From 630a87054d642018160b14cbcf2cb119b669507f Mon Sep 17 00:00:00 2001 From: Wilian Gabriel Date: Wed, 23 Mar 2022 10:14:02 -0300 Subject: [PATCH] javascript::chore - Adding improvements on javascript rules (#1043) In this commit I changed to add Safe and Unsafe code in all rules of the javascript. Reference from issue #630 and #1020. Signed-off-by: Wilian Gabriel --- internal/services/engines/javascript/rules.go | 618 ++++++++++-------- .../services/engines/javascript/rules_test.go | 121 ++-- .../{samples_test.go => samples.go} | 217 ++++-- 3 files changed, 590 insertions(+), 366 deletions(-) rename internal/services/engines/javascript/{samples_test.go => samples.go} (57%) diff --git a/internal/services/engines/javascript/rules.go b/internal/services/engines/javascript/rules.go index 7f96e4391..e8a672be1 100644 --- a/internal/services/engines/javascript/rules.go +++ b/internal/services/engines/javascript/rules.go @@ -26,11 +26,13 @@ import ( func NewNoLogSensitiveInformationInConsole() *text.Rule { return &text.Rule{ Metadata: engine.Metadata{ - ID: "HS-JAVASCRIPT-1", - Name: "No Log Sensitive Information in console", - Description: "The App logs information. Sensitive information should never be logged. For more information checkout the CWE-532 (https://cwe.mitre.org/data/definitions/532.html) advisory.", - Severity: severities.Info.ToString(), - Confidence: confidence.Low.ToString(), + ID: "HS-JAVASCRIPT-1", + Name: "No Log Sensitive Information in console", + Description: "The App logs information. Sensitive information should never be logged. For more information checkout the CWE-532 (https://cwe.mitre.org/data/definitions/532.html) advisory.", + Severity: severities.Info.ToString(), + Confidence: confidence.Low.ToString(), + SafeExample: SampleSafeHSJAVASCRIPT1, + UnsafeExample: SampleVulnerableHSJAVASCRIPT1, }, Type: text.Regular, Expressions: []*regexp.Regexp{ @@ -42,11 +44,13 @@ func NewNoLogSensitiveInformationInConsole() *text.Rule { func NewNoUseEval() *text.Rule { return &text.Rule{ Metadata: engine.Metadata{ - ID: "HS-JAVASCRIPT-2", - Name: "No use eval", - Description: "The eval function is extremely dangerous. Because if any user input is not handled correctly and passed to it, it will be possible to execute code remotely in the context of your application (RCE - Remote Code Executuion). For more information checkout the CWE-94 (https://cwe.mitre.org/data/definitions/94.html) advisory.", - Severity: severities.Critical.ToString(), - Confidence: confidence.Medium.ToString(), + ID: "HS-JAVASCRIPT-2", + Name: "No use eval", + Description: "The eval function is extremely dangerous. Because if any user input is not handled correctly and passed to it, it will be possible to execute code remotely in the context of your application (RCE - Remote Code Executuion). For more information checkout the CWE-94 (https://cwe.mitre.org/data/definitions/94.html) advisory.", + Severity: severities.Critical.ToString(), + Confidence: confidence.Medium.ToString(), + SafeExample: SampleSafeHSJAVASCRIPT2, + UnsafeExample: SampleVulnerableHSJAVASCRIPT2, }, Type: text.Regular, Expressions: []*regexp.Regexp{ @@ -58,11 +62,13 @@ func NewNoUseEval() *text.Rule { func NewNoDisableTlsRejectUnauthorized() *text.Rule { return &text.Rule{ Metadata: engine.Metadata{ - ID: "HS-JAVASCRIPT-3", - Name: "No disable tls reject unauthorized", - Description: "If the NODE_TLS_REJECT_UNAUTHORIZED option is disabled, the Node.js server will accept certificates that are self-signed, allowing an attacker to bypass the TLS security layer. For more information checkout the CWE-295 (https://cwe.mitre.org/data/definitions/295.html) advisory.", - Severity: severities.Critical.ToString(), - Confidence: confidence.Medium.ToString(), + ID: "HS-JAVASCRIPT-3", + Name: "No disable tls reject unauthorized", + Description: "If the NODE_TLS_REJECT_UNAUTHORIZED option is disabled, the Node.js server will accept certificates that are self-signed, allowing an attacker to bypass the TLS security layer. For more information checkout the CWE-295 (https://cwe.mitre.org/data/definitions/295.html) advisory.", + Severity: severities.Critical.ToString(), + Confidence: confidence.Medium.ToString(), + SafeExample: SampleSafeHSJAVASCRIPT3, + UnsafeExample: SampleVulnerableHSJAVASCRIPT3, }, Type: text.Regular, Expressions: []*regexp.Regexp{ @@ -74,11 +80,13 @@ func NewNoDisableTlsRejectUnauthorized() *text.Rule { func NewNoUseMD5Hashing() *text.Rule { return &text.Rule{ Metadata: engine.Metadata{ - ID: "HS-JAVASCRIPT-4", - Name: "No use MD5 hashing", - Description: "The MD5 hash algorithm that was used is considered weak. It can also cause hash collisions. It is always recommended to use some CHF (Cryptographic Hash Function), which is mathematically strong and not reversible. SHA512 would be the most recommended hash for storing the password and it is also important to adopt some type of Salt, so that the Hash is more secure. For more information checkout the CWE-327 (https://cwe.mitre.org/data/definitions/327.html) advisory.", - Severity: severities.High.ToString(), - Confidence: confidence.Medium.ToString(), + ID: "HS-JAVASCRIPT-4", + Name: "No use MD5 hashing", + Description: "The MD5 hash algorithm that was used is considered weak. It can also cause hash collisions. It is always recommended to use some CHF (Cryptographic Hash Function), which is mathematically strong and not reversible. SHA512 would be the most recommended hash for storing the password and it is also important to adopt some type of Salt, so that the Hash is more secure. For more information checkout the CWE-327 (https://cwe.mitre.org/data/definitions/327.html) advisory.", + Severity: severities.High.ToString(), + Confidence: confidence.Medium.ToString(), + SafeExample: SampleSafeHSJAVASCRIPT4, + UnsafeExample: SampleVulnerableHSJAVASCRIPT4, }, Type: text.Regular, Expressions: []*regexp.Regexp{ @@ -90,11 +98,13 @@ func NewNoUseMD5Hashing() *text.Rule { func NewNoUseSHA1Hashing() *text.Rule { return &text.Rule{ Metadata: engine.Metadata{ - ID: "HS-JAVASCRIPT-5", - Name: "No use SAH1 hashing", - Description: "The SHA1 hash algorithm that was used is considered weak. It can also cause hash collisions. It is always recommended to use some CHF (Cryptographic Hash Function), which is mathematically strong and not reversible. SHA512 would be the most recommended hash for storing the password and it is also important to adopt some type of Salt, so that the Hash is more secure. For more information checkout the CWE-327 (https://cwe.mitre.org/data/definitions/327.html) advisory.", - Severity: severities.High.ToString(), - Confidence: confidence.Medium.ToString(), + ID: "HS-JAVASCRIPT-5", + Name: "No use SAH1 hashing", + Description: "The SHA1 hash algorithm that was used is considered weak. It can also cause hash collisions. It is always recommended to use some CHF (Cryptographic Hash Function), which is mathematically strong and not reversible. SHA512 would be the most recommended hash for storing the password and it is also important to adopt some type of Salt, so that the Hash is more secure. For more information checkout the CWE-327 (https://cwe.mitre.org/data/definitions/327.html) advisory.", + Severity: severities.High.ToString(), + Confidence: confidence.Medium.ToString(), + SafeExample: SampleSafeHSJAVASCRIPT5, + UnsafeExample: SampleVulnerableHSJAVASCRIPT5, }, Type: text.Regular, Expressions: []*regexp.Regexp{ @@ -106,11 +116,13 @@ func NewNoUseSHA1Hashing() *text.Rule { func NewNoUseWeakRandom() *text.Rule { return &text.Rule{ Metadata: engine.Metadata{ - ID: "HS-JAVASCRIPT-6", - Name: "No use weak random number generator", - Description: "When software generates predictable values in a context requiring unpredictability, it may be possible for an attacker to guess the next value that will be generated, and use this guess to impersonate another user or access sensitive information. As the Math.random() function relies on a weak pseudorandom number generator, this function should not be used for security-critical applications or for protecting sensitive data. In such context, a cryptographically strong pseudorandom number generator (CSPRNG) should be used instead. For more information checkout the CWE-338 (https://cwe.mitre.org/data/definitions/338.html) advisory.", - Severity: severities.High.ToString(), - Confidence: confidence.Medium.ToString(), + ID: "HS-JAVASCRIPT-6", + Name: "No use weak random number generator", + Description: "When software generates predictable values in a context requiring unpredictability, it may be possible for an attacker to guess the next value that will be generated, and use this guess to impersonate another user or access sensitive information. As the Math.random() function relies on a weak pseudorandom number generator, this function should not be used for security-critical applications or for protecting sensitive data. In such context, a cryptographically strong pseudorandom number generator (CSPRNG) should be used instead. For more information checkout the CWE-338 (https://cwe.mitre.org/data/definitions/338.html) advisory.", + Severity: severities.High.ToString(), + Confidence: confidence.Medium.ToString(), + SafeExample: SampleSafeHSJAVASCRIPT6, + UnsafeExample: SampleVulnerableHSJAVASCRIPT6, }, Type: text.Regular, Expressions: []*regexp.Regexp{ @@ -122,11 +134,13 @@ func NewNoUseWeakRandom() *text.Rule { func NewNoReadFileUsingDataFromRequest() *text.Rule { return &text.Rule{ Metadata: engine.Metadata{ - ID: "HS-JAVASCRIPT-7", - Name: "No read file using data from request", - Description: "User data passed untreated to the 'createReadStream' function can cause a Directory Traversal attack. This attack exploits the lack of security, with the attacker gaining unauthorized access to the file system. For more information checkout the CWE-35 (https://cwe.mitre.org/data/definitions/35.html) advisory.", - Severity: severities.Medium.ToString(), - Confidence: confidence.Medium.ToString(), + ID: "HS-JAVASCRIPT-7", + Name: "No read file using data from request", + Description: "User data passed untreated to the 'createReadStream' function can cause a Directory Traversal attack. This attack exploits the lack of security, with the attacker gaining unauthorized access to the file system. For more information checkout the CWE-35 (https://cwe.mitre.org/data/definitions/35.html) advisory.", + Severity: severities.Medium.ToString(), + Confidence: confidence.Medium.ToString(), + SafeExample: SampleSafeHSJAVASCRIPT7, + UnsafeExample: SampleVulnerableHSJAVASCRIPT7, }, Type: text.Regular, Expressions: []*regexp.Regexp{ @@ -138,11 +152,13 @@ func NewNoReadFileUsingDataFromRequest() *text.Rule { func NewNoCreateReadStreamUsingDataFromRequest() *text.Rule { return &text.Rule{ Metadata: engine.Metadata{ - ID: "HS-JAVASCRIPT-8", - Name: "No create read stream using data from request", - Description: "User data passed untreated to the 'createReadStream' function can cause a Directory Traversal attack. This attack exploits the lack of security, with the attacker gaining unauthorized access to the file system. For more information checkout the CWE-35 (https://cwe.mitre.org/data/definitions/35.html) advisory.", - Severity: severities.Medium.ToString(), - Confidence: confidence.Medium.ToString(), + ID: "HS-JAVASCRIPT-8", + Name: "No create read stream using data from request", + Description: "User data passed untreated to the 'createReadStream' function can cause a Directory Traversal attack. This attack exploits the lack of security, with the attacker gaining unauthorized access to the file system. For more information checkout the CWE-35 (https://cwe.mitre.org/data/definitions/35.html) advisory.", + Severity: severities.Medium.ToString(), + Confidence: confidence.Medium.ToString(), + SafeExample: SampleSafeHSJAVASCRIPT8, + UnsafeExample: SampleVulnerableHSJAVASCRIPT8, }, Type: text.Regular, Expressions: []*regexp.Regexp{ @@ -154,11 +170,13 @@ func NewNoCreateReadStreamUsingDataFromRequest() *text.Rule { func NewSQLInjectionUsingParams() *text.Rule { return &text.Rule{ Metadata: engine.Metadata{ - ID: "HS-JAVASCRIPT-9", - Name: "SQL Injection Using params", - Description: "Passing untreated parameters to queries in the database can cause an injection of SQL / NoSQL. The attacker is able to insert a custom and improper SQL statement through the data entry of an application. For more information checkout the CWE-89 (https://cwe.mitre.org/data/definitions/89.html) advisory.", - Severity: severities.High.ToString(), - Confidence: confidence.High.ToString(), + ID: "HS-JAVASCRIPT-9", + Name: "SQL Injection Using params", + Description: "Passing untreated parameters to queries in the database can cause an injection of SQL / NoSQL. The attacker is able to insert a custom and improper SQL statement through the data entry of an application. For more information checkout the CWE-89 (https://cwe.mitre.org/data/definitions/89.html) advisory.", + Severity: severities.High.ToString(), + Confidence: confidence.High.ToString(), + SafeExample: SampleSafeHSJAVASCRIPT9, + UnsafeExample: SampleVulnerableHSJAVASCRIPT9, }, Type: text.Regular, Expressions: []*regexp.Regexp{ @@ -170,11 +188,13 @@ func NewSQLInjectionUsingParams() *text.Rule { func NewXMLParsersShouldNotBeVulnerableToXXEAttacks() *text.Rule { return &text.Rule{ Metadata: engine.Metadata{ - ID: "HS-JAVASCRIPT-10", - Name: "XML parsers should not be vulnerable to XXE attacks", - Description: "XML specification allows the use of entities that can be internal or external (file system / network access ...) which could lead to vulnerabilities such as confidential file disclosures or SSRFs. For more information checkout the CWE-827 (https://cwe.mitre.org/data/definitions/827.html) advisory.", - Severity: severities.Medium.ToString(), - Confidence: confidence.Medium.ToString(), + ID: "HS-JAVASCRIPT-10", + Name: "XML parsers should not be vulnerable to XXE attacks", + Description: "XML specification allows the use of entities that can be internal or external (file system / network access ...) which could lead to vulnerabilities such as confidential file disclosures or SSRFs. For more information checkout the CWE-827 (https://cwe.mitre.org/data/definitions/827.html) advisory.", + Severity: severities.Medium.ToString(), + Confidence: confidence.Medium.ToString(), + SafeExample: SampleSafeHSJAVASCRIPT10, + UnsafeExample: SampleVulnerableHSJAVASCRIPT10, }, Type: text.Regular, Expressions: []*regexp.Regexp{ @@ -190,8 +210,10 @@ func NewOriginsNotVerified() *text.Rule { Name: "Origins should be verified during cross-origin communications", Description: `Browsers allow message exchanges between Window objects of different origins. Because any window can send / receive messages from other window it is important to verify the sender's / receiver's identity: When sending message with postMessage method, the identity's receiver should be defined (the wildcard keyword (*) should not be used). When receiving message with message event, the sender's identity should be verified using the origin and possibly source properties. For more information checkout the OWASP A2:2017 (https://owasp.org/www-project-top-ten/2017/A2_2017-Broken_Authentication) and (https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage) advisory.`, - Severity: severities.High.ToString(), - Confidence: confidence.Medium.ToString(), + Severity: severities.High.ToString(), + Confidence: confidence.Medium.ToString(), + SafeExample: SampleSafeHSJAVASCRIPT11, + UnsafeExample: SampleVulnerableHSJAVASCRIPT11, }, Type: text.Regular, Expressions: []*regexp.Regexp{ @@ -204,11 +226,13 @@ When receiving message with message event, the sender's identity should be verif func NewWeakSSLTLSProtocolsShouldNotBeUsed() *text.Rule { return &text.Rule{ Metadata: engine.Metadata{ - ID: "HS-JAVASCRIPT-12", - Name: "Weak SSL/TLS protocols should not be used", - Description: "Older versions of SSL/TLS protocol like \"SSLv3\" have been proven to be insecure. This rule raises an issue when an SSL/TLS context is created with an insecure protocol version (ie: a protocol different from \"TLSv1.2\", \"TLSv1.3\", \"DTLSv1.2\" or \"DTLSv1.3\"). For more information checkout the CWE-326 (https://cwe.mitre.org/data/definitions/326.html) and CWE-327 (https://cwe.mitre.org/data/definitions/327.html) advisory.", - Severity: severities.High.ToString(), - Confidence: confidence.Medium.ToString(), + ID: "HS-JAVASCRIPT-12", + Name: "Weak SSL/TLS protocols should not be used", + Description: "Older versions of SSL/TLS protocol like \"SSLv3\" have been proven to be insecure. This rule raises an issue when an SSL/TLS context is created with an insecure protocol version (ie: a protocol different from \"TLSv1.2\", \"TLSv1.3\", \"DTLSv1.2\" or \"DTLSv1.3\"). For more information checkout the CWE-326 (https://cwe.mitre.org/data/definitions/326.html) and CWE-327 (https://cwe.mitre.org/data/definitions/327.html) advisory.", + Severity: severities.High.ToString(), + Confidence: confidence.Medium.ToString(), + SafeExample: SampleSafeHSJAVASCRIPT12, + UnsafeExample: SampleVulnerableHSJAVASCRIPT12, }, Type: text.Regular, Expressions: []*regexp.Regexp{ @@ -225,8 +249,10 @@ func NewWebSQLDatabasesShouldNotBeUsed() *text.Rule { Description: `The Web SQL Database standard never saw the light of day. It was first formulated, then deprecated by the W3C and was only implemented in some browsers. (It is not supported in Firefox or IE.) Further, the use of a Web SQL Database poses security concerns, since you only need its name to access such a database. For more information checkout the OWSAP A3:2017 (https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure.html) and A9:2017 (https://owasp.org/www-project-top-ten/2017/A9_2017-Using_Components_with_Known_Vulnerabilities.html) advisory.`, - Severity: severities.High.ToString(), - Confidence: confidence.High.ToString(), + Severity: severities.High.ToString(), + Confidence: confidence.High.ToString(), + SafeExample: SampleSafeHSJAVASCRIPT13, + UnsafeExample: SampleVulnerableHSJAVASCRIPT13, }, Type: text.Regular, Expressions: []*regexp.Regexp{ @@ -238,11 +264,13 @@ Further, the use of a Web SQL Database poses security concerns, since you only n func NewLocalStorageShouldNotBeUsed() *text.Rule { return &text.Rule{ Metadata: engine.Metadata{ - ID: "HS-JAVASCRIPT-14", - Name: "Local storage should not be used", - Description: "Session storage and local storage are HTML 5 features which allow developers to easily store megabytes of data client-side, as opposed to the 4Kb cookies can accommodate. While useful to speed applications up on the client side, it can be dangerous to store sensitive information this way because the data is not encrypted by default and any script on the page may access it. This rule raises an issue when the localStorage and sessionStorage API's are used. For more information checkout the OWSAP A3:2017 (https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure.html) advisory.", - Severity: severities.Info.ToString(), - Confidence: confidence.High.ToString(), + ID: "HS-JAVASCRIPT-14", + Name: "Local storage should not be used", + Description: "Session storage and local storage are HTML 5 features which allow developers to easily store megabytes of data client-side, as opposed to the 4Kb cookies can accommodate. While useful to speed applications up on the client side, it can be dangerous to store sensitive information this way because the data is not encrypted by default and any script on the page may access it. This rule raises an issue when the localStorage and sessionStorage API's are used. For more information checkout the OWSAP A3:2017 (https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure.html) advisory.", + Severity: severities.Info.ToString(), + Confidence: confidence.High.ToString(), + SafeExample: SampleSafeHSJAVASCRIPT14, + UnsafeExample: SampleVulnerableHSJAVASCRIPT14, }, Type: text.Regular, Expressions: []*regexp.Regexp{ @@ -255,11 +283,13 @@ func NewLocalStorageShouldNotBeUsed() *text.Rule { func NewDebuggerStatementsShouldNotBeUsed() *text.Rule { return &text.Rule{ Metadata: engine.Metadata{ - ID: "HS-JAVASCRIPT-15", - Name: "Debugger statements should not be used", - Description: "The debugger statement can be placed anywhere in procedures to suspend execution. Using the debugger statement is similar to setting a breakpoint in the code. By definition such statement must absolutely be removed from the source code to prevent any unexpected behavior or added vulnerability to attacks in production. For more information checkout the CWE-489 (https://cwe.mitre.org/data/definitions/489.html) advisory.", - Severity: severities.High.ToString(), - Confidence: confidence.High.ToString(), + ID: "HS-JAVASCRIPT-15", + Name: "Debugger statements should not be used", + Description: "The debugger statement can be placed anywhere in procedures to suspend execution. Using the debugger statement is similar to setting a breakpoint in the code. By definition such statement must absolutely be removed from the source code to prevent any unexpected behavior or added vulnerability to attacks in production. For more information checkout the CWE-489 (https://cwe.mitre.org/data/definitions/489.html) advisory.", + Severity: severities.High.ToString(), + Confidence: confidence.High.ToString(), + SafeExample: SampleSafeHSJAVASCRIPT15, + UnsafeExample: SampleVulnerableHSJAVASCRIPT15, }, Type: text.Regular, Expressions: []*regexp.Regexp{ @@ -271,11 +301,13 @@ func NewDebuggerStatementsShouldNotBeUsed() *text.Rule { func NewAlertStatementsShouldNotBeUsed() *text.Rule { return &text.Rule{ Metadata: engine.Metadata{ - ID: "HS-JAVASCRIPT-16", - Name: "Alert statements should not be used", - Description: "alert(...) as well as confirm(...) and prompt(...) can be useful for debugging during development, but in production mode this kind of pop-up could expose sensitive information to attackers, and should never be displayed. For more information checkout the CWE-489 (https://cwe.mitre.org/data/definitions/489.html) advisory.", - Severity: severities.High.ToString(), - Confidence: confidence.High.ToString(), + ID: "HS-JAVASCRIPT-16", + Name: "Alert statements should not be used", + Description: "alert(...) as well as confirm(...) and prompt(...) can be useful for debugging during development, but in production mode this kind of pop-up could expose sensitive information to attackers, and should never be displayed. For more information checkout the CWE-489 (https://cwe.mitre.org/data/definitions/489.html) advisory.", + Severity: severities.High.ToString(), + Confidence: confidence.High.ToString(), + SafeExample: SampleSafeHSJAVASCRIPT16, + UnsafeExample: SampleVulnerableHSJAVASCRIPT16, }, Type: text.Regular, Expressions: []*regexp.Regexp{ @@ -287,11 +319,13 @@ func NewAlertStatementsShouldNotBeUsed() *text.Rule { func NewStaticallyServingHiddenFilesIsSecuritySensitive() *text.Rule { return &text.Rule{ Metadata: engine.Metadata{ - ID: "HS-JAVASCRIPT-17", - Name: "Statically serving hidden files is security-sensitive", - Description: "Hidden files are created automatically by many tools to save user-preferences, well-known examples are .profile, .bashrc, .bash_history or .git. To simplify the view these files are not displayed by default using operating system commands like ls. Outside of the user environment, hidden files are sensitive because they are used to store privacy-related information or even hard-coded secrets. For more information checkout the CWE-538 (https://cwe.mitre.org/data/definitions/538.html) and OWASP A6:2017 (https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html) advisory.", - Severity: severities.High.ToString(), - Confidence: confidence.Medium.ToString(), + ID: "HS-JAVASCRIPT-17", + Name: "Statically serving hidden files is security-sensitive", + Description: "Hidden files are created automatically by many tools to save user-preferences, well-known examples are .profile, .bashrc, .bash_history or .git. To simplify the view these files are not displayed by default using operating system commands like ls. Outside of the user environment, hidden files are sensitive because they are used to store privacy-related information or even hard-coded secrets. For more information checkout the CWE-538 (https://cwe.mitre.org/data/definitions/538.html) and OWASP A6:2017 (https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html) advisory.", + Severity: severities.High.ToString(), + Confidence: confidence.Medium.ToString(), + SafeExample: SampleSafeHSJAVASCRIPT17, + UnsafeExample: SampleVulnerableHSJAVASCRIPT17, }, Type: text.Regular, Expressions: []*regexp.Regexp{ @@ -308,8 +342,10 @@ func NewUsingIntrusivePermissionsWithGeolocation() *text.Rule { Description: `Powerful features are browser features (geolocation, camera, microphone ...) that can be accessed with JavaScript API and may require a permission granted by the user. These features can have a high impact on privacy and user security thus they should only be used if they are really necessary to implement the critical parts of an application. This rule highlights intrusive permissions when requested with the future standard (but currently experimental) web browser query API and specific APIs related to the permission. It is highly recommended to customize this rule with the permissions considered as intrusive in the context of the web application. If geolocation is required, always explain to the user why the application needs it and prefer requesting an approximate location when possible. For more information checkout the CWE-250 (https://cwe.mitre.org/data/definitions/250.html) and OWASP A3:2017 (https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure.html) advisory.`, - Severity: severities.Info.ToString(), - Confidence: confidence.Low.ToString(), + Severity: severities.Info.ToString(), + Confidence: confidence.Low.ToString(), + SafeExample: SampleSafeHSJAVASCRIPT18, + UnsafeExample: SampleVulnerableHSJAVASCRIPT18, }, Type: text.Regular, Expressions: []*regexp.Regexp{ @@ -322,11 +358,13 @@ This rule highlights intrusive permissions when requested with the future standa func NewHavingAPermissiveCrossOriginResourceSharingPolicy() *text.Rule { return &text.Rule{ Metadata: engine.Metadata{ - ID: "HS-JAVASCRIPT-19", - Name: "Having a permissive Cross-Origin Resource Sharing policy", - Description: "Same origin policy in browsers prevents, by default and for security-reasons, a javascript frontend to perform a cross-origin HTTP request to a resource that has a different origin (domain, protocol, or port) from its own. The requested target can append additional HTTP headers in response, called CORS, that act like directives for the browser and change the access control policy / relax the same origin policy. The Access-Control-Allow-Origin header should be set only for a trusted origin and for specific resources. For more information checkout the OWASP A6:2017 (https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html) advisory.", - Severity: severities.Low.ToString(), - Confidence: confidence.High.ToString(), + ID: "HS-JAVASCRIPT-19", + Name: "Having a permissive Cross-Origin Resource Sharing policy", + Description: "Same origin policy in browsers prevents, by default and for security-reasons, a javascript frontend to perform a cross-origin HTTP request to a resource that has a different origin (domain, protocol, or port) from its own. The requested target can append additional HTTP headers in response, called CORS, that act like directives for the browser and change the access control policy / relax the same origin policy. The Access-Control-Allow-Origin header should be set only for a trusted origin and for specific resources. For more information checkout the OWASP A6:2017 (https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html) advisory.", + Severity: severities.Low.ToString(), + Confidence: confidence.High.ToString(), + SafeExample: SampleSafeHSJAVASCRIPT19, + UnsafeExample: SampleVulnerableHSJAVASCRIPT19, }, Type: text.Regular, Expressions: []*regexp.Regexp{ @@ -340,11 +378,13 @@ func NewHavingAPermissiveCrossOriginResourceSharingPolicy() *text.Rule { func NewReadingTheStandardInput() *text.Rule { return &text.Rule{ Metadata: engine.Metadata{ - ID: "HS-JAVASCRIPT-20", - Name: "Reading the Standard Input", - Description: "It is common for attackers to craft inputs enabling them to exploit software vulnerabilities. Thus any data read from the standard input (stdin) can be dangerous and should be validated. Sanitize all data read from the standard input before using it. For more information checkout the CWE-20 (https://cwe.mitre.org/data/definitions/20.html) advisory.", - Severity: severities.Low.ToString(), - Confidence: confidence.High.ToString(), + ID: "HS-JAVASCRIPT-20", + Name: "Reading the Standard Input", + Description: "It is common for attackers to craft inputs enabling them to exploit software vulnerabilities. Thus any data read from the standard input (stdin) can be dangerous and should be validated. Sanitize all data read from the standard input before using it. For more information checkout the CWE-20 (https://cwe.mitre.org/data/definitions/20.html) advisory.", + Severity: severities.Low.ToString(), + Confidence: confidence.High.ToString(), + SafeExample: SampleSafeHSJAVASCRIPT20, + UnsafeExample: SampleVulnerableHSJAVASCRIPT20, }, Type: text.Regular, Expressions: []*regexp.Regexp{ @@ -357,11 +397,13 @@ func NewReadingTheStandardInput() *text.Rule { func NewUsingCommandLineArguments() *text.Rule { return &text.Rule{ Metadata: engine.Metadata{ - ID: "HS-JAVASCRIPT-21", - Name: "Using command line arguments", - Description: "Command line arguments can be dangerous just like any other user input. They should never be used without being first validated and sanitized. Remember also that any user can retrieve the list of processes running on a system, which makes the arguments provided to them visible. Thus passing sensitive information via command line arguments should be considered as insecure. This rule raises an issue when on every program entry points (main methods) when command line arguments are used. The goal is to guide security code reviews. Sanitize all command line arguments before using them. For more information checkout the CWE-88 (https://cwe.mitre.org/data/definitions/88.html) advisory.", - Severity: severities.High.ToString(), - Confidence: confidence.High.ToString(), + ID: "HS-JAVASCRIPT-21", + Name: "Using command line arguments", + Description: "Command line arguments can be dangerous just like any other user input. They should never be used without being first validated and sanitized. Remember also that any user can retrieve the list of processes running on a system, which makes the arguments provided to them visible. Thus passing sensitive information via command line arguments should be considered as insecure. This rule raises an issue when on every program entry points (main methods) when command line arguments are used. The goal is to guide security code reviews. Sanitize all command line arguments before using them. For more information checkout the CWE-88 (https://cwe.mitre.org/data/definitions/88.html) advisory.", + Severity: severities.High.ToString(), + Confidence: confidence.High.ToString(), + SafeExample: SampleSafeHSJAVASCRIPT21, + UnsafeExample: SampleVulnerableHSJAVASCRIPT21, }, Type: text.Regular, Expressions: []*regexp.Regexp{ @@ -373,11 +415,13 @@ func NewUsingCommandLineArguments() *text.Rule { func NewRedirectToUnknownPath() *text.Rule { return &text.Rule{ Metadata: engine.Metadata{ - ID: "HS-JAVASCRIPT-22", - Name: "Redirect to unknown path", - Description: "Sanitizing untrusted URLs is an important technique for preventing attacks such as request forgeries and malicious redirections. Often, this is done by checking that the host of a URL is in a set of allowed hosts. For more information checkout the CWE-20 (https://cwe.mitre.org/data/definitions/20.html) advisory.", - Severity: severities.High.ToString(), - Confidence: confidence.Low.ToString(), + ID: "HS-JAVASCRIPT-22", + Name: "Redirect to unknown path", + Description: "Sanitizing untrusted URLs is an important technique for preventing attacks such as request forgeries and malicious redirections. Often, this is done by checking that the host of a URL is in a set of allowed hosts. For more information checkout the CWE-20 (https://cwe.mitre.org/data/definitions/20.html) advisory.", + Severity: severities.High.ToString(), + Confidence: confidence.Low.ToString(), + SafeExample: SampleSafeHSJAVASCRIPT22, + UnsafeExample: SampleVulnerableHSJAVASCRIPT22, }, Type: text.Regular, Expressions: []*regexp.Regexp{ @@ -389,11 +433,13 @@ func NewRedirectToUnknownPath() *text.Rule { func NewNoRenderContentFromRequest() *text.Rule { return &text.Rule{ Metadata: engine.Metadata{ - ID: "HS-JAVASCRIPT-23", - Name: "No render content from request", - Description: "Directly using user-controlled objects as arguments to template engines might allow an attacker to do local file reads or even remote code execution. For more information checkout the CWE-73 (https://cwe.mitre.org/data/definitions/73.html) advisory.", - Severity: severities.High.ToString(), - Confidence: confidence.Medium.ToString(), + ID: "HS-JAVASCRIPT-23", + Name: "No render content from request", + Description: "Directly using user-controlled objects as arguments to template engines might allow an attacker to do local file reads or even remote code execution. For more information checkout the CWE-73 (https://cwe.mitre.org/data/definitions/73.html) advisory.", + Severity: severities.High.ToString(), + Confidence: confidence.Medium.ToString(), + SafeExample: SampleSafeHSJAVASCRIPT23, + UnsafeExample: SampleVulnerableHSJAVASCRIPT23, }, Type: text.Regular, Expressions: []*regexp.Regexp{ @@ -406,11 +452,13 @@ func NewNoRenderContentFromRequest() *text.Rule { func NewNoWriteOnDocumentContentFromRequest() *text.Rule { return &text.Rule{ Metadata: engine.Metadata{ - ID: "HS-JAVASCRIPT-24", - Name: "No write content from request on HTML", - Description: "Directly writing messages to a webpage without sanitization allows for a cross-site scripting vulnerability if parts of the message can be influenced by a user. For more information checkout the CWE-79 (https://cwe.mitre.org/data/definitions/79.html) advisory.", - Severity: severities.High.ToString(), - Confidence: confidence.Medium.ToString(), + ID: "HS-JAVASCRIPT-24", + Name: "No write content from request on HTML", + Description: "Directly writing messages to a webpage without sanitization allows for a cross-site scripting vulnerability if parts of the message can be influenced by a user. For more information checkout the CWE-79 (https://cwe.mitre.org/data/definitions/79.html) advisory.", + Severity: severities.High.ToString(), + Confidence: confidence.Medium.ToString(), + SafeExample: SampleSafeHSJAVASCRIPT24, + UnsafeExample: SampleVulnerableHSJAVASCRIPT24, }, Type: text.Regular, Expressions: []*regexp.Regexp{ @@ -422,11 +470,13 @@ func NewNoWriteOnDocumentContentFromRequest() *text.Rule { func NewNoExposeStackTrace() *text.Rule { return &text.Rule{ Metadata: engine.Metadata{ - ID: "HS-JAVASCRIPT-25", - Name: "Stack trace exposure", - Description: "Software developers often add stack traces to error messages, as a debugging aid. Whenever that error message occurs for an end user, the developer can use the stack trace to help identify how to fix the problem. For more information checkout the CWE-209 (https://cwe.mitre.org/data/definitions/209.html) advisory.", - Severity: severities.Medium.ToString(), - Confidence: confidence.High.ToString(), + ID: "HS-JAVASCRIPT-25", + Name: "Stack trace exposure", + Description: "Software developers often add stack traces to error messages, as a debugging aid. Whenever that error message occurs for an end user, the developer can use the stack trace to help identify how to fix the problem. For more information checkout the CWE-209 (https://cwe.mitre.org/data/definitions/209.html) advisory.", + Severity: severities.Medium.ToString(), + Confidence: confidence.High.ToString(), + SafeExample: SampleSafeHSJAVASCRIPT25, + UnsafeExample: SampleVulnerableHSJAVASCRIPT25, }, Type: text.Regular, Expressions: []*regexp.Regexp{ @@ -438,11 +488,13 @@ func NewNoExposeStackTrace() *text.Rule { func NewInsecureDownload() *text.Rule { return &text.Rule{ Metadata: engine.Metadata{ - ID: "HS-JAVASCRIPT-26", - Name: "Insecure download of executable file", - Description: "Downloading executables or other sensitive files over an unencrypted connection can leave a server open to man-in-the-middle attacks (MITM). Such an attack can allow an attacker to insert arbitrary content into the downloaded file, and in the worst case, allow the attacker to execute arbitrary code on the vulnerable system.. For more information checkout the CWE-829 (https://cwe.mitre.org/data/definitions/829.html) advisory.", - Severity: severities.Medium.ToString(), - Confidence: confidence.Medium.ToString(), + ID: "HS-JAVASCRIPT-26", + Name: "Insecure download of executable file", + Description: "Downloading executables or other sensitive files over an unencrypted connection can leave a server open to man-in-the-middle attacks (MITM). Such an attack can allow an attacker to insert arbitrary content into the downloaded file, and in the worst case, allow the attacker to execute arbitrary code on the vulnerable system.. For more information checkout the CWE-829 (https://cwe.mitre.org/data/definitions/829.html) advisory.", + Severity: severities.Medium.ToString(), + Confidence: confidence.Medium.ToString(), + SafeExample: SampleSafeHSJAVASCRIPT26, + UnsafeExample: SampleVulnerableHSJAVASCRIPT26, }, Type: text.Regular, Expressions: []*regexp.Regexp{ @@ -454,11 +506,13 @@ func NewInsecureDownload() *text.Rule { func NewNoUseRequestMethodUsingDataFromRequestOfUserInput() *text.Rule { return &text.Rule{ Metadata: engine.Metadata{ - ID: "HS-JAVASCRIPT-27", - Name: "No use request method using data from request of user input", - Description: "Allows user input data to be used as parameters for the 'request' method. Without proper handling, it could cause a Server Side Request Forgery vulnerability. Which is a type of exploitation in which an attacker abuses the functionality of a server, causing it to access or manipulate information in that server's domain. For more information checkout the CWE-918 (https://cwe.mitre.org/data/definitions/918.html) advisory.", - Severity: severities.Medium.ToString(), - Confidence: confidence.Medium.ToString(), + ID: "HS-JAVASCRIPT-27", + Name: "No use request method using data from request of user input", + Description: "Allows user input data to be used as parameters for the 'request' method. Without proper handling, it could cause a Server Side Request Forgery vulnerability. Which is a type of exploitation in which an attacker abuses the functionality of a server, causing it to access or manipulate information in that server's domain. For more information checkout the CWE-918 (https://cwe.mitre.org/data/definitions/918.html) advisory.", + Severity: severities.Medium.ToString(), + Confidence: confidence.Medium.ToString(), + SafeExample: SampleSafeHSJAVASCRIPT27, + UnsafeExample: SampleVulnerableHSJAVASCRIPT27, }, Type: text.AndMatch, Expressions: []*regexp.Regexp{ @@ -471,11 +525,13 @@ func NewNoUseRequestMethodUsingDataFromRequestOfUserInput() *text.Rule { func NewNoUseGetMethodUsingDataFromRequestOfUserInput() *text.Rule { return &text.Rule{ Metadata: engine.Metadata{ - ID: "HS-JAVASCRIPT-28", - Name: "No use .get method using data from request of user input", - Description: "Allows user input data to be used as parameters for the 'request.get' method. Without proper handling, it could cause a Server Side Request Forgery vulnerability. Which is a type of exploitation in which an attacker abuses the functionality of a server, causing it to access or manipulate information in that server's domain. For more information checkout the CWE-918 (https://cwe.mitre.org/data/definitions/918.html) advisory.", - Severity: severities.Medium.ToString(), - Confidence: confidence.Medium.ToString(), + ID: "HS-JAVASCRIPT-28", + Name: "No use .get method using data from request of user input", + Description: "Allows user input data to be used as parameters for the 'request.get' method. Without proper handling, it could cause a Server Side Request Forgery vulnerability. Which is a type of exploitation in which an attacker abuses the functionality of a server, causing it to access or manipulate information in that server's domain. For more information checkout the CWE-918 (https://cwe.mitre.org/data/definitions/918.html) advisory.", + Severity: severities.Medium.ToString(), + Confidence: confidence.Medium.ToString(), + SafeExample: SampleSafeHSJAVASCRIPT28, + UnsafeExample: SampleVulnerableHSJAVASCRIPT28, }, Type: text.AndMatch, Expressions: []*regexp.Regexp{ @@ -488,11 +544,13 @@ func NewNoUseGetMethodUsingDataFromRequestOfUserInput() *text.Rule { func NewCryptographicRsaShouldBeRobust() *text.Rule { return &text.Rule{ Metadata: engine.Metadata{ - ID: "HS-JAVASCRIPT-29", - Name: "Cryptographic RSA should be robust", - Description: "Most of cryptographic systems require a sufficient key size to be robust against brute-force attacks. n ≥ 2048 for RSA (n is the key length). For more information checkout the CWE-326 (https://cwe.mitre.org/data/definitions/326.html) advisory.", - Severity: severities.Critical.ToString(), - Confidence: confidence.Medium.ToString(), + ID: "HS-JAVASCRIPT-29", + Name: "Cryptographic RSA should be robust", + Description: "Most of cryptographic systems require a sufficient key size to be robust against brute-force attacks. n ≥ 2048 for RSA (n is the key length). For more information checkout the CWE-326 (https://cwe.mitre.org/data/definitions/326.html) advisory.", + Severity: severities.Critical.ToString(), + Confidence: confidence.Medium.ToString(), + SafeExample: SampleSafeHSJAVASCRIPT29, + UnsafeExample: SampleVulnerableHSJAVASCRIPT29, }, Type: text.AndMatch, Expressions: []*regexp.Regexp{ @@ -505,11 +563,13 @@ func NewCryptographicRsaShouldBeRobust() *text.Rule { func NewCryptographicEcShouldBeRobust() *text.Rule { return &text.Rule{ Metadata: engine.Metadata{ - ID: "HS-JAVASCRIPT-30", - Name: "Cryptographic EC should be robust", - Description: "Most of cryptographic systems require a sufficient key size to be robust against brute-force attacks. n ≥ 224 for ECDH and ECMQV (Examples: secp192r1 is a non-compliant curve (n < 224) but secp224k1 is compliant (n >= 224)). For more information checkout the CWE-326 (https://cwe.mitre.org/data/definitions/326.html) advisory.", - Severity: severities.Medium.ToString(), - Confidence: confidence.Medium.ToString(), + ID: "HS-JAVASCRIPT-30", + Name: "Cryptographic EC should be robust", + Description: "Most of cryptographic systems require a sufficient key size to be robust against brute-force attacks. n ≥ 224 for ECDH and ECMQV (Examples: secp192r1 is a non-compliant curve (n < 224) but secp224k1 is compliant (n >= 224)). For more information checkout the CWE-326 (https://cwe.mitre.org/data/definitions/326.html) advisory.", + Severity: severities.Medium.ToString(), + Confidence: confidence.Medium.ToString(), + SafeExample: SampleSafeHSJAVASCRIPT30, + UnsafeExample: SampleVulnerableHSJAVASCRIPT30, }, Type: text.AndMatch, Expressions: []*regexp.Regexp{ @@ -522,11 +582,13 @@ func NewCryptographicEcShouldBeRobust() *text.Rule { func NewJWTNeedStrongCipherAlgorithms() *text.Rule { return &text.Rule{ Metadata: engine.Metadata{ - ID: "HS-JAVASCRIPT-31", - Name: "JWT should be signed and verified with strong cipher algorithms", - Description: "If a JSON Web Token (JWT) is not signed with a strong cipher algorithm (or not signed at all) an attacker can forge it and impersonate user identities. Don't use none algorithm to sign or verify the validity of an algorithm. Don't use a token without verifying its signature before. For more information checkout the CWE-347 (https://cwe.mitre.org/data/definitions/347.html) advisory.", - Severity: severities.Critical.ToString(), - Confidence: confidence.Medium.ToString(), + ID: "HS-JAVASCRIPT-31", + Name: "JWT should be signed and verified with strong cipher algorithms", + Description: "If a JSON Web Token (JWT) is not signed with a strong cipher algorithm (or not signed at all) an attacker can forge it and impersonate user identities. Don't use none algorithm to sign or verify the validity of an algorithm. Don't use a token without verifying its signature before. For more information checkout the CWE-347 (https://cwe.mitre.org/data/definitions/347.html) advisory.", + Severity: severities.Critical.ToString(), + Confidence: confidence.Medium.ToString(), + SafeExample: SampleSafeHSJAVASCRIPT31, + UnsafeExample: SampleVulnerableHSJAVASCRIPT31, }, Type: text.AndMatch, Expressions: []*regexp.Regexp{ @@ -540,11 +602,13 @@ func NewJWTNeedStrongCipherAlgorithms() *text.Rule { func NewServerHostnameNotVerified() *text.Rule { return &text.Rule{ Metadata: engine.Metadata{ - ID: "HS-JAVASCRIPT-32", - Name: "Server hostnames should be verified during SSL/TLS connections", - Description: "To establish a SSL/TLS connection not vulnerable to man-in-the-middle attacks, it's essential to make sure the server presents the right certificate. The certificate's hostname-specific data should match the server hostname. It's not recommended to re-invent the wheel by implementing custom hostname verification. TLS/SSL libraries provide built-in hostname verification functions that should be used. For more information checkout the CWE-297 (https://cwe.mitre.org/data/definitions/297.html) advisory.", - Severity: severities.High.ToString(), - Confidence: confidence.Low.ToString(), + ID: "HS-JAVASCRIPT-32", + Name: "Server hostnames should be verified during SSL/TLS connections", + Description: "To establish a SSL/TLS connection not vulnerable to man-in-the-middle attacks, it's essential to make sure the server presents the right certificate. The certificate's hostname-specific data should match the server hostname. It's not recommended to re-invent the wheel by implementing custom hostname verification. TLS/SSL libraries provide built-in hostname verification functions that should be used. For more information checkout the CWE-297 (https://cwe.mitre.org/data/definitions/297.html) advisory.", + Severity: severities.High.ToString(), + Confidence: confidence.Low.ToString(), + SafeExample: SampleSafeHSJAVASCRIPT32, + UnsafeExample: SampleVulnerableHSJAVASCRIPT32, }, Type: text.AndMatch, Expressions: []*regexp.Regexp{ @@ -557,11 +621,13 @@ func NewServerHostnameNotVerified() *text.Rule { func NewServerCertificatesNotVerified() *text.Rule { return &text.Rule{ Metadata: engine.Metadata{ - ID: "HS-JAVASCRIPT-33", - Name: "Server certificates should be verified during SSL/TLS connections", - Description: "To establish a SSL/TLS connection not vulnerable to man-in-the-middle attacks, it's essential to make sure the server presents the right certificate. The certificate's hostname-specific data should match the server hostname. It's not recommended to re-invent the wheel by implementing custom hostname verification. TLS/SSL libraries provide built-in hostname verification functions that should be used. For more information checkout the CWE-297 (https://cwe.mitre.org/data/definitions/297.html) advisory.", - Severity: severities.High.ToString(), - Confidence: confidence.Low.ToString(), + ID: "HS-JAVASCRIPT-33", + Name: "Server certificates should be verified during SSL/TLS connections", + Description: "To establish a SSL/TLS connection not vulnerable to man-in-the-middle attacks, it's essential to make sure the server presents the right certificate. The certificate's hostname-specific data should match the server hostname. It's not recommended to re-invent the wheel by implementing custom hostname verification. TLS/SSL libraries provide built-in hostname verification functions that should be used. For more information checkout the CWE-297 (https://cwe.mitre.org/data/definitions/297.html) advisory.", + Severity: severities.High.ToString(), + Confidence: confidence.Low.ToString(), + SafeExample: SampleSafeHSJAVASCRIPT33, + UnsafeExample: SampleVulnerableHSJAVASCRIPT33, }, Type: text.AndMatch, Expressions: []*regexp.Regexp{ @@ -574,11 +640,13 @@ func NewServerCertificatesNotVerified() *text.Rule { func NewUntrustedContentShouldNotBeIncluded() *text.Rule { return &text.Rule{ Metadata: engine.Metadata{ - ID: "HS-JAVASCRIPT-34", - Name: "Untrusted content should not be included", - Description: "Including content in your site from an untrusted source can expose your users to attackers and even compromise your own site. For that reason, this rule raises an issue for each non-relative URL. For more information checkout the OWASP A1:2017 (https://owasp.org/www-project-top-ten/2017/A1_2017-Injection.html) advisory.", - Severity: severities.High.ToString(), - Confidence: confidence.Low.ToString(), + ID: "HS-JAVASCRIPT-34", + Name: "Untrusted content should not be included", + Description: "Including content in your site from an untrusted source can expose your users to attackers and even compromise your own site. For that reason, this rule raises an issue for each non-relative URL. For more information checkout the OWASP A1:2017 (https://owasp.org/www-project-top-ten/2017/A1_2017-Injection.html) advisory.", + Severity: severities.High.ToString(), + Confidence: confidence.Low.ToString(), + SafeExample: SampleSafeHSJAVASCRIPT34, + UnsafeExample: SampleVulnerableHSJAVASCRIPT34, }, Type: text.AndMatch, Expressions: []*regexp.Regexp{ @@ -592,11 +660,13 @@ func NewUntrustedContentShouldNotBeIncluded() *text.Rule { func NewMysqlHardCodedCredentialsSecuritySensitive() *text.Rule { return &text.Rule{ Metadata: engine.Metadata{ - ID: "HS-JAVASCRIPT-35", - Name: "Mysql Hard-coded credentials are security-sensitive", - Description: "Because it is easy to extract strings from an application source code or binary, credentials should not be hard-coded. This is particularly true for applications that are distributed or that are open-source. It's recommended to customize the configuration of this rule with additional credential words such as \"oauthToken\", \"secret\", others. For more information checkout the CWE-798 (https://cwe.mitre.org/data/definitions/798.html) advisory.", - Severity: severities.Critical.ToString(), - Confidence: confidence.High.ToString(), + ID: "HS-JAVASCRIPT-35", + Name: "Mysql Hard-coded credentials are security-sensitive", + Description: "Because it is easy to extract strings from an application source code or binary, credentials should not be hard-coded. This is particularly true for applications that are distributed or that are open-source. It's recommended to customize the configuration of this rule with additional credential words such as \"oauthToken\", \"secret\", others. For more information checkout the CWE-798 (https://cwe.mitre.org/data/definitions/798.html) advisory.", + Severity: severities.Critical.ToString(), + Confidence: confidence.High.ToString(), + SafeExample: SampleSafeHSJAVASCRIPT35, + UnsafeExample: SampleVulnerableHSJAVASCRIPT35, }, Type: text.AndMatch, Expressions: []*regexp.Regexp{ @@ -609,11 +679,13 @@ func NewMysqlHardCodedCredentialsSecuritySensitive() *text.Rule { func NewUsingShellInterpreterWhenExecutingOSCommands() *text.Rule { return &text.Rule{ Metadata: engine.Metadata{ - ID: "HS-JAVASCRIPT-36", - Name: "Using shell interpreter when executing OS commands", - Description: "Arbitrary OS command injection vulnerabilities are more likely when a shell is spawned rather than a new process, indeed shell meta-chars can be used (when parameters are user-controlled for instance) to inject OS commands. For more information checkout the CWE-78 (https://cwe.mitre.org/data/definitions/78.html) advisory.", - Severity: severities.High.ToString(), - Confidence: confidence.Low.ToString(), + ID: "HS-JAVASCRIPT-36", + Name: "Using shell interpreter when executing OS commands", + Description: "Arbitrary OS command injection vulnerabilities are more likely when a shell is spawned rather than a new process, indeed shell meta-chars can be used (when parameters are user-controlled for instance) to inject OS commands. For more information checkout the CWE-78 (https://cwe.mitre.org/data/definitions/78.html) advisory.", + Severity: severities.High.ToString(), + Confidence: confidence.Low.ToString(), + SafeExample: SampleSafeHSJAVASCRIPT36, + UnsafeExample: SampleVulnerableHSJAVASCRIPT36, }, Type: text.AndMatch, Expressions: []*regexp.Regexp{ @@ -626,11 +698,13 @@ func NewUsingShellInterpreterWhenExecutingOSCommands() *text.Rule { func NewForwardingClientIPAddress() *text.Rule { return &text.Rule{ Metadata: engine.Metadata{ - ID: "HS-JAVASCRIPT-37", - Name: "Forwarding client IP address", - Description: "Users often connect to web servers through HTTP proxies. Proxy can be configured to forward the client IP address via the X-Forwarded-For or Forwarded HTTP headers. IP address is a personal information which can identify a single user and thus impact his privacy. For more information checkout the CWE-78 (https://cwe.mitre.org/data/definitions/78.html) advisory.", - Severity: severities.Low.ToString(), - Confidence: confidence.High.ToString(), + ID: "HS-JAVASCRIPT-37", + Name: "Forwarding client IP address", + Description: "Users often connect to web servers through HTTP proxies. Proxy can be configured to forward the client IP address via the X-Forwarded-For or Forwarded HTTP headers. IP address is a personal information which can identify a single user and thus impact his privacy. For more information checkout the CWE-78 (https://cwe.mitre.org/data/definitions/78.html) advisory.", + Severity: severities.Low.ToString(), + Confidence: confidence.High.ToString(), + SafeExample: SampleSafeHSJAVASCRIPT37, + UnsafeExample: SampleVulnerableHSJAVASCRIPT37, }, Type: text.AndMatch, Expressions: []*regexp.Regexp{ @@ -644,11 +718,13 @@ func NewForwardingClientIPAddress() *text.Rule { func NewAllowingConfidentialInformationToBeLoggedWithSignale() *text.Rule { return &text.Rule{ Metadata: engine.Metadata{ - ID: "HS-JAVASCRIPT-38", - Name: "Allowing confidential information to be logged with signale", - Description: "Log management is an important topic, especially for the security of a web application, to ensure user activity, including potential attackers, is recorded and available for an analyst to understand what's happened on the web application in case of malicious activities. Retention of specific logs for a defined period of time is often necessary to comply with regulations such as GDPR, PCI DSS and others. However, to protect user's privacy, certain informations are forbidden or strongly discouraged from being logged, such as user passwords or credit card numbers, which obviously should not be stored or at least not in clear text. For more information checkout the CWE-532 (https://cwe.mitre.org/data/definitions/532.html) advisory.", - Severity: severities.Low.ToString(), - Confidence: confidence.High.ToString(), + ID: "HS-JAVASCRIPT-38", + Name: "Allowing confidential information to be logged with signale", + Description: "Log management is an important topic, especially for the security of a web application, to ensure user activity, including potential attackers, is recorded and available for an analyst to understand what's happened on the web application in case of malicious activities. Retention of specific logs for a defined period of time is often necessary to comply with regulations such as GDPR, PCI DSS and others. However, to protect user's privacy, certain informations are forbidden or strongly discouraged from being logged, such as user passwords or credit card numbers, which obviously should not be stored or at least not in clear text. For more information checkout the CWE-532 (https://cwe.mitre.org/data/definitions/532.html) advisory.", + Severity: severities.Low.ToString(), + Confidence: confidence.High.ToString(), + SafeExample: SampleSafeHSJAVASCRIPT38, + UnsafeExample: SampleVulnerableHSJAVASCRIPT38, }, Type: text.AndMatch, Expressions: []*regexp.Regexp{ @@ -662,11 +738,13 @@ func NewAllowingConfidentialInformationToBeLoggedWithSignale() *text.Rule { func NewAllowingBrowsersToPerformDNSPrefetching() *text.Rule { return &text.Rule{ Metadata: engine.Metadata{ - ID: "HS-JAVASCRIPT-39", - Name: "Allowing browsers to perform DNS prefetching", - Description: "By default, web browsers perform DNS prefetching to reduce latency due to DNS resolutions required when an user clicks links from a website page. It can add significant latency during requests, especially if the page contains many links to cross-origin domains. DNS prefetch allows web browsers to perform DNS resolving in the background before the user clicks a link. This feature can cause privacy issues because DNS resolving from the user's computer is performed without his consent if he doesn't intent to go to the linked website. On a complex private webpage, a combination \"of unique links/DNS resolutions\" can indicate, to a eavesdropper for instance, that the user is visiting the private page. For more information checkout the OWASP A3:2017 (https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A3-Sensitive_Data_Exposure.html) advisory.", - Severity: severities.Low.ToString(), - Confidence: confidence.High.ToString(), + ID: "HS-JAVASCRIPT-39", + Name: "Allowing browsers to perform DNS prefetching", + Description: "By default, web browsers perform DNS prefetching to reduce latency due to DNS resolutions required when an user clicks links from a website page. It can add significant latency during requests, especially if the page contains many links to cross-origin domains. DNS prefetch allows web browsers to perform DNS resolving in the background before the user clicks a link. This feature can cause privacy issues because DNS resolving from the user's computer is performed without his consent if he doesn't intent to go to the linked website. On a complex private webpage, a combination \"of unique links/DNS resolutions\" can indicate, to a eavesdropper for instance, that the user is visiting the private page. For more information checkout the OWASP A3:2017 (https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A3-Sensitive_Data_Exposure.html) advisory.", + Severity: severities.Low.ToString(), + Confidence: confidence.High.ToString(), + SafeExample: SampleSafeHSJAVASCRIPT39, + UnsafeExample: SampleVulnerableHSJAVASCRIPT39, }, Type: text.AndMatch, Expressions: []*regexp.Regexp{ @@ -680,11 +758,13 @@ func NewAllowingBrowsersToPerformDNSPrefetching() *text.Rule { func NewDisablingCertificateTransparencyMonitoring() *text.Rule { return &text.Rule{ Metadata: engine.Metadata{ - ID: "HS-JAVASCRIPT-40", - Name: "Disabling Certificate Transparency monitoring", - Description: "Certificate Transparency (CT) is an open-framework to protect against identity theft when certificates are issued. Certificate Authorities (CA) electronically sign certificate after verifying the identify of the certificate owner. Attackers use, among other things, social engineering attacks to trick a CA to correctly verifying a spoofed identity/forged certificate. CAs implement Certificate Transparency framework to publicly log the records of newly issued certificates, allowing the public and in particular the identity owner to monitor these logs to verify that his identify was not usurped. For more information checkout the OWASP A3:2017 (https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A3-Sensitive_Data_Exposure.html) advisory.", - Severity: severities.Low.ToString(), - Confidence: confidence.High.ToString(), + ID: "HS-JAVASCRIPT-40", + Name: "Disabling Certificate Transparency monitoring", + Description: "Certificate Transparency (CT) is an open-framework to protect against identity theft when certificates are issued. Certificate Authorities (CA) electronically sign certificate after verifying the identify of the certificate owner. Attackers use, among other things, social engineering attacks to trick a CA to correctly verifying a spoofed identity/forged certificate. CAs implement Certificate Transparency framework to publicly log the records of newly issued certificates, allowing the public and in particular the identity owner to monitor these logs to verify that his identify was not usurped. For more information checkout the OWASP A3:2017 (https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A3-Sensitive_Data_Exposure.html) advisory.", + Severity: severities.Low.ToString(), + Confidence: confidence.High.ToString(), + SafeExample: SampleSafeHSJAVASCRIPT40, + UnsafeExample: SampleVulnerableHSJAVASCRIPT40, }, Type: text.AndMatch, Expressions: []*regexp.Regexp{ @@ -697,11 +777,13 @@ func NewDisablingCertificateTransparencyMonitoring() *text.Rule { func NewDisablingStrictHTTPNoReferrerPolicy() *text.Rule { return &text.Rule{ Metadata: engine.Metadata{ - ID: "HS-JAVASCRIPT-41", - Name: "Disabling strict HTTP no-referrer policy", - Description: "Confidential information should not be set inside URLs (GET requests) of the application and a safe (ie: different from unsafe-url or no-referrer-when-downgrade) referrer-Policy header, to control how much information is included in the referer header, should be used. For more information checkout the OWASP A3:2017 (https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A3-Sensitive_Data_Exposure.html) advisory.", - Severity: severities.Low.ToString(), - Confidence: confidence.High.ToString(), + ID: "HS-JAVASCRIPT-41", + Name: "Disabling strict HTTP no-referrer policy", + Description: "Confidential information should not be set inside URLs (GET requests) of the application and a safe (ie: different from unsafe-url or no-referrer-when-downgrade) referrer-Policy header, to control how much information is included in the referer header, should be used. For more information checkout the OWASP A3:2017 (https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A3-Sensitive_Data_Exposure.html) advisory.", + Severity: severities.Low.ToString(), + Confidence: confidence.High.ToString(), + SafeExample: SampleSafeHSJAVASCRIPT41, + UnsafeExample: SampleVulnerableHSJAVASCRIPT41, }, Type: text.AndMatch, Expressions: []*regexp.Regexp{ @@ -715,11 +797,13 @@ func NewDisablingStrictHTTPNoReferrerPolicy() *text.Rule { func NewAllowingBrowsersToSniffMIMETypes() *text.Rule { return &text.Rule{ Metadata: engine.Metadata{ - ID: "HS-JAVASCRIPT-42", - Name: "Allowing browsers to sniff MIME types", - Description: "Implement X-Content-Type-Options header with nosniff value (the only existing value for this header) which is supported by all modern browsers and will prevent browsers from performing MIME type sniffing, so that in case of Content-Type header mismatch, the resource is not interpreted. For example within a