Application security vulnerabilities fall into different classifications. The following explains how CAST software intelligence helps identify application security vulnerabilities, as applications are being developed, across these classes. All categories, rules and descriptions are referenced from CWE/SANS and the CWE/SANS Top 25 Most Dangerous Software Errors.
CWE Application Security Vulnerability: Insecure Interaction Between Components
These weaknesses are related to insecure ways in which data is sent and received between separate components, modules, programs, processes, threads, or systems.
| Rank | CWE ID | Name | Recommendation | How CAST Covers the Application Security Vulnerability |
|---|---|---|---|---|
| 1 | CWE-89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | Checking for SQL injection | Pre-built rule in AIP: 2663 - Avoid SQL injection vulnerabilities |
| 2 | CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | Checking for OS command injection | Pre-built rule in AIP: 2661 - Avoid OS command injection vulnerabilities |
| 4 | CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | Checking for cross-site scripting | Pre-built rule in AIP: 2284 - Avoid cross-site scripting vulnerabilities |
| 9 | CWE-434 | Unrestricted Upload of File with Dangerous Type | Input validation | In CAST AIP 8.0 this rule is triggered via path manipulation. Extend the following existing rules: 2437 - Avoid non-standard file extensions; 2659 - Avoid file path manipulation vulnerabilities; 2660 - Avoid XPath injection vulnerabilities |
| 12 | CWE-352 | Cross-Site Request Forgery (CSRF) | Ensure that the application is free of cross-site scripting issues (CWE-79), because most CSRF defences can be bypassed using attacker-controlled script. | Pre-built rule in AIP: 2284 - Avoid cross-site scripting vulnerabilities |
| 22 | CWE-601 | URL Redirection to Untrusted Site ('Open Redirect') | Checking for cross-site scripting | Pre-built rule in AIP: 2284 - Avoid cross-site scripting vulnerabilities |
CWE Application Security Vulnerability: Risky Resource Management
CWE application security vulnerabilities in this category are related to ways in which software does not properly manage the creation, usage, transfer, or destruction of important system resources.
| Rank | CWE ID | Name | Recommendation | How CAST Covers the Application Security Vulnerability |
|---|---|---|---|---|
| 3 | CWE-120 | Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') | Perform input validation on any numeric input by ensuring that it is within the expected range. Enforce that the input meets both the minimum and maximum requirements for the expected range. | Handled through a combination of existing quality rules around memory handling: 2282 - Avoid using getopt() function; 2327 - Never use sprintf() function or vsprintf() function; Never perform C cast between incompatible class pointers; 2413 - Avoid using static_cast on class/struct pointers |
| 13 | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | Checking for file path manipulation | Pre-built rule in AIP: 2659 - Avoid file path manipulation vulnerabilities |
| 14 | CWE-494 | Download of Code Without Integrity Check | Check the integrity of downloaded code | Managed using the input validation approach: 2437 - Avoid non-standard file extensions; 2659 - Avoid file path manipulation vulnerabilities; 2660 - Avoid XPath injection vulnerabilities |
| 16 | CWE-829 | Inclusion of Functionality from Untrusted Control Sphere | When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs. | Handled by checking every internet library for vulnerabilities and maintaining a whitelist. Normally the HTML code can be checked and the URL parsed to verify the domain. Extend the existing rule 2660 - Avoid XPath injection vulnerabilities |
| 18 | CWE-676 | Use of Potentially Dangerous Function | Checking for programming best practices | Pre-built rules in AIP: 2279 - Avoid using snprintf() function; 2280 - Avoid using realpath() function; 2325 - Avoid using the scanf() function |
| 20 | CWE-131 | Incorrect Calculation of Buffer Size | Perform input validation on any numeric input by ensuring that it is within the expected range. Enforce that the input meets both the minimum and maximum requirements for the expected range. | Handled through a combination of existing quality rules: 2327 - Never use sprintf() function or vsprintf() function; Never perform C cast between incompatible class pointers; 2413 - Avoid using static_cast on class/struct pointers |
| 23 | CWE-134 | Uncontrolled Format String | Checking for programming best practices | Pre-built CAST AIP rule. Extend the following existing rule: 8098 - Uncontrolled format string |
| 24 | CWE-190 | Integer Overflow or Wraparound | Perform a check on any numeric input by ensuring that it is within the expected range. Enforce that the input meets both the minimum and maximum requirements for the expected range. | These rules require using DF with arithmetic. Handled by extending the existing rule 2282 - Avoid using getopt() function |
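The CWE-120, CWE-131 and CWE-190 rows above all carry the same recommendation: validate numeric input against both ends of its expected range before it is used to size or fill a buffer. The following is an added example written for this page (it is not CAST code and not part of any AIP rule) that shows those checks as reusable helpers. The 32-bit width, the range limits and the sample inputs are assumptions made for the demonstration; because Python integers never overflow, the silent C-style wraparound is modelled by comparing the exact size against the width's maximum.

```python
import re

# Added example (not CAST's code): the range checks the CWE-120/131/190
# recommendations call for, as reusable helpers. The width (bits), the limits
# and the sample values are assumptions for this demonstration.

UINT32_MAX = 2**32 - 1


class InputRangeError(ValueError):
    """Raised when numeric input or a derived size falls outside its range."""


def parse_in_range(text, lo, hi):
    """Parse a decimal string and enforce both ends of the expected range.

    Rejecting input that is not a plain integer, or that violates either the
    minimum or the maximum, is the CWE-190 recommendation in the table.
    """
    cleaned = text.strip() if isinstance(text, str) else ""
    if not re.fullmatch(r"-?\d+", cleaned):
        raise InputRangeError(f"not an integer: {text!r}")
    value = int(cleaned)
    if not lo <= value <= hi:
        raise InputRangeError(f"{value} is outside [{lo}, {hi}]")
    return value


def checked_buffer_size(count, elem_size, header=0, bits=32):
    """Return header + count * elem_size, or raise if it would not fit in an
    unsigned integer of `bits` width (CWE-131 / CWE-190).

    The exact product is compared against the width's maximum before it is
    ever used, which is exactly the check a wrapping size computation lacks.
    """
    limit = 2**bits - 1
    for name, value in (("count", count), ("elem_size", elem_size), ("header", header)):
        if not isinstance(value, int) or not 0 <= value <= limit:
            raise InputRangeError(f"{name} out of range: {value!r}")
    exact = header + count * elem_size
    if exact > limit:
        wrapped = exact & limit  # what unsigned C arithmetic would silently yield
        raise InputRangeError(
            f"size {exact} exceeds {bits}-bit limit (would wrap to {wrapped})"
        )
    return exact


def bounded_copy(dest_capacity, src):
    """Copy src into a destination of dest_capacity bytes, NUL-terminated,
    only if it fits (the check a classic CWE-120 overflow is missing)."""
    needed = len(src) + 1  # room for the terminator
    if needed > dest_capacity:
        raise InputRangeError(f"{needed} bytes do not fit in {dest_capacity}")
    return bytes(src) + b"\x00"


def rejects(func, *args, **kwargs):
    """True if the call is refused with InputRangeError (used by the demo)."""
    try:
        func(*args, **kwargs)
    except InputRangeError:
        return True
    return False


if __name__ == "__main__":
    # Constructed input: 0x40000001 elements of 4 bytes is 2**32 + 4 bytes,
    # which 32-bit unsigned arithmetic would wrap to a 4-byte allocation.
    print(rejects(checked_buffer_size, 0x40000001, 4))   # True
    print(checked_buffer_size(10, 4, header=8))           # 48
    print(parse_in_range("42", 0, 100))                   # 42
    print(rejects(parse_in_range, "-1", 0, 100))          # True
    print(bounded_copy(8, b"abcdefg"))                    # b'abcdefg\x00'
    print(rejects(bounded_copy, 8, b"abcdefgh"))          # True
```

The point of `checked_buffer_size` is that the size is validated as a whole, not just its inputs: each operand can be individually in range while their product wraps, which is the CWE-131 case the table's recommendation is meant to catch.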
CWE Application Security Vulnerability: Porous Defences
CWE Application Security Vulnerabilities in this category are related to defensive techniques that are often misused, abused, or just plain ignored.
| Rank | CWE ID | Name | Recommendation | How CAST Covers the Application Security Vulnerability |
|---|---|---|---|---|
| 5 | CWE-306 | Missing Authentication for Critical Function | Avoid implementing custom authentication routines and consider using the authentication capabilities provided by the surrounding framework, operating system, or environment. | Achieved using DF and User Input Security and extending existing rules: 2284 - Avoid cross-site scripting vulnerabilities; 2662 - Avoid LDAP injection vulnerabilities |
| 6 | CWE-862 | Missing Authorization | Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page. | Achieved using DF and User Input Security and extending existing rules: 2284 - Avoid cross-site scripting vulnerabilities; 2662 - Avoid LDAP injection vulnerabilities |
| 8 | CWE-311 | Missing Encryption of Sensitive Data | Periodically ensure that you aren't using obsolete cryptography. Avoid old encryption techniques using MD4, MD5, SHA1, DES, and other algorithms that were once regarded as strong. | Encryption checks can be handled using custom rules that check for the use of known encryption functions and/or libraries: 2284 - Avoid cross-site scripting vulnerabilities; 2662 - Avoid LDAP injection vulnerabilities |
| 10 | CWE-807 | Reliance on Untrusted Inputs in a Security Decision | Consider getcookies as unsafe | Pre-built rule in AIP: 2284 - Avoid cross-site scripting vulnerabilities |
| 11 | CWE-250 | Execution with Unnecessary Privileges | Check that privileges are appropriately implemented for the scenario/use case. Perform extensive input validation and canonicalization to minimize the chances of introducing a separate vulnerability. | This is more closely linked to dynamic analysis and is not directly handled by CAST AIP today. Existing rules can be extended to cover part of this requirement: 2284 - Avoid cross-site scripting vulnerabilities; 2662 - Avoid LDAP injection vulnerabilities |
| 15 | CWE-863 | Incorrect Authorization | Consider getcookies as unsafe | Pre-built rule in AIP: 2284 - Avoid cross-site scripting vulnerabilities |
| 17 | CWE-732 | Incorrect Permission Assignment for Critical Resource | Path manipulation | Pre-built rule in AIP: 2659 - Avoid file path manipulation vulnerabilities |
| 19 | CWE-327 | Use of a Broken or Risky Cryptographic Algorithm | Validating encryption algorithms | Addressed by creating a blacklist of functions considered risky or broken (maintained as a blacklist of well-known broken cryptographic algorithms) and applying custom architectural rules to check for the use of appropriate functions. |
| 21 | CWE-307 | Improper Restriction of Excessive Authentication Attempts | Check the login implementation | Handled by extending the following existing rules: 521 - Avoid direct access to database Procedures/Functions; 750 - User Interface elements must not use directly the database |
| 25 | CWE-759 | Use of a One-Way Hash without a Salt | Checking for programming best practices. As a best practice, always use initializers that include a salt for the hash: instead of calling Hashlib with just one parameter, pass additional parameters for the salt. | Addressed by blacklisting methods that do not contain the good initialization parameters. Extend the following existing rules: 2785 - Avoid using Hashtable; 1035 - Avoid classes overriding only equals() or only hashCode() |
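The CWE-759 row says to call hashlib with a salt rather than with the password alone, and the CWE-311 and CWE-327 rows ask for a blacklist of obsolete algorithms. The following added example, written for this page and not taken from CAST or its rules, shows what that looks like in Python's standard library: the one-parameter call the row warns about, beside a salted and iterated PBKDF2-HMAC-SHA256 hash whose salt and parameters are stored with the digest, and a name check against the algorithms the CWE-311 row lists (MD4, MD5, SHA1, DES). The stored-record format, the salt length and the iteration counts are assumptions made for the example.

```python
import hashlib
import hmac
import os

# Added example (not CAST's code): the salted-hash practice the CWE-759 row
# asks for, next to the unsalted call it warns about, plus a name check for
# the algorithms the CWE-311 row lists as obsolete. The record format, salt
# length and iteration counts are assumptions made for this example.

# Algorithms the table names as no longer strong (lower-case, no separators).
OBSOLETE_ALGORITHMS = {"md4", "md5", "sha1", "des"}


def is_obsolete_algorithm(name):
    """Blacklist check in the spirit of the CWE-327 row."""
    return name.lower().replace("-", "").replace("_", "") in OBSOLETE_ALGORITHMS


def unsalted_sha1(password):
    """The one-parameter hashlib call CWE-759 warns about: two users with the
    same password get the same digest, and precomputed tables apply."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password, salt=None, iterations=600_000):
    """Salted, iterated hash: PBKDF2-HMAC-SHA256 with a random 16-byte salt.

    The salt and iteration count are stored with the digest so that
    verify_password can recompute it; the salt is not a secret.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join(["pbkdf2_sha256", str(iterations), salt.hex(), digest.hex()])


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError(f"unsupported record: {algorithm}")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    # Constructed sample: two accounts that happen to share a password.
    # A lower iteration count is used here only to keep the demo quick.
    alice = hash_password("correct horse", iterations=10_000)
    bob = hash_password("correct horse", iterations=10_000)
    print(unsalted_sha1("correct horse") == unsalted_sha1("correct horse"))  # True: identical
    print(alice == bob)                                                      # False: per-user salt
    print(verify_password("correct horse", alice))                           # True
    print(verify_password("wrong", alice))                                   # False
    print(is_obsolete_algorithm("SHA-1"), is_obsolete_algorithm("sha256"))   # True False
```

`hmac.compare_digest` is used for the final comparison so that verification time does not depend on how many leading bytes of the digest match; the per-user random salt is what makes the two records for the same password differ.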
CWE Application Security Vulnerability: Other
CWE application security vulnerabilities in this category exist for reasons outside the other CWE categories.
| CWE ID | Name | Recommendation | How CAST Covers the Application Security Vulnerability |
|---|---|---|---|
| CWE-20 | Improper Input Validation | Checking for best programming practices | Pre-built rules in AIP: 2663 - Avoid SQL injection vulnerabilities; 2660 - Avoid XPath injection vulnerabilities; 2284 - Avoid cross-site scripting vulnerabilities |
| CWE-116 | Improper Encoding or Escaping of Output | Checking for best programming practices | Pre-built rules in AIP: 2663 - Avoid SQL injection vulnerabilities; 2661 - Avoid OS command injection vulnerabilities; 2284 - Avoid cross-site scripting vulnerabilities |
| CWE-90 | LDAP Injection | Checking for LDAP injection | Pre-built rule in AIP: 2662 - Avoid LDAP injection vulnerabilities |
| CWE-91 | XPath Injection | Checking for XPath injection | Pre-built rule in AIP: 2660 - Avoid XPath injection vulnerabilities |
| CWE-73 | External Control of File Name or Path | Checking for file path manipulation | Pre-built rule in AIP: 2659 - Avoid file path manipulation vulnerabilities |
| CWE-99 | Improper Control of Resource Identifiers ('Resource Injection') | Checking for best programming practices | Pre-built rule in AIP: 2659 - Avoid file path manipulation vulnerabilities |
| CWE-117 | Improper Output Neutralization for Logs | Checking for log forging | Pre-built rule in AIP: 2141 - Avoid log forging vulnerabilities |
| CWE-252 | The software does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions. | Checking the return value of the function will typically be sufficient; however, beware of race conditions (CWE-362) in a concurrent environment. | Supported from CAST AIP 8.0 onwards |
| CWE-681 | When converting from one data type to another, such as long to integer, data can be omitted or translated in a way that produces unexpected values. | Avoid making conversions between numeric types. Always check the allowed ranges. | Supported from CAST AIP 8.0 onwards |
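The CWE-117 row covers log forging: untrusted text written into a log can carry line breaks and so appear as additional, fabricated entries to anyone reading the log. The following added example, written for this page rather than taken from CAST's rule 2141, shows the output neutralization that the row's name refers to: a naive line builder beside one that escapes control characters, and a counter that shows how many entries a newline-splitting log consumer would see for each. The log line format and the sample username are constructed for the demonstration.

```python
import re

# Added example (not CAST's code): the output neutralization the CWE-117 row
# refers to. The line format and the sample input are constructed for this
# demonstration.

# Characters that let a field terminate one log entry and start another, or
# hide text from a terminal: CR, LF and the other C0 controls, plus DEL.
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def neutralize_log_field(value):
    """Escape control characters so a field can never span more than one line."""
    return _CONTROL.sub(lambda m: "\\x%02x" % ord(m.group()), str(value))


def log_login_unsafe(username, ok):
    """Naive line builder: the username is interpolated as-is."""
    return f"login user={username} result={'OK' if ok else 'FAIL'}"


def log_login(username, ok):
    """Neutralized line builder: one event is always exactly one line."""
    return f"login user={neutralize_log_field(username)} result={'OK' if ok else 'FAIL'}"


def entry_count(text):
    """How many entries a consumer that splits the log on newlines would see."""
    return len(text.splitlines())


if __name__ == "__main__":
    # Constructed input: a username carrying an embedded line break, which in
    # the naive builder reads as a second, successful entry for another account.
    forged = "mallory\nlogin user=admin result=OK"
    print(entry_count(log_login_unsafe(forged, False)))  # 2
    print(entry_count(log_login(forged, False)))         # 1
    print(log_login(forged, False))
```

Escaping rather than deleting the control characters keeps the evidence that a field contained them, which is useful when the log is later reviewed during an incident.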
CAST provides ongoing support for the OWASP Top Ten, giving users automated means to check that valid protection is in place and, wherever possible, helping development teams detect places where a vulnerability is left in the code. This guide describes CAST's current support and future roadmap for OWASP's application security vulnerabilities.