CWE Vulnerability Issue Fix

 
Greenhorn
Posts: 10
Hi, there:

I got some vulnerability issues when using IBM AppScan to scan our Java web application and need some solution:

1. CWE 20 - Improper Input Validation for the source code below:
request.getSession().setAttribute("objStr", obj);

2. CWE 511 - Logic/Time (Malicious Trigger) for date comparisons like: currDate.compare(processDate) or currDate.equal(processDate)

3. CWE 73 - External control of file or path for source code like:
String todayDate = getTodaysDate();
String currTime = getCurrentTime();
String path = fileToRead + ".done_" + todayDate + currTime;
File file = new File(path); // -- flagged as CWE 73

Thanks in advance.
 
author & internet detective
Posts: 41860
Anna,
A nice thing about CWE (Common Weakness Enumeration) is that you can easily Google them. For example, CWE 511 tells us it is about logic bombs, which is to say that a programmer out to no good could have embedded code that only runs on/after a specific date, like a way of hurting the company if they are fired. It is likely that this is a false positive and you have business logic about a date, which means someone on your team needs to analyze it and confirm it is a false positive.

For the other two, the solution is likely more validation. You'd need to share more about what you are trying to do in order to get advice on how to handle them.
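As an added illustration of "more validation" for the CWE 73 finding in the first post (this is example code, not the original poster's code and not something AppScan generates), the untrusted part of the path, fileToRead, is restricted to a plain file name and the final path is checked to stay under an application-owned directory. BASE_DIR, the file-name pattern and the timestamp format are assumptions standing in for the real configuration, getTodaysDate() and getCurrentTime().

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.time.LocalDateTime;
import java.time.format.DateTimeFormatter;

public class DoneMarkerPath {
    // Assumed base directory; in the real application this comes from configuration,
    // never from request data.
    private static final Path BASE_DIR = Paths.get("/var/app/inbox").toAbsolutePath().normalize();
    // Assumed stamp format replacing getTodaysDate() + getCurrentTime().
    private static final DateTimeFormatter STAMP = DateTimeFormatter.ofPattern("yyyyMMdd_HHmmss");

    /**
     * Builds the ".done_<stamp>" marker path for an input file name.
     * fileToRead is treated as untrusted: only a bare file name (no separators,
     * no leading dot, so no "..") is accepted, and the resolved path is then
     * re-checked to lie inside BASE_DIR as a second, independent guard.
     */
    public static Path doneMarkerFor(String fileToRead) {
        if (fileToRead == null || !fileToRead.matches("[A-Za-z0-9][A-Za-z0-9._-]{0,99}")) {
            throw new IllegalArgumentException("rejected file name");
        }
        String stamp = LocalDateTime.now().format(STAMP);
        Path candidate = BASE_DIR.resolve(fileToRead + ".done_" + stamp).normalize();
        if (!candidate.startsWith(BASE_DIR)) {
            throw new IllegalArgumentException("path escapes base directory");
        }
        return candidate;
    }

    public static void main(String[] args) {
        System.out.println("accepted: " + doneMarkerFor("orders.csv"));
        // Constructed inputs that the validation must reject.
        for (String bad : new String[] {"../etc/passwd", "sub/file.txt", ".hidden", ""}) {
            try {
                doneMarkerFor(bad);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected '" + bad + "': " + e.getMessage());
            }
        }
    }
}
```

The name check alone already blocks traversal; the startsWith check is kept so that a later relaxation of the pattern cannot silently reopen the path outside BASE_DIR.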
 
Greenhorn
Posts: 1
For CWE 20, if obj is a String then you will need to search for escape characters like <, > and &. Since you are setting it in the request, it will be displayed in HTML. If it is an Object, I don't know how I would validate it. Anyway, please let me know how you overcame the AppScan.

Thanks
 