NormanWenzelWSS / webgoat-4


WhiteSource SAST Security Report: 2 high severity findings, 6 total findings #1

Open NormanWenzelWSS opened 2 years ago

NormanWenzelWSS commented 2 years ago

WhiteSource SAST Security Report

**Latest Scan:** 2022-03-02 07:30pm
**New Findings:** 2
**Fixed Findings:** 1
**Total Findings:** 6
**Tested Project Files:** 1'458
**Detected Programming Languages:** 2

Language: Java

| Severity | Vulnerability Type | CWE | Count | Remediations |
| --- | --- | --- | --- | --- |
| High | SQL Injection | 89 | 2 | 1 |
| Medium | Cross-site Scripting | 79 | 1 | - |
| Low | Hard-coded Credentials | 798 | 3 | - |

Details

## SQL Injection (CWE 89): 2

### Findings with Remediation

✅ org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java:58

#### Remediation Suggestion

```diff
- String queryString = "SELECT * From user_data WHERE Login_Count = ? and userid= " + accountName;
+ String queryString = "SELECT * From user_data WHERE Login_Count = ? and userid= ?";
try (Connection connection = dataSource.getConnection()) {
PreparedStatement query = connection.prepareStatement(queryString, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
query.setInt(1, count);
+ query.setString(2,accountName);
```
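Review bot: the added `+ query.setString(2,accountName);` line binds `accountName` as a string, whereas the removed line appended it unquoted (`userid= " + accountName`), i.e. as a bare numeric literal in the SQL text; confirm the declared type of the `userid` column and, if it is numeric, bind it with `setInt`/`setLong` after validating the value rather than `setString`, since comparing a numeric column to a string parameter may fail or be implicitly cast depending on the database. Moving `accountName` into a bound parameter is the right fix for the concatenation; as a style point, add a space after the comma in `setString(2,accountName)` to match `setInt(1, count)`.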


### Findings w/o Remediation

❌ org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson4.java:63
https://github.com/NormanWenzelWSS/webgoat-4/blob/7847e6957477ef92428770c7409344d3b8b0e83b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson4.java#L60-L63

#### Remediation Recommendations

  • Using prepared statements (with parameterized queries)
  • Correct filtering (escaping) of string literal escape characters in SQL statements, like single quote ('), double quote ("), backslash (\) and the NULL byte
  • Checking parameters for a valid representation of the given type (integer, float or boolean)
  • Correct database permissions on logon, which restricts web application or user access to unnecessary data
### Knowledge Base

#### Vulnerability Description

An SQL Injection vulnerability occurs when user input is used in the construction of an SQL query without proper neutralization (sanitization) of the input string. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown of the DBMS), recover the content of a given file present on the DBMS file system or, in some cases, issue commands to the operating system.

#### Compliance Standard Violations

- PCI DSS: PCI DSS 6.5.1 - Injection Flaws
- NIST: SI-10: Information Input Validation
- OWASP Top 10: A1: Injection
- HIPAA: 164.312 (a)(1): Standard: Access control
- HITRUST: 10.b - Input Data Validation (Level 1 Implementation)
- CAPEC: CAPEC-66: SQL Injection

## Cross-site Scripting (CWE 79): 1

### Findings w/o Remediation

❌ java/org/owasp/webgoat/xxe/Ping.java:55
https://github.com/NormanWenzelWSS/webgoat-4/blob/7847e6957477ef92428770c7409344d3b8b0e83b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Ping.java#L50-L55

#### Remediation Recommendations

  • Escape HTML before inserting untrusted data into element content
  • Escape attribute before inserting untrusted data into HTML common attributes
  • Escape JavaScript before inserting untrusted data into JavaScript data values
  • Escape CSS and strictly validate before inserting untrusted data into HTML style property values
  • Escape URL before inserting untrusted data into HTML URL parameter values
### Knowledge Base

#### Vulnerability Description

A Cross Site Scripting (XSS) vulnerability occurs when an application either does not perform, or performs incorrectly, the neutralization (sanitization) of input data that is included in a web application response. As a result, an attacker is able to inject and execute arbitrary HTML and script code in a user's browser within the context of the vulnerable website. These attacks are often used to steal authentication credentials (e.g. session IDs in cookies). Depending on the vulnerability and the web application, it is also possible to completely alter the web page itself or control the victim's browser.

#### Compliance Standard Violations

- PCI DSS: PCI DSS 6.5.7 - Cross-Site Scripting (XSS)
- NIST: SI-10: Information Input Validation
- OWASP Top 10: A7: Cross-Site Scripting (XSS)
- HITRUST: 10.b - Input Data Validation (Level 1 Implementation)
- CAPEC: CAPEC-63: Cross-Site Scripting (XSS)

## Hard-coded Credentials (CWE 798): 3

### Findings w/o Remediation

❌ org/owasp/webgoat/template/SampleAttack.java:45
https://github.com/NormanWenzelWSS/webgoat-4/blob/7847e6957477ef92428770c7409344d3b8b0e83b/webgoat-lessons/webgoat-lesson-template/src/main/java/org/owasp/webgoat/template/SampleAttack.java#L48

#### Remediation Recommendations

  • Store passwords, keys, and other credentials outside of the code in a strongly-protected, encrypted configuration file or database that is protected from access by all outsiders, including other local users on the same system. Properly protect the key. If you cannot use encryption to protect the file, then make sure that the permissions are as restrictive as possible
❌ org/owasp/webgoat/challenges/SolutionConstants.java:34
https://github.com/NormanWenzelWSS/webgoat-4/blob/7847e6957477ef92428770c7409344d3b8b0e83b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/SolutionConstants.java#L34

#### Remediation Recommendations

  • Store passwords, keys, and other credentials outside of the code in a strongly-protected, encrypted configuration file or database that is protected from access by all outsiders, including other local users on the same system. Properly protect the key. If you cannot use encryption to protect the file, then make sure that the permissions are as restrictive as possible
❌ org/owasp/webgoat/challenges/SolutionConstants.java:35
https://github.com/NormanWenzelWSS/webgoat-4/blob/7847e6957477ef92428770c7409344d3b8b0e83b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/SolutionConstants.java#L35

#### Remediation Recommendations

  • Store passwords, keys, and other credentials outside of the code in a strongly-protected, encrypted configuration file or database that is protected from access by all outsiders, including other local users on the same system. Properly protect the key. If you cannot use encryption to protect the file, then make sure that the permissions are as restrictive as possible
### Knowledge Base

#### Vulnerability Description

The application contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.

#### Compliance Standard Violations

- PCI DSS: PCI DSS 6.5.3 - Insecure Cryptographic Storage
- NIST: SC-28: Protection of Information at Rest
- OWASP Top 10: A3: Sensitive Data Exposure
- HIPAA: 164.312 (a)(2)(iv): Access Control: Encryption and Decryption

Language: JavaScript

No vulnerabilities detected

NormanWenzelWSS commented 2 years ago

Please post your feedback in the comments. Every kind of feedback is welcome, but the most relevant questions are:

danieltailor1 commented 2 years ago

Security issues are really important to me; this review covers a couple of the common and important ones. I see this report as relevant and helpful. Thank you.