) recommends the use of SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, or SHA-512/256. OWASP:
|
| Inadequate encryption strength | kotlin_crypto_rule-HazelcastSymmetricEncryption, CWE-326 | Severity: Medium The network communications for Hazelcast is configured to use a symmetric cipher (probably DES or Blowfish). Those ciphers alone do not provide integrity or secure authentication. The use of asymmetric encryption is preferred. OWASP:
|
| Inadequate encryption strength | kotlin_crypto_rule-InsufficientKeySizeRsa, CWE-326 | Severity: Medium Detected an insufficient key size for DSA. NIST recommends a key size of 2048 or higher. OWASP:
|
| Use of a broken or risky cryptographic algorithm | kotlin_crypto_rule-NullCipher, CWE-327 | Severity: Medium The NullCipher implements the Cipher interface by returning ciphertext identical to the supplied plaintext. In a few contexts, such as testing, a NullCipher may be appropriate. Avoid using the NullCipher. Its accidental use can introduce a significant confidentiality risk. OWASP:
|
| Use of RSA algorithm without OAEP | kotlin_crypto_rule-RsaNoPadding, CWE-780 | Severity: Medium The software uses the RSA algorithm but does not incorporate Optimal Asymmetric Encryption Padding (OAEP), which might weaken the encryption. OWASP:
|
| Use of a broken or risky cryptographic algorithm (SHA1 / MD5) | kotlin_crypto_rule-WeakMessageDigest, CWE-327 | Severity: Medium DES is considered strong ciphers for modern applications. Currently, NIST recommends the usage of AES block ciphers instead of DES. OWASP:
|
| Improper certificate validation | kotlin_crypto_rule-WeakTLSProtocol, CWE-295 | Severity: Medium A HostnameVerifier that accept any host are often use because of certificate reuse on many hosts. As a consequence, this is vulnerable to Man-in-the-middleattacks attacks since the client will trust any certificate. OWASP:
|
| Inadequate encryption strength | kotlin_crypto_rule-WeakTLSProtocolVersion, CWE-326 | Severity: Medium The application was found enabling insecure TLS protocol versions. When enabling protocol versions for an To mitigate potential security risks, it is strongly advised to enforce TLS 1.2 as the minimum protocol version and disallow older versions such as TLS 1.0. Do note that newer versions of Java do not even support TLS 1.0 and will throw In many scenarios, relying on the default system configuration does not meet compliance standards. This is due to the application being deployed across diverse systems with varying configurations and Java versions. While the default value may be secure on modern and up-to-date systems, it may not hold true for older systems. Consequently, it is highly recommended to explicitly define a secure configuration in all cases. Example configuring an SSLContext with TLSv1.2:
|
| Cross-Site Request Forgery (CSRF) | kotlin_csrf_rule-SpringCSRFDisabled, CWE-352 | Severity: Medium The application fails to protect against Cross-Site Request Forgery (CSRF)
|
| Improper Certificate Validation | kotlin_endpoint_rule-WeakHostNameVerification, CWE-295 | Severity: Medium A HostnameVerifier that accept any host are often use because of certificate reuse on many hosts. As a consequence, this is vulnerable to Man-in-the-middle attacks since the client will trust any certificate. OWASP: |
| Improper limitation of a pathname to a restricted directory ('Path Traversal') | kotlin_file_rule-FilenameUtils, CWE-22 | Severity: Medium A file is opened to read its content. The filename comes from an input parameter. If an unfiltered parameter is passed to this file API, files from an arbitrary filesystem location could be read. OWASP:
|
| Improper neutralization of special elements used in an OS command ('OS Command Injection') | kotlin_inject_rule-CommandInjection, CWE-78 | Severity: Medium The highlighted API is used to execute a system command. If unfiltered input is passed to this API, it can lead to arbitrary command execution. OWASP:
|
| Improper neutralization of special elements used in an expression language statement ('Expression Language Injection') | kotlin_inject_rule-ELInjection, CWE-917 | Severity: Medium An expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation. OWASP:
|
| Improper neutralization of special elements used in an LDAP query ('LDAP Injection') | kotlin_inject_rule-LDAPInjection, CWE-90 | Severity: Medium Just like SQL, all inputs passed to an LDAP query need to be passed in safely. Unfortunately, LDAP doesn't have prepared statement interfaces like SQL. Therefore, the primary defense against LDAP injection is strong input validation of any untrusted data before including it in an LDAP query. OWASP:
|
| Expression injection (OGNL) | kotlin_inject_rule-OgnlInjection, CWE-917 | Severity: Medium "A expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation." OWASP: |
| Improper limitation of a pathname to a restricted directory ('Path Traversal') | kotlin_inject_rule-SpotbugsPathTraversalAbsolute, CWE-22 | Severity: Medium The software uses an HTTP request parameter to construct a pathname that should be within a restricted directory, but it does not properly neutralize absolute path sequences such as
|
| Missing authentication for critical function (LDAP) | kotlin_ldap_rule-AnonymousLDAP, CWE-306 | Severity: Medium Without proper access control, executing an LDAP statement that contains a user-controlled value can allow an attacker to abuse poorly configured LDAP context OWASP:
|
| Insecure inherited permissions | kotlin_perm_rule-DangerousPermissions, CWE-277 | Severity: Medium Do not grant dangerous combinations of permissions. OWASP:
|
| Incorrect permission assignment for critical resource | kotlin_perm_rule-OverlyPermissiveFilePermissionInline, CWE-732 | Severity: Medium Overly permissive file permission OWASP:
|
| Incorrect type conversion or cast | kotlin_strings_rule-BadHexConversion, CWE-704 | Severity: Medium When converting a byte array containing a hash signature to a human readable string, a conversion mistake can be made if the array is read byte by byte. OWASP:
|
| Collapse of data into unsafe value | kotlin_strings_rule-ModifyAfterValidation, CWE-182 | Severity: Medium CERT: IDS11-J. Perform any string modifications before validation OWASP:
|
| Incorrect behavior order: validate before canonicalize | kotlin_strings_rule-NormalizeAfterValidation, CWE-180 | Severity: Medium IDS01-J. Normalize strings before validating them OWASP:
|
| External control of system or configuration setting | kotlin_unsafe_rule-ExternalConfigControl, CWE-15 | Severity: Medium Allowing external control of system settings can disrupt service or cause an application to behave in unexpected, and potentially malicious ways. An attacker could cause an error by providing a nonexistent catalog name or connect to an unauthorized portion of the database. OWASP:
|
| Weak authentication | kotlin_xml_rule-SAMLIgnoreComments, CWE-1390 | Severity: Medium Ignoring XML comments in SAML may lead to authentication bypass OWASP:
|
| Deserialization of untrusted data | kotlin_xml_rule-XmlDecoder, CWE-502 | Severity: Medium Avoid using XMLDecoder to parse content from an untrusted source. OWASP:
|
| XML injection (aka Blind XPath injection) | kotlin_xml_rule-XsltTransform, CWE-91 | Severity: Medium It is possible to attach malicious behavior to those style sheets. Therefore, if an attacker can control the content or the source of the style sheet, he might be able to trigger remote code execution. OWASP:
|
| Improper neutralization of input during web page generation ('Cross-site Scripting') | kotlin_xss_rule-WicketXSS, CWE-79 | Severity: Medium Disabling HTML escaping put the application at risk for Cross-Site Scripting (XSS). OWASP:
|
| Improper neutralization of input during web page generation ('Cross-site Scripting') | kotlin_xss_rule-XSSReqParamToServletWriter, CWE-79 | Severity: Medium Servlet reflected cross site scripting vulnerability OWASP:
|
| Leftover debug code | rules_lgpl_kotlin_other_rule-android-kotlin-webview-debug, CWE-489 | Severity: Medium Remote WebView debugging is enabled.This can introduce security To fix this security issue, you should disable remote WebView
|
python¶
| Name | Identifiers | Description |
|---|---|---|
| Improper neutralization of user input rendered in HTML ('XSS') | pyramid_jinja2_reflected_xss, CWE-79 | Severity: High Untrusted user input is passed to Pyramid's template rendering functions without proper sanitization, creating a reflected XSS vulnerability. Even though templates typically auto-escape variables, this protection can be bypassed. Never include untrusted user data directly in templates or with auto-escaping disabled. Always pass user data through context dictionaries. If necessary, sanitize user input before passing it to templates using Pyramid's escape_html, MarkupSafe's escape, Jinja2's escape, html.escape(), or bleach.clean(). Be especially careful with template features that disable auto-escaping (like safe filters or raw blocks) when working with user-controlled data. OWASP:
|
| Improper neutralization of user input rendered in HTML ('XSS') | pyramid_unsafe_user_input, CWE-79 | Severity: High Untrusted user input from request objects (params, GET, POST, json_body, matchdict) is directly embedded in a Pyramid Response without proper sanitization, creating a reflected XSS vulnerability. Always sanitize user input before including it in HTML responses using Pyramid's escape_html, MarkupSafe's escape, html.escape(), or bleach.clean(). Consider using Pyramid's template engines which automatically escape variables by default instead of manually constructing HTML. Remember that HTML escaping is not sufficient for JavaScript contexts, CSS contexts, or URL attributes - use context-specific sanitization for these cases. OWASP:
|
| Deserialization of untrusted data | python_deserialization_rule-cpickle, CWE-502 | Severity: High The application was found using
Consider safer alternatives such as serializing data in the JSON format. Ensure any format chosen allows the application to specify exactly which object types are allowed to be deserialized. To protect against mass assignment, only allow deserialization of the specific fields that are required. If this is not easily done, consider creating an intermediary type that can be serialized with only the necessary fields exposed. Example JSON deserializer using an intermediary type that is validated against a schema to ensure it is safe from mass assignment:
|
| Deserialization of untrusted data | python_deserialization_rule-dill, CWE-502 | Severity: High The application was found using
Consider safer alternatives such as serializing data in the JSON format. Ensure any format chosen allows the application to specify exactly which object types are allowed to be deserialized. To protect against mass assignment, only allow deserialization of the specific fields that are required. If this is not easily done, consider creating an intermediary type that can be serialized with only the necessary fields exposed. Example JSON deserializer using an intermediary type that is validated against a schema to ensure it is safe from mass assignment:
|
| Deserialization of untrusted data | python_deserialization_rule-marshal, CWE-502 | Severity: High The application was found using
Consider safer alternatives such as serializing data in the JSON format. Ensure any format chosen allows the application to specify exactly which object types are allowed to be deserialized. To protect against mass assignment, only allow deserialization of the specific fields that are required. If this is not easily done, consider creating an intermediary type that can be serialized with only the necessary fields exposed. Example JSON deserializer using an intermediary type that is validated against a schema to ensure it is safe from mass assignment:
|
| Deserialization of untrusted data | python_deserialization_rule-pickle, CWE-502 | Severity: High The application was found using
Consider safer alternatives such as serializing data in the JSON format. Ensure any format chosen allows the application to specify exactly which object types are allowed to be deserialized. To protect against mass assignment, only allow deserialization of the specific fields that are required. If this is not easily done, consider creating an intermediary type that can be serialized with only the necessary fields exposed. Example JSON deserializer using an intermediary type that is validated against a schema to ensure it is safe from mass assignment:
|
| Deserialization of untrusted data | python_deserialization_rule-shelve, CWE-502 | Severity: High The application was found using
Consider safer alternatives such as serializing data in the JSON format. Ensure any format chosen allows the application to specify exactly which object types are allowed to be deserialized. To protect against mass assignment, only allow deserialization of the specific fields that are required. If this is not easily done, consider creating an intermediary type that can be serialized with only the necessary fields exposed. Example JSON deserializer using an intermediary type that is validated against a schema to ensure it is safe from mass assignment:
|
| Deserialization of untrusted data | python_deserialization_rule-yaml-load, CWE-502 | Severity: High The application was found using an unsafe version of
To remediate this issue, use Example loading YAML using
|
| Improper neutralization of special elements used in an SQL Command ('SQL Injection') | python_django_rule-django-extra-used, CWE-89 | Severity: High SQL Injection is a critical vulnerability that can lead to data or system compromise. By dynamically generating SQL query strings, user input may be able to influence the logic of the SQL statement. This could lead to an adversary accessing information they should not have access to, or in some circumstances, being able to execute OS functionality or code. Replace all dynamically generated SQL queries with parameterized queries. In situations where dynamic queries must be created, never use direct user input, but instead use a map or dictionary of valid values and resolve them using a user supplied key. For example, some database drivers do not allow parameterized queries for The To remediate this issue, do not use While not recommended due to potential SQL Injection, below is an example using
|
| Improper neutralization of user input rendered in HTML ('XSS') | python_django_rule_reflected_xss_csp, CWE-79 | Severity: High Unsecure Content Security Policy detected in Django. Avoid usage of 'unsafe-inline', 'unsafe-eval' or 'unsafe-hashes' in the CSP.
|
| Improper neutralization of user input rendered in HTML ('XSS') in Django | python_django_rule_reflected_xss_global, CWE-79 | Severity: High A reflected XSS vulnerability was detected in Django due to an insecure global parameter: either the security headers SECURE_BROWSER_XSS_FILTER or SECURE_CONTENT_TYPE_NOSNIFF were set to False (they should be True), ALLOWED_HOSTS was overly permissive (e.g., '' instead of 'self' or an allowlist), auto-escaping was disabled globally (autoescape: False), or a class was incorrectly decorated with @html_safe (which bypasses escaping for all its string output, risking XSS if the class processes untrusted data). OWASP:*
|
| Improper neutralization of user input rendered in HTML ('XSS') in Django | python_django_rule_reflected_xss_httpresponse, CWE-79 | Severity: High A reflected Cross-Site Scripting (XSS) vulnerability was identified in Django. By default, Django’s HttpResponse bypasses Django's automatic escaping, making it unsafe to use with unescaped user-controlled input.
|
| Improper neutralization of user input rendered in HTML ('XSS') | python_django_rule_reflected_xss_render, CWE-79 | Severity: High A user controlled input is used in Django's render() function but the auto escaping has been disabled with django.utils.safestring.mark_safe|SafeString. Hence the user controlled input is directly embedded in the HTML template, creating an XSS vulnerability.
|
| Improper neutralization of directives in dynamically evaluated code ('Eval Injection') | python_eval_rule-eval, CWE-95 | Severity: High The application was found calling the To remediate this issue, remove all calls to If the application only needs to convert strings into objects, consider using Example using `json.loads`` to load in arbitrary data to create data structures:
|
| Improper neutralization of special elements used in an OS command ('OS Command Injection') | python_exec_rule-exec-used, CWE-78 | Severity: High The application was found calling the To remediate this issue, remove all calls to If the application only needs to convert strings into objects, consider using Example using `json.loads`` to load in arbitrary data to create data structures:
|
| Improper neutralization of wildcards or matching symbols | python_exec_rule-linux-command-wildcard-injection, CWE-155 | Severity: High Detected use of the wildcard character in a system call that spawns a shell. This subjects the wildcard to normal shell expansion, which can have unintended consequences if there exist any non-standard file names. For instance, a file named For example, the below code uses the glob module to expand the wildcard and get a list of all
|
| Improper neutralization of special elements used in an OS Command ('OS Command Injection') | python_exec_rule-os-path, CWE-78 | Severity: High Starting a process with a shell; seems safe, but may be changed in the future, consider rewriting without shell OWASP:
|
| Improper neutralization of special elements used in an OS Command ('OS Command Injection') | python_exec_rule-os-popen2, CWE-78 | Severity: High Starting a process with a shell; seems safe, but may be changed in the future, consider rewriting without shell OWASP:
|
| Improper neutralization of special elements used in an OS Command ('OS Command Injection') | python_exec_rule-start-process-with-no-shell, CWE-78 | Severity: High Found dynamic content when spawning a process. This is dangerous if externaldata can reach this function call because it allows a malicious actor to execute commands. Ensure no external data reaches here. OWASP:
|
| Improper neutralization of special elements used in an OS Command ('OS Command Injection') | python_exec_rule-subprocess-call, CWE-78 | Severity: High Python possesses many mechanisms to invoke an external executable. However, doing so may present a security issue if appropriate care is not taken to sanitize any user provided or variable input. This plugin test is part of a family of tests built to check for process spawning and warn appropriately. Specifically, this test looks for the spawning of a subprocess without the use of a command shell. This type of subprocess invocation is not vulnerable to shell injection attacks, but care should still be taken to ensure validity of input. OWASP:
|
| Improper neutralization of special elements used in an OS Command ('OS Command Injection') | python_exec_rule-subprocess-popen-shell-true, CWE-78 | Severity: High Found
|
| Improper neutralization of special elements used in an OS Command ('OS Command Injection') | python_exec_rule-subprocess-shell-TRUE, CWE-78 | Severity: High subprocess call - check for execution of untrusted input OWASP:
|
| Improper neutralization of user input rendered in HTML (XSS) | python_flask_rule_reflected_xss_make_response, CWE-79 | Severity: High Untrusted user input from request objects is directly inserted into an HTML response created with make_response() without proper sanitization, creating a reflected XSS vulnerability. Always sanitize user input before including it in HTML responses using Flask's escape function, MarkupSafe's escape, html.escape(), or bleach.clean(). Use Flask's render_template() with Jinja2 templates instead of manually constructing HTML with make_response(), as templates automatically escape variables. Remember that HTML escaping is not sufficient for JavaScript contexts, CSS contexts, or URL attributes - use context-specific sanitization for these cases. OWASP:
|
| Improper neutralization of user input rendered in HTML (XSS) | python_flask_rule_reflected_xss_render, CWE-79 | Severity: High Untrusted user input is directly inserted into an HTML template string passed to render_template_string(), creating a reflected XSS vulnerability. While Jinja2 templates automatically escape variables, this protection is bypassed when user input is embedded in the template string itself or when the |safe filter is used. Never construct template strings dynamically with user input - always pass user data as context variables to the template instead. If you must include user data in dynamic templates, sanitize it first with Flask's escape function, MarkupSafe's escape, or html.escape(). Never use the |safe filter with untrusted data, and consider using render_template() with static template files instead of render_template_string(). OWASP:
|
| Improper neutralization of user input rendered in HTML (XSS) | python_flask_rule_reflected_xss_user_input, CWE-79 | Severity: High User input from request objects (args, form, values, json) is directly used in HTML output without proper sanitization, creating a reflected XSS vulnerability. Always sanitize user input before including it in HTML responses using Flask's escape function, MarkupSafe's escape, html.escape(), or bleach.clean(). Use Flask templates (Jinja2) which automatically escape variables by default instead of manually constructing HTML. For JavaScript contexts or URL attributes, use additional context-specific sanitization as HTML escaping alone is insufficient. OWASP:
|
| Improper control of generation of code ('Code Injection') | python_log_rule-logging-config-insecure-listen, CWE-94 | Severity: High The application was found calling the To remediate the issue, remove the call to
|
| Improper neutralization of special elements used in an SQL Command ('SQL Injection') | python_sql_rule-hardcoded-sql-expression, CWE-89 | Severity: High SQL Injection is a critical vulnerability that can lead to data or system compromise. By dynamically generating SQL query strings, user input may be able to influence the logic of the SQL statement. This could lead to an adversary accessing information they should not have access to, or in some circumstances, being able to execute OS functionality or code. Replace all dynamically generated SQL queries with parameterized queries. In situations where dynamic queries must be created, never use direct user input, but instead use a map or dictionary of valid values and resolve them using a user supplied key. For example, some database drivers do not allow parameterized queries for Example using For more information on SQL Injection see OWASP: SQL_Injection_Prevention_Cheat_Sheet.html OWASP:
|
| Improper neutralization of user input rendered in Tornado ('XSS') | python_tornado_rule_reflected_xss, CWE-79 | Severity: High User controlled input given to Tornado self.write() or self.redirect() methods can lead to XSS attacks as they do not escape the variable. Prefer using tornado.web.RequestHandler render() methods which auto escapes variables rendered in the Template.
|
| Improper neutralization of user input rendered in HTML ('XSS') | python_tornado_rule_reflected_xss_csp, CWE-79 | Severity: High Unsecure Content Security Policy in Tornado. Avoid using unsafe-inline, unsafe-eval and unsafe-hashes, as they can lead to XSS attacks.
|
| Improper neutralization of user input rendered in HTML ('XSS') | python_tornado_rule_reflected_xss_global, CWE-79 | Severity: HighReflected XSS vulnerability in DjangoOWASP:
|
| Use of a broken or risky cryptographic algorithm | python_crypto_rule-cipher-modes, CWE-327 | Severity: Medium Cryptographic algorithms provide many different modes of operation, only some of which provide message integrity. Without message integrity it could be possible for an adversary to attempt to tamper with the ciphertext which could lead to compromising the encryption key. Newer algorithms apply message integrity to validate ciphertext has not been tampered with. Instead of using an algorithm that requires configuring a cipher mode, an algorithm that has built-in message integrity should be used. Consider using For older applications that don't have support for Example using Example using
|
| Use of a broken or risky cryptographic algorithm | python_crypto_rule-crypto-cipher-blowfish, CWE-327 | Severity: Medium The Blowfish encryption algorithm was meant as a drop-in replacement for DES and was created in For older applications that don't have support for Note that the Example using Example using
|
| Use of a broken or risky cryptographic algorithm | python_crypto_rule-crypto-cipher-des, CWE-327 | Severity: Medium DES, TripleDES, RC2 and RC4 are all considered broken or insecure cryptographic algorithms. Newer algorithms apply message integrity to validate ciphertext has not been tampered with. Consider using For older applications that don't have support for Note that the Example using Example using
|
| Use of a broken or risky cryptographic algorithm | python_crypto_rule-crypto-cipher-rc2, CWE-327 | Severity: Medium DES, TripleDES, RC2 and RC4 are all considered broken or insecure cryptographic algorithms. Newer algorithms apply message integrity to validate ciphertext has not been tampered with. Consider using For older applications that don't have support for Note that the Example using Example using
|
| Use of a broken or risky cryptographic algorithm | python_crypto_rule-crypto-cipher-rc4, CWE-327 | Severity: Medium DES, TripleDES, RC2 and RC4 are all considered broken or insecure cryptographic algorithms. Newer algorithms apply message integrity to validate ciphertext has not been tampered with. Consider using For older applications that don't have support for Note that the Example using Example using
|
| Use of a broken or risky cryptographic algorithm | python_crypto_rule-crypto-cipher-xor, CWE-327 | Severity: Medium The application was found using the For older applications that don't have support for Note that the Example using Example using
|
| Inadequate encryption strength | python_crypto_rule-crypto-encrypt-dsa-rsa, CWE-326 | Severity: Medium The application is generating an RSA key that is less than the recommended 2048 bits. The National Institute of Standards and Technology (NIST) deprecated signing Digital Certificates that contained RSA Public Keys of 1024 bits in December 2010. While Consider upgrading to the newer asymmetric algorithm such as Otherwise use a key size greater than 2048 when generating RSA keys:
|
| Inadequate encryption strength | python_crypto_rule-crypto-encrypt-ec, CWE-326 | Severity: Medium The application was found using an insufficient curve size for the Elliptical Cryptography (EC) asymmetric algorithm. NIST recommends using a key size of To remediate this issue, replace the current key size with Example using
|
| Use of a broken or risky cryptographic algorithm | python_crypto_rule-crypto-hash-md5, CWE-327 | Severity: Medium The application was found using an insecure or risky digest or signature algorithm. MD5 This means that two different values, when hashed, can lead to the same hash value. If the application is trying to use these hash methods for storing passwords, then it is recommended to switch to a password hashing algorithm such as Argon2id or PBKDF2. It is strongly recommended that a standard digest algorithm be chosen instead as implementing a custom algorithm is prone to errors. Note that the Example of creating a SHA-384 hash using the
|
| Use of a broken or risky cryptographic algorithm | python_crypto_rule-crypto-hash-sha1, CWE-327 | Severity: Medium The application was found using an insecure or risky digest or signature algorithm. MD5 This means that two different values, when hashed, can lead to the same hash value. If the application is trying to use these hash methods for storing passwords, then it is recommended to switch to a password hashing algorithm such as Argon2id or PBKDF2. It is strongly recommended that a standard digest algorithm be chosen instead as implementing a custom algorithm is prone to errors. Note that the Example of creating a SHA-384 hash using the
|
| Use of a broken or risky cryptographic algorithm | python_crypto_rule-crypto-hazmat-cipher-arc4, CWE-327 | Severity: Medium DES, TripleDES, RC2 and RC4 are all considered broken or insecure cryptographic algorithms. Newer algorithms apply message integrity to validate ciphertext has not been tampered with. Consider using For older applications that don't have support for Example using Example using
|
| Use of a broken or risky cryptographic algorithm | python_crypto_rule-crypto-hazmat-cipher-blowfish, CWE-327 | Severity: Medium The Blowfish encryption algorithm was meant as a drop-in replacement for DES and was created in For older applications that don't have support for Example using Example using
|
| Use of a Broken or Risky Cryptographic Algorithm | python_crypto_rule-crypto-hazmat-cipher-idea, CWE-327 | Severity: Medium The IDEA encryption algorithm was meant as a drop-in replacement for DES and was created in For older applications that don't have support for Example using Example using
|
| Use of a broken or risky cryptographic algorithm | python_crypto_rule-crypto.hazmat-hash-md5, CWE-327 | Severity: Medium The application was found using an insecure or risky digest or signature algorithm. MD2, MD5 This means that two different values, when hashed, can lead to the same hash value. If the application is trying to use these hash methods for storing passwords, then it is recommended to switch to a password hashing algorithm such as Argon2id or PBKDF2. It is strongly recommended that a standard digest algorithm be chosen instead as implementing a custom algorithm is prone to errors. Example of creating a SHA-384 hash using the
|
| Use of a broken or risky cryptographic algorithm | python_crypto_rule-crypto.hazmat-hash-sha1, CWE-327 | Severity: Medium The application was found using an insecure or risky digest or signature algorithm. MD2, MD5 This means that two different values, when hashed, can lead to the same hash value. If the application is trying to use these hash methods for storing passwords, then it is recommended to switch to a password hashing algorithm such as Argon2id or PBKDF2. It is strongly recommended that a standard digest algorithm be chosen instead as implementing a custom algorithm is prone to error. Example of creating a SHA-384 hash using the
|
| Use of a broken or risky cryptographic algorithm | python_crypto_rule-hash-md2, CWE-327 | Severity: Medium The application was found using an insecure or risky digest or signature algorithm. MD2, MD5 This means that two different values, when hashed, can lead to the same hash value. If the application is trying to use these hash methods for storing passwords, then it is recommended to switch to a password hashing algorithm such as Argon2id or PBKDF2. Note that the Example of creating a SHA-384 hash using the
|
| Use of a broken or risky cryptographic algorithm | python_crypto_rule-hash-md4, CWE-327 | Severity: Medium The application was found using an insecure or risky digest or signature algorithm. MD2, MD4, This means that two different values, when hashed, can lead to the same hash value. If the application is trying to use these hash methods for storing passwords, then it is recommended to switch to a password hashing algorithm such as Argon2id or PBKDF2. Note that the Example of creating a SHA-384 hash using the
|
| Use of a broken or risky cryptographic algorithm | python_crypto_rule-hash-md5, CWE-327 | Severity: Medium The application was found using an insecure or risky digest or signature algorithm. MD2, MD4, This means that two different values, when hashed, can lead to the same hash value. If the application is trying to use these hash methods for storing passwords, then it is recommended to switch to a password hashing algorithm such as Argon2id or PBKDF2. Note that the Example of creating a SHA-384 hash using the
|
| Use of a broken or risky cryptographic algorithm | python_crypto_rule-hash-sha1, CWE-327 | Severity: Medium The application was found using an insecure or risky digest or signature algorithm. MD2, MD4, This means that two different values, when hashed, can lead to the same hash value. If the application is trying to use these hash methods for storing passwords, then it is recommended to switch to a password hashing algorithm such as Argon2id or PBKDF2. Note that the Example of creating a SHA-384 hash using the
|
| Use of a broken or risky cryptographic algorithm | python_crypto_rule-hashlib-new-insecure-functions, CWE-327 | Severity: Medium The application was found using an insecure or risky digest or signature algorithm. MD2, MD4, MD5 and SHA1 hash algorithms have been found to be vulnerable to producing collisions. This means that two different values, when hashed, can lead to the same hash value. If the application is trying to use these hash methods for storing passwords, then it is recommended to switch to a password hashing algorithm such as Argon2id or PBKDF2. It is strongly recommended that a standard digest algorithm be chosen instead as implementing a custom algorithm is prone to errors. Example using
|
| Use of unmaintained third party components | python_crypto_rule-import-pycrypto, CWE-1104 | Severity: Medium The application was detected importing To remediate this issue, consider using the cryptography
|
| Improper encoding or escaping of output | python_escaping_rule-jinja2-autoescape-false, CWE-116 | Severity: Medium The application was found using Jinja2 Unfortunately, Jinja2 does not support context-aware escaping, meaning it is insufficient to protect against XSS for the various web contexts. It is important to encode the data depending on the specific context it is used in. There are at least six context types:
Script blocks alone have multiple ways they need to be encoded. Extra care must be taken if user input is ever output inside of script tags. User input that is displayed within the application must be encoded, sanitized or validated to ensure it cannot be treated as HTML or executed as Javascript code. Care must also be taken to not mix server-side templating with client-side templating, as the server-side templating will not encode things like {{ 77 }} which may execute client-side templating features. It is NOT advised to encode user input prior to inserting into a data store. The data will need to be encoded depending on context of where it is output. It is much safer to force the displaying system to handle the encoding and not attempt to guess how it should be encoded. To handle different contexts, one approach would be to write custom Jinja2 filters. Below is an example that escapes or encodes links and potentially malicious script, note this does not include other contexts such as CSS or attributes:
|
| Improper neutralization of input during web page generation ('Cross-site Scripting') | python_escaping_rule-use-of-mako-templates, CWE-79 | Severity: Medium The application was found using mako templates without Unfortunately, Jinja2 does not support context-aware escaping, meaning it is insufficient to protect against XSS for the various web contexts. It is
Script blocks alone have multiple ways they need to be encoded. Extra care must be taken if user input is ever output inside of script tags. User input that is displayed within the application must be encoded, sanitized or validated to ensure it cannot be treated as HTML or executed It is NOT advised to encode user input prior to inserting into a data store. The data will need to be encoded depending on context of where it is output. To handle different contexts, one approach would be to write custom mako filters. Below is an example that escapes or encodes links and
|
| Incorrect permission assignment for critical resource | python_file-permissions_rule-general-bad-permission, CWE-732 | Severity: Medium The application was found setting file permissions to overly permissive values. Consider using the following values if the application user is the only process to access the file:
Example creating a file with read/write permissions for the application user: For all other values please see: File-system_permissions OWASP:
|
| Improper limitation of a pathname to a restricted directory ('Path Traversal') | python_files_rule-tarfile-unsafe-members, CWE-22 | Severity: Medium The application may be vulnerable to a path traversal if it extracts untrusted archive files. This vulnerability is colloquially known as 'Zip Slip'. Archive files may contain folders which, when extracted, may write outside of the intended directory. This is exploited by including path traversal characters such as Extra care must be taken when extracting archive files as there are numerous concerns:
Example of securely processing an archive file:
|
| Active debug code | python_flask_rule-app-debug, CWE-489 | Severity: Medium The Flask application is running with Additionally, it is not recommended to run a Flask application using
|
| Cleartext transmission of sensitive information | python_ftp_rule-ftplib, CWE-319 | Severity: Medium The application was found using an FTP library. As FTP does not provide encryption, it is strongly recommended that any file transfers be done over a more secure transport such as SSH. The paramiko library can be used with an SCP module to allow secure file transfers. Example using
|
| Allocation of resources without limits or throttling | python_requests_rule-request-without-timeout, CWE-770 | Severity: Medium The application was found using the To remediate this issue, pass in a Example using a timeout for an HTTP GET request:
|
| Cleartext transmission of sensitive information | python_snmp_rule-insecure-snmp-version, CWE-319 | Severity: Medium Pysnmp was detected using versions SNMPv1 or SNMPv2. SNPMv1 and SNMPv2 are insecure and should no longer be used as they do not offer encryption. If possible, query SNMP devices using SNMPv3 instead. Example querying a device using SNMPv3 with SHA-AES:
|
| Cleartext transmission of sensitive information | python_snmp_rule-snmp-weak-cryptography, CWE-319 | Severity: Medium Pysnmp was detected using SNMPv3 without authentication or encryption protections enabled.
To enhance the security of your SNMP communications, it is recommended to use both authentication and privacy features in SNMPv3:
Example of secure
|
| Key exchange without entity authentication | python_ssh_rule-ssh-nohost-key-verification, CWE-322 | Severity: Medium The application was found to ignore host keys. Host keys are important as they provide assurance that the client can prove that the host is trusted. By ignoring these host keys, it is impossible for the client to validate the connection is to a trusted host. To remediate this issue, remove the call to Example configuration connecting to a known, trusted host, and not allowing connections to unknown hosts:
|
| Improper certificate validation | python_ssl_rule-req-no-certvalid, CWE-295 | Severity: Medium The application was found using the This allows for an adversary who is in between the application and the target host to intercept potentially sensitive information or transmit malicious data. To remediate this issue either remove the Example verifying server certificates for an HTTP GET request:
|
| Inadequate encryption strength | python_ssl_rule-ssl-no-version, CWE-326 | Severity: Medium The application was found calling To remediate this issue, create a new TLS context and pass in Example creating a TLS 1.3 client socket connection by using a newer version of Python
|
| Inadequate Encryption Strength | python_ssl_rule-ssl-with-bad-version, CWE-326 | Severity: Medium The application was found calling an SSL module with SSL or TLS protocols that have known deficiencies. It is strongly recommended that newer applications use TLS 1.2 or 1.3 and If using the To remediate this issue for the Example creating a TLS 1.3 client socket connection by using a newer version of Python
|
| Improper certificate validation | python_ssl_rule-unverified-context, CWE-295 | Severity: Medium The application was found creating a SSL context using the This allows for an adversary who is in between the application and the target host to intercept potentially sensitive information or transmit malicious data. To remediate this issue remove the call to Example creating a TLS 1.3 client socket connection by using a newer version of Python Unverified SSL context detected. This will permit insecure connections without
|
| Cleartext transmission of sensitive information | python_telnet_rule-import-telnib, CWE-319 | Severity: Medium The application was found using a telnet library. As telnet does not provide encryption, it is strongly recommended that communications use a more secure transport such as SSH. The paramiko library can be used to initiate SSH connections. Example using
|
| Insecure temporary file | python_tmpdir_rule-hardcodedtmp, CWE-377 | Severity: Medium The application was found creating files in shared system temporary directories Example using
|
| Insecure temporary file | python_tmpdir_rule-mktemp-q, CWE-377 | Severity: Medium The application was found creating temporary files with the insecure To remediate this issue consider using Example using
|
| Improper authorization in handler for custom URL scheme | python_urlopen_rule-urllib-urlopen, CWE-939 | Severity: Medium The application was found passing in a non-literal value to the To remediate this issue either hardcode the URLs being used in urllib or use the Example using the
|
| Improper restriction of XML external entity reference | python_xml_rule-celement, CWE-611 | Severity: Medium The application was found using the The To remediate the above issues, consider using the Example parsing an XML document using defusedxml:
|
| Improper restriction of XML external entity reference | python_xml_rule-element, CWE-611 | Severity: Medium The application was found using the The To remediate the above issues, consider using the Example parsing an XML document using defusedxml:
|
| Improper restriction of XML external entity reference | python_xml_rule-etree, CWE-611 | Severity: Medium The application was found using the The To remediate the above issues, consider using the Example parsing an XML document using defusedxml:
|
| Improper restriction of XML external entity reference | python_xml_rule-expatbuilder, CWE-611 | Severity: Medium The application was found using the The To remediate the above issues, consider using the Example parsing an XML document using defusedxml:
|
| Improper restriction of XML external entity reference | python_xml_rule-expatreader, CWE-611 | Severity: Medium The application was found using the The To remediate the above issues, consider using the Example parsing an XML document using defusedxml:
|
| Improper restriction of XML external entity reference | python_xml_rule-minidom, CWE-611 | Severity: Medium The application was found using the The To remediate the above issues, consider using the Example parsing an XML document using defusedxml:
|
| Improper restriction of XML external entity reference | python_xml_rule-pulldom, CWE-611 | Severity: Medium The application was found using the The To remediate the above issues, consider using the Example parsing an XML document using defusedxml:
|
| Improper restriction of XML external entity reference | python_xml_rule-sax, CWE-611 | Severity: Medium The application was found using the The To remediate the above issues, consider using the Example parsing an XML document using defusedxml:
|
| Binding to an unrestricted IP address | python_bind-all-interfaces_rule-general-bindall-interfaces, CWE-1327 | Severity: Low Binding to all network interfaces can potentially open up a service to traffic on unintended interfaces, that may not be properly documented or secured. By passing "0.0.0.0", "::" or an empty string as the address to the Consider passing in the interface ip address through an environment variable, configuration file, or by determining the primary interface(s) IP address. Example getting the IP address from an environment variable
|
| Use of cryptographically weak pseudo-random number generator (PRNG) | python_random_rule-random, CWE-338 | Severity: Low Depending on the context, generating weak random numbers may expose cryptographic functions, which rely on these numbers, to be exploitable. When generating numbers for sensitive values such as tokens, nonces, and cryptographic keys, it is recommended that the Example using the secrets module:
|
| Improper check for unusual or exceptional conditions | python_assert_rule-assert-used, CWE-754 | Severity: Info The application was found using To remediate this issue, remove the Example using
|
scala¶
| Name | Identifiers | Description |
|---|---|---|
| Use of Hard-coded Password | scala_password_rule-ConstantDBPassword, CWE-259 | Severity: Critical A potential hard-coded password was identified in a database connection string. Passwords should not be stored directly in code but loaded from secure locations such as a Key Management System (KMS). The purpose of using a Key Management System is so access can be audited and keys easily rotated in the event of a breach. By hardcoding passwords, it will be extremely difficult to determine when or if, a key is compromised. The recommendation on which KMS to use depends on the environment the application is running in:
|
| Use of Hard-coded Password | scala_password_rule-EmptyDBPassword, CWE-259 | Severity: Critical The application does not provide authentication when communicating a database server. It is strongly recommended that the database server be configured with authentication and restrict what queries users can execute. Please see your database server's documentation on how to configure a password. Additionally, passwords should not be stored directly in code but loaded from secure locations such as a Key Management System (KMS). The purpose of using a Key Management System is so access can be audited and keys easily rotated in the event of a breach. By hardcoding passwords, it will be extremely difficult to determine when or if, a key is compromised. The recommendation on which KMS to use depends on the environment the application is running in:
|
| Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') | scala_cookie_rule-HttpResponseSplitting, CWE-113 | Severity: High When an HTTP request contains unexpected CR and LF characters, the server may respond with an output stream that is interpreted as two different HTTP responses (instead of one). An attacker can control the second response and mount attacks such as cross-site scripting and cache poisoning attacks. OWASP: |
| Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') | scala_cookie_rule-RequestParamToHeader, CWE-113 | Severity: High This code directly writes an HTTP parameter to an HTTP header, which allows for a HTTP response splitting vulnerability. See http://en.wikipedia.org/wiki/HTTP_response_splitting for more information. OWASP: |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | scala_inject_rule-CustomInjectionSQLString, CWE-89 | Severity: High The method identified is susceptible to injection. The input should be validated and properly escaped. OWASP: |
| Improper Control of Generation of Code ('Code Injection') | scala_inject_rule-ELInjection, CWE-94 | Severity: High An expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation. OWASP: |
| Improper limitation of a pathname to a restricted directory ('Path Traversal') | scala_inject_rule-PathTraversalOut, CWE-22 | Severity: High A file is opened to write to its contents. The filename comes from an input parameter. If an unfiltered parameter is passed to this file API, files at an arbitrary filesystem location could be modified. This rule identifies potential path traversal vulnerabilities. In many cases, the constructed file path cannot be controlled by the user. OWASP:
|
| Improperly implemented security check for standard | scala_ldap_rule-EntryPoisoning, CWE-358 | Severity: High Without proper access control, executing an LDAP statement that contains a user-controlled value can allow an attacker to abuse poorly configured LDAP context OWASP: |
| Use of Hard-coded Password | scala_password_rule-HardcodePassword, CWE-259 | Severity: High A potential hard-coded password was identified in the source code. Passwords should not be stored directly in code but loaded from secure locations such as a Key Management System (KMS). The purpose of using a Key Management System is so access can be audited and keys easily rotated in the event of a breach. By hardcoding passwords, it will be extremely difficult to determine when or if, a key is compromised. The recommendation on which KMS to use depends on the environment the application is running in:
|
| Incorrect Permission Assignment for Critical Resource | scala_perm_rule-OverlyPermissiveFilePermissionInline, CWE-732 | Severity: High Overly permissive file permission OWASP: |
| Improper Validation of Certificate with Host Mismatch | scala_smtp_rule-InsecureSmtp, CWE-297 | Severity: High Server identity verification is disabled when making SSL connections. OWASP:
|
| Improper Neutralization of Special Elements used in a Command | scala_smtp_rule-SmtpClient, CWE-77 | Severity: High Simple Mail Transfer Protocol (SMTP) is a the text based protocol used for email delivery. Like with HTTP, headers are separate by new line separator. If kuser input is place in a header line, the application should remove or replace new line characters (CR / LF). You should use a safe wrapper such as Apache Common Email and Simple Java Mail which filter special characters that can lead to header injection. OWASP: |
| External Control of System or Configuration Setting | scala_unsafe_rule-ExternalConfigControl, CWE-15 | Severity: High Allowing external control of system settings can disrupt service or cause an application to behave in unexpected, and potentially malicious ways. An attacker could cause an error by providing a nonexistent catalog name or connect to an unauthorized portion of the database. OWASP: |
| Deserialization of Untrusted Data | scala_xml_rule-XmlDecoder, CWE-502 | Severity: High Avoid using XMLDecoder to parse content from an untrusted source. OWASP: |
| Inadequate Encryption Strength | scala_crypto_rule-BlowfishKeySize, CWE-326 | Severity: Medium A small key size makes the ciphertext vulnerable to brute force attacks. At least 128 bits of entropy should be used when generating the key if use of Blowfish is required. OWASP: |
| Inadequate Encryption Strength | scala_crypto_rule-CipherDESInsecure, CWE-326 | Severity: Medium DES is considered strong ciphers for modern applications. Currently, NIST recommends the usage of AES block ciphers instead of DES. OWASP: |
| Inadequate Encryption Strength | scala_crypto_rule-CipherDESedeInsecure, CWE-326 | Severity: Medium Triple DES (also known as 3DES or DESede) is considered strong ciphers for modern applications. NIST recommends the usage of AES block ciphers instead of 3DES. OWASP: |
| Inadequate Encryption Strength | scala_crypto_rule-CipherECBMode, CWE-326 | Severity: Medium An authentication cipher mode which provides better confidentiality of the encrypted data should be used instead of Electronic Code Book (ECB) mode, which does not provide good confidentiality. Specifically, ECB mode produces the same output for the same input each time. This allows an attacker to intercept and replay the data. OWASP: |
| Missing Support for Integrity Check | scala_crypto_rule-CipherIntegrity, CWE-353 | Severity: Medium The ciphertext produced is susceptible to alteration by an adversary. This mean that the cipher provides no way to detect that the data has been tampered with. If the ciphertext can be controlled by an attacker, it could be altered without detection. OWASP: |
| Incorrect Behavior Order | scala_crypto_rule-CipherPaddingOracle, CWE-696 | Severity: Medium This specific mode of CBC with PKCS5Padding is susceptible to padding oracle attacks. An adversary could potentially decrypt the message if the system exposed the difference between plaintext with invalid padding or valid padding. The distinction between valid and invalid padding is usually revealed through distinct error messages being returned for each condition. OWASP: |
| Use of a Broken or Risky Cryptographic Algorithm | scala_crypto_rule-CustomMessageDigest, CWE-327 | Severity: Medium Implementing a custom MessageDigest is error-prone. National Institute of Standards and Technology(NIST) recommends the use of SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, or SHA-512/256. OWASP: |
| Inadequate Encryption Strength | scala_crypto_rule-HazelcastSymmetricEncryption, CWE-326 | Severity: Medium The network communications for Hazelcast is configured to use a symmetric cipher (probably DES or Blowfish). Those ciphers alone do not provide integrity or secure authentication. The use of asymmetric encryption is preferred. OWASP: |
| Inadequate Encryption Strength | scala_crypto_rule-InsufficientKeySizeRsa, CWE-326 | Severity: Medium Detected an insufficient key size for DSA. NIST recommends a key size of 2048 or higher. OWASP: |
| Use of a Broken or Risky Cryptographic Algorithm | scala_crypto_rule-NullCipher, CWE-327 | Severity: Medium The NullCipher implements the Cipher interface by returning ciphertext identical to the supplied plaintext. In a few contexts, such as testing, a NullCipher may be appropriate. Avoid using the NullCipher. Its accidental use can introduce a significant confidentiality risk. OWASP: |
| Use of RSA Algorithm without OAEP | scala_crypto_rule-RsaNoPadding, CWE-780 | Severity: Medium The software uses the RSA algorithm but does not incorporate Optimal Asymmetric Encryption Padding (OAEP), which might weaken the encryption. OWASP:
|
| Inadequate Encryption Strength | scala_crypto_rule-WeakMessageDigest, CWE-326 | Severity: Medium DES is considered strong ciphers for modern applications. Currently, NIST recommends the usage of AES block ciphers instead of DES. OWASP: |
| Improper Certificate Validation | scala_crypto_rule-WeakTLSProtocol, CWE-295 | Severity: Medium A HostnameVerifier that accept any host are often use because of certificate reuse on many hosts. As a consequence, this is vulnerable to Man-in-the-middleattacks attacks since the client will trust any certificate. OWASP: |
| Use of less trusted source | scala_endpoint_rule-JaxRsEndpoint, CWE-348 | Severity: Medium This method is part of a REST Web Service (JSR311). The security of this web service should be analyzed. For example: |
| Improper limitation of a pathname to a restricted directory ('Path Traversal') | scala_file_rule-FilenameUtils, CWE-22 | Severity: Medium A file is opened to read its content. The filename comes from an input parameter. If an unfiltered parameter is passed to this file API, files from an arbitrary filesystem location could be read. OWASP:
|
| Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') | scala_inject_rule-LDAPInjection, CWE-90 | Severity: Medium Just like SQL, all inputs passed to an LDAP query need to be passed in safely. Unfortunately, LDAP doesn't have prepared statement interfaces like SQL. Therefore, the primary defense against LDAP injection is strong input validation of any untrusted data before including it in an LDAP query. OWASP: |
| Expression injection (OGNL) | scala_inject_rule-OgnlInjection, CWE-917 | Severity: Medium "A expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation." OWASP: |
| Improper limitation of a pathname to a restricted directory ('Path Traversal') | scala_inject_rule-PathTraversalIn, CWE-22 | Severity: Medium A file is opened to read its content. The filename comes from an input parameter. If an unfiltered parameter is passed to this file API, files from an arbitrary filesystem location could be read. This rule identifies potential path traversal vulnerabilities. In many cases, the constructed file path cannot be controlled by the user. OWASP:
|
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | scala_inject_rule-SqlInjection, CWE-89 | Severity: Medium The input values included in SQL queries need to be passed in safely. Bind variables in prepared statements can be used to easily mitigate the risk of SQL injection. OWASP:
|
| Incorrect Permission Assignment for Critical Resource | scala_perm_rule-OverlyPermissiveFilePermissionObj, CWE-732 | Severity: Medium Overly permissive file permission OWASP: |
| Improper Control of Generation of Code ('Code Injection') | scala_script_rule-SpelView, CWE-94 | Severity: Medium The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. OWASP:
|
| Server-Side Request Forgery (SSRF) | scala_ssrf_rule-PlaySSRF, CWE-918 | Severity: Medium Server-Side Request Forgery occur when a web server executes a request to a user supplied destination parameter that is not validated. Such vulnerabilities could allow an attacker to access internal services or to launch attacks from your web server. OWASP: |
| Incorrect Type Conversion or Cast | scala_strings_rule-BadHexConversion, CWE-704 | Severity: Medium When converting a byte array containing a hash signature to a human readable string, a conversion mistake can be made if the array is read byte by byte. OWASP: |
| Improper Handling of Unicode Encoding | scala_strings_rule-ImproperUnicode, CWE-176 | Severity: Medium Improper Handling of Unicode Encoding OWASP: |
| Weak authentication | scala_xml_rule-SAMLIgnoreComments, CWE-1390 | Severity: Medium Ignoring XML comments in SAML may lead to authentication bypass OWASP: |
| Improper Restriction of XML External Entity Reference ('XXE') | scala_xpathi_rule-XpathInjection, CWE-611 | Severity: Medium The input values included in SQL queries need to be passed in safely. Bind variables in prepared statements can be used to easily mitigate the risk of SQL injection. OWASP: |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | scala_xss_rule-RequestWrapper, CWE-79 | Severity: Medium Avoid using custom XSS filtering. Please use standard sanitization functions. OWASP: |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | scala_xss_rule-WicketXSS, CWE-79 | Severity: Medium Disabling HTML escaping put the application at risk for Cross-Site Scripting (XSS). OWASP: |
| Improper Neutralization of Input During Web Page Generation | scala_xss_rule-XSSReqParamToServletWriter, CWE-79 | Severity: Medium Servlet reflected cross site scripting vulnerability OWASP: |
| Improper Restriction of XML External Entity Reference ('XXE') | scala_xxe_rule-Document, CWE-611 | Severity: Medium XML External Entity (XXE) attacks can occur when an XML parser supports XML entities while processing XML received from an untrusted source. OWASP: |
| Improper Restriction of XML External Entity Reference ('XXE') | scala_xxe_rule-Trans, CWE-611 | Severity: Medium XML External Entity (XXE) attacks can occur when an XML parser supports XML entities while processing XML received from an untrusted source. OWASP: |
| Improper Restriction of XML External Entity Reference ('XXE') | scala_xxe_rule-XMLRdr, CWE-611 | Severity: Medium XML External Entity (XXE) attacks can occur when an XML parser supports XML entities while processing XML received from an untrusted source. OWASP: |
| Improper Restriction of XML External Entity Reference ('XXE') | scala_xxe_rule-XMLStreamRdr, CWE-611 | Severity: Medium XML External Entity (XXE) attacks can occur when an XML parser supports XML entities while processing XML received from an untrusted source. OWASP: |
| Improper Restriction of XML External Entity Reference ('XXE') | scala_xxe_rule-XPathXXE, CWE-611 | Severity: Medium XML External Entity (XXE) attacks can occur when an XML parser supports XML entities while processing XML received from an untrusted source. OWASP: |
| Sensitive Cookie Without 'HttpOnly' Flag | scala_cookie_rule-CookieHTTPOnly, CWE-1004 | Severity: Low A new cookie is created without the HttpOnly flag set. The HttpOnly flag is a directive to the browser to make sure that the cookie can not be red by malicious script. When a user is the target of a "Cross-Site Scripting", the attacker would benefit greatly from getting the session id for example. OWASP: |
| Information Exposure Through Persistent Cookies | scala_cookie_rule-CookieInsecure, CWE-539 | Severity: Low "A new cookie is created without the Secure flag set. The Secure flag is a |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | scala_inject_rule-CustomInjection, CWE-89 | Severity: Low The method identified is susceptible to injection. The input should be validated and properly escaped. OWASP: |
| Server-Side Request Forgery (SSRF) | scala_ssrf_rule-SSRF, CWE-918 | Severity: Low Server-Side Request Forgery occur when a web server executes a request to a user supplied destination parameter that is not validated. Such vulnerabilities could allow an attacker to access internal services or to launch attacks from your web server. OWASP: |
| Information Exposure Through an Error Message | scala_unsafe_rule-InformationExposure, CWE-209 | Severity: Low The sensitive information may be valuable information on its own (such as a password), or it may be useful for launching other, more deadly attacks. If an attack fails, an attacker may use error information provided by the server to launch another more focused attack. For example, an attempt to exploit a path traversal weakness (CWE-22) might yield the full pathname of the installed application. OWASP: |
| Sensitive Cookie in HTTPS Session Without 'Secure' Attribute | scala_cookie_rule-CookiePersistent, CWE-614 | Severity: Info "Storing sensitive data in a persistent cookie for an extended period can lead to a breach of confidentiality or account compromise." OWASP: |
| Sensitive Cookie in HTTPS Session Without 'Secure' Attribute | scala_cookie_rule-CookieUsage, CWE-614 | Severity: Info The information stored in a custom cookie should not be sensitive or related to the session. In most cases, sensitive data should only be stored in session and referenced by the user's session cookie. OWASP: |
| Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') | scala_cookie_rule-RequestParamToCookie, CWE-113 | Severity: Info This code constructs an HTTP Cookie using an untrusted HTTP parameter. If this cookie is added to an HTTP response, it will allow a HTTP response splitting vulnerability. See http://en.wikipedia.org/wiki/HTTP_response_splitting for more information. OWASP: |
| Trust Boundary Violation | scala_cookie_rule-TrustBoundaryViolation, CWE-501 | Severity: Info A trust boundary can be thought of as line drawn through a program. On one side of the line, data is untrusted. On the other side of the line, data is assumed to be trustworthy. The purpose of validation logic is to allow data to safely cross the trust boundary - to move from untrusted to trusted. A trust boundary violation occurs when a program blurs the line between what is trusted and what is untrusted. By combining trusted and untrusted data in the same data structure, it becomes easier for programmers to mistakenly trust unvalidated data. OWASP: |
| Permissive Cross-domain Policy with Untrusted Domains | scala_cors_rule-PermissiveCORS, CWE-942 | Severity: Info Prior to HTML5, Web browsers enforced the Same Origin Policy which ensures that in order for JavaScript to access the contents of a Web page, both the JavaScript and the Web page must originate from the same domain. Without the Same Origin Policy, a malicious website could serve up JavaScript that loads sensitive information from other websites using a client's credentials, cull through it, and communicate it back to the attacker. HTML5 makes it possible for JavaScript to access data across domains if a new HTTP header called Access-Control-Allow-Origin is defined. With this header, a Web server defines which other domains are allowed to access its domain using cross-origin requests. However, caution should be taken when defining the header because an overly permissive CORS policy will allow a malicious application to communicate with the victim application in an inappropriate way, leading to spoofing, data theft, relay and other attacks. OWASP: |
| Inadequate encryption strength | scala_crypto_rule-DefaultHTTPClient, CWE-326 | Severity: Info DefaultHttpClient with default constructor is not compatible with TLS 1.2 OWASP: |
| Use of less trusted source | scala_endpoint_rule-JaxWsEndpoint, CWE-348 | Severity: Info This method is part of a SOAP Web Service (JSR224). The security of this web service should be analyzed. For example:
|
| Cleartext transmission of sensitive information | scala_endpoint_rule-UnencryptedSocket, CWE-319 | Severity: Info Beyond using an SSL socket, you need to make sure your use of SSLSocketFactory does all the appropriate certificate validation checks to make sure you are not subject to man-in-the-middle attacks. Please read the OWASP Transport Layer Protection Cheat Sheet for details on how to do this correctly. OWASP:
|
| URL Redirection to Untrusted Site ('Open Redirect') | scala_endpoint_rule-UnvalidatedRedirect, CWE-601 | Severity: Info Unvalidated redirects occur when an application redirects a user to a destination URL specified by a user supplied parameter that is not validated. Such vulnerabilities can be used to facilitate phishing attacks. OWASP: |
| Improper Certificate Validation | scala_endpoint_rule-WeakHostNameVerification, CWE-295 | Severity: Info A HostnameVerifier that accept any host are often use because of certificate reuse on many hosts. As a consequence, this is vulnerable to Man-in-the-middle attacks since the client will trust any certificate. OWASP: |
| Improper limitation of a pathname to a restricted directory ('Path Traversal') | scala_file_rule-FileUploadFileName, CWE-22 | Severity: Info The filename provided by the FileUpload API can be tampered with by the client to reference unauthorized files. The provided filename should be properly validated to ensure it's properly structured, contains no unauthorized path characters (e.g., / ), and refers to an authorized file. OWASP:
|
| Improper validation of unsafe equivalence in input | scala_form_rule-FormValidate, CWE-1289 | Severity: Info Form inputs should have minimal input validation. Preventive validation helps provide defense in depth against a variety of risks. OWASP: |
| Improper Neutralization of Special Elements in Data Query Logic | scala_inject_rule-AWSQueryInjection, CWE-943 | Severity: Info Constructing SimpleDB queries containing user input can allow an attacker to view unauthorized records. OWASP: |
| External Control of System or Configuration Setting | scala_inject_rule-BeanPropertyInjection, CWE-15 | Severity: Info An attacker can set arbitrary bean properties that can compromise system integrity. An attacker can leverage this functionality to access special bean properties like class.classLoader that will allow them to override system properties and potentially execute arbitrary code. OWASP: |
| Improper Neutralization of CRLF Sequences ('CRLF Injection') | scala_inject_rule-CLRFInjectionLogs, CWE-93 | Severity: Info When data from an untrusted source is put into a logger and not neutralized correctly, an attacker could forge log entries or include malicious content. Inserted false entries could be used to skew statistics, distract the administrator or even to implicate another party in the commission of a malicious act. If the log file is processed automatically, the attacker can render the file unusable by corrupting the format of the file or injecting unexpected characters. An attacker may also inject code or other commands into the log file and take advantage of a vulnerability in the log processing utility (e.g. command injection or XSS). OWASP: |
| Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | scala_inject_rule-CommandInjection, CWE-78 | Severity: Info The highlighted API is used to execute a system command. If unfiltered input is passed to this API, it can lead to arbitrary command execution. OWASP: |
| Files or Directories Accessible to External Parties | scala_inject_rule-FileDisclosure, CWE-552 | Severity: Info Constructing a server-side redirect path with user input could allow an attacker to download application binaries (including application classes or jar files) or view arbitrary files within protected directories. OWASP: |
| Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') | scala_inject_rule-HttpParameterPollution, CWE-88 | Severity: Info Concatenating unvalidated user input into a URL can allow an attacker to override the value of a request parameter. Attacker may be able to override existing parameter values, inject a new parameter or exploit variables out of a direct reach. HTTP Parameter Pollution (HPP) attacks consist of injecting encoded query string delimiters into other existing parameters. If a web application does not properly sanitize the user input, a malicious user may compromise the logic of the application to perform either client-side or server-side attacks. OWASP: |
| Improper limitation of a pathname to a restricted directory ('Path Traversal') | scala_inject_rule-SpotbugsPathTraversalAbsolute, CWE-22 | Severity: Info "The software uses an HTTP request parameter to construct a pathname that should be within a restricted directory, but it does not properly neutralize absolute path sequences such as
|
| Improper limitation of a pathname to a restricted directory ('Path Traversal') | scala_inject_rule-SpotbugsPathTraversalRelative, CWE-22 | Severity: Info "The software uses an HTTP request parameter to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory. See http://cwe.mitre.org/data/definitions/23.html for more information." OWASP:
|
| Improperly implemented security check for standard | scala_ldap_rule-AnonymousLDAP, CWE-358 | Severity: Info Without proper access control, executing an LDAP statement that contains a user-controlled value can allow an attacker to abuse poorly configured LDAP context OWASP: |
| Insecure inherited permissions | scala_perm_rule-DangerousPermissions, CWE-277 | Severity: Info Do not grant dangerous combinations of permissions. OWASP: |
| Improper Control of Generation of Code ('Code Injection') | scala_script_rule-ScriptInjection, CWE-94 | Severity: Info The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. OWASP:
|
| Use of Externally-Controlled Format String | scala_strings_rule-FormatStringManipulation, CWE-134 | Severity: Info Allowing user input to control format parameters could enable an attacker to cause exceptions to be thrown or leak information.Attackers may be able to modify the format string argument, such that an exception is thrown. If this exception is left uncaught, it may crash the application. Alternatively, if sensitive information is used within the unused arguments, attackers may change the format string to reveal this information. OWASP: |
| Collapse of data into unsafe value | scala_strings_rule-ModifyAfterValidation, CWE-182 | Severity: Info CERT: IDS11-J. Perform any string modifications before validation OWASP: |
| Collapse of data into unsafe value | scala_strings_rule-NormalizeAfterValidation, CWE-182 | Severity: Info IDS01-J. Normalize strings before validating them OWASP: |
| Improper Control of Generation of Code ('Code Injection') | scala_templateinjection_rule-TemplateInjection, CWE-94 | Severity: Info A malicious user in control of a template can run malicious code on the server-side. Velocity templates should be seen as scripts. OWASP: |
| Exposure of sensitive system information to an unauthorized control sphere | scala_unsafe_rule-SensitiveDataExposure, CWE-497 | Severity: Info Applications can unintentionally leak information about their configuration, internal workings, or violate privacy through a variety of application problems. Pages that provide different responses based on the validity of the data can lead to Information Leakage; |
| Deserialization of Untrusted Data | scala_xml_rule-ApacheXmlRpc, CWE-502 | Severity: Info Enabling extensions in Apache XML RPC server or client can lead to deserialization vulnerability which would allow an attacker to execute arbitrary code. OWASP: |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | scala_xss_rule-MVCApi, CWE-79 | Severity: Info Disabling HTML escaping put the application at risk for Cross-Site Scripting (XSS). OWASP: |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | scala_xss_rule-XSSServlet, CWE-79 | Severity: Info A potential XSS was found. It could be used to execute unwanted JavaScript in a client's browser. OWASP: |
| Improper Restriction of XML External Entity Reference ('XXE') | scala_xxe_rule-SaxParserXXE, CWE-611 | Severity: Info XML External Entity (XXE) attacks can occur when an XML parser supports XML entities while processing XML received from an untrusted source. OWASP: |
swift¶
| Name | Identifiers | Description |
|---|---|---|
| Authentication bypass by primary weakness | rules_lgpl_swift_other_rule-ios-biometric-acl, CWE-305 | Severity: Critical Weak biometric ACL flag is associated with a key stored in Keychain. Here's an example of how to fix the problem by using .biometryCurrentSet
|
| Cleartext storage of sensitive information | rules_lgpl_swift_other_rule-ios-file-no-special, CWE-312 | Severity: Critical The file has no special protections associated with it. Using .noFileProtection or FileProtectionType.none for Here's an example of how to fix the problem:
|
| Selection of less-secure algorithm during negotiation ('algorithm downgrade') | rules_lgpl_swift_other_rule-ios-tls3-not-used, CWE-757 | Severity: Critical The app uses TLS 1.0, TLS 1.1 or TLS 1.2. TLS 1.3 should be used instead. TLS versions 1.1 and 1.0 were deprecated by the IETF in June 2018 due to TLS 1.3 includes several security improvements over previous versions, such as stronger cryptographic algorithms and negotiation mechanisms, reducing Example using TLS 1.3:
|
| Selection of less-secure algorithm during negotiation ('algorithm downgrade') | rules_lgpl_swift_other_rule-ios-dtls1-used, CWE-757 | Severity: Medium DTLS 1.2 should be used. Detected old version - DTLS 1.0. DTLS (Datagram Transport Layer Security) 1.0 suffers from Here's an example of how to use DTLS 1.2:
|
| Authentication bypass by primary weakness | rules_lgpl_swift_other_rule-ios-keychain-weak-accessibility-value, CWE-305 | Severity: Medium A key stored in the Keychain is using a weak accessibility value. kSecAttrAccessibleAlways allows access to the keychain item at all To mitigate these security risks, it's important to use the appropriate Here's an example code that fixes the problem by using the
|