Documentation
¶
Index ¶
Constants ¶
This section is empty.
Variables ¶
View Source
var AndroidRules []engine.Rule = []engine.Rule{ Rule{ And: []*regexp.Regexp{regexp.MustCompile(`\.crypto\.Cipher`), regexp.MustCompile(`Cipher\.getInstance\(\s*"RSA/.+/NoPadding`)}, NotAnd: []*regexp.Regexp{regexp.MustCompile(`\.crypto\.Cipher`)}, CWE: "CWE-780", AverageCVSS: 5.9, Description: "This application uses RSA encryption without OAEP (Optimal Asymmetric Encryption Padding), OAEP has been standardized as PKCS # 1 v2 and RFC 2437. The padding scheme makes the operation 'semantically secure' and prevents some types of attacks, which would use the lack of padding as an attack vector.", Recomendation: "It is recommended to use RSA in conjunction with OAEP, the RSA-OAEP method makes padding attacks much more complex and often unviable.", }, Rule{ And: []*regexp.Regexp{regexp.MustCompile(`\.crypto\.Cipher`), regexp.MustCompile(`Cipher\.getInstance\(`), regexp.MustCompile(`"DES"`)}, NotAnd: []*regexp.Regexp{regexp.MustCompile(`\.crypto\.Cipher`)}, CWE: "CWE-327", AverageCVSS: 5.9, Description: "DES (Data Encryption Standard) is a symmetric key cryptographic algorithm. Its 56-bit key makes it insecure for modern applications, it was developed in 1970, approved as a standard in 1976 and in 1977 the first vulnerability was discovered. Today it can be broken in about 2 days with a modern graphics card.", Recomendation: "Whenever possible, the use of DES encryption should be avoided, the recommended encryption is AES (Advanced Encryption Standard) with 256 bits, which has been approved by the American security agency (NSA) for encrypting top secret information.", }, Rule{ Or: []*regexp.Regexp{regexp.MustCompile(`MODE_WORLD_WRITABLE|Context\.MODE_WORLD_WRITABLE`), regexp.MustCompile(`openFileOutput\(\s*".+"\s*,\s*2\s*\)`)}, CWE: "CWE-276", AverageCVSS: 6, Description: "The file is 'World Readable'. Any application can read the file.", Recomendation: "According to official Google documentation, MODE_WORLD_WRITABLE mode is deprecated. It is recommended to use MODE_PRIVATE.", }, Rule{ ExactMatch: regexp.MustCompile(`openFileOutput\(\s*".+"\s*,\s*3\s*\)`), CWE: "CWE-276", AverageCVSS: 6, Description: "The file is 'World Readable' and 'World Writable'. Any application can read the file.", Recomendation: "According to official Google documentation, both MODE_WORLD_WRITABLE and MODE_WORLD_READABLE modes are depreciated. It is recommended to use MODE_PRIVATE.", }, Rule{ ExactMatch: regexp.MustCompile(`MessageDigest\.getInstance\("*MD5"*\)|MessageDigest\.getInstance\("*md5"*\)|DigestUtils\.md5\(`), CWE: "CWE-327", AverageCVSS: 7.4, Description: "MD5 is a hash algorithm considered weak and can return the same result for two different contents, which can cause collisions and in extreme cases it can cause a security breach. https://en.wikipedia.org/wiki/Collision_resistance", Recomendation: "It is recommended to use some CHF (Cryptographic Hash Function), which is mathematically strong and not reversible. SHA512 would be the most recommended hash for storing the password and it is also important to adopt some type of Salt, so that the Hash is more secure.", }, Rule{ ExactMatch: regexp.MustCompile(`getInstance("md4")|getInstance("rc2")|getInstance("rc4")|getInstance("RC4")|getInstance("RC2")|getInstance("MD4")`), CWE: "CWE-327", AverageCVSS: 7.4, Description: "MD4 is a hash algorithm considered weak and can return the same result for two different contents, which can cause collisions and in extreme cases it can cause a security breach. https://en.wikipedia.org/wiki/Collision_resistance", Recomendation: "It is recommended to use some CHF (Cryptographic Hash Function), which is mathematically strong and not reversible. SHA512 would be the most recommended hash for storing the password and it is also important to adopt some type of Salt, so that the Hash is more secure.", }, Rule{ Or: []*regexp.Regexp{regexp.MustCompile(`.getExternalStorage`), regexp.MustCompile(`.getExternalFilesDir\(`)}, CWE: "CWE-276", AverageCVSS: 5.5, Description: "The application can read / write to external storage. External storage files can be modified by any application.", Recomendation: "", }, Rule{ ExactMatch: regexp.MustCompile(`\.createTempFile\(`), CWE: "CWE-276", AverageCVSS: 5.5, Description: "The application creates a temporary file. Sensitive information should not be stored in temporary files.", Recomendation: "", }, Rule{ Or: []*regexp.Regexp{regexp.MustCompile(`0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00`), regexp.MustCompile(`0x01,0x02,0x03,0x04,0x05,0x06,0x07`)}, CWE: "CWE-329", AverageCVSS: 9.8, Description: "The Application uses weak Initialization Vectors (weak IVs in encryption), such as '0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 ' or '0x01,0x02,0x03,0x04,0x05,0x06 , 0x07 '. Failure to use random IVs makes the application vulnerable to dictionary attacks.", Recomendation: "", }, Rule{ And: []*regexp.Regexp{regexp.MustCompile(`onReceivedSslError\(WebView`), regexp.MustCompile(`\.proceed\(\);`), regexp.MustCompile(`webkit\.WebView`)}, NotAnd: []*regexp.Regexp{regexp.MustCompile(`webkit\.WebView`)}, CWE: "CWE-295", AverageCVSS: 7.4, Description: "Insecure WebView implementation. WebView ignores SSL Certificate errors and accepts SSL. This application is vulnerable to MITM attacks.", Recomendation: "", }, Rule{ And: []*regexp.Regexp{regexp.MustCompile(`android\.database\.sqlite`), regexp.MustCompile(`execSQL\(|rawQuery\(`)}, NotAnd: []*regexp.Regexp{regexp.MustCompile(`android\.database\.sqlite`)}, CWE: "CWE-89", AverageCVSS: 5.9, Description: "User input without validation can cause SQL Injection. All user input must be sanitized before performing the operation on the database.", Recomendation: "Always validate user inputs before the server executes the query and reject requests that contain characters that are not strictly necessary.", }, Rule{ ExactMatch: regexp.MustCompile(`SQLiteOpenHelper\.getWritableDatabase\(`), CWE: "CWE-312", AverageCVSS: 1, Description: "The application uses SQL Cipher, but the key may be contained in the source code (hardcoded).", Recomendation: "", }, Rule{ And: []*regexp.Regexp{regexp.MustCompile(`android\.app\.DownloadManager`), regexp.MustCompile(`getSystemService\(DOWNLOAD_SERVICE\)`)}, NotAnd: []*regexp.Regexp{regexp.MustCompile(`android\.app\.DownloadManager`)}, CWE: "CWE-494", AverageCVSS: 7.5, Description: "The application downloads files using the Android Download Manager.", Recomendation: "", }, Rule{ And: []*regexp.Regexp{regexp.MustCompile(`\.setWebContentsDebuggingEnabled\(true\)`), regexp.MustCompile(`webkit\.WebView`)}, NotAnd: []*regexp.Regexp{regexp.MustCompile(`webkit\.WebView`)}, CWE: "CWE-215", AverageCVSS: 5.4, Description: "Remote WebView debugging is enabled.", Recomendation: "", }, Rule{ And: []*regexp.Regexp{regexp.MustCompile(`webkit\.WebView`), regexp.MustCompile(`(setJavaScriptEnabled\(true\))|(.addJavascriptInterface\()`)}, NotAnd: []*regexp.Regexp{regexp.MustCompile(`webkit\.WebView`)}, CWE: "CWE-749", AverageCVSS: 8.8, Description: "Insecure WebView implementation. User-controlled code execution is a security hole.", Recomendation: "", }, Rule{ Or: []*regexp.Regexp{regexp.MustCompile(`content\.ClipboardManager`), regexp.MustCompile(`CLIPBOARD_SERVICE`), regexp.MustCompile(`ClipboardManager`)}, CWE: "CWE-200", AverageCVSS: 5, Description: "The classes in this file write or read data on the Clipboard. The transfer area is shared between all apps so attention is needed to data that is placed in this resource.", Recomendation: "", }, Rule{ Or: []*regexp.Regexp{regexp.MustCompile(`net\.JarURLConnection`), regexp.MustCompile(`JarURLConnection`), regexp.MustCompile(`jar:((?:http|https)://(?:[\w_-]+(?:(?:\.[\w_-]+)+))(?:[\w.,@?^=%&:/~+#-]*[\w@?^=%&/~+#-])?)`)}, CWE: "CWE-611", AverageCVSS: 5, Description: "This code uses jar url, this functionality could generate an XML vulnerability External Entities (XXE), XXE is listed as fourth place (A4) in the Top 10 OWASP 2017", Recomendation: "It is recommended to avoid using url jar when possible, there are other safer methods that can be used to consult the jar file.", }, Rule{ And: []*regexp.Regexp{regexp.MustCompile(`\.crypto\.Cipher`), regexp.MustCompile(`Cipher\.getInstance\(`), regexp.MustCompile(`"AES"`)}, NotAnd: []*regexp.Regexp{regexp.MustCompile(`\.crypto\.Cipher`)}, CWE: "CWE-326", AverageCVSS: 5, Description: "DES is a hash algorithm that is considered weak and can cause hash collisions.", Recomendation: "It is always recommended to use some CHF (Cryptographic Hash Function), which is mathematically strong and not reversible. SHA512 would be the most recommended hash for storing the password and it is also important to adopt some type of Salt, so that the Hash is more secure.", }, Rule{ And: []*regexp.Regexp{regexp.MustCompile(`\.net\.ssl`), regexp.MustCompile(`TrustAllSSLSocket-Factory|AllTrustSSLSocketFactory|NonValidatingSSLSocketFactory|net\.SSLCertificateSocketFactory|ALLOW_ALL_HOSTNAME_VERIFIER|\.setDefaultHostnameVerifier\(|NullHostnameVerifier\(`)}, NotAnd: []*regexp.Regexp{regexp.MustCompile(`\.net\.ssl`)}, CWE: "CWE-295", AverageCVSS: 7.4, Description: "Insecure implementation of SSL. Trusting any certificate or accepting self-signed certificates can cause a serious security breach, making the application vulnerable to MITM (Man In The Middle) attacks.", Recomendation: "", }, Rule{ And: []*regexp.Regexp{regexp.MustCompile(`\.loadUrl\(`), regexp.MustCompile(`webkit\.WebView`)}, NotAnd: []*regexp.Regexp{regexp.MustCompile(`webkit\.WebView`)}, CWE: "CWE-919", AverageCVSS: 5, Description: "The WebView loads files from external storage. External storage files can be modified by any application.", Recomendation: "", }, Rule{ Or: []*regexp.Regexp{regexp.MustCompile(`MODE_WORLD_READABLE|Context\.MODE_WORLD_READABLE`), regexp.MustCompile(`openFileOutput\(\s*".+"\s*,\s*1\s*\)`)}, CWE: "CWE-276", AverageCVSS: 4, Description: "The file is 'World Readable'. Any application can read the file.", Recomendation: "According to official Google documentation, MODE_WORLD_READABLE mode is deprecated. It is recommended to use MODE_PRIVATE. In case your application needs to share private files with other applications, you must use a FileProvider with the attribute FLAG_GRANT_READ_URI_PERMISSION.", }, Rule{ And: []*regexp.Regexp{regexp.MustCompile(`\.crypto\.Cipher`), regexp.MustCompile(`Cipher\.getInstance\(`), regexp.MustCompile(`"ECB"`)}, NotAnd: []*regexp.Regexp{regexp.MustCompile(`\.crypto\.Cipher`)}, CWE: "CWE-327", AverageCVSS: 5.9, Description: "The application uses ECB as the 'block mode' of the encryption algorithm. ECB is considered a weak cryptographic algorithm, as it results in the same cipher for identical blocks of plain text.", Recomendation: "Whenever possible, avoid using the ECB mode, as it is predictable and can be broken with attacks such as frequency analysis. We recommend the use of Authenticated Encription (AE) and Authenticated Encryption with Associated Data (AEAD), which ensure both the confidentiality and authenticity of the data. Some recommended modes are GCM, EAX and OCB, CBC mode can also be used in combination with HMAC message authentication.", }, Rule{ ExactMatch: regexp.MustCompile(`Runtime\.getRuntime\(`), CWE: "CWE-78", AverageCVSS: 9, Description: "The application executes Commands directly on the Operating System. If using any user input, it must be sanitized to the maximum, cleaning any unnecessary characters. In general, it is recommended to never use calls to native commands, being recommended the JNI (Java Native Interface) for such low level operations.", Recomendation: "", }, Rule{ ExactMatch: regexp.MustCompile(`setVisibility\(View\.GONE\)|setVisibility\(View\.INVISIBLE\)`), CWE: "CWE-919", AverageCVSS: 4.3, Description: "Invisible elements in the view can be used to hide data from the user, but can still be leaked.", Recomendation: "", }, Rule{ And: []*regexp.Regexp{regexp.MustCompile(`dalvik\.system\.PathClassLoader|dalvik\.system\.DexFile|dalvik\.system\.DexPathList|dalvik\.system\.DexClassLoader|java\.security\.ClassLoader|java\.net\.URLClassLoader|java\.security\.SecureClassLoader`), regexp.MustCompile(`loadDex|loadClass|DexClassLoader|loadDexFile`)}, NotAnd: []*regexp.Regexp{regexp.MustCompile(`dalvik\.system\.PathClassLoader|dalvik\.system\.DexFile|dalvik\.system\.DexPathList|dalvik\.system\.DexClassLoader|java\.security\.ClassLoader|java\.net\.URLClassLoader|java\.security\.SecureClassLoader`)}, CWE: "CWE-695", AverageCVSS: 4, Description: "The application loads and / or manipulates Dex files (Dexloading and dynamic classes). ", Recomendation: "It is not recommended to use APIs with low level of manipulation as this can facilitate the injection of code within the application. If the intention is to obfuscate the code, it is always important to take care of your obfuscator settings so as not to allow the loading of static files, which can easily be replaced by a forged file.", }, Rule{ And: []*regexp.Regexp{regexp.MustCompile(`com\.fasterxml\.jackson\.databind\.ObjectMapper`), regexp.MustCompile(`\.enableDefaultTyping\(`)}, NotAnd: []*regexp.Regexp{regexp.MustCompile(`com\.fasterxml\.jackson\.databind\.ObjectMapper`)}, CWE: "CWE-502", AverageCVSS: 7.5, Description: "The app uses jackson deserialization libraryDeserialization of untrusted input can result inarbitary code execution.", Recomendation: "", }, Rule{ ExactMatch: regexp.MustCompile(`MODE_PRIVATE|Context\.MODE_PRIVATE`), CWE: "CWE-919", AverageCVSS: 5, Description: "App can write to App Directory. Sensitive Information should be encrypted.", Recomendation: "", }, Rule{ Or: []*regexp.Regexp{regexp.MustCompile(`com\.noshufou\.android\.su`), regexp.MustCompile(`com\.thirdparty\.superuser`), regexp.MustCompile(`eu\.chainfire\.supersu`), regexp.MustCompile(`com\.koushikdutta\.superuser`), regexp.MustCompile(`eu\.chainfire\.`)}, CWE: "CWE-250", AverageCVSS: 7.5, Description: "This application has packages to access root privileges (Super User). A Super User on the user's device can do absolutely anything, making the application very powerful and possibly facilitating malicious actions. etc.", Recomendation: "", }, Rule{ And: []*regexp.Regexp{regexp.MustCompile(`WebView`), regexp.MustCompile(`loadData\(`), regexp.MustCompile(`android\.webkit`)}, NotOr: []*regexp.Regexp{regexp.MustCompile(`WebView`), regexp.MustCompile(`android\.webkit`)}, CWE: "CWE-749", AverageCVSS: 8, Description: "WebView request via GET. The Android WebViews API is very sensitive because it allows resources coming from the network to access data only available in the context of the application, making it easier for an attacker to execute Remote Code Execution, it is always necessary to ensure that the content sources presented in WebViews are encrypted and protected and user inputs are always sanitized.", Recomendation: "", }, Rule{ ExactMatch: regexp.MustCompile(`Log\.(v|d|i|w|e|f|s)|System\.out\.print|System\.err\.print`), CWE: "CWE-532", AverageCVSS: 3.2, Description: "The App logs information. Sensitive information should not be logged.", Recomendation: "", }, Rule{ And: []*regexp.Regexp{regexp.MustCompile(`java\.util\.Random`), regexp.MustCompile(`Random\(\)`)}, NotAnd: []*regexp.Regexp{regexp.MustCompile(`java\.util\.Random`)}, CWE: "CWE-330", AverageCVSS: 1, Description: "The application uses a predictable, therefore insecure, random number generator.", Recomendation: "Instances of java.util.Random are not cryptographically secure. Consider instead using SecureRandom to get a cryptographically secure pseudo-random number generator for use by security-sensitive applications. https://docs.oracle.com/javase/8/docs/api/java/util/Random.html", }, Rule{ ExactMatch: regexp.MustCompile(`Random\..*\(.*\)|Random\(.*\)|\(.*\).random\(\)`), CWE: "CWE-330", AverageCVSS: 1, Description: "The application uses a predictable, therefore insecure, random number generator.", Recomendation: "Instances of java.util.Random are not cryptographically secure. Consider instead using SecureRandom to get a cryptographically secure pseudo-random number generator for use by security-sensitive applications. https://docs.oracle.com/javase/8/docs/api/java/util/Random.html", }, Rule{ And: []*regexp.Regexp{regexp.MustCompile(`\.crypto\.Cipher`), regexp.MustCompile(`Cipher\.getInstance\(`), regexp.MustCompile(`"GCM"`)}, NotAnd: []*regexp.Regexp{regexp.MustCompile(`\.crypto\.Cipher`)}, CWE: "CWE-326", AverageCVSS: 2, Description: "The application uses GCM as the 'block mode' of the encryption algorithm. GCM is considered a secure cryptographic algorithm as long as each encrypted block is indistinguishable from a random permutation, otherwise, it would only increase the value of IV (Initialization Vector) by 1, so the keys become predictable, when analyzing a block with a sufficient number of messages encrypted with the same key and / or IV. It may be vulnerable to 'Stream Cipher Attack'.", Recomendation: "Security depends on choosing a unique initialization vector (IV) for each encryption performed with the same key.", }, Rule{ ExactMatch: regexp.MustCompile(`MessageDigest\.getInstance\("*SHA-1"*\)|MessageDigest\.getInstance\("*sha-1"*\)|DigestUtils\.sha\(`), CWE: "CWE-327", AverageCVSS: 5.9, Description: "SHA-1 is a hash algorithm considered weak and can return the same result for two different contents, which can cause collisions and in extreme cases it can cause a security breach. https://en.wikipedia.org/wiki/Collision_resistance", Recomendation: "It is recommended to use some CHF (Cryptographic Hash Function), which is mathematically strong and not reversible. SHA512 would be the most recommended hash for storing the password and it is also important to adopt some type of Salt, so that the Hash is more secure.", }, }
View Source
var CoreRules []engine.Rule = []engine.Rule{ Rule{ ExactMatch: regexp.MustCompile(`\d{2,3}\.\d{2,3}\.\d{2,3}\.\d{2,3}`), CWE: "CWE-200", AverageCVSS: 7, Description: "Credentials must not be stored in the code, an attacker could decompile the application and obtain the credential.", Recomendation: "There are ‘Secrets Management’ solutions that can be used to store secrets.", }, Rule{ ExactMatch: regexp.MustCompile(`(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}`), CWE: "CWE-312", AverageCVSS: 7.4, Description: "File contains sensitive information written directly, such as usernames, passwords, keys, etc.", Recomendation: "Credentials must not be stored in the git code or repository, an attacker could decompile the application and obtain the credential. There are ‘Secrets Management’ solutions that can be used to store secrets or use Pipeline resources.", }, Rule{ ExactMatch: regexp.MustCompile(`(?i)aws(.{0,20})?(?-i)['"][0-9a-zA-Z/+]{40}['"]`), CWE: "CWE-312", AverageCVSS: 7.4, Description: "File contains sensitive information written directly, such as usernames, passwords, keys, etc.", Recomendation: "Credentials must not be stored in the git code or repository, an attacker could decompile the application and obtain the credential. There are ‘Secrets Management’ solutions that can be used to store secrets or use Pipeline resources.", }, Rule{ ExactMatch: regexp.MustCompile(`amzn\.mws\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}`), CWE: "CWE-312", AverageCVSS: 7.4, Description: "File contains sensitive information written directly, such as usernames, passwords, keys, etc.", Recomendation: "Credentials must not be stored in the git code or repository, an attacker could decompile the application and obtain the credential. There are ‘Secrets Management’ solutions that can be used to store secrets or use Pipeline resources.", }, Rule{ ExactMatch: regexp.MustCompile(`(chave\s*=\s*['|"]\w+['|"])|(\w*[tT]oken\s*=\s*['|"]\w+['|"])|(\w*[aA][uU][tT][hH]\w*\s*=\s*['|"]\w+['|"])|(username\s*=\s*['|"]\w+['|"])|(secret\s*=\s*['|"]\w+['|"])|(chave\s*=\s*['|"]\w+['|"])`), NotOr: []*regexp.Regexp{regexp.MustCompile(`(?mi)public.*[tT]oken`), regexp.MustCompile(`(?mi)public.*[kK]ey`)}, CWE: "CWE-312", AverageCVSS: 7.4, Description: "File contains sensitive information written directly, such as usernames, passwords, keys, etc.", Recomendation: "Credentials must not be stored in the Git code or repository. There are ‘Secrets Management’ solutions that can be used to store secrets or use Pipeline resources.", }, Rule{ ExactMatch: regexp.MustCompile(`-----BEGIN PRIVATE KEY-----`), CWE: "CWE-312", AverageCVSS: 7.4, Description: "File contains sensitive information written directly, such as usernames, passwords, keys, etc.", Recomendation: "Credentials must not be stored in the git code or repository, an attacker could decompile the application and obtain the credential. There are ‘Secrets Management’ solutions that can be used to store secrets or use Pipeline resources.", }, Rule{ ExactMatch: regexp.MustCompile(`AAAA(?:[0-9A-Za-z+/])+={0,3}(?:.+@.+)`), CWE: "CWE-312", AverageCVSS: 7.4, Description: "File contains sensitive information written directly, such as usernames, passwords, keys, etc.", Recomendation: "Credentials must not be stored in the git code or repository, an attacker could decompile the application and obtain the credential. There are ‘Secrets Management’ solutions that can be used to store secrets or use Pipeline resources.", }, Rule{ ExactMatch: regexp.MustCompile(`-----BEGIN OPENSSH PRIVATE KEY-----`), CWE: "CWE-312", AverageCVSS: 7.4, Description: "File contains sensitive information written directly, such as usernames, passwords, keys, etc.", Recomendation: "Credentials must not be stored in the git code or repository, an attacker could decompile the application and obtain the credential. There are ‘Secrets Management’ solutions that can be used to store secrets or use Pipeline resources.", }, Rule{ ExactMatch: regexp.MustCompile(`-----BEGIN PGP PRIVATE KEY BLOCK-----`), CWE: "CWE-312", AverageCVSS: 7.4, Description: "File contains sensitive information written directly, such as usernames, passwords, keys, etc.", Recomendation: "Credentials must not be stored in the git code or repository, an attacker could decompile the application and obtain the credential. There are ‘Secrets Management’ solutions that can be used to store secrets or use Pipeline resources.", }, Rule{ ExactMatch: regexp.MustCompile(`(?i)(facebook|fb)(.{0,20})?(?-i)['"][0-9a-f]{32}['"]`), CWE: "CWE-312", AverageCVSS: 7.4, Description: "Facebook Secret Key. File contains sensitive information written directly, such as usernames, passwords, keys, etc.", Recomendation: "Credentials must not be stored in the git code or repository, an attacker could decompile the application and obtain the credential. There are ‘Secrets Management’ solutions that can be used to store secrets or use Pipeline resources.", }, Rule{ ExactMatch: regexp.MustCompile(`(?i)(facebook|fb)(.{0,20})?['"][0-9]{13,17}['"]`), CWE: "CWE-312", AverageCVSS: 7.4, Description: "Facebook Client ID. File contains sensitive information written directly, such as usernames, passwords, keys, etc.", Recomendation: "Credentials must not be stored in the git code or repository, an attacker could decompile the application and obtain the credential. There are ‘Secrets Management’ solutions that can be used to store secrets or use Pipeline resources.", }, Rule{ ExactMatch: regexp.MustCompile(`EAACEdEose0cBA[0-9A-Za-z]+`), CWE: "CWE-312", AverageCVSS: 7.4, Description: "Facebook Access Token. File contains sensitive information written directly, such as usernames, passwords, keys, etc.", Recomendation: "Credentials must not be stored in the git code or repository, an attacker could decompile the application and obtain the credential. There are ‘Secrets Management’ solutions that can be used to store secrets or use Pipeline resources.", }, Rule{ ExactMatch: regexp.MustCompile(`(?i)twitter(.{0,20})?['"][0-9a-z]{35,44}['"]`), CWE: "CWE-312", AverageCVSS: 7.4, Description: "Twitter Secret Key. File contains sensitive information written directly, such as usernames, passwords, keys, etc.", Recomendation: "Credentials must not be stored in the git code or repository, an attacker could decompile the application and obtain the credential. There are ‘Secrets Management’ solutions that can be used to store secrets or use Pipeline resources.", }, Rule{ ExactMatch: regexp.MustCompile(`(?i)twitter(.{0,20})?['"][0-9a-z]{18,25}['"]`), CWE: "CWE-312", AverageCVSS: 7.4, Description: "Twitter Client ID. File contains sensitive information written directly, such as usernames, passwords, keys, etc.", Recomendation: "Credentials must not be stored in the git code or repository, an attacker could decompile the application and obtain the credential. There are ‘Secrets Management’ solutions that can be used to store secrets or use Pipeline resources.", }, Rule{ ExactMatch: regexp.MustCompile(`(?i)github(.{0,20})?(?-i)['"][0-9a-zA-Z]{35,40}['"]`), CWE: "CWE-312", AverageCVSS: 7.4, Description: "GitHub URL. File contains sensitive information written directly, such as usernames, passwords, keys, etc.", Recomendation: "Credentials must not be stored in the git code or repository, an attacker could decompile the application and obtain the credential. There are ‘Secrets Management’ solutions that can be used to store secrets or use Pipeline resources.", }, Rule{ ExactMatch: regexp.MustCompile(`(?i)linkedin(.{0,20})?(?-i)['"][0-9a-z]{12}['"]`), CWE: "CWE-312", AverageCVSS: 7.4, Description: "LinkedIn Client ID. File contains sensitive information written directly, such as usernames, passwords, keys, etc.", Recomendation: "Credentials must not be stored in the git code or repository, an attacker could decompile the application and obtain the credential. There are ‘Secrets Management’ solutions that can be used to store secrets or use Pipeline resources.", }, Rule{ ExactMatch: regexp.MustCompile(`(?i)linkedin(.{0,20})?['"][0-9a-z]{16}['"]`), CWE: "CWE-312", AverageCVSS: 7.4, Description: "LinkedIn Secret Key. File contains sensitive information written directly, such as usernames, passwords, keys, etc.", Recomendation: "Credentials must not be stored in the git code or repository, an attacker could decompile the application and obtain the credential. There are ‘Secrets Management’ solutions that can be used to store secrets or use Pipeline resources.", }, Rule{ ExactMatch: regexp.MustCompile(`xox[baprs]-([0-9a-zA-Z]{10,48})?`), CWE: "CWE-312", AverageCVSS: 7.4, Description: "Slack API key. File contains sensitive information written directly, such as usernames, passwords, keys, etc.", Recomendation: "Credentials must not be stored in the git code or repository, an attacker could decompile the application and obtain the credential. There are ‘Secrets Management’ solutions that can be used to store secrets or use Pipeline resources.", }, Rule{ ExactMatch: regexp.MustCompile(`-----BEGIN EC PRIVATE KEY-----`), CWE: "CWE-312", AverageCVSS: 7.4, Description: "EC key. File contains sensitive information written directly, such as usernames, passwords, keys, etc.", Recomendation: "Credentials must not be stored in the git code or repository, an attacker could decompile the application and obtain the credential. There are ‘Secrets Management’ solutions that can be used to store secrets or use Pipeline resources.", }, Rule{ ExactMatch: regexp.MustCompile(`(?i)api_key(.{0,20})?['"][0-9a-zA-Z]{32,45}['"]`), CWE: "CWE-312", AverageCVSS: 7.4, Description: "Generic API key. File contains sensitive information written directly, such as usernames, passwords, keys, etc.", Recomendation: "Credentials must not be stored in the git code or repository, an attacker could decompile the application and obtain the credential. There are ‘Secrets Management’ solutions that can be used to store secrets or use Pipeline resources.", }, Rule{ ExactMatch: regexp.MustCompile(`AIza[0-9A-Za-z\-_]{35}`), CWE: "CWE-312", AverageCVSS: 7.4, Description: "Google API key. File contains sensitive information written directly, such as usernames, passwords, keys, etc.", Recomendation: "Credentials must not be stored in the git code or repository, an attacker could decompile the application and obtain the credential. There are ‘Secrets Management’ solutions that can be used to store secrets or use Pipeline resources.", }, Rule{ ExactMatch: regexp.MustCompile(`(?i)(google|gcp|youtube|drive|yt)(.{0,20})?['"][AIza[0-9a-z\-_]{35}]['"]`), CWE: "CWE-312", AverageCVSS: 7.4, Description: "Google Cloud Platform API key. File contains sensitive information written directly, such as usernames, passwords, keys, etc.", Recomendation: "Credentials must not be stored in the git code or repository, an attacker could decompile the application and obtain the credential. There are ‘Secrets Management’ solutions that can be used to store secrets or use Pipeline resources.", }, Rule{ ExactMatch: regexp.MustCompile(`(?i)(google|gcp|auth)(.{0,20})?['"][0-9]+-[0-9a-z_]{32}\.apps\.googleusercontent\.com['"]`), CWE: "CWE-312", AverageCVSS: 7.4, Description: "Google OAuth. File contains sensitive information written directly, such as usernames, passwords, keys, etc.", Recomendation: "Credentials must not be stored in the git code or repository, an attacker could decompile the application and obtain the credential. There are ‘Secrets Management’ solutions that can be used to store secrets or use Pipeline resources.", }, Rule{ ExactMatch: regexp.MustCompile(`ya29\.[0-9A-Za-z\-_]+`), CWE: "CWE-312", AverageCVSS: 7.4, Description: "Google OAuth Access Token. File contains sensitive information written directly, such as usernames, passwords, keys, etc.", Recomendation: "Credentials must not be stored in the git code or repository, an attacker could decompile the application and obtain the credential. There are ‘Secrets Management’ solutions that can be used to store secrets or use Pipeline resources.", }, Rule{ ExactMatch: regexp.MustCompile(`(?i)heroku(.{0,20})?['"][0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}['"]`), CWE: "CWE-312", AverageCVSS: 7.4, Description: "Heroku API key. File contains sensitive information written directly, such as usernames, passwords, keys, etc.", Recomendation: "Credentials must not be stored in the git code or repository, an attacker could decompile the application and obtain the credential. There are ‘Secrets Management’ solutions that can be used to store secrets or use Pipeline resources.", }, Rule{ ExactMatch: regexp.MustCompile(`(?i)(mailchimp|mc)(.{0,20})?['"][0-9a-f]{32}-us[0-9]{1,2}['"]`), CWE: "CWE-312", AverageCVSS: 7.4, Description: "MailChimp API key. File contains sensitive information written directly, such as usernames, passwords, keys, etc.", Recomendation: "Credentials must not be stored in the git code or repository, an attacker could decompile the application and obtain the credential. There are ‘Secrets Management’ solutions that can be used to store secrets or use Pipeline resources.", }, Rule{ ExactMatch: regexp.MustCompile(`(?i)(mailgun|mg)(.{0,20})?['"][0-9a-z]{32}['"]`), CWE: "CWE-312", AverageCVSS: 7.4, Description: "Mailgun API key. File contains sensitive information written directly, such as usernames, passwords, keys, etc.", Recomendation: "Credentials must not be stored in the git code or repository, an attacker could decompile the application and obtain the credential. There are ‘Secrets Management’ solutions that can be used to store secrets or use Pipeline resources.", }, Rule{ ExactMatch: regexp.MustCompile(`[a-zA-Z]{3,10}://[^/\s:@]{3,20}:[^/\s:@]{3,20}@.{1,100}/?.?`), CWE: "CWE-312", AverageCVSS: 7.4, Description: "Password in URL. File contains sensitive information written directly, such as usernames, passwords, keys, etc.", Recomendation: "Credentials must not be stored in the git code or repository, an attacker could decompile the application and obtain the credential. There are ‘Secrets Management’ solutions that can be used to store secrets or use Pipeline resources.", }, Rule{ ExactMatch: regexp.MustCompile(`access_token\$production\$[0-9a-z]{16}\$[0-9a-f]{32}`), CWE: "CWE-312", AverageCVSS: 7.4, Description: "PayPal Braintree Access Token. File contains sensitive information written directly, such as usernames, passwords, keys, etc.", Recomendation: "Credentials must not be stored in the git code or repository, an attacker could decompile the application and obtain the credential. There are ‘Secrets Management’ solutions that can be used to store secrets or use Pipeline resources.", }, Rule{ ExactMatch: regexp.MustCompile(`sk_live_[0-9a-z]{32}`), CWE: "CWE-312", AverageCVSS: 7.4, Description: "Picatic API key. File contains sensitive information written directly, such as usernames, passwords, keys, etc.", Recomendation: "Credentials must not be stored in the git code or repository, an attacker could decompile the application and obtain the credential. There are ‘Secrets Management’ solutions that can be used to store secrets or use Pipeline resources.", }, Rule{ ExactMatch: regexp.MustCompile(`(?i)stripe(.{0,20})?['"][sk|rk]_live_[0-9a-zA-Z]{24}`), CWE: "CWE-312", AverageCVSS: 7.4, Description: "Stripe API key. File contains sensitive information written directly, such as usernames, passwords, keys, etc.", Recomendation: "Credentials must not be stored in the git code or repository, an attacker could decompile the application and obtain the credential. There are ‘Secrets Management’ solutions that can be used to store secrets or use Pipeline resources.", }, Rule{ ExactMatch: regexp.MustCompile(`sq0atp-[0-9A-Za-z\-_]{22}`), CWE: "CWE-312", AverageCVSS: 7.4, Description: "Square access token. File contains sensitive information written directly, such as usernames, passwords, keys, etc.", Recomendation: "Credentials must not be stored in the git code or repository, an attacker could decompile the application and obtain the credential. There are ‘Secrets Management’ solutions that can be used to store secrets or use Pipeline resources.", }, Rule{ ExactMatch: regexp.MustCompile(`sq0csp-[0-9A-Za-z\-_]{43}`), CWE: "CWE-312", AverageCVSS: 7.4, Description: "Square OAuth secret. File contains sensitive information written directly, such as usernames, passwords, keys, etc.", Recomendation: "Credentials must not be stored in the git code or repository, an attacker could decompile the application and obtain the credential. There are ‘Secrets Management’ solutions that can be used to store secrets or use Pipeline resources.", }, Rule{ ExactMatch: regexp.MustCompile(`(?i)twilio(.{0,20})?['"][0-9a-f]{32}['"]`), CWE: "CWE-312", AverageCVSS: 7.4, Description: "Twilio API key. File contains sensitive information written directly, such as usernames, passwords, keys, etc.", Recomendation: "Credentials must not be stored in the git code or repository, an attacker could decompile the application and obtain the credential. There are ‘Secrets Management’ solutions that can be used to store secrets or use Pipeline resources.", }, Rule{ ExactMatch: regexp.MustCompile(`https://hooks.slack.com/services/T[a-zA-Z0-9_]{8}/B[a-zA-Z0-9_]{8}/[a-zA-Z0-9_]{24}`), CWE: "CWE-918", AverageCVSS: 7.5, Description: "Incoming Webhooks from Slack application ", Recomendation: "", }, Rule{ ExactMatch: regexp.MustCompile(`(password\s*=\s*['|"](.*)+['|"])|(pass\s*=\s*['|"](.*)+['|"]\s)|(pwd\s*=\s*['|"](.*)+['|"]\s)|(passwd\s*=\s*['|"](.*)+['|"]\s)|(senha\s*=\s*['|"](.*)+['|"])`), CWE: "CWE-312", AverageCVSS: 7.4, Description: "File contains sensitive information written directly, such as usernames, passwords, keys, etc.", Recomendation: "Credentials must not be stored in the Git code or repository. There are ‘Secrets Management’ solutions that can be used to store secrets or use Pipeline resources.", }, Rule{ ExactMatch: regexp.MustCompile(`-----BEGIN CERTIFICATE-----`), CWE: "CWE-312", AverageCVSS: 7.4, Description: "File contains sensitive information written directly, such as usernames, passwords, keys, etc.", Recomendation: "Credentials must not be stored in the git code or repository, an attacker could decompile the application and obtain the credential. There are ‘Secrets Management’ solutions that can be used to store secrets or use Pipeline resources.", }, }
View Source
var CsharpRules []engine.Rule = []engine.Rule{ Rule{ ExactMatch: regexp.MustCompile(`.*=\s+new\sProcess\(\);(?: *.*)*(.*\.StartInfo\.Arguments\s+=\s+.*".*\+)`), CWE: "CWE-78", AverageCVSS: 3, Description: "The dynamic value passed for the execution of the command must be validated. https://docs.microsoft.com/en-us/dotnet/api/system.diagnostics.processstartinfo?view=netframework-4.8", Recomendation: "", }, Rule{ ExactMatch: regexp.MustCompile(`(?:\bLogError|\bLogger|\blogger|\bLogging|\blogging|System\.Diagnostics\.Debug|System\.Diagnostics\.Trace).*\(.*\+\s*(?:pass|pwd|passwd|password|key|cert|privKey|privateKey)`), CWE: "CWE-532", AverageCVSS: 4, Description: "The application appears to write confidential information to log files, creating a risk of theft of credentials and / or private information. https://cwe.mitre.org/data/definitions/532.html.", Recomendation: "", }, Rule{ ExactMatch: regexp.MustCompile(`<pages(?:>|)\s+.*validateRequest=['"]+false`), CWE: "CWE-554", AverageCVSS: 6, Description: "Validation of user entries has been disabled. The ASP.NET request validation feature proactively prevents code injection attacks by not allowing unencrypted HTML content to be processed by the server, unless the developer decides to allow that content. When request validation is disabled, content can be sent to a page; it is the responsibility of the page developer to ensure that the content is encoded or processed correctly. https://docs.microsoft.com/en-us/aspnet/whitepapers/request-validation.", Recomendation: "", }, Rule{ ExactMatch: regexp.MustCompile(`\bHtml\b\.Raw\(`), CWE: "CWE-79", AverageCVSS: 6, Description: "The application uses the potentially dangerous Html.Raw construct in conjunction with a user-supplied variable. The recommendation is to avoid using HTML assembly, but if it is extremely necessary to allow Html, we suggest the following: support only a fixed subset of Html, after the user submits content, analyze the Html and filter it in a whitelist of allowed tags and attributes. Be very careful when filtering and eliminating anything you are unsure of. https://owasp.org/www-community/attacks/xss/.", Recomendation: "", }, Rule{ Or: []*regexp.Regexp{regexp.MustCompile(`\s+var\s+\w+\s*=\s*"\s*\<\%\s*=\s*\w+\%\>";`), regexp.MustCompile(`\.innerHTML\s*=\s*.+`)}, CWE: "CWE-79", AverageCVSS: 7, Description: "The application appears to allow XSS through an unencrypted / unauthorized input variable. https://owasp.org/www-community/attacks/xss/.", Recomendation: "", }, Rule{ ExactMatch: regexp.MustCompile(`(?mi)\b(?:string|char\[)\s+(?:pass|pwd|passwd|password|key|cert|privKey|privateKey).*`), CWE: "CWE-316", AverageCVSS: 5, Description: "The code uses standard strings and byte arrays to store sensitive transient data, such as passwords and private encryption keys, instead of the SecureString class which is more secure because it encrypts the data at rest https://docs.microsoft. com / en-us / dotnet / api / system.security.securestring? view = netframework-4.8.", Recomendation: "", }, Rule{ ExactMatch: regexp.MustCompile(`\bint\b\s*\w+\s*\=\s*\bunchecked\b\s+\(`), CWE: "CWE-129", AverageCVSS: 5, Description: "The code performs entire operations with a deliberate deactivation of defenses against overflow. As overflowing verification takes time, using unverified code in situations where there is no danger of overflow can improve performance. However, if overflow is a possibility, protection must be enabled or actively monitor the environment. https://docs.microsoft.com/en-us/dotnet/csharp/language-reference/keywords/unchecked.", Recomendation: "", }, Rule{ ExactMatch: regexp.MustCompile(`\.ProcessStartInfo\(`), CWE: "CWE-78", AverageCVSS: 6, Description: "The application appears to execute commands on the underlying system, check that no user-controlled variables are used without proper sanitation in this command. https://docs.microsoft.com/en-us/visualstudio/code-quality/ca3006?view=vs-2019.", Recomendation: "", }, Rule{ ExactMatch: regexp.MustCompile(`\.(?:Deserialize|ReadObject)\(`), CWE: "CWE-502", AverageCVSS: 5, Description: "The code allows objects to be deserialized. This can allow potentially hostile objects to be instantiated directly from the data held in the file system. Insecure deserializers are vulnerable when deserializing untrusted data. An attacker could modify the serialized data to include unexpected types to inject objects with malicious side effects. An attack against an insecure deserializer can, for example, execute commands on the underlying operating system, communicate over the network, or delete files. https://docs.microsoft.com/en-us/visualstudio/code-quality/ca2300?view=vs-2019.", Recomendation: "", }, Rule{ ExactMatch: regexp.MustCompile(`\bRandom\.(?:Next\(|NextBytes\()`), CWE: "CWE-330", AverageCVSS: 2, Description: "The code appears to use the Next () and / or NextBytes () functions. The resulting values, while seeming random to a casual observer, are predictable and can be enumerated by a skilled and determined attacker, although this is partially mitigated by a non-time-based seed. To generate a cryptographically secure random number suitable for creating a random password, use a method like RNGCryptoServiceProvider.GetBytes. https://docs.microsoft.com/en-us/dotnet/api/system.security.cryptography.rngcryptoserviceprovider.getbytes?view=netframework-4.8", Recomendation: "", }, Rule{ ExactMatch: regexp.MustCompile(`=\s+File\.Open\(".*(?:\.|)(?:temp|tmp|temporary).*"(?:,|)`), CWE: "CWE-377", AverageCVSS: 4, Description: "The application appears to create a temporary file with a static, encoded name. This can cause security problems in the form of a classic race condition (an attacker creates a file with the same name between creating the application and attempting to use it) or a symbolic link attack in which an attacker creates a symbolic link at the location of the temporary file. We recommend using the Path.GetTempFileName method. https://owasp.org/www-community/vulnerabilities/Insecure_Temporary_File", Recomendation: "", }, Rule{ ExactMatch: regexp.MustCompile(`<\s*customErrors\s+mode\s*=\s*"Off"\s*/>`), CWE: "CWE-12", AverageCVSS: 2, Description: "The application is configured to display standard .NET errors. This can provide the attacker with useful information and should not be used in a production application. https://docs.microsoft.com/en-us/aspnet/web-forms/overview/older-versions-getting-started/deploying-web-site-projects/displaying-a-custom-error-page-cs", Recomendation: "", }, Rule{ ExactMatch: regexp.MustCompile(`\bdebug\s*=\s*"\s*true\s*"`), CWE: "CWE-11", AverageCVSS: 2, Description: "ASP.NET allows remote debugging of Web applications, if configured to do so. By default, debugging is subject to access control and requires platform-level authentication. If an attacker can successfully initiate a remote debugging session, it is likely that it will disclose sensitive information about the web application and the supporting infrastructure that can be valuable in formulating targeted system attacks. To disable debugging, open the Web.config file for the application and find the <compilation> element in the <system.web> section. Set the debug attribute to 'false'. Note that it is also possible to enable debugging for all applications in the Machine.config file. You must confirm that the debug attribute in the <compilation> element has not been set to 'true' in the Machine.config file. https://support.microsoft.com/en-us/help/815157/how-to-disable-debugging-for-asp-net-applications", Recomendation: "", }, Rule{ ExactMatch: regexp.MustCompile(`.*=\s+new\sXmlDocument\s*(?:\(\)|{.*});(?: *.*)*(.*\.SelectNodes\(\s*.*".*\+)`), CWE: "CWE-643", AverageCVSS: 3, Description: "The potentially unsafe HTTP request entry reaches an XPath query. The dynamic value passed to the XPath query must be validated. https://docs.microsoft.com/en-us/visualstudio/code-quality/ca3008?view=vs-2019", Recomendation: "", }, Rule{ ExactMatch: regexp.MustCompile(`.*=\s+new\sXmlReaderSettings\s*(?:\(\)|{.*});(?: *.*)*(.*\s+=\s+DtdProcessing\.Parse;)`), CWE: "CWE-611", AverageCVSS: 5, Description: "If you use unsafe DtdProcessing instances or refer to sources from external entities, the analyzer can accept untrusted input and disclose confidential information to attackers. The operation may be vulnerable to processing XML eXternal Entity (XXE) .https: //docs.microsoft.com/en-us/visualstudio/code-quality/ca3075? View = vs-2019", Recomendation: "", }, Rule{ And: []*regexp.Regexp{regexp.MustCompile(`using\sSystem\.Web\.Mvc;`), regexp.MustCompile(`using\sSystem\.Web;`), regexp.MustCompile(`.*\s+:\s+Controller`), regexp.MustCompile(`.*Server\.MapPath\(".*\+`)}, CWE: "CWE-23", AverageCVSS: 4, Description: "A path traversal attack (also known as directory traversal) has been detected. This attack aims to access files and directories stored outside the expected directory. The most effective way to avoid cross-file file path vulnerabilities is to avoid passing user-provided input to the file system APIs. Many application functions that do this can be rewritten to provide the same behavior more securely. https://portswigger.net/web-security/file-path-traversal", Recomendation: "", }, Rule{ ExactMatch: regexp.MustCompile(`(?:public\sclass\s.*Controller|.*\s+:\s+Controller)(?: *.*)*return\s+.*".*\+`), CWE: "CWE-79", AverageCVSS: 6, Description: "A potential Cross-Site Scripting (XSS) was found. The endpoint returns a variable from the client entry that has not been coded. Always encode untrusted input before output, regardless of validation or cleaning performed. https://docs.microsoft.com/en-us/aspnet/core/security/cross-site-scripting?view=aspnetcore-3.1", Recomendation: "", }, Rule{ ExactMatch: regexp.MustCompile(`.*=\s+new\sDirectorySearcher\s*(?:\(\)|{.*});(?: *.*)*(.*\.Filter\s+=\s+".*\+)`), CWE: "CWE-90", AverageCVSS: 8, Description: "The potentially unsafe HTTP request entry reaches an LDAP instruction. The dynamic value passed to the LDAP query must be validated. For the user-controlled portion of LDAP instructions, consider one of the following: Allow only a safe list of non-special characters; Do not allow special characters; Escape from special characters. https://docs.microsoft.com/en-us/visualstudio/code-quality/ca3005?view=vs-2019", Recomendation: "", }, Rule{ ExactMatch: regexp.MustCompile(`new\s+PasswordValidator(?: *.*)*{`), CWE: "CWE-521", AverageCVSS: 3, Description: "A weak password can be guessed or forced. PasswordValidator must have at least four or five requirements to improve security (RequiredLength, RequireDigit, RequireLowercase, RequireUppercase and / or RequireNonLetterOrDigit).", Recomendation: "", }, Rule{ Or: []*regexp.Regexp{regexp.MustCompile(`.*\s+new\sOdbcCommand\(.*".*\+(?:.* *)*.ExecuteReader\(`), regexp.MustCompile(`.*\s+new\sSqlCommand\(.*".*\+`), regexp.MustCompile(`.*\.ExecuteDataSet\(.*".*\+`), regexp.MustCompile(`.*\.ExecuteQuery\(@".*\+`)}, CWE: "CWE-89", AverageCVSS: 9, Description: "A possible SQL Injection vulnerability was found. SQL injection failures are introduced when software developers create dynamic database queries that include user-supplied input. Always validate user input by testing type, length, shape and reach. When implementing precautions against malicious entry, consider your application's architecture and deployment scenarios. Remember that programs designed to run in a secure environment can eventually be copied to an unsafe environment.https: //docs.microsoft.com/en-us/sql/relational-databases/security/sql-injection? view = sql-server-ver15", Recomendation: "", }, Rule{ ExactMatch: regexp.MustCompile(`=\s+new\s+Random\(\);`), CWE: "CWE-330", AverageCVSS: 3, Description: "The pseudo-random numbers generated are predictable. When the software generates predictable values in a context that requires unpredictability, it may be possible for an attacker to guess the next value that will be generated and use that guess to impersonate another user or access confidential information. To generate a cryptographically secure random number, such as the one suitable for creating a random password, use the RNGCryptoServiceProvider class or derive a class from System.Security.Cryptography.RandomNumberGenerator.https: //docs.microsoft.com/en-us/dotnet/ api / system.random? view = netframework-4.8", Recomendation: "", }, Rule{ Or: []*regexp.Regexp{regexp.MustCompile(`=\s+new\s+SHA1CryptoServiceProvider\(`), regexp.MustCompile(`=\s+new\s+MD5CryptoServiceProvider\(`)}, CWE: "CWE-326", AverageCVSS: 2, Description: "MD5 or SHA1 can cause collisions and are considered weak hashing algorithms. A weak encryption scheme may be subject to brute force attacks that have a reasonable chance of success using current methods and resources of attack. Use an encryption scheme that is currently considered strong by experts in the field. https://docs.microsoft.com/en-us/visualstudio/code-quality/ca5350?view=vs-2019 https://docs.microsoft.com/en-us/visualstudio/code-quality/ca5351?view = vs-2019", Recomendation: "", }, Rule{ Or: []*regexp.Regexp{regexp.MustCompile(`=\s+new\s+TripleDESCryptoServiceProvider\(`), regexp.MustCompile(`=\s+new\s+DESCryptoServiceProvider\(`), regexp.MustCompile(`=\s+TripleDES\.Create\(`), regexp.MustCompile(`=\s+DES\.Create\(`)}, CWE: "CWE-326", AverageCVSS: 4, Description: "DES / 3DES is considered a weak cipher for modern applications. A weak encryption scheme may be subject to brute force attacks that have a reasonable chance of success using current methods and resources of attack. Use an encryption scheme that is currently considered strong by experts in the field. Currently, NIST recommends using AES block ciphers. http://www.nist.gov/itl/fips/060205_des.cfm https://www.nist.gov/publications/advanced-encryption-standard-aes https://docs.microsoft.com/en-us/ visualstudio / code-quality / ca5351? view = vs-2019.", Recomendation: "", }, Rule{ ExactMatch: regexp.MustCompile(`=\s+CipherMode\.CBC`), CWE: "CWE-310", AverageCVSS: 4, Description: "Microsoft believes it is no longer safe to decrypt data encrypted with CBC (Cipher-Block-Chaining) symmetric encryption mode when verifiable padding was applied without first ensuring the integrity of the ciphertext, except in very specific circumstances. This judgment is based on currently known cryptographic research. The CBC mode is susceptible to attack from the padding oracle. The use of AES in CBC mode with an HMAC suffix is recommended, ensuring integrity and confidentiality. https://docs.microsoft.com/en-us/dotnet/standard/security/vulnerabilities-cbc-mode", Recomendation: "", }, Rule{ ExactMatch: regexp.MustCompile(`=\s+CipherMode\.ECB`), CWE: "CWE-310", AverageCVSS: 4, Description: "This mode is not recommended because it opens the door to various security exploits. If the plain text to be encrypted contains substantial repetitions, it is possible that the cipher text will be broken one block at a time. You can also use block analysis to determine the encryption key. In addition, an active opponent can replace and exchange individual blocks without detection, which allows the blocks to be saved and inserted into the stream at other points without detection. ECB mode will produce the same result for identical blocks. The use of AES in CBC mode with an HMAC is recommended, ensuring integrity and confidentiality. https://docs.microsoft.com/en-us/visualstudio/code-quality/ca5358?view=vs-2019", Recomendation: "", }, Rule{ ExactMatch: regexp.MustCompile(`=\s+CipherMode\.OFB`), CWE: "CWE-310", AverageCVSS: 4, Description: "OFB mode will produce the same result for identical blocks, this mode is vulnerable to attack and can cause exposure of confidential information. An attacker could guess the encrypted message. The use of AES in CBC mode with an HMAC is recommended, ensuring integrity and confidentiality. https://docs.microsoft.com/en-us/visualstudio/code-quality/ca5358?view=vs-2019&viewFallbackFrom=vs-2019", Recomendation: "", }, Rule{ ExactMatch: regexp.MustCompile(`new\sHttpCookie(?:.* *)*\.Secure\s+=\s+false`), CWE: "CWE-614", AverageCVSS: 3, Description: "Secure Flag is a policy for the browser to ensure that the cookie is sent over an encrypted channel, using the SSL protocol, that is, only via HTTPS. To set the transmission of cookies using SSL for an entire application, enable it in the application's configuration file, Web.config, which resides in the application's root directory. https://docs.microsoft.com/en-us/dotnet/api/system.web.httpcookie.secure?view=netframework-4.8", Recomendation: "", }, Rule{ ExactMatch: regexp.MustCompile(`(?:.*\s+new\sHttpCookie(?:.* *)*.HttpOnly\s*=\s*false|httpOnlyCookies\s*=\s*"false")`), CWE: "CWE-79", AverageCVSS: 2, Description: "Cookies that do not have the HttpOnly flag set are available for JavaScript running on the same domain. The assigned value must be 'true' to enable the HttpOnly attribute and cannot be accessed through a client-side script; otherwise, 'false'. The default is 'false'. When a user is the target of an XSS attack, the attacker would benefit from obtaining confidential information or even progressing to a session hijack. https://docs.microsoft.com/en-us/dotnet/api/system.web.httpcookie.httponly?view=netframework-4.8", Recomendation: "", }, Rule{ ExactMatch: regexp.MustCompile(`viewStateEncryptionMode\s*=\s*"(?:Auto|Never)"`), CWE: "CWE-311", AverageCVSS: 3, Description: "Web Forms controls use hidden base64-encoded fields to store state information. If confidential information is stored, it can leak to the client side. https://docs.microsoft.com/en-us/dotnet/api/system.web.ui.viewstateencryptionmode?view=netframework-4.8", Recomendation: "", }, Rule{ ExactMatch: regexp.MustCompile(`(?:public\s+class\s+.*Controller|.*\s+:\s+Controller)(?: *.*)*\[ValidateInput\(false\)\]`), CWE: "CWE-20", AverageCVSS: 2, Description: "Request validation is disabled. Request validation allows filtering of some XSS standards sent to the application. https://docs.microsoft.com/en-us/dotnet/api/system.web.mvc.validateinputattribute?view=aspnet-mvc-5.2", Recomendation: "", }, Rule{ ExactMatch: regexp.MustCompile(`validateRequest\s*=\s*"false"`), CWE: "CWE-20", AverageCVSS: 2, Description: "The validateRequest flag that provides additional protection against XSS is disabled, 'false', in the configuration file. ASP.NET examines the browser input for dangerous values when validateRequest 'true'. https://docs.microsoft.com/en-us/dotnet/api/system.web.configuration.pagessection.validaterequest?view=netframework-4.8", Recomendation: "", }, Rule{ ExactMatch: regexp.MustCompile(`requestValidationMode\s*=\s*"(?:4.[1-9]|3.\d+|2.\d+|1.\d+|0.\d+)"`), CWE: "CWE-20", AverageCVSS: 2, Description: "The requestValidationMode that provides additional protection against XSS is enabled only for pages, not for all HTTP requests in the configuration file. The recommended value is '4.0'. https://docs.microsoft.com/en-us/dotnet/api/system.web.configuration.httpruntimesection.requestvalidationmode?view=netframework-4.8", Recomendation: "", }, Rule{ ExactMatch: regexp.MustCompile(`\.setPassword\("(.*?)"\)`), CWE: "CWE-259", AverageCVSS: 4, Description: "The password setting for this API appears to be encrypted. https://owasp.org/www-community/vulnerabilities/Use_of_hard-coded_password", Recomendation: "", }, Rule{ ExactMatch: regexp.MustCompile(`new\s+PasswordValidator\(\)`), CWE: "CWE-521", AverageCVSS: 2, Description: "The 'RequiredLength' property is missing. 'RequiredLength' must be set to a minimum value of 8.", Recomendation: "", }, Rule{ ExactMatch: regexp.MustCompile(`new\s+PasswordValidator(?: *.*)*\{(?: *.*)*RequiredLength\s+=\s+[1-7]`), CWE: "CWE-521", AverageCVSS: 2, Description: "The 'RequiredLength' property must be set to a minimum value of 8.", Recomendation: "", }, Rule{ ExactMatch: regexp.MustCompile(`Convert\.ToBase64String\(`), CWE: "CWE-312", AverageCVSS: 1, Description: "The application uses Base64 encoding. The application stores confidential information in clear text in a resource that may be accessible to another sphere of control. Even if the information is encoded in a way that is not readable by humans, certain techniques can determine which encoding is being used and decode the information.", Recomendation: "", }, Rule{ ExactMatch: regexp.MustCompile(`\bunsafe\b`), CWE: "CWE-787", AverageCVSS: 3, Description: "The application uses the 'not secure' directive, which allows the use of C-style pointers in the code. This code has a high risk of unexpected behavior, including buffer overflows, memory leaks and failures. https://docs.microsoft.com/en-us/dotnet/csharp/programming-guide/unsafe-code-pointers/", Recomendation: "", }, Rule{ ExactMatch: regexp.MustCompile(`(?:public\s+class\s+.*Controller|.*\s+:\s+Controller)(?: *.*)*\[OutputCache\]`), CWE: "CWE-524", AverageCVSS: 2, Description: "The [OutputCache] annotation will disable the [Authorize] annotation for requests after the first.", Recomendation: "Do not store confidential information unnecessarily in the cache. Protect the information stored in the cache.", }, Rule{ ExactMatch: regexp.MustCompile(`(?:public\s+class\s+.*Controller|.*\s+:\s+Controller)(?: *.*)*`), NotOr: []*regexp.Regexp{regexp.MustCompile(`\[ValidateAntiForgeryToken\]`)}, CWE: "CWE-352", AverageCVSS: 2, Description: "The Anti-forgery token is missing. Without this validation, an attacker could send a link to the victim and, visiting the malicious link, a web page would trigger a POST request (because it is a blind attack - the attacker does not see a response to the triggered request and does not have the use of the GET request and GET requests must not change a server state by default) for the site. The victim would not be able to recognize that an action is taken in the background, but his cookie would be sent automatically if he was authenticated on the website. This attack requires no special interaction other than visiting a website.", Recomendation: `To help prevent CSRF attacks, ASP.NET MVC uses anti-forgery tokens, also called request verification tokens. - The customer requests an HTML page that contains a form. - The server includes two tokens in the response. A token is sent as a cookie. The other is placed in a hidden form field. Tokens are generated randomly so that an opponent cannot guess the values. https://docs.microsoft.com/en-us/aspnet/web-api/overview/security/preventing-cross-site-request-forgery-csrf-attacks - When the client submits the form, he must send the two tokens back to the server. The client sends the cookie token as a cookie and sends the form token within the form data. (A browser client does this automatically when the user submits the form.) - If a request does not include both tokens, the server will not allow the request.`, }, }
View Source
var IosRules []engine.Rule = []engine.Rule{ Rule{ ExactMatch: regexp.MustCompile(`NSTemporaryDirectory\(\),`), CWE: "CWE-22", AverageCVSS: 7.5, Description: `User use in "NSTemporaryDirectory ()" is unreliable, it can result in vulnerabilities in the directory.`, Recomendation: "", }, Rule{ ExactMatch: regexp.MustCompile(`\w+.withUnsafeBytes\s*{.*`), CWE: "CWE-789", AverageCVSS: 4, Description: "Using this implementation of '.withUnsafeBytes' can lead to the compiler's decision to use unsafe APIs, such as _malloc and _strcpy, as the method calls closing with an UnsafeRawBufferPointer.", Recomendation: "Whenever possible, avoid using buffers or memory pointers that do not have a valid size.", }, Rule{ ExactMatch: regexp.MustCompile(`canAuthenticateAgainstProtectionSpace|continueWithoutCredentialForAuthenticationChallenge|kCFStreamSSLAllowsExpiredCertificates|kCFStreamSSLAllowsAnyRoot|kCFStreamSSLAllowsExpiredRoots|validatesSecureCertificate\s*=\s*(no|NO)|allowInvalidCertificates\s*=\s*(YES|yes)`), CWE: "CWE-295", AverageCVSS: 7.4, Description: "The application allows self-signed or invalid SSL certificates. The application is vulnerable to MITM (Man-In-The-Middle) attacks.", Recomendation: "Certificates must be carefully managed and verified to ensure that data is encrypted with the intended owner's public key.", }, Rule{ ExactMatch: regexp.MustCompile(`setAllowsAnyHTTPSCertificate:\s*YES|allowsAnyHTTPSCertificateForHost|loadingUnvalidatedHTTPSPage\s*=\s*(YES|yes)`), CWE: "CWE-295", AverageCVSS: 7.4, Description: "The in-app UIWebView ignores SSL errors and accepts any SSL certificate. The application is vulnerable to attacks from MITM (Man-In-The-Middle).", Recomendation: "Certificates must be carefully managed and verified to ensure that data is encrypted with the intended owner's public key.", }, Rule{ ExactMatch: regexp.MustCompile(`kSecAttrAccessibleWhenUnlocked|kSecAttrAccessibleAfterFirstUnlock|SecItemAdd|SecItemUpdate|NSDataWritingFileProtectionComplete`), CWE: "CWE-695", AverageCVSS: 5, Description: "Local File I/O Operations.", Recomendation: "", }, Rule{ And: []*regexp.Regexp{regexp.MustCompile(`loadRequest`), regexp.MustCompile(`WebView`)}, NotAnd: []*regexp.Regexp{regexp.MustCompile(`WebView`)}, CWE: "CWE-749", AverageCVSS: 5, Description: "WebView Load Request.", Recomendation: "", }, Rule{ And: []*regexp.Regexp{regexp.MustCompile(`NSHTTPCookieStorage`), regexp.MustCompile(`sharedHTTPCookieStorage`)}, NotAnd: []*regexp.Regexp{regexp.MustCompile(`NSHTTPCookieStorage`)}, CWE: "CWE-539", AverageCVSS: 5.3, Description: "Cookie Storage.", Recomendation: "", }, Rule{ And: []*regexp.Regexp{regexp.MustCompile(`CommonDigest.h`), regexp.MustCompile(`CC_MD5`)}, NotAnd: []*regexp.Regexp{regexp.MustCompile(`CommonDigest.h`)}, CWE: "CWE-327", AverageCVSS: 7.4, Description: "MD5 is a weak hash, which can generate repeated hashes.", Recomendation: "When it is necessary to store or transmit sensitive data, give preference to modern encryption algorithms and check frequently that the algorithm used has not become obsolete.", }, Rule{ ExactMatch: regexp.MustCompile(`UIPasteboard.`), CWE: "CWE-200", AverageCVSS: 9.8, Description: "The application copies data to the UIPasteboard. Confidential data must not be copied to the UIPasteboard, as other applications can access it.", Recomendation: "", }, Rule{ And: []*regexp.Regexp{regexp.MustCompile(`loadHTMLString\(`), regexp.MustCompile(`WKWebView`)}, NotAnd: []*regexp.Regexp{regexp.MustCompile(`WKWebView`)}, CWE: "CWE-95", AverageCVSS: 8.8, Description: "User input not sanitized in 'loadHTMLString' can result in an injection of JavaScript in the context of your application, allowing access to private data.", Recomendation: "", }, Rule{ Or: []*regexp.Regexp{regexp.MustCompile(`(?i)SHA1\(`), regexp.MustCompile(`CC_SHA1\(`)}, CWE: "CWE-327", AverageCVSS: 5.9, Description: "SHA1 is a weak hash, which can generate repeated hashes.", Recomendation: "When it is necessary to store or transmit sensitive data, give preference to modern encryption algorithms and check frequently that the algorithm used has not become obsolete.", }, Rule{ And: []*regexp.Regexp{regexp.MustCompile(`kCCOptionECBMode`), regexp.MustCompile(`kCCAlgorithmAES`)}, CWE: "CWE-327", AverageCVSS: 5.9, Description: "The application uses ECB mode in the encryption algorithm. It is known that the ECB mode is weak, as it results in the same ciphertext for identical blocks of plain text.", Recomendation: "When it is necessary to store or transmit sensitive data, give preference to modern encryption algorithms and check frequently that the algorithm used has not become obsolete.", }, Rule{ And: []*regexp.Regexp{regexp.MustCompile(`mach/mach_init.h`), regexp.MustCompile(`MACH_PORT_VALID|mach_task_self\(\)`)}, NotAnd: []*regexp.Regexp{regexp.MustCompile(`mach/mach_init.h`)}, CWE: "CWE-215", AverageCVSS: 5, Description: "The application has anti-debugger using Mach Exception Ports.", Recomendation: "", }, Rule{ Or: []*regexp.Regexp{regexp.MustCompile(`CC_MD4_Init|CC_MD4_Update|CC_MD4_Final|CC_MD4|MD4_Init`), regexp.MustCompile(`MD4_Update|MD4_Final|CC_MD5_Init|CC_MD5_Update|CC_MD5_Final|CC_MD5|MD5_Init`), regexp.MustCompile(`MD5_Update|MD5_Final|MD5Init|MD5Update|MD5Final`)}, CWE: "CWE-327", AverageCVSS: 5.9, Description: "The app is using weak encryption APIs and / or that are known to have hash conflicts.", Recomendation: "", }, Rule{ Or: []*regexp.Regexp{regexp.MustCompile(`(?i)MD2\(`), regexp.MustCompile(`CC_MD2\(`)}, CWE: "CWE-327", AverageCVSS: 5.9, Description: "MD2 is a weak hash known to have hash collisions.", Recomendation: "", }, Rule{ Or: []*regexp.Regexp{regexp.MustCompile(`(?i)MD6\(`), regexp.MustCompile(`CC_MD6\(`)}, CWE: "CWE-327", AverageCVSS: 5.9, Description: "MD6 is a weak hash known to have hash collisions.", Recomendation: "", }, Rule{ Or: []*regexp.Regexp{regexp.MustCompile(`/Applications/Cydia.app`), regexp.MustCompile(`/Library/MobileSubstrate/MobileSubstrate.dylib`), regexp.MustCompile(`/usr/sbin/sshd`), regexp.MustCompile(`/etc/apt`), regexp.MustCompile(`cydia://`), regexp.MustCompile(`/var/lib/cydia`), regexp.MustCompile(`/Applications/FakeCarrier.app`), regexp.MustCompile(`/Applications/Icy.app`), regexp.MustCompile(`/Applications/IntelliScreen.app`), regexp.MustCompile(`/Applications/SBSettings.app`), regexp.MustCompile(`/Library/MobileSubstrate/DynamicLibraries/LiveClock.plist`), regexp.MustCompile(`/System/Library/LaunchDaemons/com.ikey.bbot.plist`), regexp.MustCompile(`/System/Library/LaunchDaemons/com.saurik.Cydia.Startup.plist`), regexp.MustCompile(`/etc/ssh/sshd_config`), regexp.MustCompile(`/private/var/tmp/cydia.log`), regexp.MustCompile(`/usr/libexec/ssh-keysign`), regexp.MustCompile(`/Applications/MxTube.app`), regexp.MustCompile(`/Applications/RockApp.app`), regexp.MustCompile(`/Applications/WinterBoard.app`), regexp.MustCompile(`/Applications/blackra1n.app`), regexp.MustCompile(`/Library/MobileSubstrate/DynamicLibraries/Veency.plist`), regexp.MustCompile(`/private/var/lib/apt`), regexp.MustCompile(`/private/var/lib/cydia`), regexp.MustCompile(`/private/var/mobile/Library/SBSettings/Themes`), regexp.MustCompile(`/private/var/stash`), regexp.MustCompile(`/usr/bin/sshd`), regexp.MustCompile(`/usr/libexec/sftp-server`), regexp.MustCompile(`/var/cache/apt`), regexp.MustCompile(`/var/lib/apt`), regexp.MustCompile(`/usr/sbin/frida-server`), regexp.MustCompile(`/usr/bin/cycript`), regexp.MustCompile(`/usr/local/bin/cycript`), regexp.MustCompile(`/usr/lib/libcycript.dylib`), regexp.MustCompile(`frida-server`)}, CWE: "CWE-693", AverageCVSS: 0, Description: "The application may contain Jailbreak detection mechanisms.", Recomendation: "", }, Rule{ And: []*regexp.Regexp{regexp.MustCompile(`UIPasteboard\(`), regexp.MustCompile(`.generalPasteboard`)}, CWE: "CWE-200", AverageCVSS: 5, Description: "Set or Read Clipboard", Recomendation: "", }, Rule{ ExactMatch: regexp.MustCompile(`UIPasteboardChangedNotification|generalPasteboard\]\.string`), CWE: " CWE-200", AverageCVSS: 5, Description: "The application allows you to list the changes on the Clipboard. Some malware also lists changes to the Clipboard.", Recomendation: "", }, Rule{ Or: []*regexp.Regexp{regexp.MustCompile(`sqlite3_exec`), regexp.MustCompile(`sqlite3_finalize`)}, CWE: "CWE-922", AverageCVSS: 5.5, Description: "The application is using SQLite. Confidential information must be encrypted", Recomendation: "", }, Rule{ And: []*regexp.Regexp{regexp.MustCompile(`NSLog\(|NSAssert\(|fprintf\(|fprintf\(|Logging\(`)}, NotAnd: []*regexp.Regexp{regexp.MustCompile(`\*`)}, CWE: "CWE-532", AverageCVSS: 7.5, Description: "The binary can use the NSLog function for logging. Confidential information should never be recorded.", Recomendation: "Prevent sensitive data from being logged into production.", }, Rule{ ExactMatch: regexp.MustCompile(`(?i)\.noFileProtection`), CWE: "CWE-311", AverageCVSS: 4.3, Description: "The file has no special protections associated with it.", Recomendation: "", }, Rule{ And: []*regexp.Regexp{regexp.MustCompile(`\.TLSMinimumSupportedProtocolVersion`), regexp.MustCompile(`tls_protocol_version_t\.TLSv10|tls_protocol_version_t\.TLSv11`)}, CWE: "CWE-757", AverageCVSS: 7.5, Description: "TLS 1.3 should be used. Detected old version.", Recomendation: "", }, Rule{ And: []*regexp.Regexp{regexp.MustCompile(`\.TLSMinimumSupportedProtocolVersion`), regexp.MustCompile(`tls_protocol_version_t\.TLSv12`)}, CWE: "", AverageCVSS: 0, Description: "TLS 1.3 should be used. Detected old version - TLS 1.2.", Recomendation: "", }, Rule{ ExactMatch: regexp.MustCompile(`strcpy\(|memcpy\(|strcat\(|strncat\(|strncpy\(|sprintf\(|vsprintf\(|gets\(`), CWE: "CWE-676", AverageCVSS: 2.2, Description: "The application may contain prohibited APIs. These APIs are insecure and should not be used.", Recomendation: "Avoid using unsafe API (s) and never rely on data entered by the user, always sanitize the data entered.", }, Rule{ ExactMatch: regexp.MustCompile(`NSFileProtectionNone`), CWE: "CWE-311", AverageCVSS: 4.3, Description: "The file has no special protections associated with it.", Recomendation: "", }, }
View Source
var JavascriptRules []engine.Rule = []engine.Rule{ Rule{ ExactMatch: regexp.MustCompile(`(eval\(.+)(?:req\.|req\.query|req\.body|req\.param)`), CWE: "CWE-94", AverageCVSS: 7, Description: "The eval function is extremely dangerous, because if any user input that is not treated is passed to it, it may be possible to execute code remotely in the context of your application (RCE - Remote Code Executuion)", Recomendation: "", }, Rule{ ExactMatch: regexp.MustCompile(`(setTimeout\(.+)(req\.|req\.query|req\.body|req\.param)`), CWE: "CWE-94", AverageCVSS: 7, Description: "The setTimeout function is very dangerous because it can interpret a string as code.", Recomendation: "", }, Rule{ ExactMatch: regexp.MustCompile(`(setInterval\(.+)(req\.|req\.query|req\.body|req\.param)`), CWE: "CWE-94", AverageCVSS: 7, Description: "The setInterval function is very dangerous because it can interpret a string as code..", Recomendation: "", }, Rule{ ExactMatch: regexp.MustCompile(`(require\('js-yaml'\)\.load\(|yaml\.load\()`), CWE: "CWE-94", AverageCVSS: 7, Description: "If a user-controlled data that has not been processed reaches the 'load' function, it is possible for an attacker to execute code within your application. Reference at: https://www.npmjs.com/advisories/813", Recomendation: "", }, Rule{ ExactMatch: regexp.MustCompile(`(?:\[|)(?:'|")NODE_TLS_REJECT_UNAUTHORIZED(?:'|")(?:\]|)\s*=\s*(?:'|")*0(?:'|")`), CWE: "CWE-295", AverageCVSS: 6, Description: "The NODE_TLS_REJECT_UNAUTHORIZED option being disabled allows the Node.js server to accept certificates that are self-signed, allowing an attacker to bypass the TLS security layer.", Recomendation: "", }, Rule{ ExactMatch: regexp.MustCompile(`SSL_VERIFYPEER\s*:\s*0`), CWE: "CWE-295", AverageCVSS: 6, Description: "The SSL_VERIFYPEER option controls the internal Node.js library, causing HTTPS requests to stop checking if a secure cryptographic tunnel has actually been established between the servers, allowing an attacker to intercept client communication in open text.", Recomendation: "", }, Rule{ ExactMatch: regexp.MustCompile(`createHash\((?:'|")md5(?:'|")`), CWE: "CWE-327", AverageCVSS: 7.4, Description: "A hash algorithm used is considered weak and can cause hash collisions.", Recomendation: "It is always recommended to use some CHF (Cryptographic Hash Function), which is mathematically strong and not reversible. SHA512 would be the most recommended hash for storing the password and it is also important to adopt some type of Salt, so that the Hash is more secure.", }, Rule{ ExactMatch: regexp.MustCompile(`createHash\((?:'|")sha1(?:'|")`), CWE: "CWE-327", AverageCVSS: 7.4, Description: "A hash algorithm used is considered weak and can cause hash collisions.", Recomendation: "It is always recommended to use some CHF (Cryptographic Hash Function), which is mathematically strong and not reversible. SHA512 would be the most recommended hash for storing the password and it is also important to adopt some type of Salt, so that the Hash is more secure.", }, Rule{ ExactMatch: regexp.MustCompile(`handlebars\.SafeString\(`), CWE: "CWE-707", AverageCVSS: 4, Description: "Using the Handlebars SafeString function is dangerous as the data passed to it does not undergo any internal validation, so a malicious input can cause an XSS", Recomendation: "", }, Rule{ ExactMatch: regexp.MustCompile(`\.createReadStream\(.*(?:req\.|req\.query|req\.body|req\.param)`), CWE: "CWE-35", AverageCVSS: 4, Description: "User data passed untreated to the 'createReadStream' function can cause a Directory Traversal attack.", Recomendation: "", }, Rule{ ExactMatch: regexp.MustCompile(`\.readFile\(.*(?:req\.|req\.query|req\.body|req\.param)`), CWE: "CWE-35", AverageCVSS: 4, Description: "User data passed untreated to the 'createReadStream' function can cause a Directory Traversal attack.", Recomendation: "", }, Rule{ ExactMatch: regexp.MustCompile(`\.(find|drop|create|explain|delete|count|bulk|copy).*\n*{.*\n*\$where(?:'|"|):.*(?:req\.|req\.query|req\.body|req\.param)`), CWE: "CWE-943", AverageCVSS: 4, Description: "Passing untreated parameters to queries in the database can cause an SQL injection, or even a NoSQL query injection.", Recomendation: "", }, Rule{ ExactMatch: regexp.MustCompile(`res\.(write|send)\(.*(?:req\.|req\.query|req\.body|req\.param)`), CWE: "CWE-79", AverageCVSS: 3, Description: "When passing user data directly to the HTTP response headers, it is possible for an XSS to become viable.", Recomendation: "", }, Rule{ ExactMatch: regexp.MustCompile(`(?:\[|)(?:'|")X-XSS-Protection(?:'|")(?:\]|)\s*=\s*(?:'|")*0(?:'|")`), CWE: "CWE-693", AverageCVSS: 0, Description: "The HTTP header X-XSS-Protection activates protection on the user's browser side to mitigate XSS-based attacks. It is important to keep it activated whenever possible.", Recomendation: "", }, Rule{ ExactMatch: regexp.MustCompile(`res\.redirect\(`), CWE: "CWE-601", AverageCVSS: 4, Description: "Using the 'redirect' function can cause an Open Redirect.", Recomendation: "", }, Rule{ And: []*regexp.Regexp{regexp.MustCompile(`require\((?:'|")request(?:'|")\)`), regexp.MustCompile(`request\(.*(req\.|req\.query|req\.body|req\.param)`)}, CWE: "CWE-79", AverageCVSS: 4, Description: "Allowing data from user input to be used as parameters for the unhandled 'request' method could cause a Server Side Request Forgery vulnerability", Recomendation: "", }, Rule{ And: []*regexp.Regexp{regexp.MustCompile(`require\((?:'|")request(?:'|")\)`), regexp.MustCompile(`\.get\(.*(req\.|req\.query|req\.body|req\.param)`)}, CWE: "CWE-79", AverageCVSS: 4, Description: "Allowing data from user input to be used as parameters for the 'request.get' method without treatment could cause a Server Side Request Forgery vulnerability", Recomendation: "", }, Rule{ And: []*regexp.Regexp{regexp.MustCompile(`require\((?:'|")needle(?:'|")\)`), regexp.MustCompile(`\.get\(.*(req\.|req\.query|req\.body|req\.param)`)}, CWE: "CWE-79", AverageCVSS: 4, Description: "Allowing data from user input to be used as parameters for the 'needle.get' method without treatment could cause a Server Side Request Forgery vulnerability", Recomendation: "", }, Rule{ And: []*regexp.Regexp{regexp.MustCompile(`require\((?:'|")child_process(?:'|")\)`), regexp.MustCompile(`\.exec\(.*(req\.|req\.query|req\.body|req\.param)`)}, CWE: "CWE-79", AverageCVSS: 4, Description: "Allowing data from user input to reach the 'exec' command without treatment could cause a Remote Code Execution vulnerability", Recomendation: "", }, }
Functions ¶
This section is empty.
Types ¶
type Rule ¶
type Rule struct {
CWE string
AverageCVSS float64
Title string
Severity string
Description string
Recomendation string
// And evaluate that each expresion on list is true
And []*regexp.Regexp
// Or evaluate that at least one expresion is true
Or []*regexp.Regexp
// ExactMatch evaluate that expresion is true
ExactMatch *regexp.Regexp
// NotAnd evaluate with ExactMatch, AndExpressions and OrExpressions .
// If all expresions on list is true the match statement turn to false
NotAnd []*regexp.Regexp
// NotOr evaluate with ExactMatch, AndExpressions and OrExpressions.
// If at least one expresion on list is true the match turn to false
NotOr []*regexp.Regexp
// NotMatch evaluate that expresion is false
NotMatch *regexp.Regexp
}
func (Rule) HaveNotAndClause ¶
func (Rule) HaveNotORClause ¶
func (Rule) IsAndMatch ¶
func (Rule) IsNotMatch ¶
type RuleBuilder ¶
type RuleBuilder struct{}
func NewRuleBuilder ¶
func NewRuleBuilder() *RuleBuilder
Source Files
¶
Click to show internal directories.
Click to hide internal directories.