Application Security Vulnerability Detection

by Srinivas Kedarisetty

Application security vulnerabilities fall into different classifications. The following explains how CAST software intelligence helps identify application security vulnerabilities across these classes while applications are being developed. All categories, rules, and related descriptions are taken from CWE/SANS and the CWE/SANS Top 25 Most Dangerous Software Errors.

CWE Application Security Vulnerability: Insecure Interaction between Components

These weaknesses are related to insecure ways in which data is sent and received between separate components, modules, programs, processes, threads, or systems.

| Rank | CWE ID | Name | Recommendation | How CAST Covers the Application Security Vulnerability |
|---|---|---|---|---|
| 1 | CWE-89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | Checking for SQL injection | Pre-built rule in AIP: 2663 - Avoid SQL injection vulnerabilities |
| 2 | CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | Checking for OS command injection | Pre-built rule in AIP: 2661 - Avoid OS command injection vulnerabilities |
| 4 | CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | Checking for cross-site scripting | Pre-built rule in AIP: 2284 - Avoid cross-site scripting vulnerabilities |
| 9 | CWE-434 | Unrestricted Upload of File with Dangerous Type | Input validation | In CAST AIP 8.0, we trigger this rule via path manipulation. Extend the following existing rules: 2437 - Avoid non-standard file extensions; 2659 - Avoid file path manipulation vulnerabilities; 2660 - Avoid XPath injection vulnerabilities |
| 12 | CWE-352 | Cross-Site Request Forgery (CSRF) | Ensure that the application is free of cross-site scripting issues (CWE-79), because most CSRF defences can be bypassed using attacker-controlled script. | Pre-built rule in AIP: 2284 - Avoid cross-site scripting vulnerabilities |
| 22 | CWE-601 | URL Redirection to Untrusted Site ('Open Redirect') | Checking for cross-site scripting | Pre-built rule in AIP: 2284 - Avoid cross-site scripting vulnerabilities |


CWE Application Security Vulnerability: Risky Resource Management

CWE application security vulnerabilities in this category are related to ways in which software does not properly manage the creation, usage, transfer, or destruction of important system resources.

| Rank | CWE ID | Name | Recommendation | How CAST Covers the Application Security Vulnerability |
|---|---|---|---|---|
| 3 | CWE-120 | Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') | Perform input validation on any numeric input by ensuring that it is within the expected range. Enforce that the input meets both the minimum and maximum requirements for the expected range. | This rule is handled through a combination of existing quality rules around memory handling: 2282 - Avoid using getopt() function; 2327 - Never use sprintf() function or vsprintf() function; Never perform C cast between incompatible class pointers; 2413 - Avoid using static_cast on class/struct pointers |
| 13 | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | Checking for file path manipulation | Pre-built rule in AIP: 2659 - Avoid file path manipulation vulnerabilities |
| 14 | CWE-494 | Download of Code Without Integrity Check | Check downloaded code integrity | We manage this using an input validation approach: 2437 - Avoid non-standard file extensions; 2659 - Avoid file path manipulation vulnerabilities; 2660 - Avoid XPath injection vulnerabilities |
| 16 | CWE-829 | Inclusion of Functionality from Untrusted Control Sphere | When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs. | This is handled by checking every internet library for vulnerabilities and maintaining a whitelist. Normally we can check the HTML code and parse the URL to verify the domain. Extend the existing rule 2660 - Avoid XPath injection vulnerabilities |
| 18 | CWE-676 | Use of Potentially Dangerous Function | Checking for programming best practices | Pre-built rules in AIP: 2279 - Avoid using snprintf() function; 2280 - Avoid using realpath() function; 2325 - Avoid using the scanf() function |
| 20 | CWE-131 | Incorrect Calculation of Buffer Size | Perform input validation on any numeric input by ensuring that it is within the expected range. Enforce that the input meets both the minimum and maximum requirements for the expected range. | This is handled through a combination of existing quality rules: 2327 - Never use sprintf() function or vsprintf() function; Never perform C cast between incompatible class pointers; 2413 - Avoid using static_cast on class/struct pointers |
| 23 | CWE-134 | Uncontrolled Format String | Checking for programming best practices | Pre-built CAST AIP rule. Extend the following existing rule: 8098 - Uncontrolled format string |
| 24 | CWE-190 | Integer Overflow or Wraparound | Perform checks on any numeric input by ensuring that it is within the expected range. Enforce that the input meets both the minimum and maximum requirements for the expected range. | These rules require using DF with arithmetics. This will be handled by extending the existing rule 2282 - Avoid using getopt() function |


CWE Application Security Vulnerability: Porous Defences

CWE Application Security Vulnerabilities in this category are related to defensive techniques that are often misused, abused, or just plain ignored.

| Rank | CWE ID | Name | Recommendation | How CAST Covers the Application Security Vulnerability |
|---|---|---|---|---|
| 5 | CWE-306 | Missing Authentication for Critical Function | Avoid implementing custom authentication routines and consider using the authentication capabilities provided by the surrounding framework, operating system, or environment. | This requirement is achieved using DF and user input security and by extending existing rules: 2284 - Avoid cross-site scripting vulnerabilities; 2662 - Avoid LDAP injection vulnerabilities |
| 6 | CWE-862 | Missing Authorization | Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page. | This requirement is achieved using DF and user input security and by extending existing rules: 2284 - Avoid cross-site scripting vulnerabilities; 2662 - Avoid LDAP injection vulnerabilities |
| 8 | CWE-311 | Missing Encryption of Sensitive Data | Periodically ensure that you aren't using obsolete cryptography. Avoid old encryption techniques using MD4, MD5, SHA1, DES, and other algorithms that were once regarded as strong. | Checking of encryption can be handled using custom rules that check for the use of known encryption functions and/or libraries: 2284 - Avoid cross-site scripting vulnerabilities; 2662 - Avoid LDAP injection vulnerabilities |
| 10 | CWE-807 | Reliance on Untrusted Inputs in a Security Decision | Consider getcookies as unsafe | Pre-built rule in AIP: 2284 - Avoid cross-site scripting vulnerabilities |
| 11 | CWE-250 | Execution with Unnecessary Privileges | Check that privileges are appropriately implemented for the scenario/use case. Perform extensive input validation and canonicalization to minimize the chances of introducing a separate vulnerability. | This is more linked to dynamic analysis and is not directly handled by CAST AIP today. We can extend existing rules to cover part of this requirement: 2284 - Avoid cross-site scripting vulnerabilities; 2662 - Avoid LDAP injection vulnerabilities |
| 15 | CWE-863 | Incorrect Authorization | Consider getcookies as unsafe | Pre-built rule in AIP: 2284 - Avoid cross-site scripting vulnerabilities |
| 17 | CWE-732 | Incorrect Permission Assignment for Critical Resource | Path manipulation | Pre-built rule in AIP: 2659 - Avoid file path manipulation vulnerabilities |
| 19 | CWE-327 | Use of a Broken or Risky Cryptographic Algorithm | Validating encryption algorithms | This will be addressed by creating a blacklist of functions considered risky or broken (handled by maintaining a blacklist of well-known risky crypto algorithms) and applying custom architectural rules to check for the use of appropriate functions. |
| 21 | CWE-307 | Improper Restriction of Excessive Authentication Attempts | Check login implementation | This will be handled by extending the following existing rules: 521 - Avoid direct access to database Procedures/Functions; 750 - User Interface elements must not use directly the database |
| 25 | CWE-759 | Use of a One-Way Hash without a Salt | Checking for programming best practices. Best practice: always use initialisers that include a salt for the hash. Instead of calling hashlib with just one parameter, pass additional parameters for the salt. | This will be addressed by blacklisting methods that do not contain the good initialization parameters. Extend the following existing rules: 2785 - Avoid using Hashtable; 1035 - Avoid classes overriding only equals() or only hashCode() |
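The CWE-759 row above contrasts a one-argument hashlib call with a salted one. The following is an added illustration written for this page, not CAST's code or the logic of any CAST rule: the unsalted pattern beside a salted PBKDF2 form, with a check showing why the salt matters (two users sharing a password no longer get the same stored value). The iteration count is a constructed example value.

```python
import hashlib
import hmac
import os
from typing import Optional

# CWE-759 pattern: a bare one-argument hashlib call with no salt.
# Equal passwords always produce equal digests, so one precomputed
# table cracks every account that shares a password.
def unsalted_hash(password: str) -> str:
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

# Constructed example value; a real deployment picks its own work factor.
ITERATIONS = 200_000

# Salted form: a random per-user salt is passed as an extra parameter to
# the key-derivation call and stored next to the result so it can be
# reused at verification time.
def salted_hash(password: str, salt: Optional[bytes] = None) -> str:
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS
    )
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

# Re-derive with the stored salt and iteration count; constant-time compare
# so the check itself does not leak how many bytes matched.
def verify(password: str, stored: str) -> bool:
    scheme, iterations, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)

# True when two users who chose the same password end up with an identical
# stored value: the property a salt is there to remove.
def same_password_collides(hash_fn) -> bool:
    return hash_fn("correct horse") == hash_fn("correct horse")
```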


Application Security Vulnerabilities (OWASP / CWE) Detected by CAST

CWE application security vulnerabilities in this category exist for reasons outside the other CWE categories.

| CWE ID | Name | Recommendation | How CAST Covers the Application Security Vulnerability |
|---|---|---|---|
| CWE-20 | Improper Input Validation | Checking for best programming practices | Pre-built rules in AIP: 2663 - Avoid SQL injection vulnerabilities; 2660 - Avoid XPath injection vulnerabilities; 2284 - Avoid cross-site scripting vulnerabilities |
| CWE-116 | Improper Encoding or Escaping of Output | Checking for best programming practices | Pre-built rules in AIP: 2663 - Avoid SQL injection vulnerabilities; 2661 - Avoid OS command injection vulnerabilities; 2284 - Avoid cross-site scripting vulnerabilities |
| CWE-90 | LDAP Injection | Checking for LDAP injection | Pre-built rule in AIP: 2662 - Avoid LDAP injection vulnerabilities |
| CWE-91 | XPath Injection | Checking for XPath injection | Pre-built rule in AIP: 2660 - Avoid XPath injection vulnerabilities |
| CWE-73 | External Control of File Name or Path | Checking for file path manipulation | Pre-built rule in AIP: 2659 - Avoid file path manipulation vulnerabilities |
| CWE-99 | Improper Control of Resource Identifiers ('Resource Injection') | Checking for best programming practices | Pre-built rule in AIP: 2659 - Avoid file path manipulation vulnerabilities |
| CWE-117 | Improper Output Neutralization for Logs | Checking for log forging | Pre-built rule in AIP: 2141 - Avoid Log forging vulnerabilities |
| CWE-252 | The software does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions. | Checking the return value of the function will typically be sufficient; however, beware of race conditions (CWE-362) in a concurrent environment. | Supported from CAST AIP 8.0 onwards |
| CWE-681 | When converting from one data type to another, such as long to integer, data can be omitted or translated in a way that produces unexpected values. | Avoid conversions between numeric types. Always check the allowed ranges. | Supported from CAST AIP 8.0 onwards |

CAST provides ongoing support for the OWASP Top Ten, giving users automated means to check that valid protection is in place and, wherever possible, helping development teams detect places where a vulnerability is left in the code. This guide describes CAST's current support and future roadmap for OWASP's application security vulnerabilities.

Srinivas Kedarisetty Security Product Owner
Srinivas has more than 18 years of experience in leading IT delivery teams across India, the U.S. and Europe while managing product security, microservices and SDK. Highly skilled in developing and driving products from conception through the entire product lifecycle, Srinivas has a track record of improving products and teams to create value for customers.