JMS Sample Report

JMS Github 2 Scan Report
Project Name JMS Github 2

Scan Start Wednesday, August 23, 2023 8:23:03 AM
Preset Checkmarx Default
Scan Time 00h:01m:24s
Lines Of Code Scanned 4635
Files Scanned 57
Report Creation Time Friday, September 15, 2023 12:38:54 PM
https://cxapactrial.checkmarx.net/CxWebClient/ViewerMain.aspx?scanid=1011402
Online Results
&projectid=4262
Team SP Trials
Checkmarx Version 9.5.5.1004 HF11
Scan Type Full
Source Origin GIT
Scanned Branch /refs/heads/master
Density 6/100 (Vulnerabilities/LOC)
Visibility Public
Filter Settings
Severity
Included: High, Medium, Low, Information
Excluded: None
Result State
Included: To Verify, Not Exploitable, Confirmed, Urgent, Proposed Not Exploitable
Excluded: None
Assigned to
Included: All
Categories
Included:
Uncategorized All
Custom All
PCI DSS v3.2.1 All
OWASP Top 10 2013 All
FISMA 2014 All
NIST SP 800-53 All
OWASP Mobile Top 10 All
2016
ASD STIG 4.10 All
OWASP Top 10 API All
MOIS(KISA) Secure All
PAGE 1 OF 299
Coding 2021
SANS top 25 All
CWE top 25 All
OWASP ASVS All
ASA Mobile Premium All
ASA Premium All
Top Tier All
ASD STIG 5.2 All
Excluded:
Uncategorized None
Custom None
PCI DSS v3.2.1 None
OWASP Top 10 2013 None
FISMA 2014 None
NIST SP 800-53 None
OWASP Mobile Top 10 None
2016
ASD STIG 4.10 None
OWASP Top 10 API None
MOIS(KISA) Secure None
Coding 2021
SANS top 25 None
CWE top 25 None
OWASP ASVS None
ASA Mobile Premium None
ASA Premium None
Top Tier None
ASD STIG 5.2 None
Results Limit
A limit was not defined
Selected Queries
Selected queries are listed in Result Summary
PAGE 2 OF 299
Result Summary Most Vulnerable Files
Customer.java
Billing.java
High
Medium Vendor.java
Low
Inventory.java
JobCard.java
Top 5 Vulnerabilities
PAGE 3 OF 299
Scan Summary - OWASP Top 10 2017
Further details and elaboration about vulnerabilities and risks can be found at: OWASP Top 10 2017
Threat Weakness Weakness Technical Business Issues Best Fix

Category Exploitability
Agent Prevalence Detectability Impact Impact Found Locations
App. App.
A1-Injection* EASY COMMON EASY SEVERE 121 32
Specific Specific
A2-Broken App. App.

EASY COMMON AVERAGE SEVERE 4 1
Authentication* Specific Specific
A3-Sensitive App. App.

AVERAGE WIDESPREAD AVERAGE SEVERE 0 0
Data Exposure* Specific Specific
A4-XML External App. App.

AVERAGE COMMON EASY SEVERE 0 0
Entities (XXE) Specific Specific
A5-Broken App. App.

AVERAGE COMMON AVERAGE SEVERE 20 8
Access Control* Specific Specific
A6-Security
App. App.
Misconfiguration EASY WIDESPREAD EASY MODERATE 34 34
Specific Specific
*
A7-Cross-Site App. App.

EASY WIDESPREAD EASY MODERATE 0 0
Scripting (XSS) Specific Specific
A8-Insecure App. App.

DIFFICULT COMMON AVERAGE SEVERE 0 0
Deserialization Specific Specific
A9-Using
Components App. App.
AVERAGE WIDESPREAD AVERAGE MODERATE 1 1
with Known Specific Specific
Vulnerabilities*
A10-Insufficient
App. App.
Logging & AVERAGE WIDESPREAD DIFFICULT MODERATE 0 0
Specific Specific
Monitoring
* Project scan results do not include all relevant queries. Presets and\or Filters should be changed to include all relevant standard queries.
PAGE 4 OF 299
Issues Best Fix

Category
Found Locations
A1-Broken Access Control* 71 34
A2-Cryptographic Failures 8 8
A3-Injection* 118 30
A4-Insecure Design* 45 42
A5-Security Misconfiguration* 0 0
A6-Vulnerable and Outdated Components* 0 0
A7-Identification and Authentication Failures* 2 2
A8-Software and Data Integrity Failures* 1 1
A9-Security Logging and Monitoring Failures 16 15
A10-Server-Side Request Forgery 0 0
PAGE 5 OF 299
Further details and elaboration about vulnerabilities and risks can be found at: OWASP Top 10 2013
Threat Attack Weakness Weakness Technical Business Issues Best Fix

Category
Agent Vectors Prevalence Detectability Impact Impact Found Locations
EXTERNAL,
A1-Injection* INTERNAL, EASY COMMON AVERAGE SEVERE ALL DATA 118 30
ADMIN USERS
A2-Broken
EXTERNAL, AFFECTED
Authentication
INTERNAL AVERAGE WIDESPREAD AVERAGE SEVERE DATA AND 4 1
and Session
USERS FUNCTIONS
Management*
EXTERNAL, AFFECTED
A3-Cross-Site VERY
INTERNAL, AVERAGE EASY MODERATE DATA AND 0 0
Scripting (XSS) WIDESPREAD
ADMIN USERS SYSTEM
A4-Insecure
SYSTEM EXPOSED
Direct Object EASY COMMON EASY MODERATE 20 8
USERS DATA
References*
A5-Security EXTERNAL,
ALL DATA
Misconfiguration INTERNAL, EASY COMMON EASY MODERATE 33 33
AND SYSTEM
* ADMIN USERS
EXTERNAL,
INTERNAL,
A6-Sensitive EXPOSED
ADMIN DIFFICULT UNCOMMON AVERAGE SEVERE 7 7
Data Exposure* DATA
USERS, USERS
BROWSERS
A7-Missing EXTERNAL, EXPOSED

Function Level INTERNAL EASY COMMON AVERAGE MODERATE DATA AND 0 0
Access Control* USERS FUNCTIONS
A8-Cross-Site AFFECTED
USERS
Request Forgery AVERAGE COMMON EASY MODERATE DATA AND 35 10
BROWSERS
(CSRF) FUNCTIONS
A9-Using EXTERNAL
AFFECTED
Components USERS,
AVERAGE WIDESPREAD DIFFICULT MODERATE DATA AND 1 1
with Known AUTOMATED
FUNCTIONS
Vulnerabilities* TOOLS
A10-Unvalidated AFFECTED
USERS
Redirects and AVERAGE WIDESPREAD DIFFICULT MODERATE DATA AND 0 0
BROWSERS
Forwards FUNCTIONS
PAGE 6 OF 299
Scan Summary - PCI DSS v3.2.1
Issues Best Fix

Category
Found Locations
PCI DSS (3.2.1) - 6.5.1 - Injection flaws - particularly SQL injection 138 38
PCI DSS (3.2.1) - 6.5.2 - Buffer overflows 0 0
PCI DSS (3.2.1) - 6.5.3 - Insecure cryptographic storage* 0 0
PCI DSS (3.2.1) - 6.5.4 - Insecure communications* 0 0
PCI DSS (3.2.1) - 6.5.5 - Improper error handling* 33 33
PCI DSS (3.2.1) - 6.5.7 - Cross-site scripting (XSS) 0 0
PCI DSS (3.2.1) - 6.5.8 - Improper access control* 0 0
PCI DSS (3.2.1) - 6.5.9 - Cross-site request forgery 35 10
PCI DSS (3.2.1) - 6.5.10 - Broken authentication and session management* 4 1
PAGE 7 OF 299
Scan Summary - FISMA 2014
Issues Best Fix

Category Description
Found Locations
Organizations must limit information system access
to authorized users, processes acting on behalf of
authorized users, or devices (including other
Access Control* 14 2
information systems) and to the types of
transactions and functions that authorized users are
permitted to exercise.
Organizations must: (i) create, protect, and retain

information system audit records to the extent
needed to enable the monitoring, analysis,
investigation, and reporting of unlawful,
Audit And Accountability* unauthorized, or inappropriate information system 0 0
activity; and (ii) ensure that the actions of individual
information system users can be uniquely traced to
those users so they can be held accountable for
their actions.
Organizations must: (i) establish and maintain

baseline configurations and inventories of
organizational information systems (including
hardware, software, firmware, and documentation)
Configuration Management* throughout the respective system development life 33 33
cycles; and (ii) establish and enforce security
configuration settings for information technology
products employed in organizational information
systems.
Organizations must identify information system

users, processes acting on behalf of users, or
devices and authenticate (or verify) the identities of
Identification And Authentication* 20 20
those users, processes, or devices, as a prerequisite
to allowing access to organizational information
systems.
Organizations must: (i) protect information system

media, both paper and digital; (ii) limit access to
information on information system media to
Media Protection 4 1
authorized users; and (iii) sanitize or destroy
information system media before disposal or release
for reuse.
Organizations must: (i) monitor, control, and protect

organizational communications (i.e., information
transmitted or received by organizational
information systems) at the external boundaries and
System And Communications Protection key internal boundaries of the information systems; 1 1
and (ii) employ architectural designs, software
development techniques, and systems engineering
principles that promote effective information
security within organizational information systems.
Organizations must: (i) identify, report, and correct

information and information system flaws in a
timely manner; (ii) provide protection from
System And Information Integrity* malicious code at appropriate locations within 121 32
organizational information systems; and (iii) monitor
information system security alerts and advisories
and take appropriate actions in response.
PAGE 8 OF 299
Scan Summary - NIST SP 800-53
Issues Best Fix

Category
Found Locations
AC-12 Session Termination (P2) 0 0
AC-3 Access Enforcement (P1)* 34 22
AC-4 Information Flow Enforcement (P1) 0 0
AC-6 Least Privilege (P1) 0 0
AU-9 Protection of Audit Information (P1) 3 2
CM-6 Configuration Settings (P2) 0 0
IA-5 Authenticator Management (P1) 0 0
IA-6 Authenticator Feedback (P2) 0 0
IA-8 Identification and Authentication (Non-Organizational Users) (P1) 0 0
SC-12 Cryptographic Key Establishment and Management (P1) 0 0
SC-13 Cryptographic Protection (P1) 0 0
SC-17 Public Key Infrastructure Certificates (P1) 0 0
SC-18 Mobile Code (P2) 0 0
SC-23 Session Authenticity (P1)* 36 11
SC-28 Protection of Information at Rest (P1)* 0 0
SC-4 Information in Shared Resources (P1) 0 0
SC-5 Denial of Service Protection (P1)* 19 19
SC-8 Transmission Confidentiality and Integrity (P1) 5 2
SI-10 Information Input Validation (P1)* 118 30
SI-11 Error Handling (P2)* 33 33
SI-15 Information Output Filtering (P0) 0 0
SI-16 Memory Protection (P1)* 0 0
PAGE 9 OF 299
Scan Summary - OWASP Mobile Top 10 2016
Issues Best Fix

Category Description
Found Locations
This category covers misuse of a platform feature or
failure to use platform security controls. It might
include Android intents, platform permissions,
M1-Improper Platform Usage* misuse of TouchID, the Keychain, or some other 0 0
security control that is part of the mobile operating
system. There are several ways that mobile apps can
experience this risk.
This category covers insecure data storage and

M2-Insecure Data Storage* 0 0
unintended data leakage.
This category covers poor handshaking, incorrect

M3-Insecure Communication* SSL versions, weak negotiation, cleartext 0 0
communication of sensitive assets, etc.
This category captures notions of authenticating the

end user or bad session management. This can
include:
-Failing to identify the user at all when that should
M4-Insecure Authentication* 0 0
be required
-Failure to maintain the user's identity when it is
required
-Weaknesses in session management
The code applies cryptography to a sensitive

information asset. However, the cryptography is
insufficient in some way. Note that anything and
everything related to TLS or SSL goes in M3. Also, if
M5-Insufficient Cryptography* 0 0
the app fails to use cryptography at all when it
should, that probably belongs in M2. This category
is for issues where cryptography was attempted, but
it wasnt done correctly.
This is a category to capture any failures in

authorization (e.g., authorization decisions in the
client side, forced browsing, etc.). It is distinct from
authentication issues (e.g., device enrolment, user
identification, etc.).
M6-Insecure Authorization* If the app does not authenticate users at all in a 0 0
situation where it should (e.g., granting anonymous
access to some resource or service when
authenticated and authorized access is required),
then that is an authentication failure not an
authorization failure.
This category is the catch-all for code-level

implementation problems in the mobile client.
That's distinct from server-side coding mistakes.
M7-Client Code Quality* This would capture things like buffer overflows, 59 15
format string vulnerabilities, and various other code-
level mistakes where the solution is to rewrite some
code that's running on the mobile device.
This category covers binary patching, local resource

modification, method hooking, method swizzling,
and dynamic memory modification. Once the
application is delivered to the mobile device, the
M8-Code Tampering* 0 0
code and data resources are resident there. An
attacker can either directly modify the code, change
the contents of memory dynamically, change or
replace the system APIs that the application uses, or
PAGE 10 OF 299
modify the application's data and resources. This
can provide the attacker a direct method of
subverting the intended use of the software for
personal or monetary gain.
This category includes analysis of the final core

binary to determine its source code, libraries,
algorithms, and other assets. Software such as IDA
Pro, Hopper, otool, and other binary inspection
tools give the attacker insight into the inner
M9-Reverse Engineering* 0 0
workings of the application. This may be used to
exploit other nascent vulnerabilities in the
application, as well as revealing information about
back end servers, cryptographic constants and
ciphers, and intellectual property.
Often, developers include hidden backdoor

functionality or other internal development security
controls that are not intended to be released into a
M10-Extraneous Functionality* production environment. For example, a developer 0 0
may accidentally include a password as a comment
in a hybrid app. Another example includes disabling
of 2-factor authentication during testing.
PAGE 11 OF 299
Scan Summary - Custom
Issues Best Fix

Category
Found Locations
Must audit 0 0
Check 0 0
Optional 0 0
PAGE 12 OF 299
Scan Summary - ASD STIG 4.10
Issues Best Fix

Category
Found Locations
APSC-DV-000640 - CAT II The application must provide audit record generation capability for the renewal
0 0
of session IDs.
APSC-DV-000650 - CAT II The application must not write sensitive data into the application logs. 0 0
APSC-DV-000660 - CAT II The application must provide audit record generation capability for session
0 0
timeouts.
APSC-DV-000670 - CAT II The application must record a time stamp indicating when the event occurred. 0 0
APSC-DV-000680 - CAT II The application must provide audit record generation capability for HTTP
0 0
headers including User-Agent, Referer, GET, and POST.
APSC-DV-000690 - CAT II The application must provide audit record generation capability for connecting
0 0
system IP addresses.
APSC-DV-000700 - CAT II The application must record the username or user ID of the user associated with
0 0
the event.
APSC-DV-000710 - CAT II The application must generate audit records when successful/unsuccessful
0 0
attempts to grant privileges occur.
0 0
attempts to access security objects occur.
0 0
attempts to access security levels occur.
0 0
attempts to access categories of information (e.g., classification levels) occur.
0 0
attempts to modify privileges occur.
0 0
attempts to modify security objects occur.
0 0
attempts to modify security levels occur.
0 0
attempts to modify categories of information (e.g., classification levels) occur.
0 0
attempts to delete privileges occur.
0 0
attempts to delete security levels occur.
0 0
attempts to delete application database security objects occur.
0 0
attempts to delete categories of information (e.g., classification levels) occur.
0 0
logon attempts occur.
APSC-DV-000840 - CAT II The application must generate audit records for privileged activities or other
0 0
system-level access.
APSC-DV-000850 - CAT II The application must generate audit records showing starting and ending time
0 0
for user access to the system.
0 0
accesses to objects occur.
PAGE 13 OF 299
APSC-DV-000870 - CAT II The application must generate audit records for all direct access to the
0 0
information system.
APSC-DV-000880 - CAT II The application must generate audit records for all account creations,
0 0
modifications, disabling, and termination events.
APSC-DV-000910 - CAT II The application must initiate session auditing upon startup. 0 0
APSC-DV-000940 - CAT II The application must log application shutdown events. 0 0
APSC-DV-000950 - CAT II The application must log destination IP addresses. 0 0
APSC-DV-000960 - CAT II The application must log user actions involving access to data. 0 0
APSC-DV-000970 - CAT II The application must log user actions involving changes to data. 0 0
APSC-DV-000980 - CAT II The application must produce audit records containing information to establish
0 0
when (date and time) the events occurred.
APSC-DV-000990 - CAT II The application must produce audit records containing enough information to
0 0
establish which component, feature or function of the application triggered the audit event.
APSC-DV-001000 - CAT II When using centralized logging; the application must include a unique identifier
0 0
in order to distinguish itself from other application logs.
APSC-DV-001010 - CAT II The application must produce audit records that contain information to
0 0
establish the outcome of the events.
APSC-DV-001020 - CAT II The application must generate audit records containing information that
0 0
establishes the identity of any individual or process associated with the event.
APSC-DV-001030 - CAT II The application must generate audit records containing the full-text recording
0 0
of privileged commands or the individual identities of group account users.
APSC-DV-001040 - CAT II The application must implement transaction recovery logs when transaction
0 0
based.
APSC-DV-001050 - CAT II The application must provide centralized management and configuration of the
0 0
content to be captured in audit records generated by all application components.
APSC-DV-001070 - CAT II The application must off-load audit records onto a different system or media
0 0
than the system being audited.
APSC-DV-001080 - CAT II The application must be configured to write application logs to a centralized log
0 0
repository.
APSC-DV-001090 - CAT II The application must provide an immediate warning to the SA and ISSO (at a
minimum) when allocated audit record storage volume reaches 75% of repository maximum audit record 0 0
storage capacity.
APSC-DV-001100 - CAT II Applications categorized as having a moderate or high impact must provide an
0 0
immediate real-time alert to the SA and ISSO (at a minimum) for all audit failure events.
APSC-DV-001110 - CAT II The application must alert the ISSO and SA (at a minimum) in the event of an
0 0
audit processing failure.
APSC-DV-001120 - CAT II The application must shut down by default upon audit failure (unless availability
0 0
is an overriding concern).
APSC-DV-001130 - CAT II The application must provide the capability to centrally review and analyze audit
0 0
records from multiple components within the system.
APSC-DV-001140 - CAT II The application must provide the capability to filter audit records for events of
0 0
interest based upon organization-defined criteria.
APSC-DV-001150 - CAT II The application must provide an audit reduction capability that supports on-
0 0
demand reporting requirements.
0 0
demand audit review and analysis.
APSC-DV-001170 - CAT II The application must provide an audit reduction capability that supports after-
0 0
the-fact investigations of security incidents.
APSC-DV-001180 - CAT II The application must provide a report generation capability that supports on-
0 0
PAGE 14 OF 299
0 0
APSC-DV-001200 - CAT II The application must provide a report generation capability that supports after-
0 0
APSC-DV-001210 - CAT II The application must provide an audit reduction capability that does not alter
0 0
original content or time ordering of audit records.
APSC-DV-001220 - CAT II The application must provide a report generation capability that does not alter
0 0
APSC-DV-001250 - CAT II The applications must use internal system clocks to generate time stamps for
0 0
audit records.
APSC-DV-001260 - CAT II The application must record time stamps for audit records that can be mapped
0 0
to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).
APSC-DV-001270 - CAT II The application must record time stamps for audit records that meet a
0 0
granularity of one second for a minimum degree of precision.
APSC-DV-001280 - CAT II The application must protect audit information from any type of unauthorized
0 0
read access.
APSC-DV-001290 - CAT II The application must protect audit information from unauthorized modification. 0 0
APSC-DV-001300 - CAT II The application must protect audit information from unauthorized deletion. 0 0
APSC-DV-001310 - CAT II The application must protect audit tools from unauthorized access. 0 0
APSC-DV-001320 - CAT II The application must protect audit tools from unauthorized modification. 0 0
APSC-DV-001330 - CAT II The application must protect audit tools from unauthorized deletion. 0 0
APSC-DV-001340 - CAT II The application must back up audit records at least every seven days onto a
0 0
different system or system component than the system or component being audited.
APSC-DV-001570 - CAT II The application must electronically verify Personal Identity Verification (PIV)
0 0
credentials.
APSC-DV-001350 - CAT II The application must use cryptographic mechanisms to protect the integrity of
0 0
audit information.
APSC-DV-001360 - CAT II Application audit tools must be cryptographically hashed. 0 0
APSC-DV-001370 - CAT II The integrity of the audit tools must be validated by checking the files for
0 0
changes in the cryptographic hash value.
APSC-DV-001390 - CAT II The application must prohibit user installation of software without explicit
0 0
privileged status.
APSC-DV-001410 - CAT II The application must enforce access restrictions associated with changes to
0 0
application configuration.
APSC-DV-001420 - CAT II The application must audit who makes configuration changes to the application. 0 0
APSC-DV-001430 - CAT II The application must have the capability to prevent the installation of patches,
service packs, or application components without verification the software component has been digitally 0 0
signed using a certificate that is recognized and approved by the orga
APSC-DV-001440 - CAT II The applications must limit privileges to change the software resident within
0 0
software libraries.
APSC-DV-001460 - CAT II An application vulnerability assessment must be conducted. 0 0
APSC-DV-001480 - CAT II The application must prevent program execution in accordance with
organization-defined policies regarding software program usage and restrictions, and/or rules authorizing 0 0
the terms and conditions of software program usage.
APSC-DV-001490 - CAT II The application must employ a deny-all, permit-by-exception (whitelist) policy
0 0
to allow the execution of authorized software programs.
APSC-DV-001500 - CAT II The application must be configured to disable non-essential capabilities. 0 0
APSC-DV-001510 - CAT II The application must be configured to use only functions, ports, and protocols
0 0
permitted to it in the PPSM CAL.
PAGE 15 OF 299
APSC-DV-001520 - CAT II The application must require users to reauthenticate when organization-defined
0 0
circumstances or situations require reauthentication.
APSC-DV-001530 - CAT II The application must require devices to reauthenticate when organization-
0 0
defined circumstances or situations requiring reauthentication.
APSC-DV-001540 - CAT I The application must uniquely identify and authenticate organizational users (or
0 0
processes acting on behalf of organizational users).
APSC-DV-001550 - CAT II The application must use multifactor (Alt. Token) authentication for network
0 0
access to privileged accounts.
APSC-DV-001560 - CAT II The application must accept Personal Identity Verification (PIV) credentials. 0 0
APSC-DV-001580 - CAT II The application must use multifactor (e.g., CAC, Alt. Token) authentication for
0 0
network access to non-privileged accounts.
APSC-DV-001590 - CAT II The application must use multifactor (Alt. Token) authentication for local access
0 0
to privileged accounts.
0 0
local access to non-privileged accounts.
APSC-DV-001610 - CAT II The application must ensure users are authenticated with an individual
0 0
authenticator prior to using a group authenticator.
APSC-DV-001620 - CAT II The application must implement replay-resistant authentication mechanisms for
0 0
network access to privileged accounts.
0 0
APSC-DV-001640 - CAT II The application must utilize mutual authentication when endpoint device non-
0 0
repudiation protections are required by DoD policy or by the data owner.
APSC-DV-001650 - CAT II The application must authenticate all network connected endpoint devices
0 0
before establishing any connection.
APSC-DV-001660 - CAT II Service-Oriented Applications handling non-releasable data must authenticate

0 0
endpoint devices via mutual SSL/TLS.
APSC-DV-001670 - CAT II The application must disable device identifiers after 35 days of inactivity unless
0 0
a cryptographic certificate is used for authentication.
APSC-DV-001680 - CAT I The application must enforce a minimum 15-character password length. 0 0
APSC-DV-001690 - CAT II The application must enforce password complexity by requiring that at least one
0 0
upper-case character be used.
0 0
lower-case character be used.
0 0
numeric character be used.
0 0
special character be used.
APSC-DV-001730 - CAT II The application must require the change of at least 8 of the total number of
0 0
characters when passwords are changed.
APSC-DV-001740 - CAT I The application must only store cryptographic representations of passwords. 0 0
APSC-DV-001850 - CAT I The application must not display passwords/PINs as clear text. 0 0
APSC-DV-001750 - CAT I The application must transmit only cryptographically-protected passwords. 0 0
APSC-DV-001760 - CAT II The application must enforce 24 hours/1 day as the minimum password lifetime. 0 0
APSC-DV-001770 - CAT II The application must enforce a 60-day maximum password lifetime restriction. 0 0
APSC-DV-001780 - CAT II The application must prohibit password reuse for a minimum of five
0 0
generations.
APSC-DV-001790 - CAT II The application must allow the use of a temporary password for system logons
0 0
with an immediate change to a permanent password.
PAGE 16 OF 299
APSC-DV-001795 - CAT II The application password must not be changeable by users other than the
0 0
administrator or the user with which the password is associated.
APSC-DV-001800 - CAT II The application must terminate existing user sessions upon account deletion. 0 0
APSC-DV-001820 - CAT I The application, when using PKI-based authentication, must enforce authorized
0 0
access to the corresponding private key.
APSC-DV-001830 - CAT II The application must map the authenticated identity to the individual user or
0 0
group account for PKI-based authentication.
APSC-DV-001870 - CAT II The application must uniquely identify and authenticate non-organizational
0 0
users (or processes acting on behalf of non-organizational users).
APSC-DV-001810 - CAT I The application, when utilizing PKI-based authentication, must validate
certificates by constructing a certification path (which includes status information) to an accepted trust 0 0
anchor.
APSC-DV-001840 - CAT II The application, for PKI-based authentication, must implement a local cache of
revocation data to support path discovery and validation in case of the inability to access revocation 0 0
information via the network.
APSC-DV-001860 - CAT II The application must use mechanisms meeting the requirements of applicable
federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for authentication 0 0
to a cryptographic module.
APSC-DV-001880 - CAT II The application must accept Personal Identity Verification (PIV) credentials from
0 0
other federal agencies.
0 0
credentials from other federal agencies.
APSC-DV-002050 - CAT II Applications making SAML assertions must use FIPS-approved random numbers
0 0
in the generation of SessionIndex in the SAML element AuthnStatement.
APSC-DV-001900 - CAT II The application must accept FICAM-approved third-party credentials. 0 0
APSC-DV-001910 - CAT II The application must conform to FICAM-issued profiles. 0 0
APSC-DV-001930 - CAT II Applications used for non-local maintenance sessions must audit non-local
0 0
maintenance and diagnostic sessions for organization-defined auditable events.
APSC-DV-000310 - CAT III The application must have a process, feature or function that prevents removal
0 0
or disabling of emergency accounts.
APSC-DV-001940 - CAT II Applications used for non-local maintenance sessions must implement
cryptographic mechanisms to protect the integrity of non-local maintenance and diagnostic 0 0
communications.
cryptographic mechanisms to protect the confidentiality of non-local maintenance and diagnostic 0 0
communications.
APSC-DV-001960 - CAT II Applications used for non-local maintenance sessions must verify remote
0 0
disconnection at the termination of non-local maintenance and diagnostic sessions.
APSC-DV-001970 - CAT II The application must employ strong authenticators in the establishment of non-
0 0
local maintenance and diagnostic sessions.
APSC-DV-001980 - CAT II The application must terminate all sessions and network connections when non-
0 0
local maintenance is completed.
APSC-DV-001995 - CAT II The application must not be vulnerable to race conditions. 0 0
APSC-DV-002000 - CAT II The application must terminate all network connections associated with a
0 0
communications session at the end of the session.
APSC-DV-002010 - CAT II The application must implement NSA-approved cryptography to protect

classified information in accordance with applicable federal laws, Executive Orders, directives, policies, 0 0
regulations, and standards.
APSC-DV-002020 - CAT II The application must utilize FIPS-validated cryptographic modules when signing
0 0
application components.
APSC-DV-002030 - CAT II The application must utilize FIPS-validated cryptographic modules when
0 0
generating cryptographic hashes.
PAGE 17 OF 299
0 0
protecting unclassified information that requires cryptographic protection.
APSC-DV-002150 - CAT II The application user interface must be either physically or logically separated
0 0
from data storage and management interfaces.
APSC-DV-002210 - CAT II The application must set the HTTPOnly flag on session cookies. 0 0
APSC-DV-002220 - CAT II The application must set the secure flag on session cookies. 0 0
APSC-DV-002230 - CAT I The application must not expose session IDs. 0 0
APSC-DV-002240 - CAT I The application must destroy the session ID value and/or cookie on logoff or
0 0
browser close.
APSC-DV-002250 - CAT II Applications must use system-generated session identifiers that protect against
0 0
session fixation.
APSC-DV-002260 - CAT II Applications must validate session identifiers. 0 0
APSC-DV-002270 - CAT II Applications must not use URL embedded session IDs. 0 0
APSC-DV-002280 - CAT II The application must not re-use or recycle session IDs. 0 0
APSC-DV-002290 - CAT II The application must use the Federal Information Processing Standard (FIPS)
140-2-validated cryptographic modules and random number generator if the application implements 0 0
encryption, key exchange, digital signature, and hash functionality.
APSC-DV-002300 - CAT II The application must only allow the use of DoD-approved certificate authorities
0 0
for verification of the establishment of protected sessions.
APSC-DV-002310 - CAT I The application must fail to a secure state if system initialization fails, shutdown
0 0
fails, or aborts fail.
APSC-DV-002320 - CAT II In the event of a system failure, applications must preserve any information
necessary to determine cause of failure and any information necessary to return to operations with least 0 0
disruption to mission processes.
APSC-DV-002330 - CAT II The application must protect the confidentiality and integrity of stored
0 0
information when required by DoD policy or the information owner.
APSC-DV-002340 - CAT II The application must implement approved cryptographic mechanisms to

prevent unauthorized modification of organization-defined information at rest on organization-defined 0 0
information system components.
APSC-DV-002350 - CAT II The application must use appropriate cryptography in order to protect stored
0 0
DoD information when required by the information owner or DoD policy.
APSC-DV-002360 - CAT II The application must isolate security functions from non-security functions. 0 0
APSC-DV-002370 - CAT II The application must maintain a separate execution domain for each executing
0 0
process.
APSC-DV-002380 - CAT II Applications must prevent unauthorized and unintended information transfer
0 0
via shared system resources.
APSC-DV-002390 - CAT II XML-based applications must mitigate DoS attacks by using XML filters, parser
0 0
options, or gateways.
APSC-DV-002400 - CAT II The application must restrict the ability to launch Denial of Service (DoS) attacks
0 0
against itself or other information systems.
APSC-DV-002410 - CAT II The web service design must include redundancy mechanisms when used with
0 0
high-availability systems.
APSC-DV-002420 - CAT II An XML firewall function must be deployed to protect web services when
0 0
exposed to untrusted networks.
APSC-DV-002610 - CAT II The application must remove organization-defined software components after
0 0
updated versions have been installed.
APSC-DV-002440 - CAT I The application must protect the confidentiality and integrity of transmitted
0 0
information.
APSC-DV-002450 - CAT II The application must implement cryptographic mechanisms to prevent

unauthorized disclosure of information and/or detect changes to information during transmission unless 0 0
otherwise protected by alternative physical safeguards, such as, at a minimum, a Prot
PAGE 18 OF 299
APSC-DV-002460 - CAT II The application must maintain the confidentiality and integrity of information
0 0
during preparation for transmission.
0 0
during reception.
APSC-DV-002480 - CAT II The application must not disclose unnecessary information to users. 0 0
APSC-DV-002485 - CAT I The application must not store sensitive information in hidden fields. 0 0
APSC-DV-002490 - CAT I The application must protect from Cross-Site Scripting (XSS) vulnerabilities. 0 0
APSC-DV-002500 - CAT II The application must protect from Cross-Site Request Forgery (CSRF)
0 0
vulnerabilities.
APSC-DV-002510 - CAT I The application must protect from command injection. 0 0
APSC-DV-002520 - CAT II The application must protect from canonical representation vulnerabilities. 0 0
APSC-DV-002530 - CAT II The application must validate all input. 0 0
APSC-DV-002540 - CAT I The application must not be vulnerable to SQL Injection. 0 0
APSC-DV-002550 - CAT I The application must not be vulnerable to XML-oriented attacks. 0 0
APSC-DV-002560 - CAT I The application must not be subject to input handling vulnerabilities. 0 0
APSC-DV-002570 - CAT II The application must generate error messages that provide information
0 0
necessary for corrective actions without revealing information that could be exploited by adversaries.
APSC-DV-002580 - CAT II The application must reveal error messages only to the ISSO, ISSM, or SA. 0 0
APSC-DV-002590 - CAT I The application must not be vulnerable to overflow attacks. 0 0
APSC-DV-002630 - CAT II Security-relevant software updates and patches must be kept up to date. 0 0
APSC-DV-002760 - CAT II The application performing organization-defined security functions must verify
0 0
correct operation of security functions.
APSC-DV-002900 - CAT II The ISSO must ensure application audit trails are retained for at least 1 year for
0 0
applications without SAMI data, and 5 years for applications including SAMI data.
APSC-DV-002770 - CAT II The application must perform verification of the correct operation of security
functions: upon system startup and/or restart; upon command by a user with privileged access; and/or 0 0
every 30 days.
APSC-DV-002780 - CAT III The application must notify the ISSO and ISSM of failed security verification
0 0
tests.
APSC-DV-002870 - CAT II Unsigned Category 1A mobile code must not be used in the application in
0 0
accordance with DoD policy.
APSC-DV-002880 - CAT II The ISSO must ensure an account management process is implemented,
verifying only authorized users can gain access to the application, and individual accounts designated as 0 0
inactive, suspended, or terminated are promptly removed.
APSC-DV-002890 - CAT I Application web servers must be on a separate network segment from the
0 0
application and database servers if it is a tiered application operating in the DoD DMZ.
APSC-DV-002910 - CAT II The ISSO must review audit trails periodically based on system documentation
0 0
recommendations or immediately upon system security events.
APSC-DV-002920 - CAT II The ISSO must report all suspected violations of IA policies in accordance with
0 0
DoD information system IA procedures.
APSC-DV-002930 - CAT II The ISSO must ensure active vulnerability testing is performed. 0 0
APSC-DV-002980 - CAT II New IP addresses, data services, and associated ports used by the application
must be submitted to the appropriate approving authority for the organization, which in turn will be 0 0
submitted through the DoD Ports, Protocols, and Services Management (DoD PPS
APSC-DV-002950 - CAT II Execution flow diagrams and design documents must be created to show how
0 0
deadlock and recursion issues in web services are being mitigated.
APSC-DV-002960 - CAT II The designer must ensure the application does not store configuration and
0 0
control files in the same directory as user data.
APSC-DV-002970 - CAT II The ISSO must ensure if a DoD STIG or NSA guide is not available, a third-party 0 0
PAGE 19 OF 299
product will be configured by following available guidance.
APSC-DV-002990 - CAT II The application must be registered with the DoD Ports and Protocols Database. 0 0
APSC-DV-002995 - CAT II The Configuration Management (CM) repository must be properly patched and
0 0
STIG compliant.
APSC-DV-003000 - CAT II Access privileges to the Configuration Management (CM) repository must be
0 0
reviewed every three months.
APSC-DV-003010 - CAT II A Software Configuration Management (SCM) plan describing the configuration
control and change management process of application objects developed by the organization and the 0 0
roles and responsibilities of the organization must be created and maintained.
APSC-DV-003020 - CAT II A Configuration Control Board (CCB) that meets at least every release cycle, for
0 0
managing the Configuration Management (CM) process must be established.
APSC-DV-003030 - CAT II The application services and interfaces must be compatible with and ready for
0 0
IPv6 networks.
APSC-DV-003040 - CAT II The application must not be hosted on a general purpose machine if the
0 0
application is designated as critical or high availability by the ISSO.
APSC-DV-003050 - CAT II A disaster recovery/continuity plan must exist in accordance with DoD policy
0 0
based on the applications availability requirements.
APSC-DV-003060 - CAT II Recovery procedures and technical system features must exist so recovery is
performed in a secure and verifiable manner. The ISSO will document circumstances inhibiting a trusted 0 0
recovery.
APSC-DV-003070 - CAT II Data backup must be performed at required intervals in accordance with DoD
0 0
policy.
APSC-DV-003080 - CAT II Back-up copies of the application software or source code must be stored in a
0 0
fire-rated container or stored separately (offsite).
APSC-DV-003090 - CAT II Procedures must be in place to assure the appropriate physical and technical
0 0
protection of the backup and restoration of the application.
APSC-DV-003100 - CAT II The application must use encryption to implement key exchange and
0 0
authenticate endpoints prior to establishing a communication channel for key exchange.
APSC-DV-003110 - CAT I The application must not contain embedded authentication data. 0 0
APSC-DV-003120 - CAT I The application must have the capability to mark sensitive/classified output
0 0
when required.
APSC-DV-003130 - CAT III Prior to each release of the application, updates to system, or applying patches;
0 0
tests plans and procedures must be created and executed.
APSC-DV-003150 - CAT II At least one tester must be designated to test for security flaws in addition to
0 0
functional testing.
APSC-DV-003140 - CAT II Application files must be cryptographically hashed prior to deploying to DoD
0 0
operational networks.
APSC-DV-003160 - CAT III Test procedures must be created and at least annually executed to ensure
0 0
system initialization, shutdown, and aborts are configured to verify the system remains in a secure state.
APSC-DV-003170 - CAT II An application code review must be performed on the application. 0 0
APSC-DV-003180 - CAT III Code coverage statistics must be maintained for each release of the
0 0
application.
APSC-DV-003190 - CAT II Flaws found during a code review must be tracked in a defect tracking system. 0 0
APSC-DV-003200 - CAT II The changes to the application must be assessed for IA and accreditation
0 0
impact prior to implementation.
APSC-DV-003210 - CAT II Security flaws must be fixed or addressed in the project plan. 0 0
APSC-DV-003215 - CAT III The application development team must follow a set of coding standards. 0 0
APSC-DV-003220 - CAT III The designer must create and update the Design Document for each release of
0 0
the application.
PAGE 20 OF 299
APSC-DV-003230 - CAT II Threat models must be documented and reviewed for each application release
0 0
and updated as required by design and functionality changes or when new threats are discovered.
APSC-DV-003235 - CAT II The application must not be subject to error handling vulnerabilities. 0 0
APSC-DV-003250 - CAT I The application must be decommissioned when maintenance or support is no

0 0
longer available.
APSC-DV-003236 - CAT II The application development team must provide an application incident
0 0
response plan.
APSC-DV-003240 - CAT I All products must be supported by the vendor or the development team. 0 0
APSC-DV-003260 - CAT III Procedures must be in place to notify users when an application is
0 0
decommissioned.
APSC-DV-003270 - CAT II Unnecessary built-in application accounts must be disabled. 0 0
APSC-DV-003280 - CAT I Default passwords must be changed. 0 0
APSC-DV-003330 - CAT II The system must alert an administrator when low resource conditions are
0 0
encountered.
APSC-DV-003285 - CAT II An Application Configuration Guide must be created and included with the
0 0
application.
APSC-DV-003290 - CAT II If the application contains classified data, a Security Classification Guide must
0 0
exist containing data elements and their classification.
APSC-DV-003300 - CAT II The designer must ensure uncategorized or emerging mobile code is not used
0 0
in applications.
APSC-DV-003310 - CAT II Production database exports must have database administration credentials and
0 0
sensitive data removed before releasing the export.
APSC-DV-003320 - CAT II Protections against DoS attacks must be implemented. 0 0
APSC-DV-003340 - CAT III At least one application administrator must be registered to receive update
0 0
notifications, or security alerts, when automated alerts are available.
APSC-DV-003360 - CAT III The application must generate audit records when concurrent logons from
0 0
different workstations occur.
APSC-DV-003345 - CAT III The application must provide notifications or alerts when product update and
0 0
security related patches are available.
APSC-DV-003350 - CAT II Connections between the DoD enclave and the Internet or other public or
0 0
commercial wide area networks must require a DMZ.
APSC-DV-003400 - CAT II The Program Manager must verify all levels of program management, designers,
0 0
developers, and testers receive annual security training pertaining to their job function.
APSC-DV-000010 - CAT II The application must provide a capability to limit the number of logon sessions
0 0
per user.
APSC-DV-000060 - CAT II The application must clear temporary storage and cookies when the session is
0 0
terminated.
APSC-DV-000070 - CAT II The application must automatically terminate the non-privileged user session
0 0
and log off non-privileged users after a 15 minute idle time period has elapsed.
APSC-DV-000080 - CAT II The application must automatically terminate the admin user session and log off
0 0
admin users after a 10 minute idle time period is exceeded.
APSC-DV-000090 - CAT II Applications requiring user access authentication must provide a logoff
0 0
capability for user initiated communication session.
APSC-DV-000100 - CAT III The application must display an explicit logoff message to users indicating the
0 0
reliable termination of authenticated communications sessions.
APSC-DV-000110 - CAT II The application must associate organization-defined types of security attributes
0 0
having organization-defined security attribute values with information in storage.
0 0
having organization-defined security attribute values with information in process.
APSC-DV-000130 - CAT II The application must associate organization-defined types of security attributes 0 0
PAGE 21 OF 299
having organization-defined security attribute values with information in transmission.
APSC-DV-000160 - CAT II The application must implement DoD-approved encryption to protect the
0 0
confidentiality of remote access sessions.
APSC-DV-000170 - CAT II The application must implement cryptographic mechanisms to protect the
0 0
integrity of remote access sessions.
APSC-DV-000190 - CAT I Messages protected with WS_Security must use time stamps with creation and
0 0
expiration times.
APSC-DV-000180 - CAT II Applications with SOAP messages requiring integrity must include the following
message elements:-Message ID-Service Request-Timestamp-SAML Assertion (optionally included in 0 0
messages) and all elements of the message must be digitally signed.
APSC-DV-000200 - CAT I Validity periods must be verified on all application messages using WS-Security
0 0
or SAML assertions.
APSC-DV-000210 - CAT II The application must ensure each unique asserting party provides unique
0 0
assertion ID references for each SAML assertion.
APSC-DV-000220 - CAT II The application must ensure encrypted assertions, or equivalent confidentiality
protections are used when assertion data is passed through an intermediary, and confidentiality of the 0 0
assertion data is required when passing through the intermediary.
APSC-DV-000230 - CAT I The application must use the NotOnOrAfter condition when using the
0 0
SubjectConfirmation element in a SAML assertion.
APSC-DV-000240 - CAT I The application must use both the NotBefore and NotOnOrAfter elements or
0 0
OneTimeUse element when using the Conditions element in a SAML assertion.
APSC-DV-000250 - CAT II The application must ensure if a OneTimeUse element is used in an assertion,
0 0
there is only one of the same used in the Conditions element portion of an assertion.
APSC-DV-000260 - CAT II The application must ensure messages are encrypted when the SessionIndex is
0 0
tied to privacy data.
APSC-DV-000290 - CAT II Shared/group account credentials must be terminated when members leave the
0 0
group.
APSC-DV-000280 - CAT II The application must provide automated mechanisms for supporting account
0 0
management functions.
APSC-DV-000300 - CAT II The application must automatically remove or disable temporary user accounts
0 0
72 hours after account creation.
APSC-DV-000320 - CAT III The application must automatically disable accounts after a 35 day period of
0 0
account inactivity.
APSC-DV-000330 - CAT II Unnecessary application accounts must be disabled, or deleted. 0 0
APSC-DV-000420 - CAT II The application must automatically audit account enabling actions. 0 0
APSC-DV-000340 - CAT II The application must automatically audit account creation. 0 0
APSC-DV-000350 - CAT II The application must automatically audit account modification. 0 0
APSC-DV-000360 - CAT II The application must automatically audit account disabling actions. 0 0
APSC-DV-000370 - CAT II The application must automatically audit account removal actions. 0 0
APSC-DV-000380 - CAT III The application must notify System Administrators and Information System
0 0
Security Officers when accounts are created.
0 0
Security Officers when accounts are modified.
0 0
Security Officers of account disabling actions.
0 0
Security Officers of account removal actions.
0 0
Security Officers of account enabling actions.
APSC-DV-000440 - CAT II Application data protection requirements must be identified and documented. 0 0
PAGE 22 OF 299
APSC-DV-000520 - CAT II The application must audit the execution of privileged functions. 0 0
APSC-DV-000450 - CAT II The application must utilize organization-defined data mining detection
0 0
techniques for organization-defined data storage objects to adequately detect data mining attempts.
APSC-DV-000460 - CAT I The application must enforce approved authorizations for logical access to
0 0
information and system resources in accordance with applicable access control policies.
APSC-DV-000470 - CAT II The application must enforce organization-defined discretionary access control
0 0
policies over defined subjects and objects.
APSC-DV-000480 - CAT II The application must enforce approved authorizations for controlling the flow
0 0
of information within the system based on organization-defined information flow control policies.
of information between interconnected systems based on organization-defined information flow control 0 0
policies.
APSC-DV-000500 - CAT II The application must prevent non-privileged users from executing privileged
functions to include disabling, circumventing, or altering implemented security 0 0
safeguards/countermeasures.
APSC-DV-000510 - CAT I The application must execute without excessive account permissions. 0 0
APSC-DV-000530 - CAT I The application must enforce the limit of three consecutive invalid logon
0 0
attempts by a user during a 15 minute time period.
APSC-DV-000560 - CAT III The application must retain the Standard Mandatory DoD Notice and Consent
Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for 0 0
further access.
APSC-DV-000540 - CAT II The application administrator must follow an approved process to unlock locked
0 0
user accounts.
APSC-DV-000550 - CAT III The application must display the Standard Mandatory DoD Notice and Consent
0 0
Banner before granting access to the application.
APSC-DV-000570 - CAT III The publicly accessible application must display the Standard Mandatory DoD
0 0
Notice and Consent Banner before granting access to the application.
APSC-DV-000580 - CAT III The application must display the time and date of the users last successful
0 0
logon.
APSC-DV-000630 - CAT II The application must provide audit record generation capability for the
0 0
destruction of session IDs.
APSC-DV-000590 - CAT II The application must protect against an individual (or process acting on behalf
of an individual) falsely denying having performed organization-defined actions to be covered by non- 0 0
repudiation.
APSC-DV-000600 - CAT II For applications providing audit record aggregation, the application must
compile audit records from organization-defined information system components into a system-wide 0 0
audit trail that is time-correlated with an organization-defined level of tolerance
APSC-DV-000610 - CAT II The application must provide the capability for organization-identified
individuals or roles to change the auditing to be performed on all application components, based on all 0 0
selectable event criteria within organization-defined time thresholds.
APSC-DV-000620 - CAT II The application must provide audit record generation capability for the creation
0 0
of session IDs.
PAGE 23 OF 299
Scan Summary - ASD STIG 5.2
Issues Best Fix

Category
Found Locations
APSC-DV-000640 - CAT II The application must provide audit record generation capability for the renewal
0 0
of session IDs.
APSC-DV-000650 - CAT II The application must not write sensitive data into the application logs. 0 0
APSC-DV-000660 - CAT II The application must provide audit record generation capability for session
0 0
timeouts.
APSC-DV-000670 - CAT II The application must record a time stamp indicating when the event occurred. 0 0
APSC-DV-000680 - CAT II The application must provide audit record generation capability for HTTP
0 0
headers including User-Agent, Referer, GET, and POST.
APSC-DV-000690 - CAT II The application must provide audit record generation capability for connecting
0 0
system IP addresses.
APSC-DV-000700 - CAT II The application must record the username or user ID of the user associated with
0 0
the event.
0 0
attempts to grant privileges occur.
0 0
attempts to access security objects occur.
0 0
attempts to access security levels occur.
0 0
attempts to access categories of information (e.g., classification levels) occur.
0 0
attempts to modify privileges occur.
0 0
attempts to modify security objects occur.
0 0
attempts to modify security levels occur.
0 0
attempts to modify categories of information (e.g., classification levels) occur.
0 0
attempts to delete privileges occur.
0 0
attempts to delete security levels occur.
0 0
attempts to delete application database security objects occur.
0 0
attempts to delete categories of information (e.g., classification levels) occur.
0 0
logon attempts occur.
APSC-DV-000840 - CAT II The application must generate audit records for privileged activities or other
0 0
system-level access.
APSC-DV-000850 - CAT II The application must generate audit records showing starting and ending time
0 0
for user access to the system.
0 0
accesses to objects occur.
PAGE 24 OF 299
APSC-DV-000870 - CAT II The application must generate audit records for all direct access to the
0 0
information system.
APSC-DV-000880 - CAT II The application must generate audit records for all account creations,
0 0
modifications, disabling, and termination events.
APSC-DV-000910 - CAT II The application must initiate session auditing upon startup. 0 0
APSC-DV-000940 - CAT II The application must log application shutdown events. 0 0
APSC-DV-000950 - CAT II The application must log destination IP addresses. 0 0
APSC-DV-000960 - CAT II The application must log user actions involving access to data. 0 0
APSC-DV-000970 - CAT II The application must log user actions involving changes to data. 0 0
APSC-DV-000980 - CAT II The application must produce audit records containing information to establish
0 0
when (date and time) the events occurred.
APSC-DV-000990 - CAT II The application must produce audit records containing enough information to
0 0
establish which component, feature or function of the application triggered the audit event.
APSC-DV-001000 - CAT II When using centralized logging; the application must include a unique identifier
0 0
in order to distinguish itself from other application logs.
APSC-DV-001010 - CAT II The application must produce audit records that contain information to
0 0
establish the outcome of the events.
APSC-DV-001020 - CAT II The application must generate audit records containing information that
0 0
establishes the identity of any individual or process associated with the event.
APSC-DV-001030 - CAT II The application must generate audit records containing the full-text recording
0 0
of privileged commands or the individual identities of group account users.
APSC-DV-001040 - CAT II The application must implement transaction recovery logs when transaction
0 0
based.
APSC-DV-001050 - CAT II The application must provide centralized management and configuration of the
0 0
content to be captured in audit records generated by all application components.
APSC-DV-001070 - CAT II The application must off-load audit records onto a different system or media
0 0
than the system being audited.
APSC-DV-001080 - CAT II The application must be configured to write application logs to a centralized log
0 0
repository.
APSC-DV-001090 - CAT II The application must provide an immediate warning to the SA and ISSO (at a
minimum) when allocated audit record storage volume reaches 75% of repository maximum audit record 0 0
storage capacity.
APSC-DV-001100 - CAT II Applications categorized as having a moderate or high impact must provide an
0 0
immediate real-time alert to the SA and ISSO (at a minimum) for all audit failure events.
APSC-DV-001110 - CAT II The application must alert the ISSO and SA (at a minimum) in the event of an
0 0
audit processing failure.
APSC-DV-001120 - CAT II The application must shut down by default upon audit failure (unless availability
0 0
is an overriding concern).
APSC-DV-001130 - CAT II The application must provide the capability to centrally review and analyze audit
0 0
records from multiple components within the system.
APSC-DV-001140 - CAT II The application must provide the capability to filter audit records for events of
0 0
interest based upon organization-defined criteria.
0 0
0 0
APSC-DV-001170 - CAT II The application must provide an audit reduction capability that supports after-
0 0
0 0
PAGE 25 OF 299
0 0
APSC-DV-001200 - CAT II The application must provide a report generation capability that supports after-
0 0
APSC-DV-001210 - CAT II The application must provide an audit reduction capability that does not alter
0 0
APSC-DV-001220 - CAT II The application must provide a report generation capability that does not alter
0 0
APSC-DV-001250 - CAT II The applications must use internal system clocks to generate time stamps for
0 0
audit records.
APSC-DV-001260 - CAT II The application must record time stamps for audit records that can be mapped
0 0
to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).
APSC-DV-001270 - CAT II The application must record time stamps for audit records that meet a
0 0
granularity of one second for a minimum degree of precision.
APSC-DV-001280 - CAT II The application must protect audit information from any type of unauthorized
0 0
read access.
APSC-DV-001290 - CAT II The application must protect audit information from unauthorized modification. 0 0
APSC-DV-001300 - CAT II The application must protect audit information from unauthorized deletion. 0 0
APSC-DV-001310 - CAT II The application must protect audit tools from unauthorized access. 0 0
APSC-DV-001320 - CAT II The application must protect audit tools from unauthorized modification. 0 0
APSC-DV-001330 - CAT II The application must protect audit tools from unauthorized deletion. 0 0
APSC-DV-001340 - CAT II The application must back up audit records at least every seven days onto a
0 0
different system or system component than the system or component being audited.
0 0
credentials.
APSC-DV-001350 - CAT II The application must use cryptographic mechanisms to protect the integrity of
0 0
audit information.
APSC-DV-001360 - CAT II Application audit tools must be cryptographically hashed. 0 0
APSC-DV-001370 - CAT II The integrity of the audit tools must be validated by checking the files for
0 0
changes in the cryptographic hash value.
APSC-DV-001390 - CAT II The application must prohibit user installation of software without explicit
0 0
privileged status.
APSC-DV-001410 - CAT II The application must enforce access restrictions associated with changes to
0 0
application configuration.
APSC-DV-001420 - CAT II The application must audit who makes configuration changes to the application. 0 0
APSC-DV-001430 - CAT II The application must have the capability to prevent the installation of patches,
service packs, or application components without verification the software component has been digitally 0 0
signed using a certificate that is recognized and approved by the orga
APSC-DV-001440 - CAT II The applications must limit privileges to change the software resident within
0 0
software libraries.
APSC-DV-001460 - CAT II An application vulnerability assessment must be conducted. 0 0
APSC-DV-001480 - CAT II The application must prevent program execution in accordance with
organization-defined policies regarding software program usage and restrictions, and/or rules authorizing 0 0
the terms and conditions of software program usage.
APSC-DV-001490 - CAT II The application must employ a deny-all, permit-by-exception (whitelist) policy
0 0
to allow the execution of authorized software programs.
APSC-DV-001500 - CAT II The application must be configured to disable non-essential capabilities. 0 0
APSC-DV-001510 - CAT II The application must be configured to use only functions, ports, and protocols
0 0
permitted to it in the PPSM CAL.
PAGE 26 OF 299
APSC-DV-001520 - CAT II The application must require users to reauthenticate when organization-defined
0 0
circumstances or situations require reauthentication.
APSC-DV-001530 - CAT II The application must require devices to reauthenticate when organization-
0 0
defined circumstances or situations requiring reauthentication.
APSC-DV-001540 - CAT I The application must uniquely identify and authenticate organizational users (or
0 0
processes acting on behalf of organizational users).
APSC-DV-001550 - CAT II The application must use multifactor (Alt. Token) authentication for network
0 0
access to privileged accounts.
APSC-DV-001560 - CAT II The application must accept Personal Identity Verification (PIV) credentials. 0 0
0 0
APSC-DV-001590 - CAT II The application must use multifactor (Alt. Token) authentication for local access
0 0
to privileged accounts.
0 0
local access to non-privileged accounts.
APSC-DV-001610 - CAT II The application must ensure users are authenticated with an individual
0 0
authenticator prior to using a group authenticator.
0 0
network access to privileged accounts.
0 0
APSC-DV-001640 - CAT II The application must utilize mutual authentication when endpoint device non-
0 0
repudiation protections are required by DoD policy or by the data owner.
APSC-DV-001650 - CAT II The application must authenticate all network connected endpoint devices
0 0
before establishing any connection.
APSC-DV-001660 - CAT II Service-Oriented Applications handling non-releasable data must authenticate

0 0
endpoint devices via mutual SSL/TLS.
APSC-DV-001670 - CAT II The application must disable device identifiers after 35 days of inactivity unless
0 0
a cryptographic certificate is used for authentication.
APSC-DV-001680 - CAT I The application must enforce a minimum 15-character password length. 0 0
0 0
upper-case character be used.
0 0
lower-case character be used.
0 0
numeric character be used.
0 0
special character be used.
APSC-DV-001730 - CAT II The application must require the change of at least 8 of the total number of
0 0
characters when passwords are changed.
APSC-DV-001740 - CAT I The application must only store cryptographic representations of passwords.* 4 1
APSC-DV-001850 - CAT I The application must not display passwords/PINs as clear text. 0 0
APSC-DV-001750 - CAT I The application must transmit only cryptographically-protected passwords. 0 0
APSC-DV-001760 - CAT II The application must enforce 24 hours/1 day as the minimum password lifetime. 0 0
APSC-DV-001770 - CAT II The application must enforce a 60-day maximum password lifetime restriction. 0 0
APSC-DV-001780 - CAT II The application must prohibit password reuse for a minimum of five
0 0
generations.
APSC-DV-001790 - CAT II The application must allow the use of a temporary password for system logons
0 0
with an immediate change to a permanent password.
PAGE 27 OF 299
APSC-DV-001795 - CAT II The application password must not be changeable by users other than the
0 0
administrator or the user with which the password is associated.
APSC-DV-001800 - CAT II The application must terminate existing user sessions upon account deletion. 0 0
APSC-DV-001820 - CAT I The application, when using PKI-based authentication, must enforce authorized
0 0
access to the corresponding private key.
APSC-DV-001830 - CAT II The application must map the authenticated identity to the individual user or
0 0
group account for PKI-based authentication.
APSC-DV-001870 - CAT II The application must uniquely identify and authenticate non-organizational
0 0
users (or processes acting on behalf of non-organizational users).
APSC-DV-001810 - CAT I The application, when utilizing PKI-based authentication, must validate
certificates by constructing a certification path (which includes status information) to an accepted trust 0 0
anchor.
APSC-DV-001840 - CAT II The application, for PKI-based authentication, must implement a local cache of
revocation data to support path discovery and validation in case of the inability to access revocation 0 0
information via the network.
APSC-DV-001860 - CAT II The application must use mechanisms meeting the requirements of applicable
federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for authentication 0 0
to a cryptographic module.
APSC-DV-001880 - CAT II The application must accept Personal Identity Verification (PIV) credentials from
0 0
other federal agencies.
0 0
credentials from other federal agencies.
APSC-DV-002050 - CAT II Applications making SAML assertions must use FIPS-approved random numbers
0 0
in the generation of SessionIndex in the SAML element AuthnStatement.
APSC-DV-001900 - CAT II The application must accept FICAM-approved third-party credentials. 0 0
APSC-DV-001910 - CAT II The application must conform to FICAM-issued profiles. 0 0
APSC-DV-001930 - CAT II Applications used for non-local maintenance sessions must audit non-local
0 0
maintenance and diagnostic sessions for organization-defined auditable events.
APSC-DV-000310 - CAT III The application must have a process, feature or function that prevents removal
0 0
or disabling of emergency accounts.
cryptographic mechanisms to protect the integrity of non-local maintenance and diagnostic 0 0
communications.
cryptographic mechanisms to protect the confidentiality of non-local maintenance and diagnostic 0 0
communications.
APSC-DV-001960 - CAT II Applications used for non-local maintenance sessions must verify remote
0 0
disconnection at the termination of non-local maintenance and diagnostic sessions.
APSC-DV-001970 - CAT II The application must employ strong authenticators in the establishment of non-
0 0
local maintenance and diagnostic sessions.
APSC-DV-001980 - CAT II The application must terminate all sessions and network connections when non-
0 0
local maintenance is completed.
APSC-DV-001995 - CAT II The application must not be vulnerable to race conditions. 0 0
APSC-DV-002000 - CAT II The application must terminate all network connections associated with a
0 0
communications session at the end of the session.
APSC-DV-002010 - CAT II The application must implement NSA-approved cryptography to protect

classified information in accordance with applicable federal laws, Executive Orders, directives, policies, 0 0
regulations, and standards.
APSC-DV-002020 - CAT II The application must utilize FIPS-validated cryptographic modules when signing
0 0
application components.
0 0
generating cryptographic hashes.
PAGE 28 OF 299
0 0
protecting unclassified information that requires cryptographic protection.
APSC-DV-002150 - CAT II The application user interface must be either physically or logically separated
0 0
from data storage and management interfaces.
APSC-DV-002210 - CAT II The application must set the HTTPOnly flag on session cookies. 0 0
APSC-DV-002220 - CAT II The application must set the secure flag on session cookies. 0 0
APSC-DV-002230 - CAT I The application must not expose session IDs.* 0 0
APSC-DV-002240 - CAT I The application must destroy the session ID value and/or cookie on logoff or
0 0
browser close.
APSC-DV-002250 - CAT II Applications must use system-generated session identifiers that protect against
0 0
session fixation.
APSC-DV-002260 - CAT II Applications must validate session identifiers. 0 0
APSC-DV-002270 - CAT II Applications must not use URL embedded session IDs. 0 0
APSC-DV-002280 - CAT II The application must not re-use or recycle session IDs. 0 0
APSC-DV-002290 - CAT II The application must use the Federal Information Processing Standard (FIPS)
140-2-validated cryptographic modules and random number generator if the application implements 0 0
encryption, key exchange, digital signature, and hash functionality.
APSC-DV-002300 - CAT II The application must only allow the use of DoD-approved certificate authorities
0 0
for verification of the establishment of protected sessions.
APSC-DV-002310 - CAT I The application must fail to a secure state if system initialization fails, shutdown
0 0
fails, or aborts fail.
APSC-DV-002320 - CAT II In the event of a system failure, applications must preserve any information
necessary to determine cause of failure and any information necessary to return to operations with least 0 0
disruption to mission processes.
APSC-DV-002330 - CAT II The application must protect the confidentiality and integrity of stored
7 7
information when required by DoD policy or the information owner.
APSC-DV-002340 - CAT II The application must implement approved cryptographic mechanisms to

prevent unauthorized modification of organization-defined information at rest on organization-defined 0 0
information system components.
APSC-DV-002350 - CAT II The application must use appropriate cryptography in order to protect stored
0 0
DoD information when required by the information owner or DoD policy.
APSC-DV-002360 - CAT II The application must isolate security functions from non-security functions. 0 0
APSC-DV-002370 - CAT II The application must maintain a separate execution domain for each executing
0 0
process.
APSC-DV-002380 - CAT II Applications must prevent unauthorized and unintended information transfer
0 0
via shared system resources.
APSC-DV-002390 - CAT II XML-based applications must mitigate DoS attacks by using XML filters, parser
0 0
options, or gateways.
APSC-DV-002400 - CAT II The application must restrict the ability to launch Denial of Service (DoS) attacks
19 19
against itself or other information systems.*
APSC-DV-002410 - CAT II The web service design must include redundancy mechanisms when used with
0 0
high-availability systems.
APSC-DV-002420 - CAT II An XML firewall function must be deployed to protect web services when
0 0
exposed to untrusted networks.
APSC-DV-002610 - CAT II The application must remove organization-defined software components after
0 0
updated versions have been installed.
APSC-DV-002440 - CAT I The application must protect the confidentiality and integrity of transmitted
0 0
information.
APSC-DV-002450 - CAT II The application must implement cryptographic mechanisms to prevent

unauthorized disclosure of information and/or detect changes to information during transmission unless 0 0
otherwise protected by alternative physical safeguards, such as, at a minimum, a Prot
PAGE 29 OF 299
0 0
during preparation for transmission.
0 0
during reception.
APSC-DV-002480 - CAT II The application must not disclose unnecessary information to users. 1 1
APSC-DV-002485 - CAT I The application must not store sensitive information in hidden fields. 0 0
APSC-DV-002490 - CAT I The application must protect from Cross-Site Scripting (XSS) vulnerabilities. 0 0
APSC-DV-002500 - CAT II The application must protect from Cross-Site Request Forgery (CSRF)
35 10
vulnerabilities.
APSC-DV-002510 - CAT I The application must protect from command injection. 0 0
APSC-DV-002520 - CAT II The application must protect from canonical representation vulnerabilities. 0 0
APSC-DV-002530 - CAT II The application must validate all input. 0 0
APSC-DV-002540 - CAT I The application must not be vulnerable to SQL Injection.* 118 30
APSC-DV-002550 - CAT I The application must not be vulnerable to XML-oriented attacks. 0 0
APSC-DV-002560 - CAT I The application must not be subject to input handling vulnerabilities.* 6 6
APSC-DV-002570 - CAT II The application must generate error messages that provide information
33 33
necessary for corrective actions without revealing information that could be exploited by adversaries.*
APSC-DV-002580 - CAT II The application must reveal error messages only to the ISSO, ISSM, or SA.* 0 0
APSC-DV-002590 - CAT I The application must not be vulnerable to overflow attacks. 0 0
APSC-DV-002630 - CAT II Security-relevant software updates and patches must be kept up to date. 0 0
APSC-DV-002760 - CAT II The application performing organization-defined security functions must verify
0 0
correct operation of security functions.
APSC-DV-002900 - CAT II The ISSO must ensure application audit trails are retained for at least 1 year for
0 0
applications without SAMI data, and 5 years for applications including SAMI data.
APSC-DV-002770 - CAT II The application must perform verification of the correct operation of security
functions: upon system startup and/or restart; upon command by a user with privileged access; and/or 0 0
every 30 days.
APSC-DV-002780 - CAT III The application must notify the ISSO and ISSM of failed security verification
0 0
tests.
APSC-DV-002870 - CAT II Unsigned Category 1A mobile code must not be used in the application in
0 0
accordance with DoD policy.
APSC-DV-002880 - CAT II The ISSO must ensure an account management process is implemented,
verifying only authorized users can gain access to the application, and individual accounts designated as 0 0
inactive, suspended, or terminated are promptly removed.
APSC-DV-002890 - CAT I Application web servers must be on a separate network segment from the
0 0
application and database servers if it is a tiered application operating in the DoD DMZ.
APSC-DV-002910 - CAT II The ISSO must review audit trails periodically based on system documentation
0 0
recommendations or immediately upon system security events.
APSC-DV-002920 - CAT II The ISSO must report all suspected violations of IA policies in accordance with
0 0
DoD information system IA procedures.
APSC-DV-002930 - CAT II The ISSO must ensure active vulnerability testing is performed. 0 0
APSC-DV-002980 - CAT II New IP addresses, data services, and associated ports used by the application
must be submitted to the appropriate approving authority for the organization, which in turn will be 0 0
submitted through the DoD Ports, Protocols, and Services Management (DoD PPS
APSC-DV-002950 - CAT II Execution flow diagrams and design documents must be created to show how
0 0
deadlock and recursion issues in web services are being mitigated.
APSC-DV-002960 - CAT II The designer must ensure the application does not store configuration and
0 0
control files in the same directory as user data.
APSC-DV-002970 - CAT II The ISSO must ensure if a DoD STIG or NSA guide is not available, a third-party 0 0
PAGE 30 OF 299
product will be configured by following available guidance.
APSC-DV-002995 - CAT II The Configuration Management (CM) repository must be properly patched and
0 0
STIG compliant.
APSC-DV-003000 - CAT II Access privileges to the Configuration Management (CM) repository must be
0 0
reviewed every three months.
APSC-DV-003010 - CAT II A Software Configuration Management (SCM) plan describing the configuration
control and change management process of application objects developed by the organization and the 0 0
roles and responsibilities of the organization must be created and maintained.
APSC-DV-003020 - CAT II A Configuration Control Board (CCB) that meets at least every release cycle, for
0 0
managing the Configuration Management (CM) process must be established.
APSC-DV-003030 - CAT II The application services and interfaces must be compatible with and ready for
0 0
IPv6 networks.
APSC-DV-003040 - CAT II The application must not be hosted on a general purpose machine if the
0 0
application is designated as critical or high availability by the ISSO.
APSC-DV-003050 - CAT II A disaster recovery/continuity plan must exist in accordance with DoD policy
0 0
based on the applications availability requirements.
APSC-DV-003060 - CAT II Recovery procedures and technical system features must exist so recovery is
performed in a secure and verifiable manner. The ISSO will document circumstances inhibiting a trusted 0 0
recovery.
APSC-DV-003070 - CAT II Data backup must be performed at required intervals in accordance with DoD
0 0
policy.
APSC-DV-003080 - CAT II Back-up copies of the application software or source code must be stored in a
0 0
fire-rated container or stored separately (offsite).
APSC-DV-003090 - CAT II Procedures must be in place to assure the appropriate physical and technical
0 0
protection of the backup and restoration of the application.
APSC-DV-003100 - CAT II The application must use encryption to implement key exchange and
0 0
authenticate endpoints prior to establishing a communication channel for key exchange.
APSC-DV-003110 - CAT I The application must not contain embedded authentication data. 0 0
APSC-DV-003120 - CAT I The application must have the capability to mark sensitive/classified output
0 0
when required.
APSC-DV-003130 - CAT III Prior to each release of the application, updates to system, or applying patches;
0 0
tests plans and procedures must be created and executed.
APSC-DV-003150 - CAT II At least one tester must be designated to test for security flaws in addition to
0 0
functional testing.
APSC-DV-003140 - CAT II Application files must be cryptographically hashed prior to deploying to DoD
0 0
operational networks.
APSC-DV-003160 - CAT III Test procedures must be created and at least annually executed to ensure
0 0
system initialization, shutdown, and aborts are configured to verify the system remains in a secure state.
APSC-DV-003170 - CAT II An application code review must be performed on the application. 0 0
APSC-DV-003180 - CAT III Code coverage statistics must be maintained for each release of the
0 0
application.
APSC-DV-003190 - CAT II Flaws found during a code review must be tracked in a defect tracking system. 0 0
APSC-DV-003200 - CAT II The changes to the application must be assessed for IA and accreditation
0 0
impact prior to implementation.
APSC-DV-003210 - CAT II Security flaws must be fixed or addressed in the project plan. 0 0
APSC-DV-003215 - CAT III The application development team must follow a set of coding standards. 0 0
APSC-DV-003220 - CAT III The designer must create and update the Design Document for each release of
0 0
the application.
APSC-DV-003230 - CAT II Threat models must be documented and reviewed for each application release 0 0
PAGE 31 OF 299
and updated as required by design and functionality changes or when new threats are discovered.
APSC-DV-003235 - CAT II The application must not be subject to error handling vulnerabilities.* 0 0
APSC-DV-003250 - CAT I The application must be decommissioned when maintenance or support is no

0 0
longer available.
APSC-DV-003236 - CAT II The application development team must provide an application incident
0 0
response plan.
APSC-DV-003240 - CAT I All products must be supported by the vendor or the development team. 0 0
APSC-DV-003260 - CAT III Procedures must be in place to notify users when an application is
0 0
decommissioned.
APSC-DV-003270 - CAT II Unnecessary built-in application accounts must be disabled. 0 0
APSC-DV-003280 - CAT I Default passwords must be changed. 0 0
APSC-DV-003330 - CAT II The system must alert an administrator when low resource conditions are
0 0
encountered.
APSC-DV-003285 - CAT II An Application Configuration Guide must be created and included with the
0 0
application.
APSC-DV-003290 - CAT II If the application contains classified data, a Security Classification Guide must
0 0
exist containing data elements and their classification.
APSC-DV-003300 - CAT II The designer must ensure uncategorized or emerging mobile code is not used
0 0
in applications.
APSC-DV-003310 - CAT II Production database exports must have database administration credentials and
0 0
sensitive data removed before releasing the export.
APSC-DV-003320 - CAT II Protections against DoS attacks must be implemented. 0 0
APSC-DV-003340 - CAT III At least one application administrator must be registered to receive update
0 0
notifications, or security alerts, when automated alerts are available.
APSC-DV-003360 - CAT III The application must generate audit records when concurrent logons from
0 0
different workstations occur.
APSC-DV-003345 - CAT III The application must provide notifications or alerts when product update and
0 0
security related patches are available.
APSC-DV-003350 - CAT II Connections between the DoD enclave and the Internet or other public or
0 0
commercial wide area networks must require a DMZ.
APSC-DV-003400 - CAT II The Program Manager must verify all levels of program management, designers,
0 0
developers, and testers receive annual security training pertaining to their job function.
APSC-DV-000010 - CAT II The application must provide a capability to limit the number of logon sessions
0 0
per user.
APSC-DV-000060 - CAT II The application must clear temporary storage and cookies when the session is
0 0
terminated.
APSC-DV-000070 - CAT II The application must automatically terminate the non-privileged user session
0 0
and log off non-privileged users after a 15 minute idle time period has elapsed.
APSC-DV-000080 - CAT II The application must automatically terminate the admin user session and log off
0 0
admin users after a 10 minute idle time period is exceeded.
APSC-DV-000090 - CAT II Applications requiring user access authentication must provide a logoff
0 0
capability for user initiated communication session.
APSC-DV-000100 - CAT III The application must display an explicit logoff message to users indicating the
0 0
reliable termination of authenticated communications sessions.
0 0
having organization-defined security attribute values with information in storage.
0 0
having organization-defined security attribute values with information in process.
0 0
having organization-defined security attribute values with information in transmission.
PAGE 32 OF 299
APSC-DV-000160 - CAT II The application must implement DoD-approved encryption to protect the
0 0
confidentiality of remote access sessions.
APSC-DV-000170 - CAT II The application must implement cryptographic mechanisms to protect the
0 0
integrity of remote access sessions.
APSC-DV-000190 - CAT I Messages protected with WS_Security must use time stamps with creation and
0 0
expiration times.
APSC-DV-000180 - CAT II Applications with SOAP messages requiring integrity must include the following
message elements:-Message ID-Service Request-Timestamp-SAML Assertion (optionally included in 0 0
messages) and all elements of the message must be digitally signed.
APSC-DV-000200 - CAT I Validity periods must be verified on all application messages using WS-Security
0 0
or SAML assertions.
APSC-DV-000210 - CAT II The application must ensure each unique asserting party provides unique
0 0
assertion ID references for each SAML assertion.
APSC-DV-000220 - CAT II The application must ensure encrypted assertions, or equivalent confidentiality
protections are used when assertion data is passed through an intermediary, and confidentiality of the 0 0
assertion data is required when passing through the intermediary.
APSC-DV-000230 - CAT I The application must use the NotOnOrAfter condition when using the
0 0
SubjectConfirmation element in a SAML assertion.
APSC-DV-000240 - CAT I The application must use both the NotBefore and NotOnOrAfter elements or
0 0
OneTimeUse element when using the Conditions element in a SAML assertion.
APSC-DV-000250 - CAT II The application must ensure if a OneTimeUse element is used in an assertion,
0 0
there is only one of the same used in the Conditions element portion of an assertion.
APSC-DV-000260 - CAT II The application must ensure messages are encrypted when the SessionIndex is
0 0
tied to privacy data.
APSC-DV-000290 - CAT II Shared/group account credentials must be terminated when members leave the
0 0
group.
APSC-DV-000280 - CAT II The application must provide automated mechanisms for supporting account
0 0
management functions.
APSC-DV-000300 - CAT II The application must automatically remove or disable temporary user accounts
0 0
72 hours after account creation.
APSC-DV-000320 - CAT III The application must automatically disable accounts after a 35 day period of
0 0
account inactivity.
APSC-DV-000330 - CAT II Unnecessary application accounts must be disabled, or deleted. 0 0
APSC-DV-000420 - CAT II The application must automatically audit account enabling actions. 0 0
APSC-DV-000340 - CAT II The application must automatically audit account creation. 0 0
APSC-DV-000350 - CAT II The application must automatically audit account modification. 0 0
APSC-DV-000360 - CAT II The application must automatically audit account disabling actions. 0 0
APSC-DV-000370 - CAT II The application must automatically audit account removal actions. 0 0
0 0
Security Officers when accounts are created.
0 0
Security Officers when accounts are modified.
0 0
Security Officers of account disabling actions.
0 0
Security Officers of account removal actions.
0 0
Security Officers of account enabling actions.
APSC-DV-000440 - CAT II Application data protection requirements must be identified and documented. 0 0
APSC-DV-000520 - CAT II The application must audit the execution of privileged functions. 0 0
PAGE 33 OF 299
APSC-DV-000450 - CAT II The application must utilize organization-defined data mining detection
0 0
techniques for organization-defined data storage objects to adequately detect data mining attempts.
APSC-DV-000460 - CAT I The application must enforce approved authorizations for logical access to
0 0
information and system resources in accordance with applicable access control policies.*
APSC-DV-000470 - CAT II The application must enforce organization-defined discretionary access control
14 2
policies over defined subjects and objects.*
0 0
of information within the system based on organization-defined information flow control policies.
of information between interconnected systems based on organization-defined information flow control 0 0
policies.
APSC-DV-000500 - CAT II The application must prevent non-privileged users from executing privileged
functions to include disabling, circumventing, or altering implemented security 0 0
safeguards/countermeasures.
APSC-DV-000510 - CAT I The application must execute without excessive account permissions. 0 0
APSC-DV-000530 - CAT I The application must enforce the limit of three consecutive invalid logon
0 0
attempts by a user during a 15 minute time period.
APSC-DV-000560 - CAT III The application must retain the Standard Mandatory DoD Notice and Consent
Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for 0 0
further access.
APSC-DV-000540 - CAT II The application administrator must follow an approved process to unlock locked
0 0
user accounts.
APSC-DV-000550 - CAT III The application must display the Standard Mandatory DoD Notice and Consent
0 0
Banner before granting access to the application.
APSC-DV-000570 - CAT III The publicly accessible application must display the Standard Mandatory DoD
0 0
Notice and Consent Banner before granting access to the application.
APSC-DV-000580 - CAT III The application must display the time and date of the users last successful
0 0
logon.
APSC-DV-000630 - CAT II The application must provide audit record generation capability for the
0 0
destruction of session IDs.
APSC-DV-000590 - CAT II The application must protect against an individual (or process acting on behalf
of an individual) falsely denying having performed organization-defined actions to be covered by non- 0 0
repudiation.
APSC-DV-000600 - CAT II For applications providing audit record aggregation, the application must
compile audit records from organization-defined information system components into a system-wide 0 0
audit trail that is time-correlated with an organization-defined level of tolerance
APSC-DV-000610 - CAT II The application must provide the capability for organization-identified
individuals or roles to change the auditing to be performed on all application components, based on all 0 0
selectable event criteria within organization-defined time thresholds.
APSC-DV-000620 - CAT II The application must provide audit record generation capability for the creation
0 0
of session IDs.
PAGE 34 OF 299
Scan Summary - OWASP Top 10 API
Issues Best Fix

Category
Found Locations
API1-Broken Object Level Authorization 14 2
API2-Broken Authentication* 0 0
API3-Excessive Data Exposure 33 33
API4-Lack of Resources and Rate Limiting 0 0
API5-Broken Function Level Authorization 0 0
API6-Mass Assignment 0 0
API7-Security Misconfiguration* 0 0
API8-Injection* 118 30
API9-Improper Assets Management 0 0
API10-Insufficient Logging and Monitoring 0 0
PAGE 35 OF 299
Issues Best Fix

Category
Found Locations
A1-Injection 59 15
A2-Cross-Site Scripting (XSS) 0 0
A3-Broken Authentication and Session Management* 0 0
A4-Insecure Direct Object References 0 0
A5-Cross-Site Request Forgery (CSRF) 0 0
A6-Security Misconfiguration 0 0
A7-Insecure Cryptographic Storage 0 0
A8-Failure to Restrict URL Access 0 0
A9-Insufficient Transport Layer Protection 0 0
A10-Unvalidated Redirects and Forwards 0 0
PAGE 36 OF 299
Scan Summary - MOIS(KISA) Secure Coding 2021
Issues Best Fix

Category
Found Locations
MOIS(KISA) API misuse* 0 0
MOIS(KISA) Code error 19 19
MOIS(KISA) Encapsulation* 0 0
MOIS(KISA) Error processing* 34 34
MOIS(KISA) Security Functions* 31 28
MOIS(KISA) Time and status* 0 0
MOIS(KISA) Verification and representation of input data* 170 45
PAGE 37 OF 299
Scan Summary - SANS top 25
Issues Best Fix

Category
Found Locations
SANS top 25* 229 101
PAGE 38 OF 299
Scan Summary - CWE top 25
Issues Best Fix

Category
Found Locations
CWE top 25* 228 100
PAGE 39 OF 299
Scan Summary - Top Tier
Issues Best Fix

Category
Found Locations
Top Tier 59 15
PAGE 40 OF 299
Scan Summary - OWASP ASVS
Issues Best Fix

Category
Found Locations
V01 Architecture, Design and Threat Modeling* 21 9
V02 Authentication* 4 1
V03 Session Management 0 0
V04 Access Control 20 20
V05 Validation, Sanitization and Encoding* 119 31
V06 Stored Cryptography* 0 0
V07 Error Handling and Logging* 16 15
V08 Data Protection 7 7
V09 Communication* 1 1
V10 Malicious Code 0 0
V11 Business Logic* 0 0
V12 Files and Resources 0 0
V13 API and Web Service 37 12
V14 Configuration* 36 36
PAGE 41 OF 299
Scan Summary - ASA Mobile Premium
Issues Best Fix

Category
Found Locations
ASA Mobile Premium* 59 15
PAGE 42 OF 299
Scan Summary - ASA Premium
Issues Best Fix

Category
Found Locations
ASA Premium* 127 45
PAGE 43 OF 299
Results Distribution By Status First scan of the project
High Medium Low Information Total

New Issues 58 58 151 13 280
Recurrent Issues 0 0 0 0 0
Total 58 58 151 13 280
Fixed Issues 0 0 0 0 0
New Scan
Previous Scan
Results Distribution By State

High Medium Low Information Total
To Verify 56 58 151 13 278
Not Exploitable 2 0 0 0 2
Confirmed 0 0 0 0 0
Urgent 0 0 0 0 0
Proposed Not
0 0 0 0 0
Exploitable
Total 58 58 151 13 280
Result Summary
Vulnerability Type Occurrences Severity
SQL Injection 59 High
CSRF 35 Medium
DB Parameter Tampering 14 Medium
Parameter Tampering 6 Medium
PAGE 44 OF 299
Frameable Login Page 1 Medium
Missing HSTS Header 1 Medium
Blind SQL Injections 59 Low
Information Exposure Through an Error Message 33 Low
Improper Resource Access Authorization 20 Low
Improper Resource Shutdown or Release 19 Low
Heap Inspection 7 Low
Insufficiently Protected Credentials 4 Low
Log Forging 3 Low
Information Exposure Through an Error Message 1 Low
JSON Hijacking 1 Low
Missing CSP Header 1 Low
Potentially Vulnerable To Csrf 1 Low
Use of Deprecated or Obsolete Functions 1 Low
Use Of HTTP Sensitive Data Exposure 1 Low
Insufficient Logging of Database Actions 12 Information
Insufficient Logging of Exceptions 1 Information
10 Most Vulnerable Files

High and Medium Vulnerabilities
File Name Issues Found

Customer.java 22
Vendor.java 18
Inventory.java 18
JobCard.java 16
Billing.java 15
LoginAdd.java 6
LoginDel.java 3
InventoryDel.java 2
BillingDel.java 2
VendorDel.java 2
PAGE 45 OF 299
Scanned Files
File Size
File Name Checksum
KB
e3b0c44298fc1c149afbf4c8996fb92427ae4
.ActiveScans/1011402 0
1e4649b934ca495991b7852b855
.SourceControl/0000000057_0- e3b0c44298fc1c149afbf4c8996fb92427ae4
0
2035474192_000923869015 1e4649b934ca495991b7852b855
6771aa6938dec973ef4c961912cc869e4638
Billing.java 10
591a98de2a6578174092bec9eff8
c2da06291b20e82f756fd257cf2ca98d0b25
BillingDel.java 3
1d9af25d20c756419e814476ebbd
82a509520228d771ed9939beee64cd07b8c
BillingView.java 5
26a1f855aa1c00c9be999df6071ac
1074749db12d0da2fea8f5c534e6b92f5953
build.xml 1
8f597d9f338be9d67f0f980e16c8
7f4cb2d260c474e842f88b82a21572d63656
Customer.java 7
5e23eea2f086c5321dd932c783e0
b72f2e29f3d455f082e2a7501afa22ed951b
CustomerDel.java 3
342d63a77f1af8f03dc52f2b897b
f7b1b6b74dd96d99bf4d961fe2f8e458dcdf
CustomerView.java 5
a51f0940dd2284b7dc22f574b382
51fa84bc0dcd05298c5b54a8b8f7170d9f1e
InterNal.java 14
20439d40031ce67dbd2ac03854b8
90cc0a801f9a87bcb7a9551a076db9d3e56
Inventory.java 6
9d804f28c3c93cbac55f09da3461d
f358475516cebe4266616b9a6405919bf37f
InventoryDel.java 3
6140406fcfea6ff0ac62a5a9e7d4
e7ecffc42c611e671eb9f8cf3183c13298204
InventoryView.java 5
9de93490e7ddf885ba4c10c7cc8
55d4ff8e0dac261539a86d7720def8577357
JobCard.java 6
5b97dd80919cea169a4ecec9353c
59fdb1783f9707e92cc1371ef12329789edd
JobCardDel.java 3
05da5030619a9f0fe9bceab7d2fa
5b797190fadb1e0a36666fb74d5cdf528f00
JobCardView.java 5
6db8a5d94e64b521965ca8952f92
38d47cd226014b662d1c5b881f28e0450e6
Login.java 5
21fb4f1032f53094d2b556883f5c6
39f805958025a59510f713908e8326c3203b
LoginAdd.java 5
7e5b412469ab9bc99831b94b10a3
8ec9a7b58d792abcec9a7ada391424aaabfa
LoginDel.java 3
cc1ee47192821a027f2aea3a92f1
92cda33197d828b38fbdee5828af338d460
package.json 1
af08894e8f953b7d24829f588ff35
bb6c3360470027f7f61eebc4c44471f1452df
SplashScreen.java 3
127f1d598ff136a805ca964d041
terraform-examples- 1 bf901993535e776d39bf73684b0bd7f7807a
PAGE 46 OF 299
master/aws/aws_lambda_api/example- 54f22894b00e5f0c1afa69829a1a
project/package.json
terraform-examples-
f5ca14cab96e9b53906d49dc45ae5b15cdf5
master/aws/aws_lambda_api/example- 1
830beee2f2ce35000832809e0094
project/src/index.ts
terraform-examples-
a7e27b0de045457438e695a360bee617e9e
9db0f85c91e54d9c7451e78c3e1eb
project/src/types.d.ts
terraform-examples-
1977fcb6549b48b947bdd3c6a3a501cfdce3
86db9f82a7d045a45e74fedb5f68
project/tsconfig.json
terraform-examples- d164e2457a5b0eea3c83289fffffeeb91378a
4
master/aws/aws_reverse_proxy/lambda.tpl.js 04e7c3d88c9e267fc0d78a4c2e7
terraform-examples- 1eb85fc97224598dad1852b5d6483bbcf0a
12
master/aws/aws_vpc_msk/LICENSE a8608790dcc657a5a2a761ae9c8c6
terraform-examples-
a54e84937c86bb730ef39745c4fab2688873
master/azure/azure_linux_docker_app_service/examp 1
ed44f9a091287b9f08cde5386826
le-app/Dockerfile
terraform-examples-
6f9a763d45e1565dca540b5fa773b246fa0a
65b03fdbf1b7402e2007b1bcde47
le-app/index.js
terraform-examples-
7ece3c84a95e9930463084a6d65aedf72524
65b3407b2a700ecdc6871929fe3b
le-app/package.json
terraform-examples-
1d5a227cea59103b2b71ddf3adc826e4e58
01cdb02ea601c804bdb3cbb4caddd
le-app/package-lock.json
terraform-examples-
427de8c095da9328c58785f922e453c07c83
master/google_cloud/CQRS_bigquery_memorystore/ 1
299693c981aa9f51337ebd4695c1
bigquery/schemas/control.template.schema.json
terraform-examples-
7f1478f824b24132e3f6e35b37915dfa46dd
272f2bfd5ad517d1623f8389928f
bigquery/schemas/prober.schema.json
terraform-examples-
bef1bf47c3ab5ad643a6caec3ca1b5335a0b
6ab94770852be08d38d29d29b6a7
bigquery/schemas/report.schema.json
terraform-examples-
5f72555b88779484b21a7f1aac648688c838
784a3f401e22bda3125b01964ad3
bigquery/schemas/vendor1.schema.json
terraform-examples-
a8137c8c1625bea27774a4549c6e0fd408d3
f640d26b464d6ad58e9f6c1c1807
bigquery/sql/control_range_view.sql
terraform-examples-
3f928ac56d28abe67ff8db21755dd661493d
e97f9a1346206f3e2afd73ae58a1
bigquery/sql/daily_adjusted_totals.sql
terraform-examples-
571b6cfd48a17b530d79bbd8b7a9504f716f
193d745f96a81d2c890892189756
bigquery/sql/last_n_days_totals.sql
terraform-examples-
ef8e01f3d69fd5d2bd8ef945d856db7f019b
03f47afcdf43f4c126aa2f985327
bigquery/sql/unified_values.sql
PAGE 47 OF 299
terraform-examples-
4b956f846a7d8c7325168233d34ee417930
25347cdac6fd63db454cd55616614
bigquery/sql/vendor1_cleanup.sql
terraform-examples-
master/google_cloud/CQRS_bigquery_memorystore/ 707ff72c573ba9c87d8ecf0feedf7f8d54687
1
bigquery/udf/CUSTOM_JSON_EXTRACT_ARRAY_FLO 8f7f7af0ee8609fb5bacdd92588
AT.sql
terraform-examples-
98eaa0d9b242c9415b951dc92d981f62d52
e276918c96825c3249525a536c6db
bigquery/udf/jsonpath-0.8.0.js
terraform-examples-
aa4279cb6bee4ef3c0cad1d2490857614fe1
2f19dece6f6ba180640caabcb2ce
functions/src/materialize/index.js
terraform-examples-
008a8a1e117d0a27a3fc463d22e689f1cfd0
c5f56bef9ef208b4b05307a08d5d
functions/src/materialize/package.json
terraform-examples-
95ae32d3b544faf8b3510da28b37cddc9acd
f50b8fb18f8550bf344323b99e74
functions/src/memorystoreload/index.js
terraform-examples-
77bd4ac78ff4428e9c2190320b5040b81179
11c3b2b402dd2ec083d874c102bb
functions/src/memorystoreload/package.json
terraform-examples-
658e7de7741496c3e097a84f4b4fb1d0d75f
2b5dc660786ccb84b0224831d041
functions/src/probe/index.js
terraform-examples-
646121608bd4f6621cb02eb130901454348
21c58aae6224ed5b8257fbbecb2d2
functions/src/probe/package.json
terraform-examples-
a0bb7ea153457a59d28dc4506e67b2646de
24d5310550e9f1db0b3e1efc5c1ed
functions/src/test/index.js
terraform-examples-
1c0ca337cab898a538ebb4f2e8ce009e7582
9b0d28714aafed7da689a2fa4717
functions/src/test/package.json
terraform-examples-
3c10ff76e9d2bb49b8255a7f730f8189442e
master/google_cloud/openresty- 1
74bf714cb5b1ec13763152daef47
beyondcorp/docker-compose.yaml
terraform-examples-
19d73696268e8502693cfed9cb1445b1b32
master/google_cloud/openresty- 19
58d8d1dd5715bf2bf7e9b9eaba70f
beyondcorp/files/default.template.conf
f1fb255d4cfda55ca2f69d392392e3ae8b50
terraform-examples-master/LICENSE 2
112a603507803a0b8ae534039e4d
30fd85f8ab111f6d7cafa3c6a8634c3876b8c
terraform-examples-master/package.json 1
1f707b7766f8303c5f3931feb27
9853dbd461c386efcf21dec4e559bffcec839
terraform-examples-master/package-lock.json 4
ff762054aaa86a2b143e2721ee3
terraform-examples- 8497b932120094bc3d199fce38758344603
4
master/repotools/generate_readme.js 7ab6e42aae696f92e224a571706f7
7cbcc8f003c7ce8f7096013f8ba3d028489e6
Vendor.java 6
a958c465dffa232c301caca0d5d
VendorDel.java 3 98bfb2e8efc738a6fb971eeffb240a9a59c43
PAGE 48 OF 299
3fbf021da74a95c579b760c0f51
483091d7c814ead6beff34e8729ad991624e
VendorView.java 4
0516238e64b8dddcee055f322760
Scanned Queries
Query Name Issues Found
Blind SQL Injections 59
SQL Injection 59
CSRF 35
Information Exposure Through an Error Message 33
Improper Resource Access Authorization 20
Improper Resource Shutdown or Release 19
DB Parameter Tampering 14
Insufficient Logging of Database Actions 12
Heap Inspection 7
Parameter Tampering 6
Insufficiently Protected Credentials 4
Insufficient Logging of Exceptions 1
Missing CSP Header 1
Potentially Vulnerable To Csrf 1
Use of Deprecated or Obsolete Functions 1
Use Of HTTP Sensitive Data Exposure 1
Absolute Path Traversal 0
Akka Debug Loglevel Enabled 0
Akka Disabling Hostname Verification 0
Akka Encrypt Data Disabled 0
Akka Missing Max Age 0
Akka Serialize Enabled 0
Akka Untrusted Mode Enabled 0
Akka Verbose Mode Enabled 0
Angular Client DOM XSS 0
Angular Client Stored DOM XSS 0
Angular Deprecated API 0
Angular Improper Type Pipe Usage 0
Angular Usage of Unsafe DOM Sanitizer 0
AngularJS SCE Disabled 0
Authorization Bypass Through User Controlled SQL PrimaryKey 0
Avoid the Use of FinalizationRegistry 0
Avoid the Use of WeakRef 0
AWS Credentials Leak 0
CGI Reflected XSS All Clients 0
CGI Stored XSS 0
Channel Accessible by NonEndpoint 0
Citrus Developer Mode Enabled 0
Cleansing Canonicalization and Comparison Errors 0
Cleartext Storage Of Sensitive Information 0
Cleartext Submission of Sensitive Information 0
Client Cookies Inspection 0
PAGE 49 OF 299
Client Cross Frame Scripting Attack 0
Client Cross Session Contamination 0
Client CSS Injection 0
Client DB Parameter Tampering 0
Client DOM Code Injection 0
Client DOM Cookie Poisoning 0
Client DOM CSRF 0
Client DOM Open Redirect 0
Client DOM Stored Code Injection 0
Client DOM Stored XSS 0
Client DOM XSS 0
Client DoS By Sleep 0
Client Dynamic File Inclusion 0
Client Empty Password 0
Client Hardcoded Domain 0
Client Header Manipulation 0
Client Heuristic Poor XSS Validation 0
Client HTML5 Easy To Guess Database Name 0
Client HTML5 Heuristic Session Insecure Storage 0
Client HTML5 Information Exposure 0
Client HTML5 Insecure Storage 0
Client HTML5 Store Sensitive data In Web Storage 0
Client Insecure Randomness 0
Client Insufficient Key Size 0
Client JQuery Deprecated Symbols 0
Client Located JQuery Outdated Lib File 0
Client Manual CSRF Token Handling 0
Client Manual XHR Handling 0
Client Negative Content Length 0
Client Null Password 0
Client Overly Permissive Message Posting 0
Client Password In Comment 0
Client Password Weak Encryption 0
Client Path Manipulation 0
Client Potential Ad Hoc Ajax 0
Client Potential Code Injection 0
Client Potential DOM Open Redirect 0
Client Potential ReDoS In Match 0
Client Potential ReDoS In Replace 0
Client Potential XSS 0
Client Privacy Violation 0
Client ReDoS From Regex Injection 0
Client ReDoS In Match 0
Client ReDos In RegExp 0
Client ReDoS In Replace 0
Client Reflected File Download 0
Client Regex Injection 0
Client Remote File Inclusion 0
PAGE 50 OF 299
Client Resource Injection 0
Client Sandbox Allows Scripts With Same Origin 0
Client Second Order Sql Injection 0
Client Server Empty Password 0
Client SQL Injection 0
Client State Saving Method JSF 0
Client Untrusted Activex 0
Client Use Of Deprecated SQL Database 0
Client Use Of Iframe Without Sandbox 0
Client Use Of JQuery Deprecated Version 0
Client Weak Cryptographic Hash 0
Client Weak Encryption 0
Client Weak Password Authentication 0
Client XPATH Injection 0
Clipboard Information Leakage 0
Code Injection 0
Collapse of Data into Unsafe Value 0
Command Argument Injection 0
Command Injection 0
Connection String Injection 0
Cookie Overly Broad Path 0
Cookie Poisoning 0
Cordova Code Injection 0
Cordova File Disclosure 0
Cordova File Manipulation 0
Cordova Insufficient Domain Whitelist 0
Cordova Missing Content Security Policy 0
Cordova Open Redirect 0
Cordova Permissive Content Security Policy 0
Cordova Privacy Violation 0
Creation of Temp File in Dir with Incorrect Permissions 0
Creation of Temp File With Insecure Permissions 0
Cross Site History Manipulation 0
CSV Injection 0
Dangerous File Inclusion 0
Dangling Database Cursor 0
Data Leak Between Sessions 0
DB Control of System or Config Setting 0
Declaration of Multiple Vue Components per File 0
Declaration of Vue Component Data as Property 0
Default Definer Rights in Method Definition 0
Default Definer Rights in Package or Object Definition 0
Deprecated API 0
Deserialization of Untrusted Data 0
Deserialization of Untrusted Data in JMS 0
Direct Use of Unsafe JNI 0
Divide By Zero 0
DoS by Sleep 0
PAGE 51 OF 299
DoS By Sleep 0
Download of Code Without Integrity Check 0
Dynamic Set Of Null SecurityManager 0
DynamoDB NoSQL Injection 0
Empty Password In Connection String 0
ESAPI Same Password Repeats Twice 0
Escape False 0
Excessive Data Exposure 0
Exposure of System Data 0
Expression Language Injection EL 0
Expression Language Injection MVEL 0
Expression Language Injection OGNL 0
Expression Language Injection SPEL 0
External Control of Critical State Data 0
External Control of System or Config Setting 0
External XML Entities XXE 0
File Permissions World Readable 0
Frameable Login Page 0
GWT DOM XSS 0
GWT Reflected XSS 0
Hardcoded Absolute Path 0
Hardcoded AWS Credentials 0
Hardcoded password in Connection String 0
Heuristic 2nd Order SQL Injection 0
Heuristic CGI Stored XSS 0
Heuristic CSRF 0
Heuristic DB Parameter Tampering 0
Heuristic Parameter Tampering 0
Heuristic SQL Injection 0
Heuristic Stored XSS 0
HTTP Response Splitting 0
HttpOnlyCookies 0
HttpOnlyCookies In Config 0
Improper Build Of Sql Mapping 0
Improper Exception Handling 0
Improper Locking 0
Improper Privilege Management 0
Improper Resource Locking 0
Improper Restriction of Stored XXE Ref 0
Improper Restriction of XXE Ref 0
Improper Session Management 0
Improper Transaction Handling 0
Inadequate Encryption Strength 0
Inconsistent Component Top Level Elements Ordering 0
Inconsistent use of Directive Shorthands 0
Incorrect Permission Assignment For Critical Resources 0
Information Exposure Through Debug Log 0
Information Exposure Through Directory Listing 0
PAGE 52 OF 299
Information Exposure Through Log Files 0
Information Exposure Through Query String 0
Information Exposure Through Query Strings 0
Information Exposure Through Server Log 0
Information Leak Through Comments 0
Information Leak Through Persistent Cookies 0
Information Leak Through Shell Error Message 0
Input Path Not Canonicalized 0
Insecure Direct Object References 0
Insecure Storage of Sensitive Data 0
Insecure Text Entry 0
Insecure Value of the SameSite Cookie Attribute in Code 0
Insufficient Session Expiration 0
Insufficient Transport Layer Security 0
Integer Overflow 0
Integer Underflow 0
Jelly Injection 0
Jelly XSS 0
JSF CSRF 0
JSF Local File Inclusion 0
JSF Managed Bean PII Leak 0
JSON Hijacking 0
Just One of Equals and Hash code Defined 0
JWT Excessive Expiration Time 0
JWT Lack Of Expiration Time 0
JWT No Expiration Time Validation 0
JWT No NotBefore Validation 0
JWT No Signature Verification 0
JWT Sensitive Information Exposure 0
JWT Use Of Hardcoded Secret 0
JWT Use Of None Algorithm 0
Kony Code Injection 0
Kony Deprecated Functions 0
Kony Hardcoded EncryptionKey 0
Kony Information Leakage 0
Kony Path Injection 0
Kony Reflected XSS 0
Kony Second Order SQL Injection 0
Kony SQL Injection 0
Kony Stored Code Injection 0
Kony Stored XSS 0
Kony Unsecure Browser Configuration 0
Kony Unsecure iOSBrowser Configuration 0
Kony URL Injection 0
Kony Use WeakEncryption 0
Kony Use WeakHash 0
LDAP Injection 0
Leaving Temporary File 0
PAGE 53 OF 299
Lightning Aura Attribute With Object Type 0
Lightning Component Bad Naming 0
Lightning Data Retrieval Without Wire Decorator 0
Lightning DOM XSS 0
Lightning Dynamic Href In Anchor Tag 0
Lightning Stored XSS 0
Lightning Use of Aura Component 0
Lightning Use of LWC Event Bubbling 0
Lightning Use of Same Controller Method In Different Components 0
Log Forging 0
Logic Time Bomb 0
Missing Content Security Policy 0
Missing Encryption of Sensitive Data 0
Missing HSTS Header 0
Missing Password Field Masking 0
Missing Root Or Jailbreak Check 0
Missing Secure Flag 0
Missing X Frame Options 0
Mongo NoSQL Injection 0
MongoDB NoSQL Injection 0
Multiple Binds to the Same Port 0
Not Using a Random IV 0
Not Using a Random IV with CBC Mode 0
Null Password 0
Object Hijack 0
Off by One Error 0
Open Redirect 0
Overly Permissive Cross Origin Resource Sharing Policy 0
Parse Double DoS 0
Password In Comment 0
Password Weak Encryption 0
Permission Manipulation in S3 0
Permissive Content Security Policy 0
Plaintext Storage in a Cookie 0
Plaintext Storage of a Password 0
Poor Database Access Control 0
Portability Flaw In File Separator 0
Portability Flaw Locale Dependent Comparison 0
Potential Clickjacking on Legacy Browsers 0
Potential Code Injection 0
Potential Command Injection 0
Potential Connection String Injection 0
Potential GWT Reflected XSS 0
Potential Hardcoded password in Connection String 0
Potential I Reflected XSS All Clients 0
Potential IO Reflected XSS All Clients 0
Potential LDAP Injection 0
Potential O Reflected XSS All Clients 0
PAGE 54 OF 299
Potential Parameter Tampering 0
Potential ReDoS 0
Potential ReDoS By Injection 0
Potential ReDoS In Match 0
Potential ReDoS In Replace 0
Potential ReDoS In Static Field 0
Potential Resource Injection 0
Potential SpringShell 0
Potential SQL Injection 0
Potential Stored XSS 0
Potential Usage of Vulnerable Log4J 0
Potential Use of Hard coded Cryptographic Key 0
Potential UTF7 XSS 0
Potential XPath Injection 0
Potential XXE Injection 0
Privacy Violation 0
Private Array Returned From A Public Method 0
Process Control 0
Prototype Pollution 0
Public Data Assigned to Private Array 0
Public Static Final References Mutable Object 0
Race Condition 0
Race Condition Concurrent Instances 0
Race Condition Format Flaw 0
Race Condition Global Scope 0
Reachable Assertion 0
React Deprecated 0
React Multiple Classes With Same Name 0
ReDoS From Regex Injection 0
ReDoS In Match 0
ReDoS In Pattern 0
ReDOS in RegExp 0
ReDoS In Replace 0
Reflected Environment Injection 0
Reflected XSS 0
Reflected XSS All Clients 0
Relative Path Traversal 0
Reliance on Cookies in a Decision 0
Reliance on Cookies without Validation 0
Reliance on DNS Lookups in a Decision 0
Resource Injection 0
Reversible One Way Hash 0
Same Seed in PRNG 0
SAPUI5 Custom OData Model 0
SAPUI5 Deprecated Symbols 0
SAPUI5 Hardcoded UserId In Comments 0
SAPUI5 OData Call Without Batch Mode 0
SAPUI5 Potential Malicious File Upload 0
PAGE 55 OF 299
SAPUI5 Use Of Hardcoded URL 0
Second Order SQL Injection 0
Security Misconfiguration 0
Sensitive Cookie in HTTPS Session Without Secure Attribute 0
Sensitive Information Over HTTP 0
Serializable Class Containing Sensitive Data 0
Server DoS by loop 0
Server DoS by sleep 0
Session Fixation 0
Spring Argon2 Insecure Parameters 0
Spring BCrypt Insecure Parameters 0
Spring Comparison Timing Attack 0
Spring CSRF 0
Spring defaultHtmlEscape Not True 0
Spring Missing Content Security Policy 0
Spring Missing Expect CT Header 0
Spring Missing Function Level Authorization 0
Spring Missing HSTS Header 0
Spring Missing Object Level Authorization 0
Spring Missing X Content Type Options 0
Spring Missing X Frame Options 0
Spring Missing XSS Protection Header 0
Spring ModelView Injection 0
Spring Overly Permissive Cross Origin Resource Sharing Policy 0
Spring PBKDF2 Insecure Parameters 0
Spring Permissive Content Security Policy 0
Spring SCrypt Insecure Parameters 0
Spring Use of Broken or Risky Cryptographic Primitive 0
Spring Use Of Hardcoded Password 0
Spring View SPEL Injection 0
Spring XSRF 0
SQL Injection Evasion Attack 0
SSL Verification Bypass 0
SSRF 0
Stored Absolute Path Traversal 0
Stored Boundary Violation 0
Stored Code Injection 0
Stored Command Argument Injection 0
Stored Command Injection 0
Stored Environment Injection 0
Stored External XML Entities XXE 0
Stored HTTP Response Splitting 0
Stored LDAP Injection 0
Stored Log Forging 0
Stored Mongo NoSQL Injection 0
Stored Open Redirect 0
Stored Path Traversal 0
Stored Relative Path Traversal 0
PAGE 56 OF 299
Stored XPath Injection 0
Stored XSS 0
Storing Passwords in a Recoverable Format 0
Struts Duplicate Config Files 0
Struts Duplicate Form Bean 0
Struts Duplicate Validation Files 0
Struts Duplicate Validation Forms 0
Struts Form Does Not Extend Validation Class 0
Struts Form Field Without Validator 0
Struts Incomplete Validate Method Definition 0
Struts Mapping to Missing Form Bean 0
Struts Non Private Field In ActionForm Class 0
Struts Thread Safety Violation In Action Class 0
Struts Unused Validation Form 0
Struts Unvalidated Action Form 0
Struts Validation Turned Off 0
Struts Validator Without Form Field 0
Struts2 Action Field Without Validator 0
Struts2 Duplicate Action Field Validators 0
Struts2 Duplicate Validators 0
Suspected XSS 0
Suspicious Endpoints 0
TOCTOU 0
TruffleHog HighEntropy Strings 0
TruffleHog Regex Matches 0
Trust Boundary Violation in Session Variables 0
Uncaught Exception 0
Unchecked Input for Loop Condition 0
Unchecked Input For Loop Condition 0
Unchecked Return Value to NULL Pointer Dereference 0
Uncontrolled Format String 0
Uncontrolled Memory Allocation 0
Undocumented API 0
Unencrypted Sensitive Data Storage 0
Unnormalize Input String 0
Unprotected Cookie 0
Unrestricted Delete S3 0
Unrestricted File Upload 0
Unrestricted Read S3 0
Unrestricted Write S3 0
Unsafe JNDI Lookup 0
Unsafe Object Binding 0
Unsafe Reflection 0
Unsafe Use Of Target blank 0
Unsynchronized Access To Shared Data 0
Unvalidated Forwards 0
Unvalidated SSL Certificate Hostname 0
Use of a One Way Hash with a Predictable Salt 0
PAGE 57 OF 299
Use of a One Way Hash without a Salt 0
Use of Broken or Risky Cryptographic Algorithm 0
Use Of Broken Or Risky Cryptographic Algorithm 0
Use of Client Side Authentication 0
Use Of Controlled Input On Sensitive Field 0
Use of Cryptographically Weak PRNG 0
Use Of getenv 0
Use of Hard coded Cryptographic Key 0
Use of Hard coded Security Constants 0
Use of Hardcoded Cryptographic Key On Server 0
Use Of Hardcoded Password 0
Use Of Hardcoded Password In Config 0
Use of Implicit Types on Vue Component Props 0
Use of Insufficiently Random Values 0
Use of Native Language 0
Use of Non Cryptographic Random 0
Use of RSA Algorithm without OAEP 0
Use of Single Word Named Vue Components 0
Use of System exit 0
Use of vif and vfor On Same Element 0
User Based SDK Configurations 0
Using Referer Field for Authentication 0
UTF7 XSS 0
VF Remoting Client Potential Code Injection 0
VF Remoting Client Potential CSRF 0
VF Remoting Client Potential XSS 0
Vue DOM XSS 0
XML External Entities XXE 0
XPath Injection 0
XQuery Injection 0
XS Code Injection 0
XS CSRF 0
XS Log Injection 0
XS Open Redirect 0
XS Overly Permissive CORS 0
XS Parameter Tampering 0
XS Potentially Vulnerable To Clickjacking 0
XS Reflected XSS 0
XS Response Splitting 0
XS Second Order SQL Injection 0
XS SQL Injection 0
XS Stored Code Injection 0
XS Stored XSS 0
XS Unencrypted Data Transfer 0
XS Use Of Hardcoded URL 0
PAGE 58 OF 299
Scan Results Details
SQL Injection
Query Path:
Java\Cx\Java High Risk\SQL Injection Version:4
Categories
PCI DSS v3.2.1: PCI DSS (3.2.1) - 6.5.1 - Injection flaws - particularly SQL injection
OWASP Top 10 2013: A1-Injection
FISMA 2014: System And Information Integrity
NIST SP 800-53: SI-10 Information Input Validation (P1)
OWASP Mobile Top 10 2016: M7-Client Code Quality
OWASP Top 10 API: API8-Injection
MOIS(KISA) Secure Coding 2021: MOIS(KISA) Verification and representation of input data
SANS top 25: SANS top 25
CWE top 25: CWE top 25
OWASP ASVS: V05 Validation, Sanitization and Encoding
ASA Mobile Premium: ASA Mobile Premium
ASA Premium: ASA Premium
Top Tier: Top Tier
ASD STIG 5.2: APSC-DV-002540 - CAT I The application must not be vulnerable to SQL Injection.
Description
SQL Injection\Path 1:
Severity High
Result State To Verify
Online Results https://cxapactrial.checkmarx.net/CxWebClient/ViewerMain.aspx?scanid=1011402&projec
tid=4262&pathid=50
Result Comment
Status New
Detection Date 8/23/2023 8:24:23 AM
The application's actionPerformed method executes an SQL query with executeUpdate, at line 58 of
LoginDel.java. The application constructs this SQL query by embedding an untrusted string into the query
without proper sanitization. The concatenated string is submitted to the database, where it is parsed and
executed accordingly.
An attacker would be able to inject arbitrary syntax and data into the SQL query, by crafting a malicious
payload and providing it via the input getText; this input is then read by the actionPerformed method at line
58 of LoginDel.java. This input then flows through the code, into a query and to the database server - without
sanitization.
This may enable an SQL Injection attack.
Source Destination
File LoginDel.java LoginDel.java
Line 61 73
Object getText executeUpdate
PAGE 59 OF 299
Code Snippet
File Name LoginDel.java
Method public void actionPerformed(ActionEvent e)
....
61. String delstr = LoginDel_Id.getText();
....
70. String query = "DELETE * FROM Login E WHERE E.User = '"+delstr+"'";
....
73. int result = stmt.executeUpdate ( query );
Severity High
tid=4262&pathid=51
Result Comment
Status New
LoginAdd.java. The application constructs this SQL query by embedding an untrusted string into the query
131 of LoginAdd.java. This input then flows through the code, into a query and to the database server -
without sanitization.
Source Destination
File LoginAdd.java LoginAdd.java
Line 139 148
Code Snippet
File Name LoginAdd.java
....
139. String sUser = User.getText();
....
144. String query =" INSERT INTO Login(User,Password,Type,Name,Contact)
VALUES
('"+sUser+"','"+sPassword+"','"+sType+"','"+sName+"','"+sContact+"')";
....
Severity High
PAGE 60 OF 299
tid=4262&pathid=52
Result Comment
Status New
Source Destination
Line 140 148
Code Snippet
....
140. String sName = Name.getText();
....
VALUES
....
Severity High
Result State Not Exploitable
tid=4262&pathid=53
Result Comment Bhawani Singh Test JMSK, [Monday, August 7, 2023 7:48:12 AM]: Changed status to Not
Exploitable
Bhawani Singh Test JMSK, [Monday, August 7, 2023 7:48:01 AM]: this is fp because i am
using a custom sanitization method.
Status New
PAGE 61 OF 299
Source Destination
Line 142 148
Code Snippet
....
142. String sContact = Contact.getText();
....
VALUES
....
Severity High
tid=4262&pathid=54
Result Comment
Status New
Vendor.java. The application constructs this SQL query by embedding an untrusted string into the query
146 of Vendor.java. This input then flows through the code, into a query and to the database server - without
sanitization.
Source Destination
File Vendor.java Vendor.java
Line 148 165
Code Snippet
PAGE 62 OF 299
File Name Vendor.java
....
148. String sVendor_Name = Vendor_Name.getText();
....
158. String query =" INSERT INTO Vendor
(Vendor_name,Contact_Person,Phone,Fax,Mobile,email,Cargo_Name,Remark,Dat
e_In) VALUES
('"+sVendor_Name+"','"+sContact_Person+"','"+sPhone+"','"+sFax+"','"+sMo
bile+"','"+semail+"','"+sCargo_Name+"','"+sRemark+"','"+sDate_In+"')";
....
Severity High
tid=4262&pathid=55
Result Comment
Status New
sanitization.
Source Destination
Line 149 165
Code Snippet
....
149. String sContact_Person = Contact_Person.getText();
....
e_In) VALUES
....
PAGE 63 OF 299
Severity High
tid=4262&pathid=56
Result Comment
Status New
sanitization.
Source Destination
Line 150 165
Code Snippet
....
150. String sPhone = Phone.getText();
....
e_In) VALUES
....
Severity High
tid=4262&pathid=57
Result Comment
Status New
PAGE 64 OF 299
sanitization.
Source Destination
Line 151 165
Code Snippet
....
151. String sFax = Fax.getText();
....
e_In) VALUES
....
Severity High
tid=4262&pathid=58
Result Comment
Status New
sanitization.
Source Destination
Line 152 165
PAGE 65 OF 299
Code Snippet
....
152. String sMobile = Mobile.getText();
....
e_In) VALUES
....

Severity High
tid=4262&pathid=59
Result Comment
Status New
Inventory.java. The application constructs this SQL query by embedding an untrusted string into the query
149 of Inventory.java. This input then flows through the code, into a query and to the database server -
Source Destination
File Inventory.java Inventory.java
Line 152 169
Code Snippet
File Name Inventory.java
PAGE 66 OF 299
....
152. String sstyle_id= style_id.getText();
....
162. String query =" INSERT INTO
Inventory(Style_ID,Vendor_ID,In_Date,Gold,Gold_wt,Stone_Type,Stone_Weigh
t,Stone_numbers,Details) VALUES
('"+sstyle_id+"','"+sVendor_id+"','"+sin_date+"','"+sgold_cr+"','"+sgold
_wt+"','"+sstone_type+"','"+sstone_wt+"','"+sstone_number+"','"+sdetails
+"')";
....

Severity High
tid=4262&pathid=60
Result Comment
Status New
sanitization.
Source Destination
Line 153 165
Code Snippet
....
153. String semail = email.getText();
....
e_In) VALUES
....
PAGE 67 OF 299
Severity High
tid=4262&pathid=61
Result Comment
Status New
Source Destination
Line 153 169
Code Snippet
....
153. String sVendor_id = Vendor_id.getText();
....
+"')";
....

Severity High
tid=4262&pathid=62
Result Comment
Status New
PAGE 68 OF 299
sanitization.
Source Destination
Line 154 165
Code Snippet
....
154. String sCargo_Name = Cargo_Name.getText();
....
e_In) VALUES
....

Severity High
tid=4262&pathid=63
Result Comment
Status New
Source Destination
Line 154 169
PAGE 69 OF 299
Code Snippet
....
154. String sin_date = in_date.getText();
....
+"')";
....

Severity High
tid=4262&pathid=64
Result Comment
Status New
sanitization.
Source Destination
Line 155 165
Code Snippet
PAGE 70 OF 299
....
155. String sRemark = Remark.getText();
....
e_In) VALUES
....

Severity High
tid=4262&pathid=65
Result Comment
Status New
Source Destination
Line 155 169
Code Snippet
....
155. String sgold_cr = gold_cr.getText();
....
+"')";
....
PAGE 71 OF 299
Severity High
tid=4262&pathid=66
Result Comment
Status New
sanitization.
Source Destination
Line 156 165
Code Snippet
....
156. String sDate_In = Date_In.getText();
....
e_In) VALUES
....

Severity High
tid=4262&pathid=67
Result Comment
Status New
PAGE 72 OF 299
Source Destination
Line 156 169
Code Snippet
....
156. String sgold_wt = gold_wt.getText();
....
+"')";
....

Severity High
tid=4262&pathid=68
Result Comment
Status New
Source Destination
Line 157 169
PAGE 73 OF 299
Code Snippet
....
157. String sstone_type = stone_type.getText();
....
+"')";
....

Severity High
tid=4262&pathid=69
Result Comment
Status New
Source Destination
Line 158 169
Code Snippet
PAGE 74 OF 299
....
158. String sstone_wt = stone_wt.getText();
....
+"')";
....

Severity High
tid=4262&pathid=70
Result Comment
Status New
Source Destination
Line 159 169
Code Snippet
....
159. String sstone_number = stone_number.getText();
....
+"')";
....
PAGE 75 OF 299
Severity High
tid=4262&pathid=72
Result Comment
Status New
Source Destination
Line 160 169
Code Snippet
....
160. String sdetails = details.getText();
....
+"')";
....

Severity High
tid=4262&pathid=73
Result Comment
Status New
JobCard.java. The application constructs this SQL query by embedding an untrusted string into the query
PAGE 76 OF 299
161 of JobCard.java. This input then flows through the code, into a query and to the database server - without
sanitization.
Source Destination
File JobCard.java JobCard.java
Line 164 180
Code Snippet
File Name JobCard.java
....
164. String sCustomer_Id = Customer_Id.getText();
....
Job_Card(Customer_ID,Style_ID,Order_Date,Due_Date,Estimated_Cost,Remarks
,Amount_Advance,Salesman,Current_Status) VALUES
('"+sCustomer_Id+"','"+sStyle_Id+"','"+sOrder_Date+"','"+sDue_Date+"','"
+sE_Cost+"','"+sRemark+"','"+sAmount_Pay+"','"+sSalesMan+"','"+com+"')";
....

Severity High
tid=4262&pathid=74
Result Comment
Status New
sanitization.
Source Destination
Line 165 180
PAGE 77 OF 299
Code Snippet
....
165. String sStyle_Id= Style_Id.getText();
....
....

Severity High
tid=4262&pathid=75
Result Comment
Status New
sanitization.
Source Destination
Line 166 180
Code Snippet
PAGE 78 OF 299
....
166. String sOrder_Date = Order_Date.getText();
....
....

Severity High
tid=4262&pathid=76
Result Comment
Status New
sanitization.
Source Destination
Line 167 180
Code Snippet
....
167. String sDue_Date = Due_Date.getText();
....
....
PAGE 79 OF 299
Severity High
tid=4262&pathid=77
Result Comment
Status New
sanitization.
Source Destination
Line 168 180
Code Snippet
....
168. String sE_Cost = E_Cost.getText();
....
....

Severity High
tid=4262&pathid=78
Result Comment
Status New
PAGE 80 OF 299
sanitization.
Source Destination
Line 169 180
Code Snippet
....
....
....

Severity High
tid=4262&pathid=79
Result Comment
Status New
sanitization.
Source Destination
Line 170 180
PAGE 81 OF 299
Code Snippet
....
170. String sAmount_Pay = Amount_Pay.getText();
....
....

Severity High
tid=4262&pathid=80
Result Comment
Status New
sanitization.
Source Destination
Line 171 180
Code Snippet
PAGE 82 OF 299
....
171. String sSalesMan = SalesMan.getText();
....
....

Severity High
tid=4262&pathid=81
Result Comment
Status New
Customer.java. The application constructs this SQL query by embedding an untrusted string into the query
184 of Customer.java. This input then flows through the code, into a query and to the database server -
Source Destination
File Customer.java Customer.java
Line 190 214
Code Snippet
File Name Customer.java
....
190. String sAddress = Address.getText();
....
Customer(Date_In,Name,Address,Phone,Wedding_Aniv,Birthday,Ring_Husband,R
ing_Wife,Ring_Other,Visits,credit,Style_Id,Remark) VALUES
('"+sDate_In+"','"+sCustomer_Name+"','"+sAddress+"','"+sPhone+"','"+sWed
ding_Aniv+"','"+sBirthday+"','"+sRing_Husband+"','"+sRing_Wife+"','"+sRi
ng_Other+"','"+sVisits+"','"+scredit+"','"+sStyle_Id+"','"+sRemark+"')";
....
PAGE 83 OF 299
Severity High
tid=4262&pathid=82
Result Comment
Status New
Source Destination
Line 191 214
Code Snippet
....
....
....

Severity High
tid=4262&pathid=84
Result Comment
Status New
PAGE 84 OF 299
Source Destination
Line 193 214
Code Snippet
....
193. String sBirthday = Birthday.getText();
....
....

Severity High
tid=4262&pathid=85
Result Comment
Status New
Source Destination
Line 194 214
PAGE 85 OF 299
Code Snippet
....
194. String sRing_Husband = Ring_Husband.getText();
....
....

Severity High
tid=4262&pathid=86
Result Comment
Status New
Source Destination
Line 195 214
Code Snippet
PAGE 86 OF 299
....
195. String sRing_Wife= Ring_Wife.getText();
....
....

Severity High
tid=4262&pathid=88
Result Comment
Status New
Source Destination
Line 196 214
Code Snippet
....
196. String sRing_Other = Ring_Other.getText();
....
....
PAGE 87 OF 299
Severity High
tid=4262&pathid=90
Result Comment
Status New
Source Destination
Line 197 214
Code Snippet
....
197. String sVisits = Visits.getText();
....
....

Severity High
tid=4262&pathid=92
Result Comment
Status New
PAGE 88 OF 299
Source Destination
Line 198 214
Code Snippet
....
198. String scredit = credit.getText();
....
....

Severity High
tid=4262&pathid=94
Result Comment
Status New
Source Destination
Line 199 214
PAGE 89 OF 299
Code Snippet
....
199. String sStyle_Id = Style_Id.getText();
....
....

Severity High
tid=4262&pathid=96
Result Comment
Status New
Source Destination
Line 200 214
Code Snippet
PAGE 90 OF 299
....
....
....

Severity High
tid=4262&pathid=98
Result Comment
Status New
The application's actionPerformed method executes an SQL query with executeQuery, at line 101 of
Login.java. The application constructs this SQL query by embedding an untrusted string into the query without
proper sanitization. The concatenated string is submitted to the database, where it is parsed and executed
accordingly.
101 of Login.java. This input then flows through the code, into a query and to the database server - without
sanitization.
Source Destination
File Login.java Login.java
Line 109 121
Object getText executeQuery
Code Snippet
File Name Login.java
Method public void actionPerformed(ActionEvent e)//throws SQLException
....
109. String SUser = User.getText();
....
119. String query = new String("SELECT * FROM Login L WHERE
L.User='"+SUser+"' ");
....
121. rs = stmt.executeQuery ( query );

Severity High
PAGE 91 OF 299
tid=4262&pathid=99
Result Comment
Status New
Billing.java. The application constructs this SQL query by embedding an untrusted string into the query
206 of Billing.java. This input then flows through the code, into a query and to the database server - without
sanitization.
Source Destination
File Billing.java Billing.java
Line 210 241
Code Snippet
File Name Billing.java
....
....
225. if(sCustomer_Id.equals(""))
....
239. String qCustom = "SELECT Customer_ID FROM Job_Card WHERE
Customer_ID = '"+sCustomer_Id+"'";
....
241. res = stmtCustom.executeQuery ( qCustom );

Severity High
tid=4262&pathid=100
Result Comment
Status New
PAGE 92 OF 299
sanitization.
Source Destination
Line 214 313
Code Snippet
....
214. String sWeight = Weight.getText();
....
306. String query =new String(" INSERT INTO
Billing(Customer_ID,Job_ID,Bill_Date,Stone_Numbers,Weight,Net_Weight,Gro
ss_error,Weight_error,Gold_purity,Total_Price,Payment_Mode,Discount,Deta
ils) VALUES
('"+sCustomer_Id+"','"+sJob_Id+"','"+sBill_Date+"','"+sStone_Numbers+"',
'"+sWeight+"','"+sNet_Weight+"','"+sGross_Err+"','"+sWeight_Err+"','"+sG
old_Purity+"','"+sTotal_Price+"','"+com+"','"+sDiscount+"','"+sDetails+"
')");
....

Severity High
tid=4262&pathid=101
Result Comment
Status New
sanitization.
Source Destination
Line 221 313
PAGE 93 OF 299
Code Snippet
....
221. String sDiscount = Discount.getText();
....
ils) VALUES
')");
....

Severity High
tid=4262&pathid=102
Result Comment
Status New
sanitization.
Source Destination
Line 222 313
Code Snippet
PAGE 94 OF 299
....
222. String sDetails = Details.getText();
....
ils) VALUES
')");
....

Severity High
tid=4262&pathid=103
Result Comment
Status New
sanitization.
Source Destination
Line 211 316
Code Snippet
....
211. String sJob_Id = Job_Id.getText();
....
255. if(sJob_Id.equals(""))
....
308. String query1 = new String("SELECT Amount_Advance FROM Job_Card
WHERE Job_ID = "+sJob_Id+"");
....
316. rs1 = stmt1.executeQuery ( query1 );
PAGE 95 OF 299
Severity High
tid=4262&pathid=105
Result Comment
Status New
sanitization.
Source Destination
Line 212 313
Code Snippet
....
212. String sBill_Date = Bill_Date.getText();
....
261. if(sBill_Date.equals(""))
....
ils) VALUES
')");
....

Severity High
tid=4262&pathid=106
Result Comment
Status New
PAGE 96 OF 299
sanitization.
Source Destination
Line 213 313
Code Snippet
....
213. String sStone_Numbers = Stone_Numbers.getText();
....
267. if(sStone_Numbers.equals(""))
....
ils) VALUES
')");
....

Severity High
tid=4262&pathid=107
Result Comment
Status New
PAGE 97 OF 299
sanitization.
Source Destination
Line 215 313
Code Snippet
....
215. String sNet_Weight = Net_Weight.getText();
....
273. if(sNet_Weight.equals(""))
....
ils) VALUES
')");
....

Severity High
tid=4262&pathid=108
Result Comment
Status New
sanitization.
Source Destination
Line 216 313
PAGE 98 OF 299
Code Snippet
....
216. String sGross_Err = Gross_Err.getText();
....
279. if(sGross_Err.equals(""))
....
ils) VALUES
')");
....

Severity High
tid=4262&pathid=109
Result Comment
Status New
sanitization.
Source Destination
Line 217 313
Code Snippet
PAGE 99 OF 299
....
217. String sWeight_Err= Weight_Err.getText();
....
285. if(sWeight_Err.equals(""))
....
ils) VALUES
')");
....

Severity High
tid=4262&pathid=110
Result Comment
Status New
sanitization.
Source Destination
Line 218 313
Code Snippet
PAGE 100 OF 299

....
218. String sGold_Purity = Gold_Purity.getText();
....
291. if(sGold_Purity.equals(""))
....
ils) VALUES
')");
....

Severity High
tid=4262&pathid=111
Result Comment
Status New
sanitization.
Source Destination
Line 219 313
Code Snippet
PAGE 101 OF 299

....
219. String sTotal_Price = Total_Price.getText();
....
297. if(sTotal_Price.equals(""))
....
ils) VALUES
')");
....

Severity High
tid=4262&pathid=112
Result Comment
Status New
VendorView.java. The application constructs this SQL query by embedding an untrusted string into the query
75 of VendorView.java. This input then flows through the code, into a query and to the database server -
Source Destination
File VendorView.java VendorView.java
Line 77 105
Code Snippet
File Name VendorView.java
PAGE 102 OF 299

....
77. String str = tf.getText();
....
83. if(!str.equals(""))
....
92. str1 = "'"+str+"'";
93. query = "SELECT * FROM Vendor E WHERE E."+com+" = "+str1;
....
105. rs = stmt.executeQuery(query);

Severity High
tid=4262&pathid=113
Result Comment
Status New
BillingView.java. The application constructs this SQL query by embedding an untrusted string into the query
75 of BillingView.java. This input then flows through the code, into a query and to the database server -
Source Destination
File BillingView.java BillingView.java
Line 77 105
Code Snippet
File Name BillingView.java
....
....
....
92. str1 = "'"+str+"'";
93. query = "SELECT * FROM Billing E WHERE E."+com+" = "+str1;
....

Severity High
Result State Not Exploitable
PAGE 103 OF 299

tid=4262&pathid=114
Result Comment Bhawani Singh JMS-VSCode, [Wednesday, November 30, 2022 10:47:54 AM]: Changed
status to Not Exploitable
Bhawani Singh JMS-VSCode, [Wednesday, November 30, 2022 10:47:51 AM]: explanation
is accepted.
Bhawani Singh JMS-VSCode, [Wednesday, November 30, 2022 10:47:32 AM]: Changed
status to Proposed Not Exploitable
Bhawani Singh JMS-VSCode, [Wednesday, November 30, 2022 10:47:29 AM]: This is a fp
because i am using a custom sanitization method.
Status New
CustomerView.java. The application constructs this SQL query by embedding an untrusted string into the
query without proper sanitization. The concatenated string is submitted to the database, where it is parsed
and executed accordingly.
75 of CustomerView.java. This input then flows through the code, into a query and to the database server -
Source Destination
File CustomerView.java CustomerView.java
Line 77 105
Code Snippet
File Name CustomerView.java
....
....
....
92. str1 = "'"+str+"'";
93. query = "SELECT * FROM Customer E WHERE E."+com+" = "+str1;
....

Severity High
tid=4262&pathid=115
Result Comment
Status New
PAGE 104 OF 299

InventoryView.java. The application constructs this SQL query by embedding an untrusted string into the
75 of InventoryView.java. This input then flows through the code, into a query and to the database server -
Source Destination
File InventoryView.java InventoryView.java
Line 77 105
Code Snippet
File Name InventoryView.java
....
....
....
92. str1 = "'"+str+"'";
93. query = "SELECT * FROM Inventory E WHERE E."+com+" = "+str1;
....

Severity High
tid=4262&pathid=116
Result Comment
Status New
JobCardView.java. The application constructs this SQL query by embedding an untrusted string into the query
80 of JobCardView.java. This input then flows through the code, into a query and to the database server -
Source Destination
File JobCardView.java JobCardView.java
PAGE 105 OF 299

Line 82 110
Code Snippet
File Name JobCardView.java
....
....
....
97. str1 = "'"+str+"'";
98. query = "SELECT * FROM Job_Card E WHERE E."+com+" = "+str1;
....

Severity Medium
tid=4262&pathid=83
Result Comment Bhawani Singh JMS test Ask, [Thursday, May 18, 2023 10:53:24 AM]: Changed severity to
Medium
Status New
Source Destination
Line 192 214
Code Snippet
PAGE 106 OF 299

....
192. String sWedding_Aniv = Wedding_Aniv.getText();
....
....
CSRF
Query Path:
Java\Cx\Java Medium Threat\CSRF Version:6
Categories
PCI DSS v3.2.1: PCI DSS (3.2.1) - 6.5.9 - Cross-site request forgery
OWASP Top 10 2013: A8-Cross-Site Request Forgery (CSRF)
NIST SP 800-53: SC-23 Session Authenticity (P1)
OWASP Top 10 2021: A1-Broken Access Control
OWASP ASVS: V13 API and Web Service
ASD STIG 5.2: APSC-DV-002500 - CAT II The application must protect from Cross-Site Request Forgery (CSRF)
vulnerabilities.
Description
CSRF\Path 1:
Severity Medium
tid=4262&pathid=1
Result Comment
Status New
Method actionPerformed at line 149 of Inventory.java gets a parameter from a user request from getText. This
parameter value flows through the code and is eventually used to access application state altering
functionality. This may enable Cross-Site Request Forgery (CSRF).
Source Destination
Line 156 169
Code Snippet
PAGE 107 OF 299

....
....
+"')";
....
CSRF\Path 2:
Severity Medium
tid=4262&pathid=2
Result Comment
Status New
Method actionPerformed at line 60 of InventoryDel.java gets a parameter from a user request from getText.
This parameter value flows through the code and is eventually used to access application state altering
Source Destination
File InventoryDel.java InventoryDel.java
Line 63 74
Code Snippet
File Name InventoryDel.java
....
63. String delstr = InventoryDel_Id.getText();
....
71. int custstr = Integer.parseInt(delstr);
72. String query = "DELETE * FROM Inventory E WHERE E.Inventory_ID =
"+custstr;
....
CSRF\Path 3:
Severity Medium
tid=4262&pathid=3
Result Comment
Status New
PAGE 108 OF 299

Method actionPerformed at line 161 of JobCard.java gets a parameter from a user request from getText. This
Source Destination
Line 171 180
Code Snippet
....
....
....
CSRF\Path 4:
Severity Medium
tid=4262&pathid=4
Result Comment
Status New
Source Destination
Line 169 180
Code Snippet
PAGE 109 OF 299

....
....
....
CSRF\Path 5:
Severity Medium
tid=4262&pathid=5
Result Comment
Status New
Source Destination
Line 167 180
Code Snippet
....
....
....
CSRF\Path 6:
Severity Medium
tid=4262&pathid=6
Result Comment
Status New
PAGE 110 OF 299

Method actionPerformed at line 146 of Vendor.java gets a parameter from a user request from getText. This
Source Destination
Line 148 165
Code Snippet
....
....
e_In) VALUES
....
CSRF\Path 7:
Severity Medium
tid=4262&pathid=7
Result Comment
Status New
Method actionPerformed at line 131 of LoginAdd.java gets a parameter from a user request from getText. This
Source Destination
Line 140 148
Code Snippet
PAGE 111 OF 299

....
....
VALUES
....
CSRF\Path 8:
Severity Medium
tid=4262&pathid=8
Result Comment
Status New
Method actionPerformed at line 58 of BillingDel.java gets a parameter from a user request from getText. This
Source Destination
File BillingDel.java BillingDel.java
Line 61 72
Code Snippet
File Name BillingDel.java
....
61. String delstr = BillingDel_Id.getText();
....
70. String query = "DELETE * FROM Billing E WHERE E.Bill_No =
"+custstr;
....
CSRF\Path 9:
Severity Medium
tid=4262&pathid=9
Result Comment
Status New
PAGE 112 OF 299

Method actionPerformed at line 60 of VendorDel.java gets a parameter from a user request from getText. This
Source Destination
File VendorDel.java VendorDel.java
Line 63 74
Code Snippet
File Name VendorDel.java
....
63. String delstr = VendorDel_Id.getText();
....
72. String query = "DELETE * FROM Vendor E WHERE E.Vendor_ID =
"+custstr;
....
CSRF\Path 10:
Severity Medium
tid=4262&pathid=10
Result Comment
Status New
Method actionPerformed at line 58 of LoginDel.java gets a parameter from a user request from getText. This
Source Destination
Line 61 73
Code Snippet
PAGE 113 OF 299

....
....
....
CSRF\Path 11:
Severity Medium
tid=4262&pathid=11
Result Comment
Status New
Source Destination
Line 153 165
Code Snippet
....
....
e_In) VALUES
....
CSRF\Path 12:
Severity Medium
tid=4262&pathid=12
Result Comment
Status New
PAGE 114 OF 299

Source Destination
Line 151 165
Code Snippet
....
....
e_In) VALUES
....
CSRF\Path 13:
Severity Medium
tid=4262&pathid=13
Result Comment
Status New
Method actionPerformed at line 60 of CustomerDel.java gets a parameter from a user request from getText.
Source Destination
File CustomerDel.java CustomerDel.java
Line 63 74
Code Snippet
File Name CustomerDel.java
PAGE 115 OF 299

....
63. String delstr = CustomerDel_Id.getText();
....
72. String query = "DELETE * FROM Customer E WHERE E.Customer_ID =
"+custstr;
....
CSRF\Path 14:
Severity Medium
tid=4262&pathid=14
Result Comment
Status New
Source Destination
Line 154 169
Code Snippet
....
....
+"')";
....
CSRF\Path 15:
Severity Medium
tid=4262&pathid=15
Result Comment
Status New
PAGE 116 OF 299

Source Destination
Line 149 165
Code Snippet
....
....
e_In) VALUES
....
CSRF\Path 16:
Severity Medium
tid=4262&pathid=16
Result Comment
Status New
Source Destination
Line 152 169
Code Snippet
PAGE 117 OF 299

....
....
+"')";
....
CSRF\Path 17:
Severity Medium
tid=4262&pathid=17
Result Comment
Status New
Source Destination
Line 142 148
Code Snippet
....
....
VALUES
....
CSRF\Path 18:
Severity Medium
tid=4262&pathid=18
Result Comment
Status New
PAGE 118 OF 299

Source Destination
Line 139 148
Code Snippet
....
....
VALUES
....
CSRF\Path 19:
Severity Medium
tid=4262&pathid=19
Result Comment
Status New
Source Destination
Line 165 180
Code Snippet
PAGE 119 OF 299

....
....
....
CSRF\Path 20:
Severity Medium
tid=4262&pathid=20
Result Comment
Status New
Method actionPerformed at line 58 of JobCardDel.java gets a parameter from a user request from getText.
Source Destination
File JobCardDel.java JobCardDel.java
Line 61 72
Code Snippet
File Name JobCardDel.java
....
61. String delstr = JobCardDel_Id.getText();
....
70. String query = "DELETE * FROM Job_Card E WHERE E.Job_ID =
"+custstr;
....
CSRF\Path 21:
Severity Medium
tid=4262&pathid=21
Result Comment
Status New
PAGE 120 OF 299

Source Destination
Line 156 165
Code Snippet
....
....
e_In) VALUES
....
CSRF\Path 22:
Severity Medium
tid=4262&pathid=22
Result Comment
Status New
Source Destination
Line 159 169
Code Snippet
PAGE 121 OF 299

....
....
+"')";
....
CSRF\Path 23:
Severity Medium
tid=4262&pathid=23
Result Comment
Status New
Source Destination
Line 154 165
Code Snippet
....
....
e_In) VALUES
....
CSRF\Path 24:
Severity Medium
tid=4262&pathid=24
Result Comment
Status New
PAGE 122 OF 299

Source Destination
Line 157 169
Code Snippet
....
....
+"')";
....
CSRF\Path 25:
Severity Medium
tid=4262&pathid=25
Result Comment
Status New
Source Destination
Line 152 165
Code Snippet
PAGE 123 OF 299

....
....
e_In) VALUES
....
CSRF\Path 26:
Severity Medium
tid=4262&pathid=26
Result Comment
Status New
Source Destination
Line 155 169
Code Snippet
....
....
+"')";
....
CSRF\Path 27:
Severity Medium
tid=4262&pathid=27
Result Comment
Status New
PAGE 124 OF 299

Source Destination
Line 150 165
Code Snippet
....
....
e_In) VALUES
....
CSRF\Path 28:
Severity Medium
tid=4262&pathid=28
Result Comment
Status New
Source Destination
Line 153 169
Code Snippet
PAGE 125 OF 299

....
....
+"')";
....
CSRF\Path 29:
Severity Medium
tid=4262&pathid=29
Result Comment
Status New
Source Destination
Line 170 180
Code Snippet
....
....
....
CSRF\Path 30:
Severity Medium
tid=4262&pathid=30
Result Comment
Status New
PAGE 126 OF 299

Source Destination
Line 168 180
Code Snippet
....
....
....
CSRF\Path 31:
Severity Medium
tid=4262&pathid=31
Result Comment
Status New
Source Destination
Line 166 180
Code Snippet
PAGE 127 OF 299

....
....
....
CSRF\Path 32:
Severity Medium
tid=4262&pathid=32
Result Comment
Status New
Source Destination
Line 164 180
Code Snippet
....
....
....
CSRF\Path 33:
Severity Medium
tid=4262&pathid=33
Result Comment
Status New
PAGE 128 OF 299

Source Destination
Line 160 169
Code Snippet
....
....
+"')";
....
CSRF\Path 34:
Severity Medium
tid=4262&pathid=34
Result Comment
Status New
Source Destination
Line 155 165
Code Snippet
PAGE 129 OF 299

....
....
e_In) VALUES
....
CSRF\Path 35:
Severity Medium
tid=4262&pathid=35
Result Comment
Status New
Source Destination
Line 158 169
Code Snippet
....
....
+"')";
....
DB Parameter Tampering
Query Path:
Java\Cx\Java Medium Threat\DB Parameter Tampering Version:1
Categories
OWASP Top 10 2013: A4-Insecure Direct Object References
PAGE 130 OF 299

FISMA 2014: Access Control
NIST SP 800-53: AC-3 Access Enforcement (P1)
OWASP Top 10 API: API1-Broken Object Level Authorization
OWASP ASVS: V01 Architecture, Design and Threat Modeling
ASD STIG 5.2: APSC-DV-000470 - CAT II The application must enforce organization-defined discretionary
access control policies over defined subjects and objects.
Description
DB Parameter Tampering\Path 1:
Severity Medium
tid=4262&pathid=36
Result Comment
Status New
Method actionPerformed at line 184 of Customer.java gets user input from element getText. This input is
used by the application, without being validated, to filter personal records from sensitive database tables.
Method actionPerformed submits a query to the database executeUpdate, at line 184 of Customer.java,
without any additional filtering by the database. This could allow the user to choose different records based
on the id.
Source Destination
Line 193 214
Code Snippet
....
....
....
Severity Medium
PAGE 131 OF 299

tid=4262&pathid=37
Result Comment
Status New
on the id.
Source Destination
Line 196 214
Code Snippet
....
....
....
Severity Medium
tid=4262&pathid=38
Result Comment
Status New
on the id.
Source Destination
PAGE 132 OF 299

Line 199 214
Code Snippet
....
....
....
Severity Medium
tid=4262&pathid=39
Result Comment
Status New
Method actionPerformed at line 206 of Billing.java gets user input from element getText. This input is used by
the application, without being validated, to filter personal records from sensitive database tables. Method
actionPerformed submits a query to the database executeUpdate, at line 206 of Billing.java, without any
additional filtering by the database. This could allow the user to choose different records based on the id.
Source Destination
Line 214 313
Code Snippet
PAGE 133 OF 299

....
....
ils) VALUES
')");
....
Severity Medium
tid=4262&pathid=40
Result Comment
Status New
Source Destination
Line 221 313
Code Snippet
....
....
ils) VALUES
')");
....
Severity Medium
PAGE 134 OF 299

tid=4262&pathid=41
Result Comment
Status New
on the id.
Source Destination
Line 190 214
Code Snippet
....
....
....
Severity Medium
tid=4262&pathid=42
Result Comment
Status New
on the id.
Source Destination
PAGE 135 OF 299

Line 198 214
Code Snippet
....
....
....
Severity Medium
tid=4262&pathid=43
Result Comment
Status New
on the id.
Source Destination
Line 192 214
Code Snippet
PAGE 136 OF 299

....
....
....
Severity Medium
tid=4262&pathid=44
Result Comment
Status New
on the id.
Source Destination
Line 195 214
Code Snippet
....
....
....

Severity Medium
PAGE 137 OF 299

tid=4262&pathid=45
Result Comment
Status New
Source Destination
Line 222 313
Code Snippet
....
....
ils) VALUES
')");
....

Severity Medium
tid=4262&pathid=46
Result Comment
Status New
on the id.
Source Destination
Line 191 214
PAGE 138 OF 299

Code Snippet
....
....
....

Severity Medium
tid=4262&pathid=47
Result Comment
Status New
on the id.
Source Destination
Line 194 214
Code Snippet
PAGE 139 OF 299

....
....
....

Severity Medium
tid=4262&pathid=48
Result Comment
Status New
on the id.
Source Destination
Line 197 214
Code Snippet
....
....
....

Severity Medium
PAGE 140 OF 299

tid=4262&pathid=49
Result Comment
Status New
on the id.
Source Destination
Line 200 214
Code Snippet
....
....
....
Parameter Tampering
Query Path:
Java\Cx\Java Medium Threat\Parameter Tampering Version:1
Categories
OWASP Top 10 2013: A4-Insecure Direct Object References
OWASP Top 10 2021: A4-Insecure Design
MOIS(KISA) Secure Coding 2021: MOIS(KISA) Security Functions
ASD STIG 5.2: APSC-DV-002560 - CAT I The application must not be subject to input handling vulnerabilities.
Description
Parameter Tampering\Path 1:
Severity Medium
tid=4262&pathid=87
PAGE 141 OF 299

Result Comment
Status New
Method actionPerformed at line 58 of LoginDel.java gets user input from element getText. This input is later
concatenated by the application directly into a string variable containing SQL commands, without being
validated. This string is then used in method actionPerformed to query the database executeUpdate, at line 58
of LoginDel.java, without any additional filtering by the database. This could allow the user to tamper with the
filter parameter.
Source Destination
Line 61 73
Code Snippet
....
....
....
Severity Medium
tid=4262&pathid=89
Result Comment
Status New
Method actionPerformed at line 58 of BillingDel.java gets user input from element getText. This input is later
of BillingDel.java, without any additional filtering by the database. This could allow the user to tamper with the
filter parameter.
Source Destination
Line 61 72
Code Snippet
PAGE 142 OF 299

....
61. String delstr = BillingDel_Id.getText();
....
70. String query = "DELETE * FROM Billing E WHERE E.Bill_No =
"+custstr;
....
Severity Medium
tid=4262&pathid=91
Result Comment
Status New
Method actionPerformed at line 58 of JobCardDel.java gets user input from element getText. This input is later
of JobCardDel.java, without any additional filtering by the database. This could allow the user to tamper with
the filter parameter.
Source Destination
Line 61 72
Code Snippet
....
61. String delstr = JobCardDel_Id.getText();
....
70. String query = "DELETE * FROM Job_Card E WHERE E.Job_ID =
"+custstr;
....
Severity Medium
tid=4262&pathid=93
Result Comment
Status New
PAGE 143 OF 299

Method actionPerformed at line 60 of VendorDel.java gets user input from element getText. This input is later
of VendorDel.java, without any additional filtering by the database. This could allow the user to tamper with
Source Destination
Line 63 74
Code Snippet
....
63. String delstr = VendorDel_Id.getText();
....
72. String query = "DELETE * FROM Vendor E WHERE E.Vendor_ID =
"+custstr;
....
Severity Medium
tid=4262&pathid=95
Result Comment
Status New
Method actionPerformed at line 60 of CustomerDel.java gets user input from element getText. This input is
later concatenated by the application directly into a string variable containing SQL commands, without being
of CustomerDel.java, without any additional filtering by the database. This could allow the user to tamper with
Source Destination
Line 63 74
Code Snippet
PAGE 144 OF 299

....
63. String delstr = CustomerDel_Id.getText();
....
72. String query = "DELETE * FROM Customer E WHERE E.Customer_ID =
"+custstr;
....
Severity Medium
tid=4262&pathid=97
Result Comment
Status New
Method actionPerformed at line 60 of InventoryDel.java gets user input from element getText. This input is
later concatenated by the application directly into a string variable containing SQL commands, without being
of InventoryDel.java, without any additional filtering by the database. This could allow the user to tamper with
Source Destination
Line 63 74
Code Snippet
....
63. String delstr = InventoryDel_Id.getText();
....
72. String query = "DELETE * FROM Inventory E WHERE E.Inventory_ID =
"+custstr;
....
Frameable Login Page

Query Path:
JavaScript\Cx\JavaScript Medium Threat\Frameable Login Page Version:6
Categories
OWASP Top 10 2017: A6-Security Misconfiguration
OWASP Top 10 2021: A8-Software and Data Integrity Failures
PAGE 145 OF 299

Description
Frameable Login Page\Path 1:
Severity Medium
tid=4262&pathid=71
Result Comment
Status New
The web-application does not properly utilize the "X-FRAME-OPTIONS" header to restrict embedding web-
pages inside of a frame.
Source Destination
File terraform-examples- terraform-examples-

master/google_cloud/CQRS_bigquery_memory master/google_cloud/CQRS_bigquery_memory
store/functions/src/test/index.js store/functions/src/test/index.js
Line 23 28
Object res send
Code Snippet
File Name terraform-examples-
master/google_cloud/CQRS_bigquery_memorystore/functions/src/test/index.js
Method exports.test = async (req, res) => {
....
23. exports.test = async (req, res) => {
....
28. res.send({
Missing HSTS Header

Query Path:
JavaScript\Cx\JavaScript Medium Threat\Missing HSTS Header Version:2
Categories
OWASP Top 10 2021: A7-Identification and Authentication Failures
OWASP ASVS: V14 Configuration
Description
Missing HSTS Header\Path 1:
Severity Medium
tid=4262&pathid=104
PAGE 146 OF 299

Result Comment
Status New
The web-application does not define an HSTS header, leaving it vulnerable to attack.
Source Destination

master/azure/azure_linux_docker_app_service/ master/azure/azure_linux_docker_app_service/
example-app/index.js example-app/index.js
Line 54 54
Object end end
Code Snippet
File Name terraform-examples-master/azure/azure_linux_docker_app_service/example-app/index.js
Method const requestListener = async function (req, res) {
....
54. res.end("My first server!");
Blind SQL Injections

Query Path:
Java\Cx\Java Low Visibility\Blind SQL Injections Version:5
Categories
NIST SP 800-53: SI-10 Information Input Validation (P1)
OWASP Top 10 API: API8-Injection
ASD STIG 5.2: APSC-DV-002540 - CAT I The application must not be vulnerable to SQL Injection.
Description
Blind SQL Injections\Path 1:
Severity Low
tid=4262&pathid=117
Result Comment
Status New
PAGE 147 OF 299

LoginDel.java. The application constructs this SQL query by embedding an untrusted string into the query
If an exception is thrown by the database code, it is caught and handled. An attacker could still use inferential
or boolean exploitation techniques to retrieve the data, by altering the user input getText. This is read in the
actionPerformed method, at line 58 of LoginDel.java, and used without sanitization in the SQL query that is
sent to the database server.
This may enable a Blind SQL Injection attack.
Source Destination
Line 61 73
Code Snippet
....
....
....

Severity Low
tid=4262&pathid=118
Result Comment
Status New
actionPerformed method, at line 131 of LoginAdd.java, and used without sanitization in the SQL query that is
Source Destination
Line 139 148
PAGE 148 OF 299

Code Snippet
....
....
VALUES
....

Severity Low
tid=4262&pathid=119
Result Comment
Status New
Source Destination
Line 140 148
Code Snippet
....
....
VALUES
....
PAGE 149 OF 299

Severity Low
tid=4262&pathid=120
Result Comment
Status New
Source Destination
Line 142 148
Code Snippet
....
....
VALUES
....

Severity Low
tid=4262&pathid=121
Result Comment
Status New
PAGE 150 OF 299

actionPerformed method, at line 146 of Vendor.java, and used without sanitization in the SQL query that is
Source Destination
Line 148 165
Code Snippet
....
....
e_In) VALUES
....

Severity Low
tid=4262&pathid=122
Result Comment
Status New
Source Destination
Line 149 165
PAGE 151 OF 299

Code Snippet
....
....
e_In) VALUES
....

Severity Low
tid=4262&pathid=123
Result Comment
Status New
Source Destination
Line 150 165
Code Snippet
PAGE 152 OF 299

....
....
e_In) VALUES
....

Severity Low
tid=4262&pathid=124
Result Comment
Status New
Source Destination
Line 151 165
Code Snippet
....
....
e_In) VALUES
....
PAGE 153 OF 299

Severity Low
tid=4262&pathid=125
Result Comment
Status New
Source Destination
Line 152 165
Code Snippet
....
....
e_In) VALUES
....

Severity Low
tid=4262&pathid=126
Result Comment
Status New
PAGE 154 OF 299

actionPerformed method, at line 149 of Inventory.java, and used without sanitization in the SQL query that is
Source Destination
Line 152 169
Code Snippet
....
....
+"')";
....

Severity Low
tid=4262&pathid=127
Result Comment
Status New
Source Destination
Line 153 165
PAGE 155 OF 299

Code Snippet
....
....
e_In) VALUES
....

Severity Low
tid=4262&pathid=128
Result Comment
Status New
Source Destination
Line 153 169
Code Snippet
PAGE 156 OF 299

....
....
+"')";
....

Severity Low
tid=4262&pathid=129
Result Comment
Status New
Source Destination
Line 154 165
Code Snippet
....
....
e_In) VALUES
....
PAGE 157 OF 299

Severity Low
tid=4262&pathid=130
Result Comment
Status New
Source Destination
Line 154 169
Code Snippet
....
....
+"')";
....

Severity Low
tid=4262&pathid=131
Result Comment
Status New
PAGE 158 OF 299

Source Destination
Line 155 165
Code Snippet
....
....
e_In) VALUES
....

Severity Low
tid=4262&pathid=132
Result Comment
Status New
Source Destination
Line 155 169
PAGE 159 OF 299

Code Snippet
....
....
+"')";
....

Severity Low
tid=4262&pathid=133
Result Comment
Status New
Source Destination
Line 156 165
Code Snippet
PAGE 160 OF 299

....
....
e_In) VALUES
....

Severity Low
tid=4262&pathid=134
Result Comment
Status New
Source Destination
Line 156 169
Code Snippet
....
....
+"')";
....
PAGE 161 OF 299

Severity Low
tid=4262&pathid=135
Result Comment
Status New
Source Destination
Line 157 169
Code Snippet
....
....
+"')";
....

Severity Low
tid=4262&pathid=136
Result Comment
Status New
PAGE 162 OF 299

Source Destination
Line 158 169
Code Snippet
....
....
+"')";
....

Severity Low
tid=4262&pathid=137
Result Comment
Status New
Source Destination
Line 159 169
PAGE 163 OF 299

Code Snippet
....
....
+"')";
....

Severity Low
tid=4262&pathid=138
Result Comment
Status New
Source Destination
Line 160 169
Code Snippet
PAGE 164 OF 299

....
....
+"')";
....

Severity Low
tid=4262&pathid=139
Result Comment
Status New
actionPerformed method, at line 161 of JobCard.java, and used without sanitization in the SQL query that is
Source Destination
Line 164 180
Code Snippet
....
....
....
PAGE 165 OF 299

Severity Low
tid=4262&pathid=140
Result Comment
Status New
Source Destination
Line 165 180
Code Snippet
....
....
....

Severity Low
tid=4262&pathid=141
Result Comment
Status New
PAGE 166 OF 299

Source Destination
Line 166 180
Code Snippet
....
....
....

Severity Low
tid=4262&pathid=142
Result Comment
Status New
Source Destination
Line 167 180
PAGE 167 OF 299

Code Snippet
....
....
....

Severity Low
tid=4262&pathid=143
Result Comment
Status New
Source Destination
Line 168 180
Code Snippet
PAGE 168 OF 299

....
....
....

Severity Low
tid=4262&pathid=144
Result Comment
Status New
Source Destination
Line 169 180
Code Snippet
....
....
....
PAGE 169 OF 299

Severity Low
tid=4262&pathid=145
Result Comment
Status New
Source Destination
Line 170 180
Code Snippet
....
....
....

Severity Low
tid=4262&pathid=146
Result Comment
Status New
PAGE 170 OF 299

Source Destination
Line 171 180
Code Snippet
....
....
....

Severity Low
tid=4262&pathid=147
Result Comment
Status New
actionPerformed method, at line 184 of Customer.java, and used without sanitization in the SQL query that is
Source Destination
Line 190 214
PAGE 171 OF 299

Code Snippet
....
....
....

Severity Low
tid=4262&pathid=148
Result Comment
Status New
Source Destination
Line 191 214
Code Snippet
PAGE 172 OF 299

....
....
....

Severity Low
tid=4262&pathid=149
Result Comment
Status New
Source Destination
Line 192 214
Code Snippet
....
....
....
PAGE 173 OF 299

Severity Low
tid=4262&pathid=150
Result Comment
Status New
Source Destination
Line 193 214
Code Snippet
....
....
....

Severity Low
tid=4262&pathid=151
Result Comment
Status New
PAGE 174 OF 299

Source Destination
Line 194 214
Code Snippet
....
....
....

Severity Low
tid=4262&pathid=152
Result Comment
Status New
Source Destination
Line 195 214
PAGE 175 OF 299

Code Snippet
....
....
....

Severity Low
tid=4262&pathid=153
Result Comment
Status New
Source Destination
Line 196 214
Code Snippet
PAGE 176 OF 299

....
....
....

Severity Low
tid=4262&pathid=154
Result Comment
Status New
Source Destination
Line 197 214
Code Snippet
....
....
....
PAGE 177 OF 299

Severity Low
tid=4262&pathid=155
Result Comment
Status New
Source Destination
Line 198 214
Code Snippet
....
....
....

Severity Low
tid=4262&pathid=156
Result Comment
Status New
PAGE 178 OF 299

Source Destination
Line 199 214
Code Snippet
....
....
....

Severity Low
tid=4262&pathid=157
Result Comment
Status New
Source Destination
Line 200 214
PAGE 179 OF 299

Code Snippet
....
....
....

Severity Low
tid=4262&pathid=158
Result Comment
Status New
Login.java. The application constructs this SQL query by embedding an untrusted string into the query without
proper sanitization. The concatenated string is submitted to the database, where it is parsed and executed
accordingly.
actionPerformed method, at line 101 of Login.java, and used without sanitization in the SQL query that is sent
to the database server.
Source Destination
Line 109 121
Code Snippet
PAGE 180 OF 299

....
109. String SUser = User.getText();
....
119. String query = new String("SELECT * FROM Login L WHERE
L.User='"+SUser+"' ");
....

Severity Low
tid=4262&pathid=159
Result Comment
Status New
actionPerformed method, at line 206 of Billing.java, and used without sanitization in the SQL query that is sent
Source Destination
Line 210 241
Code Snippet
....
....
225. if(sCustomer_Id.equals(""))
....
239. String qCustom = "SELECT Customer_ID FROM Job_Card WHERE
Customer_ID = '"+sCustomer_Id+"'";
....

Severity Low
PAGE 181 OF 299

tid=4262&pathid=160
Result Comment
Status New
Source Destination
Line 214 313
Code Snippet
....
....
ils) VALUES
')");
....

Severity Low
tid=4262&pathid=161
Result Comment
Status New
PAGE 182 OF 299

Source Destination
Line 221 313
Code Snippet
....
....
ils) VALUES
')");
....

Severity Low
tid=4262&pathid=162
Result Comment
Status New
Source Destination
Line 222 313
PAGE 183 OF 299

Code Snippet
....
....
ils) VALUES
')");
....

Severity Low
tid=4262&pathid=163
Result Comment
Status New
Source Destination
Line 211 316
Code Snippet
PAGE 184 OF 299

....
211. String sJob_Id = Job_Id.getText();
....
255. if(sJob_Id.equals(""))
....
308. String query1 = new String("SELECT Amount_Advance FROM Job_Card
WHERE Job_ID = "+sJob_Id+"");
....

Severity Low
tid=4262&pathid=164
Result Comment
Status New
Source Destination
Line 212 313
Code Snippet
PAGE 185 OF 299

....
212. String sBill_Date = Bill_Date.getText();
....
261. if(sBill_Date.equals(""))
....
ils) VALUES
')");
....

Severity Low
tid=4262&pathid=165
Result Comment
Status New
Source Destination
Line 213 313
Code Snippet
PAGE 186 OF 299

....
213. String sStone_Numbers = Stone_Numbers.getText();
....
267. if(sStone_Numbers.equals(""))
....
ils) VALUES
')");
....

Severity Low
tid=4262&pathid=166
Result Comment
Status New
Source Destination
Line 215 313
Code Snippet
PAGE 187 OF 299

....
215. String sNet_Weight = Net_Weight.getText();
....
273. if(sNet_Weight.equals(""))
....
ils) VALUES
')");
....

Severity Low
tid=4262&pathid=167
Result Comment
Status New
Source Destination
Line 216 313
Code Snippet
PAGE 188 OF 299

....
216. String sGross_Err = Gross_Err.getText();
....
279. if(sGross_Err.equals(""))
....
ils) VALUES
')");
....

Severity Low
tid=4262&pathid=168
Result Comment
Status New
Source Destination
Line 217 313
Code Snippet
PAGE 189 OF 299

....
217. String sWeight_Err= Weight_Err.getText();
....
285. if(sWeight_Err.equals(""))
....
ils) VALUES
')");
....

Severity Low
tid=4262&pathid=169
Result Comment
Status New
Source Destination
Line 218 313
Code Snippet
PAGE 190 OF 299

....
218. String sGold_Purity = Gold_Purity.getText();
....
291. if(sGold_Purity.equals(""))
....
ils) VALUES
')");
....

Severity Low
tid=4262&pathid=170
Result Comment
Status New
Source Destination
Line 219 313
Code Snippet
PAGE 191 OF 299

....
219. String sTotal_Price = Total_Price.getText();
....
297. if(sTotal_Price.equals(""))
....
ils) VALUES
')");
....

Severity Low
tid=4262&pathid=171
Result Comment
Status New
VendorView.java. The application constructs this SQL query by embedding an untrusted string into the query
actionPerformed method, at line 75 of VendorView.java, and used without sanitization in the SQL query that is
Source Destination
Line 77 105
Code Snippet
PAGE 192 OF 299

....
....
....
92. str1 = "'"+str+"'";
93. query = "SELECT * FROM Vendor E WHERE E."+com+" = "+str1;
....

Severity Low
tid=4262&pathid=172
Result Comment
Status New
BillingView.java. The application constructs this SQL query by embedding an untrusted string into the query
actionPerformed method, at line 75 of BillingView.java, and used without sanitization in the SQL query that is
Source Destination
Line 77 105
Code Snippet
....
....
....
92. str1 = "'"+str+"'";
93. query = "SELECT * FROM Billing E WHERE E."+com+" = "+str1;
....

Severity Low
PAGE 193 OF 299

tid=4262&pathid=173
Result Comment
Status New
CustomerView.java. The application constructs this SQL query by embedding an untrusted string into the
actionPerformed method, at line 75 of CustomerView.java, and used without sanitization in the SQL query that
is sent to the database server.
Source Destination
Line 77 105
Code Snippet
....
....
....
92. str1 = "'"+str+"'";
93. query = "SELECT * FROM Customer E WHERE E."+com+" = "+str1;
....

Severity Low
tid=4262&pathid=174
Result Comment
Status New
InventoryView.java. The application constructs this SQL query by embedding an untrusted string into the
PAGE 194 OF 299

actionPerformed method, at line 75 of InventoryView.java, and used without sanitization in the SQL query that
Source Destination
Line 77 105
Code Snippet
....
....
....
92. str1 = "'"+str+"'";
93. query = "SELECT * FROM Inventory E WHERE E."+com+" = "+str1;
....

Severity Low
tid=4262&pathid=175
Result Comment
Status New
JobCardView.java. The application constructs this SQL query by embedding an untrusted string into the query
actionPerformed method, at line 80 of JobCardView.java, and used without sanitization in the SQL query that
Source Destination
Line 82 110
Code Snippet
PAGE 195 OF 299

....
....
....
97. str1 = "'"+str+"'";
98. query = "SELECT * FROM Job_Card E WHERE E."+com+" = "+str1;
....
Information Exposure Through an Error Message

Query Path:
Java\Cx\Java Low Visibility\Information Exposure Through an Error Message Version:5
Categories
PCI DSS v3.2.1: PCI DSS (3.2.1) - 6.5.5 - Improper error handling
FISMA 2014: Configuration Management
NIST SP 800-53: SI-11 Error Handling (P2)
OWASP Top 10 API: API3-Excessive Data Exposure
MOIS(KISA) Secure Coding 2021: MOIS(KISA) Error processing
ASD STIG 5.2: APSC-DV-002570 - CAT II The application must generate error messages that provide
information necessary for corrective actions without revealing information that could be exploited by
adversaries.
Description
Information Exposure Through an Error Message\Path 1:
Severity Low
tid=4262&pathid=222
Result Comment
Status New
Method BillingView, at line 26 of BillingView.java, handles an Exception or runtime Error ae. During the
exception handling code, the application exposes the exception details to printStackTrace, in method
BillingView of BillingView.java, line 26.
Source Destination
Line 33 36
Object ae printStackTrace
Code Snippet
PAGE 196 OF 299

Method public BillingView()
....
33. catch(Exception ae)
....
36. ae.printStackTrace();

Severity Low
tid=4262&pathid=223
Result Comment
Status New
Method VendorView, at line 26 of VendorView.java, handles an Exception or runtime Error ae. During the
VendorView of VendorView.java, line 26.
Source Destination
Line 33 36
Code Snippet
Method public VendorView()
....
....

Severity Low
tid=4262&pathid=224
Result Comment
Status New
Method InventoryView, at line 26 of InventoryView.java, handles an Exception or runtime Error ae. During the
InventoryView of InventoryView.java, line 26.
Source Destination
PAGE 197 OF 299

Line 33 36
Code Snippet
Method public InventoryView()
....
....

Severity Low
tid=4262&pathid=225
Result Comment
Status New
Method CustomerView, at line 26 of CustomerView.java, handles an Exception or runtime Error ae. During the
CustomerView of CustomerView.java, line 26.
Source Destination
Line 33 36
Code Snippet
Method public CustomerView()
....
....

Severity Low
tid=4262&pathid=226
Result Comment
Status New
PAGE 198 OF 299

Method JobCardView, at line 31 of JobCardView.java, handles an Exception or runtime Error ae. During the
JobCardView of JobCardView.java, line 31.
Source Destination
Line 38 41
Code Snippet
Method public JobCardView()
....
....

Severity Low
tid=4262&pathid=227
Result Comment
Status New
Method InterNal, at line 30 of InterNal.java, handles an Exception or runtime Error ae. During the exception
handling code, the application exposes the exception details to printStackTrace, in method InterNal of
InterNal.java, line 30.
Source Destination
File InterNal.java InterNal.java
Line 39 42
Code Snippet
File Name InterNal.java
Method public InterNal(String access)
....
....

Severity Low
PAGE 199 OF 299

tid=4262&pathid=228
Result Comment
Status New
Method LoginAdd, at line 35 of LoginAdd.java, handles an Exception or runtime Error ae. During the exception
handling code, the application exposes the exception details to printStackTrace, in method LoginAdd of
LoginAdd.java, line 35.
Source Destination
Line 42 44
Code Snippet
Method public LoginAdd()
....
....

Severity Low
tid=4262&pathid=229
Result Comment
Status New
Method Login, at line 28 of Login.java, handles an Exception or runtime Error ae. During the exception
handling code, the application exposes the exception details to printStackTrace, in method Login of
Login.java, line 28.
Source Destination
Line 48 51
Code Snippet
Method public Login()
PAGE 200 OF 299

....
....

Severity Low
tid=4262&pathid=230
Result Comment
Status New
Method Billing, at line 46 of Billing.java, handles an Exception or runtime Error ae. During the exception
handling code, the application exposes the exception details to printStackTrace, in method Billing of
Billing.java, line 46.
Source Destination
Line 53 56
Code Snippet
Method public Billing()
....
....

Severity Low
tid=4262&pathid=231
Result Comment
Status New
Method actionPerformed, at line 58 of JobCardDel.java, handles an Exception or runtime Error ae. During the
actionPerformed of JobCardDel.java, line 58.
Source Destination
Line 86 88
PAGE 201 OF 299

Code Snippet
....
....

Severity Low
tid=4262&pathid=232
Result Comment
Status New
Method actionPerformed, at line 58 of BillingDel.java, handles an Exception or runtime Error ae. During the
actionPerformed of BillingDel.java, line 58.
Source Destination
Line 86 88
Code Snippet
....
....

Severity Low
tid=4262&pathid=235
Result Comment
Status New
PAGE 202 OF 299

Method actionPerformed, at line 58 of LoginDel.java, handles an Exception or runtime Error ae. During the
actionPerformed of LoginDel.java, line 58.
Source Destination
Line 87 89
Code Snippet
....
....

Severity Low
tid=4262&pathid=238
Result Comment
Status New
Method actionPerformed, at line 60 of CustomerDel.java, handles an Exception or runtime Error ae. During the
actionPerformed of CustomerDel.java, line 60.
Source Destination
Line 88 90
Code Snippet
....
....

Severity Low
PAGE 203 OF 299

tid=4262&pathid=239
Result Comment
Status New
Method actionPerformed, at line 60 of VendorDel.java, handles an Exception or runtime Error ae. During the
actionPerformed of VendorDel.java, line 60.
Source Destination
Line 88 90
Code Snippet
....
....

Severity Low
tid=4262&pathid=240
Result Comment
Status New
Method actionPerformed, at line 60 of InventoryDel.java, handles an Exception or runtime Error ae. During the
actionPerformed of InventoryDel.java, line 60.
Source Destination
Line 88 90
Code Snippet
PAGE 204 OF 299

....
....

Severity Low
tid=4262&pathid=242
Result Comment
Status New
Method actionPerformed, at line 75 of CustomerView.java, handles an Exception or runtime Error sqlx. During
the exception handling code, the application exposes the exception details to printStackTrace, in method
actionPerformed of CustomerView.java, line 75.
Source Destination
Line 109 111
Object sqlx printStackTrace
Code Snippet
....
109. catch(SQLException sqlx)
....
111. sqlx.printStackTrace();

Severity Low
tid=4262&pathid=243
Result Comment
Status New
Method actionPerformed, at line 75 of BillingView.java, handles an Exception or runtime Error sqlx. During the
actionPerformed of BillingView.java, line 75.
Source Destination
Line 109 111
PAGE 205 OF 299

Code Snippet
....
....

Severity Low
tid=4262&pathid=244
Result Comment
Status New
Method actionPerformed, at line 75 of VendorView.java, handles an Exception or runtime Error sqlx. During
actionPerformed of VendorView.java, line 75.
Source Destination
Line 109 111
Code Snippet
....
....

Severity Low
tid=4262&pathid=245
Result Comment
Status New
PAGE 206 OF 299

Method actionPerformed, at line 75 of InventoryView.java, handles an Exception or runtime Error sqlx. During
actionPerformed of InventoryView.java, line 75.
Source Destination
Line 109 111
Code Snippet
....
....

Severity Low
tid=4262&pathid=246
Result Comment
Status New
Method actionPerformed, at line 80 of JobCardView.java, handles an Exception or runtime Error sqlx. During
actionPerformed of JobCardView.java, line 80.
Source Destination
Line 114 116
Code Snippet
....
....

Severity Low
PAGE 207 OF 299

tid=4262&pathid=247
Result Comment
Status New
Method actionPerformed, at line 131 of LoginAdd.java, handles an Exception or runtime Error ae. During the
actionPerformed of LoginAdd.java, line 131.
Source Destination
Line 150 152
Code Snippet
....
....

Severity Low
tid=4262&pathid=248
Result Comment
Status New
Method displayResultSet, at line 115 of BillingView.java, handles an Exception or runtime Error sqlx. During the
displayResultSet of BillingView.java, line 115.
Source Destination
Line 150 152
Code Snippet
Method public void displayResultSet(ResultSet rs1)throws SQLException
PAGE 208 OF 299

....
....

Severity Low
tid=4262&pathid=249
Result Comment
Status New
Method displayResultSet, at line 115 of InventoryView.java, handles an Exception or runtime Error sqlx. During
displayResultSet of InventoryView.java, line 115.
Source Destination
Line 150 152
Code Snippet
....
....

Severity Low
tid=4262&pathid=250
Result Comment
Status New
Method displayResultSet, at line 115 of VendorView.java, handles an Exception or runtime Error sqlx. During
displayResultSet of VendorView.java, line 115.
Source Destination
Line 150 152
PAGE 209 OF 299

Code Snippet
....
....

Severity Low
tid=4262&pathid=251
Result Comment
Status New
Method displayResultSet, at line 115 of CustomerView.java, handles an Exception or runtime Error sqlx. During
displayResultSet of CustomerView.java, line 115.
Source Destination
Line 150 152
Code Snippet
....
....

Severity Low
tid=4262&pathid=253
Result Comment
Status New
PAGE 210 OF 299

Method displayResultSet, at line 120 of JobCardView.java, handles an Exception or runtime Error sqlx. During
displayResultSet of JobCardView.java, line 120.
Source Destination
Line 155 157
Code Snippet
....
....

Severity Low
tid=4262&pathid=254
Result Comment
Status New
Method actionPerformed, at line 101 of Login.java, handles an Exception or runtime Error ae. During the
actionPerformed of Login.java, line 101.
Source Destination
Line 164 166
Code Snippet
....
....

Severity Low
PAGE 211 OF 299

tid=4262&pathid=255
Result Comment
Status New
Method actionPerformed, at line 146 of Vendor.java, handles an Exception or runtime Error ae. During the
actionPerformed of Vendor.java, line 146.
Source Destination
Line 167 169
Code Snippet
....
....

Severity Low
tid=4262&pathid=256
Result Comment
Status New
Method actionPerformed, at line 149 of Inventory.java, handles an Exception or runtime Error ae. During the
actionPerformed of Inventory.java, line 149.
Source Destination
Line 171 173
Code Snippet
PAGE 212 OF 299

....
....

Severity Low
tid=4262&pathid=257
Result Comment
Status New
Method actionPerformed, at line 161 of JobCard.java, handles an Exception or runtime Error ae. During the
actionPerformed of JobCard.java, line 161.
Source Destination
Line 182 184
Code Snippet
....
....

Severity Low
tid=4262&pathid=258
Result Comment
Status New
Method actionPerformed, at line 184 of Customer.java, handles an Exception or runtime Error ae. During the
actionPerformed of Customer.java, line 184.
Source Destination
Line 216 218
PAGE 213 OF 299

Code Snippet
....
....

Severity Low
tid=4262&pathid=262
Result Comment
Status New
Method actionPerformed, at line 206 of Billing.java, handles an Exception or runtime Error ae. During the
actionPerformed of Billing.java, line 206.
Source Destination
Line 250 252
Code Snippet
....
....

Severity Low
tid=4262&pathid=263
Result Comment
Status New
PAGE 214 OF 299

Method actionPerformed, at line 206 of Billing.java, handles an Exception or runtime Error ae. During the
actionPerformed of Billing.java, line 206.
Source Destination
Line 327 329
Code Snippet
....
....
Improper Resource Access Authorization

Query Path:
Java\Cx\Java Low Visibility\Improper Resource Access Authorization Version:13
Categories
FISMA 2014: Identification And Authentication
NIST SP 800-53: AC-3 Access Enforcement (P1)
OWASP ASVS: V04 Access Control
Description
Improper Resource Access Authorization\Path 1:
Severity Low
tid=4262&pathid=183
Result Comment
Status New
An I\O action occurs at Vendor.java in 146 without authorization checks.

Source Destination
Line 165 165
Object executeUpdate executeUpdate
Code Snippet
PAGE 215 OF 299

....

Severity Low
tid=4262&pathid=184
Result Comment
Status New
An I\O action occurs at Inventory.java in 149 without authorization checks.

Source Destination
Line 169 169
Code Snippet
....

Severity Low
tid=4262&pathid=185
Result Comment
Status New
An I\O action occurs at Billing.java in 206 without authorization checks.

Source Destination
Line 313 313
Code Snippet
PAGE 216 OF 299

....

Severity Low
tid=4262&pathid=186
Result Comment
Status New
An I\O action occurs at VendorView.java in 75 without authorization checks.

Source Destination
Line 105 105
Object executeQuery executeQuery
Code Snippet
....

Severity Low
tid=4262&pathid=187
Result Comment
Status New
An I\O action occurs at Customer.java in 184 without authorization checks.

Source Destination
Line 214 214
Code Snippet
PAGE 217 OF 299

....

Severity Low
tid=4262&pathid=188
Result Comment
Status New
An I\O action occurs at JobCard.java in 161 without authorization checks.

Source Destination
Line 180 180
Code Snippet
....

Severity Low
tid=4262&pathid=189
Result Comment
Status New
An I\O action occurs at LoginAdd.java in 131 without authorization checks.

Source Destination
Line 148 148
Code Snippet
PAGE 218 OF 299

....

Severity Low
tid=4262&pathid=190
Result Comment
Status New
An I\O action occurs at CustomerView.java in 75 without authorization checks.

Source Destination
Line 105 105
Code Snippet
....

Severity Low
tid=4262&pathid=191
Result Comment
Status New
An I\O action occurs at BillingView.java in 75 without authorization checks.

Source Destination
Line 105 105
Code Snippet
PAGE 219 OF 299

....

Severity Low
tid=4262&pathid=192
Result Comment
Status New
An I\O action occurs at CustomerDel.java in 60 without authorization checks.

Source Destination
Line 74 74
Code Snippet
....

Severity Low
tid=4262&pathid=193
Result Comment
Status New
An I\O action occurs at BillingDel.java in 58 without authorization checks.

Source Destination
Line 72 72
Code Snippet
PAGE 220 OF 299

....

Severity Low
tid=4262&pathid=194
Result Comment
Status New
An I\O action occurs at LoginDel.java in 58 without authorization checks.

Source Destination
Line 73 73
Code Snippet
....

Severity Low
tid=4262&pathid=195
Result Comment
Status New
An I\O action occurs at JobCardDel.java in 58 without authorization checks.

Source Destination
Line 72 72
Code Snippet
PAGE 221 OF 299

....

Severity Low
tid=4262&pathid=196
Result Comment
Status New
An I\O action occurs at VendorDel.java in 60 without authorization checks.

Source Destination
Line 74 74
Code Snippet
....

Severity Low
tid=4262&pathid=197
Result Comment
Status New

Source Destination
Line 241 241
Code Snippet
PAGE 222 OF 299

....

Severity Low
tid=4262&pathid=198
Result Comment
Status New
An I\O action occurs at Login.java in 101 without authorization checks.

Source Destination
Line 121 121
Code Snippet
....

Severity Low
tid=4262&pathid=199
Result Comment
Status New
An I\O action occurs at JobCardView.java in 80 without authorization checks.

Source Destination
Line 110 110
Code Snippet
PAGE 223 OF 299

....

Severity Low
tid=4262&pathid=200
Result Comment
Status New

Source Destination
Line 316 316
Code Snippet
....

Severity Low
tid=4262&pathid=201
Result Comment
Status New
An I\O action occurs at InventoryDel.java in 60 without authorization checks.

Source Destination
Line 74 74
Code Snippet
PAGE 224 OF 299

....

Severity Low
tid=4262&pathid=202
Result Comment
Status New
An I\O action occurs at InventoryView.java in 75 without authorization checks.

Source Destination
Line 105 105
Code Snippet
....
Improper Resource Shutdown or Release

Query Path:
Java\Cx\Java Low Visibility\Improper Resource Shutdown or Release Version:15
Categories
NIST SP 800-53: SC-5 Denial of Service Protection (P1)
MOIS(KISA) Secure Coding 2021: MOIS(KISA) Code error
ASD STIG 5.2: APSC-DV-002400 - CAT II The application must restrict the ability to launch Denial of Service
(DoS) attacks against itself or other information systems.
Description
Improper Resource Shutdown or Release\Path 1:
Severity Low
tid=4262&pathid=203
Result Comment
Status New
PAGE 225 OF 299

The application's actionPerformed method in Vendor.java defines and initializes the getConnection object at
146. This object encapsulates a limited computing resource, such as open file streams, database connections,
or network streams. This resource is not properly closed and released in all situations.
Source Destination
Line 163 164
Object getConnection createStatement
Code Snippet
....
163. con = DriverManager.getConnection("jdbc:odbc:JMS1");
164. stmt = con.createStatement();

Severity Low
tid=4262&pathid=204
Result Comment
Status New
The application's actionPerformed method in Customer.java defines and initializes the getConnection object at
Source Destination
Line 212 213
Code Snippet
....
212. con = DriverManager.getConnection("jdbc:odbc:JMS");

Severity Low
tid=4262&pathid=205
PAGE 226 OF 299

Result Comment
Status New
The application's actionPerformed method in BillingDel.java defines and initializes the getConnection object at
58. This object encapsulates a limited computing resource, such as open file streams, database connections, or
network streams. This resource is not properly closed and released in all situations.
Source Destination
Line 68 71
Code Snippet
....
....

Severity Low
tid=4262&pathid=206
Result Comment
Status New
The application's actionPerformed method in VendorDel.java defines and initializes the getConnection object
at 60. This object encapsulates a limited computing resource, such as open file streams, database connections,
Source Destination
Line 70 73
Code Snippet
....
....
PAGE 227 OF 299

Severity Low
tid=4262&pathid=207
Result Comment
Status New
The application's actionPerformed method in LoginDel.java defines and initializes the getConnection object at
Source Destination
Line 68 72
Code Snippet
....
....

Severity Low
tid=4262&pathid=208
Result Comment
Status New
The application's InterNal method in InterNal.java defines and initializes the getConnection object at 30. This
object encapsulates a limited computing resource, such as open file streams, database connections, or
Source Destination
File InterNal.java InterNal.java
Line 37 37
Object getConnection con
Code Snippet
File Name InterNal.java
PAGE 228 OF 299

Method public InterNal(String access)
....

Severity Low
tid=4262&pathid=209
Result Comment
Status New
The application's actionPerformed method in CustomerDel.java defines and initializes the getConnection
object at 60. This object encapsulates a limited computing resource, such as open file streams, database
connections, or network streams. This resource is not properly closed and released in all situations.
Source Destination
Line 70 73
Code Snippet
....
....

Severity Low
tid=4262&pathid=210
Result Comment
Status New
The application's actionPerformed method in InventoryDel.java defines and initializes the getConnection
Source Destination
Line 70 73
PAGE 229 OF 299

Code Snippet
....
....

Severity Low
tid=4262&pathid=211
Result Comment
Status New
The application's CustomerView method in CustomerView.java defines and initializes the getConnection
Source Destination
Line 31 31
Code Snippet
Method public CustomerView()
....

Severity Low
tid=4262&pathid=212
Result Comment
Status New
The application's actionPerformed method in JobCardDel.java defines and initializes the getConnection object
PAGE 230 OF 299

Source Destination
Line 68 71
Code Snippet
....
....

Severity Low
tid=4262&pathid=213
Result Comment
Status New
The application's Login method in Login.java defines and initializes the getConnection object at 28. This object
encapsulates a limited computing resource, such as open file streams, database connections, or network
streams. This resource is not properly closed and released in all situations.
Source Destination
Line 46 46
Code Snippet
....

Severity Low
tid=4262&pathid=214
Result Comment
Status New
PAGE 231 OF 299

The application's JobCardView method in JobCardView.java defines and initializes the getConnection object at
Source Destination
Line 36 36
Code Snippet
Method public JobCardView()
....

Severity Low
tid=4262&pathid=215
Result Comment
Status New
The application's LoginAdd method in LoginAdd.java defines and initializes the getConnection object at 35.
This object encapsulates a limited computing resource, such as open file streams, database connections, or
Source Destination
Line 40 40
Code Snippet
Method public LoginAdd()
....

Severity Low
tid=4262&pathid=216
PAGE 232 OF 299

Result Comment
Status New
The application's BillingView method in BillingView.java defines and initializes the getConnection object at 26.
This object encapsulates a limited computing resource, such as open file streams, database connections, or
Source Destination
Line 31 31
Code Snippet
Method public BillingView()
....

Severity Low
tid=4262&pathid=217
Result Comment
Status New
The application's actionPerformed method in Inventory.java defines and initializes the getConnection object at
Source Destination
Line 167 168
Code Snippet
....
PAGE 233 OF 299

Severity Low
tid=4262&pathid=218
Result Comment
Status New
The application's actionPerformed method in JobCard.java defines and initializes the getConnection object at
Source Destination
Line 178 179
Code Snippet
....
178. con = DriverManager.getConnection("jdbc:odbc:JMS1");

Severity Low
tid=4262&pathid=219
Result Comment
Status New
The application's Billing method in Billing.java defines and initializes the getConnection object at 46. This
object encapsulates a limited computing resource, such as open file streams, database connections, or
Source Destination
Line 51 51
Code Snippet
Method public Billing()
PAGE 234 OF 299

....

Severity Low
tid=4262&pathid=220
Result Comment
Status New
The application's InventoryView method in InventoryView.java defines and initializes the getConnection object
Source Destination
Line 31 31
Code Snippet
Method public InventoryView()
....

Severity Low
tid=4262&pathid=221
Result Comment
Status New
The application's VendorView method in VendorView.java defines and initializes the getConnection object at
Source Destination
Line 31 31
PAGE 235 OF 299

Code Snippet
Method public VendorView()
....
Heap Inspection
Query Path:
Java\Cx\Java Low Visibility\Heap Inspection Version:10
Categories
OWASP Top 10 2013: A6-Sensitive Data Exposure
OWASP Top 10 2021: A2-Cryptographic Failures
OWASP ASVS: V08 Data Protection
ASD STIG 5.2: APSC-DV-002330 - CAT II The application must protect the confidentiality and integrity of
stored information when required by DoD policy or the information owner.
Description
Heap Inspection\Path 1:
Severity Low
tid=4262&pathid=176
Result Comment
Status New
Method actionPerformed at line 101 of Login.java defines SPassword, which is designated to contain user
passwords. However, while plaintext passwords are later assigned to SPassword, this variable is never cleared
from memory.
Source Destination
Line 110 110
Object SPassword SPassword
Code Snippet
....
110. String SPassword = Password.getText();
Severity Low
PAGE 236 OF 299

tid=4262&pathid=177
Result Comment
Status New
Method actionPerformed at line 101 of Login.java defines dPassword, which is designated to contain user
passwords. However, while plaintext passwords are later assigned to dPassword, this variable is never cleared
from memory.
Source Destination
Line 130 130
Object dPassword dPassword
Code Snippet
....
130. String dPassword = rs.getString(("Password"));
Severity Low
tid=4262&pathid=178
Result Comment
Status New
Method actionPerformed at line 131 of LoginAdd.java defines sPassword, which is designated to contain user
passwords. However, while plaintext passwords are later assigned to sPassword, this variable is never cleared
from memory.
Source Destination
Line 134 134
Object sPassword sPassword
Code Snippet
....
134. String sPassword = Password.getText();
PAGE 237 OF 299

Severity Low
tid=4262&pathid=179
Result Comment
Status New
Method actionPerformed at line 131 of LoginAdd.java defines sPasswordC, which is designated to contain user
passwords. However, while plaintext passwords are later assigned to sPasswordC, this variable is never cleared
from memory.
Source Destination
Line 135 135
Object sPasswordC sPasswordC
Code Snippet
....
135. String sPasswordC = PasswordC.getText();
Severity Low
tid=4262&pathid=180
Result Comment
Status New
Method Login at line 28 of Login.java defines l_Password, which is designated to contain user passwords.
However, while plaintext passwords are later assigned to l_Password, this variable is never cleared from
memory.
Source Destination
Line 69 69
Object l_Password l_Password
Code Snippet
PAGE 238 OF 299

....
69. JLabel l_Password = new JLabel("Password");;
Severity Low
tid=4262&pathid=181
Result Comment
Status New
Method LoginAddFrame at line 47 of LoginAdd.java defines l_Password, which is designated to contain user
passwords. However, while plaintext passwords are later assigned to l_Password, this variable is never cleared
from memory.
Source Destination
Line 73 73
Object l_Password l_Password
Code Snippet
Method public JInternalFrame LoginAddFrame(JDesktopPane desktop)
....
73. JLabel l_Password =new JLabel(" Password:");
Severity Low
tid=4262&pathid=182
Result Comment
Status New
Method LoginAddFrame at line 47 of LoginAdd.java defines l_PasswordC, which is designated to contain user
passwords. However, while plaintext passwords are later assigned to l_PasswordC, this variable is never cleared
from memory.
Source Destination
Line 81 81
Object l_PasswordC l_PasswordC
PAGE 239 OF 299

Code Snippet
Method public JInternalFrame LoginAddFrame(JDesktopPane desktop)
....
81. JLabel l_PasswordC =new JLabel("Re Enter Password:");
Insufficiently Protected Credentials

Query Path:
Java\Cx\Java Low Visibility\Insufficiently Protected Credentials Version:1
Categories
PCI DSS v3.2.1: PCI DSS (3.2.1) - 6.5.10 - Broken authentication and session management
OWASP Top 10 2013: A2-Broken Authentication and Session Management
FISMA 2014: Media Protection
NIST SP 800-53: SC-8 Transmission Confidentiality and Integrity (P1)
OWASP Top 10 2017: A2-Broken Authentication
OWASP ASVS: V02 Authentication
ASD STIG 5.2: APSC-DV-001740 - CAT I The application must only store cryptographic representations of
passwords.
Description
Insufficiently Protected Credentials\Path 1:
Severity Low
tid=4262&pathid=233
Result Comment
Status New
The password 101 did not used a secure scheme to store the password - this may allow attackers to retrieve it,
and use it to access authenticated resources.
Source Destination
Line 121 150
Object rs dPassword
Code Snippet
PAGE 240 OF 299

....
....
126. while(rs.next())
....
128. String dUser = rs.getString(("User"));
....
....
150.
if((SType.equals(dType))||(SUser.equals(dUser))||!(SPassword.equals(dPas
sword)))

Severity Low
tid=4262&pathid=234
Result Comment
Status New
Source Destination
Line 121 135
Object rs dPassword
Code Snippet
....
....
....
....
....
135.
if((SType.equals(dType))&&(SUser.equals(dUser))&&(SPassword.equals(dPass
word)))

Severity Low
tid=4262&pathid=236
PAGE 241 OF 299

Result Comment
Status New
Source Destination
Line 121 130
Object rs dPassword
Code Snippet
....
....
....
....

Severity Low
tid=4262&pathid=237
Result Comment
Status New
Source Destination
Line 121 145
Object rs dPassword
Code Snippet
PAGE 242 OF 299

....
....
....
....
....
145.
if((SType.equals(dType))&&(SUser.equals(dUser))||!(SPassword.equals(dPas
sword)))
Log Forging
Query Path:
JavaScript\Cx\JavaScript Server Side Vulnerabilities\Log Forging Version:4
Categories
NIST SP 800-53: AU-9 Protection of Audit Information (P1)
OWASP Top 10 2021: A9-Security Logging and Monitoring Failures
OWASP ASVS: V07 Error Handling and Logging
Description
Log Forging\Path 1:
Severity Low
tid=4262&pathid=259
Result Comment
Status New
Method function at line 49 of terraform-examples-master/azure/azure_linux_docker_app_service/example-

app/index.js gets user input from element url. This element’s value flows through the code without being
properly sanitized or validated, and is eventually used in writing an audit log in function at line 49 of
terraform-examples-master/azure/azure_linux_docker_app_service/example-app/index.js.
This may enable Log Forging.
Source Destination

Line 51 51
Object url log
Code Snippet
Method const requestListener = async function (req, res) {
PAGE 243 OF 299

....
51. console.log("Request to", req.url);
Log Forging\Path 2:
Severity Low
tid=4262&pathid=260
Result Comment
Status New
Method async at line 12 of terraform-examples-

master/google_cloud/CQRS_bigquery_memorystore/functions/src/probe/index.js gets user input from
element query. This element’s value flows through the code without being properly sanitized or validated, and
is eventually used in writing an audit log in async at line 12 of terraform-examples-
master/google_cloud/CQRS_bigquery_memorystore/functions/src/probe/index.js.
Source Destination

store/functions/src/probe/index.js store/functions/src/probe/index.js
Line 14 35
Object query log
Code Snippet
master/google_cloud/CQRS_bigquery_memorystore/functions/src/probe/index.js
Method exports.probe = async (event, ctx) => {
....
14. : event.query; // If running as http
....
13. const payload = event.data ? JSON.parse(Buffer.from(event.data,
'base64'))
....
35. console.log(`New version detected ${payload.version} writing
control`);
Log Forging\Path 3:
Severity Low
tid=4262&pathid=261
Result Comment
Status New
PAGE 244 OF 299

Method async at line 12 of terraform-examples-
master/google_cloud/CQRS_bigquery_memorystore/functions/src/probe/index.js gets user input from
element query. This element’s value flows through the code without being properly sanitized or validated, and
is eventually used in writing an audit log in }]).catch at line 44 of terraform-examples-
master/google_cloud/CQRS_bigquery_memorystore/functions/src/probe/index.js.
Source Destination

store/functions/src/probe/index.js store/functions/src/probe/index.js
Line 14 45
Object query error
Code Snippet
Method exports.probe = async (event, ctx) => {
....
14. : event.query; // If running as http
....
13. const payload = event.data ? JSON.parse(Buffer.from(event.data,
'base64'))
....
17. const user = `probe_${payload.version}`;

Method control => bigquery
....
37. control => bigquery
....
41. user: user,
....
40. .insert([{

Method }]).catch(err => {
....
44. }]).catch(err => {
45. console.error(JSON.stringify(err));

Query Path:
PAGE 245 OF 299

JavaScript\Cx\JavaScript Server Side Vulnerabilities\Information Exposure Through an Error Message Version:1
Categories
MOIS(KISA) Secure Coding 2021: MOIS(KISA) Error processing
ASD STIG 5.2: APSC-DV-002480 - CAT II The application must not disclose unnecessary information to users.
Description
Severity Low
tid=4262&pathid=241
Result Comment
Status New
Method async, at line 23 of terraform-examples-

master/google_cloud/CQRS_bigquery_memorystore/functions/src/test/index.js, handles an Exception or
runtime Error err. During the exception handling code, the application exposes the exception details to
send, in method async of terraform-examples-
master/google_cloud/CQRS_bigquery_memorystore/functions/src/test/index.js, line 23.
Source Destination

store/functions/src/test/index.js store/functions/src/test/index.js
Line 36 39
Object err send
Code Snippet
master/google_cloud/CQRS_bigquery_memorystore/functions/src/test/index.js
Method exports.test = async (req, res) => {
....
36. } catch (err) {
....
41. "error": err.message,
....
39. .send({
JSON Hijacking
Query Path:
JavaScript\Cx\JavaScript Server Side Vulnerabilities\JSON Hijacking Version:2
Categories
NIST SP 800-53: SC-23 Session Authenticity (P1)
PAGE 246 OF 299

Description
JSON Hijacking\Path 1:
Severity Low
tid=4262&pathid=252
Result Comment
Status New
The application returns sensitive data in a JSON object in terraform-examples-

master/aws/aws_lambda_api/example-project/src/index.ts at line 4.
Source Destination

master/aws/aws_lambda_api/example- master/aws/aws_lambda_api/example-
project/src/index.ts project/src/index.ts
Line 7 5
Object stringify resolve
Code Snippet
File Name terraform-examples-master/aws/aws_lambda_api/example-project/src/index.ts
Method export const handler: APIGatewayProxyHandler = () => {
....
7. body: JSON.stringify(getRandomJoke(), null, 2)
....
5. return Promise.resolve({
Missing CSP Header

Query Path:
JavaScript\Cx\JavaScript Server Side Vulnerabilities\Missing CSP Header Version:3
Categories
OWASP Top 10 2021: A7-Identification and Authentication Failures
Description
Missing CSP Header\Path 1:
Severity Low
tid=4262&pathid=264
PAGE 247 OF 299

Result Comment
Status New
A Content Security Policy is not explicitly defined within the web-application.

Source Destination

master/aws/aws_lambda_api/example- master/aws/aws_lambda_api/example-
project/src/index.ts project/src/index.ts
Line 5 5
Object resolve resolve
Code Snippet
File Name terraform-examples-master/aws/aws_lambda_api/example-project/src/index.ts
Method export const handler: APIGatewayProxyHandler = () => {
....
5. return Promise.resolve({
Potentially Vulnerable To Csrf

Query Path:
JavaScript\Cx\JavaScript Server Side Vulnerabilities\Potentially Vulnerable To Csrf Version:3
Categories
Description
Potentially Vulnerable To Csrf\Path 1:
Severity Low
tid=4262&pathid=265
Result Comment
Status New
Method startServer at line 48 of terraform-examples-master/azure/azure_linux_docker_app_service/example-

app/index.js gets a parameter from a user request from createServer. This parameter value flows through the
code and is eventually used to access application state altering functionality. This may enable Cross-Site
Request Forgery (CSRF).
Source Destination

PAGE 248 OF 299

Line 62 62
Object createServer createServer
Code Snippet
Method async function startServer() {
....
62. const server = http.createServer(requestListener);
Use of Deprecated or Obsolete Functions

Query Path:
JavaScript\Cx\JavaScript Server Side Vulnerabilities\Use of Deprecated or Obsolete Functions Version:9
Categories
OWASP Top 10 2013: A9-Using Components with Known Vulnerabilities
OWASP Top 10 2017: A9-Using Components with Known Vulnerabilities
Description
Use of Deprecated or Obsolete Functions\Path 1:
Severity Low
tid=4262&pathid=266
Result Comment
Status New
Method Buffer in terraform-examples-master/aws/aws_reverse_proxy/lambda.tpl.js, at line 7, calls an obsolete

API, Buffer. This has been deprecated, and should not be used in a modern codebase.
Source Destination

master/aws/aws_reverse_proxy/lambda.tpl.js master/aws/aws_reverse_proxy/lambda.tpl.js
Line 7 7
Object Buffer Buffer
Code Snippet
File Name terraform-examples-master/aws/aws_reverse_proxy/lambda.tpl.js
Method const validAuthHeader = 'Basic ' + new Buffer(validCredentials).toString('base64');
....
7. const validAuthHeader = 'Basic ' + new
Buffer(validCredentials).toString('base64');
PAGE 249 OF 299

Use Of HTTP Sensitive Data Exposure
Query Path:
JavaScript\Cx\JavaScript Server Side Vulnerabilities\Use Of HTTP Sensitive Data Exposure Version:3
Categories
FISMA 2014: System And Communications Protection
NIST SP 800-53: SC-8 Transmission Confidentiality and Integrity (P1)
OWASP Top 10 2021: A2-Cryptographic Failures
OWASP ASVS: V09 Communication
Description
Use Of HTTP Sensitive Data Exposure\Path 1:
Severity Low
tid=4262&pathid=267
Result Comment
Status New
The webserver created in createServer at terraform-examples-

master/azure/azure_linux_docker_app_service/example-app/index.js in line 48 utilizes HTTP, implying all traffic
to and from this server is unencrypted.
Source Destination

Line 62 62
Object createServer createServer
Code Snippet
Method async function startServer() {
....
62. const server = http.createServer(requestListener);
Insufficient Logging of Database Actions

Query Path:
Java\Cx\Java Best Coding Practice\Insufficient Logging of Database Actions Version:1
Categories
PAGE 250 OF 299

Description
Insufficient Logging of Database Actions\Path 1:
Severity Information
tid=4262&pathid=269
Result Comment
Status New
Source Destination
Line 165 165
Code Snippet
....

tid=4262&pathid=270
Result Comment
Status New
Source Destination
Line 148 148
Code Snippet
....

PAGE 251 OF 299

tid=4262&pathid=271
Result Comment
Status New
Source Destination
Line 180 180
Code Snippet
....

tid=4262&pathid=272
Result Comment
Status New
Source Destination
Line 169 169
Code Snippet
....

tid=4262&pathid=273
PAGE 252 OF 299

Result Comment
Status New
Source Destination
Line 214 214
Code Snippet
....

tid=4262&pathid=274
Result Comment
Status New
Source Destination
Line 313 313
Code Snippet
....

tid=4262&pathid=275
Result Comment
Status New
PAGE 253 OF 299

Source Destination
Line 72 72
Code Snippet
....

tid=4262&pathid=276
Result Comment
Status New
Source Destination
Line 73 73
Code Snippet
....

tid=4262&pathid=277
Result Comment
Status New
Source Destination
PAGE 254 OF 299

Line 74 74
Code Snippet
....

tid=4262&pathid=278
Result Comment
Status New
Source Destination
Line 74 74
Code Snippet
....

tid=4262&pathid=279
Result Comment
Status New
Source Destination
Line 74 74
PAGE 255 OF 299

Code Snippet
....

tid=4262&pathid=280
Result Comment
Status New
Source Destination
Line 72 72
Code Snippet
....
Insufficient Logging of Exceptions

Query Path:
Java\Cx\Java Best Coding Practice\Insufficient Logging of Exceptions Version:2
Categories
Description
Insufficient Logging of Exceptions\Path 1:
tid=4262&pathid=268
Result Comment
Status New
PAGE 256 OF 299

In line 36, the security-critical event is not logged properly and, therefore,the error message has some
important details omitted.
Source Destination
File SplashScreen.java SplashScreen.java
Line 64 64
Object catch catch
Code Snippet
File Name SplashScreen.java
Method public void showSplash() {
....
64. } catch (Exception e) {
SQL Injection
Risk
What might happen
An attacker could directly access all of the system's data. The attacker would likely be able to steal any sensitive
information stored by the system, including private user information, credit card details, proprietary business data, and
any other secret data. Likewise, the attacker could possibly modify or erase existing data, or even add new bogus data. In
some scenarios, it may even be possible to execute code on the database.
In addition to disclosing or altering confidential information directly, this vulnerability might also be used to achieve
secondary effects, such as bypassing authentication, subverting security checks, or forging a data trail.
Further increasing the likelihood of exploit is the fact that this flaw is easy for attackers to find, and easy to exploit.
Cause
How does it happen
The application stores and manages data in a database, by submitting a textual SQL query to the database engine for
processing. The application creates the query by simple string concatenation, embedding untrusted data. However, there
is no separation between data and code; furthermore, the embedded data is neither checked for data type validity nor
subsequently sanitized. Thus, the untrusted data could contain SQL commands, or modify the intended query. The
database would interpret the altered query and commands as if they originated from the application, and execute them
accordingly.
Note that an attacker can exploit this vulnerability either by modifying the URL, or by submitting malicious data in the
user input or other request fields.
General Recommendations
How to avoid it
 Validate all untrusted data, regardless of source. Validation should be based on a whitelist: accept only data
fitting a specified structure, rather than reject bad patterns.
 In particular, check for:
o Data type
o Size
o Range
o Format
o Expected values.
PAGE 257 OF 299

 Restrict access to database objects and functionality, according to the Principle of Least Privilege.
 Do not use dynamically concatenate strings to construct SQL queries.
 Prefer using DB Stored Procedures for all data access, instead of ad-hoc dynamic queries.
 Instead of unsafe string concatenation, use secure database components such as parameterized queries and
object bindings (for example, commands and parameters).
 Alternatively, an even better solution is to use an ORM library, in order to pre-define and encapsulate the allowed
commands enabled for the application, instead of dynamically accessing the database directly. In this way the
code plane and data plane should be isolated from each other.
 Data validation can be performed effectively using a secure library, such as OWASP's Encoder or ESAPI libraries.
 Prefer using PreparedStatement for parameterizing the queries, or even better CallableStatement. Add
dynamic data via the .set*() methods, instead of string concatenation.
 Consider using an ORM package, such as Hibernate, myBatis, or others.
Source Code Examples
Java
Create SQL query using string concatenation
public int getUserId(HttpServletRequest request)

throws ServletException, IOException {
int userId = 0;
String userName = request.getParameter("UserName");

String sql = "SELECT [UserID] FROM [AppUsers] WHERE [UserName] = '" + userName + "' " ;
try {
Connection conn = getConnection();
Statement stmt = conn.createStatement();
ResultSet data = stmt.executeQuery(sql);
userId = data.getInt(1);
} catch (SQLException ex) {
handleExceptions(ex);
}
finally {
closeQuietly(data);
closeQuietly(stmt);
closeQuietly(conn);
}
return userId;
}
Create SQL query using Sanitized Username

int userId = 0;
// Sanitize input using OWASP's ESAPI Encoder library

// Still not complete solution!
Encoder esapiEncoder = new DefaultEncoder();
String sanitizedUserName = esapiEncoder.encodeForSQL(new OracleCodec(), userName);
PAGE 258 OF 299

String sql = "SELECT [UserID] FROM [AppUsers] WHERE [UserName] = '" + sanitizedUserName
+ "' " ;
try {
ResultSet data = stmt.executeQuery(sql);
userId = data.getInt(1);
}
finally {
closeQuietly(data);
closeQuietly(stmt);
closeQuietly(conn);
}
return userId;
}
Build PreparedStatement to call Stored Procedure and set input to parameters

int userId = 0;

String sqlStoredProc = "{call getUserId (?, ?)}";
try {
CallableStatement stmt = conn.prepareCall(sqlStoredProc);
stmt.setString(1, userName);
stmt.registerOutParameter(2, java.sql.Types.INTEGER);
stmt.execute();
userId = stmt.getInt(2);
}
finally {
closeQuietly(stmt);
closeQuietly(conn);
}
return userId;
}
PAGE 259 OF 299

CSRF
Risk
What might happen
An attacker could cause the victim to perform any action for which the victim is authorized, such as transferring funds
from the victim’s account to the attacker’s. The action will be logged as being performed by the victim, in the context of
their account, and potentially without their knowledge that this action has occurred.
Cause
How does it happen
The application performs some action that modifies database contents, based purely on HTTP request content, and does
not require per-request renewed authentication (such as transaction authentication or a synchronizer token), instead
relying solely on session authentication. This means that an attacker could use social engineering to cause a victim to
browse to a link which contains a transaction request to the vulnerable application, submitting that request from the
user's browser. Once the application receives the request, it would trust the victim’s session, and would perform the
action. This type of attack is known as Cross-Site Request Forgery (CSRF).
A Cross-Site Request Forgery attack relies on the trust between a server and an authenticated client. By only validating
the session, the server ensures that a request has emerged from a client's web-browser. However, any website may
submit GET and POST requests to other websites, to which the browser will automatically add the session token if it is in
a cookie. This cross-site request can then be trusted as arriving from the user's browser, but does not validate that it was
their intent was to make this request.
How to avoid it
Mitigating CSRF requires an additional layer of authentication that is built into the request validation mechanism. This
mechanism would attach an additional token that only applies to the given user; this token would be available within the
user's web-page, but will not be attached automatically to a request from a different website (e.g. not stored in a cookie).
Since the token is not automatically attached to the request, and is not available to the attacker, and is required by the
server to process the request, it would be completely impossible for the attacker to fill in a valid cross-site form that
contains this token.
Many platforms offer built-in CSRF mitigation functionality which should be used, and perform this type of token
management under the hood. Alternatively, use a known or trusted library which adds this functionality.
If implementing CSRF protection is required, this protection should adhere to the following rules:
 Any state altering form (Create, Update, Delete operations) should enforce CSRF protection, by adding an CSRF
token to every state altering form submission on the client.
 An CSRF token should be generated, and be unique per-user per-session (and, preferably, per request).
 The CSRF token should be inserted into the client side form, and be submitted to the server as part of the form
request. For example, it could be a hidden field in an HTML form, or a custom header added by a Javascript
request.
 The CSRF token in the request body or custom header must then be verified as belonging to the current user by
the server, before a request is authorized and processed as valid.
Java
Change E-Mail Functionality Vulnerable to XSRF, Allowing Attackers to Hijack User Accounts with the "Forgot
Password" Functionality
PAGE 260 OF 299

public void doPost (HttpServletRequest request, HttpServletResponse response) throws
ServletException, IOException {
HttpSession session = request.getSession();
String email = request.getParameter("NewEmail");
if (isAuthenticated(session)) {
if (isValidEmail(email)) {
// update Email
}
else {
// reject invalid Email
}
} else {
// Require authentication
}
}
Change E-Mail Functionality Protected By XSRF Tokens, By Embedding Token in Form and Comparing It To a
Session Variable
public void doPost (HttpServletRequest request, HttpServletResponse response) throws

ServletException, IOException {
String email = request.getParameter("NewEmail");
String csrfFormToken = request.getParameter("csrfToken");
String csrfSessionToken = session.getAttribute("csrfToken"); /* Token should be attached
to every state-changing form;
* must be cryptographically secure and unique per-session

* at the very least (could also be unique per-request)
*/
if (csrfFormToken == null || !csrfFormToken.equals(csrfSessionToken)) {
// Reject request and log potential XSRF attempt
} else {
if (isAuthenticated(session)) {
if (isValidEmail(email)) {
// update Email
}
else {
// reject invalid Email
}
} else {
// Require authentication
}
}
}
PAGE 261 OF 299

DB Parameter Tampering
Risk
What might happen
A malicious user could access other users’ personal information, by simply altering the reference parameter sent to the
server. Thus, the malicious user could bypass access controls and access unauthorized records, such as other users
accounts, stealing confidential or restricted information.
Cause
How does it happen
The application accesses user information without filtering by user ID. For example, it may provide information solely by a
submitted account ID. The application uses the user input to filter specific records from database tables, which contain
sensitive personal information (e.g. user accounts or payment details). Since the application does not filter the records
according to any user identifier, nor constrain it to a pre-computed list of acceptable values, a malicious user can easily
modify the submitted reference identifier, and thus access unauthorized records.
How to avoid it
Generic Guidance:
 Enforce authorization checks before providing any access to sensitive data, including the specific object
reference.
 Explicitly block access to any unauthorized data, especially to other users’ data.
 If possible, avoid allowing the user to request arbitrary data by simply sending a record ID. For example, instead
of having the user send an account ID, the application should look up the account ID for the current
authenticated user session.
Specific Mitigation:
 Filter the database query according to a user-specific identifier, such as the customer number.
 Map the user input to an indirect reference, e.g. via a prepared list of allowable values.
Java
Unfiltered Direct Object Reference
public ResultSet getAccountInfo(request req){

int accountId = Integer.parseInt(req.getParameter("accountId"));
PreparedStatement stmt = connection.PreparedStatement("SELECT * from Accounts where
AccountId = ?");
stmt.setInt(1, accountId);
ResultSet accountRS = stmt.executeQuery();
return accountRS;
}
Record References are Now Filtered and Indirect
PAGE 262 OF 299

public ResultSet getAccountInfo(request req){
int accountIndex = Integer.parseInt(req.getParameter("accountId"));
int realAccountId = userAccountList.get(accountIndex);
int userId = req.getSession().getAttribute("userId");
PreparedStatement stmt = connection.PreparedStatement("SELECT * from Accounts where
AccountId = ? AND UserId = ?");
stmt.setInt(1, realAccountId);
stmt.setInt(2, userId);
ResultSet accountRS = stmt.executeQuery();
return accountRS;
}
PAGE 263 OF 299

Frameable Login Page
Risk
What might happen
Allowing setting of web-pages inside of a frame in an untrusted web-page will leave these web-pages vulnerable to
Clickjacking, otherwise known as a redress attack. This may allow an attacker to redress a vulnerable web-page by setting
it inside a frame within a malicious web-page. By crafting a convincing malicious web-page, the attacker can then use the
overlayed redress to convince the user to click a certain area of the screen, unknowingly clicking inside the frame
containing the vulnerable web-page, and thus performing actions within the user's context on the attacker's behalf.
Cause
How does it happen
Failure to utilize the "X-FRAME-OPTIONS" header will likely allow attackers to perform Clickjacking attacks. Properly
utilizing the "X-FRAME-OPTIONS" header would indicate to the browser to disallow embedding the web-page within a
frame, mitigating this risk, if the browser supports this header. All modern browsers support this header by default.
How to avoid it
Utilize the "X-FRAME-OPTIONS" header flags according to business requirements to restrict browsers that support this
header from allowing embedding web-pages in a frame:
· "X-Frame-Options: DENY" will indicate to the browser to disallow embedding any web-page inside a frame, including
the current web-site.
· "X-Frame-Options: SAMEORIGIN" will indicate to the browser to disallow embedding any web-page inside a
frame, excluding the current web-site.
· "X-Frame-Options: ALLOW-FROM https://example.com/" will indicate to the browser to disallow embedding any web-
page inside a frame, excluding the web-site listed after the ALLOW-FROM parameter.
JavaScript
Use Helmet To Automatically Set X-Frame-Options Header
app.use(helmet.frameguard());
Setting The "DENY" Flag On A Response
response.setHeader("X-Frame-Options", "DENY");
PAGE 264 OF 299

Parameter Tampering
Risk
What might happen
A malicious user could access other users’ information. By requesting information directly, such as by an account number,
authorization may be bypassed and the attacker could steal confidential or restricted information (for example, a bank
account balance), using a direct object reference.
Cause
How does it happen
The application provides user information without filtering by user ID. For example, it may provide information solely by a
submitted account ID. The application concatenates the user input directly into the SQL query string, without any
additional filtering. The application also does not perform any validation on the input, nor constrain it to a pre-computed
list of acceptable values.
How to avoid it
Generic Guidance:
 Enforce authorization checks before providing any access to sensitive data, including the specific object
reference.
 Explicitly block access to any unauthorized data, especially to other users’ data.
 If possible, avoid allowing the user to request arbitrary data by simply sending a record ID. For example, instead
of having the user send an account ID, the application should look up the account ID for the current
authenticated user session.
Specific Mitigation:
 Do not concatenate user input directly into SQL queries.
 Include a user-specific identifier as a filter in the WHERE clause of the SQL query.
 Map the user input to an indirect reference, e.g. via a prepared list of allowable values.
Java
Unfiltered Direct Object Reference
public ResultSet getAccountInfo(request req) {

int accountId = Integer.parseInt(req.getParameter("accountId"));
string sql = "select * from [Accounts] where [AccountId] = "

+ accountId.toString();

ResultSet accountRS = stmt.executeQuery(sql);
return accountRS;
}
Record References are Now Filtered and Indirect
PAGE 265 OF 299

public ResultSet getAccountInfo(request req) {
int accountIndex = Integer.parseInt(req.getParameter("accountIndex"));
int realAccountId = userAccountList.get(accountIndex);
int userId = req.getSession().getAttribute("userId");
string sql = "select * from [Accounts] where [AccountId] = "

+ realAccountId.toString()
+ " and [UserId] = " + userId.toString();

ResultSet accountRS = stmt.executeQuery(sql);
return accountRS;
}
PAGE 266 OF 299

Missing HSTS Header
Risk
What might happen
Failure to set an HSTS header and provide it with a reasonable "max-age" value of at least one year may leave users
vulnerable to Man-in-the-Middle attacks.
Cause
How does it happen
Many users browse to websites by simply typing the domain name into the address bar, without the protocol prefix. The
browser will automatically assume that the user's intended protocol is HTTP, instead of the encrypted HTTPS protocol.
When this initial request is made, an attacker can perform a Man-in-the-Middle attack and manipulate it to redirect users
to a malicious web-site of the attacker's choosing. To protect the user from such an occurence, the HTTP Strict Transport
Security (HSTS) header instructs the user's browser to disallow use of an unsecure HTTP connection to the the domain
associated with the HSTS header.
Once a browser that supports the HSTS feature has visited a web-site and the header was set, it will no longer
allow communicating with the domain over an HTTP connection.
Once an HSTS header was issued for a specific website, the browser is also instructed to prevent users from manually
overriding and accepting an untrusted SSL certificate for as long as the "max-age" value still applies. The recommended
"max-age" value is for at least one year in seconds, or 31536000.
How to avoid it
 Before setting the HSTS header - consider the implications it may have:
o Forcing HTTPS will prevent any future use of HTTP, which could hinder some testing
o Disabling HSTS is not trivial, as once it is disabled on the site, it must also be disabled on the browser
 Set the HSTS header either explicitly within application code, or using web-server configurations.
 Ensure the "max-age" value for HSTS headers is set to 31536000 to ensure HSTS is strictly enforced for at least
one year.
 Include the "includeSubDomains" to maximize HSTS coverage, and ensure HSTS is enforced on all sub-domains
under the current domain
o Note that this may prevent secure browser access to any sub-domains that utilize HTTP; however, use of
HTTP is very severe and highly discouraged, even for websites that do not contain any sensitive
information, as their contents can still be tampered via Man-in-the-Middle attacks to phish users under
the HTTP domain.
 Once HSTS has been enforced, submit the web-application's address to an HSTS preload list - this will ensure
that, even if a client is accessing the web-application for the first time (implying HSTS has not yet been set by the
web-application), a browser that respects the HSTS preload list would still treat the web-application as if it had
already issued an HSTS header. Note that this requires the server to have a trusted SSL certificate, and issue an
HSTS header with a maxAge of 1 year (31536000)
 Note that this query is designed to return one result per application. This means that if more than one vulnerable
response without an HSTS header is identified, only the first identified instance of this issue will be highlighted as
a result. If a misconfigured instance of HSTS is identified (has a short lifespan, or is missing the
"includeSubDomains" flag), that result will be flagged. Since HSTS is required to be enforced across the entire
application to be considered a secure deployment of HSTS functionality, fixing this issue only where the query
highlights this result is likely to produce subsequent results in other sections of the application; therefore, when
adding this header via code, ensure it is uniformly deployed across the entire application. If this header is added
via configuration, ensure that this configuration applies to the entire application.
 Note that misconfigured HSTS headers that do not contain the recommended max-age value of at least one year
or the "includeSubDomains" flag will still return a result for a missing HSTS header.
PAGE 267 OF 299

JavaScript
Using Helmet with Express
var express = require('express')

var helmet = require('helmet') // Helmet includes HSTS, defined to one year and with
"includeSubDomains", as a built-in header
var app = express()

app.use(helmet())
Using Explicit HSTS Package - Built into Helmet, So Either 'HSTS' or 'Helmet' Can Be Used
var hsts = require('hsts')
app.use(hsts({
maxAge: 31536000,
includeSubDomains: true // Also enabled by default
}))
Explicitly Setting HSTS Header in Code
res.setHeader("Strict-Transport-Security", "max-age=31536000; includeSubDomains");
PAGE 268 OF 299

Blind SQL Injections
Risk
What might happen
An attacker could directly access all of the system's data. The attacker would likely be able to steal any sensitive
information stored by the system, including private user information, credit card details, proprietary business data, and
any other secret data. Likewise, the attacker could possibly modify or erase existing data, or even add new bogus data. In
some scenarios, it may even be possible to execute code on the database.
In addition to disclosing or altering confidential information directly, this vulnerability might also be used to achieve
secondary effects, such as bypassing authentication, subverting security checks, or forging a data trail.
Further increasing the likelihood of exploit is the fact that this flaw is easy for attackers to find, and easy to exploit.
In this case, while the actual exploit is constrained to single bit of information at a time, it is still possible to eventually
retrieve all data from the system, though this process is more time consuming and would be rather noisy. Note that other
consequences, such as data modification and creation, code execution, etc. are unaffected, and still equally exploitable.
Cause
How does it happen
The application stores and manages data in a database, by submitting a textual SQL query to the database engine for
processing. The application creates the query by simple string concatenation, embedding untrusted data. However, there
is no separation between data and code; furthermore, the embedded data is neither checked for data type validity nor
subsequently sanitized. Thus, the untrusted data could contain SQL commands, or modify the intended query. The
database would interpret the altered query and commands as if they originated from the application, and execute them
accordingly.
In this case, the attacker does not need to rely on the application returning data from the database. Instead, it is possible
to leverage existing tools that perform a series of boolean tests based on varying user input, relying only on the existence
of application errors to indicate server state. Thus, the full database content can gradually be obtained, one bit at a time.
How to avoid it
 Validate all untrusted data, regardless of source. Validation should be based on a whitelist: accept only data
fitting a specified structure, rather than reject bad patterns.
 In particular, check for:
o Data type
o Size
o Range
o Format
o Expected values.
 Restrict access to database objects and functionality, according to the Principle of Least Privilege.
 Do not use dynamically concatenate strings to construct SQL queries.
 Prefer using DB Stored Procedures for all data access, instead of ad-hoc dynamic queries.
 Instead of unsafe string concatenation, use secure database components such as parameterized queries and
object bindings (for example, commands and parameters).
 Alternatively, an even better solution is to use an ORM library, in order to pre-define and encapsulate the allowed
commands enabled for the application, instead of dynamically accessing the database directly. In this way the
code plane and data plane should be isolated from each other.
 Do not allow the user to dynamically provide the name of the queried table. Furthermore, if possible, completely
avoid dynamically specifying table names.
 Ensure that all exceptions are properly handled, without leaking information on the errors, server state, or that an
error occurred at all.
 Data validation can be performed effectively using a secure library, such as OWASP's Encoder or ESAPI libraries.
 Prefer using PreparedStatement for parameterizing the queries, or even better CallableStatement. Add
dynamic data via the .set*() methods, instead of string concatenation.
PAGE 269 OF 299

 Consider using an ORM package, such as Hibernate, myBatis, or others.
Java
Create SQL INSERT query using string concatenation
public String acceptUserTOS_Unsafe(HttpServletRequest request)

int rowCount = 0;

String sql = "INSERT INTO [UserTOS] ([UserName], [AcceptDate]) VALUES ('" + userName +
"', CURRENT_TIMESTAMP) " ;
try {
rowCount = stmt.executeUpdate(sql);
}
finally {
closeQuietly(stmt);
closeQuietly(conn);
}
if (rowCount > 0)
return "Success";
else
return "Failed!";
}
Build PreparedStatement to call write-only Stored Procedure and set input to parameters
public String acceptUserTOS_SafeParameterizedQuery(HttpServletRequest request)

int rowCount = 0;

String sqlStoredProc = "{call acceptUserTOS(?)}";
try {
CallableStatement stmt = conn.prepareCall(sqlStoredProc);
stmt.setString(1, userName);
rowCount = stmt.executeUpdate();
}
finally {
closeQuietly(stmt);
closeQuietly(conn);
}
PAGE 270 OF 299

if (rowCount > 0)
return "Success";
else
return "Failed!";
}
PAGE 271 OF 299

Heap Inspection
Risk
What might happen
All variables stored by the application in unencrypted memory can potentially be retrieved by an unauthorized user, with
privileged access to the machine. For example, a privileged attacker could attach a debugger to the running process, or
retrieve the process's memory from the swapfile or crash dump file. Once the attacker finds the user passwords in
memory, these can be reused to easily impersonate the user to the system.
Cause
How does it happen
String variables are immutable - in other words, once a string variable is assigned, its value cannot be changed or
removed. Thus, these strings may remain around in memory, possibly in multiple locations, for an indefinite period of
time until the garbage collector happens to remove it. Sensitive data, such as passwords, will remain exposed in memory
as plaintext with no control over their lifetime.
While it may still be possible to retrieve data from memory, even if it uses a mutable container that is cleared, or retrieve
a decryption key and decrypt sensitive data from memory - layering sensitive data with these types of protection would
significantly increase the required effort to do so. By setting a high bar for retrieving sensitive data from memory, and
reducing the amount and exposure of sensitive data in memory, an adversary is significantly less likely to succeed in
obtaining valuable data.
How to avoid it
When it comes to avoiding Heap Inspection, it is important to note that, given any read access to memory or a memory
dump of an application, it is always likely to disclose some sensitive data to an adversary - these suggestions are part of
defense-in-depth principles for protection of sensitive data in cases where such memory read access is successfully
obtained. These recommendations will enable significant reduction in the lifespan and exposure of sensitive data in
memory; however - given enough time, effort and unlimited access to memory, they will only go so far in protecting
sensitive data being used by the application. The only way to handle Heap Inspection issues is to minimize and reduce
data exposure, and obscure it in memory wherever possible.
 Do not store sensitive data, such as passwords or encryption keys, in memory in plain-text, even for a short
period of time.
 Prefer to use specialized classes that store encrypted data in memory to ensure it cannot be trivially retrieved
from memory.
 When required to use sensitive data in its raw form, temporarily store it in mutable data types, such as byte
arrays, to reduce readability from memory, and then promptly zeroize the memory locations, to reduce exposure
duration of this data while in memory.
 Ensure that memory dumps are not exchanged with untrusted parties, as even by ensuring all of the above - it
may still be possible to reverse-engineer encrypted containers, or retrieve bytes of sensitive data from memory
and rebuild it.
 In Java, do not store passwords in immutable strings - prefer using an encrypted memory object, such as
SealedObject.
Java
Plaintext Password in Immutable String
PAGE 272 OF 299

class Heap_Inspection
{
private String password;
public void setPassword(String password)

{
this.password = password;
}
}
Password Protected in Memory
class Heap_Inspection_Fixed
{
private SealedObject password;
public void setPassword(Character[] input)

{
Key key = getKeyFromConfiguration();
Cipher c = Cipher.getInstance(CIPHER_NAME);
c.init(Cipher.ENCRYPT_MODE, key);
List<Character> characterList = Arrays.asList(input);
password = new SealedObject((Serializable) characterList, c);
Arrays.fill(input, '\0'); // Zero out input. Will also overwrite the values in
characterList by reference.
}
}
PAGE 273 OF 299

Improper Resource Access Authorization
Risk
What might happen
Unauthorized actions may allow attackers to write malicious content or code to files, databases and other I\Os or read
sensitive I\O contents. Impact of this issue varies, depending on implementation, but may allow:
 Remote code execution, in case an attacker is able to inject malicious data into a writable I\O, which would then
be interpreted or compiled as code
 Overwriting or leaking of configuration files
 Compromising confidentiality or integrity of stored data
Cause
How does it happen
A logic flow in code triggers I/O and is not authorized. If an attacker can trigger it, it may leave it vulnerable to attack.
How to avoid it
When logic flows are affected by user input or behavior, always ensure the user is authorized to trigger them.
Java
Writing to File Without Any Authorization Checks
Part filePart = request.getPart("file");

if (filePart != null) {
InputStream filecontent = null;
filecontent = filePart.getInputStream();
Path path = Paths.get(filename);
byte[] contentByteArray = new byte[filecontent.available()];
filecontent.read(contentByteArray);
Files.write(path, contentByteArray);
}
Using a Basic Authorization Check Based on Session Variables

String role = (String)session.getAttribute("role");
if (role.equals(ADMIN)) {
Part filePart = request.getPart("file");
if (filePart != null) {
InputStream filecontent = null;
filecontent = filePart.getInputStream();
Path path = Paths.get(filename);
byte[] contentByteArray = new byte[filecontent.available()];
filecontent.read(contentByteArray);
Files.write(path, contentByteArray);
}
PAGE 274 OF 299

}
PAGE 275 OF 299

Improper Resource Shutdown or Release
Risk
What might happen
Unreleased resources can cause a drain of those available for system use, eventually causing general reliability and
availability problems, such as performance degradation, process bloat, and system instability. If a resource leak can be
intentionally exploited by an attacker, it may be possible to cause a widespread DoS (Denial of Service) attack. This might
even expose sensitive information between unprivileged users, if the resource continues to retain data or user id between
subsequent allocations.
Cause
How does it happen
The application code allocates resource objects, but does not ensure these are always closed and released in a timely
manner. This can include database connections, file handles, network sockets, or any other resource that needs to be
released. In some cases, these might be released - but only if everything works as planned; if there is any runtime
exception during the normal course of system operations, resources start to leak.
Note that even in managed-memory languages such as Java, these resources must be explicitly released. Many types of
resource are not released even when the Garbage Collector runs; and even if the the object would eventually release the
resource, we have no control over when the Garbage Collector does run.
How to avoid it
 Always close and release all resources.
 Ensure resources are released (along with any other necessary cleanup) in a finally { } block. Do not close
resources in a catch { } block, since this is not ensured to be called.
 Explicitly call .close() on any instance of a class that implements the Closable or AutoClosable interfaces.
 Alternatively, an even better solution is to use the try-with-resources idiom, in order to automatically close any
defined AutoClosable instances.
Java
Unreleased Database Connection
private MyObject getDataFromDb(int id) {

MyObject data = null;
Connection con = null;
try {
Connection con = DriverManager.getConnection(CONN_STRING);
data = queryDb(con, id);
}
catch ( SQLException e ) {
handleError(e);
}
}
Explicit Release of Database Connection
PAGE 276 OF 299

try {
Connection con = DriverManager.getConnection(CONN_STRING);
}
handleError(e);
}
finally {
if ((con != null) && (!con.isClosed())) {
con.close();
}
}
}
Automatic Implicit Release Using Try-With-Resources

try (Connection con = DriverManager.getConnection(CONN_STRING)) {
}
handleError(e);
}
}
PAGE 277 OF 299

Risk
What might happen
Exposed details about the application’s environment, users, or associated data (for example, stack trace) could enable an
attacker to find another flaw and help the attacker to mount an attack. This may also leak sensitive data, e.g. passwords
or database fields.
Cause
How does it happen
The application handles exceptions in an insecure manner, including raw details directly in the error message. This could
occur in various ways: by not handling the exception; printing it directly to the output or file; explicitly returning the
exception object; or by configuration. These exception details may include sensitive information that could leak to the
users due to the occurrence of the runtime error.
How to avoid it
 Do not expose exception data directly to the output or users, instead return an informative, generic error
message. Log the exception details to a dedicated log mechanism.
 Any method that could throw an exception should be wrapped in an exception handling block that:
o Explicitly handles expected exceptions.
o Includes a default solution to explicitly handle unexpected exceptions.
 Configure a global handler to prevent unhandled errors from leaving the application.
Java
Handle Exception by Printing To Output
private void wrapCallToDB_Unsafe(HttpServletRequest request)

String paramValue = request.getParameter("Param");
try {
callDbProc(paramValue);
ex.printStackTrace();
}
}
Write Exception Details to Log, Send Generic Error Message
private void wrapCallToDB_SafePrintToLog(HttpServletRequest request)

String paramValue = request.getParameter("Param");
PAGE 278 OF 299

try {
callDbProc(paramValue);
writeExceptionToLog(ex);
System.err.println("Database Error, see log for details");
}
}
PAGE 279 OF 299

Insufficiently Protected Credentials
Risk
What might happen
Passwords that are stored in plaintext outside of a secure container would be trivial to read, if retrieved by an attacker.
Leaked passwords could then be used to authenticate to other sensitive resources, to perform actions and retrieve
additional information.
Cause
How does it happen
A password was stored in plaintext, outside of a secure container such as a password hashing algorithm or data
encryption.
How to avoid it
Generic Guidance:
 Always use strong, modern algorithms for encryption, hashing, and so on.
 Do not use weak, outdated, or obsolete algorithms.
 Ensure you select the correct cryptographic mechanism according to the specific requirements.
 Passwords should be protected with a dedicated password protection scheme, such as bcrypt, scrypt, PBKDF2, or
Argon2.
Specific Recommendations:
 Do not use SHA-1, MD5, or any other weak hash algorithm to protect passwords or personal data. Instead, use a
stronger hash such as SHA-256 when a secure hash is required.
 Do not use DES, 3DES, RC2, or any other weak encryption algorithm to protect passwords or personal data.
Instead, use a stronger encryption algorithm such as AES to protect personal data.
 Do not use weak encryption modes such as ECB, or rely on insecure defaults. Explicitly specify a stronger
encryption mode, such as GCM.
 For symmetric encryption, use a key length of at least 256 bits.
Java
Plaintext Database Password
public Connection createConnection(Properties connectionProperties) {
string user = connectionProperties.getProperty("user");

string password = connectionProperties.getProperty("password");
Connection conn = DriverManager.getConnection(CONN_STRING, user, password);
return conn;
}
Encrypted Database Password
PAGE 280 OF 299

public Connection createConnection(Properties connectionProperties) {
string user = connectionProperties.getProperty("user");

string password = connectionProperties.getProperty("password");
// Call encryption framework to decrypt password with protected key

password = decryptPassword(password);
try {
Connection conn = DriverManager.getConnection(CONN_STRING,
user, password);
}
catch (SQLException e) {
handleException(e);
}
return conn;
}
PAGE 281 OF 299

Risk
What might happen
Exposed details about the application’s environment, users, or associated data (for example, stack trace) could enable an
attacker to find another flaw and help the attacker to mount an attack. This may also leak sensitive data, e.g. passwords
or database fields.
Cause
How does it happen
The application handles exceptions in an insecure manner, including raw details directly in the error message. This could
occur in various ways: by not handling the exception; printing it directly to the output or file; explicitly returning the
exception object; or by configuration. These exception details may include sensitive information that could leak to the
users due to the occurrence of the runtime error.
How to avoid it
 Do not expose exception data directly to the output or users, instead return an informative, generic error
message. Log the exception details to a dedicated log mechanism.
 Any method that could throw an exception should be wrapped in an exception handling block that:
o Explicitly handles expected exceptions.
o Includes a default solution to explicitly handle unexpected exceptions.
 Configure a global handler to prevent unhandled errors from leaving the application.
JavaScript
Throwing Error Without Handling it
app.get('/create-db', (req, res) => {

db = new sqlite.Database('mydb.db', (err) => {
if (err) throw err
})
})
Writing the Error to Log and Sending a Generic Message
app.get('/create-db', (req, res) => {

db = new sqlite.Database('mydb.db', (err) => {
if (err) {
console.log(err)
res.send('An error occurred!')
}
})
})
PAGE 282 OF 299

PAGE 283 OF 299
JSON Hijacking
Risk
What might happen
An attacker may craft a malicious web-page and, via social engineering, get a user to access it. If that user uses an
outdated browser, and is logged in to the vulnerable application, the attacker may retrieve the contents of JSON objects,
bypassing SOP and reading these objects' contents, and any sensitive information therein. Note that, while this issue
generally applies to outdated, legacy and obsolete browsers, JSON hijacking issues also periodically arise in more
modern browsers.
Cause
How does it happen
The following is required for the application to be vulnerable:
 The application must be using cookie-based authentication
 The application responds in an authenticated manner to simple GET request
 This sensitive data is returned as a JSON, specifically in array form (enclosed in square [] brackets), and containing
objects inside within the array
By returning a JSON array, an attacker may create a malicious website, which incorporates a <script> tag in their page
in the following manner:
<script src="https://example.com/path/to/vulnerable/page"></script>
The browser will interpret the returned value as an object, causing it to temporarily exist in the malicious web-page's
DOM; however since this object it is not assigned or referenced, it will be ephemeral, and would normally be immediately
discarded. This is similar to any other declaration or return value without an assignment, and the malicious web-page
would be unable to reference it in any way.
To actually exploit this issue in a vulnerable browser, an attacker would have to be able to override the prototype
function for setters, which is normally restricted. If the browser is vulnerable and does allow overwriting certain core
prototypes for setters in Javascript within the web-page context, they could craft a Javascript that, once a vulnerable page
is included with the method, an object will initiate construction, trigger the overridden setter prototypes with the JSON
object's contents as values, and an attacker would then be able to access these values in the context of their malicious
web-page. From that point on - accessing them would be trivial.
How to avoid it
There are multiple methods to address this issue:
 Do not respond with JSON arrays as they are wrapped with square brackets, which immediately get evaluated as
objects; if required, wrap the array with an external object (e.g. {"array":[]}) or add some sort of prefix to prevent
this issue
 If required, respond with JSON arrays only to POST request; ensure no sensitive information is ever returned as
an array to a GET request
 Prefix the JSON object with either JavaScript (for(;;);) or an unparseable JSON ({};) , and, before processing
it on the client, strip this prefix; the latter will cause importation to fail, and the former will cause importation to
hang forever - either way, this will prevent an attacker from importing a JSON object as a script
JavaScript
JSON Array Containing Sensitive Data and Vulnerable to JSON Hijacking
PAGE 284 OF 299

app.get('/security_answers', function(req, res) {
var userId = req.session.userId; // Assume userId is assigned only if authenticated
if (userId) {
connection.query('SELECT security_question, security_answer' +
'FROM security_qa WHERE userId=?',[userId],
function(err,results) {
/* JSON response would be of the form [{"security_question":"Q1",
"security_answer":"A1"},
* "security_question":"Q2", "security_answer":"A2"}], implying it can be loaded as an

Object
* using <script src="path/to/this/JSON"></script>
*/
res.json(results);
});
} else {
res.json({"error":"Not authenticated"});
}
});
JSON Array Wrapped in JSON Object, Preventing JSON Hijacking

if (userId) {
/* JSON response would be of the form
{"results":[{"security_question":"Q1", "security_answer":"A1"},
* {"security_question":"Q2","security_answer":"A2"}]}, implying
it will always be formulated
* like a JSON object, not a JSON array, and would not be loaded externally
*/
res.json({"results":results});
});
} else {
}
});
JSON Array Preceded by JavaScript That Freezes Page, Preventing Loading Array

if (userId) {
res.setHeader('Content-Type', 'application/json');
/* JSON response would be of the form
"for(;;);[{"security_question":"Q1", "security_answer":"A1"},
* {"security_question":"Q2","security_answer":"A2"}]", implying
if it is loaded as an Object using
* <script src="path/to/this/JSON"></script>, an endless loop will
occur before the object is loaded
PAGE 285 OF 299

*/
res.send("for(;;);"+JSON.stringify(results));
});
} else {
}
});
PAGE 286 OF 299

Log Forging
Risk
What might happen
An attacker could engineer audit logs of security-sensitive actions and lay a false audit trail, potentially implicating an
innocent user or hiding an incident.
Cause
How does it happen
The application writes audit logs upon security-sensitive actions. Since the audit log includes user input that is neither
checked for data type validity nor subsequently sanitized, the input could contain false information made to look like
legitimate audit log data,
How to avoid it
1. Validate all input, regardless of source. Validation should be based on a whitelist: accept only data fitting a
specified structure, rather than reject bad patterns. Check for:
o Data type
o Size
o Range
o Format
o Expected values
2. Validation is not a replacement for encoding. Fully encode all dynamic data, regardless of source, before
embedding it in logs.
3. Use a secure logging mechanism.
JavaScript
Passing Unsanitized Values to HAPI server.log()
var id = request.query["id"];
try {
var val = tryGetById(id); // Assume this throws an exception if "id" is not found
// Handle val
}
catch(err) {
server.log(['error','id'],id); // Log unsanitized values, which could also not be
sanitized downstream, and could contain CRLF
}
Passing Sanitized Values to HAPI server.log()
var id = request.query["id"];
try {
var val = tryGetById(id); // Assume this throws an exception if "id" is not found
PAGE 287 OF 299

// Handle val
}
catch(err) {
server.log(['error','id'],encodeURI(id)); // encodeURI() is a sufficient sanitizer for
CRLF, as it URL-encodes the line break characters
}
PAGE 288 OF 299

Missing CSP Header
Risk
What might happen
The Content-Security-Policy header enforces that the source of content, such as the origin of a script, embedded (child)
frame, embedding (parent) frame or image, are trusted and allowed by the current web-page; if, within the web-page, a
content's source does not adhere to a strict Content Security Policy, it is promptly rejected by the browser. Failure to
define a policy may leave the application's users exposed to Cross-Site Scripting (XSS) attacks, Clickjacking attacks,
content forgery and more.
Cause
How does it happen
The Content-Security-Policy header is used by modern browsers as an indicator for trusted sources of content, including
media, images, scripts, frames and more. If these policies are not explicitly defined, default browser behavior would
allow untrusted content.
The application creates web responses, but does not properly set a Content-Security-Policy header.
How to avoid it
Explicitly set the Content-Security-Policy headers for all applicable policy types (frame, script, form, script, media, img
etc.) according to business requirements and deployment layout of external file hosting services. Specifically, do not use a
wildcard, '*', to specify these policies, as this would allow content from any external resource.
The Content-Security-Policy can be explicitly defined within web-application code, as a header managed by web-server
configurations, or within <meta> tags in the HTML <head> section.
JavaScript
Setting The CSP Header Explicitly
app.use(function(req, res, next) {

res.setHeader("Content-Security-Policy", "script-src 'self'");
return next();
});
PAGE 289 OF 299

Potentially Vulnerable To Csrf
Risk
What might happen
An attacker could cause the victim to perform any action for which the victim is authorized, such as transferring funds
from the victim’s account to the attacker’s. The action will be logged as being performed by the victim, in the context of
their account, and potentially without their knowledge that this action has occurred.
Cause
How does it happen
The application performs some action that modifies database contents, based purely on HTTP request content, and does
not require per-request renewed authentication (such as transaction authentication or a synchronizer token), instead
relying solely on session authentication. This means that an attacker could use social engineering to cause a victim to
browse to a link which contains a transaction request to the vulnerable application, submitting that request from the
user's browser. Once the application receives the request, it would trust the victim’s session, and would perform the
action. This type of attack is known as Cross-Site Request Forgery (CSRF).
A Cross-Site Request Forgery attack relies on the trust between a server and an authenticated client. By only validating
the session, the server ensures that a request has emerged from a client's web-browser. However, any website may
submit GET and POST requests to other websites, to which the browser will automatically add the session token if it is in
a cookie. This cross-site request can then be trusted as arriving from the user's browser, but does not validate that it was
their intent was to make this request.
In some cases, XSRF protection functionality exists in the application, but is either not implemented, or explicitly disabled.
How to avoid it
Mitigating CSRF requires an additional layer of authentication that is built into the request validation mechanism. This
mechanism would attach an additional token that only applies to the given user; this token would be available within the
user's web-page, but will not be attached automatically to a request from a different website (e.g. not stored in a cookie).
Since the token is not automatically attached to the request, and is not available to the attacker, and is required by the
server to process the request, it would be completely impossible for the attacker to fill in a valid cross-site form that
contains this token.
Many platforms offer built-in CSRF mitigation functionality which should be used, and perform this type of token
management under the hood. Alternatively, use a known or trusted library which adds this functionality.
If implementing CSRF protection is required, this protection should adhere to the following rules:
 Any state altering form (Create, Update, Delete operations) should enforce CSRF protection, by adding an CSRF
token to every state altering form submission on the client.
 An CSRF token should be generated, and be unique per-user per-session (and, preferably, per request).
 The CSRF token should be inserted into the client side form, and be submitted to the server as part of the form
request. For example, it could be a hidden field in an HTML form, or a custom header added by a Javascript
request.
 The CSRF token in the request body or custom header must then be verified as belonging to the current user by
the server, before a request is authorized and processed as valid.
Always rely on best practices when using XSRF protection - always enable built-in functionality or available libraries
where possible.
When using application-wide XSRF protection, never explicitly disable or subvert XSRF protection for specific functionality
unless said functionality has been thoroughly verified to not require XSRF protection.
PAGE 290 OF 299

JavaScript
Applying 'csurf' Library to HTML Forms in Express
app.get('/profile/email/edit', (req, res) => {

// Add csrfToken() as a value inside the form, so that the token is submitted in the
request
res.send(`
<h1>Change E-Mail Form</h1>

<form action="/profile/email/edit" method="POST">
<input id="email" name="email" type="text" />
<input id="email" name="verify_email" type="text" />
<input type="submit" value="Ok" />
<input type="hidden" name="_csrf" value="${req.csrfToken()}" />
</form>
`);
});
// If the _csrf token in the request body is not equal to the synchronizer token, the POST
request will be rejected, and this method will not trigger
app.post('/profile/email/edit', (req, res) => {
// Authenticate user session
// Update email address
}
PAGE 291 OF 299

Use of Deprecated or Obsolete Functions
Risk
What might happen
Referencing deprecated modules can cause an application to be exposed to known vulnerabilities, that have been
publicly reported and already fixed. A common attack technique is to scan applications for these known vulnerabilities,
and then exploit the application through these deprecated versions. However, even if deprecated code is used in a way
that is completely secure, its very use and inclusion in the code base would encourage developers to re-use the
deprecated element in the future, potentially leaving the application vulnerable to attack, which is why deprecated code
should be eliminated from the code-base as a matter of practice.
Note that the actual risk involved depends on the specifics of any known vulnerabilities in older versions.
Cause
How does it happen
The application references code elements that have been declared as deprecated. This could include classes, functions,
methods, properties, modules, or obsolete library versions that are either out of date by version, or have been entirely
deprecated. It is likely that the code that references the obsolete element was developed before it was declared as
obsolete, and in the meantime the referenced code was updated.
How to avoid it
 Always prefer to use the most updated versions of libraries, packages, and other dependancies.
 Do not use or reference any class, method, function, property, or other element that has been declared
deprecated.
JavaScript
Using a Deprecated Call to createClient
const http = require('http');

var client = http.createClient(PORT, HOST);
var request = client.request(METHOD, PATH);
Using a Supported Call to http.request

var request = http.request({
port: PORT,
host: HOST,
method: METHOD,
path: PATH
});
PAGE 292 OF 299

PAGE 293 OF 299
Use Of HTTP Sensitive Data Exposure
Risk
What might happen
Failure to implement secure communication channels, such as TLS over HTTP, will leave communications exposed to
tapping and Man-in-the-Middle attacks.
Cause
How does it happen
The web-server created uses HTTP without any TLS encryption.
How to avoid it
 Never transmit sensitive information in plain-text
 Always ensure connections, particularly over untrusted networks, are protected by well-configured TLS
JavaScript
Configuring an HTTP Server
function serverHandler(req, res) {

// Implement server
}

const server = http.createServer(serverHandler).listen(PORT);
Configuring an HTTPS Server
function serverHandler(req, res) {

// Implement server
}
const https = require('https');

const options = {
key: getTLSKey(),
cert: getTLSCert()
};
const server = https.createServer(options, serverHandler).listen(PORT);
PAGE 294 OF 299

Insufficient Logging of Exceptions
Risk
What might happen
If security-critical information is not recorded, there will be no trail for forensic analysis and discovering the cause of
problems or the source of attacks may become more difficult or impossible.
Cause
How does it happen
Error's stack trace is not fully printed.
How to avoid it
Use a centralized logging mechanism that supports multiple levels of detail.Be sure to set the level of logging
appropriately in a production environment. Sufficient data should be logged to enable system administrators to detect
attacks, diagnose errors, and recover from attacks.
Java
Print Stack Trace
public class Example1{

public String login(Model model, String username, String password) {
try {
// attempt to login user
userService.login(username, password);
} catch (Exception ex) {
ex.printStackTrace();
}
return "login";
}
}
Log Error
public class Example{

try {
// attempt to login user
log.error("Exception looking up customer by name: " + ex.getMessage());
}
return "login";
}
}
PAGE 295 OF 299

Log Error
public class Example{

try {
log.error("Exception looking up customer by name: " + ex.getMessage(),
ex);
}
return "login";
}
}
PAGE 296 OF 299

Insufficient Logging
Weakness ID: 778 (Weakness Base) Status: Draft
Description
Description Summary
When a security-critical event occurs, the software either does not record the event or omits important details
about the event when logging it.
Extended Description
When security-critical events are not logged properly, such as a failed login attempt,
this can make malicious behavior more difficult to detect and may hinder forensic
analysis after an attack succeeds.
Time of Introduction
 Operation
Applicable Platforms
Languages
Language-independent
Common Consequences
Scope Effect
Accountability If security critical information is not recorded, there will be no

trail for forensic analysis and discovering the cause of problems
or the source of attacks may become more difficult or
impossible.
Likelihood of Exploit
Medium
Demonstrative Examples
Example 1
The example below shows a configuration for the service security audit feature in the
Windows Communication Foundation (WCF).
(Bad Code)
Example Language: XML
<system.serviceModel>
<behaviors>
<serviceBehaviors>
<behavior name="NewBehavior">
<serviceSecurityAudit auditLogLocation="Default"
suppressAuditFailure="false"
serviceAuthorizationAuditLevel="None"
messageAuthenticationAuditLevel="None" />
...
</system.serviceModel>
The previous configuration file has effectively disabled the recording of security-critical
events, which would force the administrator to look to other sources during debug or
recovery efforts.
Logging failed authentication attempts can warn administrators of potential brute force
attacks. Similarly, logging successful authentication events can provide a useful audit
trail when a legitimate account is compromised. The following configuration shows
appropriate settings, assuming that the site does not have excessive traffic, which could
fill the logs if there are a large number of success or failure events (CWE-779).
(Good Code)
Example Language: XML
PAGE 297 OF 299

<system.serviceModel>
<behaviors>
<serviceBehaviors>
<behavior name="NewBehavior">
<serviceSecurityAudit auditLogLocation="Default"
suppressAuditFailure="false"
serviceAuthorizationAuditLevel="SuccessAndFailure"
messageAuthenticationAuditLevel="SuccessAndFailure" />
...
</system.serviceModel>
Observed Examples
Reference Description
CVE-2008-4315 server does not log failed authentication attempts, making it

easier for attackers to perform brute force password guessing
without being detected
CVE-2008-1203 admin interface does not log failed authentication attempts,

making it easier for attackers to perform brute force password
guessing without being detected
CVE-2007-3730 default configuration for POP server does not log source IP or
username for login attempts
CVE-2007-1225 proxy does not log requests without "http://" in the URL,
allowing web surfers to access restricted web content without
detection
CVE-2003-1566 web server does not log requests for a non-standard request
type
Potential Mitigations
Phase: Architecture and Design
Use a centralized logging mechanism that supports multiple levels of detail. Ensure that all security-related successes and failures
can be logged.
Phase: Operation
Be sure to set the level of logging appropriately in a production environment. Sufficient data should be logged to enable system
administrators to detect attacks, diagnose errors, and recover from attacks. At the same time, logging too much data (CWE-779)
can cause the same problems.
Relationships
Nature Type ID Name View(s) this
relationship pertains
to
ChildOf Weakness Base 223 Omission of Security- Development
relevant Information Concepts
(primary)699
Research Concepts
(primary)1000
ChildOf Category 254 Security Features Development
Concepts699
ChildOf Weakness Class 693 Protection Mechanism Research Concepts1000
Failure
Content History
Submissions
Submission Date Submitter Organization Source
2009-07-02 Internal CWE Team
Contributions
Contribution Date Contributor Organization Source
2009-07-02 Fortify Software Content
Provided code example and additional information for description and consequences.
BACK TO TOP
PAGE 298 OF 299

Scanned Languages
Language Hash Number Change Date
Java 0565608910574429 6/4/2023
JavaScript 5693733879119650 6/4/2023
PLSQL 0342189457118079 1/29/2023
Scala 5090086836072228 1/29/2023
Common 1330881790325397 6/4/2023
PAGE 299 OF 299

JMS Sample Report

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

JMS Sample Report

Uploaded by

Copyright:

Available Formats

JMS Github 2 Scan Report

Project Name JMS Github 2

Threat Weakness Weakness Technical Business Issues Best Fix

A2-Broken App. App.

A3-Sensitive App. App.

A4-XML External App. App.

A5-Broken App. App.

A7-Cross-Site App. App.

A8-Insecure App. App.

Issues Best Fix

A6-Vulnerable and Outdated Components* 0 0

A7-Identification and Authentication Failures* 2 2

A8-Software and Data Integrity Failures* 1 1

A9-Security Logging and Monitoring Failures 16 15

A10-Server-Side Request Forgery 0 0

Threat Attack Weakness Weakness Technical Business Issues Best Fix

A7-Missing EXTERNAL, EXPOSED

Issues Best Fix

PCI DSS (3.2.1) - 6.5.2 - Buffer overflows 0 0

PCI DSS (3.2.1) - 6.5.3 - Insecure cryptographic storage* 0 0

PCI DSS (3.2.1) - 6.5.4 - Insecure communications* 0 0

PCI DSS (3.2.1) - 6.5.5 - Improper error handling* 33 33

PCI DSS (3.2.1) - 6.5.7 - Cross-site scripting (XSS) 0 0

PCI DSS (3.2.1) - 6.5.8 - Improper access control* 0 0

PCI DSS (3.2.1) - 6.5.9 - Cross-site request forgery 35 10

PCI DSS (3.2.1) - 6.5.10 - Broken authentication and session management* 4 1

Issues Best Fix

Organizations must: (i) create, protect, and retain

Organizations must: (i) establish and maintain

Organizations must identify information system

Organizations must: (i) protect information system

Organizations must: (i) monitor, control, and protect

Organizations must: (i) identify, report, and correct

Issues Best Fix

AC-3 Access Enforcement (P1)* 34 22

AC-4 Information Flow Enforcement (P1) 0 0

AC-6 Least Privilege (P1) 0 0

AU-9 Protection of Audit Information (P1) 3 2

CM-6 Configuration Settings (P2) 0 0

IA-5 Authenticator Management (P1) 0 0

IA-6 Authenticator Feedback (P2) 0 0

IA-8 Identification and Authentication (Non-Organizational Users) (P1) 0 0

SC-12 Cryptographic Key Establishment and Management (P1) 0 0

SC-13 Cryptographic Protection (P1) 0 0

SC-17 Public Key Infrastructure Certificates (P1) 0 0

SC-18 Mobile Code (P2) 0 0

SC-23 Session Authenticity (P1)* 36 11

SC-28 Protection of Information at Rest (P1)* 0 0

SC-4 Information in Shared Resources (P1) 0 0

SC-5 Denial of Service Protection (P1)* 19 19

SC-8 Transmission Confidentiality and Integrity (P1) 5 2

SI-10 Information Input Validation (P1)* 118 30

SI-11 Error Handling (P2)* 33 33

SI-15 Information Output Filtering (P0) 0 0

SI-16 Memory Protection (P1)* 0 0

Issues Best Fix

This category covers insecure data storage and

This category covers poor handshaking, incorrect

This category captures notions of authenticating the

The code applies cryptography to a sensitive

This is a category to capture any failures in

This category is the catch-all for code-level

This category covers binary patching, local resource