CWE Vulnerability Issue Fix

Anna Ai
Greenhorn
Posts: 10
Hi, there:

I got some vulnerability issues when using IBM AppScan to scan our Java web application and need some solution:


1. CWE 20 - Improper Input Validation for the source code below:
request.getSession().setAttribute("objStr", obj);

2. CWE 511 - Logic/Time (Malicious Trigger) for date compares like: currDate.compare(processDate) or currDate.equal(processDate)

3. CWE 73 - External control of file or path for source code like:
String todayDate = getTodaysDate();
String currTime = getCurrentTime();
String path = fileToRead + ".done_" + todayDate + currTime;
File file = new File(path); // CWE 73

Thanks in advance.
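The CWE 73 finding above is about fileToRead: if any part of that name can be influenced from outside (a request parameter, an uploaded file name, a database column another system writes), the constructed path can point anywhere the application can read. The usual fix is to validate the name against an allowlist and then confirm the canonical result still sits under a fixed base directory. The following is an added example written for this thread, not code from the original posts; the base directory, the timestamp format and the class name are assumptions, since the thread does not say where fileToRead lives.

```java
import java.io.File;
import java.io.IOException;
import java.time.LocalDateTime;
import java.time.format.DateTimeFormatter;
import java.util.regex.Pattern;

public class DoneFileResolver {
    // Assumed: the ".done_" marker files all live under one fixed directory.
    private final File baseDir;

    // Allowlist for the untrusted part of the path: a plain file name only,
    // no path separators, no null bytes, bounded length.
    private static final Pattern SAFE_NAME = Pattern.compile("[A-Za-z0-9._-]{1,64}");

    public DoneFileResolver(File baseDir) throws IOException {
        // Canonicalise once so later containment checks compare like with like.
        this.baseDir = baseDir.getCanonicalFile();
    }

    public File resolveDoneFile(String fileToRead) throws IOException {
        // Step 1: reject anything that is not a simple file name.
        // The leading-dot check also refuses "." and "..".
        if (fileToRead == null
                || !SAFE_NAME.matcher(fileToRead).matches()
                || fileToRead.startsWith(".")) {
            throw new IllegalArgumentException("rejected file name");
        }

        // Step 2: the date/time part is generated by the server, so it is trusted.
        String stamp = LocalDateTime.now()
                .format(DateTimeFormatter.ofPattern("yyyyMMddHHmmss"));

        // Step 3: build the path relative to baseDir, never from a raw string.
        File candidate = new File(baseDir, fileToRead + ".done_" + stamp).getCanonicalFile();

        // Step 4: belt and braces. Even if the allowlist were later relaxed,
        // the canonical path must still start with the canonical base directory.
        if (!candidate.toPath().startsWith(baseDir.toPath())) {
            throw new SecurityException("path escapes base directory: " + candidate);
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        DoneFileResolver resolver = new DoneFileResolver(new File(System.getProperty("java.io.tmpdir")));
        System.out.println(resolver.resolveDoneFile("batch42"));          // accepted
        for (String bad : new String[] {"../etc/passwd", "a/b", "..", "x\u0000y"}) {
            try {
                resolver.resolveDoneFile(bad);
            } catch (IllegalArgumentException | SecurityException e) {
                System.out.println("rejected " + bad + ": " + e.getMessage()); // constructed bad inputs
            }
        }
    }
}
```

Having the check in one place also gives you something concrete to show the AppScan reviewer: the scanner flags new File(path) because it cannot see that the only untrusted piece was validated a few lines earlier, so the fix is as much about making that validation obvious as it is about adding it.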
 
Jeanne Boyarsky
author & internet detective
Sheriff
Posts: 36396
Anna,
A nice thing about CWE (Common Weakness Enumeration) is that you can easily Google them. For example, CWE 511 tells us it is about logic bombs, which is saying that a programmer out to no good could have embedded code that only runs on/after a specific date, like a way of hurting the company if they are fired. It is likely that this is a false positive and you have business logic about a date, which means someone on your team needs to analyze it and confirm it is a false positive.

For the other two, the solution is likely more validation. You'd need to share more about what you are trying to do in order to get advice on how to handle them.
 
Bob X Chen
Greenhorn
Posts: 1
For CWE 20, if Obj is a string then you will need to search for escape characters like < > and &. Since you are setting it in the request, it will be displayed in HTML. If it is an Object I don't know how I would validate it. Anyway, please let me know how you overcame the AppScan.

Thanks
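On the point that a string stored in the session will end up in HTML: the characters < > & " and ' only become a problem at the moment the value is written into a page, so the reliable place to neutralise them is the output side, with an input allowlist as a second layer where the field has a known shape. The following is an added example for this thread, not code from the original posts; the sample inputs are constructed, and the username pattern is an assumption about what such a field might hold.

```java
import java.util.regex.Pattern;

public final class SessionStringHandling {
    // Assumed input shape: a display name. Tighten or loosen to fit the real field.
    private static final Pattern DISPLAY_NAME = Pattern.compile("[\\p{L}\\p{N} ._-]{1,40}");

    // Input validation (CWE 20 side): decide up front what the field may contain
    // before it goes anywhere near request.getSession().setAttribute(...).
    public static String validateDisplayName(String raw) {
        if (raw == null || !DISPLAY_NAME.matcher(raw).matches()) {
            throw new IllegalArgumentException("display name rejected");
        }
        return raw;
    }

    // Output encoding: convert the five HTML-significant characters to entities
    // so the browser treats the value as text, not markup. Apply this when the
    // stored value is rendered, whatever validation happened on the way in.
    public static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed samples: one that passes the allowlist, one that does not.
        System.out.println(escapeHtml(validateDisplayName("Anna Ai")));
        try {
            validateDisplayName("Tom & Jerry <b>bold</b>");
        } catch (IllegalArgumentException e) {
            System.out.println("input rejected, but output escaping still handles it: "
                    + escapeHtml("Tom & Jerry <b>bold</b>"));
        }
    }
}
```

Rejecting & on input is not always an option (names like "Tom & Jerry" are legitimate), which is why escaping at render time is the layer you should not skip; in a JSP the same job is done by the JSTL c:out tag or fn:escapeXml, which encode these same characters.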
 