Open nalbion-nullify[bot] opened 2 months ago
New code security updates for commits 2763432dfb60af06d308d479accd31a97ca715d2...a90557d5cc25748dca078c58479df6bd630e6a34
New | Fixed | Allowlisted | Unallowlisted |
---|---|---|---|
45 | 0 | 0 | 0 |
/nullify fix vulnerability 01HX8MRPBAXNB9566W87KAK6NM
I have created a pull request to address the SQL Injection vulnerability with ID 01HX8MRPBAXNB9566W87KAK6NM
. You can review and merge the changes here.
Severity Threshold: π΅ MEDIUM
45 Potential vulnerability sources found within this repo
π΄ CRITICAL
π‘ HIGH
π΅ MEDIUM
βͺ LOW
ID: 01HX8MRPBAXNB9566W8CF8G1BP
Language: Java
Severity: π‘ HIGH
CWE-918
Java ssrf rule ssrf
Server-Side-Request-Forgery (SSRF) exploits backend systems that initiate requests to third parties. If user input is used in constructing or sending these requests, an attacker could supply malicious data to force the request to other systems or modify request data to cause unwanted actions.
Ensure user input is not used directly in constructing URLs or URIs when initiating requests to third party systems from back end systems. Care must also be taken when constructing payloads using user input. Where possible restrict to known URIs or payloads. Consider using a server-side map where keys are used to return URLs such as
https://site/goto?key=1
where{key: 1, url: 'http://some.url/', key: 2, url: 'http://...'}
.If you must use user-supplied input for requesting URLs, it is strongly recommended that the HTTP client chosen allows you to customize and block certain IP ranges at the network level. By blocking RFC 1918 addresses or other network address ranges, you can limit the severity of a successful SSRF attack. Care must also be taken to block certain protocol or address formatting such as IPv6.
If you cannot block address ranges at the client level, you may want to run the HTTP client as a protected user, or in a protected network where you can apply IP Table or firewall rules to block access to dangerous addresses. Finally, if none of the above protections are available, you could also run a custom HTTP proxy and force all requests through it to handle blocking dangerous addresses.
Example using a map to look up a key to be used in a HTTP request:
If using a map is not possible, the user-supplied input must be encoded prior to use, and never allow full URLs:
For more information on SSRF see OWASP: https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html
https://github.com/nalbion/WebGoat/blob/a90557d5cc25748dca078c58479df6bd630e6a34/src/main/java/org/owasp/webgoat/lessons/ssrf/SSRFTask2.java#L51 #
ID: 01HX8MRPBAXNB9566W87KAK6NM
Language: Java
Severity: π‘ HIGH
CWE-89
Java inject rule sqlinjection
SQL Injection is a critical vulnerability that can lead to data or system compromise. By dynamically generating SQL query strings, user input may be able to influence the logic of the SQL statement. This could lead to an adversary accessing information they should not have access to, or in some circumstances, being able to execute OS functionality or code.
Replace all dynamically generated SQL queries with parameterized queries. In situations where dynamic queries must be created, never use direct user input, but instead use a map or dictionary of valid values and resolve them using a user-supplied key.
For example, some database drivers do not allow parameterized queries for
>
or<
comparison operators. In these cases, do not use a user supplied>
or<
value, but rather have the user supply agt
orlt
value. The alphabetical values are then used to look up the>
and<
values to be used in the construction of the dynamic query. The same goes for other queries where column or table names are required but cannot be parameterized.Example using
PreparedStatement
queries:For more information on SQL Injection see OWASP: https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html
https://github.com/nalbion/WebGoat/blob/a90557d5cc25748dca078c58479df6bd630e6a34/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson8.java#L158 #
ID: 01HX8MRPBAXNB9566W6WB416ES
Language: Java
Severity: π‘ HIGH
CWE-321
Java password rule hardcodekey
A potential cryptographic key was identified in a hard-coded string. Cryptographic keys should not be stored directly in code but loaded from secure locations such as a Key Management System (KMS).
The purpose of using a Key Management System is so access can be audited and keys easily rotated in the event of a breach. By hardcoding passwords, it will be extremely difficult to determine when or if, a key is compromised.
The recommendation on which KMS to use depends on the environment the application is running in:
https://github.com/nalbion/WebGoat/blob/a90557d5cc25748dca078c58479df6bd630e6a34/src/main/java/org/owasp/webgoat/lessons/cryptography/CryptoUtil.java#L139 #
ID: 01HX8MRPBAXNB9566W83BRC81D
Language: Java
Severity: π‘ HIGH
CWE-89
Java inject rule sqlinjection
SQL Injection is a critical vulnerability that can lead to data or system compromise. By dynamically generating SQL query strings, user input may be able to influence the logic of the SQL statement. This could lead to an adversary accessing information they should not have access to, or in some circumstances, being able to execute OS functionality or code.
Replace all dynamically generated SQL queries with parameterized queries. In situations where dynamic queries must be created, never use direct user input, but instead use a map or dictionary of valid values and resolve them using a user-supplied key.
For example, some database drivers do not allow parameterized queries for
>
or<
comparison operators. In these cases, do not use a user supplied>
or<
value, but rather have the user supply agt
orlt
value. The alphabetical values are then used to look up the>
and<
values to be used in the construction of the dynamic query. The same goes for other queries where column or table names are required but cannot be parameterized.Example using
PreparedStatement
queries:For more information on SQL Injection see OWASP: https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html
https://github.com/nalbion/WebGoat/blob/a90557d5cc25748dca078c58479df6bd630e6a34/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionLesson6a.java#L74 #
ID: 01HX8MRPBAXNB9566W80WZ7HP9
Language: Java
Severity: π‘ HIGH
CWE-89
Java inject rule sqlinjection
SQL Injection is a critical vulnerability that can lead to data or system compromise. By dynamically generating SQL query strings, user input may be able to influence the logic of the SQL statement. This could lead to an adversary accessing information they should not have access to, or in some circumstances, being able to execute OS functionality or code.
Replace all dynamically generated SQL queries with parameterized queries. In situations where dynamic queries must be created, never use direct user input, but instead use a map or dictionary of valid values and resolve them using a user-supplied key.
For example, some database drivers do not allow parameterized queries for
>
or<
comparison operators. In these cases, do not use a user supplied>
or<
value, but rather have the user supply agt
orlt
value. The alphabetical values are then used to look up the>
and<
values to be used in the construction of the dynamic query. The same goes for other queries where column or table names are required but cannot be parameterized.Example using
PreparedStatement
queries:For more information on SQL Injection see OWASP: https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html
https://github.com/nalbion/WebGoat/blob/a90557d5cc25748dca078c58479df6bd630e6a34/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionChallenge.java#L69 #
ID: 01HX8MRPBAXNB9566W6B4JJJDP
Language: JavaScript
Severity: π΅ MEDIUM
CWE-185
Javascript dos rule non literal regexp
The
RegExp
constructor was called with a non-literal value. If an adversary were able to supply a malicious regex, they could cause a Regular Expression Denial of Service (ReDoS) against the application. In Node applications, this could cause the entire application to no longer be responsive to other users' requests.To remediate this issue, never allow user-supplied regular expressions. Instead, the regular expression should be hardcoded. If this is not possible, consider using an alternative regular expression engine such as node-re2. RE2 is a safe alternative that does not support backtracking, which is what leads to ReDoS.
Example using re2 which does not support backtracking (Note: it is still recommended to never use user-supplied input):
For more information on Regular Expression DoS see:
https://github.com/nalbion/WebGoat/blob/a90557d5cc25748dca078c58479df6bd630e6a34/src/main/resources/webgoat/static/js/libs/polyglot.min.js#L17 #
ID: 01HX8MRPBAXNB9566W73MG6BFW
Language: Java
Severity: π΅ MEDIUM
CWE-259
Java password rule hardcodekeyequals
A potential hard-coded password was identified in a hard-coded string. Passwords should not be stored directly in code but loaded from secure locations such as a Key Management System (KMS).
The purpose of using a Key Management System is so access can be audited and keys easily rotated in the event of a breach. By hardcoding passwords, it will be extremely difficult to determine when or if, a key is compromised.
The recommendation on which KMS to use depends on the environment the application is running in:
https://github.com/nalbion/WebGoat/blob/a90557d5cc25748dca078c58479df6bd630e6a34/src/main/java/org/owasp/webgoat/lessons/jwt/JWTRefreshEndpoint.java#L77 #
ID: 01HX8MRPBAXNB9566W6E46DBAK
Language: JavaScript
Severity: π΅ MEDIUM
CWE-95
Javascript eval rule eval with expression
The application was found calling the
eval
function OR Function() constructor OR setTimeout() OR setInterval() methods. If thevariables or strings or functions passed to these methods contains user-supplied input, an adversary could attempt to execute arbitrary
JavaScript
code. This could lead to a full system compromise in Node applications or Cross-site Scripting
(XSS) in web applications.
To remediate this issue, remove all calls to above methods and consider alternative methods for
executing
the necessary business logic. There is almost no safe method of calling
eval
or other above stated sinks withuser-supplied input.
Instead, consider alternative methods such as using property accessors to dynamically access
values.
Example using property accessors to dynamically access an object's property:
For more information on why not to use
eval
, and alternatives see:https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval#never_use_eval!
Other References:
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Function/Function
https://developer.mozilla.org/en-US/docs/Web/API/setTimeout
https://developer.mozilla.org/en-US/docs/Web/API/setInterval
https://github.com/nalbion/WebGoat/blob/a90557d5cc25748dca078c58479df6bd630e6a34/src/main/resources/webgoat/static/js/libs/require.min.js#L5 #
ID: 01HX8MRPBAXNB9566W6H0XKCEN
Language: JavaScript
Severity: π΅ MEDIUM
CWE-185
Regex dos
Ensure that the regex used to compare with user supplied input is safe from regular expression denial of service. https://github.com/nalbion/WebGoat/blob/a90557d5cc25748dca078c58479df6bd630e6a34/src/main/resources/webgoat/static/js/libs/require.min.js#L5 #
ID: 01HX8MRPBAXNB9566W6KTJVMPW
Language: JavaScript
Severity: π΅ MEDIUM
CWE-185
Javascript dos rule non literal regexp
The
RegExp
constructor was called with a non-literal value. If an adversary were able to supply a malicious regex, they could cause a Regular Expression Denial of Service (ReDoS) against the application. In Node applications, this could cause the entire application to no longer be responsive to other users' requests.To remediate this issue, never allow user-supplied regular expressions. Instead, the regular expression should be hardcoded. If this is not possible, consider using an alternative regular expression engine such as node-re2. RE2 is a safe alternative that does not support backtracking, which is what leads to ReDoS.
Example using re2 which does not support backtracking (Note: it is still recommended to never use user-supplied input):
For more information on Regular Expression DoS see:
https://github.com/nalbion/WebGoat/blob/a90557d5cc25748dca078c58479df6bd630e6a34/src/main/resources/webgoat/static/js/libs/underscore-min.js#L6 #
ID: 01HX8MRPBAXNB9566W6J5FDAV2
Language: JavaScript
Severity: π΅ MEDIUM
CWE-327
Node insecure random generator
crypto.pseudoRandomBytes()/Math.random() is a cryptographically weak random number generator. https://github.com/nalbion/WebGoat/blob/a90557d5cc25748dca078c58479df6bd630e6a34/src/main/resources/webgoat/static/js/libs/underscore-min.js#L6 #
ID: 01HX8MRPBAXNB9566W5QD42XX0
Language: JavaScript
Severity: π΅ MEDIUM
CWE-185
Javascript dos rule non literal regexp
The
RegExp
constructor was called with a non-literal value. If an adversary were able to supply a malicious regex, they could cause a Regular Expression Denial of Service (ReDoS) against the application. In Node applications, this could cause the entire application to no longer be responsive to other users' requests.To remediate this issue, never allow user-supplied regular expressions. Instead, the regular expression should be hardcoded. If this is not possible, consider using an alternative regular expression engine such as node-re2. RE2 is a safe alternative that does not support backtracking, which is what leads to ReDoS.
Example using re2 which does not support backtracking (Note: it is still recommended to never use user-supplied input):
For more information on Regular Expression DoS see:
https://github.com/nalbion/WebGoat/blob/a90557d5cc25748dca078c58479df6bd630e6a34/src/main/resources/webgoat/static/js/libs/backbone-min.js#L1 #
ID: 01HX8MRPBAXNB9566W72CDJ820
Language: Java
Severity: π΅ MEDIUM
CWE-259
Java password rule hardcodekeyequals
A potential hard-coded password was identified in a hard-coded string. Passwords should not be stored directly in code but loaded from secure locations such as a Key Management System (KMS).
The purpose of using a Key Management System is so access can be audited and keys easily rotated in the event of a breach. By hardcoding passwords, it will be extremely difficult to determine when or if, a key is compromised.
The recommendation on which KMS to use depends on the environment the application is running in:
https://github.com/nalbion/WebGoat/blob/a90557d5cc25748dca078c58479df6bd630e6a34/src/main/java/org/owasp/webgoat/lessons/cryptography/XOREncodingAssignment.java#L40 #
ID: 01HX8MRPBAXNB9566W71RD8F61
Language: Java
Severity: π΅ MEDIUM
CWE-259
Java password rule hardcodekeyequals
A potential hard-coded password was identified in a hard-coded string. Passwords should not be stored directly in code but loaded from secure locations such as a Key Management System (KMS).
The purpose of using a Key Management System is so access can be audited and keys easily rotated in the event of a breach. By hardcoding passwords, it will be extremely difficult to determine when or if, a key is compromised.
The recommendation on which KMS to use depends on the environment the application is running in:
https://github.com/nalbion/WebGoat/blob/a90557d5cc25748dca078c58479df6bd630e6a34/src/main/java/org/owasp/webgoat/lessons/cryptography/SecureDefaultsAssignment.java#L47 #
ID: 01HX8MRPBAXNB9566W735M4A65
Language: Java
Severity: π΅ MEDIUM
CWE-330
Java random rule pseudorandom
Depending on the context, generating weak random numbers may expose cryptographic functions which rely on these numbers, to be exploitable. When generating numbers for sensitive values such as tokens, nonces, and cryptographic keys, it is recommended that the
DRBG
instance ofSecureRandom
be used.Example using
DRBG
withSecureRandom
:For more information on Java Cryptography see: https://docs.oracle.com/en/java/javase/15/security/java-cryptography-architecture-jca-reference-guide.html
https://github.com/nalbion/WebGoat/blob/a90557d5cc25748dca078c58479df6bd630e6a34/src/main/java/org/owasp/webgoat/lessons/hijacksession/cas/HijackSessionAuthenticationProvider.java#L48 #
ID: 01HX8MRPBAXNB9566W6RQ9WRQ6
Language: JavaScript
Severity: π΅ MEDIUM
CWE-327
Node insecure random generator
crypto.pseudoRandomBytes()/Math.random() is a cryptographically weak random number generator. https://github.com/nalbion/WebGoat/blob/a90557d5cc25748dca078c58479df6bd630e6a34/src/main/resources/webgoat/static/js/modernizr.min.js#L3 #
ID: 01HX8MRPBAXNB9566W6WYKT52Q
Language: Java
Severity: π΅ MEDIUM
CWE-327
Java crypto rule weakmessagedigest
The application was found using an insecure or risky digest or signature algorithm. Both MD5 and SHA1 hash algorithms have been found to be vulnerable to producing collisions. This means that two different values, when hashed, can lead to the same hash value. If the application is trying to use these hash methods for storing passwords, then it is recommended to switch to a password hashing algorithm such as Argon2id or PBKDF2. strongly recommended that a standard Digest algorithm be chosen instead as implementing a digest by hand is error-prone.
Example of creating a SHA-384 hash:
For more information on secure password storage see OWASP: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html
https://github.com/nalbion/WebGoat/blob/a90557d5cc25748dca078c58479df6bd630e6a34/src/main/java/org/owasp/webgoat/lessons/cryptography/HashingAssignment.java#L55 #
ID: 01HX8MRPBAXNB9566W7DZEMEAN
Language: Java
Severity: π΅ MEDIUM
CWE-259
Java password rule hardcodekeyequals
A potential hard-coded password was identified in a hard-coded string. Passwords should not be stored directly in code but loaded from secure locations such as a Key Management System (KMS).
The purpose of using a Key Management System is so access can be audited and keys easily rotated in the event of a breach. By hardcoding passwords, it will be extremely difficult to determine when or if, a key is compromised.
The recommendation on which KMS to use depends on the environment the application is running in:
https://github.com/nalbion/WebGoat/blob/a90557d5cc25748dca078c58479df6bd630e6a34/src/main/java/org/owasp/webgoat/lessons/lessontemplate/SampleAttack.java#L60 #
ID: 01HX8MRPBAXNB9566W6RTNDFKW
Language: Java
Severity: π΅ MEDIUM
CWE-259
Java password rule hardcodekeyequals
A potential hard-coded password was identified in a hard-coded string. Passwords should not be stored directly in code but loaded from secure locations such as a Key Management System (KMS).
The purpose of using a Key Management System is so access can be audited and keys easily rotated in the event of a breach. By hardcoding passwords, it will be extremely difficult to determine when or if, a key is compromised.
The recommendation on which KMS to use depends on the environment the application is running in:
https://github.com/nalbion/WebGoat/blob/a90557d5cc25748dca078c58479df6bd630e6a34/src/main/java/org/owasp/webgoat/lessons/challenges/challenge7/Assignment7.java#L60 #
ID: 01HX8MRPBAXNB9566W7HJV5WMB
Language: Java
Severity: π΅ MEDIUM
CWE-259
Java password rule hardcodekeyequals
A potential hard-coded password was identified in a hard-coded string. Passwords should not be stored directly in code but loaded from secure locations such as a Key Management System (KMS).
The purpose of using a Key Management System is so access can be audited and keys easily rotated in the event of a breach. By hardcoding passwords, it will be extremely difficult to determine when or if, a key is compromised.
The recommendation on which KMS to use depends on the environment the application is running in:
https://github.com/nalbion/WebGoat/blob/a90557d5cc25748dca078c58479df6bd630e6a34/src/main/java/org/owasp/webgoat/lessons/logging/LogBleedingTask.java#L60 #
ID: 01HX8MRPBAXNB9566W878S0ZXD
Language: Java
Severity: π΅ MEDIUM
CWE-89
Java inject rule custominjection
SQL Injection is a critical vulnerability that can lead to data or system compromise. By dynamically generating SQL query strings, user input may be able to influence the logic of the SQL statement. This could lead to an adversary accessing information they should not have access to, or in some circumstances, being able to execute OS functionality or code.
Replace all dynamically generated SQL queries with parameterized queries. In situations where dynamic queries must be created, never use direct user input, but instead use a map or dictionary of valid values and resolve them using a user-supplied key.
For example, some database drivers do not allow parameterized queries for
>
or<
comparison operators. In these cases, do not use a user supplied>
or<
value, but rather have the user supply agt
orlt
value. The alphabetical values are then used to look up the>
and<
values to be used in the construction of the dynamic query. The same goes for other queries where column or table names are required but cannot be parameterized.Example using
PreparedStatement
queries:For more information on SQL Injection see OWASP: https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html
https://github.com/nalbion/WebGoat/blob/a90557d5cc25748dca078c58479df6bd630e6a34/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson10.java#L64-L78 #
ID: 01HX8MRPBAXNB9566W8ANW7TGK
Language: Java
Severity: π΅ MEDIUM
CWE-89
Java inject rule custominjection
SQL Injection is a critical vulnerability that can lead to data or system compromise. By dynamically generating SQL query strings, user input may be able to influence the logic of the SQL statement. This could lead to an adversary accessing information they should not have access to, or in some circumstances, being able to execute OS functionality or code.
Replace all dynamically generated SQL queries with parameterized queries. In situations where dynamic queries must be created, never use direct user input, but instead use a map or dictionary of valid values and resolve them using a user-supplied key.
For example, some database drivers do not allow parameterized queries for
>
or<
comparison operators. In these cases, do not use a user supplied>
or<
value, but rather have the user supply agt
orlt
value. The alphabetical values are then used to look up the>
and<
values to be used in the construction of the dynamic query. The same goes for other queries where column or table names are required but cannot be parameterized.Example using
PreparedStatement
queries:For more information on SQL Injection see OWASP: https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html
https://github.com/nalbion/WebGoat/blob/a90557d5cc25748dca078c58479df6bd630e6a34/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson9.java#L66-L80 #
ID: 01HX8MRPBAXNB9566W5WVD8WED
Language: JavaScript
Severity: π΅ MEDIUM
CWE-185
Javascript dos rule non literal regexp
The
RegExp
constructor was called with a non-literal value. If an adversary were able to supply a malicious regex, they could cause a Regular Expression Denial of Service (ReDoS) against the application. In Node applications, this could cause the entire application to no longer be responsive to other users' requests.To remediate this issue, never allow user-supplied regular expressions. Instead, the regular expression should be hardcoded. If this is not possible, consider using an alternative regular expression engine such as node-re2. RE2 is a safe alternative that does not support backtracking, which is what leads to ReDoS.
Example using re2 which does not support backtracking (Note: it is still recommended to never use user-supplied input):
For more information on Regular Expression DoS see:
https://github.com/nalbion/WebGoat/blob/a90557d5cc25748dca078c58479df6bd630e6a34/src/main/resources/webgoat/static/js/libs/jquery-2.1.4.min.js#L3 #
ID: 01HX8MRPBAXNB9566W6Q889RCD
Language: JavaScript
Severity: π΅ MEDIUM
CWE-185
Javascript dos rule non literal regexp
The
RegExp
constructor was called with a non-literal value. If an adversary were able to supply a malicious regex, they could cause a Regular Expression Denial of Service (ReDoS) against the application. In Node applications, this could cause the entire application to no longer be responsive to other users' requests.To remediate this issue, never allow user-supplied regular expressions. Instead, the regular expression should be hardcoded. If this is not possible, consider using an alternative regular expression engine such as node-re2. RE2 is a safe alternative that does not support backtracking, which is what leads to ReDoS.
Example using re2 which does not support backtracking (Note: it is still recommended to never use user-supplied input):
For more information on Regular Expression DoS see:
https://github.com/nalbion/WebGoat/blob/a90557d5cc25748dca078c58479df6bd630e6a34/src/main/resources/webgoat/static/js/modernizr.min.js#L3 #
ID: 01HX8MRPBAXNB9566W6QRHNH2M
Language: JavaScript
Severity: π΅ MEDIUM
CWE-95
Javascript eval rule eval with expression
The application was found calling the
eval
function OR Function() constructor OR setTimeout() OR setInterval() methods. If thevariables or strings or functions passed to these methods contains user-supplied input, an adversary could attempt to execute arbitrary
JavaScript
code. This could lead to a full system compromise in Node applications or Cross-site Scripting
(XSS) in web applications.
To remediate this issue, remove all calls to above methods and consider alternative methods for
executing
the necessary business logic. There is almost no safe method of calling
eval
or other above stated sinks withuser-supplied input.
Instead, consider alternative methods such as using property accessors to dynamically access
values.
Example using property accessors to dynamically access an object's property:
For more information on why not to use
eval
, and alternatives see:https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval#never_use_eval!
Other References:
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Function/Function
https://developer.mozilla.org/en-US/docs/Web/API/setTimeout
https://developer.mozilla.org/en-US/docs/Web/API/setInterval
https://github.com/nalbion/WebGoat/blob/a90557d5cc25748dca078c58479df6bd630e6a34/src/main/resources/webgoat/static/js/modernizr.min.js#L3 #
ID: 01HX8MRPBAXNB9566W7QP805RH
Language: Java
Severity: π΅ MEDIUM
CWE-1004
Java cookie rule cookiehttponly
The
HttpOnly
attribute when set totrue
protects the cookie value from being accessed by client side JavaScript such as reading thedocument.cookie
values. By enabling this protection, a website that is vulnerable to Cross-Site Scripting (XSS) will be able to block malicious scripts from accessing the cookie value from JavaScript.Example of protecting a
Cookie
:For more information see: https://jakarta.ee/specifications/servlet/4.0/apidocs/javax/servlet/http/cookie#setHttpOnly-boolean-
Session cookies should be configured with the following security directives:
https://github.com/nalbion/WebGoat/blob/a90557d5cc25748dca078c58479df6bd630e6a34/src/main/java/org/owasp/webgoat/lessons/spoofcookie/SpoofCookieAssignment.java#L79-L81 #
ID: 01HX8MRPBAXNB9566W7S31AZX9
Language: Java
Severity: π΅ MEDIUM
CWE-614
Java cookie rule cookieinsecure
The
Secure
attribute when set totrue
protects the cookie value from being being transmitted over clear text communication paths such as HTTP. By enabling this protection, the cookie will only be sent over HTTPS.Example of protecting a
Cookie
:For more information see: https://jakarta.ee/specifications/servlet/4.0/apidocs/javax/servlet/http/cookie#setSecure-boolean-
Session cookies should be configured with the following security directives:
https://github.com/nalbion/WebGoat/blob/a90557d5cc25748dca078c58479df6bd630e6a34/src/main/java/org/owasp/webgoat/lessons/spoofcookie/SpoofCookieAssignment.java#L79-L81 #
ID: 01HX8MRPBAXNB9566W72CH21X0
Language: Java
Severity: π΅ MEDIUM
CWE-1004
Java cookie rule cookiehttponly
The
HttpOnly
attribute when set totrue
protects the cookie value from being accessed by client side JavaScript such as reading thedocument.cookie
values. By enabling this protection, a website that is vulnerable to Cross-Site Scripting (XSS) will be able to block malicious scripts from accessing the cookie value from JavaScript.Example of protecting a
Cookie
:For more information see: https://jakarta.ee/specifications/servlet/4.0/apidocs/javax/servlet/http/cookie#setHttpOnly-boolean-
Session cookies should be configured with the following security directives:
https://github.com/nalbion/WebGoat/blob/a90557d5cc25748dca078c58479df6bd630e6a34/src/main/java/org/owasp/webgoat/lessons/hijacksession/HijackSessionAssignment.java#L86-L89 #
ID: 01HX8MRPBAXNB9566W7HYCAN49
Language: Java
Severity: π΅ MEDIUM
CWE-259
Java password rule hardcodekeyequals
A potential hard-coded password was identified in a hard-coded string. Passwords should not be stored directly in code but loaded from secure locations such as a Key Management System (KMS).
The purpose of using a Key Management System is so access can be audited and keys easily rotated in the event of a breach. By hardcoding passwords, it will be extremely difficult to determine when or if, a key is compromised.
The recommendation on which KMS to use depends on the environment the application is running in:
https://github.com/nalbion/WebGoat/blob/a90557d5cc25748dca078c58479df6bd630e6a34/src/main/java/org/owasp/webgoat/lessons/passwordreset/ResetLinkAssignment.java#L88 #
ID: 01HX8MRPBAXNB9566W7MP18JKD
Language: Java
Severity: π΅ MEDIUM
CWE-259
Java password rule hardcodekeyequals
A potential hard-coded password was identified in a hard-coded string. Passwords should not be stored directly in code but loaded from secure locations such as a Key Management System (KMS).
The purpose of using a Key Management System is so access can be audited and keys easily rotated in the event of a breach. By hardcoding passwords, it will be extremely difficult to determine when or if, a key is compromised.
The recommendation on which KMS to use depends on the environment the application is running in:
https://github.com/nalbion/WebGoat/blob/a90557d5cc25748dca078c58479df6bd630e6a34/src/main/java/org/owasp/webgoat/lessons/passwordreset/ResetLinkAssignment.java#L90 #
ID: 01HX8MRPBAXNB9566W6XG372VB
Language: Java
Severity: π΅ MEDIUM
CWE-259
Java password rule hardcodekeyequals
A potential hard-coded password was identified in a hard-coded string. Passwords should not be stored directly in code but loaded from secure locations such as a Key Management System (KMS).
The purpose of using a Key Management System is so access can be audited and keys easily rotated in the event of a breach. By hardcoding passwords, it will be extremely difficult to determine when or if, a key is compromised.
The recommendation on which KMS to use depends on the environment the application is running in:
https://github.com/nalbion/WebGoat/blob/a90557d5cc25748dca078c58479df6bd630e6a34/src/main/java/org/owasp/webgoat/lessons/cryptography/HashingAssignment.java#L90 #
ID: 01HX8MRPBAXNB9566W6YR1PPBJ
Language: Java
Severity: π΅ MEDIUM
CWE-259
Java password rule hardcodekeyequals
A potential hard-coded password was identified in a hard-coded string. Passwords should not be stored directly in code but loaded from secure locations such as a Key Management System (KMS).
The purpose of using a Key Management System is so access can be audited and keys easily rotated in the event of a breach. By hardcoding passwords, it will be extremely difficult to determine when or if, a key is compromised.
The recommendation on which KMS to use depends on the environment the application is running in:
https://github.com/nalbion/WebGoat/blob/a90557d5cc25748dca078c58479df6bd630e6a34/src/main/java/org/owasp/webgoat/lessons/cryptography/HashingAssignment.java#L92 #
ID: 01HX8MRPBAXNB9566W7Q2Z3VXD
Language: Java
Severity: π΅ MEDIUM
CWE-22
Java inject rule spotbugspathtraversalabsolute
The application dynamically constructs file or path information. If the path information comes from user input, it could be abused to read sensitive files, access other users' data, or aid in exploitation to gain further system access.
User input should never be used in constructing paths or files for interacting with the filesystem. This includes filenames supplied by user uploads or downloads. If possible, consider hashing user input or replacing it with unique values and use
Path.resolve
to resolve and validate the path information prior to processing any file functionality.Example using
Path.resolve
and not allowing direct user input:For more information on path traversal issues see OWASP: https://owasp.org/www-community/attacks/Path_Traversal
https://github.com/nalbion/WebGoat/blob/a90557d5cc25748dca078c58479df6bd630e6a34/src/main/java/org/owasp/webgoat/lessons/pathtraversal/ProfileUploadRetrieval.java#L92 #
ID: 01HX8MRPBAXNB9566W7VFE65FW
Language: Java
Severity: π΅ MEDIUM
CWE-259
Java password rule hardcodekeyequals
A potential hard-coded password was identified in a hard-coded string. Passwords should not be stored directly in code but loaded from secure locations such as a Key Management System (KMS).
The purpose of using a Key Management System is so access can be audited and keys easily rotated in the event of a breach. By hardcoding passwords, it will be extremely difficult to determine when or if, a key is compromised.
The recommendation on which KMS to use depends on the environment the application is running in:
https://github.com/nalbion/WebGoat/blob/a90557d5cc25748dca078c58479df6bd630e6a34/src/main/java/org/owasp/webgoat/lessons/spoofcookie/SpoofCookieAssignment.java#L93 #
ID: 01HX8MRPBAXNB9566W7YSSHZGS
Language: Java
Severity: π΅ MEDIUM
CWE-1004
Java cookie rule cookiehttponly
The
HttpOnly
attribute when set totrue
protects the cookie value from being accessed by client side JavaScript such as reading thedocument.cookie
values. By enabling this protection, a website that is vulnerable to Cross-Site Scripting (XSS) will be able to block malicious scripts from accessing the cookie value from JavaScript.Example of protecting a
Cookie
:For more information see: https://jakarta.ee/specifications/servlet/4.0/apidocs/javax/servlet/http/cookie#setHttpOnly-boolean-
Session cookies should be configured with the following security directives:
https://github.com/nalbion/WebGoat/blob/a90557d5cc25748dca078c58479df6bd630e6a34/src/main/java/org/owasp/webgoat/lessons/spoofcookie/SpoofCookieAssignment.java#L95-L98 #
ID: 01HX8MRPBAXNB9566W759HGF14
Language: Java
Severity: π΅ MEDIUM
CWE-1004
Java cookie rule cookiehttponly
The
HttpOnly
attribute when set totrue
protects the cookie value from being accessed by client side JavaScript such as reading thedocument.cookie
values. By enabling this protection, a website that is vulnerable to Cross-Site Scripting (XSS) will be able to block malicious scripts from accessing the cookie value from JavaScript.Example of protecting a
Cookie
:For more information see: https://jakarta.ee/specifications/servlet/4.0/apidocs/javax/servlet/http/cookie#setHttpOnly-boolean-
Session cookies should be configured with the following security directives:
https://github.com/nalbion/WebGoat/blob/a90557d5cc25748dca078c58479df6bd630e6a34/src/main/java/org/owasp/webgoat/lessons/jwt/JWTVotesEndpoint.java#L130-L131 #
ID: 01HX8MRPBAXNB9566W77FZM15T
Language: Java
Severity: π΅ MEDIUM
CWE-614
Java cookie rule cookieinsecure
The
Secure
attribute when set totrue
protects the cookie value from being being transmitted over clear text communication paths such as HTTP. By enabling this protection, the cookie will only be sent over HTTPS.Example of protecting a
Cookie
:For more information see: https://jakarta.ee/specifications/servlet/4.0/apidocs/javax/servlet/http/cookie#setSecure-boolean-
Session cookies should be configured with the following security directives:
https://github.com/nalbion/WebGoat/blob/a90557d5cc25748dca078c58479df6bd630e6a34/src/main/java/org/owasp/webgoat/lessons/jwt/JWTVotesEndpoint.java#L130-L131 #
ID: 01HX8MRPBAXNB9566W7A0CRTXV
Language: Java
Severity: π΅ MEDIUM
CWE-614
Java cookie rule cookieinsecure
The
Secure
attribute when set totrue
protects the cookie value from being being transmitted over clear text communication paths such as HTTP. By enabling this protection, the cookie will only be sent over HTTPS.Example of protecting a
Cookie
:For more information see: https://jakarta.ee/specifications/servlet/4.0/apidocs/javax/servlet/http/cookie#setSecure-boolean-
Session cookies should be configured with the following security directives:
https://github.com/nalbion/WebGoat/blob/a90557d5cc25748dca078c58479df6bd630e6a34/src/main/java/org/owasp/webgoat/lessons/jwt/JWTVotesEndpoint.java#L135-L136 #
ID: 01HX8MRPBAXNB9566W7854W1WY
Language: Java
Severity: π΅ MEDIUM
CWE-1004
Java cookie rule cookiehttponly
The
HttpOnly
attribute when set totrue
protects the cookie value from being accessed by client side JavaScript such as reading thedocument.cookie
values. By enabling this protection, a website that is vulnerable to Cross-Site Scripting (XSS) will be able to block malicious scripts from accessing the cookie value from JavaScript.Example of protecting a
Cookie
:For more information see: https://jakarta.ee/specifications/servlet/4.0/apidocs/javax/servlet/http/cookie#setHttpOnly-boolean-
Session cookies should be configured with the following security directives:
https://github.com/nalbion/WebGoat/blob/a90557d5cc25748dca078c58479df6bd630e6a34/src/main/java/org/owasp/webgoat/lessons/jwt/JWTVotesEndpoint.java#L135-L136 #
ID: 01HX8MRPBAXNB9566W5TFERSJN
Language: JavaScript
Severity: π΅ MEDIUM
CWE-185
Javascript dos rule non literal regexp
The
RegExp
constructor was called with a non-literal value. If an adversary were able to supply a malicious regex, they could cause a Regular Expression Denial of Service (ReDoS) against the application. In Node applications, this could cause the entire application to no longer be responsive to other users' requests.To remediate this issue, never allow user-supplied regular expressions. Instead, the regular expression should be hardcoded. If this is not possible, consider using an alternative regular expression engine such as node-re2. RE2 is a safe alternative that does not support backtracking, which is what leads to ReDoS.
Example using re2 which does not support backtracking (Note: it is still recommended to never use user-supplied input):
For more information on Regular Expression DoS see:
https://github.com/nalbion/WebGoat/blob/a90557d5cc25748dca078c58479df6bd630e6a34/src/main/resources/webgoat/static/js/libs/jquery-2.1.4.min.js#L2 #
ID: 01HX8MRPBAXNB9566W5QF1KZFD
Language: JavaScript
Severity: π΅ MEDIUM
CWE-327
Node insecure random generator
crypto.pseudoRandomBytes()/Math.random() is a cryptographically weak random number generator. https://github.com/nalbion/WebGoat/blob/a90557d5cc25748dca078c58479df6bd630e6a34/src/main/resources/webgoat/static/js/libs/jquery-2.1.4.min.js#L2 #
ID: 01HX8MRPBAXNB9566W5Y18MQVJ
Language: JavaScript
Severity: π΅ MEDIUM
CWE-185
Regex dos
Ensure that the regex used to compare with user supplied input is safe from regular expression denial of service. https://github.com/nalbion/WebGoat/blob/a90557d5cc25748dca078c58479df6bd630e6a34/src/main/resources/webgoat/static/js/libs/mode-java.js#L534 #
ID: 01HX8MRPBAXNB9566W61CHVNEH
Language: JavaScript
Severity: π΅ MEDIUM
CWE-185
Javascript dos rule non literal regexp
The
RegExp
constructor was called with a non-literal value. If an adversary were able to supply a malicious regex, they could cause a Regular Expression Denial of Service (ReDoS) against the application. In Node applications, this could cause the entire application to no longer be responsive to other users' requests.To remediate this issue, never allow user-supplied regular expressions. Instead, the regular expression should be hardcoded. If this is not possible, consider using an alternative regular expression engine such as node-re2. RE2 is a safe alternative that does not support backtracking, which is what leads to ReDoS.
Example using re2 which does not support backtracking (Note: it is still recommended to never use user-supplied input):
For more information on Regular Expression DoS see:
https://github.com/nalbion/WebGoat/blob/a90557d5cc25748dca078c58479df6bd630e6a34/src/main/resources/webgoat/static/js/libs/mode-java.js#L573-L575 #
ID: 01HX8MRPBAXNB9566W652RA6NW
Language: JavaScript
Severity: π΅ MEDIUM
CWE-185
Javascript dos rule non literal regexp
The
RegExp
constructor was called with a non-literal value. If an adversary were able to supply a malicious regex, they could cause a Regular Expression Denial of Service (ReDoS) against the application. In Node applications, this could cause the entire application to no longer be responsive to other users' requests.To remediate this issue, never allow user-supplied regular expressions. Instead, the regular expression should be hardcoded. If this is not possible, consider using an alternative regular expression engine such as node-re2. RE2 is a safe alternative that does not support backtracking, which is what leads to ReDoS.
Example using re2 which does not support backtracking (Note: it is still recommended to never use user-supplied input):
For more information on Regular Expression DoS see:
https://github.com/nalbion/WebGoat/blob/a90557d5cc25748dca078c58479df6bd630e6a34/src/main/resources/webgoat/static/js/libs/mode-java.js#L576-L578 #
ID: 01HX8MRPBAXNB9566W67Q35C9A
Language: JavaScript
Severity: π΅ MEDIUM
CWE-185
Regex dos
Ensure that the regex used to compare with user supplied input is safe from regular expression denial of service. https://github.com/nalbion/WebGoat/blob/a90557d5cc25748dca078c58479df6bd630e6a34/src/main/resources/webgoat/static/js/libs/mode-java.js#L685-L686
Reply with
/nullify
to interact with me like another developer