diff --git a/generate_profiles/BuildXmlFiles.groovy b/generate_profiles/BuildXmlFiles.groovy
index 528dfb66..7353d7bc 100644
--- a/generate_profiles/BuildXmlFiles.groovy
+++ b/generate_profiles/BuildXmlFiles.groovy
@@ -122,41 +122,23 @@ def writeRules(String rulesSetName,List plugins,List includedBug
 configKey(pattern.attribute("type"))
 description(pattern.Details.text().trim())
- //OWASP TOP 10 2013
- if (pattern.Details.text().toLowerCase().contains('injection') || pattern.Details.text().contains('A1-Injection')) {
+ //OWASP TOP 10 2017
+ if (pattern.Details.text().toLowerCase().contains('injection') || pattern.Details.text().contains('2017_A1-Injection')) {
 tag("owasp-a1")
 tag("injection")
 }
- if (pattern.Details.text().contains('A2-Broken_Authentication_and_Session_Management')) {
- tag("owasp-a2")
- }
- if (pattern.attribute("type").contains("XSS") || pattern.Details.text().contains('A3-Cross-Site_Scripting')) {
- tag("owasp-a3")
- }
- if (pattern.Details.text().contains('A4-Insecure_Direct_Object_References') || pattern.Details.text().contains('Path_Traversal')) {
- tag("owasp-a4")
+ if (pattern.attribute("type").contains("XSS") || pattern.Details.text().contains('2017_A7-Cross-Site_Scripting')) {
+ tag("owasp-a7")
 }
- if (pattern.Details.text().contains('A5-Security_Misconfiguration')) {
+ if (pattern.Details.text().contains('Path_Traversal')) {
 tag("owasp-a5")
 }
 if (pattern.attribute('type').equals('HARD_CODE_PASSWORD') || pattern.attribute("type") in cryptoBugs ||
- pattern.Details.text().contains('A6-Sensitive_Data_Exposure')) {
- tag("owasp-a6")
+ pattern.Details.text().contains('2017_A3-Sensitive_Data_Exposure')) {
+ tag("owasp-a3")
 tag("cryptography")
 }
- if (pattern.Details.text().contains('A7-Missing_Function_Level_Access_Control')) {
- tag("owasp-a7")
- }
- if (pattern.Details.text().toLowerCase().contains('A8-Cross-Site_Request_Forgery')) {
- tag("owasp-a8")
- }
- if (pattern.Details.text().toLowerCase().contains('A9-Using_Components_with_Known_Vulnerabilities')) {
- tag("owasp-a9")
- }
- if (pattern.Details.text().toLowerCase().contains('A10-Unvalidated_Redirects_and_Forwards')) {
- tag("owasp-a10")
- }
 //Misc tags 
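Review bot: The new a5 branch keys only on `'Path_Traversal'`, so the `Insecure_Direct_Object_References` match that the removed A4 branch carried is dropped even though that category belongs to 2017 A5 Broken Access Control, and no branch exists at all for the 2017 A2, A4, A6 and A8 categories, so any rule whose Details cite those slugs is now emitted with no owasp tag where it previously got one. The condition could read `if (pattern.Details.text().contains('Path_Traversal') || pattern.Details.text().contains('Insecure_Direct_Object_References') || pattern.Details.text().contains('2017_A5-Broken_Access_Control')) {` (the last slug is constructed here to mirror the `2017_A1-Injection` form used above; confirm it against the OWASP page names the rule descriptions actually cite). Since `owasp-a3`, `owasp-a5` and `owasp-a7` now denote different categories than they did under the 2013 list, a comment such as `// tag names follow OWASP Top 10 2017 positions; a3/a5/a7 meant other categories under the 2013 list` above the block would keep the next maintainer from reading the tags with 2013 semantics. The `contains('2017_A1-Injection')` clause is redundant, because the preceding lower-cased `contains('injection')` already matches that text. writeRules starts and ends outside this hunk.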
diff --git a/src/main/resources/org/sonar/plugins/findbugs/rules-findbugs.xml b/src/main/resources/org/sonar/plugins/findbugs/rules-findbugs.xml index 75c9d835..39bbdc28 100644 --- a/src/main/resources/org/sonar/plugins/findbugs/rules-findbugs.xml +++ b/src/main/resources/org/sonar/plugins/findbugs/rules-findbugs.xml @@ -150,7 +150,7 @@ If SpotBugs found <em>any</em>, you <em>almost certainly</e vulnerabilities that SpotBugs doesn't report. If you are concerned about cross site scripting, you should seriously consider using a commercial static analysis or pen-testing tool. </p> - owasp-a3 + owasp-a7 security @@ -165,7 +165,7 @@ If SpotBugs found <em>any</em>, you <em>almost certainly</e vulnerabilities that SpotBugs doesn't report. If you are concerned about cross site scripting, you should seriously consider using a commercial static analysis or pen-testing tool. </p> - owasp-a3 + owasp-a7 security diff --git a/src/main/resources/org/sonar/plugins/findbugs/rules-findsecbugs.xml b/src/main/resources/org/sonar/plugins/findbugs/rules-findsecbugs.xml index d44e6c41..a4ea6b17 100644 --- a/src/main/resources/org/sonar/plugins/findbugs/rules-findsecbugs.xml +++ b/src/main/resources/org/sonar/plugins/findbugs/rules-findsecbugs.xml @@ -81,8 +81,8 @@ The HTTP header Content-Type can be controlled by the client. As such, its value Security - Untrusted Hostname header SERVLET_SERVER_NAME - <p>The hostname header can be controlled by the client. As such, its value should not be used in any security critical decisions. -Both <code>ServletRequest.getServerName()</code> and <code>HttpServletRequest.getHeader("Host")</code> have the same + <p>The hostname header can be controlled by the client. As such, its value should not be used in any security critical decisions. +Both <code>ServletRequest.getServerName()</code> and <code>HttpServletRequest.getHeader("Host")</code> have the same behavior which is to extract the <code>Host</code> header.</p> <pre> GET /testpage HTTP/1.1 
@@ -109,7 +109,7 @@ The method <a href="http://docs.oracle.com/javaee/6/api/javax/servlet/http/Ht typically returns the value of the cookie <code>JSESSIONID</code>. This value is normally only accessed by the session management logic and not normal developer code. </p> <p> -The value passed to the client is generally an alphanumeric value (e.g., <code>JSESSIONID=jp6q31lq2myn</code>). However, the value can be altered by the client. +The value passed to the client is generally an alphanumeric value (e.g., <code>JSESSIONID=jp6q31lq2myn</code>). However, the value can be altered by the client. The following HTTP request illustrates the potential modification. <pre> GET /somePage HTTP/1.1 @@ -118,8 +118,8 @@ User-Agent: Mozilla/5.0 Cookie: JSESSIONID=Any value of the user&#39;s choice!!??'''&quot;&gt; </pre> </p> -<p>As such, the JSESSIONID should only be used to see if its value matches an existing session ID. If it does not, the user should be -considered an unauthenticated user. In addition, the session ID value should never be logged. If it is, then the log file could contain +<p>As such, the JSESSIONID should only be used to see if its value matches an existing session ID. If it does not, the user should be +considered an unauthenticated user. In addition, the session ID value should never be logged. If it is, then the log file could contain valid active session IDs, allowing an insider to hijack any sessions whose IDs have been logged and are still active. </p> <br/> 
@@ -138,9 +138,9 @@ valid active session IDs, allowing an insider to hijack any sessions whose IDs h <p>The query string is the concatenation of the GET parameter names and values. Parameters other than those intended can be passed in.</p> <p>For the URL request <code>/app/servlet.htm?a=1&b=2</code>, the query string extract will be <code>a=1&b=2</code></p> -<p>Just as is true for individual parameter values retrieved via methods like <code>HttpServletRequest.getParameter()</code>, +<p>Just as is true for individual parameter values retrieved via methods like <code>HttpServletRequest.getParameter()</code>, the value obtained from <code>HttpServletRequest.getQueryString()</code> should be considered unsafe. -You may need to validate or sanitize anything pulled from the query string before passing it to sensitive APIs. +You may need to validate or sanitize anything pulled from the query string before passing it to sensitive APIs. </p> <br/> <p> @@ -153,8 +153,8 @@ You may need to validate or sanitize anything pulled from the query string befor Security - HTTP headers untrusted SERVLET_HEADER - <p>Request headers can easily be altered by the requesting user. In general, no assumption should be made that -the request came from a regular browser without modification by an attacker. As such, it is recommended that you + <p>Request headers can easily be altered by the requesting user. In general, no assumption should be made that +the request came from a regular browser without modification by an attacker. As such, it is recommended that you not trust this value in any security decisions you make with respect to a request.</p> <br/> <p> 
@@ -219,7 +219,7 @@ and referenced by the user's session cookie. See HttpSession (<code>HttpSe Security - Potential Path Traversal (file read) PATH_TRAVERSAL_IN - <p>A file is opened to read its content. The filename comes from an <b>input</b> parameter. + <p>A file is opened to read its content. The filename comes from an <b>input</b> parameter. If an unfiltered parameter is passed to this file API, files from an arbitrary filesystem location could be read.</p> <p>This rule identifies <b>potential</b> path traversal vulnerabilities. In many cases, the constructed file path cannot be controlled by the user. If that is the case, the reported instance is a false positive.</p> @@ -267,7 +267,7 @@ public Response getImage(@javax.ws.rs.PathParam("image") String image) { <a href="http://capec.mitre.org/data/definitions/126.html">CAPEC-126: Path Traversal</a><br/> <a href="http://cwe.mitre.org/data/definitions/22.html">CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')</a> </p> - owasp-a4 + owasp-a5 wasc cwe security @@ -275,7 +275,7 @@ public Response getImage(@javax.ws.rs.PathParam("image") String image) { Security - Potential Path Traversal (file write) PATH_TRAVERSAL_OUT - <p>A file is opened to write to its contents. The filename comes from an <b>input</b> parameter. + <p>A file is opened to write to its contents. The filename comes from an <b>input</b> parameter. If an unfiltered parameter is passed to this file API, files at an arbitrary filesystem location could be modified.</p> <p>This rule identifies <b>potential</b> path traversal vulnerabilities. In many cases, the constructed file path cannot be controlled by the user. If that is the case, the reported instance is a false positive.</p> 
@@ -287,7 +287,7 @@ by the user. If that is the case, the reported instance is a false positive.< <a href="http://capec.mitre.org/data/definitions/126.html">CAPEC-126: Path Traversal</a><br/> <a href="http://cwe.mitre.org/data/definitions/22.html">CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')</a> </p> - owasp-a4 + owasp-a5 wasc cwe security @@ -308,6 +308,7 @@ r.exec("/bin/sh -c some_tool" + input);</pre> <b>References</b><br/> <a href="https://www.owasp.org/index.php/Command_Injection">OWASP: Command Injection</a><br/> <a href="https://www.owasp.org/index.php/Top_10_2013-A1-Injection">OWASP: Top 10 2013-A1-Injection</a><br/> +<a href="https://www.owasp.org/index.php/Top_10-2017_A1-Injection">OWASP: Top 10 2017-A1-Injection</a><br/> <a href="http://cwe.mitre.org/data/definitions/78.html">CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')</a> </p> owasp-a1 @@ -325,7 +326,7 @@ though Java itself doesn't care about null bytes or treat them special. This OS that looks at the end of the filename (e.g., ends with <code>".log"</code>) to make sure it's a safe file to access.</p> <p>To fix this, two things are recommended: <ul> -<li>Upgrade to Java 7 update 40 or later, or Java 8+ since +<li>Upgrade to Java 7 update 40 or later, or Java 8+ since <a href="http://bugs.java.com/bugdatabase/view_bug.do?bug_id=8014846">NULL byte injection in filenames is fixed in those versions</a>.</li> <li>Strongly validate any filenames provided by untrusted users to make sure they are valid (i.e., don't contain null, don't include path characters, etc).</li> </ul> 
@@ -397,7 +398,7 @@ sc.init(kmf.getKeyManagers(), tmf.getTrustManagers(),null); <a href="http://projects.webappsec.org/w/page/13246945/Insufficient%20Transport%20Layer%20Protection">WASC-04: Insufficient Transport Layer Protection</a><br/> <a href="http://cwe.mitre.org/data/definitions/295.html">CWE-295: Improper Certificate Validation</a> </p> - owasp-a6 + owasp-a3 cryptography wasc cwe @@ -446,7 +447,7 @@ sc.init(kmf.getKeyManagers(), tmf.getTrustManagers(),null); <a href="http://projects.webappsec.org/w/page/13246945/Insufficient%20Transport%20Layer%20Protection">WASC-04: Insufficient Transport Layer Protection</a><br/> <a href="http://cwe.mitre.org/data/definitions/295.html">CWE-295: Improper Certificate Validation</a> </p> - owasp-a6 + owasp-a3 cryptography wasc cwe @@ -612,7 +613,7 @@ mapped in this way are properly validated before they are used.</p> <a href="https://stackoverflow.com/q/22580853/89769">Stackoverflow: Reliable implementation of PBKDF2-HMAC-SHA256 for Java</a><br/> <a href="http://cwe.mitre.org/data/definitions/327.html">CWE-327: Use of a Broken or Risky Cryptographic Algorithm</a> </p> - owasp-a6 + owasp-a3 cryptography cwe security @@ -677,7 +678,7 @@ uses. <b>PBKDF2</b> should be used to hash password for example.< <a href="https://stackoverflow.com/q/22580853/89769">Stackoverflow: Reliable implementation of PBKDF2-HMAC-SHA256 for Java</a><br/> <a href="http://cwe.mitre.org/data/definitions/327.html">CWE-327: Use of a Broken or Risky Cryptographic Algorithm</a> </p> - owasp-a6 + owasp-a3 cryptography cwe security @@ -721,7 +722,7 @@ Upgrade your implementation to use one of the recommended constructs and configu <b>References</b><br/> <a href="https://blogs.oracle.com/java-platform-group/entry/diagnosing_tls_ssl_and_https">Diagnosing TLS, SSL, and HTTPS</a> </p> - owasp-a6 + owasp-a3 cryptography security 
@@ -745,7 +746,7 @@ Upgrade your implementation to the following, and configure <code>https.pr <b>References</b><br/> <a href="https://blogs.oracle.com/java-platform-group/entry/diagnosing_tls_ssl_and_https">Diagnosing TLS, SSL, and HTTPS</a> </p> - owasp-a6 + owasp-a3 cryptography security @@ -789,7 +790,7 @@ sha256Digest.update(password.getBytes());</pre> <a href="http://csrc.nist.gov/groups/ST/toolkit/secure_hashing.html">NIST Approved Hashing Algorithms</a><br/> <a href="http://cwe.mitre.org/data/definitions/327.html">CWE-327: Use of a Broken or Risky Cryptographic Algorithm</a> </p> - owasp-a6 + owasp-a3 cryptography cwe security @@ -803,8 +804,8 @@ sha256Digest.update(password.getBytes());</pre> <li><code>"../../../config/overide_file"</code></li> <li><code>"shell.jsp\u0000expected.gif"</code></li> </ul> -<p>Therefore, such values should not be passed directly to the filesystem API. If acceptable, the application should generate its -own file names and use those. Otherwise, the provided filename should be properly validated to ensure it's properly structured, +<p>Therefore, such values should not be passed directly to the filesystem API. If acceptable, the application should generate its +own file names and use those. Otherwise, the provided filename should be properly validated to ensure it's properly structured, contains no unauthorized path characters (e.g., / \), and refers to an authorized file.</p> <br/> <p> @@ -816,7 +817,7 @@ contains no unauthorized path characters (e.g., / \), and refers to an authorize <a href="http://capec.mitre.org/data/definitions/126.html">CAPEC-126: Path Traversal</a><br/> <a href="http://cwe.mitre.org/data/definitions/22.html">CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')</a> </p> - owasp-a4 + owasp-a5 wasc cwe security 
@@ -1469,6 +1470,7 @@ could be exposed. This could allow an attacker to access unauthorized data or ma <b>References</b><br/> <a href="http://projects.webappsec.org/w/page/13246963/SQL%20Injection">WASC-39: XPath Injection</a><br/> <a href="https://www.owasp.org/index.php/Top_10_2013-A1-Injection">OWASP: Top 10 2013-A1-Injection</a><br/> +<a href="https://www.owasp.org/index.php/Top_10-2017_A1-Injection">OWASP: Top 10 2017-A1-Injection</a><br/> <a href="http://cwe.mitre.org/data/definitions/643.html">CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')</a><br/> <a href="https://www.securecoding.cert.org/confluence/pages/viewpage.action?pageId=61407250">CERT: IDS09-J. Prevent XPath Injection (archive)</a><br/> <a href="http://media.blackhat.com/bh-eu-12/Siddharth/bh-eu-12-Siddharth-Xpath-WP.pdf">Black Hat Europe 2012: Hacking XPath 2.0</a><br/> @@ -1484,7 +1486,7 @@ could be exposed. This could allow an attacker to access unauthorized data or ma Security - Found Struts 1 endpoint STRUTS1_ENDPOINT <p>This class is a Struts 1 Action.</p> -<p>Once a request is routed to this controller, a Form object will automatically be instantiated that contains the HTTP parameters. +<p>Once a request is routed to this controller, a Form object will automatically be instantiated that contains the HTTP parameters. The use of these parameters should be reviewed to make sure they are used safely.</p> security 
@@ -1493,7 +1495,7 @@ The use of these parameters should be reviewed to make sure they are used safely STRUTS2_ENDPOINT <p>In Struts 2, the endpoints are Plain Old Java Objects (POJO) which means no Interface/Class needs to be implemented/extended.</p> <p>When a request is routed to its controller (like the selected class), the supplied HTTP parameters are automatically mapped to setters for -the class. Therefore, all setters of this class should be considered as untrusted input even if the form doesn't include those values. +the class. Therefore, all setters of this class should be considered as untrusted input even if the form doesn't include those values. An attacker can simply provide additional values in the request, and they will be set in the object anyway, as long as that object has such a setter. The use of these parameters should be reviewed to make sure they are used safely.</p> security @@ -1641,6 +1643,7 @@ createQuery("select * from User where id = '"+Encoder.encodeForSQL(inputId)+"'") <a href="http://capec.mitre.org/data/definitions/66.html">CAPEC-66: SQL Injection</a><br/> <a href="http://cwe.mitre.org/data/definitions/89.html">CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')</a><br/> <a href="https://www.owasp.org/index.php/Top_10_2013-A1-Injection">OWASP: Top 10 2013-A1-Injection</a><br/> +<a href="https://www.owasp.org/index.php/Top_10-2017_A1-Injection">OWASP: Top 10 2017-A1-Injection</a><br/> <a href="https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet">OWASP: SQL Injection Prevention Cheat Sheet</a><br/> <a href="https://www.owasp.org/index.php/Query_Parameterization_Cheat_Sheet">OWASP: Query Parameterization Cheat Sheet</a><br/> </p> 
@@ -1697,6 +1700,7 @@ BasePeer.executeQuery("select * from Customer where id = '"+Encoder.encodeForSQL <a href="http://capec.mitre.org/data/definitions/66.html">CAPEC-66: SQL Injection</a><br/> <a href="http://cwe.mitre.org/data/definitions/89.html">CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')</a><br/> <a href="https://www.owasp.org/index.php/Top_10_2013-A1-Injection">OWASP: Top 10 2013-A1-Injection</a><br/> +<a href="https://www.owasp.org/index.php/Top_10-2017_A1-Injection">OWASP: Top 10 2017-A1-Injection</a><br/> <a href="https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet">OWASP: SQL Injection Prevention Cheat Sheet</a><br/> <a href="https://www.owasp.org/index.php/Query_Parameterization_Cheat_Sheet">OWASP: Query Parameterization Cheat Sheet</a><br/> </p> @@ -1749,6 +1753,7 @@ q.execute();</pre> <a href="http://capec.mitre.org/data/definitions/66.html">CAPEC-66: SQL Injection</a><br/> <a href="http://cwe.mitre.org/data/definitions/89.html">CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')</a><br/> <a href="https://www.owasp.org/index.php/Top_10_2013-A1-Injection">OWASP: Top 10 2013-A1-Injection</a><br/> +<a href="https://www.owasp.org/index.php/Top_10-2017_A1-Injection">OWASP: Top 10 2017-A1-Injection</a><br/> <a href="https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet">OWASP: SQL Injection Prevention Cheat Sheet</a><br/> <a href="https://www.owasp.org/index.php/Query_Parameterization_Cheat_Sheet">OWASP: Query Parameterization Cheat Sheet</a><br/> </p> 
@@ -1791,6 +1796,7 @@ q.execute(input);</pre> <a href="http://capec.mitre.org/data/definitions/66.html">CAPEC-66: SQL Injection</a><br/> <a href="http://cwe.mitre.org/data/definitions/89.html">CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')</a><br/> <a href="https://www.owasp.org/index.php/Top_10_2013-A1-Injection">OWASP: Top 10 2013-A1-Injection</a><br/> +<a href="https://www.owasp.org/index.php/Top_10-2017_A1-Injection">OWASP: Top 10 2017-A1-Injection</a><br/> <a href="https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet">OWASP: SQL Injection Prevention Cheat Sheet</a><br/> <a href="https://www.owasp.org/index.php/Query_Parameterization_Cheat_Sheet">OWASP: Query Parameterization Cheat Sheet</a><br/> </p> @@ -1836,6 +1842,7 @@ UserEntity res = q.getSingleResult();</pre> <a href="http://capec.mitre.org/data/definitions/66.html">CAPEC-66: SQL Injection</a><br/> <a href="http://cwe.mitre.org/data/definitions/89.html">CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')</a><br/> <a href="https://www.owasp.org/index.php/Top_10_2013-A1-Injection">OWASP: Top 10 2013-A1-Injection</a><br/> +<a href="https://www.owasp.org/index.php/Top_10-2017_A1-Injection">OWASP: Top 10 2017-A1-Injection</a><br/> <a href="https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet">OWASP: SQL Injection Prevention Cheat Sheet</a><br/> <a href="https://www.owasp.org/index.php/Query_Parameterization_Cheat_Sheet">OWASP: Query Parameterization Cheat Sheet</a><br/> </p> 
@@ -1873,6 +1880,7 @@ int count = jdbc.queryForObject("select count(*) from Users where name = ?", Int <a href="http://capec.mitre.org/data/definitions/66.html">CAPEC-66: SQL Injection</a><br/> <a href="http://cwe.mitre.org/data/definitions/89.html">CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')</a><br/> <a href="https://www.owasp.org/index.php/Top_10_2013-A1-Injection">OWASP: Top 10 2013-A1-Injection</a><br/> +<a href="https://www.owasp.org/index.php/Top_10-2017_A1-Injection">OWASP: Top 10 2017-A1-Injection</a><br/> <a href="https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet">OWASP: SQL Injection Prevention Cheat Sheet</a><br/> <a href="https://www.owasp.org/index.php/Query_Parameterization_Cheat_Sheet">OWASP: Query Parameterization Cheat Sheet</a><br/> </p> @@ -1912,6 +1920,7 @@ updateSales.setString(2, coffeeName);</pre> <a href="http://capec.mitre.org/data/definitions/66.html">CAPEC-66: SQL Injection</a><br/> <a href="http://cwe.mitre.org/data/definitions/89.html">CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')</a><br/> <a href="https://www.owasp.org/index.php/Top_10_2013-A1-Injection">OWASP: Top 10 2013-A1-Injection</a><br/> +<a href="https://www.owasp.org/index.php/Top_10-2017_A1-Injection">OWASP: Top 10 2017-A1-Injection</a><br/> <a href="https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet">OWASP: SQL Injection Prevention Cheat Sheet</a><br/> <a href="https://www.owasp.org/index.php/Query_Parameterization_Cheat_Sheet">OWASP: Query Parameterization Cheat Sheet</a><br/> </p> 
@@ -1952,6 +1961,7 @@ Cursor cursor = this.getReadableDatabase().rawQuery(query,new String[] {userInpu <a href="http://capec.mitre.org/data/definitions/66.html">CAPEC-66: SQL Injection</a><br/> <a href="http://cwe.mitre.org/data/definitions/89.html">CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')</a><br/> <a href="https://www.owasp.org/index.php/Top_10_2013-A1-Injection">OWASP: Top 10 2013-A1-Injection</a><br/> +<a href="https://www.owasp.org/index.php/Top_10-2017_A1-Injection">OWASP: Top 10 2017-A1-Injection</a><br/> <a href="https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet">OWASP: SQL Injection Prevention Cheat Sheet</a><br/> <a href="https://www.owasp.org/index.php/Query_Parameterization_Cheat_Sheet">OWASP: Query Parameterization Cheat Sheet</a><br/> </p> @@ -1979,6 +1989,7 @@ Therefore, the primary defense against LDAP injection is strong input validation <b>References</b><br/> <a href="http://projects.webappsec.org/w/page/13246947/LDAP%20Injection">WASC-29: LDAP Injection</a><br/> <a href="https://www.owasp.org/index.php/Top_10_2013-A1-Injection">OWASP: Top 10 2013-A1-Injection</a><br/> +<a href="https://www.owasp.org/index.php/Top_10-2017_A1-Injection">OWASP: Top 10 2017-A1-Injection</a><br/> <a href="http://cwe.mitre.org/data/definitions/90.html">CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')</a><br/> <a href="http://www.veracode.com/security/ldap-injection">LDAP Injection Guide: Learn How to Detect LDAP Injections and Improve LDAP Security</a> </p> 
@@ -2287,7 +2298,7 @@ The project <a href="https://github.com/javabeanz/owasp-security-logging"> EXTERNAL_CONFIG_CONTROL <p> Allowing external control of system settings can disrupt service or cause an application - to behave in unexpected, and potentially malicious ways. + to behave in unexpected, and potentially malicious ways. An attacker could cause an error by providing a nonexistent catalog name or connect to an unauthorized portion of the database. </p> @@ -2322,7 +2333,7 @@ for(byte b :resultBytes) { return stringBuilder.toString();</pre> </p> <p> -This mistake weakens the hash value computed since it introduces more collisions. +This mistake weakens the hash value computed since it introduces more collisions. For example, the hash values "0x0679" and "0x6709" would both output as "679" for the above function. </p> @@ -2350,7 +2361,7 @@ In this situation, the method <code>Integer.toHexString()</code> sho <a href="http://docs.hazelcast.org/docs/3.5/manual/html/encryption.html">Hazelcast Documentation: Encryption</a><br/> <a href="http://cwe.mitre.org/data/definitions/326.html">CWE-326: Inadequate Encryption Strength</a> </p> - owasp-a6 + owasp-a3 cryptography wasc cwe @@ -2360,7 +2371,7 @@ In this situation, the method <code>Integer.toHexString()</code> sho Security - NullCipher is insecure NULL_CIPHER <p> -The NullCipher is rarely used intentionally in production applications. It implements the Cipher interface by returning ciphertext +The NullCipher is rarely used intentionally in production applications. It implements the Cipher interface by returning ciphertext identical to the supplied plaintext. In a few contexts, such as testing, a NullCipher may be appropriate. </p> <p> @@ -2379,7 +2390,7 @@ byte[] cipherText = c.doFinal(plainText);</pre> <b>Reference</b><br/> <a href="http://cwe.mitre.org/data/definitions/327.html">CWE-327: Use of a Broken or Risky Cryptographic Algorithm</a> </p> - owasp-a6 + owasp-a3 cryptography cwe security 
@@ -2409,11 +2420,12 @@ to do this correctly. <b>References</b><br/> <a href="https://www.owasp.org/index.php/Top_10_2010-A9">OWASP: Top 10 2010-A9-Insufficient Transport Layer Protection</a><br/> <a href="https://www.owasp.org/index.php/Top_10_2013-A6-Sensitive_Data_Exposure">OWASP: Top 10 2013-A6-Sensitive Data Exposure</a><br/> +<a href="https://www.owasp.org/index.php/Top_10-2017_A3-Sensitive_Data_Exposure">OWASP: Top 10 2017-A3-Sensitive Data Exposure</a><br/> <a href="https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet">OWASP: Transport Layer Protection Cheat Sheet</a><br/> <a href="http://projects.webappsec.org/w/page/13246945/Insufficient%20Transport%20Layer%20Protection">WASC-04: Insufficient Transport Layer Protection</a><br/> <a href="http://cwe.mitre.org/data/definitions/319.html">CWE-319: Cleartext Transmission of Sensitive Information</a> </p> - owasp-a6 + owasp-a3 cryptography wasc cwe @@ -2444,11 +2456,12 @@ to do this correctly. <b>References</b><br/> <a href="https://www.owasp.org/index.php/Top_10_2010-A9">OWASP: Top 10 2010-A9-Insufficient Transport Layer Protection</a><br/> <a href="https://www.owasp.org/index.php/Top_10_2013-A6-Sensitive_Data_Exposure">OWASP: Top 10 2013-A6-Sensitive Data Exposure</a><br/> +<a href="https://www.owasp.org/index.php/Top_10-2017_A3-Sensitive_Data_Exposure">OWASP: Top 10 2017-A3-Sensitive Data Exposure</a><br/> <a href="https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet">OWASP: Transport Layer Protection Cheat Sheet</a><br/> <a href="http://projects.webappsec.org/w/page/13246945/Insufficient%20Transport%20Layer%20Protection">WASC-04: Insufficient Transport Layer Protection</a><br/> <a href="http://cwe.mitre.org/data/definitions/319.html">CWE-319: Cleartext Transmission of Sensitive Information</a> </p> - owasp-a6 + owasp-a3 cryptography wasc cwe 
@@ -2479,7 +2492,7 @@ byte[] cipherText = c.doFinal(plainText);</pre> <a href="http://www.nist.gov/itl/fips/060205_des.cfm">NIST Withdraws Outdated Data Encryption Standard</a><br/> <a href="http://cwe.mitre.org/data/definitions/326.html">CWE-326: Inadequate Encryption Strength</a> </p> - owasp-a6 + owasp-a3 cryptography cwe security @@ -2509,7 +2522,7 @@ byte[] cipherText = c.doFinal(plainText);</pre> <a href="http://www.nist.gov/itl/fips/060205_des.cfm">NIST Withdraws Outdated Data Encryption Standard</a><br/> <a href="http://cwe.mitre.org/data/definitions/326.html">CWE-326: Inadequate Encryption Strength</a> </p> - owasp-a6 + owasp-a3 cryptography cwe security @@ -2535,7 +2548,7 @@ The code should be replaced with:<br/> <a href="http://cwe.mitre.org/data/definitions/780.html">CWE-780: Use of RSA Algorithm without OAEP</a><br/> <a href="http://rdist.root.org/2009/10/06/why-rsa-encryption-padding-is-critical/">Root Labs: Why RSA encryption padding is critical</a> </p> - owasp-a6 + owasp-a3 cryptography cwe security @@ -2561,7 +2574,7 @@ props.put(Context.SECURITY_CREDENTIALS, "p@ssw0rd");</pre> <b>References</b><br/> <a href="http://cwe.mitre.org/data/definitions/259.html">CWE-259: Use of Hard-coded Password</a> </p> - owasp-a6 + owasp-a3 cryptography cwe security @@ -2581,7 +2594,7 @@ certainly shared in open source. To be managed safely, passwords and secret keys SecretKeySpec spec = new SecretKeySpec(key, "AES"); Cipher aes = Cipher.getInstance("AES"); aes.init(Cipher.ENCRYPT_MODE, spec); -return aesCipher.doFinal(secretData);</pre> +return aesCipher.doFinal(secretData);</pre> </p> <br/> <p> @@ -2623,7 +2636,7 @@ if(MessageDigest.isEqual(userInput.getBytes(),actualHash.getBytes())) { <b>References</b><br/> <a href="https://cwe.mitre.org/data/definitions/203.html">CWE-203: Information Exposure Through DiscrepancyKey</a><br/> </p> - owasp-a6 + owasp-a3 cryptography cwe security 
@@ -2693,9 +2706,10 @@ the XSS protection rules defined in the OWASP XSS Prevention Cheat Sheet. <a href="http://projects.webappsec.org/w/page/13246920/Cross%20Site%20Scripting">WASC-8: Cross Site Scripting</a><br/> <a href="https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet">OWASP: XSS Prevention Cheat Sheet</a><br/> <a href="https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_%28XSS%29">OWASP: Top 10 2013-A3: Cross-Site Scripting (XSS)</a><br/> +<a href="https://www.owasp.org/index.php/Top_10-2017_A7-Cross-Site_Scripting_%28XSS%29">OWASP: Top 10 2017-A7: Cross-Site Scripting (XSS)</a><br/> <a href="http://cwe.mitre.org/data/definitions/79.html">CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')</a> </p> - owasp-a3 + owasp-a7 wasc cwe security @@ -2726,7 +2740,7 @@ keyGen.init(128);</pre> <a href="http://en.wikipedia.org/wiki/Blowfish_(cipher)">Blowfish (cipher)</a><br/> <a href="http://cwe.mitre.org/data/definitions/326.html">CWE-326: Inadequate Encryption Strength</a> </p> - owasp-a6 + owasp-a3 cryptography cwe security @@ -2767,7 +2781,7 @@ keyGen.initialize(2048); <a href="http://cwe.mitre.org/data/definitions/326.html">CWE-326: Inadequate Encryption Strength</a><br/> <a href="http://www.keylength.com/en/compare/">Keylength.com (BlueKrypt): Aggregate key length recommendations.</a> </p> - owasp-a6 + owasp-a3 cryptography cwe security 
@@ -2975,7 +2989,7 @@ A potential XSS was found. It could be used to execute unwanted JavaScript in a }</pre> </p> <p> -The best defense against XSS is context sensitive output encoding like the example above. There are typically 4 contexts to consider: +The best defense against XSS is context sensitive output encoding like the example above. There are typically 4 contexts to consider: HTML, JavaScript, CSS (styles), and URLs. Please follow the XSS protection rules defined in the OWASP XSS Prevention Cheat Sheet, which explains these defenses in significant detail. </p> @@ -2988,10 +3002,11 @@ which explains these defenses in significant detail. <a href="http://projects.webappsec.org/w/page/13246920/Cross%20Site%20Scripting">WASC-8: Cross Site Scripting</a><br/> <a href="https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet">OWASP: XSS Prevention Cheat Sheet</a><br/> <a href="https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_%28XSS%29">OWASP: Top 10 2013-A3: Cross-Site Scripting (XSS)</a><br/> +<a href="https://www.owasp.org/index.php/Top_10-2017_A7-Cross-Site_Scripting_%28XSS%29">OWASP: Top 10 2017-A7: Cross-Site Scripting (XSS)</a><br/> <a href="http://cwe.mitre.org/data/definitions/79.html">CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')</a><br/> <a href="https://code.google.com/p/owasp-java-encoder/">OWASP Java Encoder</a><br/> </p> - owasp-a3 + owasp-a7 wasc cwe security @@ -3079,7 +3094,7 @@ public void encrypt(String message) throws Exception { <a href="http://cwe.mitre.org/data/definitions/329.html">CWE-329: Not Using a Random IV with CBC Mode</a><br/> <a href="https://defuse.ca/cbcmodeiv.htm">Encryption - CBC Mode IV: Secret or Not?</a> </p> - owasp-a6 + owasp-a3 cryptography cwe security 
@@ -3114,7 +3129,7 @@ byte[] cipherText = c.doFinal(plainText);</pre> <a href="http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation#Electronic_codebook_.28ECB.29">Wikipedia: Block cipher modes of operation</a><br/> <a href="http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf">NIST: Recommendation for Block Cipher Modes of Operation</a> </p> - owasp-a6 + owasp-a3 cryptography security @@ -3147,7 +3162,7 @@ byte[] cipherText = c.doFinal(plainText);</pre> <a href="http://capec.mitre.org/data/definitions/463.html">CAPEC: Padding Oracle Crypto Attack</a><br/> <a href="http://cwe.mitre.org/data/definitions/696.html">CWE-696: Incorrect Behavior Order</a> </p> - owasp-a6 + owasp-a3 cryptography cwe security @@ -3156,7 +3171,7 @@ byte[] cipherText = c.doFinal(plainText);</pre> Security - Cipher with no integrity CIPHER_INTEGRITY <p> - The ciphertext produced is susceptible to alteration by an adversary. This mean that the cipher provides no way to detect that the + The ciphertext produced is susceptible to alteration by an adversary. This mean that the cipher provides no way to detect that the data has been tampered with. If the ciphertext can be controlled by an attacker, it could be altered without detection. </p> <p> @@ -3201,7 +3216,7 @@ In the example solution above, the GCM mode introduces an HMAC into the resultin <a href="http://www.thoughtcrime.org/blog/the-cryptographic-doom-principle/">Moxie Marlinspike's blog: The Cryptographic Doom Principle</a><br/> <a href="http://cwe.mitre.org/data/definitions/353.html">CWE-353: Missing Support for Integrity Check</a> </p> - owasp-a6 + owasp-a3 cryptography cwe security 
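Review bot: The ECB rule's tag list at the end of the first hunk is `owasp-a3 cryptography security` with no `cwe` tag, whereas the padding-oracle (CWE-696) and cipher-integrity (CWE-353) rules on the same line carry `cwe`. The start of the ECB reference list lies outside the hunk, so if it already cites a CWE just add the `cwe` tag; if not, CWE-327 (Use of a Broken or Risky Cryptographic Algorithm) is the usual reference for ECB mode and would keep the three crypto rules consistent. The cipher-integrity description also reads `This mean that` in a context line; worth fixing to `This means that` next time that text is touched.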
@@ -3512,9 +3527,10 @@ function updateDescription(newDescription) { <a href="http://projects.webappsec.org/w/page/13246920/Cross%20Site%20Scripting">WASC-8: Cross Site Scripting</a><br/> <a href="https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet">OWASP: XSS Prevention Cheat Sheet</a><br/> <a href="https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_%28XSS%29">OWASP: Top 10 2013-A3: Cross-Site Scripting (XSS)</a><br/> + <a href="https://www.owasp.org/index.php/Top_10-2017_A7-Cross-Site_Scripting_%28XSS%29">OWASP: Top 10 2017-A7: Cross-Site Scripting (XSS)</a><br/> <a href="http://cwe.mitre.org/data/definitions/79.html">CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')</a> </p> - owasp-a3 + owasp-a7 wasc cwe android 
@@ -3869,9 +3885,9 @@ Path traversal <sup>[3][4]</sup> are not possible. <p> <b>References</b><br/> [1] <a href="https://en.wikipedia.org/wiki/XSLT">Wikipedia: XSLT (Extensible Stylesheet Language Transformations)</a><br/> -<a href="https://prezi.com/y_fuybfudgnd/offensive-xslt/">Offensive XSLT</a> by Nicolas Grégoire<br/> -[2] <a href="http://www.agarri.fr/kom/archives/2012/07/02/from_xslt_code_execution_to_meterpreter_shells/index.html">From XSLT code execution to Meterpreter shells</a> by Nicolas Grégoire<br/> -<a href="http://xhe.myxwiki.org/xwiki/bin/view/Main/">XSLT Hacking Encyclopedia</a> by Nicolas Grégoire<br/> +<a href="https://prezi.com/y_fuybfudgnd/offensive-xslt/">Offensive XSLT</a> by Nicolas Grégoire<br/> +[2] <a href="http://www.agarri.fr/kom/archives/2012/07/02/from_xslt_code_execution_to_meterpreter_shells/index.html">From XSLT code execution to Meterpreter shells</a> by Nicolas Grégoire<br/> +<a href="http://xhe.myxwiki.org/xwiki/bin/view/Main/">XSLT Hacking Encyclopedia</a> by Nicolas Grégoire<br/> <a href="http://www.acunetix.com/blog/articles/the-hidden-dangers-of-xsltprocessor-remote-xsl-injection/">Acunetix.com : The hidden dangers of XSLTProcessor - Remote XSL injection</a><br/> <a href="https://www.w3.org/TR/xslt">w3.org XSL Transformations (XSLT) Version 1.0</a> : w3c specification<br/> [3] <a href="http://projects.webappsec.org/w/page/13246952/Path%20Traversal">WASC: Path Traversal</a><br/> @@ -3879,7 +3895,7 @@ Path traversal <sup>[3][4]</sup> are not possible. </p> owasp-a1 injection - owasp-a4 + owasp-a5 wasc security @@ -4129,8 +4145,8 @@ URL rewriting has significant security risks. Since session ID appears in the UR </p> <p> <b>Vulnerable Code:</b><br/> -<pre>out.println("Click &lt;a href=" + - res.encodeURL(HttpUtils.getRequestURL(req).toString()) + +<pre>out.println("Click &lt;a href=" + + res.encodeURL(HttpUtils.getRequestURL(req).toString()) + "&gt;here&lt;/a&gt;");</pre> </p> <p> 
@@ -4143,6 +4159,7 @@ Avoid using those methods. If you are looking to encode a URL String or form par <a href="https://www.owasp.org/index.php/Top_10_2010-A3-Broken_Authentication_and_Session_Management">OWASP Top 10 2010-A3-Broken Authentication and Session Management</a><br/> </p> security + owasp-a3 Security - Insecure SMTP SSL connection @@ -4177,7 +4194,7 @@ Please add the following check to verify the server certificate: <b>References</b><br/> <a href="https://cwe.mitre.org/data/definitions/297.html">CWE-297: Improper Validation of Certificate with Host Mismatch</a><br/> </p> - owasp-a6 + owasp-a3 cryptography cwe security @@ -4257,9 +4274,9 @@ An attacker may be able to forge a request parameter to match sensitive file loc </p> <p> <b>Vulnerable Code:</b><br/> -<pre>... -String returnURL = request.getParameter("returnURL"); -Return new ActionForward(returnURL); +<pre>... +String returnURL = request.getParameter("returnURL"); +Return new ActionForward(returnURL); ...</pre> </p> <p> @@ -4283,9 +4300,9 @@ An attacker may be able to forge a request parameter to match sensitive file loc </p> <p> <b>Vulnerable Code:</b><br/> -<pre>... +<pre>... String returnURL = request.getParameter("returnURL"); -return new ModelAndView(returnURL); +return new ModelAndView(returnURL); ...</pre> </p> <p> @@ -4485,4 +4502,4 @@ add(new Label("someLabel").setEscapeModelStrings(false)); cwe security - \ No newline at end of file + diff --git a/src/main/resources/org/sonar/plugins/findbugs/rules-jsp.xml b/src/main/resources/org/sonar/plugins/findbugs/rules-jsp.xml index c0a2bc12..36654b61 100644 --- a/src/main/resources/org/sonar/plugins/findbugs/rules-jsp.xml +++ b/src/main/resources/org/sonar/plugins/findbugs/rules-jsp.xml 
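Review bot: The `owasp-a3` tag added to the URL-rewriting rule in the first hunk does not follow the 2017 numbering the rest of the commit adopts: the rule's own reference is `OWASP Top 10 2010-A3-Broken Authentication and Session Management`, and in the 2017 edition that category is A2 (Broken Authentication), while `owasp-a3` is used on this same line for Sensitive Data Exposure (the SMTP certificate hunk). Session IDs exposed through URL rewriting belong under `owasp-a2`; as written the rule will show up in data-exposure/crypto filters and be absent from authentication ones. Separately, the rewritten vulnerable-code samples still read `Return new ActionForward(returnURL);` with a capital R on the new side, which is not valid Java — `return new ActionForward(returnURL);`.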
@@ -82,10 +82,11 @@ attacker gets the ability to execute any code. <a href="http://projects.webappsec.org/w/page/13246920/Cross%20Site%20Scripting">WASC-8: Cross Site Scripting</a><br/> <a href="https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet">OWASP: XSS Prevention Cheat Sheet</a><br/> <a href="https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_%28XSS%29">OWASP: Top 10 2013-A3: Cross-Site Scripting (XSS)</a><br/> +<a href="https://www.owasp.org/index.php/Top_10-2017_A7-Cross-Site_Scripting_%28XSS%29">OWASP: Top 10 2017-A7: Cross-Site Scripting (XSS)</a><br/> <a href="http://cwe.mitre.org/data/definitions/79.html">CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')</a><br/> <a href="http://docs.oracle.com/javaee/5/jstl/1.1/docs/tlddocs/c/out.html">JSTL Javadoc: Out tag</a><br/> </p> - owasp-a3 + owasp-a7 wasc cwe jsp @@ -115,7 +116,7 @@ String taintedInput = (String) request.getAttribute("input"); </pre> </p> <p> -The best defense against XSS is context sensitive output encoding like the example above. There are typically 4 contexts to consider: +The best defense against XSS is context sensitive output encoding like the example above. There are typically 4 contexts to consider: HTML, JavaScript, CSS (styles), and URLs. Please follow the XSS protection rules defined in the OWASP XSS Prevention Cheat Sheet, which explains these defenses in significant detail. </p> 
@@ -125,10 +126,11 @@ which explains these defenses in significant detail. <a href="http://projects.webappsec.org/w/page/13246920/Cross%20Site%20Scripting">WASC-8: Cross Site Scripting</a><br/> <a href="https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet">OWASP: XSS Prevention Cheat Sheet</a><br/> <a href="https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_%28XSS%29">OWASP: Top 10 2013-A3: Cross-Site Scripting (XSS)</a><br/> +<a href="https://www.owasp.org/index.php/Top_10-2017_A7-Cross-Site_Scripting_%28XSS%29">OWASP: Top 10 2017-A7: Cross-Site Scripting (XSS)</a><br/> <a href="http://cwe.mitre.org/data/definitions/79.html">CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')</a><br/> <a href="https://code.google.com/p/owasp-java-encoder/">OWASP Java Encoder</a><br/> </p> - owasp-a3 + owasp-a7 wasc cwe jsp @@ -167,7 +169,7 @@ Path traversal <sup>[3][4]</sup> are not possible. </p> owasp-a1 injection - owasp-a4 + owasp-a5 wasc jsp security @@ -183,8 +185,8 @@ If SpotBugs found <em>any</em>, you <em>almost certainly</e vulnerabilities that SpotBugs doesn't report. If you are concerned about cross site scripting, you should seriously consider using a commercial static analysis or pen-testing tool. </p> - owasp-a3 + owasp-a7 jsp security - \ No newline at end of file +