These days, no one can deny that security matters. Every week on the news, you see stories about web attacks, and the theft of sensitive customer data from companies compromised by a data breach. The reasons for these attacks range from passwords left on a sticky note to complex vulnerability exploits.
Detecting injections
Since 2010, the OWASP organization, which defines the famous OWASP Top 10 standard, considers that the biggest security problem applications are suffering from is the possibility to perform injection attacks.
Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query.
The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
These last few months at SonarSource we have developed an engine dedicated to the security domain based on the technique call "taint analysis". Basically, we track whether your input variables have been sanitized by the time they reach a piece of code (a sink) that can be used to perform an attack. We don't pretend to cover all the possible sinks but that will be enhanced over the time so we can participate in this effort to eradicate the "Injection" from the OWASP Top 10 standard.
This new engine is part of SonarCloud and is targeting 6 common injection problems for Java and C#:
- S3649: SQL Query Injection: CWE-89, CWE-564, CWE-20, CWE-943, CERT IDS00-J., SANS Top 25
- S2076: OS Command Injection: CWE-78, CWE-88, SANS Top 25
- S2091: XPath Expressions Injection: CWE-643, CERT IDS53-J.
- S2078: LDAP Query Injection: CWE-90, CERT IDS54-J.
- S2083: I/O Function Calls Injection: CWE-22, CWE-23, CWE-36, CWE-99, CWE-641, CWE-22, SANS Top 25
- S2631: Regular Expressions Injection
What's next?
We want to detect more injection problems on more languages such as PHP! Additionally, we want to raise issues on low-hanging fruit related to the security domain such as: use of weak encryption algorithms, debug options left in production code, misconfigured cookies, etc.
Coming with that, we will soon provide a dedicated security space so you can easily check your compliance with OWASP Top 10 and SANS Top 25 standards. Stay tuned!