Early Vulnerability Detection for Supporting Secure Programming

Dear reader,

I was wondering if you could spend a few minutes of your precious time helping me. As part of my dissertation, entitled "Early Vulnerability Detection for Supporting Secure Programming", I developed an Eclipse plug-in (still just a prototype) that detects security vulnerabilities while the developer is creating or editing the source code. You can install the plug-in the way you usually do when working with Eclipse; however, if you have any doubts on "How to Install the plug-in", there is a How-To in the attached pdf.

The plug-in’s link:
https://marketplace.eclipse.org/content/early-security-vulnerability-detector-esvd/

You can test the plug-in with some of your own projects; however, if you prefer, you can download, import and test a sample project I created which contains dozens of known security vulnerabilities. More about this project in the attached pdf.

The sample’s link:
http://www.inf.puc-rio.br/~lsampaio/plugin/early_vulnerability_detector/latest/WebDemo.zip

I would really appreciate your feedback regarding ANYTHING: the images used, the text used to report the vulnerabilities, the options provided by the plug-in, the English wording, false positives, false negatives and anything else that comes to your mind.

Supported vulnerabilities:

01 – Command Injection
02 – Cookie Poisoning
03 – Cross-Site Scripting (XSS)
04 – HTTP Response Splitting
05 – LDAP Injection
06 – Log Forging
07 – Path Traversal
08 – Reflection Injection
09 – Security Misconfiguration
10 – SQL Injection
11 – XPath Injection

Tutorials about the plug-in:
How to Install the plug-in / User Interface / WebDemo Project

Thank you in advance,
Luciano Sampaio

15 Responses to “Early Vulnerability Detection for Supporting Secure Programming”

  1. Flavio Says:

    Hi Luciano,
    Downloading the plugin into Eclipse Kepler running on Mac OS works fine, even though when I try to download using an Eclipse Helios running on Windows 7 the error above happens:

    Unable to connect to repository http://www.inf.puc-rio.br/~lsampaio/plugin/early_vulnerability_detector/latest/content.xml
    Unable to connect to repository http://www.inf.puc-rio.br/~lsampaio/plugin/early_vulnerability_detector/latest/content.xml
    Connection refused: connect

    Is it possible to update the post with a link to your dissertation?

    Regards
    Flavio

  2. Luciano Sampaio Says:

    Hi Flavio,

    Actually, it only works on Kepler or newer. I use some libraries that are not available on Helios. Sorry!

    About the link to my dissertation, I am still writing it; as soon as I finish it I will make it available, ok! 🙂

    So, do you have any feedback about the plug-in? Did it find any vulnerabilities in your projects? Any suggestion?

    Thank you,
    Luciano Sampaio

  3. Which methods should be considered "Sources", "Sinks" or "Sanitization" ? - The Code Master Says:

    […] Early Vulnerability Detection for Supporting Secure Programming […]

  4. Java Plug-in that checks vulnerability state (Featured Guest) | ODS3 Cyber Security Academy Says:

    […] http://thecodemaster.net/early-vulnerability-detection-supporting-secure-programming/ […]

  5. newbie Says:

    I installed the plugin in a current Eclipse to check my PHP code. Sadly, the Security Vulnerability window stays empty although the plugin is enabled and the code has severe flaws. Any idea why the plugin does not seem to do anything at all?

  6. Luciano Sampaio Says:

    Hi Newbie,

    The current version of the plugin only understands Java. Sorry about that.

    Best regards,
    Luciano Sampaio

  7. Kamal SABBAR Says:

    Hi Luciano,

    I integrated ESVD successfully in my eclipse, it seems interesting.

    Regards.

  8. Luciano Sampaio Says:

    Awesome!!! Let me know what you think! Just remember it is still a prototype, ok?! 😀

  9. Kamal SABBAR Says:

    Hi Luciano,

    Keep going bro, it is really an interesting project, don’t let it fall apart.

    Good luck,
    Regards.

  10. Sangeetha K Says:

    Hi Luciano,

    I’m using Kepler Eclipse. When I try to install the “Early Security Vulnerability plugin” from the Eclipse Marketplace, I’m getting the issue “No repository found at http://thecodemaster.net/plugin/early_vulnerability_detector/latest/”.

    Can you please help on this.

    Thanks & Regards,
    Sangeetha K

  11. Luciano Sampaio Says:

    Hi Sangeetha K,

    I’m having some problems with the Eclipse Marketplace, sorry about that. If you want to download the plugin directly from my website you can do it from http://esvd.thecodemaster.net/plugin/latest/ESVD.zip. After that you will have to perform some steps:
    01 – Unzip the file.
    02 – Go to Eclipse and try to install the plugin by pointing to the folder you have just created.
    03 – Accept the prompts from Eclipse.

    Let me know if you could successfully install the plugin.

  12. Luís Says:

    Hi, Luciano,

    I’m using Neon Eclipse here, and experiencing a similar error to the one Sangeetha K pointed out above:

    Error
    Thu Jan 04 15:01:04 BRST 2018
    No repository found at http://esvd.thecodemaster.net/plugin/latest/.

    eclipse.buildId=4.6.3.M20170301-0400
    java.version=1.8.0_66
    java.vendor=Oracle Corporation

    Thanks (obrigado 🙂 ),
    Luís Pacheco

  13. Luciano Sampaio Says:

    Hi Luís,

    I’m having some problems with the Eclipse Marketplace, sorry about that. If you want to download the plugin directly from my website you can do it from http://esvd.thecodemaster.net/plugin/latest/ESVD.zip. After that you will have to perform some steps:
    01 – Unzip the file.
    02 – Go to Eclipse and try to install the plugin by pointing to the folder you have just created.
    03 – Accept the prompts from Eclipse.

    Let me know if you could successfully install the plugin.

  14. Priya Says:

    Hi,

    I unzipped the archive and then, via Install New Software, I tried the plugin configuration. It shows “No software site found”.

  15. Luciano Sampaio Says:

    Hi,

    You have to install from file, not from URL, because I am having problems allowing Eclipse to download directly from my website. Let me know if installing from file worked.
