One thing I noticed when I first started testing security applications was that each one had its own understanding of what a security vulnerability is and which methods should be verified and flagged as vulnerable. I later found this page (https://www.owasp.org/index.php/Searching_for_Code_in_J2EE/Java) on OWASP. It contains some methods that should be sanitized, but I believe it is not the full list.
So I have created my own list from what I found in other applications, blogs, etc., and I was wondering if you (my reader) could help me make this list complete. If we manage to do this, I think it would be great to update the OWASP page. What do you think?
With this list of methods I performed an evaluation on 5 applications (BlueBlog, PersonaBlog, WebGoat, Roller and Pebble) using 4 Eclipse plug-ins (ASIDE, CodePro, Lapse+ and ESVD (my plug-in)). I got some very promising results. I am really excited.
Do you think there are methods missing, or should some of these methods be removed from the list?
My plug-in is still a prototype, but I am receiving some very good feedback. You can see more on:
01 – early-vulnerability-detection-supporting-secure-programming
02 – https://marketplace.eclipse.org/content/early-security-vulnerability-detector-esvd/
My list of “Sources”, “Sinks” and “Sanitization” methods:
Cross Site Scripting
HTTP Response Splitting
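As an added example that is not part of the original post, this toy checker shows how a source/sink/sanitizer list of the kind collected here turns into a detection rule, and why sanitizers are tied to one vulnerability class: HTML encoding for XSS does not make a value safe for an HTTP header. The servlet and OWASP Java Encoder method names are real; the one-call-per-line statement format, the receiver-type map and the HeaderUtil.stripCrlf helper are assumptions made for the demo.

```python
"""Toy flow checker for the source / sink / sanitizer lists discussed above.
Servlet and OWASP Java Encoder names are real; the one-call-per-line statement
format, the receiver-type map and HeaderUtil.stripCrlf are constructed here."""
import re
# Sources: attacker-controlled input, tainted for every vulnerability class.
SOURCES = {"HttpServletRequest.getParameter", "HttpServletRequest.getHeader"}
# Sinks and sanitizers are keyed by the vulnerability class they belong to.
SINKS = {"XSS": {"PrintWriter.println", "PrintWriter.print", "PrintWriter.write"},
         "HTTP_RESPONSE_SPLITTING": {"HttpServletResponse.setHeader",
                                     "HttpServletResponse.addHeader"}}
SANITIZERS = {"XSS": {"Encode.forHtml", "Encode.forHtmlAttribute"},   # OWASP Java Encoder
              "HTTP_RESPONSE_SPLITTING": {"HeaderUtil.stripCrlf"}}    # hypothetical helper

# [Type] target = receiver.method(args);   -- straight-line Java, one call per line
STMT = re.compile(r"^(?:(?:[\w<>\[\]]+\s+)?(\w+)\s*=\s*)?(\w+)\.(\w+)\((.*)\);?$")

def analyze(statements, receiver_types):
    """Return (line_no, vuln, sink) for every source->sink flow left unsanitized."""
    taint, findings = {}, []             # taint[var] = vulnerability classes still open
    for lineno, stmt in enumerate(statements, 1):
        m = STMT.match(stmt.strip())
        if not m:
            continue
        target, receiver, method, raw_args = m.groups()
        callee = f"{receiver_types.get(receiver, receiver)}.{method}"
        ids = re.findall(r"[A-Za-z_]\w*", re.sub(r'"[^"]*"', "", raw_args))  # arg variables
        tainted_by = set().union(*(taint.get(v, set()) for v in ids))
        if callee in SOURCES:
            tainted_by = set(SINKS)
        for vuln, names in SANITIZERS.items():
            if callee in names:
                tainted_by.discard(vuln)   # a sanitizer neutralises its own class only
        for vuln, names in SINKS.items():
            if callee in names and vuln in tainted_by:
                findings.append((lineno, vuln, callee))
        if target:
            taint[target] = tainted_by
    return findings

SAMPLE_TYPES = {"request": "HttpServletRequest", "response": "HttpServletResponse",
                "out": "PrintWriter"}
SAMPLE = [  # constructed servlet fragment
    'String name = request.getParameter("name");',
    'String safe = Encode.forHtml(name);',
    'out.println("<h1>Hello " + safe + "</h1>");',   # encoded: no finding
    'out.println("<h1>Hello " + name + "</h1>");',   # raw: XSS
    'response.setHeader("X-User", safe);',          # HTML encoding does not remove CRLF
    'String header = HeaderUtil.stripCrlf(name);',
    'response.addHeader("X-Clean", header);',       # filtered: no finding
]
```

Running `analyze(SAMPLE, SAMPLE_TYPES)` reports line 4 as XSS and line 5 as HTTP Response Splitting; lines 3 and 7 are silent because the matching sanitizer sat on the path.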
13 thoughts on “Which methods should be considered “Sources”, “Sinks” or “Sanitization”?”
I tried ESVD & it's very good. I would like to add one suggestion:
When the user clicks on the security marker, some options related to the vulnerability appear on the hover.
Can we have a message on top stating the vulnerability, like “This element should be sanitized to avoid Cross-Site Scripting (XSS)”? Can we have this title representing the vulnerability for all 11 violations? Right now I guess it is only for Cross Site Scripting.
In the Security view, how are the priority numbers defined?
Thank you for downloading and for your suggestions.
01 – My bad!!!! I hardcoded the message “… to avoid Cross-Site Scripting (XSS)”; it should be the name of the found vulnerability. I will change that. Thank you!
02 – Because ESVD is still just a prototype, we have predefined all the numbers; they were based on the OWASP Risk Factor Summary (https://www.owasp.org/index.php/Top_10_2013-Details_About_Risk_Factors). We plan to add an option with which developers can change them as they see fit. However, currently this is not possible.
How do you like the priority numbers? Do you think they help?
Thanks for your quick response 🙂
Priority numbers: if a description is available somewhere, it will be helpful. The link you shared is confusing me. I am not able to find what priority no. 11 stands for 🙁
A few more suggestions from my side to make ESVD more usable:
1) An explicit option to clear the violation icons from the Java files.
2) An option to clear the violations from the Security view.
3) Priority is not explained in the document. A detailed explanation of the priority numbers and their corresponding violations will definitely be helpful.
4) On all hovers, mentioning the found violation at the top of the message will be helpful.
5) An Export to PDF\Excel option will be a great value add.
6) Instead of setting the Run on Save option in the Preferences section, if it's available on right-click of the project, it will be handy and easy.
The link I shared was to show how I got the priority numbers. From the OWASP Risk Factor Summary (https://www.owasp.org/index.php/Top_10_2013-Details_About_Risk_Factors) I created my own Risk Factor (http://thecodemaster.net/wp-content/uploads/2014/10/Risk-Factor.png). Take a look and see if it is easier to understand now.
01 – What do you mean by “an explicit option”? Because we do have an option. Check the image:
02 – I agree, we don’t have this.
03 – I agree.
04 – I agree.
05 – If you right-click on the warnings (just one, several or all of them), a dialog should appear with the option “Copy to clipboard”. If you paste it into Excel it should be fine. Try it and let me know.
06 – We do not have “Run” and “Stop” buttons, this is true, but we do have “Enable” and “Disable” buttons, which is almost the same, don’t you agree? 🙂
Talk to you soon.
I would like to know when the next release of the plugin is and what the proposed enhancements\changes are.
The plug-in is just a proof of concept; until I finish my thesis, I will not have time to work on it. I did find several places where I can improve it in order to make ESVD better. However, that will have to wait a little bit.
Thanks for your elaborate explanation on my queries on ESVD. Your response is helpful.
Hope to see ESVD updated version soon 🙂
Just curious to know whether you have uploaded the source code to git\svn?
So far the source code is only available to the members of my research group.
Can you give me the list of reference materials you went through for creating this plugin? I would also like to know if any parser has been used for finding the security violations.
The main references were these 4:
01 – https://wiki.eclipse.org/Eclipse_Corner
02 – http://www.vogella.com/tutorials/eclipse.html
03 – Eclipse 4 Plug-in Development by Example
04 – Eclipse Plug-ins Third Edition Dec 2008
I created my own parser.
Thanks and let me know if there is anything else I can help you with.