search

nalbion / WebGoat

WebGoat is a deliberately insecure application
https://owasp.org/www-project-webgoat/
Other
0 stars 0 forks source link

Vulnerabilities Dashboard - Code #3

Open nalbion-nullify[bot] opened 2 months ago

nalbion-nullify[bot] commented 2 months ago

Severity Threshold: πŸ”΅ MEDIUM

45 Potential vulnerability sources found within this repo

πŸ”΄ CRITICAL 🟑 HIGH πŸ”΅ MEDIUM βšͺ LOW
0 5 40 0

ID: 01HX8MRPBAXNB9566W8CF8G1BP Language: Java Severity: 🟑 HIGH CWE-918

Java ssrf rule ssrf

Server-Side-Request-Forgery (SSRF) exploits backend systems that initiate requests to third parties. If user input is used in constructing or sending these requests, an attacker could supply malicious data to force the request to other systems or modify request data to cause unwanted actions.

Ensure user input is not used directly in constructing URLs or URIs when initiating requests to third party systems from back end systems. Care must also be taken when constructing payloads using user input. Where possible restrict to known URIs or payloads. Consider using a server-side map where keys are used to return URLs such as https://site/goto?key=1 where {key: 1, url: 'http://some.url/', key: 2, url: 'http://...'}.

If you must use user-supplied input for requesting URLs, it is strongly recommended that the HTTP client chosen allows you to customize and block certain IP ranges at the network level. By blocking RFC 1918 addresses or other network address ranges, you can limit the severity of a successful SSRF attack. Care must also be taken to block certain protocol or address formatting such as IPv6.

If you cannot block address ranges at the client level, you may want to run the HTTP client as a protected user, or in a protected network where you can apply IP Table or firewall rules to block access to dangerous addresses. Finally, if none of the above protections are available, you could also run a custom HTTP proxy and force all requests through it to handle blocking dangerous addresses.

Example using a map to look up a key to be used in a HTTP request:

HashMap<String, String> lookupTable = new HashMap<>();
lookupTable.put("key1", "https://example.com/");
lookupTable.put("key2", "https://safeurl.com/");
String userInput = request.getParameter("key");

// Create a CloseableHttpClient, ideally any requests issued should be done
// out-of-band from the servlet request itself (such as using a separate thread/scheduler
system)
try (final CloseableHttpClient httpClient = HttpClients.createDefault()) {
    // Lookup the value from our user input from our lookupTable
    String value = lookupTable.getOrDefault(userInput, "https://example.com/");
    // Construct the url, with the hardcoded url and only pass in the value from the
lookupTable,
    // not direct user input
    final HttpGet httpget = new HttpGet(value);
    // Execute the request
    CloseableHttpResponse clientResponse = httpClient.execute(httpget);
    // Read the response
    byte[] responseData = clientResponse.getEntity().getContent().readAllBytes();
    // Handle the response
    // ...
}

If using a map is not possible, the user-supplied input must be encoded prior to use, and never allow full URLs:

// Get user input
String userInput = request.getParameter("key");
// Encode the string using java.net.URLEncoder with the UTF-8 character set
String encodedString = java.net.URLEncoder.encode(userInput, StandardCharsets.UTF_8);
// Create a CloseableHttpClient, ideally any requests issued should be done
// out-of-band from the servlet request itself (such as using a separate thread/scheduler
system)
try (final CloseableHttpClient httpClient = HttpClients.createDefault()) {
  // Construct the url, with the hardcoded url and only pass in the encoded value, never a
full URL
  final HttpGet httpget = new HttpGet("https://example.com/getId?key="+encodedString);
  // Execute the request
  CloseableHttpResponse clientResponse = httpClient.execute(httpget);
  // Read the response
  byte[] responseData = clientResponse.getEntity().getContent().readAllBytes();
  // handle the response
}

For more information on SSRF see OWASP: https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html

https://github.com/nalbion/WebGoat/blob/a90557d5cc25748dca078c58479df6bd630e6a34/src/main/java/org/owasp/webgoat/lessons/ssrf/SSRFTask2.java#L51 # ID: 01HX8MRPBAXNB9566W87KAK6NM Language: Java Severity: 🟑 HIGH CWE-89

Java inject rule sqlinjection

SQL Injection is a critical vulnerability that can lead to data or system compromise. By dynamically generating SQL query strings, user input may be able to influence the logic of the SQL statement. This could lead to an adversary accessing information they should not have access to, or in some circumstances, being able to execute OS functionality or code.

Replace all dynamically generated SQL queries with parameterized queries. In situations where dynamic queries must be created, never use direct user input, but instead use a map or dictionary of valid values and resolve them using a user-supplied key.

For example, some database drivers do not allow parameterized queries for > or < comparison operators. In these cases, do not use a user supplied > or < value, but rather have the user supply a gt or lt value. The alphabetical values are then used to look up the > and < values to be used in the construction of the dynamic query. The same goes for other queries where column or table names are required but cannot be parameterized.

Example using PreparedStatement queries:

// Some userInput
String userInput = "someUserInput";
// Your connection string
String url = "...";
// Get a connection from the DB via the DriverManager
Connection conn = DriverManager.getConnection(url);
// Create a prepared statement
PreparedStatement st = conn.prepareStatement("SELECT name FROM table where name=?");
// Set each parameters value by the index (starting from 1)
st.setString(1, userInput);
// Execute query and get the result set
ResultSet rs = st.executeQuery();
// Iterate over results
while (rs.next()) {
    // Get result for this row at the provided column number (starting from 1)
    String result = rs.getString(1);
    // ...
}
// Close the ResultSet
rs.close();
// Close the PreparedStatement
st.close();

For more information on SQL Injection see OWASP: https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html

https://github.com/nalbion/WebGoat/blob/a90557d5cc25748dca078c58479df6bd630e6a34/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson8.java#L158 # ID: 01HX8MRPBAXNB9566W6WB416ES Language: Java Severity: 🟑 HIGH CWE-321

Java password rule hardcodekey

A potential cryptographic key was identified in a hard-coded string. Cryptographic keys should not be stored directly in code but loaded from secure locations such as a Key Management System (KMS).

The purpose of using a Key Management System is so access can be audited and keys easily rotated in the event of a breach. By hardcoding passwords, it will be extremely difficult to determine when or if, a key is compromised.

The recommendation on which KMS to use depends on the environment the application is running in:

https://github.com/nalbion/WebGoat/blob/a90557d5cc25748dca078c58479df6bd630e6a34/src/main/java/org/owasp/webgoat/lessons/cryptography/CryptoUtil.java#L139 # ID: 01HX8MRPBAXNB9566W83BRC81D Language: Java Severity: 🟑 HIGH CWE-89

Java inject rule sqlinjection

SQL Injection is a critical vulnerability that can lead to data or system compromise. By dynamically generating SQL query strings, user input may be able to influence the logic of the SQL statement. This could lead to an adversary accessing information they should not have access to, or in some circumstances, being able to execute OS functionality or code.

Replace all dynamically generated SQL queries with parameterized queries. In situations where dynamic queries must be created, never use direct user input, but instead use a map or dictionary of valid values and resolve them using a user-supplied key.

For example, some database drivers do not allow parameterized queries for > or < comparison operators. In these cases, do not use a user supplied > or < value, but rather have the user supply a gt or lt value. The alphabetical values are then used to look up the > and < values to be used in the construction of the dynamic query. The same goes for other queries where column or table names are required but cannot be parameterized.

Example using PreparedStatement queries:

// Some userInput
String userInput = "someUserInput";
// Your connection string
String url = "...";
// Get a connection from the DB via the DriverManager
Connection conn = DriverManager.getConnection(url);
// Create a prepared statement
PreparedStatement st = conn.prepareStatement("SELECT name FROM table where name=?");
// Set each parameters value by the index (starting from 1)
st.setString(1, userInput);
// Execute query and get the result set
ResultSet rs = st.executeQuery();
// Iterate over results
while (rs.next()) {
    // Get result for this row at the provided column number (starting from 1)
    String result = rs.getString(1);
    // ...
}
// Close the ResultSet
rs.close();
// Close the PreparedStatement
st.close();

For more information on SQL Injection see OWASP: https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html

https://github.com/nalbion/WebGoat/blob/a90557d5cc25748dca078c58479df6bd630e6a34/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionLesson6a.java#L74 # ID: 01HX8MRPBAXNB9566W80WZ7HP9 Language: Java Severity: 🟑 HIGH CWE-89

Java inject rule sqlinjection

SQL Injection is a critical vulnerability that can lead to data or system compromise. By dynamically generating SQL query strings, user input may be able to influence the logic of the SQL statement. This could lead to an adversary accessing information they should not have access to, or in some circumstances, being able to execute OS functionality or code.

Replace all dynamically generated SQL queries with parameterized queries. In situations where dynamic queries must be created, never use direct user input, but instead use a map or dictionary of valid values and resolve them using a user-supplied key.

For example, some database drivers do not allow parameterized queries for > or < comparison operators. In these cases, do not use a user supplied > or < value, but rather have the user supply a gt or lt value. The alphabetical values are then used to look up the > and < values to be used in the construction of the dynamic query. The same goes for other queries where column or table names are required but cannot be parameterized.

Example using PreparedStatement queries:

// Some userInput
String userInput = "someUserInput";
// Your connection string
String url = "...";
// Get a connection from the DB via the DriverManager
Connection conn = DriverManager.getConnection(url);
// Create a prepared statement
PreparedStatement st = conn.prepareStatement("SELECT name FROM table where name=?");
// Set each parameters value by the index (starting from 1)
st.setString(1, userInput);
// Execute query and get the result set
ResultSet rs = st.executeQuery();
// Iterate over results
while (rs.next()) {
    // Get result for this row at the provided column number (starting from 1)
    String result = rs.getString(1);
    // ...
}
// Close the ResultSet
rs.close();
// Close the PreparedStatement
st.close();

For more information on SQL Injection see OWASP: https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html

https://github.com/nalbion/WebGoat/blob/a90557d5cc25748dca078c58479df6bd630e6a34/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionChallenge.java#L69 # ID: 01HX8MRPBAXNB9566W6B4JJJDP Language: JavaScript Severity: πŸ”΅ MEDIUM CWE-185

Javascript dos rule non literal regexp

The RegExp constructor was called with a non-literal value. If an adversary were able to supply a malicious regex, they could cause a Regular Expression Denial of Service (ReDoS) against the application. In Node applications, this could cause the entire application to no longer be responsive to other users' requests.

To remediate this issue, never allow user-supplied regular expressions. Instead, the regular expression should be hardcoded. If this is not possible, consider using an alternative regular expression engine such as node-re2. RE2 is a safe alternative that does not support backtracking, which is what leads to ReDoS.

Example using re2 which does not support backtracking (Note: it is still recommended to never use user-supplied input):

// Import the re2 module
const RE2 = require('re2');

function match(userSuppliedRegex, userInput) {
    // Create a RE2 object with the user supplied regex, this is relatively safe
    // due to RE2 not supporting backtracking which can be abused to cause long running
    // queries
    var re = new RE2(userSuppliedRegex);
    // Execute the regular expression against some userInput
    var result = re.exec(userInput);
    // Work with the result
}

For more information on Regular Expression DoS see:

https://github.com/nalbion/WebGoat/blob/a90557d5cc25748dca078c58479df6bd630e6a34/src/main/resources/webgoat/static/js/libs/polyglot.min.js#L17 # ID: 01HX8MRPBAXNB9566W73MG6BFW Language: Java Severity: πŸ”΅ MEDIUM CWE-259

Java password rule hardcodekeyequals

A potential hard-coded password was identified in a hard-coded string. Passwords should not be stored directly in code but loaded from secure locations such as a Key Management System (KMS).

The purpose of using a Key Management System is so access can be audited and keys easily rotated in the event of a breach. By hardcoding passwords, it will be extremely difficult to determine when or if, a key is compromised.

The recommendation on which KMS to use depends on the environment the application is running in:

https://github.com/nalbion/WebGoat/blob/a90557d5cc25748dca078c58479df6bd630e6a34/src/main/java/org/owasp/webgoat/lessons/jwt/JWTRefreshEndpoint.java#L77 # ID: 01HX8MRPBAXNB9566W6E46DBAK Language: JavaScript Severity: πŸ”΅ MEDIUM CWE-95

Javascript eval rule eval with expression

The application was found calling the eval function OR Function() constructor OR setTimeout() OR setInterval() methods. If the

variables or strings or functions passed to these methods contains user-supplied input, an adversary could attempt to execute arbitrary

JavaScript

code. This could lead to a full system compromise in Node applications or Cross-site Scripting

(XSS) in web applications.

To remediate this issue, remove all calls to above methods and consider alternative methods for

executing

the necessary business logic. There is almost no safe method of calling eval or other above stated sinks with

user-supplied input.

Instead, consider alternative methods such as using property accessors to dynamically access

values.

Example using property accessors to dynamically access an object's property:


  // Define an object

  const obj = {key1: 'value1', key2: 'value2'};

  // Get key dynamically from user input

  const key = getUserInput();

  // Check if the key exists in our object and return it, or a default empty string

  const value = (obj.hasOwnProperty(key)) ? obj[key] : '';

  // Work with the value

For more information on why not to use eval, and alternatives see:

https://github.com/nalbion/WebGoat/blob/a90557d5cc25748dca078c58479df6bd630e6a34/src/main/resources/webgoat/static/js/libs/require.min.js#L5 # ID: 01HX8MRPBAXNB9566W6H0XKCEN Language: JavaScript Severity: πŸ”΅ MEDIUM CWE-185

Regex dos

Ensure that the regex used to compare with user supplied input is safe from regular expression denial of service. https://github.com/nalbion/WebGoat/blob/a90557d5cc25748dca078c58479df6bd630e6a34/src/main/resources/webgoat/static/js/libs/require.min.js#L5 # ID: 01HX8MRPBAXNB9566W6KTJVMPW Language: JavaScript Severity: πŸ”΅ MEDIUM CWE-185

Javascript dos rule non literal regexp

The RegExp constructor was called with a non-literal value. If an adversary were able to supply a malicious regex, they could cause a Regular Expression Denial of Service (ReDoS) against the application. In Node applications, this could cause the entire application to no longer be responsive to other users' requests.

To remediate this issue, never allow user-supplied regular expressions. Instead, the regular expression should be hardcoded. If this is not possible, consider using an alternative regular expression engine such as node-re2. RE2 is a safe alternative that does not support backtracking, which is what leads to ReDoS.

Example using re2 which does not support backtracking (Note: it is still recommended to never use user-supplied input):

// Import the re2 module
const RE2 = require('re2');

function match(userSuppliedRegex, userInput) {
    // Create a RE2 object with the user supplied regex, this is relatively safe
    // due to RE2 not supporting backtracking which can be abused to cause long running
    // queries
    var re = new RE2(userSuppliedRegex);
    // Execute the regular expression against some userInput
    var result = re.exec(userInput);
    // Work with the result
}

For more information on Regular Expression DoS see:

https://github.com/nalbion/WebGoat/blob/a90557d5cc25748dca078c58479df6bd630e6a34/src/main/resources/webgoat/static/js/libs/underscore-min.js#L6 # ID: 01HX8MRPBAXNB9566W6J5FDAV2 Language: JavaScript Severity: πŸ”΅ MEDIUM CWE-327

Node insecure random generator

crypto.pseudoRandomBytes()/Math.random() is a cryptographically weak random number generator. https://github.com/nalbion/WebGoat/blob/a90557d5cc25748dca078c58479df6bd630e6a34/src/main/resources/webgoat/static/js/libs/underscore-min.js#L6 # ID: 01HX8MRPBAXNB9566W5QD42XX0 Language: JavaScript Severity: πŸ”΅ MEDIUM CWE-185

Javascript dos rule non literal regexp

The RegExp constructor was called with a non-literal value. If an adversary were able to supply a malicious regex, they could cause a Regular Expression Denial of Service (ReDoS) against the application. In Node applications, this could cause the entire application to no longer be responsive to other users' requests.

To remediate this issue, never allow user-supplied regular expressions. Instead, the regular expression should be hardcoded. If this is not possible, consider using an alternative regular expression engine such as node-re2. RE2 is a safe alternative that does not support backtracking, which is what leads to ReDoS.

Example using re2 which does not support backtracking (Note: it is still recommended to never use user-supplied input):

// Import the re2 module
const RE2 = require('re2');

function match(userSuppliedRegex, userInput) {
    // Create a RE2 object with the user supplied regex, this is relatively safe
    // due to RE2 not supporting backtracking which can be abused to cause long running
    // queries
    var re = new RE2(userSuppliedRegex);
    // Execute the regular expression against some userInput
    var result = re.exec(userInput);
    // Work with the result
}

For more information on Regular Expression DoS see:

https://github.com/nalbion/WebGoat/blob/a90557d5cc25748dca078c58479df6bd630e6a34/src/main/resources/webgoat/static/js/libs/backbone-min.js#L1 # ID: 01HX8MRPBAXNB9566W72CDJ820 Language: Java Severity: πŸ”΅ MEDIUM CWE-259

Java password rule hardcodekeyequals

A potential hard-coded password was identified in a hard-coded string. Passwords should not be stored directly in code but loaded from secure locations such as a Key Management System (KMS).

The purpose of using a Key Management System is so access can be audited and keys easily rotated in the event of a breach. By hardcoding passwords, it will be extremely difficult to determine when or if, a key is compromised.

The recommendation on which KMS to use depends on the environment the application is running in:

https://github.com/nalbion/WebGoat/blob/a90557d5cc25748dca078c58479df6bd630e6a34/src/main/java/org/owasp/webgoat/lessons/cryptography/XOREncodingAssignment.java#L40 # ID: 01HX8MRPBAXNB9566W71RD8F61 Language: Java Severity: πŸ”΅ MEDIUM CWE-259

Java password rule hardcodekeyequals

A potential hard-coded password was identified in a hard-coded string. Passwords should not be stored directly in code but loaded from secure locations such as a Key Management System (KMS).

The purpose of using a Key Management System is so access can be audited and keys easily rotated in the event of a breach. By hardcoding passwords, it will be extremely difficult to determine when or if, a key is compromised.

The recommendation on which KMS to use depends on the environment the application is running in:

https://github.com/nalbion/WebGoat/blob/a90557d5cc25748dca078c58479df6bd630e6a34/src/main/java/org/owasp/webgoat/lessons/cryptography/SecureDefaultsAssignment.java#L47 # ID: 01HX8MRPBAXNB9566W735M4A65 Language: Java Severity: πŸ”΅ MEDIUM CWE-330

Java random rule pseudorandom

Depending on the context, generating weak random numbers may expose cryptographic functions which rely on these numbers, to be exploitable. When generating numbers for sensitive values such as tokens, nonces, and cryptographic keys, it is recommended that the DRBG instance of SecureRandom be used.

Example using DRBG with SecureRandom:

public SecureRandom getSecureRandomDRBG() throws NoSuchAlgorithmException {
// Use DRBG according to
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90Ar1.pdf
    return SecureRandom.getInstance("DRBG",
            // Security strength in bits (default is 128)
            DrbgParameters.instantiation(256,
                // Set prediction resistance and re-seeding
                DrbgParameters.Capability.PR_AND_RESEED,
                // Set the personalization string (optional, not necessary)
                "some_personalization_string".getBytes()
            )
    );
}

For more information on Java Cryptography see: https://docs.oracle.com/en/java/javase/15/security/java-cryptography-architecture-jca-reference-guide.html

https://github.com/nalbion/WebGoat/blob/a90557d5cc25748dca078c58479df6bd630e6a34/src/main/java/org/owasp/webgoat/lessons/hijacksession/cas/HijackSessionAuthenticationProvider.java#L48 # ID: 01HX8MRPBAXNB9566W6RQ9WRQ6 Language: JavaScript Severity: πŸ”΅ MEDIUM CWE-327

Node insecure random generator

crypto.pseudoRandomBytes()/Math.random() is a cryptographically weak random number generator. https://github.com/nalbion/WebGoat/blob/a90557d5cc25748dca078c58479df6bd630e6a34/src/main/resources/webgoat/static/js/modernizr.min.js#L3 # ID: 01HX8MRPBAXNB9566W6WYKT52Q Language: Java Severity: πŸ”΅ MEDIUM CWE-327

Java crypto rule weakmessagedigest

The application was found using an insecure or risky digest or signature algorithm. Both MD5 and SHA1 hash algorithms have been found to be vulnerable to producing collisions. This means that two different values, when hashed, can lead to the same hash value. If the application is trying to use these hash methods for storing passwords, then it is recommended to switch to a password hashing algorithm such as Argon2id or PBKDF2. strongly recommended that a standard Digest algorithm be chosen instead as implementing a digest by hand is error-prone.

Example of creating a SHA-384 hash:

// Create a MessageDigest using the SHA-384 algorithm
MessageDigest sha384Digest = MessageDigest.getInstance("SHA-384");
// Call update with your data
sha384Digest.update(input);
// Only call digest once all data has been fed into the update sha384digest instance
byte[] output = sha384Digest.digest();
// output base64 encoded version of the hash
System.out.println("hash: " + Base64.getEncoder().encodeToString(output));

For more information on secure password storage see OWASP: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html

https://github.com/nalbion/WebGoat/blob/a90557d5cc25748dca078c58479df6bd630e6a34/src/main/java/org/owasp/webgoat/lessons/cryptography/HashingAssignment.java#L55 # ID: 01HX8MRPBAXNB9566W7DZEMEAN Language: Java Severity: πŸ”΅ MEDIUM CWE-259

Java password rule hardcodekeyequals

A potential hard-coded password was identified in a hard-coded string. Passwords should not be stored directly in code but loaded from secure locations such as a Key Management System (KMS).

The purpose of using a Key Management System is so access can be audited and keys easily rotated in the event of a breach. By hardcoding passwords, it will be extremely difficult to determine when or if, a key is compromised.

The recommendation on which KMS to use depends on the environment the application is running in:

https://github.com/nalbion/WebGoat/blob/a90557d5cc25748dca078c58479df6bd630e6a34/src/main/java/org/owasp/webgoat/lessons/lessontemplate/SampleAttack.java#L60 # ID: 01HX8MRPBAXNB9566W6RTNDFKW Language: Java Severity: πŸ”΅ MEDIUM CWE-259

Java password rule hardcodekeyequals

A potential hard-coded password was identified in a hard-coded string. Passwords should not be stored directly in code but loaded from secure locations such as a Key Management System (KMS).

The purpose of using a Key Management System is so access can be audited and keys easily rotated in the event of a breach. By hardcoding passwords, it will be extremely difficult to determine when or if, a key is compromised.

The recommendation on which KMS to use depends on the environment the application is running in:

https://github.com/nalbion/WebGoat/blob/a90557d5cc25748dca078c58479df6bd630e6a34/src/main/java/org/owasp/webgoat/lessons/challenges/challenge7/Assignment7.java#L60 # ID: 01HX8MRPBAXNB9566W7HJV5WMB Language: Java Severity: πŸ”΅ MEDIUM CWE-259

Java password rule hardcodekeyequals

A potential hard-coded password was identified in a hard-coded string. Passwords should not be stored directly in code but loaded from secure locations such as a Key Management System (KMS).

The purpose of using a Key Management System is so access can be audited and keys easily rotated in the event of a breach. By hardcoding passwords, it will be extremely difficult to determine when or if, a key is compromised.

The recommendation on which KMS to use depends on the environment the application is running in:

https://github.com/nalbion/WebGoat/blob/a90557d5cc25748dca078c58479df6bd630e6a34/src/main/java/org/owasp/webgoat/lessons/logging/LogBleedingTask.java#L60 # ID: 01HX8MRPBAXNB9566W878S0ZXD Language: Java Severity: πŸ”΅ MEDIUM CWE-89

Java inject rule custominjection

SQL Injection is a critical vulnerability that can lead to data or system compromise. By dynamically generating SQL query strings, user input may be able to influence the logic of the SQL statement. This could lead to an adversary accessing information they should not have access to, or in some circumstances, being able to execute OS functionality or code.

Replace all dynamically generated SQL queries with parameterized queries. In situations where dynamic queries must be created, never use direct user input, but instead use a map or dictionary of valid values and resolve them using a user-supplied key.

For example, some database drivers do not allow parameterized queries for > or < comparison operators. In these cases, do not use a user supplied > or < value, but rather have the user supply a gt or lt value. The alphabetical values are then used to look up the > and < values to be used in the construction of the dynamic query. The same goes for other queries where column or table names are required but cannot be parameterized.

Example using PreparedStatement queries:

// Some userInput
String userInput = "someUserInput";
// Your connection string
String url = "...";
// Get a connection from the DB via the DriverManager
Connection conn = DriverManager.getConnection(url);
// Create a prepared statement
PreparedStatement st = conn.prepareStatement("SELECT name FROM table where name=?");
// Set each parameters value by the index (starting from 1)
st.setString(1, userInput);
// Execute query and get the result set
ResultSet rs = st.executeQuery();
// Iterate over results
while (rs.next()) {
    // Get result for this row at the provided column number (starting from 1)
    String result = rs.getString(1);
    // ...
}
// Close the ResultSet
rs.close();
// Close the PreparedStatement
st.close();

For more information on SQL Injection see OWASP: https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html

https://github.com/nalbion/WebGoat/blob/a90557d5cc25748dca078c58479df6bd630e6a34/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson10.java#L64-L78 # ID: 01HX8MRPBAXNB9566W8ANW7TGK Language: Java Severity: πŸ”΅ MEDIUM CWE-89

Java inject rule custominjection

SQL Injection is a critical vulnerability that can lead to data or system compromise. By dynamically generating SQL query strings, user input may be able to influence the logic of the SQL statement. This could lead to an adversary accessing information they should not have access to, or in some circumstances, being able to execute OS functionality or code.

Replace all dynamically generated SQL queries with parameterized queries. In situations where dynamic queries must be created, never use direct user input, but instead use a map or dictionary of valid values and resolve them using a user-supplied key.

For example, some database drivers do not allow parameterized queries for > or < comparison operators. In these cases, do not use a user supplied > or < value, but rather have the user supply a gt or lt value. The alphabetical values are then used to look up the > and < values to be used in the construction of the dynamic query. The same goes for other queries where column or table names are required but cannot be parameterized.

Example using PreparedStatement queries:

// Some userInput
String userInput = "someUserInput";
// Your connection string
String url = "...";
// Get a connection from the DB via the DriverManager
Connection conn = DriverManager.getConnection(url);
// Create a prepared statement
PreparedStatement st = conn.prepareStatement("SELECT name FROM table where name=?");
// Set each parameters value by the index (starting from 1)
st.setString(1, userInput);
// Execute query and get the result set
ResultSet rs = st.executeQuery();
// Iterate over results
while (rs.next()) {
    // Get result for this row at the provided column number (starting from 1)
    String result = rs.getString(1);
    // ...
}
// Close the ResultSet
rs.close();
// Close the PreparedStatement
st.close();

For more information on SQL Injection see OWASP: https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html

https://github.com/nalbion/WebGoat/blob/a90557d5cc25748dca078c58479df6bd630e6a34/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson9.java#L66-L80 # ID: 01HX8MRPBAXNB9566W5WVD8WED Language: JavaScript Severity: πŸ”΅ MEDIUM CWE-185

Javascript dos rule non literal regexp

The RegExp constructor was called with a non-literal value. If an adversary were able to supply a malicious regex, they could cause a Regular Expression Denial of Service (ReDoS) against the application. In Node applications, this could cause the entire application to no longer be responsive to other users' requests.

To remediate this issue, never allow user-supplied regular expressions. Instead, the regular expression should be hardcoded. If this is not possible, consider using an alternative regular expression engine such as node-re2. RE2 is a safe alternative that does not support backtracking, which is what leads to ReDoS.

Example using re2 which does not support backtracking (Note: it is still recommended to never use user-supplied input):

// Import the re2 module
const RE2 = require('re2');

function match(userSuppliedRegex, userInput) {
    // Create a RE2 object with the user supplied regex, this is relatively safe
    // due to RE2 not supporting backtracking which can be abused to cause long running
    // queries
    var re = new RE2(userSuppliedRegex);
    // Execute the regular expression against some userInput
    var result = re.exec(userInput);
    // Work with the result
}

For more information on Regular Expression DoS see:

https://github.com/nalbion/WebGoat/blob/a90557d5cc25748dca078c58479df6bd630e6a34/src/main/resources/webgoat/static/js/libs/jquery-2.1.4.min.js#L3 # ID: 01HX8MRPBAXNB9566W6Q889RCD Language: JavaScript Severity: πŸ”΅ MEDIUM CWE-185

Javascript dos rule non literal regexp

The RegExp constructor was called with a non-literal value. If an adversary were able to supply a malicious regex, they could cause a Regular Expression Denial of Service (ReDoS) against the application. In Node applications, this could cause the entire application to no longer be responsive to other users' requests.

To remediate this issue, never allow user-supplied regular expressions. Instead, the regular expression should be hardcoded. If this is not possible, consider using an alternative regular expression engine such as node-re2. RE2 is a safe alternative that does not support backtracking, which is what leads to ReDoS.

Example using re2 which does not support backtracking (Note: it is still recommended to never use user-supplied input):

// Import the re2 module
const RE2 = require('re2');

function match(userSuppliedRegex, userInput) {
    // Create a RE2 object with the user supplied regex, this is relatively safe
    // due to RE2 not supporting backtracking which can be abused to cause long running
    // queries
    var re = new RE2(userSuppliedRegex);
    // Execute the regular expression against some userInput
    var result = re.exec(userInput);
    // Work with the result
}

For more information on Regular Expression DoS see:

https://github.com/nalbion/WebGoat/blob/a90557d5cc25748dca078c58479df6bd630e6a34/src/main/resources/webgoat/static/js/modernizr.min.js#L3 # ID: 01HX8MRPBAXNB9566W6QRHNH2M Language: JavaScript Severity: πŸ”΅ MEDIUM CWE-95

Javascript eval rule eval with expression

The application was found calling the eval function OR Function() constructor OR setTimeout() OR setInterval() methods. If the

variables or strings or functions passed to these methods contains user-supplied input, an adversary could attempt to execute arbitrary

JavaScript

code. This could lead to a full system compromise in Node applications or Cross-site Scripting

(XSS) in web applications.

To remediate this issue, remove all calls to above methods and consider alternative methods for

executing

the necessary business logic. There is almost no safe method of calling eval or other above stated sinks with

user-supplied input.

Instead, consider alternative methods such as using property accessors to dynamically access

values.

Example using property accessors to dynamically access an object's property:


  // Define an object

  const obj = {key1: 'value1', key2: 'value2'};

  // Get key dynamically from user input

  const key = getUserInput();

  // Check if the key exists in our object and return it, or a default empty string

  const value = (obj.hasOwnProperty(key)) ? obj[key] : '';

  // Work with the value

For more information on why not to use eval, and alternatives see:

https://github.com/nalbion/WebGoat/blob/a90557d5cc25748dca078c58479df6bd630e6a34/src/main/resources/webgoat/static/js/modernizr.min.js#L3 # ID: 01HX8MRPBAXNB9566W7QP805RH Language: Java Severity: πŸ”΅ MEDIUM CWE-1004

Java cookie rule cookiehttponly

The HttpOnly attribute when set to true protects the cookie value from being accessed by client side JavaScript such as reading the document.cookie values. By enabling this protection, a website that is vulnerable to Cross-Site Scripting (XSS) will be able to block malicious scripts from accessing the cookie value from JavaScript.

Example of protecting a Cookie:

// Create an HttpOnly cookie.
Cookie someCookie = new Cookie("SomeCookieName", "SomeValue");
// Set HttpOnly flag to true
someCookie.setHttpOnly(true);

For more information see: https://jakarta.ee/specifications/servlet/4.0/apidocs/javax/servlet/http/cookie#setHttpOnly-boolean-

Session cookies should be configured with the following security directives:

https://github.com/nalbion/WebGoat/blob/a90557d5cc25748dca078c58479df6bd630e6a34/src/main/java/org/owasp/webgoat/lessons/spoofcookie/SpoofCookieAssignment.java#L79-L81 # ID: 01HX8MRPBAXNB9566W7S31AZX9 Language: Java Severity: πŸ”΅ MEDIUM CWE-614

Java cookie rule cookieinsecure

The Secure attribute when set to true protects the cookie value from being being transmitted over clear text communication paths such as HTTP. By enabling this protection, the cookie will only be sent over HTTPS.

Example of protecting a Cookie:

// Create an Secure cookie.
Cookie someCookie = new Cookie("SomeCookieName", "SomeValue");
// Set Secure flag to true
someCookie.setSecure(true);

For more information see: https://jakarta.ee/specifications/servlet/4.0/apidocs/javax/servlet/http/cookie#setSecure-boolean-

Session cookies should be configured with the following security directives:

https://github.com/nalbion/WebGoat/blob/a90557d5cc25748dca078c58479df6bd630e6a34/src/main/java/org/owasp/webgoat/lessons/spoofcookie/SpoofCookieAssignment.java#L79-L81 # ID: 01HX8MRPBAXNB9566W72CH21X0 Language: Java Severity: πŸ”΅ MEDIUM CWE-1004

Java cookie rule cookiehttponly

The HttpOnly attribute when set to true protects the cookie value from being accessed by client side JavaScript such as reading the document.cookie values. By enabling this protection, a website that is vulnerable to Cross-Site Scripting (XSS) will be able to block malicious scripts from accessing the cookie value from JavaScript.

Example of protecting a Cookie:

// Create an HttpOnly cookie.
Cookie someCookie = new Cookie("SomeCookieName", "SomeValue");
// Set HttpOnly flag to true
someCookie.setHttpOnly(true);

For more information see: https://jakarta.ee/specifications/servlet/4.0/apidocs/javax/servlet/http/cookie#setHttpOnly-boolean-

Session cookies should be configured with the following security directives:

https://github.com/nalbion/WebGoat/blob/a90557d5cc25748dca078c58479df6bd630e6a34/src/main/java/org/owasp/webgoat/lessons/hijacksession/HijackSessionAssignment.java#L86-L89 # ID: 01HX8MRPBAXNB9566W7HYCAN49 Language: Java Severity: πŸ”΅ MEDIUM CWE-259

Java password rule hardcodekeyequals

A potential hard-coded password was identified in a hard-coded string. Passwords should not be stored directly in code but loaded from secure locations such as a Key Management System (KMS).

The purpose of using a Key Management System is so access can be audited and keys easily rotated in the event of a breach. By hardcoding passwords, it will be extremely difficult to determine when or if, a key is compromised.

The recommendation on which KMS to use depends on the environment the application is running in:

https://github.com/nalbion/WebGoat/blob/a90557d5cc25748dca078c58479df6bd630e6a34/src/main/java/org/owasp/webgoat/lessons/passwordreset/ResetLinkAssignment.java#L88 # ID: 01HX8MRPBAXNB9566W7MP18JKD Language: Java Severity: πŸ”΅ MEDIUM CWE-259

Java password rule hardcodekeyequals

A potential hard-coded password was identified in a hard-coded string. Passwords should not be stored directly in code but loaded from secure locations such as a Key Management System (KMS).

The purpose of using a Key Management System is so access can be audited and keys easily rotated in the event of a breach. By hardcoding passwords, it will be extremely difficult to determine when or if, a key is compromised.

The recommendation on which KMS to use depends on the environment the application is running in:

https://github.com/nalbion/WebGoat/blob/a90557d5cc25748dca078c58479df6bd630e6a34/src/main/java/org/owasp/webgoat/lessons/passwordreset/ResetLinkAssignment.java#L90 # ID: 01HX8MRPBAXNB9566W6XG372VB Language: Java Severity: πŸ”΅ MEDIUM CWE-259

Java password rule hardcodekeyequals

A potential hard-coded password was identified in a hard-coded string. Passwords should not be stored directly in code but loaded from secure locations such as a Key Management System (KMS).

The purpose of using a Key Management System is so access can be audited and keys easily rotated in the event of a breach. By hardcoding passwords, it will be extremely difficult to determine when or if, a key is compromised.

The recommendation on which KMS to use depends on the environment the application is running in:

https://github.com/nalbion/WebGoat/blob/a90557d5cc25748dca078c58479df6bd630e6a34/src/main/java/org/owasp/webgoat/lessons/cryptography/HashingAssignment.java#L90 # ID: 01HX8MRPBAXNB9566W6YR1PPBJ Language: Java Severity: πŸ”΅ MEDIUM CWE-259

Java password rule hardcodekeyequals

A potential hard-coded password was identified in a hard-coded string. Passwords should not be stored directly in code but loaded from secure locations such as a Key Management System (KMS).

The purpose of using a Key Management System is so access can be audited and keys easily rotated in the event of a breach. By hardcoding passwords, it will be extremely difficult to determine when or if, a key is compromised.

The recommendation on which KMS to use depends on the environment the application is running in:

https://github.com/nalbion/WebGoat/blob/a90557d5cc25748dca078c58479df6bd630e6a34/src/main/java/org/owasp/webgoat/lessons/cryptography/HashingAssignment.java#L92 # ID: 01HX8MRPBAXNB9566W7Q2Z3VXD Language: Java Severity: πŸ”΅ MEDIUM CWE-22

Java inject rule spotbugspathtraversalabsolute

The application dynamically constructs file or path information. If the path information comes from user input, it could be abused to read sensitive files, access other users' data, or aid in exploitation to gain further system access.

User input should never be used in constructing paths or files for interacting with the filesystem. This includes filenames supplied by user uploads or downloads. If possible, consider hashing user input or replacing it with unique values and use Path.resolve to resolve and validate the path information prior to processing any file functionality.

Example using Path.resolve and not allowing direct user input:

// Class to store our user data along with a randomly generated file name
public static class UserData {
    private String userFileNameUnsafe;
    private String fileName;
    public UserData(String userFileName) {
        this.userFileNameUnsafe = userFileName;
        // Generate a random ID for the filename
        this.fileName = UUID.randomUUID().toString();
    }
    public String getUserFileNameUnsafe() { return userFileNameUnsafe; };
    public String getFileName() { return fileName; };
}

public static void main(String[] args) throws Exception {
    // User input, saved only as a reference
    UserData userData = new UserData("..\\test.txt");
    // Restrict all file processing to this directory only
    String base = "/var/app/restricted";
    Path basePath = Paths.get(base);
    // Resolve the full path, but only use our random generated filename
    Path fullPath = basePath.resolve(userData.getFileName());
    // verify the path is contained within our basePath
    if (!fullPath.startsWith(base)) {
        throw new Exception("Invalid path specified!");
    }
    // process / work with file
}

For more information on path traversal issues see OWASP: https://owasp.org/www-community/attacks/Path_Traversal

https://github.com/nalbion/WebGoat/blob/a90557d5cc25748dca078c58479df6bd630e6a34/src/main/java/org/owasp/webgoat/lessons/pathtraversal/ProfileUploadRetrieval.java#L92 # ID: 01HX8MRPBAXNB9566W7VFE65FW Language: Java Severity: πŸ”΅ MEDIUM CWE-259

Java password rule hardcodekeyequals

A potential hard-coded password was identified in a hard-coded string. Passwords should not be stored directly in code but loaded from secure locations such as a Key Management System (KMS).

The purpose of using a Key Management System is so access can be audited and keys easily rotated in the event of a breach. By hardcoding passwords, it will be extremely difficult to determine when or if, a key is compromised.

The recommendation on which KMS to use depends on the environment the application is running in:

https://github.com/nalbion/WebGoat/blob/a90557d5cc25748dca078c58479df6bd630e6a34/src/main/java/org/owasp/webgoat/lessons/spoofcookie/SpoofCookieAssignment.java#L93 # ID: 01HX8MRPBAXNB9566W7YSSHZGS Language: Java Severity: πŸ”΅ MEDIUM CWE-1004

Java cookie rule cookiehttponly

The HttpOnly attribute when set to true protects the cookie value from being accessed by client side JavaScript such as reading the document.cookie values. By enabling this protection, a website that is vulnerable to Cross-Site Scripting (XSS) will be able to block malicious scripts from accessing the cookie value from JavaScript.

Example of protecting a Cookie:

// Create an HttpOnly cookie.
Cookie someCookie = new Cookie("SomeCookieName", "SomeValue");
// Set HttpOnly flag to true
someCookie.setHttpOnly(true);

For more information see: https://jakarta.ee/specifications/servlet/4.0/apidocs/javax/servlet/http/cookie#setHttpOnly-boolean-

Session cookies should be configured with the following security directives:

https://github.com/nalbion/WebGoat/blob/a90557d5cc25748dca078c58479df6bd630e6a34/src/main/java/org/owasp/webgoat/lessons/spoofcookie/SpoofCookieAssignment.java#L95-L98 # ID: 01HX8MRPBAXNB9566W759HGF14 Language: Java Severity: πŸ”΅ MEDIUM CWE-1004

Java cookie rule cookiehttponly

The HttpOnly attribute when set to true protects the cookie value from being accessed by client side JavaScript such as reading the document.cookie values. By enabling this protection, a website that is vulnerable to Cross-Site Scripting (XSS) will be able to block malicious scripts from accessing the cookie value from JavaScript.

Example of protecting a Cookie:

// Create an HttpOnly cookie.
Cookie someCookie = new Cookie("SomeCookieName", "SomeValue");
// Set HttpOnly flag to true
someCookie.setHttpOnly(true);

For more information see: https://jakarta.ee/specifications/servlet/4.0/apidocs/javax/servlet/http/cookie#setHttpOnly-boolean-

Session cookies should be configured with the following security directives:

https://github.com/nalbion/WebGoat/blob/a90557d5cc25748dca078c58479df6bd630e6a34/src/main/java/org/owasp/webgoat/lessons/jwt/JWTVotesEndpoint.java#L130-L131 # ID: 01HX8MRPBAXNB9566W77FZM15T Language: Java Severity: πŸ”΅ MEDIUM CWE-614

Java cookie rule cookieinsecure

The Secure attribute when set to true protects the cookie value from being being transmitted over clear text communication paths such as HTTP. By enabling this protection, the cookie will only be sent over HTTPS.

Example of protecting a Cookie:

// Create an Secure cookie.
Cookie someCookie = new Cookie("SomeCookieName", "SomeValue");
// Set Secure flag to true
someCookie.setSecure(true);

For more information see: https://jakarta.ee/specifications/servlet/4.0/apidocs/javax/servlet/http/cookie#setSecure-boolean-

Session cookies should be configured with the following security directives:

https://github.com/nalbion/WebGoat/blob/a90557d5cc25748dca078c58479df6bd630e6a34/src/main/java/org/owasp/webgoat/lessons/jwt/JWTVotesEndpoint.java#L130-L131 # ID: 01HX8MRPBAXNB9566W7A0CRTXV Language: Java Severity: πŸ”΅ MEDIUM CWE-614

Java cookie rule cookieinsecure

The Secure attribute when set to true protects the cookie value from being being transmitted over clear text communication paths such as HTTP. By enabling this protection, the cookie will only be sent over HTTPS.

Example of protecting a Cookie:

// Create an Secure cookie.
Cookie someCookie = new Cookie("SomeCookieName", "SomeValue");
// Set Secure flag to true
someCookie.setSecure(true);

For more information see: https://jakarta.ee/specifications/servlet/4.0/apidocs/javax/servlet/http/cookie#setSecure-boolean-

Session cookies should be configured with the following security directives:

https://github.com/nalbion/WebGoat/blob/a90557d5cc25748dca078c58479df6bd630e6a34/src/main/java/org/owasp/webgoat/lessons/jwt/JWTVotesEndpoint.java#L135-L136 # ID: 01HX8MRPBAXNB9566W7854W1WY Language: Java Severity: πŸ”΅ MEDIUM CWE-1004

Java cookie rule cookiehttponly

The HttpOnly attribute when set to true protects the cookie value from being accessed by client side JavaScript such as reading the document.cookie values. By enabling this protection, a website that is vulnerable to Cross-Site Scripting (XSS) will be able to block malicious scripts from accessing the cookie value from JavaScript.

Example of protecting a Cookie:

// Create an HttpOnly cookie.
Cookie someCookie = new Cookie("SomeCookieName", "SomeValue");
// Set HttpOnly flag to true
someCookie.setHttpOnly(true);

For more information see: https://jakarta.ee/specifications/servlet/4.0/apidocs/javax/servlet/http/cookie#setHttpOnly-boolean-

Session cookies should be configured with the following security directives:

https://github.com/nalbion/WebGoat/blob/a90557d5cc25748dca078c58479df6bd630e6a34/src/main/java/org/owasp/webgoat/lessons/jwt/JWTVotesEndpoint.java#L135-L136 # ID: 01HX8MRPBAXNB9566W5TFERSJN Language: JavaScript Severity: πŸ”΅ MEDIUM CWE-185

Javascript dos rule non literal regexp

The RegExp constructor was called with a non-literal value. If an adversary were able to supply a malicious regex, they could cause a Regular Expression Denial of Service (ReDoS) against the application. In Node applications, this could cause the entire application to no longer be responsive to other users' requests.

To remediate this issue, never allow user-supplied regular expressions. Instead, the regular expression should be hardcoded. If this is not possible, consider using an alternative regular expression engine such as node-re2. RE2 is a safe alternative that does not support backtracking, which is what leads to ReDoS.

Example using re2 which does not support backtracking (Note: it is still recommended to never use user-supplied input):

// Import the re2 module
const RE2 = require('re2');

function match(userSuppliedRegex, userInput) {
    // Create a RE2 object with the user supplied regex, this is relatively safe
    // due to RE2 not supporting backtracking which can be abused to cause long running
    // queries
    var re = new RE2(userSuppliedRegex);
    // Execute the regular expression against some userInput
    var result = re.exec(userInput);
    // Work with the result
}

For more information on Regular Expression DoS see:

https://github.com/nalbion/WebGoat/blob/a90557d5cc25748dca078c58479df6bd630e6a34/src/main/resources/webgoat/static/js/libs/jquery-2.1.4.min.js#L2 # ID: 01HX8MRPBAXNB9566W5QF1KZFD Language: JavaScript Severity: πŸ”΅ MEDIUM CWE-327

Node insecure random generator

crypto.pseudoRandomBytes()/Math.random() is a cryptographically weak random number generator. https://github.com/nalbion/WebGoat/blob/a90557d5cc25748dca078c58479df6bd630e6a34/src/main/resources/webgoat/static/js/libs/jquery-2.1.4.min.js#L2 # ID: 01HX8MRPBAXNB9566W5Y18MQVJ Language: JavaScript Severity: πŸ”΅ MEDIUM CWE-185

Regex dos

Ensure that the regex used to compare with user supplied input is safe from regular expression denial of service. https://github.com/nalbion/WebGoat/blob/a90557d5cc25748dca078c58479df6bd630e6a34/src/main/resources/webgoat/static/js/libs/mode-java.js#L534 # ID: 01HX8MRPBAXNB9566W61CHVNEH Language: JavaScript Severity: πŸ”΅ MEDIUM CWE-185

Javascript dos rule non literal regexp

The RegExp constructor was called with a non-literal value. If an adversary were able to supply a malicious regex, they could cause a Regular Expression Denial of Service (ReDoS) against the application. In Node applications, this could cause the entire application to no longer be responsive to other users' requests.

To remediate this issue, never allow user-supplied regular expressions. Instead, the regular expression should be hardcoded. If this is not possible, consider using an alternative regular expression engine such as node-re2. RE2 is a safe alternative that does not support backtracking, which is what leads to ReDoS.

Example using re2 which does not support backtracking (Note: it is still recommended to never use user-supplied input):

// Import the re2 module
const RE2 = require('re2');

function match(userSuppliedRegex, userInput) {
    // Create a RE2 object with the user supplied regex, this is relatively safe
    // due to RE2 not supporting backtracking which can be abused to cause long running
    // queries
    var re = new RE2(userSuppliedRegex);
    // Execute the regular expression against some userInput
    var result = re.exec(userInput);
    // Work with the result
}

For more information on Regular Expression DoS see:

https://github.com/nalbion/WebGoat/blob/a90557d5cc25748dca078c58479df6bd630e6a34/src/main/resources/webgoat/static/js/libs/mode-java.js#L573-L575 # ID: 01HX8MRPBAXNB9566W652RA6NW Language: JavaScript Severity: πŸ”΅ MEDIUM CWE-185

Javascript dos rule non literal regexp

The RegExp constructor was called with a non-literal value. If an adversary were able to supply a malicious regex, they could cause a Regular Expression Denial of Service (ReDoS) against the application. In Node applications, this could cause the entire application to no longer be responsive to other users' requests.

To remediate this issue, never allow user-supplied regular expressions. Instead, the regular expression should be hardcoded. If this is not possible, consider using an alternative regular expression engine such as node-re2. RE2 is a safe alternative that does not support backtracking, which is what leads to ReDoS.

Example using re2 which does not support backtracking (Note: it is still recommended to never use user-supplied input):

// Import the re2 module
const RE2 = require('re2');

function match(userSuppliedRegex, userInput) {
    // Create a RE2 object with the user supplied regex, this is relatively safe
    // due to RE2 not supporting backtracking which can be abused to cause long running
    // queries
    var re = new RE2(userSuppliedRegex);
    // Execute the regular expression against some userInput
    var result = re.exec(userInput);
    // Work with the result
}

For more information on Regular Expression DoS see:

https://github.com/nalbion/WebGoat/blob/a90557d5cc25748dca078c58479df6bd630e6a34/src/main/resources/webgoat/static/js/libs/mode-java.js#L576-L578 # ID: 01HX8MRPBAXNB9566W67Q35C9A Language: JavaScript Severity: πŸ”΅ MEDIUM CWE-185

Regex dos

Ensure that the regex used to compare with user supplied input is safe from regular expression denial of service. https://github.com/nalbion/WebGoat/blob/a90557d5cc25748dca078c58479df6bd630e6a34/src/main/resources/webgoat/static/js/libs/mode-java.js#L685-L686

Reply with /nullify to interact with me like another developer

nalbion-nullify[bot] commented 2 months ago

New code security updates for commits 2763432dfb60af06d308d479accd31a97ca715d2...a90557d5cc25748dca078c58479df6bd630e6a34

New Fixed Allowlisted Unallowlisted
45 0 0 0
See Details ### New Findings | ID | Title | File | Line | CWE | |-|-|-|-|-| | 01HX8MRPBAXNB9566W5QD42XX0 | Javascript dos rule non literal regexp | src/main/resources/webgoat/static/js/libs/backbone-min.js | 1 | 185 | | 01HX8MRPBAXNB9566W5QF1KZFD | Node insecure random generator | src/main/resources/webgoat/static/js/libs/jquery-2.1.4.min.js | 2 | 327 | | 01HX8MRPBAXNB9566W5TFERSJN | Javascript dos rule non literal regexp | src/main/resources/webgoat/static/js/libs/jquery-2.1.4.min.js | 2 | 185 | | 01HX8MRPBAXNB9566W6Q889RCD | Javascript dos rule non literal regexp | src/main/resources/webgoat/static/js/modernizr.min.js | 3 | 185 | | 01HX8MRPBAXNB9566W5WVD8WED | Javascript dos rule non literal regexp | src/main/resources/webgoat/static/js/libs/jquery-2.1.4.min.js | 3 | 185 | | 01HX8MRPBAXNB9566W6RQ9WRQ6 | Node insecure random generator | src/main/resources/webgoat/static/js/modernizr.min.js | 3 | 327 | | 01HX8MRPBAXNB9566W6QRHNH2M | Javascript eval rule eval with expression | src/main/resources/webgoat/static/js/modernizr.min.js | 3 | 95 | | 01HX8MRPBAXNB9566W6E46DBAK | Javascript eval rule eval with expression | src/main/resources/webgoat/static/js/libs/require.min.js | 5 | 95 | | 01HX8MRPBAXNB9566W6H0XKCEN | Regex dos | src/main/resources/webgoat/static/js/libs/require.min.js | 5 | 185 | | 01HX8MRPBAXNB9566W6KTJVMPW | Javascript dos rule non literal regexp | src/main/resources/webgoat/static/js/libs/underscore-min.js | 6 | 185 | | 01HX8MRPBAXNB9566W6J5FDAV2 | Node insecure random generator | src/main/resources/webgoat/static/js/libs/underscore-min.js | 6 | 327 | | 01HX8MRPBAXNB9566W6B4JJJDP | Javascript dos rule non literal regexp | src/main/resources/webgoat/static/js/libs/polyglot.min.js | 17 | 185 | | 01HX8MRPBAXNB9566W72CDJ820 | Java password rule hardcodekeyequals | src/main/java/org/owasp/webgoat/lessons/cryptography/XOREncodingAssignment.java | 40 | 259 | | 01HX8MRPBAXNB9566W71RD8F61 | Java password rule hardcodekeyequals | src/main/java/org/owasp/webgoat/lessons/cryptography/SecureDefaultsAssignment.java | 47 | 259 | | 01HX8MRPBAXNB9566W735M4A65 | Java random rule pseudorandom | src/main/java/org/owasp/webgoat/lessons/hijacksession/cas/HijackSessionAuthenticationProvider.java | 48 | 330 | | 01HX8MRPBAXNB9566W8CF8G1BP | Java ssrf rule ssrf | src/main/java/org/owasp/webgoat/lessons/ssrf/SSRFTask2.java | 51 | 918 | | 01HX8MRPBAXNB9566W6WYKT52Q | Java crypto rule weakmessagedigest | src/main/java/org/owasp/webgoat/lessons/cryptography/HashingAssignment.java | 55 | 327 | | 01HX8MRPBAXNB9566W7DZEMEAN | Java password rule hardcodekeyequals | src/main/java/org/owasp/webgoat/lessons/lessontemplate/SampleAttack.java | 60 | 259 | | 01HX8MRPBAXNB9566W6RTNDFKW | Java password rule hardcodekeyequals | src/main/java/org/owasp/webgoat/lessons/challenges/challenge7/Assignment7.java | 60 | 259 | | 01HX8MRPBAXNB9566W7HJV5WMB | Java password rule hardcodekeyequals | src/main/java/org/owasp/webgoat/lessons/logging/LogBleedingTask.java | 60 | 259 | | 01HX8MRPBAXNB9566W878S0ZXD | Java inject rule custominjection | src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson10.java | 64 | 89 | | 01HX8MRPBAXNB9566W8ANW7TGK | Java inject rule custominjection | src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson9.java | 66 | 89 | | 01HX8MRPBAXNB9566W80WZ7HP9 | Java inject rule sqlinjection | src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionChallenge.java | 69 | 89 | | 01HX8MRPBAXNB9566W83BRC81D | Java inject rule sqlinjection | src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionLesson6a.java | 74 | 89 | | 01HX8MRPBAXNB9566W73MG6BFW | Java password rule hardcodekeyequals | src/main/java/org/owasp/webgoat/lessons/jwt/JWTRefreshEndpoint.java | 77 | 259 | | 01HX8MRPBAXNB9566W7QP805RH | Java cookie rule cookiehttponly | src/main/java/org/owasp/webgoat/lessons/spoofcookie/SpoofCookieAssignment.java | 79 | 1004 | | 01HX8MRPBAXNB9566W7S31AZX9 | Java cookie rule cookieinsecure | src/main/java/org/owasp/webgoat/lessons/spoofcookie/SpoofCookieAssignment.java | 79 | 614 | | 01HX8MRPBAXNB9566W72CH21X0 | Java cookie rule cookiehttponly | src/main/java/org/owasp/webgoat/lessons/hijacksession/HijackSessionAssignment.java | 86 | 1004 | | 01HX8MRPBAXNB9566W7HYCAN49 | Java password rule hardcodekeyequals | src/main/java/org/owasp/webgoat/lessons/passwordreset/ResetLinkAssignment.java | 88 | 259 | | 01HX8MRPBAXNB9566W7MP18JKD | Java password rule hardcodekeyequals | src/main/java/org/owasp/webgoat/lessons/passwordreset/ResetLinkAssignment.java | 90 | 259 | | 01HX8MRPBAXNB9566W6XG372VB | Java password rule hardcodekeyequals | src/main/java/org/owasp/webgoat/lessons/cryptography/HashingAssignment.java | 90 | 259 | | 01HX8MRPBAXNB9566W6YR1PPBJ | Java password rule hardcodekeyequals | src/main/java/org/owasp/webgoat/lessons/cryptography/HashingAssignment.java | 92 | 259 | | 01HX8MRPBAXNB9566W7Q2Z3VXD | Java inject rule spotbugspathtraversalabsolute | src/main/java/org/owasp/webgoat/lessons/pathtraversal/ProfileUploadRetrieval.java | 92 | 22 | | 01HX8MRPBAXNB9566W7VFE65FW | Java password rule hardcodekeyequals | src/main/java/org/owasp/webgoat/lessons/spoofcookie/SpoofCookieAssignment.java | 93 | 259 | | 01HX8MRPBAXNB9566W7YSSHZGS | Java cookie rule cookiehttponly | src/main/java/org/owasp/webgoat/lessons/spoofcookie/SpoofCookieAssignment.java | 95 | 1004 | | 01HX8MRPBAXNB9566W759HGF14 | Java cookie rule cookiehttponly | src/main/java/org/owasp/webgoat/lessons/jwt/JWTVotesEndpoint.java | 130 | 1004 | | 01HX8MRPBAXNB9566W77FZM15T | Java cookie rule cookieinsecure | src/main/java/org/owasp/webgoat/lessons/jwt/JWTVotesEndpoint.java | 130 | 614 | | 01HX8MRPBAXNB9566W7A0CRTXV | Java cookie rule cookieinsecure | src/main/java/org/owasp/webgoat/lessons/jwt/JWTVotesEndpoint.java | 135 | 614 | | 01HX8MRPBAXNB9566W7854W1WY | Java cookie rule cookiehttponly | src/main/java/org/owasp/webgoat/lessons/jwt/JWTVotesEndpoint.java | 135 | 1004 | | 01HX8MRPBAXNB9566W6WB416ES | Java password rule hardcodekey | src/main/java/org/owasp/webgoat/lessons/cryptography/CryptoUtil.java | 139 | 321 | | 01HX8MRPBAXNB9566W87KAK6NM | Java inject rule sqlinjection | src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson8.java | 158 | 89 | | 01HX8MRPBAXNB9566W5Y18MQVJ | Regex dos | src/main/resources/webgoat/static/js/libs/mode-java.js | 534 | 185 | | 01HX8MRPBAXNB9566W61CHVNEH | Javascript dos rule non literal regexp | src/main/resources/webgoat/static/js/libs/mode-java.js | 573 | 185 | | 01HX8MRPBAXNB9566W652RA6NW | Javascript dos rule non literal regexp | src/main/resources/webgoat/static/js/libs/mode-java.js | 576 | 185 | | 01HX8MRPBAXNB9566W67Q35C9A | Regex dos | src/main/resources/webgoat/static/js/libs/mode-java.js | 685 | 185 |
nalbion commented 2 months ago

/nullify fix vulnerability 01HX8MRPBAXNB9566W87KAK6NM

nalbion-nullify[bot] commented 2 months ago

I have created a pull request to address the SQL Injection vulnerability with ID 01HX8MRPBAXNB9566W87KAK6NM. You can review and merge the changes here.