Early Vulnerability Detection for Supporting Secure Programming

Dear reader,

I was wondering if you could spend some minutes of your precious time by helping me. As part of my dissertation entitled “Early Vulnerability Detection for Supporting Secure Programming“, I developed an Eclipse plug-in (still just a prototype) that performs security vulnerability detection while the developer is creating/editing the source code. You can install the plug-in as you usually do when working with Eclipse; however, if you have any doubts on “How to Install the plug-in”, there is a How-To in the attached PDF.

The plug-in’s link:
https://marketplace.eclipse.org/content/early-security-vulnerability-detector-esvd/

You can test the plug-in with some of your own projects; however, if you want, you can download, import and test a sample project created by me which contains dozens of known security vulnerabilities. More about this project in the attached PDF.

The sample’s link:
https://esvd.thecodemaster.net/plugin/latest/WebDemo.zip

I would really appreciate your feedback regarding ANYTHING: the images used, the text used to report the vulnerabilities, the options provided by the plug-in, the English wording, false positives, false negatives and anything else that comes to your mind.

Supported vulnerabilities:

01 – Command Injection
02 – Cookie Poisoning
03 – Cross-Site Scripting (XSS)
04 – HTTP Response Splitting
05 – LDAP Injection
06 – Log Forging
07 – Path Traversal
08 – Reflection Injection
09 – Security Misconfiguration
10 – SQL Injection
11 – XPath Injection

Tutorials about the plug-in:
How to Install the plug-in / User Interface / WebDemo Project

Thank you in advance,
Luciano Sampaio

16 thoughts on “Early Vulnerability Detection for Supporting Secure Programming”

  1. Hi Luciano,
    Downloading the plugin into Eclipse Kepler running on Mac OS works fine, even though when I try to download using an Eclipse Helios running on Windows 7 the following error happens:

    Unable to connect to repository http://www.inf.puc-rio.br/~lsampaio/plugin/early_vulnerability_detector/latest/content.xml
    Unable to connect to repository http://www.inf.puc-rio.br/~lsampaio/plugin/early_vulnerability_detector/latest/content.xml
    Connection refused: connect

    Is it possible to update the post with a link to your dissertation?

    Regards
    Flavio

    1. Hi Flavio,

      Actually, it only works on Kepler or newer. I use some libraries that are not available on Helios. Sorry!

      About the link to my dissertation, I am still writing it; as soon as I finish it I will make it available, ok! 🙂

      So, do you have any feedback about the plug-in? Did it find any vulnerabilities in your projects? Any suggestions?

      Thank you,
      Luciano Sampaio

  2. I installed the plugin in a current Eclipse to check my PHP code. Sadly, the Security Vulnerability window stays empty although the plugin is enabled and the code has severe flaws. Any idea why the plugin does not seem to do anything at all?

    1. Hi Newbie,

      The current version of the plugin only understands Java. Sorry about that.

      Best regards,
      Luciano Sampaio

    1. Awesome!!! Let me know what you think! Just remember it is still a prototype, ok?! 😀

  3. Hi Luciano,

    Keep going bro, it is really an interesting project, don’t let it fall apart.

    Good luck,
    Regards.

  4. Hi Luciano,

    I’m using Kepler Eclipse. When I try to install the “Early Security Vulnerability” plugin from the Eclipse Marketplace, I’m getting the issue “No repository found at http://thecodemaster.net/plugin/early_vulnerability_detector/latest/”.

    Can you please help with this?

    Thanks & Regards,
    Sangeetha K

    1. Hi Sangeetha K,

      I’m having some problems with the Eclipse Marketplace, sorry about that. If you want to download the plugin directly from my website you can do it from http://esvd.thecodemaster.net/plugin/latest/ESVD.zip. After that you will have to perform some steps:
      01 – Unzip the file.
      02 – Go to Eclipse and try to install the plugin, pointing to the folder you have just created.
      03 – Accept the prompts from Eclipse.

      Let me know if you could successfully install the plugin.

    1. Hi Luís,

      I’m having some problems with the Eclipse Marketplace, sorry about that. If you want to download the plugin directly from my website you can do it from http://esvd.thecodemaster.net/plugin/latest/ESVD.zip. After that you will have to perform some steps:
      01 – Unzip the file.
      02 – Go to Eclipse and try to install the plugin by pointing to the folder you have just created.
      03 – Accept the prompts from Eclipse.

      Let me know if you could successfully install the plugin.

  5. Hi,

    I unzipped the archive and then, via Install New Software, I tried to configure the plugin. It shows “No software site found”.

    1. Hi,

      You have to install from file, not from URL, because I am having problems allowing Eclipse to download directly from my website. Let me know if installing from file worked.

  6. Same here. Whatever option I choose for the plugin installation, it says ‘No software site found’. I am using Eclipse Version: Neon.3 Release (4.6.3).
