https://wiki.owasp.org/api.php?action=feedcontributions&feedformat=atom&user=WichersOWASP - User contributions [en]2026-05-17T01:31:30ZUser contributionsMediaWiki 1.27.2https://wiki.owasp.org/index.php?title=Source_Code_Analysis_Tools&diff=256308Source Code Analysis Tools2019-12-12T13:22:16Z<p>Wichers: /* Commercial Tools Of This Type */</p>
<hr />
<div>[[Static_Code_Analysis | Source code analysis]] tools, also referred to as Static Application Security Testing (SAST) Tools, are designed to analyze source code and/or compiled versions of code to help find security flaws. <br />
<br />
Some tools are starting to move into the IDE. For the types of problems that can be detected during the software development phase itself, this is a powerful phase within the development life cycle to employ such tools, as it provides immediate feedback to the developer on issues they might be introducing into the code during code development itself. This immediate feedback is very useful, especially when compared to finding vulnerabilities much later in the development cycle.<br />
<br />
== Strengths and Weaknesses ==<br />
<br />
=== Strengths ===<br />
<br />
* Scales well -- can be run on lots of software, and can be run repeatedly (as with nightly builds or continuous integration)<br />
* Useful for things that such tools can automatically find with high confidence, such as buffer overflows, SQL Injection Flaws, and so forth<br />
* Output is good for developers -- highlights the precise source files, line numbers, and even subsections of lines that are affected<br />
<br />
=== Weaknesses ===<br />
<br />
* Many types of security vulnerabilities are difficult to find automatically, such as authentication problems, access control issues, insecure use of cryptography, etc. The current state of the art only allows such tools to automatically find a relatively small percentage of application security flaws. However, tools of this type are getting better.<br />
* High numbers of false positives.<br />
* Frequently can't find configuration issues, since they are not represented in the code.<br />
* Difficult to 'prove' that an identified security issue is an actual vulnerability.<br />
* Many of these tools have difficulty analyzing code that can't be compiled. Analysts frequently can't compile code because they don't have the right libraries, all the compilation instructions, all the code, etc.<br />
<br />
==Important Selection Criteria==<br />
<br />
* Requirement: Must support your programming language, but not usually a key factor once it does.<br />
* Types of vulnerabilities it can detect (out of the [[OWASP Top Ten]]?) (plus more?)<br />
* How accurate is it? False Positive/False Negative rates?<br />
** Does the tool have an OWASP [[Benchmark]] score?<br />
* Does it understand the libraries/frameworks you use?<br />
* Does it require a fully buildable set of source?<br />
* Can it run against binaries instead of source?<br />
* Can it be integrated into the developer's IDE?<br />
* How hard is it to setup/use?<br />
* Can it be run continuously and automatically?<br />
* License cost for the tool. (Some are sold per user, per org, per app, per line of code analyzed. Consulting licenses are frequently different than end user licenses.)<br />
<br />
==OWASP Tools Of This Type==<br />
<br />
* [[OWASP SonarQube Project]]<br />
* [http://www.owasp.org/index.php/Category:OWASP_Orizon_Project OWASP Orizon Project]<br />
* [[OWASP_LAPSE_Project | OWASP LAPSE Project]]<br />
* [[OWASP O2 Platform]]<br />
* [[OWASP WAP-Web Application Protection]]<br />
<br />
==Disclaimer==<br />
<br />
Disclaimer: <b>The tools listed in the tables below are presented in alphabetical order. <i>OWASP does not endorse any of the vendors or tools by listing them in the table below.</i> We have made every effort to provide this information as accurately as possible. If you are the vendor of a tool below and think that this information is incomplete or incorrect, please send an e-mail to our mailing list and we will make every effort to correct this information.</b><br />
<br />
==Open Source or Free Tools Of This Type==<br />
<br />
* [https://wiki.openstack.org/wiki/Security/Projects/Bandit Bandit] - bandit is a comprehensive source vulnerability scanner for Python<br />
* [http://brakemanscanner.org/ Brakeman] - Brakeman is an open source vulnerability scanner specifically designed for Ruby on Rails applications<br />
* [http://rubygems.org/gems/codesake-dawn Codesake Dawn] - Codesake Dawn is an open source security source code analyzer designed for Sinatra, Padrino for Ruby on Rails applications. It also works on non-web applications written in Ruby<br />
* [https://discotek.ca/deepdive.xhtml Deep Dive] - Byte code analysis tool for discovering vulnerabilities in Java deployments (Ear, War, Jar).<br />
* [http://findbugs.sourceforge.net/ FindBugs] - (Legacy - NOT Maintained - Use SpotBugs (see below) instead) - Find bugs (including a few security flaws) in Java programs<br />
* [https://find-sec-bugs.github.io/ FindSecBugs] - A security specific plugin for SpotBugs that significantly improves SpotBugs's ability to find security vulnerabilities in Java programs. Works with the old FindBugs too,<br />
* [http://www.dwheeler.com/flawfinder/ Flawfinder] Flawfinder - Scans C and C++<br />
* [https://github.com/golangci/golangci-lint GolangCI-Lint] - A Go Linters aggregator - One of the Linters is [https://github.com/securego/gosec gosec (Go Security)], which is off by default but can easily be enabled.<br />
* [https://www.bishopfox.com/resources/tools/google-hacking-diggity/attack-tools/ Google CodeSearchDiggity] - Uses Google Code Search to identifies vulnerabilities in open source code projects hosted by Google Code, MS CodePlex, SourceForge, Github, and more. The tool comes with over 130 default searches that identify SQL injection, cross-site scripting (XSS), insecure remote and local file includes, hard-coded passwords, and much more. ''Essentially, Google CodeSearchDiggity provides a source code security analysis of nearly every single open source code project in existence – simultaneously.''<br />
* [https://github.com/wireghoul/graudit/ Graudit] - Scans multiple languages for various security flaws.<br />
* [https://lgtm.com/help/lgtm/about-lgtm LGTM] - A free for open source static analysis service that automatically monitors commits to publicly accessible code in: Bitbucket Cloud, GitHub, or GitLab. Supports C/C++, C#, COBOL (in beta), Java, JavaScript/TypeScript, Python<br />
* [https://dotnet-security-guard.github.io/ .NET Security Guard] - Roslyn analyzers that aim to help security audits on .NET applications. It will find SQL injections, LDAP injections, XXE, cryptography weakness, XSS and more.<br />
* [https://github.com/FloeDesignTechnologies/phpcs-security-audit phpcs-security-audit] - phpcs-security-audit is a set of PHP_CodeSniffer rules that finds flaws or weaknesses related to security in PHP and its popular CMS or frameworks. It currently has core PHP rules as well as Drupal 7 specific rules.<br />
* [http://pmd.sourceforge.net/ PMD] - PMD scans Java source code and looks for potential code problems (this is a code quality tool that does not focus on security issues)<br />
* [http://msdn.microsoft.com/en-us/library/ms933794.aspx PreFast] (Microsoft) - PREfast is a static analysis tool that identifies defects in C/C++ programs. Last update 2006.<br />
* [https://github.com/designsecurity/progpilot Progpilot] - Progpilot is a static analyzer tool for PHP that detects security vulnerabilities such as XSS and SQL Injection.<br />
* [https://pumascan.com/ Puma Scan] - Puma Scan is a .NET C# open source static source code analyzer that runs as an IDE plugin for Visual Studio and via MSBuild in CI pipelines.<br />
* [https://pyre-check.org/ Pyre] - A performant type-checker for Python 3, that also has [https://pyre-check.org/docs/static-analysis.html limited security/data flow analysis] capabilities.<br />
* [http://rips-scanner.sourceforge.net/ RIPS] - RIPS Open Source is a static source code analyzer for vulnerabilities in PHP web applications. Please see notes on the sourceforge.net site.<br />
* [https://discotek.ca/sinktank.xhtml Sink Tank] - Byte code static code analyzer for performing source/sink (taint) analysis.<br />
* [http://www.sonarqube.org/ SonarQube] - Scans source code for more than 20 languages for Bugs, Vulnerabilities, and Code Smells. SonarQube IDE plugins for Eclipse, Visual Studio, and IntelliJ provided by [http://www.sonarlint.org/ SonarLint].<br />
* [https://spotbugs.github.io/ SpotBugs] - This is the active fork replacement for FindBugs, which is not maintained anymore.<br />
* [http://sourceforge.net/projects/visualcodegrepp/ VisualCodeGrepper (VCG)] - Scans C/C++, C#, VB, PHP, Java, and PL/SQL for security issues and for comments which may indicate defective code. The config files can be used to carry out additional checks for banned functions or functions which commonly cause security issues.<br />
<br />
[https://docs.gitlab.com/ee/user/application_security/sast/index.html#supported-languages-and-frameworks GitLab has lashed a free SAST tool for a bunch of different languages natively into GitLab. So you might be able to use that, or at least identify a free SAST tool for the language you need from that list].<br />
<br />
An even broader list of free static analysis tools (not just for security) for lots of different languages is here called: [https://endler.dev/awesome-static-analysis/ Awesome Static Analysis]<br />
<br />
==Commercial Tools Of This Type==<br />
* [https://www.ptsecurity.com/ww-en/products/ai/ Application Inspector] (Positive Technologies) - combines SAST, DAST, IAST, SCA, configuration analysis and other technologies, incl. unique abstract interpretation; has capability to generate test queries (exploits) to verify detected vulnerabilities during SAST analysis; Supported languages include: Java, C#, PHP, JavaScript, Objective C, VB.Net, PL/SQL, T-SQL, and others. <br />
* [https://www.ibm.com/us-en/marketplace/application-security-on-cloud Application Security on Cloud] (IBM) - Provides SAST, DAST and mobile security testing as well as OpenSource library known vulnerability detection as a cloud service. <br />
* [https://www.ibm.com/us-en/marketplace/ibm-appscan-source AppScan Source] (IBM)<br />
* [https://www.blueclosure.com BlueClosure BC Detect] (BlueClosure) - Analyzes client-side JavaScript.<br />
* [https://bugscout.io/en/ bugScout] (Nalbatech, Formally Buguroo)<br />
* [https://www.castsoftware.com/products/application-intelligence-platform CAST AIP] (CAST) Performs static and architectural analysis to identify numerous types of security issues. Supports over 30 languages. [https://www.castsoftware.com/solutions/application-security/cwe#SupportedSecurityStandards AIP's security specific coverage is here].<br />
* [https://www.codacy.com/ Codacy] Offers security patterns for languages such as Python, Ruby, Scala, Java, JavaScript and more. Integrates with tools such as Brakeman, Bandit, FindBugs, and others. (free for open source projects)<br />
* [https://www.grammatech.com/products/codesonar CodeSonar] tool that supports C, C++, Java and C# and maps against the OWASP top 10 vulnerabilities.<br />
* [https://www.contrastsecurity.com/interactive-application-security-testing-iast Contrast Assess] (Contrast Security) - Contrast performs code security without actually doing static analysis. Contrast does Interactive Application Security Testing (IAST), correlating runtime code & data analysis. It provides code level results without actually relying on static analysis.<br />
* [http://www.coverity.com/products/code-advisor/ Coverity Code Advisor] (Synopsys)<br />
* [https://www.checkmarx.com/technology/static-code-analysis-sca/ CxSAST] (Checkmarx)<br />
* [https://www.microfocus.com/en-us/products/static-code-analysis-sast Fortify] (Micro Focus, Formally HP)<br />
* [https://hdivsecurity.com/interactive-application-security-testing-iast Hdiv Detection] (Hdiv Security) - Hdiv performs code security without actually doing static analysis. Hdiv does Interactive Application Security Testing (IAST), correlating runtime code & data analysis. It provides code-level results without actually relying on static analysis.<br />
* [http://www.juliasoft.com/solutions Julia] (JuliaSoft) - SaaS Java static analysis<br />
* [http://www.klocwork.com/capabilities/static-code-analysis KlocWork] (KlocWork)<br />
* [https://www.kiuwan.com/code-analysis/ Kiuwan] (an [http://www.optimyth.com Optimyth] company) - SaaS Software Quality & Security Analysis<br />
* [http://www.parasoft.com/jsp/capabilities/static_analysis.jsp?itemId=547 Parasoft Test] (Parasoft)<br />
* [https://pitss.com/products/pitss-con/ PITSS.CON] (PITTS)<br />
* [https://www.ptsecurity.com/ww-en/products/ai/ PT Application Inspector] combines SAST, DAST, IAST, SCA, configuration analysis and other technologies, incl. unique abstract interpretation for high accuracy rate with minimum false positives; has a unique capability to generate special test queries (exploits) to verify detected vulnerabilities during SAST analysis; integrates with CI/CD, VCS, etc. PT AI helps to easily understand, verify, and fix flaws; has a simple UI; is highly automated and easy to use. Supported languages are Java, C#, PHP, JavaScript, Objective C, VB.Net, PL/SQL, T-SQL, and others.<br />
* [https://pumascanpro.com/ Puma Scan Professional] - A .NET C# static source code analyzer that runs as a Visual Studio IDE extension, Azure DevOps extension, and Command Line (CLI) executable.<br />
* [http://www.viva64.com/en/ PVS-Studio] (PVS-Studio) - For C/C++, C#<br />
* [https://www.reshiftsecurity.com reshift] - A CI/CD tool that uses static code analysis to scan for vulnerabilities and uses machine learning to give a prediction on false positives. Supports Java with future support for NodeJS and JavaScript planned for sometime in 2019.<br />
* [https://www.ripstech.com/ RIPS Code Analysis] (RIPS Technologies) - A SAST solution specialized for Java and PHP that detects unknown security vulnerabilities and code quality issues.<br />
* [https://www.synopsys.com/software-integrity/resources/datasheets/secureassist.html SecureAssist] (Synopsys) - Scans code for insecure coding and configurations automatically as an IDE plugin for Eclipse, IntelliJ, and Visual Studio etc. Supports (Java, .NET, PHP, and JavaScript)<br />
* [https://www.whitehatsec.com/products/static-application-security-testing/ Sentinel Source] (Whitehat)<br />
* [https://www.synopsys.com/software-integrity/products/interactive-application-security-testing.html Seeker] (Synopsys) Seeker performs code security without actually doing static analysis. Seeker does Interactive Application Security Testing (IAST), correlating runtime code & data analysis with simulated attacks. It provides code level results without actually relying on static analysis.<br />
* [https://smartdecscanner.com/ SmartDec Scanner] (SmartDec) Capable of identifying vulnerabilities and backdoors (undocumented features) in over 30 programming languages by analyzing source code or executables, without requiring debug info.<br />
* [http://www.sourcepatrol.co.uk/ Source Patrol] (Pentest)<br />
* [https://www.defensecode.com/thunderscan.php Thunderscan SAST] (DefenseCode)<br />
* [http://www.veracode.com/products/binary-static-analysis-sast Veracode Static Analysis] (Veracode)<br />
* [http://www.xanitizer.net Xanitizer] - Scans Java and Scala for security vulnerabilities, mainly via taint analysis. Free for academic and open source projects (see [https://www.rigs-it.com/xanitizer-pricing/]).<br />
<br />
==More info==<br />
<br />
* [[Appendix_A:_Testing_Tools | Appendix A: Testing Tools]]<br />
* [http://samate.nist.gov/index.php/Source_Code_Security_Analyzers.html NIST's list of Source Code Security Analysis Tools]<br />
* [[:Category:Vulnerability_Scanning_Tools | DAST Tools]] - Similar info on Dynamic Application Security Testing (DAST) Tools<br />
* [[Free for Open Source Application Security Tools]] - This page lists the Commercial Source Code Analysis Tools (SAST) we know of that are free for Open Source<br />
<br />
[[Category:OWASP .NET Project]]<br />
[[Category:SAMM-CR-2]]<br />
__NOTOC__</div>Wichershttps://wiki.owasp.org/index.php?title=Benchmark&diff=255911Benchmark2019-11-02T21:25:34Z<p>Wichers: </p>
<hr />
<div>= Main = <br />
<div style="width:100%;height:100px;border:0,margin:0;overflow: hidden;">[[File:Lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== OWASP Benchmark Project ==<br />
The OWASP Benchmark for Security Automation (OWASP Benchmark) is a free and open test suite designed to evaluate the speed, coverage, and accuracy of automated software vulnerability detection tools and services (henceforth simply referred to as 'tools'). Without the ability to measure these tools, it is difficult to understand their strengths and weaknesses, and compare them to each other. Each version of the OWASP Benchmark contains thousands of test cases that are fully runnable and exploitable, each of which maps to the appropriate CWE number for that vulnerability.<br />
<br />
You can use the OWASP Benchmark with [[Source_Code_Analysis_Tools | Static Application Security Testing (SAST)]] tools, [[:Category:Vulnerability_Scanning_Tools | Dynamic Application Security Testing (DAST)]] tools like OWASP [[ZAP]] and Interactive Application Security Testing (IAST) tools. Benchmark is implemented in Java. Future versions may expand to include other languages.<br />
<br />
==Benchmark Project Scoring Philosophy==<br />
<br />
Security tools (SAST, DAST, and IAST) are amazing when they find a complex vulnerability in your code. But with widespread misunderstanding of the specific vulnerabilities automated tools cover, end users are often left with a false sense of security.<br />
<br />
We are on a quest to measure just how good these tools are at discovering and properly diagnosing security problems in applications. We rely on the [http://en.wikipedia.org/wiki/Receiver_operating_characteristic long history] of military and medical evaluation of detection technology as a foundation for our research. Therefore, the test suite tests both real and fake vulnerabilities.<br />
<br />
There are four possible test outcomes in the Benchmark:<br />
<br />
# Tool correctly identifies a real vulnerability (True Positive - TP)<br />
# Tool fails to identify a real vulnerability (False Negative - FN)<br />
# Tool correctly ignores a false alarm (True Negative - TN)<br />
# Tool fails to ignore a false alarm (False Positive - FP)<br />
<br />
We can learn a lot about a tool from these four metrics. Consider a tool that simply flags every line of code as vulnerable. This tool will perfectly identify all vulnerabilities! But it will also have 100% false positives and thus adds no value. Similarly, consider a tool that reports absolutely nothing. This tool will have zero false positives, but will also identify zero real vulnerabilities and is also worthless. You can even imagine a tool that flips a coin to decide whether to report whether each test case contains a vulnerability. The result would be 50% true positives and 50% false positives. We need a way to distinguish valuable security tools from these trivial ones.<br />
<br />
If you imagine the line that connects all these points, from 0,0 to 100,100 establishes a line that roughly translates to "random guessing." The ultimate measure of a security tool is how much better it can do than this line. The diagram below shows how we will evaluate security tools against the Benchmark.<br />
<br />
[[File:Wbe guide.png]]<br />
<br />
A point plotted on this chart provides a visual indication of how well a tool did considering both the True Positives the tool reported, as well as the False Positives it reported. We also want to compute an individual score for that point in the range 0 - 100, which we call the Benchmark Accuracy Score.<br />
<br />
The Benchmark Accuracy Score is essentially a [https://en.wikipedia.org/wiki/Youden%27s_J_statistic Youden Index], which is a standard way of summarizing the accuracy of a set of tests. Youden's index is one of the oldest measures for diagnostic accuracy. It is also a global measure of a test performance, used for the evaluation of overall discriminative power of a diagnostic procedure and for comparison of this test with other tests. Youden's index is calculated by deducting 1 from the sum of a test’s sensitivity and specificity expressed not as percentage but as a part of a whole number: (sensitivity + specificity) – 1. For a test with poor diagnostic accuracy, Youden's index equals 0, and in a perfect test Youden's index equals 1.<br />
<br />
So for example, if a tool has a True Positive Rate (TPR) of .98 (i.e., 98%) <br />
and False Positive Rate (FPR) of .05 (i.e., 5%)<br />
Sensitivity = TPR (.98)<br />
Specificity = 1-FPR (.95)<br />
So the Youden Index is (.98+.95) - 1 = .93<br />
<br />
And this would equate to a Benchmark score of 93 (since we normalize this to the range 0 - 100)<br />
<br />
On the graph, the Benchmark Score is the length of the line from the point down to the diagonal “guessing” line. Note that a Benchmark score can actually be negative if the point is below the line. This is caused when the False Positive Rate is actually higher than the True Positive Rate.<br />
<br />
==Benchmark Validity==<br />
<br />
The Benchmark tests are not exactly like real applications. The tests are derived from coding patterns observed in real applications, but the majority of them are considerably '''simpler''' than real applications. That is, most real world applications will be considerably harder to successfully analyze than the OWASP Benchmark Test Suite. Although the tests are based on real code, it is possible that some tests may have coding patterns that don't occur frequently in real code.<br />
<br />
Remember, we are trying to test the capabilities of the tools and make them explicit, so that users can make informed decisions about what tools to use, how to use them, and what results to expect. This is exactly aligned with the OWASP mission to make application security visible.<br />
<br />
==Generating Benchmark Scores==<br />
<br />
Anyone can use this Benchmark to evaluate vulnerability detection tools. The basic steps are:<br />
# Download the Benchmark from GitHub<br />
# Run your tools against the Benchmark<br />
# Run the BenchmarkScore tool on the reports from your tools<br />
<br />
That's it!<br />
<br />
Full details on how to do this are at the bottom of the page on the Quick_Start tab.<br />
<br />
We encourage both vendors, open source tools, and end users to verify their application security tools against the Benchmark. In order to ensure that the results are fair and useful, we ask that you follow a few simple rules when publishing results. We won't recognize any results that aren't easily reproducible:<br />
<br />
# A description of the default “out-of-the-box” installation, version numbers, etc…<br />
# Any and all configuration, tailoring, onboarding, etc… performed to make the tool run<br />
# Any and all changes to default security rules, tests, or checks used to achieve the results<br />
# Easily reproducible steps to run the tool<br />
<br />
== Reporting Format==<br />
<br />
The Benchmark includes tools to interpret raw tool output, compare it to the expected results, and generate summary charts and graphs. We use the following table format in order to capture all the information generated during the evaluation.<br />
<br />
{| class="wikitable nowraplinks"<br />
|-<br />
! style="background:#DDDDDD" | Security Category<br />
! TP<br />
! FN<br />
! TN<br />
! FP<br />
! style="background:#DDDDDD" | Total<br />
! TPR<br />
! FPR<br />
! style="background:#DDDDDD" | Score<br />
|-<br />
! style="background:#DDDDDD" valign="top" width="11%"| General security category for test cases.<br />
| valign="top" width="11%"| '''True Positives''': Tests with real vulnerabilities that were correctly reported as vulnerable by the tool.<br />
| valign="top" width="11%"| '''False Negative''': Tests with real vulnerabilities that were not correctly reported as vulnerable by the tool.<br />
| valign="top" width="11%"| '''True Negative''': Tests with fake vulnerabilities that were correctly not reported as vulnerable by the tool.<br />
| valign="top" width="11%"| '''False Positive''':Tests with fake vulnerabilities that were incorrectly reported as vulnerable by the tool.<br />
| style="background:#DDDDDD" valign="top" width="11%"| Total test cases for this category.<br />
| valign="top" width="11%"| '''True Positive Rate''': TP / ( TP + FN ) - Also referred to as Precision, as defined at [https://en.wikipedia.org/wiki/Precision_and_recall Wikipedia].<br />
| valign="top" width="11%"| '''False Positive Rate''': FP / ( FP + TN ).<br />
| style="background:#DDDDDD" valign="top" width="11%"| Normalized distance from the “guess line” TPR - FPR.<br />
|-<br />
! style="background:#DDDDDD" | Command Injection<br />
| ...<br />
| ...<br />
| ...<br />
| ...<br />
| style="background:#DDDDDD" | ...<br />
| ...<br />
| ...<br />
| style="background:#DDDDDD" | ...<br />
|-<br />
! style="background:#DDDDDD" | Etc...<br />
| ...<br />
| ...<br />
| ...<br />
| ...<br />
| style="background:#DDDDDD" | ...<br />
| ...<br />
| ...<br />
| style="background:#DDDDDD" | ...<br />
|-<br />
! style="background:#DDDDDD" | <br />
! Total TP<br />
! Total FN<br />
! Total TN<br />
! Total FP<br />
! style="background:#DDDDDD" | Total TC<br />
! Average TPR<br />
! Average FPR<br />
! style="background:#DDDDDD" | Average Score<br />
|}<br />
<br />
==Code Repo and Build/Run Instructions ==<br />
<br />
See the '''Getting Started''' and '''Getting, Building, and Running the Benchmark''' sections on the Quick Start tab.<br />
<br />
==Licensing==<br />
<br />
The OWASP Benchmark is free to use under the [http://choosealicense.com/licenses/gpl-2.0/ GNU General Public License v2.0].<br />
<br />
== Mailing List ==<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp-benchmark-project OWASP Benchmark Mailing List]<br />
<br />
== Project Leaders ==<br />
<br />
[https://www.owasp.org/index.php/User:Wichers Dave Wichers] [mailto:dave.wichers@owasp.org @]<br />
<br />
== Project References ==<br />
* [https://www.mir-swamp.org/#packages/public Software Assurance Marketplace (SWAMP) - set of curated packages to test tools against]<br />
* [http://samate.nist.gov/Other_Test_Collections.html SAMATE List of Test Collections]<br />
<br />
== Related Projects ==<br />
<br />
* [http://samate.nist.gov/SARD/testsuite.php NSA's Juliet for Java]<br />
* [http://sectoolmarket.com/ The Web Application Vulnerability Scanner Evaluation Project (WAVSEP)]<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
<br />
All test code and project files can be downloaded from [https://github.com/OWASP/benchmark OWASP GitHub].<br />
<br />
== Project Intro Video ==<br />
<br />
[[File:BenchmarkPodcastTitlePage.jpg|200px|link=https://www.youtube.com/watch?v=HQP8dwc3jJA&index=5&list=PLGB2s-U5FSWOmEStMt3JqlMFJvRYqeVW5]]<br />
<br />
== News and Events ==<br />
* LOOKING FOR VOLUNTEERS!! - We are looking for individuals and organizations to join and make this a much more community driven project, including additional coleaders to help take this project to the next level. Contributors could work on things like new test cases, additional tool scorecard generators, adding support for languages beyond Java, and a host of other improvements. Please contact [mailto:dave.wichers@owasp.org me] if you are interested in contributing at any level.<br />
* June 5, 2016 - Benchmark Version 1.2 Released<br />
* Sep 24, 2015 - Benchmark introduced to broader OWASP community at [https://appsecusa2015.sched.org/event/3r9k/using-the-owasp-benchmark-to-assess-automated-vulnerability-analysis-tools AppSec USA]<br />
* Aug 27, 2015 - U.S. Dept. of Homeland Security (DHS) is financially supporting the Benchmark project.<br />
* Aug 15, 2015 - Benchmark Version 1.2beta Released with full DAST Support. Checkmarx and ZAP scorecard generators also released.<br />
* July 10, 2015 - Benchmark Scorecard generator and open source scorecards released<br />
* May 23, 2015 - Benchmark Version 1.1 Released<br />
* April 15, 2015 - Benchmark Version 1.0 Released<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [http://choosealicense.com/licenses/gpl-2.0/ GNU General Public License v2.0]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= Test Cases =<br />
<br />
Version 1.0 of the Benchmark was published on April 15, 2015 and had 20,983 test cases. On May 23, 2015, version 1.1 of the Benchmark was released. The 1.1 release improves on the previous version by making sure that there are both true positives and false positives in every vulnerability area. Version 1.2 was released on June 5, 2016 (and the 1.2beta August 15, 2015).<br />
<br />
Version 1.2 and forward of the Benchmark is a fully executable web application, which means it is scannable by any kind of vulnerability detection tool. The 1.2 has been limited to slightly less than 3,000 test cases, to make it easier for DAST tools to scan it (so it doesn't take so long and they don't run out of memory, or blow up the size of their database). The 1.2 release covers the same vulnerability areas that 1.1 covers. We added a few Spring database SQL Injection tests, but that's it. The bulk of the work was turning each test case into something that actually runs correctly AND is fully exploitable, and then generating a UI on top of it that works in order to turn the test cases into a real running application.<br />
<br />
You can still download Benchmark version 1.1 by cloning the release marked with the GIT tag '1.1'.<br />
<br />
The test case areas and quantities for the Benchmark releases are:<br />
<br />
{| class="wikitable nowraplinks"<br />
|-<br />
! Vulnerability Area<br />
! # of Tests in v1.1<br />
! # of Tests in v1.2<br />
! CWE Number<br />
|-<br />
| [[Command Injection]]<br />
| 2708<br />
| 251<br />
| [https://cwe.mitre.org/data/definitions/78.html 78]<br />
|-<br />
| Weak Cryptography<br />
| 1440<br />
| 246<br />
| [https://cwe.mitre.org/data/definitions/327.html 327]<br />
|-<br />
| Weak Hashing<br />
| 1421<br />
| 236<br />
| [https://cwe.mitre.org/data/definitions/328.html 328]<br />
|-<br />
| [[LDAP injection | LDAP Injection]]<br />
| 736<br />
| 59<br />
| [https://cwe.mitre.org/data/definitions/90.html 90]<br />
|-<br />
| [[Path Traversal]]<br />
| 2630<br />
| 268<br />
| [https://cwe.mitre.org/data/definitions/22.html 22]<br />
|-<br />
| Secure Cookie Flag<br />
| 416<br />
| 67<br />
| [https://cwe.mitre.org/data/definitions/614.html 614]<br />
|-<br />
| [[SQL Injection]]<br />
| 3529<br />
| 504<br />
| [https://cwe.mitre.org/data/definitions/89.html 89]<br />
|-<br />
| [[Trust Boundary Violation]]<br />
| 725<br />
| 126<br />
| [https://cwe.mitre.org/data/definitions/501.html 501]<br />
|-<br />
| Weak Randomness<br />
| 3640<br />
| 493<br />
| [https://cwe.mitre.org/data/definitions/330.html 330]<br />
|-<br />
| [[XPATH Injection]]<br />
| 347<br />
| 35<br />
| [https://cwe.mitre.org/data/definitions/643.html 643]<br />
|-<br />
| [[XSS]] (Cross-Site Scripting)<br />
| 3449<br />
| 455<br />
| [https://cwe.mitre.org/data/definitions/79.html 79]<br />
|-<br />
| Total Test Cases<br />
| 21,041<br />
| 2,740<br />
|}<br />
<br />
Each Benchmark version comes with a spreadsheet that lists every test case, the vulnerability category, the CWE number, and the expected result (true finding/false positive). Look for the file: expectedresults-VERSION#.csv in the project root directory.<br />
<br />
Every test case is:<br />
* a servlet or JSP (currently they are all servlets, but we plan to add JSPs)<br />
* either a true vulnerability or a false positive for a single issue<br />
<br />
The Benchmark is intended to help determine how well analysis tools correctly analyze a broad array of application and framework behavior, including:<br />
<br />
* HTTP request and response problems<br />
* Simple and complex data flow<br />
* Simple and complex control flow<br />
* Popular frameworks<br />
* Inversion of control<br />
* Reflection<br />
* Class loading<br />
* Annotations<br />
* Popular UI technologies (particularly JavaScript frameworks)<br />
<br />
Not all of these are yet tested by the Benchmark but future enhancements intend to provide more coverage of these issues.<br />
<br />
Additional future enhancements could cover:<br />
* All vulnerability types in the [[Top10 | OWASP Top 10]]<br />
* Does the tool find flaws in libraries?<br />
* Does the tool find flaws spanning custom code and libraries?<br />
* Does tool handle web services? REST, XML, GWT, etc…<br />
* Does tool work with different app servers? Java platforms?<br />
<br />
== Example Test Case ==<br />
<br />
Each test case is a simple Java EE servlet. BenchmarkTest00001 in version 1.0 of the Benchmark was an LDAP Injection test with the following metadata in the accompanying BenchmarkTest00001.xml file:<br />
<br />
<test-metadata><br />
<category>ldapi</category><br />
<test-number>00001</test-number><br />
<vulnerability>true</vulnerability><br />
<cwe>90</cwe><br />
</test-metadata><br />
<br />
BenchmarkTest00001.java in the OWASP Benchmark 1.0 simply reads in all the cookie values, looks for a cookie named "foo", and uses the value of this cookie when performing an LDAP query. Here's the code for BenchmarkTest00001.java:<br />
<br />
package org.owasp.benchmark.testcode;<br />
<br />
import java.io.IOException;<br />
<br />
import javax.servlet.ServletException;<br />
import javax.servlet.annotation.WebServlet;<br />
import javax.servlet.http.HttpServlet;<br />
import javax.servlet.http.HttpServletRequest;<br />
import javax.servlet.http.HttpServletResponse;<br />
<br />
@WebServlet("/BenchmarkTest00001")<br />
public class BenchmarkTest00001 extends HttpServlet {<br />
<br />
private static final long serialVersionUID = 1L;<br />
<br />
@Override<br />
public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {<br />
doPost(request, response);<br />
}<br />
<br />
@Override<br />
public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {<br />
// some code<br />
<br />
javax.servlet.http.Cookie[] cookies = request.getCookies();<br />
<br />
String param = null;<br />
boolean foundit = false;<br />
if (cookies != null) {<br />
for (javax.servlet.http.Cookie cookie : cookies) {<br />
if (cookie.getName().equals("foo")) {<br />
param = cookie.getValue();<br />
foundit = true;<br />
}<br />
}<br />
if (!foundit) {<br />
// no cookie found in collection<br />
param = "";<br />
}<br />
} else {<br />
// no cookies<br />
param = "";<br />
}<br />
<br />
try {<br />
javax.naming.directory.DirContext dc = org.owasp.benchmark.helpers.Utils.getDirContext();<br />
Object[] filterArgs = {"a","b"};<br />
dc.search("name", param, filterArgs, new javax.naming.directory.SearchControls());<br />
} catch (javax.naming.NamingException e) {<br />
throw new ServletException(e);<br />
}<br />
}<br />
}<br />
<br />
= Test Case Details =<br />
<br />
The following describes situations in the Benchmark that have come up for debate as to the validity/accuracy of the test cases in these scenarios. <br />
<br />
== Cookies as a Source of Attack for XSS ==<br />
<br />
Benchmark v1.1 and early versions of the 1.2beta included test cases that used cookies as a source of data that flowed into XSS vulnerabilities. The Benchmark treated these tests as False Positives because the Benchmark team figured that you'd have to use an XSS vulnerability in the first place to set the cookie value, and so it wasn't fair/reasonable to consider an XSS vulnerability whose data source was a cookie value as actually exploitable. However, we got feedback from some tool vendors, like Fortify, Burp, and Arachni, that they disagreed with this analysis and felt that, in fact, cookies were a valid source of attack against XSS vulnerabilities. Given that there are good arguments on both sides of this safe vs. unsafe question, we decided on Aug 25, 2015 to simply remove those test cases from the Benchmark. If, in the future, we decide who is right, we may add such test cases back in.<br />
<br />
== Headers as a Source of Attack for XSS ==<br />
<br />
Similarly, the Benchmark team believes that the names of headers aren't a valid source of XSS attack for the same reason we thought cookie values aren't a valid source. Because it would require an XSS vulnerability to be exploited in the first place to set them. In fact, we feel that this argument is much stronger for header names, than cookie values. Right now, the Benchmark doesn't include any header names as sources for XSS test cases, but we plan to add them, and mark them as false positive in the Benchmark.<br />
<br />
We do have header values as sources for some XSS test cases in the Benchmark and only 'referer' is treated as a valid XSS source (i.e., true positives) because other headers are not viable XSS sources. Other headers are, of course, valid sources for other attack vectors, like SQL injection or Command Injection.<br />
<br />
== False Positive Scenario: Static Values Passed to Unsafe (Weak) Sinks ==<br />
<br />
The Benchmark has MANY test cases where unsafe data flows in from the browser, but that data is replaced with static content as it goes through the propagators in the that specific test case. This static (safe) data then flows to the sink, which may be a weak/unsafe sink, like, for example, an unsafely constructed SQL statement. The Benchmark treats those test cases as false positives because there is absolutely no way for that weakness to be exploited. The NSA Juliet SAST benchmark treats such test cases exactly the same way, as false positives. We do recognize that there are weaknesses in those test cases, even though they aren't exploitable.<br />
<br />
Some SAST tool vendors feel it is appropriate to point out those weaknesses, and that's fine. However, if the tool points those weaknesses out, and does not distinguish them from truly exploitable vulnerabilities, then the Benchmark treats those findings as false positives. If the tool allows a user to differentiate these non-exploitable weaknesses from exploitable vulnerabilities, then the Benchmark scorecard generator can use that information to filter out these extra findings (along with any other similarly marked findings) so they don't count against that tool when calculating that tool's Benchmark score. In the real world, its important for analysts to be able to filter out such findings if they only have time to deal with the most critical, actually exploitable, vulnerabilities. If a tool doesn't make it easy for an analyst to distinguish the two situations, then they are providing a disservice to the analyst.<br />
<br />
This issue doesn't affect DAST tools. They only report what appears to be exploitable to them. So this has no affect on them.<br />
<br />
If you are a SAST tool vendor or user, and you believe the Benchmark scorecard generator is counting such findings against that tool, and there is a way to tell them apart, please let the project team know so the scorecard generator can be adjusted to not count those findings against the tool. The Benchmark project's goal is the generate the most fair and accurate results it can generate. If such an adjustment is made to how a scorecard is generated for that tool, we plan to document this was done for that tool, and explain how others could perform the same filtering within that tool in order to get the same focused set of results.<br />
<br />
== Dead Code ==<br />
<br />
Some SAST tools point out weaknesses in dead code because they might eventually end up being used, and serve as bad coding examples (think cut/paste of code). We think this is fine/appropriate. However, there is no dead code in the OWASP Benchmark (at least not intentionally). So dead code should not be causing any tool to report unnecessary false positives.<br />
<br />
= Tool Support/Results =<br />
<br />
The results for 5 free tools, PMD, FindBugs, FindBugs with the FindSecBugs plugin, SonarQube and OWASP ZAP are available here against version 1.2 of the Benchmark: https://rawgit.com/OWASP/Benchmark/master/scorecard/OWASP_Benchmark_Home.html. We've included multiple versions of FindSecBugs' and ZAP's results so you can see the improvements they are making finding vulnerabilities in Benchmark.<br />
<br />
We have Benchmark results for all the following tools, but haven't publicly released the results for any commercial tools. However, we included a 'Commercial Average' page, which includes a summary of results for 6 commercial SAST tools along with anonymous versions of each SAST tool's scorecard.<br />
<br />
The Benchmark can generate results for the following tools: <br />
<br />
'''Free Static Application Security Testing (SAST) Tools:'''<br />
<br />
* [https://pmd.github.io/ PMD] (which really has no security rules) - .xml results file<br />
* [http://findbugs.sourceforge.net/ FindBugs] - .xml results file (Note: FindBugs hasn't been updated since 2015. Use SpotBugs instead (see below))<br />
* [https://www.sonarqube.org/downloads/ SonarQube] - .xml results file<br />
* [https://spotbugs.github.io/ SpotBugs] - .xml results file. This is the successor to FindBugs.<br />
* SpotBugs with the [http://find-sec-bugs.github.io/ FindSecurityBugs plugin] - .xml results file<br />
<br />
Note: We looked into supporting [http://checkstyle.sourceforge.net/ Checkstyle] but it has no security rules, just like PMD. The [http://fb-contrib.sourceforge.net/ fb-contrib] FindBugs plugin doesn't have any security rules either. We did test [http://errorprone.info/ Error Prone], and found that it does report some use of [http://errorprone.info/bugpattern/InsecureCipherMode) insecure ciphers (CWE-327)], but that's it.<br />
<br />
'''Commercial SAST Tools:'''<br />
<br />
* [https://www.castsoftware.com/products/application-intelligence-platform CAST Application Intelligence Platform (AIP)] - .xml results file<br />
* [https://www.checkmarx.com/products/static-application-security-testing/ Checkmarx CxSAST] - .xml results file<br />
* [https://www.ibm.com/us-en/marketplace/ibm-appscan-source IBM AppScan Source (Standalone and Cloud)] - .ozasmt or .xml results file<br />
* [https://juliasoft.com/solutions/julia-for-security/ Julia Analyzer] - .xml results file<br />
* [https://www.kiuwan.com/code-security-sast/ Kiuwan Code Security] - .threadfix results file<br />
* [https://software.microfocus.com/en-us/products/static-code-analysis-sast/overview Micro Focus (Formally HPE) Fortify (On-Demand and stand-alone versions)] - .fpr results file<br />
* [https://www.parasoft.com/products/jtest/ Parasoft Jtest] - .xml results file<br />
* [https://semmle.com/lgtm Semmle LGTM] - .sarif results file<br />
* [https://www.shiftleft.io/product/ ShiftLeft SAST] - .sl results file (Benchmark specific format. Ask vendor how to generate this)<br />
* [https://snappycodeaudit.com/category/static-code-analysis Snappycode Audit's SnappyTick Source Edition (SAST)] - .xml results file<br />
* [https://www.sourcemeter.com/features/ SourceMeter] - .txt results file of ALL results from VulnerabilityHunter<br />
* [https://www.synopsys.com/content/dam/synopsys/sig-assets/datasheets/SAST-Coverity-datasheet.pdf Synopsys Static Analysis (Formerly Coverity Code Advisor) (On-Demand and stand-alone versions)] - .json results file (You can scan Benchmark w/Coverity for free. See: https://scan.coverity.com/)<br />
* [https://www.defensecode.com/thunderscan.php Thunderscan SAST] - .xml results file<br />
* [https://www.veracode.com/products/binary-static-analysis-sast Veracode SAST] - .xml results file<br />
* [https://www.rigs-it.com/xanitizer/ XANITIZER] - xml results file ([https://www.rigs-it.com/wp-content/uploads/2018/03/howtosetupxanitizerforowaspbenchmarkproject.pdf Their white paper on how to setup Xanitizer to scan Benchmark.]) (Free trial available)<br />
<br />
We are looking for results for other commercial static analysis tools like: [https://www.grammatech.com/products/codesonar Grammatech CodeSonar], [https://www.roguewave.com/products-services/klocwork RogueWave's Klocwork], etc. If you have a license for any static analysis tool not already listed above and can run it on the Benchmark and send us the results file that would be very helpful. <br />
<br />
The free SAST tools come bundled with the Benchmark so you can run them yourselves. If you have a license for any commercial SAST tool, you can also run them against the Benchmark. Just put your results files in the /results folder of the project, and then run the BenchmarkScore script for your platform (.sh / .bat) and it will generate a scorecard in the /scorecard directory for all the tools you have results for that are currently supported.<br />
<br />
'''Free Dynamic Application Security Testing (DAST) Tools:'''<br />
<br />
Note: While we support scorecard generators for these Free and Commercial DAST tools, we haven't been able to get a full/clean run against the Benchmark from most of these tools. As such, some of these scorecard generators might still need some work to properly reflect their results. If you notice any problems, let us know.<br />
<br />
* [http://www.arachni-scanner.com/ Arachni] - .xml results file<br />
** To generate .xml, run: ./bin/arachni_reporter "Your_AFR_Results_Filename.afr" --reporter=xml:outfile=Benchmark1.2-Arachni.xml<br />
* [https://www.owasp.org/index.php/ZAP OWASP ZAP] - .xml results file. To generate a complete ZAP XML results file so you can generate a valid scorecard, make sure you:<br />
** Tools > Options > Alerts - And set the Max alert instances to like 500.<br />
** Then: Report > Generate XML Report...<br />
<br />
'''Commercial DAST Tools:'''<br />
<br />
* [https://www.acunetix.com/vulnerability-scanner/ Acunetix Web Vulnerability Scanner (WVS)] - .xml results file (Generated using [https://www.acunetix.com/resources/wvs7manual.pdf command line interface (see Chapter 10.)] /ExportXML switch)<br />
* [https://portswigger.net/burp Burp Pro] - .xml results file<br />
* [https://www.ibm.com/us-en/marketplace/appscan-standard IBM AppScan] - .xml results file<br />
* [https://software.microfocus.com/en-us/products/webinspect-dynamic-analysis-dast/overview Micro Focus (Formally HPE) WebInspect] - .xml results file<br />
* [https://www.netsparker.com/web-vulnerability-scanner/ Netsparker] - .xml results file<br />
* [https://www.qualys.com/apps/web-app-scanning/ Qualys Web App Scanner] - .xml results file<br />
* [https://www.rapid7.com/products/appspider/ Rapid7 AppSpider] - .xml results file<br />
<br />
If you have access to other DAST Tools, PLEASE RUN THEM FOR US against the Benchmark, and send us the results file so we can build a scorecard generator for that tool.<br />
<br />
'''Commercial Interactive Application Security Testing (IAST) Tools:'''<br />
<br />
* [https://www.contrastsecurity.com/interactive-application-security-testing-iast Contrast Assess] - .zip results file (You can scan Benchmark w/Contrast for free. See: https://www.contrastsecurity.com/contrast-community-edition)<br />
* [https://hdivsecurity.com/interactive-application-security-testing-iast Hdiv Detection (IAST)] - .hlg results file<br />
* [https://www.synopsys.com/software-integrity/security-testing/interactive-application-security-testing.html Seeker IAST] - .csv results file<br />
<br />
'''Commercial Hybrid Analysis Application Security Testing Tools:'''<br />
<br />
* [http://www.iappsecure.com/products.html Fusion Lite Insight] - .xml results file<br />
<br />
<br />
'''WARNING: If you generate results for a commercial tool, be careful who you distribute it to. Each tool has its own license defining when any results it produces can be released/made public. It may be against the terms of a commercial tool's license to publicly release that tool's score against the OWASP Benchmark. The OWASP Benchmark project takes no responsibility if someone else releases such results.'''<br />
<br />
The project has automated test harnesses for these vulnerability detection tools, so we can repeatably run the tools against each version of the Benchmark and automatically produce scorecards in our desired format.<br />
<br />
We want to test as many tools as possible against the Benchmark. If you are:<br />
<br />
* A tool vendor and want to participate in the project<br />
* Someone who wants to help score a free tool against the project<br />
* Someone who has a license to a commercial tool and the terms of the license allow you to publish tool results, and you want to participate<br />
<br />
please let [mailto:dave.wichers@owasp.org me] know!<br />
<br />
= Quick Start =<br />
<br />
==What is in the Benchmark?==<br />
The Benchmark is a Java Maven project. Its primary component is thousands of test cases (e.g., BenchmarkTest00001.java) , each of which is a single Java servlet that contains a single vulnerability (either a true positive or false positive). The vulnerabilities span about a dozen different types currently and are expected to expand significantly in the future.<br />
<br />
An expectedresults.csv is published with each version of the Benchmark (e.g., expectedresults-1.1.csv) and it specifically lists the expected results for each test case. Here’s what the first two rows in this file looks like for version 1.1 of the Benchmark:<br />
<br />
# test name category real vulnerability CWE Benchmark version: 1.1 2015-05-22<br />
BenchmarkTest00001 crypto TRUE 327<br />
<br />
This simply means that the first test case is a crypto test case (use of weak cryptographic algorithms), this is a real vulnerability (as opposed to a false positive), and this issue maps to CWE 327. It also indicates this expected results file is for Benchmark version 1.1 (produced May 22, 2015). There is a row in this file for each of the tens of thousands of test cases in the Benchmark. Each time a new version of the Benchmark is published, a new corresponding results file is generated and each test case can be completely different from one version to the next.<br />
<br />
The Benchmark also comes with a bunch of different utilities, commands, and prepackaged open source security analysis tools, all of which can be executed through Maven goals, including:<br />
<br />
* Open source vulnerability detection tools to be run against the Benchmark<br />
* A scorecard generator, which computes a scorecard for each of the tools you have results files for.<br />
<br />
==What Can You Do With the Benchmark?==<br />
* Compile all the software in the Benchmark project (e.g., mvn compile)<br />
* Run a static vulnerability analysis tool (SAST) against the Benchmark test case code<br />
<br />
* Scan a running version of the Benchmark with a dynamic application security testing tool (DAST)<br />
** Instructions on how to run it are provided below<br />
<br />
* Generate scorecards for each of the tools you have results files for<br />
** See the Tool Support/Results page for the list of tools the Benchmark supports generating scorecards for<br />
<br />
==Getting Started==<br />
Before downloading or using the Benchmark make sure you have the following installed and configured properly:<br />
<br />
GIT: http://git-scm.com/ or https://github.com/<br />
Maven: https://maven.apache.org/ (Version: 3.2.3 or newer works.)<br />
Java: http://www.oracle.com/technetwork/java/javase/downloads/index.html (Java 7 or 8) (64-bit)<br />
<br />
==Getting, Building, and Running the Benchmark==<br />
<br />
To download and build everything:<br />
<br />
$ git clone https://github.com/OWASP/benchmark <br />
$ cd benchmark<br />
$ mvn compile (This compiles it)<br />
$ runBenchmark.sh/.bat - This compiles and runs it.<br />
<br />
Then navigate to: https://localhost:8443/benchmark/ to go to its home page. It uses a self signed SSL certificate, so you'll get a security warning when you hit the home page.<br />
<br />
Note: We have set the Benchmark app to use up to 6 Gig of RAM, which it may need when it is fully scanned by a DAST scanner. The DAST tool probably also requires 3+ Gig of RAM. As such, we recommend having a 16 Gig machine if you are going to try to run a full DAST scan. And at least 4 or ideally 8 Gig if you are going to play around with the running Benchmark app.<br />
<br />
== Using a VM instead ==<br />
We have several preconstructed VMs or instructions on how to build one that you can use instead:<br />
<br />
* Docker: A Dockerfile is checked into the project [https://github.com/OWASP/Benchmark/blob/master/VMs/Dockerfile here]. This Docker file should automatically produce a Docker VM with the latest Benchmark project files. After you have Docker installed, cd to /VMs then run: <br />
./buildDockerImage.sh --> This builds the Docker Benchmark VM (This will take a WHILE)<br />
docker images --> You should see the new benchmark:latest image in the list provided<br />
# The Benchmark Docker Image only has to be created once. <br />
<br />
To run the Benchmark in your Docker VM, just run:<br />
./runDockerImage.sh --> This pulls in any updates to Benchmark since the Image was built, builds everything, and starts a remotely accessible Benchmark web app.<br />
If successful, you should see this at the end:<br />
[INFO] [talledLocalContainer] Tomcat 8.x started on port [8443]<br />
[INFO] Press Ctrl-C to stop the container...<br />
Then simply navigate to: https://localhost:8443/benchmark from the machine you are running Docker<br />
<br />
Or if you want to access from a different machine:<br />
docker-machine ls (in a different terminal) --> To get IP Docker VM is exporting (e.g., tcp://192.168.99.100:2376)<br />
Navigate to: https://192.168.99.100:8443/benchmark in your browser (using the above IP as an example)<br />
<br />
* Amazon Web Services (AWS) - Here's how you set up the Benchmark on an AWS VM:<br />
sudo yum install git<br />
sudo yum install maven<br />
sudo yum install mvn<br />
sudo wget http://repos.fedorapeople.org/repos/dchen/apache-maven/epel-apache-maven.repo -O /etc/yum.repos.d/epel-apache-maven.repo<br />
sudo sed -i s/\$releasever/6/g /etc/yum.repos.d/epel-apache-maven.repo<br />
sudo yum install -y apache-maven<br />
git clone https://github.com/OWASP/benchmark<br />
cd benchmark<br />
chmod 755 *.sh<br />
./runBenchmark.sh -- to run it locally on the VM.<br />
./runRemoteAccessibleBenchmark.sh -- to run it so it can be accessed outside the VM (on port 8443).<br />
<br />
==Running Free Static Analysis Tools Against the Benchmark==<br />
There are scripts for running each of the free SAST vulnerability detection tools included with the Benchmark against the Benchmark test cases. On Linux, you might have to make them executable (e.g., chmod 755 *.sh) before you can run them.<br />
<br />
Generating Test Results for PMD:<br />
<br />
$ ./scripts/runPMD.sh (Linux) or .\scripts\runPMD.bat (Windows)<br />
<br />
Generating Test Results for FindBugs:<br />
<br />
$ ./scripts/runFindBugs.sh (Linux) or .\scripts\runFindBugs.bat (Windows)<br />
<br />
Generating Test Results for FindBugs with the FindSecBugs plugin:<br />
<br />
$ ./scripts/runFindSecBugs.sh (Linux) or .\scripts\runFindSecBugs.bat (Windows)<br />
<br />
In each case, the script will generate a results file and put it in the /results directory. For example: <br />
<br />
Benchmark_1.2-findbugs-v3.0.1-1026.xml<br />
<br />
This results file name is carefully constructed to mean the following: It's a results file against the OWASP Benchmark version 1.2, FindBugs was the analysis tool, it was version 3.0.1 of FindBugs, and it took 1026 seconds to run the analysis.<br />
<br />
NOTE: If you create a results file yourself, by running a commercial tool for example, you can add the version # and the compute time to the filename just like this and the Benchmark Scorecard generator will pick this information up and include it in the generated scorecard. If you don't, depending on what metadata is included in the tool results, the Scorecard generator might do this automatically anyway.<br />
<br />
==Generating Scorecards==<br />
The scorecard generation application BenchmarkScore is included with the Benchmark. It parses the output files generated by any of the supported security tools run against the Benchmark and compares them against the expected results, and produces a set of web pages that detail the accuracy and speed of the tools involved. For the list of currently supported tools, check out the: Tools Support/Results tab. If you are using a tool that is not yet supported, simply send us a results file from that tool and we'll write a parser for that tool and add it to the supported tools list.<br />
<br />
The following command will compute a Benchmark scorecard for all the results files in the '''/results''' directory. The generated scorecard is put into the '''/scorecard''' directory.<br />
<br />
createScorecard.sh (Linux) or createScorecard.bat (Windows)<br />
<br />
An example of a real scorecard for some open source tools is provided at the top of the Tool Support/Results tab so you can see what one looks like.<br />
<br />
We recommend including the Benchmark version number in any results file name, in order to help prevent mismatches between the expected results and the actual results files. A tool will not score well against the wrong expected results.<br />
<br />
===Customizing Your Scorecard Generation===<br />
<br />
The createScorecard scripts are very simple. They only have one line. Here's what the 1.2 version looks like:<br />
<br />
mvn validate -Pbenchmarkscore -Dexec.args="expectedresults-1.2.csv results"<br />
<br />
This Maven command simply says to run the BenchmarkScore application, passing in two parameters. The 1st is the Benchmark expected results file to compare the tool results against. And the 2nd is the name of the directory that contains all the results from tools run against that version of the Benchmark. If you have tool results older than the current version of the Benchmark, like 1.1 results for example, then you would do something like this instead:<br />
<br />
mvn validate -Pbenchmarkscore -Dexec.args="expectedresults-1.1.csv 1.1_results"<br />
<br />
To keep things organized, we actually put the expected results file inside the same results folder for that version of the Benchmark, so our command looks like this:<br />
<br />
mvn validate -Pbenchmarkscore -Dexec.args="1.1_results/expectedresults-1.1.csv 1.1_results"<br />
<br />
In all cases, the generated scorecard is put in the /scorecard folder.<br />
<br />
'''WARNING: If you generate results for a commercial tool, be careful who you distribute it to. Each tool has its own license defining when any results it produces can be released/made public. It is likely to be against the terms of a commercial tool's license to publicly release that tool's score against the OWASP Benchmark. The OWASP Benchmark project takes no responsibility if someone else releases such results.''' It is for just this reason that the Benchmark project isn't releasing such results itself.<br />
<br />
= Tool Scanning Tips =<br />
<br />
People frequently have difficulty scanning the Benchmark with various tools due to many reasons, including size of the Benchmark app and its codebase, and complexity of the tools used. Here is some guidance for some of the tools we have used to scan the Benchmark. If you've learned any tricks on how to get better or easier results for a particular tool against the Benchmark, let us know or update this page directly.<br />
<br />
== Generic Tips ==<br />
<br />
Because of the size of the Benchmark, you may need to give your tool more memory before it starts the scan. If its a Java based tool, you may want to pass more memory to it like this:<br />
<br />
-Xmx4G (This gives the Java application 4 Gig of memory)<br />
<br />
== SAST Tools ==<br />
<br />
=== Checkmarx ===<br />
<br />
The Checkmarx SAST Tool (CxSAST) is ready to scan the OWASP Benchmark out-of-the-box. <br />
Please notice that the OWASP Benchmark “hides” some vulnerabilities in dead code areas, for example:<br />
<syntaxhighlight lang="java"><br />
if (0>1)<br />
{<br />
//vulnerable code<br />
}</syntaxhighlight><br />
By default, CxSAST will find these vulnerabilities since Checkmarx believes that including dead code in the scan results is a SAST best practice. <br />
<br />
Checkmarx's experience shows that security experts expect to find these types of code vulnerabilities, and demand that their developers fix them. However, OWASP Benchmark considers the flagging of these vulnerabilities as False Positives, as a result lowering Checkmarx's overall score. <br />
<br />
Therefore, in order to receive an OWASP score untainted by dead code, re-configure CxSAST as follows:<br />
# Open the CxAudit client for editing Java queries.<br />
# Override the "Find_Dead_Code" query.<br />
# Add the commented text of the original query to the new override query.<br />
# Save the queries.<br />
<br />
=== FindBugs ===<br />
<br />
We include this free tool in the Benchmark and its all dialed in. Simply run the script: ./script/runFindBugs.(sh or bat). If you want to run a different version of FindBugs, just change its version number in the Benchmark pom.xml file.<br />
<br />
=== FindBugs with FindSecBugs ===<br />
<br />
[http://h3xstream.github.io/find-sec-bugs/ FindSecurityBugs] is a great plugin for FindBugs that significantly increases the ability for FindBugs to find security issues. We include this free tool in the Benchmark and its all dialed in. Simply run the script: ./script/runFindSecBugs.(sh or bat). If you want to run a different version of FindSecBugs, just change the version number of the findsecbugs-plugin artifact in the Benchmark pom.xml file.<br />
<br />
=== Micro Focus (Formally HP) Fortify ===<br />
<br />
If you are using the Audit Workbench, you can give it more memory and make sure you invoke it in 64-bit mode by doing this:<br />
<br />
set AWB_VM_OPTS="-Xmx2G -XX:MaxPermSize=256m"<br />
export AWB_VM_OPTS="-Xmx2G -XX:MaxPermSize=256m"<br />
auditworkbench -64<br />
<br />
We found it was easier to use the Maven support in Fortify to scan the Benchmark and to do it in 2 phases, translate, and then scan. We did something like this:<br />
<br />
Translate Phase:<br />
export JAVA_HOME=$(/usr/libexec/java_home)<br />
export PATH=$PATH:/Applications/HP_Fortify/HP_Fortify_SCA_and_Apps_17.10/bin<br />
export SCA_VM_OPTS="-Xmx2G -version 1.7"<br />
mvn sca:clean<br />
mvn sca:translate<br />
<br />
Scan Phase:<br />
export JAVA_HOME=$(/usr/libexec/java_home)<br />
export PATH=$PATH:/Applications/HP_Fortify/HP_Fortify_SCA_and_Apps_4.10/bin<br />
export SCA_VM_OPTS="-Xmx10G -version 1.7"<br />
mvn sca:scan<br />
<br />
=== PMD ===<br />
<br />
We include this free tool in the Benchmark and its all dialed in. Simply run the script: ./script/runPMD.(sh or bat). If you want to run a different version of PMD, just change its version number in the Benchmark pom.xml file. (NOTE: PMD doesn't find any security issues. We include it because its interesting to know that it doesn't.)<br />
<br />
=== SonarQube ===<br />
<br />
We include this free tool in the Benchmark and its mostly dialed in. But its a bit tricky because SonarQube requires two parts. There is a stand alone scanner for Java. And then there is a web application that accepts the results, and in turn can then produce the results file required by the Benchmark scorecard generator for SonarQube. Running the script runSonarQube.(sh or bat) will generate the results, but if the SonarQube Web Application isn't running where the runSonarQube script expects it to be, then the script will fail.<br />
<br />
If you want to run a different version of SonarQube, just change its version number in the Benchmark pom.xml file.<br />
<br />
=== Xanitizer ===<br />
<br />
The vendor has written their own guide to [http://www.rigs-it.net/opendownloads/whitepapers/HowToSetUpXanitizerForOWASPBenchmarkProject.pdf How to Set Up Xanitizer for OWASP Benchmark].<br />
<br />
== DAST Tools ==<br />
<br />
=== Burp Pro ===<br />
<br />
You must use Burp Pro v1.6.29 or greater to scan the Benchmark due to a previous limitation in Burp Pro related to ensuring the path attribute for cookies was honored. This issue was fixed in the v1.6.29 release.<br />
<br />
To scan, first spider the entire Benchmark, and then select the /Benchmark URL and actively scan that branch. You can skip all the .html pages and any other pages that Burp says have no parameters.<br />
<br />
NOTE: We have been unable to simply run Burp Pro against the entire Benchmark in one shot. In our experience, it eventually freezes/stops scanning. We've had to run it against each test area one at a time. If you figure out how to get Burp Pro to scan all of Benchmark in one shot, let us know how you did it!<br />
<br />
=== OWASP ZAP ===<br />
<br />
ZAP may require additional memory to be able to scan the Benchmark. To configure the amount of memory:<br />
* Tools --> Options --> JVM: Recommend setting to: -Xmx2048m (or larger). (Then restart ZAP).<br />
<br />
To run ZAP against Benchmark:<br />
# Because Benchmark uses Cookies and Headers as sources of attack for many test cases: Tools --> Options --> Active Scan Input Vectors: Then check the HTTP Headers, All Requests, and Cookie Data checkboxes and hit OK<br />
# Click on Show All Tabs button (if spider tab isn't visible)<br />
# Go to Spider tab (the black spider) and click on New Scan button<br />
# Enter: https://localhost:8443/benchmark/ into the 'Starting Point' box and hit 'Start Scan'<br />
#* Do this again. For some reason it takes 2 passes with the Spider before it stops finding more Benchmark endpoints.<br />
# When Spider completes, click on 'benchmark' folder in Site Map, right click and select: 'Attack --> Active Scan'<br />
#* It will take several hours, like 3+ to complete (it's actually likely to simply freeze before completing the scan - see NOTE: below)<br />
<br />
For faster active scan you can<br />
* Disable the ZAP DB log (in ZAP 2.5.0+):<br />
** Disable it via Options / Database / Recover Log<br />
** Set it on the command line using "-config database.recoverylog=false"<br />
* Disable unnecessary plugins / Technologies: When you launch the Active Scan<br />
** On the Policy tab, disable all plugins except: XSS (Reflected), Path Traversal, SQLi, OS Command Injection<br />
** Go the Technology Tab, disable everything and only enable: MySQL, YOUR_OS, Tomcat<br />
** Note: This 2nd performance improvement step is a bit like cheating as you wouldn't do this for a normal site scan. You'd want to leave all this on in case these other plugins/technologies are helpful in finding more issues. So a fair performance comparison of ZAP to other tools would leave all this on.<br />
<br />
To generate the ZAP XML results file so you can generate its scorecard:<br />
* Tools > Options > Alerts - And set the Max alert instances to like 500.<br />
* Then: Report > Generate XML Report...<br />
<br />
NOTE: Similar to Burp, we can't simply run ZAP against the entire Benchmark in one shot. In our experience, it eventually freezes/stops scanning. We've had to run it against each test area one at a time. If you figure out how to get ZAP to scan all of Benchmark in one shot, let us know how you did it!<br />
<br />
Things we tried that didn't improve the score:<br />
* AJAX Spider - the traditional spider appears to find all (or 99%) of the test cases so the AJAX Spider does not appear to be needed against Benchmark v1.2<br />
* XSS (Persistent) - There are 3 of these plugins that run by default. There aren't any stored XSS in Benchmark, so you can disable these plugins for a faster scan.<br />
* DOM XSS Plugin - This is an optional plugin that didn't seem to find any additional XSS issues. There aren't an DOM specific XSS issues in Benchmark v1.2, so not surprising.<br />
<br />
== IAST Tools ==<br />
<br />
Interactive Application Security Testing (IAST) tools work differently than scanners. IAST tools monitor an application as it runs to identify application vulnerabilities using context from inside the running application. Typically these tools run continuously, immediately notifying users of vulnerabilities, but you can also get a full report of an entire application. To do this, we simply run the Benchmark application with an IAST agent and use a crawler to hit all the pages.<br />
<br />
=== Contrast Assess ===<br />
<br />
To use Contrast Assess, we simply add the Java agent to the Benchmark environment and run the BenchmarkCrawler. The entire process should only take a few minutes. We provided a few scripts, which simply add the -javaagent:contrast.jar flag to the Benchmark launch configuration. We have tested on MacOS, Ubuntu, and Windows. Be sure your VM has at least 4M of memory.<br />
<br />
* Ensure your environment has Java, Maven, and git installed, then build the Benchmark project<br />
'''$ git clone https://github.com/OWASP/Benchmark.git'''<br />
'''$ cd Benchmark'''<br />
'''$ mvn compile'''<br />
<br />
* Download a licensed copy of the Contrast Assess Java Agent (contrast.jar) from your Contrast TeamServer account and put it in the /Benchmark/tools/Contrast directory.<br />
'''$ cp ~/Downloads/contrast.jar tools/Contrast'''<br />
<br />
* In Terminal 1, launch the Benchmark application and wait until it starts<br />
'''$ cd tools/Contrast <br />
'''$ ./runBenchmark_wContrast.sh''' (.bat on Windows)<br />
'''[INFO] Scanning for projects...<br />
'''[INFO] <br />
'''[INFO] ------------------------------------------------------------------------<br />
'''[INFO] Building OWASP Benchmark Project 1.2<br />
'''[INFO] ------------------------------------------------------------------------<br />
'''[INFO] <br />
'''...<br />
'''[INFO] [talledLocalContainer] Tomcat 8.x started on port [8443]'''<br />
'''[INFO] Press Ctrl-C to stop the container...'''<br />
<br />
* In Terminal 2, launch the crawler and wait a minute or two for the crawl to complete.<br />
'''$ ./runCrawler.sh''' (.bat on Windows)<br />
<br />
* A Contrast report has been generated in /Benchmark/tools/Contrast/working/contrast.log. This report will be automatically copied (and renamed with version number) to /Benchmark/results directory.<br />
'''$ more tools/Contrast/working/contrast.log'''<br />
'''2016-04-22 12:29:29,716 [main b] INFO - Contrast Runtime Engine<br />
'''2016-04-22 12:29:29,717 [main b] INFO - Copyright (C) 2012<br />
'''2016-04-22 12:29:29,717 [main b] INFO - Pat. 8,458,789 B2<br />
'''2016-04-22 12:29:29,717 [main b] INFO - Contrast Security, Inc.<br />
'''2016-04-22 12:29:29,717 [main b] INFO - All Rights Reserved<br />
'''2016-04-22 12:29:29,717 [main b] INFO - https://www.contrastsecurity.com/<br />
'''...'''<br />
<br />
* Press Ctrl-C to stop the Benchmark in Terminal 1. Note: on Windows, select "N" when asked Terminate batch job (Y/N))<br />
'''[INFO] [talledLocalContainer] Tomcat 8.x is stopped'''<br />
'''Copying Contrast report to results directory'''<br />
<br />
* In Terminal 2, generate scorecards in /Benchmark/scorecard<br />
'''$ ./createScorecards.sh''' (.bat on Windows)<br />
'''Analyzing results from Benchmark_1.2-Contrast.log<br />
'''Actual results file generated: /Users/owasp/Projects/Benchmark/scorecard/Benchmark_v1.2_Scorecard_for_Contrast.csv<br />
'''Report written to: /Users/owasp/Projects/Benchmark/scorecard/Benchmark_v1.2_Scorecard_for_Contrast.html<br />
<br />
* Open the Benchmark Scorecard in your browser<br />
'''/Users/owasp/Projects/Benchmark/scorecard/Benchmark_v1.2_Scorecard_for_Contrast.html'''<br />
<br />
=== Hdiv Detection ===<br />
<br />
Hdiv has written their own instructions on how to run the detection component of their product on the Benchmark here: https://hdivsecurity.com/docs/features/benchmark/#how-to-run-hdiv-in-owasp-benchmark-project. You'll see that these instructions involve using the same crawler used to exercise all the test cases in the Benchmark, just like Contrast above.<br />
<br />
= RoadMap =<br />
<br />
Benchmark v1.0 - Released April 15, 2015 - This initial release included over 20,000 test cases in 11 different vulnerability categories. As this initial version was not a runnable application, it was only suitable for assessing static analysis tools (SAST).<br />
<br />
Benchmark v1.1 - Released May 23, 2015 - This update fixed some inaccurate test cases, and made sure that every vulnerability area included both True Positives and False Positives.<br />
<br />
Benchmark Scorecard Generator - Released July 10, 2015 - The ability to automatically and repeatably produce a scorecard of how well tools do against the Benchmark was released for most of the SAST tools supported by the Benchmark. Scorecards present graphical as well as statistical data on how well a tool does against the Benchmark down to the level of detail of how exactly it did against each individual test in the Benchmark. [https://rawgit.com/OWASP/Benchmark/master/scorecard/OWASP_Benchmark_Home.html Here are the latest public scorecards]. Support for producing scorecards for additional tools is being added all the time and the current full set is documented on the '''Tool Support/Results''' and '''Quick Start''' tabs of this wiki.<br />
<br />
Benchmark v1.2beta - Released Aug 15, 2015 - The 1st release of a fully runnable version of the Benchmark to support assessing all types of vulnerability detection and prevention technologies, including DAST, IAST, RASP, WAFs, etc. This involved creating a user interface for every test case, and enhancing each test case to make sure its actually exploitable, not just uses something that is theoretically weak. This release is under 3,000 test cases to make it practical to scan the entire Benchmark with a DAST tool in a reasonable amount of time, with commodity hardware specs.<br />
<br />
Benchmark 1.2 - Released June 5, 2016 - Based on feedback from a number of DAST tool developers, and other vendors as well, we made the Benchmark more realistic in a number of ways to facilitate external DAST scanning, and also made the Benchmark more resilient against attack so it could properly survive various DAST vulnerability detection and exploit verification techniques.<br />
<br />
Plans for Benchmark 1.3:<br />
<br />
While we don't have hard and fast rules of exactly what we are going to do next, enhancements in the following areas are planned for the next release:<br />
<br />
* Add new vulnerability categories (e.g., XXE, Hibernate Injection)<br />
* Add support for popular server side Java frameworks (e.g., Spring)<br />
* Add web services test cases<br />
<br />
We are also starting to work on the ability to score WAFs/RASPs and other defensive technology against Benchmark.<br />
<br />
= FAQ =<br />
<br />
==1. How are the scores computed for the Benchmark?==<br />
<br />
Each test case has a single vulnerability of a specific type. Its either a real vulnerability (True Positive) or not (a False Positive). We document all the test cases for each version of the Benchmark in the expectedresults-VERSION#.csv file (e.g., expectedresults-1.1.csv). This file lists the test case name, the CWE type of the vulnerability, and whether it is a True Positive or not. The Benchmark supports scorecard generators for computing exactly how a tool did when analyzing a version of the Benchmark. The full list of supported tools is on the Tools Support/Results tab. For each tool there is a parser that can parse the native results format for that tool (usually XML). This parser simply, for each test case, looks to see if that tool reported a vulnerability of the type expected in the test case source code file (for SAST) or the test case URL (for DAST/IAST). If it did, and the test case was a True Positive, the tool gets credit for finding it. If it is a False Positive test, and the tool reports that type of finding, then its recorded as a False Positive. If the tool didn't report that type of vulnerability for a test case, then they get either a False Negative, or a True Negative as appropriate. After calculating all of the individual test case results, a scorecard is generated providing a chart and statistics for that tool across all the vulnerability categories, and pages are also created comparing different tools to each other in each vulnerability category (if multiple tools are being scored together).<br />
<br />
A detailed file explaining exactly how that tool did against each individual test case in that version of the Benchmark is produced as part of scorecard generation, and is available via the Actual Results link on each tool's scorecard page. (e.g., Benchmark_v1.1_Scorecard_for_FindBugs.csv).<br />
<br />
==2. What if the tool I'm using doesn't have a scorecard generator for it?==<br />
<br />
Send us the results file! We'll be happy to create a parser for that tool so its now supported.<br />
<br />
==3. What if a tool finds other unexpected vulnerabilities?==<br />
<br />
We are sure there are vulnerabilities we didn't intend to be there and we are eliminating them as we find them. If you find some, let us know and we'll fix them too. We are primarily focused on unintentional vulnerabilities in the categories of vulnerabilities the Benchmark currently supports, since that is what is actually measured.<br />
<br />
Right now, two types of vulnerabilities that get reported are ignored by the scorecard generator:<br />
# Vulnerabilities in categories not yet supported<br />
# Vulnerabilities of a type that is supported, but reported in test cases not of that type<br />
<br />
In the case of #2, false positives reported in unexpected areas are also ignored, which is primarily a DAST problem. Right now those false positives are completely ignored, but we are thinking about including them in the false positive score in some fashion. We just haven't decided how yet.<br />
<br />
==4. How should I configure my tool to scan the Benchmark?==<br />
<br />
All tools support various levels of configuration in order to improve their results. The Benchmark project, in general, is trying to '''compare out of the box capabilities of tools'''. However, if a few simple tweaks to a tool can be done to improve that tool's score, that's fine. We'd like to understand what those simple tweaks are, and document them here, so others can repeat those tests in exactly the same way. For example, just turn on the 'test cookies and headers' flag, which is off by default. Or turn on the 'advanced' scan, so it will work harder, find more vulnerabilities. Its simple things like this we are talking about, not an extensive effort to teach the tool about the app, or perform 'expert' configuration of the tool.<br />
<br />
So, if you know of some simple tweaks to improve a tool's results, let us know what they are and we'll document them here so everyone can benefit and make it easier to do apples to apples comparisons. And we'll link to that guidance once we start documenting it, but we don't have any such guidance right now.<br />
<br />
==5. I'm having difficulty scanning the Benchmark with a DAST tool. How can I get it to work?==<br />
<br />
We've run into 2 primary issues giving DAST tools problems.<br />
<br />
a) The Benchmark Generates Lots of Cookies<br />
<br />
The Burp team pointed out a cookies bug in the 1.2beta Benchmark. Each Weak Randomness test case generates its own cookie, 1 per test case. This caused the creation of so many cookies that servers would eventually start returning 400 errors because there were simply too many cookies being submitted in a request. This was fixed in the Aug 27, 2015 update to the Benchmark by setting the path attribute for each of these cookies to be the path to that individual test case. Now, only at most one of these cookies should be submitted with each request, eliminating this 'too many cookies' problem. However, if a DAST tool doesn't honor this path attribute, it may continue to send too many cookies, making the Benchmark unscannable for that tool. Burp Pro prior to 1.6.29 had this issue, but it was fixed in the 1.6.29 release.<br />
<br />
b) The Benchmark is a BIG Application<br />
<br />
Yes. It is, so you might have to give your scanner more memory than it normally uses by default in order to successfully scan the entire Benchmark. Please consult your tool vendor's documentation on how to give it more memory.<br />
<br />
Your machine itself might not have enough memory in the first place. For example, we were not able to successfully scan the 1.2beta with OWASP ZAP with only 8 Gig of RAM. So, you might need a more powerful machine or use a cloud provided machine to successfully scan the Benchmark with certain DAST tools. You may have similar problems with SAST tools against large versions of the Benchmark, like the 1.1 release.<br />
<br />
= Acknowledgements =<br />
<br />
The following people, organizations, and many others, have contributed to this project and their contributions are much appreciated!<br />
<br />
* Lots of Vendors - Many vendors have provided us with either trial licenses we can use, or they have run their tools themselves and either sent us results files, or written and contributed scorecard generators for their tool. Many have also provided valuable feedback so we can make the Benchmark more accurate and more realistic.<br />
* Juan Gama - Development of initial release and continued support<br />
* Ken Prole - Assistance with automated scorecard development using CodeDx<br />
* Nick Sanidas - Development of initial release<br />
* Denim Group - Contribution of scan results to facilitate scorecard development<br />
* Tasos Laskos - Significant feedback on the DAST version of the Benchmark<br />
* Ann Campbell - From SonarSource - for fixing our SonarQube results parser<br />
* Dhiraj Mishra - OWASP Member - contributed SQLi/XSS fuzz vectors as initial contribution towards adding support for WAF/RASP scoring<br />
<br />
[[File:CWE_Logo.jpeg|link=https://cwe.mitre.org/]] - The CWE project for providing a mapping mechanism to easily map test cases to issues found by vulnerability detection tools.<br />
<br />
We are looking for volunteers. Please contact [mailto:dave.wichers@owasp.org Dave Wichers] if you are interested in contributing new test cases, tool results run against the benchmark, or anything else.<br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project]]</div>Wichershttps://wiki.owasp.org/index.php?title=Free_for_Open_Source_Application_Security_Tools&diff=255697Free for Open Source Application Security Tools2019-10-24T15:41:47Z<p>Wichers: /* IAST Tools */</p>
<hr />
<div>__NOTOC__<br />
== Introduction ==<br />
OWASP's mission is to help the world improve the security of its software. One of the best ways OWASP can do that is to help Open Source developers improve the software they are producing that everyone else relies on. As such, the following lists of '''automated vulnerability detection tools''' that are '''free for open source''' projects have been gathered together here to raise awareness of their availability.<br />
<br />
We would encourage open source projects to use the following types of tools to improve the security and quality of their code:<br />
* Static Application Security Testing ([[SAST]]) Tools <br />
* Dynamic Application Security Testing ([[DAST]]) Tools - (Primarily for web apps)<br />
* Interactive Application Security Testing (IAST) Tools - (Primarily for web apps and web APIs)<br />
* Keeping Open Source libraries up-to-date (to avoid [[Top 10-2017 A9-Using Components with Known Vulnerabilities|Using Components with Known Vulnerabilities (OWASP Top 10-2017 A9)]])<br />
* Static Code Quality Tools<br />
<br />
<br> '''Disclaimer:''' <b>OWASP does not endorse any of the Vendors or Scanning Tools by listing them below. They are simply listed if we believe they are free for use by open source projects. We have made every effort to provide this information as accurately as possible. If you are the vendor of a free for open source tool and think this information is incomplete or incorrect, please send an e-mail to dave.wichers (at) owasp.org and we will make every effort to correct this information.</b><br />
<br />
== Free for Open Source Tools ==<br />
Tools that are free for open source projects in each of the above categories are listed below.<br />
<br />
=== SAST Tools ===<br />
OWASP already maintains a page of known SAST tools: [[Source Code Analysis Tools]], which includes a list of those that are "Open Source or Free Tools Of This Type". Any such tools could certainly be used. One such cloud service that looks promising is:<br />
* [https://lgtm.com/help/lgtm/about-lgtm LGTM.com] - A free for open source static analysis service that automatically monitors commits to publicly accessible code in: Bitbucket Cloud, GitHub, or GitLab. Supports C/C++, C#, COBOL (in beta), Go (in beta), Java, JavaScript/TypeScript, Python<br />
In addition, we are aware of the following commercial SAST tools that are free for Open Source projects:<br />
* [https://scan.coverity.com/ Coverity Scan Static Analysis] - Can be lashed into Travis-CI so it's done automatically with online resources. Supports over a dozen programming languages as documented here in the section [https://www.synopsys.com/software-integrity/security-testing/static-analysis-sast.html Comprehensive support for these programming languages and frameworks].<br />
* [https://www.reshiftsecurity.com reshift] - A CI/CD tool that uses static code analysis to scan for vulnerabilities and uses machine learning to give a prediction on false positives. Supports Java with future support for NodeJS and JavaScript planned for sometime in 2019. If you go to the Pricing section on this page, it says it is free for public repositories.<br />
<br />
=== DAST Tools ===<br />
If your project has a web application component, we recommend running automated scans against it to look for vulnerabilities. OWASP maintains a page of known DAST Tools: [[:Category:Vulnerability Scanning Tools|Vulnerability Scanning Tools]], and the '''Licence''' column on this page indicates which of those tools have free capabilities. Our primary recommendation is to use one of these:<br />
* [[OWASP Zed Attack Proxy Project|OWASP ZAP]] - A full featured free and open source DAST tool that includes both automated scanning for vulnerabilities and tools to assist expert manual web app pen testing.<br />
** The ZAP team has also been working hard to make it easier to integrate ZAP into your CI/CD pipeline. (e.g., here's a [https://www.we45.com/blog/how-to-integrate-zap-into-jenkins-ci-pipeline-we45-blog blog post on how to integrate ZAP with Jenkins]).<br />
* [http://www.arachni-scanner.com/ Arachni] - Arachni is a commercially supported scanner, but its free for most use cases, including scanning open source projects.<br />
We are not aware of any other commercial grade tools that offer their full featured DAST product free for open source projects.<br />
<br />
=== IAST Tools ===<br />
IAST tools are typically geared to analyze Web Applications and Web APIs, but that is vendor specific. There may be IAST products that can perform good security analysis on non-web applications as well.<br />
<br />
We are aware of only one IAST Tool that is free after registration at this time:<br />
* [https://www.contrastsecurity.com/contrast-community-edition Contrast Community Edition (CE)] - Fully featured version for 1 app and up to 5 users (some Enterprise features disabled). Contrast CE supports Java and .NET only.<br />
<br />
=== Open Source Software (OSS) Security Tools ===<br />
OSS refers to the open source libraries or components that application developers leverage to quickly develop new applications and add features to existing apps. Gartner refers to the analysis of the security of these components as software composition analysis (SCA). So OSS Analysis and SCA are the same thing.<br />
<br />
OWASP recommends that all software projects generally try to keep the libraries they use as up-to-date as possible to reduce the likelihood of [[Top 10-2017 A9-Using Components with Known Vulnerabilities|Using Components with Known Vulnerabilities (OWASP Top 10-2017 A9)]]. There are two recommended approaches for this:<br />
<br />
==== Keeping Your Libraries Updated ====<br />
Using the latest version of each library is recommended because security issues are frequently fixed 'silently' by the component maintainer. By silently, we mean without publishing a [https://cve.mitre.org/ CVE] for the security fix.<br />
* [https://www.mojohaus.org/versions-maven-plugin/ Maven Versions plugin]<br />
** For Maven projects, can be used to generate a report of all dependencies used and when upgrades are available for them. Either a direct report, or part of the overall project documentation using: mvn site.<br />
* Dependabot - https://dependabot.com/<br />
** A GitHub only service that creates pull requests to keep your dependencies up-to-date. It automatically generates a pull request for each dependency you can upgrade, which you can then ignore, or accept, as you like. It supports tons of languages.<br />
** Recommended for all open source projects maintained on GitHub!<br />
<br />
==== Detecting Known Vulnerable Components ====<br />
As an alternative, or in addition to, trying to keep all your components up-to-date, a project can specifically monitor whether any of the components they use have known vulnerable components.<br />
<br />
Free tools of this type:<br />
* OWASP has its own free open source tool [[OWASP Dependency Check]] that is free for anyone to use.<br />
* GitHub: Security alerts for vulnerable dependencies - https://help.github.com/articles/about-security-alerts-for-vulnerable-dependencies/<br />
** A native GitHub feature that reports known vulnerable dependencies in your GitHub projects. Supports: Java, .NET, JavaScript, Ruby, and Python. Your GitHub projects are automatically signed up for this service.<br />
Commercial tools of this type that are free for open source:<br />
* Contrast Community Edition (CE) (mentioned earlier) also has both Known Vulnerable Component detection and Available Updates reporting for OSS. CE supports Java only.<br />
* Snyk - https://www.snyk.io - Supports Node.js, Ruby, Java, Python, Scala, Golang, .NET, PHP - Latest list here: https://snyk.io/docs<br />
** A Commercial tool that identifies vulnerable components and integrates with numerous CI/CD pipelines. It is free for open source: https://snyk.io/plans<br />
** If you don't want to grant Snyk write access to your repo (see it can auto-create pull requests) you can use the Command Line Interface (CLI) instead. See: https://snyk.io/docs/using-snyk. If you do this and want it to be free, you have to configure Snyk so it know its open source: https://support.snyk.io/snyk-cli/how-can-i-set-a-snyk-cli-project-as-open-source<br />
*** Another benefit of using the Snyk CLI is that it won't auto create Pull requests for you (which makes these 'issues' more public than you might prefer)<br />
** They also provide detailed information and remediation guidance for known vulnerabilities here: https://snyk.io/vuln<br />
* SourceClear - https://www.sourceclear.com/ - Supports: Java, Ruby, JavaScript, Python, Objective C, GO, PHP<br />
** They have a free trial right from their [https://www.sourceclear.com/ home page]. When the 30 day trial expires, it converts into a free "Personal Account" per: "Upgrade at any time to get the features that matter most to you, or choose the Personal plan when your trial ends." Personal Account described here: https://www.sourceclear.com/pricing/<br />
** They also make their component vulnerability data (for publicly known vulns) free to search: https://www.sourceclear.com/vulnerability-database/search#_ (Very useful when trying to research a particular library)<br />
* WhiteSource Bolt - Supports 200+ programming languages. https://www.whitesourcesoftware.com/<br />
** Azure version: https://marketplace.visualstudio.com/items?itemName=whitesource.ws-bolt<br />
** GitHub version: https://github.com/apps/whitesource-bolt-for-github Available starting in Nov. 2018.<br />
<br />
=== Code Quality tools ===<br />
Quality has a significant correlation to security. As such, we recommend open source projects also consider using good code quality tools. A few that we are aware of are:<br />
* SpotBugs (https://github.com/spotbugs/spotbugs) - Open source code quality tool for Java<br />
** This is the active fork for FindBugs, so if you use Findbugs, you should switch to this.<br />
** SpotBugs users should add the FindSecBugs plugin (http://find-sec-bugs.github.io/) to their SpotBugs setup, as it significantly improves on the very basic security checking native to SpotBugs.<br />
<br />
* SonarQube (https://www.sonarqube.org/)<br />
** This is a commercially supported, very popular, free (and commercial) code quality tool. It includes most if not all the FindSecBugs security rules plus lots more for quality, including a free, internet online CI setup to run it against your open source projects. SonarQube supports numerous languages: https://www.sonarqube.org/features/multi-languages/<br />
<br />
Please let us know if you are aware of any other high quality application security tools that are free for open source (or simply add them to this page). We are particularly interested in identifying and listing commercial tools that are free for open source, as they tend to be better and easier to use than open source (free) tools. If you are aware of any missing from this list, please add them, or let us know (dave.wichers (at) owasp.org) and we'll confirm they are free, and add them for you. Please encourage your favorite commercial tool vendor to make their tool free for open source projects as well!!<br />
<br />
Finally, please forward this page to the open source projects you rely on and encourage them to use these free tools!</div>Wichershttps://wiki.owasp.org/index.php?title=Free_for_Open_Source_Application_Security_Tools&diff=255696Free for Open Source Application Security Tools2019-10-24T15:40:42Z<p>Wichers: /* Free for Open Source Tools */</p>
<hr />
<div>__NOTOC__<br />
== Introduction ==<br />
OWASP's mission is to help the world improve the security of its software. One of the best ways OWASP can do that is to help Open Source developers improve the software they are producing that everyone else relies on. As such, the following lists of '''automated vulnerability detection tools''' that are '''free for open source''' projects have been gathered together here to raise awareness of their availability.<br />
<br />
We would encourage open source projects to use the following types of tools to improve the security and quality of their code:<br />
* Static Application Security Testing ([[SAST]]) Tools <br />
* Dynamic Application Security Testing ([[DAST]]) Tools - (Primarily for web apps)<br />
* Interactive Application Security Testing (IAST) Tools - (Primarily for web apps and web APIs)<br />
* Keeping Open Source libraries up-to-date (to avoid [[Top 10-2017 A9-Using Components with Known Vulnerabilities|Using Components with Known Vulnerabilities (OWASP Top 10-2017 A9)]])<br />
* Static Code Quality Tools<br />
<br />
<br> '''Disclaimer:''' <b>OWASP does not endorse any of the Vendors or Scanning Tools by listing them below. They are simply listed if we believe they are free for use by open source projects. We have made every effort to provide this information as accurately as possible. If you are the vendor of a free for open source tool and think this information is incomplete or incorrect, please send an e-mail to dave.wichers (at) owasp.org and we will make every effort to correct this information.</b><br />
<br />
== Free for Open Source Tools ==<br />
Tools that are free for open source projects in each of the above categories are listed below.<br />
<br />
=== SAST Tools ===<br />
OWASP already maintains a page of known SAST tools: [[Source Code Analysis Tools]], which includes a list of those that are "Open Source or Free Tools Of This Type". Any such tools could certainly be used. One such cloud service that looks promising is:<br />
* [https://lgtm.com/help/lgtm/about-lgtm LGTM.com] - A free for open source static analysis service that automatically monitors commits to publicly accessible code in: Bitbucket Cloud, GitHub, or GitLab. Supports C/C++, C#, COBOL (in beta), Go (in beta), Java, JavaScript/TypeScript, Python<br />
In addition, we are aware of the following commercial SAST tools that are free for Open Source projects:<br />
* [https://scan.coverity.com/ Coverity Scan Static Analysis] - Can be lashed into Travis-CI so it's done automatically with online resources. Supports over a dozen programming languages as documented here in the section [https://www.synopsys.com/software-integrity/security-testing/static-analysis-sast.html Comprehensive support for these programming languages and frameworks].<br />
* [https://www.reshiftsecurity.com reshift] - A CI/CD tool that uses static code analysis to scan for vulnerabilities and uses machine learning to give a prediction on false positives. Supports Java with future support for NodeJS and JavaScript planned for sometime in 2019. If you go to the Pricing section on this page, it says it is free for public repositories.<br />
<br />
=== DAST Tools ===<br />
If your project has a web application component, we recommend running automated scans against it to look for vulnerabilities. OWASP maintains a page of known DAST Tools: [[:Category:Vulnerability Scanning Tools|Vulnerability Scanning Tools]], and the '''Licence''' column on this page indicates which of those tools have free capabilities. Our primary recommendation is to use one of these:<br />
* [[OWASP Zed Attack Proxy Project|OWASP ZAP]] - A full featured free and open source DAST tool that includes both automated scanning for vulnerabilities and tools to assist expert manual web app pen testing.<br />
** The ZAP team has also been working hard to make it easier to integrate ZAP into your CI/CD pipeline. (e.g., here's a [https://www.we45.com/blog/how-to-integrate-zap-into-jenkins-ci-pipeline-we45-blog blog post on how to integrate ZAP with Jenkins]).<br />
* [http://www.arachni-scanner.com/ Arachni] - Arachni is a commercially supported scanner, but its free for most use cases, including scanning open source projects.<br />
We are not aware of any other commercial grade tools that offer their full featured DAST product free for open source projects.<br />
<br />
=== IAST Tools ===<br />
IAST tools are typically geared to analyze Web Applications and Web APIs, but that is vendor specific. There may be IAST products that can perform good security analysis on non-web applications as well.<br />
<br />
We are aware of only one IAST Tool that is free after registration at this time:<br />
* [https://www.contrastsecurity.com/contrast-community-edition Contrast Community Edition (CE)] - Fully featured version for 1 app and up to 5 users (some Enterprise features disabled). Contrast CE supports Java only.<br />
<br />
=== Open Source Software (OSS) Security Tools ===<br />
OSS refers to the open source libraries or components that application developers leverage to quickly develop new applications and add features to existing apps. Gartner refers to the analysis of the security of these components as software composition analysis (SCA). So OSS Analysis and SCA are the same thing.<br />
<br />
OWASP recommends that all software projects generally try to keep the libraries they use as up-to-date as possible to reduce the likelihood of [[Top 10-2017 A9-Using Components with Known Vulnerabilities|Using Components with Known Vulnerabilities (OWASP Top 10-2017 A9)]]. There are two recommended approaches for this:<br />
<br />
==== Keeping Your Libraries Updated ====<br />
Using the latest version of each library is recommended because security issues are frequently fixed 'silently' by the component maintainer. By silently, we mean without publishing a [https://cve.mitre.org/ CVE] for the security fix.<br />
* [https://www.mojohaus.org/versions-maven-plugin/ Maven Versions plugin]<br />
** For Maven projects, can be used to generate a report of all dependencies used and when upgrades are available for them. Either a direct report, or part of the overall project documentation using: mvn site.<br />
* Dependabot - https://dependabot.com/<br />
** A GitHub only service that creates pull requests to keep your dependencies up-to-date. It automatically generates a pull request for each dependency you can upgrade, which you can then ignore, or accept, as you like. It supports tons of languages.<br />
** Recommended for all open source projects maintained on GitHub!<br />
<br />
==== Detecting Known Vulnerable Components ====<br />
As an alternative, or in addition to, trying to keep all your components up-to-date, a project can specifically monitor whether any of the components they use have known vulnerable components.<br />
<br />
Free tools of this type:<br />
* OWASP has its own free open source tool [[OWASP Dependency Check]] that is free for anyone to use.<br />
* GitHub: Security alerts for vulnerable dependencies - https://help.github.com/articles/about-security-alerts-for-vulnerable-dependencies/<br />
** A native GitHub feature that reports known vulnerable dependencies in your GitHub projects. Supports: Java, .NET, JavaScript, Ruby, and Python. Your GitHub projects are automatically signed up for this service.<br />
Commercial tools of this type that are free for open source:<br />
* Contrast Community Edition (CE) (mentioned earlier) also has both Known Vulnerable Component detection and Available Updates reporting for OSS. CE supports Java only.<br />
* Snyk - https://www.snyk.io - Supports Node.js, Ruby, Java, Python, Scala, Golang, .NET, PHP - Latest list here: https://snyk.io/docs<br />
** A Commercial tool that identifies vulnerable components and integrates with numerous CI/CD pipelines. It is free for open source: https://snyk.io/plans<br />
** If you don't want to grant Snyk write access to your repo (see it can auto-create pull requests) you can use the Command Line Interface (CLI) instead. See: https://snyk.io/docs/using-snyk. If you do this and want it to be free, you have to configure Snyk so it know its open source: https://support.snyk.io/snyk-cli/how-can-i-set-a-snyk-cli-project-as-open-source<br />
*** Another benefit of using the Snyk CLI is that it won't auto create Pull requests for you (which makes these 'issues' more public than you might prefer)<br />
** They also provide detailed information and remediation guidance for known vulnerabilities here: https://snyk.io/vuln<br />
* SourceClear - https://www.sourceclear.com/ - Supports: Java, Ruby, JavaScript, Python, Objective C, GO, PHP<br />
** They have a free trial right from their [https://www.sourceclear.com/ home page]. When the 30 day trial expires, it converts into a free "Personal Account" per: "Upgrade at any time to get the features that matter most to you, or choose the Personal plan when your trial ends." Personal Account described here: https://www.sourceclear.com/pricing/<br />
** They also make their component vulnerability data (for publicly known vulns) free to search: https://www.sourceclear.com/vulnerability-database/search#_ (Very useful when trying to research a particular library)<br />
* WhiteSource Bolt - Supports 200+ programming languages. https://www.whitesourcesoftware.com/<br />
** Azure version: https://marketplace.visualstudio.com/items?itemName=whitesource.ws-bolt<br />
** GitHub version: https://github.com/apps/whitesource-bolt-for-github Available starting in Nov. 2018.<br />
<br />
=== Code Quality tools ===<br />
Quality has a significant correlation to security. As such, we recommend open source projects also consider using good code quality tools. A few that we are aware of are:<br />
* SpotBugs (https://github.com/spotbugs/spotbugs) - Open source code quality tool for Java<br />
** This is the active fork for FindBugs, so if you use Findbugs, you should switch to this.<br />
** SpotBugs users should add the FindSecBugs plugin (http://find-sec-bugs.github.io/) to their SpotBugs setup, as it significantly improves on the very basic security checking native to SpotBugs.<br />
<br />
* SonarQube (https://www.sonarqube.org/)<br />
** This is a commercially supported, very popular, free (and commercial) code quality tool. It includes most if not all the FindSecBugs security rules plus lots more for quality, including a free, internet online CI setup to run it against your open source projects. SonarQube supports numerous languages: https://www.sonarqube.org/features/multi-languages/<br />
<br />
Please let us know if you are aware of any other high quality application security tools that are free for open source (or simply add them to this page). We are particularly interested in identifying and listing commercial tools that are free for open source, as they tend to be better and easier to use than open source (free) tools. If you are aware of any missing from this list, please add them, or let us know (dave.wichers (at) owasp.org) and we'll confirm they are free, and add them for you. Please encourage your favorite commercial tool vendor to make their tool free for open source projects as well!!<br />
<br />
Finally, please forward this page to the open source projects you rely on and encourage them to use these free tools!</div>Wichershttps://wiki.owasp.org/index.php?title=Source_Code_Analysis_Tools&diff=255695Source Code Analysis Tools2019-10-24T15:38:23Z<p>Wichers: /* Open Source or Free Tools Of This Type */</p>
<hr />
<div>[[Static_Code_Analysis | Source code analysis]] tools, also referred to as Static Application Security Testing (SAST) Tools, are designed to analyze source code and/or compiled versions of code to help find security flaws. <br />
<br />
Some tools are starting to move into the IDE. For the types of problems that can be detected during the software development phase itself, this is a powerful phase within the development life cycle to employ such tools, as it provides immediate feedback to the developer on issues they might be introducing into the code during code development itself. This immediate feedback is very useful, especially when compared to finding vulnerabilities much later in the development cycle.<br />
<br />
== Strengths and Weaknesses ==<br />
<br />
=== Strengths ===<br />
<br />
* Scales well -- can be run on lots of software, and can be run repeatedly (as with nightly builds or continuous integration)<br />
* Useful for things that such tools can automatically find with high confidence, such as buffer overflows, SQL Injection Flaws, and so forth<br />
* Output is good for developers -- highlights the precise source files, line numbers, and even subsections of lines that are affected<br />
<br />
=== Weaknesses ===<br />
<br />
* Many types of security vulnerabilities are difficult to find automatically, such as authentication problems, access control issues, insecure use of cryptography, etc. The current state of the art only allows such tools to automatically find a relatively small percentage of application security flaws. However, tools of this type are getting better.<br />
* High numbers of false positives.<br />
* Frequently can't find configuration issues, since they are not represented in the code.<br />
* Difficult to 'prove' that an identified security issue is an actual vulnerability.<br />
* Many of these tools have difficulty analyzing code that can't be compiled. Analysts frequently can't compile code because they don't have the right libraries, all the compilation instructions, all the code, etc.<br />
<br />
==Important Selection Criteria==<br />
<br />
* Requirement: Must support your programming language, but not usually a key factor once it does.<br />
* Types of vulnerabilities it can detect (out of the [[OWASP Top Ten]]?) (plus more?)<br />
* How accurate is it? False Positive/False Negative rates?<br />
** Does the tool have an OWASP [[Benchmark]] score?<br />
* Does it understand the libraries/frameworks you use?<br />
* Does it require a fully buildable set of source?<br />
* Can it run against binaries instead of source?<br />
* Can it be integrated into the developer's IDE?<br />
* How hard is it to setup/use?<br />
* Can it be run continuously and automatically?<br />
* License cost for the tool. (Some are sold per user, per org, per app, per line of code analyzed. Consulting licenses are frequently different than end user licenses.)<br />
<br />
==OWASP Tools Of This Type==<br />
<br />
* [[OWASP SonarQube Project]]<br />
* [http://www.owasp.org/index.php/Category:OWASP_Orizon_Project OWASP Orizon Project]<br />
* [[OWASP_LAPSE_Project | OWASP LAPSE Project]]<br />
* [[OWASP O2 Platform]]<br />
* [[OWASP WAP-Web Application Protection]]<br />
<br />
==Disclaimer==<br />
<br />
Disclaimer: <b>The tools listed in the tables below are presented in alphabetical order. <i>OWASP does not endorse any of the vendors or tools by listing them in the table below.</i> We have made every effort to provide this information as accurately as possible. If you are the vendor of a tool below and think that this information is incomplete or incorrect, please send an e-mail to our mailing list and we will make every effort to correct this information.</b><br />
<br />
==Open Source or Free Tools Of This Type==<br />
<br />
* [https://wiki.openstack.org/wiki/Security/Projects/Bandit Bandit] - bandit is a comprehensive source vulnerability scanner for Python<br />
* [http://brakemanscanner.org/ Brakeman] - Brakeman is an open source vulnerability scanner specifically designed for Ruby on Rails applications<br />
* [http://rubygems.org/gems/codesake-dawn Codesake Dawn] - Codesake Dawn is an open source security source code analyzer designed for Sinatra, Padrino for Ruby on Rails applications. It also works on non-web applications written in Ruby<br />
* [https://discotek.ca/deepdive.xhtml Deep Dive] - Byte code analysis tool for discovering vulnerabilities in Java deployments (Ear, War, Jar).<br />
* [http://findbugs.sourceforge.net/ FindBugs] - (Legacy - NOT Maintained - Use SpotBugs (see below) instead) - Find bugs (including a few security flaws) in Java programs<br />
* [https://find-sec-bugs.github.io/ FindSecBugs] - A security specific plugin for SpotBugs that significantly improves SpotBugs's ability to find security vulnerabilities in Java programs. Works with the old FindBugs too,<br />
* [http://www.dwheeler.com/flawfinder/ Flawfinder] Flawfinder - Scans C and C++<br />
* [https://github.com/golangci/golangci-lint GolangCI-Lint] - A Go Linters aggregator - One of the Linters is [https://github.com/securego/gosec gosec (Go Security)], which is off by default but can easily be enabled.<br />
* [https://www.bishopfox.com/resources/tools/google-hacking-diggity/attack-tools/ Google CodeSearchDiggity] - Uses Google Code Search to identifies vulnerabilities in open source code projects hosted by Google Code, MS CodePlex, SourceForge, Github, and more. The tool comes with over 130 default searches that identify SQL injection, cross-site scripting (XSS), insecure remote and local file includes, hard-coded passwords, and much more. ''Essentially, Google CodeSearchDiggity provides a source code security analysis of nearly every single open source code project in existence – simultaneously.''<br />
* [https://github.com/wireghoul/graudit/ Graudit] - Scans multiple languages for various security flaws.<br />
* [https://lgtm.com/help/lgtm/about-lgtm LGTM] - A free for open source static analysis service that automatically monitors commits to publicly accessible code in: Bitbucket Cloud, GitHub, or GitLab. Supports C/C++, C#, COBOL (in beta), Java, JavaScript/TypeScript, Python<br />
* [https://dotnet-security-guard.github.io/ .NET Security Guard] - Roslyn analyzers that aim to help security audits on .NET applications. It will find SQL injections, LDAP injections, XXE, cryptography weakness, XSS and more.<br />
* [https://github.com/FloeDesignTechnologies/phpcs-security-audit phpcs-security-audit] - phpcs-security-audit is a set of PHP_CodeSniffer rules that finds flaws or weaknesses related to security in PHP and its popular CMS or frameworks. It currently has core PHP rules as well as Drupal 7 specific rules.<br />
* [http://pmd.sourceforge.net/ PMD] - PMD scans Java source code and looks for potential code problems (this is a code quality tool that does not focus on security issues)<br />
* [http://msdn.microsoft.com/en-us/library/ms933794.aspx PreFast] (Microsoft) - PREfast is a static analysis tool that identifies defects in C/C++ programs. Last update 2006.<br />
* [https://github.com/designsecurity/progpilot Progpilot] - Progpilot is a static analyzer tool for PHP that detects security vulnerabilities such as XSS and SQL Injection.<br />
* [https://pumascan.com/ Puma Scan] - Puma Scan is a .NET C# open source static source code analyzer that runs as an IDE plugin for Visual Studio and via MSBuild in CI pipelines.<br />
* [https://pyre-check.org/ Pyre] - A performant type-checker for Python 3, that also has [https://pyre-check.org/docs/static-analysis.html limited security/data flow analysis] capabilities.<br />
* [http://rips-scanner.sourceforge.net/ RIPS] - RIPS Open Source is a static source code analyzer for vulnerabilities in PHP web applications. Please see notes on the sourceforge.net site.<br />
* [https://discotek.ca/sinktank.xhtml Sink Tank] - Byte code static code analyzer for performing source/sink (taint) analysis.<br />
* [http://www.sonarqube.org/ SonarQube] - Scans source code for more than 20 languages for Bugs, Vulnerabilities, and Code Smells. SonarQube IDE plugins for Eclipse, Visual Studio, and IntelliJ provided by [http://www.sonarlint.org/ SonarLint].<br />
* [https://spotbugs.github.io/ SpotBugs] - This is the active fork replacement for FindBugs, which is not maintained anymore.<br />
* [http://sourceforge.net/projects/visualcodegrepp/ VisualCodeGrepper (VCG)] - Scans C/C++, C#, VB, PHP, Java, and PL/SQL for security issues and for comments which may indicate defective code. The config files can be used to carry out additional checks for banned functions or functions which commonly cause security issues.<br />
<br />
[https://docs.gitlab.com/ee/user/application_security/sast/index.html#supported-languages-and-frameworks GitLab has lashed a free SAST tool for a bunch of different languages natively into GitLab. So you might be able to use that, or at least identify a free SAST tool for the language you need from that list].<br />
<br />
An even broader list of free static analysis tools (not just for security) for lots of different languages is here called: [https://endler.dev/awesome-static-analysis/ Awesome Static Analysis]<br />
<br />
==Commercial Tools Of This Type==<br />
* [https://www.ptsecurity.com/ww-en/products/ai/ Application Inspector] (Positive Technologies) - combines SAST, DAST, IAST, SCA, configuration analysis and other technologies, incl. unique abstract interpretation; has capability to generate test queries (exploits) to verify detected vulnerabilities during SAST analysis; Supported languages include: Java, C#, PHP, JavaScript, Objective C, VB.Net, PL/SQL, T-SQL, and others. <br />
* [https://www.ibm.com/us-en/marketplace/application-security-on-cloud Application Security on Cloud] (IBM) - Provides SAST, DAST and mobile security testing as well as OpenSource library known vulnerability detection as a cloud service. <br />
* [https://www.ibm.com/us-en/marketplace/ibm-appscan-source AppScan Source] (IBM)<br />
* [https://www.blueclosure.com BlueClosure BC Detect] (BlueClosure) - Analyzes client-side JavaScript.<br />
* [https://bugscout.io/en/ bugScout] (Nalbatech, Formally Buguroo)<br />
* [https://www.castsoftware.com/products/application-intelligence-platform CAST AIP] (CAST) Performs static and architectural analysis to identify numerous types of security issues. Supports over 30 languages. [https://www.castsoftware.com/solutions/application-security/cwe#SupportedSecurityStandards AIP's security specific coverage is here].<br />
* [https://www.codacy.com/ Codacy] Offers security patterns for languages such as Python, Ruby, Scala, Java, JavaScript and more. Integrates with tools such as Brakeman, Bandit, FindBugs, and others. (free for open source projects)<br />
* [https://www.grammatech.com/products/codesonar CodeSonar] tool that supports C, C++, Java and C# and maps against the OWASP top 10 vulnerabilities.<br />
* [https://www.contrastsecurity.com/interactive-application-security-testing-iast Contrast Assess] (Contrast Security) - Contrast performs code security without actually doing static analysis. Contrast does Interactive Application Security Testing (IAST), correlating runtime code & data analysis. It provides code level results without actually relying on static analysis.<br />
* [http://www.coverity.com/products/code-advisor/ Coverity Code Advisor] (Synopsys)<br />
* [https://www.checkmarx.com/technology/static-code-analysis-sca/ CxSAST] (Checkmarx)<br />
* [https://www.microfocus.com/en-us/products/static-code-analysis-sast Fortify] (Micro Focus, Formally HP)<br />
* [https://hdivsecurity.com/interactive-application-security-testing-iast Hdiv Detection] (Hdiv Security) - Hdiv performs code security without actually doing static analysis. Hdiv does Interactive Application Security Testing (IAST), correlating runtime code & data analysis. It provides code-level results without actually relying on static analysis.<br />
* [http://www.juliasoft.com/solutions Julia] (JuliaSoft) - SaaS Java static analysis<br />
* [http://www.klocwork.com/capabilities/static-code-analysis KlocWork] (KlocWork)<br />
* [https://www.kiuwan.com/code-analysis/ Kiuwan] (an [http://www.optimyth.com Optimyth] company) - SaaS Software Quality & Security Analysis<br />
* [http://www.parasoft.com/jsp/capabilities/static_analysis.jsp?itemId=547 Parasoft Test] (Parasoft)<br />
* [https://pitss.com/products/pitss-con/ PITSS.CON] (PITTS)<br />
* [https://www.ptsecurity.com/ww-en/products/ai/ PT Application Inspector] combines SAST, DAST, IAST, SCA, configuration analysis and other technologies, incl. unique abstract interpretation for high accuracy rate with minimum false positives; has a unique capability to generate special test queries (exploits) to verify detected vulnerabilities during SAST analysis; integrates with CI/CD, VCS, etc. PT AI helps to easily understand, verify, and fix flaws; has a simple UI; is highly automated and easy to use. Supported languages are Java, C#, PHP, JavaScript, Objective C, VB.Net, PL/SQL, T-SQL, and others.<br />
* [https://pumascanpro.com/ Puma Scan Professional] - A .NET C# static source code analyzer that runs as a Visual Studio IDE extension, Azure DevOps extension, and Command Line (CLI) executable.<br />
* [http://www.viva64.com/en/ PVS-Studio] (PVS-Studio) - For C/C++, C#<br />
* [https://www.reshiftsecurity.com reshift] - A CI/CD tool that uses static code analysis to scan for vulnerabilities and uses machine learning to give a prediction on false positives. Supports Java with future support for NodeJS and JavaScript planned for sometime in 2019.<br />
* [https://www.ripstech.com/ RIPS Code Analysis] (RIPS Technologies) - A SAST solution specialized for Java and PHP that detects unknown security vulnerabilities and code quality issues.<br />
* [https://www.synopsys.com/software-integrity/resources/datasheets/secureassist.html SecureAssist] (Synopsys) - Scans code for insecure coding and configurations automatically as an IDE plugin for Eclipse, IntelliJ, and Visual Studio etc. Supports (Java, .NET, PHP, and JavaScript)<br />
* [https://www.whitehatsec.com/products/static-application-security-testing/ Sentinel Source] (Whitehat)<br />
* [https://www.synopsys.com/software-integrity/products/interactive-application-security-testing.html Seeker] (Synopsys) Seeker performs code security without actually doing static analysis. Seeker does Interactive Application Security Testing (IAST), correlating runtime code & data analysis with simulated attacks. It provides code level results without actually relying on static analysis.<br />
* [http://www.sourcepatrol.co.uk/ Source Patrol] (Pentest)<br />
* [https://www.defensecode.com/thunderscan.php Thunderscan SAST] (DefenseCode)<br />
* [http://www.veracode.com/products/binary-static-analysis-sast Veracode Static Analysis] (Veracode)<br />
* [http://www.xanitizer.net Xanitizer] - Scans Java and Scala for security vulnerabilities, mainly via taint analysis. Free for academic and open source projects (see [https://www.rigs-it.com/xanitizer-pricing/]).<br />
<br />
==More info==<br />
<br />
* [[Appendix_A:_Testing_Tools | Appendix A: Testing Tools]]<br />
* [http://samate.nist.gov/index.php/Source_Code_Security_Analyzers.html NIST's list of Source Code Security Analysis Tools]<br />
* [[:Category:Vulnerability_Scanning_Tools | DAST Tools]] - Similar info on Dynamic Application Security Testing (DAST) Tools<br />
* [[Free for Open Source Application Security Tools]] - This page lists the Commercial Source Code Analysis Tools (SAST) we know of that are free for Open Source<br />
<br />
[[Category:OWASP .NET Project]]<br />
[[Category:SAMM-CR-2]]<br />
__NOTOC__</div>Wichershttps://wiki.owasp.org/index.php?title=Benchmark&diff=254840Benchmark2019-09-22T22:18:46Z<p>Wichers: Add Semmle LGTM Scorecard Generation Support to Tools tab</p>
<hr />
<div>= Main = <br />
<div style="width:100%;height:100px;border:0,margin:0;overflow: hidden;">[[File:Lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== OWASP Benchmark Project ==<br />
The OWASP Benchmark for Security Automation (OWASP Benchmark) is a free and open test suite designed to evaluate the speed, coverage, and accuracy of automated software vulnerability detection tools and services (henceforth simply referred to as 'tools'). Without the ability to measure these tools, it is difficult to understand their strengths and weaknesses, and compare them to each other. Each version of the OWASP Benchmark contains thousands of test cases that are fully runnable and exploitable, each of which maps to the appropriate CWE number for that vulnerability.<br />
<br />
You can use the OWASP Benchmark with [[Source_Code_Analysis_Tools | Static Application Security Testing (SAST)]] tools, [[:Category:Vulnerability_Scanning_Tools | Dynamic Application Security Testing (DAST)]] tools like OWASP [[ZAP]] and Interactive Application Security Testing (IAST) tools. Benchmark is implemented in Java. Future versions may expand to include other languages.<br />
<br />
==Benchmark Project Scoring Philosophy==<br />
<br />
Security tools (SAST, DAST, and IAST) are amazing when they find a complex vulnerability in your code. But with widespread misunderstanding of the specific vulnerabilities automated tools cover, end users are often left with a false sense of security.<br />
<br />
We are on a quest to measure just how good these tools are at discovering and properly diagnosing security problems in applications. We rely on the [http://en.wikipedia.org/wiki/Receiver_operating_characteristic long history] of military and medical evaluation of detection technology as a foundation for our research. Therefore, the test suite tests both real and fake vulnerabilities.<br />
<br />
There are four possible test outcomes in the Benchmark:<br />
<br />
# Tool correctly identifies a real vulnerability (True Positive - TP)<br />
# Tool fails to identify a real vulnerability (False Negative - FN)<br />
# Tool correctly ignores a false alarm (True Negative - TN)<br />
# Tool fails to ignore a false alarm (False Positive - FP)<br />
<br />
We can learn a lot about a tool from these four metrics. Consider a tool that simply flags every line of code as vulnerable. This tool will perfectly identify all vulnerabilities! But it will also have 100% false positives and thus adds no value. Similarly, consider a tool that reports absolutely nothing. This tool will have zero false positives, but will also identify zero real vulnerabilities and is also worthless. You can even imagine a tool that flips a coin to decide whether to report whether each test case contains a vulnerability. The result would be 50% true positives and 50% false positives. We need a way to distinguish valuable security tools from these trivial ones.<br />
<br />
If you imagine the line that connects all these points, from 0,0 to 100,100 establishes a line that roughly translates to "random guessing." The ultimate measure of a security tool is how much better it can do than this line. The diagram below shows how we will evaluate security tools against the Benchmark.<br />
<br />
[[File:Wbe guide.png]]<br />
<br />
A point plotted on this chart provides a visual indication of how well a tool did considering both the True Positives the tool reported, as well as the False Positives it reported. We also want to compute an individual score for that point in the range 0 - 100, which we call the Benchmark Accuracy Score.<br />
<br />
The Benchmark Accuracy Score is essentially a [https://en.wikipedia.org/wiki/Youden%27s_J_statistic Youden Index], which is a standard way of summarizing the accuracy of a set of tests. Youden's index is one of the oldest measures for diagnostic accuracy. It is also a global measure of a test performance, used for the evaluation of overall discriminative power of a diagnostic procedure and for comparison of this test with other tests. Youden's index is calculated by deducting 1 from the sum of a test’s sensitivity and specificity expressed not as percentage but as a part of a whole number: (sensitivity + specificity) – 1. For a test with poor diagnostic accuracy, Youden's index equals 0, and in a perfect test Youden's index equals 1.<br />
<br />
So for example, if a tool has a True Positive Rate (TPR) of .98 (i.e., 98%) <br />
and False Positive Rate (FPR) of .05 (i.e., 5%)<br />
Sensitivity = TPR (.98)<br />
Specificity = 1-FPR (.95)<br />
So the Youden Index is (.98+.95) - 1 = .93<br />
<br />
And this would equate to a Benchmark score of 93 (since we normalize this to the range 0 - 100)<br />
<br />
On the graph, the Benchmark Score is the length of the line from the point down to the diagonal “guessing” line. Note that a Benchmark score can actually be negative if the point is below the line. This is caused when the False Positive Rate is actually higher than the True Positive Rate.<br />
<br />
==Benchmark Validity==<br />
<br />
The Benchmark tests are not exactly like real applications. The tests are derived from coding patterns observed in real applications, but the majority of them are considerably '''simpler''' than real applications. That is, most real world applications will be considerably harder to successfully analyze than the OWASP Benchmark Test Suite. Although the tests are based on real code, it is possible that some tests may have coding patterns that don't occur frequently in real code.<br />
<br />
Remember, we are trying to test the capabilities of the tools and make them explicit, so that users can make informed decisions about what tools to use, how to use them, and what results to expect. This is exactly aligned with the OWASP mission to make application security visible.<br />
<br />
==Generating Benchmark Scores==<br />
<br />
Anyone can use this Benchmark to evaluate vulnerability detection tools. The basic steps are:<br />
# Download the Benchmark from GitHub<br />
# Run your tools against the Benchmark<br />
# Run the BenchmarkScore tool on the reports from your tools<br />
<br />
That's it!<br />
<br />
Full details on how to do this are at the bottom of the page on the Quick_Start tab.<br />
<br />
We encourage both vendors, open source tools, and end users to verify their application security tools against the Benchmark. In order to ensure that the results are fair and useful, we ask that you follow a few simple rules when publishing results. We won't recognize any results that aren't easily reproducible:<br />
<br />
# A description of the default “out-of-the-box” installation, version numbers, etc…<br />
# Any and all configuration, tailoring, onboarding, etc… performed to make the tool run<br />
# Any and all changes to default security rules, tests, or checks used to achieve the results<br />
# Easily reproducible steps to run the tool<br />
<br />
== Reporting Format==<br />
<br />
The Benchmark includes tools to interpret raw tool output, compare it to the expected results, and generate summary charts and graphs. We use the following table format in order to capture all the information generated during the evaluation.<br />
<br />
{| class="wikitable nowraplinks"<br />
|-<br />
! style="background:#DDDDDD" | Security Category<br />
! TP<br />
! FN<br />
! TN<br />
! FP<br />
! style="background:#DDDDDD" | Total<br />
! TPR<br />
! FPR<br />
! style="background:#DDDDDD" | Score<br />
|-<br />
! style="background:#DDDDDD" valign="top" width="11%"| General security category for test cases.<br />
| valign="top" width="11%"| '''True Positives''': Tests with real vulnerabilities that were correctly reported as vulnerable by the tool.<br />
| valign="top" width="11%"| '''False Negative''': Tests with real vulnerabilities that were not correctly reported as vulnerable by the tool.<br />
| valign="top" width="11%"| '''True Negative''': Tests with fake vulnerabilities that were correctly not reported as vulnerable by the tool.<br />
| valign="top" width="11%"| '''False Positive''':Tests with fake vulnerabilities that were incorrectly reported as vulnerable by the tool.<br />
| style="background:#DDDDDD" valign="top" width="11%"| Total test cases for this category.<br />
| valign="top" width="11%"| '''True Positive Rate''': TP / ( TP + FN ) - Also referred to as Precision, as defined at [https://en.wikipedia.org/wiki/Precision_and_recall Wikipedia].<br />
| valign="top" width="11%"| '''False Positive Rate''': FP / ( FP + TN ).<br />
| style="background:#DDDDDD" valign="top" width="11%"| Normalized distance from the “guess line” TPR - FPR.<br />
|-<br />
! style="background:#DDDDDD" | Command Injection<br />
| ...<br />
| ...<br />
| ...<br />
| ...<br />
| style="background:#DDDDDD" | ...<br />
| ...<br />
| ...<br />
| style="background:#DDDDDD" | ...<br />
|-<br />
! style="background:#DDDDDD" | Etc...<br />
| ...<br />
| ...<br />
| ...<br />
| ...<br />
| style="background:#DDDDDD" | ...<br />
| ...<br />
| ...<br />
| style="background:#DDDDDD" | ...<br />
|-<br />
! style="background:#DDDDDD" | <br />
! Total TP<br />
! Total FN<br />
! Total TN<br />
! Total FP<br />
! style="background:#DDDDDD" | Total TC<br />
! Average TPR<br />
! Average FPR<br />
! style="background:#DDDDDD" | Average Score<br />
|}<br />
<br />
==Code Repo and Build/Run Instructions ==<br />
<br />
See the '''Getting Started''' and '''Getting, Building, and Running the Benchmark''' sections on the Quick Start tab.<br />
<br />
==Licensing==<br />
<br />
The OWASP Benchmark is free to use under the [http://choosealicense.com/licenses/gpl-2.0/ GNU General Public License v2.0].<br />
<br />
== Mailing List ==<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp-benchmark-project OWASP Benchmark Mailing List]<br />
<br />
== Project Leaders ==<br />
<br />
[https://www.owasp.org/index.php/User:Wichers Dave Wichers] [mailto:dave.wichers@owasp.org @]<br />
<br />
== Project References ==<br />
* [https://www.mir-swamp.org/#packages/public Software Assurance Marketplace (SWAMP) - set of curated packages to test tools against]<br />
* [http://samate.nist.gov/Other_Test_Collections.html SAMATE List of Test Collections]<br />
<br />
== Related Projects ==<br />
<br />
* [http://samate.nist.gov/SARD/testsuite.php NSA's Juliet for Java]<br />
* [http://sectoolmarket.com/ The Web Application Vulnerability Scanner Evaluation Project (WAVSEP)]<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
<br />
All test code and project files can be downloaded from [https://github.com/OWASP/benchmark OWASP GitHub].<br />
<br />
== Project Intro Video ==<br />
<br />
[[File:BenchmarkPodcastTitlePage.jpg|200px|link=https://www.youtube.com/watch?v=HQP8dwc3jJA&index=5&list=PLGB2s-U5FSWOmEStMt3JqlMFJvRYqeVW5]]<br />
<br />
== News and Events ==<br />
* LOOKING FOR VOLUNTEERS!! - We are looking for individuals and organizations to join and make this a much more community driven project, including additional coleaders to help take this project to the next level. Contributors could work on things like new test cases, additional tool scorecard generators, adding support for languages beyond Java, and a host of other improvements. Please contact [mailto:dave.wichers@owasp.org me] if you are interested in contributing at any level.<br />
* June 5, 2016 - Benchmark Version 1.2 Released<br />
* Sep 24, 2015 - Benchmark introduced to broader OWASP community at [https://appsecusa2015.sched.org/event/3r9k/using-the-owasp-benchmark-to-assess-automated-vulnerability-analysis-tools AppSec USA]<br />
* Aug 27, 2015 - U.S. Dept. of Homeland Security (DHS) is financially supporting the Benchmark project.<br />
* Aug 15, 2015 - Benchmark Version 1.2beta Released with full DAST Support. Checkmarx and ZAP scorecard generators also released.<br />
* July 10, 2015 - Benchmark Scorecard generator and open source scorecards released<br />
* May 23, 2015 - Benchmark Version 1.1 Released<br />
* April 15, 2015 - Benchmark Version 1.0 Released<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [http://choosealicense.com/licenses/gpl-2.0/ GNU General Public License v2.0]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= Test Cases =<br />
<br />
Version 1.0 of the Benchmark was published on April 15, 2015 and had 20,983 test cases. On May 23, 2015, version 1.1 of the Benchmark was released. The 1.1 release improves on the previous version by making sure that there are both true positives and false positives in every vulnerability area. Version 1.2 was released on June 5, 2016 (and the 1.2beta August 15, 2015).<br />
<br />
Version 1.2 and forward of the Benchmark is a fully executable web application, which means it is scannable by any kind of vulnerability detection tool. The 1.2 has been limited to slightly less than 3,000 test cases, to make it easier for DAST tools to scan it (so it doesn't take so long and they don't run out of memory, or blow up the size of their database). The 1.2 release covers the same vulnerability areas that 1.1 covers. We added a few Spring database SQL Injection tests, but that's it. The bulk of the work was turning each test case into something that actually runs correctly AND is fully exploitable, and then generating a UI on top of it that works in order to turn the test cases into a real running application.<br />
<br />
You can still download Benchmark version 1.1 by cloning the release marked with the GIT tag '1.1'.<br />
<br />
The test case areas and quantities for the Benchmark releases are:<br />
<br />
{| class="wikitable nowraplinks"<br />
|-<br />
! Vulnerability Area<br />
! # of Tests in v1.1<br />
! # of Tests in v1.2<br />
! CWE Number<br />
|-<br />
| [[Command Injection]]<br />
| 2708<br />
| 251<br />
| [https://cwe.mitre.org/data/definitions/78.html 78]<br />
|-<br />
| Weak Cryptography<br />
| 1440<br />
| 246<br />
| [https://cwe.mitre.org/data/definitions/327.html 327]<br />
|-<br />
| Weak Hashing<br />
| 1421<br />
| 236<br />
| [https://cwe.mitre.org/data/definitions/328.html 328]<br />
|-<br />
| [[LDAP injection | LDAP Injection]]<br />
| 736<br />
| 59<br />
| [https://cwe.mitre.org/data/definitions/90.html 90]<br />
|-<br />
| [[Path Traversal]]<br />
| 2630<br />
| 268<br />
| [https://cwe.mitre.org/data/definitions/22.html 22]<br />
|-<br />
| Secure Cookie Flag<br />
| 416<br />
| 67<br />
| [https://cwe.mitre.org/data/definitions/614.html 614]<br />
|-<br />
| [[SQL Injection]]<br />
| 3529<br />
| 504<br />
| [https://cwe.mitre.org/data/definitions/89.html 89]<br />
|-<br />
| [[Trust Boundary Violation]]<br />
| 725<br />
| 126<br />
| [https://cwe.mitre.org/data/definitions/501.html 501]<br />
|-<br />
| Weak Randomness<br />
| 3640<br />
| 493<br />
| [https://cwe.mitre.org/data/definitions/330.html 330]<br />
|-<br />
| [[XPATH Injection]]<br />
| 347<br />
| 35<br />
| [https://cwe.mitre.org/data/definitions/643.html 643]<br />
|-<br />
| [[XSS]] (Cross-Site Scripting)<br />
| 3449<br />
| 455<br />
| [https://cwe.mitre.org/data/definitions/79.html 79]<br />
|-<br />
| Total Test Cases<br />
| 21,041<br />
| 2,740<br />
|}<br />
<br />
Each Benchmark version comes with a spreadsheet that lists every test case, the vulnerability category, the CWE number, and the expected result (true finding/false positive). Look for the file: expectedresults-VERSION#.csv in the project root directory.<br />
<br />
Every test case is:<br />
* a servlet or JSP (currently they are all servlets, but we plan to add JSPs)<br />
* either a true vulnerability or a false positive for a single issue<br />
<br />
The Benchmark is intended to help determine how well analysis tools correctly analyze a broad array of application and framework behavior, including:<br />
<br />
* HTTP request and response problems<br />
* Simple and complex data flow<br />
* Simple and complex control flow<br />
* Popular frameworks<br />
* Inversion of control<br />
* Reflection<br />
* Class loading<br />
* Annotations<br />
* Popular UI technologies (particularly JavaScript frameworks)<br />
<br />
Not all of these are yet tested by the Benchmark but future enhancements intend to provide more coverage of these issues.<br />
<br />
Additional future enhancements could cover:<br />
* All vulnerability types in the [[Top10 | OWASP Top 10]]<br />
* Does the tool find flaws in libraries?<br />
* Does the tool find flaws spanning custom code and libraries?<br />
* Does tool handle web services? REST, XML, GWT, etc…<br />
* Does tool work with different app servers? Java platforms?<br />
<br />
== Example Test Case ==<br />
<br />
Each test case is a simple Java EE servlet. BenchmarkTest00001 in version 1.0 of the Benchmark was an LDAP Injection test with the following metadata in the accompanying BenchmarkTest00001.xml file:<br />
<br />
<test-metadata><br />
<category>ldapi</category><br />
<test-number>00001</test-number><br />
<vulnerability>true</vulnerability><br />
<cwe>90</cwe><br />
</test-metadata><br />
<br />
BenchmarkTest00001.java in the OWASP Benchmark 1.0 simply reads in all the cookie values, looks for a cookie named "foo", and uses the value of this cookie when performing an LDAP query. Here's the code for BenchmarkTest00001.java:<br />
<br />
package org.owasp.benchmark.testcode;<br />
<br />
import java.io.IOException;<br />
<br />
import javax.servlet.ServletException;<br />
import javax.servlet.annotation.WebServlet;<br />
import javax.servlet.http.HttpServlet;<br />
import javax.servlet.http.HttpServletRequest;<br />
import javax.servlet.http.HttpServletResponse;<br />
<br />
@WebServlet("/BenchmarkTest00001")<br />
public class BenchmarkTest00001 extends HttpServlet {<br />
<br />
private static final long serialVersionUID = 1L;<br />
<br />
@Override<br />
public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {<br />
doPost(request, response);<br />
}<br />
<br />
@Override<br />
public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {<br />
// some code<br />
<br />
javax.servlet.http.Cookie[] cookies = request.getCookies();<br />
<br />
String param = null;<br />
boolean foundit = false;<br />
if (cookies != null) {<br />
for (javax.servlet.http.Cookie cookie : cookies) {<br />
if (cookie.getName().equals("foo")) {<br />
param = cookie.getValue();<br />
foundit = true;<br />
}<br />
}<br />
if (!foundit) {<br />
// no cookie found in collection<br />
param = "";<br />
}<br />
} else {<br />
// no cookies<br />
param = "";<br />
}<br />
<br />
try {<br />
javax.naming.directory.DirContext dc = org.owasp.benchmark.helpers.Utils.getDirContext();<br />
Object[] filterArgs = {"a","b"};<br />
dc.search("name", param, filterArgs, new javax.naming.directory.SearchControls());<br />
} catch (javax.naming.NamingException e) {<br />
throw new ServletException(e);<br />
}<br />
}<br />
}<br />
<br />
= Test Case Details =<br />
<br />
The following describes situations in the Benchmark that have come up for debate as to the validity/accuracy of the test cases in these scenarios. <br />
<br />
== Cookies as a Source of Attack for XSS ==<br />
<br />
Benchmark v1.1 and early versions of the 1.2beta included test cases that used cookies as a source of data that flowed into XSS vulnerabilities. The Benchmark treated these tests as False Positives because the Benchmark team figured that you'd have to use an XSS vulnerability in the first place to set the cookie value, and so it wasn't fair/reasonable to consider an XSS vulnerability whose data source was a cookie value as actually exploitable. However, we got feedback from some tool vendors, like Fortify, Burp, and Arachni, that they disagreed with this analysis and felt that, in fact, cookies were a valid source of attack against XSS vulnerabilities. Given that there are good arguments on both sides of this safe vs. unsafe question, we decided on Aug 25, 2015 to simply remove those test cases from the Benchmark. If, in the future, we decide who is right, we may add such test cases back in.<br />
<br />
== Headers as a Source of Attack for XSS ==<br />
<br />
Similarly, the Benchmark team believes that the names of headers aren't a valid source of XSS attack for the same reason we thought cookie values aren't a valid source. Because it would require an XSS vulnerability to be exploited in the first place to set them. In fact, we feel that this argument is much stronger for header names, than cookie values. Right now, the Benchmark doesn't include any header names as sources for XSS test cases, but we plan to add them, and mark them as false positive in the Benchmark.<br />
<br />
We do have header values as sources for some XSS test cases in the Benchmark and only 'referer' is treated as a valid XSS source (i.e., true positives) because other headers are not viable XSS sources. Other headers are, of course, valid sources for other attack vectors, like SQL injection or Command Injection.<br />
<br />
== False Positive Scenario: Static Values Passed to Unsafe (Weak) Sinks ==<br />
<br />
The Benchmark has MANY test cases where unsafe data flows in from the browser, but that data is replaced with static content as it goes through the propagators in the that specific test case. This static (safe) data then flows to the sink, which may be a weak/unsafe sink, like, for example, an unsafely constructed SQL statement. The Benchmark treats those test cases as false positives because there is absolutely no way for that weakness to be exploited. The NSA Juliet SAST benchmark treats such test cases exactly the same way, as false positives. We do recognize that there are weaknesses in those test cases, even though they aren't exploitable.<br />
<br />
Some SAST tool vendors feel it is appropriate to point out those weaknesses, and that's fine. However, if the tool points those weaknesses out, and does not distinguish them from truly exploitable vulnerabilities, then the Benchmark treats those findings as false positives. If the tool allows a user to differentiate these non-exploitable weaknesses from exploitable vulnerabilities, then the Benchmark scorecard generator can use that information to filter out these extra findings (along with any other similarly marked findings) so they don't count against that tool when calculating that tool's Benchmark score. In the real world, its important for analysts to be able to filter out such findings if they only have time to deal with the most critical, actually exploitable, vulnerabilities. If a tool doesn't make it easy for an analyst to distinguish the two situations, then they are providing a disservice to the analyst.<br />
<br />
This issue doesn't affect DAST tools. They only report what appears to be exploitable to them. So this has no affect on them.<br />
<br />
If you are a SAST tool vendor or user, and you believe the Benchmark scorecard generator is counting such findings against that tool, and there is a way to tell them apart, please let the project team know so the scorecard generator can be adjusted to not count those findings against the tool. The Benchmark project's goal is the generate the most fair and accurate results it can generate. If such an adjustment is made to how a scorecard is generated for that tool, we plan to document this was done for that tool, and explain how others could perform the same filtering within that tool in order to get the same focused set of results.<br />
<br />
== Dead Code ==<br />
<br />
Some SAST tools point out weaknesses in dead code because they might eventually end up being used, and serve as bad coding examples (think cut/paste of code). We think this is fine/appropriate. However, there is no dead code in the OWASP Benchmark (at least not intentionally). So dead code should not be causing any tool to report unnecessary false positives.<br />
<br />
= Tool Support/Results =<br />
<br />
The results for 5 free tools, PMD, FindBugs, FindBugs with the FindSecBugs plugin, SonarQube and OWASP ZAP are available here against version 1.2 of the Benchmark: https://rawgit.com/OWASP/Benchmark/master/scorecard/OWASP_Benchmark_Home.html. We've included multiple versions of FindSecBugs' and ZAP's results so you can see the improvements they are making finding vulnerabilities in Benchmark.<br />
<br />
We have Benchmark results for all the following tools, but haven't publicly released the results for any commercial tools. However, we included a 'Commercial Average' page, which includes a summary of results for 6 commercial SAST tools along with anonymous versions of each SAST tool's scorecard.<br />
<br />
The Benchmark can generate results for the following tools: <br />
<br />
'''Free Static Application Security Testing (SAST) Tools:'''<br />
<br />
* [https://pmd.github.io/ PMD] (which really has no security rules) - .xml results file<br />
* [http://findbugs.sourceforge.net/ FindBugs] - .xml results file (Note: FindBugs hasn't been updated since 2015. Use SpotBugs instead (see below))<br />
* [https://www.sonarqube.org/downloads/ SonarQube] - .xml results file<br />
* [https://spotbugs.github.io/ SpotBugs] - .xml results file. This is the successor to FindBugs.<br />
* SpotBugs with the [http://find-sec-bugs.github.io/ FindSecurityBugs plugin] - .xml results file<br />
<br />
Note: We looked into supporting [http://checkstyle.sourceforge.net/ Checkstyle] but it has no security rules, just like PMD. The [http://fb-contrib.sourceforge.net/ fb-contrib] FindBugs plugin doesn't have any security rules either. We did test [http://errorprone.info/ Error Prone], and found that it does report some use of [http://errorprone.info/bugpattern/InsecureCipherMode) insecure ciphers (CWE-327)], but that's it.<br />
<br />
'''Commercial SAST Tools:'''<br />
<br />
* [https://www.castsoftware.com/products/application-intelligence-platform CAST Application Intelligence Platform (AIP)] - .xml results file<br />
* [https://www.checkmarx.com/products/static-application-security-testing/ Checkmarx CxSAST] - .xml results file<br />
* [https://www.ibm.com/us-en/marketplace/ibm-appscan-source IBM AppScan Source (Standalone and Cloud)] - .ozasmt or .xml results file<br />
* [https://juliasoft.com/solutions/julia-for-security/ Julia Analyzer] - .xml results file<br />
* [https://software.microfocus.com/en-us/products/static-code-analysis-sast/overview Micro Focus (Formally HPE) Fortify (On-Demand and stand-alone versions)] - .fpr results file<br />
* [https://www.parasoft.com/products/jtest/ Parasoft Jtest] - .xml results file<br />
* [https://semmle.com/lgtm Semmle LGTM] - .sarif results file<br />
* [https://www.shiftleft.io/product/ ShiftLeft SAST] - .sl results file (Benchmark specific format. Ask vendor how to generate this)<br />
* [https://snappycodeaudit.com/category/static-code-analysis Snappycode Audit's SnappyTick Source Edition (SAST)] - .xml results file<br />
* [https://www.sourcemeter.com/features/ SourceMeter] - .txt results file of ALL results from VulnerabilityHunter<br />
* [https://www.synopsys.com/content/dam/synopsys/sig-assets/datasheets/SAST-Coverity-datasheet.pdf Synopsys Static Analysis (Formerly Coverity Code Advisor) (On-Demand and stand-alone versions)] - .json results file (You can scan Benchmark w/Coverity for free. See: https://scan.coverity.com/)<br />
* [https://www.defensecode.com/thunderscan.php Thunderscan SAST] - .xml results file<br />
* [https://www.veracode.com/products/binary-static-analysis-sast Veracode SAST] - .xml results file<br />
* [https://www.rigs-it.com/xanitizer/ XANITIZER] - xml results file ([https://www.rigs-it.com/wp-content/uploads/2018/03/howtosetupxanitizerforowaspbenchmarkproject.pdf Their white paper on how to setup Xanitizer to scan Benchmark.]) (Free trial available)<br />
<br />
We are looking for results for other commercial static analysis tools like: [https://www.grammatech.com/products/codesonar Grammatech CodeSonar], [https://www.roguewave.com/products-services/klocwork RogueWave's Klocwork], etc. If you have a license for any static analysis tool not already listed above and can run it on the Benchmark and send us the results file that would be very helpful. <br />
<br />
The free SAST tools come bundled with the Benchmark so you can run them yourselves. If you have a license for any commercial SAST tool, you can also run them against the Benchmark. Just put your results files in the /results folder of the project, and then run the BenchmarkScore script for your platform (.sh / .bat) and it will generate a scorecard in the /scorecard directory for all the tools you have results for that are currently supported.<br />
<br />
'''Free Dynamic Application Security Testing (DAST) Tools:'''<br />
<br />
Note: While we support scorecard generators for these Free and Commercial DAST tools, we haven't been able to get a full/clean run against the Benchmark from most of these tools. As such, some of these scorecard generators might still need some work to properly reflect their results. If you notice any problems, let us know.<br />
<br />
* [http://www.arachni-scanner.com/ Arachni] - .xml results file<br />
** To generate .xml, run: ./bin/arachni_reporter "Your_AFR_Results_Filename.afr" --reporter=xml:outfile=Benchmark1.2-Arachni.xml<br />
* [https://www.owasp.org/index.php/ZAP OWASP ZAP] - .xml results file. To generate a complete ZAP XML results file so you can generate a valid scorecard, make sure you:<br />
** Tools > Options > Alerts - And set the Max alert instances to like 500.<br />
** Then: Report > Generate XML Report...<br />
<br />
'''Commercial DAST Tools:'''<br />
<br />
* [https://www.acunetix.com/vulnerability-scanner/ Acunetix Web Vulnerability Scanner (WVS)] - .xml results file (Generated using [https://www.acunetix.com/resources/wvs7manual.pdf command line interface (see Chapter 10.)] /ExportXML switch)<br />
* [https://portswigger.net/burp Burp Pro] - .xml results file<br />
* [https://www.ibm.com/us-en/marketplace/appscan-standard IBM AppScan] - .xml results file<br />
* [https://software.microfocus.com/en-us/products/webinspect-dynamic-analysis-dast/overview Micro Focus (Formally HPE) WebInspect] - .xml results file<br />
* [https://www.netsparker.com/web-vulnerability-scanner/ Netsparker] - .xml results file<br />
* [https://www.qualys.com/apps/web-app-scanning/ Qualys Web App Scanner] - .xml results file<br />
* [https://www.rapid7.com/products/appspider/ Rapid7 AppSpider] - .xml results file<br />
<br />
If you have access to other DAST Tools, PLEASE RUN THEM FOR US against the Benchmark, and send us the results file so we can build a scorecard generator for that tool.<br />
<br />
'''Commercial Interactive Application Security Testing (IAST) Tools:'''<br />
<br />
* [https://www.contrastsecurity.com/interactive-application-security-testing-iast Contrast Assess] - .zip results file (You can scan Benchmark w/Contrast for free. See: https://www.contrastsecurity.com/contrast-community-edition)<br />
* [https://hdivsecurity.com/interactive-application-security-testing-iast Hdiv Detection (IAST)] - .hlg results file<br />
* [https://www.synopsys.com/software-integrity/security-testing/interactive-application-security-testing.html Seeker IAST] - .csv results file<br />
<br />
'''Commercial Hybrid Analysis Application Security Testing Tools:'''<br />
<br />
* [http://www.iappsecure.com/products.html Fusion Lite Insight] - .xml results file<br />
<br />
<br />
'''WARNING: If you generate results for a commercial tool, be careful who you distribute it to. Each tool has its own license defining when any results it produces can be released/made public. It may be against the terms of a commercial tool's license to publicly release that tool's score against the OWASP Benchmark. The OWASP Benchmark project takes no responsibility if someone else releases such results.'''<br />
<br />
The project has automated test harnesses for these vulnerability detection tools, so we can repeatably run the tools against each version of the Benchmark and automatically produce scorecards in our desired format.<br />
<br />
We want to test as many tools as possible against the Benchmark. If you are:<br />
<br />
* A tool vendor and want to participate in the project<br />
* Someone who wants to help score a free tool against the project<br />
* Someone who has a license to a commercial tool and the terms of the license allow you to publish tool results, and you want to participate<br />
<br />
please let [mailto:dave.wichers@owasp.org me] know!<br />
<br />
= Quick Start =<br />
<br />
==What is in the Benchmark?==<br />
The Benchmark is a Java Maven project. Its primary component is thousands of test cases (e.g., BenchmarkTest00001.java) , each of which is a single Java servlet that contains a single vulnerability (either a true positive or false positive). The vulnerabilities span about a dozen different types currently and are expected to expand significantly in the future.<br />
<br />
An expectedresults.csv is published with each version of the Benchmark (e.g., expectedresults-1.1.csv) and it specifically lists the expected results for each test case. Here’s what the first two rows in this file looks like for version 1.1 of the Benchmark:<br />
<br />
# test name category real vulnerability CWE Benchmark version: 1.1 2015-05-22<br />
BenchmarkTest00001 crypto TRUE 327<br />
<br />
This simply means that the first test case is a crypto test case (use of weak cryptographic algorithms), this is a real vulnerability (as opposed to a false positive), and this issue maps to CWE 327. It also indicates this expected results file is for Benchmark version 1.1 (produced May 22, 2015). There is a row in this file for each of the tens of thousands of test cases in the Benchmark. Each time a new version of the Benchmark is published, a new corresponding results file is generated and each test case can be completely different from one version to the next.<br />
<br />
The Benchmark also comes with a bunch of different utilities, commands, and prepackaged open source security analysis tools, all of which can be executed through Maven goals, including:<br />
<br />
* Open source vulnerability detection tools to be run against the Benchmark<br />
* A scorecard generator, which computes a scorecard for each of the tools you have results files for.<br />
<br />
==What Can You Do With the Benchmark?==<br />
* Compile all the software in the Benchmark project (e.g., mvn compile)<br />
* Run a static vulnerability analysis tool (SAST) against the Benchmark test case code<br />
<br />
* Scan a running version of the Benchmark with a dynamic application security testing tool (DAST)<br />
** Instructions on how to run it are provided below<br />
<br />
* Generate scorecards for each of the tools you have results files for<br />
** See the Tool Support/Results page for the list of tools the Benchmark supports generating scorecards for<br />
<br />
==Getting Started==<br />
Before downloading or using the Benchmark make sure you have the following installed and configured properly:<br />
<br />
GIT: http://git-scm.com/ or https://github.com/<br />
Maven: https://maven.apache.org/ (Version: 3.2.3 or newer works.)<br />
Java: http://www.oracle.com/technetwork/java/javase/downloads/index.html (Java 7 or 8) (64-bit)<br />
<br />
==Getting, Building, and Running the Benchmark==<br />
<br />
To download and build everything:<br />
<br />
$ git clone https://github.com/OWASP/benchmark <br />
$ cd benchmark<br />
$ mvn compile (This compiles it)<br />
$ runBenchmark.sh/.bat - This compiles and runs it.<br />
<br />
Then navigate to: https://localhost:8443/benchmark/ to go to its home page. It uses a self signed SSL certificate, so you'll get a security warning when you hit the home page.<br />
<br />
Note: We have set the Benchmark app to use up to 6 Gig of RAM, which it may need when it is fully scanned by a DAST scanner. The DAST tool probably also requires 3+ Gig of RAM. As such, we recommend having a 16 Gig machine if you are going to try to run a full DAST scan. And at least 4 or ideally 8 Gig if you are going to play around with the running Benchmark app.<br />
<br />
== Using a VM instead ==<br />
We have several preconstructed VMs or instructions on how to build one that you can use instead:<br />
<br />
* Docker: A Dockerfile is checked into the project [https://github.com/OWASP/Benchmark/blob/master/VMs/Dockerfile here]. This Docker file should automatically produce a Docker VM with the latest Benchmark project files. After you have Docker installed, cd to /VMs then run: <br />
./buildDockerImage.sh --> This builds the Docker Benchmark VM (This will take a WHILE)<br />
docker images --> You should see the new benchmark:latest image in the list provided<br />
# The Benchmark Docker Image only has to be created once. <br />
<br />
To run the Benchmark in your Docker VM, just run:<br />
./runDockerImage.sh --> This pulls in any updates to Benchmark since the Image was built, builds everything, and starts a remotely accessible Benchmark web app.<br />
If successful, you should see this at the end:<br />
[INFO] [talledLocalContainer] Tomcat 8.x started on port [8443]<br />
[INFO] Press Ctrl-C to stop the container...<br />
Then simply navigate to: https://localhost:8443/benchmark from the machine you are running Docker<br />
<br />
Or if you want to access from a different machine:<br />
docker-machine ls (in a different terminal) --> To get IP Docker VM is exporting (e.g., tcp://192.168.99.100:2376)<br />
Navigate to: https://192.168.99.100:8443/benchmark in your browser (using the above IP as an example)<br />
<br />
* Amazon Web Services (AWS) - Here's how you set up the Benchmark on an AWS VM:<br />
sudo yum install git<br />
sudo yum install maven<br />
sudo yum install mvn<br />
sudo wget http://repos.fedorapeople.org/repos/dchen/apache-maven/epel-apache-maven.repo -O /etc/yum.repos.d/epel-apache-maven.repo<br />
sudo sed -i s/\$releasever/6/g /etc/yum.repos.d/epel-apache-maven.repo<br />
sudo yum install -y apache-maven<br />
git clone https://github.com/OWASP/benchmark<br />
cd benchmark<br />
chmod 755 *.sh<br />
./runBenchmark.sh -- to run it locally on the VM.<br />
./runRemoteAccessibleBenchmark.sh -- to run it so it can be accessed outside the VM (on port 8443).<br />
<br />
==Running Free Static Analysis Tools Against the Benchmark==<br />
There are scripts for running each of the free SAST vulnerability detection tools included with the Benchmark against the Benchmark test cases. On Linux, you might have to make them executable (e.g., chmod 755 *.sh) before you can run them.<br />
<br />
Generating Test Results for PMD:<br />
<br />
$ ./scripts/runPMD.sh (Linux) or .\scripts\runPMD.bat (Windows)<br />
<br />
Generating Test Results for FindBugs:<br />
<br />
$ ./scripts/runFindBugs.sh (Linux) or .\scripts\runFindBugs.bat (Windows)<br />
<br />
Generating Test Results for FindBugs with the FindSecBugs plugin:<br />
<br />
$ ./scripts/runFindSecBugs.sh (Linux) or .\scripts\runFindSecBugs.bat (Windows)<br />
<br />
In each case, the script will generate a results file and put it in the /results directory. For example: <br />
<br />
Benchmark_1.2-findbugs-v3.0.1-1026.xml<br />
<br />
This results file name is carefully constructed to mean the following: It's a results file against the OWASP Benchmark version 1.2, FindBugs was the analysis tool, it was version 3.0.1 of FindBugs, and it took 1026 seconds to run the analysis.<br />
<br />
NOTE: If you create a results file yourself, by running a commercial tool for example, you can add the version # and the compute time to the filename just like this and the Benchmark Scorecard generator will pick this information up and include it in the generated scorecard. If you don't, depending on what metadata is included in the tool results, the Scorecard generator might do this automatically anyway.<br />
<br />
==Generating Scorecards==<br />
The scorecard generation application BenchmarkScore is included with the Benchmark. It parses the output files generated by any of the supported security tools run against the Benchmark and compares them against the expected results, and produces a set of web pages that detail the accuracy and speed of the tools involved. For the list of currently supported tools, check out the: Tools Support/Results tab. If you are using a tool that is not yet supported, simply send us a results file from that tool and we'll write a parser for that tool and add it to the supported tools list.<br />
<br />
The following command will compute a Benchmark scorecard for all the results files in the '''/results''' directory. The generated scorecard is put into the '''/scorecard''' directory.<br />
<br />
createScorecard.sh (Linux) or createScorecard.bat (Windows)<br />
<br />
An example of a real scorecard for some open source tools is provided at the top of the Tool Support/Results tab so you can see what one looks like.<br />
<br />
We recommend including the Benchmark version number in any results file name, in order to help prevent mismatches between the expected results and the actual results files. A tool will not score well against the wrong expected results.<br />
<br />
===Customizing Your Scorecard Generation===<br />
<br />
The createScorecard scripts are very simple. They only have one line. Here's what the 1.2 version looks like:<br />
<br />
mvn validate -Pbenchmarkscore -Dexec.args="expectedresults-1.2.csv results"<br />
<br />
This Maven command simply says to run the BenchmarkScore application, passing in two parameters. The 1st is the Benchmark expected results file to compare the tool results against. And the 2nd is the name of the directory that contains all the results from tools run against that version of the Benchmark. If you have tool results older than the current version of the Benchmark, like 1.1 results for example, then you would do something like this instead:<br />
<br />
mvn validate -Pbenchmarkscore -Dexec.args="expectedresults-1.1.csv 1.1_results"<br />
<br />
To keep things organized, we actually put the expected results file inside the same results folder for that version of the Benchmark, so our command looks like this:<br />
<br />
mvn validate -Pbenchmarkscore -Dexec.args="1.1_results/expectedresults-1.1.csv 1.1_results"<br />
<br />
In all cases, the generated scorecard is put in the /scorecard folder.<br />
<br />
'''WARNING: If you generate results for a commercial tool, be careful who you distribute it to. Each tool has its own license defining when any results it produces can be released/made public. It is likely to be against the terms of a commercial tool's license to publicly release that tool's score against the OWASP Benchmark. The OWASP Benchmark project takes no responsibility if someone else releases such results.''' It is for just this reason that the Benchmark project isn't releasing such results itself.<br />
<br />
= Tool Scanning Tips =<br />
<br />
People frequently have difficulty scanning the Benchmark with various tools due to many reasons, including size of the Benchmark app and its codebase, and complexity of the tools used. Here is some guidance for some of the tools we have used to scan the Benchmark. If you've learned any tricks on how to get better or easier results for a particular tool against the Benchmark, let us know or update this page directly.<br />
<br />
== Generic Tips ==<br />
<br />
Because of the size of the Benchmark, you may need to give your tool more memory before it starts the scan. If its a Java based tool, you may want to pass more memory to it like this:<br />
<br />
-Xmx4G (This gives the Java application 4 Gig of memory)<br />
<br />
== SAST Tools ==<br />
<br />
=== Checkmarx ===<br />
<br />
The Checkmarx SAST Tool (CxSAST) is ready to scan the OWASP Benchmark out-of-the-box. <br />
Please notice that the OWASP Benchmark “hides” some vulnerabilities in dead code areas, for example:<br />
<syntaxhighlight lang="java"><br />
if (0>1)<br />
{<br />
//vulnerable code<br />
}</syntaxhighlight><br />
By default, CxSAST will find these vulnerabilities since Checkmarx believes that including dead code in the scan results is a SAST best practice. <br />
<br />
Checkmarx's experience shows that security experts expect to find these types of code vulnerabilities, and demand that their developers fix them. However, OWASP Benchmark considers the flagging of these vulnerabilities as False Positives, as a result lowering Checkmarx's overall score. <br />
<br />
Therefore, in order to receive an OWASP score untainted by dead code, re-configure CxSAST as follows:<br />
# Open the CxAudit client for editing Java queries.<br />
# Override the "Find_Dead_Code" query.<br />
# Add the commented text of the original query to the new override query.<br />
# Save the queries.<br />
<br />
=== FindBugs ===<br />
<br />
We include this free tool in the Benchmark and its all dialed in. Simply run the script: ./script/runFindBugs.(sh or bat). If you want to run a different version of FindBugs, just change its version number in the Benchmark pom.xml file.<br />
<br />
=== FindBugs with FindSecBugs ===<br />
<br />
[http://h3xstream.github.io/find-sec-bugs/ FindSecurityBugs] is a great plugin for FindBugs that significantly increases the ability for FindBugs to find security issues. We include this free tool in the Benchmark and its all dialed in. Simply run the script: ./script/runFindSecBugs.(sh or bat). If you want to run a different version of FindSecBugs, just change the version number of the findsecbugs-plugin artifact in the Benchmark pom.xml file.<br />
<br />
=== Micro Focus (Formally HP) Fortify ===<br />
<br />
If you are using the Audit Workbench, you can give it more memory and make sure you invoke it in 64-bit mode by doing this:<br />
<br />
set AWB_VM_OPTS="-Xmx2G -XX:MaxPermSize=256m"<br />
export AWB_VM_OPTS="-Xmx2G -XX:MaxPermSize=256m"<br />
auditworkbench -64<br />
<br />
We found it was easier to use the Maven support in Fortify to scan the Benchmark and to do it in 2 phases, translate, and then scan. We did something like this:<br />
<br />
Translate Phase:<br />
export JAVA_HOME=$(/usr/libexec/java_home)<br />
export PATH=$PATH:/Applications/HP_Fortify/HP_Fortify_SCA_and_Apps_17.10/bin<br />
export SCA_VM_OPTS="-Xmx2G -version 1.7"<br />
mvn sca:clean<br />
mvn sca:translate<br />
<br />
Scan Phase:<br />
export JAVA_HOME=$(/usr/libexec/java_home)<br />
export PATH=$PATH:/Applications/HP_Fortify/HP_Fortify_SCA_and_Apps_4.10/bin<br />
export SCA_VM_OPTS="-Xmx10G -version 1.7"<br />
mvn sca:scan<br />
<br />
=== PMD ===<br />
<br />
We include this free tool in the Benchmark and its all dialed in. Simply run the script: ./script/runPMD.(sh or bat). If you want to run a different version of PMD, just change its version number in the Benchmark pom.xml file. (NOTE: PMD doesn't find any security issues. We include it because its interesting to know that it doesn't.)<br />
<br />
=== SonarQube ===<br />
<br />
We include this free tool in the Benchmark and its mostly dialed in. But its a bit tricky because SonarQube requires two parts. There is a stand alone scanner for Java. And then there is a web application that accepts the results, and in turn can then produce the results file required by the Benchmark scorecard generator for SonarQube. Running the script runSonarQube.(sh or bat) will generate the results, but if the SonarQube Web Application isn't running where the runSonarQube script expects it to be, then the script will fail.<br />
<br />
If you want to run a different version of SonarQube, just change its version number in the Benchmark pom.xml file.<br />
<br />
=== Xanitizer ===<br />
<br />
The vendor has written their own guide to [http://www.rigs-it.net/opendownloads/whitepapers/HowToSetUpXanitizerForOWASPBenchmarkProject.pdf How to Set Up Xanitizer for OWASP Benchmark].<br />
<br />
== DAST Tools ==<br />
<br />
=== Burp Pro ===<br />
<br />
You must use Burp Pro v1.6.29 or greater to scan the Benchmark due to a previous limitation in Burp Pro related to ensuring the path attribute for cookies was honored. This issue was fixed in the v1.6.29 release.<br />
<br />
To scan, first spider the entire Benchmark, and then select the /Benchmark URL and actively scan that branch. You can skip all the .html pages and any other pages that Burp says have no parameters.<br />
<br />
NOTE: We have been unable to simply run Burp Pro against the entire Benchmark in one shot. In our experience, it eventually freezes/stops scanning. We've had to run it against each test area one at a time. If you figure out how to get Burp Pro to scan all of Benchmark in one shot, let us know how you did it!<br />
<br />
=== OWASP ZAP ===<br />
<br />
ZAP may require additional memory to be able to scan the Benchmark. To configure the amount of memory:<br />
* Tools --> Options --> JVM: Recommend setting to: -Xmx2048m (or larger). (Then restart ZAP).<br />
<br />
To run ZAP against Benchmark:<br />
# Because Benchmark uses Cookies and Headers as sources of attack for many test cases: Tools --> Options --> Active Scan Input Vectors: Then check the HTTP Headers, All Requests, and Cookie Data checkboxes and hit OK<br />
# Click on Show All Tabs button (if spider tab isn't visible)<br />
# Go to Spider tab (the black spider) and click on New Scan button<br />
# Enter: https://localhost:8443/benchmark/ into the 'Starting Point' box and hit 'Start Scan'<br />
#* Do this again. For some reason it takes 2 passes with the Spider before it stops finding more Benchmark endpoints.<br />
# When Spider completes, click on 'benchmark' folder in Site Map, right click and select: 'Attack --> Active Scan'<br />
#* It will take several hours, like 3+ to complete (it's actually likely to simply freeze before completing the scan - see NOTE: below)<br />
<br />
For faster active scan you can<br />
* Disable the ZAP DB log (in ZAP 2.5.0+):<br />
** Disable it via Options / Database / Recover Log<br />
** Set it on the command line using "-config database.recoverylog=false"<br />
* Disable unnecessary plugins / Technologies: When you launch the Active Scan<br />
** On the Policy tab, disable all plugins except: XSS (Reflected), Path Traversal, SQLi, OS Command Injection<br />
** Go the Technology Tab, disable everything and only enable: MySQL, YOUR_OS, Tomcat<br />
** Note: This 2nd performance improvement step is a bit like cheating as you wouldn't do this for a normal site scan. You'd want to leave all this on in case these other plugins/technologies are helpful in finding more issues. So a fair performance comparison of ZAP to other tools would leave all this on.<br />
<br />
To generate the ZAP XML results file so you can generate its scorecard:<br />
* Tools > Options > Alerts - And set the Max alert instances to like 500.<br />
* Then: Report > Generate XML Report...<br />
<br />
NOTE: Similar to Burp, we can't simply run ZAP against the entire Benchmark in one shot. In our experience, it eventually freezes/stops scanning. We've had to run it against each test area one at a time. If you figure out how to get ZAP to scan all of Benchmark in one shot, let us know how you did it!<br />
<br />
Things we tried that didn't improve the score:<br />
* AJAX Spider - the traditional spider appears to find all (or 99%) of the test cases so the AJAX Spider does not appear to be needed against Benchmark v1.2<br />
* XSS (Persistent) - There are 3 of these plugins that run by default. There aren't any stored XSS in Benchmark, so you can disable these plugins for a faster scan.<br />
* DOM XSS Plugin - This is an optional plugin that didn't seem to find any additional XSS issues. There aren't an DOM specific XSS issues in Benchmark v1.2, so not surprising.<br />
<br />
== IAST Tools ==<br />
<br />
Interactive Application Security Testing (IAST) tools work differently than scanners. IAST tools monitor an application as it runs to identify application vulnerabilities using context from inside the running application. Typically these tools run continuously, immediately notifying users of vulnerabilities, but you can also get a full report of an entire application. To do this, we simply run the Benchmark application with an IAST agent and use a crawler to hit all the pages.<br />
<br />
=== Contrast Assess ===<br />
<br />
To use Contrast Assess, we simply add the Java agent to the Benchmark environment and run the BenchmarkCrawler. The entire process should only take a few minutes. We provided a few scripts, which simply add the -javaagent:contrast.jar flag to the Benchmark launch configuration. We have tested on MacOS, Ubuntu, and Windows. Be sure your VM has at least 4M of memory.<br />
<br />
* Ensure your environment has Java, Maven, and git installed, then build the Benchmark project<br />
'''$ git clone https://github.com/OWASP/Benchmark.git'''<br />
'''$ cd Benchmark'''<br />
'''$ mvn compile'''<br />
<br />
* Download a licensed copy of the Contrast Assess Java Agent (contrast.jar) from your Contrast TeamServer account and put it in the /Benchmark/tools/Contrast directory.<br />
'''$ cp ~/Downloads/contrast.jar tools/Contrast'''<br />
<br />
* In Terminal 1, launch the Benchmark application and wait until it starts<br />
'''$ cd tools/Contrast <br />
'''$ ./runBenchmark_wContrast.sh''' (.bat on Windows)<br />
'''[INFO] Scanning for projects...<br />
'''[INFO] <br />
'''[INFO] ------------------------------------------------------------------------<br />
'''[INFO] Building OWASP Benchmark Project 1.2<br />
'''[INFO] ------------------------------------------------------------------------<br />
'''[INFO] <br />
'''...<br />
'''[INFO] [talledLocalContainer] Tomcat 8.x started on port [8443]'''<br />
'''[INFO] Press Ctrl-C to stop the container...'''<br />
<br />
* In Terminal 2, launch the crawler and wait a minute or two for the crawl to complete.<br />
'''$ ./runCrawler.sh''' (.bat on Windows)<br />
<br />
* A Contrast report has been generated in /Benchmark/tools/Contrast/working/contrast.log. This report will be automatically copied (and renamed with version number) to /Benchmark/results directory.<br />
'''$ more tools/Contrast/working/contrast.log'''<br />
'''2016-04-22 12:29:29,716 [main b] INFO - Contrast Runtime Engine<br />
'''2016-04-22 12:29:29,717 [main b] INFO - Copyright (C) 2012<br />
'''2016-04-22 12:29:29,717 [main b] INFO - Pat. 8,458,789 B2<br />
'''2016-04-22 12:29:29,717 [main b] INFO - Contrast Security, Inc.<br />
'''2016-04-22 12:29:29,717 [main b] INFO - All Rights Reserved<br />
'''2016-04-22 12:29:29,717 [main b] INFO - https://www.contrastsecurity.com/<br />
'''...'''<br />
<br />
* Press Ctrl-C to stop the Benchmark in Terminal 1. Note: on Windows, select "N" when asked Terminate batch job (Y/N))<br />
'''[INFO] [talledLocalContainer] Tomcat 8.x is stopped'''<br />
'''Copying Contrast report to results directory'''<br />
<br />
* In Terminal 2, generate scorecards in /Benchmark/scorecard<br />
'''$ ./createScorecards.sh''' (.bat on Windows)<br />
'''Analyzing results from Benchmark_1.2-Contrast.log<br />
'''Actual results file generated: /Users/owasp/Projects/Benchmark/scorecard/Benchmark_v1.2_Scorecard_for_Contrast.csv<br />
'''Report written to: /Users/owasp/Projects/Benchmark/scorecard/Benchmark_v1.2_Scorecard_for_Contrast.html<br />
<br />
* Open the Benchmark Scorecard in your browser<br />
'''/Users/owasp/Projects/Benchmark/scorecard/Benchmark_v1.2_Scorecard_for_Contrast.html'''<br />
<br />
=== Hdiv Detection ===<br />
<br />
Hdiv has written their own instructions on how to run the detection component of their product on the Benchmark here: https://hdivsecurity.com/docs/features/benchmark/#how-to-run-hdiv-in-owasp-benchmark-project. You'll see that these instructions involve using the same crawler used to exercise all the test cases in the Benchmark, just like Contrast above.<br />
<br />
= RoadMap =<br />
<br />
Benchmark v1.0 - Released April 15, 2015 - This initial release included over 20,000 test cases in 11 different vulnerability categories. As this initial version was not a runnable application, it was only suitable for assessing static analysis tools (SAST).<br />
<br />
Benchmark v1.1 - Released May 23, 2015 - This update fixed some inaccurate test cases, and made sure that every vulnerability area included both True Positives and False Positives.<br />
<br />
Benchmark Scorecard Generator - Released July 10, 2015 - The ability to automatically and repeatably produce a scorecard of how well tools do against the Benchmark was released for most of the SAST tools supported by the Benchmark. Scorecards present graphical as well as statistical data on how well a tool does against the Benchmark down to the level of detail of how exactly it did against each individual test in the Benchmark. [https://rawgit.com/OWASP/Benchmark/master/scorecard/OWASP_Benchmark_Home.html Here are the latest public scorecards]. Support for producing scorecards for additional tools is being added all the time and the current full set is documented on the '''Tool Support/Results''' and '''Quick Start''' tabs of this wiki.<br />
<br />
Benchmark v1.2beta - Released Aug 15, 2015 - The 1st release of a fully runnable version of the Benchmark to support assessing all types of vulnerability detection and prevention technologies, including DAST, IAST, RASP, WAFs, etc. This involved creating a user interface for every test case, and enhancing each test case to make sure its actually exploitable, not just uses something that is theoretically weak. This release is under 3,000 test cases to make it practical to scan the entire Benchmark with a DAST tool in a reasonable amount of time, with commodity hardware specs.<br />
<br />
Benchmark 1.2 - Released June 5, 2016 - Based on feedback from a number of DAST tool developers, and other vendors as well, we made the Benchmark more realistic in a number of ways to facilitate external DAST scanning, and also made the Benchmark more resilient against attack so it could properly survive various DAST vulnerability detection and exploit verification techniques.<br />
<br />
Plans for Benchmark 1.3:<br />
<br />
While we don't have hard and fast rules of exactly what we are going to do next, enhancements in the following areas are planned for the next release:<br />
<br />
* Add new vulnerability categories (e.g., XXE, Hibernate Injection)<br />
* Add support for popular server side Java frameworks (e.g., Spring)<br />
* Add web services test cases<br />
<br />
We are also starting to work on the ability to score WAFs/RASPs and other defensive technology against Benchmark.<br />
<br />
= FAQ =<br />
<br />
==1. How are the scores computed for the Benchmark?==<br />
<br />
Each test case has a single vulnerability of a specific type. Its either a real vulnerability (True Positive) or not (a False Positive). We document all the test cases for each version of the Benchmark in the expectedresults-VERSION#.csv file (e.g., expectedresults-1.1.csv). This file lists the test case name, the CWE type of the vulnerability, and whether it is a True Positive or not. The Benchmark supports scorecard generators for computing exactly how a tool did when analyzing a version of the Benchmark. The full list of supported tools is on the Tools Support/Results tab. For each tool there is a parser that can parse the native results format for that tool (usually XML). This parser simply, for each test case, looks to see if that tool reported a vulnerability of the type expected in the test case source code file (for SAST) or the test case URL (for DAST/IAST). If it did, and the test case was a True Positive, the tool gets credit for finding it. If it is a False Positive test, and the tool reports that type of finding, then its recorded as a False Positive. If the tool didn't report that type of vulnerability for a test case, then they get either a False Negative, or a True Negative as appropriate. After calculating all of the individual test case results, a scorecard is generated providing a chart and statistics for that tool across all the vulnerability categories, and pages are also created comparing different tools to each other in each vulnerability category (if multiple tools are being scored together).<br />
<br />
A detailed file explaining exactly how that tool did against each individual test case in that version of the Benchmark is produced as part of scorecard generation, and is available via the Actual Results link on each tool's scorecard page. (e.g., Benchmark_v1.1_Scorecard_for_FindBugs.csv).<br />
<br />
==2. What if the tool I'm using doesn't have a scorecard generator for it?==<br />
<br />
Send us the results file! We'll be happy to create a parser for that tool so its now supported.<br />
<br />
==3. What if a tool finds other unexpected vulnerabilities?==<br />
<br />
We are sure there are vulnerabilities we didn't intend to be there and we are eliminating them as we find them. If you find some, let us know and we'll fix them too. We are primarily focused on unintentional vulnerabilities in the categories of vulnerabilities the Benchmark currently supports, since that is what is actually measured.<br />
<br />
Right now, two types of vulnerabilities that get reported are ignored by the scorecard generator:<br />
# Vulnerabilities in categories not yet supported<br />
# Vulnerabilities of a type that is supported, but reported in test cases not of that type<br />
<br />
In the case of #2, false positives reported in unexpected areas are also ignored, which is primarily a DAST problem. Right now those false positives are completely ignored, but we are thinking about including them in the false positive score in some fashion. We just haven't decided how yet.<br />
<br />
==4. How should I configure my tool to scan the Benchmark?==<br />
<br />
All tools support various levels of configuration in order to improve their results. The Benchmark project, in general, is trying to '''compare out of the box capabilities of tools'''. However, if a few simple tweaks to a tool can be done to improve that tool's score, that's fine. We'd like to understand what those simple tweaks are, and document them here, so others can repeat those tests in exactly the same way. For example, just turn on the 'test cookies and headers' flag, which is off by default. Or turn on the 'advanced' scan, so it will work harder, find more vulnerabilities. Its simple things like this we are talking about, not an extensive effort to teach the tool about the app, or perform 'expert' configuration of the tool.<br />
<br />
So, if you know of some simple tweaks to improve a tool's results, let us know what they are and we'll document them here so everyone can benefit and make it easier to do apples to apples comparisons. And we'll link to that guidance once we start documenting it, but we don't have any such guidance right now.<br />
<br />
==5. I'm having difficulty scanning the Benchmark with a DAST tool. How can I get it to work?==<br />
<br />
We've run into 2 primary issues giving DAST tools problems.<br />
<br />
a) The Benchmark Generates Lots of Cookies<br />
<br />
The Burp team pointed out a cookies bug in the 1.2beta Benchmark. Each Weak Randomness test case generates its own cookie, 1 per test case. This caused the creation of so many cookies that servers would eventually start returning 400 errors because there were simply too many cookies being submitted in a request. This was fixed in the Aug 27, 2015 update to the Benchmark by setting the path attribute for each of these cookies to be the path to that individual test case. Now, only at most one of these cookies should be submitted with each request, eliminating this 'too many cookies' problem. However, if a DAST tool doesn't honor this path attribute, it may continue to send too many cookies, making the Benchmark unscannable for that tool. Burp Pro prior to 1.6.29 had this issue, but it was fixed in the 1.6.29 release.<br />
<br />
b) The Benchmark is a BIG Application<br />
<br />
Yes. It is, so you might have to give your scanner more memory than it normally uses by default in order to successfully scan the entire Benchmark. Please consult your tool vendor's documentation on how to give it more memory.<br />
<br />
Your machine itself might not have enough memory in the first place. For example, we were not able to successfully scan the 1.2beta with OWASP ZAP with only 8 Gig of RAM. So, you might need a more powerful machine or use a cloud provided machine to successfully scan the Benchmark with certain DAST tools. You may have similar problems with SAST tools against large versions of the Benchmark, like the 1.1 release.<br />
<br />
= Acknowledgements =<br />
<br />
The following people, organizations, and many others, have contributed to this project and their contributions are much appreciated!<br />
<br />
* Lots of Vendors - Many vendors have provided us with either trial licenses we can use, or they have run their tools themselves and either sent us results files, or written and contributed scorecard generators for their tool. Many have also provided valuable feedback so we can make the Benchmark more accurate and more realistic.<br />
* Juan Gama - Development of initial release and continued support<br />
* Ken Prole - Assistance with automated scorecard development using CodeDx<br />
* Nick Sanidas - Development of initial release<br />
* Denim Group - Contribution of scan results to facilitate scorecard development<br />
* Tasos Laskos - Significant feedback on the DAST version of the Benchmark<br />
* Ann Campbell - From SonarSource - for fixing our SonarQube results parser<br />
* Dhiraj Mishra - OWASP Member - contributed SQLi/XSS fuzz vectors as initial contribution towards adding support for WAF/RASP scoring<br />
<br />
[[File:CWE_Logo.jpeg|link=https://cwe.mitre.org/]] - The CWE project for providing a mapping mechanism to easily map test cases to issues found by vulnerability detection tools.<br />
<br />
We are looking for volunteers. Please contact [mailto:dave.wichers@owasp.org Dave Wichers] if you are interested in contributing new test cases, tool results run against the benchmark, or anything else.<br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project]]</div>Wichershttps://wiki.owasp.org/index.php?title=Benchmark&diff=252754Benchmark2019-07-01T19:20:45Z<p>Wichers: </p>
<hr />
<div>= Main = <br />
<div style="width:100%;height:100px;border:0,margin:0;overflow: hidden;">[[File:Lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== OWASP Benchmark Project ==<br />
The OWASP Benchmark for Security Automation (OWASP Benchmark) is a free and open test suite designed to evaluate the speed, coverage, and accuracy of automated software vulnerability detection tools and services (henceforth simply referred to as 'tools'). Without the ability to measure these tools, it is difficult to understand their strengths and weaknesses, and compare them to each other. Each version of the OWASP Benchmark contains thousands of test cases that are fully runnable and exploitable, each of which maps to the appropriate CWE number for that vulnerability.<br />
<br />
You can use the OWASP Benchmark with [[Source_Code_Analysis_Tools | Static Application Security Testing (SAST)]] tools, [[:Category:Vulnerability_Scanning_Tools | Dynamic Application Security Testing (DAST)]] tools like OWASP [[ZAP]] and Interactive Application Security Testing (IAST) tools. Benchmark is implemented in Java. Future versions may expand to include other languages.<br />
<br />
==Benchmark Project Scoring Philosophy==<br />
<br />
Security tools (SAST, DAST, and IAST) are amazing when they find a complex vulnerability in your code. But with widespread misunderstanding of the specific vulnerabilities automated tools cover, end users are often left with a false sense of security.<br />
<br />
We are on a quest to measure just how good these tools are at discovering and properly diagnosing security problems in applications. We rely on the [http://en.wikipedia.org/wiki/Receiver_operating_characteristic long history] of military and medical evaluation of detection technology as a foundation for our research. Therefore, the test suite tests both real and fake vulnerabilities.<br />
<br />
There are four possible test outcomes in the Benchmark:<br />
<br />
# Tool correctly identifies a real vulnerability (True Positive - TP)<br />
# Tool fails to identify a real vulnerability (False Negative - FN)<br />
# Tool correctly ignores a false alarm (True Negative - TN)<br />
# Tool fails to ignore a false alarm (False Positive - FP)<br />
<br />
We can learn a lot about a tool from these four metrics. Consider a tool that simply flags every line of code as vulnerable. This tool will perfectly identify all vulnerabilities! But it will also have 100% false positives and thus adds no value. Similarly, consider a tool that reports absolutely nothing. This tool will have zero false positives, but will also identify zero real vulnerabilities and is also worthless. You can even imagine a tool that flips a coin to decide whether to report whether each test case contains a vulnerability. The result would be 50% true positives and 50% false positives. We need a way to distinguish valuable security tools from these trivial ones.<br />
<br />
If you imagine the line that connects all these points, from 0,0 to 100,100 establishes a line that roughly translates to "random guessing." The ultimate measure of a security tool is how much better it can do than this line. The diagram below shows how we will evaluate security tools against the Benchmark.<br />
<br />
[[File:Wbe guide.png]]<br />
<br />
A point plotted on this chart provides a visual indication of how well a tool did considering both the True Positives the tool reported, as well as the False Positives it reported. We also want to compute an individual score for that point in the range 0 - 100, which we call the Benchmark Accuracy Score.<br />
<br />
The Benchmark Accuracy Score is essentially a [https://en.wikipedia.org/wiki/Youden%27s_J_statistic Youden Index], which is a standard way of summarizing the accuracy of a set of tests. Youden's index is one of the oldest measures for diagnostic accuracy. It is also a global measure of a test performance, used for the evaluation of overall discriminative power of a diagnostic procedure and for comparison of this test with other tests. Youden's index is calculated by deducting 1 from the sum of a test’s sensitivity and specificity expressed not as percentage but as a part of a whole number: (sensitivity + specificity) – 1. For a test with poor diagnostic accuracy, Youden's index equals 0, and in a perfect test Youden's index equals 1.<br />
<br />
So for example, if a tool has a True Positive Rate (TPR) of .98 (i.e., 98%) <br />
and False Positive Rate (FPR) of .05 (i.e., 5%)<br />
Sensitivity = TPR (.98)<br />
Specificity = 1-FPR (.95)<br />
So the Youden Index is (.98+.95) - 1 = .93<br />
<br />
And this would equate to a Benchmark score of 93 (since we normalize this to the range 0 - 100)<br />
<br />
On the graph, the Benchmark Score is the length of the line from the point down to the diagonal “guessing” line. Note that a Benchmark score can actually be negative if the point is below the line. This is caused when the False Positive Rate is actually higher than the True Positive Rate.<br />
<br />
==Benchmark Validity==<br />
<br />
The Benchmark tests are not exactly like real applications. The tests are derived from coding patterns observed in real applications, but the majority of them are considerably '''simpler''' than real applications. That is, most real world applications will be considerably harder to successfully analyze than the OWASP Benchmark Test Suite. Although the tests are based on real code, it is possible that some tests may have coding patterns that don't occur frequently in real code.<br />
<br />
Remember, we are trying to test the capabilities of the tools and make them explicit, so that users can make informed decisions about what tools to use, how to use them, and what results to expect. This is exactly aligned with the OWASP mission to make application security visible.<br />
<br />
==Generating Benchmark Scores==<br />
<br />
Anyone can use this Benchmark to evaluate vulnerability detection tools. The basic steps are:<br />
# Download the Benchmark from GitHub<br />
# Run your tools against the Benchmark<br />
# Run the BenchmarkScore tool on the reports from your tools<br />
<br />
That's it!<br />
<br />
Full details on how to do this are at the bottom of the page on the Quick_Start tab.<br />
<br />
We encourage both vendors, open source tools, and end users to verify their application security tools against the Benchmark. In order to ensure that the results are fair and useful, we ask that you follow a few simple rules when publishing results. We won't recognize any results that aren't easily reproducible:<br />
<br />
# A description of the default “out-of-the-box” installation, version numbers, etc…<br />
# Any and all configuration, tailoring, onboarding, etc… performed to make the tool run<br />
# Any and all changes to default security rules, tests, or checks used to achieve the results<br />
# Easily reproducible steps to run the tool<br />
<br />
== Reporting Format==<br />
<br />
The Benchmark includes tools to interpret raw tool output, compare it to the expected results, and generate summary charts and graphs. We use the following table format in order to capture all the information generated during the evaluation.<br />
<br />
{| class="wikitable nowraplinks"<br />
|-<br />
! style="background:#DDDDDD" | Security Category<br />
! TP<br />
! FN<br />
! TN<br />
! FP<br />
! style="background:#DDDDDD" | Total<br />
! TPR<br />
! FPR<br />
! style="background:#DDDDDD" | Score<br />
|-<br />
! style="background:#DDDDDD" valign="top" width="11%"| General security category for test cases.<br />
| valign="top" width="11%"| '''True Positives''': Tests with real vulnerabilities that were correctly reported as vulnerable by the tool.<br />
| valign="top" width="11%"| '''False Negative''': Tests with real vulnerabilities that were not correctly reported as vulnerable by the tool.<br />
| valign="top" width="11%"| '''True Negative''': Tests with fake vulnerabilities that were correctly not reported as vulnerable by the tool.<br />
| valign="top" width="11%"| '''False Positive''':Tests with fake vulnerabilities that were incorrectly reported as vulnerable by the tool.<br />
| style="background:#DDDDDD" valign="top" width="11%"| Total test cases for this category.<br />
| valign="top" width="11%"| '''True Positive Rate''': TP / ( TP + FN ) - Also referred to as Precision, as defined at [https://en.wikipedia.org/wiki/Precision_and_recall Wikipedia].<br />
| valign="top" width="11%"| '''False Positive Rate''': FP / ( FP + TN ).<br />
| style="background:#DDDDDD" valign="top" width="11%"| Normalized distance from the “guess line” TPR - FPR.<br />
|-<br />
! style="background:#DDDDDD" | Command Injection<br />
| ...<br />
| ...<br />
| ...<br />
| ...<br />
| style="background:#DDDDDD" | ...<br />
| ...<br />
| ...<br />
| style="background:#DDDDDD" | ...<br />
|-<br />
! style="background:#DDDDDD" | Etc...<br />
| ...<br />
| ...<br />
| ...<br />
| ...<br />
| style="background:#DDDDDD" | ...<br />
| ...<br />
| ...<br />
| style="background:#DDDDDD" | ...<br />
|-<br />
! style="background:#DDDDDD" | <br />
! Total TP<br />
! Total FN<br />
! Total TN<br />
! Total FP<br />
! style="background:#DDDDDD" | Total TC<br />
! Average TPR<br />
! Average FPR<br />
! style="background:#DDDDDD" | Average Score<br />
|}<br />
<br />
==Code Repo and Build/Run Instructions ==<br />
<br />
See the '''Getting Started''' and '''Getting, Building, and Running the Benchmark''' sections on the Quick Start tab.<br />
<br />
==Licensing==<br />
<br />
The OWASP Benchmark is free to use under the [http://choosealicense.com/licenses/gpl-2.0/ GNU General Public License v2.0].<br />
<br />
== Mailing List ==<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp-benchmark-project OWASP Benchmark Mailing List]<br />
<br />
== Project Leaders ==<br />
<br />
[https://www.owasp.org/index.php/User:Wichers Dave Wichers] [mailto:dave.wichers@owasp.org @]<br />
<br />
== Project References ==<br />
* [https://www.mir-swamp.org/#packages/public Software Assurance Marketplace (SWAMP) - set of curated packages to test tools against]<br />
* [http://samate.nist.gov/Other_Test_Collections.html SAMATE List of Test Collections]<br />
<br />
== Related Projects ==<br />
<br />
* [http://samate.nist.gov/SARD/testsuite.php NSA's Juliet for Java]<br />
* [http://sectoolmarket.com/ The Web Application Vulnerability Scanner Evaluation Project (WAVSEP)]<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
<br />
All test code and project files can be downloaded from [https://github.com/OWASP/benchmark OWASP GitHub].<br />
<br />
== Project Intro Video ==<br />
<br />
[[File:BenchmarkPodcastTitlePage.jpg|200px|link=https://www.youtube.com/watch?v=HQP8dwc3jJA&index=5&list=PLGB2s-U5FSWOmEStMt3JqlMFJvRYqeVW5]]<br />
<br />
== News and Events ==<br />
* LOOKING FOR VOLUNTEERS!! - We are looking for individuals and organizations to join and make this a much more community driven project, including additional coleaders to help take this project to the next level. Contributors could work on things like new test cases, additional tool scorecard generators, adding support for languages beyond Java, and a host of other improvements. Please contact [mailto:dave.wichers@owasp.org me] if you are interested in contributing at any level.<br />
* June 5, 2016 - Benchmark Version 1.2 Released<br />
* Sep 24, 2015 - Benchmark introduced to broader OWASP community at [https://appsecusa2015.sched.org/event/3r9k/using-the-owasp-benchmark-to-assess-automated-vulnerability-analysis-tools AppSec USA]<br />
* Aug 27, 2015 - U.S. Dept. of Homeland Security (DHS) is financially supporting the Benchmark project.<br />
* Aug 15, 2015 - Benchmark Version 1.2beta Released with full DAST Support. Checkmarx and ZAP scorecard generators also released.<br />
* July 10, 2015 - Benchmark Scorecard generator and open source scorecards released<br />
* May 23, 2015 - Benchmark Version 1.1 Released<br />
* April 15, 2015 - Benchmark Version 1.0 Released<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [http://choosealicense.com/licenses/gpl-2.0/ GNU General Public License v2.0]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= Test Cases =<br />
<br />
Version 1.0 of the Benchmark was published on April 15, 2015 and had 20,983 test cases. On May 23, 2015, version 1.1 of the Benchmark was released. The 1.1 release improves on the previous version by making sure that there are both true positives and false positives in every vulnerability area. Version 1.2 was released on June 5, 2016 (and the 1.2beta August 15, 2015).<br />
<br />
Version 1.2 and forward of the Benchmark is a fully executable web application, which means it is scannable by any kind of vulnerability detection tool. The 1.2 has been limited to slightly less than 3,000 test cases, to make it easier for DAST tools to scan it (so it doesn't take so long and they don't run out of memory, or blow up the size of their database). The 1.2 release covers the same vulnerability areas that 1.1 covers. We added a few Spring database SQL Injection tests, but that's it. The bulk of the work was turning each test case into something that actually runs correctly AND is fully exploitable, and then generating a UI on top of it that works in order to turn the test cases into a real running application.<br />
<br />
You can still download Benchmark version 1.1 by cloning the release marked with the GIT tag '1.1'.<br />
<br />
The test case areas and quantities for the Benchmark releases are:<br />
<br />
{| class="wikitable nowraplinks"<br />
|-<br />
! Vulnerability Area<br />
! # of Tests in v1.1<br />
! # of Tests in v1.2<br />
! CWE Number<br />
|-<br />
| [[Command Injection]]<br />
| 2708<br />
| 251<br />
| [https://cwe.mitre.org/data/definitions/78.html 78]<br />
|-<br />
| Weak Cryptography<br />
| 1440<br />
| 246<br />
| [https://cwe.mitre.org/data/definitions/327.html 327]<br />
|-<br />
| Weak Hashing<br />
| 1421<br />
| 236<br />
| [https://cwe.mitre.org/data/definitions/328.html 328]<br />
|-<br />
| [[LDAP injection | LDAP Injection]]<br />
| 736<br />
| 59<br />
| [https://cwe.mitre.org/data/definitions/90.html 90]<br />
|-<br />
| [[Path Traversal]]<br />
| 2630<br />
| 268<br />
| [https://cwe.mitre.org/data/definitions/22.html 22]<br />
|-<br />
| Secure Cookie Flag<br />
| 416<br />
| 67<br />
| [https://cwe.mitre.org/data/definitions/614.html 614]<br />
|-<br />
| [[SQL Injection]]<br />
| 3529<br />
| 504<br />
| [https://cwe.mitre.org/data/definitions/89.html 89]<br />
|-<br />
| [[Trust Boundary Violation]]<br />
| 725<br />
| 126<br />
| [https://cwe.mitre.org/data/definitions/501.html 501]<br />
|-<br />
| Weak Randomness<br />
| 3640<br />
| 493<br />
| [https://cwe.mitre.org/data/definitions/330.html 330]<br />
|-<br />
| [[XPATH Injection]]<br />
| 347<br />
| 35<br />
| [https://cwe.mitre.org/data/definitions/643.html 643]<br />
|-<br />
| [[XSS]] (Cross-Site Scripting)<br />
| 3449<br />
| 455<br />
| [https://cwe.mitre.org/data/definitions/79.html 79]<br />
|-<br />
| Total Test Cases<br />
| 21,041<br />
| 2,740<br />
|}<br />
<br />
Each Benchmark version comes with a spreadsheet that lists every test case, the vulnerability category, the CWE number, and the expected result (true finding/false positive). Look for the file: expectedresults-VERSION#.csv in the project root directory.<br />
<br />
Every test case is:<br />
* a servlet or JSP (currently they are all servlets, but we plan to add JSPs)<br />
* either a true vulnerability or a false positive for a single issue<br />
<br />
The Benchmark is intended to help determine how well analysis tools correctly analyze a broad array of application and framework behavior, including:<br />
<br />
* HTTP request and response problems<br />
* Simple and complex data flow<br />
* Simple and complex control flow<br />
* Popular frameworks<br />
* Inversion of control<br />
* Reflection<br />
* Class loading<br />
* Annotations<br />
* Popular UI technologies (particularly JavaScript frameworks)<br />
<br />
Not all of these are yet tested by the Benchmark but future enhancements intend to provide more coverage of these issues.<br />
<br />
Additional future enhancements could cover:<br />
* All vulnerability types in the [[Top10 | OWASP Top 10]]<br />
* Does the tool find flaws in libraries?<br />
* Does the tool find flaws spanning custom code and libraries?<br />
* Does tool handle web services? REST, XML, GWT, etc…<br />
* Does tool work with different app servers? Java platforms?<br />
<br />
== Example Test Case ==<br />
<br />
Each test case is a simple Java EE servlet. BenchmarkTest00001 in version 1.0 of the Benchmark was an LDAP Injection test with the following metadata in the accompanying BenchmarkTest00001.xml file:<br />
<br />
<test-metadata><br />
<category>ldapi</category><br />
<test-number>00001</test-number><br />
<vulnerability>true</vulnerability><br />
<cwe>90</cwe><br />
</test-metadata><br />
<br />
BenchmarkTest00001.java in the OWASP Benchmark 1.0 simply reads in all the cookie values, looks for a cookie named "foo", and uses the value of this cookie when performing an LDAP query. Here's the code for BenchmarkTest00001.java:<br />
<br />
package org.owasp.benchmark.testcode;<br />
<br />
import java.io.IOException;<br />
<br />
import javax.servlet.ServletException;<br />
import javax.servlet.annotation.WebServlet;<br />
import javax.servlet.http.HttpServlet;<br />
import javax.servlet.http.HttpServletRequest;<br />
import javax.servlet.http.HttpServletResponse;<br />
<br />
@WebServlet("/BenchmarkTest00001")<br />
public class BenchmarkTest00001 extends HttpServlet {<br />
<br />
private static final long serialVersionUID = 1L;<br />
<br />
@Override<br />
public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {<br />
doPost(request, response);<br />
}<br />
<br />
@Override<br />
public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {<br />
// some code<br />
<br />
javax.servlet.http.Cookie[] cookies = request.getCookies();<br />
<br />
String param = null;<br />
boolean foundit = false;<br />
if (cookies != null) {<br />
for (javax.servlet.http.Cookie cookie : cookies) {<br />
if (cookie.getName().equals("foo")) {<br />
param = cookie.getValue();<br />
foundit = true;<br />
}<br />
}<br />
if (!foundit) {<br />
// no cookie found in collection<br />
param = "";<br />
}<br />
} else {<br />
// no cookies<br />
param = "";<br />
}<br />
<br />
try {<br />
javax.naming.directory.DirContext dc = org.owasp.benchmark.helpers.Utils.getDirContext();<br />
Object[] filterArgs = {"a","b"};<br />
dc.search("name", param, filterArgs, new javax.naming.directory.SearchControls());<br />
} catch (javax.naming.NamingException e) {<br />
throw new ServletException(e);<br />
}<br />
}<br />
}<br />
<br />
= Test Case Details =<br />
<br />
The following describes situations in the Benchmark that have come up for debate as to the validity/accuracy of the test cases in these scenarios. <br />
<br />
== Cookies as a Source of Attack for XSS ==<br />
<br />
Benchmark v1.1 and early versions of the 1.2beta included test cases that used cookies as a source of data that flowed into XSS vulnerabilities. The Benchmark treated these tests as False Positives because the Benchmark team figured that you'd have to use an XSS vulnerability in the first place to set the cookie value, and so it wasn't fair/reasonable to consider an XSS vulnerability whose data source was a cookie value as actually exploitable. However, we got feedback from some tool vendors, like Fortify, Burp, and Arachni, that they disagreed with this analysis and felt that, in fact, cookies were a valid source of attack against XSS vulnerabilities. Given that there are good arguments on both sides of this safe vs. unsafe question, we decided on Aug 25, 2015 to simply remove those test cases from the Benchmark. If, in the future, we decide who is right, we may add such test cases back in.<br />
<br />
== Headers as a Source of Attack for XSS ==<br />
<br />
Similarly, the Benchmark team believes that the names of headers aren't a valid source of XSS attack for the same reason we thought cookie values aren't a valid source. Because it would require an XSS vulnerability to be exploited in the first place to set them. In fact, we feel that this argument is much stronger for header names, than cookie values. Right now, the Benchmark doesn't include any header names as sources for XSS test cases, but we plan to add them, and mark them as false positive in the Benchmark.<br />
<br />
We do have header values as sources for some XSS test cases in the Benchmark and only 'referer' is treated as a valid XSS source (i.e., true positives) because other headers are not viable XSS sources. Other headers are, of course, valid sources for other attack vectors, like SQL injection or Command Injection.<br />
<br />
== False Positive Scenario: Static Values Passed to Unsafe (Weak) Sinks ==<br />
<br />
The Benchmark has MANY test cases where unsafe data flows in from the browser, but that data is replaced with static content as it goes through the propagators in the that specific test case. This static (safe) data then flows to the sink, which may be a weak/unsafe sink, like, for example, an unsafely constructed SQL statement. The Benchmark treats those test cases as false positives because there is absolutely no way for that weakness to be exploited. The NSA Juliet SAST benchmark treats such test cases exactly the same way, as false positives. We do recognize that there are weaknesses in those test cases, even though they aren't exploitable.<br />
<br />
Some SAST tool vendors feel it is appropriate to point out those weaknesses, and that's fine. However, if the tool points those weaknesses out, and does not distinguish them from truly exploitable vulnerabilities, then the Benchmark treats those findings as false positives. If the tool allows a user to differentiate these non-exploitable weaknesses from exploitable vulnerabilities, then the Benchmark scorecard generator can use that information to filter out these extra findings (along with any other similarly marked findings) so they don't count against that tool when calculating that tool's Benchmark score. In the real world, its important for analysts to be able to filter out such findings if they only have time to deal with the most critical, actually exploitable, vulnerabilities. If a tool doesn't make it easy for an analyst to distinguish the two situations, then they are providing a disservice to the analyst.<br />
<br />
This issue doesn't affect DAST tools. They only report what appears to be exploitable to them. So this has no affect on them.<br />
<br />
If you are a SAST tool vendor or user, and you believe the Benchmark scorecard generator is counting such findings against that tool, and there is a way to tell them apart, please let the project team know so the scorecard generator can be adjusted to not count those findings against the tool. The Benchmark project's goal is the generate the most fair and accurate results it can generate. If such an adjustment is made to how a scorecard is generated for that tool, we plan to document this was done for that tool, and explain how others could perform the same filtering within that tool in order to get the same focused set of results.<br />
<br />
== Dead Code ==<br />
<br />
Some SAST tools point out weaknesses in dead code because they might eventually end up being used, and serve as bad coding examples (think cut/paste of code). We think this is fine/appropriate. However, there is no dead code in the OWASP Benchmark (at least not intentionally). So dead code should not be causing any tool to report unnecessary false positives.<br />
<br />
= Tool Support/Results =<br />
<br />
The results for 5 free tools, PMD, FindBugs, FindBugs with the FindSecBugs plugin, SonarQube and OWASP ZAP are available here against version 1.2 of the Benchmark: https://rawgit.com/OWASP/Benchmark/master/scorecard/OWASP_Benchmark_Home.html. We've included multiple versions of FindSecBugs' and ZAP's results so you can see the improvements they are making finding vulnerabilities in Benchmark.<br />
<br />
We have Benchmark results for all the following tools, but haven't publicly released the results for any commercial tools. However, we included a 'Commercial Average' page, which includes a summary of results for 6 commercial SAST tools along with anonymous versions of each SAST tool's scorecard.<br />
<br />
The Benchmark can generate results for the following tools: <br />
<br />
'''Free Static Application Security Testing (SAST) Tools:'''<br />
<br />
* [https://pmd.github.io/ PMD] (which really has no security rules) - .xml results file<br />
* [http://findbugs.sourceforge.net/ FindBugs] - .xml results file (Note: FindBugs hasn't been updated since 2015. Use SpotBugs instead (see below))<br />
* [https://www.sonarqube.org/downloads/ SonarQube] - .xml results file<br />
* [https://spotbugs.github.io/ SpotBugs] - .xml results file. This is the successor to FindBugs.<br />
* SpotBugs with the [http://find-sec-bugs.github.io/ FindSecurityBugs plugin] - .xml results file<br />
<br />
Note: We looked into supporting [http://checkstyle.sourceforge.net/ Checkstyle] but it has no security rules, just like PMD. The [http://fb-contrib.sourceforge.net/ fb-contrib] FindBugs plugin doesn't have any security rules either. We did test [http://errorprone.info/ Error Prone], and found that it does report some use of [http://errorprone.info/bugpattern/InsecureCipherMode) insecure ciphers (CWE-327)], but that's it.<br />
<br />
'''Commercial SAST Tools:'''<br />
<br />
* [https://www.castsoftware.com/products/application-intelligence-platform CAST Application Intelligence Platform (AIP)] - .xml results file<br />
* [https://www.checkmarx.com/products/static-application-security-testing/ Checkmarx CxSAST] - .xml results file<br />
* [https://www.ibm.com/us-en/marketplace/ibm-appscan-source IBM AppScan Source (Standalone and Cloud)] - .ozasmt or .xml results file<br />
* [https://juliasoft.com/solutions/julia-for-security/ Julia Analyzer] - .xml results file<br />
* [https://software.microfocus.com/en-us/products/static-code-analysis-sast/overview Micro Focus (Formally HPE) Fortify (On-Demand and stand-alone versions)] - .fpr results file<br />
* [https://www.parasoft.com/products/jtest/ Parasoft Jtest] - .xml results file<br />
* [https://www.shiftleft.io/product/ ShiftLeft SAST] - .sl results file (Benchmark specific format. Ask vendor how to generate this)<br />
* [https://snappycodeaudit.com/category/static-code-analysis Snappycode Audit's SnappyTick Source Edition (SAST)] - .xml results file<br />
* [https://www.sourcemeter.com/features/ SourceMeter] - .txt results file of ALL results from VulnerabilityHunter<br />
* [https://www.synopsys.com/content/dam/synopsys/sig-assets/datasheets/SAST-Coverity-datasheet.pdf Synopsys Static Analysis (Formerly Coverity Code Advisor) (On-Demand and stand-alone versions)] - .json results file (You can scan Benchmark w/Coverity for free. See: https://scan.coverity.com/)<br />
* [https://www.defensecode.com/thunderscan.php Thunderscan SAST] - .xml results file<br />
* [https://www.veracode.com/products/binary-static-analysis-sast Veracode SAST] - .xml results file<br />
* [https://www.rigs-it.com/xanitizer/ XANITIZER] - xml results file ([https://www.rigs-it.com/wp-content/uploads/2018/03/howtosetupxanitizerforowaspbenchmarkproject.pdf Their white paper on how to setup Xanitizer to scan Benchmark.]) (Free trial available)<br />
<br />
We are looking for results for other commercial static analysis tools like: [https://www.grammatech.com/products/codesonar Grammatech CodeSonar], [https://www.roguewave.com/products-services/klocwork RogueWave's Klocwork], etc. If you have a license for any static analysis tool not already listed above and can run it on the Benchmark and send us the results file that would be very helpful. <br />
<br />
The free SAST tools come bundled with the Benchmark so you can run them yourselves. If you have a license for any commercial SAST tool, you can also run them against the Benchmark. Just put your results files in the /results folder of the project, and then run the BenchmarkScore script for your platform (.sh / .bat) and it will generate a scorecard in the /scorecard directory for all the tools you have results for that are currently supported.<br />
<br />
'''Free Dynamic Application Security Testing (DAST) Tools:'''<br />
<br />
Note: While we support scorecard generators for these Free and Commercial DAST tools, we haven't been able to get a full/clean run against the Benchmark from most of these tools. As such, some of these scorecard generators might still need some work to properly reflect their results. If you notice any problems, let us know.<br />
<br />
* [http://www.arachni-scanner.com/ Arachni] - .xml results file<br />
** To generate .xml, run: ./bin/arachni_reporter "Your_AFR_Results_Filename.afr" --reporter=xml:outfile=Benchmark1.2-Arachni.xml<br />
* [https://www.owasp.org/index.php/ZAP OWASP ZAP] - .xml results file. To generate a complete ZAP XML results file so you can generate a valid scorecard, make sure you:<br />
** Tools > Options > Alerts - And set the Max alert instances to like 500.<br />
** Then: Report > Generate XML Report...<br />
<br />
'''Commercial DAST Tools:'''<br />
<br />
* [https://www.acunetix.com/vulnerability-scanner/ Acunetix Web Vulnerability Scanner (WVS)] - .xml results file (Generated using [https://www.acunetix.com/resources/wvs7manual.pdf command line interface (see Chapter 10.)] /ExportXML switch)<br />
* [https://portswigger.net/burp Burp Pro] - .xml results file<br />
* [https://www.ibm.com/us-en/marketplace/appscan-standard IBM AppScan] - .xml results file<br />
* [https://software.microfocus.com/en-us/products/webinspect-dynamic-analysis-dast/overview Micro Focus (Formally HPE) WebInspect] - .xml results file<br />
* [https://www.netsparker.com/web-vulnerability-scanner/ Netsparker] - .xml results file<br />
* [https://www.qualys.com/apps/web-app-scanning/ Qualys Web App Scanner] - .xml results file<br />
* [https://www.rapid7.com/products/appspider/ Rapid7 AppSpider] - .xml results file<br />
<br />
If you have access to other DAST Tools, PLEASE RUN THEM FOR US against the Benchmark, and send us the results file so we can build a scorecard generator for that tool.<br />
<br />
'''Commercial Interactive Application Security Testing (IAST) Tools:'''<br />
<br />
* [https://www.contrastsecurity.com/interactive-application-security-testing-iast Contrast Assess] - .zip results file (You can scan Benchmark w/Contrast for free. See: https://www.contrastsecurity.com/contrast-community-edition)<br />
* [https://hdivsecurity.com/interactive-application-security-testing-iast Hdiv Detection (IAST)] - .hlg results file<br />
* [https://www.synopsys.com/software-integrity/security-testing/interactive-application-security-testing.html Seeker IAST] - .csv results file<br />
<br />
'''Commercial Hybrid Analysis Application Security Testing Tools:'''<br />
<br />
* [http://www.iappsecure.com/products.html Fusion Lite Insight] - .xml results file<br />
<br />
<br />
'''WARNING: If you generate results for a commercial tool, be careful who you distribute it to. Each tool has its own license defining when any results it produces can be released/made public. It may be against the terms of a commercial tool's license to publicly release that tool's score against the OWASP Benchmark. The OWASP Benchmark project takes no responsibility if someone else releases such results.'''<br />
<br />
The project has automated test harnesses for these vulnerability detection tools, so we can repeatably run the tools against each version of the Benchmark and automatically produce scorecards in our desired format.<br />
<br />
We want to test as many tools as possible against the Benchmark. If you are:<br />
<br />
* A tool vendor and want to participate in the project<br />
* Someone who wants to help score a free tool against the project<br />
* Someone who has a license to a commercial tool and the terms of the license allow you to publish tool results, and you want to participate<br />
<br />
please let [mailto:dave.wichers@owasp.org me] know!<br />
<br />
= Quick Start =<br />
<br />
==What is in the Benchmark?==<br />
The Benchmark is a Java Maven project. Its primary component is thousands of test cases (e.g., BenchmarkTest00001.java) , each of which is a single Java servlet that contains a single vulnerability (either a true positive or false positive). The vulnerabilities span about a dozen different types currently and are expected to expand significantly in the future.<br />
<br />
An expectedresults.csv is published with each version of the Benchmark (e.g., expectedresults-1.1.csv) and it specifically lists the expected results for each test case. Here’s what the first two rows in this file looks like for version 1.1 of the Benchmark:<br />
<br />
# test name category real vulnerability CWE Benchmark version: 1.1 2015-05-22<br />
BenchmarkTest00001 crypto TRUE 327<br />
<br />
This simply means that the first test case is a crypto test case (use of weak cryptographic algorithms), this is a real vulnerability (as opposed to a false positive), and this issue maps to CWE 327. It also indicates this expected results file is for Benchmark version 1.1 (produced May 22, 2015). There is a row in this file for each of the tens of thousands of test cases in the Benchmark. Each time a new version of the Benchmark is published, a new corresponding results file is generated and each test case can be completely different from one version to the next.<br />
<br />
The Benchmark also comes with a bunch of different utilities, commands, and prepackaged open source security analysis tools, all of which can be executed through Maven goals, including:<br />
<br />
* Open source vulnerability detection tools to be run against the Benchmark<br />
* A scorecard generator, which computes a scorecard for each of the tools you have results files for.<br />
<br />
==What Can You Do With the Benchmark?==<br />
* Compile all the software in the Benchmark project (e.g., mvn compile)<br />
* Run a static vulnerability analysis tool (SAST) against the Benchmark test case code<br />
<br />
* Scan a running version of the Benchmark with a dynamic application security testing tool (DAST)<br />
** Instructions on how to run it are provided below<br />
<br />
* Generate scorecards for each of the tools you have results files for<br />
** See the Tool Support/Results page for the list of tools the Benchmark supports generating scorecards for<br />
<br />
==Getting Started==<br />
Before downloading or using the Benchmark make sure you have the following installed and configured properly:<br />
<br />
GIT: http://git-scm.com/ or https://github.com/<br />
Maven: https://maven.apache.org/ (Version: 3.2.3 or newer works.)<br />
Java: http://www.oracle.com/technetwork/java/javase/downloads/index.html (Java 7 or 8) (64-bit)<br />
<br />
==Getting, Building, and Running the Benchmark==<br />
<br />
To download and build everything:<br />
<br />
$ git clone https://github.com/OWASP/benchmark <br />
$ cd benchmark<br />
$ mvn compile (This compiles it)<br />
$ runBenchmark.sh/.bat - This compiles and runs it.<br />
<br />
Then navigate to: https://localhost:8443/benchmark/ to go to its home page. It uses a self signed SSL certificate, so you'll get a security warning when you hit the home page.<br />
<br />
Note: We have set the Benchmark app to use up to 6 Gig of RAM, which it may need when it is fully scanned by a DAST scanner. The DAST tool probably also requires 3+ Gig of RAM. As such, we recommend having a 16 Gig machine if you are going to try to run a full DAST scan. And at least 4 or ideally 8 Gig if you are going to play around with the running Benchmark app.<br />
<br />
== Using a VM instead ==<br />
We have several preconstructed VMs or instructions on how to build one that you can use instead:<br />
<br />
* Docker: A Dockerfile is checked into the project [https://github.com/OWASP/Benchmark/blob/master/VMs/Dockerfile here]. This Docker file should automatically produce a Docker VM with the latest Benchmark project files. After you have Docker installed, cd to /VMs then run: <br />
./buildDockerImage.sh --> This builds the Docker Benchmark VM (This will take a WHILE)<br />
docker images --> You should see the new benchmark:latest image in the list provided<br />
# The Benchmark Docker Image only has to be created once. <br />
<br />
To run the Benchmark in your Docker VM, just run:<br />
./runDockerImage.sh --> This pulls in any updates to Benchmark since the Image was built, builds everything, and starts a remotely accessible Benchmark web app.<br />
If successful, you should see this at the end:<br />
[INFO] [talledLocalContainer] Tomcat 8.x started on port [8443]<br />
[INFO] Press Ctrl-C to stop the container...<br />
Then simply navigate to: https://localhost:8443/benchmark from the machine you are running Docker<br />
<br />
Or if you want to access from a different machine:<br />
docker-machine ls (in a different terminal) --> To get IP Docker VM is exporting (e.g., tcp://192.168.99.100:2376)<br />
Navigate to: https://192.168.99.100:8443/benchmark in your browser (using the above IP as an example)<br />
<br />
* Amazon Web Services (AWS) - Here's how you set up the Benchmark on an AWS VM:<br />
sudo yum install git<br />
sudo yum install maven<br />
sudo yum install mvn<br />
sudo wget http://repos.fedorapeople.org/repos/dchen/apache-maven/epel-apache-maven.repo -O /etc/yum.repos.d/epel-apache-maven.repo<br />
sudo sed -i s/\$releasever/6/g /etc/yum.repos.d/epel-apache-maven.repo<br />
sudo yum install -y apache-maven<br />
git clone https://github.com/OWASP/benchmark<br />
cd benchmark<br />
chmod 755 *.sh<br />
./runBenchmark.sh -- to run it locally on the VM.<br />
./runRemoteAccessibleBenchmark.sh -- to run it so it can be accessed outside the VM (on port 8443).<br />
<br />
==Running Free Static Analysis Tools Against the Benchmark==<br />
There are scripts for running each of the free SAST vulnerability detection tools included with the Benchmark against the Benchmark test cases. On Linux, you might have to make them executable (e.g., chmod 755 *.sh) before you can run them.<br />
<br />
Generating Test Results for PMD:<br />
<br />
$ ./scripts/runPMD.sh (Linux) or .\scripts\runPMD.bat (Windows)<br />
<br />
Generating Test Results for FindBugs:<br />
<br />
$ ./scripts/runFindBugs.sh (Linux) or .\scripts\runFindBugs.bat (Windows)<br />
<br />
Generating Test Results for FindBugs with the FindSecBugs plugin:<br />
<br />
$ ./scripts/runFindSecBugs.sh (Linux) or .\scripts\runFindSecBugs.bat (Windows)<br />
<br />
In each case, the script will generate a results file and put it in the /results directory. For example: <br />
<br />
Benchmark_1.2-findbugs-v3.0.1-1026.xml<br />
<br />
This results file name is carefully constructed to mean the following: It's a results file against the OWASP Benchmark version 1.2, FindBugs was the analysis tool, it was version 3.0.1 of FindBugs, and it took 1026 seconds to run the analysis.<br />
<br />
NOTE: If you create a results file yourself, by running a commercial tool for example, you can add the version # and the compute time to the filename just like this and the Benchmark Scorecard generator will pick this information up and include it in the generated scorecard. If you don't, depending on what metadata is included in the tool results, the Scorecard generator might do this automatically anyway.<br />
<br />
==Generating Scorecards==<br />
The scorecard generation application BenchmarkScore is included with the Benchmark. It parses the output files generated by any of the supported security tools run against the Benchmark and compares them against the expected results, and produces a set of web pages that detail the accuracy and speed of the tools involved. For the list of currently supported tools, check out the: Tools Support/Results tab. If you are using a tool that is not yet supported, simply send us a results file from that tool and we'll write a parser for that tool and add it to the supported tools list.<br />
<br />
The following command will compute a Benchmark scorecard for all the results files in the '''/results''' directory. The generated scorecard is put into the '''/scorecard''' directory.<br />
<br />
createScorecard.sh (Linux) or createScorecard.bat (Windows)<br />
<br />
An example of a real scorecard for some open source tools is provided at the top of the Tool Support/Results tab so you can see what one looks like.<br />
<br />
We recommend including the Benchmark version number in any results file name, in order to help prevent mismatches between the expected results and the actual results files. A tool will not score well against the wrong expected results.<br />
<br />
===Customizing Your Scorecard Generation===<br />
<br />
The createScorecard scripts are very simple. They only have one line. Here's what the 1.2 version looks like:<br />
<br />
mvn validate -Pbenchmarkscore -Dexec.args="expectedresults-1.2.csv results"<br />
<br />
This Maven command simply says to run the BenchmarkScore application, passing in two parameters. The 1st is the Benchmark expected results file to compare the tool results against. And the 2nd is the name of the directory that contains all the results from tools run against that version of the Benchmark. If you have tool results older than the current version of the Benchmark, like 1.1 results for example, then you would do something like this instead:<br />
<br />
mvn validate -Pbenchmarkscore -Dexec.args="expectedresults-1.1.csv 1.1_results"<br />
<br />
To keep things organized, we actually put the expected results file inside the same results folder for that version of the Benchmark, so our command looks like this:<br />
<br />
mvn validate -Pbenchmarkscore -Dexec.args="1.1_results/expectedresults-1.1.csv 1.1_results"<br />
<br />
In all cases, the generated scorecard is put in the /scorecard folder.<br />
<br />
'''WARNING: If you generate results for a commercial tool, be careful who you distribute it to. Each tool has its own license defining when any results it produces can be released/made public. It is likely to be against the terms of a commercial tool's license to publicly release that tool's score against the OWASP Benchmark. The OWASP Benchmark project takes no responsibility if someone else releases such results.''' It is for just this reason that the Benchmark project isn't releasing such results itself.<br />
<br />
= Tool Scanning Tips =<br />
<br />
People frequently have difficulty scanning the Benchmark with various tools due to many reasons, including size of the Benchmark app and its codebase, and complexity of the tools used. Here is some guidance for some of the tools we have used to scan the Benchmark. If you've learned any tricks on how to get better or easier results for a particular tool against the Benchmark, let us know or update this page directly.<br />
<br />
== Generic Tips ==<br />
<br />
Because of the size of the Benchmark, you may need to give your tool more memory before it starts the scan. If its a Java based tool, you may want to pass more memory to it like this:<br />
<br />
-Xmx4G (This gives the Java application 4 Gig of memory)<br />
<br />
== SAST Tools ==<br />
<br />
=== Checkmarx ===<br />
<br />
The Checkmarx SAST Tool (CxSAST) is ready to scan the OWASP Benchmark out-of-the-box. <br />
Please notice that the OWASP Benchmark “hides” some vulnerabilities in dead code areas, for example:<br />
<syntaxhighlight lang="java"><br />
if (0>1)<br />
{<br />
//vulnerable code<br />
}</syntaxhighlight><br />
By default, CxSAST will find these vulnerabilities since Checkmarx believes that including dead code in the scan results is a SAST best practice. <br />
<br />
Checkmarx's experience shows that security experts expect to find these types of code vulnerabilities, and demand that their developers fix them. However, OWASP Benchmark considers the flagging of these vulnerabilities as False Positives, as a result lowering Checkmarx's overall score. <br />
<br />
Therefore, in order to receive an OWASP score untainted by dead code, re-configure CxSAST as follows:<br />
# Open the CxAudit client for editing Java queries.<br />
# Override the "Find_Dead_Code" query.<br />
# Add the commented text of the original query to the new override query.<br />
# Save the queries.<br />
<br />
=== FindBugs ===<br />
<br />
We include this free tool in the Benchmark and its all dialed in. Simply run the script: ./script/runFindBugs.(sh or bat). If you want to run a different version of FindBugs, just change its version number in the Benchmark pom.xml file.<br />
<br />
=== FindBugs with FindSecBugs ===<br />
<br />
[http://h3xstream.github.io/find-sec-bugs/ FindSecurityBugs] is a great plugin for FindBugs that significantly increases the ability for FindBugs to find security issues. We include this free tool in the Benchmark and its all dialed in. Simply run the script: ./script/runFindSecBugs.(sh or bat). If you want to run a different version of FindSecBugs, just change the version number of the findsecbugs-plugin artifact in the Benchmark pom.xml file.<br />
<br />
=== Micro Focus (Formally HP) Fortify ===<br />
<br />
If you are using the Audit Workbench, you can give it more memory and make sure you invoke it in 64-bit mode by doing this:<br />
<br />
set AWB_VM_OPTS="-Xmx2G -XX:MaxPermSize=256m"<br />
export AWB_VM_OPTS="-Xmx2G -XX:MaxPermSize=256m"<br />
auditworkbench -64<br />
<br />
We found it was easier to use the Maven support in Fortify to scan the Benchmark and to do it in 2 phases, translate, and then scan. We did something like this:<br />
<br />
Translate Phase:<br />
export JAVA_HOME=$(/usr/libexec/java_home)<br />
export PATH=$PATH:/Applications/HP_Fortify/HP_Fortify_SCA_and_Apps_17.10/bin<br />
export SCA_VM_OPTS="-Xmx2G -version 1.7"<br />
mvn sca:clean<br />
mvn sca:translate<br />
<br />
Scan Phase:<br />
export JAVA_HOME=$(/usr/libexec/java_home)<br />
export PATH=$PATH:/Applications/HP_Fortify/HP_Fortify_SCA_and_Apps_4.10/bin<br />
export SCA_VM_OPTS="-Xmx10G -version 1.7"<br />
mvn sca:scan<br />
<br />
=== PMD ===<br />
<br />
We include this free tool in the Benchmark and its all dialed in. Simply run the script: ./script/runPMD.(sh or bat). If you want to run a different version of PMD, just change its version number in the Benchmark pom.xml file. (NOTE: PMD doesn't find any security issues. We include it because its interesting to know that it doesn't.)<br />
<br />
=== SonarQube ===<br />
<br />
We include this free tool in the Benchmark and its mostly dialed in. But its a bit tricky because SonarQube requires two parts. There is a stand alone scanner for Java. And then there is a web application that accepts the results, and in turn can then produce the results file required by the Benchmark scorecard generator for SonarQube. Running the script runSonarQube.(sh or bat) will generate the results, but if the SonarQube Web Application isn't running where the runSonarQube script expects it to be, then the script will fail.<br />
<br />
If you want to run a different version of SonarQube, just change its version number in the Benchmark pom.xml file.<br />
<br />
=== Xanitizer ===<br />
<br />
The vendor has written their own guide to [http://www.rigs-it.net/opendownloads/whitepapers/HowToSetUpXanitizerForOWASPBenchmarkProject.pdf How to Set Up Xanitizer for OWASP Benchmark].<br />
<br />
== DAST Tools ==<br />
<br />
=== Burp Pro ===<br />
<br />
You must use Burp Pro v1.6.29 or greater to scan the Benchmark due to a previous limitation in Burp Pro related to ensuring the path attribute for cookies was honored. This issue was fixed in the v1.6.29 release.<br />
<br />
To scan, first spider the entire Benchmark, and then select the /Benchmark URL and actively scan that branch. You can skip all the .html pages and any other pages that Burp says have no parameters.<br />
<br />
NOTE: We have been unable to simply run Burp Pro against the entire Benchmark in one shot. In our experience, it eventually freezes/stops scanning. We've had to run it against each test area one at a time. If you figure out how to get Burp Pro to scan all of Benchmark in one shot, let us know how you did it!<br />
<br />
=== OWASP ZAP ===<br />
<br />
ZAP may require additional memory to be able to scan the Benchmark. To configure the amount of memory:<br />
* Tools --> Options --> JVM: Recommend setting to: -Xmx2048m (or larger). (Then restart ZAP).<br />
<br />
To run ZAP against Benchmark:<br />
# Because Benchmark uses Cookies and Headers as sources of attack for many test cases: Tools --> Options --> Active Scan Input Vectors: Then check the HTTP Headers, All Requests, and Cookie Data checkboxes and hit OK<br />
# Click on Show All Tabs button (if spider tab isn't visible)<br />
# Go to Spider tab (the black spider) and click on New Scan button<br />
# Enter: https://localhost:8443/benchmark/ into the 'Starting Point' box and hit 'Start Scan'<br />
#* Do this again. For some reason it takes 2 passes with the Spider before it stops finding more Benchmark endpoints.<br />
# When Spider completes, click on 'benchmark' folder in Site Map, right click and select: 'Attack --> Active Scan'<br />
#* It will take several hours, like 3+ to complete (it's actually likely to simply freeze before completing the scan - see NOTE: below)<br />
<br />
For faster active scan you can<br />
* Disable the ZAP DB log (in ZAP 2.5.0+):<br />
** Disable it via Options / Database / Recover Log<br />
** Set it on the command line using "-config database.recoverylog=false"<br />
* Disable unnecessary plugins / Technologies: When you launch the Active Scan<br />
** On the Policy tab, disable all plugins except: XSS (Reflected), Path Traversal, SQLi, OS Command Injection<br />
** Go the Technology Tab, disable everything and only enable: MySQL, YOUR_OS, Tomcat<br />
** Note: This 2nd performance improvement step is a bit like cheating as you wouldn't do this for a normal site scan. You'd want to leave all this on in case these other plugins/technologies are helpful in finding more issues. So a fair performance comparison of ZAP to other tools would leave all this on.<br />
<br />
To generate the ZAP XML results file so you can generate its scorecard:<br />
* Tools > Options > Alerts - And set the Max alert instances to like 500.<br />
* Then: Report > Generate XML Report...<br />
<br />
NOTE: Similar to Burp, we can't simply run ZAP against the entire Benchmark in one shot. In our experience, it eventually freezes/stops scanning. We've had to run it against each test area one at a time. If you figure out how to get ZAP to scan all of Benchmark in one shot, let us know how you did it!<br />
<br />
Things we tried that didn't improve the score:<br />
* AJAX Spider - the traditional spider appears to find all (or 99%) of the test cases so the AJAX Spider does not appear to be needed against Benchmark v1.2<br />
* XSS (Persistent) - There are 3 of these plugins that run by default. There aren't any stored XSS in Benchmark, so you can disable these plugins for a faster scan.<br />
* DOM XSS Plugin - This is an optional plugin that didn't seem to find any additional XSS issues. There aren't an DOM specific XSS issues in Benchmark v1.2, so not surprising.<br />
<br />
== IAST Tools ==<br />
<br />
Interactive Application Security Testing (IAST) tools work differently than scanners. IAST tools monitor an application as it runs to identify application vulnerabilities using context from inside the running application. Typically these tools run continuously, immediately notifying users of vulnerabilities, but you can also get a full report of an entire application. To do this, we simply run the Benchmark application with an IAST agent and use a crawler to hit all the pages.<br />
<br />
=== Contrast Assess ===<br />
<br />
To use Contrast Assess, we simply add the Java agent to the Benchmark environment and run the BenchmarkCrawler. The entire process should only take a few minutes. We provided a few scripts, which simply add the -javaagent:contrast.jar flag to the Benchmark launch configuration. We have tested on MacOS, Ubuntu, and Windows. Be sure your VM has at least 4M of memory.<br />
<br />
* Ensure your environment has Java, Maven, and git installed, then build the Benchmark project<br />
'''$ git clone https://github.com/OWASP/Benchmark.git'''<br />
'''$ cd Benchmark'''<br />
'''$ mvn compile'''<br />
<br />
* Download a licensed copy of the Contrast Assess Java Agent (contrast.jar) from your Contrast TeamServer account and put it in the /Benchmark/tools/Contrast directory.<br />
'''$ cp ~/Downloads/contrast.jar tools/Contrast'''<br />
<br />
* In Terminal 1, launch the Benchmark application and wait until it starts<br />
'''$ cd tools/Contrast <br />
'''$ ./runBenchmark_wContrast.sh''' (.bat on Windows)<br />
'''[INFO] Scanning for projects...<br />
'''[INFO] <br />
'''[INFO] ------------------------------------------------------------------------<br />
'''[INFO] Building OWASP Benchmark Project 1.2<br />
'''[INFO] ------------------------------------------------------------------------<br />
'''[INFO] <br />
'''...<br />
'''[INFO] [talledLocalContainer] Tomcat 8.x started on port [8443]'''<br />
'''[INFO] Press Ctrl-C to stop the container...'''<br />
<br />
* In Terminal 2, launch the crawler and wait a minute or two for the crawl to complete.<br />
'''$ ./runCrawler.sh''' (.bat on Windows)<br />
<br />
* A Contrast report has been generated in /Benchmark/tools/Contrast/working/contrast.log. This report will be automatically copied (and renamed with version number) to /Benchmark/results directory.<br />
'''$ more tools/Contrast/working/contrast.log'''<br />
'''2016-04-22 12:29:29,716 [main b] INFO - Contrast Runtime Engine<br />
'''2016-04-22 12:29:29,717 [main b] INFO - Copyright (C) 2012<br />
'''2016-04-22 12:29:29,717 [main b] INFO - Pat. 8,458,789 B2<br />
'''2016-04-22 12:29:29,717 [main b] INFO - Contrast Security, Inc.<br />
'''2016-04-22 12:29:29,717 [main b] INFO - All Rights Reserved<br />
'''2016-04-22 12:29:29,717 [main b] INFO - https://www.contrastsecurity.com/<br />
'''...'''<br />
<br />
* Press Ctrl-C to stop the Benchmark in Terminal 1. Note: on Windows, select "N" when asked Terminate batch job (Y/N))<br />
'''[INFO] [talledLocalContainer] Tomcat 8.x is stopped'''<br />
'''Copying Contrast report to results directory'''<br />
<br />
* In Terminal 2, generate scorecards in /Benchmark/scorecard<br />
'''$ ./createScorecards.sh''' (.bat on Windows)<br />
'''Analyzing results from Benchmark_1.2-Contrast.log<br />
'''Actual results file generated: /Users/owasp/Projects/Benchmark/scorecard/Benchmark_v1.2_Scorecard_for_Contrast.csv<br />
'''Report written to: /Users/owasp/Projects/Benchmark/scorecard/Benchmark_v1.2_Scorecard_for_Contrast.html<br />
<br />
* Open the Benchmark Scorecard in your browser<br />
'''/Users/owasp/Projects/Benchmark/scorecard/Benchmark_v1.2_Scorecard_for_Contrast.html'''<br />
<br />
=== Hdiv Detection ===<br />
<br />
Hdiv has written their own instructions on how to run the detection component of their product on the Benchmark here: https://hdivsecurity.com/docs/features/benchmark/#how-to-run-hdiv-in-owasp-benchmark-project. You'll see that these instructions involve using the same crawler used to exercise all the test cases in the Benchmark, just like Contrast above.<br />
<br />
= RoadMap =<br />
<br />
Benchmark v1.0 - Released April 15, 2015 - This initial release included over 20,000 test cases in 11 different vulnerability categories. As this initial version was not a runnable application, it was only suitable for assessing static analysis tools (SAST).<br />
<br />
Benchmark v1.1 - Released May 23, 2015 - This update fixed some inaccurate test cases, and made sure that every vulnerability area included both True Positives and False Positives.<br />
<br />
Benchmark Scorecard Generator - Released July 10, 2015 - The ability to automatically and repeatably produce a scorecard of how well tools do against the Benchmark was released for most of the SAST tools supported by the Benchmark. Scorecards present graphical as well as statistical data on how well a tool does against the Benchmark down to the level of detail of how exactly it did against each individual test in the Benchmark. [https://rawgit.com/OWASP/Benchmark/master/scorecard/OWASP_Benchmark_Home.html Here are the latest public scorecards]. Support for producing scorecards for additional tools is being added all the time and the current full set is documented on the '''Tool Support/Results''' and '''Quick Start''' tabs of this wiki.<br />
<br />
Benchmark v1.2beta - Released Aug 15, 2015 - The 1st release of a fully runnable version of the Benchmark to support assessing all types of vulnerability detection and prevention technologies, including DAST, IAST, RASP, WAFs, etc. This involved creating a user interface for every test case, and enhancing each test case to make sure its actually exploitable, not just uses something that is theoretically weak. This release is under 3,000 test cases to make it practical to scan the entire Benchmark with a DAST tool in a reasonable amount of time, with commodity hardware specs.<br />
<br />
Benchmark 1.2 - Released June 5, 2016 - Based on feedback from a number of DAST tool developers, and other vendors as well, we made the Benchmark more realistic in a number of ways to facilitate external DAST scanning, and also made the Benchmark more resilient against attack so it could properly survive various DAST vulnerability detection and exploit verification techniques.<br />
<br />
Plans for Benchmark 1.3:<br />
<br />
While we don't have hard and fast rules of exactly what we are going to do next, enhancements in the following areas are planned for the next release:<br />
<br />
* Add new vulnerability categories (e.g., XXE, Hibernate Injection)<br />
* Add support for popular server side Java frameworks (e.g., Spring)<br />
* Add web services test cases<br />
<br />
We are also starting to work on the ability to score WAFs/RASPs and other defensive technology against Benchmark.<br />
<br />
= FAQ =<br />
<br />
==1. How are the scores computed for the Benchmark?==<br />
<br />
Each test case has a single vulnerability of a specific type. Its either a real vulnerability (True Positive) or not (a False Positive). We document all the test cases for each version of the Benchmark in the expectedresults-VERSION#.csv file (e.g., expectedresults-1.1.csv). This file lists the test case name, the CWE type of the vulnerability, and whether it is a True Positive or not. The Benchmark supports scorecard generators for computing exactly how a tool did when analyzing a version of the Benchmark. The full list of supported tools is on the Tools Support/Results tab. For each tool there is a parser that can parse the native results format for that tool (usually XML). This parser simply, for each test case, looks to see if that tool reported a vulnerability of the type expected in the test case source code file (for SAST) or the test case URL (for DAST/IAST). If it did, and the test case was a True Positive, the tool gets credit for finding it. If it is a False Positive test, and the tool reports that type of finding, then its recorded as a False Positive. If the tool didn't report that type of vulnerability for a test case, then they get either a False Negative, or a True Negative as appropriate. After calculating all of the individual test case results, a scorecard is generated providing a chart and statistics for that tool across all the vulnerability categories, and pages are also created comparing different tools to each other in each vulnerability category (if multiple tools are being scored together).<br />
<br />
A detailed file explaining exactly how that tool did against each individual test case in that version of the Benchmark is produced as part of scorecard generation, and is available via the Actual Results link on each tool's scorecard page. (e.g., Benchmark_v1.1_Scorecard_for_FindBugs.csv).<br />
<br />
==2. What if the tool I'm using doesn't have a scorecard generator for it?==<br />
<br />
Send us the results file! We'll be happy to create a parser for that tool so its now supported.<br />
<br />
==3. What if a tool finds other unexpected vulnerabilities?==<br />
<br />
We are sure there are vulnerabilities we didn't intend to be there and we are eliminating them as we find them. If you find some, let us know and we'll fix them too. We are primarily focused on unintentional vulnerabilities in the categories of vulnerabilities the Benchmark currently supports, since that is what is actually measured.<br />
<br />
Right now, two types of vulnerabilities that get reported are ignored by the scorecard generator:<br />
# Vulnerabilities in categories not yet supported<br />
# Vulnerabilities of a type that is supported, but reported in test cases not of that type<br />
<br />
In the case of #2, false positives reported in unexpected areas are also ignored, which is primarily a DAST problem. Right now those false positives are completely ignored, but we are thinking about including them in the false positive score in some fashion. We just haven't decided how yet.<br />
<br />
==4. How should I configure my tool to scan the Benchmark?==<br />
<br />
All tools support various levels of configuration in order to improve their results. The Benchmark project, in general, is trying to '''compare out of the box capabilities of tools'''. However, if a few simple tweaks to a tool can be done to improve that tool's score, that's fine. We'd like to understand what those simple tweaks are, and document them here, so others can repeat those tests in exactly the same way. For example, just turn on the 'test cookies and headers' flag, which is off by default. Or turn on the 'advanced' scan, so it will work harder, find more vulnerabilities. Its simple things like this we are talking about, not an extensive effort to teach the tool about the app, or perform 'expert' configuration of the tool.<br />
<br />
So, if you know of some simple tweaks to improve a tool's results, let us know what they are and we'll document them here so everyone can benefit and make it easier to do apples to apples comparisons. And we'll link to that guidance once we start documenting it, but we don't have any such guidance right now.<br />
<br />
==5. I'm having difficulty scanning the Benchmark with a DAST tool. How can I get it to work?==<br />
<br />
We've run into 2 primary issues giving DAST tools problems.<br />
<br />
a) The Benchmark Generates Lots of Cookies<br />
<br />
The Burp team pointed out a cookies bug in the 1.2beta Benchmark. Each Weak Randomness test case generates its own cookie, 1 per test case. This caused the creation of so many cookies that servers would eventually start returning 400 errors because there were simply too many cookies being submitted in a request. This was fixed in the Aug 27, 2015 update to the Benchmark by setting the path attribute for each of these cookies to be the path to that individual test case. Now, only at most one of these cookies should be submitted with each request, eliminating this 'too many cookies' problem. However, if a DAST tool doesn't honor this path attribute, it may continue to send too many cookies, making the Benchmark unscannable for that tool. Burp Pro prior to 1.6.29 had this issue, but it was fixed in the 1.6.29 release.<br />
<br />
b) The Benchmark is a BIG Application<br />
<br />
Yes. It is, so you might have to give your scanner more memory than it normally uses by default in order to successfully scan the entire Benchmark. Please consult your tool vendor's documentation on how to give it more memory.<br />
<br />
Your machine itself might not have enough memory in the first place. For example, we were not able to successfully scan the 1.2beta with OWASP ZAP with only 8 Gig of RAM. So, you might need a more powerful machine or use a cloud provided machine to successfully scan the Benchmark with certain DAST tools. You may have similar problems with SAST tools against large versions of the Benchmark, like the 1.1 release.<br />
<br />
= Acknowledgements =<br />
<br />
The following people, organizations, and many others, have contributed to this project and their contributions are much appreciated!<br />
<br />
* Lots of Vendors - Many vendors have provided us with either trial licenses we can use, or they have run their tools themselves and either sent us results files, or written and contributed scorecard generators for their tool. Many have also provided valuable feedback so we can make the Benchmark more accurate and more realistic.<br />
* Juan Gama - Development of initial release and continued support<br />
* Ken Prole - Assistance with automated scorecard development using CodeDx<br />
* Nick Sanidas - Development of initial release<br />
* Denim Group - Contribution of scan results to facilitate scorecard development<br />
* Tasos Laskos - Significant feedback on the DAST version of the Benchmark<br />
* Ann Campbell - From SonarSource - for fixing our SonarQube results parser<br />
* Dhiraj Mishra - OWASP Member - contributed SQLi/XSS fuzz vectors as initial contribution towards adding support for WAF/RASP scoring<br />
<br />
[[File:CWE_Logo.jpeg|link=https://cwe.mitre.org/]] - The CWE project for providing a mapping mechanism to easily map test cases to issues found by vulnerability detection tools.<br />
<br />
We are looking for volunteers. Please contact [mailto:dave.wichers@owasp.org Dave Wichers] if you are interested in contributing new test cases, tool results run against the benchmark, or anything else.<br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project]]</div>Wichershttps://wiki.owasp.org/index.php?title=Source_Code_Analysis_Tools&diff=252065Source Code Analysis Tools2019-06-03T22:09:42Z<p>Wichers: </p>
<hr />
<div>[[Static_Code_Analysis | Source code analysis]] tools, also referred to as Static Application Security Testing (SAST) Tools, are designed to analyze source code and/or compiled versions of code to help find security flaws. <br />
<br />
Some tools are starting to move into the IDE. For the types of problems that can be detected during the software development phase itself, this is a powerful phase within the development life cycle to employ such tools, as it provides immediate feedback to the developer on issues they might be introducing into the code during code development itself. This immediate feedback is very useful, especially when compared to finding vulnerabilities much later in the development cycle.<br />
<br />
== Strengths and Weaknesses ==<br />
<br />
=== Strengths ===<br />
<br />
* Scales well -- can be run on lots of software, and can be run repeatedly (as with nightly builds or continuous integration)<br />
* Useful for things that such tools can automatically find with high confidence, such as buffer overflows, SQL Injection Flaws, and so forth<br />
* Output is good for developers -- highlights the precise source files, line numbers, and even subsections of lines that are affected<br />
<br />
=== Weaknesses ===<br />
<br />
* Many types of security vulnerabilities are difficult to find automatically, such as authentication problems, access control issues, insecure use of cryptography, etc. The current state of the art only allows such tools to automatically find a relatively small percentage of application security flaws. However, tools of this type are getting better.<br />
* High numbers of false positives.<br />
* Frequently can't find configuration issues, since they are not represented in the code.<br />
* Difficult to 'prove' that an identified security issue is an actual vulnerability.<br />
* Many of these tools have difficulty analyzing code that can't be compiled. Analysts frequently can't compile code because they don't have the right libraries, all the compilation instructions, all the code, etc.<br />
<br />
==Important Selection Criteria==<br />
<br />
* Requirement: Must support your programming language, but not usually a key factor once it does.<br />
* Types of vulnerabilities it can detect (out of the [[OWASP Top Ten]]?) (plus more?)<br />
* How accurate is it? False Positive/False Negative rates?<br />
** Does the tool have an OWASP [[Benchmark]] score?<br />
* Does it understand the libraries/frameworks you use?<br />
* Does it require a fully buildable set of source?<br />
* Can it run against binaries instead of source?<br />
* Can it be integrated into the developer's IDE?<br />
* How hard is it to setup/use?<br />
* Can it be run continuously and automatically?<br />
* License cost for the tool. (Some are sold per user, per org, per app, per line of code analyzed. Consulting licenses are frequently different than end user licenses.)<br />
<br />
==OWASP Tools Of This Type==<br />
<br />
* [[OWASP SonarQube Project]]<br />
* [http://www.owasp.org/index.php/Category:OWASP_Orizon_Project OWASP Orizon Project]<br />
* [[OWASP_LAPSE_Project | OWASP LAPSE Project]]<br />
* [[OWASP O2 Platform]]<br />
* [[OWASP WAP-Web Application Protection]]<br />
<br />
==Disclaimer==<br />
<br />
Disclaimer: <b>The tools listed in the tables below are presented in alphabetical order. <i>OWASP does not endorse any of the vendors or tools by listing them in the table below.</i> We have made every effort to provide this information as accurately as possible. If you are the vendor of a tool below and think that this information is incomplete or incorrect, please send an e-mail to our mailing list and we will make every effort to correct this information.</b><br />
<br />
==Open Source or Free Tools Of This Type==<br />
<br />
* [https://wiki.openstack.org/wiki/Security/Projects/Bandit Bandit] - bandit is a comprehensive source vulnerability scanner for Python<br />
* [http://brakemanscanner.org/ Brakeman] - Brakeman is an open source vulnerability scanner specifically designed for Ruby on Rails applications<br />
* [http://rubygems.org/gems/codesake-dawn Codesake Dawn] - Codesake Dawn is an open source security source code analyzer designed for Sinatra, Padrino for Ruby on Rails applications. It also works on non-web applications written in Ruby<br />
* [http://findbugs.sourceforge.net/ FindBugs] - (Legacy - NOT Maintained - Use SpotBugs (see below) instead) - Find bugs (including a few security flaws) in Java programs<br />
* [https://find-sec-bugs.github.io/ FindSecBugs] - A security specific plugin for SpotBugs that significantly improves SpotBugs's ability to find security vulnerabilities in Java programs. Works with the old FindBugs too,<br />
* [http://www.dwheeler.com/flawfinder/ Flawfinder] Flawfinder - Scans C and C++<br />
* [https://www.bishopfox.com/resources/tools/google-hacking-diggity/attack-tools/ Google CodeSearchDiggity] - Uses Google Code Search to identifies vulnerabilities in open source code projects hosted by Google Code, MS CodePlex, SourceForge, Github, and more. The tool comes with over 130 default searches that identify SQL injection, cross-site scripting (XSS), insecure remote and local file includes, hard-coded passwords, and much more. ''Essentially, Google CodeSearchDiggity provides a source code security analysis of nearly every single open source code project in existence – simultaneously.''<br />
* [https://github.com/wireghoul/graudit/ Graudit] - Scans multiple languages for various security flaws.<br />
* [https://lgtm.com/help/lgtm/about-lgtm LGTM] - A free for open source static analysis service that automatically monitors commits to publicly accessible code in: Bitbucket Cloud, GitHub, or GitLab. Supports C/C++, C#, COBOL (in beta), Java, JavaScript/TypeScript, Python<br />
* [https://dotnet-security-guard.github.io/ .NET Security Guard] - Roslyn analyzers that aim to help security audits on .NET applications. It will find SQL injections, LDAP injections, XXE, cryptography weakness, XSS and more.<br />
* [https://github.com/FloeDesignTechnologies/phpcs-security-audit phpcs-security-audit] - phpcs-security-audit is a set of PHP_CodeSniffer rules that finds flaws or weaknesses related to security in PHP and its popular CMS or frameworks. It currently has core PHP rules as well as Drupal 7 specific rules.<br />
* [http://pmd.sourceforge.net/ PMD] - PMD scans Java source code and looks for potential code problems (this is a code quality tool that does not focus on security issues)<br />
* [http://msdn.microsoft.com/en-us/library/ms933794.aspx PreFast] (Microsoft) - PREfast is a static analysis tool that identifies defects in C/C++ programs. Last update 2006.<br />
* [https://github.com/designsecurity/progpilot Progpilot] - Progpilot is a static analyzer tool for PHP that detects security vulnerabilities such as XSS and SQL Injection.<br />
* [https://pumascan.com/ Puma Scan] - Puma Scan is a .NET C# open source static source code analyzer that runs as an IDE plugin for Visual Studio and via MSBuild in CI pipelines.<br />
* [https://pyre-check.org/ Pyre] - A performant type-checker for Python 3, that also has [https://pyre-check.org/docs/static-analysis.html limited security/data flow analysis] capabilities.<br />
* [http://rips-scanner.sourceforge.net/ RIPS] - RIPS Open Source is a static source code analyzer for vulnerabilities in PHP web applications. Please see notes on the sourceforge.net site.<br />
* [http://www.sonarqube.org/ SonarQube] - Scans source code for more than 20 languages for Bugs, Vulnerabilities, and Code Smells. SonarQube IDE plugins for Eclipse, Visual Studio, and IntelliJ provided by [http://www.sonarlint.org/ SonarLint].<br />
* [https://spotbugs.github.io/ SpotBugs] - This is the active fork replacement for FindBugs, which is not maintained anymore.<br />
* [http://sourceforge.net/projects/visualcodegrepp/ VisualCodeGrepper (VCG)] - Scans C/C++, C#, VB, PHP, Java, and PL/SQL for security issues and for comments which may indicate defective code. The config files can be used to carry out additional checks for banned functions or functions which commonly cause security issues.<br />
<br />
[https://docs.gitlab.com/ee/user/application_security/sast/index.html#supported-languages-and-frameworks GitLab has lashed a free SAST tool for a bunch of different languages natively into GitLab. So you might be able to use that, or at least identify a free SAST tool for the language you need from that list].<br />
<br />
==Commercial Tools Of This Type==<br />
* [https://www.ptsecurity.com/ww-en/products/ai/ Application Inspector] (Positive Technologies) - combines SAST, DAST, IAST, SCA, configuration analysis and other technologies, incl. unique abstract interpretation; has capability to generate test queries (exploits) to verify detected vulnerabilities during SAST analysis; Supported languages include: Java, C#, PHP, JavaScript, Objective C, VB.Net, PL/SQL, T-SQL, and others. <br />
* [https://www.ibm.com/us-en/marketplace/application-security-on-cloud Application Security on Cloud] (IBM) - Provides SAST, DAST and mobile security testing as well as OpenSource library known vulnerability detection as a cloud service. <br />
* [https://www.ibm.com/us-en/marketplace/ibm-appscan-source AppScan Source] (IBM)<br />
* [https://www.blueclosure.com BlueClosure BC Detect] (BlueClosure) - Analyzes client-side JavaScript.<br />
* [https://bugscout.io/en/ bugScout] (Nalbatech, Formally Buguroo)<br />
* [https://www.castsoftware.com/products/application-intelligence-platform CAST AIP] (CAST) Performs static and architectural analysis to identify numerous types of security issues. Supports over 30 languages. [https://www.castsoftware.com/solutions/application-security/cwe#SupportedSecurityStandards AIP's security specific coverage is here].<br />
* [https://www.codacy.com/ Codacy] Offers security patterns for languages such as Python, Ruby, Scala, Java, JavaScript and more. Integrates with tools such as Brakeman, Bandit, FindBugs, and others. (free for open source projects)<br />
* [https://www.grammatech.com/products/codesonar CodeSonar] tool that supports C, C++, Java and C# and maps against the OWASP top 10 vulnerabilities.<br />
* [https://www.contrastsecurity.com/interactive-application-security-testing-iast Contrast Assess] (Contrast Security) - Contrast performs code security without actually doing static analysis. Contrast does Interactive Application Security Testing (IAST), correlating runtime code & data analysis. It provides code level results without actually relying on static analysis.<br />
* [http://www.coverity.com/products/code-advisor/ Coverity Code Advisor] (Synopsys)<br />
* [https://www.checkmarx.com/technology/static-code-analysis-sca/ CxSAST] (Checkmarx)<br />
* [http://www8.hp.com/us/en/software-solutions/static-code-analysis-sast/ Fortify] (Micro Focus, Formally HP)<br />
* [https://hdivsecurity.com/interactive-application-security-testing-iast Hdiv Detection] (Hdiv Security) - Hdiv performs code security without actually doing static analysis. Hdiv does Interactive Application Security Testing (IAST), correlating runtime code & data analysis. It provides code-level results without actually relying on static analysis.<br />
* [http://www.juliasoft.com/solutions Julia] (JuliaSoft) - SaaS Java static analysis<br />
* [http://www.klocwork.com/capabilities/static-code-analysis KlocWork] (KlocWork)<br />
* [https://www.kiuwan.com/code-analysis/ Kiuwan] (an [http://www.optimyth.com Optimyth] company) - SaaS Software Quality & Security Analysis<br />
* [http://www.parasoft.com/jsp/capabilities/static_analysis.jsp?itemId=547 Parasoft Test] (Parasoft)<br />
* [https://pitss.com/products/pitss-con/ PITSS.CON] (PITTS)<br />
* [https://www.ptsecurity.com/ww-en/products/ai/ PT Application Inspector] combines SAST, DAST, IAST, SCA, configuration analysis and other technologies, incl. unique abstract interpretation for high accuracy rate with minimum false positives; has a unique capability to generate special test queries (exploits) to verify detected vulnerabilities during SAST analysis; integrates with CI/CD, VCS, etc. PT AI helps to easily understand, verify, and fix flaws; has a simple UI; is highly automated and easy to use. Supported languages are Java, C#, PHP, JavaScript, Objective C, VB.Net, PL/SQL, T-SQL, and others.<br />
* [https://pumascanpro.com/ Puma Scan Professional] - A .NET C# static source code analyzer that runs as a Visual Studio IDE extension, Azure DevOps extension, and Command Line (CLI) executable.<br />
* [http://www.viva64.com/en/ PVS-Studio] (PVS-Studio) - For C/C++, C#<br />
* [https://www.softwaresecured.com/reshift reshift] - A CI/CD tool that uses static code analysis to scan for vulnerabilities and uses machine learning to give a prediction on false positives. Supports Java with future support for NodeJS and JavaScript planned for sometime in 2019.<br />
* [https://www.ripstech.com/ RIPS Code Analysis] (RIPS Technologies) - A SAST solution specialized for Java and PHP that detects unknown security vulnerabilities and code quality issues.<br />
* [https://www.synopsys.com/software-integrity/resources/datasheets/secureassist.html SecureAssist] (Synopsys) - Scans code for insecure coding and configurations automatically as an IDE plugin for Eclipse, IntelliJ, and Visual Studio etc. Supports (Java, .NET, PHP, and JavaScript)<br />
* [https://www.whitehatsec.com/products/static-application-security-testing/ Sentinel Source] (Whitehat)<br />
* [https://www.synopsys.com/software-integrity/products/interactive-application-security-testing.html Seeker] (Synopsys) Seeker performs code security without actually doing static analysis. Seeker does Interactive Application Security Testing (IAST), correlating runtime code & data analysis with simulated attacks. It provides code level results without actually relying on static analysis.<br />
* [http://www.sourcepatrol.co.uk/ Source Patrol] (Pentest)<br />
* [https://www.defensecode.com/thunderscan.php Thunderscan SAST] (DefenseCode)<br />
* [http://www.veracode.com/products/binary-static-analysis-sast Veracode Static Analysis] (Veracode)<br />
* [http://www.xanitizer.net Xanitizer] - Scans Java for security vulnerabilities, mainly via taint analysis. Free for academic and open source projects (see [https://www.rigs-it.com/xanitizer-pricing/]).<br />
<br />
==More info==<br />
<br />
* [[Appendix_A:_Testing_Tools | Appendix A: Testing Tools]]<br />
* [http://samate.nist.gov/index.php/Source_Code_Security_Analyzers.html NIST's list of Source Code Security Analysis Tools]<br />
* [[:Category:Vulnerability_Scanning_Tools | DAST Tools]] - Similar info on Dynamic Application Security Testing (DAST) Tools<br />
* [[Free for Open Source Application Security Tools]] - This page lists the Commercial Source Code Analysis Tools (SAST) we know of that are free for Open Source<br />
<br />
[[Category:OWASP .NET Project]]<br />
[[Category:SAMM-CR-2]]<br />
__NOTOC__</div>Wichershttps://wiki.owasp.org/index.php?title=Category:OWASP_AntiSamy_Project_.Java&diff=251474Category:OWASP AntiSamy Project .Java2019-05-13T22:08:12Z<p>Wichers: Delete this page.</p>
<hr />
<div></div>Wichershttps://wiki.owasp.org/index.php?title=Category:OWASP_AntiSamy_Project&diff=251471Category:OWASP AntiSamy Project2019-05-13T22:06:29Z<p>Wichers: </p>
<hr />
<div>{|<br />
|-<br />
! width="700" align="center" | <br> <br />
! width="500" align="center" | <br><br />
|-<br />
| align="right" | <br />
| align="right" | <br />
|}<br />
=Main=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP AntiSamy Project==<br />
<br />
OWASP AntiSamy is a library for HTML and CSS encoding.<br />
<br />
==Introduction==<br />
<br />
AntiSamy was originally authored by Arshan Dabirsiaghi (arshan.dabirsiaghi [at the] gmail.com) of Contrast Security with help from Jason Li (jason.li [at the] owasp.org) of Aspect Security (http://www.aspectsecurity.com/).<br />
<br />
==Description==<br />
<br />
The OWASP AntiSamy project is a few things. Technically, it is an API for ensuring user-supplied HTML/CSS is in compliance within an application's rules. Another way of saying that could be: It's an API that helps you make sure that clients don't supply malicious cargo code in the HTML they supply for their profile, comments, etc., that get persisted on the server. The term "malicious code" in regards to web applications usually mean "JavaScript." Cascading Stylesheets are only considered malicious when they invoke the JavaScript engine. However, there are many situations where "normal" HTML and CSS can be used in a malicious manner. So we take care of that too.<br />
<br />
Philosophically, AntiSamy is a departure from contemporary security mechanisms. Generally, the security mechanism and user have a communication that is virtually one way, for good reason. Letting the potential attacker know details about the validation is considered unwise as it allows the attacker to "learn" and "recon" the mechanism for weaknesses. These types of information leaks can also hurt in ways you don't expect. A login mechanism that tells the user, "Username invalid" leaks the fact that a user by that name does not exist. A user could use a dictionary or phone book or both to remotely come up with a list of valid usernames. Using this information, an attacker could launch a brute force attack or massive account lock denial-of-service. We get that.<br />
<br />
Unfortunately, that's just not very usable in this situation. Typical Internet users are largely pretty bad when it comes to writing HTML/CSS, so where do they get their HTML from? Usually they copy it from somewhere out on the web. Simply rejecting their input without any clue as to why is jolting and annoying. Annoyed users go somewhere else to do their social networking.<br />
<br />
The [[OWASP_Licenses|OWASP licensing policy]] (further explained in the [[Membership|membership FAQ]]) allows OWASP projects to be released under any [http://www.opensource.org/licenses/alphabetical approved open source license]. Under these guidelines, AntiSamy is distributed under a [http://www.opensource.org/licenses/bsd-license.php BSD license].<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is AntiSamy ==<br />
<br />
OWASP AntiSamy provides:<br />
<br />
[[AntiSamy Version Differences|This page]] shows a big-picture comparison between the versions. Since it's an unfunded open source project, the ports can't be expected to mirror functionality exactly. If there's something a port is missing -- let us know, and we'll try to accommodate, or write a patch! <br />
<br />
<br />
== Presentations ==<br />
<br />
From OWASP & WASC AppSec U.S. 2007 Conference (San Jose, CA): [http://www.owasp.org/images/e/e9/OWASP-WASCAppSec2007SanJose_AntiSamy.ppt AntiSamy - Picking a Fight with XSS (ppt)] - by Arshan Dabirsiaghi - AntiSamy project lead<br />
<br />
From OWASP AppSec Europe 2008 (Ghent, Belgium): [http://www.owasp.org/images/4/47/AppSecEU08-AntiSamy.ppt The OWASP AntiSamy project (ppt)] - by Jason Li - AntiSamy project contributor<br />
<br />
From OWASP AppSec India 2008 (Delhi, India): [https://www.owasp.org/images/9/9d/AppSecIN08-ValidatingRichUserContent.ppt Validating Rich User Content (ppt)] - by Jason Li - AntiSamy project contributor<br />
<br />
From Shmoocon 2009 (Washington, DC): [http://www.shmoocon.org/2009/slides/OWASP%20Winter%202009%20Shmoocon%20-%20Anti%20Samy.pptx AntiSamy - Picking a Fight with XSS (pptx)] - by Arshan Dabirsiaghi - AntiSamy project lead<br />
<br />
<br />
== Project Leader ==<br />
<br />
[mailto:arshan.dabirsiaghi@gmail.com Arshan Dabirsiaghi]<br />
<br />
<br />
== Related Projects ==<br />
<br />
== Ohloh ==<br />
<br />
* https://www.ohloh.net/p/owaspantisamy<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" | <br />
<br />
== News and Events ==<br />
* [26 Sep 2017] Please update AntiSamy to 1.5.5 or later per [https://nvd.nist.gov/vuln/detail/CVE-2016-10006 CVE-2016-10006]<br />
* [20 Nov 2013] News 2<br />
* [30 Sep 2013] News 1<br />
<br />
== In Print ==<br />
This project can be purchased as a print on demand book from Lulu.com<br />
<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= How do I get started? =<br />
<br />
There's 4 steps in the process of integrating AntiSamy. Each step is detailed in the next section, but the high level overview follows:<br />
# Download AntiSamy from Maven<br />
# Choose one of the standard policy files that matches as close to the functionality you need:<br />
#* antisamy-tinymce-X.X.X.xml<br />
#* antisamy-slashdot-X.X.X.xml<br />
#* antisamy-ebay-X.X.X.xml<br />
#* antisamy-myspace-X.X.X.xml<br />
#* antisamy-anythinggoes-X.X.X.xml<br />
# Tailor the policy file according to your site's rules<br />
# Call the API from the code<br />
<br />
=== Stage 1 - Downloading AntiSamy ===<br />
<br />
First, add the dependency from Maven:<br />
<br />
<dependency><br />
<groupId>org.owasp.antisamy</groupId><br />
<projectId>antisamy</projectId><br />
</dependency><br />
<br />
=== Stage 2 - Choosing a base policy file ===<br />
<br />
Chances are that your site's use case for AntiSamy is at least roughly comparable to one of the predefined policy files. They each represent a "typical" scenario for allowing users to provide HTML (and possibly CSS) formatting information. Let's look into the different policy files:<br />
<br />
1) antisamy-slashdot.xml<br />
<br />
Slashdot (http://www.slashdot.org/) is a techie news site that allows users to respond anonymously to news posts with very limited HTML markup. Now Slashdot is not only one of the coolest sites around, it's also one that's been subject to many different successful attacks. Even more unfortunate is the fact that most of the attacks led users to the infamous goatse.cx picture (please don't go look it up). The rules for Slashdot are fairly strict: users can only submit the following HTML tags and no CSS: &lt;b&gt;, &lt;u&gt;, &lt;i&gt;, &lt;a&gt;, &lt;blockquote&gt;. <br />
<br />
Accordingly, we've built a policy file that allows fairly similar functionality. All text-formatting tags that operate directly on the font, color or emphasis have been allowed. <br />
<br />
2) antisamy-ebay.xml<br />
<br />
eBay (http://www.ebay.com/) is the most popular online auction site in the universe, as far as I can tell. It is a public site so anyone is allowed to post listings with rich HTML content. It's not surprising that given the attractiveness of eBay as a target that it has been subject to a few complex XSS attacks. Listings are allowed to contain much more rich content than, say, Slashdot- so it's attack surface is considerably larger. The following tags appear to be accepted by eBay (they don't publish rules): <a>,...<br />
<br />
3) antisamy-myspace.xml<br />
<br />
MySpace (http://www.myspace.com/) was, at the time this project was born, arguably the most popular social networking site today. Users were allowed to submit pretty much all HTML and CSS they want - as long as it doesn't contain JavaScript. MySpace was using a word blacklist to validate users' HTML, which is why they were subject to the infamous Samy worm (http://namb.la/). The Samy worm, which used fragmentation attacks combined with a word that should have been blacklisted (eval) - was the inspiration for the project. <br />
<br />
4) antisamy-anythinggoes.xml<br />
<br />
I don't know of a possible use case for this policy file. If you wanted to allow every single valid HTML and CSS element (but without JavaScript or blatant CSS-related phishing attacks), you can use this policy file. Not even MySpace was _this_ crazy. However, it does serve as a good reference because it contains base rules for every element, so you can use it as a knowledge base when using tailoring the other policy files.<br />
<br />
=== Stage 3 - Tailoring the policy file ===<br />
<br />
Smaller organizations may want to deploy AntiSamy in a default configuration, but it's equally likely that a site may want to have strict, business-driven rules for what users can allow. The discussion that decides the tailoring should also consider attack surface - which grows in relative proportion to the policy file.<br />
<br />
You may also want to enable/modify some "directives", which are basically advanced user options. [[AntiSamy Directives|This page]] tells you what the directives are and which versions support them.<br />
<br />
=== Stage 4 - Calling the AntiSamy API ===<br />
<br />
Using AntiSamy is easy. Here is an example of invoking AntiSamy with a policy file:<br />
<br />
import org.owasp.validator.html.*;<br />
<br />
Policy policy = Policy.getInstance(POLICY_FILE_LOCATION);<br />
<br />
AntiSamy as = new AntiSamy();<br />
CleanResults cr = as.scan(dirtyInput, policy);<br />
<br />
MyUserDAO.storeUserProfile(cr.getCleanHTML()); // some custom function<br />
<br />
There are a few ways to create a Policy object. The <code>getInstance()</code> method can take any of the following:<br />
* a String filename<br />
* a File object<br />
* an InputStream <br />
<br />
Policy files can also be referenced by filename by passing a second argument to the <code>AntiSamy:scan()</code> method as the following examples show:<br />
<br />
AntiSamy as = new AntiSamy();<br />
CleanResults cr = as.scan(dirtyInput, policyFilePath);</pre></code><br />
<br />
Finally, policy files can also be referenced by File objects directly in the second parameter:<br />
<br />
AntiSamy as = new AntiSamy();<br />
CleanResults cr = as.scan(dirtyInput, new File(policyFilePath));<br />
<br />
=== Stage 5 - Analyzing CleanResults ===<br />
<br />
The CleanResults object provides a lot of useful stuff. <br />
<br />
<code>getErrorMessages()</code> - a list of <code>String</code> error messages<br />
<br />
<code>getCleanHTML()</code> - the clean, safe HTML output<br />
<br />
<code>getCleanXMLDocumentFragment()</code> - the clean, safe <code>XMLDocumentFragment</code> which is reflected in <code>getCleanHTML()</code><br />
<br />
<code>getScanTime()</code> - returns the scan time in seconds<br />
<br />
= Acknowledgements =<br />
== Contacting us ==<br />
There are two ways of getting information on AntiSamy. The mailing list, and contacting the project lead directly.<br />
<br />
=== OWASP AntiSamy mailing list ===<br />
The first is the mailing list which is located at https://lists.owasp.org/mailman/listinfo/owasp-antisamy. The list was previously private and the archives have been cleared with the release of version 1.0. We encourage all prospective and current users and bored attackers to join in the conversation. We're happy to brainstorm attack scenarios, discuss regular expressions and help with integration.<br />
<br />
=== Emailing the project lead ===<br />
<br />
For content which is not appropriate for the public mailing list, you can alternatively contact the project lead, Arshan Dabirsiaghi, at [arshan.dabirsiaghi] at [contrastsecurity.com] or Dave Wichers at [dave.wichers] at [owasp.org].<br />
<br />
=== Issue tracking ===<br />
<br />
Visit the [https://github.com/nahsra/antisamy/issues GitHub issue tracker].<br />
<br />
==Sponsors==<br />
The AntiSamy project is sponsored by [https://www.contrastsecurity.com/ Contrast Security].<br />
<br />
The initial Java project was sponsored by the [[OWASP Spring Of Code 2007|OWASP Spring Of Code 2007]]. The .NET project was sponsored by the [[OWASP Summer of Code 2008]].<br />
<br />
= Road Map =<br />
This section details the status of the various ports of AntiSamy.<br />
<br />
=== Grails ===<br />
Daniel Bower created a [http://www.grails.org/plugin/sanitizer Grails plugin] for AntiSamy.<br />
<br />
=== .NET ===<br />
A .NET port of AntiSamy is available now at the [[:Category:OWASP AntiSamy Project .NET|OWASP AntiSamy .NET]] page. The project was funded by a Summer of Code 2008 grant and was developed by Jerry Hoff. However, this version of AntiSamy has not been updated in a while.<br />
<br />
This port is no longer under active development, and is looking for a few good developers to help make it feature-synchronized with the Java version. If it doesn't suit your needs, consider Microsoft's [http://blogs.msdn.com/b/securitytools/archive/2009/09/01/html-sanitization-in-anti-xss-library.aspx AntiXSS] library.<br />
<br />
=== Python ===<br />
A port of AntiSamy to Python was attempted, but has been abandoned since 2010. Michael Coates suggests you check out project Bleach instead: https://pypi.org/project/bleach/<br />
<br />
=== PHP ===<br />
Although a PHP version was initially planned, we now suggest [http://htmlpurifier.org HTMLPurifier] for safe rich input validation for PHP applications.<br />
<br />
=Project About=<br />
== Project's Assessment ==<br />
<br />
This project was assessed by [[:User:Jeff Williams|Jeff Williams]] and his evaluation can be seen [http://spreadsheets.google.com/ccc?key=pAX6n7m2zaTW-JtGBqixbTw '''here'''].<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project|AntiSamy Project]]<br />
[[Category:OWASP Tool]]<br />
[[Category:OWASP Download]]<br />
[[Category:OWASP Release Quality Tool]]<br />
<br />
{{OWASP Builders}}</div>Wichershttps://wiki.owasp.org/index.php?title=Source_Code_Analysis_Tools&diff=250775Source Code Analysis Tools2019-04-29T18:21:37Z<p>Wichers: </p>
<hr />
<div>[[Static_Code_Analysis | Source code analysis]] tools, also referred to as Static Application Security Testing (SAST) Tools, are designed to analyze source code and/or compiled versions of code to help find security flaws. <br />
<br />
Some tools are starting to move into the IDE. For the types of problems that can be detected during the software development phase itself, this is a powerful phase within the development life cycle to employ such tools, as it provides immediate feedback to the developer on issues they might be introducing into the code during code development itself. This immediate feedback is very useful, especially when compared to finding vulnerabilities much later in the development cycle.<br />
<br />
== Strengths and Weaknesses ==<br />
<br />
=== Strengths ===<br />
<br />
* Scales well -- can be run on lots of software, and can be run repeatedly (as with nightly builds or continuous integration)<br />
* Useful for things that such tools can automatically find with high confidence, such as buffer overflows, SQL Injection Flaws, and so forth<br />
* Output is good for developers -- highlights the precise source files, line numbers, and even subsections of lines that are affected<br />
<br />
=== Weaknesses ===<br />
<br />
* Many types of security vulnerabilities are difficult to find automatically, such as authentication problems, access control issues, insecure use of cryptography, etc. The current state of the art only allows such tools to automatically find a relatively small percentage of application security flaws. However, tools of this type are getting better.<br />
* High numbers of false positives.<br />
* Frequently can't find configuration issues, since they are not represented in the code.<br />
* Difficult to 'prove' that an identified security issue is an actual vulnerability.<br />
* Many of these tools have difficulty analyzing code that can't be compiled. Analysts frequently can't compile code because they don't have the right libraries, all the compilation instructions, all the code, etc.<br />
<br />
==Important Selection Criteria==<br />
<br />
* Requirement: Must support your programming language, but not usually a key factor once it does.<br />
* Types of vulnerabilities it can detect (out of the [[OWASP Top Ten]]?) (plus more?)<br />
* How accurate is it? False Positive/False Negative rates?<br />
** Does the tool have an OWASP [[Benchmark]] score?<br />
* Does it understand the libraries/frameworks you use?<br />
* Does it require a fully buildable set of source?<br />
* Can it run against binaries instead of source?<br />
* Can it be integrated into the developer's IDE?<br />
* How hard is it to setup/use?<br />
* Can it be run continuously and automatically?<br />
* License cost for the tool. (Some are sold per user, per org, per app, per line of code analyzed. Consulting licenses are frequently different than end user licenses.)<br />
<br />
==OWASP Tools Of This Type==<br />
<br />
* [[OWASP SonarQube Project]]<br />
* [http://www.owasp.org/index.php/Category:OWASP_Orizon_Project OWASP Orizon Project]<br />
* [[OWASP_LAPSE_Project | OWASP LAPSE Project]]<br />
* [[OWASP O2 Platform]]<br />
* [[OWASP WAP-Web Application Protection]]<br />
<br />
==Disclaimer==<br />
<br />
Disclaimer: <b>The tools listed in the tables below are presented in alphabetical order. <i>OWASP does not endorse any of the vendors or tools by listing them in the table below.</i> We have made every effort to provide this information as accurately as possible. If you are the vendor of a tool below and think that this information is incomplete or incorrect, please send an e-mail to our mailing list and we will make every effort to correct this information.</b><br />
<br />
==Open Source or Free Tools Of This Type==<br />
<br />
* [https://wiki.openstack.org/wiki/Security/Projects/Bandit Bandit] - bandit is a comprehensive source vulnerability scanner for Python<br />
* [http://brakemanscanner.org/ Brakeman] - Brakeman is an open source vulnerability scanner specifically designed for Ruby on Rails applications<br />
* [http://rubygems.org/gems/codesake-dawn Codesake Dawn] - Codesake Dawn is an open source security source code analyzer designed for Sinatra, Padrino for Ruby on Rails applications. It also works on non-web applications written in Ruby<br />
* [http://findbugs.sourceforge.net/ FindBugs] - (Legacy - NOT Maintained - Use SpotBugs (see below) instead) - Find bugs (including a few security flaws) in Java programs<br />
* [https://find-sec-bugs.github.io/ FindSecBugs] - A security specific plugin for SpotBugs that significantly improves SpotBugs's ability to find security vulnerabilities in Java programs. Works with the old FindBugs too,<br />
* [http://www.dwheeler.com/flawfinder/ Flawfinder] Flawfinder - Scans C and C++<br />
* [https://www.bishopfox.com/resources/tools/google-hacking-diggity/attack-tools/ Google CodeSearchDiggity] - Uses Google Code Search to identifies vulnerabilities in open source code projects hosted by Google Code, MS CodePlex, SourceForge, Github, and more. The tool comes with over 130 default searches that identify SQL injection, cross-site scripting (XSS), insecure remote and local file includes, hard-coded passwords, and much more. ''Essentially, Google CodeSearchDiggity provides a source code security analysis of nearly every single open source code project in existence – simultaneously.''<br />
* [https://github.com/wireghoul/graudit/ Graudit] - Scans multiple languages for various security flaws.<br />
* [https://lgtm.com/help/lgtm/about-lgtm LGTM] - A free for open source static analysis service that automatically monitors commits to publicly accessible code in: Bitbucket Cloud, GitHub, or GitLab. Supports C/C++, C#, COBOL (in beta), Java, JavaScript/TypeScript, Python<br />
* [http://pmd.sourceforge.net/ PMD] - PMD scans Java source code and looks for potential code problems (this is a code quality tool that does not focus on security issues)<br />
* [https://github.com/designsecurity/progpilot Progpilot] - Progpilot is a static analyzer tool for PHP that detects security vulnerabilities such as XSS and SQL Injection.<br />
* [http://msdn.microsoft.com/en-us/library/ms933794.aspx PreFast] (Microsoft) - PREfast is a static analysis tool that identifies defects in C/C++ programs. Last update 2006.<br />
* [https://pumascan.com/ Puma Scan] - Puma Scan is a .NET C# open source static source code analyzer that runs as an IDE plugin for Visual Studio and via MSBuild in CI pipelines.<br />
* [https://dotnet-security-guard.github.io/ .NET Security Guard] - Roslyn analyzers that aim to help security audits on .NET applications. It will find SQL injections, LDAP injections, XXE, cryptography weakness, XSS and more.<br />
* [http://rips-scanner.sourceforge.net/ RIPS] - RIPS is a static source code analyzer for vulnerabilities in PHP web applications. Please see notes on the sourceforge.net site.<br />
* [https://github.com/FloeDesignTechnologies/phpcs-security-audit phpcs-security-audit] - phpcs-security-audit is a set of PHP_CodeSniffer rules that finds flaws or weaknesses related to security in PHP and its popular CMS or frameworks. It currently has core PHP rules as well as Drupal 7 specific rules.<br />
* [http://www.sonarqube.org/ SonarQube] - Scans source code for more than 20 languages for Bugs, Vulnerabilities, and Code Smells. SonarQube IDE plugins for Eclipse, Visual Studio, and IntelliJ provided by [http://www.sonarlint.org/ SonarLint].<br />
* [https://spotbugs.github.io/ SpotBugs] - This is the active fork replacement for FindBugs, which is not maintained anymore.<br />
* [http://sourceforge.net/projects/visualcodegrepp/ VisualCodeGrepper (VCG)] - Scans C/C++, C#, VB, PHP, Java, and PL/SQL for security issues and for comments which may indicate defective code. The config files can be used to carry out additional checks for banned functions or functions which commonly cause security issues.<br />
<br />
[https://docs.gitlab.com/ee/user/application_security/sast/index.html#supported-languages-and-frameworks GitLab has lashed a free SAST tool for a bunch of different languages natively into GitLab. So you might be able to use that, or at least identify a free SAST tool for the language you need from that list].<br />
<br />
==Commercial Tools Of This Type==<br />
* [https://www.ptsecurity.com/ww-en/products/ai/ Application Inspector] (Positive Technologies) - combines SAST, DAST, IAST, SCA, configuration analysis and other technologies, incl. unique abstract interpretation; has capability to generate test queries (exploits) to verify detected vulnerabilities during SAST analysis; Supported languages include: Java, C#, PHP, JavaScript, Objective C, VB.Net, PL/SQL, T-SQL, and others. <br />
* [https://www.ibm.com/us-en/marketplace/application-security-on-cloud Application Security on Cloud] (IBM) - Provides SAST, DAST and mobile security testing as well as OpenSource library known vulnerability detection as a cloud service. <br />
* [https://www.ibm.com/us-en/marketplace/ibm-appscan-source AppScan Source] (IBM)<br />
* [https://www.blueclosure.com BlueClosure BC Detect] (BlueClosure) - Analyzes client-side JavaScript.<br />
* [https://bugscout.io/en/ bugScout] (Nalbatech, Formally Buguroo)<br />
* [https://www.castsoftware.com/products/application-intelligence-platform CAST AIP] (CAST) Performs static and architectural analysis to identify numerous types of security issues. Supports over 30 languages. [https://www.castsoftware.com/solutions/application-security/cwe#SupportedSecurityStandards AIP's security specific coverage is here].<br />
* [https://www.codacy.com/ Codacy] Offers security patterns for languages such as Python, Ruby, Scala, Java, JavaScript and more. Integrates with tools such as Brakeman, Bandit, FindBugs, and others. (free for open source projects)<br />
* [https://www.grammatech.com/products/codesonar CodeSonar] tool that supports C, C++, Java and C# and maps against the OWASP top 10 vulnerabilities.<br />
* [https://www.contrastsecurity.com/interactive-application-security-testing-iast Contrast Assess] (Contrast Security) - Contrast performs code security without actually doing static analysis. Contrast does Interactive Application Security Testing (IAST), correlating runtime code & data analysis. It provides code level results without actually relying on static analysis.<br />
* [http://www.coverity.com/products/code-advisor/ Coverity Code Advisor] (Synopsys)<br />
* [https://www.checkmarx.com/technology/static-code-analysis-sca/ CxSAST] (Checkmarx)<br />
* [http://www8.hp.com/us/en/software-solutions/static-code-analysis-sast/ Fortify] (Micro Focus, Formally HP)<br />
* [https://hdivsecurity.com/interactive-application-security-testing-iast Hdiv Detection] (Hdiv Security) - Hdiv performs code security without actually doing static analysis. Hdiv does Interactive Application Security Testing (IAST), correlating runtime code & data analysis. It provides code-level results without actually relying on static analysis.<br />
* [http://www.juliasoft.com/solutions Julia] (JuliaSoft) - SaaS Java static analysis<br />
* [http://www.klocwork.com/capabilities/static-code-analysis KlocWork] (KlocWork)<br />
* [https://www.kiuwan.com/code-analysis/ Kiuwan] (an [http://www.optimyth.com Optimyth] company) - SaaS Software Quality & Security Analysis<br />
* [http://www.parasoft.com/jsp/capabilities/static_analysis.jsp?itemId=547 Parasoft Test] (Parasoft)<br />
* [https://pitss.com/products/pitss-con/ PITSS.CON] (PITTS)<br />
* [https://www.ptsecurity.com/ww-en/products/ai/ PT Application Inspector] combines SAST, DAST, IAST, SCA, configuration analysis and other technologies, incl. unique abstract interpretation for high accuracy rate with minimum false positives; has a unique capability to generate special test queries (exploits) to verify detected vulnerabilities during SAST analysis; integrates with CI/CD, VCS, etc. PT AI helps to easily understand, verify, and fix flaws; has a simple UI; is highly automated and easy to use. Supported languages are Java, C#, PHP, JavaScript, Objective C, VB.Net, PL/SQL, T-SQL, and others.<br />
* [https://pumascanpro.com/ Puma Scan Professional] - A .NET C# static source code analyzer that runs as a Visual Studio IDE extension, Azure DevOps extension, and Command Line (CLI) executable.<br />
* [http://www.viva64.com/en/ PVS-Studio] (PVS-Studio) - For C/C++, C#<br />
* [https://www.softwaresecured.com/reshift reshift] - A CI/CD tool that uses static code analysis to scan for vulnerabilities and uses machine learning to give a prediction on false positives. Supports Java with future support for NodeJS and JavaScript planned for sometime in 2019.<br />
* [https://www.ripstech.com/ RIPS Code Analysis] (RIPS Technologies) - A SAST solution specialized for PHP that detects unknown security vulnerabilities and code quality issues.<br />
* [https://www.synopsys.com/software-integrity/resources/datasheets/secureassist.html SecureAssist] (Synopsys) - Scans code for insecure coding and configurations automatically as an IDE plugin for Eclipse, IntelliJ, and Visual Studio etc. Supports (Java, .NET, PHP, and JavaScript)<br />
* [https://www.whitehatsec.com/products/static-application-security-testing/ Sentinel Source] (Whitehat)<br />
* [https://www.synopsys.com/software-integrity/products/interactive-application-security-testing.html Seeker] (Synopsys) Seeker performs code security without actually doing static analysis. Seeker does Interactive Application Security Testing (IAST), correlating runtime code & data analysis with simulated attacks. It provides code level results without actually relying on static analysis.<br />
* [http://www.sourcepatrol.co.uk/ Source Patrol] (Pentest)<br />
* [https://www.defensecode.com/thunderscan.php Thunderscan SAST] (DefenseCode)<br />
* [http://www.veracode.com/products/binary-static-analysis-sast Veracode Static Analysis] (Veracode)<br />
* [http://www.xanitizer.net Xanitizer] - Scans Java for security vulnerabilities, mainly via taint analysis. Free for academic and open source projects (see [https://www.rigs-it.com/xanitizer-pricing/]).<br />
<br />
==More info==<br />
<br />
* [[Appendix_A:_Testing_Tools | Appendix A: Testing Tools]]<br />
* [http://samate.nist.gov/index.php/Source_Code_Security_Analyzers.html NIST's list of Source Code Security Analysis Tools]<br />
* [[:Category:Vulnerability_Scanning_Tools | DAST Tools]] - Similar info on Dynamic Application Security Testing (DAST) Tools<br />
* [[Free for Open Source Application Security Tools]] - This page lists the Commercial Source Code Analysis Tools (SAST) we know of that are free for Open Source<br />
<br />
[[Category:OWASP .NET Project]]<br />
[[Category:SAMM-CR-2]]<br />
__NOTOC__</div>Wichershttps://wiki.owasp.org/index.php?title=Source_Code_Analysis_Tools&diff=250774Source Code Analysis Tools2019-04-29T18:20:50Z<p>Wichers: Add gitlab link.</p>
<hr />
<div>[[Static_Code_Analysis | Source code analysis]] tools, also referred to as Static Application Security Testing (SAST) Tools, are designed to analyze source code and/or compiled versions of code to help find security flaws. <br />
<br />
Some tools are starting to move into the IDE. For the types of problems that can be detected during the software development phase itself, this is a powerful phase within the development life cycle to employ such tools, as it provides immediate feedback to the developer on issues they might be introducing into the code during code development itself. This immediate feedback is very useful, especially when compared to finding vulnerabilities much later in the development cycle.<br />
<br />
== Strengths and Weaknesses ==<br />
<br />
=== Strengths ===<br />
<br />
* Scales well -- can be run on lots of software, and can be run repeatedly (as with nightly builds or continuous integration)<br />
* Useful for things that such tools can automatically find with high confidence, such as buffer overflows, SQL Injection Flaws, and so forth<br />
* Output is good for developers -- highlights the precise source files, line numbers, and even subsections of lines that are affected<br />
<br />
=== Weaknesses ===<br />
<br />
* Many types of security vulnerabilities are difficult to find automatically, such as authentication problems, access control issues, insecure use of cryptography, etc. The current state of the art only allows such tools to automatically find a relatively small percentage of application security flaws. However, tools of this type are getting better.<br />
* High numbers of false positives.<br />
* Frequently can't find configuration issues, since they are not represented in the code.<br />
* Difficult to 'prove' that an identified security issue is an actual vulnerability.<br />
* Many of these tools have difficulty analyzing code that can't be compiled. Analysts frequently can't compile code because they don't have the right libraries, all the compilation instructions, all the code, etc.<br />
<br />
==Important Selection Criteria==<br />
<br />
* Requirement: Must support your programming language, but not usually a key factor once it does.<br />
* Types of vulnerabilities it can detect (out of the [[OWASP Top Ten]]?) (plus more?)<br />
* How accurate is it? False Positive/False Negative rates?<br />
** Does the tool have an OWASP [[Benchmark]] score?<br />
* Does it understand the libraries/frameworks you use?<br />
* Does it require a fully buildable set of source?<br />
* Can it run against binaries instead of source?<br />
* Can it be integrated into the developer's IDE?<br />
* How hard is it to setup/use?<br />
* Can it be run continuously and automatically?<br />
* License cost for the tool. (Some are sold per user, per org, per app, per line of code analyzed. Consulting licenses are frequently different than end user licenses.)<br />
<br />
==OWASP Tools Of This Type==<br />
<br />
* [[OWASP SonarQube Project]]<br />
* [http://www.owasp.org/index.php/Category:OWASP_Orizon_Project OWASP Orizon Project]<br />
* [[OWASP_LAPSE_Project | OWASP LAPSE Project]]<br />
* [[OWASP O2 Platform]]<br />
* [[OWASP WAP-Web Application Protection]]<br />
<br />
==Disclaimer==<br />
<br />
Disclaimer: <b>The tools listed in the tables below are presented in alphabetical order. <i>OWASP does not endorse any of the vendors or tools by listing them in the table below.</i> We have made every effort to provide this information as accurately as possible. If you are the vendor of a tool below and think that this information is incomplete or incorrect, please send an e-mail to our mailing list and we will make every effort to correct this information.</b><br />
<br />
==Open Source or Free Tools Of This Type==<br />
<br />
* [https://wiki.openstack.org/wiki/Security/Projects/Bandit Bandit] - bandit is a comprehensive source vulnerability scanner for Python<br />
* [http://brakemanscanner.org/ Brakeman] - Brakeman is an open source vulnerability scanner specifically designed for Ruby on Rails applications<br />
* [http://rubygems.org/gems/codesake-dawn Codesake Dawn] - Codesake Dawn is an open source security source code analyzer designed for Sinatra, Padrino for Ruby on Rails applications. It also works on non-web applications written in Ruby<br />
* [http://findbugs.sourceforge.net/ FindBugs] - (Legacy - NOT Maintained - Use SpotBugs (see below) instead) - Find bugs (including a few security flaws) in Java programs<br />
* [https://find-sec-bugs.github.io/ FindSecBugs] - A security specific plugin for SpotBugs that significantly improves SpotBugs's ability to find security vulnerabilities in Java programs. Works with the old FindBugs too,<br />
* [http://www.dwheeler.com/flawfinder/ Flawfinder] Flawfinder - Scans C and C++<br />
* [https://www.bishopfox.com/resources/tools/google-hacking-diggity/attack-tools/ Google CodeSearchDiggity] - Uses Google Code Search to identifies vulnerabilities in open source code projects hosted by Google Code, MS CodePlex, SourceForge, Github, and more. The tool comes with over 130 default searches that identify SQL injection, cross-site scripting (XSS), insecure remote and local file includes, hard-coded passwords, and much more. ''Essentially, Google CodeSearchDiggity provides a source code security analysis of nearly every single open source code project in existence – simultaneously.''<br />
* [https://github.com/wireghoul/graudit/ Graudit] - Scans multiple languages for various security flaws.<br />
* [https://lgtm.com/help/lgtm/about-lgtm LGTM] - A free for open source static analysis service that automatically monitors commits to publicly accessible code in: Bitbucket Cloud, GitHub, or GitLab. Supports C/C++, C#, COBOL (in beta), Java, JavaScript/TypeScript, Python<br />
* [http://pmd.sourceforge.net/ PMD] - PMD scans Java source code and looks for potential code problems (this is a code quality tool that does not focus on security issues)<br />
* [https://github.com/designsecurity/progpilot Progpilot] - Progpilot is a static analyzer tool for PHP that detects security vulnerabilities such as XSS and SQL Injection.<br />
* [http://msdn.microsoft.com/en-us/library/ms933794.aspx PreFast] (Microsoft) - PREfast is a static analysis tool that identifies defects in C/C++ programs. Last update 2006.<br />
* [https://pumascan.com/ Puma Scan] - Puma Scan is a .NET C# open source static source code analyzer that runs as an IDE plugin for Visual Studio and via MSBuild in CI pipelines.<br />
* [https://dotnet-security-guard.github.io/ .NET Security Guard] - Roslyn analyzers that aim to help security audits on .NET applications. It will find SQL injections, LDAP injections, XXE, cryptography weakness, XSS and more.<br />
* [http://rips-scanner.sourceforge.net/ RIPS] - RIPS is a static source code analyzer for vulnerabilities in PHP web applications. Please see notes on the sourceforge.net site.<br />
* [https://github.com/FloeDesignTechnologies/phpcs-security-audit phpcs-security-audit] - phpcs-security-audit is a set of PHP_CodeSniffer rules that finds flaws or weaknesses related to security in PHP and its popular CMS or frameworks. It currently has core PHP rules as well as Drupal 7 specific rules.<br />
* [http://www.sonarqube.org/ SonarQube] - Scans source code for more than 20 languages for Bugs, Vulnerabilities, and Code Smells. SonarQube IDE plugins for Eclipse, Visual Studio, and IntelliJ provided by [http://www.sonarlint.org/ SonarLint].<br />
* [https://spotbugs.github.io/ SpotBugs] - This is the active fork replacement for FindBugs, which is not maintained anymore.<br />
* [http://sourceforge.net/projects/visualcodegrepp/ VisualCodeGrepper (VCG)] - Scans C/C++, C#, VB, PHP, Java, and PL/SQL for security issues and for comments which may indicate defective code. The config files can be used to carry out additional checks for banned functions or functions which commonly cause security issues.<br />
<br />
[https://docs.gitlab.com/ee/user/application_security/sast/index.html GitLab has lashed a free SAST tool for a bunch of different languages natively into GitLab. So you might be able to use that, or at least identify a free SAST tool for the language you need from that list].<br />
<br />
==Commercial Tools Of This Type==<br />
* [https://www.ptsecurity.com/ww-en/products/ai/ Application Inspector] (Positive Technologies) - combines SAST, DAST, IAST, SCA, configuration analysis and other technologies, incl. unique abstract interpretation; has capability to generate test queries (exploits) to verify detected vulnerabilities during SAST analysis; Supported languages include: Java, C#, PHP, JavaScript, Objective C, VB.Net, PL/SQL, T-SQL, and others. <br />
* [https://www.ibm.com/us-en/marketplace/application-security-on-cloud Application Security on Cloud] (IBM) - Provides SAST, DAST and mobile security testing as well as OpenSource library known vulnerability detection as a cloud service. <br />
* [https://www.ibm.com/us-en/marketplace/ibm-appscan-source AppScan Source] (IBM)<br />
* [https://www.blueclosure.com BlueClosure BC Detect] (BlueClosure) - Analyzes client-side JavaScript.<br />
* [https://bugscout.io/en/ bugScout] (Nalbatech, Formally Buguroo)<br />
* [https://www.castsoftware.com/products/application-intelligence-platform CAST AIP] (CAST) Performs static and architectural analysis to identify numerous types of security issues. Supports over 30 languages. [https://www.castsoftware.com/solutions/application-security/cwe#SupportedSecurityStandards AIP's security specific coverage is here].<br />
* [https://www.codacy.com/ Codacy] Offers security patterns for languages such as Python, Ruby, Scala, Java, JavaScript and more. Integrates with tools such as Brakeman, Bandit, FindBugs, and others. (free for open source projects)<br />
* [https://www.grammatech.com/products/codesonar CodeSonar] tool that supports C, C++, Java and C# and maps against the OWASP top 10 vulnerabilities.<br />
* [https://www.contrastsecurity.com/interactive-application-security-testing-iast Contrast Assess] (Contrast Security) - Contrast performs code security without actually doing static analysis. Contrast does Interactive Application Security Testing (IAST), correlating runtime code & data analysis. It provides code level results without actually relying on static analysis.<br />
* [http://www.coverity.com/products/code-advisor/ Coverity Code Advisor] (Synopsys)<br />
* [https://www.checkmarx.com/technology/static-code-analysis-sca/ CxSAST] (Checkmarx)<br />
* [http://www8.hp.com/us/en/software-solutions/static-code-analysis-sast/ Fortify] (Micro Focus, Formally HP)<br />
* [https://hdivsecurity.com/interactive-application-security-testing-iast Hdiv Detection] (Hdiv Security) - Hdiv performs code security without actually doing static analysis. Hdiv does Interactive Application Security Testing (IAST), correlating runtime code & data analysis. It provides code-level results without actually relying on static analysis.<br />
* [http://www.juliasoft.com/solutions Julia] (JuliaSoft) - SaaS Java static analysis<br />
* [http://www.klocwork.com/capabilities/static-code-analysis KlocWork] (KlocWork)<br />
* [https://www.kiuwan.com/code-analysis/ Kiuwan] (an [http://www.optimyth.com Optimyth] company) - SaaS Software Quality & Security Analysis<br />
* [http://www.parasoft.com/jsp/capabilities/static_analysis.jsp?itemId=547 Parasoft Test] (Parasoft)<br />
* [https://pitss.com/products/pitss-con/ PITSS.CON] (PITTS)<br />
* [https://www.ptsecurity.com/ww-en/products/ai/ PT Application Inspector] combines SAST, DAST, IAST, SCA, configuration analysis and other technologies, incl. unique abstract interpretation for high accuracy rate with minimum false positives; has a unique capability to generate special test queries (exploits) to verify detected vulnerabilities during SAST analysis; integrates with CI/CD, VCS, etc. PT AI helps to easily understand, verify, and fix flaws; has a simple UI; is highly automated and easy to use. Supported languages are Java, C#, PHP, JavaScript, Objective C, VB.Net, PL/SQL, T-SQL, and others.<br />
* [https://pumascanpro.com/ Puma Scan Professional] - A .NET C# static source code analyzer that runs as a Visual Studio IDE extension, Azure DevOps extension, and Command Line (CLI) executable.<br />
* [http://www.viva64.com/en/ PVS-Studio] (PVS-Studio) - For C/C++, C#<br />
* [https://www.softwaresecured.com/reshift reshift] - A CI/CD tool that uses static code analysis to scan for vulnerabilities and uses machine learning to give a prediction on false positives. Supports Java with future support for NodeJS and JavaScript planned for sometime in 2019.<br />
* [https://www.ripstech.com/ RIPS Code Analysis] (RIPS Technologies) - A SAST solution specialized for PHP that detects unknown security vulnerabilities and code quality issues.<br />
* [https://www.synopsys.com/software-integrity/resources/datasheets/secureassist.html SecureAssist] (Synopsys) - Scans code for insecure coding and configurations automatically as an IDE plugin for Eclipse, IntelliJ, and Visual Studio etc. Supports (Java, .NET, PHP, and JavaScript)<br />
* [https://www.whitehatsec.com/products/static-application-security-testing/ Sentinel Source] (Whitehat)<br />
* [https://www.synopsys.com/software-integrity/products/interactive-application-security-testing.html Seeker] (Synopsys) Seeker performs code security without actually doing static analysis. Seeker does Interactive Application Security Testing (IAST), correlating runtime code & data analysis with simulated attacks. It provides code level results without actually relying on static analysis.<br />
* [http://www.sourcepatrol.co.uk/ Source Patrol] (Pentest)<br />
* [https://www.defensecode.com/thunderscan.php Thunderscan SAST] (DefenseCode)<br />
* [http://www.veracode.com/products/binary-static-analysis-sast Veracode Static Analysis] (Veracode)<br />
* [http://www.xanitizer.net Xanitizer] - Scans Java for security vulnerabilities, mainly via taint analysis. Free for academic and open source projects (see [https://www.rigs-it.com/xanitizer-pricing/]).<br />
<br />
==More info==<br />
<br />
* [[Appendix_A:_Testing_Tools | Appendix A: Testing Tools]]<br />
* [http://samate.nist.gov/index.php/Source_Code_Security_Analyzers.html NIST's list of Source Code Security Analysis Tools]<br />
* [[:Category:Vulnerability_Scanning_Tools | DAST Tools]] - Similar info on Dynamic Application Security Testing (DAST) Tools<br />
* [[Free for Open Source Application Security Tools]] - This page lists the Commercial Source Code Analysis Tools (SAST) we know of that are free for Open Source<br />
<br />
[[Category:OWASP .NET Project]]<br />
[[Category:SAMM-CR-2]]<br />
__NOTOC__</div>Wichershttps://wiki.owasp.org/index.php?title=User:Wichers&diff=250412User:Wichers2019-04-22T18:33:12Z<p>Wichers: </p>
<hr />
<div>=About=<br />
<br />
==BIO==<br />
<br />
Dave Wichers is a managing director for application security at Ernst & Young (www.ey.com). He was a cofounder of [https://www.aspectsecurity.com/ Aspect Security], a consulting company that specializes in application security services, that was acquired by EY in 2017. He is also a long time contributor to OWASP, helping to establish the OWASP Foundation in 2004, serving on the [[Board | OWASP Board]] since it was formed from 2004 through 2013, served as [[Conferences | OWASP Conferences Chair]] from 2005 through 2008, was a coauthor of the [[Top10 | OWASP Top 10]] since its inception until 2017 release candidate 1 and led the project from 2007 thru May 2017. Dave is also the lead of the new OWASP [[Benchmark]] project and has also contributed to numerous other important OWASP projects including [[WebGoat]], [[ESAPI]], [[ASVS]], and the [[Cheat Sheets | OWASP Cheat Sheet Series]].<br />
<br />
Dave has over 30 years of experience in the information security field, and has focused exclusively on application security since 1998. At EY, he provides a wide variety of application security consulting services to EY's clients. Prior to starting Aspect, he ran the Application Security Services Group at Exodus Communications. Dave has a Bachelors and Masters degree in Computer Science and is a CISSP.<br />
<br />
==OWASP Contributions==<br />
<br />
I have been contributing to OWASP since 2002. In 2004, along with Jeff Williams, we established the 501c3 organization that is now the OWASP Foundation. Since establishing the OWASP Foundation, I served as the de facto Chief Financial Officer of OWASP, until the OWASP Board established an Executive Director in mid 2013. In late 2004, I volunteered to become the OWASP Conferences Chair where I launched the OWASP Conferences Series, personally organized all the U.S. and European AppSec conferences from 2005 through 2008, and helped launch the Global Conferences Committee in 2009, which organized the conferences from 2009 through 2012. The OWASP Conferences have since grown to serve as a primary revenue generating resource for OWASP.<br />
<br />
As a volunteer to OWASP, Dave is or has been:<br />
<br />
* A member of the [[About_OWASP#Global_Board_Members|OWASP Board]] since it was established in 2004 through the end of 2013, <br />
* The [[:Category:OWASP_AppSec_Conference | OWASP Conferences]] Chair from 2005 through 2008,<br />
* Project lead and coauthor of the [[OWASP_Top_Ten_Project | OWASP Top 10]] thru May 2017,<br />
* Coauthor of the first version of the [[ASVS | OWASP Application Security Verification Standard]],<br />
* Contributor to the [[ESAPI | OWASP Enterprise Security API (ESAPI)]] project,<br />
* Past lead of the [[OWASP_Cheat_Sheet_Series | OWASP Prevention Cheat Sheet Series]] and primary author of the [[SQL_Injection_Prevention_Cheat_Sheet | SQL Injection Prevention Cheat Sheet]].<br />
* Lead of the OWASP [[Benchmark]] project. Benchmark project intro video: [[File:BenchmarkPodcastTitlePage.jpg|200px|link=https://www.youtube.com/watch?v=HQP8dwc3jJA&index=5&list=PLGB2s-U5FSWOmEStMt3JqlMFJvRYqeVW5]]<br />
<br />
For more details than this short bio on what I've done at OWASP, listen to my [https://www.owasp.org/download/jmanico/owasp_podcast_82.mp3 OWASP podcast].<br />
<br />
[[:Special:Contributions/Wichers|Wiki Contributions]]<br />
<br />
I've also done lots of OWASP conference presentations. Here are some of them:<br />
<br />
* 2015 AppSec USA: [https://appsecusa2015.sched.org/event/3r9k/using-the-owasp-benchmark-to-assess-automated-vulnerability-analysis-tools Using the OWASP Benchmark to Assess Automated Vulnerability Analysis Tools]<br />
* 2014 AppSec AsiaPac: [http://owaspappsecapac2014.sched.org/event/fec0f8c8cecafa44b1925641fbfee8fa#.U8hO02dOWJA AppSec at DevOps Speed and Portfolio Scale talk abstract]<br />
* 2014 AppSec AsiaPac: [http://owaspappsecapac2014.sched.org/event/c7ba6e43fa6f4a7e242c40c44c7164c9#.U8hObGdOWJA OWASP Top 10 2013 talk abstract]<br />
* 2013 AppSec USA: [http://appsecusa2013.sched.org/event/817cc39ce670549247d2d0ba05b02701#.Up99XsRDuO2 OWASP Top 10 2013 talk abstract] - [http://appsecusa.org/2013/wp-content/uploads/2013/12/OWASP-Top-10-2013-AppSec-USA.pptx Slides] - [https://www.youtube.com/watch?v=bWqb3Hemepc&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=17 Video]<br />
* 2013 AppSec EU: [https://www.owasp.org/images/1/17/OWASP_Top-10_2013--AppSec_EU_2013_-_Dave_Wichers.pdf OWASP Top 10 2013 - Slides] - [https://www.its.fh-muenster.de/owasp-appseceu13/rooms/Aussichtsreich_+_Freiraum/high_quality/OWASP-AppsecEU13-DaveWichers-OWASPTop10-2013_720p.mp4 Video]<br />
* 2012 AppSec USA: [https://www.owasp.org/images/c/c5/Unraveling_some_Mysteries_around_DOM-based_XSS.pdf Unraveling some of the Mysteries around DOM-based XSS]<br />
* 2012 AppSec EU: [https://www.owasp.org/images/3/30/AppSecEU2012_DOM-based_XSS.pdf Unraveling some of the Mysteries around DOM-based XSS]<br />
* 2012 AppSec DC: [[OWASP_AppSec_DC_2012/Unraveling_some_of_the_Mysteries_around_DOMbased_XSS | Unraveling some of the Mysteries around DOM-based XSS]]<br />
* 2010 AppSec DC: [[The_Strengths_of_Combining_Code_Review_with_Application_Penetration_Testing | Strengths of Combining Code Review with Application Penetration Testing]] - [http://vimeo.com/groups/asdc10/videos/19104928 Video] | [[Media: 2010-DC_The_Power_of_Code_Review.pptx|Slides]]<br />
* 2010 AppSec Europe: [[OWASP_AppSec_Research_2010_-_Stockholm,_Sweden#OWASP_Top_10_2010 | OWASP Top 10 for 2010 - Final]] - [http://owasp.blip.tv/file/3917942/ Video] |[[Media:OWASP_AppSec_Research_2010_OWASP_Top_10_by_Wichers.pdf | PDF]]<br />
* 2009 AppSec DC: [[OWASP_Top_10_2010_AppSecDC | Debut of the OWASP Top 10 for 2010 Release Candidate]] - [http://www.vimeo.com/9006276 Video] | [[Media: AppSec DC 2009 - OWASP Top 10 - 2010 rc1.pptx | Slides]]<br />
* 2009 Appsec Ireland: [[How_to_Avoid_Flaws_in_the_First_Place:_The_OWASP_Enterprise_Security_API_(ESAPI)_Project | How to Avoid Flaws in the First Place: The OWASP ESAPI Project]]<br />
* 2009 AppSec Europe: [[ASVS | OWASP ASVS Project]] - [http://www.owasp.org/images/7/78/AppsecEU09_OWASP_ASVS_WebApp_Standard.ppt Slides]<br />
* 2009 AppSec Europe: [[ESAPI | OWASP Enterprise Security API (ESAPI) Project]] - [http://blip.tv/file/2215191 Video] | [http://www.owasp.org/images/1/11/AppSecEU09Poland_ESAPI.pptx Slides]<br />
* 2008 AppSec NY: Security in Agile Development - [http://video.google.com/videoplay?docid=-8287209466278543377&hl=en Video] | [http://www.owasp.org/images/a/a3/AppSecNYC08-Agile_and_Secure.ppt Slides]<br />
* 2008 AppSec Europe: [[AppSecEU08_The_OWASP_ESAPI_project | Fundamental Application Security Building Blocks - The Benefits of Establishing an Enterprise Security API (ESAPI) for Your Organization]] - [http://www.owasp.org/images/c/cd/AppSecEU08-ESAPI.ppt Slides]<br />
* 2008 AppSec Europe: [[AppSecEU08_Agile_Security_Breaking_the_Waterfall_Mindset | Agile Security - Breaking the Waterfall Mindset of the Security Industry]] - [http://www.owasp.org/images/b/b8/AppSecEU08-Agile_and_Secure.ppt Slides]<br />
* 2007 AppSec Europe: OWASP WebGoat and WebScarab - [http://www.owasp.org/images/5/55/OWASPAppSec2007Milan_WebGoatv5.ppt WebGoat Slides] | [http://www.owasp.org/images/d/d7/OWASPAppSec2007Milan_WebScarabNG.ppt WebScarab Slides]<br />
* 2006 AppSec Seattle: Why AJAX Applications are far more likely to be insecure, and What to do about it - [http://www.owasp.org/index.php/Image:OWASPAppSec2006Seattle_Why_AJAX_Applications_More_Likely_Insecure.ppt Slides]<br />
<br />
Dave can be reached at: dave.wichers (at) ey.com or dave.wichers (at) owasp.org</div>Wichershttps://wiki.owasp.org/index.php?title=Source_Code_Analysis_Tools&diff=249336Source Code Analysis Tools2019-03-27T14:16:59Z<p>Wichers: /* Commercial Tools Of This Type */</p>
<hr />
<div>[[Static_Code_Analysis | Source code analysis]] tools, also referred to as Static Application Security Testing (SAST) Tools, are designed to analyze source code and/or compiled versions of code to help find security flaws. <br />
<br />
Some tools are starting to move into the IDE. For the types of problems that can be detected during the software development phase itself, this is a powerful phase within the development life cycle to employ such tools, as it provides immediate feedback to the developer on issues they might be introducing into the code during code development itself. This immediate feedback is very useful, especially when compared to finding vulnerabilities much later in the development cycle.<br />
<br />
== Strengths and Weaknesses ==<br />
<br />
=== Strengths ===<br />
<br />
* Scales well -- can be run on lots of software, and can be run repeatedly (as with nightly builds or continuous integration)<br />
* Useful for things that such tools can automatically find with high confidence, such as buffer overflows, SQL Injection Flaws, and so forth<br />
* Output is good for developers -- highlights the precise source files, line numbers, and even subsections of lines that are affected<br />
<br />
=== Weaknesses ===<br />
<br />
* Many types of security vulnerabilities are difficult to find automatically, such as authentication problems, access control issues, insecure use of cryptography, etc. The current state of the art only allows such tools to automatically find a relatively small percentage of application security flaws. However, tools of this type are getting better.<br />
* High numbers of false positives.<br />
* Frequently can't find configuration issues, since they are not represented in the code.<br />
* Difficult to 'prove' that an identified security issue is an actual vulnerability.<br />
* Many of these tools have difficulty analyzing code that can't be compiled. Analysts frequently can't compile code because they don't have the right libraries, all the compilation instructions, all the code, etc.<br />
<br />
==Important Selection Criteria==<br />
<br />
* Requirement: Must support your programming language, but not usually a key factor once it does.<br />
* Types of vulnerabilities it can detect (out of the [[OWASP Top Ten]]?) (plus more?)<br />
* How accurate is it? False Positive/False Negative rates?<br />
** Does the tool have an OWASP [[Benchmark]] score?<br />
* Does it understand the libraries/frameworks you use?<br />
* Does it require a fully buildable set of source?<br />
* Can it run against binaries instead of source?<br />
* Can it be integrated into the developer's IDE?<br />
* How hard is it to setup/use?<br />
* Can it be run continuously and automatically?<br />
* License cost for the tool. (Some are sold per user, per org, per app, per line of code analyzed. Consulting licenses are frequently different than end user licenses.)<br />
<br />
==OWASP Tools Of This Type==<br />
<br />
* [[OWASP SonarQube Project]]<br />
* [http://www.owasp.org/index.php/Category:OWASP_Orizon_Project OWASP Orizon Project]<br />
* [[OWASP_LAPSE_Project | OWASP LAPSE Project]]<br />
* [[OWASP O2 Platform]]<br />
* [[OWASP WAP-Web Application Protection]]<br />
<br />
==Disclaimer==<br />
<br />
Disclaimer: <b>The tools listed in the tables below are presented in alphabetical order. <i>OWASP does not endorse any of the vendors or tools by listing them in the table below.</i> We have made every effort to provide this information as accurately as possible. If you are the vendor of a tool below and think that this information is incomplete or incorrect, please send an e-mail to our mailing list and we will make every effort to correct this information.</b><br />
<br />
==Open Source or Free Tools Of This Type==<br />
<br />
* [https://wiki.openstack.org/wiki/Security/Projects/Bandit Bandit] - bandit is a comprehensive source vulnerability scanner for Python<br />
* [http://brakemanscanner.org/ Brakeman] - Brakeman is an open source vulnerability scanner specifically designed for Ruby on Rails applications<br />
* [http://rubygems.org/gems/codesake-dawn Codesake Dawn] - Codesake Dawn is an open source security source code analyzer designed for Sinatra, Padrino for Ruby on Rails applications. It also works on non-web applications written in Ruby<br />
* [http://findbugs.sourceforge.net/ FindBugs] - (Legacy - NOT Maintained - Use SpotBugs (see below) instead) - Find bugs (including a few security flaws) in Java programs<br />
* [https://find-sec-bugs.github.io/ FindSecBugs] - A security specific plugin for SpotBugs that significantly improves SpotBugs's ability to find security vulnerabilities in Java programs. Works with the old FindBugs too,<br />
* [http://www.dwheeler.com/flawfinder/ Flawfinder] Flawfinder - Scans C and C++<br />
* [https://www.bishopfox.com/resources/tools/google-hacking-diggity/attack-tools/ Google CodeSearchDiggity] - Uses Google Code Search to identifies vulnerabilities in open source code projects hosted by Google Code, MS CodePlex, SourceForge, Github, and more. The tool comes with over 130 default searches that identify SQL injection, cross-site scripting (XSS), insecure remote and local file includes, hard-coded passwords, and much more. ''Essentially, Google CodeSearchDiggity provides a source code security analysis of nearly every single open source code project in existence – simultaneously.''<br />
* [https://github.com/wireghoul/graudit/ Graudit] - Scans multiple languages for various security flaws.<br />
* [https://lgtm.com/help/lgtm/about-lgtm LGTM] - A free for open source static analysis service that automatically monitors commits to publicly accessible code in: Bitbucket Cloud, GitHub, or GitLab. Supports C/C++, C#, COBOL (in beta), Java, JavaScript/TypeScript, Python<br />
* [http://pmd.sourceforge.net/ PMD] - PMD scans Java source code and looks for potential code problems (this is a code quality tool that does not focus on security issues)<br />
* [https://github.com/designsecurity/progpilot Progpilot] - Progpilot is a static analyzer tool for PHP that detects security vulnerabilities such as XSS and SQL Injection.<br />
* [http://msdn.microsoft.com/en-us/library/ms933794.aspx PreFast] (Microsoft) - PREfast is a static analysis tool that identifies defects in C/C++ programs. Last update 2006.<br />
* [https://pumascan.com/ Puma Scan] - Puma Scan is a .NET C# open source static source code analyzer that runs as an IDE plugin for Visual Studio and via MSBuild in CI pipelines.<br />
* [https://dotnet-security-guard.github.io/ .NET Security Guard] - Roslyn analyzers that aim to help security audits on .NET applications. It will find SQL injections, LDAP injections, XXE, cryptography weakness, XSS and more.<br />
* [http://rips-scanner.sourceforge.net/ RIPS] - RIPS is a static source code analyzer for vulnerabilities in PHP web applications. Please see notes on the sourceforge.net site.<br />
* [https://github.com/FloeDesignTechnologies/phpcs-security-audit phpcs-security-audit] - phpcs-security-audit is a set of PHP_CodeSniffer rules that finds flaws or weaknesses related to security in PHP and its popular CMS or frameworks. It currently has core PHP rules as well as Drupal 7 specific rules.<br />
* [http://www.sonarqube.org/ SonarQube] - Scans source code for more than 20 languages for Bugs, Vulnerabilities, and Code Smells. SonarQube IDE plugins for Eclipse, Visual Studio, and IntelliJ provided by [http://www.sonarlint.org/ SonarLint].<br />
* [https://spotbugs.github.io/ SpotBugs] - This is the active fork replacement for FindBugs, which is not maintained anymore.<br />
* [http://sourceforge.net/projects/visualcodegrepp/ VisualCodeGrepper (VCG)] - Scans C/C++, C#, VB, PHP, Java, and PL/SQL for security issues and for comments which may indicate defective code. The config files can be used to carry out additional checks for banned functions or functions which commonly cause security issues.<br />
<br />
==Commercial Tools Of This Type==<br />
* [https://www.ptsecurity.com/ww-en/products/ai/ Application Inspector] (Positive Technologies) - combines SAST, DAST, IAST, SCA, configuration analysis and other technologies, incl. unique abstract interpretation; has capability to generate test queries (exploits) to verify detected vulnerabilities during SAST analysis; Supported languages include: Java, C#, PHP, JavaScript, Objective C, VB.Net, PL/SQL, T-SQL, and others. <br />
* [https://www.ibm.com/us-en/marketplace/application-security-on-cloud Application Security on Cloud] (IBM) - Provides SAST, DAST and mobile security testing as well as OpenSource library known vulnerability detection as a cloud service. <br />
* [https://www.ibm.com/us-en/marketplace/ibm-appscan-source AppScan Source] (IBM)<br />
* [https://www.blueclosure.com BlueClosure BC Detect] (BlueClosure) - Analyzes client-side JavaScript.<br />
* [https://bugscout.io/en/ bugScout] (Nalbatech, Formally Buguroo)<br />
* [https://www.castsoftware.com/products/application-intelligence-platform CAST AIP] (CAST) Performs static and architectural analysis to identify numerous types of security issues. Supports over 30 languages. [https://www.castsoftware.com/solutions/application-security/cwe#SupportedSecurityStandards AIP's security specific coverage is here].<br />
* [https://www.codacy.com/ Codacy] Offers security patterns for languages such as Python, Ruby, Scala, Java, JavaScript and more. Integrates with tools such as Brakeman, Bandit, FindBugs, and others. (free for open source projects)<br />
* [https://www.grammatech.com/products/codesonar CodeSonar] tool that supports C, C++, Java and C# and maps against the OWASP top 10 vulnerabilities.<br />
* [https://www.contrastsecurity.com/interactive-application-security-testing-iast Contrast Assess] (Contrast Security) - Contrast performs code security without actually doing static analysis. Contrast does Interactive Application Security Testing (IAST), correlating runtime code & data analysis. It provides code level results without actually relying on static analysis.<br />
* [http://www.coverity.com/products/code-advisor/ Coverity Code Advisor] (Synopsys)<br />
* [https://www.checkmarx.com/technology/static-code-analysis-sca/ CxSAST] (Checkmarx)<br />
* [http://www8.hp.com/us/en/software-solutions/static-code-analysis-sast/ Fortify] (Micro Focus, Formally HP)<br />
* [https://hdivsecurity.com/interactive-application-security-testing-iast Hdiv Detection] (Hdiv Security) - Hdiv performs code security without actually doing static analysis. Hdiv does Interactive Application Security Testing (IAST), correlating runtime code & data analysis. It provides code-level results without actually relying on static analysis.<br />
* [http://www.juliasoft.com/solutions Julia] (JuliaSoft) - SaaS Java static analysis<br />
* [http://www.klocwork.com/capabilities/static-code-analysis KlocWork] (KlocWork)<br />
* [https://www.kiuwan.com/code-analysis/ Kiuwan] (an [http://www.optimyth.com Optimyth] company) - SaaS Software Quality & Security Analysis<br />
* [http://www.parasoft.com/jsp/capabilities/static_analysis.jsp?itemId=547 Parasoft Test] (Parasoft)<br />
* [https://pitss.com/products/pitss-con/ PITSS.CON] (PITTS)<br />
* [https://www.ptsecurity.com/ww-en/products/ai/ PT Application Inspector] combines SAST, DAST, IAST, SCA, configuration analysis and other technologies, incl. unique abstract interpretation for high accuracy rate with minimum false positives; has a unique capability to generate special test queries (exploits) to verify detected vulnerabilities during SAST analysis; integrates with CI/CD, VCS, etc. PT AI helps to easily understand, verify, and fix flaws; has a simple UI; is highly automated and easy to use. Supported languages are Java, C#, PHP, JavaScript, Objective C, VB.Net, PL/SQL, T-SQL, and others.<br />
* [https://pumascanpro.com/ Puma Scan Professional] - A .NET C# static source code analyzer that runs as a Visual Studio IDE extension, Azure DevOps extension, and Command Line (CLI) executable.<br />
* [http://www.viva64.com/en/ PVS-Studio] (PVS-Studio) - For C/C++, C#<br />
* [https://www.softwaresecured.com/reshift reshift] - A CI/CD tool that uses static code analysis to scan for vulnerabilities and uses machine learning to give a prediction on false positives. Supports Java with future support for NodeJS and JavaScript planned for sometime in 2019.<br />
* [https://www.ripstech.com/ RIPS Code Analysis] (RIPS Technologies) - A SAST solution specialized for PHP that detects unknown security vulnerabilities and code quality issues.<br />
* [https://www.synopsys.com/software-integrity/resources/datasheets/secureassist.html SecureAssist] (Synopsys) - Scans code for insecure coding and configurations automatically as an IDE plugin for Eclipse, IntelliJ, and Visual Studio etc. Supports (Java, .NET, PHP, and JavaScript)<br />
* [https://www.whitehatsec.com/products/static-application-security-testing/ Sentinel Source] (Whitehat)<br />
* [https://www.synopsys.com/software-integrity/products/interactive-application-security-testing.html Seeker] (Synopsys) Seeker performs code security without actually doing static analysis. Seeker does Interactive Application Security Testing (IAST), correlating runtime code & data analysis with simulated attacks. It provides code level results without actually relying on static analysis.<br />
* [http://www.sourcepatrol.co.uk/ Source Patrol] (Pentest)<br />
* [https://www.defensecode.com/thunderscan.php Thunderscan SAST] (DefenseCode)<br />
* [http://www.veracode.com/products/binary-static-analysis-sast Veracode Static Analysis] (Veracode)<br />
* [http://www.xanitizer.net Xanitizer] - Scans Java for security vulnerabilities, mainly via taint analysis. Free for academic and open source projects (see [https://www.rigs-it.com/xanitizer-pricing/]).<br />
<br />
==More info==<br />
<br />
* [[Appendix_A:_Testing_Tools | Appendix A: Testing Tools]]<br />
* [http://samate.nist.gov/index.php/Source_Code_Security_Analyzers.html NIST's list of Source Code Security Analysis Tools]<br />
* [[:Category:Vulnerability_Scanning_Tools | DAST Tools]] - Similar info on Dynamic Application Security Testing (DAST) Tools<br />
* [[Free for Open Source Application Security Tools]] - This page lists the Commercial Source Code Analysis Tools (SAST) we know of that are free for Open Source<br />
<br />
[[Category:OWASP .NET Project]]<br />
[[Category:SAMM-CR-2]]<br />
__NOTOC__</div>Wichershttps://wiki.owasp.org/index.php?title=Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet&diff=247222Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet2019-02-07T23:28:10Z<p>Wichers: /* Not a Simple HTTP Request Verification */</p>
<hr />
<div> __NOTOC__<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Cheatsheets-header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}''' <br />
<br />
__TOC__{{TOC hidden}}<br />
<br />
== Introduction ==<br />
[[Cross-Site Request Forgery (CSRF)]] is a type of attack that occurs when a malicious web site, email, blog, instant message, or program causes a user’s web browser to perform an unwanted action on a trusted site when the user is authenticated. A CSRF attack works because browser requests automatically include any credentials associated with the site, such as the user's session cookie, IP address, etc. Therefore, if the user is authenticated to the site, the site cannot distinguish between the forged or legitimate request sent by the victim. We would need a token/identifier that is not accessible to attacker and would not be sent along (like cookies) with forged requests that attacker initiates. For more information on CSRF, see OWASP [[Cross-Site Request Forgery (CSRF)|Cross-Site Request Forgery (CSRF) page]].<br />
<br />
The impact of a successful CSRF attack is limited to the capabilities exposed by the vulnerable application. For example, this attack could result in a transfer of funds, changing a password, or making a purchase with the user’s credentials. In effect, CSRF attacks are used by an attacker to make a target system perform a function via the target's browser, without the user’s knowledge, at least until the unauthorized transaction has been committed.<br />
<br />
Impacts of successful CSRF exploits vary greatly based on the privileges of each victim. When targeting a normal user, a successful CSRF attack can compromise end-user data and their associated functions. If the targeted end user is an administrator account, a CSRF attack can compromise the entire web application. Using social engineering, an attacker can embed malicious HTML or JavaScript code into an email or website to request a specific 'task URL'. The task then executes with or without the user's knowledge, either directly or by using a Cross-Site Scripting flaw. For example, see [https://en.wikipedia.org/wiki/Samy_(computer_worm) Samy MySpace Worm].<br />
<br />
==Warning: No Cross-Site Scripting (XSS) Vulnerabilities ==<br />
[[Cross-Site Scripting]] is not necessary for CSRF to work. However, any cross-site scripting vulnerability can be used to defeat all CSRF mitigation techniques available in the market today (except mitigation techniques that involve user interaction and described later in this cheat sheet). This is because an XSS payload can simply read any page on the site using an XMLHttpRequest (direct DOM access can be done, if on same page) and obtain the generated token from the response, and include that token with a forged request. This technique is exactly how the [https://en.wikipedia.org/wiki/Samy_(computer_worm) MySpace (Samy) worm] defeated MySpace's anti-CSRF defenses in 2005, which enabled the worm to propagate.<br />
<br />
It is imperative that no XSS vulnerabilities are present to ensure that CSRF defenses can't be circumvented. Please see the OWASP [[XSS (Cross Site Scripting) Prevention Cheat Sheet|XSS Prevention Cheat Sheet]] for detailed guidance on how to prevent XSS flaws. <br />
<br />
== Resources that need to be protected from CSRF attacks ==<br />
The following list assumes that you are not violating [http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.1.1 RFC2616], section 9.1.1, by using GET requests for state changing operations. <br />
<br />
'''Note:''' If for any reason you violate, you would also need to protect those resources, which is mostly achieved with default <code>form tag [GET method]</code>, <code>href</code>, and <code>src</code> attributes. <br />
<br />
* Form tags with POST <br />
* Ajax/XHR calls<br />
<br />
== CSRF Defense Recommendations Summary ==<br />
We recommend token based CSRF defense (either stateful/stateless) as a primary defense to mitigate CSRF in your applications. For highly sensitive operations, we also recommend user interaction based protection (either re-authentication/one-time token, detailed in section 6.5) along with token based mitigation.<br />
<br />
As a defense-in-depth measure, consider implementing one mitigation from the Defense-in-Depth Techniques section (you can choose the mitigation that fits your ecosystem considering the issues mentioned under them). These defense-in-depth mitigation techniques are not recommended to be used by themselves (without token based mitigation) for mitigating CSRF in your applications.<br />
<br />
== Primary Defense Techniques ==<br />
<br />
=== Token Based Mitigation ===<br />
This defense is one the most popular and recommended methods to mitigate CSRF. It can be achieved either with state (synchronizer token pattern) or stateless (encrypted/hash based token pattern). For all the mitigation's, it is implicit that general security principles should be adhered.<br />
* Strict key rotation and token lifetime policies should be maintained. Policies can be set according to your organizational needs. Generic key management guidance from OWASP can be found in the [[Key Management Cheat Sheet]].<br />
<br />
==== Synchronizer Token Pattern ====<br />
Any state changing operation requires a secure random token (e.g., CSRF token) to prevent CSRF attacks. A CSRF token should be unique per user session, large random value, and also generated by a cryptographically secure random number generator. The CSRF token is added as a hidden field for forms headers/parameters for AJAX calls, and within the URL if the state changing operation occurs via a GET. See "Disclosure of Token in URL" section below. The server rejects the requested action if the CSRF token fails validation.<br />
<br />
In order to facilitate a "transparent but visible" CSRF solution, developers are encouraged to adopt a pattern similar to [http://www.corej2eepatterns.com/Design/PresoDesign.htm Synchronizer Token Pattern] (The original intention of this synchronizer token pattern was to detect duplicate submissions in forms). The synchronizer token pattern requires the generation of random "challenge" tokens that are associated with the user's current session. These challenge tokens are then inserted within the HTML forms and calls associated with sensitive server-side operations. It is the responsibility of the server application to verify the existence and correctness of this token. By including a challenge token with each request, the developer has a strong control to verify that the user actually intended to submit the desired requests. Inclusion of a required security token in HTTP requests associated with sensitive business functions helps mitigate CSRF attacks as successful exploitation assumes the attacker knows the randomly generated token for the target victim's session. <br />
<br />
'''Note:''' These tokens aren’t like cookies that are automatically sent with forged requests made from your browser from the attacker website. <br />
<br />
This is analogous to the attacker being able to guess the target victim's session identifier. <br />
<br />
The following describes a general approach to incorporate challenge tokens within the request.<br />
<br />
When a Web application formulates a request, the application should include a hidden input parameter with a common name such as "CSRFToken" (for forms)/ as header/parameter value for Ajax calls. The value of this token must be randomly generated such that it cannot be guessed by an attacker. Consider leveraging the java.security.SecureRandom class for Java applications to generate a sufficiently long random token. Alternative generation algorithms include the use of 256-bit BASE64 encoded hashes. Developers that choose this generation algorithm must make sure that there is randomness and uniqueness utilized in the data that is hashed to generate the random token.<br />
<br />
<syntaxhighlight lang="html"><br />
<form action="/transfer.do" method="post"><br />
<br />
<input type="hidden" name="CSRFToken" <br />
value="OWY4NmQwODE4ODRjN2Q2NTlhMmZlYWEwYzU1YWQwMTVhM2JmNGYxYjJiMGI4MjJjZDE1ZDZMGYwMGEwOA=="><br />
...<br />
</form><br />
</syntaxhighlight><br />
<br />
In general, developers need only generate this token once for the current session. After initial generation of this token, the value is stored in the session and is used for each subsequent request until the session expires. When a request is issued by the end-user, the server-side component must verify the existence and validity of the token in the request compared to the token found in the user session. If the token was not found within the request, or the value provided does not match the value within the user session, then the request should be aborted, and the event logged as a potential CSRF attack in progress.<br />
<br />
To further enhance the security of this proposed design, consider randomizing the CSRF token parameter name and/or value for each request. Implementing this approach results in the generation of per-request tokens as opposed to per-session tokens. This is more secure than per-session tokens as the time range for an attacker to exploit the stolen tokens is minimal. However, this may result in usability concerns. For example, the "Back" button browser capability is often hindered as the previous page may contain a token that is no longer valid. Interaction with this previous page will result in a CSRF false positive security event at the server. Few applications that need high security typically implement this approach (such as banks). You have to check what suits your needs. Regardless of the approach taken, developers are encouraged to protect the CSRF token the same way they protect authenticated session identifiers, such as the use of TLS.<br />
<br />
'''Existing Synchronizer Implementations'''<br />
<br />
Synchronizer token defenses have been built into many frameworks, so we strongly recommend using them first when they are available. External components that add CSRF defenses to existing applications are also recommended. OWASP has the following: <br />
<br />
* For Java: OWASP [[CSRF Guard]]<br />
* For PHP and Apache: [[CSRFProtector Project]]<br />
<br />
'''Disclosure of Token in URL'''<br />
<br />
Some implementations of synchronizer tokens include the challenge token in GET (URL) requests as well as POST requests. This is often implemented as a result of sensitive server-side operations being invoked as a result of embedded links in the page or other general design patterns. These patterns are often implemented without knowledge of CSRF and an understanding of CSRF prevention design strategies. While this control does help mitigate the risk of CSRF attacks, the unique per-session token is being exposed for GET requests. CSRF tokens in GET requests are potentially leaked at several locations: browser history, log files, network appliances that make a point to log the first line of an HTTP request, and Referer headers if the protected site links to an external site. In the latter case (leaked CSRF token due to the Referer header being parsed by a linked site), it is trivially easy for the linked site to launch a CSRF attack on the protected site, and they will be able to target this attack very effectively, since the Referer header tells them the site as well as the CSRF token. The attack could be run entirely from JavaScript, so that a simple addition of a script tag to the HTML of a site can launch an attack (whether on an originally malicious site or on a hacked site). Additionally, since HTTPS requests from HTTPS contexts will not strip the Referer header (as opposed to HTTPS to HTTP requests) CSRF token leaks via Referer can still happen on HTTPS Applications.<br />
<br />
The ideal solution is to only include the CSRF token in POST requests and modify server-side actions that have state changing affect to only respond to POST requests. This is in fact what the <nowiki>RFC 2616</nowiki> requires for GET requests. If sensitive server-side actions are guaranteed to only ever respond to POST requests, then there is no need to include the token in GET requests.<br />
<br />
In most JavaEE web applications, however, HTTP method scoping is rarely ever utilized when retrieving HTTP parameters from a request. Calls to "HttpServletRequest.getParameter" will return a parameter value regardless if it was a GET or POST. This is not to say HTTP method scoping cannot be enforced. It can be achieved if a developer explicitly overrides doPost() in the HttpServlet class or leverages framework specific capabilities such as the AbstractFormController class in Spring.<br />
<br />
For these cases, attempting to retrofit this pattern in existing applications requires significant development time and cost, and as a temporary measure it may be better to pass CSRF tokens in the URL. Once the application has been fixed to respond to HTTP GET and POST verbs correctly, CSRF tokens for GET requests should be turned off.<br />
<br />
==== Encryption based Token Pattern ====<br />
The Encrypted Token Pattern leverages an encryption, rather than comparison method of Token-validation. It is most suitable for applications that do not want to maintain any state at server side. <br />
<br />
After successful authentication, the server generates a unique token comprised of the user's ID, a timestamp value and a [http://en.wikipedia.org/wiki/Cryptographic_nonce nonce], using a unique key available only on the server. This token is returned to the client and embedded in a hidden field for forms, in the request-header/parameter for AJAX requests. On receipt of this request, the server reads and decrypts the token value with the same key used to create the token. The inability to correctly decrypt suggests an intrusion attempt. Once decrypted, the UserId and timestamp contained within the token are validated; the UserId is compared against the currently logged in user, and the timestamp is compared against the current time.<br />
<br />
On successful token-decryption, the server has access to parsed values, ideally in the form of [http://en.wikipedia.org/wiki/Claims-based_identity claims]. These claims are processed by comparing the UserId claim to any potentially stored UserId (in a Cookie or Session variable, if the site already contains a means of authentication). The Timestamp is validated against the current time, preventing replay attacks. Alternatively, in the case of a CSRF attack, the server will be unable to decrypt the poisoned token, and can block and log the attack.<br />
<br />
This technique addresses some of the shortfalls in other stateless approaches, such as the need to store data in a Cookie, circumventing the Cookie-subdomain and [[HttpOnly]] issues. Your solution should use a strong encryption function. We recommend AES256-GCM or stronger.<br />
<br />
==== HMAC Based Token Pattern ====<br />
[https://en.wikipedia.org/wiki/HMAC HMAC (hash-based message authentication code)] is a cryptographic function that helps to guarantee integrity and authentication of a message. HMAC Tokens can be used as a CSRF mitigation technique without requiring server side state. It is similar to the encryption token-based pattern with two main differences:<br />
* Uses a strong HMAC function instead of an encryption function to generate the token<br />
* Includes an additional field called ‘operation’ that would indicate the purpose of the operation for which you are including the CSRF token (may it be form tag/ajax call) <br />
(Ex: ‘oneclickpurchase’ (or) buy/asin=SDFH&category=2&quantity=3)<br />
<br />
'''Note:''' Fields mentioned in encryption token pattern (user's ID, a timestamp value and a nonce) are included. <br />
<br />
The operation field helps in mitigating the fact that the hash function generates the same value irrespective of multiple iterations (unlike strong encryption functions that generate different values when they are encrypted each time). So, it would help in avoiding having repeated token values across your application. Nonce field serves the same purpose as in encrypted token pattern (i.e., to avoid rare collisions due to weak cryptographic functions and acts as a defense-in-depth measure). <br />
<br />
Generate the token using HMAC including all four fields mentioned previously (user's ID, a timestamp value, nonce, and operation) and then include it in hidden fields for form tags, headers/parameters for ajax calls. Once you receive the HMAC from the client in the requests, re-generate HMAC with the same fields that you used to generate it, and then verify that the HMAC you re-generated matches the HMAC received from the client. If it does, it is a legitimate user request and if it does not, flag it as a CSRF intrusion and alert your incident response teams. Because an attacker has no visibility into the key used for generating the hash fields used in generating it, there is no way for them to re-generate it to use in forged request.<br />
<br />
Your solution should use a strong HMAC function. We recommend SHA256/512 or stronger.<br />
<br />
=== Auto CSRF Mitigation Techniques ===<br />
Though the technique of mitigating tokens is widely used (stateful with synchronizer token and stateless with encrypted/HMAC token), the major problem associated with these techniques is the human tendency to forget things at times. If a developer forgets to add the token to any state changing operation, they are making the application vulnerable to CSRF. To avoid this, you can try to automate the process of adding tokens to CSRF vulnerable resources (mentioned earlier in this document). You can achieve this by doing the following:<br />
* Write wrappers (that would auto add tokens when used) around default form tags/ajax calls and educate your developers to use those wrappers instead of standard tags. Though this approach is better than depending purely on developers to add tokens, it still is vulnerable to the issue of human tendency to forget things. [https://docs.spring.io/spring-security/site/docs/3.2.0.CI-SNAPSHOT/reference/html/csrf.html Spring Security] uses this technique to add CSRF tokens by default when a custom <form:form> tag is used, you can opt to use after verifying that its enabled and properly configured in the Spring Security version you are using.<br />
* Write a hook (that would capture the traffic and add tokens to CSRF vulnerable resources before rendering to customers) in your organizational web rendering frameworks. Because it is hard to analyze when a particular response is doing any state change (and thus needing a token), you might want to include tokens in all CSRF vulnerable resources (ex: include tokens in all POST responses). This is one recommended approach, but you need to consider the performance costs it might incur.<br />
* Get the tokens automatically added on the client side when the page is being rendered in user’s browser, with help of a client side script (this approach is used by [[CSRF Guard]]). You need to consider any possible JavaScript hijacking attacks.<br />
We recommend researching if the framework you are using has an option to achieve CSRF protection by default before trying to build your custom auto tokening system. For example, .NET has an [https://docs.microsoft.com/en-us/aspnet/core/security/anti-request-forgery?view=aspnetcore-2.1 in-built protection] that adds token to CSRF vulnerable resources. You are responsible for proper configuration (such as key management and token management) before using these in-built CSRF protections that do auto tokening to CSRF vulnerable resources.<br />
<br />
=== Stateless/Tokenless Defense Techniques ===<br />
<br />
Given the popularity of REST services (which are stateless) and the desire to implement the minimum changes required to defend against CSRF attacks, there are a couple of techniques you can rely on to verify that a request is not cross origin with minimal changes to your application. They are:<br />
<br />
* Verify presence of "X-Requested-With: XMLHttpRequest" Header and value<br />
* Verify it's NOT a "Simple HTTP Request"<br />
<br />
If these techniques don't defend every state changing endpoint in your application, you might be able to fill the gap with another stateless/tokenless technique described later: "Verifying origin with standard headers".<br />
<br />
==== X-Requested-With: XMLHttpRequest Header Verification ====<br />
<br />
This is a specific instance of the Custom Request Header Defense which is described more fully later. This HTTP headername/value is particularly attractive because most JavaScript libraries already add this header to requests they generate by default. If you have built, or plan to build, a pure AJAX/REST web app then all you have to do is verify server-side the presence of this headername/value pair on all POST requests, and you are done. If your AJAX calls don't include this (or a similar) header, you'll have to tweak your JavaScript framework to add this custom header.<br />
<br />
This defense works because JavaScript can't submit cross-origin requests and only JavaScript can add custom headers to an HTTP request.<br />
<br />
==== Not a Simple HTTP Request Verification ====<br />
<br />
A Simple HTTP Request is described, but not given this actual name, in the [https://www.w3.org/TR/cors/#terminology W3C CORS spec]. We define a Simple HTTP Request to be a request that uses both a 'simple method' and has a 'simple header'. This W3C article defines a simple method as any of these three: GET, HEAD, POST, and also defines a simple header as one of these four: Accept, Accept-Language, Content-Language, Content-Type. However, the Content-Type header, if present, must also have a value of: application/x-www-form-urlencoded, multipart/form-data, or text/plain. It further defines, not very succinctly, at the beginning of [https://www.w3.org/TR/cors/#cross-origin-request-with-preflight-0 section 7.5.1 Cross-Origin Request with Preflight - Step 1] that a CORS preflight request is required for cross-origin requests UNLESS the request uses a simple method with simple headers. Meaning, that the ONLY cross-origin requests allowed by browsers (without requesting permission using CORS) are 'Simple HTTP Requests'.<br />
<br />
We can take advantage of this knowledge by simply verifying that all state changing requests to our application are NOT Simple HTTP Requests. And if they are not, then they can't be a CSRF attack. If you've built your application properly, then GET and HEAD requests cannot change state, so that leaves us with POSTs. If you then verify that all POST requests include a Content-Type header, whose value is either NOT any of the three allowed to go cross origin (application/x-www-form-urlencoded, multipart/form-data, or text/plain), or is an explicitly required Content-Type that is NOT one of those three, then you are all set.<br />
<br />
For example, if have a pure AJAX app that submits all of it's POST requests with Content-Types of application/xml or application/json, and you verify on the server side that all POSTs include a Content-Type with one of those two values, your app is completely defended against CSRF attacks. If your application also happens to accept other HTTP methods that do state changing things, like PUT, DELETE, etc. you don't have to do anything to defend those endpoints because browsers can't generate anything but Simple HTTP Requests cross-origin (i.e., GET, HEAD, or POST only). If you need to accept the uploading of files (multipart/form-data), explicit CSRF protection is still needed for those endpoints.<br />
<br />
Acknowledgement: This Simple HTTP Request verification technique was found in this [https://blog.jdriven.com/2014/10/stateless-spring-security-part-1-stateless-csrf-protection/ Stateless CSRF Protection blog post], where it explicitly stated "Stateless approach 1: SWITCH TO A FULL AND PROPERLY DESIGNED JSON BASED REST API. - Single-Origin Policy only allows cross-site HEAD/GET and POSTs. POSTs may only be one of the following mime-types: application/x-www-form-urlencoded, multipart/form-data, or text/plain. Indeed no JSON! Now considering GETs should never ever trigger side-effects in any properly designed HTTP based API, this leaves it up to you to simply disallow any non-JSON POST/PUT/DELETEs and all is well."<br />
<br />
== Defense-In-Depth Techniques ==<br />
<br />
=== Verifying origin with standard headers ===<br />
This defense technique is specifically proposed in section 5.0 of [https://seclab.stanford.edu/websec/csrf/csrf.pdf Robust Defenses for Cross-Site Request Forgery]. This paper proposes the first creation of the Origin header and its use as a CSRF defense mechanism.<br />
<br />
There are two steps to this mitigation, both of which rely on examining an HTTP request header value.<br />
<br />
1. Determining the origin the request is coming from (source origin). Can be done via Origin and/or referer header.<br />
<br />
2. Determining the origin the request is going to (target origin).<br />
<br />
At server side we verify if both of them match. If they do, we accept the request as legitimate (meaning it’s the same origin request) and if they don’t, we discard the request (meaning that the request originated from cross-domain). Reliability on these headers comes from the fact that they cannot be altered programmatically (using JavaScript in an XSS) as they fall under [https://developer.mozilla.org/en-US/docs/Glossary/Forbidden_header_name forbidden headers] list (i.e., only browsers can set them).<br />
<br />
====Identifying Source Origin (via Origin/Referer header) ====<br />
'''Checking the Origin Header'''<br />
<br />
If the Origin header is present, verify that its value matches the target origin. Unlike the Referer, the Origin header will be present in HTTP requests that originate from an HTTPS URL.<br />
<br />
'''Checking the Referer Header'''<br />
<br />
If the Origin header is not present, verify the hostname in the Referer header matches the target origin. This method of CSRF mitigation is also commonly used with unauthenticated requests, such as requests made prior to establishing a session state, which is required to keep track of a synchronization token.<br />
<br />
In both cases, make sure the target origin check is strong. For example, if your site is "site.com" make sure "site.com.attacker.com" does not pass your origin check (i.e., match through the trailing/after the origin to make sure you are matching against the entire origin).<br />
<br />
If neither of these headers are present, you can either accept or block the request. We recommend '''blocking'''. Alternatively, you might want to log all such instances, monitor their use cases/behavior, and then start blocking requests only after you get enough confidence.<br />
<br />
==== Identifying the Target Origin ====<br />
You might think it’s easy to determine the target origin, but it’s frequently not. The first thought is to simply grab the target origin (i.e., its hostname and port #) from the URL in the request. However, the application server is frequently sitting behind one or more proxies and the original URL is different from the URL the app server actually receives. If your application server is directly accessed by its users, then using the origin in the URL is fine and you're all set.<br />
<br />
If you are behind a proxy, there are a number of options to consider.<br />
* '''Configure your application to simply know its target origin:''' It’s your application, so you can find its target origin and set that value in some server configuration entry. This would be the most secure approach as its defined server side, so it is a trusted value. However, this might be problematic to maintain if your application is deployed in many places, e.g., dev, test, QA, production, and possibly multiple production instances. Setting the correct value for each of these situations might be difficult, but if you can do it via some central configuration and providing your instances to grab value from it, that's great! ('''Note:''' Make sure the centralized configuration store is maintained securely because major part of your CSRF defense depends on it.)<br />
<br />
* '''Use the Host header value:''' If you prefer that the application find its own target so it doesn't have to be configured for each deployed instance, we recommend using the Host family of headers. The Host header's purpose is to contain the target origin of the request. But, if your app server is sitting behind a proxy, the Host header value is most likely changed by the proxy to the target origin of the URL behind the proxy, which is different than the original URL. This modified Host header origin won't match the source origin in the original Origin or Referer headers.<br />
<br />
* '''Use the X-Forwarded-Host header value:''' To avoid the issue of proxy altering the host header, there is another header called X-Forwarded-Host, whose purpose is to contain the original Host header value the proxy received. Most proxies will pass along the original Host header value in the X-Forwarded-Host header. So that header value is likely to be the target origin value you need to compare to the source origin in the Origin or Referer header.<br />
<br />
This mitigation in earlier versions of the CSRF Cheat Sheet is treated as a primary defense. For reasons mentioned below, it is now moved to the Defense-in-Depth section.<br />
<br />
As it’s implicit, this mitigation would work properly when origin or referer headers are present in the requests. Though these headers are included '''majority''' of the time, there are few use cases where they are not included (most of them are for legitimate reasons to safeguard users privacy/to tune to browsers ecosystem). The following lists some use cases:<br />
* Internet Explorer 11 does not add the Origin header on a CORS request across sites of a trusted zone. The Referer header will remain the only indication of the UI origin. See the following references in stackoverflow [https://stackoverflow.com/questions/20784209/internet-explorer-11-does-not-add-the-origin-header-on-a-cors-request here] and [https://github.com/silverstripe/silverstripe-graphql/issues/118 here].<br />
* In an instance following a [https://stackoverflow.com/questions/22397072/are-there-any-browsers-that-set-the-origin-header-to-null-for-privacy-sensitiv 302 redirect cross-origin], Origin is not included in the redirected request because that may be considered sensitive information that should not be sent to the other origin.<br />
* There are some [https://wiki.mozilla.org/Security/Origin#Privacy-Sensitive_Contexts privacy contexts] where Origin is set to “null” For example, see the following [https://www.google.com/search?q=origin+header+sent+null+value+site%3Astackoverflow.com&oq=origin+header+sent+null+value+site%3Astackoverflow.com here].<br />
* Origin header is included for all cross origin requests but for same origin requests, in most browsers it is only included in POST/DELETE/PUT '''Note:''' Although it is not ideal, many developers use GET requests to do state changing operations.<br />
* Referer header is no exception. There are multiple use cases where referer header is omitted as well ([https://stackoverflow.com/questions/6880659/in-what-cases-will-http-referer-be-empty <nowiki>[1]</nowiki>], [https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referer <nowiki>[2]</nowiki>], [https://en.wikipedia.org/wiki/HTTP_referer#Referer_hiding <nowiki>[3]</nowiki>], [https://seclab.stanford.edu/websec/csrf/csrf.pdf <nowiki>[4]</nowiki>] and [https://www.google.com/search?q=referer+header+sent+null+value+site:stackoverflow.com <nowiki>[5]</nowiki>]). Load balancers, proxies and embedded network devices are also well known to strip the referer header due to privacy reasons in logging them.<br />
<br />
Though exceptions can be written for above cases in your source and target origin check logic, there is currently no central repository (even there is one, keeping it up-to-date is a problem) that references all such use cases. Each browser might also handle these use cases differently (browsers are known to handle things differently considering their ecosystem. IE example of not sending origin header within trusted zone is such example). Rejecting requests that do not contain origin and/or referer headers might sound like a good idea but it can impact legitimate users. Keeping this system in monitoring mode and trying to investigate use cases such as stated above, then adding them into exception logic is a process that you may consider to make this defense more stable in your environment.<br />
<br />
This CSRF defense relies on browser behavior that can change at times. For example, when new privacy contexts are discovered, under which situations you have to keep your validation logic updated, where as in token based mitigation, you have full control on the CSRF mitigation. If browsers alter CSRF tokens, they are literally changing the HTML content on rendering pages (which no browser would ever want to do!).<br />
<br />
When there is an XSS vulnerability on a page of an application protected with Origin and/or Referer header, the level of effort required to exploit state changing operations (that are typically vulnerable to CSRF) on other pages is very easy (grab the parameters and forge a request, as Origin and Referer header is included by default by browsers) than compared to token based mitigation (where attacker needs to download the target page, parse the DOM for the token, construct a forge request, and send it to server).<br />
<br />
'''Note:''' Although the concept of an origin header stemmed from [https://seclab.stanford.edu/websec/csrf/csrf.pdf the Stanford CSRF] paper that references robust CSRF defenses, the initial [https://tools.ietf.org/html/rfc6454 origin header RFC] does not reference mitigating CSRF in any way (another [https://tools.ietf.org/id/draft-abarth-origin-03.html draft version] does, however).<br />
<br />
=== Double Submit Cookie ===<br />
If maintaining the state for CSRF token at server side is problematic, an alternative defense is to use the double submit cookie technique. This technique is easy to implement and is stateless. In this technique, we send a random value in both a cookie and as a request parameter, with the server verifying if the cookie value and request value match. When a user visits (even before authenticating to prevent login CSRF), the site should generate a (cryptographically strong) pseudorandom value and set it as a cookie on the user's machine separate from the session identifier. The site then requires that every transaction request include this pseudorandom value as a hidden form value (or other request parameter/header). If both of them match at server side, the server accepts it as legitimate request and if they don’t, it would reject the request.<br />
<br />
There’s a belief that this technique would work because a cross origin attacker cannot read any data sent from the server or modify cookie values, per the same-origin policy. This means that while an attacker can force a victim to send any value with a malicious CSRF request, the attacker will be unable to modify or read the value stored in the cookie (with which the server compares the token value).<br />
<br />
There are a couple of drawbacks associated with the assumptions made here. The problem of "trusting of sub domains and proper configuration of whole site in general to accept HTTPS connections only". The [https://media.blackhat.com/eu-13/briefings/Lundeen/bh-eu-13-deputies-still-confused-lundeen-wp.pdf Blackhat talk] by Rich Lundeen references these drawbacks.<br />
<br />
"''With double submit, if an attacker can write a cookie they can obviously defeat the protection. And again, writing cookies is significantly easier then reading them. The fact that cookies can be written is difficult for many people to understand. After all, doesn't the same origin policy specify that one domain cannot access cookies from another domain? However, there are two common scenarios where writing cookies across domains is possible:''<br />
<br />
''a) While it's true that hellokitty.marketing.example.com cannot read cookies or access the DOM from secure.example.com because of the same origin policy, hellokitty.marketing.example.com can write cookies to the parent domain (example.com), and these cookies are then consumed by secure.example.com (secure.example.com has no good way to distinguish which site set the cookie). Additionally, there are methods of forcing secure.example.com to always accept your cookie first. What this means is that XSS in hellokitty.marketing.example.com is able to overwrite cookies in secure.example.com.''<br />
<br />
''b) If an attacker is in the middle, they can usually force a request to the same domain over HTTP. If an application is hosted at <nowiki>https://secure.example.com</nowiki>, even if the cookies are set with the secure flag, a man in the middle can force connections to <nowiki>http://secure.example.com</nowiki> and set (overwrite) any arbitrary cookies (even though the secure flag prevents the attacker from reading those cookies). Even if the HSTS header is set on the server and the browser visiting the site supports HSTS (this would prevent a man in the middle from forcing plain text HTTP requests) unless the HSTS header is set in a way that includes all subdomains, a man in the middle can simply force a request to a separate subdomain and overwrite cookies similar to 1. In other words, as long as <nowiki>http://hellokitty.marketing.example.com</nowiki> doesn't force HTTPS, then an attacker can overwrite cookies on any example.com subdomain.''"<br />
<br />
So, unless you are sure that your subdomains are fully secured and only accept HTTPS connections (we believe it’s difficult to guarantee at large enterprises), you should not rely on the Double Submit Cookie technique as a primary mitigation for CSRF.<br />
<br />
A variant of double submit cookie that can mitigate both the risks mentioned above is including the token in an encrypted cookie - often within the authentication cookie - and then at the server side matching it (after decrypting the authentication cookie) with the token in hidden form field or parameter/header for ajax calls. This works because a sub domain has no way to over-write an properly crafted encrypted cookie without the necessary information such as encryption key.<br />
<br />
=== SameSite Cookie Attribute ===<br />
SameSite is a cookie attribute (similar to [[HttpOnly]], Secure etc.) introduced by Google to mitigate CSRF attacks. It is defined in [https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-02#section-5.3.7 this] Internet Draft. This attribute helps in preventing the browser from sending cookies along with cross-site requests. Possible values for this attribute are lax or strict.<br />
<br />
The strict value will prevent the cookie from being sent by the browser to the target site in all cross-site browsing context, even when following a regular link. For example, for a GitHub-like website this would mean that if a logged-in user follows a link to a private GitHub project posted on a corporate discussion forum or email, GitHub will not receive the session cookie and the user will not be able to access the project. A bank website however most likely doesn't want to allow any transactional pages to be linked from external sites, so the strict flag would be most appropriate.<br />
<br />
The default lax value provides a reasonable balance between security and usability for websites that want to maintain user's logged-in session after the user arrives from an external link. In the above GitHub scenario, the session cookie would be allowed when following a regular link from an external website while blocking it in CSRF-prone request methods such as POST. Only cross-site requests that are allowed in lax mode are the ones that have top-level navigations and are also “safe” HTTP methods (more details [https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-02#section-5.3.7.1 here]).<br />
<br />
Example of cookies using this attribute:<br />
<br />
<pre><br />
Set-Cookie: JSESSIONID=xxxxx; SameSite=Strict<br />
Set-Cookie: JSESSIONID=xxxxx; SameSite=Lax<br />
</pre><br />
<br />
Support for this attribute in different browsers is increasing but there are still browsers that need to adopt this. As of August 2018, SameSite attribute is on browsers used by 68.92% of Internet users (detailed statistics are [https://caniuse.com/#feat=same-site-cookie-attribute here]).<br />
<br />
Though this technique seems to be efficient in mitigating CSRF attacks, it is still in early stages (in [https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-02#section-5.3.7 draft]) and does not have full browser support as mentioned above. Google’s [https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-02#section-5.3.7 draft] also mentions a couple cases where forged requests can be simulated by attackers as same-site requests (and thus allowing to send SameSite cookies).<br />
<br />
Considering the factors above, it is not recommended to be used as a primary defense. Google agrees with this stance and strongly encourages developers to deploy server-side defenses such as tokens to mitigate CSRF more fully.<br />
<br />
=== Use of Custom Request Headers ===<br />
<br />
Adding CSRF tokens, a double submit cookie and value, encrypted token, or other defense that involves changing the UI can frequently be complex or otherwise problematic. An alternate defense that is particularly well suited for AJAX/XHR endpoints is the use of a custom request header. This defense relies on the [https://en.wikipedia.org/wiki/Same-origin_policy same-origin policy (SOP)] restriction that only JavaScript can be used to add a custom header, and only within its origin. By default, browsers do not allow JavaScript to make cross origin requests.<br />
<br />
A particularly attractive custom header and value to use is “X-Requested-With: XMLHttpRequest” because most JavaScript libraries already add this header to requests they generate by default. However, some do not. For example, AngularJS used to, but does not anymore. For more information, see [https://github.com/angular/angular.js/commit/3a75b1124d062f64093a90b26630938558909e8d their rationale] and how to add it back.<br />
<br />
If this is the case for your system, you can simply verify the presence of this header and value on all your server side AJAX endpoints in order to protect against CSRF attacks. This approach has the double advantage of usually requiring no UI changes and not introducing any server side state, which is particularly attractive to REST services. You can always add your own custom header and value if that is preferred.<br />
<br />
This defense technique is specifically discussed in section 4.3 of [https://seclab.stanford.edu/websec/csrf/csrf.pdf Robust Defenses for Cross-Site Request Forgery]. However, bypasses of this defense using Flash were documented as early as 2008 and again as recently as 2015 by Mathias Karlsson to [https://hackerone.com/reports/44146 exploit a CSRF flaw in Vimeo]. A Flash attack can't spoof the Origin or Referer headers, so by checking both of them we believe this combination of checks should prevent Flash bypass CSRF attacks (if any comes up in future). <br />
<br />
Besides any possible future bypasses such as Flash, using a static header will make it easy to exploit other state changing operations in the application (similar to the previous explanation on why ease of exploitation is easier in origin/referer header check than token based mitigation). Including a random token instead of static header value is more or less equal to the token based approach described in the Primary Defenses section. Developers also need to consider that if you are using this approach in an application with both Ajax calls and form tags, this technique would only help Ajax calls in protecting from CSRF and you would still need protect <form> tags with approaches described in this document such as tokens. Setting custom headers on form tags is not possible directly. Also, CORS configuration should also be robust to make this solution work effectively (as custom headers for requests coming from other domains trigger a pre-flight CORS check).<br />
<br />
=== User Interaction Based CSRF Defense ===<br />
<br />
While all the techniques referenced here do not require any user interaction, sometimes it’s easier or more appropriate to involve the user in the transaction to prevent unauthorized operations (forged via CSRF or otherwise). The following are some examples of techniques that can act as strong CSRF defense when implemented correctly.<br />
* Re-Authentication (password or stronger)<br />
* One-time Token<br />
* CAPTCHA<br />
While these are a very strong CSRF defense, it does create a huge impact on the user experience. For applications that are in need of high security for some operations (password change, money transfer etc.), these techniques should be used along with token based mitigation. Please note that tokens by themselves can mitigate CSRF, developers should use these techniques only to achieve additional security for their high sensitive operations.<br />
<br />
=== Login CSRF ===<br />
Most developers tend to ignore CSRF vulnerability on login forms as they assume that CSRF would not be applicable on login forms because user is not authenticated at that stage. That assumption is false. CSRF vulnerability can still occur on login forms where the user is not authenticated, but the impact/risk view for it is quite different from the impact/risk view of a general CSRF vulnerability (when a user is authenticated).<br />
<br />
With a CSRF vulnerability on login form, an attacker can make a victim login to the attacker's account and learn behavior from the victim's searches. For more information about login CSRF and other risks, see section 3 of [https://seclab.stanford.edu/websec/csrf/csrf.pdf the Stanford CSRF] paper.<br />
<br />
Login CSRF can be mitigated by creating pre-sessions (sessions before a user is authenticated) and including tokens in login form. You can use any of the techniques mentioned above to generate tokens. Pre-sessions can be transitioned to real sessions once the user is authenticated. This technique is described in [https://seclab.stanford.edu/websec/csrf/csrf.pdf Robust Defenses for Cross-Site Request Forgery section 4.1].<br />
<br />
If sub-domains under your master domain are treated as not trusted in your threat model, it is difficult to mitigate login CSRF. A strict subdomain and path level referer header (because most login pages are served on HTTPS - no stripping of referer - and are also linked from home pages) validation (detailed in section 6.1) can be used in these cases for mitigating CSRF on login forms to an extent.<br />
<br />
== Not So Popular CSRF Mitigations ==<br />
<br />
=== Triple Submit Cookie ===<br />
This mitigation is proposed by [https://www.owasp.org/images/e/e6/AppSecEU2012_Wilander.pdf John Wilander in 2012 at OWASP Appsec Research]. This technique adds an additional step to double submit cookie approach by verifying if the request contains two cookies with same name (please note, attacker need to write an additional cookie to bypass double submit cookie mitigation). Though it mitigates the issues discussed in bypass of double submit cookie, it introduces new problems such as cookie jar overflow (in-details and more issue details [https://media.blackhat.com/eu-13/briefings/Lundeen/bh-eu-13-deputies-still-confused-lundeen-wp.pdf here] and [https://webstersprodigy.net/2012/08/03/analysis-of-john-wilanders-triple-submit-cookies/ here]). We were not able to find any real-time implementations of this mitigation so far.<br />
<br />
=== Content-Type Header Validation ===<br />
This technique is better known than the triple submit cookie mitigation. In first place, this header is not designed for security (initial RFC [https://tools.ietf.org/html/rfc1049 here] and later well-defined in [https://www.ietf.org/rfc/rfc2045.txt this] RFC) but only to let receiving agents know the type of data they would be handling, so that they can invoke corresponding parsers. The pre-flighting behavior of this header (pre-flight if header has value other than application/x-www-form-urlencoded, multipart/form-data, or text/plain) is what treated as a CSRF mitigation and thus forcing all requests to have a header value that would force a pre-flight (such as application/json. Server side can reject cross-origin requests with CORS/SOP during this pre-flight).<br />
<br />
This approach has two main problems. One that it would mandate all requests to have a header value that would force pre-flight despite the real use case and the other that this technique is relying on a feature that is not designed for security, to mitigate a security vulnerability. When a bug was discovered in the Chrome API, browser architects even considered to removing this pre-flighting behavior. Because this header was not designed as a security control, architects can re-design it to better cater its primary purpose. In the future, there’s a possibility that new content-type header types can be included (to better support various use-cases), which can put systems relying on this header for CSRF mitigation in trouble. For more information, see [https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2017/september/common-csrf-prevention-misconceptions/ Common CSRF Prevention Misconceptions].<br />
<br />
== CSRF Mitigation Myths ==<br />
The following shows techniques presumed to be CSRF mitigations but none of them fully/actually mitigates a CSRF vulnerability.<br />
* '''CORS''': CORS is a header designed to relax Same-Origin-Policy when cross-origin communication between sites is required. It is not designed, nor prevents CSRF attacks.<br />
* '''Using HTTPS''': Using HTTPS has nothing to do with the protection from CSRF attacks. Resources that are under HTTPS are still vulnerable to CSRF if proper CSRF mitigations described above are not included.<br />
* More myths can be found [[Cross-Site Request Forgery (CSRF)|here]]<br />
<br />
== Implementation reference example ==<br />
The following JEE web filter provides an example reference for some of the concepts described in this cheat sheet. It implements the following stateless mitigations ([https://github.com/aramrami/OWASP-CSRFGuard OWASP CSRFGuard], cover a stateful approach).<br />
* Verifying same origin with standard headers<br />
* Double submit cookie<br />
* SameSite cookie attribute<br />
'''Please note''' that it only acts a reference sample and is not complete (for example: it doesn’t have a block to direct the control flow when origin and referer header check succeeds nor it has a port/host/protocol level validation for referer header). Developers are recommended to build their complete mitigation on top of this reference sample. Developers should also implement standard authentication or authorization checks before checking for CSRF.<br />
<br />
Source is also located [https://github.com/righettod/poc-csrf here] and provides a runnable POC.<br />
<br />
<syntaxhighlight lang="java"><br />
import org.slf4j.Logger;<br />
import org.slf4j.LoggerFactory;<br />
<br />
import javax.servlet.Filter;<br />
import javax.servlet.FilterChain;<br />
import javax.servlet.FilterConfig;<br />
import javax.servlet.ServletException;<br />
import javax.servlet.ServletRequest;<br />
import javax.servlet.ServletResponse;<br />
import javax.servlet.annotation.WebFilter;<br />
import javax.servlet.http.Cookie;<br />
import javax.servlet.http.HttpServletRequest;<br />
import javax.servlet.http.HttpServletResponse;<br />
import javax.servlet.http.HttpServletResponseWrapper;<br />
import javax.xml.bind.DatatypeConverter;<br />
import java.io.IOException;<br />
import java.net.MalformedURLException;<br />
import java.net.URL;<br />
import java.security.SecureRandom;<br />
import java.util.Arrays;<br />
<br />
/**<br />
* Filter in charge of validating each incoming HTTP request about Headers and CSRF token.<br />
* It is called for all requests to backend destination.<br />
*<br />
* We use the approach in which:<br />
* - The CSRF token is changed after each valid HTTP exchange<br />
* - The custom Header name for the CSRF token transmission is fixed<br />
* - A CSRF token is associated to a backend service URI in order to enable the support for multiple parallel Ajax request from the same application<br />
* - The CSRF cookie name is the backend service name prefixed with a fixed prefix<br />
*<br />
* Here for the POC we show the "access denied" reason in the response but in production code only return a generic message !<br />
*<br />
* @see "https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet"<br />
* @see "https://wiki.mozilla.org/Security/Origin"<br />
* @see "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie"<br />
* @see "https://chloe.re/2016/04/13/goodbye-csrf-samesite-to-the-rescue/"<br />
*/<br />
@WebFilter("/backend/*")<br />
public class CSRFValidationFilter implements Filter {<br />
<br />
/**<br />
* JVM param name used to define the target origin<br />
*/<br />
public static final String TARGET_ORIGIN_JVM_PARAM_NAME = "target.origin";<br />
<br />
/**<br />
* Name of the custom HTTP header used to transmit the CSRF token and also to prefix <br />
* the CSRF cookie for the expected backend service<br />
*/<br />
private static final String CSRF_TOKEN_NAME = "X-TOKEN";<br />
<br />
/**<br />
* Logger<br />
*/<br />
private static final Logger LOG = LoggerFactory.getLogger(CSRFValidationFilter.class);<br />
<br />
/**<br />
* Application expected deployment domain: named "Target Origin" in OWASP CSRF article<br />
*/<br />
private URL targetOrigin;<br />
<br />
/***<br />
* Secure generator<br />
*/<br />
private final SecureRandom secureRandom = new SecureRandom();<br />
<br />
<br />
/**<br />
* {@inheritDoc}<br />
*/<br />
@Override<br />
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {<br />
HttpServletRequest httpReq = (HttpServletRequest) request;<br />
HttpServletResponse httpResp = (HttpServletResponse) response;<br />
String accessDeniedReason;<br />
<br />
/* STEP 1: Verifying Same Origin with Standard Headers */<br />
//Try to get the source from the "Origin" header<br />
String source = httpReq.getHeader("Origin");<br />
if (this.isBlank(source)) {<br />
//If empty then fallback on "Referer" header<br />
source = httpReq.getHeader("Referer");<br />
//If this one is empty too then we trace the event and we block the request (recommendation of the article)...<br />
if (this.isBlank(source)) {<br />
accessDeniedReason = "CSRFValidationFilter: ORIGIN and REFERER request headers are both absent/empty so we block the request !";<br />
LOG.warn(accessDeniedReason);<br />
httpResp.sendError(HttpServletResponse.SC_FORBIDDEN, accessDeniedReason);<br />
return;<br />
}<br />
}<br />
<br />
//Compare the source against the expected target origin<br />
URL sourceURL = new URL(source);<br />
if (!this.targetOrigin.getProtocol().equals(sourceURL.getProtocol()) || !this.targetOrigin.getHost().equals(sourceURL.getHost()) <br />
|| this.targetOrigin.getPort() != sourceURL.getPort()) {<br />
//One the part do not match so we trace the event and we block the request<br />
accessDeniedReason = String.format("CSRFValidationFilter: Protocol/Host/Port do not fully matches so we block the request! (%s != %s) ", <br />
this.targetOrigin, sourceURL);<br />
LOG.warn(accessDeniedReason);<br />
httpResp.sendError(HttpServletResponse.SC_FORBIDDEN, accessDeniedReason);<br />
return;<br />
}<br />
<br />
/* STEP 2: Verifying CSRF token using "Double Submit Cookie" approach */<br />
//If CSRF token cookie is absent from the request then we provide one in response but we stop the process at this stage.<br />
//Using this way we implement the first providing of token<br />
Cookie tokenCookie = null;<br />
if (httpReq.getCookies() != null) {<br />
String csrfCookieExpectedName = this.determineCookieName(httpReq);<br />
tokenCookie = Arrays.stream(httpReq.getCookies()).filter(c -> c.getName().equals(csrfCookieExpectedName)).findFirst().orElse(null);<br />
}<br />
if (tokenCookie == null || this.isBlank(tokenCookie.getValue())) {<br />
LOG.info("CSRFValidationFilter: CSRF cookie absent or value is null/empty so we provide one and return an HTTP NO_CONTENT response !");<br />
//Add the CSRF token cookie and header<br />
this.addTokenCookieAndHeader(httpReq, httpResp);<br />
//Set response state to "204 No Content" in order to allow the requester to clearly identify an initial response providing the initial CSRF token<br />
httpResp.setStatus(HttpServletResponse.SC_NO_CONTENT);<br />
} else {<br />
//If the cookie is present then we pass to validation phase<br />
//Get token from the custom HTTP header (part under control of the requester)<br />
String tokenFromHeader = httpReq.getHeader(CSRF_TOKEN_NAME);<br />
//If empty then we trace the event and we block the request<br />
if (this.isBlank(tokenFromHeader)) {<br />
accessDeniedReason = "CSRFValidationFilter: Token provided via HTTP Header is absent/empty so we block the request !";<br />
LOG.warn(accessDeniedReason);<br />
httpResp.sendError(HttpServletResponse.SC_FORBIDDEN, accessDeniedReason);<br />
} else if (!tokenFromHeader.equals(tokenCookie.getValue())) {<br />
//Verify that token from header and one from cookie are the same<br />
//Here is not the case so we trace the event and we block the request<br />
accessDeniedReason = "CSRFValidationFilter: Token provided via HTTP Header and via Cookie are not equals so we block the request !";<br />
LOG.warn(accessDeniedReason);<br />
httpResp.sendError(HttpServletResponse.SC_FORBIDDEN, accessDeniedReason);<br />
} else {<br />
//Verify that token from header and one from cookie matches<br />
//Here is the case so we let the request reach the target component (ServiceServlet, jsp...) and add a new token when we get back the bucket<br />
HttpServletResponseWrapper httpRespWrapper = new HttpServletResponseWrapper(httpResp);<br />
chain.doFilter(request, httpRespWrapper);<br />
//Add the CSRF token cookie and header<br />
this.addTokenCookieAndHeader(httpReq, httpRespWrapper);<br />
}<br />
}<br />
}<br />
<br />
/**<br />
* {@inheritDoc}<br />
*/<br />
@Override<br />
public void init(FilterConfig filterConfig) throws ServletException {<br />
//To easier the configuration, we load the target expected origin from an JVM property<br />
//Reconfiguration only require an application restart that is generally acceptable<br />
try {<br />
this.targetOrigin = new URL(System.getProperty(TARGET_ORIGIN_JVM_PARAM_NAME));<br />
} catch (MalformedURLException e) {<br />
LOG.error("Cannot init the filter !", e);<br />
throw new ServletException(e);<br />
}<br />
LOG.info("CSRFValidationFilter: Filter init, set expected target origin to '{}'.", this.targetOrigin);<br />
}<br />
<br />
/**<br />
* {@inheritDoc}<br />
*/<br />
@Override<br />
public void destroy() {<br />
LOG.info("CSRFValidationFilter: Filter shutdown");<br />
}<br />
<br />
/**<br />
* Check if a string is null or empty (including containing only spaces)<br />
*<br />
* @param s Source string<br />
* @return TRUE if source string is null or empty (including containing only spaces)<br />
*/<br />
private boolean isBlank(String s) {<br />
return s == null || s.trim().isEmpty();<br />
}<br />
<br />
/**<br />
* Generate a new CSRF token<br />
*<br />
* @return The token a string<br />
*/<br />
private String generateToken() {<br />
byte[] buffer = new byte[50];<br />
this.secureRandom.nextBytes(buffer);<br />
return DatatypeConverter.printHexBinary(buffer);<br />
}<br />
<br />
/**<br />
* Determine the name of the CSRF cookie for the targeted backend service<br />
*<br />
* @param httpRequest Source HTTP request<br />
* @return The name of the cookie as a string<br />
*/<br />
private String determineCookieName(HttpServletRequest httpRequest) {<br />
String backendServiceName = httpRequest.getRequestURI().replaceAll("/", "-");<br />
return CSRF_TOKEN_NAME + "-" + backendServiceName;<br />
}<br />
<br />
/**<br />
* Add the CSRF token cookie and header to the provided HTTP response object<br />
*<br />
* @param httpRequest Source HTTP request<br />
* @param httpResponse HTTP response object to update<br />
*/<br />
private void addTokenCookieAndHeader(HttpServletRequest httpRequest, HttpServletResponse httpResponse) {<br />
//Get new token<br />
String token = this.generateToken();<br />
//Add cookie manually because the current Cookie class implementation do not support the "SameSite" attribute<br />
//We let the adding of the "Secure" cookie attribute to the reverse proxy rewriting...<br />
//Here we lock the cookie from JS access and we use the SameSite new attribute protection<br />
String cookieSpec = String.format("%s=%s; Path=%s; HttpOnly; SameSite=Strict", this.determineCookieName(httpRequest), token, httpRequest.getRequestURI());<br />
httpResponse.addHeader("Set-Cookie", cookieSpec);<br />
//Add cookie header to give access to the token to the JS code<br />
httpResponse.setHeader(CSRF_TOKEN_NAME, token);<br />
}<br />
}<br />
</syntaxhighlight><br />
<br />
== Authors and Primary Editors ==<br />
Manideep Konakandla (Amazon Application Security Team) - http://www.manideepk.com<br />
<br />
Dave Wichers - dave.wichers[at]owasp.org<br />
<br />
Paul Petefish - https://www.linkedin.com/in/paulpetefish<br />
<br />
Eric Sheridan - eric.sheridan[at]owasp.org<br />
<br />
Dominique Righetto - dominique.righetto[at]owasp.org<br /><br />
<br />
== Other Cheat Sheets ==<br />
{{Cheatsheet_Navigation_Body}}<br />
<br />
|}<br />
<br />
[[Category:Cheatsheets]]<br />
[[Category:Popular]]</div>Wichershttps://wiki.owasp.org/index.php?title=Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet&diff=247194Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet2019-02-06T22:52:16Z<p>Wichers: </p>
<hr />
<div> __NOTOC__<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Cheatsheets-header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}''' <br />
<br />
__TOC__{{TOC hidden}}<br />
<br />
== Introduction ==<br />
[[Cross-Site Request Forgery (CSRF)]] is a type of attack that occurs when a malicious web site, email, blog, instant message, or program causes a user’s web browser to perform an unwanted action on a trusted site when the user is authenticated. A CSRF attack works because browser requests automatically include any credentials associated with the site, such as the user's session cookie, IP address, etc. Therefore, if the user is authenticated to the site, the site cannot distinguish between the forged or legitimate request sent by the victim. We would need a token/identifier that is not accessible to attacker and would not be sent along (like cookies) with forged requests that attacker initiates. For more information on CSRF, see OWASP [[Cross-Site Request Forgery (CSRF)|Cross-Site Request Forgery (CSRF) page]].<br />
<br />
The impact of a successful CSRF attack is limited to the capabilities exposed by the vulnerable application. For example, this attack could result in a transfer of funds, changing a password, or making a purchase with the user’s credentials. In effect, CSRF attacks are used by an attacker to make a target system perform a function via the target's browser, without the user’s knowledge, at least until the unauthorized transaction has been committed.<br />
<br />
Impacts of successful CSRF exploits vary greatly based on the privileges of each victim. When targeting a normal user, a successful CSRF attack can compromise end-user data and their associated functions. If the targeted end user is an administrator account, a CSRF attack can compromise the entire web application. Using social engineering, an attacker can embed malicious HTML or JavaScript code into an email or website to request a specific 'task URL'. The task then executes with or without the user's knowledge, either directly or by using a Cross-Site Scripting flaw. For example, see [https://en.wikipedia.org/wiki/Samy_(computer_worm) Samy MySpace Worm].<br />
<br />
==Warning: No Cross-Site Scripting (XSS) Vulnerabilities ==<br />
[[Cross-Site Scripting]] is not necessary for CSRF to work. However, any cross-site scripting vulnerability can be used to defeat all CSRF mitigation techniques available in the market today (except mitigation techniques that involve user interaction and described later in this cheat sheet). This is because an XSS payload can simply read any page on the site using an XMLHttpRequest (direct DOM access can be done, if on same page) and obtain the generated token from the response, and include that token with a forged request. This technique is exactly how the [https://en.wikipedia.org/wiki/Samy_(computer_worm) MySpace (Samy) worm] defeated MySpace's anti-CSRF defenses in 2005, which enabled the worm to propagate.<br />
<br />
It is imperative that no XSS vulnerabilities are present to ensure that CSRF defenses can't be circumvented. Please see the OWASP [[XSS (Cross Site Scripting) Prevention Cheat Sheet|XSS Prevention Cheat Sheet]] for detailed guidance on how to prevent XSS flaws. <br />
<br />
== Resources that need to be protected from CSRF attacks ==<br />
The following list assumes that you are not violating [http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.1.1 RFC2616], section 9.1.1, by using GET requests for state changing operations. <br />
<br />
'''Note:''' If for any reason you violate, you would also need to protect those resources, which is mostly achieved with default <code>form tag [GET method]</code>, <code>href</code>, and <code>src</code> attributes. <br />
<br />
* Form tags with POST <br />
* Ajax/XHR calls<br />
<br />
== CSRF Defense Recommendations Summary ==<br />
We recommend token based CSRF defense (either stateful/stateless) as a primary defense to mitigate CSRF in your applications. For highly sensitive operations, we also recommend user interaction based protection (either re-authentication/one-time token, detailed in section 6.5) along with token based mitigation.<br />
<br />
As a defense-in-depth measure, consider implementing one mitigation from the Defense-in-Depth Techniques section (you can choose the mitigation that fits your ecosystem considering the issues mentioned under them). These defense-in-depth mitigation techniques are not recommended to be used by themselves (without token based mitigation) for mitigating CSRF in your applications.<br />
<br />
== Primary Defense Techniques ==<br />
<br />
=== Token Based Mitigation ===<br />
This defense is one the most popular and recommended methods to mitigate CSRF. It can be achieved either with state (synchronizer token pattern) or stateless (encrypted/hash based token pattern). For all the mitigation's, it is implicit that general security principles should be adhered.<br />
* Strict key rotation and token lifetime policies should be maintained. Policies can be set according to your organizational needs. Generic key management guidance from OWASP can be found in the [[Key Management Cheat Sheet]].<br />
<br />
==== Synchronizer Token Pattern ====<br />
Any state changing operation requires a secure random token (e.g., CSRF token) to prevent CSRF attacks. A CSRF token should be unique per user session, large random value, and also generated by a cryptographically secure random number generator. The CSRF token is added as a hidden field for forms headers/parameters for AJAX calls, and within the URL if the state changing operation occurs via a GET. See "Disclosure of Token in URL" section below. The server rejects the requested action if the CSRF token fails validation.<br />
<br />
In order to facilitate a "transparent but visible" CSRF solution, developers are encouraged to adopt a pattern similar to [http://www.corej2eepatterns.com/Design/PresoDesign.htm Synchronizer Token Pattern] (The original intention of this synchronizer token pattern was to detect duplicate submissions in forms). The synchronizer token pattern requires the generation of random "challenge" tokens that are associated with the user's current session. These challenge tokens are then inserted within the HTML forms and calls associated with sensitive server-side operations. It is the responsibility of the server application to verify the existence and correctness of this token. By including a challenge token with each request, the developer has a strong control to verify that the user actually intended to submit the desired requests. Inclusion of a required security token in HTTP requests associated with sensitive business functions helps mitigate CSRF attacks as successful exploitation assumes the attacker knows the randomly generated token for the target victim's session. <br />
<br />
'''Note:''' These tokens aren’t like cookies that are automatically sent with forged requests made from your browser from the attacker website. <br />
<br />
This is analogous to the attacker being able to guess the target victim's session identifier. <br />
<br />
The following describes a general approach to incorporate challenge tokens within the request.<br />
<br />
When a Web application formulates a request, the application should include a hidden input parameter with a common name such as "CSRFToken" (for forms)/ as header/parameter value for Ajax calls. The value of this token must be randomly generated such that it cannot be guessed by an attacker. Consider leveraging the java.security.SecureRandom class for Java applications to generate a sufficiently long random token. Alternative generation algorithms include the use of 256-bit BASE64 encoded hashes. Developers that choose this generation algorithm must make sure that there is randomness and uniqueness utilized in the data that is hashed to generate the random token.<br />
<br />
<syntaxhighlight lang="html"><br />
<form action="/transfer.do" method="post"><br />
<br />
<input type="hidden" name="CSRFToken" <br />
value="OWY4NmQwODE4ODRjN2Q2NTlhMmZlYWEwYzU1YWQwMTVhM2JmNGYxYjJiMGI4MjJjZDE1ZDZMGYwMGEwOA=="><br />
...<br />
</form><br />
</syntaxhighlight><br />
<br />
In general, developers need only generate this token once for the current session. After initial generation of this token, the value is stored in the session and is used for each subsequent request until the session expires. When a request is issued by the end-user, the server-side component must verify the existence and validity of the token in the request compared to the token found in the user session. If the token was not found within the request, or the value provided does not match the value within the user session, then the request should be aborted, and the event logged as a potential CSRF attack in progress.<br />
<br />
To further enhance the security of this proposed design, consider randomizing the CSRF token parameter name and/or value for each request. Implementing this approach results in the generation of per-request tokens as opposed to per-session tokens. This is more secure than per-session tokens as the time range for an attacker to exploit the stolen tokens is minimal. However, this may result in usability concerns. For example, the "Back" button browser capability is often hindered as the previous page may contain a token that is no longer valid. Interaction with this previous page will result in a CSRF false positive security event at the server. Few applications that need high security typically implement this approach (such as banks). You have to check what suits your needs. Regardless of the approach taken, developers are encouraged to protect the CSRF token the same way they protect authenticated session identifiers, such as the use of TLS.<br />
<br />
'''Existing Synchronizer Implementations'''<br />
<br />
Synchronizer token defenses have been built into many frameworks, so we strongly recommend using them first when they are available. External components that add CSRF defenses to existing applications are also recommended. OWASP has the following: <br />
<br />
* For Java: OWASP [[CSRF Guard]]<br />
* For PHP and Apache: [[CSRFProtector Project]]<br />
<br />
'''Disclosure of Token in URL'''<br />
<br />
Some implementations of synchronizer tokens include the challenge token in GET (URL) requests as well as POST requests. This is often implemented as a result of sensitive server-side operations being invoked as a result of embedded links in the page or other general design patterns. These patterns are often implemented without knowledge of CSRF and an understanding of CSRF prevention design strategies. While this control does help mitigate the risk of CSRF attacks, the unique per-session token is being exposed for GET requests. CSRF tokens in GET requests are potentially leaked at several locations: browser history, log files, network appliances that make a point to log the first line of an HTTP request, and Referer headers if the protected site links to an external site. In the latter case (leaked CSRF token due to the Referer header being parsed by a linked site), it is trivially easy for the linked site to launch a CSRF attack on the protected site, and they will be able to target this attack very effectively, since the Referer header tells them the site as well as the CSRF token. The attack could be run entirely from JavaScript, so that a simple addition of a script tag to the HTML of a site can launch an attack (whether on an originally malicious site or on a hacked site). Additionally, since HTTPS requests from HTTPS contexts will not strip the Referer header (as opposed to HTTPS to HTTP requests) CSRF token leaks via Referer can still happen on HTTPS Applications.<br />
<br />
The ideal solution is to only include the CSRF token in POST requests and modify server-side actions that have state changing affect to only respond to POST requests. This is in fact what the <nowiki>RFC 2616</nowiki> requires for GET requests. If sensitive server-side actions are guaranteed to only ever respond to POST requests, then there is no need to include the token in GET requests.<br />
<br />
In most JavaEE web applications, however, HTTP method scoping is rarely ever utilized when retrieving HTTP parameters from a request. Calls to "HttpServletRequest.getParameter" will return a parameter value regardless if it was a GET or POST. This is not to say HTTP method scoping cannot be enforced. It can be achieved if a developer explicitly overrides doPost() in the HttpServlet class or leverages framework specific capabilities such as the AbstractFormController class in Spring.<br />
<br />
For these cases, attempting to retrofit this pattern in existing applications requires significant development time and cost, and as a temporary measure it may be better to pass CSRF tokens in the URL. Once the application has been fixed to respond to HTTP GET and POST verbs correctly, CSRF tokens for GET requests should be turned off.<br />
<br />
==== Encryption based Token Pattern ====<br />
The Encrypted Token Pattern leverages an encryption, rather than comparison method of Token-validation. It is most suitable for applications that do not want to maintain any state at server side. <br />
<br />
After successful authentication, the server generates a unique token comprised of the user's ID, a timestamp value and a [http://en.wikipedia.org/wiki/Cryptographic_nonce nonce], using a unique key available only on the server. This token is returned to the client and embedded in a hidden field for forms, in the request-header/parameter for AJAX requests. On receipt of this request, the server reads and decrypts the token value with the same key used to create the token. The inability to correctly decrypt suggests an intrusion attempt. Once decrypted, the UserId and timestamp contained within the token are validated; the UserId is compared against the currently logged in user, and the timestamp is compared against the current time.<br />
<br />
On successful token-decryption, the server has access to parsed values, ideally in the form of [http://en.wikipedia.org/wiki/Claims-based_identity claims]. These claims are processed by comparing the UserId claim to any potentially stored UserId (in a Cookie or Session variable, if the site already contains a means of authentication). The Timestamp is validated against the current time, preventing replay attacks. Alternatively, in the case of a CSRF attack, the server will be unable to decrypt the poisoned token, and can block and log the attack.<br />
<br />
This technique addresses some of the shortfalls in other stateless approaches, such as the need to store data in a Cookie, circumventing the Cookie-subdomain and [[HttpOnly]] issues. Your solution should use a strong encryption function. We recommend AES256-GCM or stronger.<br />
<br />
==== HMAC Based Token Pattern ====<br />
[https://en.wikipedia.org/wiki/HMAC HMAC (hash-based message authentication code)] is a cryptographic function that helps to guarantee integrity and authentication of a message. HMAC Tokens can be used as a CSRF mitigation technique without requiring server side state. It is similar to the encryption token-based pattern with two main differences:<br />
* Uses a strong HMAC function instead of an encryption function to generate the token<br />
* Includes an additional field called ‘operation’ that would indicate the purpose of the operation for which you are including the CSRF token (may it be form tag/ajax call) <br />
(Ex: ‘oneclickpurchase’ (or) buy/asin=SDFH&category=2&quantity=3)<br />
<br />
'''Note:''' Fields mentioned in encryption token pattern (user's ID, a timestamp value and a nonce) are included. <br />
<br />
The operation field helps in mitigating the fact that the hash function generates the same value irrespective of multiple iterations (unlike strong encryption functions that generate different values when they are encrypted each time). So, it would help in avoiding having repeated token values across your application. Nonce field serves the same purpose as in encrypted token pattern (i.e., to avoid rare collisions due to weak cryptographic functions and acts as a defense-in-depth measure). <br />
<br />
Generate the token using HMAC including all four fields mentioned previously (user's ID, a timestamp value, nonce, and operation) and then include it in hidden fields for form tags, headers/parameters for ajax calls. Once you receive the HMAC from the client in the requests, re-generate HMAC with the same fields that you used to generate it, and then verify that the HMAC you re-generated matches the HMAC received from the client. If it does, it is a legitimate user request and if it does not, flag it as a CSRF intrusion and alert your incident response teams. Because an attacker has no visibility into the key used for generating the hash fields used in generating it, there is no way for them to re-generate it to use in forged request.<br />
<br />
Your solution should use a strong HMAC function. We recommend SHA256/512 or stronger.<br />
<br />
=== Auto CSRF Mitigation Techniques ===<br />
Though the technique of mitigating tokens is widely used (stateful with synchronizer token and stateless with encrypted/HMAC token), the major problem associated with these techniques is the human tendency to forget things at times. If a developer forgets to add the token to any state changing operation, they are making the application vulnerable to CSRF. To avoid this, you can try to automate the process of adding tokens to CSRF vulnerable resources (mentioned earlier in this document). You can achieve this by doing the following:<br />
* Write wrappers (that would auto add tokens when used) around default form tags/ajax calls and educate your developers to use those wrappers instead of standard tags. Though this approach is better than depending purely on developers to add tokens, it still is vulnerable to the issue of human tendency to forget things. [https://docs.spring.io/spring-security/site/docs/3.2.0.CI-SNAPSHOT/reference/html/csrf.html Spring Security] uses this technique to add CSRF tokens by default when a custom <form:form> tag is used, you can opt to use after verifying that its enabled and properly configured in the Spring Security version you are using.<br />
* Write a hook (that would capture the traffic and add tokens to CSRF vulnerable resources before rendering to customers) in your organizational web rendering frameworks. Because it is hard to analyze when a particular response is doing any state change (and thus needing a token), you might want to include tokens in all CSRF vulnerable resources (ex: include tokens in all POST responses). This is one recommended approach, but you need to consider the performance costs it might incur.<br />
* Get the tokens automatically added on the client side when the page is being rendered in user’s browser, with help of a client side script (this approach is used by [[CSRF Guard]]). You need to consider any possible JavaScript hijacking attacks.<br />
We recommend researching if the framework you are using has an option to achieve CSRF protection by default before trying to build your custom auto tokening system. For example, .NET has an [https://docs.microsoft.com/en-us/aspnet/core/security/anti-request-forgery?view=aspnetcore-2.1 in-built protection] that adds token to CSRF vulnerable resources. You are responsible for proper configuration (such as key management and token management) before using these in-built CSRF protections that do auto tokening to CSRF vulnerable resources.<br />
<br />
=== Stateless/Tokenless Defense Techniques ===<br />
<br />
Given the popularity of REST services (which are stateless) and the desire to implement the minimum changes required to defend against CSRF attacks, there are a couple of techniques you can rely on to verify that a request is not cross origin with minimal changes to your application. They are:<br />
<br />
* Verify presence of "X-Requested-With: XMLHttpRequest" Header and value<br />
* Verify it's NOT a "Simple HTTP Request"<br />
<br />
If these techniques don't defend every state changing endpoint in your application, you might be able to fill the gap with another stateless/tokenless technique described later: "Verifying origin with standard headers".<br />
<br />
==== X-Requested-With: XMLHttpRequest Header Verification ====<br />
<br />
This is a specific instance of the Custom Request Header Defense which is described more fully later. This HTTP headername/value is particularly attractive because most JavaScript libraries already add this header to requests they generate by default. If you have built, or plan to build, a pure AJAX/REST web app then all you have to do is verify server-side the presence of this headername/value pair on all POST requests, and you are done. If your AJAX calls don't include this (or a similar) header, you'll have to tweak your JavaScript framework to add this custom header.<br />
<br />
This defense works because JavaScript can't submit cross-origin requests and only JavaScript can add custom headers to an HTTP request.<br />
<br />
==== Not a Simple HTTP Request Verification ====<br />
<br />
A Simple HTTP Request is described, but not given this actual name, in the W3C CORS spec: [https://www.w3.org/TR/cors/#terminology]. We define a Simple HTTP Request to be a request that uses both a 'simple method' and has a 'simple header'. This W3C article defines a simple method as any of these three: GET, HEAD, POST, and also defines a simple header as one of these four: Accept, Accept-Language, Content-Language, Content-Type. However, the Content-Type header, if present, must also have a value of: application/x-www-form-urlencoded, multipart/form-data, or text/plain. It further defines, not very succinctly, at the beginning of section 7.5.1 Cross-Origin Request with Preflight - Step 1. [https://www.w3.org/TR/cors/#cross-origin-request-with-preflight-0] that a CORS preflight request is required for cross-origin requests UNLESS the request uses a simple method with simple headers. Meaning, that the ONLY cross-origin requests allowed by browsers (without requesting permission using CORS) are 'Simple HTTP Requests'.<br />
<br />
We can take advantage of this knowledge by simply verifying that all state changing requests to our application are NOT Simple HTTP Requests. And if they are not, then they can't be a CSRF attack. If you've built your application properly, then GET and HEAD requests cannot change state, so that leaves us with POSTs. If you then verify that all POST requests include a Content-Type header, whose value is either NOT any of the three allowed to go cross origin (application/x-www-form-urlencoded, multipart/form-data, or text/plain), or is an explicitly required Content-Type that is NOT one of those three, then you are all set.<br />
<br />
For example, if have a pure AJAX app that submits all of it's POST requests with Content-Types of application/xml or application/json, and you verify on the server side that all POSTs include a Content-Type with one of those two values, your app is completely defended against CSRF attacks. If your application also happens to accept other HTTP methods that do state changing things, like PUT, DELETE, etc. you don't have to do anything to defend those endpoints because browsers can't generate anything but Simple HTTP Requests cross-origin (i.e., GET, HEAD, or POST only). If you need to accept the uploading of files (multipart/form-data), explicit CSRF protection is still needed for those endpoints.<br />
<br />
Acknowledgement: This Simple HTTP Request verification technique was found in: [https://blog.jdriven.com/2014/10/stateless-spring-security-part-1-stateless-csrf-protection/], where it explicitly stated "Stateless approach 1: SWITCH TO A FULL AND PROPERLY DESIGNED JSON BASED REST API. - Single-Origin Policy only allows cross-site HEAD/GET and POSTs. POSTs may only be one of the following mime-types: application/x-www-form-urlencoded, multipart/form-data, or text/plain. Indeed no JSON! Now considering GETs should never ever trigger side-effects in any properly designed HTTP based API, this leaves it up to you to simply disallow any non-JSON POST/PUT/DELETEs and all is well."<br />
<br />
== Defense-In-Depth Techniques ==<br />
<br />
=== Verifying origin with standard headers ===<br />
This defense technique is specifically proposed in section 5.0 of [https://seclab.stanford.edu/websec/csrf/csrf.pdf Robust Defenses for Cross-Site Request Forgery]. This paper proposes the first creation of the Origin header and its use as a CSRF defense mechanism.<br />
<br />
There are two steps to this mitigation, both of which rely on examining an HTTP request header value.<br />
<br />
1. Determining the origin the request is coming from (source origin). Can be done via Origin and/or referer header.<br />
<br />
2. Determining the origin the request is going to (target origin).<br />
<br />
At server side we verify if both of them match. If they do, we accept the request as legitimate (meaning it’s the same origin request) and if they don’t, we discard the request (meaning that the request originated from cross-domain). Reliability on these headers comes from the fact that they cannot be altered programmatically (using JavaScript in an XSS) as they fall under [https://developer.mozilla.org/en-US/docs/Glossary/Forbidden_header_name forbidden headers] list (i.e., only browsers can set them).<br />
<br />
====Identifying Source Origin (via Origin/Referer header) ====<br />
'''Checking the Origin Header'''<br />
<br />
If the Origin header is present, verify that its value matches the target origin. Unlike the Referer, the Origin header will be present in HTTP requests that originate from an HTTPS URL.<br />
<br />
'''Checking the Referer Header'''<br />
<br />
If the Origin header is not present, verify the hostname in the Referer header matches the target origin. This method of CSRF mitigation is also commonly used with unauthenticated requests, such as requests made prior to establishing a session state, which is required to keep track of a synchronization token.<br />
<br />
In both cases, make sure the target origin check is strong. For example, if your site is "site.com" make sure "site.com.attacker.com" does not pass your origin check (i.e., match through the trailing/after the origin to make sure you are matching against the entire origin).<br />
<br />
If neither of these headers are present, you can either accept or block the request. We recommend '''blocking'''. Alternatively, you might want to log all such instances, monitor their use cases/behavior, and then start blocking requests only after you get enough confidence.<br />
<br />
==== Identifying the Target Origin ====<br />
You might think it’s easy to determine the target origin, but it’s frequently not. The first thought is to simply grab the target origin (i.e., its hostname and port #) from the URL in the request. However, the application server is frequently sitting behind one or more proxies and the original URL is different from the URL the app server actually receives. If your application server is directly accessed by its users, then using the origin in the URL is fine and you're all set.<br />
<br />
If you are behind a proxy, there are a number of options to consider.<br />
* '''Configure your application to simply know its target origin:''' It’s your application, so you can find its target origin and set that value in some server configuration entry. This would be the most secure approach as its defined server side, so it is a trusted value. However, this might be problematic to maintain if your application is deployed in many places, e.g., dev, test, QA, production, and possibly multiple production instances. Setting the correct value for each of these situations might be difficult, but if you can do it via some central configuration and providing your instances to grab value from it, that's great! ('''Note:''' Make sure the centralized configuration store is maintained securely because major part of your CSRF defense depends on it.)<br />
<br />
* '''Use the Host header value:''' If you prefer that the application find its own target so it doesn't have to be configured for each deployed instance, we recommend using the Host family of headers. The Host header's purpose is to contain the target origin of the request. But, if your app server is sitting behind a proxy, the Host header value is most likely changed by the proxy to the target origin of the URL behind the proxy, which is different than the original URL. This modified Host header origin won't match the source origin in the original Origin or Referer headers.<br />
<br />
* '''Use the X-Forwarded-Host header value:''' To avoid the issue of proxy altering the host header, there is another header called X-Forwarded-Host, whose purpose is to contain the original Host header value the proxy received. Most proxies will pass along the original Host header value in the X-Forwarded-Host header. So that header value is likely to be the target origin value you need to compare to the source origin in the Origin or Referer header.<br />
<br />
This mitigation in earlier versions of the CSRF Cheat Sheet is treated as a primary defense. For reasons mentioned below, it is now moved to the Defense-in-Depth section.<br />
<br />
As it’s implicit, this mitigation would work properly when origin or referer headers are present in the requests. Though these headers are included '''majority''' of the time, there are few use cases where they are not included (most of them are for legitimate reasons to safeguard users privacy/to tune to browsers ecosystem). The following lists some use cases:<br />
* Internet Explorer 11 does not add the Origin header on a CORS request across sites of a trusted zone. The Referer header will remain the only indication of the UI origin. See the following references in stackoverflow [https://stackoverflow.com/questions/20784209/internet-explorer-11-does-not-add-the-origin-header-on-a-cors-request here] and [https://github.com/silverstripe/silverstripe-graphql/issues/118 here].<br />
* In an instance following a [https://stackoverflow.com/questions/22397072/are-there-any-browsers-that-set-the-origin-header-to-null-for-privacy-sensitiv 302 redirect cross-origin], Origin is not included in the redirected request because that may be considered sensitive information that should not be sent to the other origin.<br />
* There are some [https://wiki.mozilla.org/Security/Origin#Privacy-Sensitive_Contexts privacy contexts] where Origin is set to “null” For example, see the following [https://www.google.com/search?q=origin+header+sent+null+value+site%3Astackoverflow.com&oq=origin+header+sent+null+value+site%3Astackoverflow.com here].<br />
* Origin header is included for all cross origin requests but for same origin requests, in most browsers it is only included in POST/DELETE/PUT '''Note:''' Although it is not ideal, many developers use GET requests to do state changing operations.<br />
* Referer header is no exception. There are multiple use cases where referer header is omitted as well ([https://stackoverflow.com/questions/6880659/in-what-cases-will-http-referer-be-empty <nowiki>[1]</nowiki>], [https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referer <nowiki>[2]</nowiki>], [https://en.wikipedia.org/wiki/HTTP_referer#Referer_hiding <nowiki>[3]</nowiki>], [https://seclab.stanford.edu/websec/csrf/csrf.pdf <nowiki>[4]</nowiki>] and [https://www.google.com/search?q=referer+header+sent+null+value+site:stackoverflow.com <nowiki>[5]</nowiki>]). Load balancers, proxies and embedded network devices are also well known to strip the referer header due to privacy reasons in logging them.<br />
<br />
Though exceptions can be written for above cases in your source and target origin check logic, there is currently no central repository (even there is one, keeping it up-to-date is a problem) that references all such use cases. Each browser might also handle these use cases differently (browsers are known to handle things differently considering their ecosystem. IE example of not sending origin header within trusted zone is such example). Rejecting requests that do not contain origin and/or referer headers might sound like a good idea but it can impact legitimate users. Keeping this system in monitoring mode and trying to investigate use cases such as stated above, then adding them into exception logic is a process that you may consider to make this defense more stable in your environment.<br />
<br />
This CSRF defense relies on browser behavior that can change at times. For example, when new privacy contexts are discovered, under which situations you have to keep your validation logic updated, where as in token based mitigation, you have full control on the CSRF mitigation. If browsers alter CSRF tokens, they are literally changing the HTML content on rendering pages (which no browser would ever want to do!).<br />
<br />
When there is an XSS vulnerability on a page of an application protected with Origin and/or Referer header, the level of effort required to exploit state changing operations (that are typically vulnerable to CSRF) on other pages is very easy (grab the parameters and forge a request, as Origin and Referer header is included by default by browsers) than compared to token based mitigation (where attacker needs to download the target page, parse the DOM for the token, construct a forge request, and send it to server).<br />
<br />
'''Note:''' Although the concept of an origin header stemmed from [https://seclab.stanford.edu/websec/csrf/csrf.pdf the Stanford CSRF] paper that references robust CSRF defenses, the initial [https://tools.ietf.org/html/rfc6454 origin header RFC] does not reference mitigating CSRF in any way (another [https://tools.ietf.org/id/draft-abarth-origin-03.html draft version] does, however).<br />
<br />
=== Double Submit Cookie ===<br />
If maintaining the state for CSRF token at server side is problematic, an alternative defense is to use the double submit cookie technique. This technique is easy to implement and is stateless. In this technique, we send a random value in both a cookie and as a request parameter, with the server verifying if the cookie value and request value match. When a user visits (even before authenticating to prevent login CSRF), the site should generate a (cryptographically strong) pseudorandom value and set it as a cookie on the user's machine separate from the session identifier. The site then requires that every transaction request include this pseudorandom value as a hidden form value (or other request parameter/header). If both of them match at server side, the server accepts it as legitimate request and if they don’t, it would reject the request.<br />
<br />
There’s a belief that this technique would work because a cross origin attacker cannot read any data sent from the server or modify cookie values, per the same-origin policy. This means that while an attacker can force a victim to send any value with a malicious CSRF request, the attacker will be unable to modify or read the value stored in the cookie (with which the server compares the token value).<br />
<br />
There are a couple of drawbacks associated with the assumptions made here. The problem of "trusting of sub domains and proper configuration of whole site in general to accept HTTPS connections only". The [https://media.blackhat.com/eu-13/briefings/Lundeen/bh-eu-13-deputies-still-confused-lundeen-wp.pdf Blackhat talk] by Rich Lundeen references these drawbacks.<br />
<br />
"''With double submit, if an attacker can write a cookie they can obviously defeat the protection. And again, writing cookies is significantly easier then reading them. The fact that cookies can be written is difficult for many people to understand. After all, doesn't the same origin policy specify that one domain cannot access cookies from another domain? However, there are two common scenarios where writing cookies across domains is possible:''<br />
<br />
''a) While it's true that hellokitty.marketing.example.com cannot read cookies or access the DOM from secure.example.com because of the same origin policy, hellokitty.marketing.example.com can write cookies to the parent domain (example.com), and these cookies are then consumed by secure.example.com (secure.example.com has no good way to distinguish which site set the cookie). Additionally, there are methods of forcing secure.example.com to always accept your cookie first. What this means is that XSS in hellokitty.marketing.example.com is able to overwrite cookies in secure.example.com.''<br />
<br />
''b) If an attacker is in the middle, they can usually force a request to the same domain over HTTP. If an application is hosted at <nowiki>https://secure.example.com</nowiki>, even if the cookies are set with the secure flag, a man in the middle can force connections to <nowiki>http://secure.example.com</nowiki> and set (overwrite) any arbitrary cookies (even though the secure flag prevents the attacker from reading those cookies). Even if the HSTS header is set on the server and the browser visiting the site supports HSTS (this would prevent a man in the middle from forcing plain text HTTP requests) unless the HSTS header is set in a way that includes all subdomains, a man in the middle can simply force a request to a separate subdomain and overwrite cookies similar to 1. In other words, as long as <nowiki>http://hellokitty.marketing.example.com</nowiki> doesn't force HTTPS, then an attacker can overwrite cookies on any example.com subdomain.''"<br />
<br />
So, unless you are sure that your subdomains are fully secured and only accept HTTPS connections (we believe it’s difficult to guarantee at large enterprises), you should not rely on the Double Submit Cookie technique as a primary mitigation for CSRF.<br />
<br />
A variant of double submit cookie that can mitigate both the risks mentioned above is including the token in an encrypted cookie - often within the authentication cookie - and then at the server side matching it (after decrypting the authentication cookie) with the token in hidden form field or parameter/header for ajax calls. This works because a sub domain has no way to over-write an properly crafted encrypted cookie without the necessary information such as encryption key.<br />
<br />
=== SameSite Cookie Attribute ===<br />
SameSite is a cookie attribute (similar to [[HttpOnly]], Secure etc.) introduced by Google to mitigate CSRF attacks. It is defined in [https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-02#section-5.3.7 this] Internet Draft. This attribute helps in preventing the browser from sending cookies along with cross-site requests. Possible values for this attribute are lax or strict.<br />
<br />
The strict value will prevent the cookie from being sent by the browser to the target site in all cross-site browsing context, even when following a regular link. For example, for a GitHub-like website this would mean that if a logged-in user follows a link to a private GitHub project posted on a corporate discussion forum or email, GitHub will not receive the session cookie and the user will not be able to access the project. A bank website however most likely doesn't want to allow any transactional pages to be linked from external sites, so the strict flag would be most appropriate.<br />
<br />
The default lax value provides a reasonable balance between security and usability for websites that want to maintain user's logged-in session after the user arrives from an external link. In the above GitHub scenario, the session cookie would be allowed when following a regular link from an external website while blocking it in CSRF-prone request methods such as POST. Only cross-site requests that are allowed in lax mode are the ones that have top-level navigations and are also “safe” HTTP methods (more details [https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-02#section-5.3.7.1 here]).<br />
<br />
Example of cookies using this attribute:<br />
<br />
<pre><br />
Set-Cookie: JSESSIONID=xxxxx; SameSite=Strict<br />
Set-Cookie: JSESSIONID=xxxxx; SameSite=Lax<br />
</pre><br />
<br />
Support for this attribute in different browsers is increasing but there are still browsers that need to adopt this. As of August 2018, SameSite attribute is on browsers used by 68.92% of Internet users (detailed statistics are [https://caniuse.com/#feat=same-site-cookie-attribute here]).<br />
<br />
Though this technique seems to be efficient in mitigating CSRF attacks, it is still in early stages (in [https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-02#section-5.3.7 draft]) and does not have full browser support as mentioned above. Google’s [https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-02#section-5.3.7 draft] also mentions a couple cases where forged requests can be simulated by attackers as same-site requests (and thus allowing to send SameSite cookies).<br />
<br />
Considering the factors above, it is not recommended to be used as a primary defense. Google agrees with this stance and strongly encourages developers to deploy server-side defenses such as tokens to mitigate CSRF more fully.<br />
<br />
=== Use of Custom Request Headers ===<br />
<br />
Adding CSRF tokens, a double submit cookie and value, encrypted token, or other defense that involves changing the UI can frequently be complex or otherwise problematic. An alternate defense that is particularly well suited for AJAX/XHR endpoints is the use of a custom request header. This defense relies on the [https://en.wikipedia.org/wiki/Same-origin_policy same-origin policy (SOP)] restriction that only JavaScript can be used to add a custom header, and only within its origin. By default, browsers do not allow JavaScript to make cross origin requests.<br />
<br />
A particularly attractive custom header and value to use is “X-Requested-With: XMLHttpRequest” because most JavaScript libraries already add this header to requests they generate by default. However, some do not. For example, AngularJS used to, but does not anymore. For more information, see [https://github.com/angular/angular.js/commit/3a75b1124d062f64093a90b26630938558909e8d their rationale] and how to add it back.<br />
<br />
If this is the case for your system, you can simply verify the presence of this header and value on all your server side AJAX endpoints in order to protect against CSRF attacks. This approach has the double advantage of usually requiring no UI changes and not introducing any server side state, which is particularly attractive to REST services. You can always add your own custom header and value if that is preferred.<br />
<br />
This defense technique is specifically discussed in section 4.3 of [https://seclab.stanford.edu/websec/csrf/csrf.pdf Robust Defenses for Cross-Site Request Forgery]. However, bypasses of this defense using Flash were documented as early as 2008 and again as recently as 2015 by Mathias Karlsson to [https://hackerone.com/reports/44146 exploit a CSRF flaw in Vimeo]. A Flash attack can't spoof the Origin or Referer headers, so by checking both of them we believe this combination of checks should prevent Flash bypass CSRF attacks (if any comes up in future). <br />
<br />
Besides any possible future bypasses such as Flash, using a static header will make it easy to exploit other state changing operations in the application (similar to the previous explanation on why ease of exploitation is easier in origin/referer header check than token based mitigation). Including a random token instead of static header value is more or less equal to the token based approach described in the Primary Defenses section. Developers also need to consider that if you are using this approach in an application with both Ajax calls and form tags, this technique would only help Ajax calls in protecting from CSRF and you would still need protect <form> tags with approaches described in this document such as tokens. Setting custom headers on form tags is not possible directly. Also, CORS configuration should also be robust to make this solution work effectively (as custom headers for requests coming from other domains trigger a pre-flight CORS check).<br />
<br />
=== User Interaction Based CSRF Defense ===<br />
<br />
While all the techniques referenced here do not require any user interaction, sometimes it’s easier or more appropriate to involve the user in the transaction to prevent unauthorized operations (forged via CSRF or otherwise). The following are some examples of techniques that can act as strong CSRF defense when implemented correctly.<br />
* Re-Authentication (password or stronger)<br />
* One-time Token<br />
* CAPTCHA<br />
While these are a very strong CSRF defense, it does create a huge impact on the user experience. For applications that are in need of high security for some operations (password change, money transfer etc.), these techniques should be used along with token based mitigation. Please note that tokens by themselves can mitigate CSRF, developers should use these techniques only to achieve additional security for their high sensitive operations.<br />
<br />
=== Login CSRF ===<br />
Most developers tend to ignore CSRF vulnerability on login forms as they assume that CSRF would not be applicable on login forms because user is not authenticated at that stage. That assumption is false. CSRF vulnerability can still occur on login forms where the user is not authenticated, but the impact/risk view for it is quite different from the impact/risk view of a general CSRF vulnerability (when a user is authenticated).<br />
<br />
With a CSRF vulnerability on login form, an attacker can make a victim login to the attacker's account and learn behavior from the victim's searches. For more information about login CSRF and other risks, see section 3 of [https://seclab.stanford.edu/websec/csrf/csrf.pdf the Stanford CSRF] paper.<br />
<br />
Login CSRF can be mitigated by creating pre-sessions (sessions before a user is authenticated) and including tokens in login form. You can use any of the techniques mentioned above to generate tokens. Pre-sessions can be transitioned to real sessions once the user is authenticated. This technique is described in [https://seclab.stanford.edu/websec/csrf/csrf.pdf Robust Defenses for Cross-Site Request Forgery section 4.1].<br />
<br />
If sub-domains under your master domain are treated as not trusted in your threat model, it is difficult to mitigate login CSRF. A strict subdomain and path level referer header (because most login pages are served on HTTPS - no stripping of referer - and are also linked from home pages) validation (detailed in section 6.1) can be used in these cases for mitigating CSRF on login forms to an extent.<br />
<br />
== Not So Popular CSRF Mitigations ==<br />
<br />
=== Triple Submit Cookie ===<br />
This mitigation is proposed by [https://www.owasp.org/images/e/e6/AppSecEU2012_Wilander.pdf John Wilander in 2012 at OWASP Appsec Research]. This technique adds an additional step to double submit cookie approach by verifying if the request contains two cookies with same name (please note, attacker need to write an additional cookie to bypass double submit cookie mitigation). Though it mitigates the issues discussed in bypass of double submit cookie, it introduces new problems such as cookie jar overflow (in-details and more issue details [https://media.blackhat.com/eu-13/briefings/Lundeen/bh-eu-13-deputies-still-confused-lundeen-wp.pdf here] and [https://webstersprodigy.net/2012/08/03/analysis-of-john-wilanders-triple-submit-cookies/ here]). We were not able to find any real-time implementations of this mitigation so far.<br />
<br />
=== Content-Type Header Validation ===<br />
This technique is better known than the triple submit cookie mitigation. In first place, this header is not designed for security (initial RFC [https://tools.ietf.org/html/rfc1049 here] and later well-defined in [https://www.ietf.org/rfc/rfc2045.txt this] RFC) but only to let receiving agents know the type of data they would be handling, so that they can invoke corresponding parsers. The pre-flighting behavior of this header (pre-flight if header has value other than application/x-www-form-urlencoded, multipart/form-data, or text/plain) is what treated as a CSRF mitigation and thus forcing all requests to have a header value that would force a pre-flight (such as application/json. Server side can reject cross-origin requests with CORS/SOP during this pre-flight).<br />
<br />
This approach has two main problems. One that it would mandate all requests to have a header value that would force pre-flight despite the real use case and the other that this technique is relying on a feature that is not designed for security, to mitigate a security vulnerability. When a bug was discovered in the Chrome API, browser architects even considered to removing this pre-flighting behavior. Because this header was not designed as a security control, architects can re-design it to better cater its primary purpose. In the future, there’s a possibility that new content-type header types can be included (to better support various use-cases), which can put systems relying on this header for CSRF mitigation in trouble. For more information, see [https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2017/september/common-csrf-prevention-misconceptions/ Common CSRF Prevention Misconceptions].<br />
<br />
== CSRF Mitigation Myths ==<br />
The following shows techniques presumed to be CSRF mitigations but none of them fully/actually mitigates a CSRF vulnerability.<br />
* '''CORS''': CORS is a header designed to relax Same-Origin-Policy when cross-origin communication between sites is required. It is not designed, nor prevents CSRF attacks.<br />
* '''Using HTTPS''': Using HTTPS has nothing to do with the protection from CSRF attacks. Resources that are under HTTPS are still vulnerable to CSRF if proper CSRF mitigations described above are not included.<br />
* More myths can be found [[Cross-Site Request Forgery (CSRF)|here]]<br />
<br />
== Implementation reference example ==<br />
The following JEE web filter provides an example reference for some of the concepts described in this cheat sheet. It implements the following stateless mitigations ([https://github.com/aramrami/OWASP-CSRFGuard OWASP CSRFGuard], cover a stateful approach).<br />
* Verifying same origin with standard headers<br />
* Double submit cookie<br />
* SameSite cookie attribute<br />
'''Please note''' that it only acts a reference sample and is not complete (for example: it doesn’t have a block to direct the control flow when origin and referer header check succeeds nor it has a port/host/protocol level validation for referer header). Developers are recommended to build their complete mitigation on top of this reference sample. Developers should also implement standard authentication or authorization checks before checking for CSRF.<br />
<br />
Source is also located [https://github.com/righettod/poc-csrf here] and provides a runnable POC.<br />
<br />
<syntaxhighlight lang="java"><br />
import org.slf4j.Logger;<br />
import org.slf4j.LoggerFactory;<br />
<br />
import javax.servlet.Filter;<br />
import javax.servlet.FilterChain;<br />
import javax.servlet.FilterConfig;<br />
import javax.servlet.ServletException;<br />
import javax.servlet.ServletRequest;<br />
import javax.servlet.ServletResponse;<br />
import javax.servlet.annotation.WebFilter;<br />
import javax.servlet.http.Cookie;<br />
import javax.servlet.http.HttpServletRequest;<br />
import javax.servlet.http.HttpServletResponse;<br />
import javax.servlet.http.HttpServletResponseWrapper;<br />
import javax.xml.bind.DatatypeConverter;<br />
import java.io.IOException;<br />
import java.net.MalformedURLException;<br />
import java.net.URL;<br />
import java.security.SecureRandom;<br />
import java.util.Arrays;<br />
<br />
/**<br />
* Filter in charge of validating each incoming HTTP request about Headers and CSRF token.<br />
* It is called for all requests to backend destination.<br />
*<br />
* We use the approach in which:<br />
* - The CSRF token is changed after each valid HTTP exchange<br />
* - The custom Header name for the CSRF token transmission is fixed<br />
* - A CSRF token is associated to a backend service URI in order to enable the support for multiple parallel Ajax request from the same application<br />
* - The CSRF cookie name is the backend service name prefixed with a fixed prefix<br />
*<br />
* Here for the POC we show the "access denied" reason in the response but in production code only return a generic message !<br />
*<br />
* @see "https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet"<br />
* @see "https://wiki.mozilla.org/Security/Origin"<br />
* @see "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie"<br />
* @see "https://chloe.re/2016/04/13/goodbye-csrf-samesite-to-the-rescue/"<br />
*/<br />
@WebFilter("/backend/*")<br />
public class CSRFValidationFilter implements Filter {<br />
<br />
/**<br />
* JVM param name used to define the target origin<br />
*/<br />
public static final String TARGET_ORIGIN_JVM_PARAM_NAME = "target.origin";<br />
<br />
/**<br />
* Name of the custom HTTP header used to transmit the CSRF token and also to prefix <br />
* the CSRF cookie for the expected backend service<br />
*/<br />
private static final String CSRF_TOKEN_NAME = "X-TOKEN";<br />
<br />
/**<br />
* Logger<br />
*/<br />
private static final Logger LOG = LoggerFactory.getLogger(CSRFValidationFilter.class);<br />
<br />
/**<br />
* Application expected deployment domain: named "Target Origin" in OWASP CSRF article<br />
*/<br />
private URL targetOrigin;<br />
<br />
/***<br />
* Secure generator<br />
*/<br />
private final SecureRandom secureRandom = new SecureRandom();<br />
<br />
<br />
/**<br />
* {@inheritDoc}<br />
*/<br />
@Override<br />
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {<br />
HttpServletRequest httpReq = (HttpServletRequest) request;<br />
HttpServletResponse httpResp = (HttpServletResponse) response;<br />
String accessDeniedReason;<br />
<br />
/* STEP 1: Verifying Same Origin with Standard Headers */<br />
//Try to get the source from the "Origin" header<br />
String source = httpReq.getHeader("Origin");<br />
if (this.isBlank(source)) {<br />
//If empty then fallback on "Referer" header<br />
source = httpReq.getHeader("Referer");<br />
//If this one is empty too then we trace the event and we block the request (recommendation of the article)...<br />
if (this.isBlank(source)) {<br />
accessDeniedReason = "CSRFValidationFilter: ORIGIN and REFERER request headers are both absent/empty so we block the request !";<br />
LOG.warn(accessDeniedReason);<br />
httpResp.sendError(HttpServletResponse.SC_FORBIDDEN, accessDeniedReason);<br />
return;<br />
}<br />
}<br />
<br />
//Compare the source against the expected target origin<br />
URL sourceURL = new URL(source);<br />
if (!this.targetOrigin.getProtocol().equals(sourceURL.getProtocol()) || !this.targetOrigin.getHost().equals(sourceURL.getHost()) <br />
|| this.targetOrigin.getPort() != sourceURL.getPort()) {<br />
//One the part do not match so we trace the event and we block the request<br />
accessDeniedReason = String.format("CSRFValidationFilter: Protocol/Host/Port do not fully matches so we block the request! (%s != %s) ", <br />
this.targetOrigin, sourceURL);<br />
LOG.warn(accessDeniedReason);<br />
httpResp.sendError(HttpServletResponse.SC_FORBIDDEN, accessDeniedReason);<br />
return;<br />
}<br />
<br />
/* STEP 2: Verifying CSRF token using "Double Submit Cookie" approach */<br />
//If CSRF token cookie is absent from the request then we provide one in response but we stop the process at this stage.<br />
//Using this way we implement the first providing of token<br />
Cookie tokenCookie = null;<br />
if (httpReq.getCookies() != null) {<br />
String csrfCookieExpectedName = this.determineCookieName(httpReq);<br />
tokenCookie = Arrays.stream(httpReq.getCookies()).filter(c -> c.getName().equals(csrfCookieExpectedName)).findFirst().orElse(null);<br />
}<br />
if (tokenCookie == null || this.isBlank(tokenCookie.getValue())) {<br />
LOG.info("CSRFValidationFilter: CSRF cookie absent or value is null/empty so we provide one and return an HTTP NO_CONTENT response !");<br />
//Add the CSRF token cookie and header<br />
this.addTokenCookieAndHeader(httpReq, httpResp);<br />
//Set response state to "204 No Content" in order to allow the requester to clearly identify an initial response providing the initial CSRF token<br />
httpResp.setStatus(HttpServletResponse.SC_NO_CONTENT);<br />
} else {<br />
//If the cookie is present then we pass to validation phase<br />
//Get token from the custom HTTP header (part under control of the requester)<br />
String tokenFromHeader = httpReq.getHeader(CSRF_TOKEN_NAME);<br />
//If empty then we trace the event and we block the request<br />
if (this.isBlank(tokenFromHeader)) {<br />
accessDeniedReason = "CSRFValidationFilter: Token provided via HTTP Header is absent/empty so we block the request !";<br />
LOG.warn(accessDeniedReason);<br />
httpResp.sendError(HttpServletResponse.SC_FORBIDDEN, accessDeniedReason);<br />
} else if (!tokenFromHeader.equals(tokenCookie.getValue())) {<br />
//Verify that token from header and one from cookie are the same<br />
//Here is not the case so we trace the event and we block the request<br />
accessDeniedReason = "CSRFValidationFilter: Token provided via HTTP Header and via Cookie are not equals so we block the request !";<br />
LOG.warn(accessDeniedReason);<br />
httpResp.sendError(HttpServletResponse.SC_FORBIDDEN, accessDeniedReason);<br />
} else {<br />
//Verify that token from header and one from cookie matches<br />
//Here is the case so we let the request reach the target component (ServiceServlet, jsp...) and add a new token when we get back the bucket<br />
HttpServletResponseWrapper httpRespWrapper = new HttpServletResponseWrapper(httpResp);<br />
chain.doFilter(request, httpRespWrapper);<br />
//Add the CSRF token cookie and header<br />
this.addTokenCookieAndHeader(httpReq, httpRespWrapper);<br />
}<br />
}<br />
}<br />
<br />
/**<br />
* {@inheritDoc}<br />
*/<br />
@Override<br />
public void init(FilterConfig filterConfig) throws ServletException {<br />
//To easier the configuration, we load the target expected origin from an JVM property<br />
//Reconfiguration only require an application restart that is generally acceptable<br />
try {<br />
this.targetOrigin = new URL(System.getProperty(TARGET_ORIGIN_JVM_PARAM_NAME));<br />
} catch (MalformedURLException e) {<br />
LOG.error("Cannot init the filter !", e);<br />
throw new ServletException(e);<br />
}<br />
LOG.info("CSRFValidationFilter: Filter init, set expected target origin to '{}'.", this.targetOrigin);<br />
}<br />
<br />
/**<br />
* {@inheritDoc}<br />
*/<br />
@Override<br />
public void destroy() {<br />
LOG.info("CSRFValidationFilter: Filter shutdown");<br />
}<br />
<br />
/**<br />
* Check if a string is null or empty (including containing only spaces)<br />
*<br />
* @param s Source string<br />
* @return TRUE if source string is null or empty (including containing only spaces)<br />
*/<br />
private boolean isBlank(String s) {<br />
return s == null || s.trim().isEmpty();<br />
}<br />
<br />
/**<br />
* Generate a new CSRF token<br />
*<br />
* @return The token a string<br />
*/<br />
private String generateToken() {<br />
byte[] buffer = new byte[50];<br />
this.secureRandom.nextBytes(buffer);<br />
return DatatypeConverter.printHexBinary(buffer);<br />
}<br />
<br />
/**<br />
* Determine the name of the CSRF cookie for the targeted backend service<br />
*<br />
* @param httpRequest Source HTTP request<br />
* @return The name of the cookie as a string<br />
*/<br />
private String determineCookieName(HttpServletRequest httpRequest) {<br />
String backendServiceName = httpRequest.getRequestURI().replaceAll("/", "-");<br />
return CSRF_TOKEN_NAME + "-" + backendServiceName;<br />
}<br />
<br />
/**<br />
* Add the CSRF token cookie and header to the provided HTTP response object<br />
*<br />
* @param httpRequest Source HTTP request<br />
* @param httpResponse HTTP response object to update<br />
*/<br />
private void addTokenCookieAndHeader(HttpServletRequest httpRequest, HttpServletResponse httpResponse) {<br />
//Get new token<br />
String token = this.generateToken();<br />
//Add cookie manually because the current Cookie class implementation do not support the "SameSite" attribute<br />
//We let the adding of the "Secure" cookie attribute to the reverse proxy rewriting...<br />
//Here we lock the cookie from JS access and we use the SameSite new attribute protection<br />
String cookieSpec = String.format("%s=%s; Path=%s; HttpOnly; SameSite=Strict", this.determineCookieName(httpRequest), token, httpRequest.getRequestURI());<br />
httpResponse.addHeader("Set-Cookie", cookieSpec);<br />
//Add cookie header to give access to the token to the JS code<br />
httpResponse.setHeader(CSRF_TOKEN_NAME, token);<br />
}<br />
}<br />
</syntaxhighlight><br />
<br />
== Authors and Primary Editors ==<br />
Manideep Konakandla (Amazon Application Security Team) - http://www.manideepk.com<br />
<br />
Dave Wichers - dave.wichers[at]owasp.org<br />
<br />
Paul Petefish - https://www.linkedin.com/in/paulpetefish<br />
<br />
Eric Sheridan - eric.sheridan[at]owasp.org<br />
<br />
Dominique Righetto - dominique.righetto[at]owasp.org<br /><br />
<br />
== Other Cheat Sheets ==<br />
{{Cheatsheet_Navigation_Body}}<br />
<br />
|}<br />
<br />
[[Category:Cheatsheets]]<br />
[[Category:Popular]]</div>Wichershttps://wiki.owasp.org/index.php?title=Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet&diff=247193Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet2019-02-06T21:36:24Z<p>Wichers: Eliminate some unnecessary content, move some later in the article.</p>
<hr />
<div> __NOTOC__<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Cheatsheets-header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}''' <br />
<br />
__TOC__{{TOC hidden}}<br />
<br />
== Introduction ==<br />
[[Cross-Site Request Forgery (CSRF)]] is a type of attack that occurs when a malicious web site, email, blog, instant message, or program causes a user’s web browser to perform an unwanted action on a trusted site when the user is authenticated. A CSRF attack works because browser requests automatically include any credentials associated with the site, such as the user's session cookie, IP address, etc. Therefore, if the user is authenticated to the site, the site cannot distinguish between the forged or legitimate request sent by the victim. We would need a token/identifier that is not accessible to attacker and would not be sent along (like cookies) with forged requests that attacker initiates. For more information on CSRF, see OWASP [[Cross-Site Request Forgery (CSRF)|Cross-Site Request Forgery (CSRF) page]].<br />
<br />
The impact of a successful CSRF attack is limited to the capabilities exposed by the vulnerable application. For example, this attack could result in a transfer of funds, changing a password, or making a purchase with the user’s credentials. In effect, CSRF attacks are used by an attacker to make a target system perform a function via the target's browser, without the user’s knowledge, at least until the unauthorized transaction has been committed.<br />
<br />
Impacts of successful CSRF exploits vary greatly based on the privileges of each victim. When targeting a normal user, a successful CSRF attack can compromise end-user data and their associated functions. If the targeted end user is an administrator account, a CSRF attack can compromise the entire web application. Using social engineering, an attacker can embed malicious HTML or JavaScript code into an email or website to request a specific 'task URL'. The task then executes with or without the user's knowledge, either directly or by using a Cross-Site Scripting flaw. For example, see [https://en.wikipedia.org/wiki/Samy_(computer_worm) Samy MySpace Worm].<br />
<br />
==Warning: No Cross-Site Scripting (XSS) Vulnerabilities ==<br />
[[Cross-Site Scripting]] is not necessary for CSRF to work. However, any cross-site scripting vulnerability can be used to defeat all CSRF mitigation techniques available in the market today (except mitigation techniques that involve user interaction and described later in this cheat sheet). This is because an XSS payload can simply read any page on the site using an XMLHttpRequest (direct DOM access can be done, if on same page) and obtain the generated token from the response, and include that token with a forged request. This technique is exactly how the [https://en.wikipedia.org/wiki/Samy_(computer_worm) MySpace (Samy) worm] defeated MySpace's anti-CSRF defenses in 2005, which enabled the worm to propagate.<br />
<br />
It is imperative that no XSS vulnerabilities are present to ensure that CSRF defenses can't be circumvented. Please see the OWASP [[XSS (Cross Site Scripting) Prevention Cheat Sheet|XSS Prevention Cheat Sheet]] for detailed guidance on how to prevent XSS flaws. <br />
<br />
== Resources that need to be protected from CSRF attacks ==<br />
The following list assumes that you are not violating [http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.1.1 RFC2616], section 9.1.1, by using GET requests for state changing operations. <br />
<br />
'''Note:''' If for any reason you violate, you would also need to protect those resources, which is mostly achieved with default <code>form tag [GET method]</code>, <code>href</code>, and <code>src</code> attributes. <br />
<br />
* Form tags with POST <br />
* Ajax/XHR calls<br />
<br />
== CSRF Defense Recommendations Summary ==<br />
We recommend token based CSRF defense (either stateful/stateless) as a primary defense to mitigate CSRF in your applications. For highly sensitive operations, we also recommend user interaction based protection (either re-authentication/one-time token, detailed in sectio 6.5) along with token based mitigation.<br />
<br />
As a defense-in-depth measure, consider implementing one mitigation from the Defense-in-Depth Techniques section (you can choose the mitigation that fits your ecosystem considering the issues mentioned under them). These defense-in-depth mitigation techniques are not recommended to be used by themselves (without token based mitigation) for mitigating CSRF in your applications.<br />
<br />
== Primary Defense Techniques ==<br />
<br />
=== Token Based Mitigation ===<br />
This defense is one the most popular and recommended methods to mitigate CSRF. It can be achieved either with state (synchronizer token pattern) or stateless (encrypted/hash based token pattern). For all the mitigation's, it is implicit that general security principles should be adhered.<br />
* Strict key rotation and token lifetime policies should be maintained. Policies can be set according to your organizational needs. Generic key management guidance from OWASP can be found in the [[Key Management Cheat Sheet]].<br />
<br />
==== Synchronizer Token Pattern ====<br />
Any state changing operation requires a secure random token (e.g., CSRF token) to prevent CSRF attacks. A CSRF token should be unique per user session, large random value, and also generated by a cryptographically secure random number generator. The CSRF token is added as a hidden field for forms headers/parameters for AJAX calls, and within the URL if the state changing operation occurs via a GET. See "Disclosure of Token in URL" section below. The server rejects the requested action if the CSRF token fails validation.<br />
<br />
In order to facilitate a "transparent but visible" CSRF solution, developers are encouraged to adopt a pattern similar to [http://www.corej2eepatterns.com/Design/PresoDesign.htm Synchronizer Token Pattern] (The original intention of this synchronizer token pattern was to detect duplicate submissions in forms). The synchronizer token pattern requires the generation of random "challenge" tokens that are associated with the user's current session. These challenge tokens are then inserted within the HTML forms and calls associated with sensitive server-side operations. It is the responsibility of the server application to verify the existence and correctness of this token. By including a challenge token with each request, the developer has a strong control to verify that the user actually intended to submit the desired requests. Inclusion of a required security token in HTTP requests associated with sensitive business functions helps mitigate CSRF attacks as successful exploitation assumes the attacker knows the randomly generated token for the target victim's session. <br />
<br />
'''Note:''' These tokens aren’t like cookies that are automatically sent with forged requests made from your browser from the attacker website. <br />
<br />
This is analogous to the attacker being able to guess the target victim's session identifier. <br />
<br />
The following describes a general approach to incorporate challenge tokens within the request.<br />
<br />
When a Web application formulates a request, the application should include a hidden input parameter with a common name such as "CSRFToken" (for forms)/ as header/parameter value for Ajax calls. The value of this token must be randomly generated such that it cannot be guessed by an attacker. Consider leveraging the java.security.SecureRandom class for Java applications to generate a sufficiently long random token. Alternative generation algorithms include the use of 256-bit BASE64 encoded hashes. Developers that choose this generation algorithm must make sure that there is randomness and uniqueness utilized in the data that is hashed to generate the random token.<br />
<br />
<syntaxhighlight lang="html"><br />
<form action="/transfer.do" method="post"><br />
<br />
<input type="hidden" name="CSRFToken" <br />
value="OWY4NmQwODE4ODRjN2Q2NTlhMmZlYWEwYzU1YWQwMTVhM2JmNGYxYjJiMGI4MjJjZDE1ZDZMGYwMGEwOA=="><br />
...<br />
</form><br />
</syntaxhighlight><br />
<br />
In general, developers need only generate this token once for the current session. After initial generation of this token, the value is stored in the session and is used for each subsequent request until the session expires. When a request is issued by the end-user, the server-side component must verify the existence and validity of the token in the request compared to the token found in the user session. If the token was not found within the request, or the value provided does not match the value within the user session, then the request should be aborted, and the event logged as a potential CSRF attack in progress.<br />
<br />
To further enhance the security of this proposed design, consider randomizing the CSRF token parameter name and/or value for each request. Implementing this approach results in the generation of per-request tokens as opposed to per-session tokens. This is more secure than per-session tokens as the time range for an attacker to exploit the stolen tokens is minimal. However, this may result in usability concerns. For example, the "Back" button browser capability is often hindered as the previous page may contain a token that is no longer valid. Interaction with this previous page will result in a CSRF false positive security event at the server. Few applications that need high security typically implement this approach (such as banks). You have to check what suits your needs. Regardless of the approach taken, developers are encouraged to protect the CSRF token the same way they protect authenticated session identifiers, such as the use of TLS.<br />
<br />
'''Existing Synchronizer Implementations'''<br />
<br />
Synchronizer token defenses have been built into many frameworks, so we strongly recommend using them first when they are available. External components that add CSRF defenses to existing applications are also recommended. OWASP has the following: <br />
<br />
* For Java: OWASP [[CSRF Guard]]<br />
* For PHP and Apache: [[CSRFProtector Project]]<br />
<br />
'''Disclosure of Token in URL'''<br />
<br />
Some implementations of synchronizer tokens include the challenge token in GET (URL) requests as well as POST requests. This is often implemented as a result of sensitive server-side operations being invoked as a result of embedded links in the page or other general design patterns. These patterns are often implemented without knowledge of CSRF and an understanding of CSRF prevention design strategies. While this control does help mitigate the risk of CSRF attacks, the unique per-session token is being exposed for GET requests. CSRF tokens in GET requests are potentially leaked at several locations: browser history, log files, network appliances that make a point to log the first line of an HTTP request, and Referer headers if the protected site links to an external site. In the latter case (leaked CSRF token due to the Referer header being parsed by a linked site), it is trivially easy for the linked site to launch a CSRF attack on the protected site, and they will be able to target this attack very effectively, since the Referer header tells them the site as well as the CSRF token. The attack could be run entirely from JavaScript, so that a simple addition of a script tag to the HTML of a site can launch an attack (whether on an originally malicious site or on a hacked site). Additionally, since HTTPS requests from HTTPS contexts will not strip the Referer header (as opposed to HTTPS to HTTP requests) CSRF token leaks via Referer can still happen on HTTPS Applications.<br />
<br />
The ideal solution is to only include the CSRF token in POST requests and modify server-side actions that have state changing affect to only respond to POST requests. This is in fact what the <nowiki>RFC 2616</nowiki> requires for GET requests. If sensitive server-side actions are guaranteed to only ever respond to POST requests, then there is no need to include the token in GET requests.<br />
<br />
In most JavaEE web applications, however, HTTP method scoping is rarely ever utilized when retrieving HTTP parameters from a request. Calls to "HttpServletRequest.getParameter" will return a parameter value regardless if it was a GET or POST. This is not to say HTTP method scoping cannot be enforced. It can be achieved if a developer explicitly overrides doPost() in the HttpServlet class or leverages framework specific capabilities such as the AbstractFormController class in Spring.<br />
<br />
For these cases, attempting to retrofit this pattern in existing applications requires significant development time and cost, and as a temporary measure it may be better to pass CSRF tokens in the URL. Once the application has been fixed to respond to HTTP GET and POST verbs correctly, CSRF tokens for GET requests should be turned off.<br />
<br />
==== Encryption based Token Pattern ====<br />
The Encrypted Token Pattern leverages an encryption, rather than comparison method of Token-validation. It is most suitable for applications that do not want to maintain any state at server side. <br />
<br />
After successful authentication, the server generates a unique token comprised of the user's ID, a timestamp value and a [http://en.wikipedia.org/wiki/Cryptographic_nonce nonce], using a unique key available only on the server. This token is returned to the client and embedded in a hidden field for forms, in the request-header/parameter for AJAX requests. On receipt of this request, the server reads and decrypts the token value with the same key used to create the token. The inability to correctly decrypt suggests an intrusion attempt. Once decrypted, the UserId and timestamp contained within the token are validated; the UserId is compared against the currently logged in user, and the timestamp is compared against the current time.<br />
<br />
On successful token-decryption, the server has access to parsed values, ideally in the form of [http://en.wikipedia.org/wiki/Claims-based_identity claims]. These claims are processed by comparing the UserId claim to any potentially stored UserId (in a Cookie or Session variable, if the site already contains a means of authentication). The Timestamp is validated against the current time, preventing replay attacks. Alternatively, in the case of a CSRF attack, the server will be unable to decrypt the poisoned token, and can block and log the attack.<br />
<br />
This technique addresses some of the shortfalls in other stateless approaches, such as the need to store data in a Cookie, circumventing the Cookie-subdomain and [[HttpOnly]] issues. Your solution should use a strong encryption function. We recommend AES256-GCM or stronger.<br />
<br />
==== HMAC Based Token Pattern ====<br />
[https://en.wikipedia.org/wiki/HMAC HMAC (hash-based message authentication code)] is a cryptographic function that helps to guarantee integrity and authentication of a message. HMAC Tokens can be used as a CSRF mitigation technique without requiring server side state. It is similar to the encryption token-based pattern with two main differences:<br />
* Uses a strong HMAC function instead of an encryption function to generate the token<br />
* Includes an additional field called ‘operation’ that would indicate the purpose of the operation for which you are including the CSRF token (may it be form tag/ajax call) <br />
(Ex: ‘oneclickpurchase’ (or) buy/asin=SDFH&category=2&quantity=3)<br />
<br />
'''Note:''' Fields mentioned in encryption token pattern (user's ID, a timestamp value and a nonce) are included. <br />
<br />
The operation field helps in mitigating the fact that the hash function generates the same value irrespective of multiple iterations (unlike strong encryption functions that generate different values when they are encrypted each time). So, it would help in avoiding having repeated token values across your application. Nonce field serves the same purpose as in encrypted token pattern (i.e., to avoid rare collisions due to weak cryptographic functions and acts as a defense-in-depth measure). <br />
<br />
Generate the token using HMAC including all four fields mentioned previously (user's ID, a timestamp value, nonce, and operation) and then include it in hidden fields for form tags, headers/parameters for ajax calls. Once you receive the HMAC from the client in the requests, re-generate HMAC with the same fields that you used to generate it, and then verify that the HMAC you re-generated matches the HMAC received from the client. If it does, it is a legitimate user request and if it does not, flag it as a CSRF intrusion and alert your incident response teams. Because an attacker has no visibility into the key used for generating the hash fields used in generating it, there is no way for them to re-generate it to use in forged request.<br />
<br />
Your solution should use a strong HMAC function. We recommend SHA256/512 or stronger.<br />
<br />
=== Auto CSRF Mitigation Techniques ===<br />
Though the technique of mitigating tokens is widely used (stateful with synchronizer token and stateless with encrypted/HMAC token), the major problem associated with these techniques is the human tendency to forget things at times. If a developer forgets to add the token to any state changing operation, they are making the application vulnerable to CSRF. To avoid this, you can try to automate the process of adding tokens to CSRF vulnerable resources (mentioned earlier in this document). You can achieve this by doing the following:<br />
* Write wrappers (that would auto add tokens when used) around default form tags/ajax calls and educate your developers to use those wrappers instead of standard tags. Though this approach is better than depending purely on developers to add tokens, it still is vulnerable to the issue of human tendency to forget things. [https://docs.spring.io/spring-security/site/docs/3.2.0.CI-SNAPSHOT/reference/html/csrf.html Spring Security] uses this technique to add CSRF tokens by default when a custom <form:form> tag is used, you can opt to use after verifying that its enabled and properly configured in the Spring Security version you are using.<br />
* Write a hook (that would capture the traffic and add tokens to CSRF vulnerable resources before rendering to customers) in your organizational web rendering frameworks. Because it is hard to analyze when a particular response is doing any state change (and thus needing a token), you might want to include tokens in all CSRF vulnerable resources (ex: include tokens in all POST responses). This is one recommended approach, but you need to consider the performance costs it might incur.<br />
* Get the tokens automatically added on the client side when the page is being rendered in user’s browser, with help of a client side script (this approach is used by [[CSRF Guard]]). You need to consider any possible JavaScript hijacking attacks.<br />
We recommend researching if the framework you are using has an option to achieve CSRF protection by default before trying to build your custom auto tokening system. For example, .NET has an [https://docs.microsoft.com/en-us/aspnet/core/security/anti-request-forgery?view=aspnetcore-2.1 in-built protection] that adds token to CSRF vulnerable resources. You are responsible for proper configuration (such as key management and token management) before using these in-built CSRF protections that do auto tokening to CSRF vulnerable resources.<br />
<br />
== Defense-In-Depth Techniques ==<br />
<br />
=== Verifying origin with standard headers ===<br />
This defense technique is specifically proposed in section 5.0 of [https://seclab.stanford.edu/websec/csrf/csrf.pdf Robust Defenses for Cross-Site Request Forgery]. This paper proposes the first creation of the Origin header and its use as a CSRF defense mechanism.<br />
<br />
There are two steps to this mitigation, both of which rely on examining an HTTP request header value.<br />
<br />
1. Determining the origin the request is coming from (source origin). Can be done via Origin and/or referer header.<br />
<br />
2. Determining the origin the request is going to (target origin).<br />
<br />
At server side we verify if both of them match. If they do, we accept the request as legitimate (meaning it’s the same origin request) and if they don’t, we discard the request (meaning that the request originated from cross-domain). Reliability on these headers comes from the fact that they cannot be altered programmatically (using JavaScript in an XSS) as they fall under [https://developer.mozilla.org/en-US/docs/Glossary/Forbidden_header_name forbidden headers] list (i.e., only browsers can set them).<br />
<br />
====Identifying Source Origin (via Origin/Referer header) ====<br />
'''Checking the Origin Header'''<br />
<br />
If the Origin header is present, verify that its value matches the target origin. Unlike the Referer, the Origin header will be present in HTTP requests that originate from an HTTPS URL.<br />
<br />
'''Checking the Referer Header'''<br />
<br />
If the Origin header is not present, verify the hostname in the Referer header matches the target origin. This method of CSRF mitigation is also commonly used with unauthenticated requests, such as requests made prior to establishing a session state, which is required to keep track of a synchronization token.<br />
<br />
In both cases, make sure the target origin check is strong. For example, if your site is "site.com" make sure "site.com.attacker.com" does not pass your origin check (i.e., match through the trailing/after the origin to make sure you are matching against the entire origin).<br />
<br />
If neither of these headers are present, you can either accept or block the request. We recommend '''blocking'''. Alternatively, you might want to log all such instances, monitor their use cases/behavior, and then start blocking requests only after you get enough confidence.<br />
<br />
==== Identifying the Target Origin ====<br />
You might think it’s easy to determine the target origin, but it’s frequently not. The first thought is to simply grab the target origin (i.e., its hostname and port #) from the URL in the request. However, the application server is frequently sitting behind one or more proxies and the original URL is different from the URL the app server actually receives. If your application server is directly accessed by its users, then using the origin in the URL is fine and you're all set.<br />
<br />
If you are behind a proxy, there are a number of options to consider.<br />
* '''Configure your application to simply know its target origin:''' It’s your application, so you can find its target origin and set that value in some server configuration entry. This would be the most secure approach as its defined server side, so it is a trusted value. However, this might be problematic to maintain if your application is deployed in many places, e.g., dev, test, QA, production, and possibly multiple production instances. Setting the correct value for each of these situations might be difficult, but if you can do it via some central configuration and providing your instances to grab value from it, that's great! ('''Note:''' Make sure the centralized configuration store is maintained securely because major part of your CSRF defense depends on it.)<br />
<br />
* '''Use the Host header value:''' If you prefer that the application find its own target so it doesn't have to be configured for each deployed instance, we recommend using the Host family of headers. The Host header's purpose is to contain the target origin of the request. But, if your app server is sitting behind a proxy, the Host header value is most likely changed by the proxy to the target origin of the URL behind the proxy, which is different than the original URL. This modified Host header origin won't match the source origin in the original Origin or Referer headers.<br />
<br />
* '''Use the X-Forwarded-Host header value:''' To avoid the issue of proxy altering the host header, there is another header called X-Forwarded-Host, whose purpose is to contain the original Host header value the proxy received. Most proxies will pass along the original Host header value in the X-Forwarded-Host header. So that header value is likely to be the target origin value you need to compare to the source origin in the Origin or Referer header.<br />
<br />
This mitigation in earlier versions of the CSRF Cheat Sheet is treated as a primary defense. For reasons mentioned below, it is now moved to the Defense-in-Depth section.<br />
<br />
As it’s implicit, this mitigation would work properly when origin or referer headers are present in the requests. Though these headers are included '''majority''' of the time, there are few use cases where they are not included (most of them are for legitimate reasons to safeguard users privacy/to tune to browsers ecosystem). The following lists some use cases:<br />
* Internet Explorer 11 does not add the Origin header on a CORS request across sites of a trusted zone. The Referer header will remain the only indication of the UI origin. See the following references in stackoverflow [https://stackoverflow.com/questions/20784209/internet-explorer-11-does-not-add-the-origin-header-on-a-cors-request here] and [https://github.com/silverstripe/silverstripe-graphql/issues/118 here].<br />
* In an instance following a [https://stackoverflow.com/questions/22397072/are-there-any-browsers-that-set-the-origin-header-to-null-for-privacy-sensitiv 302 redirect cross-origin], Origin is not included in the redirected request because that may be considered sensitive information that should not be sent to the other origin.<br />
* There are some [https://wiki.mozilla.org/Security/Origin#Privacy-Sensitive_Contexts privacy contexts] where Origin is set to “null” For example, see the following [https://www.google.com/search?q=origin+header+sent+null+value+site%3Astackoverflow.com&oq=origin+header+sent+null+value+site%3Astackoverflow.com here].<br />
* Origin header is included for all cross origin requests but for same origin requests, in most browsers it is only included in POST/DELETE/PUT '''Note:''' Although it is not ideal, many developers use GET requests to do state changing operations.<br />
* Referer header is no exception. There are multiple use cases where referer header is omitted as well ([https://stackoverflow.com/questions/6880659/in-what-cases-will-http-referer-be-empty <nowiki>[1]</nowiki>], [https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referer <nowiki>[2]</nowiki>], [https://en.wikipedia.org/wiki/HTTP_referer#Referer_hiding <nowiki>[3]</nowiki>], [https://seclab.stanford.edu/websec/csrf/csrf.pdf <nowiki>[4]</nowiki>] and [https://www.google.com/search?q=referer+header+sent+null+value+site:stackoverflow.com <nowiki>[5]</nowiki>]). Load balancers, proxies and embedded network devices are also well known to strip the referer header due to privacy reasons in logging them.<br />
<br />
Though exceptions can be written for above cases in your source and target origin check logic, there is currently no central repository (even there is one, keeping it up-to-date is a problem) that references all such use cases. Each browser might also handle these use cases differently (browsers are known to handle things differently considering their ecosystem. IE example of not sending origin header within trusted zone is such example). Rejecting requests that do not contain origin and/or referer headers might sound like a good idea but it can impact legitimate users. Keeping this system in monitoring mode and trying to investigate use cases such as stated above, then adding them into exception logic is a process that you may consider to make this defense more stable in your environment.<br />
<br />
This CSRF defense relies on browser behavior that can change at times. For example, when new privacy contexts are discovered, under which situations you have to keep your validation logic updated, where as in token based mitigation, you have full control on the CSRF mitigation. If browsers alter CSRF tokens, they are literally changing the HTML content on rendering pages (which no browser would ever want to do!).<br />
<br />
When there is an XSS vulnerability on a page of an application protected with Origin and/or Referer header, the level of effort required to exploit state changing operations (that are typically vulnerable to CSRF) on other pages is very easy (grab the parameters and forge a request, as Origin and Referer header is included by default by browsers) than compared to token based mitigation (where attacker needs to download the target page, parse the DOM for the token, construct a forge request, and send it to server).<br />
<br />
'''Note:''' Although the concept of an origin header stemmed from [https://seclab.stanford.edu/websec/csrf/csrf.pdf the Stanford CSRF] paper that references robust CSRF defenses, the initial [https://tools.ietf.org/html/rfc6454 origin header RFC] does not reference mitigating CSRF in any way (another [https://tools.ietf.org/id/draft-abarth-origin-03.html draft version] does, however).<br />
<br />
=== Double Submit Cookie ===<br />
If maintaining the state for CSRF token at server side is problematic, an alternative defense is to use the double submit cookie technique. This technique is easy to implement and is stateless. In this technique, we send a random value in both a cookie and as a request parameter, with the server verifying if the cookie value and request value match. When a user visits (even before authenticating to prevent login CSRF), the site should generate a (cryptographically strong) pseudorandom value and set it as a cookie on the user's machine separate from the session identifier. The site then requires that every transaction request include this pseudorandom value as a hidden form value (or other request parameter/header). If both of them match at server side, the server accepts it as legitimate request and if they don’t, it would reject the request.<br />
<br />
There’s a belief that this technique would work because a cross origin attacker cannot read any data sent from the server or modify cookie values, per the same-origin policy. This means that while an attacker can force a victim to send any value with a malicious CSRF request, the attacker will be unable to modify or read the value stored in the cookie (with which the server compares the token value).<br />
<br />
There are a couple of drawbacks associated with the assumptions made here. The problem of "trusting of sub domains and proper configuration of whole site in general to accept HTTPS connections only". The [https://media.blackhat.com/eu-13/briefings/Lundeen/bh-eu-13-deputies-still-confused-lundeen-wp.pdf Blackhat talk] by Rich Lundeen references these drawbacks.<br />
<br />
"''With double submit, if an attacker can write a cookie they can obviously defeat the protection. And again, writing cookies is significantly easier then reading them. The fact that cookies can be written is difficult for many people to understand. After all, doesn't the same origin policy specify that one domain cannot access cookies from another domain? However, there are two common scenarios where writing cookies across domains is possible:''<br />
<br />
''a) While it's true that hellokitty.marketing.example.com cannot read cookies or access the DOM from secure.example.com because of the same origin policy, hellokitty.marketing.example.com can write cookies to the parent domain (example.com), and these cookies are then consumed by secure.example.com (secure.example.com has no good way to distinguish which site set the cookie). Additionally, there are methods of forcing secure.example.com to always accept your cookie first. What this means is that XSS in hellokitty.marketing.example.com is able to overwrite cookies in secure.example.com.''<br />
<br />
''b) If an attacker is in the middle, they can usually force a request to the same domain over HTTP. If an application is hosted at <nowiki>https://secure.example.com</nowiki>, even if the cookies are set with the secure flag, a man in the middle can force connections to <nowiki>http://secure.example.com</nowiki> and set (overwrite) any arbitrary cookies (even though the secure flag prevents the attacker from reading those cookies). Even if the HSTS header is set on the server and the browser visiting the site supports HSTS (this would prevent a man in the middle from forcing plain text HTTP requests) unless the HSTS header is set in a way that includes all subdomains, a man in the middle can simply force a request to a separate subdomain and overwrite cookies similar to 1. In other words, as long as <nowiki>http://hellokitty.marketing.example.com</nowiki> doesn't force HTTPS, then an attacker can overwrite cookies on any example.com subdomain.''"<br />
<br />
So, unless you are sure that your subdomains are fully secured and only accept HTTPS connections (we believe it’s difficult to guarantee at large enterprises), you should not rely on the Double Submit Cookie technique as a primary mitigation for CSRF.<br />
<br />
A variant of double submit cookie that can mitigate both the risks mentioned above is including the token in an encrypted cookie - often within the authentication cookie - and then at the server side matching it (after decrypting the authentication cookie) with the token in hidden form field or parameter/header for ajax calls. This works because a sub domain has no way to over-write an properly crafted encrypted cookie without the necessary information such as encryption key.<br />
<br />
=== SameSite Cookie Attribute ===<br />
SameSite is a cookie attribute (similar to [[HttpOnly]], Secure etc.) introduced by Google to mitigate CSRF attacks. It is defined in [https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-02#section-5.3.7 this] Internet Draft. This attribute helps in preventing the browser from sending cookies along with cross-site requests. Possible values for this attribute are lax or strict.<br />
<br />
The strict value will prevent the cookie from being sent by the browser to the target site in all cross-site browsing context, even when following a regular link. For example, for a GitHub-like website this would mean that if a logged-in user follows a link to a private GitHub project posted on a corporate discussion forum or email, GitHub will not receive the session cookie and the user will not be able to access the project. A bank website however most likely doesn't want to allow any transactional pages to be linked from external sites, so the strict flag would be most appropriate.<br />
<br />
The default lax value provides a reasonable balance between security and usability for websites that want to maintain user's logged-in session after the user arrives from an external link. In the above GitHub scenario, the session cookie would be allowed when following a regular link from an external website while blocking it in CSRF-prone request methods such as POST. Only cross-site requests that are allowed in lax mode are the ones that have top-level navigations and are also “safe” HTTP methods (more details [https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-02#section-5.3.7.1 here]).<br />
<br />
Example of cookies using this attribute:<br />
<br />
<pre><br />
Set-Cookie: JSESSIONID=xxxxx; SameSite=Strict<br />
Set-Cookie: JSESSIONID=xxxxx; SameSite=Lax<br />
</pre><br />
<br />
Support for this attribute in different browsers is increasing but there are still browsers that need to adopt this. As of August 2018, SameSite attribute is on browsers used by 68.92% of Internet users (detailed statistics are [https://caniuse.com/#feat=same-site-cookie-attribute here]).<br />
<br />
Though this technique seems to be efficient in mitigating CSRF attacks, it is still in early stages (in [https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-02#section-5.3.7 draft]) and does not have full browser support as mentioned above. Google’s [https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-02#section-5.3.7 draft] also mentions a couple cases where forged requests can be simulated by attackers as same-site requests (and thus allowing to send SameSite cookies).<br />
<br />
Considering the factors above, it is not recommended to be used as a primary defense. Google agrees with this stance and strongly encourages developers to deploy server-side defenses such as tokens to mitigate CSRF more fully.<br />
<br />
=== Use of Custom Request Headers ===<br />
<br />
Adding CSRF tokens, a double submit cookie and value, encrypted token, or other defense that involves changing the UI can frequently be complex or otherwise problematic. An alternate defense that is particularly well suited for AJAX/XHR endpoints is the use of a custom request header. This defense relies on the [https://en.wikipedia.org/wiki/Same-origin_policy same-origin policy (SOP)] restriction that only JavaScript can be used to add a custom header, and only within its origin. By default, browsers do not allow JavaScript to make cross origin requests.<br />
<br />
A particularly attractive custom header and value to use is “X-Requested-With: XMLHttpRequest” because most JavaScript libraries already add this header to requests they generate by default. However, some do not. For example, AngularJS used to, but does not anymore. For more information, see [https://github.com/angular/angular.js/commit/3a75b1124d062f64093a90b26630938558909e8d their rationale] and how to add it back.<br />
<br />
If this is the case for your system, you can simply verify the presence of this header and value on all your server side AJAX endpoints in order to protect against CSRF attacks. This approach has the double advantage of usually requiring no UI changes and not introducing any server side state, which is particularly attractive to REST services. You can always add your own custom header and value if that is preferred.<br />
<br />
This defense technique is specifically discussed in section 4.3 of [https://seclab.stanford.edu/websec/csrf/csrf.pdf Robust Defenses for Cross-Site Request Forgery]. However, bypasses of this defense using Flash were documented as early as 2008 and again as recently as 2015 by Mathias Karlsson to [https://hackerone.com/reports/44146 exploit a CSRF flaw in Vimeo]. A Flash attack can't spoof the Origin or Referer headers, so by checking both of them we believe this combination of checks should prevent Flash bypass CSRF attacks (if any comes up in future). <br />
<br />
Besides any possible future bypasses such as Flash, using a static header will make it easy to exploit other state changing operations in the application (similar to the previous explanation on why ease of exploitation is easier in origin/referer header check than token based mitigation). Including a random token instead of static header value is more or less equal to the token based approach described in the Primary Defenses section. Developers also need to consider that if you are using this approach in an application with both Ajax calls and form tags, this technique would only help Ajax calls in protecting from CSRF and you would still need protect <form> tags with approaches described in this document such as tokens. Setting custom headers on form tags is not possible directly. Also, CORS configuration should also be robust to make this solution work effectively (as custom headers for requests coming from other domains trigger a pre-flight CORS check).<br />
<br />
=== User Interaction Based CSRF Defense ===<br />
<br />
While all the techniques referenced here do not require any user interaction, sometimes it’s easier or more appropriate to involve the user in the transaction to prevent unauthorized operations (forged via CSRF or otherwise). The following are some examples of techniques that can act as strong CSRF defense when implemented correctly.<br />
* Re-Authentication (password or stronger)<br />
* One-time Token<br />
* CAPTCHA<br />
While these are a very strong CSRF defense, it does create a huge impact on the user experience. For applications that are in need of high security for some operations (password change, money transfer etc.), these techniques should be used along with token based mitigation. Please note that tokens by themselves can mitigate CSRF, developers should use these techniques only to achieve additional security for their high sensitive operations.<br />
<br />
=== Login CSRF ===<br />
Most developers tend to ignore CSRF vulnerability on login forms as they assume that CSRF would not be applicable on login forms because user is not authenticated at that stage. That assumption is false. CSRF vulnerability can still occur on login forms where the user is not authenticated, but the impact/risk view for it is quite different from the impact/risk view of a general CSRF vulnerability (when a user is authenticated).<br />
<br />
With a CSRF vulnerability on login form, an attacker can make a victim login to the attacker's account and learn behavior from the victim's searches. For more information about login CSRF and other risks, see section 3 of [https://seclab.stanford.edu/websec/csrf/csrf.pdf the Stanford CSRF] paper.<br />
<br />
Login CSRF can be mitigated by creating pre-sessions (sessions before a user is authenticated) and including tokens in login form. You can use any of the techniques mentioned above to generate tokens. Pre-sessions can be transitioned to real sessions once the user is authenticated. This technique is described in [https://seclab.stanford.edu/websec/csrf/csrf.pdf Robust Defenses for Cross-Site Request Forgery section 4.1].<br />
<br />
If sub-domains under your master domain are treated as not trusted in your threat model, it is difficult to mitigate login CSRF. A strict subdomain and path level referer header (because most login pages are served on HTTPS - no stripping of referer - and are also linked from home pages) validation (detailed in section 6.1) can be used in these cases for mitigating CSRF on login forms to an extent.<br />
<br />
== Not So Popular CSRF Mitigations ==<br />
<br />
=== Triple Submit Cookie ===<br />
This mitigation is proposed by [https://www.owasp.org/images/e/e6/AppSecEU2012_Wilander.pdf John Wilander in 2012 at OWASP Appsec Research]. This technique adds an additional step to double submit cookie approach by verifying if the request contains two cookies with same name (please note, attacker need to write an additional cookie to bypass double submit cookie mitigation). Though it mitigates the issues discussed in bypass of double submit cookie, it introduces new problems such as cookie jar overflow (in-details and more issue details [https://media.blackhat.com/eu-13/briefings/Lundeen/bh-eu-13-deputies-still-confused-lundeen-wp.pdf here] and [https://webstersprodigy.net/2012/08/03/analysis-of-john-wilanders-triple-submit-cookies/ here]). We were not able to find any real-time implementations of this mitigation so far.<br />
<br />
=== Content-Type Header Validation ===<br />
This technique is better known than the triple submit cookie mitigation. In first place, this header is not designed for security (initial RFC [https://tools.ietf.org/html/rfc1049 here] and later well-defined in [https://www.ietf.org/rfc/rfc2045.txt this] RFC) but only to let receiving agents know the type of data they would be handling, so that they can invoke corresponding parsers. The pre-flighting behavior of this header (pre-flight if header has value other than application/x-www-form-urlencoded, multipart/form-data, or text/plain) is what treated as a CSRF mitigation and thus forcing all requests to have a header value that would force a pre-flight (such as application/json. Server side can reject cross-origin requests with CORS/SOP during this pre-flight).<br />
<br />
This approach has two main problems. One that it would mandate all requests to have a header value that would force pre-flight despite the real use case and the other that this technique is relying on a feature that is not designed for security, to mitigate a security vulnerability. When a bug was discovered in the Chrome API, browser architects even considered to removing this pre-flighting behavior. Because this header was not designed as a security control, architects can re-design it to better cater its primary purpose. In the future, there’s a possibility that new content-type header types can be included (to better support various use-cases), which can put systems relying on this header for CSRF mitigation in trouble. For more information, see [https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2017/september/common-csrf-prevention-misconceptions/ Common CSRF Prevention Misconceptions].<br />
<br />
== CSRF Mitigation Myths ==<br />
The following shows techniques presumed to be CSRF mitigations but none of them fully/actually mitigates a CSRF vulnerability.<br />
* '''CORS''': CORS is a header designed to relax Same-Origin-Policy when cross-origin communication between sites is required. It is not designed, nor prevents CSRF attacks.<br />
* '''Using HTTPS''': Using HTTPS has nothing to do with the protection from CSRF attacks. Resources that are under HTTPS are still vulnerable to CSRF if proper CSRF mitigations described above are not included.<br />
* More myths can be found [[Cross-Site Request Forgery (CSRF)|here]]<br />
<br />
== Implementation reference example ==<br />
The following JEE web filter provides an example reference for some of the concepts described in this cheat sheet. It implements the following stateless mitigations ([https://github.com/aramrami/OWASP-CSRFGuard OWASP CSRFGuard], cover a stateful approach).<br />
* Verifying same origin with standard headers<br />
* Double submit cookie<br />
* SameSite cookie attribute<br />
'''Please note''' that it only acts a reference sample and is not complete (for example: it doesn’t have a block to direct the control flow when origin and referer header check succeeds nor it has a port/host/protocol level validation for referer header). Developers are recommended to build their complete mitigation on top of this reference sample. Developers should also implement standard authentication or authorization checks before checking for CSRF.<br />
<br />
Source is also located [https://github.com/righettod/poc-csrf here] and provides a runnable POC.<br />
<br />
<syntaxhighlight lang="java"><br />
import org.slf4j.Logger;<br />
import org.slf4j.LoggerFactory;<br />
<br />
import javax.servlet.Filter;<br />
import javax.servlet.FilterChain;<br />
import javax.servlet.FilterConfig;<br />
import javax.servlet.ServletException;<br />
import javax.servlet.ServletRequest;<br />
import javax.servlet.ServletResponse;<br />
import javax.servlet.annotation.WebFilter;<br />
import javax.servlet.http.Cookie;<br />
import javax.servlet.http.HttpServletRequest;<br />
import javax.servlet.http.HttpServletResponse;<br />
import javax.servlet.http.HttpServletResponseWrapper;<br />
import javax.xml.bind.DatatypeConverter;<br />
import java.io.IOException;<br />
import java.net.MalformedURLException;<br />
import java.net.URL;<br />
import java.security.SecureRandom;<br />
import java.util.Arrays;<br />
<br />
/**<br />
* Filter in charge of validating each incoming HTTP request about Headers and CSRF token.<br />
* It is called for all requests to backend destination.<br />
*<br />
* We use the approach in which:<br />
* - The CSRF token is changed after each valid HTTP exchange<br />
* - The custom Header name for the CSRF token transmission is fixed<br />
* - A CSRF token is associated to a backend service URI in order to enable the support for multiple parallel Ajax request from the same application<br />
* - The CSRF cookie name is the backend service name prefixed with a fixed prefix<br />
*<br />
* Here for the POC we show the "access denied" reason in the response but in production code only return a generic message !<br />
*<br />
* @see "https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet"<br />
* @see "https://wiki.mozilla.org/Security/Origin"<br />
* @see "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie"<br />
* @see "https://chloe.re/2016/04/13/goodbye-csrf-samesite-to-the-rescue/"<br />
*/<br />
@WebFilter("/backend/*")<br />
public class CSRFValidationFilter implements Filter {<br />
<br />
/**<br />
* JVM param name used to define the target origin<br />
*/<br />
public static final String TARGET_ORIGIN_JVM_PARAM_NAME = "target.origin";<br />
<br />
/**<br />
* Name of the custom HTTP header used to transmit the CSRF token and also to prefix <br />
* the CSRF cookie for the expected backend service<br />
*/<br />
private static final String CSRF_TOKEN_NAME = "X-TOKEN";<br />
<br />
/**<br />
* Logger<br />
*/<br />
private static final Logger LOG = LoggerFactory.getLogger(CSRFValidationFilter.class);<br />
<br />
/**<br />
* Application expected deployment domain: named "Target Origin" in OWASP CSRF article<br />
*/<br />
private URL targetOrigin;<br />
<br />
/***<br />
* Secure generator<br />
*/<br />
private final SecureRandom secureRandom = new SecureRandom();<br />
<br />
<br />
/**<br />
* {@inheritDoc}<br />
*/<br />
@Override<br />
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {<br />
HttpServletRequest httpReq = (HttpServletRequest) request;<br />
HttpServletResponse httpResp = (HttpServletResponse) response;<br />
String accessDeniedReason;<br />
<br />
/* STEP 1: Verifying Same Origin with Standard Headers */<br />
//Try to get the source from the "Origin" header<br />
String source = httpReq.getHeader("Origin");<br />
if (this.isBlank(source)) {<br />
//If empty then fallback on "Referer" header<br />
source = httpReq.getHeader("Referer");<br />
//If this one is empty too then we trace the event and we block the request (recommendation of the article)...<br />
if (this.isBlank(source)) {<br />
accessDeniedReason = "CSRFValidationFilter: ORIGIN and REFERER request headers are both absent/empty so we block the request !";<br />
LOG.warn(accessDeniedReason);<br />
httpResp.sendError(HttpServletResponse.SC_FORBIDDEN, accessDeniedReason);<br />
return;<br />
}<br />
}<br />
<br />
//Compare the source against the expected target origin<br />
URL sourceURL = new URL(source);<br />
if (!this.targetOrigin.getProtocol().equals(sourceURL.getProtocol()) || !this.targetOrigin.getHost().equals(sourceURL.getHost()) <br />
|| this.targetOrigin.getPort() != sourceURL.getPort()) {<br />
//One the part do not match so we trace the event and we block the request<br />
accessDeniedReason = String.format("CSRFValidationFilter: Protocol/Host/Port do not fully matches so we block the request! (%s != %s) ", <br />
this.targetOrigin, sourceURL);<br />
LOG.warn(accessDeniedReason);<br />
httpResp.sendError(HttpServletResponse.SC_FORBIDDEN, accessDeniedReason);<br />
return;<br />
}<br />
<br />
/* STEP 2: Verifying CSRF token using "Double Submit Cookie" approach */<br />
//If CSRF token cookie is absent from the request then we provide one in response but we stop the process at this stage.<br />
//Using this way we implement the first providing of token<br />
Cookie tokenCookie = null;<br />
if (httpReq.getCookies() != null) {<br />
String csrfCookieExpectedName = this.determineCookieName(httpReq);<br />
tokenCookie = Arrays.stream(httpReq.getCookies()).filter(c -> c.getName().equals(csrfCookieExpectedName)).findFirst().orElse(null);<br />
}<br />
if (tokenCookie == null || this.isBlank(tokenCookie.getValue())) {<br />
LOG.info("CSRFValidationFilter: CSRF cookie absent or value is null/empty so we provide one and return an HTTP NO_CONTENT response !");<br />
//Add the CSRF token cookie and header<br />
this.addTokenCookieAndHeader(httpReq, httpResp);<br />
//Set response state to "204 No Content" in order to allow the requester to clearly identify an initial response providing the initial CSRF token<br />
httpResp.setStatus(HttpServletResponse.SC_NO_CONTENT);<br />
} else {<br />
//If the cookie is present then we pass to validation phase<br />
//Get token from the custom HTTP header (part under control of the requester)<br />
String tokenFromHeader = httpReq.getHeader(CSRF_TOKEN_NAME);<br />
//If empty then we trace the event and we block the request<br />
if (this.isBlank(tokenFromHeader)) {<br />
accessDeniedReason = "CSRFValidationFilter: Token provided via HTTP Header is absent/empty so we block the request !";<br />
LOG.warn(accessDeniedReason);<br />
httpResp.sendError(HttpServletResponse.SC_FORBIDDEN, accessDeniedReason);<br />
} else if (!tokenFromHeader.equals(tokenCookie.getValue())) {<br />
//Verify that token from header and one from cookie are the same<br />
//Here is not the case so we trace the event and we block the request<br />
accessDeniedReason = "CSRFValidationFilter: Token provided via HTTP Header and via Cookie are not equals so we block the request !";<br />
LOG.warn(accessDeniedReason);<br />
httpResp.sendError(HttpServletResponse.SC_FORBIDDEN, accessDeniedReason);<br />
} else {<br />
//Verify that token from header and one from cookie matches<br />
//Here is the case so we let the request reach the target component (ServiceServlet, jsp...) and add a new token when we get back the bucket<br />
HttpServletResponseWrapper httpRespWrapper = new HttpServletResponseWrapper(httpResp);<br />
chain.doFilter(request, httpRespWrapper);<br />
//Add the CSRF token cookie and header<br />
this.addTokenCookieAndHeader(httpReq, httpRespWrapper);<br />
}<br />
}<br />
}<br />
<br />
/**<br />
* {@inheritDoc}<br />
*/<br />
@Override<br />
public void init(FilterConfig filterConfig) throws ServletException {<br />
//To easier the configuration, we load the target expected origin from an JVM property<br />
//Reconfiguration only require an application restart that is generally acceptable<br />
try {<br />
this.targetOrigin = new URL(System.getProperty(TARGET_ORIGIN_JVM_PARAM_NAME));<br />
} catch (MalformedURLException e) {<br />
LOG.error("Cannot init the filter !", e);<br />
throw new ServletException(e);<br />
}<br />
LOG.info("CSRFValidationFilter: Filter init, set expected target origin to '{}'.", this.targetOrigin);<br />
}<br />
<br />
/**<br />
* {@inheritDoc}<br />
*/<br />
@Override<br />
public void destroy() {<br />
LOG.info("CSRFValidationFilter: Filter shutdown");<br />
}<br />
<br />
/**<br />
* Check if a string is null or empty (including containing only spaces)<br />
*<br />
* @param s Source string<br />
* @return TRUE if source string is null or empty (including containing only spaces)<br />
*/<br />
private boolean isBlank(String s) {<br />
return s == null || s.trim().isEmpty();<br />
}<br />
<br />
/**<br />
* Generate a new CSRF token<br />
*<br />
* @return The token a string<br />
*/<br />
private String generateToken() {<br />
byte[] buffer = new byte[50];<br />
this.secureRandom.nextBytes(buffer);<br />
return DatatypeConverter.printHexBinary(buffer);<br />
}<br />
<br />
/**<br />
* Determine the name of the CSRF cookie for the targeted backend service<br />
*<br />
* @param httpRequest Source HTTP request<br />
* @return The name of the cookie as a string<br />
*/<br />
private String determineCookieName(HttpServletRequest httpRequest) {<br />
String backendServiceName = httpRequest.getRequestURI().replaceAll("/", "-");<br />
return CSRF_TOKEN_NAME + "-" + backendServiceName;<br />
}<br />
<br />
/**<br />
* Add the CSRF token cookie and header to the provided HTTP response object<br />
*<br />
* @param httpRequest Source HTTP request<br />
* @param httpResponse HTTP response object to update<br />
*/<br />
private void addTokenCookieAndHeader(HttpServletRequest httpRequest, HttpServletResponse httpResponse) {<br />
//Get new token<br />
String token = this.generateToken();<br />
//Add cookie manually because the current Cookie class implementation do not support the "SameSite" attribute<br />
//We let the adding of the "Secure" cookie attribute to the reverse proxy rewriting...<br />
//Here we lock the cookie from JS access and we use the SameSite new attribute protection<br />
String cookieSpec = String.format("%s=%s; Path=%s; HttpOnly; SameSite=Strict", this.determineCookieName(httpRequest), token, httpRequest.getRequestURI());<br />
httpResponse.addHeader("Set-Cookie", cookieSpec);<br />
//Add cookie header to give access to the token to the JS code<br />
httpResponse.setHeader(CSRF_TOKEN_NAME, token);<br />
}<br />
}<br />
</syntaxhighlight><br />
<br />
== Authors and Primary Editors ==<br />
Manideep Konakandla (Amazon Application Security Team) - http://www.manideepk.com<br />
<br />
Dave Wichers - dave.wichers[at]owasp.org<br />
<br />
Paul Petefish - https://www.linkedin.com/in/paulpetefish<br />
<br />
Eric Sheridan - eric.sheridan[at]owasp.org<br />
<br />
Dominique Righetto - dominique.righetto[at]owasp.org<br /><br />
<br />
== Other Cheat Sheets ==<br />
{{Cheatsheet_Navigation_Body}}<br />
<br />
|}<br />
<br />
[[Category:Cheatsheets]]<br />
[[Category:Popular]]</div>Wichershttps://wiki.owasp.org/index.php?title=OWASP_SAMM_Project&diff=246908OWASP SAMM Project2019-01-29T16:04:51Z<p>Wichers: /* Quick Download v1.1.1 */</p>
<hr />
<div>= Main = <br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<div style="font-size:120%;border:none;margin: 0;color:#000"><br />
<br />
'''OWASP SAMM v1.5 available in the downloads section!'''<br />
<br />
We are now working on the Beta release of OWASP SAMMv2, our work in progress is available [https://owaspsamm.org online on our new web site]. <br><br />
<br />
'''Join our monthly calls'''<br />
* The monthly call is on each 2nd Wednesday of the month at 21h30 CEST / 3:30pm EST. <br><br />
* Please join our GoToMeeting: https://global.gotomeeting.com/join/262891661 <br><br />
* The call is open for everybody interested in SAMM or who wants to work on SAMM. <br><br />
<br />
'''Join us on the OWASP SAMM project Slack channel'''<br />
* Join our project slack channel on https://owasp.slack.com/messages/C0VF1EJGH <br />
* If you do not have an OWASP Slack workspace account yet, contact one of our project leaders to get an invite link.<br />
<br />
'''2018 OWASP SAMM Summit (4-8 JUNE 2018, London)'''<br />
* Join our 2018 OWASP SAMM Summit near London as part of the [https://open-security-summit.org/ Open Security Summit].<br><br />
* We will organize working sessions in a 5-day sprint to draft SAMM v2.0. <br />
* Register online [https://open-security-summit.org/tickets/ here]<br />
* Sponsor the SAMM2, more details [https://www.owasp.org/index.php/OWASP_SAMM_Project#tab=Project_Sponsors here]<br />
<br />
The Software Assurance Maturity Model (SAMM) is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization. SAMM helps you:<br />
* '''Evaluate an organization’s existing software security practices'''<br />
* '''Build a balanced software security assurance program in well-defined iterations'''<br />
* '''Demonstrate concrete improvements to a security assurance program'''<br />
* '''Define and measure security-related activities throughout an organization'''<br />
<br />
<br />
<br />
''Dell uses OWASP’s Software Assurance Maturity Model (Owasp SAMM) to help focus our resources and determine which components of our secure application development program to prioritize.'', ('''Michael J. Craigue, Information Security & Compliance, Dell, Inc.''')<br />
<br />
Follow OWASP SAMM on twitter: [https://twitter.com/owaspsamm @owaspsamm]<br />
<br />
{{Social Media Links}}<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download v1.5 ==<br />
[https://github.com/OWASP/samm/raw/master/Supporting%20Resources/v1.5/Final/OWASP_SAMM_v1.5.zip All SAMM v1.5 files (.zip)] <br><br />
[https://github.com/OWASP/samm/raw/master/Supporting%20Resources/v1.5/Final/SAMM_Core_V1-5_FINAL.pdf SAMM Core Model] <br><br />
[https://github.com/OWASP/samm/raw/master/Supporting%20Resources/v1.5/Final/SAMM_How_To_V1-5_FINAL.pdf How-To Guide] <br><br />
[https://github.com/OWASP/samm/raw/master/Supporting%20Resources/v1.5/Final/SAMM_Quick_Start_V1-5_FINAL.pdf Quick Start Guide] <br><br />
[https://github.com/OWASP/samm/raw/master/Supporting%20Resources/v1.5/Final/SAMM_Assessment_Toolbox_v1.5_FINAL.xlsx SAMM Toolbox] <br><br />
[https://github.com/OWASP/samm/raw/master/Supporting%20Resources/v1.5/Final/SAMM_Assessment_Toolbox_v1.5-Example_FINAL.xlsx SAMM Toolbox Example] <br><br />
[https://github.com/OWASP/samm/ OWASP SAMM on GitHub]<br />
<br />
== Quick Download v1.1.1 ==<br />
<br />
[https://github.com/OWASP/samm/raw/master/Supporting%20Resources/v1.1/Final/SAMM_Core_V1-1-Final-1page.pdf SAMM Core Model]<br><br />
[https://github.com/OWASP/samm/raw/master/Supporting%20Resources/v1.1/Final/SAMM_How_To_V1-1-Final-1page.pdf How-To Guide] <br><br />
[https://github.com/OWASP/samm/raw/master/Supporting%20Resources/v1.1/Final/SAMM_Quick_Start_V1-1-Final-1page.pdf Quick-Start Guide] <br><br />
[https://github.com/OWASP/samm/raw/master/Supporting%20Resources/v1.1/Final/SAMM_Assessment_Toolbox_v1-1-Final.xlsx Updated SAMM Tool Box]<br><br />
[https://github.com/OWASP/samm OWASP SAMM on GitHub]<br />
<br />
== News and Events ==<br />
Please see the [https://www.owasp.org/index.php/OWASP_SAMM_Project#News News] and [https://www.owasp.org/index.php/OWASP_SAMM_Project#Talks Talks] tabs<br />
<br />
== Change Log ==<br />
* OWASP SAMM v1.5 Released! ([http://www.prnewswire.com/news-releases/owasp-samm-v15-helps-organizations-improve-their-security-posture-300439237.html Press Release])<br />
* OWASP SAMM v1.1 Released! ([http://www.prnewswire.com/news-releases/owasp-releases-software-assurance-maturity-model-samm-version-11-for-improving-software-security-300236836.html Press Release])<br />
* OpenSAMM v1.1 RC - [http://lists.owasp.org/pipermail/samm/2015-December/000758.html available for review]<br />
<br />
== Email List ==<br />
<br />
Questions? Please ask on the [https://lists.owasp.org/mailman/listinfo/samm SAMM Mailing List]<br />
<br />
== Project Leaders ==<br />
<br />
[https://www.owasp.org/index.php/User:Sdeleersnyder Seba Deleersnyder] <br /> [https://www.owasp.org/index.php/User:Bart_De_Win Bart De Win]<br />
<br />
== Related Projects ==<br />
<br />
*<br />
<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| rowspan="2" align="center" valign="top" width="50%" | [[File:Owasp-flagship-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]<br />
| align="center" valign="center" width="50%" | [[File:Owasp-defenders-small.png|link=]]<br />
|<br />
|-<br />
| align="center" valign="center" width="50%" | [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= Browse Online =<br />
[[Image:OwaspSAMM.png|right]]<br />
<br />
The foundation of the model is built upon the core business functions of software development with security practices tied to each (see diagram below). The building blocks of the model are the three maturity levels defined for each of the twelve security practices. These define a wide variety of activities in which an organization could engage to reduce security risks and increase software assurance. Additional details are included to measure successful activity performance, understand the associated assurance benefits, estimate personnel and other costs.<br />
<br />
[[Image:SAMM-Overview.png|720px]]<br />
<br />
===== Click on any badge to learn more =====<br />
<br />
{| cellpadding="1"<br />
|[https://www.owasp.org/index.php/SAMM_-_Governance https://www.owasp.org/images/f/f7/G.png]<br />
|-<br />
| align="center" |'''Strategy & Metrics'''<br />
|{{SAMM-BadgeList|name=Strategy_&_Metrics|abbr=SM|padding=0}}<br />
|-<br />
| align="center" |'''Policy & Compliance'''<br />
|{{SAMM-BadgeList|name=Policy_&_Compliance|abbr=PC|padding=0}}<br />
|-<br />
| align="center" |'''Education & Guidance'''<br />
|{{SAMM-BadgeList|name=Education_&_Guidance|abbr=EG|padding=0}}<br />
|-<br />
|[https://www.owasp.org/index.php/SAMM_-_Construction https://www.owasp.org/images/e/ee/C.png]<br />
|-<br />
| align="center" |'''Threat Assessment'''<br />
|{{SAMM-BadgeList|name=Threat_Assessment|abbr=TA|padding=0}}<br />
|-<br />
| align="center" |'''Security Requirements'''<br />
|{{SAMM-BadgeList|name=Security_Requirements|abbr=SR|padding=0}}<br />
|-<br />
| align="center" |'''Secure Architecture'''<br />
|{{SAMM-BadgeList|name=Secure_Architecture|abbr=SA|padding=0}}<br />
|-<br />
|[https://www.owasp.org/index.php/SAMM_-_Verification https://www.owasp.org/images/8/83/V.png]<br />
|-<br />
| align="center" |'''Design Review'''<br />
|{{SAMM-BadgeList|name=Design_Review|abbr=DR|padding=0}}<br />
|-<br />
| align="center" |'''Code Review'''<br />
|{{SAMM-BadgeList|name=Code_Review|abbr=CR|padding=0}}<br />
|-<br />
| align="center" |'''Security Testing'''<br />
|{{SAMM-BadgeList|name=Security_Testing|abbr=ST|padding=0}}<br />
|-<br />
|[https://www.owasp.org/index.php/SAMM_-_Deployment https://www.owasp.org/images/5/54/D.png]<br />
|-<br />
| align="center" |'''Vulnerability Management'''<br />
|{{SAMM-BadgeList|name=Vulnerability_Management|abbr=VM|padding=0}}<br />
|-<br />
| align="center" |'''Environment Hardening'''<br />
|{{SAMM-BadgeList|name=Environment_Hardening|abbr=EH|padding=0}}<br />
|-<br />
| align="center" |'''Operational Enablement'''<br />
|{{SAMM-BadgeList|name=Operational_Enablement|abbr=OE|padding=0}}<br />
|-<br />
|}<br />
<br />
= Downloads =<br />
<br />
The latest work in progress can be found on Github: https://github.com/OWASP/samm<br />
<br />
Download SAMM v1.5<br />
* [https://github.com/OWASP/samm/blob/master/v1.5/Final/OWASP_SAMM_v1.5.zip All SAMM v1.5 files (.zip)] Zip file containing all the v1.5 files below;<br />
* [https://github.com/OWASP/samm/blob/master/v1.5/Final/SAMM_Core_V1-5_FINAL.pdf SAMM Core Model] document, explaining the maturity model;<br />
* [https://github.com/OWASP/samm/blob/master/v1.5/Final/SAMM_How_To_V1-5_FINAL.pdf How-To Guide] with implementation guidance;<br />
* [https://github.com/OWASP/samm/blob/master/v1.5/Final/SAMM_Quick_Start_V1-5_FINAL.pdf Quick-Start Guide] with different steps to improve your secure software practice;<br />
* [https://github.com/OWASP/samm/blob/master/v1.5/Final/SAMM_Assessment_Toolbox_v1.5_FINAL.xlsx SAMM Toolbox] to perform SAMM assessments and create SAMM roadmaps;<br />
* [https://github.com/OWASP/samm/blob/master/v1.5/Final/SAMM_Assessment_Toolbox_v1.5-Example_FINAL.xlsx SAMM Tool Box Example] to provide an example SAMM assessment;<br />
<br />
Download SAMM v1.1<br />
* [https://github.com/OWASP/samm/blob/master/v1.1/Final/SAMM_Core_V1-1-Final.pdf SAMM Core Model] document, explaining the maturity model;<br />
* [https://github.com/OWASP/samm/blob/master/v1.1/Final/SAMM_How_To_V1-1-Final.pdf How-To Guide] with implementation guidance;<br />
* [https://github.com/OWASP/samm/blob/master/v1.1/Final/SAMM_Quick_Start_V1-1-Final.pdf Quick-Start Guide] with different steps to improve your secure software practice;<br />
* [https://github.com/OWASP/samm/blob/master/v1.1/Final/SAMM_Assessment_Toolbox_v1-1-Final.xlsx Updated SAMM Tool Box] to perform SAMM assessments and create SAMM roadmaps;<br />
<br />
Download OpenSAMM v1.0:<br />
* in [https://www.owasp.org/images/c/c0/SAMM-1.0.pdf English - PDF], [https://www.owasp.org/images/2/25/SAMM-1.0-en_US-0.3.xml.zip English - XML]<br />
* in [https://www.owasp.org/images/a/a9/SAMM-1.0-es_MX.pdf Spanish - PDF], [https://www.owasp.org/images/a/a1/SAMM-1.0-es_MX-0.3.xml.zip Spanish - XML]<br />
* in [https://www.owasp.org/images/a/a9/SAMM-1.0-ja_JP.pdf Japanese - PDF], not available as XML<br />
* in [https://www.owasp.org/images/f/fd/SAMM-1.0-cn.pdf Chinese - PDF], not available as XML<br />
<br />
<br />
Available resources to apply SAMM:<br />
* Browse OWASP and other resources for SAMM Security practices: [[:Category:SAMM-Resources]]<br />
<br />
<br />
Trainings:<br />
* Recent OWASP SAMM 1-Day training slide deck delivered by Bart De Win and Sebastien Deleersnyder at AppSec Europe 2014 in Cambridge<br />
** Slide deck download [https://www.owasp.org/images/d/df/OpenSAMM_Training_vFINAL.pptx here]<br />
** Training description download [https://www.owasp.org/images/7/7c/Training_-_Bootstrap_and_improve_your_SDLC_with_OpenSAMM.docx here]<br />
<br />
<br />
Assessments:<br />
* SAMM v1.5 Toolbox<br />
** Download the new v1.5 Toolbox with the updated scoring model [https://github.com/OWASP/samm/blob/master/v1.5/Final/SAMM_Assessment_Toolbox_v1.5_FINAL.xlsx SAMM v1.5 Toolbox]<br />
* SAMM v1.1 Toolbox<br />
** download the v1.1 toolbox, including the updated questions [https://github.com/OWASP/samm/blob/master/v1.1/Final/SAMM_Assessment_Toolbox_v1-1-Final.xlsx here]<br />
* Assessment Interview Template by Nick Coblentz for SAMM V1.0<br />
** This [https://www.owasp.org/images/c/cf/20090607-SAMMAssessmentInterviewTemplate-1.0.xls spreadsheet] breaks down the assessment questionnaire from the SAMM framework into assertion statements that can be used to drive assessment interviews.<br />
* Roadmap Chart Template by Colin Watson for SAMM V1.0<br />
** This [https://www.owasp.org/images/e/e2/20090610-Samm-roadmap-chart-template.xls spreadsheet] provides a simple way to capture the data for a SAMM roadmap and automatically generate graphics similar to those that appear in the framework.<br />
* Assessment Worksheet by Christian Frichot for SAMM V1.0<br />
** This is an easy-to-use [https://www.owasp.org/images/e/e2/20090610-Samm-roadmap-chart-template.xls spreadsheet] containing the assessment questionnaire from the SAMM framework. Features some auto-scoring to make the appearance very polished.<br />
* Project Plan Template by Jim Weiler for SAMM V1.0<br />
** This is a [https://www.owasp.org/images/3/33/SAMMProject.zip project plan template] (MS Project) that captures the activities from the SAMM levels. Useful for copying pieces into existing development project schedules.<br />
<br />
<br />
Mappings:<br />
* BSIMM-6 mapping to SAMM activities:<br />
** Spreadsheet download [https://github.com/OWASP/opensamm/tree/master/v1.1/mapping here]<br />
** Presentation with start of analysis download [https://www.owasp.org/images/6/66/OpenSAMM_-_BSIMM-V_mapping.pptx here]<br />
* BSIMM mapping to SAMM during the 2011 Summit:<br />
** This [https://www.owasp.org/images/2/2e/20110301-OpenSAMM-BSIMM-Mapping.xlsx spreadsheet] contains an activity-level mapping between OpenSAMM and BSIMM. Note that in some cases, multiple BSIMM activities map to a single SAMM activity (109 in BSIMM map to 72 in SAMM).<br />
<br />
<br />
Tools:<br />
*Javascript visualization framework for SAMM on [https://github.com/qudosoft-labs/SAMMCharts github]<br />
<br />
= Community =<br />
<br />
[[Image:OwaspSAMM.png|right]]<br />
<div style="font-size:120%;border:none;margin: 0;color:#000"><br />
{{:Projects/OWASP SAMM Project/Pages/Community | Community}}<br />
<br />
</div><br />
<br />
= Summit =<br />
<br />
[[Image:OwaspSAMM.png|right]]<br />
<br />
In 2016 we organized our second OWASP SAMM Summit in New York on 20-21 April, details [https://www.owasp.org/index.php/OWASP_SAMM_Summit_2016 >here<] !!<br />
<br />
Read the wrap-up of the Summit here: https://docs.google.com/document/d/19_LC1euR7ZuazRYgeblhPE1Fv6E8N56Bu8zANq2JB30/edit<br />
<br />
<br />
In 2015 we organized our the first OWASP SAMM Summit in Dublin on 27-28 March, details [https://www.owasp.org/index.php/OWASP_SAMM_Summit_2015 >here<] !!<br />
<br />
Summit Notes:<br />
* 28 Mar 2015 - https://docs.google.com/document/d/1pC4har75olF1WPZaqRfXFG9T3SS_qoEUvHkEynE0iTI/edit<br />
* Summit outcome is described [http://www.opensamm.org/2015/04/opensamm-summit-dublin-outcome/ here]<br />
''"The SAMM summit provided an opportunity to breathe new life into a framework that I use to facilitate my day-to-day work and support my customers."'' Bruce C Jenkins, Fortify Security Lead, Hewlett-Packard Company<br />
<br />
Previous workshop Notes:<br />
<br />
During the AppSec conferences, the SAMM project team organises workshops for you to influence the direction SAMM evolves.<br />
<br />
This is also an excellent opportunity to exchange experiences with your peers.<br />
<br />
If you plan on attending http://appsec.eu be sure to get involved in the SAMM workshop (scheduled on Jun-23).<br />
* The agenda for the SAMM Workshop in Cambridge on 23-Jun-2014 is available [https://docs.google.com/document/d/1tXqIovpSuFqycVYetdGSC2PiPygySymiLUhHT5yHR2M/edit here].<br />
<br />
Previous workshop notes:<br />
* The notes for the SAMM Workshop in New York on 21-Nov-2013 are available [https://docs.google.com/document/d/1PwoDVsWyhoWksBiLIRh8UOh-QCs8H7QMqrSUsS13WzU/edit here].<br />
* The notes for the SAMM Workshop in Hamburg on 21-Aug-2013 are available [https://docs.google.com/document/d/12mB7FkmhcI04YDZle_VD90n1xcENgNhAGqZkCAb6EkM/edit here].<br />
<br />
<br />
= Talks =<br />
[[Image:OwaspSAMM.png|right]]<br />
<div style="font-size:120%;border:none;margin: 0;color:#000"><br />
Upcoming talks featuring SAMM are listed here:<br />
<br />
* OWASP DC - Software Assurance Maturity Model (SAMM) with Brian Glas! (2017-03-15)<br />
* OWASP NoVA - SAMM 1.5, what's changed and how it impacts you (2017-03-16)<br />
* InfoSec World - Software Assurance Maturity Model Evolutions (2017-04-03)<br />
<br />
past talks:<br />
<br />
* OWASP SAMM v1.5 Webinar - Brian Glas discussing the SAMM model and changes in v1.5 (watch - [https://www.youtube.com/watch?v=4pKdwRb8fTI youtube]) - 2017<br />
* OWASP 24/7 - Seba Deleersnyder discussing the upcoming SAMM Summit (listen - [https://soundcloud.com/owasp-podcast/seba-deleersnyder-discusses-samm-software-assurance-maturity-model-summit-in-dublin-ireland here]) - 2015<br />
* OWASP Germany Day 2014: Seba Deleersnyder: OpenSAMM Best Practices: Lessons from the Trenches (download [https://www.owasp.org/images/f/fa/OpenSAMM_Best_Practices_Lessons_from_the_Trenches_-_Seba_Deleersnyder.pdf presentation]) - 2014<br />
* AppSecEU14: Seba Deleersnyder & Bart De Win: OpenSAMM Best Practices: Lessons from the Trenches OpenSAMM Best Practices: Lessons from the Trenches (download [https://www.owasp.org/images/6/6f/OpenSAMM_-_AppSecEU_2014_-_Seba-Bart_v20140528.pptx presentation], see [https://www.youtube.com/watch?v=qcCgeBeBLUg video]) - 2014<br />
* AppSecEU13 - Hamburg: Seba Deleersnyder presenting a project update (download [https://www.owasp.org/images/3/32/OpenSAMM_-_Project_Status_-_Hamburg_2013.pdf presentation]) - 2013<br />
* OWASP Europe Tour 2013 - Geneva: Seba Deleersnyder presenting OpenSAMM and the renewed project (download [https://www.owasp.org/images/c/cd/OpenSAMM_-_OWASP_Tour_13_Talk_-_Seba.pptx presentation]) - 2013<br />
* AppSecEU11 - Athens: Colin Watson presenting SAMM Training (download [https://www.owasp.org/images/1/18/Owasp-training-samm-greece.pdf presentation]) - 2011<br />
* AppSecEU09: Pravir Chandra presenting OpenSAMM v1.0 (download [https://www.owasp.org/images/4/49/AppSecEU09_OpenSAMM-1.0.ppt presentation]) - 2009<br />
* Matt Bartoldus presentation on new SAMM project during OWASP London chapter (download [https://www.owasp.org/images/d/df/OpenSAMM.pdf presentation]) - 2009<br />
* Pravir Chandra - first presentation discussing the next generation to the CLASP Project- a complete working of the details into a Software Assurance Maturity Model (SAMM). (download [https://www.owasp.org/images/2/2e/OWASP_CLASP_SAMM.ppt presentation]) - 2009<br />
<br />
</div><br />
<br />
= News =<br />
[[Image:OwaspSAMM.png|right]]<br />
<div style="font-size:120%;border:none;margin: 0;color:#000"><br />
<br />
Latest News on SAMM<br />
* OWASP SAMM v2.0 workshop at the OWASP Project Summit June 2017<br />
* OWASP SAMM v1.5 Released!<br />
* SAMM Summit 2016 read the [https://docs.google.com/document/d/19_LC1euR7ZuazRYgeblhPE1Fv6E8N56Bu8zANq2JB30/edit wrap-up here] <br />
* OWASP SAMM v1.1 Released! See the [http://www.prnewswire.com/news-releases/owasp-releases-software-assurance-maturity-model-samm-version-11-for-improving-software-security-300236836.html Press Release].<br />
* OpenSAMM v1.1 RC - [http://lists.owasp.org/pipermail/samm/2015-December/000758.html available for review]<br />
<br />
</div><br />
<br />
= Languages =<br />
[[Image:OwaspSAMM.png|right]]<br />
<div style="font-size:120%;border:none;margin: 0;color:#000"><br />
<br />
'''SAMM v1.0 is available in the following languages:'''<br />
<br />
* English<br />
* Spanish<br />
* Japanese<br />
* Chinese<br />
<br />
Carlos Allendes created a presentation in Spanish on SAMM during the 2011 LatAm tour, download the [https://www.owasp.org/images/c/cf/05_OWASP_LatamTur2011_OpenSAMM.pdf presentation].<br />
Hubert Grégoire and Sebastien Gioria created a French translation of the OpenSAMM 1.0 Overview presentation available for download [https://www.owasp.org/images/f/fd/OpenSAMM-1.0-fr_FR.ppt here].<br />
<br />
You can use [http://crowdin.net/project/owasp-samm Crowdin] to help improve these translations or add new ones right now!<br />
<br />
</div><br />
<br />
= Roadmap =<br />
[[Image:OwaspSAMM.png|right]]<br />
<div style="font-size:120%;border:none;margin: 0;color:#000"><br />
<br />
Updated roadmap:<br />
Next 1.5 release, updated scoring:<br />
* Clarification of maturity levels (syntactic changes to keep the text consistent)<br />
* Not change activities but try to impose the current scoring system on existing activities, i.e. move from binary yes/no to the multi-tiered questions/answers of the current proposal. <br />
* Show improvements with every activity introduced<br />
* Adapt for the new scoring method<br />
* Update questions for 4-tiers<br />
* Review and where necessary clarify current questions<br />
* Consider v1.1 remarks that were not withheld for the previous release<br />
Targeted completion date: February 28, 2017<br />
<br />
SAMM version 2.0<br />
* Core model changed<br />
* Visualisations + flavours for a few development methodologies<br />
* Update quickstart guide, TB, HTG. <br />
* Success metrics: How well does the model work: Linked to the benchmarking project.<br />
Timing: Workshops as part of OWASP Project Summit June 2017<br />
<br />
</div><br />
= Get Involved =<br />
[[Image:OwaspSAMM.png|right]]<br />
<div style="font-size:120%;border:none;margin: 0;color:#000"><br />
<br />
Involvement in the development of SAMM is actively encouraged!<br />
<br />
You do not have to be a security expert in order to contribute.<br />
<br />
Some of the ways you can help:<br />
<br />
==Feedback==<br />
<br />
Please use the [https://lists.owasp.org/mailman/listinfo/samm Mailing List] for feedback:<br />
* What do like?<br />
* What don't you like?<br />
* How can we make SAMM easier to use?<br />
* How could SAMM be improved? <br />
<br />
<br />
==Localization==<br />
<br />
Are you fluent in another language? Can you help translate SAMM into that language?<br />
<br />
You can use [http://crowdin.net/project/owasp-samm Crowdin] to do that!<br />
<br />
</div><br />
<br />
= Project Sponsors =<br />
[[Image:OwaspSAMM.png|right]]<br />
<br />
<div style="font-size:120%;border:none;margin: 0;color:#000"><br />
<br />
SAMM is developed and maintained by a worldwide team of volunteers. We have also been helped by many organizations, either financially or by encouraging their employees to work on SAMM.<br />
<br />
==SAMM Adopters==<br />
SAMM is the premier open source software assurance framework. You can find a list of [https://www.owasp.org/index.php/OpenSAMM_Adopters SAMM adopters] online.<br />
<br />
==Call for SAMM2 Sponsors==<br />
OWASP SAMM and the upcoming SAMM 2.0 release is the open source software security maturity model used to develop secure software for IT, application and software security technologists. <br />
<br />
We are seeking sponsors to support OWASP SAMM. All proceeds from the sponsorship support the mission of the OWASP Foundation and the further development of SAMM. Supporting the project drives the funding for research grants, SAMM hosting, tools, templates, documents, promotion, and more.<br />
<br />
By sponsoring SAMM, you not only support an important and flagship OWASP project, you will also get visibility during the next SAMM Summit (part of the OWASP Summit 2018) and recognition on the OWASP SAMM project web site and the next release of SAMM (version 2.0).<br />
<br />
For more information: Contact [mailto:seba@owasp.org seba@owasp.org]<br />
<br />
==== Acknowledgements ====<br />
<br />
<br />
<br />
We would like to thank the following sponsors who donated funds to our project:<br />
<br />
[[File:OWASP-NoVA-Chapter-Logo.PNG|250px|link=https://www.owasp.org/index.php/Virginia]]<br />
[[File:Belgium_Chapter.PNG|250px|link=https://www.owasp.org/index.php/Belgium]]<br />
[[File:London_Chapter.PNG|250px|link=https://www.owasp.org/index.php/London]]<br />
<br />
[[File:Aspectsecurity.png|250px|link=http://www.aspectsecurity.com]]<br />
[[File:Astech_Consulting_logo.png|250px|link=http://www.astechconsulting.com/]] <br />
[[File:Denim_Group_logo.jpg|250px|link=http://www.denimgroup.com/]] <br />
[[File:Gotham_Digital_Science_logo.jpg|250px|link=http://www.gdssecurity.com/]] <br />
<br />
{{MemberLinksv2|link=http://www.hpenterprisesecurity.com|logo=HP_Blue_RGB_150_SM.png|size=300px90px}} <br />
[[File:NetSPI_logo.png|250px|link=http://www.netspi.com/]] <br />
[[Image:PwC_logo_4colourprint_(2)_Resized_good_one.jpg|150px|link=http://www.pwc.com]]<br />
[[File:SI_Logo_Stacked_Application_Security.jpg|250px|link=http://www.securityinnovation.com/]] <br />
[[File:LogoToreon.jpg|250px|link=http://www.toreon.com]] <br />
[[File:Veracode-samm.png|250px|link=http://www.veracode.com]] <br />
<br />
<br />
__NOTOC__ <headertabs></headertabs><br />
<br />
<br /><br />
{{OWASP Book|6888083}}<br />
<br /><br />
<br />
[[Category:OWASP Project|Zed Attack Proxy Project]]<br />
[[Category:OWASP_Tool]]<br />
[[Category:OWASP Release Quality Tool|OWASP Release Quality Tool]]<br />
[[Category:OWASP_Download]]<br />
[[Category:Popular]]</div>Wichershttps://wiki.owasp.org/index.php?title=OWASP_SAMM_Project&diff=246907OWASP SAMM Project2019-01-29T16:03:05Z<p>Wichers: /* Quick Download v1.5 */</p>
<hr />
<div>= Main = <br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<div style="font-size:120%;border:none;margin: 0;color:#000"><br />
<br />
'''OWASP SAMM v1.5 available in the downloads section!'''<br />
<br />
We are now working on the Beta release of OWASP SAMMv2, our work in progress is available [https://owaspsamm.org online on our new web site]. <br><br />
<br />
'''Join our monthly calls'''<br />
* The monthly call is on each 2nd Wednesday of the month at 21h30 CEST / 3:30pm EST. <br><br />
* Please join our GoToMeeting: https://global.gotomeeting.com/join/262891661 <br><br />
* The call is open for everybody interested in SAMM or who wants to work on SAMM. <br><br />
<br />
'''Join us on the OWASP SAMM project Slack channel'''<br />
* Join our project slack channel on https://owasp.slack.com/messages/C0VF1EJGH <br />
* If you do not have an OWASP Slack workspace account yet, contact one of our project leaders to get an invite link.<br />
<br />
'''2018 OWASP SAMM Summit (4-8 JUNE 2018, London)'''<br />
* Join our 2018 OWASP SAMM Summit near London as part of the [https://open-security-summit.org/ Open Security Summit].<br><br />
* We will organize working sessions in a 5-day sprint to draft SAMM v2.0. <br />
* Register online [https://open-security-summit.org/tickets/ here]<br />
* Sponsor the SAMM2, more details [https://www.owasp.org/index.php/OWASP_SAMM_Project#tab=Project_Sponsors here]<br />
<br />
The Software Assurance Maturity Model (SAMM) is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization. SAMM helps you:<br />
* '''Evaluate an organization’s existing software security practices'''<br />
* '''Build a balanced software security assurance program in well-defined iterations'''<br />
* '''Demonstrate concrete improvements to a security assurance program'''<br />
* '''Define and measure security-related activities throughout an organization'''<br />
<br />
<br />
<br />
''Dell uses OWASP’s Software Assurance Maturity Model (Owasp SAMM) to help focus our resources and determine which components of our secure application development program to prioritize.'', ('''Michael J. Craigue, Information Security & Compliance, Dell, Inc.''')<br />
<br />
Follow OWASP SAMM on twitter: [https://twitter.com/owaspsamm @owaspsamm]<br />
<br />
{{Social Media Links}}<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download v1.5 ==<br />
[https://github.com/OWASP/samm/raw/master/Supporting%20Resources/v1.5/Final/OWASP_SAMM_v1.5.zip All SAMM v1.5 files (.zip)] <br><br />
[https://github.com/OWASP/samm/raw/master/Supporting%20Resources/v1.5/Final/SAMM_Core_V1-5_FINAL.pdf SAMM Core Model] <br><br />
[https://github.com/OWASP/samm/raw/master/Supporting%20Resources/v1.5/Final/SAMM_How_To_V1-5_FINAL.pdf How-To Guide] <br><br />
[https://github.com/OWASP/samm/raw/master/Supporting%20Resources/v1.5/Final/SAMM_Quick_Start_V1-5_FINAL.pdf Quick Start Guide] <br><br />
[https://github.com/OWASP/samm/raw/master/Supporting%20Resources/v1.5/Final/SAMM_Assessment_Toolbox_v1.5_FINAL.xlsx SAMM Toolbox] <br><br />
[https://github.com/OWASP/samm/raw/master/Supporting%20Resources/v1.5/Final/SAMM_Assessment_Toolbox_v1.5-Example_FINAL.xlsx SAMM Toolbox Example] <br><br />
[https://github.com/OWASP/samm/ OWASP SAMM on GitHub]<br />
<br />
== Quick Download v1.1.1 ==<br />
<br />
[https://github.com/OWASP/samm/blob/master/v1.1/Final/SAMM_Core_V1-1-Final-1page.pdf SAMM Core Model]<br><br />
[https://github.com/OWASP/samm/blob/master/v1.1/Final/SAMM_How_To_V1-1-Final-1page.pdf How-To Guide] <br><br />
[https://github.com/OWASP/samm/blob/master/v1.1/Final/SAMM_Quick_Start_V1-1-Final-1page.pdf Quick-Start Guide] <br><br />
[https://github.com/OWASP/samm/blob/master/v1.1/Final/SAMM_Assessment_Toolbox_v1-1-Final.xlsx Updated SAMM Tool Box]<br><br />
[https://github.com/OWASP/samm OWASP SAMM on GitHub]<br />
<br />
== News and Events ==<br />
Please see the [https://www.owasp.org/index.php/OWASP_SAMM_Project#News News] and [https://www.owasp.org/index.php/OWASP_SAMM_Project#Talks Talks] tabs<br />
<br />
== Change Log ==<br />
* OWASP SAMM v1.5 Released! ([http://www.prnewswire.com/news-releases/owasp-samm-v15-helps-organizations-improve-their-security-posture-300439237.html Press Release])<br />
* OWASP SAMM v1.1 Released! ([http://www.prnewswire.com/news-releases/owasp-releases-software-assurance-maturity-model-samm-version-11-for-improving-software-security-300236836.html Press Release])<br />
* OpenSAMM v1.1 RC - [http://lists.owasp.org/pipermail/samm/2015-December/000758.html available for review]<br />
<br />
== Email List ==<br />
<br />
Questions? Please ask on the [https://lists.owasp.org/mailman/listinfo/samm SAMM Mailing List]<br />
<br />
== Project Leaders ==<br />
<br />
[https://www.owasp.org/index.php/User:Sdeleersnyder Seba Deleersnyder] <br /> [https://www.owasp.org/index.php/User:Bart_De_Win Bart De Win]<br />
<br />
== Related Projects ==<br />
<br />
*<br />
<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| rowspan="2" align="center" valign="top" width="50%" | [[File:Owasp-flagship-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]<br />
| align="center" valign="center" width="50%" | [[File:Owasp-defenders-small.png|link=]]<br />
|<br />
|-<br />
| align="center" valign="center" width="50%" | [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= Browse Online =<br />
[[Image:OwaspSAMM.png|right]]<br />
<br />
The foundation of the model is built upon the core business functions of software development with security practices tied to each (see diagram below). The building blocks of the model are the three maturity levels defined for each of the twelve security practices. These define a wide variety of activities in which an organization could engage to reduce security risks and increase software assurance. Additional details are included to measure successful activity performance, understand the associated assurance benefits, estimate personnel and other costs.<br />
<br />
[[Image:SAMM-Overview.png|720px]]<br />
<br />
===== Click on any badge to learn more =====<br />
<br />
{| cellpadding="1"<br />
|[https://www.owasp.org/index.php/SAMM_-_Governance https://www.owasp.org/images/f/f7/G.png]<br />
|-<br />
| align="center" |'''Strategy & Metrics'''<br />
|{{SAMM-BadgeList|name=Strategy_&_Metrics|abbr=SM|padding=0}}<br />
|-<br />
| align="center" |'''Policy & Compliance'''<br />
|{{SAMM-BadgeList|name=Policy_&_Compliance|abbr=PC|padding=0}}<br />
|-<br />
| align="center" |'''Education & Guidance'''<br />
|{{SAMM-BadgeList|name=Education_&_Guidance|abbr=EG|padding=0}}<br />
|-<br />
|[https://www.owasp.org/index.php/SAMM_-_Construction https://www.owasp.org/images/e/ee/C.png]<br />
|-<br />
| align="center" |'''Threat Assessment'''<br />
|{{SAMM-BadgeList|name=Threat_Assessment|abbr=TA|padding=0}}<br />
|-<br />
| align="center" |'''Security Requirements'''<br />
|{{SAMM-BadgeList|name=Security_Requirements|abbr=SR|padding=0}}<br />
|-<br />
| align="center" |'''Secure Architecture'''<br />
|{{SAMM-BadgeList|name=Secure_Architecture|abbr=SA|padding=0}}<br />
|-<br />
|[https://www.owasp.org/index.php/SAMM_-_Verification https://www.owasp.org/images/8/83/V.png]<br />
|-<br />
| align="center" |'''Design Review'''<br />
|{{SAMM-BadgeList|name=Design_Review|abbr=DR|padding=0}}<br />
|-<br />
| align="center" |'''Code Review'''<br />
|{{SAMM-BadgeList|name=Code_Review|abbr=CR|padding=0}}<br />
|-<br />
| align="center" |'''Security Testing'''<br />
|{{SAMM-BadgeList|name=Security_Testing|abbr=ST|padding=0}}<br />
|-<br />
|[https://www.owasp.org/index.php/SAMM_-_Deployment https://www.owasp.org/images/5/54/D.png]<br />
|-<br />
| align="center" |'''Vulnerability Management'''<br />
|{{SAMM-BadgeList|name=Vulnerability_Management|abbr=VM|padding=0}}<br />
|-<br />
| align="center" |'''Environment Hardening'''<br />
|{{SAMM-BadgeList|name=Environment_Hardening|abbr=EH|padding=0}}<br />
|-<br />
| align="center" |'''Operational Enablement'''<br />
|{{SAMM-BadgeList|name=Operational_Enablement|abbr=OE|padding=0}}<br />
|-<br />
|}<br />
<br />
= Downloads =<br />
<br />
The latest work in progress can be found on Github: https://github.com/OWASP/samm<br />
<br />
Download SAMM v1.5<br />
* [https://github.com/OWASP/samm/blob/master/v1.5/Final/OWASP_SAMM_v1.5.zip All SAMM v1.5 files (.zip)] Zip file containing all the v1.5 files below;<br />
* [https://github.com/OWASP/samm/blob/master/v1.5/Final/SAMM_Core_V1-5_FINAL.pdf SAMM Core Model] document, explaining the maturity model;<br />
* [https://github.com/OWASP/samm/blob/master/v1.5/Final/SAMM_How_To_V1-5_FINAL.pdf How-To Guide] with implementation guidance;<br />
* [https://github.com/OWASP/samm/blob/master/v1.5/Final/SAMM_Quick_Start_V1-5_FINAL.pdf Quick-Start Guide] with different steps to improve your secure software practice;<br />
* [https://github.com/OWASP/samm/blob/master/v1.5/Final/SAMM_Assessment_Toolbox_v1.5_FINAL.xlsx SAMM Toolbox] to perform SAMM assessments and create SAMM roadmaps;<br />
* [https://github.com/OWASP/samm/blob/master/v1.5/Final/SAMM_Assessment_Toolbox_v1.5-Example_FINAL.xlsx SAMM Tool Box Example] to provide an example SAMM assessment;<br />
<br />
Download SAMM v1.1<br />
* [https://github.com/OWASP/samm/blob/master/v1.1/Final/SAMM_Core_V1-1-Final.pdf SAMM Core Model] document, explaining the maturity model;<br />
* [https://github.com/OWASP/samm/blob/master/v1.1/Final/SAMM_How_To_V1-1-Final.pdf How-To Guide] with implementation guidance;<br />
* [https://github.com/OWASP/samm/blob/master/v1.1/Final/SAMM_Quick_Start_V1-1-Final.pdf Quick-Start Guide] with different steps to improve your secure software practice;<br />
* [https://github.com/OWASP/samm/blob/master/v1.1/Final/SAMM_Assessment_Toolbox_v1-1-Final.xlsx Updated SAMM Tool Box] to perform SAMM assessments and create SAMM roadmaps;<br />
<br />
Download OpenSAMM v1.0:<br />
* in [https://www.owasp.org/images/c/c0/SAMM-1.0.pdf English - PDF], [https://www.owasp.org/images/2/25/SAMM-1.0-en_US-0.3.xml.zip English - XML]<br />
* in [https://www.owasp.org/images/a/a9/SAMM-1.0-es_MX.pdf Spanish - PDF], [https://www.owasp.org/images/a/a1/SAMM-1.0-es_MX-0.3.xml.zip Spanish - XML]<br />
* in [https://www.owasp.org/images/a/a9/SAMM-1.0-ja_JP.pdf Japanese - PDF], not available as XML<br />
* in [https://www.owasp.org/images/f/fd/SAMM-1.0-cn.pdf Chinese - PDF], not available as XML<br />
<br />
<br />
Available resources to apply SAMM:<br />
* Browse OWASP and other resources for SAMM Security practices: [[:Category:SAMM-Resources]]<br />
<br />
<br />
Trainings:<br />
* Recent OWASP SAMM 1-Day training slide deck delivered by Bart De Win and Sebastien Deleersnyder at AppSec Europe 2014 in Cambridge<br />
** Slide deck download [https://www.owasp.org/images/d/df/OpenSAMM_Training_vFINAL.pptx here]<br />
** Training description download [https://www.owasp.org/images/7/7c/Training_-_Bootstrap_and_improve_your_SDLC_with_OpenSAMM.docx here]<br />
<br />
<br />
Assessments:<br />
* SAMM v1.5 Toolbox<br />
** Download the new v1.5 Toolbox with the updated scoring model [https://github.com/OWASP/samm/blob/master/v1.5/Final/SAMM_Assessment_Toolbox_v1.5_FINAL.xlsx SAMM v1.5 Toolbox]<br />
* SAMM v1.1 Toolbox<br />
** download the v1.1 toolbox, including the updated questions [https://github.com/OWASP/samm/blob/master/v1.1/Final/SAMM_Assessment_Toolbox_v1-1-Final.xlsx here]<br />
* Assessment Interview Template by Nick Coblentz for SAMM V1.0<br />
** This [https://www.owasp.org/images/c/cf/20090607-SAMMAssessmentInterviewTemplate-1.0.xls spreadsheet] breaks down the assessment questionnaire from the SAMM framework into assertion statements that can be used to drive assessment interviews.<br />
* Roadmap Chart Template by Colin Watson for SAMM V1.0<br />
** This [https://www.owasp.org/images/e/e2/20090610-Samm-roadmap-chart-template.xls spreadsheet] provides a simple way to capture the data for a SAMM roadmap and automatically generate graphics similar to those that appear in the framework.<br />
* Assessment Worksheet by Christian Frichot for SAMM V1.0<br />
** This is an easy-to-use [https://www.owasp.org/images/e/e2/20090610-Samm-roadmap-chart-template.xls spreadsheet] containing the assessment questionnaire from the SAMM framework. Features some auto-scoring to make the appearance very polished.<br />
* Project Plan Template by Jim Weiler for SAMM V1.0<br />
** This is a [https://www.owasp.org/images/3/33/SAMMProject.zip project plan template] (MS Project) that captures the activities from the SAMM levels. Useful for copying pieces into existing development project schedules.<br />
<br />
<br />
Mappings:<br />
* BSIMM-6 mapping to SAMM activities:<br />
** Spreadsheet download [https://github.com/OWASP/opensamm/tree/master/v1.1/mapping here]<br />
** Presentation with start of analysis download [https://www.owasp.org/images/6/66/OpenSAMM_-_BSIMM-V_mapping.pptx here]<br />
* BSIMM mapping to SAMM during the 2011 Summit:<br />
** This [https://www.owasp.org/images/2/2e/20110301-OpenSAMM-BSIMM-Mapping.xlsx spreadsheet] contains an activity-level mapping between OpenSAMM and BSIMM. Note that in some cases, multiple BSIMM activities map to a single SAMM activity (109 in BSIMM map to 72 in SAMM).<br />
<br />
<br />
Tools:<br />
*Javascript visualization framework for SAMM on [https://github.com/qudosoft-labs/SAMMCharts github]<br />
<br />
= Community =<br />
<br />
[[Image:OwaspSAMM.png|right]]<br />
<div style="font-size:120%;border:none;margin: 0;color:#000"><br />
{{:Projects/OWASP SAMM Project/Pages/Community | Community}}<br />
<br />
</div><br />
<br />
= Summit =<br />
<br />
[[Image:OwaspSAMM.png|right]]<br />
<br />
In 2016 we organized our second OWASP SAMM Summit in New York on 20-21 April, details [https://www.owasp.org/index.php/OWASP_SAMM_Summit_2016 >here<] !!<br />
<br />
Read the wrap-up of the Summit here: https://docs.google.com/document/d/19_LC1euR7ZuazRYgeblhPE1Fv6E8N56Bu8zANq2JB30/edit<br />
<br />
<br />
In 2015 we organized our the first OWASP SAMM Summit in Dublin on 27-28 March, details [https://www.owasp.org/index.php/OWASP_SAMM_Summit_2015 >here<] !!<br />
<br />
Summit Notes:<br />
* 28 Mar 2015 - https://docs.google.com/document/d/1pC4har75olF1WPZaqRfXFG9T3SS_qoEUvHkEynE0iTI/edit<br />
* Summit outcome is described [http://www.opensamm.org/2015/04/opensamm-summit-dublin-outcome/ here]<br />
''"The SAMM summit provided an opportunity to breathe new life into a framework that I use to facilitate my day-to-day work and support my customers."'' Bruce C Jenkins, Fortify Security Lead, Hewlett-Packard Company<br />
<br />
Previous workshop Notes:<br />
<br />
During the AppSec conferences, the SAMM project team organises workshops for you to influence the direction SAMM evolves.<br />
<br />
This is also an excellent opportunity to exchange experiences with your peers.<br />
<br />
If you plan on attending http://appsec.eu be sure to get involved in the SAMM workshop (scheduled on Jun-23).<br />
* The agenda for the SAMM Workshop in Cambridge on 23-Jun-2014 is available [https://docs.google.com/document/d/1tXqIovpSuFqycVYetdGSC2PiPygySymiLUhHT5yHR2M/edit here].<br />
<br />
Previous workshop notes:<br />
* The notes for the SAMM Workshop in New York on 21-Nov-2013 are available [https://docs.google.com/document/d/1PwoDVsWyhoWksBiLIRh8UOh-QCs8H7QMqrSUsS13WzU/edit here].<br />
* The notes for the SAMM Workshop in Hamburg on 21-Aug-2013 are available [https://docs.google.com/document/d/12mB7FkmhcI04YDZle_VD90n1xcENgNhAGqZkCAb6EkM/edit here].<br />
<br />
<br />
= Talks =<br />
[[Image:OwaspSAMM.png|right]]<br />
<div style="font-size:120%;border:none;margin: 0;color:#000"><br />
Upcoming talks featuring SAMM are listed here:<br />
<br />
* OWASP DC - Software Assurance Maturity Model (SAMM) with Brian Glas! (2017-03-15)<br />
* OWASP NoVA - SAMM 1.5, what's changed and how it impacts you (2017-03-16)<br />
* InfoSec World - Software Assurance Maturity Model Evolutions (2017-04-03)<br />
<br />
past talks:<br />
<br />
* OWASP SAMM v1.5 Webinar - Brian Glas discussing the SAMM model and changes in v1.5 (watch - [https://www.youtube.com/watch?v=4pKdwRb8fTI youtube]) - 2017<br />
* OWASP 24/7 - Seba Deleersnyder discussing the upcoming SAMM Summit (listen - [https://soundcloud.com/owasp-podcast/seba-deleersnyder-discusses-samm-software-assurance-maturity-model-summit-in-dublin-ireland here]) - 2015<br />
* OWASP Germany Day 2014: Seba Deleersnyder: OpenSAMM Best Practices: Lessons from the Trenches (download [https://www.owasp.org/images/f/fa/OpenSAMM_Best_Practices_Lessons_from_the_Trenches_-_Seba_Deleersnyder.pdf presentation]) - 2014<br />
* AppSecEU14: Seba Deleersnyder & Bart De Win: OpenSAMM Best Practices: Lessons from the Trenches OpenSAMM Best Practices: Lessons from the Trenches (download [https://www.owasp.org/images/6/6f/OpenSAMM_-_AppSecEU_2014_-_Seba-Bart_v20140528.pptx presentation], see [https://www.youtube.com/watch?v=qcCgeBeBLUg video]) - 2014<br />
* AppSecEU13 - Hamburg: Seba Deleersnyder presenting a project update (download [https://www.owasp.org/images/3/32/OpenSAMM_-_Project_Status_-_Hamburg_2013.pdf presentation]) - 2013<br />
* OWASP Europe Tour 2013 - Geneva: Seba Deleersnyder presenting OpenSAMM and the renewed project (download [https://www.owasp.org/images/c/cd/OpenSAMM_-_OWASP_Tour_13_Talk_-_Seba.pptx presentation]) - 2013<br />
* AppSecEU11 - Athens: Colin Watson presenting SAMM Training (download [https://www.owasp.org/images/1/18/Owasp-training-samm-greece.pdf presentation]) - 2011<br />
* AppSecEU09: Pravir Chandra presenting OpenSAMM v1.0 (download [https://www.owasp.org/images/4/49/AppSecEU09_OpenSAMM-1.0.ppt presentation]) - 2009<br />
* Matt Bartoldus presentation on new SAMM project during OWASP London chapter (download [https://www.owasp.org/images/d/df/OpenSAMM.pdf presentation]) - 2009<br />
* Pravir Chandra - first presentation discussing the next generation to the CLASP Project- a complete working of the details into a Software Assurance Maturity Model (SAMM). (download [https://www.owasp.org/images/2/2e/OWASP_CLASP_SAMM.ppt presentation]) - 2009<br />
<br />
</div><br />
<br />
= News =<br />
[[Image:OwaspSAMM.png|right]]<br />
<div style="font-size:120%;border:none;margin: 0;color:#000"><br />
<br />
Latest News on SAMM<br />
* OWASP SAMM v2.0 workshop at the OWASP Project Summit June 2017<br />
* OWASP SAMM v1.5 Released!<br />
* SAMM Summit 2016 read the [https://docs.google.com/document/d/19_LC1euR7ZuazRYgeblhPE1Fv6E8N56Bu8zANq2JB30/edit wrap-up here] <br />
* OWASP SAMM v1.1 Released! See the [http://www.prnewswire.com/news-releases/owasp-releases-software-assurance-maturity-model-samm-version-11-for-improving-software-security-300236836.html Press Release].<br />
* OpenSAMM v1.1 RC - [http://lists.owasp.org/pipermail/samm/2015-December/000758.html available for review]<br />
<br />
</div><br />
<br />
= Languages =<br />
[[Image:OwaspSAMM.png|right]]<br />
<div style="font-size:120%;border:none;margin: 0;color:#000"><br />
<br />
'''SAMM v1.0 is available in the following languages:'''<br />
<br />
* English<br />
* Spanish<br />
* Japanese<br />
* Chinese<br />
<br />
Carlos Allendes created a presentation in Spanish on SAMM during the 2011 LatAm tour, download the [https://www.owasp.org/images/c/cf/05_OWASP_LatamTur2011_OpenSAMM.pdf presentation].<br />
Hubert Grégoire and Sebastien Gioria created a French translation of the OpenSAMM 1.0 Overview presentation available for download [https://www.owasp.org/images/f/fd/OpenSAMM-1.0-fr_FR.ppt here].<br />
<br />
You can use [http://crowdin.net/project/owasp-samm Crowdin] to help improve these translations or add new ones right now!<br />
<br />
</div><br />
<br />
= Roadmap =<br />
[[Image:OwaspSAMM.png|right]]<br />
<div style="font-size:120%;border:none;margin: 0;color:#000"><br />
<br />
Updated roadmap:<br />
Next 1.5 release, updated scoring:<br />
* Clarification of maturity levels (syntactic changes to keep the text consistent)<br />
* Not change activities but try to impose the current scoring system on existing activities, i.e. move from binary yes/no to the multi-tiered questions/answers of the current proposal. <br />
* Show improvements with every activity introduced<br />
* Adapt for the new scoring method<br />
* Update questions for 4-tiers<br />
* Review and where necessary clarify current questions<br />
* Consider v1.1 remarks that were not withheld for the previous release<br />
Targeted completion date: February 28, 2017<br />
<br />
SAMM version 2.0<br />
* Core model changed<br />
* Visualisations + flavours for a few development methodologies<br />
* Update quickstart guide, TB, HTG. <br />
* Success metrics: How well does the model work: Linked to the benchmarking project.<br />
Timing: Workshops as part of OWASP Project Summit June 2017<br />
<br />
</div><br />
= Get Involved =<br />
[[Image:OwaspSAMM.png|right]]<br />
<div style="font-size:120%;border:none;margin: 0;color:#000"><br />
<br />
Involvement in the development of SAMM is actively encouraged!<br />
<br />
You do not have to be a security expert in order to contribute.<br />
<br />
Some of the ways you can help:<br />
<br />
==Feedback==<br />
<br />
Please use the [https://lists.owasp.org/mailman/listinfo/samm Mailing List] for feedback:<br />
* What do like?<br />
* What don't you like?<br />
* How can we make SAMM easier to use?<br />
* How could SAMM be improved? <br />
<br />
<br />
==Localization==<br />
<br />
Are you fluent in another language? Can you help translate SAMM into that language?<br />
<br />
You can use [http://crowdin.net/project/owasp-samm Crowdin] to do that!<br />
<br />
</div><br />
<br />
= Project Sponsors =<br />
[[Image:OwaspSAMM.png|right]]<br />
<br />
<div style="font-size:120%;border:none;margin: 0;color:#000"><br />
<br />
SAMM is developed and maintained by a worldwide team of volunteers. We have also been helped by many organizations, either financially or by encouraging their employees to work on SAMM.<br />
<br />
==SAMM Adopters==<br />
SAMM is the premier open source software assurance framework. You can find a list of [https://www.owasp.org/index.php/OpenSAMM_Adopters SAMM adopters] online.<br />
<br />
==Call for SAMM2 Sponsors==<br />
OWASP SAMM and the upcoming SAMM 2.0 release is the open source software security maturity model used to develop secure software for IT, application and software security technologists. <br />
<br />
We are seeking sponsors to support OWASP SAMM. All proceeds from the sponsorship support the mission of the OWASP Foundation and the further development of SAMM. Supporting the project drives the funding for research grants, SAMM hosting, tools, templates, documents, promotion, and more.<br />
<br />
By sponsoring SAMM, you not only support an important and flagship OWASP project, you will also get visibility during the next SAMM Summit (part of the OWASP Summit 2018) and recognition on the OWASP SAMM project web site and the next release of SAMM (version 2.0).<br />
<br />
For more information: Contact [mailto:seba@owasp.org seba@owasp.org]<br />
<br />
==== Acknowledgements ====<br />
<br />
<br />
<br />
We would like to thank the following sponsors who donated funds to our project:<br />
<br />
[[File:OWASP-NoVA-Chapter-Logo.PNG|250px|link=https://www.owasp.org/index.php/Virginia]]<br />
[[File:Belgium_Chapter.PNG|250px|link=https://www.owasp.org/index.php/Belgium]]<br />
[[File:London_Chapter.PNG|250px|link=https://www.owasp.org/index.php/London]]<br />
<br />
[[File:Aspectsecurity.png|250px|link=http://www.aspectsecurity.com]]<br />
[[File:Astech_Consulting_logo.png|250px|link=http://www.astechconsulting.com/]] <br />
[[File:Denim_Group_logo.jpg|250px|link=http://www.denimgroup.com/]] <br />
[[File:Gotham_Digital_Science_logo.jpg|250px|link=http://www.gdssecurity.com/]] <br />
<br />
{{MemberLinksv2|link=http://www.hpenterprisesecurity.com|logo=HP_Blue_RGB_150_SM.png|size=300px90px}} <br />
[[File:NetSPI_logo.png|250px|link=http://www.netspi.com/]] <br />
[[Image:PwC_logo_4colourprint_(2)_Resized_good_one.jpg|150px|link=http://www.pwc.com]]<br />
[[File:SI_Logo_Stacked_Application_Security.jpg|250px|link=http://www.securityinnovation.com/]] <br />
[[File:LogoToreon.jpg|250px|link=http://www.toreon.com]] <br />
[[File:Veracode-samm.png|250px|link=http://www.veracode.com]] <br />
<br />
<br />
__NOTOC__ <headertabs></headertabs><br />
<br />
<br /><br />
{{OWASP Book|6888083}}<br />
<br /><br />
<br />
[[Category:OWASP Project|Zed Attack Proxy Project]]<br />
[[Category:OWASP_Tool]]<br />
[[Category:OWASP Release Quality Tool|OWASP Release Quality Tool]]<br />
[[Category:OWASP_Download]]<br />
[[Category:Popular]]</div>Wichershttps://wiki.owasp.org/index.php?title=Category:Vulnerability_Scanning_Tools&diff=246881Category:Vulnerability Scanning Tools2019-01-28T16:49:56Z<p>Wichers: /* References */</p>
<hr />
<div>== Description ==<br />
<br />
Web Application Vulnerability Scanners are automated tools that scan web applications, normally from the outside, to look for security vulnerabilities such as [[Cross-site scripting]], [[SQL Injection]], [[Command Injection]], [[Path Traversal]] and insecure server configuration. This category of tools is frequently referred to as [https://www.techopedia.com/definition/30958/dynamic-application-security-testing-dast Dynamic Application Security Testing] (DAST) Tools. A large number of both commercial and open source tools of this type are available and all of these tools have their own strengths and weaknesses. If you are interested in the effectiveness of DAST tools, check out the OWASP [[Benchmark]] project, which is scientifically measuring the effectiveness of all types of vulnerability detection tools, including DAST.<br />
<br />
Here we provide a list of vulnerability scanning tools currently available in the market.<br />
<br />
<br> '''Disclaimer:''' The tools listing in the table below are presented in an alphabetical order. <b>OWASP does not endorse any of the Vendors or Scanning Tools by listing them in the table below. We have made every effort to provide this information as accurately as possible. If you are the vendor of a tool below and think this information is incomplete or incorrect, please send an e-mail to our [mailto:owasp_ha_vulnerability_scanner_project@lists.owasp.org mailing list] and we will make every effort to correct this information.</b><br />
<br />
OWASP is aware of the [http://sectooladdict.blogspot.com/ '''Web Application Vulnerability Scanner Evaluation Project (WAVSEP)'''. WAVSEP] is completely unrelated to OWASP and we do not endorse its results, nor any of the DAST tools it evaluates. However, the results provided by WAVSEP may be helpful to someone interested in researching or selecting free and/or commercial DAST tools for their projects. This project has far more detail on DAST tools and their features than this OWASP DAST page.<br />
<br />
== Tools Listing ==<br />
<br />
{{:Template:OWASP Tool Headings}}<br />
{{OWASP Tool Info || tool_name = [http://www.acunetix.com/ Acunetix WVS] || tool_owner = Acunetix || tool_licence = Commercial / Free (Limited Capability) || tool_platforms = Windows}}<br />
{{OWASP Tool Info || tool_name = [https://www.ibm.com/us-en/marketplace/application-security-on-cloud Application Security on Cloud] || tool_owner = IBM || tool_licence = Commercial || tool_platforms = SaaS}}<br />
{{OWASP Tool Info || tool_name = [http://www-03.ibm.com/software/products/en/appscan-standard AppScan] || tool_owner = IBM || tool_licence = Commercial || tool_platforms = Windows}}<br />
{{OWASP Tool Info || tool_name = [https://www.trustwave.com/Products/Application-Security/App-Scanner-Family/App-Scanner-Enterprise/ App Scanner] || tool_owner = Trustwave || tool_licence = Commercial || tool_platforms = Windows }}<br />
{{OWASP Tool Info || tool_name = [http://www.rapid7.com/products/appspider/ AppSpider] || tool_owner = Rapid7 || tool_licence = Commercial || tool_platforms = Windows}}<br />
{{OWASP Tool Info || tool_name = [https://apptrana.indusface.com/basic/ AppTrana Website Security Scan] || tool_owner = AppTrana || tool_licence = Free || tool_platforms = SaaS}}<br />
{{OWASP Tool Info || tool_name = [http://www.arachni-scanner.com/ Arachni] || tool_owner = Arachni|| tool_licence = Free for most use cases || tool_platforms = Most platforms supported}}<br />
{{OWASP Tool Info || tool_name = [https://www.scanmyserver.com/ AVDS] || tool_owner = Beyond Security || tool_licence = Commercial / Free (Limited Capability)|| tool_platforms = SaaS }}<br />
{{OWASP Tool Info || tool_name = [https://www.blueclosure.com BlueClosure BC Detect] || tool_owner = BlueClosure || tool_licence = Commercial, 2 weeks trial || tool_platforms = Most platforms supported}}<br />
{{OWASP Tool Info || tool_name = [http://www.portswigger.net/ Burp Suite] || tool_owner = PortSwiger || tool_licence = Commercial / Free (Limited Capability)|| tool_platforms = Most platforms supported }}<br />
{{OWASP Tool Info || tool_name = [https://contrastsecurity.com Contrast] || tool_owner = Contrast Security || tool_licence = Commercial / Free (Full featured for 1 App) || tool_platforms = SaaS or On-Premises }}<br />
{{OWASP Tool Info || tool_name = [https://detectify.com/ Detectify] || tool_owner = Detectify || tool_licence = Commercial || tool_platforms = SaaS }}<br />
{{OWASP Tool Info || tool_name = [http://www.digifort.se/en/scanner Digifort- Inspect] || tool_owner = Digifort|| tool_licence = Commercial || tool_platforms = SaaS }}<br />
{{OWASP Tool Info || tool_name = [https://www.edgescan.com/ edgescan] || tool_owner = edgescan|| tool_licence = Commercial || tool_platforms = SaaS}}<br />
{{OWASP Tool Info || tool_name = [http://www.gamasec.com/Gamascan.aspx GamaScan] || tool_owner = GamaSec || tool_licence = Commercial || tool_platforms = Windows }}<br />
{{OWASP Tool Info || tool_name = [http://rgaucher.info/beta/grabber/ Grabber] || tool_owner = Romain Gaucher || tool_licence = Open Source || tool_platforms = Python 2.4, BeautifulSoup and PyXML}}<br />
{{OWASP Tool Info || tool_name = [https://gravityscan.com/ Gravityscan] || tool_owner = Defiant, Inc. || tool_licence = Commercial / Free (Limited Capability) || tool_platforms = SaaS}}<br />
{{OWASP Tool Info || tool_name = [http://sourceforge.net/p/grendel/code/ci/c59780bfd41bdf34cc13b27bc3ce694fd3cb7456/tree/ Grendel-Scan] || tool_owner = David Byrne || tool_licence = Open Source || tool_platforms = Windows, Linux and Macintosh}}<br />
{{OWASP Tool Info || tool_name = [http://www.golismero.com GoLismero] || tool_owner = GoLismero Team || tool_licence = GPLv2.0 || tool_platforms = Windows, Linux and Macintosh}}<br />
{{OWASP Tool Info || tool_name = [http://www.ikare-monitoring.com/ IKare] || tool_owner = ITrust || tool_licence = Commercial || tool_platforms = N/A }}<br />
{{OWASP Tool Info || tool_name = [https://www.htbridge.com/immuniweb/ ImmuniWeb] || tool_owner = High-Tech Bridge || tool_licence = Commercial / Free (Limited Capability)|| tool_platforms = SaaS}}<br />
{{OWASP Tool Info || tool_name = [https://www.indusface.com/index.php/products/web-application-scanning Indusface Web Application Scanning] || tool_owner = Indusface || tool_licence = Commercial / Free Trial || tool_platforms = SaaS}}<br />
{{OWASP Tool Info || tool_name = [http://www.nstalker.com/ N-Stealth] || tool_owner = N-Stalker || tool_licence = Commercial || tool_platforms = Windows}}<br />
{{OWASP Tool Info || tool_name = [https://www.tenable.com/products/tenable-io/web-application-scanning/ Nessus] || tool_owner = Tenable || tool_licence = Commercial || tool_platforms = Windows}}<br />
{{OWASP Tool Info || tool_name = [http://www.mavitunasecurity.com/ Netsparker] || tool_owner = MavitunaSecurity || tool_licence = Commercial || tool_platforms = Windows}}<br />
{{OWASP Tool Info || tool_name = [http://www.rapid7.com/products/nexpose-community-edition.jsp Nexpose] || tool_owner = Rapid7 || tool_licence = Commercial / Free (Limited Capability)|| tool_platforms = Windows/Linux}}<br />
{{OWASP Tool Info || tool_name = [http://www.cirt.net/nikto2 Nikto] || tool_owner = CIRT || tool_licence = Open Source|| tool_platforms = Unix/Linux}}<br />
{{OWASP Tool Info || tool_name = [http://www.milescan.com/ ParosPro] || tool_owner = MileSCAN || tool_licence = Commercial || tool_platforms = Windows}}<br />
{{OWASP Tool Info || tool_name = [https://probely.com Probe.ly] || tool_owner = Probe.ly || tool_licence = Commercial / Free (Limited Capability) || tool_platforms = SaaS}}<br />
{{OWASP Tool Info || tool_name = [http://www.websecurify.com/desktop/proxy.html Proxy.app] || tool_owner = Websecurify || tool_licence = Commercial || tool_platforms = Macintosh}}<br />
{{OWASP Tool Info || tool_name = [http://www.qualys.com/products/qg_suite/was/ QualysGuard] || tool_owner = Qualys || tool_licence = Commercial || tool_platforms = N/A}}<br />
{{OWASP Tool Info || tool_name = [http://www.beyondtrust.com/Products/RetinaNetworkSecurityScanner/ Retina] || tool_owner = BeyondTrust || tool_licence = Commercial || tool_platforms = Windows}}<br />
{{OWASP Tool Info || tool_name = [http://www.orvant.com Securus] || tool_owner = Orvant, Inc || tool_licence = Commercial || tool_platforms = N/A}}<br />
{{OWASP Tool Info || tool_name = [http://www.whitehatsec.com/home/services/services.html Sentinel] || tool_owner = WhiteHat Security || tool_licence = Commercial || tool_platforms = N/A}}<br />
{{OWASP Tool Info || tool_name = [http://www.parasoft.com/products/article.jsp?articleId=3169&redname=webtesting&referred=webtesting SOATest] || tool_owner = Parasoft || tool_licence = Commercial || tool_platforms = Windows / Linux / Solaris}}<br />
{{OWASP Tool Info || tool_name = [https://www.tinfoilsecurity.com Tinfoil Security] || tool_owner = Tinfoil Security, Inc. || tool_licence = Commercial / Free (Limited Capability) || tool_platforms = SaaS or On-Premises}}<br />
{{OWASP Tool Info || tool_name = [https://www.trustwave.com/external-vulnerability-scanning.php Trustkeeper Scanner] || tool_owner = Trustwave SpiderLabs || tool_licence = Commercial || tool_platforms = SaaS}}<br />
{{OWASP Tool Info || tool_name = [https://subgraph.com/vega/ Vega] || tool_owner = Subgraph || tool_licence = Open Source || tool_platforms = Windows, Linux and Macintosh}}<br />
{{OWASP Tool Info || tool_name = [http://wapiti.sourceforge.net/ Wapiti] || tool_owner = Informática Gesfor || tool_licence = Open Source || tool_platforms = Windows, Unix/Linux and Macintosh}}<br />
{{OWASP Tool Info || tool_name = [https://www.defensecode.com/webscanner.php Web Security Scanner] || tool_owner = DefenseCode || tool_licence = Commercial || tool_platforms = On-Premises}}<br />
{{OWASP Tool Info || tool_name = [http://www.tripwire.com/it-security-software/enterprise-vulnerability-management/web-application-vulnerability-scanning/ WebApp360] || tool_owner = TripWire || tool_licence = Commercial || tool_platforms = Windows}}<br />
{{OWASP Tool Info || tool_name = [https://webcookies.org WebCookies] || tool_owner = WebCookies || tool_licence = Free|| tool_platforms = SaaS}}<br />
{{OWASP Tool Info || tool_name = [http://www8.hp.com/us/en/software-solutions/software.html?compURI=1341991#.Uuf0KBAo4iw WebInspect] || tool_owner = HP || tool_licence = Commercial || tool_platforms = Windows}}<br />
{{OWASP Tool Info || tool_name = [http://www.websecurify.com/desktop/webreaver.html WebReaver] || tool_owner = Websecurify || tool_licence = Commercial || tool_platforms = Macintosh}}<br />
{{OWASP Tool Info || tool_name = [http://www.german-websecurity.com/en/products/webscanservice/product-details/overview/ WebScanService] || tool_owner = German Web Security || tool_licence = Commercial || tool_platforms = N/A}}<br />
{{OWASP Tool Info || tool_name = [https://suite.websecurify.com/ Websecurify Suite] || tool_owner = Websecurify || tool_licence = Commercial / Free (Limited Capability) || tool_platforms = Windows, Linux, Macintosh}}<br />
{{OWASP Tool Info || tool_name = [http://www.sensepost.com/research/wikto/ Wikto] || tool_owner = Sensepost || tool_licence = Open Source || tool_platforms = Windows}}<br />
{{OWASP Tool Info || tool_name = [http://www.w3af.org/ w3af] || tool_owner = w3af.org || tool_licence = GPLv2.0 || tool_platforms = Linux and Mac}}<br />
{{OWASP Tool Info || tool_name = [https://www.owasp.org/index.php/OWASP_Xenotix_XSS_Exploit_Framework Xenotix XSS Exploit Framework] || tool_owner = OWASP || tool_licence = Open Source || tool_platforms = Windows}}<br />
{{OWASP Tool Info || tool_name = [https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project Zed Attack Proxy] || tool_owner = OWASP || tool_licence = Open Source || tool_platforms = Windows, Unix/Linux and Macintosh}}<br />
|}<br />
<br />
== References ==<br />
<br />
*[[Source_Code_Analysis_Tools | SAST Tools]] - OWASP page with similar information on Static Application Security Testing (SAST) Tools<br />
*[[Free for Open Source Application Security Tools]] - OWASP page that lists the Commercial Dynamic Application Security Testing (DAST) tools we know of that are free for Open Source<br />
*http://sectooladdict.blogspot.com/ - Web Application Vulnerability Scanner Evaluation Project (WAVSEP)<br />
*http://projects.webappsec.org/Web-Application-Security-Scanner-Evaluation-Criteria - v1.0 (2009)<br />
*http://www.slideshare.net/lbsuto/accuracy-and-timecostsofwebappscanners - White Paper: Analyzing the Accuracy and Time Costs of WebApplication Security Scanners - By Larry Suto (2010)<br />
*http://samate.nist.gov/index.php/Web_Application_Vulnerability_Scanners.html - NIST home page which links to: NIST Special Publication 500-269: Software Assurance Tools: Web Application Security Scanner Functional Specification Version 1.0 (21 August, 2007)<br />
*http://www.softwareqatest.com/qatweb1.html#SECURITY - A list of Web Site Security Test Tools. (Has both DAST and SAST tools)<br />
<br />
[[Category:OWASP_Tools_Project]]</div>Wichershttps://wiki.owasp.org/index.php?title=Source_Code_Analysis_Tools&diff=246880Source Code Analysis Tools2019-01-28T16:47:48Z<p>Wichers: /* More info */</p>
<hr />
<div>[[Static_Code_Analysis | Source code analysis]] tools, also referred to as Static Application Security Testing (SAST) Tools, are designed to analyze source code and/or compiled versions of code to help find security flaws. <br />
<br />
Some tools are starting to move into the IDE. For the types of problems that can be detected during the software development phase itself, this is a powerful phase within the development life cycle to employ such tools, as it provides immediate feedback to the developer on issues they might be introducing into the code during code development itself. This immediate feedback is very useful, especially when compared to finding vulnerabilities much later in the development cycle.<br />
<br />
== Strengths and Weaknesses ==<br />
<br />
=== Strengths ===<br />
<br />
* Scales well -- can be run on lots of software, and can be run repeatedly (as with nightly builds or continuous integration)<br />
* Useful for things that such tools can automatically find with high confidence, such as buffer overflows, SQL Injection Flaws, and so forth<br />
* Output is good for developers -- highlights the precise source files, line numbers, and even subsections of lines that are affected<br />
<br />
=== Weaknesses ===<br />
<br />
* Many types of security vulnerabilities are difficult to find automatically, such as authentication problems, access control issues, insecure use of cryptography, etc. The current state of the art only allows such tools to automatically find a relatively small percentage of application security flaws. However, tools of this type are getting better.<br />
* High numbers of false positives.<br />
* Frequently can't find configuration issues, since they are not represented in the code.<br />
* Difficult to 'prove' that an identified security issue is an actual vulnerability.<br />
* Many of these tools have difficulty analyzing code that can't be compiled. Analysts frequently can't compile code because they don't have the right libraries, all the compilation instructions, all the code, etc.<br />
<br />
==Important Selection Criteria==<br />
<br />
* Requirement: Must support your programming language, but not usually a key factor once it does.<br />
* Types of vulnerabilities it can detect (out of the [[OWASP Top Ten]]?) (plus more?)<br />
* How accurate is it? False Positive/False Negative rates?<br />
** Does the tool have an OWASP [[Benchmark]] score?<br />
* Does it understand the libraries/frameworks you use?<br />
* Does it require a fully buildable set of source?<br />
* Can it run against binaries instead of source?<br />
* Can it be integrated into the developer's IDE?<br />
* How hard is it to setup/use?<br />
* Can it be run continuously and automatically?<br />
* License cost for the tool. (Some are sold per user, per org, per app, per line of code analyzed. Consulting licenses are frequently different than end user licenses.)<br />
<br />
==OWASP Tools Of This Type==<br />
<br />
* [[OWASP SonarQube Project]]<br />
* [http://www.owasp.org/index.php/Category:OWASP_Orizon_Project OWASP Orizon Project]<br />
* [[OWASP_LAPSE_Project | OWASP LAPSE Project]]<br />
* [[OWASP O2 Platform]]<br />
* [[OWASP WAP-Web Application Protection]]<br />
<br />
==Disclaimer==<br />
<br />
Disclaimer: <b>The tools listed in the tables below are presented in alphabetical order. <i>OWASP does not endorse any of the vendors or tools by listing them in the table below.</i> We have made every effort to provide this information as accurately as possible. If you are the vendor of a tool below and think that this information is incomplete or incorrect, please send an e-mail to our mailing list and we will make every effort to correct this information.</b><br />
<br />
==Open Source or Free Tools Of This Type==<br />
<br />
* [https://wiki.openstack.org/wiki/Security/Projects/Bandit Bandit] - bandit is a comprehensive source vulnerability scanner for Python<br />
* [http://brakemanscanner.org/ Brakeman] - Brakeman is an open source vulnerability scanner specifically designed for Ruby on Rails applications<br />
* [http://rubygems.org/gems/codesake-dawn Codesake Dawn] - Codesake Dawn is an open source security source code analyzer designed for Sinatra, Padrino for Ruby on Rails applications. It also works on non-web applications written in Ruby<br />
* [http://findbugs.sourceforge.net/ FindBugs] - (Legacy - NOT Maintained - Use SpotBugs (see below) instead) - Find bugs (including a few security flaws) in Java programs<br />
* [https://find-sec-bugs.github.io/ FindSecBugs] - A security specific plugin for SpotBugs that significantly improves SpotBugs's ability to find security vulnerabilities in Java programs. Works with the old FindBugs too,<br />
* [http://www.dwheeler.com/flawfinder/ Flawfinder] Flawfinder - Scans C and C++<br />
* [https://www.bishopfox.com/resources/tools/google-hacking-diggity/attack-tools/ Google CodeSearchDiggity] - Uses Google Code Search to identifies vulnerabilities in open source code projects hosted by Google Code, MS CodePlex, SourceForge, Github, and more. The tool comes with over 130 default searches that identify SQL injection, cross-site scripting (XSS), insecure remote and local file includes, hard-coded passwords, and much more. ''Essentially, Google CodeSearchDiggity provides a source code security analysis of nearly every single open source code project in existence – simultaneously.''<br />
* [https://github.com/wireghoul/graudit/ Graudit] - Scans multiple languages for various security flaws.<br />
* [https://lgtm.com/help/lgtm/about-lgtm LGTM] - A free for open source static analysis service that automatically monitors commits to publicly accessible code in: Bitbucket Cloud, GitHub, or GitLab. Supports C/C++, C#, COBOL (in beta), Java, JavaScript/TypeScript, Python<br />
* [http://pmd.sourceforge.net/ PMD] - PMD scans Java source code and looks for potential code problems (this is a code quality tool that does not focus on security issues)<br />
* [https://github.com/designsecurity/progpilot Progpilot] - Progpilot is a static analyzer tool for PHP that detects security vulnerabilities such as XSS and SQL Injection.<br />
* [http://msdn.microsoft.com/en-us/library/ms933794.aspx PreFast] (Microsoft) - PREfast is a static analysis tool that identifies defects in C/C++ programs. Last update 2006.<br />
* [https://pumascan.com/ Puma Scan] - Puma Scan is a .NET C# open source static source code analyzer that runs as an IDE plugin for Visual Studio and via MSBuild in CI pipelines.<br />
* [https://dotnet-security-guard.github.io/ .NET Security Guard] - Roslyn analyzers that aim to help security audits on .NET applications. It will find SQL injections, LDAP injections, XXE, cryptography weakness, XSS and more.<br />
* [http://rips-scanner.sourceforge.net/ RIPS] - RIPS is a static source code analyzer for vulnerabilities in PHP web applications. Please see notes on the sourceforge.net site.<br />
* [https://github.com/FloeDesignTechnologies/phpcs-security-audit phpcs-security-audit] - phpcs-security-audit is a set of PHP_CodeSniffer rules that finds flaws or weaknesses related to security in PHP and its popular CMS or frameworks. It currently has core PHP rules as well as Drupal 7 specific rules.<br />
* [http://www.sonarqube.org/ SonarQube] - Scans source code for more than 20 languages for Bugs, Vulnerabilities, and Code Smells. SonarQube IDE plugins for Eclipse, Visual Studio, and IntelliJ provided by [http://www.sonarlint.org/ SonarLint].<br />
* [https://spotbugs.github.io/ SpotBugs] - This is the active fork replacement for FindBugs, which is not maintained anymore.<br />
* [http://sourceforge.net/projects/visualcodegrepp/ VisualCodeGrepper (VCG)] - Scans C/C++, C#, VB, PHP, Java, and PL/SQL for security issues and for comments which may indicate defective code. The config files can be used to carry out additional checks for banned functions or functions which commonly cause security issues.<br />
<br />
==Commercial Tools Of This Type==<br />
* [https://www.ptsecurity.com/ww-en/products/ai/ Application Inspector] (Positive Technologies) - combines SAST, DAST, IAST, SCA, configuration analysis and other technologies, incl. unique abstract interpretation; has capability to generate test queries (exploits) to verify detected vulnerabilities during SAST analysis; Supported languages include: Java, C#, PHP, JavaScript, Objective C, VB.Net, PL/SQL, T-SQL, and others. <br />
* [https://www.ibm.com/us-en/marketplace/application-security-on-cloud Application Security on Cloud] (IBM) - Provides SAST, DAST and mobile security testing as well as OpenSource library known vulnerability detection as a cloud service. <br />
* [http://www-01.ibm.com/software/rational/products/appscan/source/ AppScan Source] (IBM)<br />
* [http://www.blueclosure.com BlueClosure BC Detect] (BlueClosure) - Analyzes client-side JavaScript.<br />
* [https://buguroo.com/products/bugblast-next-gen-appsec-platform/bugscout-sca bugScout] (Buguroo Offensive Security)<br />
* [http://www.castsoftware.com/solutions/application-security/cwe#SupportedSecurityStandards CAST AIP] (CAST) Performs static and architectural analysis to identify numerous types of security issues. Supports over 30 languages.<br />
* [https://www.codacy.com/ Codacy] Offers security patterns for languages such as Python, Ruby, Scala, Java, JavaScript and more. Integrates with tools such as Brakeman, Bandit, FindBugs, and others. (free for open source projects)<br />
* [https://www.grammatech.com/products/codesonar CodeSonar] tool that supports C, C++, Java and C# and maps against the OWASP top 10 vulnerabilities.<br />
* [http://www.contrastsecurity.com/ Contrast] (Contrast Security) - Contrast performs code security without actually doing static analysis. Contrast does Interactive Application Security Testing (IAST), correlating runtime code & data analysis. It provides code level results without actually relying on static analysis.<br />
* [http://www.coverity.com/products/code-advisor/ Coverity Code Advisor] (Synopsys)<br />
* [https://www.checkmarx.com/technology/static-code-analysis-sca/ CxSAST] (Checkmarx)<br />
* [http://www8.hp.com/us/en/software-solutions/static-code-analysis-sast/ Fortify] (Micro Focus, Formally HP)<br />
* [http://www.juliasoft.com/solutions Julia] (JuliaSoft) - SaaS Java static analysis<br />
* [http://www.klocwork.com/capabilities/static-code-analysis KlocWork] (KlocWork)<br />
* [https://www.kiuwan.com/code-analysis/ Kiuwan] (an [http://www.optimyth.com Optimyth] company) - SaaS Software Quality & Security Analysis<br />
* [http://www.parasoft.com/jsp/capabilities/static_analysis.jsp?itemId=547 Parasoft Test] (Parasoft)<br />
* [https://pitss.com/products/pitss-con/ PITSS.CON] (PITTS)<br />
* [https://www.ptsecurity.com/ww-en/products/ai/ PT Application Inspector] combines SAST, DAST, IAST, SCA, configuration analysis and other technologies, incl. unique abstract interpretation for high accuracy rate with minimum false positives; has a unique capability to generate special test queries (exploits) to verify detected vulnerabilities during SAST analysis; integrates with CI/CD, VCS, etc. PT AI helps to easily understand, verify, and fix flaws; has a simple UI; is highly automated and easy to use. Supported languages are Java, C#, PHP, JavaScript, Objective C, VB.Net, PL/SQL, T-SQL, and others.<br />
* [https://pumascanpro.com/ Puma Scan Professional] - A .NET C# static source code analyzer that runs as a Visual Studio IDE extension, Azure DevOps extension, and Command Line (CLI) executable.<br />
* [http://www.viva64.com/en/ PVS-Studio] (PVS-Studio) - For C/C++, C#<br />
* [https://www.softwaresecured.com/reshift reshift] - A CI/CD tool that uses static code analysis to scan for vulnerabilities and uses machine learning to give a prediction on false positives. Supports Java with future support for NodeJS and JavaScript planned for sometime in 2019.<br />
* [https://www.ripstech.com/ RIPS Code Analysis] (RIPS Technologies) - A SAST solution specialized for PHP that detects unknown security vulnerabilities and code quality issues.<br />
* [https://www.synopsys.com/software-integrity/resources/datasheets/secureassist.html SecureAssist] (Synopsys) - Scans code for insecure coding and configurations automatically as an IDE plugin for Eclipse, IntelliJ, and Visual Studio etc. Supports (Java, .NET, PHP, and JavaScript)<br />
* [https://www.whitehatsec.com/products/static-application-security-testing/ Sentinel Source] (Whitehat)<br />
* [https://www.synopsys.com/software-integrity/products/interactive-application-security-testing.html Seeker] (Synopsys) Seeker performs code security without actually doing static analysis. Seeker does Interactive Application Security Testing (IAST), correlating runtime code & data analysis with simulated attacks. It provides code level results without actually relying on static analysis.<br />
* [http://www.sourcepatrol.co.uk/ Source Patrol] (Pentest)<br />
* [https://www.defensecode.com/thunderscan.php Thunderscan SAST] (DefenseCode)<br />
* [http://www.veracode.com/products/binary-static-analysis-sast Veracode Static Analysis] (Veracode)<br />
* [http://www.xanitizer.net Xanitizer] - Scans Java for security vulnerabilities, mainly via taint analysis. Free for academic and open source projects (see [https://www.rigs-it.com/xanitizer-pricing/]).<br />
<br />
==More info==<br />
<br />
* [[Appendix_A:_Testing_Tools | Appendix A: Testing Tools]]<br />
* [http://samate.nist.gov/index.php/Source_Code_Security_Analyzers.html NIST's list of Source Code Security Analysis Tools]<br />
* [[:Category:Vulnerability_Scanning_Tools | DAST Tools]] - Similar info on Dynamic Application Security Testing (DAST) Tools<br />
* [[Free for Open Source Application Security Tools]] - This page lists the Commercial Source Code Analysis Tools (SAST) we know of that are free for Open Source<br />
<br />
[[Category:OWASP .NET Project]]<br />
[[Category:SAMM-CR-2]]<br />
__NOTOC__</div>Wichershttps://wiki.owasp.org/index.php?title=C-Based_Toolchain_Hardening&diff=246839C-Based Toolchain Hardening2019-01-25T23:27:53Z<p>Wichers: Fix a broken link and one misspelling.</p>
<hr />
<div>[[C-Based Toolchain Hardening]] is a treatment of project settings that will help you deliver reliable and secure code when using C, C++ and Objective C languages in a number of development environments. This article will examine Microsoft and GCC toolchains for the C, C++ and Objective C languages. It will guide you through the steps you should take to create executables with firmer defensive postures and increased integration with the available platform security. Effectively configuring the toolchain also means your project will enjoy a number of benefits during development, including enhanced warnings and static analysis, and self-debugging code.<br />
<br />
There are four areas to be examined when hardening the toolchain: configuration, preprocessor, compiler, and linker. Nearly all areas are overlooked or neglected when setting up a project. The neglect appears to be pandemic, and it applies to nearly all projects including Auto-configured projects, Makefile-based, Eclipse-based, Visual Studio-based, and Xcode-based. Its important to address the gaps at configuration and build time because its difficult to impossible to [http://sourceware.org/ml/binutils/2012-03/msg00309.html add hardening on a distributed executable after the fact] on some platforms.<br />
<br />
This is a prescriptive article, and it will not debate semantics or speculate on behavior. Some information, such as the C/C++ committee's motivation and pedigree for [https://groups.google.com/a/isocpp.org/forum/?fromgroups=#!topic/std-discussion/ak8e1mzBhGs "program diagnostics", <tt>NDEBUG</tt>, <tt>assert</tt>, and <tt>abort()</tt>], appears to be lost like a tale in the Lord of the Rings. As such, the article will specify semantics (for example, the philosophy of 'debug' and 'release' build configurations), assign behaviors (for example, what an assert should do in a 'debug' and 'release' build configurations), and present a position. If you find the posture is too aggressive, then you should back off as required to suite your taste.<br />
<br />
A secure toolchain is not a silver bullet. It is one piece of an overall strategy in the engineering process to help ensure success. It will compliment existing processes such as static analysis, dynamic analysis, secure coding, negative test suites, and the like. Tools such as Valgrind and Helgrind will still be needed. And a project will still require solid designs and architectures.<br />
<br />
The OWASP [http://code.google.com/p/owasp-esapi-cplusplus/source ESAPI C++] project eats its own dog food. Many of the examples you will see in this article come directly from the ESAPI C++ project.<br />
<br />
Finally, a [[:Category:Cheatsheets|Cheat Sheet]] is available for those who desire a terse treatment of the material. Please visit [[C-Based_Toolchain_Hardening_Cheat_Sheet|C-Based Toolchain Hardening Cheat Sheet]] for the abbreviated version.<br />
<br />
== Wisdom ==<br />
<br />
Code '''must''' be correct. It '''should''' be secure. It '''can''' be efficient.<br />
<br />
[http://en.wikipedia.org/wiki/Jon_Bentley Dr. Jon Bentley]: ''"If it doesn't have to be correct, I can make it as fast as you'd like it to be"''.<br />
<br />
[http://en.wikipedia.org/wiki/Gary_McGraw Dr. Gary McGraw]: ''"Thou shalt not rely solely on security features and functions to build secure software as security is an emergent property of the entire system and thus relies on building and integrating all parts properly"''.<br />
<br />
== Configuration ==<br />
<br />
Configuration is the first opportunity to configure your project for success. Not only do you have to configure your project to meet reliability and security goals, you must also configure integrated libraries properly. You typically have has three choices. First, you can use auto-configuration utilities if on Linux or Unix. Second, you can write a makefile by hand. This is predominant on Linux, Mac OS X, and Unix, but it applies to Windows as well. Finally, you can use an integrated development environment or IDE.<br />
<br />
=== Build Configurations ===<br />
<br />
At this stage in the process, you should concentrate on configuring for two builds: Debug and Release. Debug will be used for development and include full instrumentation. Release will be configured for production. The difference between the two settings is usually ''optimization level'' and ''debug level''. A third build configuration is Test, and its usually a special case of Release.<br />
<br />
For debug and release builds, the settings are typically diametrically opposed. Debug configurations have no optimizations and full debug information; while Release builds have optimizations and minimal to moderate debug information. In addition, debug code has full assertions and additional library integration, such as mudflaps and malloc guards such as <tt>dmalloc</tt>.<br />
<br />
The Test configuration is often a Release configuration that makes everything public for testing and builds a test harness. For example, all member functions public (C++ class) and all interfaces (library or shared object) should be made available for testing. Many Object Oriented purist oppose testing private interfaces, but this is not about object oriented-ness. This (''q.v.'') is about building reliable and secure software.<br />
<br />
[http://gcc.gnu.org/gcc-4.8/changes.html GCC 4.8] introduced an optimization of <tt>-Og</tt>. Note that it is only an optimization, and still requires a customary debug level via <tt>-g</tt>.<br />
<br />
==== Debug Builds ====<br />
<br />
Debug builds are where developers spend most of their time when vetting problems, so this build should concentrate forces and tools or be a 'force multiplier'. Though many do not realize, debug code is more highly valued than release code because its adorned with additional instrumentation. The debug instrumentation will cause a program to become nearly "self-debugging", and help you catch mistakes such as bad parameters, failed API calls, and memory problems.<br />
<br />
Self-debugging code reduces your time during trouble shooting and debugging. Reducing time under the debugger means you have more time for development and feature requests. If code is checked in without debug instrumentation, it should be fixed by adding instrumentation or rejected.<br />
<br />
For GCC, optimizations and debug symbolication are controlled through two switches: <tt>-O</tt> and <tt>-g</tt>. You should use the following as part of your <tt>CFLAGS</tt> and <tt>CXXFLAGS</tt> for a minimal debug session:<br />
<br />
<pre>-O0 -g3 -ggdb</pre><br />
<br />
<tt>-O0</tt> turns off optimizations and <tt>-g3</tt> ensures maximum debug information is available. You may need to use <tt>-O1</tt> so some analysis is performed. Otherwise, your debug build will be missing a number of warnings not present in release builds. <tt>-g3</tt> ensures maximum debugging information is available for the debug session, including symbolic constants and <tt>#defines</tt>. <tt>-ggdb</tt> includes extensions to help with a debug session under GDB. For completeness, Jan Krachtovil stated <tt>-ggdb</tt> currently has no effect in a private email.<br />
<br />
Release builds should also consider the configuration pair of <tt>-mfunction-return=thunk</tt> and <tt>-mindirect-branch=thunk</tt>. These are the "Reptoline" fix which is an indirect branch used to thwart speculative execution CPU vulnerabilities such as Spectre and Meltdown. The CPU cannot tell what code to [speculatively] execute because it is an indirect (as opposed to a direct) branch. This is an extra layer of indirection, like calling a pointer through a pointer.<br />
<br />
Debug build should also define <tt>DEBUG</tt>, and ensure <tt>NDEBUG</tt> is not defined. <tt>NDEBUG</tt> removes "program diagnostics"; and has undesirable behavior and side effects which discussed below in more detail. The defines should be present for all code, and not just the program. You use it for all code (your program and included libraries) because you need to know how they fail too (remember, you take the bug report - not the third party library).<br />
<br />
In addition, you should use other relevant flags, such as <tt>-fno-omit-frame-pointer</tt>. Ensuring a frame pointer exists makes it easier to decode stack traces. Since debug builds are not shipped, its OK to leave symbols in the executable. Programs with debug information do not suffer performance hits. See, for example, [http://gcc.gnu.org/ml/gcc-help/2005-03/msg00032.html How does the gcc -g option affect performance?]<br />
<br />
Finally, you should ensure your project includes additional diagnostic libraries, such as <tt>dmalloc</tt> and [http://code.google.com/p/address-sanitizer/ Address Sanitizer]. A comparison of some memory checking tools can be found at [http://code.google.com/p/address-sanitizer/wiki/ComparisonOfMemoryTools Comparison Of Memory Tools]. If you don't include additional diagnostics in debug builds, then you should start using them since its OK to find errors you are not looking for.<br />
<br />
==== Release Builds ====<br />
<br />
Release builds are what your customer receives. They are meant to be run on production hardware and servers, and they should be reliable, secure, and efficient. A stable release build is the product of the hard work and effort during development.<br />
<br />
For release builds, you should use the following as part of <tt>CFLAGS</tt> and <tt>CXXFLAGS</tt> for release builds:<br />
<br />
<pre>-On -g2</pre><br />
<br />
<tt>-O''n''</tt> sets optimizations for speed or size (for example, <tt>-Os</tt> or <tt>-O2</tt>), and <tt>-g2</tt> ensure debugging information is created.<br />
<br />
Debugging information should be stripped and retained in case of symbolication for a crash report from the field. While not desired, debug information can be left in place without a performance penalty. See ''[http://gcc.gnu.org/ml/gcc-help/2005-03/msg00032.html How does the gcc -g option affect performance?]'' for details.<br />
<br />
Release builds should also define <tt>NDEBUG</tt>, and ensure <tt>DEBUG</tt> is not defined. The time for debugging and diagnostics is over, so users get production code with full optimizations, no "programming diagnostics", and other efficiencies. If you can't optimize or your are performing excessive logging, it usually means the program is not ready for production.<br />
<br />
If you have been relying on an <tt>assert</tt> and then a subsequent <tt>abort()</tt>, you have been abusing "program diagnostics" since it has no place in production code. If you want a memory dump, create one so users don't have to worry about secrets and other sensitive information being written to the filesystem and emailed in plain text.<br />
<br />
For Windows, you would use <tt>/Od</tt> for debug builds; and <tt>/Ox</tt>, <tt>/O2</tt> or <tt>/Os</tt> for release builds. See Microsoft's [http://msdn.microsoft.com/en-us/library/k1ack8f1.aspx /O Options (Optimize Code)] for details.<br />
<br />
==== Test Builds ====<br />
<br />
Test builds are used to provide heuristic validation by way of positive and negative test suites. Under a test configuration, all interfaces are tested to ensure they perform to specification and satisfaction. "Satisfaction" is subjective, but it should include no crashing and no trashing of your memory arena, even when faced with negative tests.<br />
<br />
Because all interfaces are tested (and not just the public ones), your <tt>CFLAGS</tt> and <tt>CXXFLAGS</tt> should include:<br />
<br />
<pre>-Dprotected=public -Dprivate=public</pre><br />
<br />
You should also change <tt>__attribute__ ((visibility ("hidden")))</tt> to <tt>__attribute__ ((visibility ("default")))</tt>.<br />
<br />
Nearly everyone gets a positive test right, so no more needs to be said. The negative self tests are much more interesting, and you should concentrate on trying to make your program fail so you can verify its fails gracefully. Remember, a bad guy is not going to be courteous when he attempts to cause your program to fail. And its your project that takes egg on the face by way of a bug report or guest appearance on [http://www.grok.org.uk/full-disclosure/ Full Disclosure] or [http://www.securityfocus.com/archive Bugtraq] - not ''<nowiki><some library></nowiki>'' you included.<br />
<br />
=== Auto Tools ===<br />
<br />
Auto configuration tools are popular on many Linux and Unix based systems, and the tools include ''Autoconf'', ''Automake'', ''config'', and ''Configure''. The tools work together to produce project files from scripts and template files. After the process completes, your project should be setup and ready to be made with <tt>make</tt>.<br />
<br />
When using auto configuration tools, there are a few files of interest worth mentioning. The files are part of the auto tools chain and include <tt>m4</tt> and the various <tt>*.in</tt>, <tt>*.ac</tt> (autoconf), and <tt>*.am</tt> (automake) files. At times, you will have to open them, or the resulting makefiles, to tune the "stock" configuration.<br />
<br />
There are three downsides to the command line configuration tools in the toolchain: (1) they often ignore user requests, (2) they cannot create configurations, and (3) security is often not a goal.<br />
<br />
To demonstrate the first issue, confider your project with the following: <tt>configure CFLAGS="-Wall -fPIE" CXXFLAGS="-Wall -fPIE" LDFLAGS="-pie"</tt>. You will probably find the auto tools ignored your request, which means the command below will not produce expected results. As a work around, you will have to open an <tt>m4</tt> scripts, <tt>Makefile.in</tt> or <tt>Makefile.am</tt> and fix the configuration.<br />
<br />
<pre>$ configure CFLAGS="-Wall -Wextra -Wconversion -fPIE -Wno-unused-parameter<br />
-Wformat=2 -Wformat-security -fstack-protector-all -Wstrict-overflow"<br />
LDFLAGS="-pie -z,noexecstack -z,noexecheap -z,relro -z,now"</pre><br />
<br />
For the second point, you will probably be disappointed to learn [https://lists.gnu.org/archive/html/automake/2012-12/msg00019.html Automake does not support the concept of configurations]. Its not entirely Autoconf's or Automake's fault - ''Make'' and its inability to detect changes is the underlying problem. Specifically, ''Make'' only [http://pubs.opengroup.org/onlinepubs/009695399/utilities/make.html checks modification times of prerequisites and targets], and does not check things like <tt>CFLAGS</tt> and <tt>CXXFLAGS</tt>. The net effect is you will not receive expected results when you issue <tt>make debug</tt> and then <tt>make test</tt> or <tt>make release</tt>.<br />
<br />
Finally, you will probably be disappointed to learn tools such as Autoconf and Automake miss many security related opportunities and ship insecure out of the box. There are a number of compiler switches and linker flags that improve the defensive posture of a program, but they are not 'on' by default. Tools like Autoconf - which are supposed to handle this situation - often provides setting to serve the lowest of all denominators.<br />
<br />
A recent discussion on the Automake mailing list illuminates the issue: ''[https://lists.gnu.org/archive/html/autoconf/2012-12/msg00038.html Enabling compiler warning flags]''. Attempts to improve default configurations were met with resistance and no action was taken. The resistance is often of the form, "<nowiki><some useful warning></nowiki> also produces false positives" or "<nowiki><some obscure platform></nowiki> does not support <nowiki><established security feature></nowiki>". Its noteworthy that David Wheeler, the author of ''[http://www.dwheeler.com/secure-programs/ Secure Programming for Linux and Unix HOWTO]'', was one of the folks trying to improve the posture.<br />
<br />
=== Makefiles ===<br />
<br />
Make is one of the earliest build systems dating back to the 1970s. Its available on Linux, Mac OS X and Unix, so you will frequently encounter projects using it. Unfortunately, Make has a number of short comings (''[http://aegis.sourceforge.net/auug97.pdf Recursive Make Considered Harmful]'' and ''[http://www.conifersystems.com/whitepapers/gnu-make/ What’s Wrong With GNU make?]''), and can cause some discomfort. Despite issues with Make, ESAPI C++ uses Make primarily for three reasons: first, its omnipresent; second, its easier to manage than the Auto Tools family; and third, <tt>libtool</tt> was out of the question.<br />
<br />
Consider what happens when you: (1) type <tt>make debug</tt>, and then type <tt>make release</tt>. Each build would require different <tt>CFLAGS</tt> due to optimizations and level of debug support. In your makefile, you would extract the relevant target and set <tt>CFLAGS</tt> and <tt>CXXFLAGS</tt> similar to below (taken from [http://code.google.com/p/owasp-esapi-cplusplus/source/browse/trunk/Makefile ESAPI C++ Makefile]):<br />
<br />
<pre># Makefile<br />
DEBUG_GOALS = $(filter $(MAKECMDGOALS), debug)<br />
ifneq ($(DEBUG_GOALS),)<br />
WANT_DEBUG := 1<br />
WANT_TEST := 0<br />
WANT_RELEASE := 0<br />
endif<br />
…<br />
<br />
ifeq ($(WANT_DEBUG),1)<br />
ESAPI_CFLAGS += -DDEBUG=1 -UNDEBUG -g3 -ggdb -O0<br />
ESAPI_CXXFLAGS += -DDEBUG=1 -UNDEBUG -g3 -ggdb -O0<br />
endif<br />
<br />
ifeq ($(WANT_RELEASE),1)<br />
ESAPI_CFLAGS += -DNDEBUG=1 -UDEBUG -g -O2<br />
ESAPI_CXXFLAGS += -DNDEBUG=1 -UDEBUG -g -O2<br />
endif<br />
<br />
ifeq ($(WANT_TEST),1)<br />
ESAPI_CFLAGS += -DESAPI_NO_ASSERT=1 -g2 -ggdb -O2 -Dprivate=public -Dprotected=public<br />
ESAPI_CXXFLAGS += -DESAPI_NO_ASSERT=1 -g2 -ggdb -O2 -Dprivate=public -Dprotected=public<br />
endif<br />
…<br />
<br />
# Merge ESAPI flags with user supplied flags. We perform the extra step to ensure <br />
# user options follow our options, which should give user option's a preference.<br />
override CFLAGS := $(ESAPI_CFLAGS) $(CFLAGS)<br />
override CXXFLAGS := $(ESAPI_CXXFLAGS) $(CXXFLAGS)<br />
override LDFLAGS := $(ESAPI_LDFLAGS) $(LDFLAGS)<br />
…</pre><br />
<br />
Make will first build the program in a debug configuration for a session under the debugger using a rule similar to:<br />
<br />
<pre>%.cpp:%.o:<br />
$(CXX) $(CPPFLAGS) $(CXXFLAGS) -c $< -o $@</pre><br />
<br />
When you want the release build, Make will do nothing because it considers everything up to date despite the fact <tt>CFLAGS</tt> and <tt>CXXFLAGS</tt> have changed. Hence, your program will actually be in a debug configuration and risk a <tt>SIGABRT</tt> at runtime because debug instrumentation is present (recall <tt>assert</tt> calls <tt>abort()</tt> when <tt>NDEBUG</tt> is '''not''' defined). In essence, you have DoS'd yourself due to <tt>make</tt>.<br />
<br />
In addition, many projects do not honor the user's command line. ESAPI C++ does its best to ensure a user's flags are honored via <tt>override</tt> as shown above, but other projects do not. For example, consider a project that should be built with Position Independent Executable (PIE or ASLR) enabled and data execution prevention (DEP) enabled. Dismissing user settings combined with insecure out of the box settings (and not picking them up during auto-setup or auto-configure) means a program built with the following will likely have neither defense:<br />
<br />
<pre>$ make CFLAGS="-fPIE" CXXFLAGS="-fPIE" LDFLAGS="-pie -z,noexecstack, -z,noexecheap"</pre><br />
<br />
Defenses such as ASLR and DEP are especially important on Linux because [http://linux.die.net/man/5/elf Data Execution - not Prevention - is the norm].<br />
<br />
=== Integration ===<br />
<br />
Project level integration presents opportunities to harden your program or library with domain specific knowledge. For example, if the platform supports Position Independent Executables (PIE or ASLR) and data execution prevention (DEP), then you should integrate with it. The consequences of not doing so could result in exploitation. As a case in point, see KingCope's 0-days for MySQL in December, 2012 (CVE-2012-5579 and CVE-2012-5612, among others). Integration with platform security would have neutered a number of the 0-days.<br />
<br />
You also have the opportunity to include helpful libraries that are not need for business logic support. For example, if you are working on a platform with [http://dmalloc.com DMalloc] or [http://code.google.com/p/address-sanitizer/ Address Sanitizer], you should probably use it in your debug builds. For Ubuntu, DMalloc available from the package manager and can be installed with <tt>sudo apt-get install libdmalloc5</tt>. For Apple platforms, its available as a scheme option (see [[#Clang/Xcode|Clang/Xcode]] below). Address Sanitizer is available in [http://gcc.gnu.org/gcc-4.8/changes.html GCC 4.8 and above] for many platforms.<br />
<br />
In addition, project level integration is an opportunity to harden third party libraries you chose to include. Because you chose to include them, you and your users are responsible for them. If you or your users endure a SP800-53 audit, third party libraries will be in scope because the supply chain is included (specifically, item SA-12, Supply Chain Protection). The audits are not limited to those in the US Federal arena - financial institutions perform reviews too. A perfect example of violating this guidance is [http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1525 CVE-2012-1525], which was due to [http://www.agarri.fr/blog/index.html Adobe's inclusion of a defective Sablotron library].<br />
<br />
Another example is including OpenSSL. You know (1) [http://www.schneier.com/paper-ssl-revised.pdf SSLv2 is insecure], (2) [http://www.yaksman.org/~lweith/ssl.pdf SSLv3 is insecure], and (3) [http://arstechnica.com/security/2012/09/crime-hijacks-https-sessions/ compression is insecure] (among others). In addition, suppose you don't use hardware and engines, and only allow static linking. Given the knowledge and specifications, you would configure the OpenSSL library as follows:<br />
<br />
<pre>$ Configure darwin64-x86_64-cc -no-hw -no-engine -no-comp -no-shared -no-dso -no-ssl2 -no-ssl3 --openssldir=…</pre><br />
<br />
''Note Well'': you might want engines, especially on Ivy Bridge microarchitectures (3rd generation Intel Core i5 and i7 processors). To have OpenSSL use the processor's random number generator (via the of <tt>rdrand</tt> instruction), you will need to call OpenSSL's <tt>ENGINE_load_rdrand()</tt> function and then <tt>ENGINE_set_default</tt> with <tt>ENGINE_METHOD_RAND</tt>. See [http://wiki.opensslfoundation.com/index.php/Random_Numbers OpenSSL's Random Numbers] for details.<br />
<br />
If you configure without the switches, then you will likely have vulnerable code/libraries and risk failing an audit. If the program is a remote server, then the following command will reveal if compression is active on the channel:<br />
<br />
<pre>$ echo "GET / HTTP1.0" | openssl s_client -connect <nowiki>example.com:443</nowiki></pre><br />
<br />
<tt>nm</tt> or <tt>openssl s_client</tt> will show that compression is enabled in the client. In fact, any symbol within the <tt>OPENSSL_NO_COMP</tt> preprocessor macro will bear witness since <tt>-no-comp</tt> is translated into a <tt>CFLAGS</tt> define.<br />
<br />
<pre>$ nm /usr/local/ssl/iphoneos/lib/libcrypto.a 2>/dev/null | egrep -i "(COMP_CTX_new|COMP_CTX_free)"<br />
0000000000000110 T COMP_CTX_free<br />
0000000000000000 T COMP_CTX_new</pre><br />
<br />
Even more egregious is the answer given to auditors who specifically ask about configurations and protocols: "we don't use weak/wounded/broken ciphers" or "we follow best practices." The use of compression tells the auditor that you are using wounded protocol in an insecure configuration and you don't follow best practices. That will likely set off alarm bells, and ensure the auditor dives deeper on more items.<br />
<br />
== Preprocessor ==<br />
<br />
The preprocessor is crucial to setting up a project for success. The C committee provided one macro - <tt>NDEBUG</tt> - and the macro can be used to derive a number of configurations and drive engineering processes. Unfortunately, the committee also left many related items to chance, which has resulted in programmers abusing builtin facilities. This section will help you set up you projects to integrate well with other projects and ensure reliability and security.<br />
<br />
There are three topics to discuss when hardening the preprocessor. The first is well defined configurations which produce well defined behaviors, the second is useful behavior from assert, and the third is proper use of macros when integrating vendor code and third party libraries.<br />
<br />
=== Configurations ===<br />
<br />
To remove ambiguity, you should recognize two configurations: Release and Debug. Release is for production code on live servers, and its behavior is requested via the C/C++ <tt>NDEBUG</tt> macro. Its also the only macro observed by the C and C++ Committees and Posix. Diametrically opposed to release is Debug. While there is a compelling argument for <tt>!defined(NDEBUG)</tt>, you should have an explicit macro for the configuration and that macro should be <tt>DEBUG</tt>. This is because vendors and outside libraries use <tt>DEBUG</tt> (or similar) macro for their configuration. For example, Carnegie Mellon's Mach kernel uses <tt>DEBUG</tt>, Microsoft's CRT uses [http://msdn.microsoft.com/en-us/library/ww5t02fa%28v=vs.71%29.aspx<tt>_DEBUG</tt>], and Wind River Workbench uses <tt>DEBUG_MODE</tt>.<br />
<br />
In addition to <tt>NDEBUG</tt> (Release) and <tt>DEBUG</tt> (Debug), you have two additional cross products: both are defined or neither are defined. Defining both should be an error, and defining neither should default to a release configuration. Below is from [http://code.google.com/p/owasp-esapi-cplusplus/source/browse/trunk/esapi/EsapiCommon.h ESAPI C++ EsapiCommon.h], which is the configuration file used by all source files:<br />
<br />
<pre>// Only one or the other, but not both<br />
#if (defined(DEBUG) || defined(_DEBUG)) && (defined(NDEBUG) || defined(_NDEBUG))<br />
# error Both DEBUG and NDEBUG are defined.<br />
#endif<br />
<br />
// The only time we switch to debug is when asked. NDEBUG or {nothing} results<br />
// in release build (fewer surprises at runtime).<br />
#if defined(DEBUG) || defined(_DEBUG)<br />
# define ESAPI_BUILD_DEBUG 1<br />
#else<br />
# define ESAPI_BUILD_RELEASE 1<br />
#endif</pre><br />
<br />
When <tt>DEBUG</tt> is in effect, your code should receive full debug instrumentation, including the full force of assertions.<br />
<br />
=== ASSERT ===<br />
<br />
Asserts will help you create self-debugging code by helping you find the point of first failure quickly and easily. Asserts should be used throughout your program, including parameter validation, return value checking and program state. The <tt>assert</tt> will silently guard your code through its lifetime. It will always be there, even when not debugging a specific component of a module. If you have thorough code coverage, you will spend less time debugging and more time developing because programs will debug themselves.<br />
<br />
To use asserts effectively, you should assert everything. That includes parameters upon entering a function, return values from function calls, and any program state. Everywhere you place an <tt>if</tt> statement for validation or checking, you should have an assert. Everywhere you have an <tt>assert</tt> for validation or checking, you should have an <tt>if</tt> statement. They go hand-in-hand.<br />
<br />
If you are still using <tt>printf</tt>'s, then you have an opportunity for improvement. In the time it takes for you to write a <tt>printf</tt> or <tt>NSLog</tt> statement, you could have written an <tt>assert</tt>. Unlike the <tt>printf</tt> or <tt>NSLog</tt> which are often removed when no longer needed, the <tt>assert</tt> stays active forever. Remember, this is all about finding the point of first failure quickly so you can spend your time doing other things.<br />
<br />
There is one problem with using asserts - [http://pubs.opengroup.org/onlinepubs/009604499/functions/assert.html Posix states <tt>assert</tt> should call <tt>abort()</tt>] if <tt>NDEBUG</tt> is '''not''' defined. When debugging, <tt>NDEBUG</tt> will never be defined since you want the "program diagnostics" (quote from the Posix description). The behavior makes <tt>assert</tt> and its accompanying <tt>abort()</tt> completely useless for development. The result of "program diagnostics" calling <tt>abort()</tt> due to standard C/C++ behavior is disuse - developers simply don't use them. Its incredibly bad for the development community because self-debugging programs can help eradicate so many stability problems.<br />
<br />
Since self-debugging programs are so powerful, you will have to have to supply your own assert and signal handler with improved behavior. Your assert will exchange auto-aborting behavior for auto-debugging behavior. The auto-debugging facility will ensure the debugger snaps when a problem is detected, and you will find the point of first failure quickly and easily.<br />
<br />
ESAPI C++ supplies its own assert with the behavior described above. In the code below, <tt>ASSERT</tt> raises <tt>SIGTRAP</tt> when in effect or it evaluates to <tt>void</tt> in other cases.<br />
<br />
<pre>// A debug assert which should be sprinkled liberally. This assert fires and then continues rather<br />
// than calling abort(). Useful when examining negative test cases from the command line.<br />
#if (defined(ESAPI_BUILD_DEBUG) && defined(ESAPI_OS_STARNIX))<br />
# define ESAPI_ASSERT1(exp) { \<br />
if(!(exp)) { \<br />
std::ostringstream oss; \<br />
oss << "Assertion failed: " << (char*)(__FILE__) << "(" \<br />
<< (int)__LINE__ << "): " << (char*)(__func__) \<br />
<< std::endl; \<br />
std::cerr << oss.str(); \<br />
raise(SIGTRAP); \<br />
} \<br />
}<br />
# define ESAPI_ASSERT2(exp, msg) { \<br />
if(!(exp)) { \<br />
std::ostringstream oss; \<br />
oss << "Assertion failed: " << (char*)(__FILE__) << "(" \<br />
<< (int)__LINE__ << "): " << (char*)(__func__) \<br />
<< ": \"" << (msg) << "\"" << std::endl; \<br />
std::cerr << oss.str(); \<br />
raise(SIGTRAP); \<br />
} \<br />
}<br />
#elif (defined(ESAPI_BUILD_DEBUG) && defined(ESAPI_OS_WINDOWS))<br />
# define ESAPI_ASSERT1(exp) assert(exp)<br />
# define ESAPI_ASSERT2(exp, msg) assert(exp)<br />
#else<br />
# define ESAPI_ASSERT1(exp) ((void)(exp))<br />
# define ESAPI_ASSERT2(exp, msg) ((void)(exp))<br />
#endif<br />
<br />
#if !defined(ASSERT)<br />
# define ASSERT(exp) ESAPI_ASSERT1(exp)<br />
#endif</pre><br />
<br />
At program startup, a <tt>SIGTRAP</tt> handler will be installed if one is not provided by another component:<br />
<br />
<pre>struct DebugTrapHandler<br />
{<br />
DebugTrapHandler()<br />
{<br />
struct sigaction new_handler, old_handler;<br />
<br />
do<br />
{<br />
int ret = 0;<br />
<br />
ret = sigaction (SIGTRAP, NULL, &old_handler);<br />
if (ret != 0) break; // Failed<br />
<br />
// Don't step on another's handler<br />
if (old_handler.sa_handler != NULL) break;<br />
<br />
new_handler.sa_handler = &DebugTrapHandler::NullHandler;<br />
new_handler.sa_flags = 0;<br />
<br />
ret = sigemptyset (&new_handler.sa_mask);<br />
if (ret != 0) break; // Failed<br />
<br />
ret = sigaction (SIGTRAP, &new_handler, NULL);<br />
if (ret != 0) break; // Failed<br />
<br />
} while(0);<br />
}<br />
<br />
static void NullHandler(int /*unused*/) { }<br />
<br />
};<br />
<br />
// We specify a relatively low priority, to make sure we run before other CTORs<br />
// http://gcc.gnu.org/onlinedocs/gcc/C_002b_002b-Attributes.html#C_002b_002b-Attributes<br />
static const DebugTrapHandler g_dummyHandler __attribute__ ((init_priority (110)));</pre><br />
<br />
On a Windows platform, you would call <tt>_set_invalid_parameter_handler</tt> (and possibly <tt>set_unexpected</tt> or <tt>set_terminate</tt>) to install a new handler.<br />
<br />
Live hosts running production code should always define <tt>NDEBUG</tt> (i.e., release configuration), which means they do not assert or auto-abort. Auto-abortion is not acceptable behavior, and anyone who asks for the behavior is completely abusing the functionality of "program diagnostics". If a program wants a core dump, then it should create the dump rather than crashing.<br />
<br />
For more reading on asserting effectively, please see one of John Robbin's books, such as ''[http://www.amazon.com/dp/0735608865 Debugging Applications]''. John is a legendary bug slayer in Windows circles, and he will show you how to do nearly everything, from debugging a simple program to bug slaying in multithreaded programs.<br />
<br />
=== Additional Macros ===<br />
<br />
Additional macros include any macros needed to integrate properly and securely. It includes integrating the program with the platform (for example MFC or Cocoa/CocoaTouch) and libraries (for example, Crypto++ or OpenSSL). It can be a challenge because you have to have proficiency with your platform and all included libraries and frameworks. The list below illustrates the level of detail you will need when integrating.<br />
<br />
Though Boost is missing from the list, it appears to lack recommendations, additional debug diagnostics, and a hardening guide. See ''[http://stackoverflow.com/questions/14927033/boost-hardening-guide-preprocessor-macros BOOST Hardening Guide (Preprocessor Macros)]'' for details. In addition, Tim Day points to ''[http://boost.2283326.n4.nabble.com/boost-build-should-we-not-define-SECURE-SCL-0-by-default-for-all-msvc-toolsets-td2654710.html <nowiki>[boost.build] should we not define _SECURE_SCL=0 by default for all msvc toolsets</nowiki>]'' for a recent discussion related to hardening (or lack thereof).<br />
<br />
In addition to what you should define, defining some macros and undefining others should trigger a security related defect. For example, <tt>-U_FORTIFY_SOURCES</tt> on Linux and <tt>_CRT_SECURE_NO_WARNINGS=1</tt>, <tt>_SCL_SECURE_NO_WARNINGS</tt>, <tt>_ATL_SECURE_NO_WARNINGS</tt> or <tt>STRSAFE_NO_DEPRECATE</tt> on Windows.<br />
<br />
{| border="1"<br />
<br />
|-style="background:#DADADA"<br />
!Platform/Library!!Debug!!Release<br />
|+ Table 1: Additional Platform/Library Macros<br />
<br />
|-<br />
|width="175pt"|All<br />
|width="250pt"|DEBUG=1<br />
|width="250pt"|NDEBUG=1<br />
<br />
|-<br />
|Linux<br />
|_GLIBCXX_DEBUG=1<sup>a</sup><br><br />
_GLIBCXX_CONCEPT_CHECKS=1<sup>b</sup><br />
|_FORTIFY_SOURCE=2<br />
<br />
|-<br />
|Android<br />
|NDK_DEBUG=1<br />
|_FORTIFY_SOURCE=1 (4.2 and above)<br><br />
<tt>#define LOGI(...)</tt> (define to nothing, preempt logging)<br />
<br />
|-<br />
|Cocoa/CocoaTouch<br />
|<br />
|NS_BLOCK_ASSERTIONS=1<br><br />
<tt>#define NSLog(...)</tt> (define to nothing, preempt ASL)<br />
<br />
|-<br />
|SafeInt<br />
|SAFEINT_DISALLOW_UNSIGNED_NEGATION=1<br />
|SAFEINT_DISALLOW_UNSIGNED_NEGATION=1<br />
<br />
|-<br />
|Microsoft<br />
|_DEBUG=1, STRICT,<br><br />
_SECURE_SCL=1, _HAS_ITERATOR_DEBUGGING=1<br><br />
_CRT_SECURE_CPP_OVERLOAD_STANDARD_NAMES=1<br><br />
_CRT_SECURE_CPP_OVERLOAD_STANDARD_NAMES_COUNT=1<br />
|STRICT<br><br />
_CRT_SECURE_CPP_OVERLOAD_STANDARD_NAMES=1<br><br />
_CRT_SECURE_CPP_OVERLOAD_STANDARD_NAMES_COUNT=1<br />
<br />
|-<br />
|Microsoft ATL & MFC<br />
|_SECURE_ATL, _ATL_ALL_WARNINGS<br><br />
_ATL_CSTRING_EXPLICIT_CONSTRUCTORS<br />
|_SECURE_ATL, _ATL_ALL_WARNINGS<br><br />
_ATL_CSTRING_EXPLICIT_CONSTRUCTORS<br />
<br />
|-<br />
|STLPort<br />
|_STLP_DEBUG=1, _STLP_USE_DEBUG_LIB=1<br><br />
_STLP_DEBUG_ALLOC=1, _STLP_DEBUG_UNINITIALIZED=1<br />
|<br />
<br />
|-<br />
|SQLite<br />
|SQLITE_DEBUG, SQLITE_MEMDEBUG<br><br />
SQLITE_SECURE_DELETE<sup>c</sup><br><br />
SQLITE_DEFAULT_FILE_PERMISSIONS=N<sup>d</sup><br />
|SQLITE_SECURE_DELETE<sup>c</sup><br><br />
SQLITE_DEFAULT_FILE_PERMISSIONS=N<sup>d</sup><br />
<br />
|-<br />
|SQLCipher<br />
|SQLITE_HAS_CODEC=1<BR><br />
SQLITE_TEMP_STORE=3<sup>e</sup><br />
|SQLITE_HAS_CODEC=1<BR><br />
SQLITE_TEMP_STORE=3<sup>e</sup><br />
<br />
|}<br />
<br />
<sup>a</sup> Be careful with <tt>_GLIBCXX_DEBUG</tt> when using pre-compiled libraries such as Boost from a distribution. There are ABI incompatibilities, and the result will likely be a crash. You will have to compile Boost with <tt>_GLIBCXX_DEBUG</tt> or omit <tt>_GLIBCXX_DEBUG</tt>.<br />
<br />
<sup>b</sup> See [http://gcc.gnu.org/onlinedocs/libstdc++/manual/concept_checking.html Chapter 5, Diagnostics] of the libstdc++ manual for details.<br />
<br />
<sup>c</sup> SQLite secure deletion zeroizes memory on destruction. Define as required, and always define in US Federal since zeroization is required for FIPS 140-2, Level 1.<br />
<br />
<sup>d</sup> ''N'' is 0644 by default, which means everyone has some access.<br />
<br />
<sup>e</sup> Force temporary tables into memory (no unencrypted data to disk).<br />
<!--<br />
##########################################<br />
--><br />
== Compiler and Linker ==<br />
<br />
Compiler writers provide a rich set of warnings from the analysis of code during compilation. Both GCC and Visual Studio have static analysis capabilities to help find mistakes early in the development process. The built in static analysis capabilities of GCC and Visual Studio are usually sufficient to ensure proper API usage and catch a number of mistakes such as using an uninitialized variable or comparing a negative signed int and a positive unsigned int.<br />
<br />
As a concrete example, (and for those not familiar with C/C++ promotion rules), a warning will be issued if a signed integer is promoted to an unsigned integer and then compared because a side effect is <tt>-1 > 1</tt> after promotion! GCC and Visual Studio will not currently catch, for example, SQL injections and other tainted data usage. For that, you will need a tool designed to perform data flow analysis or taint analysis.<br />
<br />
Some in the development community resist static analysis or refute its results. For example, when static analysis warned the Linux kernel's <tt>sys_prctl</tt> was comparing an unsigned value against less than zero, Jesper Juhl offered a patch to clean up the code. Linus Torvalds howled “No, you don't do this… GCC is crap” (referring to compiling with warnings). For the full discussion, see ''[http://linux.derkeiler.com/Mailing-Lists/Kernel/2006-11/msg08325.html <nowiki>[PATCH] Don't compare unsigned variable for <0 in sys_prctl()</nowiki>]'' from the Linux Kernel mailing list.<br />
<br />
The following sections will detail steps for three platforms. First is a typical GNU Linux based distribution offering GCC and Binutils, second is Clang and Xcode, and third is modern Windows platforms.<br />
<br />
=== Distribution Hardening ===<br />
<br />
Before discussing GCC and Binutils, it would be a good time to point out some of the defenses discussed below are all ready present in a distribution. Unfortunately, its design by committee, so what is present is usually only a mild variation of what is available (this way, everyone is mildly offended). For those who are purely worried about performance, you might be surprised to learn you have already taken the small performance hint without even knowing.<br />
<br />
Linux and BSD distributions often apply some hardening without intervention via ''[http://gcc.gnu.org/onlinedocs/gcc/Spec-Files.html GCC Spec Files]''. If you are using Debian, Ubuntu, Linux Mint and family, see ''[http://wiki.debian.org/Hardening Debian Hardening]''. For Red Hat and Fedora systems, see ''[http://lists.fedoraproject.org/pipermail/devel-announce/2011-August/000821.html New hardened build support (coming) in F16]''. Gentoo users should visit ''[http://www.gentoo.org/proj/en/hardened/ Hardened Gentoo]''.<br />
<br />
You can see the settings being used by a distribution via <tt>gcc -dumpspecs</tt>. From Linux Mint 12 below, -fstack-protector (but not -fstack-protector-all) is used by default.<br />
<br />
<pre>$ gcc -dumpspecs<br />
…<br />
*link_ssp: %{fstack-protector:}<br />
<br />
*ssp_default: %{!fno-stack-protector:%{!fstack-protector-all: %{!ffreestanding:%{!nostdlib:-fstack-protector}}}}<br />
…</pre><br />
<br />
The “SSP” above stands for Stack Smashing Protector. SSP is a reimplementation of Hiroaki Etoh's work on IBM Pro Police Stack Detector. See Hiroaki Etoh's patch ''[http://gcc.gnu.org/ml/gcc-patches/2001-06/msg01753.html gcc stack-smashing protector]'' and IBM's ''[http://www.research.ibm.com/trl/projects/security/ssp/ GCC extension for protecting applications from stack-smashing attacks]'' for details.<br />
<br />
=== GCC/Binutils ===<br />
<br />
GCC (the compiler collection) and Binutils (the assemblers, linkers, and other tools) are separate projects that work together to produce a final executable. Both the compiler and linker offer options to help you write safer and more secure code. The linker will produce code which takes advantage of platform security features offered by the kernel and PaX, such as no-exec stacks and heaps (NX) and Position Independent Executable (PIE).<br />
<br />
The table below offers a set of compiler options to build your program. Static analysis warnings help catch mistakes early, while the linker options harden the executable at runtime. In the table below, “GCC” should be loosely taken as “non-ancient distributions.” While the GCC team considers 4.2 ancient, you will still encounter it on Apple and BSD platforms due to changes in GPL licensing around 2007. Refer to ''[http://gcc.gnu.org/onlinedocs/gcc/Option-Summary.html GCC Option Summary]'', ''[http://gcc.gnu.org/onlinedocs/gcc/Warning-Options.html Options to Request or Suppress Warnings]'' and ''[http://sourceware.org/binutils/docs-2.21/ld/Options.html Binutils (LD) Command Line Options]'' for usage details.<br />
<br />
Noteworthy of special mention are <tt>-fno-strict-overflow</tt> and <tt>-fwrapv</tt><sup>a</sup>. The flags ensure the compiler does not remove statements that result in overflow or wrap. If your program only runs correctly using the flags, it is likely violating C/C++ rules on overflow and illegal. If the program is illegal due to overflow or wrap checking, you should consider using [http://code.google.com/p/safe-iop/ safe-iop] for C or David LeBlanc's [http://safeint.codeplex.com SafeInt] in C++.<br />
<br />
For a project compiled and linked with hardened settings, some of those settings can be verified with the [http://www.trapkit.de/tools/checksec.html Checksec] tool written by Tobias Klein. The <tt>checksec.sh</tt> script is designed to test standard Linux OS and PaX security features being used by an application. See the [http://www.trapkit.de/tools/checksec.html Trapkit] web page for details.<br />
<br />
{| border="1"<br />
<br />
|-style="background:#DADADA"<br />
!Flag or Switch!!Version!!Discussion<br />
|+ Table 2: GCC C Warning Options<br />
<br />
|-<br />
|width="200pt"|<nowiki>-Wall -Wextra</nowiki><br />
|width="75t"|GCC<br />
|width="425pt"|Enables many warnings (despite their names, all and extra do not turn on all warnings).<sup>a</sup><br />
<br />
|-<br />
|<nowiki>-Wconversion</nowiki><br />
|GCC<br />
|Warn for implicit conversions that may alter a value (includes -Wsign-conversion).<br />
<br />
|-<br />
|<nowiki>-Wsign-conversion</nowiki><br />
|GCC<br />
|Warn for implicit conversions that may change the sign of an integer value, such as assigning a signed integer to an unsigned integer (<tt>-1 > 1</tt> after promotion!).<br />
<br />
|-<br />
|<nowiki>-Wcast-align</nowiki><br />
|GCC<br />
|Warn for a pointer cast to a type which has a different size, causing an invalid alignment and subsequent bus error on ARM processors.<br />
<br />
|-<br />
|<nowiki>-Wformat=2 -Wformat-security</nowiki><br />
|GCC<br />
|Increases warnings related to possible security defects, including incorrect format specifiers.<br />
<br />
|-<br />
|<nowiki>-fno-common</nowiki><br />
|GCC<br />
|Prevent global variables being simultaneously defined in different object files.<br />
<br />
|-<br />
|<nowiki>-fstack-protector or -fstack-protector-all</nowiki><br />
|GCC<br />
|Stack Smashing Protector (SSP). Improves stack layout and adds a guard to detect stack based buffer overflows.<sup>b</sup><br />
<br />
|-<br />
|<nowiki>-fno-omit-frame-pointer</nowiki><br />
|GCC<br />
|Improves backtraces for post-mortem analysis<br />
<br />
|-<br />
|<nowiki>-Wmissing-prototypes and -Wmissing-declarations</nowiki><br />
|GCC<br />
|Warn if a global function is defined without a prototype or declaration.<br />
<br />
|-<br />
|<nowiki>-Wstrict-prototypes</nowiki><br />
|GCC<br />
|Warn if a function is declared or defined without specifying the argument types.<br />
<br />
|-<br />
|<nowiki>-fstack-check</nowiki><br />
|GCC<br />
|Prevents the stack-pointer from moving into another memory region without accessing the stack guard-page. The "-fstack-check" remediation has some expense. It touches each page using a 4K stride to ensure the guard page is touched.<br />
<br />
|-<br />
|<nowiki>-Wstrict-overflow</nowiki><br />
|GCC 4.2<br />
|Warn about optimizations taken due to <nowiki>[undefined]</nowiki> signed integer overflow assumptions. <br />
<br />
|-<br />
|<nowiki>-Wtrampolines</nowiki><br />
|GCC 4.3<br />
|Warn about trampolines generated for pointers to nested functions. Trampolines require executable stacks.<br />
<br />
|-<br />
|<nowiki>-fsanitize=address</nowiki><br />
|GCC 4.8<br />
|Enable [http://code.google.com/p/address-sanitizer/ AddressSanitizer], a fast memory error detector. Memory access instructions will be instrumented to help detect heap, stack, and global buffer overflows; as well as use-after-free bugs.<br />
<br />
|-<br />
|<nowiki>-fsanitize=thread</nowiki><br />
|GCC 4.8<br />
|Enable [http://code.google.com/p/data-race-test/wiki/ThreadSanitizer ThreadSanitizer], a fast data race detector. Memory access instructions will be instrumented to detect data race bugs.<br />
<br />
|-<br />
|<nowiki>-mfunction-return=thunk and -mindirect-branch=thunk</nowiki><br />
|GCC 7.3, 8.1<br />
|Enable "Reptoline" fix which is an indirect branch used to thwart speculative execution CPU vulnerabilities such as Spectre and Meltdown. <br />
<br />
<br />
|-<br />
|<nowiki>-Wl,-z,nodlopen and -Wl,-z,nodump</nowiki><br />
|Binutils 2.10<br />
|Reduces the ability of an attacker to load, manipulate, and dump shared objects.<br />
<br />
<br />
|-<br />
|<nowiki>-Wl,-z,noexecstack and -Wl,-z,noexecheap</nowiki><br />
|Binutils 2.14<br />
|Data Execution Prevention (DEP). ELF headers are marked with PT_GNU_STACK and PT_GNU_HEAP.<br />
<br />
|-<br />
|<nowiki>-Wl,-z,relro</nowiki><br />
|Binutils 2.15<br />
|Helps remediate Global Offset Table (GOT) attacks on executables.<br />
<br />
|-<br />
|<nowiki>-Wl,-z,now</nowiki><br />
|Binutils 2.15<br />
|Helps remediate Procedure Linkage Table (PLT) attacks on executables.<br />
<br />
|-<br />
|<nowiki>-fPIC</nowiki><br />
|Binutils<br />
|Position Independent Code. Used for libraries and shared objects. Both -fPIC (compiler) and -shared (linker) are required.<br />
<br />
|-<br />
|<nowiki>-fPIE</nowiki><br />
|Binutils 2.16<br />
|Position Independent Executable (ASLR). Used for programs. Both -fPIE (compiler) and -pie (linker) are required.<br />
<br />
|}<br />
<br />
<sup>a</sup> Unlike Clang and -Weverything, GCC does not provide a switch to truly enable all warnings.<br><br />
<sup>b</sup> -fstack-protector guards functions with high risk objects such as C strings, while -fstack-protector-all guards all objects.<br />
<br />
Additional C++ warnings which can be used include the following in Table 3. See ''[http://gcc.gnu.org/onlinedocs/gcc/C_002b_002b-Dialect-Options.html GCC's Options Controlling C++ Dialect]'' for additional options and details.<br />
<br />
{| border="1"<br />
<br />
|-style="background:#DADADA"<br />
!Flag or Switch!!Discussion<br />
|+ Table 3: GCC C++ Warning Options<br />
<br />
|-<br />
|width="200pt"|<nowiki>-Woverloaded-virtual</nowiki><br />
|width="425pt"|Warn when a function declaration hides virtual functions from a base class. <br />
<br />
|-<br />
|<nowiki>-Wreorder</nowiki><br />
|Warn when the order of member initializers given in the code does not match the order in which they must be executed.<br />
<br />
|-<br />
|<nowiki>-Wsign-promo</nowiki><br />
|Warn when overload resolution chooses a promotion from unsigned or enumerated type to a signed type, over a conversion to an unsigned type of the same size.<br />
<br />
|-<br />
|<nowiki>-Wnon-virtual-dtor</nowiki><br />
|Warn when a class has virtual functions and an accessible non-virtual destructor.<br />
<br />
|-<br />
|<nowiki>-Weffc++</nowiki><br />
|Warn about violations of the following style guidelines from Scott Meyers' ''[http://www.aristeia.com/books.html Effective C++, Second Edition]'' book.<br />
<br />
|}<br />
<br />
And additional Objective C warnings which are often useful include the following. See ''[http://gcc.gnu.org/onlinedocs/gcc/Objective_002dC-and-Objective_002dC_002b_002b-Dialect-Options.html Options Controlling Objective-C and Objective-C++ Dialects]'' for additional options and details.<br />
<br />
{| border="1"<br />
<br />
|-style="background:#DADADA"<br />
!Flag or Switch!!Discussion<br />
|+ Table 4: GCC Objective C Warning Options<br />
<br />
|-<br />
|width="200pt"|<nowiki>-Wstrict-selector-match</nowiki><br />
|width="425pt"|Warn if multiple methods with differing argument and/or return types are found for a given selector when attempting to send a message using this selector to a receiver of type id or Class.<br />
<br />
|-<br />
|<nowiki>-Wundeclared-selector</nowiki><br />
|Warn if a <tt>@selector(…)</tt> expression referring to an undeclared selector is found. <br />
<br />
|}<br />
<br />
The use of aggressive warnings will produce spurious noise. The noise is a tradeoff - you can learn of potential problems at the cost of wading through some chaff. The following will help reduces spurious noise from the warning system:<br />
<br />
* -Wno-unused-parameter (GCC)<br />
* -Wno-type-limits (GCC 4.3)<br />
* -Wno-tautological-compare (Clang)<br />
<br />
Finally, a simple version based Makefile example is shown below. This is different than feature based makefile produced by auto tools (which will test for a particular feature and then define a symbol or configure a template file). Not all platforms use all options and flags. To address the issue you can pursue one of two strategies. First, you can ship with a weakened posture by servicing the lowest common denominator; or you can ship with everything in force. In the latter case, those who don't have a feature available will edit the makefile to accommodate their installation.<br />
<br />
<pre>CXX=g++<br />
EGREP = egrep<br />
…<br />
<br />
GCC_COMPILER = $(shell $(CXX) -v 2>&1 | $(EGREP) -i -c '^gcc version')<br />
GCC41_OR_LATER = $(shell $(CXX) -v 2>&1 | $(EGREP) -i -c '^gcc version (4\.[1-9]|[5-9])')<br />
…<br />
<br />
GNU_LD210_OR_LATER = $(shell $(LD) -v 2>&1 | $(EGREP) -i -c '^gnu ld .* (2\.1[0-9]|2\.[2-9])')<br />
GNU_LD214_OR_LATER = $(shell $(LD) -v 2>&1 | $(EGREP) -i -c '^gnu ld .* (2\.1[4-9]|2\.[2-9])')<br />
…<br />
<br />
ifeq ($(GCC_COMPILER),1)<br />
MY_CC_FLAGS += -Wall -Wextra -Wconversion<br />
MY_CC_FLAGS += -Wformat=2 -Wformat-security<br />
MY_CC_FLAGS += -Wno-unused-parameter<br />
endif<br />
<br />
ifeq ($(GCC41_OR_LATER),1)<br />
MY_CC_FLAGS += -fstack-protector-all<br />
endif<br />
<br />
ifeq ($(GCC42_OR_LATER),1)<br />
MY_CC_FLAGS += -Wstrict-overflow<br />
endif<br />
<br />
ifeq ($(GCC43_OR_LATER),1)<br />
MY_CC_FLAGS += -Wtrampolines<br />
endif<br />
<br />
ifeq ($(GNU_LD210_OR_LATER),1)<br />
MY_LD_FLAGS += -z,nodlopen -z,nodump<br />
endif<br />
<br />
ifeq ($(GNU_LD214_OR_LATER),1)<br />
MY_LD_FLAGS += -z,noexecstack -z,noexecheap<br />
endif<br />
<br />
ifeq ($(GNU_LD215_OR_LATER),1)<br />
MY_LD_FLAGS += -z,relro -z,now<br />
endif<br />
<br />
ifeq ($(GNU_LD216_OR_LATER),1)<br />
MY_CC_FLAGS += -fPIE<br />
MY_LD_FLAGS += -pie<br />
endif<br />
<br />
# Use 'override' to honor the user's command line<br />
override CFLAGS := $(MY_CC_FLAGS) $(CFLAGS)<br />
override CXXFLAGS := $(MY_CC_FLAGS) $(CXXFLAGS)<br />
override LDFLAGS := $(MY_LD_FLAGS) $(LDFLAGS)<br />
…</pre><br />
<br />
=== Clang/Xcode ===<br />
<br />
[http://clang.llvm.org Clang] and [http://llvm.org LLVM] have been aggressively developed since Apple lost its GPL compiler back in 2007 (due to Tivoization which resulted in GPLv3). Since that time, a number of developers and Goggle have joined the effort. While Clang will consume most (all?) GCC/Binutil flags and switches, the project supports a number of its own options, including a static analyzer. In addition, Clang is relatively easy to build with additional diagnostics, such as Dr. John Regher and Peng Li's [http://embed.cs.utah.edu/ioc/ Integer Overflow Checker (IOC)].<br />
<br />
IOC is incredibly useful, and has found bugs in a number of projects, from the Linux Kernel (<tt>include/linux/bitops.h</tt>, still unfixed), SQLite, PHP, Firefox (many still unfixed), LLVM, and Python. Future version of Clang (Clang 3.3 and above) will allow you to enable the checks out of the box with <tt>-fsanitize=integer</tt> and <tt>-fsanitize=shift</tt>.<br />
<br />
Clang options can be found at [http://clang.llvm.org/docs/UsersManual.html Clang Compiler User’s Manual]. Clang does include an option to turn on all warnings - <tt>-Weverything</tt>. Use it with care but use it regularly since you will get back a lot of noise and issues you missed. For example, add <tt>-Weverything</tt> for production builds and make non-spurious issues a quality gate. Under Xcode, simply add <tt>-Weverything</tt> to <tt>CFLAGS</tt> and <tt>CXXFLAGS</tt>.<br />
<br />
In addition to compiler warnings, both static analysis and additional security checks can be performed. Reading on Clang's static analysis capabilities can be found at [http://clang-analyzer.llvm.org Clang Static Analyzer]. Figure 1 below shows some of the security checks utilized by Xcode.<br />
<br />
{| align="center"<br />
| [[File:toolchan-hardening-11.png|thumb|450px|Figure 1: Clang/LLVM and Xcode options]]<br />
|}<br />
<br />
=== Visual Studio ===<br />
<br />
Visual Studio offers a convenient Integrated Development Environment (IDE) for managing solutions and their settings. the section called “Visual Studio Options” discusses option which should be used with Visual Studio, and the section called “Project Properties” demonstrates incorporating those options into a solution's project.<br />
<br />
The table below lists the compiler and linker switches which should be used under Visual Studio. Refer to Howard and LeBlanc's Writing Secure Code (Microsoft Press) for a detailed discussion; or ''[http://msdn.microsoft.com/en-us/magazine/cc337897.aspx Protecting Your Code with Visual C++ Defenses]'' in Security Briefs by Michael Howard. In the table below, “Visual Studio” refers to nearly all versions of the development environment, including Visual Studio 5.0 and 6.0.<br />
<br />
For a project compiled and linked with hardened settings, those settings can be verified with BinScope. BinScope is a verification tool from Microsoft that analyzes binaries to ensure that they have been built in compliance with Microsoft's Security Development Lifecycle (SDLC) requirements and recommendations. See the ''[https://www.microsoft.com/download/en/details.aspx?id=11910 BinScope Binary Analyzer]'' download page for details.<br />
<br />
{| border="1"<br />
<br />
|-style="background:#DADADA"<br />
!Flag or Switch!!Version!!Discussion<br />
|+ Table 5: Visual Studio Warning Options<br />
<br />
|-<br />
|width="150pt"|<nowiki>/W4</nowiki><br />
|width="100pt"|Visual Studio<br />
|width="350pt"|Warning level 4, which includes most warnings.<br />
<br />
|-<br />
|<nowiki>/sdl</nowiki><br />
|Visual Studio 2002<br />
|Adds recommended Security Development Lifecycle checks including extra security-relevant warnings as errors, and additional secure code-generation features.<br />
|-<br />
|<nowiki>/WAll</nowiki><br />
|Visual Studio 2003<br />
|Enable all warnings, including those off by default.<sup>a</sup><br />
<br />
|-<br />
|<nowiki>/GS</nowiki><br />
|Visual Studio 2003<br />
|Adds a security cookie (guard or canary) on the stack before the return address buffer stack based for overflow checks.<sup>a</sup><br />
<br />
|-<br />
|<nowiki>/SafeSEH</nowiki><br />
|Visual Studio 2003<br />
|Safe structured exception handling to remediate SEH overwrites.<br />
<br />
|-<br />
|<nowiki>/analyze</nowiki><br />
|Visual Studio 2005<br />
|Enterprise code analysis (freely available with Windows SDK for Windows Server 2008 and .NET Framework 3.5).<br />
<br />
|-<br />
|<nowiki>/NXCOMPAT</nowiki><br />
|Visual Studio 2005<br />
|Data Execution Prevention (DEP).<br />
<br />
|-<br />
|<nowiki>/dynamicbase</nowiki><br />
|Visual Studio 2005 SP1<br />
|Address Space Layout Randomization (ASLR).<br />
<br />
|-<br />
|<nowiki>strict_gs_check</nowiki><br />
|Visual Studio 2005 SP1<br />
|Aggressively applies stack protections to a source file to help detect some categories of stack based buffer overruns.<sup>b</sup><br />
<br />
|-<br />
|<nowiki>/d2guard4 /link /guard:cf</nowiki><br />
|Visual Studio 2015<br />
|<i>Control Flow Guard</i> ensure that all indirect-calls result in a jump to legal targets. Please note that /d2guard4 is a compiler switch and it needs to be used with /guard. Also note that /guard is a linker switch and needs to be used with /d2guard4. Please note than <i>Control Flow Guard</i> protects against attacks like heap sprays and no-op sleds as well.<br />
|}<br />
<br />
<sup>a</sup>See Jon Sturgeon's discussion of the switch at ''[https://blogs.msdn.com/b/vcblog/archive/2010/12/14/off-by-default-compiler-warnings-in-visual-c.aspx Off By Default Compiler Warnings in Visual C++]''.<br><br />
<sup>a</sup>When using /GS, there are a number of circumstances which affect the inclusion of a security cookie. For example, the guard is not used if there is no buffer in the stack frame, optimizations are disabled, or the function is declared naked or contains inline assembly.<br><br />
<sup>b</sup><tt>#pragma strict_gs_check(on)</tt> should be used sparingly, but is recommend in high risk situations, such as when a source file parses input from the internet.<br />
<br />
=== Warn Suppression ===<br />
<br />
From the tables above, a lot of warnings have been enabled to help detect possible programming mistakes. The potential mistakes are detected via compiler which carries around a lot of contextual information during its code analysis phase. At times, you will receive spurious warnings because the compiler is not ''that'' smart. Its understandable and even a good thing (how would you like to be out of a job because a program writes its own programs?). At times you will have to learn how to work with the compiler's warning system to suppress warnings. Notice what was not said: turn off the warnings.<br />
<br />
Suppressing warnings placates the compiler for spurious noise so you can get to the issues that matter (you are separating the wheat from the chaff). This section will offer some hints and point out some potential minefields. First is an unused parameter (for example, <tt>argc</tt> or <tt>argv</tt>). Suppressing unused parameter warnings is especially helpful for C++ and interface programming, where parameters are often unused. For this warning, simply define an "UNUSED" macro and warp the parameter:<br />
<br />
<pre>#define UNUSED_PARAMETER(x) ((void)x)<br />
…<br />
<br />
int main(int argc, char* argv[])<br />
{<br />
UNUSED_PARAMETER(argc);<br />
UNUSED_PARAMETER(argv);<br />
…<br />
}</pre><br />
<br />
A potential minefield lies near "comparing unsigned and signed" values, and <tt>-Wconversion</tt> will catch it for you. This is because C/C++ promotion rules state the signed value will be promoted to an unsigned value and then compared. That means <tt>-1 > 1</tt> after promotion! To fix this, you cannot blindly cast - you must first range test the value:<br />
<br />
<pre>int x = GetX();<br />
unsigned int y = GetY();<br />
<br />
ASSERT(x >= 0);<br />
if(!(x >= 0))<br />
throw runtime_error("WTF??? X is negative.");<br />
<br />
if(static_cast<unsigned int>(x) > y)<br />
cout << "x is greater than y" << endl;<br />
else<br />
cout << "x is not greater than y" << endl;</pre><br />
<br />
Notice the code above will debug itself - you don't need to set a breakpoint to see if there is a problem with <tt>x</tt>. Just run the program and wait for it to tell you there is a problem. If there is a problem, the program will snap the debugger (and more importantly, not call a useless <tt>abort()</tt> as specified by Posix). It beats the snot out of <tt>printf</tt> that are removed when no longer needed or pollute outputs.<br />
<br />
Another conversion problem you will encounter conversion between types, and <tt>-Wconversion</tt> will also catch it for you. The following will always have an opportunity to fail, and should light up like a Christmas tree:<br />
<br />
<pre>struct sockaddr_in addr;<br />
…<br />
<br />
addr.sin_port = htons(atoi(argv[2]));</pre><br />
<br />
The following would probably serve you much better. Notice <tt>atoi</tt> and fiends are not used because they can silently fail. In addition, the code is instrumented so you don't need to waste a lot of time debugging potential problems:<br />
<br />
<pre>const char* cstr = GetPortString();<br />
<br />
ASSERT(cstr != NULL);<br />
if(!(cstr != NULL))<br />
throw runtime_error("WTF??? Port string is not valid.");<br />
<br />
istringstream iss(cstr);<br />
long long t = 0;<br />
iss >> t;<br />
<br />
ASSERT(!(iss.fail()));<br />
if(iss.fail())<br />
throw runtime_error("WTF??? Failed to read port.");<br />
<br />
// Should this be a port above the reserved range ([0-1024] on Unix)?<br />
ASSERT(t > 0);<br />
if(!(t > 0))<br />
throw runtime_error("WTF??? Port is too small");<br />
<br />
ASSERT(t < static_cast<long long>(numeric_limits<unsigned int>::max()));<br />
if(!(t < static_cast<long long>(numeric_limits<unsigned int>::max())))<br />
throw runtime_error("WTF??? Port is too large");<br />
<br />
// OK to use port<br />
unsigned short port = static_cast<unsigned short>(t);<br />
…</pre><br />
<br />
Again, notice the code above will debug itself - you don't need to set a breakpoint to see if there is a problem with <tt>port</tt>. This code will continue checking conditions, years after being instrumented (assuming to wrote code to read a config file early in the project). There's no need to remove the <tt>ASSERT</tt>s as with <tt>printf</tt> since they are silent guardians.<br />
<br />
Another useful suppression trick is too avoid ignoring return values. Not only is it useful to suppress the warning, its required for correct code. For example, <tt>snprint</tt> will alert you to truncations through its return value. You should not make them silent truncations by ignoring the warning or casting to <tt>void</tt>:<br />
<br />
<pre>char path[PATH_MAX];<br />
…<br />
<br />
int ret = snprintf(path, sizeof(path), "%s/%s", GetDirectory(), GetObjectName());<br />
ASSERT(ret != -1);<br />
ASSERT(!(ret >= sizeof(path)));<br />
<br />
if(ret == -1 || ret >= sizeof(path))<br />
throw runtime_error("WTF??? Unable to build full object name");<br />
<br />
// OK to use path<br />
…</pre><br />
<br />
The problem is pandemic, and not just boring user land programs. Projects which offer high integrity code, such as SELinux, suffer silent truncations. The following is from an approved SELinux patch even though a comment was made that it [http://permalink.gmane.org/gmane.comp.security.selinux/16845 suffered silent truncations in its <tt>security_compute_create_name</tt> function] from <tt>compute_create.c</tt>.<br />
<br />
<pre>12 int security_compute_create_raw(security_context_t scon,<br />
13 security_context_t tcon,<br />
14 security_class_t tclass,<br />
15 security_context_t * newcon)<br />
16 {<br />
17 char path[PATH_MAX];<br />
18 char *buf;<br />
19 size_t size;<br />
20 int fd, ret;<br />
21 <br />
22 if (!selinux_mnt) {<br />
23 errno = ENOENT;<br />
24 return -1;<br />
25 }<br />
26 <br />
27 snprintf(path, sizeof path, "%s/create", selinux_mnt);<br />
28 fd = open(path, O_RDWR);</pre><br />
<br />
Unlike other examples, the above code will not debug itself, and you will have to set breakpoints and trace calls to determine the point of first failure. (And the code above gambles that the truncated file does not exist or is not under an adversary's control by blindly performing the <tt>open</tt>).<br />
<br />
== Runtime ==<br />
<br />
The previous sections concentrated on setting up your project for success. This section will examine additional hints for running with increased diagnostics and defenses. Not all platforms are created equal - GNU Linux is difficult to impossible to [http://sourceware.org/ml/binutils/2012-03/msg00309.html add hardening to a program after compiling and static linking]; while Windows allows post-build hardening through a download. Remember, the goal is to find the point of first failure quickly so you can improve the reliability and security of the code.<br />
<br />
=== Xcode ===<br />
<br />
Xcode offers additional [http://developer.apple.com/library/mac/#recipes/xcode_help-scheme_editor/Articles/SchemeDiagnostics.html Application Diagnostics] that can help find memory errors and object use problems. Schemes can be managed through ''Products'' menu item, ''Scheme'' submenu item, and then ''Edit''. From the editor, navigate to the ''Diagnostics'' tab. In the figure below, four additional instruments are enabled for the debugging cycle: Scribble guards, Edge guards, Malloc guards, and Zombies.<br />
<br />
{| align="center"<br />
| [[File:toolchan-hardening-1.png|thumb|450px|Figure 2: Xcode Memory Diagnostics]]<br />
|}<br />
<br />
There is one caveat with using some of the guards: Apple only provides them for the simulator, and not a device. In the past, the guards were available for both devices and simulators.<br />
<br />
=== Windows ===<br />
<br />
Visual Studio offers a number of debugging aides for use during development. The aides are called [http://msdn.microsoft.com/en-us/library/d21c150d.aspx Managed Debugging Assistants (MDAs)]. You can find the MDAs on the ''Debug'' menu, then ''Exceptions'' submenu. MDAs allow you to tune your debugging experience by, for example, filter exceptions for which the debugger should snap. For more details, see Stephen Toub's ''[http://msdn.microsoft.com/en-us/magazine/cc163606.aspx Let The CLR Find Bugs For You With Managed Debugging Assistants]''.<br />
<br />
{| align="center"<br />
| [[File:toolchan-hardening-2.png|thumb|450px|Figure 3: Managed Debugging Assistants]]<br />
|}<br />
<br />
Finally, for runtime hardening, Microsoft has a helpful tool called EMET. EMET is the [http://support.microsoft.com/kb/2458544 Enhanced Mitigation Experience Toolkit], and allows you to apply runtime hardening to an executable which was built without. Its very useful for utilities and other programs that were built without an SDLC.<br />
<br />
{| align="center"<br />
| [[File:toolchan-hardening-3.png|thumb|450px|Figure 4: Windows and EMET]]<br />
|}<br />
<br />
== Authors and Editors ==<br />
<br />
* Jeffrey Walton - jeffrey, owasp.org<br />
* Jim Manico - jim, owasp.org<br />
* Kevin Wall - kevin, owasp.org</div>Wichershttps://wiki.owasp.org/index.php?title=Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet&diff=246804Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet2019-01-23T23:24:23Z<p>Wichers: /* Triple Submit Cookie */</p>
<hr />
<div> __NOTOC__<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Cheatsheets-header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}''' <br />
<br />
__TOC__{{TOC hidden}}<br />
<br />
== Introduction ==<br />
[[Cross-Site Request Forgery (CSRF)]] is a type of attack that occurs when a malicious web site, email, blog, instant message, or program causes a user’s web browser to perform an unwanted action on a trusted site when the user is authenticated. A CSRF attack works because browser requests automatically include any credentials associated with the site, such as the user's session cookie, IP address, etc. Therefore, if the user is authenticated to the site, the site cannot distinguish between the forged or legitimate request sent by the victim. We would need a token/identifier that is not accessible to attacker and would not be sent along (like cookies) with forged requests that attacker initiates. For more information on CSRF, see OWASP [[Cross-Site Request Forgery (CSRF)|Cross-Site Request Forgery (CSRF) page]].<br />
<br />
The impact of a successful CSRF attack is limited to the capabilities exposed by the vulnerable application. For example, this attack could result in a transfer of funds, changing a password, or making a purchase with the user’s credentials. In effect, CSRF attacks are used by an attacker to make a target system perform a function via the target's browser, without the user’s knowledge, at least until the unauthorized transaction has been committed.<br />
<br />
Impacts of successful CSRF exploits vary greatly based on the privileges of each victim. When targeting a normal user, a successful CSRF attack can compromise end-user data and their associated functions. If the targeted end user is an administrator account, a CSRF attack can compromise the entire web application. Using social engineering, an attacker can embed malicious HTML or JavaScript code into an email or website to request a specific 'task URL'. The task then executes with or without the user's knowledge, either directly or by using a Cross-Site Scripting flaw. For example, see [https://en.wikipedia.org/wiki/Samy_(computer_worm) Samy MySpace Worm].<br />
<br />
== What's new? ==<br />
If you have seen OWASP [https://www.owasp.org/index.php?title=Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet&action=history old CSRF prevention cheat sheets], you can observe that a lot has changed in this newer version. One of the major changes is that the “Verifying same origin with standard headers” CSRF defense has been moved to the Defense-in-Depth section, whereas token based mitigation moved to the Primary Defenses section (technical reasons for this switch were added under respective sections). Multiple new sections (HMAC based token protection, auto CSRF mitigation techniques, login CSRF, not so popular CSRF mitigations and CSRF mitigation myths) were added besides adding new content, removing obsolete content to the existing sections. Security issues/caveats associated with each mitigation were also included.<br />
<br />
==Warning: No Cross-Site Scripting (XSS) Vulnerabilities ==<br />
[[Cross-Site Scripting]] is not necessary for CSRF to work. However, any cross-site scripting vulnerability can be used to defeat all CSRF mitigation techniques available in the market today (except mitigation techniques that involve user interaction and described later in this cheat sheet). This is because an XSS payload can simply read any page on the site using an XMLHttpRequest (direct DOM access can be done, if on same page) and obtain the generated token from the response, and include that token with a forged request. This technique is exactly how the [https://en.wikipedia.org/wiki/Samy_(computer_worm) MySpace (Samy) worm] defeated MySpace's anti-CSRF defenses in 2005, which enabled the worm to propagate.<br />
<br />
It is imperative that no XSS vulnerabilities are present to ensure that CSRF defenses can't be circumvented. Please see the OWASP [[XSS (Cross Site Scripting) Prevention Cheat Sheet|XSS Prevention Cheat Sheet]] for detailed guidance on how to prevent XSS flaws. <br />
<br />
== Resources that need to be protected from CSRF vulnerability ==<br />
The following list assumes that you are not violating [http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.1.1 RFC2616], section 9.1.1, by using GET requests for state changing operations. <br />
<br />
'''Note:''' If for any reason you violate, you would also need to protect those resources, which is mostly achieved with default <code>form tag [GET method]</code>, <code>href</code>, and <code>src</code> attributes. <br />
<br />
* Form tags with POST <br />
* Ajax/XHR calls<br />
<br />
== CSRF Defense Recommendations Summary ==<br />
We recommend token based CSRF defense (either stateful/stateless) as a primary defense to mitigate CSRF in your applications. Only for highly sensitive operations, we also recommend a user interaction based protection (either re-authentication/one-time token, detailed in section 7.5) along with token based mitigation.<br />
<br />
As a defense-in-depth measure, consider implementing one mitigation from the Defense-in-Depth Techniques section (you can choose the mitigation that fits your ecosystem considering the issues mentioned under them). These defense-in-depth mitigation techniques are not recommended to be used by themselves (without token based mitigation) for mitigating CSRF in your applications.<br />
<br />
== Primary Defense Techniques ==<br />
<br />
=== Token Based Mitigation ===<br />
This defense is one the most popular and recommended methods to mitigate CSRF. It can be achieved either with state (synchronizer token pattern) or stateless (encrypted/hash based token pattern). See section 6.3 on how to mitigate login CSRF in your applications. For all the mitigation's, it is implicit that general security principles should be adhered<br />
* Strong encryption/HMAC functions should be adhered to. <br />
'''Note:''' You can select any algorithm per your organizational needs. We recommend AES256-GCM for encryption and SHA256/512 for HMAC.<br />
* Strict key rotation and token lifetime policies should be maintained. Policies can be set according to your organizational needs. Generic key management guidance from OWASP can be found [[Key Management Cheat Sheet|here]].<br />
<br />
==== Synchronizer Token Pattern ====<br />
Any state changing operation requires a secure random token (e.g., CSRF token) to prevent CSRF attacks. A CSRF token should be unique per user session, large random value, and also generated by a cryptographically secure random number generator. The CSRF token is added as a hidden field for forms headers/parameters for AJAX calls, and within the URL if the state changing operation occurs via a GET. See "Disclosure of Token in URL" section below. The server rejects the requested action if the CSRF token fails validation.<br />
<br />
In order to facilitate a "transparent but visible" CSRF solution, developers are encouraged to adopt a pattern similar to [http://www.corej2eepatterns.com/Design/PresoDesign.htm Synchronizer Token Pattern] (The original intention of this synchronizer token pattern was to detect duplicate submissions in forms). The synchronizer token pattern requires the generation of random "challenge" tokens that are associated with the user's current session. These challenge tokens are then inserted within the HTML forms and calls associated with sensitive server-side operations. It is the responsibility of the server application to verify the existence and correctness of this token. By including a challenge token with each request, the developer has a strong control to verify that the user actually intended to submit the desired requests. Inclusion of a required security token in HTTP requests associated with sensitive business functions helps mitigate CSRF attacks as successful exploitation assumes the attacker knows the randomly generated token for the target victim's session. <br />
<br />
'''Note:''' These tokens aren’t like cookies that are automatically sent with forged requests made from your browser from the attacker website. <br />
<br />
This is analogous to the attacker being able to guess the target victim's session identifier. <br />
<br />
The following describes a general approach to incorporate challenge tokens within the request.<br />
<br />
When a Web application formulates a request, the application should include a hidden input parameter with a common name such as "CSRFToken" (for forms)/ as header/parameter value for Ajax calls. The value of this token must be randomly generated such that it cannot be guessed by an attacker. Consider leveraging the java.security.SecureRandom class for Java applications to generate a sufficiently long random token. Alternative generation algorithms include the use of 256-bit BASE64 encoded hashes. Developers that choose this generation algorithm must make sure that there is randomness and uniqueness utilized in the data that is hashed to generate the random token.<br />
<br />
<syntaxhighlight lang="html"><br />
<form action="/transfer.do" method="post"><br />
<br />
<input type="hidden" name="CSRFToken" <br />
value="OWY4NmQwODE4ODRjN2Q2NTlhMmZlYWEwYzU1YWQwMTVhM2JmNGYxYjJiMGI4MjJjZDE1ZDZMGYwMGEwOA=="><br />
...<br />
</form><br />
</syntaxhighlight><br />
<br />
In general, developers need only generate this token once for the current session. After initial generation of this token, the value is stored in the session and is used for each subsequent request until the session expires. When a request is issued by the end-user, the server-side component must verify the existence and validity of the token in the request compared to the token found in the user session. If the token was not found within the request, or the value provided does not match the value within the user session, then the request should be aborted, and the event logged as a potential CSRF attack in progress.<br />
<br />
To further enhance the security of this proposed design, consider randomizing the CSRF token parameter name and/or value for each request. Implementing this approach results in the generation of per-request tokens as opposed to per-session tokens. This is more secure than per-session tokens as the time range for an attacker to exploit the stolen tokens is minimal. However, this may result in usability concerns. For example, the "Back" button browser capability is often hindered as the previous page may contain a token that is no longer valid. Interaction with this previous page will result in a CSRF false positive security event at the server. Few applications that need high security typically implement this approach (such as banks). You have to check what suits your needs. Regardless of the approach taken, developers are encouraged to protect the CSRF token the same way they protect authenticated session identifiers, such as the use of TLS.<br />
<br />
'''Existing Synchronizer Implementations'''<br />
<br />
Synchronizer token defenses have been built into many frameworks, so we strongly recommend using them first when they are available. External components that add CSRF defenses to existing applications are also recommended. OWASP has the following: <br />
<br />
* For Java: OWASP [[CSRF Guard]]<br />
* For PHP and Apache: [[CSRFProtector Project]]<br />
<br />
'''Disclosure of Token in URL'''<br />
<br />
Some implementations of synchronizer tokens include the challenge token in GET (URL) requests as well as POST requests. This is often implemented as a result of sensitive server-side operations being invoked as a result of embedded links in the page or other general design patterns. These patterns are often implemented without knowledge of CSRF and an understanding of CSRF prevention design strategies. While this control does help mitigate the risk of CSRF attacks, the unique per-session token is being exposed for GET requests. CSRF tokens in GET requests are potentially leaked at several locations: browser history, log files, network appliances that make a point to log the first line of an HTTP request, and Referer headers if the protected site links to an external site. In the latter case (leaked CSRF token due to the Referer header being parsed by a linked site), it is trivially easy for the linked site to launch a CSRF attack on the protected site, and they will be able to target this attack very effectively, since the Referer header tells them the site as well as the CSRF token. The attack could be run entirely from JavaScript, so that a simple addition of a script tag to the HTML of a site can launch an attack (whether on an originally malicious site or on a hacked site). Additionally, since HTTPS requests from HTTPS contexts will not strip the Referer header (as opposed to HTTPS to HTTP requests) CSRF token leaks via Referer can still happen on HTTPS Applications.<br />
<br />
The ideal solution is to only include the CSRF token in POST requests and modify server-side actions that have state changing affect to only respond to POST requests. This is in fact what the <nowiki>RFC 2616</nowiki> requires for GET requests. If sensitive server-side actions are guaranteed to only ever respond to POST requests, then there is no need to include the token in GET requests.<br />
<br />
In most JavaEE web applications, however, HTTP method scoping is rarely ever utilized when retrieving HTTP parameters from a request. Calls to "HttpServletRequest.getParameter" will return a parameter value regardless if it was a GET or POST. This is not to say HTTP method scoping cannot be enforced. It can be achieved if a developer explicitly overrides doPost() in the HttpServlet class or leverages framework specific capabilities such as the AbstractFormController class in Spring.<br />
<br />
For these cases, attempting to retrofit this pattern in existing applications requires significant development time and cost, and as a temporary measure it may be better to pass CSRF tokens in the URL. Once the application has been fixed to respond to HTTP GET and POST verbs correctly, CSRF tokens for GET requests should be turned off.<br />
<br />
==== Encryption based Token Pattern ====<br />
The Encrypted Token Pattern leverages an encryption, rather than comparison method of Token-validation. It is most suitable for applications that do not want to maintain any state at server side. <br />
<br />
After successful authentication, the server generates a unique token comprised of the user's ID, a timestamp value and a [http://en.wikipedia.org/wiki/Cryptographic_nonce nonce], using a unique key available only on the server. This token is returned to the client and embedded in a hidden field for forms, in the request-header/parameter for AJAX requests. On receipt of this request, the server reads and decrypts the token value with the same key used to create the token. The inability to correctly decrypt suggests an intrusion attempt. Once decrypted, the UserId and timestamp contained within the token are validated; the UserId is compared against the currently logged in user, and the timestamp is compared against the current time.<br />
<br />
On successful token-decryption, the server has access to parsed values, ideally in the form of [http://en.wikipedia.org/wiki/Claims-based_identity claims]. These claims are processed by comparing the UserId claim to any potentially stored UserId (in a Cookie or Session variable, if the site already contains a means of authentication). The Timestamp is validated against the current time, preventing replay attacks. Alternatively, in the case of a CSRF attack, the server will be unable to decrypt the poisoned token, and can block and log the attack.<br />
<br />
This technique addresses some of the shortfalls in other stateless approaches, such as the need to store data in a Cookie, circumventing the Cookie-subdomain and [[HttpOnly]] issues.<br />
<br />
==== HMAC Based Token Pattern ====<br />
[https://en.wikipedia.org/wiki/HMAC HMAC (hash-based message authentication code)] is a cryptographic function that helps to guarantee integrity and authentication of a message. It is another way that CSRF mitigation can be achieved without maintaining any state at the server and is similar to an encryption token-based pattern with two main differences:<br />
* Uses a strong HMAC function instead of an encryption function to generate the token<br />
* Includes an additional field called ‘operation’ that would indicate the purpose of the operation for which you are including the CSRF token (may it be form tag/ajax call) <br />
(Ex: ‘oneclickpurchase’ (or) buy/asin=SDFH&category=2&quantity=3)<br />
<br />
'''Note:''' Fields mentioned in encryption token pattern (user's ID, a timestamp value and a nonce) are included. <br />
<br />
The operation field helps in mitigating the fact that the hash function generates the same value irrespective of multiple iterations (unlike strong encryption functions that generate different values when they are encrypted each time). So, it would help in avoiding having repeated token values across your application. Nonce field serves the same purpose as in encrypted token pattern (i.e., to avoid rare collisions due to weak cryptographic functions and acts as a defense-in-depth measure). <br />
<br />
Generate the token using HMAC including all four fields mentioned previously (user's ID, a timestamp value, nonce, and operation) and then include it in hidden fields for form tags, headers/parameters for ajax calls. Once you receive the HMAC from the client in the requests, re-generate HMAC with the same fields that you used to generate it, and then verify that the HMAC you re-generated matches the HMAC received from the client. If it does, it is a legitimate user request and if it does not, flag it as a CSRF intrusion and alert your incident response teams. Because an attacker has no visibility into the key used for generating the hash fields used in generating it, there is no way for them to re-generate it to use in forged request.<br />
<br />
=== Auto CSRF Mitigation Techniques ===<br />
Though the technique of mitigating tokens is widely used (stateful with synchronizer token and stateless with encrypted/HMAC token), the major problem associated with these techniques is the human tendency to forget things at times. If a developer forgets to add the token to any state changing operation, they are making the application vulnerable to CSRF. To avoid this, you can try to automate the process of adding tokens to CSRF vulnerable resources (mentioned earlier in this document). You can achieve this by doing the following:<br />
* Write wrappers (that would auto add tokens when used) around default form tags/ajax calls and educate your developers to use those wrappers instead of standard tags. Though this approach is better than depending purely on developers to add tokens, it still is vulnerable to the issue of human tendency to forget things. [https://docs.spring.io/spring-security/site/docs/3.2.0.CI-SNAPSHOT/reference/html/csrf.html Spring Security] uses this technique to add CSRF tokens by default when a custom <form:form> tag is used, you can opt to use after verifying that its enabled and properly configured in the Spring Security version you are using.<br />
* Write a hook (that would capture the traffic and add tokens to CSRF vulnerable resources before rendering to customers) in your organizational web rendering frameworks. Because it is hard to analyze when a particular response is doing any state change (and thus needing a token), you might want to include tokens in all CSRF vulnerable resources (ex: include tokens in all POST responses). This is one recommended approach, but you need to consider the performance costs it might incur.<br />
* Get the tokens automatically added on the client side when the page is being rendered in user’s browser, with help of a client side script (this approach is used by [[CSRF Guard]]). You need to consider any possible JavaScript hijacking attacks.<br />
We recommend researching if the framework you are using has an option to achieve CSRF protection by default before trying to build your custom auto tokening system. For example, .NET has an [https://docs.microsoft.com/en-us/aspnet/core/security/anti-request-forgery?view=aspnetcore-2.1 in-built protection] that adds token to CSRF vulnerable resources. You are responsible for proper configuration (such as key management and token management) before using these in-built CSRF protections that do auto tokening to CSRF vulnerable resources.<br />
<br />
=== Login CSRF ===<br />
Most developers tend to ignore CSRF vulnerability on login forms as they assume that CSRF would not be applicable on login forms because user is not authenticated at that stage. That assumption is false. CSRF vulnerability can still occur on login forms where the user is not authenticated, but the impact/risk view for it is quite different from the impact/risk view of a general CSRF vulnerability (when a user is authenticated).<br />
<br />
With a CSRF vulnerability on login form, an attacker can make a victim login to the attacker's account and learn behavior from the victim's searches. For more information about login CSRF and other risks, see section 3 of [https://seclab.stanford.edu/websec/csrf/csrf.pdf the Stanford CSRF] paper.<br />
<br />
Login CSRF can be mitigated by creating pre-sessions (sessions before a user is authenticated) and including tokens in login form. You can use any of the techniques mentioned above to generate tokens. Pre-sessions can be transitioned to real sessions once the user is authenticated. This technique is described in [https://seclab.stanford.edu/websec/csrf/csrf.pdf Robust Defenses for Cross-Site Request Forgery section 4.1].<br />
<br />
If sub-domains under your master domain are treated as not trusted in your threat model, it is difficult to mitigate login CSRF. A strict subdomain and path level referer header (because most login pages are served on HTTPS - no stripping of referer - and are also linked from home pages) validation (detailed in section 7.1) can be used in these cases for mitigating CSRF on login forms to an extent.<br />
<br />
== Defense-In-Depth Techniques ==<br />
<br />
=== Verifying origin with standard headers ===<br />
This defense technique is specifically proposed in section 5.0 of [https://seclab.stanford.edu/websec/csrf/csrf.pdf Robust Defenses for Cross-Site Request Forgery]. This paper proposes the first creation of the Origin header and its use as a CSRF defense mechanism.<br />
<br />
There are two steps to this mitigation, both of which rely on examining an HTTP request header value.<br />
<br />
1. Determining the origin the request is coming from (source origin). Can be done via Origin and/or referer header.<br />
<br />
2. Determining the origin the request is going to (target origin).<br />
<br />
At server side we verify if both of them match. If they do, we accept the request as legitimate (meaning it’s the same origin request) and if they don’t, we discard the request (meaning that the request originated from cross-domain). Reliability on these headers comes from the fact that they cannot be altered programmatically (using JavaScript in an XSS) as they fall under [https://developer.mozilla.org/en-US/docs/Glossary/Forbidden_header_name forbidden headers] list (i.e., only browsers can set them).<br />
<br />
====Identifying Source Origin (via Origin/Referer header) ====<br />
'''Checking the Origin Header'''<br />
<br />
If the Origin header is present, verify that its value matches the target origin. Unlike the Referer, the Origin header will be present in HTTP requests that originate from an HTTPS URL.<br />
<br />
'''Checking the Referer Header'''<br />
<br />
If the Origin header is not present, verify the hostname in the Referer header matches the target origin. This method of CSRF mitigation is also commonly used with unauthenticated requests, such as requests made prior to establishing a session state, which is required to keep track of a synchronization token.<br />
<br />
In both cases, make sure the target origin check is strong. For example, if your site is "site.com" make sure "site.com.attacker.com" does not pass your origin check (i.e., match through the trailing/after the origin to make sure you are matching against the entire origin).<br />
<br />
If neither of these headers are present, you can either accept or block the request. We recommend '''blocking'''. Alternatively, you might want to log all such instances, monitor their use cases/behavior, and then start blocking requests only after you get enough confidence.<br />
<br />
==== Identifying the Target Origin ====<br />
You might think it’s easy to determine the target origin, but it’s frequently not. The first thought is to simply grab the target origin (i.e., its hostname and port #) from the URL in the request. However, the application server is frequently sitting behind one or more proxies and the original URL is different from the URL the app server actually receives. If your application server is directly accessed by its users, then using the origin in the URL is fine and you're all set.<br />
<br />
If you are behind a proxy, there are a number of options to consider.<br />
* '''Configure your application to simply know its target origin:''' It’s your application, so you can find its target origin and set that value in some server configuration entry. This would be the most secure approach as its defined server side, so it is a trusted value. However, this might be problematic to maintain if your application is deployed in many places, e.g., dev, test, QA, production, and possibly multiple production instances. Setting the correct value for each of these situations might be difficult, but if you can do it via some central configuration and providing your instances to grab value from it, that's great! ('''Note:''' Make sure the centralized configuration store is maintained securely because major part of your CSRF defense depends on it.)<br />
<br />
* '''Use the Host header value:''' If you prefer that the application find its own target so it doesn't have to be configured for each deployed instance, we recommend using the Host family of headers. The Host header's purpose is to contain the target origin of the request. But, if your app server is sitting behind a proxy, the Host header value is most likely changed by the proxy to the target origin of the URL behind the proxy, which is different than the original URL. This modified Host header origin won't match the source origin in the original Origin or Referer headers.<br />
<br />
* '''Use the X-Forwarded-Host header value:''' To avoid the issue of proxy altering the host header, there is another header called X-Forwarded-Host, whose purpose is to contain the original Host header value the proxy received. Most proxies will pass along the original Host header value in the X-Forwarded-Host header. So that header value is likely to be the target origin value you need to compare to the source origin in the Origin or Referer header.<br />
<br />
This mitigation in earlier versions of the CSRF Cheat Sheet is treated as a primary defense. For reasons mentioned below, it is now moved to the Defense-in-Depth section.<br />
<br />
As it’s implicit, this mitigation would work properly when origin or referer headers are present in the requests. Though these headers are included '''majority''' of the time, there are few use cases where they are not included (most of them are for legitimate reasons to safeguard users privacy/to tune to browsers ecosystem). The following lists some use cases:<br />
* Internet Explorer 11 does not add the Origin header on a CORS request across sites of a trusted zone. The Referer header will remain the only indication of the UI origin. See the following references in stackoverflow [https://stackoverflow.com/questions/20784209/internet-explorer-11-does-not-add-the-origin-header-on-a-cors-request here] and [https://github.com/silverstripe/silverstripe-graphql/issues/118 here].<br />
* In an instance following a [https://stackoverflow.com/questions/22397072/are-there-any-browsers-that-set-the-origin-header-to-null-for-privacy-sensitiv 302 redirect cross-origin], Origin is not included in the redirected request because that may be considered sensitive information that should not be sent to the other origin.<br />
* There are some [https://wiki.mozilla.org/Security/Origin#Privacy-Sensitive_Contexts privacy contexts] where Origin is set to “null” For example, see the following [https://www.google.com/search?q=origin+header+sent+null+value+site%3Astackoverflow.com&oq=origin+header+sent+null+value+site%3Astackoverflow.com here].<br />
* Origin header is included for all cross origin requests but for same origin requests, in most browsers it is only included in POST/DELETE/PUT '''Note:''' Although it is not ideal, many developers use GET requests to do state changing operations.<br />
* Referer header is no exception. There are multiple use cases where referer header is omitted as well ([https://stackoverflow.com/questions/6880659/in-what-cases-will-http-referer-be-empty <nowiki>[1]</nowiki>], [https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referer <nowiki>[2]</nowiki>], [https://en.wikipedia.org/wiki/HTTP_referer#Referer_hiding <nowiki>[3]</nowiki>], [https://seclab.stanford.edu/websec/csrf/csrf.pdf <nowiki>[4]</nowiki>] and [https://www.google.com/search?q=referer+header+sent+null+value+site:stackoverflow.com <nowiki>[5]</nowiki>]). Load balancers, proxies and embedded network devices are also well known to strip the referer header due to privacy reasons in logging them.<br />
<br />
Though exceptions can be written for above cases in your source and target origin check logic, there is currently no central repository (even there is one, keeping it up-to-date is a problem) that references all such use cases. Each browser might also handle these use cases differently (browsers are known to handle things differently considering their ecosystem. IE example of not sending origin header within trusted zone is such example). Rejecting requests that do not contain origin and/or referer headers might sound like a good idea but it can impact legitimate users. Keeping this system in monitoring mode and trying to investigate use cases such as stated above, then adding them into exception logic is a process that you may consider to make this defense more stable in your environment.<br />
<br />
This CSRF defense relies on browser behavior that can change at times. For example, when new privacy contexts are discovered, under which situations you have to keep your validation logic updated, where as in token based mitigation, you have full control on the CSRF mitigation. If browsers alter CSRF tokens, they are literally changing the HTML content on rendering pages (which no browser would ever want to do!).<br />
<br />
When there is an XSS vulnerability on a page of an application protected with Origin and/or Referer header, the level of effort required to exploit state changing operations (that are typically vulnerable to CSRF) on other pages is very easy (grab the parameters and forge a request, as Origin and Referer header is included by default by browsers) than compared to token based mitigation (where attacker needs to download the target page, parse the DOM for the token, construct a forge request, and send it to server).<br />
<br />
'''Note:''' Although the concept of an origin header stemmed from [https://seclab.stanford.edu/websec/csrf/csrf.pdf the Stanford CSRF] paper that references robust CSRF defenses, the initial [https://tools.ietf.org/html/rfc6454 origin header RFC] does not reference mitigating CSRF in any way (another [https://tools.ietf.org/id/draft-abarth-origin-03.html draft version] does, however).<br />
<br />
=== Double Submit Cookie ===<br />
If maintaining the state for CSRF token at server side is problematic, an alternative defense is to use the double submit cookie technique. This technique is easy to implement and is stateless. In this technique, we send a random value in both a cookie and as a request parameter, with the server verifying if the cookie value and request value match. When a user visits (even before authenticating to prevent login CSRF), the site should generate a (cryptographically strong) pseudorandom value and set it as a cookie on the user's machine separate from the session identifier. The site then requires that every transaction request include this pseudorandom value as a hidden form value (or other request parameter/header). If both of them match at server side, the server accepts it as legitimate request and if they don’t, it would reject the request.<br />
<br />
There’s a belief that this technique would work because a cross origin attacker cannot read any data sent from the server or modify cookie values, per the same-origin policy. This means that while an attacker can force a victim to send any value with a malicious CSRF request, the attacker will be unable to modify or read the value stored in the cookie (with which the server compares the token value).<br />
<br />
There are a couple of drawbacks associated with the assumptions made here. The problem of "trusting of sub domains and proper configuration of whole site in general to accept HTTPS connections only". The [https://media.blackhat.com/eu-13/briefings/Lundeen/bh-eu-13-deputies-still-confused-lundeen-wp.pdf Blackhat talk] by Rich Lundeen references these drawbacks.<br />
<br />
"''With double submit, if an attacker can write a cookie they can obviously defeat the protection. And again, writing cookies is significantly easier then reading them. The fact that cookies can be written is difficult for many people to understand. After all, doesn't the same origin policy specify that one domain cannot access cookies from another domain? However, there are two common scenarios where writing cookies across domains is possible:''<br />
<br />
''a) While it's true that hellokitty.marketing.example.com cannot read cookies or access the DOM from secure.example.com because of the same origin policy, hellokitty.marketing.example.com can write cookies to the parent domain (example.com), and these cookies are then consumed by secure.example.com (secure.example.com has no good way to distinguish which site set the cookie). Additionally, there are methods of forcing secure.example.com to always accept your cookie first. What this means is that XSS in hellokitty.marketing.example.com is able to overwrite cookies in secure.example.com.''<br />
<br />
''b) If an attacker is in the middle, they can usually force a request to the same domain over HTTP. If an application is hosted at <nowiki>https://secure.example.com</nowiki>, even if the cookies are set with the secure flag, a man in the middle can force connections to <nowiki>http://secure.example.com</nowiki> and set (overwrite) any arbitrary cookies (even though the secure flag prevents the attacker from reading those cookies). Even if the HSTS header is set on the server and the browser visiting the site supports HSTS (this would prevent a man in the middle from forcing plain text HTTP requests) unless the HSTS header is set in a way that includes all subdomains, a man in the middle can simply force a request to a separate subdomain and overwrite cookies similar to 1. In other words, as long as <nowiki>http://hellokitty.marketing.example.com</nowiki> doesn't force HTTPS, then an attacker can overwrite cookies on any example.com subdomain.''"<br />
<br />
So, unless you are sure that your subdomains are fully secured and only accept HTTPS connections (we believe it’s difficult to guarantee at large enterprises), you should not rely on the Double Submit Cookie technique as a primary mitigation for CSRF.<br />
<br />
A variant of double submit cookie that can mitigate both the risks mentioned above is including the token in an encrypted cookie - often within the authentication cookie - and then at the server side matching it (after decrypting the authentication cookie) with the token in hidden form field or parameter/header for ajax calls. This works because a sub domain has no way to over-write an properly crafted encrypted cookie without the necessary information such as encryption key.<br />
<br />
=== SameSite Cookie Attribute ===<br />
SameSite is a cookie attribute (similar to [[HttpOnly]], Secure etc.) introduced by Google to mitigate CSRF attacks. It is defined in [https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-02#section-5.3.7 this] Internet Draft. This attribute helps in preventing the browser from sending cookies along with cross-site requests. Possible values for this attribute are lax or strict.<br />
<br />
The strict value will prevent the cookie from being sent by the browser to the target site in all cross-site browsing context, even when following a regular link. For example, for a GitHub-like website this would mean that if a logged-in user follows a link to a private GitHub project posted on a corporate discussion forum or email, GitHub will not receive the session cookie and the user will not be able to access the project. A bank website however most likely doesn't want to allow any transactional pages to be linked from external sites, so the strict flag would be most appropriate.<br />
<br />
The default lax value provides a reasonable balance between security and usability for websites that want to maintain user's logged-in session after the user arrives from an external link. In the above GitHub scenario, the session cookie would be allowed when following a regular link from an external website while blocking it in CSRF-prone request methods such as POST. Only cross-site requests that are allowed in lax mode are the ones that have top-level navigations and are also “safe” HTTP methods (more details [https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-02#section-5.3.7.1 here]).<br />
<br />
Example of cookies using this attribute:<br />
<br />
<pre><br />
Set-Cookie: JSESSIONID=xxxxx; SameSite=Strict<br />
Set-Cookie: JSESSIONID=xxxxx; SameSite=Lax<br />
</pre><br />
<br />
Support for this attribute in different browsers is increasing but there are still browsers that need to adopt this. As of August 2018, SameSite attribute is on browsers used by 68.92% of Internet users (detailed statistics are [https://caniuse.com/#feat=same-site-cookie-attribute here]).<br />
<br />
Though this technique seems to be efficient in mitigating CSRF attacks, it is still in early stages (in [https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-02#section-5.3.7 draft]) and does not have full browser support as mentioned above. Google’s [https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-02#section-5.3.7 draft] also mentions a couple cases where forged requests can be simulated by attackers as same-site requests (and thus allowing to send SameSite cookies).<br />
<br />
Considering the factors above, it is not recommended to be used as a primary defense. Google agrees with this stance and strongly encourages developers to deploy server-side defenses such as tokens to mitigate CSRF more fully.<br />
<br />
=== Use of Custom Request Headers ===<br />
<br />
Adding CSRF tokens, a double submit cookie and value, encrypted token, or other defense that involves changing the UI can frequently be complex or otherwise problematic. An alternate defense that is particularly well suited for AJAX/XHR endpoints is the use of a custom request header. This defense relies on the [https://en.wikipedia.org/wiki/Same-origin_policy same-origin policy (SOP)] restriction that only JavaScript can be used to add a custom header, and only within its origin. By default, browsers do not allow JavaScript to make cross origin requests.<br />
<br />
A particularly attractive custom header and value to use is “X-Requested-With: XMLHttpRequest” because most JavaScript libraries already add this header to requests they generate by default. However, some do not. For example, AngularJS used to, but does not anymore. For more information, see [https://github.com/angular/angular.js/commit/3a75b1124d062f64093a90b26630938558909e8d their rationale] and how to add it back.<br />
<br />
If this is the case for your system, you can simply verify the presence of this header and value on all your server side AJAX endpoints in order to protect against CSRF attacks. This approach has the double advantage of usually requiring no UI changes and not introducing any server side state, which is particularly attractive to REST services. You can always add your own custom header and value if that is preferred.<br />
<br />
This defense technique is specifically discussed in section 4.3 of [https://seclab.stanford.edu/websec/csrf/csrf.pdf Robust Defenses for Cross-Site Request Forgery]. However, bypasses of this defense using Flash were documented as early as 2008 and again as recently as 2015 by Mathias Karlsson to [https://hackerone.com/reports/44146 exploit a CSRF flaw in Vimeo]. A Flash attack can't spoof the Origin or Referer headers, so by checking both of them we believe this combination of checks should prevent Flash bypass CSRF attacks (if any comes up in future). <br />
<br />
Besides any possible future bypasses such as Flash, using a static header will make it easy to exploit other state changing operations in the application (similar to the previous explanation on why ease of exploitation is easier in origin/referer header check than token based mitigation). Including a random token instead of static header value is more or less equal to the token based approach described in the Primary Defenses section. Developers also need to consider that if you are using this approach in an application with both Ajax calls and form tags, this technique would only help Ajax calls in protecting from CSRF and you would still need protect <form> tags with approaches described in this document such as tokens. Setting custom headers on form tags is not possible directly. Also, CORS configuration should also be robust to make this solution work effectively (as custom headers for requests coming from other domains trigger a pre-flight CORS check).<br />
<br />
=== User Interaction Based CSRF Defense ===<br />
<br />
While all the techniques referenced here do not require any user interaction, sometimes it’s easier or more appropriate to involve the user in the transaction to prevent unauthorized operations (forged via CSRF or otherwise). The following are some examples of techniques that can act as strong CSRF defense when implemented correctly.<br />
* Re-Authentication (password or stronger)<br />
* One-time Token<br />
* CAPTCHA<br />
While these are a very strong CSRF defense, it does create a huge impact on the user experience. For applications that are in need of high security for some operations (password change, money transfer etc.), these techniques should be used along with token based mitigation. Please note that tokens by themselves can mitigate CSRF, developers should use these techniques only to achieve additional security for their high sensitive operations.<br />
<br />
== Not So Popular CSRF Mitigations ==<br />
<br />
=== Triple Submit Cookie ===<br />
This mitigation is proposed by [https://www.owasp.org/images/e/e6/AppSecEU2012_Wilander.pdf John Wilander in 2012 at OWASP Appsec Research]. This technique adds an additional step to double submit cookie approach by verifying if the request contains two cookies with same name (please note, attacker need to write an additional cookie to bypass double submit cookie mitigation). Though it mitigates the issues discussed in bypass of double submit cookie, it introduces new problems such as cookie jar overflow (in-details and more issue details [https://media.blackhat.com/eu-13/briefings/Lundeen/bh-eu-13-deputies-still-confused-lundeen-wp.pdf here] and [https://webstersprodigy.net/2012/08/03/analysis-of-john-wilanders-triple-submit-cookies/ here]). We were not able to find any real-time implementations of this mitigation so far.<br />
<br />
=== Content-Type Header Validation ===<br />
This technique is better known than the triple submit cookie mitigation. In first place, this header is not designed for security (initial RFC [https://tools.ietf.org/html/rfc1049 here] and later well-defined in [https://www.ietf.org/rfc/rfc2045.txt this] RFC) but only to let receiving agents know the type of data they would be handling, so that they can invoke corresponding parsers. The pre-flighting behavior of this header (pre-flight if header has value other than application/x-www-form-urlencoded, multipart/form-data, or text/plain) is what treated as a CSRF mitigation and thus forcing all requests to have a header value that would force a pre-flight (such as application/json. Server side can reject cross-origin requests with CORS/SOP during this pre-flight).<br />
<br />
This approach has two main problems. One that it would mandate all requests to have a header value that would force pre-flight despite the real use case and the other that this technique is relying on a feature that is not designed for security, to mitigate a security vulnerability. When a bug was discovered in the Chrome API, browser architects even considered to removing this pre-flighting behavior. Because this header was not designed as a security control, architects can re-design it to better cater its primary purpose. In the future, there’s a possibility that new content-type header types can be included (to better support various use-cases), which can put systems relying on this header for CSRF mitigation in trouble. For more information, see [https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2017/september/common-csrf-prevention-misconceptions/ Common CSRF Prevention Misconceptions].<br />
<br />
== CSRF Mitigation Myths ==<br />
The following shows techniques presumed to be CSRF mitigations but none of them fully/actually mitigates a CSRF vulnerability.<br />
* '''CORS''': CORS is a header designed to relax Same-Origin-Policy when cross-origin communication between sites is required. It is not designed, nor prevents CSRF attacks.<br />
* '''Using HTTPS''': Using HTTPS has nothing to do with the protection from CSRF attacks. Resources that are under HTTPS are still vulnerable to CSRF if proper CSRF mitigations described above are not included.<br />
* More myths can be found [[Cross-Site Request Forgery (CSRF)|here]]<br />
<br />
== Personal Safety CSRF Tips for Users ==<br />
Since CSRF vulnerabilities are reportedly widespread, we recommend using the following best practices to mitigate risk. <br />
<br />
# Logoff immediately after using a Web application.<br />
# Do not allow your browser to save username/passwords, and do not allow sites to “remember” your login.<br />
# Do not use the same browser to access sensitive applications and to surf the Internet freely (tabbed browsing).<br />
# The use of plugins such as No-Script makes POST based CSRF vulnerabilities difficult to exploit. This is because JavaScript is used to automatically submit the form when the exploit is loaded. Without JavaScript, the attacker would have to trick the user into submitting the form manually.<br />
<br />
Integrated HTML-enabled mail/browser and newsreader/browser environments pose additional risks since simply viewing a mail message or a news message might lead to the execution of an attack. <br />
== Implementation reference example ==<br />
The following JEE web filter provides an example reference for some of the concepts described in this cheat sheet. It implements the following stateless mitigations ([https://github.com/aramrami/OWASP-CSRFGuard OWASP CSRFGuard], cover a stateful approach).<br />
* Verifying same origin with standard headers<br />
* Double submit cookie<br />
* SameSite cookie attribute<br />
'''Please note''' that it only acts a reference sample and is not complete (for example: it doesn’t have a block to direct the control flow when origin and referer header check succeeds nor it has a port/host/protocol level validation for referer header). Developers are recommended to build their complete mitigation on top of this reference sample. Developers should also implement standard authentication or authorization checks before checking for CSRF.<br />
<br />
Source is also located [https://github.com/righettod/poc-csrf here] and provides a runnable POC.<br />
<br />
<syntaxhighlight lang="java"><br />
import org.slf4j.Logger;<br />
import org.slf4j.LoggerFactory;<br />
<br />
import javax.servlet.Filter;<br />
import javax.servlet.FilterChain;<br />
import javax.servlet.FilterConfig;<br />
import javax.servlet.ServletException;<br />
import javax.servlet.ServletRequest;<br />
import javax.servlet.ServletResponse;<br />
import javax.servlet.annotation.WebFilter;<br />
import javax.servlet.http.Cookie;<br />
import javax.servlet.http.HttpServletRequest;<br />
import javax.servlet.http.HttpServletResponse;<br />
import javax.servlet.http.HttpServletResponseWrapper;<br />
import javax.xml.bind.DatatypeConverter;<br />
import java.io.IOException;<br />
import java.net.MalformedURLException;<br />
import java.net.URL;<br />
import java.security.SecureRandom;<br />
import java.util.Arrays;<br />
<br />
/**<br />
* Filter in charge of validating each incoming HTTP request about Headers and CSRF token.<br />
* It is called for all requests to backend destination.<br />
*<br />
* We use the approach in which:<br />
* - The CSRF token is changed after each valid HTTP exchange<br />
* - The custom Header name for the CSRF token transmission is fixed<br />
* - A CSRF token is associated to a backend service URI in order to enable the support for multiple parallel Ajax request from the same application<br />
* - The CSRF cookie name is the backend service name prefixed with a fixed prefix<br />
*<br />
* Here for the POC we show the "access denied" reason in the response but in production code only return a generic message !<br />
*<br />
* @see "https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet"<br />
* @see "https://wiki.mozilla.org/Security/Origin"<br />
* @see "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie"<br />
* @see "https://chloe.re/2016/04/13/goodbye-csrf-samesite-to-the-rescue/"<br />
*/<br />
@WebFilter("/backend/*")<br />
public class CSRFValidationFilter implements Filter {<br />
<br />
/**<br />
* JVM param name used to define the target origin<br />
*/<br />
public static final String TARGET_ORIGIN_JVM_PARAM_NAME = "target.origin";<br />
<br />
/**<br />
* Name of the custom HTTP header used to transmit the CSRF token and also to prefix <br />
* the CSRF cookie for the expected backend service<br />
*/<br />
private static final String CSRF_TOKEN_NAME = "X-TOKEN";<br />
<br />
/**<br />
* Logger<br />
*/<br />
private static final Logger LOG = LoggerFactory.getLogger(CSRFValidationFilter.class);<br />
<br />
/**<br />
* Application expected deployment domain: named "Target Origin" in OWASP CSRF article<br />
*/<br />
private URL targetOrigin;<br />
<br />
/***<br />
* Secure generator<br />
*/<br />
private final SecureRandom secureRandom = new SecureRandom();<br />
<br />
<br />
/**<br />
* {@inheritDoc}<br />
*/<br />
@Override<br />
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {<br />
HttpServletRequest httpReq = (HttpServletRequest) request;<br />
HttpServletResponse httpResp = (HttpServletResponse) response;<br />
String accessDeniedReason;<br />
<br />
/* STEP 1: Verifying Same Origin with Standard Headers */<br />
//Try to get the source from the "Origin" header<br />
String source = httpReq.getHeader("Origin");<br />
if (this.isBlank(source)) {<br />
//If empty then fallback on "Referer" header<br />
source = httpReq.getHeader("Referer");<br />
//If this one is empty too then we trace the event and we block the request (recommendation of the article)...<br />
if (this.isBlank(source)) {<br />
accessDeniedReason = "CSRFValidationFilter: ORIGIN and REFERER request headers are both absent/empty so we block the request !";<br />
LOG.warn(accessDeniedReason);<br />
httpResp.sendError(HttpServletResponse.SC_FORBIDDEN, accessDeniedReason);<br />
return;<br />
}<br />
}<br />
<br />
//Compare the source against the expected target origin<br />
URL sourceURL = new URL(source);<br />
if (!this.targetOrigin.getProtocol().equals(sourceURL.getProtocol()) || !this.targetOrigin.getHost().equals(sourceURL.getHost()) <br />
|| this.targetOrigin.getPort() != sourceURL.getPort()) {<br />
//One the part do not match so we trace the event and we block the request<br />
accessDeniedReason = String.format("CSRFValidationFilter: Protocol/Host/Port do not fully matches so we block the request! (%s != %s) ", <br />
this.targetOrigin, sourceURL);<br />
LOG.warn(accessDeniedReason);<br />
httpResp.sendError(HttpServletResponse.SC_FORBIDDEN, accessDeniedReason);<br />
return;<br />
}<br />
<br />
/* STEP 2: Verifying CSRF token using "Double Submit Cookie" approach */<br />
//If CSRF token cookie is absent from the request then we provide one in response but we stop the process at this stage.<br />
//Using this way we implement the first providing of token<br />
Cookie tokenCookie = null;<br />
if (httpReq.getCookies() != null) {<br />
String csrfCookieExpectedName = this.determineCookieName(httpReq);<br />
tokenCookie = Arrays.stream(httpReq.getCookies()).filter(c -> c.getName().equals(csrfCookieExpectedName)).findFirst().orElse(null);<br />
}<br />
if (tokenCookie == null || this.isBlank(tokenCookie.getValue())) {<br />
LOG.info("CSRFValidationFilter: CSRF cookie absent or value is null/empty so we provide one and return an HTTP NO_CONTENT response !");<br />
//Add the CSRF token cookie and header<br />
this.addTokenCookieAndHeader(httpReq, httpResp);<br />
//Set response state to "204 No Content" in order to allow the requester to clearly identify an initial response providing the initial CSRF token<br />
httpResp.setStatus(HttpServletResponse.SC_NO_CONTENT);<br />
} else {<br />
//If the cookie is present then we pass to validation phase<br />
//Get token from the custom HTTP header (part under control of the requester)<br />
String tokenFromHeader = httpReq.getHeader(CSRF_TOKEN_NAME);<br />
//If empty then we trace the event and we block the request<br />
if (this.isBlank(tokenFromHeader)) {<br />
accessDeniedReason = "CSRFValidationFilter: Token provided via HTTP Header is absent/empty so we block the request !";<br />
LOG.warn(accessDeniedReason);<br />
httpResp.sendError(HttpServletResponse.SC_FORBIDDEN, accessDeniedReason);<br />
} else if (!tokenFromHeader.equals(tokenCookie.getValue())) {<br />
//Verify that token from header and one from cookie are the same<br />
//Here is not the case so we trace the event and we block the request<br />
accessDeniedReason = "CSRFValidationFilter: Token provided via HTTP Header and via Cookie are not equals so we block the request !";<br />
LOG.warn(accessDeniedReason);<br />
httpResp.sendError(HttpServletResponse.SC_FORBIDDEN, accessDeniedReason);<br />
} else {<br />
//Verify that token from header and one from cookie matches<br />
//Here is the case so we let the request reach the target component (ServiceServlet, jsp...) and add a new token when we get back the bucket<br />
HttpServletResponseWrapper httpRespWrapper = new HttpServletResponseWrapper(httpResp);<br />
chain.doFilter(request, httpRespWrapper);<br />
//Add the CSRF token cookie and header<br />
this.addTokenCookieAndHeader(httpReq, httpRespWrapper);<br />
}<br />
}<br />
}<br />
<br />
/**<br />
* {@inheritDoc}<br />
*/<br />
@Override<br />
public void init(FilterConfig filterConfig) throws ServletException {<br />
//To easier the configuration, we load the target expected origin from an JVM property<br />
//Reconfiguration only require an application restart that is generally acceptable<br />
try {<br />
this.targetOrigin = new URL(System.getProperty(TARGET_ORIGIN_JVM_PARAM_NAME));<br />
} catch (MalformedURLException e) {<br />
LOG.error("Cannot init the filter !", e);<br />
throw new ServletException(e);<br />
}<br />
LOG.info("CSRFValidationFilter: Filter init, set expected target origin to '{}'.", this.targetOrigin);<br />
}<br />
<br />
/**<br />
* {@inheritDoc}<br />
*/<br />
@Override<br />
public void destroy() {<br />
LOG.info("CSRFValidationFilter: Filter shutdown");<br />
}<br />
<br />
/**<br />
* Check if a string is null or empty (including containing only spaces)<br />
*<br />
* @param s Source string<br />
* @return TRUE if source string is null or empty (including containing only spaces)<br />
*/<br />
private boolean isBlank(String s) {<br />
return s == null || s.trim().isEmpty();<br />
}<br />
<br />
/**<br />
* Generate a new CSRF token<br />
*<br />
* @return The token a string<br />
*/<br />
private String generateToken() {<br />
byte[] buffer = new byte[50];<br />
this.secureRandom.nextBytes(buffer);<br />
return DatatypeConverter.printHexBinary(buffer);<br />
}<br />
<br />
/**<br />
* Determine the name of the CSRF cookie for the targeted backend service<br />
*<br />
* @param httpRequest Source HTTP request<br />
* @return The name of the cookie as a string<br />
*/<br />
private String determineCookieName(HttpServletRequest httpRequest) {<br />
String backendServiceName = httpRequest.getRequestURI().replaceAll("/", "-");<br />
return CSRF_TOKEN_NAME + "-" + backendServiceName;<br />
}<br />
<br />
/**<br />
* Add the CSRF token cookie and header to the provided HTTP response object<br />
*<br />
* @param httpRequest Source HTTP request<br />
* @param httpResponse HTTP response object to update<br />
*/<br />
private void addTokenCookieAndHeader(HttpServletRequest httpRequest, HttpServletResponse httpResponse) {<br />
//Get new token<br />
String token = this.generateToken();<br />
//Add cookie manually because the current Cookie class implementation do not support the "SameSite" attribute<br />
//We let the adding of the "Secure" cookie attribute to the reverse proxy rewriting...<br />
//Here we lock the cookie from JS access and we use the SameSite new attribute protection<br />
String cookieSpec = String.format("%s=%s; Path=%s; HttpOnly; SameSite=Strict", this.determineCookieName(httpRequest), token, httpRequest.getRequestURI());<br />
httpResponse.addHeader("Set-Cookie", cookieSpec);<br />
//Add cookie header to give access to the token to the JS code<br />
httpResponse.setHeader(CSRF_TOKEN_NAME, token);<br />
}<br />
}<br />
</syntaxhighlight><br />
<br />
== Authors and Primary Editors ==<br />
Manideep Konakandla (Amazon Application Security Team) - http://www.manideepk.com<br />
<br />
Dave Wichers - dave.wichers[at]owasp.org<br />
<br />
Paul Petefish - https://www.linkedin.com/in/paulpetefish<br />
<br />
Eric Sheridan - eric.sheridan[at]owasp.org<br />
<br />
Dominique Righetto - dominique.righetto[at]owasp.org<br /><br />
<br />
== Other Cheat Sheets ==<br />
{{Cheatsheet_Navigation_Body}}<br />
<br />
|}<br />
<br />
[[Category:Cheatsheets]]<br />
[[Category:Popular]]</div>Wichershttps://wiki.owasp.org/index.php?title=Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet&diff=246803Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet2019-01-23T23:18:31Z<p>Wichers: </p>
<hr />
<div> __NOTOC__<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Cheatsheets-header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}''' <br />
<br />
__TOC__{{TOC hidden}}<br />
<br />
== Introduction ==<br />
[[Cross-Site Request Forgery (CSRF)]] is a type of attack that occurs when a malicious web site, email, blog, instant message, or program causes a user’s web browser to perform an unwanted action on a trusted site when the user is authenticated. A CSRF attack works because browser requests automatically include any credentials associated with the site, such as the user's session cookie, IP address, etc. Therefore, if the user is authenticated to the site, the site cannot distinguish between the forged or legitimate request sent by the victim. We would need a token/identifier that is not accessible to attacker and would not be sent along (like cookies) with forged requests that attacker initiates. For more information on CSRF, see OWASP [[Cross-Site Request Forgery (CSRF)|Cross-Site Request Forgery (CSRF) page]].<br />
<br />
The impact of a successful CSRF attack is limited to the capabilities exposed by the vulnerable application. For example, this attack could result in a transfer of funds, changing a password, or making a purchase with the user’s credentials. In effect, CSRF attacks are used by an attacker to make a target system perform a function via the target's browser, without the user’s knowledge, at least until the unauthorized transaction has been committed.<br />
<br />
Impacts of successful CSRF exploits vary greatly based on the privileges of each victim. When targeting a normal user, a successful CSRF attack can compromise end-user data and their associated functions. If the targeted end user is an administrator account, a CSRF attack can compromise the entire web application. Using social engineering, an attacker can embed malicious HTML or JavaScript code into an email or website to request a specific 'task URL'. The task then executes with or without the user's knowledge, either directly or by using a Cross-Site Scripting flaw. For example, see [https://en.wikipedia.org/wiki/Samy_(computer_worm) Samy MySpace Worm].<br />
<br />
== What's new? ==<br />
If you have seen OWASP [https://www.owasp.org/index.php?title=Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet&action=history old CSRF prevention cheat sheets], you can observe that a lot has changed in this newer version. One of the major changes is that the “Verifying same origin with standard headers” CSRF defense has been moved to the Defense-in-Depth section, whereas token based mitigation moved to the Primary Defenses section (technical reasons for this switch were added under respective sections). Multiple new sections (HMAC based token protection, auto CSRF mitigation techniques, login CSRF, not so popular CSRF mitigations and CSRF mitigation myths) were added besides adding new content, removing obsolete content to the existing sections. Security issues/caveats associated with each mitigation were also included.<br />
<br />
==Warning: No Cross-Site Scripting (XSS) Vulnerabilities ==<br />
[[Cross-Site Scripting]] is not necessary for CSRF to work. However, any cross-site scripting vulnerability can be used to defeat all CSRF mitigation techniques available in the market today (except mitigation techniques that involve user interaction and described later in this cheat sheet). This is because an XSS payload can simply read any page on the site using an XMLHttpRequest (direct DOM access can be done, if on same page) and obtain the generated token from the response, and include that token with a forged request. This technique is exactly how the [https://en.wikipedia.org/wiki/Samy_(computer_worm) MySpace (Samy) worm] defeated MySpace's anti-CSRF defenses in 2005, which enabled the worm to propagate.<br />
<br />
It is imperative that no XSS vulnerabilities are present to ensure that CSRF defenses can't be circumvented. Please see the OWASP [[XSS (Cross Site Scripting) Prevention Cheat Sheet|XSS Prevention Cheat Sheet]] for detailed guidance on how to prevent XSS flaws. <br />
<br />
== Resources that need to be protected from CSRF vulnerability ==<br />
The following list assumes that you are not violating [http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.1.1 RFC2616], section 9.1.1, by using GET requests for state changing operations. <br />
<br />
'''Note:''' If for any reason you violate, you would also need to protect those resources, which is mostly achieved with default <code>form tag [GET method]</code>, <code>href</code>, and <code>src</code> attributes. <br />
<br />
* Form tags with POST <br />
* Ajax/XHR calls<br />
<br />
== CSRF Defense Recommendations Summary ==<br />
We recommend token based CSRF defense (either stateful/stateless) as a primary defense to mitigate CSRF in your applications. Only for highly sensitive operations, we also recommend a user interaction based protection (either re-authentication/one-time token, detailed in section 7.5) along with token based mitigation.<br />
<br />
As a defense-in-depth measure, consider implementing one mitigation from the Defense-in-Depth Techniques section (you can choose the mitigation that fits your ecosystem considering the issues mentioned under them). These defense-in-depth mitigation techniques are not recommended to be used by themselves (without token based mitigation) for mitigating CSRF in your applications.<br />
<br />
== Primary Defense Techniques ==<br />
<br />
=== Token Based Mitigation ===<br />
This defense is one the most popular and recommended methods to mitigate CSRF. It can be achieved either with state (synchronizer token pattern) or stateless (encrypted/hash based token pattern). See section 6.3 on how to mitigate login CSRF in your applications. For all the mitigation's, it is implicit that general security principles should be adhered<br />
* Strong encryption/HMAC functions should be adhered to. <br />
'''Note:''' You can select any algorithm per your organizational needs. We recommend AES256-GCM for encryption and SHA256/512 for HMAC.<br />
* Strict key rotation and token lifetime policies should be maintained. Policies can be set according to your organizational needs. Generic key management guidance from OWASP can be found [[Key Management Cheat Sheet|here]].<br />
<br />
==== Synchronizer Token Pattern ====<br />
Any state changing operation requires a secure random token (e.g., CSRF token) to prevent CSRF attacks. A CSRF token should be unique per user session, large random value, and also generated by a cryptographically secure random number generator. The CSRF token is added as a hidden field for forms headers/parameters for AJAX calls, and within the URL if the state changing operation occurs via a GET. See "Disclosure of Token in URL" section below. The server rejects the requested action if the CSRF token fails validation.<br />
<br />
In order to facilitate a "transparent but visible" CSRF solution, developers are encouraged to adopt a pattern similar to [http://www.corej2eepatterns.com/Design/PresoDesign.htm Synchronizer Token Pattern] (The original intention of this synchronizer token pattern was to detect duplicate submissions in forms). The synchronizer token pattern requires the generation of random "challenge" tokens that are associated with the user's current session. These challenge tokens are then inserted within the HTML forms and calls associated with sensitive server-side operations. It is the responsibility of the server application to verify the existence and correctness of this token. By including a challenge token with each request, the developer has a strong control to verify that the user actually intended to submit the desired requests. Inclusion of a required security token in HTTP requests associated with sensitive business functions helps mitigate CSRF attacks as successful exploitation assumes the attacker knows the randomly generated token for the target victim's session. <br />
<br />
'''Note:''' These tokens aren’t like cookies that are automatically sent with forged requests made from your browser from the attacker website. <br />
<br />
This is analogous to the attacker being able to guess the target victim's session identifier. <br />
<br />
The following describes a general approach to incorporate challenge tokens within the request.<br />
<br />
When a Web application formulates a request, the application should include a hidden input parameter with a common name such as "CSRFToken" (for forms)/ as header/parameter value for Ajax calls. The value of this token must be randomly generated such that it cannot be guessed by an attacker. Consider leveraging the java.security.SecureRandom class for Java applications to generate a sufficiently long random token. Alternative generation algorithms include the use of 256-bit BASE64 encoded hashes. Developers that choose this generation algorithm must make sure that there is randomness and uniqueness utilized in the data that is hashed to generate the random token.<br />
<br />
<syntaxhighlight lang="html"><br />
<form action="/transfer.do" method="post"><br />
<br />
<input type="hidden" name="CSRFToken" <br />
value="OWY4NmQwODE4ODRjN2Q2NTlhMmZlYWEwYzU1YWQwMTVhM2JmNGYxYjJiMGI4MjJjZDE1ZDZMGYwMGEwOA=="><br />
...<br />
</form><br />
</syntaxhighlight><br />
<br />
In general, developers need only generate this token once for the current session. After initial generation of this token, the value is stored in the session and is used for each subsequent request until the session expires. When a request is issued by the end-user, the server-side component must verify the existence and validity of the token in the request compared to the token found in the user session. If the token was not found within the request, or the value provided does not match the value within the user session, then the request should be aborted, and the event logged as a potential CSRF attack in progress.<br />
<br />
To further enhance the security of this proposed design, consider randomizing the CSRF token parameter name and/or value for each request. Implementing this approach results in the generation of per-request tokens as opposed to per-session tokens. This is more secure than per-session tokens as the time range for an attacker to exploit the stolen tokens is minimal. However, this may result in usability concerns. For example, the "Back" button browser capability is often hindered as the previous page may contain a token that is no longer valid. Interaction with this previous page will result in a CSRF false positive security event at the server. Few applications that need high security typically implement this approach (such as banks). You have to check what suits your needs. Regardless of the approach taken, developers are encouraged to protect the CSRF token the same way they protect authenticated session identifiers, such as the use of TLS.<br />
<br />
'''Existing Synchronizer Implementations'''<br />
<br />
Synchronizer token defenses have been built into many frameworks, so we strongly recommend using them first when they are available. External components that add CSRF defenses to existing applications are also recommended. OWASP has the following: <br />
<br />
* For Java: OWASP [[CSRF Guard]]<br />
* For PHP and Apache: [[CSRFProtector Project]]<br />
<br />
'''Disclosure of Token in URL'''<br />
<br />
Some implementations of synchronizer tokens include the challenge token in GET (URL) requests as well as POST requests. This is often implemented as a result of sensitive server-side operations being invoked as a result of embedded links in the page or other general design patterns. These patterns are often implemented without knowledge of CSRF and an understanding of CSRF prevention design strategies. While this control does help mitigate the risk of CSRF attacks, the unique per-session token is being exposed for GET requests. CSRF tokens in GET requests are potentially leaked at several locations: browser history, log files, network appliances that make a point to log the first line of an HTTP request, and Referer headers if the protected site links to an external site. In the latter case (leaked CSRF token due to the Referer header being parsed by a linked site), it is trivially easy for the linked site to launch a CSRF attack on the protected site, and they will be able to target this attack very effectively, since the Referer header tells them the site as well as the CSRF token. The attack could be run entirely from JavaScript, so that a simple addition of a script tag to the HTML of a site can launch an attack (whether on an originally malicious site or on a hacked site). Additionally, since HTTPS requests from HTTPS contexts will not strip the Referer header (as opposed to HTTPS to HTTP requests) CSRF token leaks via Referer can still happen on HTTPS Applications.<br />
<br />
The ideal solution is to only include the CSRF token in POST requests and modify server-side actions that have state changing affect to only respond to POST requests. This is in fact what the <nowiki>RFC 2616</nowiki> requires for GET requests. If sensitive server-side actions are guaranteed to only ever respond to POST requests, then there is no need to include the token in GET requests.<br />
<br />
In most JavaEE web applications, however, HTTP method scoping is rarely ever utilized when retrieving HTTP parameters from a request. Calls to "HttpServletRequest.getParameter" will return a parameter value regardless if it was a GET or POST. This is not to say HTTP method scoping cannot be enforced. It can be achieved if a developer explicitly overrides doPost() in the HttpServlet class or leverages framework specific capabilities such as the AbstractFormController class in Spring.<br />
<br />
For these cases, attempting to retrofit this pattern in existing applications requires significant development time and cost, and as a temporary measure it may be better to pass CSRF tokens in the URL. Once the application has been fixed to respond to HTTP GET and POST verbs correctly, CSRF tokens for GET requests should be turned off.<br />
<br />
==== Encryption based Token Pattern ====<br />
The Encrypted Token Pattern leverages an encryption, rather than comparison method of Token-validation. It is most suitable for applications that do not want to maintain any state at server side. <br />
<br />
After successful authentication, the server generates a unique token comprised of the user's ID, a timestamp value and a [http://en.wikipedia.org/wiki/Cryptographic_nonce nonce], using a unique key available only on the server. This token is returned to the client and embedded in a hidden field for forms, in the request-header/parameter for AJAX requests. On receipt of this request, the server reads and decrypts the token value with the same key used to create the token. The inability to correctly decrypt suggests an intrusion attempt. Once decrypted, the UserId and timestamp contained within the token are validated; the UserId is compared against the currently logged in user, and the timestamp is compared against the current time.<br />
<br />
On successful token-decryption, the server has access to parsed values, ideally in the form of [http://en.wikipedia.org/wiki/Claims-based_identity claims]. These claims are processed by comparing the UserId claim to any potentially stored UserId (in a Cookie or Session variable, if the site already contains a means of authentication). The Timestamp is validated against the current time, preventing replay attacks. Alternatively, in the case of a CSRF attack, the server will be unable to decrypt the poisoned token, and can block and log the attack.<br />
<br />
This technique addresses some of the shortfalls in other stateless approaches, such as the need to store data in a Cookie, circumventing the Cookie-subdomain and [[HttpOnly]] issues.<br />
<br />
==== HMAC Based Token Pattern ====<br />
[https://en.wikipedia.org/wiki/HMAC HMAC (hash-based message authentication code)] is a cryptographic function that helps to guarantee integrity and authentication of a message. It is another way that CSRF mitigation can be achieved without maintaining any state at the server and is similar to an encryption token-based pattern with two main differences:<br />
* Uses a strong HMAC function instead of an encryption function to generate the token<br />
* Includes an additional field called ‘operation’ that would indicate the purpose of the operation for which you are including the CSRF token (may it be form tag/ajax call) <br />
(Ex: ‘oneclickpurchase’ (or) buy/asin=SDFH&category=2&quantity=3)<br />
<br />
'''Note:''' Fields mentioned in encryption token pattern (user's ID, a timestamp value and a nonce) are included. <br />
<br />
The operation field helps in mitigating the fact that the hash function generates the same value irrespective of multiple iterations (unlike strong encryption functions that generate different values when they are encrypted each time). So, it would help in avoiding having repeated token values across your application. Nonce field serves the same purpose as in encrypted token pattern (i.e., to avoid rare collisions due to weak cryptographic functions and acts as a defense-in-depth measure). <br />
<br />
Generate the token using HMAC including all four fields mentioned previously (user's ID, a timestamp value, nonce, and operation) and then include it in hidden fields for form tags, headers/parameters for ajax calls. Once you receive the HMAC from the client in the requests, re-generate HMAC with the same fields that you used to generate it, and then verify that the HMAC you re-generated matches the HMAC received from the client. If it does, it is a legitimate user request and if it does not, flag it as a CSRF intrusion and alert your incident response teams. Because an attacker has no visibility into the key used for generating the hash fields used in generating it, there is no way for them to re-generate it to use in forged request.<br />
<br />
=== Auto CSRF Mitigation Techniques ===<br />
Though the technique of mitigating tokens is widely used (stateful with synchronizer token and stateless with encrypted/HMAC token), the major problem associated with these techniques is the human tendency to forget things at times. If a developer forgets to add the token to any state changing operation, they are making the application vulnerable to CSRF. To avoid this, you can try to automate the process of adding tokens to CSRF vulnerable resources (mentioned earlier in this document). You can achieve this by doing the following:<br />
* Write wrappers (that would auto add tokens when used) around default form tags/ajax calls and educate your developers to use those wrappers instead of standard tags. Though this approach is better than depending purely on developers to add tokens, it still is vulnerable to the issue of human tendency to forget things. [https://docs.spring.io/spring-security/site/docs/3.2.0.CI-SNAPSHOT/reference/html/csrf.html Spring Security] uses this technique to add CSRF tokens by default when a custom <form:form> tag is used, you can opt to use after verifying that its enabled and properly configured in the Spring Security version you are using.<br />
* Write a hook (that would capture the traffic and add tokens to CSRF vulnerable resources before rendering to customers) in your organizational web rendering frameworks. Because it is hard to analyze when a particular response is doing any state change (and thus needing a token), you might want to include tokens in all CSRF vulnerable resources (ex: include tokens in all POST responses). This is one recommended approach, but you need to consider the performance costs it might incur.<br />
* Get the tokens automatically added on the client side when the page is being rendered in user’s browser, with help of a client side script (this approach is used by [[CSRF Guard]]). You need to consider any possible JavaScript hijacking attacks.<br />
We recommend researching if the framework you are using has an option to achieve CSRF protection by default before trying to build your custom auto tokening system. For example, .NET has an [https://docs.microsoft.com/en-us/aspnet/core/security/anti-request-forgery?view=aspnetcore-2.1 in-built protection] that adds token to CSRF vulnerable resources. You are responsible for proper configuration (such as key management and token management) before using these in-built CSRF protections that do auto tokening to CSRF vulnerable resources.<br />
<br />
=== Login CSRF ===<br />
Most developers tend to ignore CSRF vulnerability on login forms as they assume that CSRF would not be applicable on login forms because user is not authenticated at that stage. That assumption is false. CSRF vulnerability can still occur on login forms where the user is not authenticated, but the impact/risk view for it is quite different from the impact/risk view of a general CSRF vulnerability (when a user is authenticated).<br />
<br />
With a CSRF vulnerability on login form, an attacker can make a victim login to the attacker's account and learn behavior from the victim's searches. For more information about login CSRF and other risks, see section 3 of [https://seclab.stanford.edu/websec/csrf/csrf.pdf the Stanford CSRF] paper.<br />
<br />
Login CSRF can be mitigated by creating pre-sessions (sessions before a user is authenticated) and including tokens in login form. You can use any of the techniques mentioned above to generate tokens. Pre-sessions can be transitioned to real sessions once the user is authenticated. This technique is described in [https://seclab.stanford.edu/websec/csrf/csrf.pdf Robust Defenses for Cross-Site Request Forgery section 4.1].<br />
<br />
If sub-domains under your master domain are treated as not trusted in your threat model, it is difficult to mitigate login CSRF. A strict subdomain and path level referer header (because most login pages are served on HTTPS - no stripping of referer - and are also linked from home pages) validation (detailed in section 7.1) can be used in these cases for mitigating CSRF on login forms to an extent.<br />
<br />
== Defense-In-Depth Techniques ==<br />
<br />
=== Verifying origin with standard headers ===<br />
This defense technique is specifically proposed in section 5.0 of [https://seclab.stanford.edu/websec/csrf/csrf.pdf Robust Defenses for Cross-Site Request Forgery]. This paper proposes the first creation of the Origin header and its use as a CSRF defense mechanism.<br />
<br />
There are two steps to this mitigation, both of which rely on examining an HTTP request header value.<br />
<br />
1. Determining the origin the request is coming from (source origin). Can be done via Origin and/or referer header.<br />
<br />
2. Determining the origin the request is going to (target origin).<br />
<br />
At server side we verify if both of them match. If they do, we accept the request as legitimate (meaning it’s the same origin request) and if they don’t, we discard the request (meaning that the request originated from cross-domain). Reliability on these headers comes from the fact that they cannot be altered programmatically (using JavaScript in an XSS) as they fall under [https://developer.mozilla.org/en-US/docs/Glossary/Forbidden_header_name forbidden headers] list (i.e., only browsers can set them).<br />
<br />
====Identifying Source Origin (via Origin/Referer header) ====<br />
'''Checking the Origin Header'''<br />
<br />
If the Origin header is present, verify that its value matches the target origin. Unlike the Referer, the Origin header will be present in HTTP requests that originate from an HTTPS URL.<br />
<br />
'''Checking the Referer Header'''<br />
<br />
If the Origin header is not present, verify the hostname in the Referer header matches the target origin. This method of CSRF mitigation is also commonly used with unauthenticated requests, such as requests made prior to establishing a session state, which is required to keep track of a synchronization token.<br />
<br />
In both cases, make sure the target origin check is strong. For example, if your site is "site.com" make sure "site.com.attacker.com" does not pass your origin check (i.e., match through the trailing/after the origin to make sure you are matching against the entire origin).<br />
<br />
If neither of these headers are present, you can either accept or block the request. We recommend '''blocking'''. Alternatively, you might want to log all such instances, monitor their use cases/behavior, and then start blocking requests only after you get enough confidence.<br />
<br />
==== Identifying the Target Origin ====<br />
You might think it’s easy to determine the target origin, but it’s frequently not. The first thought is to simply grab the target origin (i.e., its hostname and port #) from the URL in the request. However, the application server is frequently sitting behind one or more proxies and the original URL is different from the URL the app server actually receives. If your application server is directly accessed by its users, then using the origin in the URL is fine and you're all set.<br />
<br />
If you are behind a proxy, there are a number of options to consider.<br />
* '''Configure your application to simply know its target origin:''' It’s your application, so you can find its target origin and set that value in some server configuration entry. This would be the most secure approach as its defined server side, so it is a trusted value. However, this might be problematic to maintain if your application is deployed in many places, e.g., dev, test, QA, production, and possibly multiple production instances. Setting the correct value for each of these situations might be difficult, but if you can do it via some central configuration and providing your instances to grab value from it, that's great! ('''Note:''' Make sure the centralized configuration store is maintained securely because major part of your CSRF defense depends on it.)<br />
<br />
* '''Use the Host header value:''' If you prefer that the application find its own target so it doesn't have to be configured for each deployed instance, we recommend using the Host family of headers. The Host header's purpose is to contain the target origin of the request. But, if your app server is sitting behind a proxy, the Host header value is most likely changed by the proxy to the target origin of the URL behind the proxy, which is different than the original URL. This modified Host header origin won't match the source origin in the original Origin or Referer headers.<br />
<br />
* '''Use the X-Forwarded-Host header value:''' To avoid the issue of proxy altering the host header, there is another header called X-Forwarded-Host, whose purpose is to contain the original Host header value the proxy received. Most proxies will pass along the original Host header value in the X-Forwarded-Host header. So that header value is likely to be the target origin value you need to compare to the source origin in the Origin or Referer header.<br />
<br />
This mitigation in earlier versions of the CSRF Cheat Sheet is treated as a primary defense. For reasons mentioned below, it is now moved to the Defense-in-Depth section.<br />
<br />
As it’s implicit, this mitigation would work properly when origin or referer headers are present in the requests. Though these headers are included '''majority''' of the time, there are few use cases where they are not included (most of them are for legitimate reasons to safeguard users privacy/to tune to browsers ecosystem). The following lists some use cases:<br />
* Internet Explorer 11 does not add the Origin header on a CORS request across sites of a trusted zone. The Referer header will remain the only indication of the UI origin. See the following references in stackoverflow [https://stackoverflow.com/questions/20784209/internet-explorer-11-does-not-add-the-origin-header-on-a-cors-request here] and [https://github.com/silverstripe/silverstripe-graphql/issues/118 here].<br />
* In an instance following a [https://stackoverflow.com/questions/22397072/are-there-any-browsers-that-set-the-origin-header-to-null-for-privacy-sensitiv 302 redirect cross-origin], Origin is not included in the redirected request because that may be considered sensitive information that should not be sent to the other origin.<br />
* There are some [https://wiki.mozilla.org/Security/Origin#Privacy-Sensitive_Contexts privacy contexts] where Origin is set to “null” For example, see the following [https://www.google.com/search?q=origin+header+sent+null+value+site%3Astackoverflow.com&oq=origin+header+sent+null+value+site%3Astackoverflow.com here].<br />
* Origin header is included for all cross origin requests but for same origin requests, in most browsers it is only included in POST/DELETE/PUT '''Note:''' Although it is not ideal, many developers use GET requests to do state changing operations.<br />
* Referer header is no exception. There are multiple use cases where referer header is omitted as well ([https://stackoverflow.com/questions/6880659/in-what-cases-will-http-referer-be-empty <nowiki>[1]</nowiki>], [https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referer <nowiki>[2]</nowiki>], [https://en.wikipedia.org/wiki/HTTP_referer#Referer_hiding <nowiki>[3]</nowiki>], [https://seclab.stanford.edu/websec/csrf/csrf.pdf <nowiki>[4]</nowiki>] and [https://www.google.com/search?q=referer+header+sent+null+value+site:stackoverflow.com <nowiki>[5]</nowiki>]). Load balancers, proxies and embedded network devices are also well known to strip the referer header due to privacy reasons in logging them.<br />
<br />
Though exceptions can be written for above cases in your source and target origin check logic, there is currently no central repository (even there is one, keeping it up-to-date is a problem) that references all such use cases. Each browser might also handle these use cases differently (browsers are known to handle things differently considering their ecosystem. IE example of not sending origin header within trusted zone is such example). Rejecting requests that do not contain origin and/or referer headers might sound like a good idea but it can impact legitimate users. Keeping this system in monitoring mode and trying to investigate use cases such as stated above, then adding them into exception logic is a process that you may consider to make this defense more stable in your environment.<br />
<br />
This CSRF defense relies on browser behavior that can change at times. For example, when new privacy contexts are discovered, under which situations you have to keep your validation logic updated, where as in token based mitigation, you have full control on the CSRF mitigation. If browsers alter CSRF tokens, they are literally changing the HTML content on rendering pages (which no browser would ever want to do!).<br />
<br />
When there is an XSS vulnerability on a page of an application protected with Origin and/or Referer header, the level of effort required to exploit state changing operations (that are typically vulnerable to CSRF) on other pages is very easy (grab the parameters and forge a request, as Origin and Referer header is included by default by browsers) than compared to token based mitigation (where attacker needs to download the target page, parse the DOM for the token, construct a forge request, and send it to server).<br />
<br />
'''Note:''' Although the concept of an origin header stemmed from [https://seclab.stanford.edu/websec/csrf/csrf.pdf the Stanford CSRF] paper that references robust CSRF defenses, the initial [https://tools.ietf.org/html/rfc6454 origin header RFC] does not reference mitigating CSRF in any way (another [https://tools.ietf.org/id/draft-abarth-origin-03.html draft version] does, however).<br />
<br />
=== Double Submit Cookie ===<br />
If maintaining the state for CSRF token at server side is problematic, an alternative defense is to use the double submit cookie technique. This technique is easy to implement and is stateless. In this technique, we send a random value in both a cookie and as a request parameter, with the server verifying if the cookie value and request value match. When a user visits (even before authenticating to prevent login CSRF), the site should generate a (cryptographically strong) pseudorandom value and set it as a cookie on the user's machine separate from the session identifier. The site then requires that every transaction request include this pseudorandom value as a hidden form value (or other request parameter/header). If both of them match at server side, the server accepts it as legitimate request and if they don’t, it would reject the request.<br />
<br />
There’s a belief that this technique would work because a cross origin attacker cannot read any data sent from the server or modify cookie values, per the same-origin policy. This means that while an attacker can force a victim to send any value with a malicious CSRF request, the attacker will be unable to modify or read the value stored in the cookie (with which the server compares the token value).<br />
<br />
There are a couple of drawbacks associated with the assumptions made here. The problem of "trusting of sub domains and proper configuration of whole site in general to accept HTTPS connections only". The [https://media.blackhat.com/eu-13/briefings/Lundeen/bh-eu-13-deputies-still-confused-lundeen-wp.pdf Blackhat talk] by Rich Lundeen references these drawbacks.<br />
<br />
"''With double submit, if an attacker can write a cookie they can obviously defeat the protection. And again, writing cookies is significantly easier then reading them. The fact that cookies can be written is difficult for many people to understand. After all, doesn't the same origin policy specify that one domain cannot access cookies from another domain? However, there are two common scenarios where writing cookies across domains is possible:''<br />
<br />
''a) While it's true that hellokitty.marketing.example.com cannot read cookies or access the DOM from secure.example.com because of the same origin policy, hellokitty.marketing.example.com can write cookies to the parent domain (example.com), and these cookies are then consumed by secure.example.com (secure.example.com has no good way to distinguish which site set the cookie). Additionally, there are methods of forcing secure.example.com to always accept your cookie first. What this means is that XSS in hellokitty.marketing.example.com is able to overwrite cookies in secure.example.com.''<br />
<br />
''b) If an attacker is in the middle, they can usually force a request to the same domain over HTTP. If an application is hosted at <nowiki>https://secure.example.com</nowiki>, even if the cookies are set with the secure flag, a man in the middle can force connections to <nowiki>http://secure.example.com</nowiki> and set (overwrite) any arbitrary cookies (even though the secure flag prevents the attacker from reading those cookies). Even if the HSTS header is set on the server and the browser visiting the site supports HSTS (this would prevent a man in the middle from forcing plain text HTTP requests) unless the HSTS header is set in a way that includes all subdomains, a man in the middle can simply force a request to a separate subdomain and overwrite cookies similar to 1. In other words, as long as <nowiki>http://hellokitty.marketing.example.com</nowiki> doesn't force HTTPS, then an attacker can overwrite cookies on any example.com subdomain.''"<br />
<br />
So, unless you are sure that your subdomains are fully secured and only accept HTTPS connections (we believe it’s difficult to guarantee at large enterprises), you should not rely on the Double Submit Cookie technique as a primary mitigation for CSRF.<br />
<br />
A variant of double submit cookie that can mitigate both the risks mentioned above is including the token in an encrypted cookie - often within the authentication cookie - and then at the server side matching it (after decrypting the authentication cookie) with the token in hidden form field or parameter/header for ajax calls. This works because a sub domain has no way to over-write an properly crafted encrypted cookie without the necessary information such as encryption key.<br />
<br />
=== SameSite Cookie Attribute ===<br />
SameSite is a cookie attribute (similar to [[HttpOnly]], Secure etc.) introduced by Google to mitigate CSRF attacks. It is defined in [https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-02#section-5.3.7 this] Internet Draft. This attribute helps in preventing the browser from sending cookies along with cross-site requests. Possible values for this attribute are lax or strict.<br />
<br />
The strict value will prevent the cookie from being sent by the browser to the target site in all cross-site browsing context, even when following a regular link. For example, for a GitHub-like website this would mean that if a logged-in user follows a link to a private GitHub project posted on a corporate discussion forum or email, GitHub will not receive the session cookie and the user will not be able to access the project. A bank website however most likely doesn't want to allow any transactional pages to be linked from external sites, so the strict flag would be most appropriate.<br />
<br />
The default lax value provides a reasonable balance between security and usability for websites that want to maintain user's logged-in session after the user arrives from an external link. In the above GitHub scenario, the session cookie would be allowed when following a regular link from an external website while blocking it in CSRF-prone request methods such as POST. Only cross-site requests that are allowed in lax mode are the ones that have top-level navigations and are also “safe” HTTP methods (more details [https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-02#section-5.3.7.1 here]).<br />
<br />
Example of cookies using this attribute:<br />
<br />
<pre><br />
Set-Cookie: JSESSIONID=xxxxx; SameSite=Strict<br />
Set-Cookie: JSESSIONID=xxxxx; SameSite=Lax<br />
</pre><br />
<br />
Support for this attribute in different browsers is increasing but there are still browsers that need to adopt this. As of August 2018, SameSite attribute is on browsers used by 68.92% of Internet users (detailed statistics are [https://caniuse.com/#feat=same-site-cookie-attribute here]).<br />
<br />
Though this technique seems to be efficient in mitigating CSRF attacks, it is still in early stages (in [https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-02#section-5.3.7 draft]) and does not have full browser support as mentioned above. Google’s [https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-02#section-5.3.7 draft] also mentions a couple cases where forged requests can be simulated by attackers as same-site requests (and thus allowing to send SameSite cookies).<br />
<br />
Considering the factors above, it is not recommended to be used as a primary defense. Google agrees with this stance and strongly encourages developers to deploy server-side defenses such as tokens to mitigate CSRF more fully.<br />
<br />
=== Use of Custom Request Headers ===<br />
<br />
Adding CSRF tokens, a double submit cookie and value, encrypted token, or other defense that involves changing the UI can frequently be complex or otherwise problematic. An alternate defense that is particularly well suited for AJAX/XHR endpoints is the use of a custom request header. This defense relies on the [https://en.wikipedia.org/wiki/Same-origin_policy same-origin policy (SOP)] restriction that only JavaScript can be used to add a custom header, and only within its origin. By default, browsers do not allow JavaScript to make cross origin requests.<br />
<br />
A particularly attractive custom header and value to use is “X-Requested-With: XMLHttpRequest” because most JavaScript libraries already add this header to requests they generate by default. However, some do not. For example, AngularJS used to, but does not anymore. For more information, see [https://github.com/angular/angular.js/commit/3a75b1124d062f64093a90b26630938558909e8d their rationale] and how to add it back.<br />
<br />
If this is the case for your system, you can simply verify the presence of this header and value on all your server side AJAX endpoints in order to protect against CSRF attacks. This approach has the double advantage of usually requiring no UI changes and not introducing any server side state, which is particularly attractive to REST services. You can always add your own custom header and value if that is preferred.<br />
<br />
This defense technique is specifically discussed in section 4.3 of [https://seclab.stanford.edu/websec/csrf/csrf.pdf Robust Defenses for Cross-Site Request Forgery]. However, bypasses of this defense using Flash were documented as early as 2008 and again as recently as 2015 by Mathias Karlsson to [https://hackerone.com/reports/44146 exploit a CSRF flaw in Vimeo]. A Flash attack can't spoof the Origin or Referer headers, so by checking both of them we believe this combination of checks should prevent Flash bypass CSRF attacks (if any comes up in future). <br />
<br />
Besides any possible future bypasses such as Flash, using a static header will make it easy to exploit other state changing operations in the application (similar to the previous explanation on why ease of exploitation is easier in origin/referer header check than token based mitigation). Including a random token instead of static header value is more or less equal to the token based approach described in the Primary Defenses section. Developers also need to consider that if you are using this approach in an application with both Ajax calls and form tags, this technique would only help Ajax calls in protecting from CSRF and you would still need protect <form> tags with approaches described in this document such as tokens. Setting custom headers on form tags is not possible directly. Also, CORS configuration should also be robust to make this solution work effectively (as custom headers for requests coming from other domains trigger a pre-flight CORS check).<br />
<br />
=== User Interaction Based CSRF Defense ===<br />
<br />
While all the techniques referenced here do not require any user interaction, sometimes it’s easier or more appropriate to involve the user in the transaction to prevent unauthorized operations (forged via CSRF or otherwise). The following are some examples of techniques that can act as strong CSRF defense when implemented correctly.<br />
* Re-Authentication (password or stronger)<br />
* One-time Token<br />
* CAPTCHA<br />
While these are a very strong CSRF defense, it does create a huge impact on the user experience. For applications that are in need of high security for some operations (password change, money transfer etc.), these techniques should be used along with token based mitigation. Please note that tokens by themselves can mitigate CSRF, developers should use these techniques only to achieve additional security for their high sensitive operations.<br />
<br />
== Not So Popular CSRF Mitigations ==<br />
<br />
=== Triple Submit Cookie ===<br />
This mitigation is proposed by John Wilander in 2012 at OWASP Appsec Research. This technique adds an additional step to double submit cookie approach by verifying if the request contains two cookies with same name (please note, attacker need to write an additional cookie to bypass double submit cookie mitigation). Though it mitigates the issues discussed in bypass of double submit cookie, it introduces new problems such as cookie jar overflow (in-details and more issue details [https://media.blackhat.com/eu-13/briefings/Lundeen/bh-eu-13-deputies-still-confused-lundeen-wp.pdf here] and [https://webstersprodigy.net/2012/08/03/analysis-of-john-wilanders-triple-submit-cookies/ here]). We were not able to find any real-time implementations of this mitigation so far.<br />
<br />
=== Content-Type Header Validation ===<br />
This technique is better known than the triple submit cookie mitigation. In first place, this header is not designed for security (initial RFC [https://tools.ietf.org/html/rfc1049 here] and later well-defined in [https://www.ietf.org/rfc/rfc2045.txt this] RFC) but only to let receiving agents know the type of data they would be handling, so that they can invoke corresponding parsers. The pre-flighting behavior of this header (pre-flight if header has value other than application/x-www-form-urlencoded, multipart/form-data, or text/plain) is what treated as a CSRF mitigation and thus forcing all requests to have a header value that would force a pre-flight (such as application/json. Server side can reject cross-origin requests with CORS/SOP during this pre-flight).<br />
<br />
This approach has two main problems. One that it would mandate all requests to have a header value that would force pre-flight despite the real use case and the other that this technique is relying on a feature that is not designed for security, to mitigate a security vulnerability. When a bug was discovered in the Chrome API, browser architects even considered to removing this pre-flighting behavior. Because this header was not designed as a security control, architects can re-design it to better cater its primary purpose. In the future, there’s a possibility that new content-type header types can be included (to better support various use-cases), which can put systems relying on this header for CSRF mitigation in trouble. For more information, see [https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2017/september/common-csrf-prevention-misconceptions/ Common CSRF Prevention Misconceptions].<br />
<br />
== CSRF Mitigation Myths ==<br />
The following shows techniques presumed to be CSRF mitigations but none of them fully/actually mitigates a CSRF vulnerability.<br />
* '''CORS''': CORS is a header designed to relax Same-Origin-Policy when cross-origin communication between sites is required. It is not designed, nor prevents CSRF attacks.<br />
* '''Using HTTPS''': Using HTTPS has nothing to do with the protection from CSRF attacks. Resources that are under HTTPS are still vulnerable to CSRF if proper CSRF mitigations described above are not included.<br />
* More myths can be found [[Cross-Site Request Forgery (CSRF)|here]]<br />
<br />
== Personal Safety CSRF Tips for Users ==<br />
Since CSRF vulnerabilities are reportedly widespread, we recommend using the following best practices to mitigate risk. <br />
<br />
# Logoff immediately after using a Web application.<br />
# Do not allow your browser to save username/passwords, and do not allow sites to “remember” your login.<br />
# Do not use the same browser to access sensitive applications and to surf the Internet freely (tabbed browsing).<br />
# The use of plugins such as No-Script makes POST based CSRF vulnerabilities difficult to exploit. This is because JavaScript is used to automatically submit the form when the exploit is loaded. Without JavaScript, the attacker would have to trick the user into submitting the form manually.<br />
<br />
Integrated HTML-enabled mail/browser and newsreader/browser environments pose additional risks since simply viewing a mail message or a news message might lead to the execution of an attack. <br />
== Implementation reference example ==<br />
The following JEE web filter provides an example reference for some of the concepts described in this cheat sheet. It implements the following stateless mitigations ([https://github.com/aramrami/OWASP-CSRFGuard OWASP CSRFGuard], cover a stateful approach).<br />
* Verifying same origin with standard headers<br />
* Double submit cookie<br />
* SameSite cookie attribute<br />
'''Please note''' that it only acts a reference sample and is not complete (for example: it doesn’t have a block to direct the control flow when origin and referer header check succeeds nor it has a port/host/protocol level validation for referer header). Developers are recommended to build their complete mitigation on top of this reference sample. Developers should also implement standard authentication or authorization checks before checking for CSRF.<br />
<br />
Source is also located [https://github.com/righettod/poc-csrf here] and provides a runnable POC.<br />
<br />
<syntaxhighlight lang="java"><br />
import org.slf4j.Logger;<br />
import org.slf4j.LoggerFactory;<br />
<br />
import javax.servlet.Filter;<br />
import javax.servlet.FilterChain;<br />
import javax.servlet.FilterConfig;<br />
import javax.servlet.ServletException;<br />
import javax.servlet.ServletRequest;<br />
import javax.servlet.ServletResponse;<br />
import javax.servlet.annotation.WebFilter;<br />
import javax.servlet.http.Cookie;<br />
import javax.servlet.http.HttpServletRequest;<br />
import javax.servlet.http.HttpServletResponse;<br />
import javax.servlet.http.HttpServletResponseWrapper;<br />
import javax.xml.bind.DatatypeConverter;<br />
import java.io.IOException;<br />
import java.net.MalformedURLException;<br />
import java.net.URL;<br />
import java.security.SecureRandom;<br />
import java.util.Arrays;<br />
<br />
/**<br />
* Filter in charge of validating each incoming HTTP request about Headers and CSRF token.<br />
* It is called for all requests to backend destination.<br />
*<br />
* We use the approach in which:<br />
* - The CSRF token is changed after each valid HTTP exchange<br />
* - The custom Header name for the CSRF token transmission is fixed<br />
* - A CSRF token is associated to a backend service URI in order to enable the support for multiple parallel Ajax request from the same application<br />
* - The CSRF cookie name is the backend service name prefixed with a fixed prefix<br />
*<br />
* Here for the POC we show the "access denied" reason in the response but in production code only return a generic message !<br />
*<br />
* @see "https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet"<br />
* @see "https://wiki.mozilla.org/Security/Origin"<br />
* @see "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie"<br />
* @see "https://chloe.re/2016/04/13/goodbye-csrf-samesite-to-the-rescue/"<br />
*/<br />
@WebFilter("/backend/*")<br />
public class CSRFValidationFilter implements Filter {<br />
<br />
/**<br />
* JVM param name used to define the target origin<br />
*/<br />
public static final String TARGET_ORIGIN_JVM_PARAM_NAME = "target.origin";<br />
<br />
/**<br />
* Name of the custom HTTP header used to transmit the CSRF token and also to prefix <br />
* the CSRF cookie for the expected backend service<br />
*/<br />
private static final String CSRF_TOKEN_NAME = "X-TOKEN";<br />
<br />
/**<br />
* Logger<br />
*/<br />
private static final Logger LOG = LoggerFactory.getLogger(CSRFValidationFilter.class);<br />
<br />
/**<br />
* Application expected deployment domain: named "Target Origin" in OWASP CSRF article<br />
*/<br />
private URL targetOrigin;<br />
<br />
/***<br />
* Secure generator<br />
*/<br />
private final SecureRandom secureRandom = new SecureRandom();<br />
<br />
<br />
/**<br />
* {@inheritDoc}<br />
*/<br />
@Override<br />
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {<br />
HttpServletRequest httpReq = (HttpServletRequest) request;<br />
HttpServletResponse httpResp = (HttpServletResponse) response;<br />
String accessDeniedReason;<br />
<br />
/* STEP 1: Verifying Same Origin with Standard Headers */<br />
//Try to get the source from the "Origin" header<br />
String source = httpReq.getHeader("Origin");<br />
if (this.isBlank(source)) {<br />
//If empty then fallback on "Referer" header<br />
source = httpReq.getHeader("Referer");<br />
//If this one is empty too then we trace the event and we block the request (recommendation of the article)...<br />
if (this.isBlank(source)) {<br />
accessDeniedReason = "CSRFValidationFilter: ORIGIN and REFERER request headers are both absent/empty so we block the request !";<br />
LOG.warn(accessDeniedReason);<br />
httpResp.sendError(HttpServletResponse.SC_FORBIDDEN, accessDeniedReason);<br />
return;<br />
}<br />
}<br />
<br />
//Compare the source against the expected target origin<br />
URL sourceURL = new URL(source);<br />
if (!this.targetOrigin.getProtocol().equals(sourceURL.getProtocol()) || !this.targetOrigin.getHost().equals(sourceURL.getHost()) <br />
|| this.targetOrigin.getPort() != sourceURL.getPort()) {<br />
//One the part do not match so we trace the event and we block the request<br />
accessDeniedReason = String.format("CSRFValidationFilter: Protocol/Host/Port do not fully matches so we block the request! (%s != %s) ", <br />
this.targetOrigin, sourceURL);<br />
LOG.warn(accessDeniedReason);<br />
httpResp.sendError(HttpServletResponse.SC_FORBIDDEN, accessDeniedReason);<br />
return;<br />
}<br />
<br />
/* STEP 2: Verifying CSRF token using "Double Submit Cookie" approach */<br />
//If CSRF token cookie is absent from the request then we provide one in response but we stop the process at this stage.<br />
//Using this way we implement the first providing of token<br />
Cookie tokenCookie = null;<br />
if (httpReq.getCookies() != null) {<br />
String csrfCookieExpectedName = this.determineCookieName(httpReq);<br />
tokenCookie = Arrays.stream(httpReq.getCookies()).filter(c -> c.getName().equals(csrfCookieExpectedName)).findFirst().orElse(null);<br />
}<br />
if (tokenCookie == null || this.isBlank(tokenCookie.getValue())) {<br />
LOG.info("CSRFValidationFilter: CSRF cookie absent or value is null/empty so we provide one and return an HTTP NO_CONTENT response !");<br />
//Add the CSRF token cookie and header<br />
this.addTokenCookieAndHeader(httpReq, httpResp);<br />
//Set response state to "204 No Content" in order to allow the requester to clearly identify an initial response providing the initial CSRF token<br />
httpResp.setStatus(HttpServletResponse.SC_NO_CONTENT);<br />
} else {<br />
//If the cookie is present then we pass to validation phase<br />
//Get token from the custom HTTP header (part under control of the requester)<br />
String tokenFromHeader = httpReq.getHeader(CSRF_TOKEN_NAME);<br />
//If empty then we trace the event and we block the request<br />
if (this.isBlank(tokenFromHeader)) {<br />
accessDeniedReason = "CSRFValidationFilter: Token provided via HTTP Header is absent/empty so we block the request !";<br />
LOG.warn(accessDeniedReason);<br />
httpResp.sendError(HttpServletResponse.SC_FORBIDDEN, accessDeniedReason);<br />
} else if (!tokenFromHeader.equals(tokenCookie.getValue())) {<br />
//Verify that token from header and one from cookie are the same<br />
//Here is not the case so we trace the event and we block the request<br />
accessDeniedReason = "CSRFValidationFilter: Token provided via HTTP Header and via Cookie are not equals so we block the request !";<br />
LOG.warn(accessDeniedReason);<br />
httpResp.sendError(HttpServletResponse.SC_FORBIDDEN, accessDeniedReason);<br />
} else {<br />
//Verify that token from header and one from cookie matches<br />
//Here is the case so we let the request reach the target component (ServiceServlet, jsp...) and add a new token when we get back the bucket<br />
HttpServletResponseWrapper httpRespWrapper = new HttpServletResponseWrapper(httpResp);<br />
chain.doFilter(request, httpRespWrapper);<br />
//Add the CSRF token cookie and header<br />
this.addTokenCookieAndHeader(httpReq, httpRespWrapper);<br />
}<br />
}<br />
}<br />
<br />
/**<br />
* {@inheritDoc}<br />
*/<br />
@Override<br />
public void init(FilterConfig filterConfig) throws ServletException {<br />
//To easier the configuration, we load the target expected origin from an JVM property<br />
//Reconfiguration only require an application restart that is generally acceptable<br />
try {<br />
this.targetOrigin = new URL(System.getProperty(TARGET_ORIGIN_JVM_PARAM_NAME));<br />
} catch (MalformedURLException e) {<br />
LOG.error("Cannot init the filter !", e);<br />
throw new ServletException(e);<br />
}<br />
LOG.info("CSRFValidationFilter: Filter init, set expected target origin to '{}'.", this.targetOrigin);<br />
}<br />
<br />
/**<br />
* {@inheritDoc}<br />
*/<br />
@Override<br />
public void destroy() {<br />
LOG.info("CSRFValidationFilter: Filter shutdown");<br />
}<br />
<br />
/**<br />
* Check if a string is null or empty (including containing only spaces)<br />
*<br />
* @param s Source string<br />
* @return TRUE if source string is null or empty (including containing only spaces)<br />
*/<br />
private boolean isBlank(String s) {<br />
return s == null || s.trim().isEmpty();<br />
}<br />
<br />
/**<br />
* Generate a new CSRF token<br />
*<br />
* @return The token a string<br />
*/<br />
private String generateToken() {<br />
byte[] buffer = new byte[50];<br />
this.secureRandom.nextBytes(buffer);<br />
return DatatypeConverter.printHexBinary(buffer);<br />
}<br />
<br />
/**<br />
* Determine the name of the CSRF cookie for the targeted backend service<br />
*<br />
* @param httpRequest Source HTTP request<br />
* @return The name of the cookie as a string<br />
*/<br />
private String determineCookieName(HttpServletRequest httpRequest) {<br />
String backendServiceName = httpRequest.getRequestURI().replaceAll("/", "-");<br />
return CSRF_TOKEN_NAME + "-" + backendServiceName;<br />
}<br />
<br />
/**<br />
* Add the CSRF token cookie and header to the provided HTTP response object<br />
*<br />
* @param httpRequest Source HTTP request<br />
* @param httpResponse HTTP response object to update<br />
*/<br />
private void addTokenCookieAndHeader(HttpServletRequest httpRequest, HttpServletResponse httpResponse) {<br />
//Get new token<br />
String token = this.generateToken();<br />
//Add cookie manually because the current Cookie class implementation do not support the "SameSite" attribute<br />
//We let the adding of the "Secure" cookie attribute to the reverse proxy rewriting...<br />
//Here we lock the cookie from JS access and we use the SameSite new attribute protection<br />
String cookieSpec = String.format("%s=%s; Path=%s; HttpOnly; SameSite=Strict", this.determineCookieName(httpRequest), token, httpRequest.getRequestURI());<br />
httpResponse.addHeader("Set-Cookie", cookieSpec);<br />
//Add cookie header to give access to the token to the JS code<br />
httpResponse.setHeader(CSRF_TOKEN_NAME, token);<br />
}<br />
}<br />
</syntaxhighlight><br />
<br />
== Authors and Primary Editors ==<br />
Manideep Konakandla (Amazon Application Security Team) - http://www.manideepk.com<br />
<br />
Dave Wichers - dave.wichers[at]owasp.org<br />
<br />
Paul Petefish - https://www.linkedin.com/in/paulpetefish<br />
<br />
Eric Sheridan - eric.sheridan[at]owasp.org<br />
<br />
Dominique Righetto - dominique.righetto[at]owasp.org<br /><br />
<br />
== Other Cheat Sheets ==<br />
{{Cheatsheet_Navigation_Body}}<br />
<br />
|}<br />
<br />
[[Category:Cheatsheets]]<br />
[[Category:Popular]]</div>Wichershttps://wiki.owasp.org/index.php?title=Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet&diff=246802Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet2019-01-23T23:01:47Z<p>Wichers: </p>
<hr />
<div> __NOTOC__<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Cheatsheets-header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}''' <br />
<br />
__TOC__{{TOC hidden}}<br />
<br />
== Introduction ==<br />
[[Cross-Site Request Forgery (CSRF)]] is a type of attack that occurs when a malicious web site, email, blog, instant message, or program causes a user’s web browser to perform an unwanted action on a trusted site when the user is authenticated. A CSRF attack works because browser requests automatically include any credentials associated with the site, such as the user's session cookie, IP address, etc. Therefore, if the user is authenticated to the site, the site cannot distinguish between the forged or legitimate request sent by the victim. We would need a token/identifier that is not accessible to attacker and would not be sent along (like cookies) with forged requests that attacker initiates. For more information on CSRF, see OWASP [[Cross-Site Request Forgery (CSRF)|Cross-Site Request Forgery (CSRF) page]].<br />
<br />
The impact of a successful CSRF attack is limited to the capabilities exposed by the vulnerable application. For example, this attack could result in a transfer of funds, changing a password, or making a purchase with the user’s credentials. In effect, CSRF attacks are used by an attacker to make a target system perform a function via the target's browser, without the user’s knowledge, at least until the unauthorized transaction has been committed.<br />
<br />
Impacts of successful CSRF exploits vary greatly based on the privileges of each victim. When targeting a normal user, a successful CSRF attack can compromise end-user data and their associated functions. If the targeted end user is an administrator account, a CSRF attack can compromise the entire web application. Using social engineering, an attacker can embed malicious HTML or JavaScript code into an email or website to request a specific 'task URL'. The task then executes with or without the user's knowledge, either directly or by using a Cross-Site Scripting flaw. For example, see [https://en.wikipedia.org/wiki/Samy_(computer_worm) Samy MySpace Worm].<br />
<br />
== What's new? ==<br />
If you have seen OWASP [https://www.owasp.org/index.php?title=Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet&action=history old CSRF prevention cheat sheets], you can observe that a lot has changed in this newer version. One of the major changes is that the “Verifying same origin with standard headers” CSRF defense has been moved to the Defense in Depth section, whereas token based mitigation moved to the Primary Defense section (technical reasons for this switch were added under respective sections). Multiple new sections (HMAC based token protection, auto CSRF mitigation techniques, login CSRF, not so popular CSRF mitigations and CSRF mitigation myths) were added besides adding new content, removing obsolete content to the existing sections. Security issues/caveats associated with each mitigation were also included.<br />
<br />
==Warning: No Cross-Site Scripting (XSS) Vulnerabilities ==<br />
[[Cross-Site Scripting]] is not necessary for CSRF to work. However, any cross-site scripting vulnerability can be used to defeat all CSRF mitigation techniques available in the market today (except mitigation techniques that involve user interaction and described later in this cheat sheet). This is because an XSS payload can simply read any page on the site using an XMLHttpRequest (direct DOM access can be done, if on same page) and obtain the generated token from the response, and include that token with a forged request. This technique is exactly how the [https://en.wikipedia.org/wiki/Samy_(computer_worm) MySpace (Samy) worm] defeated MySpace's anti-CSRF defenses in 2005, which enabled the worm to propagate.<br />
<br />
It is imperative that no XSS vulnerabilities are present to ensure that CSRF defenses can't be circumvented. Please see the OWASP [[XSS (Cross Site Scripting) Prevention Cheat Sheet|XSS Prevention Cheat Sheet]] for detailed guidance on how to prevent XSS flaws. <br />
<br />
== Resources that need to be protected from CSRF vulnerability ==<br />
The following list assumes that you are not violating [http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.1.1 RFC2616], section 9.1.1, by using GET requests for state changing operations. <br />
<br />
'''Note:''' If for any reason you violate, you would also need to protect those resources, which is mostly achieved with default <code>form tag [GET method]</code>, <code>href</code>, and <code>src</code> attributes. <br />
<br />
* Form tags with POST <br />
* Ajax/XHR calls<br />
<br />
== CSRF Defense Recommendations Summary ==<br />
We recommend token based CSRF defense (either stateful/stateless) as a primary defense to mitigate CSRF in your applications. Only for highly sensitive operations, we also recommend a user interaction based protection (either re-authentication/one-time token, detailed in section 7.5) along with token based mitigation.<br />
<br />
As a defense-in-depth measure, consider implementing one mitigation from Defense in Depth Mitigations section (you can choose the mitigation that fits your ecosystem considering the issues mentioned under them). These defense-in-depth mitigation techniques are not recommended to be used by themselves (without token based mitigation) for mitigating CSRF in your applications.<br />
<br />
== Primary Defense Technique ==<br />
<br />
=== Token Based Mitigation ===<br />
This defense is one the most popular and recommended methods to mitigate CSRF. It can be achieved either with state (synchronizer token pattern) or stateless (encrypted/hash based token pattern). See section 4.3 on how to mitigate login CSRF in your applications. For all the mitigation's, it is implicit that general security principles should be adhered<br />
* Strong encryption/HMAC functions should be adhered to. <br />
'''Note:''' You can select any algorithm per your organizational needs. We recommend AES256-GCM for encryption and SHA256/512 for HMAC.<br />
* Strict key rotation and token lifetime policies should be maintained. Policies can be set according to your organizational needs. Generic key management guidance from OWASP can be found [[Key Management Cheat Sheet|here]].<br />
<br />
==== Synchronizer Token Pattern ====<br />
Any state changing operation requires a secure random token (e.g., CSRF token) to prevent CSRF attacks. A CSRF token should be unique per user session, large random value, and also generated by a cryptographically secure random number generator. The CSRF token is added as a hidden field for forms headers/parameters for AJAX calls, and within the URL if the state changing operation occurs via a GET. See "Disclosure of Token in URL" section below. The server rejects the requested action if the CSRF token fails validation.<br />
<br />
In order to facilitate a "transparent but visible" CSRF solution, developers are encouraged to adopt a pattern similar to [http://www.corej2eepatterns.com/Design/PresoDesign.htm Synchronizer Token Pattern] (The original intention of this synchronizer token pattern was to detect duplicate submissions in forms). The synchronizer token pattern requires the generation of random "challenge" tokens that are associated with the user's current session. These challenge tokens are then inserted within the HTML forms and calls associated with sensitive server-side operations. It is the responsibility of the server application to verify the existence and correctness of this token. By including a challenge token with each request, the developer has a strong control to verify that the user actually intended to submit the desired requests. Inclusion of a required security token in HTTP requests associated with sensitive business functions helps mitigate CSRF attacks as successful exploitation assumes the attacker knows the randomly generated token for the target victim's session. <br />
<br />
'''Note:''' These tokens aren’t like cookies that are automatically sent with forged requests made from your browser from the attacker website. <br />
<br />
This is analogous to the attacker being able to guess the target victim's session identifier. <br />
<br />
The following describes a general approach to incorporate challenge tokens within the request.<br />
<br />
When a Web application formulates a request, the application should include a hidden input parameter with a common name such as "CSRFToken" (for forms)/ as header/parameter value for Ajax calls. The value of this token must be randomly generated such that it cannot be guessed by an attacker. Consider leveraging the java.security.SecureRandom class for Java applications to generate a sufficiently long random token. Alternative generation algorithms include the use of 256-bit BASE64 encoded hashes. Developers that choose this generation algorithm must make sure that there is randomness and uniqueness utilized in the data that is hashed to generate the random token.<br />
<br />
<syntaxhighlight lang="html"><br />
<form action="/transfer.do" method="post"><br />
<br />
<input type="hidden" name="CSRFToken" <br />
value="OWY4NmQwODE4ODRjN2Q2NTlhMmZlYWEwYzU1YWQwMTVhM2JmNGYxYjJiMGI4MjJjZDE1ZDZMGYwMGEwOA=="><br />
...<br />
</form><br />
</syntaxhighlight><br />
<br />
In general, developers need only generate this token once for the current session. After initial generation of this token, the value is stored in the session and is used for each subsequent request until the session expires. When a request is issued by the end-user, the server-side component must verify the existence and validity of the token in the request compared to the token found in the user session. If the token was not found within the request, or the value provided does not match the value within the user session, then the request should be aborted, and the event logged as a potential CSRF attack in progress.<br />
<br />
To further enhance the security of this proposed design, consider randomizing the CSRF token parameter name and/or value for each request. Implementing this approach results in the generation of per-request tokens as opposed to per-session tokens. This is more secure than per-session tokens as the time range for an attacker to exploit the stolen tokens is minimal. However, this may result in usability concerns. For example, the "Back" button browser capability is often hindered as the previous page may contain a token that is no longer valid. Interaction with this previous page will result in a CSRF false positive security event at the server. Few applications that need high security typically implement this approach (such as banks). You have to check what suits your needs. Regardless of the approach taken, developers are encouraged to protect the CSRF token the same way they protect authenticated session identifiers, such as the use of TLS.<br />
<br />
'''Existing Synchronizer Implementations'''<br />
<br />
Synchronizer token defenses have been built into many frameworks, so we strongly recommend using them first when they are available. External components that add CSRF defenses to existing applications are also recommended. OWASP has the following: <br />
<br />
* For Java: OWASP [[CSRF Guard]]<br />
* For PHP and Apache: [[CSRFProtector Project]]<br />
<br />
'''Disclosure of Token in URL'''<br />
<br />
Some implementations of synchronizer tokens include the challenge token in GET (URL) requests as well as POST requests. This is often implemented as a result of sensitive server-side operations being invoked as a result of embedded links in the page or other general design patterns. These patterns are often implemented without knowledge of CSRF and an understanding of CSRF prevention design strategies. While this control does help mitigate the risk of CSRF attacks, the unique per-session token is being exposed for GET requests. CSRF tokens in GET requests are potentially leaked at several locations: browser history, log files, network appliances that make a point to log the first line of an HTTP request, and Referer headers if the protected site links to an external site. In the latter case (leaked CSRF token due to the Referer header being parsed by a linked site), it is trivially easy for the linked site to launch a CSRF attack on the protected site, and they will be able to target this attack very effectively, since the Referer header tells them the site as well as the CSRF token. The attack could be run entirely from JavaScript, so that a simple addition of a script tag to the HTML of a site can launch an attack (whether on an originally malicious site or on a hacked site). Additionally, since HTTPS requests from HTTPS contexts will not strip the Referer header (as opposed to HTTPS to HTTP requests) CSRF token leaks via Referer can still happen on HTTPS Applications.<br />
<br />
The ideal solution is to only include the CSRF token in POST requests and modify server-side actions that have state changing affect to only respond to POST requests. This is in fact what the <nowiki>RFC 2616</nowiki> requires for GET requests. If sensitive server-side actions are guaranteed to only ever respond to POST requests, then there is no need to include the token in GET requests.<br />
<br />
In most JavaEE web applications, however, HTTP method scoping is rarely ever utilized when retrieving HTTP parameters from a request. Calls to "HttpServletRequest.getParameter" will return a parameter value regardless if it was a GET or POST. This is not to say HTTP method scoping cannot be enforced. It can be achieved if a developer explicitly overrides doPost() in the HttpServlet class or leverages framework specific capabilities such as the AbstractFormController class in Spring.<br />
<br />
For these cases, attempting to retrofit this pattern in existing applications requires significant development time and cost, and as a temporary measure it may be better to pass CSRF tokens in the URL. Once the application has been fixed to respond to HTTP GET and POST verbs correctly, CSRF tokens for GET requests should be turned off.<br />
<br />
==== Encryption based Token Pattern ====<br />
The Encrypted Token Pattern leverages an encryption, rather than comparison method of Token-validation. It is most suitable for applications that do not want to maintain any state at server side. <br />
<br />
After successful authentication, the server generates a unique token comprised of the user's ID, a timestamp value and a [http://en.wikipedia.org/wiki/Cryptographic_nonce nonce], using a unique key available only on the server. This token is returned to the client and embedded in a hidden field for forms, in the request-header/parameter for AJAX requests. On receipt of this request, the server reads and decrypts the token value with the same key used to create the token. The inability to correctly decrypt suggests an intrusion attempt. Once decrypted, the UserId and timestamp contained within the token are validated; the UserId is compared against the currently logged in user, and the timestamp is compared against the current time.<br />
<br />
On successful token-decryption, the server has access to parsed values, ideally in the form of [http://en.wikipedia.org/wiki/Claims-based_identity claims]. These claims are processed by comparing the UserId claim to any potentially stored UserId (in a Cookie or Session variable, if the site already contains a means of authentication). The Timestamp is validated against the current time, preventing replay attacks. Alternatively, in the case of a CSRF attack, the server will be unable to decrypt the poisoned token, and can block and log the attack.<br />
<br />
This technique addresses some of the shortfalls in other stateless approaches, such as the need to store data in a Cookie, circumventing the Cookie-subdomain and [[HttpOnly]] issues.<br />
<br />
==== HMAC Based Token Pattern ====<br />
[https://en.wikipedia.org/wiki/HMAC HMAC (hash-based message authentication code)] is a cryptographic function that helps to guarantee integrity and authentication of a message. It is another way that CSRF mitigation can be achieved without maintaining any state at the server and is similar to an encryption token-based pattern with two main differences:<br />
* Uses a strong HMAC function instead of an encryption function to generate the token<br />
* Includes an additional field called ‘operation’ that would indicate the purpose of the operation for which you are including the CSRF token (may it be form tag/ajax call) <br />
(Ex: ‘oneclickpurchase’ (or) buy/asin=SDFH&category=2&quantity=3)<br />
<br />
'''Note:''' Fields mentioned in encryption token pattern (user's ID, a timestamp value and a nonce) are included. <br />
<br />
The operation field helps in mitigating the fact that the hash function generates the same value irrespective of multiple iterations (unlike strong encryption functions that generate different values when they are encrypted each time). So, it would help in avoiding having repeated token values across your application. Nonce field serves the same purpose as in encrypted token pattern (i.e., to avoid rare collisions due to weak cryptographic functions and acts as a defense-in-depth measure). <br />
<br />
Generate the token using HMAC including all four fields mentioned previously (user's ID, a timestamp value, nonce, and operation) and then include it in hidden fields for form tags, headers/parameters for ajax calls. Once you receive the HMAC from the client in the requests, re-generate HMAC with the same fields that you used to generate it, and then verify that the HMAC you re-generated matches the HMAC received from the client. If it does, it is a legitimate user request and if it does not, flag it as a CSRF intrusion and alert your incident response teams. Because an attacker has no visibility into the key used for generating the hash fields used in generating it, there is no way for them to re-generate it to use in forged request.<br />
<br />
=== Auto CSRF Mitigation Techniques ===<br />
Though the technique of mitigating tokens is widely used (stateful with synchronizer token and stateless with encrypted/HMAC token), the major problem associated with these techniques is the human tendency to forget things at times. If a developer forgets to add the token to any state changing operation, they are making the application vulnerable to CSRF. To avoid this, you can try to automate the process of adding tokens to CSRF vulnerable resources (mentioned earlier in this document). You can achieve this by doing the following:<br />
* Write wrappers (that would auto add tokens when used) around default form tags/ajax calls and educate your developers to use those wrappers instead of standard tags. Though this approach is better than depending purely on developers to add tokens, it still is vulnerable to the issue of human tendency to forget things. [https://docs.spring.io/spring-security/site/docs/3.2.0.CI-SNAPSHOT/reference/html/csrf.html Spring Security] uses this technique to add CSRF tokens by default when a custom <form:form> tag is used, you can opt to use after verifying that its enabled and properly configured in the Spring Security version you are using.<br />
* Write a hook (that would capture the traffic and add tokens to CSRF vulnerable resources before rendering to customers) in your organizational web rendering frameworks. Because it is hard to analyze when a particular response is doing any state change (and thus needing a token), you might want to include tokens in all CSRF vulnerable resources (ex: include tokens in all POST responses). This is one recommended approach, but you need to consider the performance costs it might incur.<br />
* Get the tokens automatically added on the client side when the page is being rendered in user’s browser, with help of a client side script (this approach is used by [[CSRF Guard]]). You need to consider any possible JavaScript hijacking attacks.<br />
We recommend researching if the framework you are using has an option to achieve CSRF protection by default before trying to build your custom auto tokening system. For example, .NET has an [https://docs.microsoft.com/en-us/aspnet/core/security/anti-request-forgery?view=aspnetcore-2.1 in-built protection] that adds token to CSRF vulnerable resources. You are responsible for proper configuration (such as key management and token management) before using these in-built CSRF protections that do auto tokening to CSRF vulnerable resources.<br />
<br />
=== Login CSRF ===<br />
Most developers tend to ignore CSRF vulnerability on login forms as they assume that CSRF would not be applicable on login forms because user is not authenticated at that stage. That assumption is false. CSRF vulnerability can still occur on login forms where the user is not authenticated, but the impact/risk view for it is quite different from the impact/risk view of a general CSRF vulnerability (when a user is authenticated).<br />
<br />
With a CSRF vulnerability on login form, an attacker can make a victim login to the attacker's account and learn behavior from the victim's searches. For more information about login CSRF and other risks, see section 3 of [https://seclab.stanford.edu/websec/csrf/csrf.pdf the Stanford CSRF] paper.<br />
<br />
Login CSRF can be mitigated by creating pre-sessions (sessions before a user is authenticated) and including tokens in login form. You can use any of the techniques mentioned above to generate tokens. Pre-sessions can be transitioned to real sessions once the user is authenticated. This technique is described in [https://seclab.stanford.edu/websec/csrf/csrf.pdf Robust Defenses for Cross-Site Request Forgery section 4.1].<br />
<br />
If sub-domains under your master domain are treated as not trusty in your threat model, it is difficult to mitigate login CSRF. A strict subdomain and path level referer header (because most login pages are served on HTTPS - no stripping of referer - and are also linked from home pages) validation (detailed in section 6.1) can be used in these cases for mitigating CSRF on login forms to an extent.<br />
<br />
== Defense In Depth Techniques ==<br />
<br />
=== Verifying origin with standard headers ===<br />
This defense technique is specifically proposed in section 5.0 of [https://seclab.stanford.edu/websec/csrf/csrf.pdf Robust Defenses for Cross-Site Request Forgery]. This paper proposes the first creation of the Origin header and its use as a CSRF defense mechanism.<br />
<br />
There are two steps to this mitigation, both of which rely on examining an HTTP request header value.<br />
<br />
1. Determining the origin the request is coming from (source origin). Can be done via Origin and/or referer header.<br />
<br />
2. Determining the origin the request is going to (target origin).<br />
<br />
At server side we verify if both of them match. If they do, we accept the request as legitimate (meaning it’s the same origin request) and if they don’t, we discard the request (meaning that the request originated from cross-domain). Reliability on these headers comes from the fact that they cannot be altered programmatically (using JavaScript in an XSS) as they fall under [https://developer.mozilla.org/en-US/docs/Glossary/Forbidden_header_name forbidden headers] list (i.e., only browsers can set them).<br />
<br />
====Identifying Source Origin (via Origin/Referer header) ====<br />
'''Checking the Origin Header'''<br />
<br />
If the Origin header is present, verify that its value matches the target origin. Unlike the Referer, the Origin header will be present in HTTP requests that originate from an HTTPS URL.<br />
<br />
'''Checking the Referer Header'''<br />
<br />
If the Origin header is not present, verify the hostname in the Referer header matches the target origin. This method of CSRF mitigation is also commonly used with unauthenticated requests, such as requests made prior to establishing a session state, which is required to keep track of a synchronization token.<br />
<br />
In both cases, make sure the target origin check is strong. For example, if your site is "site.com" make sure "site.com.attacker.com" does not pass your origin check (i.e., match through the trailing/after the origin to make sure you are matching against the entire origin).<br />
<br />
If neither of these headers are present, you can either accept or block the request. We recommend '''blocking'''. Alternatively, you might want to log all such instances, monitor their use cases/behavior, and then start blocking requests only after you get enough confidence.<br />
<br />
==== Identifying the Target Origin ====<br />
You might think it’s easy to determine the target origin, but it’s frequently not. The first thought is to simply grab the target origin (i.e., its hostname and port #) from the URL in the request. However, the application server is frequently sitting behind one or more proxies and the original URL is different from the URL the app server actually receives. If your application server is directly accessed by its users, then using the origin in the URL is fine and you're all set.<br />
<br />
If you are behind a proxy, there are a number of options to consider.<br />
* '''Configure your application to simply know its target origin:''' It’s your application, so you can find its target origin and set that value in some server configuration entry. This would be the most secure approach as its defined server side, so it is a trusted value. However, this might be problematic to maintain if your application is deployed in many places, e.g., dev, test, QA, production, and possibly multiple production instances. Setting the correct value for each of these situations might be difficult, but if you can do it via some central configuration and providing your instances to grab value from it, that's great! ('''Note:''' Make sure the centralized configuration store is maintained securely because major part of your CSRF defense depends on it.)<br />
<br />
* '''Use the Host header value:''' If you prefer that the application find its own target so it doesn't have to be configured for each deployed instance, we recommend using the Host family of headers. The Host header's purpose is to contain the target origin of the request. But, if your app server is sitting behind a proxy, the Host header value is most likely changed by the proxy to the target origin of the URL behind the proxy, which is different than the original URL. This modified Host header origin won't match the source origin in the original Origin or Referer headers.<br />
<br />
* '''Use the X-Forwarded-Host header value:''' To avoid the issue of proxy altering the host header, there is another header called X-Forwarded-Host, whose purpose is to contain the original Host header value the proxy received. Most proxies will pass along the original Host header value in the X-Forwarded-Host header. So that header value is likely to be the target origin value you need to compare to the source origin in the Origin or Referer header.<br />
<br />
This mitigation in earlier versions of the CSRF Cheat Sheet is treated as a primary defense. For reasons mentioned below, it is now moved to the Defense-in-Depth section.<br />
<br />
As it’s implicit, this mitigation would work properly when origin or referer headers are present in the requests. Though these headers are included '''majority''' of the time, there are few use cases where they are not included (most of them are for legitimate reasons to safeguard users privacy/to tune to browsers ecosystem). The following lists some use cases:<br />
* Internet Explorer 11 does not add the Origin header on a CORS request across sites of a trusted zone. The Referer header will remain the only indication of the UI origin. See the following references in stackoverflow [https://stackoverflow.com/questions/20784209/internet-explorer-11-does-not-add-the-origin-header-on-a-cors-request here] and [https://github.com/silverstripe/silverstripe-graphql/issues/118 here].<br />
* In an instance following a [https://stackoverflow.com/questions/22397072/are-there-any-browsers-that-set-the-origin-header-to-null-for-privacy-sensitiv 302 redirect cross-origin], Origin is not included in the redirected request because that may be considered sensitive information that should not be sent to the other origin.<br />
* There are some [https://wiki.mozilla.org/Security/Origin#Privacy-Sensitive_Contexts privacy contexts] where Origin is set to “null” For example, see the following [https://www.google.com/search?q=origin+header+sent+null+value+site%3Astackoverflow.com&oq=origin+header+sent+null+value+site%3Astackoverflow.com here].<br />
* Origin header is included for all cross origin requests but for same origin requests, in most browsers it is only included in POST/DELETE/PUT '''Note:''' Although it is not ideal, many developers use GET requests to do state changing operations.<br />
* Referer header is no exception. There are multiple use cases where referer header is omitted as well ([https://stackoverflow.com/questions/6880659/in-what-cases-will-http-referer-be-empty <nowiki>[1]</nowiki>], [https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referer <nowiki>[2]</nowiki>], [https://en.wikipedia.org/wiki/HTTP_referer#Referer_hiding <nowiki>[3]</nowiki>], [https://seclab.stanford.edu/websec/csrf/csrf.pdf <nowiki>[4]</nowiki>] and [https://www.google.com/search?q=referer+header+sent+null+value+site:stackoverflow.com <nowiki>[5]</nowiki>]). Load balancers, proxies and embedded network devices are also well known to strip the referer header due to privacy reasons in logging them.<br />
<br />
Though exceptions can be written for above cases in your source and target origin check logic, there is currently no central repository (even there is one, keeping it up-to-date is a problem) that references all such use cases. Each browser might also handle these use cases differently (browsers are known to handle things differently considering their ecosystem. IE example of not sending origin header within trusted zone is such example). Rejecting requests that do not contain origin and/or referer headers might sound like a good idea but it can impact legitimate users. Keeping this system in monitoring mode and trying to investigate use cases such as stated above, then adding them into exception logic is a process that you may consider to make this defense more stable in your environment.<br />
<br />
This CSRF defense relies on browser behavior that can change at times. For example, when new privacy contexts are discovered, under which situations you have to keep your validation logic updated, where as in token based mitigation, you have full control on the CSRF mitigation. If browsers alter CSRF tokens, they are literally changing the HTML content on rendering pages (which no browser would ever want to do!).<br />
<br />
When there is an XSS vulnerability on a page of an application protected with Origin and/or Referer header, the level of effort required to exploit state changing operations (that are typically vulnerable to CSRF) on other pages is very easy (grab the parameters and forge a request, as Origin and Referer header is included by default by browsers) than compared to token based mitigation (where attacker needs to download the target page, parse the DOM for the token, construct a forge request, and send it to server).<br />
<br />
'''Note:''' Although the concept of an origin header stemmed from [https://seclab.stanford.edu/websec/csrf/csrf.pdf the Stanford CSRF] paper that references robust CSRF defenses, the initial [https://tools.ietf.org/html/rfc6454 origin header RFC] does not reference mitigating CSRF in any way (another [https://tools.ietf.org/id/draft-abarth-origin-03.html draft version] does, however).<br />
<br />
=== Double Submit Cookie ===<br />
If maintaining the state for CSRF token at server side is problematic, an alternative defense is to use the double submit cookie technique. This technique is easy to implement and is stateless. In this technique, we send a random value in both a cookie and as a request parameter, with the server verifying if the cookie value and request value match. When a user visits (even before authenticating to prevent login CSRF), the site should generate a (cryptographically strong) pseudorandom value and set it as a cookie on the user's machine separate from the session identifier. The site then requires that every transaction request include this pseudorandom value as a hidden form value (or other request parameter/header). If both of them match at server side, the server accepts it as legitimate request and if they don’t, it would reject the request.<br />
<br />
There’s a belief that this technique would work because a cross origin attacker cannot read any data sent from the server or modify cookie values, per the same-origin policy. This means that while an attacker can force a victim to send any value with a malicious CSRF request, the attacker will be unable to modify or read the value stored in the cookie (with which the server compares the token value).<br />
<br />
There are a couple of drawbacks associated with the assumptions made here. The problem of "trusting of sub domains and proper configuration of whole site in general to accept HTTPS connections only". The [https://media.blackhat.com/eu-13/briefings/Lundeen/bh-eu-13-deputies-still-confused-lundeen-wp.pdf Blackhat talk] by Rich Lundeen references these drawbacks.<br />
<br />
"''With double submit, if an attacker can write a cookie they can obviously defeat the protection. And again, writing cookies is significantly easier then reading them. The fact that cookies can be written is difficult for many people to understand. After all, doesn't the same origin policy specify that one domain cannot access cookies from another domain? However, there are two common scenarios where writing cookies across domains is possible:''<br />
<br />
''a) While it's true that hellokitty.marketing.example.com cannot read cookies or access the DOM from secure.example.com because of the same origin policy, hellokitty.marketing.example.com can write cookies to the parent domain (example.com), and these cookies are then consumed by secure.example.com (secure.example.com has no good way to distinguish which site set the cookie). Additionally, there are methods of forcing secure.example.com to always accept your cookie first. What this means is that XSS in hellokitty.marketing.example.com is able to overwrite cookies in secure.example.com.''<br />
<br />
''b) If an attacker is in the middle, they can usually force a request to the same domain over HTTP. If an application is hosted at <nowiki>https://secure.example.com</nowiki>, even if the cookies are set with the secure flag, a man in the middle can force connections to <nowiki>http://secure.example.com</nowiki> and set (overwrite) any arbitrary cookies (even though the secure flag prevents the attacker from reading those cookies). Even if the HSTS header is set on the server and the browser visiting the site supports HSTS (this would prevent a man in the middle from forcing plaintext HTTP requests) unless the HSTS header is set in a way that includes all subdomains, a man in the middle can simply force a request to a separate subdomain and overwrite cookies similar to 1. In other words, as long as <nowiki>http://hellokitty.marketing.example.com</nowiki> doesn't force HTTPS, then an attacker can overwrite cookies on any example.com subdomain.''"<br />
<br />
So, unless you are sure that your subdomains are fully secured and only accept HTTPS connections (we believe it’s difficult to guarantee at large enterprises), you should not rely on the Double Submit Cookie technique as a primary mitigation for CSRF.<br />
<br />
A variant of double submit cookie that can mitigate both the risks mentioned above is including the token in an encrypted cookie - often within the authentication cookie - and then at the server side matching it (after decrypting authentication cookie) with the token in hidden form field or parameter/header for ajax calls. This works because a sub domain has no way to over-write an properly crafted encrypted cookie without the necessary information such as encryption key.<br />
<br />
=== Samesite Cookie Attribute ===<br />
SameSite is a cookie attribute (similar to [[HttpOnly]], Secure etc.) introduced by Google to mitigate CSRF attacks. It is defined in [https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-02#section-5.3.7 this] Internet Draft. This attribute helps in preventing the browser from sending cookies along with cross-site requests. Possible values for this attribute are lax or strict.<br />
<br />
The strict value will prevent the cookie from being sent by the browser to the target site in all cross-site browsing context, even when following a regular link. For example, for a GitHub-like website this would mean that if a logged-in user follows a link to a private GitHub project posted on a corporate discussion forum or email, GitHub will not receive the session cookie and the user will not be able to access the project. A bank website however most likely doesn't want to allow any transactional pages to be linked from external sites, so the strict flag would be most appropriate.<br />
<br />
The default lax value provides a reasonable balance between security and usability for websites that want to maintain user's logged-in session after the user arrives from an external link. In the above GitHub scenario, the session cookie would be allowed when following a regular link from an external website while blocking it in CSRF-prone request methods such as POST. Only cross-site requests that are allowed in lax mode are the ones that have top-level navigations and are also “safe” HTTP methods (more details [https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-02#section-5.3.7.1 here]).<br />
<br />
Example of cookies using this attribute:<br />
<br />
<pre><br />
Set-Cookie: JSESSIONID=xxxxx; SameSite=Strict<br />
Set-Cookie: JSESSIONID=xxxxx; SameSite=Lax<br />
</pre><br />
<br />
Support for this attribute in different browsers is increasing but there are still browsers that need to adopt this. As of August 2018, SameSite attribute is on browsers used by 68.92% of Internet users (detailed statistics are [https://caniuse.com/#feat=same-site-cookie-attribute here]).<br />
<br />
Though this technique seems to be efficient in mitigating CSRF attacks, it is still in early stages (in [https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-02#section-5.3.7 draft]) and does not have full browser support as mentioned above. Google’s [https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-02#section-5.3.7 draft] also mentions a couple cases where forged requests can be simulated by attackers as same-site requests (and thus allowing to send SameSite cookies).<br />
<br />
Considering the factors above, it is not recommended to be used as a primary defense. Google agrees with this stance and strongly encourages developers to deploy server-side defenses such as tokens to mitigate CSRF more fully.<br />
<br />
=== Use of Custom Request Headers ===<br />
<br />
Adding CSRF tokens, a double submit cookie and value, encrypted token, or other defense that involves changing the UI can frequently be complex or otherwise problematic. An alternate defense that is particularly well suited for AJAX/XHR endpoints is the use of a custom request header. This defense relies on the [https://en.wikipedia.org/wiki/Same-origin_policy same-origin policy (SOP)] restriction that only JavaScript can be used to add a custom header, and only within its origin. By default, browsers do not allow JavaScript to make cross origin requests.<br />
<br />
A particularly attractive custom header and value to use is “X-Requested-With: XMLHttpRequest” because most JavaScript libraries already add this header to requests they generate by default. However, some do not. For example, AngularJS used to, but does not anymore. For more information, see [https://github.com/angular/angular.js/commit/3a75b1124d062f64093a90b26630938558909e8d their rationale] and how to add it back.<br />
<br />
If this is the case for your system, you can simply verify the presence of this header and value on all your server side AJAX endpoints in order to protect against CSRF attacks. This approach has the double advantage of usually requiring no UI changes and not introducing any server side state, which is particularly attractive to REST services. You can always add your own custom header and value if that is preferred.<br />
<br />
This defense technique is specifically discussed in section 4.3 of [https://seclab.stanford.edu/websec/csrf/csrf.pdf Robust Defenses for Cross-Site Request Forgery]. However, bypasses of this defense using Flash were documented as early as 2008 and again as recently as 2015 by Mathias Karlsson to [https://hackerone.com/reports/44146 exploit a CSRF flaw in Vimeo]. A Flash attack can't spoof the Origin or Referer headers, so by checking both of them we believe this combination of checks should prevent Flash bypass CSRF attacks (if any comes up in future). <br />
<br />
Besides any possible future bypasses such as Flash, using a static header will make it easy to exploit other state changing operations in the application (similar to the previous explanation on why ease of exploitation is easier in origin/referer header check than token based mitigation). Including a random token instead of static header value is more or less equal to the token based approach described in the primary defense section. Developers also need to consider that if you are using this approach in an application with both Ajax calls and form tags, this technique would only help Ajax calls in protecting from CSRF and you would still need protect <form> tags with approaches described in this document such as tokens. Setting custom headers on form tags is not possible directly. Also, CORS configuration should also be robust to make this solution work effectively (as custom headers for requests coming from other domains trigger a pre-flight CORS check).<br />
<br />
=== User Interaction Based CSRF Defense ===<br />
<br />
While all the techniques referenced here do not require any user interaction, sometimes it’s easier or more appropriate to involve the user in the transaction to prevent unauthorized operations (forged via CSRF or otherwise). The following are some examples of techniques that can act as strong CSRF defense when implemented correctly.<br />
* Re-Authentication (password or stronger)<br />
* One-time Token<br />
* CAPTCHA<br />
While these are a very strong CSRF defense, it does create a huge impact on the user experience. For applications that are in need of high security for some operations (password change, money transfer etc.), these techniques should be used along with token based mitigation. Please note that tokens by themselves can mitigate CSRF, developers should use these techniques only to achieve additional security for their high sensitive operations.<br />
<br />
== Not So Popular CSRF Mitigations ==<br />
<br />
=== Triple Submit Cookie ===<br />
This mitigation is proposed by John Wilander in 2012 at OWASP Appsec Research. This technique adds an additional step to double submit cookie approach by verifying if the request contains two cookies with same name (please note, attacker need to write an additional cookie to bypass double submit cookie mitigation). Though it mitigates the issues discussed in bypass of double submit cookie, it introduces new problems such as cookie jar overflow (in-details and more issue details [https://media.blackhat.com/eu-13/briefings/Lundeen/bh-eu-13-deputies-still-confused-lundeen-wp.pdf here] and [https://webstersprodigy.net/2012/08/03/analysis-of-john-wilanders-triple-submit-cookies/ here]). We were not able to find any real-time implementations of this mitigation so far.<br />
<br />
=== Content-Type Header Validation ===<br />
This technique is better known than the triple submit cookie mitigation. In first place, this header is not designed for security (initial RFC [https://tools.ietf.org/html/rfc1049 here] and later well-defined in [https://www.ietf.org/rfc/rfc2045.txt this] RFC) but only to let receiving agents know the type of data they would be handling, so that they can invoke corresponding parsers. The pre-flighting behavior of this header (pre-flight if header has value other than application/x-www-form-urlencoded, multipart/form-data, or text/plain) is what treated as a CSRF mitigation and thus forcing all requests to have a header value that would force a pre-flight (such as application/json. Server side can reject cross-origin requests with CORS/SOP during this pre-flight).<br />
<br />
This approach has two main problems. One that it would mandate all requests to have a header value that would force pre-flight despite the real use case and the other that this technique is relying on a feature that is not designed for security, to mitigate a security vulnerability. When a bug was discovered in the Chrome API, browser architects even considered to removing this pre-flighting behavior. Because this header was not designed as a security control, architects can re-design it to better cater its primary purpose. In the future, there’s a possibility that new content-type header types can be included (to better support various use-cases), which can put systems relying on this header for CSRF mitigation in trouble. For more information, see [https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2017/september/common-csrf-prevention-misconceptions/ Common CSRF Prevention Misconceptions].<br />
<br />
== CSRF Mitigation Myths ==<br />
The following shows techniques presumed to be CSRF mitigations but none of them fully/actually mitigates a CSRF vulnerability.<br />
* '''CORS''': CORS is a header designed to relax Same-Origin-Policy when cross-origin communication between sites is required. It is not designed, nor prevents CSRF attacks.<br />
* '''Using HTTPS''': Using HTTPS has nothing to do with the protection from CSRF attacks. Resources that are under HTTPS are still vulnerable to CSRF if proper CSRF mitigations described above are not included.<br />
* More myths can be found [[Cross-Site Request Forgery (CSRF)|here]]<br />
<br />
== Personal Safety CSRF Tips for Users ==<br />
Since CSRF vulnerabilities are reportedly widespread, we recommend using the following best practices to mitigate risk. <br />
<br />
# Logoff immediately after using a Web application.<br />
# Do not allow your browser to save username/passwords, and do not allow sites to “remember” your login.<br />
# Do not use the same browser to access sensitive applications and to surf the Internet freely (tabbed browsing).<br />
# The use of plugins such as No-Script makes POST based CSRF vulnerabilities difficult to exploit. This is because JavaScript is used to automatically submit the form when the exploit is loaded. Without JavaScript, the attacker would have to trick the user into submitting the form manually.<br />
<br />
Integrated HTML-enabled mail/browser and newsreader/browser environments pose additional risks since simply viewing a mail message or a news message might lead to the execution of an attack. <br />
== Implementation reference example ==<br />
The following JEE web filter provides an example reference for some of the concepts described in this cheat sheet. It implements the following stateless mitigations ([https://github.com/aramrami/OWASP-CSRFGuard OWASP CSRFGuard], cover a stateful approach).<br />
* Verifying same origin with standard headers<br />
* Double submit cookie<br />
* SameSite cookie attribute<br />
'''Please note''' that it only acts a reference sample and is not complete (for example: it doesn’t have a block to direct the control flow when origin and referer header check succeeds nor it has a port/host/protocol level validation for referer header). Developers are recommended to build their complete mitigation on top of this reference sample. Developers should also implement standard authentication or authorization checks before checking for CSRF.<br />
<br />
Source is also located [https://github.com/righettod/poc-csrf here] and provides a runnable POC.<br />
<br />
<syntaxhighlight lang="java"><br />
import org.slf4j.Logger;<br />
import org.slf4j.LoggerFactory;<br />
<br />
import javax.servlet.Filter;<br />
import javax.servlet.FilterChain;<br />
import javax.servlet.FilterConfig;<br />
import javax.servlet.ServletException;<br />
import javax.servlet.ServletRequest;<br />
import javax.servlet.ServletResponse;<br />
import javax.servlet.annotation.WebFilter;<br />
import javax.servlet.http.Cookie;<br />
import javax.servlet.http.HttpServletRequest;<br />
import javax.servlet.http.HttpServletResponse;<br />
import javax.servlet.http.HttpServletResponseWrapper;<br />
import javax.xml.bind.DatatypeConverter;<br />
import java.io.IOException;<br />
import java.net.MalformedURLException;<br />
import java.net.URL;<br />
import java.security.SecureRandom;<br />
import java.util.Arrays;<br />
<br />
/**<br />
* Filter in charge of validating each incoming HTTP request about Headers and CSRF token.<br />
* It is called for all requests to backend destination.<br />
*<br />
* We use the approach in which:<br />
* - The CSRF token is changed after each valid HTTP exchange<br />
* - The custom Header name for the CSRF token transmission is fixed<br />
* - A CSRF token is associated to a backend service URI in order to enable the support for multiple parallel Ajax request from the same application<br />
* - The CSRF cookie name is the backend service name prefixed with a fixed prefix<br />
*<br />
* Here for the POC we show the "access denied" reason in the response but in production code only return a generic message !<br />
*<br />
* @see "https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet"<br />
* @see "https://wiki.mozilla.org/Security/Origin"<br />
* @see "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie"<br />
* @see "https://chloe.re/2016/04/13/goodbye-csrf-samesite-to-the-rescue/"<br />
*/<br />
@WebFilter("/backend/*")<br />
public class CSRFValidationFilter implements Filter {<br />
<br />
/**<br />
* JVM param name used to define the target origin<br />
*/<br />
public static final String TARGET_ORIGIN_JVM_PARAM_NAME = "target.origin";<br />
<br />
/**<br />
* Name of the custom HTTP header used to transmit the CSRF token and also to prefix <br />
* the CSRF cookie for the expected backend service<br />
*/<br />
private static final String CSRF_TOKEN_NAME = "X-TOKEN";<br />
<br />
/**<br />
* Logger<br />
*/<br />
private static final Logger LOG = LoggerFactory.getLogger(CSRFValidationFilter.class);<br />
<br />
/**<br />
* Application expected deployment domain: named "Target Origin" in OWASP CSRF article<br />
*/<br />
private URL targetOrigin;<br />
<br />
/***<br />
* Secure generator<br />
*/<br />
private final SecureRandom secureRandom = new SecureRandom();<br />
<br />
<br />
/**<br />
* {@inheritDoc}<br />
*/<br />
@Override<br />
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {<br />
HttpServletRequest httpReq = (HttpServletRequest) request;<br />
HttpServletResponse httpResp = (HttpServletResponse) response;<br />
String accessDeniedReason;<br />
<br />
/* STEP 1: Verifying Same Origin with Standard Headers */<br />
//Try to get the source from the "Origin" header<br />
String source = httpReq.getHeader("Origin");<br />
if (this.isBlank(source)) {<br />
//If empty then fallback on "Referer" header<br />
source = httpReq.getHeader("Referer");<br />
//If this one is empty too then we trace the event and we block the request (recommendation of the article)...<br />
if (this.isBlank(source)) {<br />
accessDeniedReason = "CSRFValidationFilter: ORIGIN and REFERER request headers are both absent/empty so we block the request !";<br />
LOG.warn(accessDeniedReason);<br />
httpResp.sendError(HttpServletResponse.SC_FORBIDDEN, accessDeniedReason);<br />
return;<br />
}<br />
}<br />
<br />
//Compare the source against the expected target origin<br />
URL sourceURL = new URL(source);<br />
if (!this.targetOrigin.getProtocol().equals(sourceURL.getProtocol()) || !this.targetOrigin.getHost().equals(sourceURL.getHost()) <br />
|| this.targetOrigin.getPort() != sourceURL.getPort()) {<br />
//One the part do not match so we trace the event and we block the request<br />
accessDeniedReason = String.format("CSRFValidationFilter: Protocol/Host/Port do not fully matches so we block the request! (%s != %s) ", <br />
this.targetOrigin, sourceURL);<br />
LOG.warn(accessDeniedReason);<br />
httpResp.sendError(HttpServletResponse.SC_FORBIDDEN, accessDeniedReason);<br />
return;<br />
}<br />
<br />
/* STEP 2: Verifying CSRF token using "Double Submit Cookie" approach */<br />
//If CSRF token cookie is absent from the request then we provide one in response but we stop the process at this stage.<br />
//Using this way we implement the first providing of token<br />
Cookie tokenCookie = null;<br />
if (httpReq.getCookies() != null) {<br />
String csrfCookieExpectedName = this.determineCookieName(httpReq);<br />
tokenCookie = Arrays.stream(httpReq.getCookies()).filter(c -> c.getName().equals(csrfCookieExpectedName)).findFirst().orElse(null);<br />
}<br />
if (tokenCookie == null || this.isBlank(tokenCookie.getValue())) {<br />
LOG.info("CSRFValidationFilter: CSRF cookie absent or value is null/empty so we provide one and return an HTTP NO_CONTENT response !");<br />
//Add the CSRF token cookie and header<br />
this.addTokenCookieAndHeader(httpReq, httpResp);<br />
//Set response state to "204 No Content" in order to allow the requester to clearly identify an initial response providing the initial CSRF token<br />
httpResp.setStatus(HttpServletResponse.SC_NO_CONTENT);<br />
} else {<br />
//If the cookie is present then we pass to validation phase<br />
//Get token from the custom HTTP header (part under control of the requester)<br />
String tokenFromHeader = httpReq.getHeader(CSRF_TOKEN_NAME);<br />
//If empty then we trace the event and we block the request<br />
if (this.isBlank(tokenFromHeader)) {<br />
accessDeniedReason = "CSRFValidationFilter: Token provided via HTTP Header is absent/empty so we block the request !";<br />
LOG.warn(accessDeniedReason);<br />
httpResp.sendError(HttpServletResponse.SC_FORBIDDEN, accessDeniedReason);<br />
} else if (!tokenFromHeader.equals(tokenCookie.getValue())) {<br />
//Verify that token from header and one from cookie are the same<br />
//Here is not the case so we trace the event and we block the request<br />
accessDeniedReason = "CSRFValidationFilter: Token provided via HTTP Header and via Cookie are not equals so we block the request !";<br />
LOG.warn(accessDeniedReason);<br />
httpResp.sendError(HttpServletResponse.SC_FORBIDDEN, accessDeniedReason);<br />
} else {<br />
//Verify that token from header and one from cookie matches<br />
//Here is the case so we let the request reach the target component (ServiceServlet, jsp...) and add a new token when we get back the bucket<br />
HttpServletResponseWrapper httpRespWrapper = new HttpServletResponseWrapper(httpResp);<br />
chain.doFilter(request, httpRespWrapper);<br />
//Add the CSRF token cookie and header<br />
this.addTokenCookieAndHeader(httpReq, httpRespWrapper);<br />
}<br />
}<br />
}<br />
<br />
/**<br />
* {@inheritDoc}<br />
*/<br />
@Override<br />
public void init(FilterConfig filterConfig) throws ServletException {<br />
//To easier the configuration, we load the target expected origin from an JVM property<br />
//Reconfiguration only require an application restart that is generally acceptable<br />
try {<br />
this.targetOrigin = new URL(System.getProperty(TARGET_ORIGIN_JVM_PARAM_NAME));<br />
} catch (MalformedURLException e) {<br />
LOG.error("Cannot init the filter !", e);<br />
throw new ServletException(e);<br />
}<br />
LOG.info("CSRFValidationFilter: Filter init, set expected target origin to '{}'.", this.targetOrigin);<br />
}<br />
<br />
/**<br />
* {@inheritDoc}<br />
*/<br />
@Override<br />
public void destroy() {<br />
LOG.info("CSRFValidationFilter: Filter shutdown");<br />
}<br />
<br />
/**<br />
* Check if a string is null or empty (including containing only spaces)<br />
*<br />
* @param s Source string<br />
* @return TRUE if source string is null or empty (including containing only spaces)<br />
*/<br />
private boolean isBlank(String s) {<br />
return s == null || s.trim().isEmpty();<br />
}<br />
<br />
/**<br />
* Generate a new CSRF token<br />
*<br />
* @return The token a string<br />
*/<br />
private String generateToken() {<br />
byte[] buffer = new byte[50];<br />
this.secureRandom.nextBytes(buffer);<br />
return DatatypeConverter.printHexBinary(buffer);<br />
}<br />
<br />
/**<br />
* Determine the name of the CSRF cookie for the targeted backend service<br />
*<br />
* @param httpRequest Source HTTP request<br />
* @return The name of the cookie as a string<br />
*/<br />
private String determineCookieName(HttpServletRequest httpRequest) {<br />
String backendServiceName = httpRequest.getRequestURI().replaceAll("/", "-");<br />
return CSRF_TOKEN_NAME + "-" + backendServiceName;<br />
}<br />
<br />
/**<br />
* Add the CSRF token cookie and header to the provided HTTP response object<br />
*<br />
* @param httpRequest Source HTTP request<br />
* @param httpResponse HTTP response object to update<br />
*/<br />
private void addTokenCookieAndHeader(HttpServletRequest httpRequest, HttpServletResponse httpResponse) {<br />
//Get new token<br />
String token = this.generateToken();<br />
//Add cookie manually because the current Cookie class implementation do not support the "SameSite" attribute<br />
//We let the adding of the "Secure" cookie attribute to the reverse proxy rewriting...<br />
//Here we lock the cookie from JS access and we use the SameSite new attribute protection<br />
String cookieSpec = String.format("%s=%s; Path=%s; HttpOnly; SameSite=Strict", this.determineCookieName(httpRequest), token, httpRequest.getRequestURI());<br />
httpResponse.addHeader("Set-Cookie", cookieSpec);<br />
//Add cookie header to give access to the token to the JS code<br />
httpResponse.setHeader(CSRF_TOKEN_NAME, token);<br />
}<br />
}<br />
</syntaxhighlight><br />
<br />
== Authors and Primary Editors ==<br />
Manideep Konakandla (Amazon Application Security Team) - http://www.manideepk.com<br />
<br />
Dave Wichers - dave.wichers[at]owasp.org<br />
<br />
Paul Petefish - https://www.linkedin.com/in/paulpetefish<br />
<br />
Eric Sheridan - eric.sheridan[at]owasp.org<br />
<br />
Dominique Righetto - dominique.righetto[at]owasp.org<br /><br />
<br />
== Other Cheat Sheets ==<br />
{{Cheatsheet_Navigation_Body}}<br />
<br />
|}<br />
<br />
[[Category:Cheatsheets]]<br />
[[Category:Popular]]</div>Wichershttps://wiki.owasp.org/index.php?title=Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet&diff=246801Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet2019-01-23T22:38:50Z<p>Wichers: /* CSRF Defense Recommendations Summary */</p>
<hr />
<div> __NOTOC__<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Cheatsheets-header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}''' <br />
<br />
__TOC__{{TOC hidden}}<br />
<br />
== Introduction ==<br />
[[Cross-Site Request Forgery (CSRF)]] is a type of attack that occurs when a malicious web site, email, blog, instant message, or program causes a user’s web browser to perform an unwanted action on a trusted site when the user is authenticated. A CSRF attack works because browser requests automatically include any credentials associated with the site, such as the user's session cookie, IP address, etc. Therefore, if the user is authenticated to the site, the site cannot distinguish between the forged or legitimate request sent by the victim. We would need a token/identifier that is not accessible to attacker and would not be sent along (like cookies) with forged requests that attacker initiates. For more information on CSRF, see OWASP [[Cross-Site Request Forgery (CSRF)|Cross-Site Request Forgery (CSRF) page]].<br />
<br />
The impact of a successful CSRF attack is limited to the capabilities exposed by the vulnerable application. For example, this attack could result in a transfer of funds, changing a password, or making a purchase with the user’s credentials. In effect, CSRF attacks are used by an attacker to make a target system perform a function via the target's browser, without the user’s knowledge, at least until the unauthorized transaction has been committed.<br />
<br />
Impacts of successful CSRF exploits vary greatly based on the privileges of each victim. When targeting a normal user, a successful CSRF attack can compromise end-user data and their associated functions. If the targeted end user is an administrator account, a CSRF attack can compromise the entire web application. Using social engineering, an attacker can embed malicious HTML or JavaScript code into an email or website to request a specific 'task URL'. The task then executes with or without the user's knowledge, either directly or by using a Cross-Site Scripting flaw. For example, see [https://en.wikipedia.org/wiki/Samy_(computer_worm) Samy MySpace Worm].<br />
<br />
<br />
== What's new? ==<br />
If you have seen OWASP [https://www.owasp.org/index.php?title=Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet&action=history old CSRF prevention cheat sheets], you can observe that a lot has changed in this newer version. One of the major changes is that the “Verifying same origin with standard headers” CSRF defense has been moved to the Defense in Depth section, whereas token based mitigation moved to the Primary Defense section (technical reasons for this switch were added under respective sections). Multiple new sections (HMAC based token protection, auto CSRF mitigation techniques, login CSRF, not so popular CSRF mitigations and CSRF mitigation myths) were added besides adding new content, removing obsolete content to the existing sections. Security issues/caveats associated with each mitigation were also included.<br />
<br />
==Warning: No Cross-Site Scripting (XSS) Vulnerabilities ==<br />
[[Cross-Site Scripting]] is not necessary for CSRF to work. However, any cross-site scripting vulnerability can be used to defeat all CSRF mitigation techniques available in the market today (except mitigation techniques that involve user interaction and described later in this cheatsheet). This is because an XSS payload can simply read any page on the site using an XMLHttpRequest (direct DOM access can be done, if on same page) and obtain the generated token from the response, and include that token with a forged request. This technique is exactly how the [https://en.wikipedia.org/wiki/Samy_(computer_worm) MySpace (Samy) worm] defeated MySpace's anti-CSRF defenses in 2005, which enabled the worm to propagate.<br />
<br />
It is imperative that no XSS vulnerabilities are present to ensure that CSRF defenses can't be circumvented. Please see the OWASP [[XSS (Cross Site Scripting) Prevention Cheat Sheet|XSS Prevention Cheat Sheet]] for detailed guidance on how to prevent XSS flaws. <br />
<br />
== Resources that need to be protected from CSRF vulnerability ==<br />
The following list assumes that you are not violating [http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.1.1 RFC2616], section 9.1.1, by using GET requests for state changing operations. <br />
<br />
'''Note:''' If for any reason you violate, you would also need to protect those resources, which is mostly achieved with default <code>form tag [GET method]</code>, <code>href</code>, and <code>src</code> attributes. <br />
<br />
* Form tags with POST <br />
* Ajax/XHR calls<br />
<br />
== CSRF Defense Recommendations Summary ==<br />
We recommend token based CSRF defense (either stateful/stateless) as a primary defense to mitigate CSRF in your applications. Only for highly sensitive operations, we also recommend a user interaction based protection (either re-authentication/one-time token, detailed in section 7.5) along with token based mitigation.<br />
<br />
As a defense-in-depth measure, consider implementing one mitigation from Defense in Depth Mitigations section (you can choose the mitigation that fits your ecosystem considering the issues mentioned under them). These defense-in-depth mitigation techniques are not recommended to be used by themselves (without token based mitigation) for mitigating CSRF in your applications.<br />
<br />
== Primary Defense Technique ==<br />
<br />
=== Token Based Mitigation ===<br />
This defense is one the most popular and recommended methods to mitigate CSRF. It can be achieved either with state (synchronizer token pattern) or stateless (encrypted/hash based token pattern). See section 4.3 on how to mitigate login CSRF in your applications. For all the mitigation's, it is implicit that general security principles should be adhered<br />
* Strong encryption/HMAC functions should be adhered to. <br />
'''Note:''' You can select any algorithm per your organizational needs. We recommend AES256-GCM for encryption and SHA256/512 for HMAC.<br />
* Strict key rotation and token lifetime policies should be maintained. Policies can be set according to your organizational needs. Generic key management guidance from OWASP can be found [[Key Management Cheat Sheet|here]].<br />
<br />
==== Synchronizer Token Pattern ====<br />
Any state changing operation requires a secure random token (e.g., CSRF token) to prevent CSRF attacks. A CSRF token should be unique per user session, large random value, and also generated by a cryptographically secure random number generator. The CSRF token is added as a hidden field for forms headers/parameters for AJAX calls, and within the URL if the state changing operation occurs via a GET. See "Disclosure of Token in URL" section below. The server rejects the requested action if the CSRF token fails validation.<br />
<br />
In order to facilitate a "transparent but visible" CSRF solution, developers are encouraged to adopt a pattern similar to [http://www.corej2eepatterns.com/Design/PresoDesign.htm Synchronizer Token Pattern] (The original intention of this synchronizer token pattern was to detect duplicate submissions in forms). The synchronizer token pattern requires the generation of random "challenge" tokens that are associated with the user's current session. These challenge tokens are then inserted within the HTML forms and calls associated with sensitive server-side operations. It is the responsibility of the server application to verify the existence and correctness of this token. By including a challenge token with each request, the developer has a strong control to verify that the user actually intended to submit the desired requests. Inclusion of a required security token in HTTP requests associated with sensitive business functions helps mitigate CSRF attacks as successful exploitation assumes the attacker knows the randomly generated token for the target victim's session. <br />
<br />
'''Note:''' These tokens aren’t like cookies that are automatically sent with forged requests made from your browser from the attacker website. <br />
<br />
This is analogous to the attacker being able to guess the target victim's session identifier. <br />
<br />
The following describes a general approach to incorporate challenge tokens within the request.<br />
<br />
When a Web application formulates a request, the application should include a hidden input parameter with a common name such as "CSRFToken" (for forms)/ as header/parameter value for Ajax calls. The value of this token must be randomly generated such that it cannot be guessed by an attacker. Consider leveraging the java.security.SecureRandom class for Java applications to generate a sufficiently long random token. Alternative generation algorithms include the use of 256-bit BASE64 encoded hashes. Developers that choose this generation algorithm must make sure that there is randomness and uniqueness utilized in the data that is hashed to generate the random token.<br />
<br />
<syntaxhighlight lang="html"><br />
<form action="/transfer.do" method="post"><br />
<br />
<input type="hidden" name="CSRFToken" <br />
value="OWY4NmQwODE4ODRjN2Q2NTlhMmZlYWEwYzU1YWQwMTVhM2JmNGYxYjJiMGI4MjJjZDE1ZDZMGYwMGEwOA=="><br />
...<br />
</form><br />
</syntaxhighlight><br />
<br />
In general, developers need only generate this token once for the current session. After initial generation of this token, the value is stored in the session and is used for each subsequent request until the session expires. When a request is issued by the end-user, the server-side component must verify the existence and validity of the token in the request compared to the token found in the user session. If the token was not found within the request, or the value provided does not match the value within the user session, then the request should be aborted, and the event logged as a potential CSRF attack in progress.<br />
<br />
To further enhance the security of this proposed design, consider randomizing the CSRF token parameter name and/or value for each request. Implementing this approach results in the generation of per-request tokens as opposed to per-session tokens. This is more secure than per-session tokens as the time range for an attacker to exploit the stolen tokens is minimal. However, this may result in usability concerns. For example, the "Back" button browser capability is often hindered as the previous page may contain a token that is no longer valid. Interaction with this previous page will result in a CSRF false positive security event at the server. Few applications that need high security typically implement this approach (such as banks). You have to check what suits your needs. Regardless of the approach taken, developers are encouraged to protect the CSRF token the same way they protect authenticated session identifiers, such as the use of TLS.<br />
<br />
'''Existing Synchronizer Implementations'''<br />
<br />
Synchronizer token defenses have been built into many frameworks, so we strongly recommend using them first when they are available. External components that add CSRF defenses to existing applications are also recommended. OWASP has the following: <br />
<br />
* For Java: OWASP [[CSRF Guard]]<br />
* For PHP and Apache: [[CSRFProtector Project]]<br />
<br />
'''Disclosure of Token in URL'''<br />
<br />
Some implementations of synchronizer tokens include the challenge token in GET (URL) requests as well as POST requests. This is often implemented as a result of sensitive server-side operations being invoked as a result of embedded links in the page or other general design patterns. These patterns are often implemented without knowledge of CSRF and an understanding of CSRF prevention design strategies. While this control does help mitigate the risk of CSRF attacks, the unique per-session token is being exposed for GET requests. CSRF tokens in GET requests are potentially leaked at several locations: browser history, log files, network appliances that make a point to log the first line of an HTTP request, and Referer headers if the protected site links to an external site. In the latter case (leaked CSRF token due to the Referer header being parsed by a linked site), it is trivially easy for the linked site to launch a CSRF attack on the protected site, and they will be able to target this attack very effectively, since the Referer header tells them the site as well as the CSRF token. The attack could be run entirely from JavaScript, so that a simple addition of a script tag to the HTML of a site can launch an attack (whether on an originally malicious site or on a hacked site). Additionally, since HTTPS requests from HTTPS contexts will not strip the Referer header (as opposed to HTTPS to HTTP requests) CSRF token leaks via Referer can still happen on HTTPS Applications.<br />
<br />
The ideal solution is to only include the CSRF token in POST requests and modify server-side actions that have state changing affect to only respond to POST requests. This is in fact what the <nowiki>RFC 2616</nowiki> requires for GET requests. If sensitive server-side actions are guaranteed to only ever respond to POST requests, then there is no need to include the token in GET requests.<br />
<br />
In most JavaEE web applications, however, HTTP method scoping is rarely ever utilized when retrieving HTTP parameters from a request. Calls to "HttpServletRequest.getParameter" will return a parameter value regardless if it was a GET or POST. This is not to say HTTP method scoping cannot be enforced. It can be achieved if a developer explicitly overrides doPost() in the HttpServlet class or leverages framework specific capabilities such as the AbstractFormController class in Spring.<br />
<br />
For these cases, attempting to retrofit this pattern in existing applications requires significant development time and cost, and as a temporary measure it may be better to pass CSRF tokens in the URL. Once the application has been fixed to respond to HTTP GET and POST verbs correctly, CSRF tokens for GET requests should be turned off.<br />
<br />
==== Encryption based Token Pattern ====<br />
The Encrypted Token Pattern leverages an encryption, rather than comparison method of Token-validation. It is most suitable for applications that do not want to maintain any state at server side. <br />
<br />
After successful authentication, the server generates a unique token comprised of the user's ID, a timestamp value and a [http://en.wikipedia.org/wiki/Cryptographic_nonce nonce], using a unique key available only on the server. This token is returned to the client and embedded in a hidden field for forms, in the request-header/parameter for AJAX requests. On receipt of this request, the server reads and decrypts the token value with the same key used to create the token. Inability to correctly decrypt suggest an intrusion attempt. Once decrypted, the UserId and timestamp contained within the token are validated; the UserId is compared against the currently logged in user, and the timestamp is compared against the current time.<br />
<br />
On successful token-decryption, the server has access to parsed values, ideally in the form of [http://en.wikipedia.org/wiki/Claims-based_identity claims]. These claims are processed by comparing the UserId claim to any potentially stored UserId (in a Cookie or Session variable, if the site already contains a means of authentication). The Timestamp is validated against the current time, preventing replay attacks. Alternatively, in the case of a CSRF attack, the server will be unable to decrypt the poisoned token, and can block and log the attack.<br />
<br />
This technique addresses some of the shortfalls in other stateless approaches, such as the need to store data in a Cookie, circumnavigating the Cookie-subdomain and HTTPONLY issues.<br />
<br />
==== HMAC Based Token Pattern ====<br />
[https://en.wikipedia.org/wiki/HMAC HMAC (hash-based message authentication code)] is a cryptographic function that helps to guarantee integrity and authentication of a message. It is another way that CSRF mitigation can be achieved without maintaining any state at the server and is similar to an encryption token-based pattern with two main differences:<br />
* Uses a strong HMAC function instead of an encryption function to generate the token<br />
* Includes an additional field called ‘operation’ that would indicate the purpose of the operation for which you are including the CSRF token (may it be form tag/ajax call) <br />
(Ex: ‘oneclickpurchase’ (or) buy/asin=SDFH&category=2&quantity=3)<br />
<br />
'''Note:''' Fields mentioned in encryption token pattern (user's ID, a timestamp value and a nonce) are included. <br />
<br />
The operation field helps in mitigating the fact that the hash function generates the same value irrespective of multiple iterations (unlike strong encryption functions that generate different values when they are encrypted each time). So, it would help in avoiding having repeated token values across your application. Nonce field serves the same purpose as in encrypted token pattern (i.e., to avoid rare collisions due to weak cryptographic functions and acts as a defense-in-depth measure). <br />
<br />
Generate the token using HMAC including all four fields mentioned previously (user's ID, a timestamp value, nonce, and operation) and then include it in hidden fields for form tags, headers/parameters for ajax calls. Once you receive the HMAC from the client in the requests, re-generate HMAC with the same fields that you used to generate it, and then verify that the HMAC you re-generated matches the HMAC received from the client. If it does, it is a legitimate user request and if it does not, flag it as a CSRF intrusion and alert your incident response teams. Because an attacker has no visibility into the key used for generating the hash fields used in generating it, there is no way for them to re-generate it to use in forged request.<br />
<br />
=== Auto CSRF Mitigation Techniques ===<br />
Though the technique of mitigating tokens is widely used (stateful with synchronizer token and stateless with encrypted/HMAC token), the major problem associated with these techniques is the human tendency to forget things at times. If a developer forgets to add the token to any state changing operation, they are making the application vulnerable to CSRF. To avoid this, you can try to automate the process of adding tokens to CSRF vulnerable resources (mentioned earlier in this document). You can achieve this by doing the following:<br />
* Write wrappers (that would auto add tokens when used) around default form tags/ajax calls and educate your developers to use those wrappers instead of standard tags. Though this approach is better than depending purely on developers to add tokens, it still is vulnerable to the issue of human tendency to forget things. [https://docs.spring.io/spring-security/site/docs/3.2.0.CI-SNAPSHOT/reference/html/csrf.html Spring Security] uses this technique to add CSRF tokens by default when a custom <form:form> tag is used, you can opt to use after verifying that its enabled and properly configured in the Spring Security version you are using.<br />
* Write a hook (that would capture the traffic and add tokens to CSRF vulnerable resources before rendering to customers) in your organizational web rendering frameworks. Because it is hard to analyze when a particular response is doing any state change (and thus needing a token), you might want to include tokens in all CSRF vulnerable resources (ex: include tokens in all POST responses). This is one recommended approach, but you need to consider the performance costs it might incur.<br />
* Get the tokens automatically added on the client side when the page is being rendered in user’s browser, with help of a client side script (this approach is used by [[CSRF Guard]]). You need to consider any possible JavaScript hijacking attacks.<br />
We recommend researching if the framework you are using has an option to achieve CSRF protection by default before trying to build your custom auto tokening system. For example, .NET has an [https://docs.microsoft.com/en-us/aspnet/core/security/anti-request-forgery?view=aspnetcore-2.1 in-built protection] that adds token to CSRF vulnerable resources. You are responsible for proper configuration (such as key management and token management) before using these in-built CSRF protections that do auto tokening to CSRF vulnerable resources.<br />
<br />
=== Login CSRF ===<br />
Most developers tend to ignore CSRF vulnerability on login forms as they assume that CSRF would not be applicable on login forms because user is not authenticated at that stage. That assumption is false. CSRF vulnerability can still occur on login forms where the user is not authenticated, but the impact/risk view for it is quite different from the impact/risk view of a general CSRF vulnerability (when a user is authenticated).<br />
<br />
With a CSRF vulnerability on login form, an attacker can make a victim login as them and learn behavior from their searches. For more information about login CSRF and other risks, see section 3 of [https://seclab.stanford.edu/websec/csrf/csrf.pdf this] paper.<br />
<br />
Login CSRF can be mitigated by creating pre-sessions (sessions before a user is authenticated) and including tokens in login form. You can use any of the techniques mentioned above to generate tokens. Pre-sessions can be transitioned to real sessions once the user is authenticated. This technique is described in [https://seclab.stanford.edu/websec/csrf/csrf.pdf Robust Defenses for Cross-Site Request Forgery section 4.1].<br />
<br />
If sub-domains under your master domain are treated as not trusty in your threat model, it is difficult to mitigate login CSRF. A strict subdomain and path level referrer header (because most login pages are served on HTTPS - no stripping of referrer - and are also linked from home pages) validation (detailed in section 6.1) can be used in these cases for mitigating CSRF on login forms to an extent.<br />
<br />
== Defense In Depth Techniques ==<br />
<br />
=== Verifying origin with standard headers ===<br />
This defense technique is specifically proposed in section 5.0 of [https://seclab.stanford.edu/websec/csrf/csrf.pdf Robust Defenses for Cross-Site Request Forgery]. This paper proposes the first creation of the Origin header and its use as a CSRF defense mechanism.<br />
<br />
There are two steps to this mitigation, both of which rely on examining an HTTP request header value.<br />
<br />
1. Determining the origin the request is coming from (source origin). Can be done via Origin and/or referer header.<br />
<br />
2. Determining the origin the request is going to (target origin).<br />
<br />
At server side we verify if both of them match. If they do, we accept the request as legitimate (meaning it’s the same origin request) and if they don’t, we discard the request (meaning that the request originated from cross-domain). Reliability on these headers comes from the fact that they cannot be altered programmatically (using JavaScript in an XSS) as they fall under [https://developer.mozilla.org/en-US/docs/Glossary/Forbidden_header_name forbidden headers] list (i.e., only browsers can set them).<br />
<br />
====Identifying Source Origin (via Origin/Referer header) ====<br />
'''Checking the Origin Header'''<br />
<br />
If the Origin header is present, verify that its value matches the target origin. Unlike the Referer, the Origin header will be present in HTTP requests that originate from an HTTPS URL.<br />
<br />
'''Checking the Referer Header'''<br />
<br />
If the Origin header is not present, verify the hostname in the Referer header matches the target origin. This method of CSRF mitigation is also commonly used with unauthenticated requests, such as requests made prior to establishing a session state, which is required to keep track of a synchronization token.<br />
<br />
In both cases, make sure the target origin check is strong. For example, if your site is "site.com" make sure "site.com.attacker.com" does not pass your origin check (i.e., match through the trailing/after the origin to make sure you are matching against the entire origin).<br />
<br />
If neither of these headers are present, you can either accept or block the request. We recommend '''blocking'''. Alternatively, you might want to log all such instances, monitor their use cases/behavior, and then start blocking requests only after you get enough confidence.<br />
<br />
==== Identifying the Target Origin ====<br />
You might think it’s easy to determine the target origin, but it’s frequently not. The first thought is to simply grab the target origin (i.e., its hostname and port #) from the URL in the request. However, the application server is frequently sitting behind one or more proxies and the original URL is different from the URL the app server actually receives. If your application server is directly accessed by its users, then using the origin in the URL is fine and you're all set.<br />
<br />
If you are behind a proxy, there are a number of options to consider.<br />
* '''Configure your application to simply know its target origin:''' It’s your application, so you can find its target origin and set that value in some server configuration entry. This would be the most secure approach as its defined server side, so it is a trusted value. However, this might be problematic to maintain if your application is deployed in many places, e.g., dev, test, QA, production, and possibly multiple production instances. Setting the correct value for each of these situations might be difficult, but if you can do it via some central configuration and providing your instances to grab value from it, that's great! ('''Note:''' Make sure the centralized configuration store is maintained securely because major part of your CSRF defense depends on it.)<br />
<br />
* '''Use the Host header value:''' If you prefer that the application find its own target so it doesn't have to be configured for each deployed instance, we recommend using the Host family of headers. The Host header's purpose is to contain the target origin of the request. But, if your app server is sitting behind a proxy, the Host header value is most likely changed by the proxy to the target origin of the URL behind the proxy, which is different than the original URL. This modified Host header origin won't match the source origin in the original Origin or Referer headers.<br />
<br />
* '''Use the X-Forwarded-Host header value:''' To avoid the issue of proxy altering the host header, there is another header called X-Forwarded-Host, whose purpose is to contain the original Host header value the proxy received. Most proxies will pass along the original Host header value in the X-Forwarded-Host header. So that header value is likely to be the target origin value you need to compare to the source origin in the Origin or Referer header.<br />
<br />
This mitigation in earlier versions of the CSRF Cheat Sheet is treated as a primary defense. For reasons mentioned below, it is now moved to the Defense in Depth section.<br />
<br />
As it’s implicit, this mitigation would work properly when origin or referrer headers are present in the requests. Though these headers are included '''majority''' of the time, there are few use cases where they are not included (most of them are for legitimate reasons to safeguard users privacy/to tune to browsers ecosystem). The following lists some use cases:<br />
* Internet Explorer 11 does not add the Origin header on a CORS request across sites of a trusted zone. The Referer header will remain the only indication of the UI origin. See the following references in stackoverflow [https://stackoverflow.com/questions/20784209/internet-explorer-11-does-not-add-the-origin-header-on-a-cors-request here] and [https://github.com/silverstripe/silverstripe-graphql/issues/118 here].<br />
* In an instance following a [https://stackoverflow.com/questions/22397072/are-there-any-browsers-that-set-the-origin-header-to-null-for-privacy-sensitiv 302 redirect cross-origin], Origin is not included in the redirected request because that may be considered sensitive information that should not be sent to the other origin.<br />
* There are some [https://wiki.mozilla.org/Security/Origin#Privacy-Sensitive_Contexts privacy contexts] where Origin is set to “null” For example, see the following [https://www.google.com/search?q=origin+header+sent+null+value+site%3Astackoverflow.com&oq=origin+header+sent+null+value+site%3Astackoverflow.com here].<br />
* Origin header is included for all cross origin requests but for same origin requests, in most browsers it is only included in POST/DELETE/PUT '''Note:''' Although it is not ideal, many developers use GET requests to do state changing operations.<br />
* Referer header is no exception. There are multiple use cases where referrer header is omitted as well ([https://stackoverflow.com/questions/6880659/in-what-cases-will-http-referer-be-empty <nowiki>[1]</nowiki>], [https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referer <nowiki>[2]</nowiki>], [https://en.wikipedia.org/wiki/HTTP_referer#Referer_hiding <nowiki>[3]</nowiki>], [https://seclab.stanford.edu/websec/csrf/csrf.pdf <nowiki>[4]</nowiki>] and [https://www.google.com/search?q=referrer+header+sent+null+value+site:stackoverflow.com <nowiki>[5]</nowiki>]). Load balancers, proxies and embedded network devices are also well known to strip the referrer header due to privacy reasons in logging them.<br />
<br />
Though exceptions can be written for above cases in your source and target origin check logic, there is currently no central repository (even there is one, keeping it up-to-date is a problem) that references all such use cases. Each browser might also handle these use cases differently (browsers are known to handle things differently considering their ecosystem. IE example of not sending origin header within trusted zone is such example). Rejecting requests that do not contain origin and/or referrer headers might sound like a good idea but it can impact legitimate users. Keeping this system in monitoring mode and trying to investigate use cases such as stated above, then adding them into exception logic is a process that you may consider to make this defense more stable in your environment.<br />
<br />
This CSRF defense relies on browser behavior that can change at times. For example, when new privacy contexts are discovered, under which situations you have to keep your validation logic updated, where as in token based mitigation, you have full control on the CSRF mitigation. If browsers alter CSRF tokens, they are literally changing the HTML content on rendering pages (which no browser would ever want to do!).<br />
<br />
When there is an XSS vulnerability on a page of an application protected with Origin and/or Referrer header, the level of effort required to exploit state changing operations (that are typically vulnerable to CSRF) on other pages is very easy (grab the parameters and forge a request, as Origin and Referrer header is included by default by browsers) than compared to token based mitigation (where attacker needs to download the target page, parse the DOM for the token, construct a forge request, and send it to server).<br />
<br />
'''Note:''' Although the concept of origin header stemmed from [https://seclab.stanford.edu/websec/csrf/csrf.pdf this] paper that references robust CSRF defenses, initial [https://tools.ietf.org/html/rfc6454 origin header RFC] does not reference to mitigate CSRF in any way (another [https://tools.ietf.org/id/draft-abarth-origin-03.html draft version] does, however).<br />
<br />
=== Double Submit Cookie ===<br />
If maintaining the state for CSRF token at server side is problematic, an alternative defense is to use the double submit cookie technique. This technique is easy to implement and is stateless. In this technique, we send a random value in both a cookie and as a request parameter, with the server verifying if the cookie value and request value match. When a user visits (even before authenticating to prevent login CSRF), the site should generate a (cryptographically strong) pseudorandom value and set it as a cookie on the user's machine separate from the session identifier. The site then requires that every transaction request include this pseudorandom value as a hidden form value (or other request parameter/header). If both of them match at server side, the server accepts it as legitimate request and if they don’t, it would reject the request.<br />
<br />
There’s a belief that this technique would work because a cross origin attacker cannot read any data sent from the server or modify cookie values, per the same-origin policy. This means that while an attacker can force a victim to send any value with a malicious CSRF request, the attacker will be unable to modify or read the value stored in the cookie (with which the server compares the token value).<br />
<br />
There are a couple of drawbacks associated with the assumptions made here. The problem of "trusting of sub domains and proper configuration of whole site in general to accept HTTPS connections only". The [https://media.blackhat.com/eu-13/briefings/Lundeen/bh-eu-13-deputies-still-confused-lundeen-wp.pdf Blackhat talk] by Rich Lundeen references these drawbacks.<br />
<br />
"''With double submit, if an attacker can write a cookie they can obviously defeat the protection. And again, writing cookies is significantly easier then reading them. The fact that cookies can be written is difficult for many people to understand. After all, doesn't the same origin policy specify that one domain cannot access cookies from another domain? However, there are two common scenarios where writing cookies across domains is possible:''<br />
<br />
''a) While it's true that hellokitty.marketing.example.com cannot read cookies or access the DOM from secure.example.com because of the same origin policy, hellokitty.marketing.example.com can write cookies to the parent domain (example.com), and these cookies are then consumed by secure.example.com (secure.example.com has no good way to distinguish which site set the cookie). Additionally, there are methods of forcing secure.example.com to always accept your cookie first. What this means is that XSS in hellokitty.marketing.example.com is able to overwrite cookies in secure.example.com.''<br />
<br />
''b) If an attacker is in the middle, they can usually force a request to the same domain over HTTP. If an application is hosted at <nowiki>https://secure.example.com</nowiki>, even if the cookies are set with the secure flag, a man in the middle can force connections to <nowiki>http://secure.example.com</nowiki> and set (overwrite) any arbitrary cookies (even though the secure flag prevents the attacker from reading those cookies). Even if the HSTS header is set on the server and the browser visiting the site supports HSTS (this would prevent a man in the middle from forcing plaintext HTTP requests) unless the HSTS header is set in a way that includes all subdomains, a man in the middle can simply force a request to a separate subdomain and overwrite cookies similar to 1. In other words, as long as <nowiki>http://hellokitty.marketing.example.com</nowiki> doesn't force https, then an attacker can overwrite cookies on any example.com subdomain.''"<br />
<br />
So, unless you are sure that your subdomains are fully secured and only accept HTTPS connections (we believe it’s difficult to guarantee at large enterprises), you should not rely on the Double Submit Cookie technique as a primary mitigation for CSRF.<br />
<br />
A variant of double submit cookie that can mitigate both the risks mentioned above is including the token in an encrypted cookie - often within the authentication cookie - and then at the server side matching it (after decrypting authentication cookie) with the token in hidden form field or parameter/header for ajax calls. This works because a sub domain has no way to over-write an properly crafted encrypted cookie without the necessary information such as encryption key.<br />
<br />
=== Samesite Cookie Attribute ===<br />
SameSite is a cookie attribute (similar to HTTPOnly, Secure etc.) introduced by Google to mitigate CSRF attacks. It is defined in [https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-02#section-5.3.7 this] Internet Draft. This attribute helps in preventing the browser from sending cookies along with cross-site requests. Possible values for this attribute are lax or strict.<br />
<br />
The strict value will prevent the cookie from being sent by the browser to the target site in all cross-site browsing context, even when following a regular link. For example, for a GitHub-like website this would mean that if a logged-in user follows a link to a private GitHub project posted on a corporate discussion forum or email, GitHub will not receive the session cookie and the user will not be able to access the project. A bank website however most likely doesn't want to allow any transactional pages to be linked from external sites, so the strict flag would be most appropriate.<br />
<br />
The default lax value provides a reasonable balance between security and usability for websites that want to maintain user's logged-in session after the user arrives from an external link. In the above GitHub scenario, the session cookie would be allowed when following a regular link from an external website while blocking it in CSRF-prone request methods such as POST. Only cross-site-requests that are allowed in lax mode are the ones that have top-level navigations and are also “safe” HTTP methods (more details [https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-02#section-5.3.7.1 here]).<br />
<br />
Example of cookies using this attribute:<br />
<br />
<pre><br />
Set-Cookie: JSESSIONID=xxxxx; SameSite=Strict<br />
Set-Cookie: JSESSIONID=xxxxx; SameSite=Lax<br />
</pre><br />
<br />
Support for this attribute in different browsers is increasing but there are still browsers that need to adopt this. As of August 2018, SameSite attribute is on browsers used by 68.92% of Internet users (detailed statistics are [https://caniuse.com/#feat=same-site-cookie-attribute here]).<br />
<br />
Though this technique seems to be efficient in mitigating CSRF attacks, it is still in early stages (in [https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-02#section-5.3.7 draft]) and does not have full browser support as mentioned above. Google’s [https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-02#section-5.3.7 draft] also mentions a couple cases where forged requests can be simulated by attackers as same-site requests (and thus allowing to send SameSite cookies).<br />
<br />
Considering the factors above, it is not recommended to be used as a primary defense. Google agrees with this stance and strongly encourages developers to deploy server-side defenses such as tokens to mitigate CSRF more fully.<br />
<br />
=== Use of Custom Request Headers ===<br />
<br />
Adding CSRF tokens, a double submit cookie and value, encrypted token, or other defense that involves changing the UI can frequently be complex or otherwise problematic. An alternate defense that is particularly well suited for AJAX/XHR endpoints is the use of a custom request header. This defense relies on the [https://en.wikipedia.org/wiki/Same-origin_policy same-origin policy (SOP)] restriction that only JavaScript can be used to add a custom header, and only within its origin. By default, browsers do not allow JavaScript to make cross origin requests.<br />
<br />
A particularly attractive custom header and value to use is “X-Requested-With: XMLHttpRequest” because most JavaScript libraries already add this header to requests they generate by default. However, some do not. For example, AngularJS used to, but does not anymore. For more information, see [https://github.com/angular/angular.js/commit/3a75b1124d062f64093a90b26630938558909e8d their rationale] and how to add it back.<br />
<br />
If this is the case for your system, you can simply verify the presence of this header and value on all your server side AJAX endpoints in order to protect against CSRF attacks. This approach has the double advantage of usually requiring no UI changes and not introducing any server side state, which is particularly attractive to REST services. You can always add your own custom header and value if that is preferred.<br />
<br />
This defense technique is specifically discussed in section 4.3 of [https://seclab.stanford.edu/websec/csrf/csrf.pdf Robust Defenses for Cross-Site Request Forgery]. However, bypasses of this defense using Flash were documented as early as 2008 and again as recently as 2015 by Mathias Karlsson to [https://hackerone.com/reports/44146 exploit a CSRF flaw in Vimeo]. Flash attack can't spoof the Origin or Referer headers, so by checking both of them we believe this combination of checks should prevent Flash bypass CSRF attacks (if any comes up in future). <br />
<br />
Besides any possible future bypasses such as Flash, using a static header will make it easy to exploit other state changing operations in the application (similar to the previous explanation on why ease of exploitation is easier in origin/referrer header check than token based mitigation). Including a random token instead of static header value is more or less equal to the token based approach described in the primary defense section. Developers also need to consider that if you are using this approach in an application with both Ajax calls and form tags, this technique would only help Ajax calls in protecting from CSRF and you would still need protect <form> tags with approaches described in this document such as tokens. Setting custom headers on form tags is not possible directly. Also, CORS configuration should also be robust to make this solution work effectively (as custom headers for requests coming from other domains trigger a pre-flight CORS check).<br />
<br />
=== User Interaction Based CSRF Defense ===<br />
<br />
While all the techniques referenced here do not require any user interaction, sometimes it’s easier or more appropriate to involve the user in the transaction to prevent unauthorized operations (forged via CSRF or otherwise). The following are some examples of techniques that can act as strong CSRF defense when implemented correctly.<br />
* Re-Authentication (password or stronger)<br />
* One-time Token<br />
* CAPTCHA<br />
While these are a very strong CSRF defense, it does create a huge impact on the user experience. For applications that are in need of high security for some operations (password change, money transfer etc.), these techniques should be used along with token based mitigation. Please note that tokens by themselves can mitigate CSRF, developers should use these techniques only to achieve additional security for their high sensitive operations.<br />
<br />
== Not So Popular CSRF Mitigations ==<br />
<br />
=== Triple Submit Cookie ===<br />
This mitigation is proposed by John Wilander in 2012 at OWASP Appsec Research. This technique adds an additional step to double submit cookie approach by verifying if the request contains two cookies with same name (please note, attacker need to write an additional cookie to bypass double submit cookie mitigation). Though it mitigates the issues discussed in bypass of double submit cookie, it introduces new problems such as cookie jar overflow (in-details and more issue details [https://media.blackhat.com/eu-13/briefings/Lundeen/bh-eu-13-deputies-still-confused-lundeen-wp.pdf here] and [https://webstersprodigy.net/2012/08/03/analysis-of-john-wilanders-triple-submit-cookies/ here]). We were not able to find any real-time implementations of this mitigation so far.<br />
<br />
=== Content-Type Header Validation ===<br />
This technique is better known than the triple submit cookie mitigation. In first place, this header is not designed for security (initial RFC [https://tools.ietf.org/html/rfc1049 here] and later well-defined in [https://www.ietf.org/rfc/rfc2045.txt this] RFC) but only to let receiving agents know the type of data they would be handling, so that they can invoke corresponding parsers. The pre-flighting behavior of this header (pre-flight if header has value other than application/x-www-form-urlencoded, multipart/form-data, or text/plain) is what treated as a CSRF mitigation and thus forcing all requests to have a header value that would force a pre-flight (such as application/json. Server side can reject cross-origin requests with CORS/SOP during this pre-flight).<br />
<br />
This approach has two main problems. One that it would mandate all requests to have a header value that would force pre-flight despite the real use case and the other that this technique is relying on a feature that is not designed for security, to mitigate a security vulnerability. When a bug was discovered in the Chrome API, browser architects even considered to removing this pre-flighting behavior. Because this header was not designed as a security control, architects can re-design it to better cater its primary purpose. In the future, there’s a possibility that new content-type header types can be included (to better support various use-cases), which can put systems relying on this header for CSRF mitigation in trouble. For more information, see [https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2017/september/common-csrf-prevention-misconceptions/ Common CSRF Prevention Misconceptions].<br />
<br />
== CSRF Mitigation Myths ==<br />
The following shows techniques presumed to be CSRF mitigations but none of them fully/actually mitigates a CSRF vulnerability.<br />
* '''CORS''': CORS is a header designed to relax Same-Origin-Policy when cross-origin communication between sites is required. It is not designed, nor prevents CSRF attacks.<br />
* '''Using HTTPS''': Using HTTPS has nothing to do with the protection from CSRF attacks. Resources that are under HTTPS are still vulnerable to CSRF if proper CSRF mitigations described above are not included.<br />
* More myths can be found [[Cross-Site Request Forgery (CSRF)|here]]<br />
<br />
== Personal Safety CSRF Tips for Users ==<br />
Since CSRF vulnerabilities are reportedly widespread, we recommend using the following best practices to mitigate risk. <br />
<br />
1. Logoff immediately after using a Web application.<br /><br />
2. Do not allow your browser to save username/passwords, and do not allow sites to “remember” your login.<br /><br />
3. Do not use the same browser to access sensitive applications and to surf the Internet freely (tabbed browsing).<br /><br />
4. The use of plugins such as No-Script makes POST based CSRF vulnerabilities difficult to exploit. This is because JavaScript is used to automatically submit the form when the exploit is loaded. Without JavaScript, the attacker would have to trick the user into submitting the form manually.<br /><br />
<br />
Integrated HTML-enabled mail/browser and newsreader/browser environments pose additional risks since simply viewing a mail message or a news message might lead to the execution of an attack. <br />
== Implementation reference example ==<br />
The following JEE web filter provides an example reference for some of the concepts described in this cheatsheet. It implements the following stateless mitigations ([https://github.com/aramrami/OWASP-CSRFGuard OWASP CSRFGuard], cover a stateful approach).<br />
* Verifying same origin with standard headers<br />
* Double submit cookie<br />
* SameSite cookie attribute<br />
'''Please note''' that it only acts a reference sample and is not complete (for example: it doesn’t have a block to direct the control flow when origin and referrer header check succeeds nor it has a port/host/protocol level validation for referrer header). Developers are recommended to build their complete mitigation on top of this reference sample. Developers should also implement standard authentication or authorization checks before checking for CSRF.<br />
<br />
Source is also located [https://github.com/righettod/poc-csrf here] and provides a runnable POC.<br />
<br />
<syntaxhighlight lang="java"><br />
import org.slf4j.Logger;<br />
import org.slf4j.LoggerFactory;<br />
<br />
import javax.servlet.Filter;<br />
import javax.servlet.FilterChain;<br />
import javax.servlet.FilterConfig;<br />
import javax.servlet.ServletException;<br />
import javax.servlet.ServletRequest;<br />
import javax.servlet.ServletResponse;<br />
import javax.servlet.annotation.WebFilter;<br />
import javax.servlet.http.Cookie;<br />
import javax.servlet.http.HttpServletRequest;<br />
import javax.servlet.http.HttpServletResponse;<br />
import javax.servlet.http.HttpServletResponseWrapper;<br />
import javax.xml.bind.DatatypeConverter;<br />
import java.io.IOException;<br />
import java.net.MalformedURLException;<br />
import java.net.URL;<br />
import java.security.SecureRandom;<br />
import java.util.Arrays;<br />
<br />
/**<br />
* Filter in charge of validating each incoming HTTP request about Headers and CSRF token.<br />
* It is called for all requests to backend destination.<br />
*<br />
* We use the approach in which:<br />
* - The CSRF token is changed after each valid HTTP exchange<br />
* - The custom Header name for the CSRF token transmission is fixed<br />
* - A CSRF token is associated to a backend service URI in order to enable the support for multiple parallel Ajax request from the same application<br />
* - The CSRF cookie name is the backend service name prefixed with a fixed prefix<br />
*<br />
* Here for the POC we show the "access denied" reason in the response but in production code only return a generic message !<br />
*<br />
* @see "https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet"<br />
* @see "https://wiki.mozilla.org/Security/Origin"<br />
* @see "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie"<br />
* @see "https://chloe.re/2016/04/13/goodbye-csrf-samesite-to-the-rescue/"<br />
*/<br />
@WebFilter("/backend/*")<br />
public class CSRFValidationFilter implements Filter {<br />
<br />
/**<br />
* JVM param name used to define the target origin<br />
*/<br />
public static final String TARGET_ORIGIN_JVM_PARAM_NAME = "target.origin";<br />
<br />
/**<br />
* Name of the custom HTTP header used to transmit the CSRF token and also to prefix <br />
* the CSRF cookie for the expected backend service<br />
*/<br />
private static final String CSRF_TOKEN_NAME = "X-TOKEN";<br />
<br />
/**<br />
* Logger<br />
*/<br />
private static final Logger LOG = LoggerFactory.getLogger(CSRFValidationFilter.class);<br />
<br />
/**<br />
* Application expected deployment domain: named "Target Origin" in OWASP CSRF article<br />
*/<br />
private URL targetOrigin;<br />
<br />
/***<br />
* Secure generator<br />
*/<br />
private final SecureRandom secureRandom = new SecureRandom();<br />
<br />
<br />
/**<br />
* {@inheritDoc}<br />
*/<br />
@Override<br />
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {<br />
HttpServletRequest httpReq = (HttpServletRequest) request;<br />
HttpServletResponse httpResp = (HttpServletResponse) response;<br />
String accessDeniedReason;<br />
<br />
/* STEP 1: Verifying Same Origin with Standard Headers */<br />
//Try to get the source from the "Origin" header<br />
String source = httpReq.getHeader("Origin");<br />
if (this.isBlank(source)) {<br />
//If empty then fallback on "Referer" header<br />
source = httpReq.getHeader("Referer");<br />
//If this one is empty too then we trace the event and we block the request (recommendation of the article)...<br />
if (this.isBlank(source)) {<br />
accessDeniedReason = "CSRFValidationFilter: ORIGIN and REFERER request headers are both absent/empty so we block the request !";<br />
LOG.warn(accessDeniedReason);<br />
httpResp.sendError(HttpServletResponse.SC_FORBIDDEN, accessDeniedReason);<br />
return;<br />
}<br />
}<br />
<br />
//Compare the source against the expected target origin<br />
URL sourceURL = new URL(source);<br />
if (!this.targetOrigin.getProtocol().equals(sourceURL.getProtocol()) || !this.targetOrigin.getHost().equals(sourceURL.getHost()) <br />
|| this.targetOrigin.getPort() != sourceURL.getPort()) {<br />
//One the part do not match so we trace the event and we block the request<br />
accessDeniedReason = String.format("CSRFValidationFilter: Protocol/Host/Port do not fully matches so we block the request! (%s != %s) ", <br />
this.targetOrigin, sourceURL);<br />
LOG.warn(accessDeniedReason);<br />
httpResp.sendError(HttpServletResponse.SC_FORBIDDEN, accessDeniedReason);<br />
return;<br />
}<br />
<br />
/* STEP 2: Verifying CSRF token using "Double Submit Cookie" approach */<br />
//If CSRF token cookie is absent from the request then we provide one in response but we stop the process at this stage.<br />
//Using this way we implement the first providing of token<br />
Cookie tokenCookie = null;<br />
if (httpReq.getCookies() != null) {<br />
String csrfCookieExpectedName = this.determineCookieName(httpReq);<br />
tokenCookie = Arrays.stream(httpReq.getCookies()).filter(c -> c.getName().equals(csrfCookieExpectedName)).findFirst().orElse(null);<br />
}<br />
if (tokenCookie == null || this.isBlank(tokenCookie.getValue())) {<br />
LOG.info("CSRFValidationFilter: CSRF cookie absent or value is null/empty so we provide one and return an HTTP NO_CONTENT response !");<br />
//Add the CSRF token cookie and header<br />
this.addTokenCookieAndHeader(httpReq, httpResp);<br />
//Set response state to "204 No Content" in order to allow the requester to clearly identify an initial response providing the initial CSRF token<br />
httpResp.setStatus(HttpServletResponse.SC_NO_CONTENT);<br />
} else {<br />
//If the cookie is present then we pass to validation phase<br />
//Get token from the custom HTTP header (part under control of the requester)<br />
String tokenFromHeader = httpReq.getHeader(CSRF_TOKEN_NAME);<br />
//If empty then we trace the event and we block the request<br />
if (this.isBlank(tokenFromHeader)) {<br />
accessDeniedReason = "CSRFValidationFilter: Token provided via HTTP Header is absent/empty so we block the request !";<br />
LOG.warn(accessDeniedReason);<br />
httpResp.sendError(HttpServletResponse.SC_FORBIDDEN, accessDeniedReason);<br />
} else if (!tokenFromHeader.equals(tokenCookie.getValue())) {<br />
//Verify that token from header and one from cookie are the same<br />
//Here is not the case so we trace the event and we block the request<br />
accessDeniedReason = "CSRFValidationFilter: Token provided via HTTP Header and via Cookie are not equals so we block the request !";<br />
LOG.warn(accessDeniedReason);<br />
httpResp.sendError(HttpServletResponse.SC_FORBIDDEN, accessDeniedReason);<br />
} else {<br />
//Verify that token from header and one from cookie matches<br />
//Here is the case so we let the request reach the target component (ServiceServlet, jsp...) and add a new token when we get back the bucket<br />
HttpServletResponseWrapper httpRespWrapper = new HttpServletResponseWrapper(httpResp);<br />
chain.doFilter(request, httpRespWrapper);<br />
//Add the CSRF token cookie and header<br />
this.addTokenCookieAndHeader(httpReq, httpRespWrapper);<br />
}<br />
}<br />
}<br />
<br />
/**<br />
* {@inheritDoc}<br />
*/<br />
@Override<br />
public void init(FilterConfig filterConfig) throws ServletException {<br />
//To easier the configuration, we load the target expected origin from an JVM property<br />
//Reconfiguration only require an application restart that is generally acceptable<br />
try {<br />
this.targetOrigin = new URL(System.getProperty(TARGET_ORIGIN_JVM_PARAM_NAME));<br />
} catch (MalformedURLException e) {<br />
LOG.error("Cannot init the filter !", e);<br />
throw new ServletException(e);<br />
}<br />
LOG.info("CSRFValidationFilter: Filter init, set expected target origin to '{}'.", this.targetOrigin);<br />
}<br />
<br />
/**<br />
* {@inheritDoc}<br />
*/<br />
@Override<br />
public void destroy() {<br />
LOG.info("CSRFValidationFilter: Filter shutdown");<br />
}<br />
<br />
/**<br />
* Check if a string is null or empty (including containing only spaces)<br />
*<br />
* @param s Source string<br />
* @return TRUE if source string is null or empty (including containing only spaces)<br />
*/<br />
private boolean isBlank(String s) {<br />
return s == null || s.trim().isEmpty();<br />
}<br />
<br />
/**<br />
* Generate a new CSRF token<br />
*<br />
* @return The token a string<br />
*/<br />
private String generateToken() {<br />
byte[] buffer = new byte[50];<br />
this.secureRandom.nextBytes(buffer);<br />
return DatatypeConverter.printHexBinary(buffer);<br />
}<br />
<br />
/**<br />
* Determine the name of the CSRF cookie for the targeted backend service<br />
*<br />
* @param httpRequest Source HTTP request<br />
* @return The name of the cookie as a string<br />
*/<br />
private String determineCookieName(HttpServletRequest httpRequest) {<br />
String backendServiceName = httpRequest.getRequestURI().replaceAll("/", "-");<br />
return CSRF_TOKEN_NAME + "-" + backendServiceName;<br />
}<br />
<br />
/**<br />
* Add the CSRF token cookie and header to the provided HTTP response object<br />
*<br />
* @param httpRequest Source HTTP request<br />
* @param httpResponse HTTP response object to update<br />
*/<br />
private void addTokenCookieAndHeader(HttpServletRequest httpRequest, HttpServletResponse httpResponse) {<br />
//Get new token<br />
String token = this.generateToken();<br />
//Add cookie manually because the current Cookie class implementation do not support the "SameSite" attribute<br />
//We let the adding of the "Secure" cookie attribute to the reverse proxy rewriting...<br />
//Here we lock the cookie from JS access and we use the SameSite new attribute protection<br />
String cookieSpec = String.format("%s=%s; Path=%s; HttpOnly; SameSite=Strict", this.determineCookieName(httpRequest), token, httpRequest.getRequestURI());<br />
httpResponse.addHeader("Set-Cookie", cookieSpec);<br />
//Add cookie header to give access to the token to the JS code<br />
httpResponse.setHeader(CSRF_TOKEN_NAME, token);<br />
}<br />
}<br />
</syntaxhighlight><br />
<br />
== Authors and Primary Editors ==<br />
Manideep Konakandla (Amazon Application Security Team) - http://www.manideepk.com<br />
<br />
Dave Wichers - dave.wichers[at]owasp.org<br />
<br />
Paul Petefish - https://www.linkedin.com/in/paulpetefish<br />
<br />
Eric Sheridan - eric.sheridan[at]owasp.org<br />
<br />
Dominique Righetto - dominique.righetto[at]owasp.org<br /><br />
<br />
== Other Cheatsheets ==<br />
{{Cheatsheet_Navigation_Body}}<br />
<br />
|}<br />
<br />
[[Category:Cheatsheets]]<br />
[[Category:Popular]]</div>Wichershttps://wiki.owasp.org/index.php?title=Cross-Site_Request_Forgery_Prevention_Cheat_Sheet&diff=246800Cross-Site Request Forgery Prevention Cheat Sheet2019-01-23T22:37:11Z<p>Wichers: Redirected page to Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet</p>
<hr />
<div>#redirect [[Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet]]</div>Wichershttps://wiki.owasp.org/index.php?title=Free_for_Open_Source_Application_Security_Tools&diff=246776Free for Open Source Application Security Tools2019-01-23T16:31:43Z<p>Wichers: </p>
<hr />
<div>__NOTOC__<br />
== Introduction ==<br />
OWASP's mission is to help the world improve the security of its software. One of the best ways OWASP can do that is to help Open Source developers improve the software they are producing that everyone else relies on. As such, the following lists of '''automated vulnerability detection tools''' that are '''free for open source''' projects have been gathered together here to raise awareness of their availability.<br />
<br />
We would encourage open source projects to use the following types of tools to improve the security and quality of their code:<br />
* Static Application Security Testing ([[SAST]]) Tools <br />
* Dynamic Application Security Testing ([[DAST]]) Tools - (Primarily for web apps)<br />
* Interactive Application Security Testing (IAST) Tools - (Primarily for web apps and web APIs)<br />
* Keeping Open Source libraries up-to-date (to avoid [[Top 10-2017 A9-Using Components with Known Vulnerabilities|Using Components with Known Vulnerabilities (OWASP Top 10-2017 A9)]])<br />
* Static Code Quality Tools<br />
<br />
<br> '''Disclaimer:''' <b>OWASP does not endorse any of the Vendors or Scanning Tools by listing them below. They are simply listed if we believe they are free for use by open source projects. We have made every effort to provide this information as accurately as possible. If you are the vendor of a free for open source tool and think this information is incomplete or incorrect, please send an e-mail to dave.wichers (at) owasp.org and we will make every effort to correct this information.</b><br />
<br />
== Free for Open Source Tools ==<br />
Tools that are free for open source projects in each of the above categories are listed below.<br />
<br />
=== SAST Tools ===<br />
OWASP already maintains a page of known SAST tools: [[Source Code Analysis Tools]], which includes a list of those that are "Open Source or Free Tools Of This Type". Any such tools could certainly be used. One such cloud service that looks promising is:<br />
* [https://lgtm.com/help/lgtm/about-lgtm LGTM.com] - A free for open source static analysis service that automatically monitors commits to publicly accessible code in: Bitbucket Cloud, GitHub, or GitLab. Supports C/C++, C#, COBOL (in beta), Java, JavaScript/TypeScript, Python<br />
In addition, we are aware of the following commercial SAST tools that are free for Open Source projects:<br />
* [https://scan.coverity.com/ Coverity Scan Static Analysis] - Can be lashed into Travis-CI so it's done automatically with online resources. Supports over a dozen programming languages as documented here in the section [https://www.synopsys.com/software-integrity/security-testing/static-analysis-sast.html Comprehensive support for these programming languages and frameworks].<br />
* [https://www.softwaresecured.com/reshift reshift] - A CI/CD tool that uses static code analysis to scan for vulnerabilities and uses machine learning to give a prediction on false positives. Supports Java with future support for NodeJS and JavaScript planned for sometime in 2019. If you go to the Pricing section on this page, it says it is free for public repositories.<br />
<br />
=== DAST Tools ===<br />
If your project has a web application component, we recommend running automated scans against it to look for vulnerabilities. OWASP maintains a page of known DAST Tools: [[:Category:Vulnerability Scanning Tools|Vulnerability Scanning Tools]], and the '''Licence''' column on this page indicates which of those tools have free capabilities. Our primary recommendation is to use one of these:<br />
* [[OWASP Zed Attack Proxy Project|OWASP ZAP]] - A full featured free and open source DAST tool that includes both automated scanning for vulnerabilities and tools to assist expert manual web app pen testing.<br />
** The ZAP team has also been working hard to make it easier to integrate ZAP into your CI/CD pipeline. (e.g., here's a [https://www.we45.com/blog/how-to-integrate-zap-into-jenkins-ci-pipeline-we45-blog blog post on how to integrate ZAP with Jenkins]).<br />
* [http://www.arachni-scanner.com/ Arachni] - Arachni is a commercially supported scanner, but its free for most use cases, including scanning open source projects.<br />
We are not aware of any other commercial grade tools that offer their full featured DAST product free for open source projects.<br />
<br />
=== IAST Tools ===<br />
IAST tools are typically geared to analyze Web Applications and Web APIs, but that is vendor specific. There may be IAST products that can perform good security analysis on non-web applications as well.<br />
<br />
We are aware of only one IAST Tool that is free for open source at this time:<br />
* [https://www.contrastsecurity.com/contrast-community-edition Contrast Community Edition (CE)] - Fully featured version for 1 app and up to 5 users (some Enterprise features disabled). Contrast CE supports Java only.<br />
<br />
=== Open Source Software (OSS) Security Tools ===<br />
OSS refers to the open source libraries or components that application developers leverage to quickly develop new applications and add features to existing apps. Gartner refers to the analysis of the security of these components as software composition analysis (SCA). So OSS Analysis and SCA are the same thing.<br />
<br />
OWASP recommends that all software projects generally try to keep the libraries they use as up-to-date as possible to reduce the likelihood of [[Top 10-2017 A9-Using Components with Known Vulnerabilities|Using Components with Known Vulnerabilities (OWASP Top 10-2017 A9)]]. There are two recommended approaches for this:<br />
<br />
==== Keeping Your Libraries Updated ====<br />
Using the latest version of each library is recommended because security issues are frequently fixed 'silently' by the component maintainer. By silently, we mean without publishing a [https://cve.mitre.org/ CVE] for the security fix.<br />
* [https://www.mojohaus.org/versions-maven-plugin/ Maven Versions plugin]<br />
** For Maven projects, can be used to generate a report of all dependencies used and when upgrades are available for them. Either a direct report, or part of the overall project documentation using: mvn site.<br />
* Dependabot - https://dependabot.com/<br />
** A GitHub only service that creates pull requests to keep your dependencies up-to-date. It automatically generates a pull request for each dependency you can upgrade, which you can then ignore, or accept, as you like. It supports tons of languages.<br />
** Recommended for all open source projects maintained on GitHub!<br />
<br />
==== Detecting Known Vulnerable Components ====<br />
As an alternative, or in addition to, trying to keep all your components up-to-date, a project can specifically monitor whether any of the components they use have known vulnerable components.<br />
<br />
Free tools of this type:<br />
* OWASP has its own free open source tool [[OWASP Dependency Check]] that is free for anyone to use.<br />
* GitHub: Security alerts for vulnerable dependencies - https://help.github.com/articles/about-security-alerts-for-vulnerable-dependencies/<br />
** A native GitHub feature that reports known vulnerable dependencies in your GitHub projects. Supports: Java, .NET, JavaScript, Ruby, and Python. Your GitHub projects are automatically signed up for this service.<br />
Commercial tools of this type that are free for open source:<br />
* Contrast Community Edition (CE) (mentioned earlier) also has both Known Vulnerable Component detection and Available Updates reporting for OSS. CE supports Java only.<br />
* Snyk - https://www.snyk.io - Supports Node.js, Ruby, Java, Python, Scala, Golang, .NET, PHP - Latest list here: https://snyk.io/docs<br />
** A Commercial tool that identifies vulnerable components and integrates with numerous CI/CD pipelines. It is free for open source: https://snyk.io/plans<br />
** If you don't want to grant Snyk write access to your repo (see it can auto-create pull requests) you can use the Command Line Interface (CLI) instead. See: https://snyk.io/docs/using-snyk. If you do this and want it to be free, you have to configure Snyk so it know its open source: https://support.snyk.io/snyk-cli/how-can-i-set-a-snyk-cli-project-as-open-source<br />
*** Another benefit of using the Snyk CLI is that it won't auto create Pull requests for you (which makes these 'issues' more public than you might prefer)<br />
** They also provide detailed information and remediation guidance for known vulnerabilities here: https://snyk.io/vuln<br />
* SourceClear - https://www.sourceclear.com/ - Supports: Java, Ruby, JavaScript, Python, Objective C, GO, PHP<br />
** They have a free trial right from their [https://www.sourceclear.com/ home page]. When the 30 day trial expires, it converts into a free "Personal Account" per: "Upgrade at any time to get the features that matter most to you, or choose the Personal plan when your trial ends." Personal Account described here: https://www.sourceclear.com/pricing/<br />
** They also make their component vulnerability data (for publicly known vulns) free to search: https://www.sourceclear.com/vulnerability-database/search#_ (Very useful when trying to research a particular library)<br />
* WhiteSource Bolt - Supports 200+ programming languages. https://www.whitesourcesoftware.com/<br />
** Azure version: https://marketplace.visualstudio.com/items?itemName=whitesource.ws-bolt<br />
** GitHub version: https://github.com/apps/whitesource-bolt-for-github Available starting in Nov. 2018.<br />
<br />
=== Code Quality tools ===<br />
Quality has a significant correlation to security. As such, we recommend open source projects also consider using good code quality tools. A few that we are aware of are:<br />
* SpotBugs (https://github.com/spotbugs/spotbugs) - Open source code quality tool for Java<br />
** This is the active fork for FindBugs, so if you use Findbugs, you should switch to this.<br />
** SpotBugs users should add the FindSecBugs plugin (http://find-sec-bugs.github.io/) to their SpotBugs setup, as it significantly improves on the very basic security checking native to SpotBugs.<br />
<br />
* SonarQube (https://www.sonarqube.org/)<br />
** This is a commercially supported, very popular, free (and commercial) code quality tool. It includes most if not all the FindSecBugs security rules plus lots more for quality, including a free, internet online CI setup to run it against your open source projects. SonarQube supports numerous languages: https://www.sonarqube.org/features/multi-languages/<br />
<br />
Please let us know if you are aware of any other high quality application security tools that are free for open source (or simply add them to this page). We are particularly interested in identifying and listing commercial tools that are free for open source, as they tend to be better and easier to use than open source (free) tools. If you are aware of any missing from this list, please add them, or let us know (dave.wichers (at) owasp.org) and we'll confirm they are free, and add them for you. Please encourage your favorite commercial tool vendor to make their tool free for open source projects as well!!<br />
<br />
Finally, please forward this page to the open source projects you rely on and encourage them to use these free tools!</div>Wichershttps://wiki.owasp.org/index.php?title=Source_Code_Analysis_Tools&diff=246775Source Code Analysis Tools2019-01-23T16:27:41Z<p>Wichers: Edit reshift tool description.</p>
<hr />
<div>[[Static_Code_Analysis | Source code analysis]] tools, also referred to as Static Application Security Testing (SAST) Tools, are designed to analyze source code and/or compiled versions of code to help find security flaws. <br />
<br />
Some tools are starting to move into the IDE. For the types of problems that can be detected during the software development phase itself, this is a powerful phase within the development life cycle to employ such tools, as it provides immediate feedback to the developer on issues they might be introducing into the code during code development itself. This immediate feedback is very useful, especially when compared to finding vulnerabilities much later in the development cycle.<br />
<br />
== Strengths and Weaknesses ==<br />
<br />
=== Strengths ===<br />
<br />
* Scales well -- can be run on lots of software, and can be run repeatedly (as with nightly builds or continuous integration)<br />
* Useful for things that such tools can automatically find with high confidence, such as buffer overflows, SQL Injection Flaws, and so forth<br />
* Output is good for developers -- highlights the precise source files, line numbers, and even subsections of lines that are affected<br />
<br />
=== Weaknesses ===<br />
<br />
* Many types of security vulnerabilities are difficult to find automatically, such as authentication problems, access control issues, insecure use of cryptography, etc. The current state of the art only allows such tools to automatically find a relatively small percentage of application security flaws. However, tools of this type are getting better.<br />
* High numbers of false positives.<br />
* Frequently can't find configuration issues, since they are not represented in the code.<br />
* Difficult to 'prove' that an identified security issue is an actual vulnerability.<br />
* Many of these tools have difficulty analyzing code that can't be compiled. Analysts frequently can't compile code because they don't have the right libraries, all the compilation instructions, all the code, etc.<br />
<br />
==Important Selection Criteria==<br />
<br />
* Requirement: Must support your programming language, but not usually a key factor once it does.<br />
* Types of vulnerabilities it can detect (out of the [[OWASP Top Ten]]?) (plus more?)<br />
* How accurate is it? False Positive/False Negative rates?<br />
** Does the tool have an OWASP [[Benchmark]] score?<br />
* Does it understand the libraries/frameworks you use?<br />
* Does it require a fully buildable set of source?<br />
* Can it run against binaries instead of source?<br />
* Can it be integrated into the developer's IDE?<br />
* How hard is it to setup/use?<br />
* Can it be run continuously and automatically?<br />
* License cost for the tool. (Some are sold per user, per org, per app, per line of code analyzed. Consulting licenses are frequently different than end user licenses.)<br />
<br />
==OWASP Tools Of This Type==<br />
<br />
* [[OWASP SonarQube Project]]<br />
* [http://www.owasp.org/index.php/Category:OWASP_Orizon_Project OWASP Orizon Project]<br />
* [[OWASP_LAPSE_Project | OWASP LAPSE Project]]<br />
* [[OWASP O2 Platform]]<br />
* [[OWASP WAP-Web Application Protection]]<br />
<br />
==Disclaimer==<br />
<br />
Disclaimer: <b>The tools listed in the tables below are presented in alphabetical order. <i>OWASP does not endorse any of the vendors or tools by listing them in the table below.</i> We have made every effort to provide this information as accurately as possible. If you are the vendor of a tool below and think that this information is incomplete or incorrect, please send an e-mail to our mailing list and we will make every effort to correct this information.</b><br />
<br />
==Open Source or Free Tools Of This Type==<br />
<br />
* [https://wiki.openstack.org/wiki/Security/Projects/Bandit Bandit] - bandit is a comprehensive source vulnerability scanner for Python<br />
* [http://brakemanscanner.org/ Brakeman] - Brakeman is an open source vulnerability scanner specifically designed for Ruby on Rails applications<br />
* [http://rubygems.org/gems/codesake-dawn Codesake Dawn] - Codesake Dawn is an open source security source code analyzer designed for Sinatra, Padrino for Ruby on Rails applications. It also works on non-web applications written in Ruby<br />
* [http://findbugs.sourceforge.net/ FindBugs] - (Legacy - NOT Maintained - Use SpotBugs (see below) instead) - Find bugs (including a few security flaws) in Java programs<br />
* [https://find-sec-bugs.github.io/ FindSecBugs] - A security specific plugin for SpotBugs that significantly improves SpotBugs's ability to find security vulnerabilities in Java programs. Works with the old FindBugs too,<br />
* [http://www.dwheeler.com/flawfinder/ Flawfinder] Flawfinder - Scans C and C++<br />
* [https://www.bishopfox.com/resources/tools/google-hacking-diggity/attack-tools/ Google CodeSearchDiggity] - Uses Google Code Search to identifies vulnerabilities in open source code projects hosted by Google Code, MS CodePlex, SourceForge, Github, and more. The tool comes with over 130 default searches that identify SQL injection, cross-site scripting (XSS), insecure remote and local file includes, hard-coded passwords, and much more. ''Essentially, Google CodeSearchDiggity provides a source code security analysis of nearly every single open source code project in existence – simultaneously.''<br />
* [https://github.com/wireghoul/graudit/ Graudit] - Scans multiple languages for various security flaws.<br />
* [https://lgtm.com/help/lgtm/about-lgtm LGTM] - A free for open source static analysis service that automatically monitors commits to publicly accessible code in: Bitbucket Cloud, GitHub, or GitLab. Supports C/C++, C#, COBOL (in beta), Java, JavaScript/TypeScript, Python<br />
* [http://pmd.sourceforge.net/ PMD] - PMD scans Java source code and looks for potential code problems (this is a code quality tool that does not focus on security issues)<br />
* [https://github.com/designsecurity/progpilot Progpilot] - Progpilot is a static analyzer tool for PHP that detects security vulnerabilities such as XSS and SQL Injection.<br />
* [http://msdn.microsoft.com/en-us/library/ms933794.aspx PreFast] (Microsoft) - PREfast is a static analysis tool that identifies defects in C/C++ programs. Last update 2006.<br />
* [https://pumascan.com/ Puma Scan] - Puma Scan is a .NET C# open source static source code analyzer that runs as an IDE plugin for Visual Studio and via MSBuild in CI pipelines.<br />
* [https://dotnet-security-guard.github.io/ .NET Security Guard] - Roslyn analyzers that aim to help security audits on .NET applications. It will find SQL injections, LDAP injections, XXE, cryptography weakness, XSS and more.<br />
* [http://rips-scanner.sourceforge.net/ RIPS] - RIPS is a static source code analyzer for vulnerabilities in PHP web applications. Please see notes on the sourceforge.net site.<br />
* [https://github.com/FloeDesignTechnologies/phpcs-security-audit phpcs-security-audit] - phpcs-security-audit is a set of PHP_CodeSniffer rules that finds flaws or weaknesses related to security in PHP and its popular CMS or frameworks. It currently has core PHP rules as well as Drupal 7 specific rules.<br />
* [http://www.sonarqube.org/ SonarQube] - Scans source code for more than 20 languages for Bugs, Vulnerabilities, and Code Smells. SonarQube IDE plugins for Eclipse, Visual Studio, and IntelliJ provided by [http://www.sonarlint.org/ SonarLint].<br />
* [https://spotbugs.github.io/ SpotBugs] - This is the active fork replacement for FindBugs, which is not maintained anymore.<br />
* [http://sourceforge.net/projects/visualcodegrepp/ VisualCodeGrepper (VCG)] - Scans C/C++, C#, VB, PHP, Java, and PL/SQL for security issues and for comments which may indicate defective code. The config files can be used to carry out additional checks for banned functions or functions which commonly cause security issues.<br />
<br />
==Commercial Tools Of This Type==<br />
* [https://www.ptsecurity.com/ww-en/products/ai/ Application Inspector] (Positive Technologies) - combines SAST, DAST, IAST, SCA, configuration analysis and other technologies, incl. unique abstract interpretation; has capability to generate test queries (exploits) to verify detected vulnerabilities during SAST analysis; Supported languages include: Java, C#, PHP, JavaScript, Objective C, VB.Net, PL/SQL, T-SQL, and others. <br />
* [https://www.ibm.com/us-en/marketplace/application-security-on-cloud Application Security on Cloud] (IBM) - Provides SAST, DAST and mobile security testing as well as OpenSource library known vulnerability detection as a cloud service. <br />
* [http://www-01.ibm.com/software/rational/products/appscan/source/ AppScan Source] (IBM)<br />
* [http://www.blueclosure.com BlueClosure BC Detect] (BlueClosure) - Analyzes client-side JavaScript.<br />
* [https://buguroo.com/products/bugblast-next-gen-appsec-platform/bugscout-sca bugScout] (Buguroo Offensive Security)<br />
* [http://www.castsoftware.com/solutions/application-security/cwe#SupportedSecurityStandards CAST AIP] (CAST) Performs static and architectural analysis to identify numerous types of security issues. Supports over 30 languages.<br />
* [https://www.codacy.com/ Codacy] Offers security patterns for languages such as Python, Ruby, Scala, Java, JavaScript and more. Integrates with tools such as Brakeman, Bandit, FindBugs, and others. (free for open source projects)<br />
* [https://www.grammatech.com/products/codesonar CodeSonar] tool that supports C, C++, Java and C# and maps against the OWASP top 10 vulnerabilities.<br />
* [http://www.contrastsecurity.com/ Contrast] (Contrast Security) - Contrast performs code security without actually doing static analysis. Contrast does Interactive Application Security Testing (IAST), correlating runtime code & data analysis. It provides code level results without actually relying on static analysis.<br />
* [http://www.coverity.com/products/code-advisor/ Coverity Code Advisor] (Synopsys)<br />
* [https://www.checkmarx.com/technology/static-code-analysis-sca/ CxSAST] (Checkmarx)<br />
* [http://www8.hp.com/us/en/software-solutions/static-code-analysis-sast/ Fortify] (Micro Focus, Formally HP)<br />
* [http://www.juliasoft.com/solutions Julia] (JuliaSoft) - SaaS Java static analysis<br />
* [http://www.klocwork.com/capabilities/static-code-analysis KlocWork] (KlocWork)<br />
* [https://www.kiuwan.com/code-analysis/ Kiuwan] (an [http://www.optimyth.com Optimyth] company) - SaaS Software Quality & Security Analysis<br />
* [http://www.parasoft.com/jsp/capabilities/static_analysis.jsp?itemId=547 Parasoft Test] (Parasoft)<br />
* [https://pitss.com/products/pitss-con/ PITSS.CON] (PITTS)<br />
* [https://www.ptsecurity.com/ww-en/products/ai/ PT Application Inspector] combines SAST, DAST, IAST, SCA, configuration analysis and other technologies, incl. unique abstract interpretation for high accuracy rate with minimum false positives; has a unique capability to generate special test queries (exploits) to verify detected vulnerabilities during SAST analysis; integrates with CI/CD, VCS, etc. PT AI helps to easily understand, verify, and fix flaws; has a simple UI; is highly automated and easy to use. Supported languages are Java, C#, PHP, JavaScript, Objective C, VB.Net, PL/SQL, T-SQL, and others.<br />
* [https://pumascanpro.com/ Puma Scan Professional] - A .NET C# static source code analyzer that runs as a Visual Studio IDE extension, Azure DevOps extension, and Command Line (CLI) executable.<br />
* [http://www.viva64.com/en/ PVS-Studio] (PVS-Studio) - For C/C++, C#<br />
* [https://www.softwaresecured.com/reshift reshift] - A CI/CD tool that uses static code analysis to scan for vulnerabilities and uses machine learning to give a prediction on false positives. Supports Java with future support for NodeJS and JavaScript planned for sometime in 2019.<br />
* [https://www.ripstech.com/ RIPS Code Analysis] (RIPS Technologies) - A SAST solution specialized for PHP that detects unknown security vulnerabilities and code quality issues.<br />
* [https://www.synopsys.com/software-integrity/resources/datasheets/secureassist.html SecureAssist] (Synopsys) - Scans code for insecure coding and configurations automatically as an IDE plugin for Eclipse, IntelliJ, and Visual Studio etc. Supports (Java, .NET, PHP, and JavaScript)<br />
* [https://www.whitehatsec.com/products/static-application-security-testing/ Sentinel Source] (Whitehat)<br />
* [https://www.synopsys.com/software-integrity/products/interactive-application-security-testing.html Seeker] (Synopsys) Seeker performs code security without actually doing static analysis. Seeker does Interactive Application Security Testing (IAST), correlating runtime code & data analysis with simulated attacks. It provides code level results without actually relying on static analysis.<br />
* [http://www.sourcepatrol.co.uk/ Source Patrol] (Pentest)<br />
* [https://www.defensecode.com/thunderscan.php Thunderscan SAST] (DefenseCode)<br />
* [http://www.veracode.com/products/binary-static-analysis-sast Veracode Static Analysis] (Veracode)<br />
* [http://www.xanitizer.net Xanitizer] - Scans Java for security vulnerabilities, mainly via taint analysis. Free for academic and open source projects (see [https://www.rigs-it.com/xanitizer-pricing/]).<br />
<br />
==More info==<br />
<br />
* [[Appendix_A:_Testing_Tools | Appendix A: Testing Tools]]<br />
* [http://samate.nist.gov/index.php/Source_Code_Security_Analyzers.html NIST's list of Source Code Security Analysis Tools]<br />
* [[:Category:Vulnerability_Scanning_Tools | DAST Tools]] - Similar info on Dynamic Application Security Testing (DAST) Tools<br />
<br />
[[Category:OWASP .NET Project]]<br />
[[Category:SAMM-CR-2]]<br />
__NOTOC__</div>Wichershttps://wiki.owasp.org/index.php?title=Source_Code_Analysis_Tools&diff=246421Source Code Analysis Tools2019-01-07T18:11:06Z<p>Wichers: </p>
<hr />
<div>[[Static_Code_Analysis | Source code analysis]] tools, also referred to as Static Application Security Testing (SAST) Tools, are designed to analyze source code and/or compiled versions of code to help find security flaws. <br />
<br />
Some tools are starting to move into the IDE. For the types of problems that can be detected during the software development phase itself, this is a powerful phase within the development life cycle to employ such tools, as it provides immediate feedback to the developer on issues they might be introducing into the code during code development itself. This immediate feedback is very useful, especially when compared to finding vulnerabilities much later in the development cycle.<br />
<br />
== Strengths and Weaknesses ==<br />
<br />
=== Strengths ===<br />
<br />
* Scales well -- can be run on lots of software, and can be run repeatedly (as with nightly builds or continuous integration)<br />
* Useful for things that such tools can automatically find with high confidence, such as buffer overflows, SQL Injection Flaws, and so forth<br />
* Output is good for developers -- highlights the precise source files, line numbers, and even subsections of lines that are affected<br />
<br />
=== Weaknesses ===<br />
<br />
* Many types of security vulnerabilities are difficult to find automatically, such as authentication problems, access control issues, insecure use of cryptography, etc. The current state of the art only allows such tools to automatically find a relatively small percentage of application security flaws. However, tools of this type are getting better.<br />
* High numbers of false positives.<br />
* Frequently can't find configuration issues, since they are not represented in the code.<br />
* Difficult to 'prove' that an identified security issue is an actual vulnerability.<br />
* Many of these tools have difficulty analyzing code that can't be compiled. Analysts frequently can't compile code because they don't have the right libraries, all the compilation instructions, all the code, etc.<br />
<br />
==Important Selection Criteria==<br />
<br />
* Requirement: Must support your programming language, but not usually a key factor once it does.<br />
* Types of vulnerabilities it can detect (out of the [[OWASP Top Ten]]?) (plus more?)<br />
* How accurate is it? False Positive/False Negative rates?<br />
** Does the tool have an OWASP [[Benchmark]] score?<br />
* Does it understand the libraries/frameworks you use?<br />
* Does it require a fully buildable set of source?<br />
* Can it run against binaries instead of source?<br />
* Can it be integrated into the developer's IDE?<br />
* How hard is it to setup/use?<br />
* Can it be run continuously and automatically?<br />
* License cost for the tool. (Some are sold per user, per org, per app, per line of code analyzed. Consulting licenses are frequently different than end user licenses.)<br />
<br />
==OWASP Tools Of This Type==<br />
<br />
* [[OWASP SonarQube Project]]<br />
* [http://www.owasp.org/index.php/Category:OWASP_Orizon_Project OWASP Orizon Project]<br />
* [[OWASP_LAPSE_Project | OWASP LAPSE Project]]<br />
* [[OWASP O2 Platform]]<br />
* [[OWASP WAP-Web Application Protection]]<br />
<br />
==Disclaimer==<br />
<br />
Disclaimer: <b>The tools listed in the tables below are presented in alphabetical order. <i>OWASP does not endorse any of the vendors or tools by listing them in the table below.</i> We have made every effort to provide this information as accurately as possible. If you are the vendor of a tool below and think that this information is incomplete or incorrect, please send an e-mail to our mailing list and we will make every effort to correct this information.</b><br />
<br />
==Open Source or Free Tools Of This Type==<br />
<br />
* [https://wiki.openstack.org/wiki/Security/Projects/Bandit Bandit] - bandit is a comprehensive source vulnerability scanner for Python<br />
* [http://brakemanscanner.org/ Brakeman] - Brakeman is an open source vulnerability scanner specifically designed for Ruby on Rails applications<br />
* [http://rubygems.org/gems/codesake-dawn Codesake Dawn] - Codesake Dawn is an open source security source code analyzer designed for Sinatra, Padrino for Ruby on Rails applications. It also works on non-web applications written in Ruby<br />
* [http://findbugs.sourceforge.net/ FindBugs] - (Legacy - NOT Maintained - Use SpotBugs (see below) instead) - Find bugs (including a few security flaws) in Java programs<br />
* [https://find-sec-bugs.github.io/ FindSecBugs] - A security specific plugin for SpotBugs that significantly improves SpotBugs's ability to find security vulnerabilities in Java programs. Works with the old FindBugs too,<br />
* [http://www.dwheeler.com/flawfinder/ Flawfinder] Flawfinder - Scans C and C++<br />
* [https://www.bishopfox.com/resources/tools/google-hacking-diggity/attack-tools/ Google CodeSearchDiggity] - Uses Google Code Search to identifies vulnerabilities in open source code projects hosted by Google Code, MS CodePlex, SourceForge, Github, and more. The tool comes with over 130 default searches that identify SQL injection, cross-site scripting (XSS), insecure remote and local file includes, hard-coded passwords, and much more. ''Essentially, Google CodeSearchDiggity provides a source code security analysis of nearly every single open source code project in existence – simultaneously.''<br />
* [https://github.com/wireghoul/graudit/ Graudit] - Scans multiple languages for various security flaws.<br />
* [https://lgtm.com/help/lgtm/about-lgtm LGTM] - A free for open source static analysis service that automatically monitors commits to publicly accessible code in: Bitbucket Cloud, GitHub, or GitLab. Supports C/C++, C#, COBOL (in beta), Java, JavaScript/TypeScript, Python<br />
* [http://pmd.sourceforge.net/ PMD] - PMD scans Java source code and looks for potential code problems (this is a code quality tool that does not focus on security issues)<br />
* [https://github.com/designsecurity/progpilot Progpilot] - Progpilot is a static analyzer tool for PHP that detects security vulnerabilities such as XSS and SQL Injection.<br />
* [http://msdn.microsoft.com/en-us/library/ms933794.aspx PreFast] (Microsoft) - PREfast is a static analysis tool that identifies defects in C/C++ programs. Last update 2006.<br />
* [https://pumascan.com/ Puma Scan] - Puma Scan is a .NET C# open source static source code analyzer that runs as an IDE plugin for Visual Studio and via MSBuild in CI pipelines.<br />
* [https://dotnet-security-guard.github.io/ .NET Security Guard] - Roslyn analyzers that aim to help security audits on .NET applications. It will find SQL injections, LDAP injections, XXE, cryptography weakness, XSS and more.<br />
* [http://rips-scanner.sourceforge.net/ RIPS] - RIPS is a static source code analyzer for vulnerabilities in PHP web applications. Please see notes on the sourceforge.net site.<br />
* [https://github.com/FloeDesignTechnologies/phpcs-security-audit phpcs-security-audit] - phpcs-security-audit is a set of PHP_CodeSniffer rules that finds flaws or weaknesses related to security in PHP and its popular CMS or frameworks. It currently has core PHP rules as well as Drupal 7 specific rules.<br />
* [http://www.sonarqube.org/ SonarQube] - Scans source code for more than 20 languages for Bugs, Vulnerabilities, and Code Smells. SonarQube IDE plugins for Eclipse, Visual Studio, and IntelliJ provided by [http://www.sonarlint.org/ SonarLint].<br />
* [https://spotbugs.github.io/ SpotBugs] - This is the active fork replacement for FindBugs, which is not maintained anymore.<br />
* [http://sourceforge.net/projects/visualcodegrepp/ VisualCodeGrepper (VCG)] - Scans C/C++, C#, VB, PHP, Java, and PL/SQL for security issues and for comments which may indicate defective code. The config files can be used to carry out additional checks for banned functions or functions which commonly cause security issues.<br />
<br />
==Commercial Tools Of This Type==<br />
* [https://www.ptsecurity.com/ww-en/products/ai/ Application Inspector] (Positive Technologies) - combines SAST, DAST, IAST, SCA, configuration analysis and other technologies, incl. unique abstract interpretation; has capability to generate test queries (exploits) to verify detected vulnerabilities during SAST analysis; Supported languages include: Java, C#, PHP, JavaScript, Objective C, VB.Net, PL/SQL, T-SQL, and others. <br />
* [https://www.ibm.com/us-en/marketplace/application-security-on-cloud Application Security on Cloud] (IBM) - Provides SAST, DAST and mobile security testing as well as OpenSource library known vulnerability detection as a cloud service. <br />
* [http://www-01.ibm.com/software/rational/products/appscan/source/ AppScan Source] (IBM)<br />
* [http://www.blueclosure.com BlueClosure BC Detect] (BlueClosure) - Analyzes client-side JavaScript.<br />
* [https://buguroo.com/products/bugblast-next-gen-appsec-platform/bugscout-sca bugScout] (Buguroo Offensive Security)<br />
* [http://www.castsoftware.com/solutions/application-security/cwe#SupportedSecurityStandards CAST AIP] (CAST) Performs static and architectural analysis to identify numerous types of security issues. Supports over 30 languages.<br />
* [https://www.codacy.com/ Codacy] Offers security patterns for languages such as Python, Ruby, Scala, Java, JavaScript and more. Integrates with tools such as Brakeman, Bandit, FindBugs, and others. (free for open source projects)<br />
* [https://www.grammatech.com/products/codesonar CodeSonar] tool that supports C, C++, Java and C# and maps against the OWASP top 10 vulnerabilities.<br />
* [http://www.contrastsecurity.com/ Contrast] (Contrast Security) - Contrast performs code security without actually doing static analysis. Contrast does Interactive Application Security Testing (IAST), correlating runtime code & data analysis. It provides code level results without actually relying on static analysis.<br />
* [http://www.coverity.com/products/code-advisor/ Coverity Code Advisor] (Synopsys)<br />
* [https://www.checkmarx.com/technology/static-code-analysis-sca/ CxSAST] (Checkmarx)<br />
* [http://www8.hp.com/us/en/software-solutions/static-code-analysis-sast/ Fortify] (Micro Focus, Formally HP)<br />
* [http://www.juliasoft.com/solutions Julia] (JuliaSoft) - SaaS Java static analysis<br />
* [http://www.klocwork.com/capabilities/static-code-analysis KlocWork] (KlocWork)<br />
* [https://www.kiuwan.com/code-analysis/ Kiuwan] (an [http://www.optimyth.com Optimyth] company) - SaaS Software Quality & Security Analysis<br />
* [http://www.parasoft.com/jsp/capabilities/static_analysis.jsp?itemId=547 Parasoft Test] (Parasoft)<br />
* [https://pitss.com/products/pitss-con/ PITSS.CON] (PITTS)<br />
* [https://www.ptsecurity.com/ww-en/products/ai/ PT Application Inspector] combines SAST, DAST, IAST, SCA, configuration analysis and other technologies, incl. unique abstract interpretation for high accuracy rate with minimum false positives; has a unique capability to generate special test queries (exploits) to verify detected vulnerabilities during SAST analysis; integrates with CI/CD, VCS, etc. PT AI helps to easily understand, verify, and fix flaws; has a simple UI; is highly automated and easy to use. Supported languages are Java, C#, PHP, JavaScript, Objective C, VB.Net, PL/SQL, T-SQL, and others.<br />
* [https://pumascanpro.com/ Puma Scan Professional] - A .NET C# static source code analyzer that runs as a Visual Studio IDE extension, Azure DevOps extension, and Command Line (CLI) executable.<br />
* [http://www.viva64.com/en/ PVS-Studio] (PVS-Studio) - For C/C++, C#<br />
* [https://www.softwaresecured.com/reshift reshift] - A CI/CD tool that uses static code analysis to scan for vulnerabilities and use machine learning to give a prediction on false positives.<br />
* [https://www.ripstech.com/ RIPS Code Analysis] (RIPS Technologies) - A SAST solution specialized for PHP that detects unknown security vulnerabilities and code quality issues.<br />
* [https://www.synopsys.com/software-integrity/resources/datasheets/secureassist.html SecureAssist] (Synopsys) - Scans code for insecure coding and configurations automatically as an IDE plugin for Eclipse, IntelliJ, and Visual Studio etc. Supports (Java, .NET, PHP, and JavaScript)<br />
* [https://www.whitehatsec.com/products/static-application-security-testing/ Sentinel Source] (Whitehat)<br />
* [https://www.synopsys.com/software-integrity/products/interactive-application-security-testing.html Seeker] (Synopsys) Seeker performs code security without actually doing static analysis. Seeker does Interactive Application Security Testing (IAST), correlating runtime code & data analysis with simulated attacks. It provides code level results without actually relying on static analysis.<br />
* [http://www.sourcepatrol.co.uk/ Source Patrol] (Pentest)<br />
* [https://www.defensecode.com/thunderscan.php Thunderscan SAST] (DefenseCode)<br />
* [http://www.veracode.com/products/binary-static-analysis-sast Veracode Static Analysis] (Veracode)<br />
* [http://www.xanitizer.net Xanitizer] - Scans Java for security vulnerabilities, mainly via taint analysis. Free for academic and open source projects (see [https://www.rigs-it.com/xanitizer-pricing/]).<br />
<br />
==More info==<br />
<br />
* [[Appendix_A:_Testing_Tools | Appendix A: Testing Tools]]<br />
* [http://samate.nist.gov/index.php/Source_Code_Security_Analyzers.html NIST's list of Source Code Security Analysis Tools]<br />
* [[:Category:Vulnerability_Scanning_Tools | DAST Tools]] - Similar info on Dynamic Application Security Testing (DAST) Tools<br />
<br />
[[Category:OWASP .NET Project]]<br />
[[Category:SAMM-CR-2]]<br />
__NOTOC__</div>Wichershttps://wiki.owasp.org/index.php?title=Category:Vulnerability_Scanning_Tools&diff=246349Category:Vulnerability Scanning Tools2019-01-03T15:25:04Z<p>Wichers: /* Tools Listing */</p>
<hr />
<div>== Description ==<br />
<br />
Web Application Vulnerability Scanners are automated tools that scan web applications, normally from the outside, to look for security vulnerabilities such as [[Cross-site scripting]], [[SQL Injection]], [[Command Injection]], [[Path Traversal]] and insecure server configuration. This category of tools is frequently referred to as [https://www.techopedia.com/definition/30958/dynamic-application-security-testing-dast Dynamic Application Security Testing] (DAST) Tools. A large number of both commercial and open source tools of this type are available and all of these tools have their own strengths and weaknesses. If you are interested in the effectiveness of DAST tools, check out the OWASP [[Benchmark]] project, which is scientifically measuring the effectiveness of all types of vulnerability detection tools, including DAST.<br />
<br />
Here we provide a list of vulnerability scanning tools currently available in the market.<br />
<br />
<br> '''Disclaimer:''' The tools listing in the table below are presented in an alphabetical order. <b>OWASP does not endorse any of the Vendors or Scanning Tools by listing them in the table below. We have made every effort to provide this information as accurately as possible. If you are the vendor of a tool below and think this information is incomplete or incorrect, please send an e-mail to our [mailto:owasp_ha_vulnerability_scanner_project@lists.owasp.org mailing list] and we will make every effort to correct this information.</b><br />
<br />
OWASP is aware of the [http://sectooladdict.blogspot.com/ '''Web Application Vulnerability Scanner Evaluation Project (WAVSEP)'''. WAVSEP] is completely unrelated to OWASP and we do not endorse its results, nor any of the DAST tools it evaluates. However, the results provided by WAVSEP may be helpful to someone interested in researching or selecting free and/or commercial DAST tools for their projects. This project has far more detail on DAST tools and their features than this OWASP DAST page.<br />
<br />
== Tools Listing ==<br />
<br />
{{:Template:OWASP Tool Headings}}<br />
{{OWASP Tool Info || tool_name = [http://www.acunetix.com/ Acunetix WVS] || tool_owner = Acunetix || tool_licence = Commercial / Free (Limited Capability) || tool_platforms = Windows}}<br />
{{OWASP Tool Info || tool_name = [https://www.ibm.com/us-en/marketplace/application-security-on-cloud Application Security on Cloud] || tool_owner = IBM || tool_licence = Commercial || tool_platforms = SaaS}}<br />
{{OWASP Tool Info || tool_name = [http://www-03.ibm.com/software/products/en/appscan-standard AppScan] || tool_owner = IBM || tool_licence = Commercial || tool_platforms = Windows}}<br />
{{OWASP Tool Info || tool_name = [https://www.trustwave.com/Products/Application-Security/App-Scanner-Family/App-Scanner-Enterprise/ App Scanner] || tool_owner = Trustwave || tool_licence = Commercial || tool_platforms = Windows }}<br />
{{OWASP Tool Info || tool_name = [http://www.rapid7.com/products/appspider/ AppSpider] || tool_owner = Rapid7 || tool_licence = Commercial || tool_platforms = Windows}}<br />
{{OWASP Tool Info || tool_name = [https://apptrana.indusface.com/basic/ AppTrana Website Security Scan] || tool_owner = AppTrana || tool_licence = Commercial / Free Trial || tool_platforms = SaaS}}<br />
{{OWASP Tool Info || tool_name = [http://www.arachni-scanner.com/ Arachni] || tool_owner = Arachni|| tool_licence = Free for most use cases || tool_platforms = Most platforms supported}}<br />
{{OWASP Tool Info || tool_name = [https://www.scanmyserver.com/ AVDS] || tool_owner = Beyond Security || tool_licence = Commercial / Free (Limited Capability)|| tool_platforms = SaaS }}<br />
{{OWASP Tool Info || tool_name = [https://www.blueclosure.com BlueClosure BC Detect] || tool_owner = BlueClosure || tool_licence = Commercial, 2 weeks trial || tool_platforms = Most platforms supported}}<br />
{{OWASP Tool Info || tool_name = [http://www.portswigger.net/ Burp Suite] || tool_owner = PortSwiger || tool_licence = Commercial / Free (Limited Capability)|| tool_platforms = Most platforms supported }}<br />
{{OWASP Tool Info || tool_name = [https://contrastsecurity.com Contrast] || tool_owner = Contrast Security || tool_licence = Commercial / Free (Full featured for 1 App) || tool_platforms = SaaS or On-Premises }}<br />
{{OWASP Tool Info || tool_name = [https://detectify.com/ Detectify] || tool_owner = Detectify || tool_licence = Commercial || tool_platforms = SaaS }}<br />
{{OWASP Tool Info || tool_name = [http://www.digifort.se/en/scanner Digifort- Inspect] || tool_owner = Digifort|| tool_licence = Commercial || tool_platforms = SaaS }}<br />
{{OWASP Tool Info || tool_name = [https://www.edgescan.com/ edgescan] || tool_owner = edgescan|| tool_licence = Commercial || tool_platforms = SaaS}}<br />
{{OWASP Tool Info || tool_name = [http://www.gamasec.com/Gamascan.aspx GamaScan] || tool_owner = GamaSec || tool_licence = Commercial || tool_platforms = Windows }}<br />
{{OWASP Tool Info || tool_name = [http://rgaucher.info/beta/grabber/ Grabber] || tool_owner = Romain Gaucher || tool_licence = Open Source || tool_platforms = Python 2.4, BeautifulSoup and PyXML}}<br />
{{OWASP Tool Info || tool_name = [https://gravityscan.com/ Gravityscan] || tool_owner = Defiant, Inc. || tool_licence = Commercial / Free (Limited Capability) || tool_platforms = SaaS}}<br />
{{OWASP Tool Info || tool_name = [http://sourceforge.net/p/grendel/code/ci/c59780bfd41bdf34cc13b27bc3ce694fd3cb7456/tree/ Grendel-Scan] || tool_owner = David Byrne || tool_licence = Open Source || tool_platforms = Windows, Linux and Macintosh}}<br />
{{OWASP Tool Info || tool_name = [http://www.golismero.com GoLismero] || tool_owner = GoLismero Team || tool_licence = GPLv2.0 || tool_platforms = Windows, Linux and Macintosh}}<br />
{{OWASP Tool Info || tool_name = [http://www.ikare-monitoring.com/ IKare] || tool_owner = ITrust || tool_licence = Commercial || tool_platforms = N/A }}<br />
{{OWASP Tool Info || tool_name = [https://www.htbridge.com/immuniweb/ ImmuniWeb] || tool_owner = High-Tech Bridge || tool_licence = Commercial / Free (Limited Capability)|| tool_platforms = SaaS}}<br />
{{OWASP Tool Info || tool_name = [https://www.indusface.com/index.php/products/web-application-scanning Indusface Web Application Scanning] || tool_owner = Indusface || tool_licence = Commercial || tool_platforms = SaaS}}<br />
{{OWASP Tool Info || tool_name = [http://www.nstalker.com/ N-Stealth] || tool_owner = N-Stalker || tool_licence = Commercial || tool_platforms = Windows}}<br />
{{OWASP Tool Info || tool_name = [https://www.tenable.com/products/tenable-io/web-application-scanning/ Nessus] || tool_owner = Tenable || tool_licence = Commercial || tool_platforms = Windows}}<br />
{{OWASP Tool Info || tool_name = [http://www.mavitunasecurity.com/ Netsparker] || tool_owner = MavitunaSecurity || tool_licence = Commercial || tool_platforms = Windows}}<br />
{{OWASP Tool Info || tool_name = [http://www.rapid7.com/products/nexpose-community-edition.jsp Nexpose] || tool_owner = Rapid7 || tool_licence = Commercial / Free (Limited Capability)|| tool_platforms = Windows/Linux}}<br />
{{OWASP Tool Info || tool_name = [http://www.cirt.net/nikto2 Nikto] || tool_owner = CIRT || tool_licence = Open Source|| tool_platforms = Unix/Linux}}<br />
{{OWASP Tool Info || tool_name = [http://www.milescan.com/ ParosPro] || tool_owner = MileSCAN || tool_licence = Commercial || tool_platforms = Windows}}<br />
{{OWASP Tool Info || tool_name = [https://probely.com Probe.ly] || tool_owner = Probe.ly || tool_licence = Commercial / Free (Limited Capability) || tool_platforms = SaaS}}<br />
{{OWASP Tool Info || tool_name = [http://www.websecurify.com/desktop/proxy.html Proxy.app] || tool_owner = Websecurify || tool_licence = Commercial || tool_platforms = Macintosh}}<br />
{{OWASP Tool Info || tool_name = [http://www.qualys.com/products/qg_suite/was/ QualysGuard] || tool_owner = Qualys || tool_licence = Commercial || tool_platforms = N/A}}<br />
{{OWASP Tool Info || tool_name = [http://www.beyondtrust.com/Products/RetinaNetworkSecurityScanner/ Retina] || tool_owner = BeyondTrust || tool_licence = Commercial || tool_platforms = Windows}}<br />
{{OWASP Tool Info || tool_name = [http://www.orvant.com Securus] || tool_owner = Orvant, Inc || tool_licence = Commercial || tool_platforms = N/A}}<br />
{{OWASP Tool Info || tool_name = [http://www.whitehatsec.com/home/services/services.html Sentinel] || tool_owner = WhiteHat Security || tool_licence = Commercial || tool_platforms = N/A}}<br />
{{OWASP Tool Info || tool_name = [http://www.parasoft.com/products/article.jsp?articleId=3169&redname=webtesting&referred=webtesting SOATest] || tool_owner = Parasoft || tool_licence = Commercial || tool_platforms = Windows / Linux / Solaris}}<br />
{{OWASP Tool Info || tool_name = [https://www.tinfoilsecurity.com Tinfoil Security] || tool_owner = Tinfoil Security, Inc. || tool_licence = Commercial / Free (Limited Capability) || tool_platforms = SaaS or On-Premises}}<br />
{{OWASP Tool Info || tool_name = [https://www.trustwave.com/external-vulnerability-scanning.php Trustkeeper Scanner] || tool_owner = Trustwave SpiderLabs || tool_licence = Commercial || tool_platforms = SaaS}}<br />
{{OWASP Tool Info || tool_name = [https://subgraph.com/vega/ Vega] || tool_owner = Subgraph || tool_licence = Open Source || tool_platforms = Windows, Linux and Macintosh}}<br />
{{OWASP Tool Info || tool_name = [http://wapiti.sourceforge.net/ Wapiti] || tool_owner = Informática Gesfor || tool_licence = Open Source || tool_platforms = Windows, Unix/Linux and Macintosh}}<br />
{{OWASP Tool Info || tool_name = [https://www.defensecode.com/webscanner.php Web Security Scanner] || tool_owner = DefenseCode || tool_licence = Commercial || tool_platforms = On-Premises}}<br />
{{OWASP Tool Info || tool_name = [http://www.tripwire.com/it-security-software/enterprise-vulnerability-management/web-application-vulnerability-scanning/ WebApp360] || tool_owner = TripWire || tool_licence = Commercial || tool_platforms = Windows}}<br />
{{OWASP Tool Info || tool_name = [https://webcookies.org WebCookies] || tool_owner = WebCookies || tool_licence = Free|| tool_platforms = SaaS}}<br />
{{OWASP Tool Info || tool_name = [http://www8.hp.com/us/en/software-solutions/software.html?compURI=1341991#.Uuf0KBAo4iw WebInspect] || tool_owner = HP || tool_licence = Commercial || tool_platforms = Windows}}<br />
{{OWASP Tool Info || tool_name = [http://www.websecurify.com/desktop/webreaver.html WebReaver] || tool_owner = Websecurify || tool_licence = Commercial || tool_platforms = Macintosh}}<br />
{{OWASP Tool Info || tool_name = [http://www.german-websecurity.com/en/products/webscanservice/product-details/overview/ WebScanService] || tool_owner = German Web Security || tool_licence = Commercial || tool_platforms = N/A}}<br />
{{OWASP Tool Info || tool_name = [https://suite.websecurify.com/ Websecurify Suite] || tool_owner = Websecurify || tool_licence = Commercial / Free (Limited Capability) || tool_platforms = Windows, Linux, Macintosh}}<br />
{{OWASP Tool Info || tool_name = [http://www.sensepost.com/research/wikto/ Wikto] || tool_owner = Sensepost || tool_licence = Open Source || tool_platforms = Windows}}<br />
{{OWASP Tool Info || tool_name = [http://www.w3af.org/ w3af] || tool_owner = w3af.org || tool_licence = GPLv2.0 || tool_platforms = Linux and Mac}}<br />
{{OWASP Tool Info || tool_name = [https://www.owasp.org/index.php/OWASP_Xenotix_XSS_Exploit_Framework Xenotix XSS Exploit Framework] || tool_owner = OWASP || tool_licence = Open Source || tool_platforms = Windows}}<br />
{{OWASP Tool Info || tool_name = [https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project Zed Attack Proxy] || tool_owner = OWASP || tool_licence = Open Source || tool_platforms = Windows, Unix/Linux and Macintosh}}<br />
|}<br />
<br />
== References ==<br />
<br />
*[[Source_Code_Analysis_Tools | SAST Tools]] - OWASP page with similar information on Static Application Security Testing (SAST) Tools<br />
*http://sectooladdict.blogspot.com/ - Web Application Vulnerability Scanner Evaluation Project (WAVSEP)<br />
*http://projects.webappsec.org/Web-Application-Security-Scanner-Evaluation-Criteria - v1.0 (2009)<br />
*http://www.slideshare.net/lbsuto/accuracy-and-timecostsofwebappscanners - White Paper: Analyzing the Accuracy and Time Costs of WebApplication Security Scanners - By Larry Suto (2010)<br />
*http://samate.nist.gov/index.php/Web_Application_Vulnerability_Scanners.html - NIST home page which links to: NIST Special Publication 500-269: Software Assurance Tools: Web Application Security Scanner Functional Specification Version 1.0 (21 August, 2007)<br />
*http://www.softwareqatest.com/qatweb1.html#SECURITY - A list of Web Site Security Test Tools. (Has both DAST and SAST tools)<br />
<br />
[[Category:OWASP_Tools_Project]]</div>Wichershttps://wiki.owasp.org/index.php?title=OWASP_Dependency_Check&diff=246336OWASP Dependency Check2019-01-02T21:46:28Z<p>Wichers: /* Quick Download */</p>
<hr />
<div>=Main=<br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=]]</div><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
==OWASP Dependency-Check==<br />
<br />
Dependency-Check is a utility that identifies project dependencies and checks if there are any known, publicly disclosed, vulnerabilities. Currently, Java and .NET are supported; additional experimental support has been added for Ruby, Node.js, Python, and limited support for C/C++ build systems (autoconf and cmake). The tool can be part of a solution to the [[Top_10-2017_A9-Using_Components_with_Known_Vulnerabilities | OWASP Top 10 2017 A9-Using Components with Known Vulnerabilities]] previously known as [[Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities | OWASP Top 10 2013 A9-Using Components with Known Vulnerabilities]].<br />
<br />
==Introduction==<br />
<br />
The OWASP Top 10 2013 contains a new entry: [[Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities | A9-Using Components with Known Vulnerabilities]]. Dependency Check can currently be used to scan applications (and their dependent libraries) to identify any known vulnerable components.<br />
<br />
The problem with using known vulnerable components was described very well in a paper by Jeff Williams and Arshan Dabirsiaghi titled, "[https://cdn2.hubspot.net/hub/203759/file-1100864196-pdf/docs/Contrast_-_Insecure_Libraries_2014.pdf Unfortunate Reality of Insecure Libraries]". The gist of the paper is that we as a development community include third party libraries in our applications that contain well known published vulnerabilities (such as those at the [https://nvd.nist.gov/vuln/search National Vulnerability Database]).<br />
<br />
Dependency-check has a command line interface, a Maven plugin, an Ant task, and a Jenkins plugin. The core engine contains a series of analyzers that inspect the project dependencies, collect pieces of information about the dependencies (referred to as evidence within the tool). The evidence is then used to identify the [https://nvd.nist.gov/products/cpe Common Platform Enumeration (CPE)] for the given dependency. If a CPE is identified, a listing of associated [https://cve.mitre.org/ Common Vulnerability and Exposure (CVE)] entries are listed in a report.<br />
<br />
Dependency-check automatically updates itself using the [https://nvd.nist.gov/vuln/data-feeds NVD Data Feeds] hosted by NIST. '''IMPORTANT NOTE:''' The initial download of the data may take ten minutes or more. If you run the tool at least once every seven days, only a small XML file needs to be downloaded to keep the local copy of the data current.<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Quick Download ==<br />
<br />
Version 4.0.2<br />
* [https://dl.bintray.com/jeremy-long/owasp/dependency-check-4.0.2-release.zip Command Line]<br />
* [https://dl.bintray.com/jeremy-long/owasp/dependency-check-ant-4.0.2-release.zip Ant Task]<br />
* [https://search.maven.org/#artifactdetails%7Corg.owasp%7Cdependency-check-maven%7C4.0.2%7Cmaven-plugin Maven Plugin]<br />
* [https://search.maven.org/#artifactdetails%7Corg.owasp%7Cdependency-check-gradle%7C4.0.2%7Cgradle-plugin Gradle Plugin]<br />
* [https://plugins.jenkins.io/dependency-check-jenkins-plugin Jenkins Plugin]<br />
* [https://brew.sh/ Mac Homebrew]:<br><code>brew update && brew install dependency-check</code><br />
<br />
Other Plugins<br />
* [https://search.maven.org/#search%7Cga%7C1%7Cg%3A%22net.vonbuchholtz%22%20a%3A%22sbt-dependency-check%22 sbt Plugin]<br />
* [https://github.com/livingsocial/lein-dependency-check lein-dependency-check]<br />
<br />
== Integrations ==<br />
* [https://github.com/stevespringett/dependency-check-sonar-plugin SonarQube Plugin]<br />
<br />
== Links ==<br />
<br />
* [https://github.com/jeremylong/DependencyCheck github]<br />
* [https://github.com/jeremylong/dependency-check-gradle gradle source]<br />
* [https://github.com/albuch/sbt-dependency-check sbt source]<br />
* [https://github.com/jenkinsci/dependency-check-plugin jenkins source]<br />
* [https://www.ohloh.net/p/dependencycheck Ohloh]<br />
* [https://bintray.com/jeremy-long/owasp Bintray]<br />
<br />
== Documentation ==<br />
<br />
* [https://jeremylong.github.io/DependencyCheck/ Documentation (on GitHub)]<br />
<br />
== Mailing List ==<br />
<br />
* [mailto:dependency-check+subscribe@googlegroups.com Subscribe]<br />
* [mailto:dependency-check@googlegroups.com Post]<br />
* [https://groups.google.com/forum/#!forum/dependency-check Archived Posts]<br />
<br />
== Presentation ==<br />
<br />
* [https://jeremylong.github.io/DependencyCheck/general/dependency-check.pdf dependency-check (PDF)]<br />
* [https://jeremylong.github.io/DependencyCheck/general/dependency-check.pptx dependency-check (PPTX)]<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| rowspan="2" align="center" valign="top" width="50%" | [[File:Owasp-flagship-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]<br />
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=https://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= Acknowledgements =<br />
==Volunteers==<br />
Dependency-Check is developed by a team of volunteers. The primary contributors to date have been:<br />
<br />
* [[User:Jeremy Long|Jeremy Long]]<br />
* [[User:Steve Springett|Steve Springett]]<br />
* [[User:Will Stranathan|Will Stranathan]]<br />
<br />
= Road Map and Getting Involved =<br />
As of March 2015, the top priorities are:<br />
* Resolving all open [https://github.com/jeremylong/DependencyCheck/issues?state=open github issues/feature requests]<br />
* Improving analysis for .NET DLLs<br />
<br />
Involvement in the development and promotion of dependency-check is actively encouraged! You do not have to be a security expert in order to contribute. How you can help:<br />
* Use the tool<br />
* Provide feedback via the [https://groups.google.com/forum/?fromgroups#!forum/dependency-check mailing list] or by creating [https://github.com/jeremylong/DependencyCheck/issues?state=open github issues] (both bugs and feature requests are encouraged)<br />
* The project source code is hosted on [https://github.com/jeremylong/DependencyCheck/ github] - if you are so inclined fork it and provide push requests!<br />
<br />
<br />
__NOTOC__ <headertabs></headertabs> <br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Builders]] <br />
[[Category:OWASP_Defenders]] <br />
[[Category:OWASP_Document]]</div>Wichershttps://wiki.owasp.org/index.php?title=OWASP_Dependency_Check&diff=246335OWASP Dependency Check2019-01-02T21:45:38Z<p>Wichers: </p>
<hr />
<div>=Main=<br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=]]</div><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
==OWASP Dependency-Check==<br />
<br />
Dependency-Check is a utility that identifies project dependencies and checks if there are any known, publicly disclosed, vulnerabilities. Currently, Java and .NET are supported; additional experimental support has been added for Ruby, Node.js, Python, and limited support for C/C++ build systems (autoconf and cmake). The tool can be part of a solution to the [[Top_10-2017_A9-Using_Components_with_Known_Vulnerabilities | OWASP Top 10 2017 A9-Using Components with Known Vulnerabilities]] previously known as [[Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities | OWASP Top 10 2013 A9-Using Components with Known Vulnerabilities]].<br />
<br />
==Introduction==<br />
<br />
The OWASP Top 10 2013 contains a new entry: [[Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities | A9-Using Components with Known Vulnerabilities]]. Dependency Check can currently be used to scan applications (and their dependent libraries) to identify any known vulnerable components.<br />
<br />
The problem with using known vulnerable components was described very well in a paper by Jeff Williams and Arshan Dabirsiaghi titled, "[https://cdn2.hubspot.net/hub/203759/file-1100864196-pdf/docs/Contrast_-_Insecure_Libraries_2014.pdf Unfortunate Reality of Insecure Libraries]". The gist of the paper is that we as a development community include third party libraries in our applications that contain well known published vulnerabilities (such as those at the [https://nvd.nist.gov/vuln/search National Vulnerability Database]).<br />
<br />
Dependency-check has a command line interface, a Maven plugin, an Ant task, and a Jenkins plugin. The core engine contains a series of analyzers that inspect the project dependencies, collect pieces of information about the dependencies (referred to as evidence within the tool). The evidence is then used to identify the [https://nvd.nist.gov/products/cpe Common Platform Enumeration (CPE)] for the given dependency. If a CPE is identified, a listing of associated [https://cve.mitre.org/ Common Vulnerability and Exposure (CVE)] entries are listed in a report.<br />
<br />
Dependency-check automatically updates itself using the [https://nvd.nist.gov/vuln/data-feeds NVD Data Feeds] hosted by NIST. '''IMPORTANT NOTE:''' The initial download of the data may take ten minutes or more. If you run the tool at least once every seven days, only a small XML file needs to be downloaded to keep the local copy of the data current.<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Quick Download ==<br />
<br />
Version 4.0.2<br />
* [https://dl.bintray.com/jeremy-long/owasp/dependency-check-4.0.2-release.zip Command Line]<br />
* [https://dl.bintray.com/jeremy-long/owasp/dependency-check-ant-4.0.2-release.zip Ant Task]<br />
* [https://search.maven.org/#artifactdetails%7Corg.owasp%7Cdependency-check-maven%7C4.0.2%7Cmaven-plugin Maven Plugin]<br />
* [https://search.maven.org/#artifactdetails%7Corg.owasp%7Cdependency-check-gradle%7C4.0.2%7Cgradle-plugin Gradle Plugin]<br />
* [httpss://plugins.jenkins.io/dependency-check-jenkins-plugin Jenkins Plugin]<br />
* [https://brew.sh/ Mac Homebrew]:<br><code>brew update && brew install dependency-check</code><br />
<br />
Other Plugins<br />
* [https://search.maven.org/#search%7Cga%7C1%7Cg%3A%22net.vonbuchholtz%22%20a%3A%22sbt-dependency-check%22 sbt Plugin]<br />
* [https://github.com/livingsocial/lein-dependency-check lein-dependency-check]<br />
<br />
== Integrations ==<br />
* [https://github.com/stevespringett/dependency-check-sonar-plugin SonarQube Plugin]<br />
<br />
== Links ==<br />
<br />
* [https://github.com/jeremylong/DependencyCheck github]<br />
* [https://github.com/jeremylong/dependency-check-gradle gradle source]<br />
* [https://github.com/albuch/sbt-dependency-check sbt source]<br />
* [https://github.com/jenkinsci/dependency-check-plugin jenkins source]<br />
* [https://www.ohloh.net/p/dependencycheck Ohloh]<br />
* [https://bintray.com/jeremy-long/owasp Bintray]<br />
<br />
== Documentation ==<br />
<br />
* [https://jeremylong.github.io/DependencyCheck/ Documentation (on GitHub)]<br />
<br />
== Mailing List ==<br />
<br />
* [mailto:dependency-check+subscribe@googlegroups.com Subscribe]<br />
* [mailto:dependency-check@googlegroups.com Post]<br />
* [https://groups.google.com/forum/#!forum/dependency-check Archived Posts]<br />
<br />
== Presentation ==<br />
<br />
* [https://jeremylong.github.io/DependencyCheck/general/dependency-check.pdf dependency-check (PDF)]<br />
* [https://jeremylong.github.io/DependencyCheck/general/dependency-check.pptx dependency-check (PPTX)]<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| rowspan="2" align="center" valign="top" width="50%" | [[File:Owasp-flagship-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]<br />
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=https://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= Acknowledgements =<br />
==Volunteers==<br />
Dependency-Check is developed by a team of volunteers. The primary contributors to date have been:<br />
<br />
* [[User:Jeremy Long|Jeremy Long]]<br />
* [[User:Steve Springett|Steve Springett]]<br />
* [[User:Will Stranathan|Will Stranathan]]<br />
<br />
= Road Map and Getting Involved =<br />
As of March 2015, the top priorities are:<br />
* Resolving all open [https://github.com/jeremylong/DependencyCheck/issues?state=open github issues/feature requests]<br />
* Improving analysis for .NET DLLs<br />
<br />
Involvement in the development and promotion of dependency-check is actively encouraged! You do not have to be a security expert in order to contribute. How you can help:<br />
* Use the tool<br />
* Provide feedback via the [https://groups.google.com/forum/?fromgroups#!forum/dependency-check mailing list] or by creating [https://github.com/jeremylong/DependencyCheck/issues?state=open github issues] (both bugs and feature requests are encouraged)<br />
* The project source code is hosted on [https://github.com/jeremylong/DependencyCheck/ github] - if you are so inclined fork it and provide push requests!<br />
<br />
<br />
__NOTOC__ <headertabs></headertabs> <br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Builders]] <br />
[[Category:OWASP_Defenders]] <br />
[[Category:OWASP_Document]]</div>Wichershttps://wiki.owasp.org/index.php?title=OWASP_Dependency_Check&diff=246334OWASP Dependency Check2019-01-02T21:41:39Z<p>Wichers: /* Quick Download */</p>
<hr />
<div>=Main=<br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=]]</div><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
==OWASP Dependency-Check==<br />
<br />
Dependency-Check is a utility that identifies project dependencies and checks if there are any known, publicly disclosed, vulnerabilities. Currently, Java and .NET are supported; additional experimental support has been added for Ruby, Node.js, Python, and limited support for C/C++ build systems (autoconf and cmake). The tool can be part of a solution to the [[Top_10-2017_A9-Using_Components_with_Known_Vulnerabilities | OWASP Top 10 2017 A9-Using Components with Known Vulnerabilities]] previously known as [[Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities | OWASP Top 10 2013 A9-Using Components with Known Vulnerabilities]].<br />
<br />
==Introduction==<br />
<br />
The OWASP Top 10 2013 contains a new entry: [[Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities | A9-Using Components with Known Vulnerabilities]]. Dependency-check can currently be used to scan applications (and their dependent libraries) to identify any known vulnerable components.<br />
<br />
The problem with using known vulnerable components was described very well in a paper by Jeff Williams and Arshan Dabirsiaghi titled, "[https://cdn2.hubspot.net/hub/203759/file-1100864196-pdf/docs/Contrast_-_Insecure_Libraries_2014.pdf Unfortunate Reality of Insecure Libraries]". The gist of the paper is that we as a development community include third party libraries in our applications that contain well known published vulnerabilities (such as those at the [https://nvd.nist.gov/vuln/search National Vulnerability Database]).<br />
<br />
Dependency-check has a command line interface, a Maven plugin, an Ant task, and a Jenkins plugin. The core engine contains a series of analyzers that inspect the project dependencies, collect pieces of information about the dependencies (referred to as evidence within the tool). The evidence is then used to identify the [https://nvd.nist.gov/products/cpe Common Platform Enumeration (CPE)] for the given dependency. If a CPE is identified, a listing of associated [http://cve.mitre.org/ Common Vulnerability and Exposure (CVE)] entries are listed in a report.<br />
<br />
Dependency-check automatically updates itself using the [https://nvd.nist.gov/vuln/data-feeds NVD Data Feeds] hosted by NIST. '''IMPORTANT NOTE:''' The initial download of the data may take ten minutes or more, if you run the tool at least once every seven days only a small XML file needs to be downloaded to keep the local copy of the data current.<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Quick Download ==<br />
<br />
Version 4.0.2<br />
* [https://dl.bintray.com/jeremy-long/owasp/dependency-check-4.0.2-release.zip Command Line]<br />
* [https://dl.bintray.com/jeremy-long/owasp/dependency-check-ant-4.0.2-release.zip Ant Task]<br />
* [https://search.maven.org/#artifactdetails%7Corg.owasp%7Cdependency-check-maven%7C4.0.2%7Cmaven-plugin Maven Plugin]<br />
* [https://search.maven.org/#artifactdetails%7Corg.owasp%7Cdependency-check-gradle%7C4.0.2%7Cgradle-plugin Gradle Plugin]<br />
* [httpss://plugins.jenkins.io/dependency-check-jenkins-plugin Jenkins Plugin]<br />
* [https://brew.sh/ Mac Homebrew]:<br><code>brew update && brew install dependency-check</code><br />
<br />
Other Plugins<br />
* [https://search.maven.org/#search%7Cga%7C1%7Cg%3A%22net.vonbuchholtz%22%20a%3A%22sbt-dependency-check%22 sbt Plugin]<br />
* [https://github.com/livingsocial/lein-dependency-check lein-dependency-check]<br />
<br />
== Integrations ==<br />
* [https://github.com/stevespringett/dependency-check-sonar-plugin SonarQube Plugin]<br />
<br />
== Links ==<br />
<br />
* [https://github.com/jeremylong/DependencyCheck github]<br />
* [https://github.com/jeremylong/dependency-check-gradle gradle source]<br />
* [https://github.com/albuch/sbt-dependency-check sbt source]<br />
* [https://github.com/jenkinsci/dependency-check-plugin jenkins source]<br />
* [https://www.ohloh.net/p/dependencycheck Ohloh]<br />
* [https://bintray.com/jeremy-long/owasp Bintray]<br />
<br />
== Documentation ==<br />
<br />
* [https://jeremylong.github.io/DependencyCheck/ Documentation (on GitHub)]<br />
<br />
== Mailing List ==<br />
<br />
* [mailto:dependency-check+subscribe@googlegroups.com Subscribe]<br />
* [mailto:dependency-check@googlegroups.com Post]<br />
* [https://groups.google.com/forum/#!forum/dependency-check Archived Posts]<br />
<br />
== Presentation ==<br />
<br />
* [https://jeremylong.github.io/DependencyCheck/general/dependency-check.pdf dependency-check (PDF)]<br />
* [https://jeremylong.github.io/DependencyCheck/general/dependency-check.pptx dependency-check (PPTX)]<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| rowspan="2" align="center" valign="top" width="50%" | [[File:Owasp-flagship-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]<br />
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= Acknowledgements =<br />
==Volunteers==<br />
Dependency-Check is developed by a team of volunteers. The primary contributors to date have been:<br />
<br />
* [[User:Jeremy Long|Jeremy Long]]<br />
* [[User:Steve Springett|Steve Springett]]<br />
* [[User:Will Stranathan|Will Stranathan]]<br />
<br />
= Road Map and Getting Involved =<br />
As of March 2015, the top priorities are:<br />
* Resolving all open [https://github.com/jeremylong/DependencyCheck/issues?state=open github issues/feature requests]<br />
* Improving analysis for .NET Dlls<br />
<br />
Involvement in the development and promotion of dependency-check is actively encouraged!<br />
You do not have to be a security expert in order to contribute. How you can help:<br />
* Use the tool<br />
* Provide feedback via the [https://groups.google.com/forum/?fromgroups#!forum/dependency-check mailing list] or by creating [https://github.com/jeremylong/DependencyCheck/issues?state=open github issues] (both bugs and feature requests are encouraged)<br />
* The project source code is hosted on [https://github.com/jeremylong/DependencyCheck/ github] - if you are so inclined fork it and provide push requests!<br />
<br />
<br />
__NOTOC__ <headertabs></headertabs> <br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Builders]] <br />
[[Category:OWASP_Defenders]] <br />
[[Category:OWASP_Document]]</div>Wichershttps://wiki.owasp.org/index.php?title=OWASP_Dependency_Check&diff=246333OWASP Dependency Check2019-01-02T21:36:28Z<p>Wichers: </p>
<hr />
<div>=Main=<br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=]]</div><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
==OWASP Dependency-Check==<br />
<br />
Dependency-Check is a utility that identifies project dependencies and checks if there are any known, publicly disclosed, vulnerabilities. Currently, Java and .NET are supported; additional experimental support has been added for Ruby, Node.js, Python, and limited support for C/C++ build systems (autoconf and cmake). The tool can be part of a solution to the [[Top_10-2017_A9-Using_Components_with_Known_Vulnerabilities | OWASP Top 10 2017 A9-Using Components with Known Vulnerabilities]] previously known as [[Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities | OWASP Top 10 2013 A9-Using Components with Known Vulnerabilities]].<br />
<br />
==Introduction==<br />
<br />
The OWASP Top 10 2013 contains a new entry: [[Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities | A9-Using Components with Known Vulnerabilities]]. Dependency-check can currently be used to scan applications (and their dependent libraries) to identify any known vulnerable components.<br />
<br />
The problem with using known vulnerable components was described very well in a paper by Jeff Williams and Arshan Dabirsiaghi titled, "[https://cdn2.hubspot.net/hub/203759/file-1100864196-pdf/docs/Contrast_-_Insecure_Libraries_2014.pdf Unfortunate Reality of Insecure Libraries]". The gist of the paper is that we as a development community include third party libraries in our applications that contain well known published vulnerabilities (such as those at the [https://nvd.nist.gov/vuln/search National Vulnerability Database]).<br />
<br />
Dependency-check has a command line interface, a Maven plugin, an Ant task, and a Jenkins plugin. The core engine contains a series of analyzers that inspect the project dependencies, collect pieces of information about the dependencies (referred to as evidence within the tool). The evidence is then used to identify the [https://nvd.nist.gov/products/cpe Common Platform Enumeration (CPE)] for the given dependency. If a CPE is identified, a listing of associated [http://cve.mitre.org/ Common Vulnerability and Exposure (CVE)] entries are listed in a report.<br />
<br />
Dependency-check automatically updates itself using the [https://nvd.nist.gov/vuln/data-feeds NVD Data Feeds] hosted by NIST. '''IMPORTANT NOTE:''' The initial download of the data may take ten minutes or more, if you run the tool at least once every seven days only a small XML file needs to be downloaded to keep the local copy of the data current.<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Quick Download ==<br />
<br />
Version 4.0.1<br />
* [https://dl.bintray.com/jeremy-long/owasp/dependency-check-4.0.2-release.zip Command Line]<br />
* [https://dl.bintray.com/jeremy-long/owasp/dependency-check-ant-4.0.2-release.zip Ant Task]<br />
* [https://search.maven.org/#artifactdetails%7Corg.owasp%7Cdependency-check-maven%7C4.0.2%7Cmaven-plugin Maven Plugin]<br />
* [https://search.maven.org/#artifactdetails%7Corg.owasp%7Cdependency-check-gradle%7C4.0.2%7Cgradle-plugin Gradle Plugin]<br />
* [httpss://plugins.jenkins.io/dependency-check-jenkins-plugin Jenkins Plugin]<br />
* [https://brew.sh/ Mac Homebrew]:<br><code>brew update && brew install dependency-check</code><br />
<br />
Other Plugins<br />
* [https://search.maven.org/#search%7Cga%7C1%7Cg%3A%22net.vonbuchholtz%22%20a%3A%22sbt-dependency-check%22 sbt Plugin]<br />
* [https://github.com/livingsocial/lein-dependency-check lein-dependency-check]<br />
<br />
== Integrations ==<br />
* [https://github.com/stevespringett/dependency-check-sonar-plugin SonarQube Plugin]<br />
<br />
== Links ==<br />
<br />
* [https://github.com/jeremylong/DependencyCheck github]<br />
* [https://github.com/jeremylong/dependency-check-gradle gradle source]<br />
* [https://github.com/albuch/sbt-dependency-check sbt source]<br />
* [https://github.com/jenkinsci/dependency-check-plugin jenkins source]<br />
* [https://www.ohloh.net/p/dependencycheck Ohloh]<br />
* [https://bintray.com/jeremy-long/owasp Bintray]<br />
<br />
== Documentation ==<br />
<br />
* [https://jeremylong.github.io/DependencyCheck/ Documentation (on GitHub)]<br />
<br />
== Mailing List ==<br />
<br />
* [mailto:dependency-check+subscribe@googlegroups.com Subscribe]<br />
* [mailto:dependency-check@googlegroups.com Post]<br />
* [https://groups.google.com/forum/#!forum/dependency-check Archived Posts]<br />
<br />
== Presentation ==<br />
<br />
* [https://jeremylong.github.io/DependencyCheck/general/dependency-check.pdf dependency-check (PDF)]<br />
* [https://jeremylong.github.io/DependencyCheck/general/dependency-check.pptx dependency-check (PPTX)]<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| rowspan="2" align="center" valign="top" width="50%" | [[File:Owasp-flagship-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]<br />
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= Acknowledgements =<br />
==Volunteers==<br />
Dependency-Check is developed by a team of volunteers. The primary contributors to date have been:<br />
<br />
* [[User:Jeremy Long|Jeremy Long]]<br />
* [[User:Steve Springett|Steve Springett]]<br />
* [[User:Will Stranathan|Will Stranathan]]<br />
<br />
= Road Map and Getting Involved =<br />
As of March 2015, the top priorities are:<br />
* Resolving all open [https://github.com/jeremylong/DependencyCheck/issues?state=open github issues/feature requests]<br />
* Improving analysis for .NET Dlls<br />
<br />
Involvement in the development and promotion of dependency-check is actively encouraged!<br />
You do not have to be a security expert in order to contribute. How you can help:<br />
* Use the tool<br />
* Provide feedback via the [https://groups.google.com/forum/?fromgroups#!forum/dependency-check mailing list] or by creating [https://github.com/jeremylong/DependencyCheck/issues?state=open github issues] (both bugs and feature requests are encouraged)<br />
* The project source code is hosted on [https://github.com/jeremylong/DependencyCheck/ github] - if you are so inclined fork it and provide push requests!<br />
<br />
<br />
__NOTOC__ <headertabs></headertabs> <br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Builders]] <br />
[[Category:OWASP_Defenders]] <br />
[[Category:OWASP_Document]]</div>Wichershttps://wiki.owasp.org/index.php?title=Benchmark&diff=245977Benchmark2018-12-12T04:16:35Z<p>Wichers: </p>
<hr />
<div>= Main = <br />
<div style="width:100%;height:100px;border:0,margin:0;overflow: hidden;">[[File:Lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== OWASP Benchmark Project ==<br />
The OWASP Benchmark for Security Automation (OWASP Benchmark) is a free and open test suite designed to evaluate the speed, coverage, and accuracy of automated software vulnerability detection tools and services (henceforth simply referred to as 'tools'). Without the ability to measure these tools, it is difficult to understand their strengths and weaknesses, and compare them to each other. Each version of the OWASP Benchmark contains thousands of test cases that are fully runnable and exploitable, each of which maps to the appropriate CWE number for that vulnerability.<br />
<br />
You can use the OWASP Benchmark with [[Source_Code_Analysis_Tools | Static Application Security Testing (SAST)]] tools, [[:Category:Vulnerability_Scanning_Tools | Dynamic Application Security Testing (DAST)]] tools like OWASP [[ZAP]] and Interactive Application Security Testing (IAST) tools. Benchmark is implemented in Java. Future versions may expand to include other languages.<br />
<br />
==Benchmark Project Scoring Philosophy==<br />
<br />
Security tools (SAST, DAST, and IAST) are amazing when they find a complex vulnerability in your code. But with widespread misunderstanding of the specific vulnerabilities automated tools cover, end users are often left with a false sense of security.<br />
<br />
We are on a quest to measure just how good these tools are at discovering and properly diagnosing security problems in applications. We rely on the [http://en.wikipedia.org/wiki/Receiver_operating_characteristic long history] of military and medical evaluation of detection technology as a foundation for our research. Therefore, the test suite tests both real and fake vulnerabilities.<br />
<br />
There are four possible test outcomes in the Benchmark:<br />
<br />
# Tool correctly identifies a real vulnerability (True Positive - TP)<br />
# Tool fails to identify a real vulnerability (False Negative - FN)<br />
# Tool correctly ignores a false alarm (True Negative - TN)<br />
# Tool fails to ignore a false alarm (False Positive - FP)<br />
<br />
We can learn a lot about a tool from these four metrics. Consider a tool that simply flags every line of code as vulnerable. This tool will perfectly identify all vulnerabilities! But it will also have 100% false positives and thus adds no value. Similarly, consider a tool that reports absolutely nothing. This tool will have zero false positives, but will also identify zero real vulnerabilities and is also worthless. You can even imagine a tool that flips a coin to decide whether to report whether each test case contains a vulnerability. The result would be 50% true positives and 50% false positives. We need a way to distinguish valuable security tools from these trivial ones.<br />
<br />
If you imagine the line that connects all these points, from 0,0 to 100,100 establishes a line that roughly translates to "random guessing." The ultimate measure of a security tool is how much better it can do than this line. The diagram below shows how we will evaluate security tools against the Benchmark.<br />
<br />
[[File:Wbe guide.png]]<br />
<br />
A point plotted on this chart provides a visual indication of how well a tool did considering both the True Positives the tool reported, as well as the False Positives it reported. We also want to compute an individual score for that point in the range 0 - 100, which we call the Benchmark Accuracy Score.<br />
<br />
The Benchmark Accuracy Score is essentially a [https://en.wikipedia.org/wiki/Youden%27s_J_statistic Youden Index], which is a standard way of summarizing the accuracy of a set of tests. Youden's index is one of the oldest measures for diagnostic accuracy. It is also a global measure of a test performance, used for the evaluation of overall discriminative power of a diagnostic procedure and for comparison of this test with other tests. Youden's index is calculated by deducting 1 from the sum of a test’s sensitivity and specificity expressed not as percentage but as a part of a whole number: (sensitivity + specificity) – 1. For a test with poor diagnostic accuracy, Youden's index equals 0, and in a perfect test Youden's index equals 1.<br />
<br />
So for example, if a tool has a True Positive Rate (TPR) of .98 (i.e., 98%) <br />
and False Positive Rate (FPR) of .05 (i.e., 5%)<br />
Sensitivity = TPR (.98)<br />
Specificity = 1-FPR (.95)<br />
So the Youden Index is (.98+.95) - 1 = .93<br />
<br />
And this would equate to a Benchmark score of 93 (since we normalize this to the range 0 - 100)<br />
<br />
On the graph, the Benchmark Score is the length of the line from the point down to the diagonal “guessing” line. Note that a Benchmark score can actually be negative if the point is below the line. This is caused when the False Positive Rate is actually higher than the True Positive Rate.<br />
<br />
==Benchmark Validity==<br />
<br />
The Benchmark tests are not exactly like real applications. The tests are derived from coding patterns observed in real applications, but the majority of them are considerably '''simpler''' than real applications. That is, most real world applications will be considerably harder to successfully analyze than the OWASP Benchmark Test Suite. Although the tests are based on real code, it is possible that some tests may have coding patterns that don't occur frequently in real code.<br />
<br />
Remember, we are trying to test the capabilities of the tools and make them explicit, so that users can make informed decisions about what tools to use, how to use them, and what results to expect. This is exactly aligned with the OWASP mission to make application security visible.<br />
<br />
==Generating Benchmark Scores==<br />
<br />
Anyone can use this Benchmark to evaluate vulnerability detection tools. The basic steps are:<br />
# Download the Benchmark from GitHub<br />
# Run your tools against the Benchmark<br />
# Run the BenchmarkScore tool on the reports from your tools<br />
<br />
That's it!<br />
<br />
Full details on how to do this are at the bottom of the page on the Quick_Start tab.<br />
<br />
We encourage both vendors, open source tools, and end users to verify their application security tools against the Benchmark. In order to ensure that the results are fair and useful, we ask that you follow a few simple rules when publishing results. We won't recognize any results that aren't easily reproducible:<br />
<br />
# A description of the default “out-of-the-box” installation, version numbers, etc…<br />
# Any and all configuration, tailoring, onboarding, etc… performed to make the tool run<br />
# Any and all changes to default security rules, tests, or checks used to achieve the results<br />
# Easily reproducible steps to run the tool<br />
<br />
== Reporting Format==<br />
<br />
The Benchmark includes tools to interpret raw tool output, compare it to the expected results, and generate summary charts and graphs. We use the following table format in order to capture all the information generated during the evaluation.<br />
<br />
{| class="wikitable nowraplinks"<br />
|-<br />
! style="background:#DDDDDD" | Security Category<br />
! TP<br />
! FN<br />
! TN<br />
! FP<br />
! style="background:#DDDDDD" | Total<br />
! TPR<br />
! FPR<br />
! style="background:#DDDDDD" | Score<br />
|-<br />
! style="background:#DDDDDD" valign="top" width="11%"| General security category for test cases.<br />
| valign="top" width="11%"| '''True Positives''': Tests with real vulnerabilities that were correctly reported as vulnerable by the tool.<br />
| valign="top" width="11%"| '''False Negative''': Tests with real vulnerabilities that were not correctly reported as vulnerable by the tool.<br />
| valign="top" width="11%"| '''True Negative''': Tests with fake vulnerabilities that were correctly not reported as vulnerable by the tool.<br />
| valign="top" width="11%"| '''False Positive''':Tests with fake vulnerabilities that were incorrectly reported as vulnerable by the tool.<br />
| style="background:#DDDDDD" valign="top" width="11%"| Total test cases for this category.<br />
| valign="top" width="11%"| '''True Positive Rate''': TP / ( TP + FN ) - Also referred to as Precision, as defined at [https://en.wikipedia.org/wiki/Precision_and_recall Wikipedia].<br />
| valign="top" width="11%"| '''False Positive Rate''': FP / ( FP + TN ).<br />
| style="background:#DDDDDD" valign="top" width="11%"| Normalized distance from the “guess line” TPR - FPR.<br />
|-<br />
! style="background:#DDDDDD" | Command Injection<br />
| ...<br />
| ...<br />
| ...<br />
| ...<br />
| style="background:#DDDDDD" | ...<br />
| ...<br />
| ...<br />
| style="background:#DDDDDD" | ...<br />
|-<br />
! style="background:#DDDDDD" | Etc...<br />
| ...<br />
| ...<br />
| ...<br />
| ...<br />
| style="background:#DDDDDD" | ...<br />
| ...<br />
| ...<br />
| style="background:#DDDDDD" | ...<br />
|-<br />
! style="background:#DDDDDD" | <br />
! Total TP<br />
! Total FN<br />
! Total TN<br />
! Total FP<br />
! style="background:#DDDDDD" | Total TC<br />
! Average TPR<br />
! Average FPR<br />
! style="background:#DDDDDD" | Average Score<br />
|}<br />
<br />
==Code Repo and Build/Run Instructions ==<br />
<br />
See the '''Getting Started''' and '''Getting, Building, and Running the Benchmark''' sections on the Quick Start tab.<br />
<br />
==Licensing==<br />
<br />
The OWASP Benchmark is free to use under the [http://choosealicense.com/licenses/gpl-2.0/ GNU General Public License v2.0].<br />
<br />
== Mailing List ==<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp-benchmark-project OWASP Benchmark Mailing List]<br />
<br />
== Project Leaders ==<br />
<br />
[https://www.owasp.org/index.php/User:Wichers Dave Wichers] [mailto:dave.wichers@owasp.org @]<br />
<br />
== Project References ==<br />
* [https://www.mir-swamp.org/#packages/public Software Assurance Marketplace (SWAMP) - set of curated packages to test tools against]<br />
* [http://samate.nist.gov/Other_Test_Collections.html SAMATE List of Test Collections]<br />
<br />
== Related Projects ==<br />
<br />
* [http://samate.nist.gov/SARD/testsuite.php NSA's Juliet for Java]<br />
* [http://sectoolmarket.com/ The Web Application Vulnerability Scanner Evaluation Project (WAVSEP)]<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
<br />
All test code and project files can be downloaded from [https://github.com/OWASP/benchmark OWASP GitHub].<br />
<br />
== Project Intro Video ==<br />
<br />
[[File:BenchmarkPodcastTitlePage.jpg|200px|link=https://www.youtube.com/watch?v=HQP8dwc3jJA&index=5&list=PLGB2s-U5FSWOmEStMt3JqlMFJvRYqeVW5]]<br />
<br />
== News and Events ==<br />
* LOOKING FOR VOLUNTEERS!! - We are looking for individuals and organizations to join and make this a much more community driven project, including additional coleaders to help take this project to the next level. Contributors could work on things like new test cases, additional tool scorecard generators, adding support for languages beyond Java, and a host of other improvements. Please contact [mailto:dave.wichers@owasp.org me] if you are interested in contributing at any level.<br />
* June 5, 2016 - Benchmark Version 1.2 Released<br />
* Sep 24, 2015 - Benchmark introduced to broader OWASP community at [https://appsecusa2015.sched.org/event/3r9k/using-the-owasp-benchmark-to-assess-automated-vulnerability-analysis-tools AppSec USA]<br />
* Aug 27, 2015 - U.S. Dept. of Homeland Security (DHS) is financially supporting the Benchmark project.<br />
* Aug 15, 2015 - Benchmark Version 1.2beta Released with full DAST Support. Checkmarx and ZAP scorecard generators also released.<br />
* July 10, 2015 - Benchmark Scorecard generator and open source scorecards released<br />
* May 23, 2015 - Benchmark Version 1.1 Released<br />
* April 15, 2015 - Benchmark Version 1.0 Released<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [http://choosealicense.com/licenses/gpl-2.0/ GNU General Public License v2.0]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= Test Cases =<br />
<br />
Version 1.0 of the Benchmark was published on April 15, 2015 and had 20,983 test cases. On May 23, 2015, version 1.1 of the Benchmark was released. The 1.1 release improves on the previous version by making sure that there are both true positives and false positives in every vulnerability area. Version 1.2 was released on June 5, 2016 (and the 1.2beta August 15, 2015).<br />
<br />
Version 1.2 and forward of the Benchmark is a fully executable web application, which means it is scannable by any kind of vulnerability detection tool. The 1.2 has been limited to slightly less than 3,000 test cases, to make it easier for DAST tools to scan it (so it doesn't take so long and they don't run out of memory, or blow up the size of their database). The 1.2 release covers the same vulnerability areas that 1.1 covers. We added a few Spring database SQL Injection tests, but that's it. The bulk of the work was turning each test case into something that actually runs correctly AND is fully exploitable, and then generating a UI on top of it that works in order to turn the test cases into a real running application.<br />
<br />
You can still download Benchmark version 1.1 by cloning the release marked with the GIT tag '1.1'.<br />
<br />
The test case areas and quantities for the Benchmark releases are:<br />
<br />
{| class="wikitable nowraplinks"<br />
|-<br />
! Vulnerability Area<br />
! # of Tests in v1.1<br />
! # of Tests in v1.2<br />
! CWE Number<br />
|-<br />
| [[Command Injection]]<br />
| 2708<br />
| 251<br />
| [https://cwe.mitre.org/data/definitions/78.html 78]<br />
|-<br />
| Weak Cryptography<br />
| 1440<br />
| 246<br />
| [https://cwe.mitre.org/data/definitions/327.html 327]<br />
|-<br />
| Weak Hashing<br />
| 1421<br />
| 236<br />
| [https://cwe.mitre.org/data/definitions/328.html 328]<br />
|-<br />
| [[LDAP injection | LDAP Injection]]<br />
| 736<br />
| 59<br />
| [https://cwe.mitre.org/data/definitions/90.html 90]<br />
|-<br />
| [[Path Traversal]]<br />
| 2630<br />
| 268<br />
| [https://cwe.mitre.org/data/definitions/22.html 22]<br />
|-<br />
| Secure Cookie Flag<br />
| 416<br />
| 67<br />
| [https://cwe.mitre.org/data/definitions/614.html 614]<br />
|-<br />
| [[SQL Injection]]<br />
| 3529<br />
| 504<br />
| [https://cwe.mitre.org/data/definitions/89.html 89]<br />
|-<br />
| [[Trust Boundary Violation]]<br />
| 725<br />
| 126<br />
| [https://cwe.mitre.org/data/definitions/501.html 501]<br />
|-<br />
| Weak Randomness<br />
| 3640<br />
| 493<br />
| [https://cwe.mitre.org/data/definitions/330.html 330]<br />
|-<br />
| [[XPATH Injection]]<br />
| 347<br />
| 35<br />
| [https://cwe.mitre.org/data/definitions/643.html 643]<br />
|-<br />
| [[XSS]] (Cross-Site Scripting)<br />
| 3449<br />
| 455<br />
| [https://cwe.mitre.org/data/definitions/79.html 79]<br />
|-<br />
| Total Test Cases<br />
| 21,041<br />
| 2,740<br />
|}<br />
<br />
Each Benchmark version comes with a spreadsheet that lists every test case, the vulnerability category, the CWE number, and the expected result (true finding/false positive). Look for the file: expectedresults-VERSION#.csv in the project root directory.<br />
<br />
Every test case is:<br />
* a servlet or JSP (currently they are all servlets, but we plan to add JSPs)<br />
* either a true vulnerability or a false positive for a single issue<br />
<br />
The Benchmark is intended to help determine how well analysis tools correctly analyze a broad array of application and framework behavior, including:<br />
<br />
* HTTP request and response problems<br />
* Simple and complex data flow<br />
* Simple and complex control flow<br />
* Popular frameworks<br />
* Inversion of control<br />
* Reflection<br />
* Class loading<br />
* Annotations<br />
* Popular UI technologies (particularly JavaScript frameworks)<br />
<br />
Not all of these are yet tested by the Benchmark but future enhancements intend to provide more coverage of these issues.<br />
<br />
Additional future enhancements could cover:<br />
* All vulnerability types in the [[Top10 | OWASP Top 10]]<br />
* Does the tool find flaws in libraries?<br />
* Does the tool find flaws spanning custom code and libraries?<br />
* Does tool handle web services? REST, XML, GWT, etc…<br />
* Does tool work with different app servers? Java platforms?<br />
<br />
== Example Test Case ==<br />
<br />
Each test case is a simple Java EE servlet. BenchmarkTest00001 in version 1.0 of the Benchmark was an LDAP Injection test with the following metadata in the accompanying BenchmarkTest00001.xml file:<br />
<br />
<test-metadata><br />
<category>ldapi</category><br />
<test-number>00001</test-number><br />
<vulnerability>true</vulnerability><br />
<cwe>90</cwe><br />
</test-metadata><br />
<br />
BenchmarkTest00001.java in the OWASP Benchmark 1.0 simply reads in all the cookie values, looks for a cookie named "foo", and uses the value of this cookie when performing an LDAP query. Here's the code for BenchmarkTest00001.java:<br />
<br />
package org.owasp.benchmark.testcode;<br />
<br />
import java.io.IOException;<br />
<br />
import javax.servlet.ServletException;<br />
import javax.servlet.annotation.WebServlet;<br />
import javax.servlet.http.HttpServlet;<br />
import javax.servlet.http.HttpServletRequest;<br />
import javax.servlet.http.HttpServletResponse;<br />
<br />
@WebServlet("/BenchmarkTest00001")<br />
public class BenchmarkTest00001 extends HttpServlet {<br />
<br />
private static final long serialVersionUID = 1L;<br />
<br />
@Override<br />
public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {<br />
doPost(request, response);<br />
}<br />
<br />
@Override<br />
public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {<br />
// some code<br />
<br />
javax.servlet.http.Cookie[] cookies = request.getCookies();<br />
<br />
String param = null;<br />
boolean foundit = false;<br />
if (cookies != null) {<br />
for (javax.servlet.http.Cookie cookie : cookies) {<br />
if (cookie.getName().equals("foo")) {<br />
param = cookie.getValue();<br />
foundit = true;<br />
}<br />
}<br />
if (!foundit) {<br />
// no cookie found in collection<br />
param = "";<br />
}<br />
} else {<br />
// no cookies<br />
param = "";<br />
}<br />
<br />
try {<br />
javax.naming.directory.DirContext dc = org.owasp.benchmark.helpers.Utils.getDirContext();<br />
Object[] filterArgs = {"a","b"};<br />
dc.search("name", param, filterArgs, new javax.naming.directory.SearchControls());<br />
} catch (javax.naming.NamingException e) {<br />
throw new ServletException(e);<br />
}<br />
}<br />
}<br />
<br />
= Test Case Details =<br />
<br />
The following describes situations in the Benchmark that have come up for debate as to the validity/accuracy of the test cases in these scenarios. <br />
<br />
== Cookies as a Source of Attack for XSS ==<br />
<br />
Benchmark v1.1 and early versions of the 1.2beta included test cases that used cookies as a source of data that flowed into XSS vulnerabilities. The Benchmark treated these tests as False Positives because the Benchmark team figured that you'd have to use an XSS vulnerability in the first place to set the cookie value, and so it wasn't fair/reasonable to consider an XSS vulnerability whose data source was a cookie value as actually exploitable. However, we got feedback from some tool vendors, like Fortify, Burp, and Arachni, that they disagreed with this analysis and felt that, in fact, cookies were a valid source of attack against XSS vulnerabilities. Given that there are good arguments on both sides of this safe vs. unsafe question, we decided on Aug 25, 2015 to simply remove those test cases from the Benchmark. If, in the future, we decide who is right, we may add such test cases back in.<br />
<br />
== Headers as a Source of Attack for XSS ==<br />
<br />
Similarly, the Benchmark team believes that the names of headers aren't a valid source of XSS attack for the same reason we thought cookie values aren't a valid source. Because it would require an XSS vulnerability to be exploited in the first place to set them. In fact, we feel that this argument is much stronger for header names, than cookie values. Right now, the Benchmark doesn't include any header names as sources for XSS test cases, but we plan to add them, and mark them as false positive in the Benchmark.<br />
<br />
We do have header values as sources for some XSS test cases in the Benchmark and only 'referer' is treated as a valid XSS source (i.e., true positives) because other headers are not viable XSS sources. Other headers are, of course, valid sources for other attack vectors, like SQL injection or Command Injection.<br />
<br />
== False Positive Scenario: Static Values Passed to Unsafe (Weak) Sinks ==<br />
<br />
The Benchmark has MANY test cases where unsafe data flows in from the browser, but that data is replaced with static content as it goes through the propagators in the that specific test case. This static (safe) data then flows to the sink, which may be a weak/unsafe sink, like, for example, an unsafely constructed SQL statement. The Benchmark treats those test cases as false positives because there is absolutely no way for that weakness to be exploited. The NSA Juliet SAST benchmark treats such test cases exactly the same way, as false positives. We do recognize that there are weaknesses in those test cases, even though they aren't exploitable.<br />
<br />
Some SAST tool vendors feel it is appropriate to point out those weaknesses, and that's fine. However, if the tool points those weaknesses out, and does not distinguish them from truly exploitable vulnerabilities, then the Benchmark treats those findings as false positives. If the tool allows a user to differentiate these non-exploitable weaknesses from exploitable vulnerabilities, then the Benchmark scorecard generator can use that information to filter out these extra findings (along with any other similarly marked findings) so they don't count against that tool when calculating that tool's Benchmark score. In the real world, its important for analysts to be able to filter out such findings if they only have time to deal with the most critical, actually exploitable, vulnerabilities. If a tool doesn't make it easy for an analyst to distinguish the two situations, then they are providing a disservice to the analyst.<br />
<br />
This issue doesn't affect DAST tools. They only report what appears to be exploitable to them. So this has no affect on them.<br />
<br />
If you are a SAST tool vendor or user, and you believe the Benchmark scorecard generator is counting such findings against that tool, and there is a way to tell them apart, please let the project team know so the scorecard generator can be adjusted to not count those findings against the tool. The Benchmark project's goal is the generate the most fair and accurate results it can generate. If such an adjustment is made to how a scorecard is generated for that tool, we plan to document this was done for that tool, and explain how others could perform the same filtering within that tool in order to get the same focused set of results.<br />
<br />
== Dead Code ==<br />
<br />
Some SAST tools point out weaknesses in dead code because they might eventually end up being used, and serve as bad coding examples (think cut/paste of code). We think this is fine/appropriate. However, there is no dead code in the OWASP Benchmark (at least not intentionally). So dead code should not be causing any tool to report unnecessary false positives.<br />
<br />
= Tool Support/Results =<br />
<br />
The results for 5 free tools, PMD, FindBugs, FindBugs with the FindSecBugs plugin, SonarQube and OWASP ZAP are available here against version 1.2 of the Benchmark: https://rawgit.com/OWASP/Benchmark/master/scorecard/OWASP_Benchmark_Home.html. We've included multiple versions of FindSecBugs' and ZAP's results so you can see the improvements they are making finding vulnerabilities in Benchmark.<br />
<br />
We have Benchmark results for all the following tools, but haven't publicly released the results for any commercial tools. However, we included a 'Commercial Average' page, which includes a summary of results for 6 commercial SAST tools along with anonymous versions of each SAST tool's scorecard.<br />
<br />
The Benchmark can generate results for the following tools: <br />
<br />
'''Free Static Application Security Testing (SAST) Tools:'''<br />
<br />
* [https://pmd.github.io/ PMD] (which really has no security rules) - .xml results file<br />
* [http://findbugs.sourceforge.net/ Findbugs] - .xml results file (Note: The 'new' Findbugs is now at: https://spotbugs.github.io/)<br />
* FindBugs with the [http://find-sec-bugs.github.io/ FindSecurityBugs plugin] - .xml results file<br />
* [https://www.sonarqube.org/downloads/ SonarQube] - .xml results file<br />
<br />
Note: We looked into supporting [http://checkstyle.sourceforge.net/ Checkstyle] but it has no security rules, just like PMD. The [http://fb-contrib.sourceforge.net/ fb-contrib] FindBugs plugin doesn't have any security rules either. We did test [http://errorprone.info/ Error Prone], and found that it does report some use of [http://errorprone.info/bugpattern/InsecureCipherMode) insecure ciphers (CWE-327)], but that's it.<br />
<br />
'''Commercial SAST Tools:'''<br />
<br />
* [http://www.castsoftware.com/products/application-intelligence-platform CAST Application Intelligence Platform (AIP)] - .xml results file<br />
* [https://www.checkmarx.com/products/static-application-security-testing/ Checkmarx CxSAST] - .xml results file<br />
* [https://www.synopsys.com/content/dam/synopsys/sig-assets/datasheets/SAST-Coverity-datasheet.pdf Synopsys Static Analysis (Formerly Coverity Code Advisor) (On-Demand and stand-alone versions)] - .json results file (You can scan Benchmark w/Coverity for free. See: https://scan.coverity.com/)<br />
* [https://software.microfocus.com/en-us/products/static-code-analysis-sast/overview Micro Focus (Formally HPE) Fortify (On-Demand and stand-alone versions)] - .fpr results file<br />
* [https://www.ibm.com/us-en/marketplace/ibm-appscan-source IBM AppScan Source (Standalone and Cloud)] - .ozasmt or .xml results file<br />
* [https://juliasoft.com/solutions/julia-for-security/ Julia Analyzer] - .xml results file<br />
* [https://www.parasoft.com/products/jtest/ Parasoft Jtest] - .xml results file<br />
* [https://www.shiftleft.io/product/ ShiftLeft SAST] - .sl results file (Benchmark specific format. Ask vendor how to generate this)<br />
* [https://www.sourcemeter.com/features/ SourceMeter] - .txt results file of ALL results from VulnerabilityHunter<br />
* [https://www.defensecode.com/thunderscan.php Thunderscan SAST] - .xml results file<br />
* [http://www.veracode.com/products/binary-static-analysis-sast Veracode SAST] - .xml results file<br />
* [https://www.rigs-it.com/xanitizer/ XANITIZER] - xml results file ([https://www.rigs-it.com/wp-content/uploads/2018/03/howtosetupxanitizerforowaspbenchmarkproject.pdf Their white paper on how to setup Xanitizer to scan Benchmark.]) (Free trial available)<br />
<br />
We are looking for results for other commercial static analysis tools like: [http://www.grammatech.com/codesonar Grammatech CodeSonar], [http://www.klocwork.com/products-services/klocwork Klocwork], etc. If you have a license for any static analysis tool not already listed above and can run it on the Benchmark and send us the results file that would be very helpful. <br />
<br />
The free SAST tools come bundled with the Benchmark so you can run them yourselves. If you have a license for any commercial SAST tool, you can also run them against the Benchmark. Just put your results files in the /results folder of the project, and then run the BenchmarkScore script for your platform (.sh / .bat) and it will generate a scorecard in the /scorecard directory for all the tools you have results for that are currently supported.<br />
<br />
'''Free Dynamic Application Security Testing (DAST) Tools:'''<br />
<br />
Note: While we support scorecard generators for these Free and Commercial DAST tools, we haven't been able to get a full/clean run against the Benchmark from most of these tools. As such, some of these scorecard generators might still need some work to properly reflect their results. If you notice any problems, let us know.<br />
<br />
* [http://www.arachni-scanner.com/ Arachni] - .xml results file<br />
** To generate .xml, run: ./bin/arachni_reporter "Your_AFR_Results_Filename.afr" --reporter=xml:outfile=Benchmark1.2-Arachni.xml<br />
* [https://www.owasp.org/index.php/ZAP OWASP ZAP] - .xml results file. To generate a complete ZAP XML results file so you can generate a valid scorecard, make sure you:<br />
** Tools > Options > Alerts - And set the Max alert instances to like 500.<br />
** Then: Report > Generate XML Report...<br />
<br />
'''Commercial DAST Tools:'''<br />
<br />
* [https://www.acunetix.com/vulnerability-scanner/ Acunetix Web Vulnerability Scanner (WVS)] - .xml results file (Generated using [https://www.acunetix.com/resources/wvs7manual.pdf command line interface (see Chapter 10.)] /ExportXML switch)<br />
* [https://portswigger.net/burp/ Burp Pro] - .xml results file<br />
**You must use Burp Pro v1.6.30+ to scan the Benchmark due to a limitation fixed in v1.6.30.<br />
* [https://software.microfocus.com/en-us/products/webinspect-dynamic-analysis-dast/overview Micro Focus (Formally HPE) WebInspect] - .xml results file<br />
* [http://www-03.ibm.com/software/products/en/appscan This was IBM AppScan (but I believe IBM sold this product off. To whom?] - .xml results file<br />
* [https://www.netsparker.com/web-vulnerability-scanner/ Netsparker] - .xml results file<br />
* [https://www.rapid7.com/products/appspider/ Rapid7 AppSpider] - .xml results file<br />
<br />
* Qualys - We ran Qualys against v1.2 of the Benchmark and it found none of the vulnerabilities we test for as far as we could tell. So we haven't implemented a scorecard generator for it. If you get results where you think it does find some real issues, send us the results file and, if confirmed, we'll produce a scorecard generator for it.<br />
<br />
If you have access to other DAST Tools, PLEASE RUN THEM FOR US against the Benchmark, and send us the results file so we can build a scorecard generator for that tool.<br />
<br />
'''Commercial Interactive Application Security Testing (IAST) Tools:'''<br />
<br />
* [https://www.contrastsecurity.com/interactive-application-security-testing-iast Contrast Assess] - .zip results file (You can scan Benchmark w/Contrast for free. See: https://www.contrastsecurity.com/contrast-community-edition)<br />
* [https://hdivsecurity.com/interactive-application-security-testing-iast Hdiv Detection (IAST)] - .hlg results file<br />
* [https://www.synopsys.com/software-integrity/security-testing/interactive-application-security-testing.html Seeker IAST] - .csv results file<br />
<br />
'''Commercial Hybrid Analysis Application Security Testing Tools:'''<br />
<br />
* [http://www.iappsecure.com/products.html Fusion Lite Insight] - .xml results file<br />
<br />
<br />
'''WARNING: If you generate results for a commercial tool, be careful who you distribute it to. Each tool has its own license defining when any results it produces can be released/made public. It may be against the terms of a commercial tool's license to publicly release that tool's score against the OWASP Benchmark. The OWASP Benchmark project takes no responsibility if someone else releases such results.'''<br />
<br />
The project has automated test harnesses for these vulnerability detection tools, so we can repeatably run the tools against each version of the Benchmark and automatically produce scorecards in our desired format.<br />
<br />
We want to test as many tools as possible against the Benchmark. If you are:<br />
<br />
* A tool vendor and want to participate in the project<br />
* Someone who wants to help score a free tool against the project<br />
* Someone who has a license to a commercial tool and the terms of the license allow you to publish tool results, and you want to participate<br />
<br />
please let [mailto:dave.wichers@owasp.org me] know!<br />
<br />
= Quick Start =<br />
<br />
==What is in the Benchmark?==<br />
The Benchmark is a Java Maven project. Its primary component is thousands of test cases (e.g., BenchmarkTest00001.java) , each of which is a single Java servlet that contains a single vulnerability (either a true positive or false positive). The vulnerabilities span about a dozen different types currently and are expected to expand significantly in the future.<br />
<br />
An expectedresults.csv is published with each version of the Benchmark (e.g., expectedresults-1.1.csv) and it specifically lists the expected results for each test case. Here’s what the first two rows in this file looks like for version 1.1 of the Benchmark:<br />
<br />
# test name category real vulnerability CWE Benchmark version: 1.1 2015-05-22<br />
BenchmarkTest00001 crypto TRUE 327<br />
<br />
This simply means that the first test case is a crypto test case (use of weak cryptographic algorithms), this is a real vulnerability (as opposed to a false positive), and this issue maps to CWE 327. It also indicates this expected results file is for Benchmark version 1.1 (produced May 22, 2015). There is a row in this file for each of the tens of thousands of test cases in the Benchmark. Each time a new version of the Benchmark is published, a new corresponding results file is generated and each test case can be completely different from one version to the next.<br />
<br />
The Benchmark also comes with a bunch of different utilities, commands, and prepackaged open source security analysis tools, all of which can be executed through Maven goals, including:<br />
<br />
* Open source vulnerability detection tools to be run against the Benchmark<br />
* A scorecard generator, which computes a scorecard for each of the tools you have results files for.<br />
<br />
==What Can You Do With the Benchmark?==<br />
* Compile all the software in the Benchmark project (e.g., mvn compile)<br />
* Run a static vulnerability analysis tool (SAST) against the Benchmark test case code<br />
<br />
* Scan a running version of the Benchmark with a dynamic application security testing tool (DAST)<br />
** Instructions on how to run it are provided below<br />
<br />
* Generate scorecards for each of the tools you have results files for<br />
** See the Tool Support/Results page for the list of tools the Benchmark supports generating scorecards for<br />
<br />
==Getting Started==<br />
Before downloading or using the Benchmark make sure you have the following installed and configured properly:<br />
<br />
GIT: http://git-scm.com/ or https://github.com/<br />
Maven: https://maven.apache.org/ (Version: 3.2.3 or newer works.)<br />
Java: http://www.oracle.com/technetwork/java/javase/downloads/index.html (Java 7 or 8) (64-bit)<br />
<br />
==Getting, Building, and Running the Benchmark==<br />
<br />
To download and build everything:<br />
<br />
$ git clone https://github.com/OWASP/benchmark <br />
$ cd benchmark<br />
$ mvn compile (This compiles it)<br />
$ runBenchmark.sh/.bat - This compiles and runs it.<br />
<br />
Then navigate to: https://localhost:8443/benchmark/ to go to its home page. It uses a self signed SSL certificate, so you'll get a security warning when you hit the home page.<br />
<br />
Note: We have set the Benchmark app to use up to 6 Gig of RAM, which it may need when it is fully scanned by a DAST scanner. The DAST tool probably also requires 3+ Gig of RAM. As such, we recommend having a 16 Gig machine if you are going to try to run a full DAST scan. And at least 4 or ideally 8 Gig if you are going to play around with the running Benchmark app.<br />
<br />
== Using a VM instead ==<br />
We have several preconstructed VMs or instructions on how to build one that you can use instead:<br />
<br />
* Docker: A Dockerfile is checked into the project [https://github.com/OWASP/Benchmark/blob/master/VMs/Dockerfile here]. This Docker file should automatically produce a Docker VM with the latest Benchmark project files. After you have Docker installed, cd to /VMs then run: <br />
./buildDockerImage.sh --> This builds the Docker Benchmark VM (This will take a WHILE)<br />
docker images --> You should see the new benchmark:latest image in the list provided<br />
# The Benchmark Docker Image only has to be created once. <br />
<br />
To run the Benchmark in your Docker VM, just run:<br />
./runDockerImage.sh --> This pulls in any updates to Benchmark since the Image was built, builds everything, and starts a remotely accessible Benchmark web app.<br />
If successful, you should see this at the end:<br />
[INFO] [talledLocalContainer] Tomcat 8.x started on port [8443]<br />
[INFO] Press Ctrl-C to stop the container...<br />
Then simply navigate to: https://localhost:8443/benchmark from the machine you are running Docker<br />
<br />
Or if you want to access from a different machine:<br />
docker-machine ls (in a different terminal) --> To get IP Docker VM is exporting (e.g., tcp://192.168.99.100:2376)<br />
Navigate to: https://192.168.99.100:8443/benchmark in your browser (using the above IP as an example)<br />
<br />
* Amazon Web Services (AWS) - Here's how you set up the Benchmark on an AWS VM:<br />
sudo yum install git<br />
sudo yum install maven<br />
sudo yum install mvn<br />
sudo wget http://repos.fedorapeople.org/repos/dchen/apache-maven/epel-apache-maven.repo -O /etc/yum.repos.d/epel-apache-maven.repo<br />
sudo sed -i s/\$releasever/6/g /etc/yum.repos.d/epel-apache-maven.repo<br />
sudo yum install -y apache-maven<br />
git clone https://github.com/OWASP/benchmark<br />
cd benchmark<br />
chmod 755 *.sh<br />
./runBenchmark.sh -- to run it locally on the VM.<br />
./runRemoteAccessibleBenchmark.sh -- to run it so it can be accessed outside the VM (on port 8443).<br />
<br />
==Running Free Static Analysis Tools Against the Benchmark==<br />
There are scripts for running each of the free SAST vulnerability detection tools included with the Benchmark against the Benchmark test cases. On Linux, you might have to make them executable (e.g., chmod 755 *.sh) before you can run them.<br />
<br />
Generating Test Results for PMD:<br />
<br />
$ ./scripts/runPMD.sh (Linux) or .\scripts\runPMD.bat (Windows)<br />
<br />
Generating Test Results for FindBugs:<br />
<br />
$ ./scripts/runFindBugs.sh (Linux) or .\scripts\runFindBugs.bat (Windows)<br />
<br />
Generating Test Results for FindBugs with the FindSecBugs plugin:<br />
<br />
$ ./scripts/runFindSecBugs.sh (Linux) or .\scripts\runFindSecBugs.bat (Windows)<br />
<br />
In each case, the script will generate a results file and put it in the /results directory. For example: <br />
<br />
Benchmark_1.2-findbugs-v3.0.1-1026.xml<br />
<br />
This results file name is carefully constructed to mean the following: It's a results file against the OWASP Benchmark version 1.2, FindBugs was the analysis tool, it was version 3.0.1 of FindBugs, and it took 1026 seconds to run the analysis.<br />
<br />
NOTE: If you create a results file yourself, by running a commercial tool for example, you can add the version # and the compute time to the filename just like this and the Benchmark Scorecard generator will pick this information up and include it in the generated scorecard. If you don't, depending on what metadata is included in the tool results, the Scorecard generator might do this automatically anyway.<br />
<br />
==Generating Scorecards==<br />
The scorecard generation application BenchmarkScore is included with the Benchmark. It parses the output files generated by any of the supported security tools run against the Benchmark and compares them against the expected results, and produces a set of web pages that detail the accuracy and speed of the tools involved. For the list of currently supported tools, check out the: Tools Support/Results tab. If you are using a tool that is not yet supported, simply send us a results file from that tool and we'll write a parser for that tool and add it to the supported tools list.<br />
<br />
The following command will compute a Benchmark scorecard for all the results files in the '''/results''' directory. The generated scorecard is put into the '''/scorecard''' directory.<br />
<br />
createScorecard.sh (Linux) or createScorecard.bat (Windows)<br />
<br />
An example of a real scorecard for some open source tools is provided at the top of the Tool Support/Results tab so you can see what one looks like.<br />
<br />
We recommend including the Benchmark version number in any results file name, in order to help prevent mismatches between the expected results and the actual results files. A tool will not score well against the wrong expected results.<br />
<br />
===Customizing Your Scorecard Generation===<br />
<br />
The createScorecard scripts are very simple. They only have one line. Here's what the 1.2 version looks like:<br />
<br />
mvn validate -Pbenchmarkscore -Dexec.args="expectedresults-1.2.csv results"<br />
<br />
This Maven command simply says to run the BenchmarkScore application, passing in two parameters. The 1st is the Benchmark expected results file to compare the tool results against. And the 2nd is the name of the directory that contains all the results from tools run against that version of the Benchmark. If you have tool results older than the current version of the Benchmark, like 1.1 results for example, then you would do something like this instead:<br />
<br />
mvn validate -Pbenchmarkscore -Dexec.args="expectedresults-1.1.csv 1.1_results"<br />
<br />
To keep things organized, we actually put the expected results file inside the same results folder for that version of the Benchmark, so our command looks like this:<br />
<br />
mvn validate -Pbenchmarkscore -Dexec.args="1.1_results/expectedresults-1.1.csv 1.1_results"<br />
<br />
In all cases, the generated scorecard is put in the /scorecard folder.<br />
<br />
'''WARNING: If you generate results for a commercial tool, be careful who you distribute it to. Each tool has its own license defining when any results it produces can be released/made public. It is likely to be against the terms of a commercial tool's license to publicly release that tool's score against the OWASP Benchmark. The OWASP Benchmark project takes no responsibility if someone else releases such results.''' It is for just this reason that the Benchmark project isn't releasing such results itself.<br />
<br />
= Tool Scanning Tips =<br />
<br />
People frequently have difficulty scanning the Benchmark with various tools due to many reasons, including size of the Benchmark app and its codebase, and complexity of the tools used. Here is some guidance for some of the tools we have used to scan the Benchmark. If you've learned any tricks on how to get better or easier results for a particular tool against the Benchmark, let us know or update this page directly.<br />
<br />
== Generic Tips ==<br />
<br />
Because of the size of the Benchmark, you may need to give your tool more memory before it starts the scan. If its a Java based tool, you may want to pass more memory to it like this:<br />
<br />
-Xmx4G (This gives the Java application 4 Gig of memory)<br />
<br />
== SAST Tools ==<br />
<br />
=== Checkmarx ===<br />
<br />
The Checkmarx SAST Tool (CxSAST) is ready to scan the OWASP Benchmark out-of-the-box. <br />
Please notice that the OWASP Benchmark “hides” some vulnerabilities in dead code areas, for example:<br />
<syntaxhighlight lang="java"><br />
if (0>1)<br />
{<br />
//vulnerable code<br />
}</syntaxhighlight><br />
By default, CxSAST will find these vulnerabilities since Checkmarx believes that including dead code in the scan results is a SAST best practice. <br />
<br />
Checkmarx's experience shows that security experts expect to find these types of code vulnerabilities, and demand that their developers fix them. However, OWASP Benchmark considers the flagging of these vulnerabilities as False Positives, as a result lowering Checkmarx's overall score. <br />
<br />
Therefore, in order to receive an OWASP score untainted by dead code, re-configure CxSAST as follows:<br />
# Open the CxAudit client for editing Java queries.<br />
# Override the "Find_Dead_Code" query.<br />
# Add the commented text of the original query to the new override query.<br />
# Save the queries.<br />
<br />
=== FindBugs ===<br />
<br />
We include this free tool in the Benchmark and its all dialed in. Simply run the script: ./script/runFindBugs.(sh or bat). If you want to run a different version of FindBugs, just change its version number in the Benchmark pom.xml file.<br />
<br />
=== FindBugs with FindSecBugs ===<br />
<br />
[http://h3xstream.github.io/find-sec-bugs/ FindSecurityBugs] is a great plugin for FindBugs that significantly increases the ability for FindBugs to find security issues. We include this free tool in the Benchmark and its all dialed in. Simply run the script: ./script/runFindSecBugs.(sh or bat). If you want to run a different version of FindSecBugs, just change the version number of the findsecbugs-plugin artifact in the Benchmark pom.xml file.<br />
<br />
=== Micro Focus (Formally HP) Fortify ===<br />
<br />
If you are using the Audit Workbench, you can give it more memory and make sure you invoke it in 64-bit mode by doing this:<br />
<br />
set AWB_VM_OPTS="-Xmx2G -XX:MaxPermSize=256m"<br />
export AWB_VM_OPTS="-Xmx2G -XX:MaxPermSize=256m"<br />
auditworkbench -64<br />
<br />
We found it was easier to use the Maven support in Fortify to scan the Benchmark and to do it in 2 phases, translate, and then scan. We did something like this:<br />
<br />
Translate Phase:<br />
export JAVA_HOME=$(/usr/libexec/java_home)<br />
export PATH=$PATH:/Applications/HP_Fortify/HP_Fortify_SCA_and_Apps_17.10/bin<br />
export SCA_VM_OPTS="-Xmx2G -version 1.7"<br />
mvn sca:clean<br />
mvn sca:translate<br />
<br />
Scan Phase:<br />
export JAVA_HOME=$(/usr/libexec/java_home)<br />
export PATH=$PATH:/Applications/HP_Fortify/HP_Fortify_SCA_and_Apps_4.10/bin<br />
export SCA_VM_OPTS="-Xmx10G -version 1.7"<br />
mvn sca:scan<br />
<br />
=== PMD ===<br />
<br />
We include this free tool in the Benchmark and its all dialed in. Simply run the script: ./script/runPMD.(sh or bat). If you want to run a different version of PMD, just change its version number in the Benchmark pom.xml file. (NOTE: PMD doesn't find any security issues. We include it because its interesting to know that it doesn't.)<br />
<br />
=== SonarQube ===<br />
<br />
We include this free tool in the Benchmark and its mostly dialed in. But its a bit tricky because SonarQube requires two parts. There is a stand alone scanner for Java. And then there is a web application that accepts the results, and in turn can then produce the results file required by the Benchmark scorecard generator for SonarQube. Running the script runSonarQube.(sh or bat) will generate the results, but if the SonarQube Web Application isn't running where the runSonarQube script expects it to be, then the script will fail.<br />
<br />
If you want to run a different version of SonarQube, just change its version number in the Benchmark pom.xml file.<br />
<br />
=== Xanitizer ===<br />
<br />
The vendor has written their own guide to [http://www.rigs-it.net/opendownloads/whitepapers/HowToSetUpXanitizerForOWASPBenchmarkProject.pdf How to Set Up Xanitizer for OWASP Benchmark].<br />
<br />
== DAST Tools ==<br />
<br />
=== Burp Pro ===<br />
<br />
You must use Burp Pro v1.6.29 or greater to scan the Benchmark due to a previous limitation in Burp Pro related to ensuring the path attribute for cookies was honored. This issue was fixed in the v1.6.29 release.<br />
<br />
To scan, first spider the entire Benchmark, and then select the /Benchmark URL and actively scan that branch. You can skip all the .html pages and any other pages that Burp says have no parameters.<br />
<br />
NOTE: We have been unable to simply run Burp Pro against the entire Benchmark in one shot. In our experience, it eventually freezes/stops scanning. We've had to run it against each test area one at a time. If you figure out how to get Burp Pro to scan all of Benchmark in one shot, let us know how you did it!<br />
<br />
=== OWASP ZAP ===<br />
<br />
ZAP may require additional memory to be able to scan the Benchmark. To configure the amount of memory:<br />
* Tools --> Options --> JVM: Recommend setting to: -Xmx2048m (or larger). (Then restart ZAP).<br />
<br />
To run ZAP against Benchmark:<br />
# Because Benchmark uses Cookies and Headers as sources of attack for many test cases: Tools --> Options --> Active Scan Input Vectors: Then check the HTTP Headers, All Requests, and Cookie Data checkboxes and hit OK<br />
# Click on Show All Tabs button (if spider tab isn't visible)<br />
# Go to Spider tab (the black spider) and click on New Scan button<br />
# Enter: https://localhost:8443/benchmark/ into the 'Starting Point' box and hit 'Start Scan'<br />
#* Do this again. For some reason it takes 2 passes with the Spider before it stops finding more Benchmark endpoints.<br />
# When Spider completes, click on 'benchmark' folder in Site Map, right click and select: 'Attack --> Active Scan'<br />
#* It will take several hours, like 3+ to complete (it's actually likely to simply freeze before completing the scan - see NOTE: below)<br />
<br />
For faster active scan you can<br />
* Disable the ZAP DB log (in ZAP 2.5.0+):<br />
** Disable it via Options / Database / Recover Log<br />
** Set it on the command line using "-config database.recoverylog=false"<br />
* Disable unnecessary plugins / Technologies: When you launch the Active Scan<br />
** On the Policy tab, disable all plugins except: XSS (Reflected), Path Traversal, SQLi, OS Command Injection<br />
** Go the Technology Tab, disable everything and only enable: MySQL, YOUR_OS, Tomcat<br />
** Note: This 2nd performance improvement step is a bit like cheating as you wouldn't do this for a normal site scan. You'd want to leave all this on in case these other plugins/technologies are helpful in finding more issues. So a fair performance comparison of ZAP to other tools would leave all this on.<br />
<br />
To generate the ZAP XML results file so you can generate its scorecard:<br />
* Tools > Options > Alerts - And set the Max alert instances to like 500.<br />
* Then: Report > Generate XML Report...<br />
<br />
NOTE: Similar to Burp, we can't simply run ZAP against the entire Benchmark in one shot. In our experience, it eventually freezes/stops scanning. We've had to run it against each test area one at a time. If you figure out how to get ZAP to scan all of Benchmark in one shot, let us know how you did it!<br />
<br />
Things we tried that didn't improve the score:<br />
* AJAX Spider - the traditional spider appears to find all (or 99%) of the test cases so the AJAX Spider does not appear to be needed against Benchmark v1.2<br />
* XSS (Persistent) - There are 3 of these plugins that run by default. There aren't any stored XSS in Benchmark, so you can disable these plugins for a faster scan.<br />
* DOM XSS Plugin - This is an optional plugin that didn't seem to find any additional XSS issues. There aren't an DOM specific XSS issues in Benchmark v1.2, so not surprising.<br />
<br />
== IAST Tools ==<br />
<br />
Interactive Application Security Testing (IAST) tools work differently than scanners. IAST tools monitor an application as it runs to identify application vulnerabilities using context from inside the running application. Typically these tools run continuously, immediately notifying users of vulnerabilities, but you can also get a full report of an entire application. To do this, we simply run the Benchmark application with an IAST agent and use a crawler to hit all the pages.<br />
<br />
=== Contrast Assess ===<br />
<br />
To use Contrast Assess, we simply add the Java agent to the Benchmark environment and run the BenchmarkCrawler. The entire process should only take a few minutes. We provided a few scripts, which simply add the -javaagent:contrast.jar flag to the Benchmark launch configuration. We have tested on MacOS, Ubuntu, and Windows. Be sure your VM has at least 4M of memory.<br />
<br />
* Ensure your environment has Java, Maven, and git installed, then build the Benchmark project<br />
'''$ git clone https://github.com/OWASP/Benchmark.git'''<br />
'''$ cd Benchmark'''<br />
'''$ mvn compile'''<br />
<br />
* Download a licensed copy of the Contrast Assess Java Agent (contrast.jar) from your Contrast TeamServer account and put it in the /Benchmark/tools/Contrast directory.<br />
'''$ cp ~/Downloads/contrast.jar tools/Contrast'''<br />
<br />
* In Terminal 1, launch the Benchmark application and wait until it starts<br />
'''$ cd tools/Contrast <br />
'''$ ./runBenchmark_wContrast.sh''' (.bat on Windows)<br />
'''[INFO] Scanning for projects...<br />
'''[INFO] <br />
'''[INFO] ------------------------------------------------------------------------<br />
'''[INFO] Building OWASP Benchmark Project 1.2<br />
'''[INFO] ------------------------------------------------------------------------<br />
'''[INFO] <br />
'''...<br />
'''[INFO] [talledLocalContainer] Tomcat 8.x started on port [8443]'''<br />
'''[INFO] Press Ctrl-C to stop the container...'''<br />
<br />
* In Terminal 2, launch the crawler and wait a minute or two for the crawl to complete.<br />
'''$ ./runCrawler.sh''' (.bat on Windows)<br />
<br />
* A Contrast report has been generated in /Benchmark/tools/Contrast/working/contrast.log. This report will be automatically copied (and renamed with version number) to /Benchmark/results directory.<br />
'''$ more tools/Contrast/working/contrast.log'''<br />
'''2016-04-22 12:29:29,716 [main b] INFO - Contrast Runtime Engine<br />
'''2016-04-22 12:29:29,717 [main b] INFO - Copyright (C) 2012<br />
'''2016-04-22 12:29:29,717 [main b] INFO - Pat. 8,458,789 B2<br />
'''2016-04-22 12:29:29,717 [main b] INFO - Contrast Security, Inc.<br />
'''2016-04-22 12:29:29,717 [main b] INFO - All Rights Reserved<br />
'''2016-04-22 12:29:29,717 [main b] INFO - https://www.contrastsecurity.com/<br />
'''...'''<br />
<br />
* Press Ctrl-C to stop the Benchmark in Terminal 1. Note: on Windows, select "N" when asked Terminate batch job (Y/N))<br />
'''[INFO] [talledLocalContainer] Tomcat 8.x is stopped'''<br />
'''Copying Contrast report to results directory'''<br />
<br />
* In Terminal 2, generate scorecards in /Benchmark/scorecard<br />
'''$ ./createScorecards.sh''' (.bat on Windows)<br />
'''Analyzing results from Benchmark_1.2-Contrast.log<br />
'''Actual results file generated: /Users/owasp/Projects/Benchmark/scorecard/Benchmark_v1.2_Scorecard_for_Contrast.csv<br />
'''Report written to: /Users/owasp/Projects/Benchmark/scorecard/Benchmark_v1.2_Scorecard_for_Contrast.html<br />
<br />
* Open the Benchmark Scorecard in your browser<br />
'''/Users/owasp/Projects/Benchmark/scorecard/Benchmark_v1.2_Scorecard_for_Contrast.html'''<br />
<br />
=== Hdiv Detection ===<br />
<br />
Hdiv has written their own instructions on how to run the detection component of their product on the Benchmark here: https://hdivsecurity.com/docs/features/benchmark/#how-to-run-hdiv-in-owasp-benchmark-project. You'll see that these instructions involve using the same crawler used to exercise all the test cases in the Benchmark, just like Contrast above.<br />
<br />
= RoadMap =<br />
<br />
Benchmark v1.0 - Released April 15, 2015 - This initial release included over 20,000 test cases in 11 different vulnerability categories. As this initial version was not a runnable application, it was only suitable for assessing static analysis tools (SAST).<br />
<br />
Benchmark v1.1 - Released May 23, 2015 - This update fixed some inaccurate test cases, and made sure that every vulnerability area included both True Positives and False Positives.<br />
<br />
Benchmark Scorecard Generator - Released July 10, 2015 - The ability to automatically and repeatably produce a scorecard of how well tools do against the Benchmark was released for most of the SAST tools supported by the Benchmark. Scorecards present graphical as well as statistical data on how well a tool does against the Benchmark down to the level of detail of how exactly it did against each individual test in the Benchmark. [https://rawgit.com/OWASP/Benchmark/master/scorecard/OWASP_Benchmark_Home.html Here are the latest public scorecards]. Support for producing scorecards for additional tools is being added all the time and the current full set is documented on the '''Tool Support/Results''' and '''Quick Start''' tabs of this wiki.<br />
<br />
Benchmark v1.2beta - Released Aug 15, 2015 - The 1st release of a fully runnable version of the Benchmark to support assessing all types of vulnerability detection and prevention technologies, including DAST, IAST, RASP, WAFs, etc. This involved creating a user interface for every test case, and enhancing each test case to make sure its actually exploitable, not just uses something that is theoretically weak. This release is under 3,000 test cases to make it practical to scan the entire Benchmark with a DAST tool in a reasonable amount of time, with commodity hardware specs.<br />
<br />
Benchmark 1.2 - Released June 5, 2016 - Based on feedback from a number of DAST tool developers, and other vendors as well, we made the Benchmark more realistic in a number of ways to facilitate external DAST scanning, and also made the Benchmark more resilient against attack so it could properly survive various DAST vulnerability detection and exploit verification techniques.<br />
<br />
Plans for Benchmark 1.3:<br />
<br />
While we don't have hard and fast rules of exactly what we are going to do next, enhancements in the following areas are planned for the next release:<br />
<br />
* Add new vulnerability categories (e.g., XXE, Hibernate Injection)<br />
* Add support for popular server side Java frameworks (e.g., Spring)<br />
* Add web services test cases<br />
<br />
We are also starting to work on the ability to score WAFs/RASPs and other defensive technology against Benchmark.<br />
<br />
= FAQ =<br />
<br />
==1. How are the scores computed for the Benchmark?==<br />
<br />
Each test case has a single vulnerability of a specific type. Its either a real vulnerability (True Positive) or not (a False Positive). We document all the test cases for each version of the Benchmark in the expectedresults-VERSION#.csv file (e.g., expectedresults-1.1.csv). This file lists the test case name, the CWE type of the vulnerability, and whether it is a True Positive or not. The Benchmark supports scorecard generators for computing exactly how a tool did when analyzing a version of the Benchmark. The full list of supported tools is on the Tools Support/Results tab. For each tool there is a parser that can parse the native results format for that tool (usually XML). This parser simply, for each test case, looks to see if that tool reported a vulnerability of the type expected in the test case source code file (for SAST) or the test case URL (for DAST/IAST). If it did, and the test case was a True Positive, the tool gets credit for finding it. If it is a False Positive test, and the tool reports that type of finding, then its recorded as a False Positive. If the tool didn't report that type of vulnerability for a test case, then they get either a False Negative, or a True Negative as appropriate. After calculating all of the individual test case results, a scorecard is generated providing a chart and statistics for that tool across all the vulnerability categories, and pages are also created comparing different tools to each other in each vulnerability category (if multiple tools are being scored together).<br />
<br />
A detailed file explaining exactly how that tool did against each individual test case in that version of the Benchmark is produced as part of scorecard generation, and is available via the Actual Results link on each tool's scorecard page. (e.g., Benchmark_v1.1_Scorecard_for_FindBugs.csv).<br />
<br />
==2. What if the tool I'm using doesn't have a scorecard generator for it?==<br />
<br />
Send us the results file! We'll be happy to create a parser for that tool so its now supported.<br />
<br />
==3. What if a tool finds other unexpected vulnerabilities?==<br />
<br />
We are sure there are vulnerabilities we didn't intend to be there and we are eliminating them as we find them. If you find some, let us know and we'll fix them too. We are primarily focused on unintentional vulnerabilities in the categories of vulnerabilities the Benchmark currently supports, since that is what is actually measured.<br />
<br />
Right now, two types of vulnerabilities that get reported are ignored by the scorecard generator:<br />
# Vulnerabilities in categories not yet supported<br />
# Vulnerabilities of a type that is supported, but reported in test cases not of that type<br />
<br />
In the case of #2, false positives reported in unexpected areas are also ignored, which is primarily a DAST problem. Right now those false positives are completely ignored, but we are thinking about including them in the false positive score in some fashion. We just haven't decided how yet.<br />
<br />
==4. How should I configure my tool to scan the Benchmark?==<br />
<br />
All tools support various levels of configuration in order to improve their results. The Benchmark project, in general, is trying to '''compare out of the box capabilities of tools'''. However, if a few simple tweaks to a tool can be done to improve that tool's score, that's fine. We'd like to understand what those simple tweaks are, and document them here, so others can repeat those tests in exactly the same way. For example, just turn on the 'test cookies and headers' flag, which is off by default. Or turn on the 'advanced' scan, so it will work harder, find more vulnerabilities. Its simple things like this we are talking about, not an extensive effort to teach the tool about the app, or perform 'expert' configuration of the tool.<br />
<br />
So, if you know of some simple tweaks to improve a tool's results, let us know what they are and we'll document them here so everyone can benefit and make it easier to do apples to apples comparisons. And we'll link to that guidance once we start documenting it, but we don't have any such guidance right now.<br />
<br />
==5. I'm having difficulty scanning the Benchmark with a DAST tool. How can I get it to work?==<br />
<br />
We've run into 2 primary issues giving DAST tools problems.<br />
<br />
a) The Benchmark Generates Lots of Cookies<br />
<br />
The Burp team pointed out a cookies bug in the 1.2beta Benchmark. Each Weak Randomness test case generates its own cookie, 1 per test case. This caused the creation of so many cookies that servers would eventually start returning 400 errors because there were simply too many cookies being submitted in a request. This was fixed in the Aug 27, 2015 update to the Benchmark by setting the path attribute for each of these cookies to be the path to that individual test case. Now, only at most one of these cookies should be submitted with each request, eliminating this 'too many cookies' problem. However, if a DAST tool doesn't honor this path attribute, it may continue to send too many cookies, making the Benchmark unscannable for that tool. Burp Pro prior to 1.6.29 had this issue, but it was fixed in the 1.6.29 release.<br />
<br />
b) The Benchmark is a BIG Application<br />
<br />
Yes. It is, so you might have to give your scanner more memory than it normally uses by default in order to successfully scan the entire Benchmark. Please consult your tool vendor's documentation on how to give it more memory.<br />
<br />
Your machine itself might not have enough memory in the first place. For example, we were not able to successfully scan the 1.2beta with OWASP ZAP with only 8 Gig of RAM. So, you might need a more powerful machine or use a cloud provided machine to successfully scan the Benchmark with certain DAST tools. You may have similar problems with SAST tools against large versions of the Benchmark, like the 1.1 release.<br />
<br />
= Acknowledgements =<br />
<br />
The following people, organizations, and many others, have contributed to this project and their contributions are much appreciated!<br />
<br />
* Lots of Vendors - Many vendors have provided us with either trial licenses we can use, or they have run their tools themselves and either sent us results files, or written and contributed scorecard generators for their tool. Many have also provided valuable feedback so we can make the Benchmark more accurate and more realistic.<br />
* Juan Gama - Development of initial release and continued support<br />
* Ken Prole - Assistance with automated scorecard development using CodeDx<br />
* Nick Sanidas - Development of initial release<br />
* Denim Group - Contribution of scan results to facilitate scorecard development<br />
* Tasos Laskos - Significant feedback on the DAST version of the Benchmark<br />
* Ann Campbell - From SonarSource - for fixing our SonarQube results parser<br />
* Dhiraj Mishra - OWASP Member - contributed SQLi/XSS fuzz vectors as initial contribution towards adding support for WAF/RASP scoring<br />
<br />
[[File:CWE_Logo.jpeg|link=https://cwe.mitre.org/]] - The CWE project for providing a mapping mechanism to easily map test cases to issues found by vulnerability detection tools.<br />
<br />
We are looking for volunteers. Please contact [mailto:dave.wichers@owasp.org Dave Wichers] if you are interested in contributing new test cases, tool results run against the benchmark, or anything else.<br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project]]</div>Wichershttps://wiki.owasp.org/index.php?title=XML_External_Entity_(XXE)_Prevention_Cheat_Sheet&diff=245714XML External Entity (XXE) Prevention Cheat Sheet2018-12-03T17:21:30Z<p>Wichers: /* libxerces-c */</p>
<hr />
<div> __NOTOC__<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Cheatsheets-header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}''' <br />
<br /><br />
__TOC__{{TOC hidden}}<br />
= Introduction =<br />
<br />
''XML eXternal Entity injection'' (XXE), which is now part of the [[Top_10-2017_A4-XML_External_Entities_(XXE)| OWASP Top 10]], is a type of attack against an application that parses XML input. <br />
<br />
XXE issue is referenced under the ID [https://cwe.mitre.org/data/definitions/611.html 611] in the [https://cwe.mitre.org/index.html Common Weakness Enumeration] referential.<br />
<br />
This attack occurs when untrusted XML input containing a '''reference to an external entity is processed by a weakly configured XML parser'''. <br />
<br />
This attack may lead to the disclosure of confidential data, denial of service, [[Server Side Request Forgery]] (SSRF), port scanning from the perspective of the machine where the parser is located, and other system impacts. The following guide provides concise information to prevent this vulnerability. <br />
<br />
For more information on XXE, please visit [[XML External Entity (XXE) Processing]].<br />
<br />
==General Guidance==<br />
The safest way to prevent XXE is always to disable DTDs (External Entities) completely. Depending on the parser, the method should be similar to the following:<br />
<syntaxhighlight lang="java"><br />
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);<br />
</syntaxhighlight><br />
<br />
Disabling DTDs also makes the parser secure against denial of services (DOS) attacks such as Billion Laughs. If it is not possible to disable DTDs completely, then external entities and external document type declarations must be disabled in the way that’s specific to each parser.<br />
<br />
Detailed XXE Prevention guidance for a number of languages and commonly used XML parsers in those languages is provided below.<br />
<br />
==C/C++==<br />
<br />
===libxml2===<br />
<br />
The Enum [http://xmlsoft.org/html/libxml-parser.html#xmlParserOption xmlParserOption] should not have the following options defined:<br />
<br />
* <code>XML_PARSE_NOENT</code>: Expands entities and substitutes them with replacement text<br />
* <code>XML_PARSE_DTDLOAD</code>: Load the external DTD<br />
<br />
<br />
Note: <br />
<br />
Per: https://mail.gnome.org/archives/xml/2012-October/msg00045.html, starting with libxml2 version 2.9, XXE has been disabled by default as committed by the following patch: http://git.gnome.org/browse/libxml2/commit/?id=4629ee02ac649c27f9c0cf98ba017c6b5526070f.<br />
<br />
<br />
Search for the usage of the following APIs to ensure there is no <code>XML_PARSE_NOENT</code> and <code>XML_PARSE_DTDLOAD</code> defined in the parameters:<br />
* xmlCtxtReadDoc<br />
* xmlCtxtReadFd<br />
* xmlCtxtReadFile<br />
* xmlCtxtReadIO<br />
* xmlCtxtReadMemory<br />
* xmlCtxtUseOptions<br />
* xmlParseInNodeContext<br />
* xmlReadDoc<br />
* xmlReadFd<br />
* xmlReadFile<br />
* xmlReadIO<br />
* xmlReadMemory<br />
<br />
===libxerces-c===<br />
Use of XercesDOMParser do this to prevent XXE:<br />
<br />
<syntaxhighlight lang="c++"><br />
XercesDOMParser *parser = new XercesDOMParser;<br />
parser->setCreateEntityReferenceNodes(false);<br />
</syntaxhighlight><br />
<br />
Use of SAXParser, do this to prevent XXE:<br />
<br />
<syntaxhighlight lang="c++"><br />
SAXParser* parser = new SAXParser;<br />
parser->setDisableDefaultEntityResolution(true);<br />
</syntaxhighlight><br />
<br />
Use of SAX2XMLReader, do this to prevent XXE:<br />
<br />
<syntaxhighlight lang="c++"><br />
SAX2XMLReader* reader = XMLReaderFactory::createXMLReader();<br />
parser->setFeature(XMLUni::fgXercesDisableDefaultEntityResolution, true);<br />
</syntaxhighlight><br />
<br />
==Java==<br />
<br />
Java applications using XML libraries are particularly vulnerable to XXE because the default settings for most Java XML parsers is to have XXE enabled. To use these parsers safely, you have to explicitly disable XXE in the parser you use. The following describes how to disable XXE in the most commonly used XML parsers for Java.<br />
<br />
===JAXP DocumentBuilderFactory, SAXParserFactory and DOM4J===<br />
<br />
<code>DocumentBuilderFactory, SAXParserFactory</code> and <code>DOM4J XML</code> Parsers can be configured using the same techniques to protect them against XXE. <br />
<br />
Only the <code>DocumentBuilderFactory</code> example is presented here. The JAXP <code>DocumentBuilderFactory</code> [http://docs.oracle.com/javase/7/docs/api/javax/xml/parsers/DocumentBuilderFactory.html#setFeature(java.lang.String,%20boolean) setFeature] method allows a developer to control which implementation-specific XML processor features are enabled or disabled. <br />
<br />
The features can either be set on the factory or the underlying <code>XMLReader</code> [http://docs.oracle.com/javase/7/docs/api/org/xml/sax/XMLReader.html#setFeature%28java.lang.String,%20boolean%29 setFeature] method. <br />
<br />
Each XML processor implementation has its own features that govern how DTDs and external entities are processed.<br />
<br />
For a syntax highlighted example code snippet using <code>SAXParserFactory</code>, look [https://gist.github.com/asudhakar02/45e2e6fd8bcdfb4bc3b2 here].<br />
<br />
<syntaxhighlight lang="java"><br />
import javax.xml.parsers.DocumentBuilderFactory;<br />
import javax.xml.parsers.ParserConfigurationException; // catching unsupported features<br />
<br />
...<br />
<br />
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();<br />
String FEATURE = null;<br />
try {<br />
// This is the PRIMARY defense. If DTDs (doctypes) are disallowed, almost all XML entity attacks are prevented<br />
// Xerces 2 only - http://xerces.apache.org/xerces2-j/features.html#disallow-doctype-decl<br />
FEATURE = "http://apache.org/xml/features/disallow-doctype-decl";<br />
dbf.setFeature(FEATURE, true);<br />
<br />
// If you can't completely disable DTDs, then at least do the following:<br />
// Xerces 1 - http://xerces.apache.org/xerces-j/features.html#external-general-entities<br />
// Xerces 2 - http://xerces.apache.org/xerces2-j/features.html#external-general-entities<br />
// JDK7+ - http://xml.org/sax/features/external-general-entities <br />
FEATURE = "http://xml.org/sax/features/external-general-entities";<br />
dbf.setFeature(FEATURE, false);<br />
<br />
// Xerces 1 - http://xerces.apache.org/xerces-j/features.html#external-parameter-entities<br />
// Xerces 2 - http://xerces.apache.org/xerces2-j/features.html#external-parameter-entities<br />
// JDK7+ - http://xml.org/sax/features/external-parameter-entities <br />
FEATURE = "http://xml.org/sax/features/external-parameter-entities";<br />
dbf.setFeature(FEATURE, false);<br />
<br />
// Disable external DTDs as well<br />
FEATURE = "http://apache.org/xml/features/nonvalidating/load-external-dtd";<br />
dbf.setFeature(FEATURE, false);<br />
<br />
// and these as well, per Timothy Morgan's 2014 paper: "XML Schema, DTD, and Entity Attacks"<br />
dbf.setXIncludeAware(false);<br />
dbf.setExpandEntityReferences(false);<br />
<br />
// And, per Timothy Morgan: "If for some reason support for inline DOCTYPEs are a requirement, then <br />
// ensure the entity settings are disabled (as shown above) and beware that SSRF attacks<br />
// (http://cwe.mitre.org/data/definitions/918.html) and denial <br />
// of service attacks (such as billion laughs or decompression bombs via "jar:") are a risk."<br />
<br />
// remaining parser logic<br />
...<br />
} catch (ParserConfigurationException e) {<br />
// This should catch a failed setFeature feature<br />
logger.info("ParserConfigurationException was thrown. The feature '" + FEATURE + "' is probably not supported by your XML processor.");<br />
...<br />
} catch (SAXException e) {<br />
// On Apache, this should be thrown when disallowing DOCTYPE<br />
logger.warning("A DOCTYPE was passed into the XML document");<br />
...<br />
} catch (IOException e) {<br />
// XXE that points to a file that doesn't exist<br />
logger.error("IOException occurred, XXE may still possible: " + e.getMessage());<br />
...<br />
}<br />
<br />
// Load XML file or stream using a XXE agnostic configured parser...<br />
DocumentBuilder safebuilder = dbf.newDocumentBuilder();<br />
</syntaxhighlight><br />
<br />
[http://xerces.apache.org/xerces-j/ Xerces 1] [http://xerces.apache.org/xerces-j/features.html Features]:<br />
* Do not include external entities by setting [http://xerces.apache.org/xerces-j/features.html#external-general-entities this feature] to <code>false</code>.<br />
* Do not include parameter entities by setting [http://xerces.apache.org/xerces-j/features.html#external-parameter-entities this feature] to <code>false</code>.<br />
* Do not include external DTDs by setting [http://xerces.apache.org/xerces-j/features.html#load-external-dtd this feature] to <code>false</code>.<br />
<br />
[http://xerces.apache.org/xerces2-j/ Xerces 2] [http://xerces.apache.org/xerces2-j/features.html Features]:<br />
* Disallow an inline DTD by setting [http://xerces.apache.org/xerces2-j/features.html#disallow-doctype-decl this feature] to <code>true</code>.<br />
* Do not include external entities by setting [http://xerces.apache.org/xerces2-j/features.html#external-general-entities this feature] to <code>false</code>.<br />
* Do not include parameter entities by setting [http://xerces.apache.org/xerces2-j/features.html#external-parameter-entities this feature] to <code>false</code>.<br />
* Do not include external DTDs by setting [http://xerces.apache.org/xerces-j/features.html#load-external-dtd this feature] to <code>false</code>.<br />
<br />
'''Note: The above defenses require Java 7 update 67, Java 8 update 20, or above, because the above countermeasures for DocumentBuilderFactory and SAXParserFactory are broken in earlier Java versions, per: [http://www.cvedetails.com/cve/CVE-2014-6517/ CVE-2014-6517].'''<br />
<br />
===XMLInputFactory (a StAX parser)===<br />
<br />
[http://en.wikipedia.org/wiki/StAX StAX] parsers such as <code>[http://docs.oracle.com/javase/7/docs/api/javax/xml/stream/XMLInputFactory.html XMLInputFactory]</code> allow various properties and features to be set.<br />
<br />
To protect a Java <code>XMLInputFactory</code> from XXE, do this:<br />
<br />
<syntaxhighlight lang="java"><br />
xmlInputFactory.setProperty(XMLInputFactory.SUPPORT_DTD, false); // This disables DTDs entirely for that factory<br />
xmlInputFactory.setProperty("javax.xml.stream.isSupportingExternalEntities", false); // disable external entities<br />
</syntaxhighlight><br />
<br />
===TransformerFactory===<br />
To protect a <code>javax.xml.transform.TransformerFactory</code> from XXE, do this:<br />
<br />
<syntaxhighlight lang="java"><br />
TransformerFactory tf = TransformerFactory.newInstance();<br />
tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");<br />
tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");<br />
</syntaxhighlight><br />
<br />
===Validator===<br />
To protect a <code>javax.xml.validation.Validator</code> from XXE, do this:<br />
<br />
<syntaxhighlight lang="java"><br />
SchemaFactory factory = SchemaFactory.newInstance("http://www.w3.org/2001/XMLSchema");<br />
Schema schema = factory.newSchema();<br />
Validator validator = schema.newValidator();<br />
validator.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");<br />
validator.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");<br />
</syntaxhighlight><br />
<br />
===SchemaFactory===<br />
To protect a <code>javax.xml.validation.SchemaFactory</code> from XXE, do this:<br />
<br />
<syntaxhighlight lang="java"><br />
SchemaFactory factory = SchemaFactory.newInstance("http://www.w3.org/2001/XMLSchema");<br />
factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");<br />
factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");<br />
Schema schema = factory.newSchema(Source);<br />
</syntaxhighlight><br />
<br />
===SAXTransformerFactory===<br />
To protect a <code>javax.xml.transform.sax.SAXTransformerFactory</code> from XXE, do this:<br />
<br />
<syntaxhighlight lang="java"><br />
SAXTransformerFactory sf = SAXTransformerFactory.newInstance();<br />
sf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");<br />
sf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");<br />
sf.newXMLFilter(Source);<br />
</syntaxhighlight><br />
<br />
'''Note: Use of the following <code>XMLConstants</code> requires JAXP 1.5, which was added to Java in 7u40 and Java 8:'''<br />
* javax.xml.XMLConstants.ACCESS_EXTERNAL_DTD<br />
* javax.xml.XMLConstants.ACCESS_EXTERNAL_SCHEMA<br />
* javax.xml.XMLConstants.ACCESS_EXTERNAL_STYLESHEET<br />
<br />
===XMLReader===<br />
To protect a Java <code>org.xml.sax.XMLReader</code> from XXE, do this:<br />
<br />
<syntaxhighlight lang="java"><br />
XMLReader reader = XMLReaderFactory.createXMLReader();<br />
reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);<br />
reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false); // This may not be strictly required as DTDs shouldn't be allowed at all, per previous line.<br />
reader.setFeature("http://xml.org/sax/features/external-general-entities", false);<br />
reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);<br />
</syntaxhighlight><br />
<br />
===SAXReader===<br />
To protect a Java <code>org.dom4j.io.SAXReader</code> from XXE, do this:<br />
<br />
<syntaxhighlight lang="java"><br />
saxReader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);<br />
saxReader.setFeature("http://xml.org/sax/features/external-general-entities", false);<br />
saxReader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);<br />
</syntaxhighlight><br />
<br />
Based on testing, if you are missing one of these, you can still be vulnerable to an XXE attack.<br />
<br />
===SAXBuilder===<br />
To protect a Java <code>org.jdom2.input.SAXBuilder</code> from XXE, do this:<br />
<br />
<syntaxhighlight lang="java"><br />
SAXBuilder builder = new SAXBuilder();<br />
builder.setFeature("http://apache.org/xml/features/disallow-doctype-decl",true);<br />
builder.setFeature("http://xml.org/sax/features/external-general-entities", false);<br />
builder.setFeature("http://xml.org/sax/features/external-parameter-entities", false);<br />
Document doc = builder.build(new File(fileName));<br />
</syntaxhighlight><br />
<br />
===JAXB Unmarshaller===<br />
Since a <code>javax.xml.bind.Unmarshaller</code> parses XML and does not support any flags for disabling XXE, it’s imperative to parse the untrusted XML through a configurable secure parser first, generate a source object as a result, and pass the source object to the Unmarshaller. For example:<br />
<br />
<syntaxhighlight lang="java"><br />
//Disable XXE<br />
SAXParserFactory spf = SAXParserFactory.newInstance();<br />
spf.setFeature("http://xml.org/sax/features/external-general-entities", false);<br />
spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);<br />
spf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);<br />
<br />
//Do unmarshall operation<br />
Source xmlSource = new SAXSource(spf.newSAXParser().getXMLReader(), new InputSource(new StringReader(xml)));<br />
JAXBContext jc = JAXBContext.newInstance(Object.class);<br />
Unmarshaller um = jc.createUnmarshaller();<br />
um.unmarshal(xmlSource);<br />
</syntaxhighlight><br />
<br />
===XPathExpression===<br />
A <code>javax.xml.xpath.XPathExpression</code> is similar to an Unmarshaller where it can’t be configured securely by itself, so the untrusted data must be parsed through another securable XML parser first. <br />
<br />
For example:<br />
<br />
<syntaxhighlight lang="java"><br />
DocumentBuilderFactory df = DocumentBuilderFactory.newInstance(); <br />
df.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); <br />
df.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, ""); <br />
DocumentBuilder builder = df.newDocumentBuilder();<br />
String result = new XPathExpression().evaluate( builder.parse(new ByteArrayInputStream(xml.getBytes())) );<br />
</syntaxhighlight><br />
<br />
===java.beans.XMLDecoder===<br />
<br />
The [https://docs.oracle.com/javase/8/docs/api/java/beans/XMLDecoder.html#readObject-- readObject()] method in this class is fundamentally unsafe. <br />
<br />
Not only is the XML it parses subject to XXE, but the method can be used to construct any Java object, and [http://stackoverflow.com/questions/14307442/is-it-safe-to-use-xmldecoder-to-read-document-files execute arbitrary code as described here]. <br />
<br />
And there is no way to make use of this class safe except to trust or properly validate the input being passed into it. <br />
<br />
As such, we'd strongly recommend completely avoiding the use of this class and replacing it with a safe or properly configured XML parser as described elsewhere in this cheat sheet.<br />
<br />
===Other XML Parsers===<br />
There are many 3rd party libraries that parse XML either directly or through their use of other libraries. Please test and verify their XML parser is secure against XXE by default. If the parser is not secure by default, look for flags supported by the parser to disable all possible external resource inclusions like the examples given above. If there’s no control exposed to the outside, make sure the untrusted content is passed through a secure parser first and then passed to insecure 3rd party parser similar to how the Unmarshaller is secured.<br />
<br />
==== Spring Framework MVC/OXM XXE Vulnerabilities ====<br />
<br />
For example, some XXE vulnerabilities were found in [http://pivotal.io/security/cve-2013-4152 Spring OXM] and [http://pivotal.io/security/cve-2013-7315 Spring MVC]. The following versions of the Spring Framework are vulnerable to XXE:<br />
<br />
* 3.0.0 to 3.2.3 (Spring OXM & Spring MVC)<br />
* 4.0.0.M1 (Spring OXM)<br />
* 4.0.0.M1-4.0.0.M2 (Spring MVC)<br />
<br />
There were other issues as well that were fixed later, so to fully address these issues, Spring recommends you upgrade to Spring Framework 3.2.8+ or 4.0.2+.<br />
<br />
For Spring OXM, this is referring to the use of org.springframework.oxm.jaxb.Jaxb2Marshaller. Note that the CVE for Spring OXM specifically indicates that 2 XML parsing situations are up to the developer to get right, and 2 are the responsibility of Spring and were fixed to address this CVE. Here's what they say:<br />
<br />
'''Two situations developers must handle:'''<br />
For a DOMSource, the XML has already been parsed by user code and that code is responsible for protecting against XXE.<br />
For a StAXSource, the XMLStreamReader has already been created by user code and that code is responsible for protecting against XXE.<br />
<br />
'''The issue Spring fixed:'''<br />
<br />
For SAXSource and StreamSource instances, Spring processed external entities by default thereby creating this vulnerability.<br />
Here's an example of using a StreamSource that was vulnerable, but is now safe, if you are using a fixed version of Spring OXM or Spring MVC:<br />
<br />
org.springframework.oxm.Jaxb2Marshaller marshaller = new org.springframework.oxm.jaxb.Jaxb2Marshaller();<br />
marshaller.unmarshal(new StreamSource(new StringReader(some_string_containing_XML)); // Must cast return Object to whatever type you are unmarshalling<br />
<br />
So, per the [http://pivotal.io/security/cve-2013-4152 Spring OXM CVE writeup], the above is now safe. But if you were to use a DOMSource or StAXSource instead, it would be up to you to configure those sources to be safe from XXE.<br />
<br />
==.NET==<br />
<br />
The following information for XXE injection in .NET is directly from this web application of unit tests by Dean Fleming: https://github.com/deanf1/dotnet-security-unit-tests. <br />
<br />
This web application covers all currently supported .NET XML parsers, and has test cases for each demonstrating when they are safe from XXE injection and when they are not. <br />
<br />
Previously, this information was based on James Jardine's excellent .NET XXE article: https://www.jardinesoftware.net/2016/05/26/xxe-and-net/.<br />
<br />
<br />
It originally provided more recent and more detailed information than the older article from Microsoft on how to prevent XXE and XML Denial of Service in .NET: http://msdn.microsoft.com/en-us/magazine/ee335713.aspx, however, it has some inaccuracies that the web application covers.<br />
<br />
The following table lists all supported .NET XML parsers and their default safety levels:<br />
<br />
{| style="width: 25%; align:center; text-align:left; border: 2px solid #4d953d; background-color:#F2F2F2; padding=2;" <br />
|- style="background-color: #4d953d; color: #FFFFFF;"<br />
! XML Parser !! Safe by Default?<br />
|- style="background-color: #FFFFFF;" <br />
|'''LINQ to XML'''<br />
|Yes<br />
|- style="background-color: #FFFFFF;" <br />
|'''XmlDictionaryReader'''<br />
|Yes<br />
|- style="background-color: #FFFFFF;" <br />
|'''XmlDocument'''<br />
|<br />
|-<br />
|...prior to 4.5.2<br />
|No<br />
|-<br />
|...in versions 4.5.2 +<br />
|Yes<br />
|- style="background-color: #FFFFFF;" <br />
| '''XmlNodeReader'''<br />
| Yes<br />
|- style="background-color: #FFFFFF;" <br />
| '''XmlReader'''<br />
| Yes<br />
|- style="background-color: #FFFFFF;" <br />
| '''XmlTextReader'''<br />
| <br />
|-<br />
| ...prior to 4.5.2<br />
| No<br />
|-<br />
|...in versions 4.5.2 +<br />
|Yes<br />
|- style="background-color: #FFFFFF;" <br />
| '''XPathNavigator'''<br />
| <br />
|-<br />
|...prior to 4.5.2<br />
|No<br />
|-<br />
|...in versions 4.5.2 +<br />
|Yes<br />
|- style="background-color: #FFFFFF;" <br />
| '''XslCompiledTransform'''<br />
| Yes<br />
|}<br />
<br />
=== LINQ to XML ===<br />
Both the <code>XElement</code> and <code>XDocument</code> objects in the <code>System.Xml.Linq</code> library are safe from XXE injection by default. <code>XElement</code> parses only the elements within the XML file, so DTDs are ignored altogether. <code>XDocument</code> has DTDs [https://github.com/dotnet/docs/blob/master/docs/visual-basic/programming-guide/concepts/linq/linq-to-xml-security.md disabled by default], and is only unsafe if constructed with a different unsafe XML parser.<br />
<br />
=== XmlDictionaryReader ===<br />
<code>System.Xml.XmlDictionaryReader</code> is safe by default, as when it attempts to parse the DTD, the compiler throws an exception saying that "CData elements not valid at top level of an XML document". It becomes unsafe if constructed with a different unsafe XML parser.<br />
<br />
=== XmlDocument ===<br />
Prior to .NET Framework version 4.5.2, <code>System.Xml.XmlDocument</code> is '''unsafe''' by default. The <code>XmlDocument</code> object has an <code>XmlResolver</code> object within it that needs to be set to null in versions prior to 4.5.2. In versions 4.5.2 and up, this <code>XmlResolver</code> is set to null by default. <br />
<br />
The following example shows how it is made safe:<br />
<br />
<syntaxhighlight lang="c#"><br />
static void LoadXML()<br />
{<br />
string xml = "<?xml version=\"1.0\" ?><!DOCTYPE doc <br />
[<!ENTITY win SYSTEM \"file:///C:/Users/user/Documents/testdata2.txt\">]<br />
><doc>&win;</doc>";<br />
<br />
XmlDocument xmlDoc = new XmlDocument();<br />
xmlDoc.XmlResolver = null; // Setting this to NULL disables DTDs - Its NOT null by default.<br />
xmlDoc.LoadXml(xml);<br />
Console.WriteLine(xmlDoc.InnerText);<br />
Console.ReadLine();<br />
}<br />
</syntaxhighlight><br />
<br />
<code>XmlDocument</code> can become unsafe if you create your own nonnull <code>XmlResolver</code> with default or unsafe settings. If you need to enable DTD processing, instructions on how to do so safely are described in detail in the [http://msdn.microsoft.com/en-us/magazine/ee335713.aspx referenced MSDN article].<br />
<br />
=== XmlNodeReader ===<br />
<code>System.Xml.XmlNodeReader</code> objects are safe by default and will ignore DTDs even when constructed with an unsafe parser or wrapped in another unsafe parser.<br />
<br />
=== XmlReader ===<br />
<code>System.Xml.XmlReader</code> objects are safe by default. <br />
<br />
They are set by default to have their ProhibitDtd property set to false in .NET Framework versions 4.0 and earlier, or their <code>DtdProcessing</code> property set to Prohibit in .NET versions 4.0 and later. <br />
<br />
Additionally, in .NET versions 4.5.2 and later, the <code>XmlReaderSettings</code> belonging to the <code>XmlReader</code> has its <code>XmlResolver</code> set to null by default, which provides an additional layer of safety. <br />
<br />
Therefore, <code>XmlReader</code> objects will only become unsafe in version 4.5.2 and up if both the <code>DtdProcessing</code> property is set to Parse and the <code>XmlReaderSetting</code>'s <code>XmlResolver</code> is set to a nonnull XmlResolver with default or unsafe settings. If you need to enable DTD processing, instructions on how to do so safely are described in detail in the [http://msdn.microsoft.com/en-us/magazine/ee335713.aspx referenced MSDN article].<br />
<br />
=== XmlTextReader ===<br />
<code>System.Xml.XmlTextReader</code> is '''unsafe''' by default in .NET Framework versions prior to 4.5.2. Here is how to make it safe in various .NET versions:<br />
<br />
==== Prior to .NET 4.0 ====<br />
In .NET Framework versions prior to 4.0, DTD parsing behavior for <code>XmlReader</code> objects like <code>XmlTextReader</code> are controlled by the Boolean <code>ProhibitDtd</code> property found in the <code>System.Xml.XmlReaderSettings</code> and <code>System.Xml.XmlTextReader</code> classes. <br />
<br />
Set these values to true to disable inline DTDs completely.<br />
<br />
<syntaxhighlight lang="c#"><br />
XmlTextReader reader = new XmlTextReader(stream);<br />
reader.ProhibitDtd = true; // NEEDED because the default is FALSE!!<br />
</syntaxhighlight><br />
<br />
==== .NET 4.0 - .NET 4.5.2 ====<br />
<br />
In .NET Framework version 4.0, DTD parsing behavior has been changed. The <code>ProhibitDtd</code> property has been deprecated in favor of the new <code>DtdProcessing</code> property. <br />
<br />
However, they didn't change the default settings so <code>XmlTextReader</code> is still vulnerable to XXE by default. <br />
<br />
Setting <code>DtdProcessing</code> to <code>Prohibit</code> causes the runtime to throw an exception if a <code><!DOCTYPE></code> element is present in the XML. <br />
<br />
To set this value yourself, it looks like this:<br />
<br />
<syntaxhighlight lang="c#"><br />
XmlTextReader reader = new XmlTextReader(stream);<br />
reader.DtdProcessing = DtdProcessing.Prohibit; // NEEDED because the default is Parse!!<br />
</syntaxhighlight><br />
<br />
Alternatively, you can set the <code>DtdProcessing</code> property to <code>Ignore</code>, which will not throw an exception on encountering a <code><!DOCTYPE></code> element but will simply skip over it and not process it. Finally, you can set <code>DtdProcessing</code> to <code>Parse</code> if you do want to allow and process inline DTDs.<br />
<br />
==== .NET 4.5.2 and later ====<br />
<br />
In .NET Framework versions 4.5.2 and up, <code>XmlTextReader</code>'s internal <code>XmlResolver</code> is set to null by default, making the <code>XmlTextReader</code> ignore DTDs by default. The <code>XmlTextReader</code> can become unsafe if if you create your own nonnull <code>XmlResolver</code> with default or unsafe settings.<br />
<br />
=== XPathNavigator ===<br />
<br />
<code>System.Xml.XPath.XPathNavigator</code> is '''unsafe''' by default in .NET Framework versions prior to 4.5.2. <br />
<br />
This is due to the fact that it implements <code>IXPathNavigable</code> objects like <code>XmlDocument</code>, which are also unsafe by default in versions prior to 4.5.2. <br />
<br />
You can make <code>XPathNavigator</code> safe by giving it a safe parser like <code>XmlReader</code> (which is safe by default) in the <code>XPathDocument</code>'s constructor. <br />
<br />
Here is an example:<br />
<br />
<syntaxhighlight lang="c#"><br />
XmlReader reader = XmlReader.Create("example.xml");<br />
XPathDocument doc = new XPathDocument(reader);<br />
XPathNavigator nav = doc.CreateNavigator(); <br />
string xml = nav.InnerXml.ToString();<br />
</syntaxhighlight><br />
<br />
=== XslCompiledTransform ===<br />
<code>System.Xml.Xsl.XslCompiledTransform</code> (an XML transformer) is safe by default as long as the parser it’s given is safe. <br />
<br />
It is safe by default because the default parser of the <code>Transform()</code> methods is an <code>XmlReader</code>, which is safe by default (per above). <br />
<br />
[http://www.dotnetframework.org/default.aspx/4@0/4@0/DEVDIV_TFS/Dev10/Releases/RTMRel/ndp/fx/src/Xml/System/Xml/Xslt/XslCompiledTransform@cs/1305376/XslCompiledTransform@cs The source code for this method is here.] <br />
<br />
Some of the <code>Transform()</code> methods accept an <code>XmlReader</code> or <code>IXPathNavigable</code> (e.g., <code>XmlDocument</code>) as an input, and if you pass in an unsafe XML Parser then the <code>Transform</code> will also be unsafe.<br />
<br />
==iOS==<br />
<br />
===libxml2===<br />
<br />
iOS includes the C/C++ libxml2 library described above, so that guidance applies if you are using libxml2 directly. <br />
<br />
However, the version of libxml2 provided up through iOS6 is prior to version 2.9 of libxml2 (which protects against XXE by default).<br />
<br />
===NSXMLDocument===<br />
<br />
iOS also provides an <code>NSXMLDocument</code> type, which is built on top of libxml2. <br />
<br />
However, <code>NSXMLDocument</code> provides some additional protections against XXE that aren't available in libxml2 directly. <br />
<br />
Per the 'NSXMLDocument External Entity Restriction API' section of: http://developer.apple.com/library/ios/#releasenotes/Foundation/RN-Foundation-iOS/Foundation_iOS5.html:<br />
<br />
* iOS4 and earlier: All external entities are loaded by default.<br />
<br />
* iOS5 and later: Only entities that don't require network access are loaded. (which is safer)<br />
<br />
However, to completely disable XXE in an <code>NSXMLDocument</code> in any version of iOS you simply specify <code>NSXMLNodeLoadExternalEntitiesNever</code> when creating the <code>NSXMLDocument</code>.<br />
<br />
==PHP==<br />
<br />
Per [http://php.net/manual/en/function.libxml-disable-entity-loader.php the PHP documentation], the following should be set when using the default PHP XML parser in order to prevent XXE:<br />
<br />
<syntaxhighlight lang="php"><br />
libxml_disable_entity_loader(true);<br />
</syntaxhighlight><br />
<br />
A description of how to abuse this in PHP is presented in a good [https://www.sensepost.com/blog/2014/revisting-xxe-and-abusing-protocols/ SensePost article] describing a cool PHP based XXE vulnerability that was fixed in Facebook.<br />
<br />
==References==<br />
* [https://resources.infosecinstitute.com/identify-mitigate-xxe-vulnerabilities/ XXE by InfoSecInstitute]<br />
* [[Top_10-2017_A4-XML_External_Entities_(XXE)| OWASP Top 10-2017 A4: XML External Entities (XXE)]]<br />
* [https://vsecurity.com//download/papers/XMLDTDEntityAttacks.pdf Timothy Morgan's 2014 paper: "XML Schema, DTD, and Entity Attacks"]<br />
* [https://find-sec-bugs.github.io/bugs.htm#XXE_SAXPARSER FindSecBugs XXE Detection]<br />
* [https://github.com/ssexxe/XXEBugFind XXEbugFind Tool]<br />
* [[Testing for XML Injection (OTG-INPVAL-008)]]<br />
<br />
= Authors and Primary Editors =<br />
<br />
[[User:wichers|Dave Wichers]] - dave.wichers[at]owasp.org<br /><br />
[[User:Xiaoran_Wang|Xiaoran Wang]] - xiaoran[at]attacker-domain.com<br /><br />
James Jardine - james[at]jardinesoftware.com<br /><br />
Tony Hsu (Hsiang-Chih)<br /><br />
[[User:Dfleming|Dean Fleming]]<br />
<br />
= Other Cheatsheets =<br />
<br />
{{Cheatsheet_Navigation_Body}}<br />
[[Category:Cheatsheets]]<br />
|}</div>Wichershttps://wiki.owasp.org/index.php?title=Injection_Prevention_Cheat_Sheet_in_Java&diff=245543Injection Prevention Cheat Sheet in Java2018-11-26T17:41:39Z<p>Wichers: /* Log Injection */</p>
<hr />
<div> __NOTOC__<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Cheatsheets-header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}''' <br />
= Introduction =<br />
__TOC__{{TOC hidden}}<br />
<br />
This document has for objective to provide some tips to handle ''Injection'' into Java application code.<br />
<br />
Sample codes used in tips are located [https://github.com/righettod/injection-cheat-sheets here].<br />
<br />
= What is Injection ? =<br />
<br />
[[Top_10_2013-A1-Injection|Injection]] in OWASP Top 10 is defined as following:<br />
<br />
''Consider anyone who can send untrusted data to the system, including external users, internal users, and administrators.''<br />
<br />
= General advices to prevent Injection =<br />
<br />
The following point can be applied, in a general way, to prevent ''Injection'' issue:<br />
<br />
# Apply '''Input Validation''' (using whitelist approach) combined with '''Output Sanitizing+Escaping''' on user input/output.<br />
# If you need to interact with system, try to use API features provided by your technology stack (Java / .Net / PHP...) instead of building command.<br />
<br />
Additional advices are provided on this [[Input_Validation_Cheat_Sheet|cheatsheet]].<br />
<br />
= Specific Injection types =<br />
<br />
''Examples in this section will be provided in Java technology (see Maven project associated) but advices are applicable to others technologies like .Net / PHP / Ruby / Python...''<br />
<br />
== SQL ==<br />
<br />
=== Symptom ===<br />
<br />
Injection of this type occur when the application use untrusted user input to build a SQL query using a String and execute it.<br />
<br />
=== How to prevent ===<br />
<br />
Use ''Query Parameterization'' in order to prevent injection.<br />
<br />
=== Example ===<br />
<br />
<syntaxhighlight lang="java"><br />
/*No DB framework used here in order to show the real use of Prepared Statement from Java API*/<br />
/*Open connection with H2 database and use it*/<br />
Class.forName("org.h2.Driver");<br />
String jdbcUrl = "jdbc:h2:file:" + new File(".").getAbsolutePath() + "/target/db";<br />
try (Connection con = DriverManager.getConnection(jdbcUrl)) {<br />
<br />
/* Sample A: Select data using Prepared Statement*/<br />
String query = "select * from color where friendly_name = ?";<br />
List<String> colors = new ArrayList<>();<br />
try (PreparedStatement pStatement = con.prepareStatement(query)) {<br />
pStatement.setString(1, "yellow");<br />
try (ResultSet rSet = pStatement.executeQuery()) {<br />
while (rSet.next()) {<br />
colors.add(rSet.getString(1));<br />
}<br />
}<br />
}<br />
Assert.assertEquals(1, colors.size());<br />
Assert.assertTrue(colors.contains("yellow"));<br />
<br />
/* Sample B: Insert data using Prepared Statement*/<br />
query = "insert into color(friendly_name, red, green, blue) values(?, ?, ?, ?)";<br />
int insertedRecordCount;<br />
try (PreparedStatement pStatement = con.prepareStatement(query)) {<br />
pStatement.setString(1, "orange");<br />
pStatement.setInt(2, 239);<br />
pStatement.setInt(3, 125);<br />
pStatement.setInt(4, 11);<br />
insertedRecordCount = pStatement.executeUpdate();<br />
}<br />
Assert.assertEquals(1, insertedRecordCount);<br />
<br />
/* Sample C: Update data using Prepared Statement*/<br />
query = "update color set blue = ? where friendly_name = ?";<br />
int updatedRecordCount;<br />
try (PreparedStatement pStatement = con.prepareStatement(query)) {<br />
pStatement.setInt(1, 10);<br />
pStatement.setString(2, "orange");<br />
updatedRecordCount = pStatement.executeUpdate();<br />
}<br />
Assert.assertEquals(1, updatedRecordCount);<br />
<br />
/* Sample D: Delete data using Prepared Statement*/<br />
query = "delete from color where friendly_name = ?";<br />
int deletedRecordCount;<br />
try (PreparedStatement pStatement = con.prepareStatement(query)) {<br />
pStatement.setString(1, "orange");<br />
deletedRecordCount = pStatement.executeUpdate();<br />
}<br />
Assert.assertEquals(1, deletedRecordCount);<br />
<br />
}<br />
</syntaxhighlight><br />
<br />
=== References ===<br />
<br />
* [[SQL_Injection_Prevention_Cheat_Sheet|SQL Injection Prevention Cheat Sheet]]<br />
<br />
== JPA ==<br />
<br />
=== Symptom ===<br />
<br />
Injection of this type occur when the application use untrusted user input to build a JPA query using a String and execute it. It's quite similar to SQL injection but here the altered language is not SQL but JPA QL.<br />
<br />
=== How to prevent ===<br />
<br />
Use Java Persistence Query Language '''Query Parameterization''' in order to prevent injection.<br />
<br />
=== Example ===<br />
<br />
<syntaxhighlight lang="java"><br />
EntityManager entityManager = null;<br />
try {<br />
/* Get a ref on EntityManager to access DB */<br />
entityManager = Persistence.createEntityManagerFactory("testJPA").createEntityManager();<br />
<br />
/* Define parametrized query prototype using named parameter to enhance readability */<br />
String queryPrototype = "select c from Color c where c.friendlyName = :colorName";<br />
<br />
/* Create the query, set the named parameter and execute the query */<br />
Query queryObject = entityManager.createQuery(queryPrototype);<br />
Color c = (Color) queryObject.setParameter("colorName", "yellow").getSingleResult();<br />
<br />
/* Ensure that the object obtained is the right one */<br />
Assert.assertNotNull(c);<br />
Assert.assertEquals(c.getFriendlyName(), "yellow");<br />
Assert.assertEquals(c.getRed(), 213);<br />
Assert.assertEquals(c.getGreen(), 242);<br />
Assert.assertEquals(c.getBlue(), 26);<br />
} finally {<br />
if (entityManager != null && entityManager.isOpen()) {<br />
entityManager.close();<br />
}<br />
}<br />
</syntaxhighlight><br />
<br />
=== References ===<br />
<br />
* https://software-security.sans.org/developer-how-to/fix-sql-injection-in-java-persistence-api-jpa<br />
<br />
== Operating System ==<br />
<br />
=== Symptom ===<br />
<br />
Injection of this type occur when the application use untrusted user input to build a Operating System command using a String and execute it.<br />
<br />
=== How to prevent ===<br />
<br />
Use technology stack '''API''' in order to prevent injection.<br />
<br />
=== Example ===<br />
<br />
<syntaxhighlight lang="java"><br />
/* The context taken is, for example, to perform a PING against a computer.<br />
* The prevention is to use the feature provided by the Java API instead of building<br />
* a system command as String and execute it */<br />
InetAddress host = InetAddress.getByName("localhost");<br />
Assert.assertTrue(host.isReachable(5000));<br />
</syntaxhighlight><br />
<br />
=== References ===<br />
<br />
* [[Command_Injection|Command Injection]]<br />
<br />
== XML: External Entity attack ==<br />
<br />
=== Symptom ===<br />
<br />
Injection of this type occur when the application load the received XML stream using a XML parser instance in which the resolution of External Entity is not disabled.<br />
<br />
=== How to prevent ===<br />
<br />
Disable to resolution of the External Entity in the parser instance to prevent injection.<br />
<br />
=== Example ===<br />
<br />
<syntaxhighlight lang="java"><br />
/*Create a XML document builder factory*/<br />
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();<br />
<br />
/*Disable External Entity resolution for differents cases*/<br />
// This is the PRIMARY defense. If DTDs (doctypes) are disallowed,<br />
// almost all XML entity attacks are prevented<br />
// Xerces 2 only - http://xerces.apache.org/xerces2-j/features.html#disallow-doctype-decl<br />
String feature = "http://apache.org/xml/features/disallow-doctype-decl";<br />
dbf.setFeature(feature, true);<br />
<br />
// If you can't completely disable DTDs, then at least do the following:<br />
// Xerces 1 - http://xerces.apache.org/xerces-j/features.html#external-general-entities<br />
// Xerces 2 - http://xerces.apache.org/xerces2-j/features.html#external-general-entities<br />
// JDK7+ - http://xml.org/sax/features/external-general-entities<br />
feature = "http://xml.org/sax/features/external-general-entities";<br />
dbf.setFeature(feature, false);<br />
<br />
// Xerces 1 - http://xerces.apache.org/xerces-j/features.html#external-parameter-entities<br />
// Xerces 2 - http://xerces.apache.org/xerces2-j/features.html#external-parameter-entities<br />
// JDK7+ - http://xml.org/sax/features/external-parameter-entities<br />
feature = "http://xml.org/sax/features/external-parameter-entities";<br />
dbf.setFeature(feature, false);<br />
<br />
// feature external DTDs as well<br />
feature = "http://apache.org/xml/features/nonvalidating/load-external-dtd";<br />
dbf.setFeature(feature, false);<br />
<br />
// and these as well, per Timothy Morgan's 2014 paper: "XML Schema, DTD, and Entity Attacks"<br />
dbf.setXIncludeAware(false);<br />
dbf.setExpandEntityReferences(false);<br />
<br />
/*Load XML file*/<br />
DocumentBuilder builder = dbf.newDocumentBuilder();<br />
//Here an org.xml.sax.SAXParseException will be throws because the XML contains a External Entity.<br />
builder.parse(new File("src/test/resources/SampleXXE.xml"));<br />
</syntaxhighlight><br />
<br />
== XML: XPath Injection ==<br />
<br />
=== Symptom ===<br />
<br />
Injection of this type occur when the application use untrusted user input to build a XPath query using a String and execute it.<br />
<br />
=== How to prevent ===<br />
<br />
Use '''XPath Variable Resolver''' in order to prevent injection.<br />
<br />
=== Example ===<br />
<br />
'''Variable Resolver''' implementation.<br />
<br />
<syntaxhighlight lang="java"><br />
/**<br />
* Resolver in order to define parameter for XPATH expression.<br />
*<br />
*/<br />
public class SimpleVariableResolver implements XPathVariableResolver {<br />
<br />
private final Map<QName, Object> vars = new HashMap<QName, Object>();<br />
<br />
/**<br />
* External methods to add parameter<br />
*<br />
* @param name Parameter name<br />
* @param value Parameter value<br />
*/<br />
public void addVariable(QName name, Object value) {<br />
vars.put(name, value);<br />
}<br />
<br />
/**<br />
* {@inheritDoc}<br />
*<br />
* @see javax.xml.xpath.XPathVariableResolver#resolveVariable(javax.xml.namespace.QName)<br />
*/<br />
public Object resolveVariable(QName variableName) {<br />
return vars.get(variableName);<br />
}<br />
}<br />
</syntaxhighlight><br />
<br />
Code using it to perform XPath query.<br />
<br />
<syntaxhighlight lang="java"><br />
/*Create a XML document builder factory*/<br />
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();<br />
<br />
/*Disable External Entity resolution for differents cases*/<br />
//Do not performed here in order to focus on variable resolver code<br />
//but do it for production code !<br />
<br />
/*Load XML file*/<br />
DocumentBuilder builder = dbf.newDocumentBuilder();<br />
Document doc = builder.parse(new File("src/test/resources/SampleXPath.xml"));<br />
<br />
/* Create and configure parameter resolver */<br />
String bid = "bk102";<br />
SimpleVariableResolver variableResolver = new SimpleVariableResolver();<br />
variableResolver.addVariable(new QName("bookId"), bid);<br />
<br />
/*Create and configure XPATH expression*/<br />
XPath xpath = XPathFactory.newInstance().newXPath();<br />
xpath.setXPathVariableResolver(variableResolver);<br />
XPathExpression xPathExpression = xpath.compile("//book[@id=$bookId]");<br />
<br />
/* Apply expression on XML document */<br />
Object nodes = xPathExpression.evaluate(doc, XPathConstants.NODESET);<br />
NodeList nodesList = (NodeList) nodes;<br />
Assert.assertNotNull(nodesList);<br />
Assert.assertEquals(1, nodesList.getLength());<br />
Element book = (Element)nodesList.item(0);<br />
Assert.assertTrue(book.getTextContent().contains("Ralls, Kim"));<br />
</syntaxhighlight><br />
<br />
=== References ===<br />
<br />
* [[XPATH_Injection|XPATH Injection]]<br />
<br />
== HTML/JavaScript/CSS ==<br />
<br />
=== Symptom ===<br />
<br />
Injection of this type occur when the application use untrusted user input to build a HTTP response and sent it to browser.<br />
<br />
=== How to prevent ===<br />
<br />
Either apply strict input validation (whitelist approach) or use output sanitizing+escaping if input validation is not possible (combine both every time is possible).<br />
<br />
=== Example ===<br />
<br />
<syntaxhighlight lang="java"><br />
/*<br />
INPUT WAY: Receive data from user<br />
Here it's recommended to use strict input validation using whitelist approach.<br />
In fact, you ensure that only allowed characters are part of the input received.<br />
*/<br />
<br />
String userInput = "You user login is owasp-user01";<br />
<br />
/* First we check that the value contains only expected character*/<br />
Assert.assertTrue(Pattern.matches("[a-zA-Z0-9\\s\\-]{1,50}", userInput));<br />
<br />
/* If the first check pass then ensure that potential dangerous character that we have allowed<br />
for business requirement are not used in a dangerous way.<br />
For example here we have allowed the character '-', and, this can be used in SQL injection so, we<br />
ensure that this character is not used is a continuous form.<br />
Use the API COMMONS LANG v3 to help in String analysis...<br />
*/<br />
Assert.assertEquals(0, StringUtils.countMatches(userInput.replace(" ", ""), "--"));<br />
<br />
/*<br />
OUTPUT WAY: Send data to user<br />
Here we escape + sanitize any data sent to user<br />
Use the OWASP Java HTML Sanitizer API to handle sanitizing<br />
Use the OWASP Java Encoder API to handle HTML tag encoding (escaping)<br />
*/<br />
<br />
String outputToUser = "You <p>user login</p> is <strong>owasp-user01</strong>";<br />
outputToUser += "<script>alert(22);</script><img src='#' onload='javascript:alert(23);'>";<br />
<br />
/* Create a sanitizing policy that only allow tag '<p>' and '<strong>'*/<br />
PolicyFactory policy = new HtmlPolicyBuilder().allowElements("p", "strong").toFactory();<br />
<br />
/* Sanitize the output that will be sent to user*/<br />
String safeOutput = policy.sanitize(outputToUser);<br />
<br />
/* Encode HTML Tag*/<br />
safeOutput = Encode.forHtml(safeOutput);<br />
String finalSafeOutputExpected = "You &lt;p&gt;user login&lt;/p&gt; is &lt;strong&gt;owasp-user01&lt;/strong&gt;";<br />
Assert.assertEquals(finalSafeOutputExpected, safeOutput);<br />
</syntaxhighlight><br />
<br />
=== References ===<br />
<br />
* [[Cross-site_Scripting_(XSS)| XSS]]<br />
<br />
* https://github.com/owasp/java-html-sanitizer<br />
<br />
* https://github.com/owasp/owasp-java-encoder/<br />
<br />
* https://docs.oracle.com/javase/8/docs/api/java/util/regex/Pattern.html<br />
<br />
* https://commons.apache.org/proper/commons-lang/javadocs/api-3.4/org/apache/commons/lang3/StringEscapeUtils.html<br />
<br />
== LDAP ==<br />
<br />
A dedicated [[LDAP_Injection_Prevention_Cheat_Sheet|cheatsheet]] has been created.<br />
<br />
== NoSQL ==<br />
<br />
=== Symptom ===<br />
<br />
Injection of this type occur when the application use untrusted user input to build a NoSQL API call expression.<br />
<br />
=== How to prevent ===<br />
<br />
As there many NoSQL database system and each one use a API for call, it's important to ensure that user input received<br />
and used to build the API call expression do not contains any character that have a special meaning in the target API syntax.<br />
This in order to avoid that it will be used to escape the initial call expression in order to create another one based on crafted user input.<br />
It's also important to not use string concatenation to build API call expression but use the API to create the expression.<br />
<br />
=== Example - MongoDB ===<br />
<br />
<syntaxhighlight lang="java"><br />
/* Here use MongoDB as target NoSQL DB */<br />
String userInput = "Brooklyn";<br />
<br />
/* First ensure that the input do no contains any special characters for the current NoSQL DB call API,<br />
here they are: ' " \ ; { } $<br />
*/<br />
//Avoid regexp this time in order to made validation code more easy to read and understand...<br />
ArrayList<String> specialCharsList = new ArrayList<String>() {{<br />
add("'");<br />
add("\"");<br />
add("\\");<br />
add(";");<br />
add("{");<br />
add("}");<br />
add("$");<br />
}};<br />
specialCharsList.forEach(specChar -> Assert.assertFalse(userInput.contains(specChar)));<br />
//Add also a check on input max size<br />
Assert.assertTrue(userInput.length() <= 50);<br />
<br />
/* Then perform query on database using API to build expression */<br />
//Connect to the local MongoDB instance<br />
try(MongoClient mongoClient = new MongoClient()){<br />
MongoDatabase db = mongoClient.getDatabase("test");<br />
//Use API query builder to create call expression<br />
//Create expression<br />
Bson expression = eq("borough", userInput);<br />
//Perform call<br />
FindIterable<org.bson.Document> restaurants = db.getCollection("restaurants").find(expression);<br />
//Verify result consistency<br />
restaurants.forEach(new Block<org.bson.Document>() {<br />
@Override<br />
public void apply(final org.bson.Document doc) {<br />
String restBorough = (String)doc.get("borough");<br />
Assert.assertTrue("Brooklyn".equals(restBorough));<br />
}<br />
});<br />
}<br />
</syntaxhighlight><br />
<br />
=== References ===<br />
<br />
[[Testing_for_NoSQL_injection|Testing for NoSQL injection]]<br />
<br />
https://ckarande.gitbooks.io/owasp-nodegoat-tutorial/content/tutorial/a1_-_sql_and_nosql_injection.html<br />
<br />
https://arxiv.org/ftp/arxiv/papers/1506/1506.04082.pdf<br />
<br />
== Log Injection ==<br />
<br />
=== Symptom ===<br />
<br />
[[Log_Injection|Log Injection]] occurs when an application includes untrusted data in an application log message (e.g., an attacker can cause an additional log entry that looks like it came from a completely different user, if they can inject CRLF characters in the untrusted data). More information about this attack is available on the OWASP [[Log Injection]] page.<br />
<br />
=== How to prevent ===<br />
<br />
To prevent an attacker from writing malicious content into the application log, apply defenses such as:<br />
<br />
* Filter the user input used to prevent injection of '''C'''arriage '''R'''eturn (CR) or '''L'''ine '''F'''eed (LF) characters.<br />
* Limit the size of the user input value used to create the log message.<br />
* Make sure [[XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet|all XSS defenses]] are applied when viewing log files in a web browser.<br />
<br />
=== Example using Log4j2 ===<br />
<br />
Configuration of a logging policy to roll on 10 files of 5MB each, and encode/limit the log message using the [https://logging.apache.org/log4j/2.x/manual/layouts.html#PatternLayout|Log4j2 Pattern ''encode{}{CRLF}''], introduced in [https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-api Log4j2 v2.10.0], and the ''-500m'' message size limit.:<br />
<br />
<syntaxhighlight lang="xml" highlight="7"><br />
<?xml version="1.0" encoding="UTF-8"?><br />
<Configuration status="error" name="SecureLoggingPolicy"><br />
<Appenders><br />
<RollingFile name="RollingFile" fileName="App.log" filePattern="App-%i.log" ignoreExceptions="false"><br />
<PatternLayout><br />
<!-- Encode any CRLF chars in the message and limit its maximum size to 500 characters --><br />
<Pattern>%d{ISO8601} %-5p - %encode{%.-500m}{CRLF}%n</Pattern><br />
</PatternLayout><br />
<Policies><br />
<SizeBasedTriggeringPolicy size="5MB"/><br />
</Policies><br />
<DefaultRolloverStrategy max="10"/><br />
</RollingFile><br />
</Appenders><br />
<Loggers><br />
<Root level="debug"><br />
<AppenderRef ref="RollingFile"/><br />
</Root><br />
</Loggers><br />
</Configuration><br />
</syntaxhighlight><br />
<br />
Usage of the logger at code level:<br />
<br />
<syntaxhighlight lang="java"><br />
import org.apache.logging.log4j.LogManager;<br />
import org.apache.logging.log4j.Logger;<br />
...<br />
// No special action needed because security actions are performed at the logging policy level<br />
Logger logger = LogManager.getLogger(MyClass.class);<br />
logger.info(logMessage);<br />
...<br />
</syntaxhighlight><br />
<br />
=== Example using Logback with the OWASP Security Logging library ===<br />
<br />
Configuration of a logging policy to roll on 10 files of 5MB each, and encode/limit the log message using the [https://github.com/javabeanz/owasp-security-logging/wiki/Log-Forging CRLFConverter], provided by the [[OWASP Security Logging Project]], and the ''-500msg'' message size limit:<br />
<br />
<syntaxhighlight lang="xml" highlight="4,17"><br />
<?xml version="1.0" encoding="UTF-8"?><br />
<configuration><br />
<!-- Define the CRLFConverter --><br />
<conversionRule conversionWord="crlf" converterClass="org.owasp.security.logging.mask.CRLFConverter" /><br />
<appender name="RollingFile" class="ch.qos.logback.core.rolling.RollingFileAppender"><br />
<file>App.log</file><br />
<rollingPolicy class="ch.qos.logback.core.rolling.FixedWindowRollingPolicy"><br />
<fileNamePattern>App-%i.log</fileNamePattern><br />
<minIndex>1</minIndex><br />
<maxIndex>10</maxIndex><br />
</rollingPolicy><br />
<triggeringPolicy class="ch.qos.logback.core.rolling.SizeBasedTriggeringPolicy"><br />
<maxFileSize>5MB</maxFileSize><br />
</triggeringPolicy><br />
<encoder><br />
<!-- Encode any CRLF chars in the message and limit its maximum size to 500 characters --><br />
<pattern>%relative [%thread] %-5level %logger{35} - %crlf(%.-500msg) %n</pattern><br />
</encoder><br />
</appender><br />
<root level="debug"><br />
<appender-ref ref="RollingFile" /><br />
</root><br />
</configuration><br />
</syntaxhighlight><br />
<br />
You also have to add the [https://github.com/javabeanz/owasp-security-logging/wiki/Usage-with-Logback OWASP Security Logging] dependency to your project.<br />
<br />
Usage of the logger at code level:<br />
<br />
<syntaxhighlight lang="java"><br />
import org.slf4j.Logger;<br />
import org.slf4j.LoggerFactory;<br />
...<br />
// No special action needed because security actions are performed at the logging policy level<br />
Logger logger = LoggerFactory.getLogger(MyClass.class);<br />
logger.info(logMessage);<br />
...<br />
</syntaxhighlight><br />
<br />
=== References ===<br />
<br />
https://logging.apache.org/log4j/2.x/manual/layouts.html#PatternLayout (See the encode{}{CRLF} function)<br />
<pre><br />
Note that the default Log4j2 encode{} encoder is HTML, which does NOT prevent log injection. It prevents XSS attacks against viewing logs using a browser. OWASP recommends defending against XSS attacks in such situations in the log viewer application itself, not by preencoding all the log messages with HTML encoding as such log entries may be used/viewed in many other log viewing/analysis tools that don't expect the log data to be pre-HTML encoded.<br />
</pre><br />
<br />
https://logging.apache.org/log4j/2.x/manual/configuration.html<br />
<br />
https://logging.apache.org/log4j/2.x/manual/appenders.html<br />
<br />
https://github.com/javabeanz/owasp-security-logging/wiki/Log-Forging - See the Logback section about the CRLFConverter this library provides.<br />
<br />
https://github.com/javabeanz/owasp-security-logging/wiki/Usage-with-Logback<br />
<br />
= Authors and Primary Editors =<br />
<br />
[[User:Dominique_RIGHETTO|Dominique Righetto]] - dominique.righetto@owasp.org<br />
<br />
[[User:wichers|Dave Wichers]] - dave.wichers@owasp.org (For just the Log Injection section)<br />
<br />
= Other Cheatsheets = <br />
<br />
{{Cheatsheet_Navigation_Body}}<br />
<br />
|}<br />
<br />
[[Category:Cheatsheets]]</div>Wichershttps://wiki.owasp.org/index.php?title=Injection_Prevention_Cheat_Sheet_in_Java&diff=245535Injection Prevention Cheat Sheet in Java2018-11-26T16:41:28Z<p>Wichers: /* Authors and Primary Editors */</p>
<hr />
<div> __NOTOC__<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Cheatsheets-header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}''' <br />
= Introduction =<br />
__TOC__{{TOC hidden}}<br />
<br />
This document has for objective to provide some tips to handle ''Injection'' into Java application code.<br />
<br />
Sample codes used in tips are located [https://github.com/righettod/injection-cheat-sheets here].<br />
<br />
= What is Injection ? =<br />
<br />
[[Top_10_2013-A1-Injection|Injection]] in OWASP Top 10 is defined as following:<br />
<br />
''Consider anyone who can send untrusted data to the system, including external users, internal users, and administrators.''<br />
<br />
= General advices to prevent Injection =<br />
<br />
The following point can be applied, in a general way, to prevent ''Injection'' issue:<br />
<br />
# Apply '''Input Validation''' (using whitelist approach) combined with '''Output Sanitizing+Escaping''' on user input/output.<br />
# If you need to interact with system, try to use API features provided by your technology stack (Java / .Net / PHP...) instead of building command.<br />
<br />
Additional advices are provided on this [[Input_Validation_Cheat_Sheet|cheatsheet]].<br />
<br />
= Specific Injection types =<br />
<br />
''Examples in this section will be provided in Java technology (see Maven project associated) but advices are applicable to others technologies like .Net / PHP / Ruby / Python...''<br />
<br />
== SQL ==<br />
<br />
=== Symptom ===<br />
<br />
Injection of this type occur when the application use untrusted user input to build a SQL query using a String and execute it.<br />
<br />
=== How to prevent ===<br />
<br />
Use ''Query Parameterization'' in order to prevent injection.<br />
<br />
=== Example ===<br />
<br />
<syntaxhighlight lang="java"><br />
/*No DB framework used here in order to show the real use of Prepared Statement from Java API*/<br />
/*Open connection with H2 database and use it*/<br />
Class.forName("org.h2.Driver");<br />
String jdbcUrl = "jdbc:h2:file:" + new File(".").getAbsolutePath() + "/target/db";<br />
try (Connection con = DriverManager.getConnection(jdbcUrl)) {<br />
<br />
/* Sample A: Select data using Prepared Statement*/<br />
String query = "select * from color where friendly_name = ?";<br />
List<String> colors = new ArrayList<>();<br />
try (PreparedStatement pStatement = con.prepareStatement(query)) {<br />
pStatement.setString(1, "yellow");<br />
try (ResultSet rSet = pStatement.executeQuery()) {<br />
while (rSet.next()) {<br />
colors.add(rSet.getString(1));<br />
}<br />
}<br />
}<br />
Assert.assertEquals(1, colors.size());<br />
Assert.assertTrue(colors.contains("yellow"));<br />
<br />
/* Sample B: Insert data using Prepared Statement*/<br />
query = "insert into color(friendly_name, red, green, blue) values(?, ?, ?, ?)";<br />
int insertedRecordCount;<br />
try (PreparedStatement pStatement = con.prepareStatement(query)) {<br />
pStatement.setString(1, "orange");<br />
pStatement.setInt(2, 239);<br />
pStatement.setInt(3, 125);<br />
pStatement.setInt(4, 11);<br />
insertedRecordCount = pStatement.executeUpdate();<br />
}<br />
Assert.assertEquals(1, insertedRecordCount);<br />
<br />
/* Sample C: Update data using Prepared Statement*/<br />
query = "update color set blue = ? where friendly_name = ?";<br />
int updatedRecordCount;<br />
try (PreparedStatement pStatement = con.prepareStatement(query)) {<br />
pStatement.setInt(1, 10);<br />
pStatement.setString(2, "orange");<br />
updatedRecordCount = pStatement.executeUpdate();<br />
}<br />
Assert.assertEquals(1, updatedRecordCount);<br />
<br />
/* Sample D: Delete data using Prepared Statement*/<br />
query = "delete from color where friendly_name = ?";<br />
int deletedRecordCount;<br />
try (PreparedStatement pStatement = con.prepareStatement(query)) {<br />
pStatement.setString(1, "orange");<br />
deletedRecordCount = pStatement.executeUpdate();<br />
}<br />
Assert.assertEquals(1, deletedRecordCount);<br />
<br />
}<br />
</syntaxhighlight><br />
<br />
=== References ===<br />
<br />
* [[SQL_Injection_Prevention_Cheat_Sheet|SQL Injection Prevention Cheat Sheet]]<br />
<br />
== JPA ==<br />
<br />
=== Symptom ===<br />
<br />
Injection of this type occur when the application use untrusted user input to build a JPA query using a String and execute it. It's quite similar to SQL injection but here the altered language is not SQL but JPA QL.<br />
<br />
=== How to prevent ===<br />
<br />
Use Java Persistence Query Language '''Query Parameterization''' in order to prevent injection.<br />
<br />
=== Example ===<br />
<br />
<syntaxhighlight lang="java"><br />
EntityManager entityManager = null;<br />
try {<br />
/* Get a ref on EntityManager to access DB */<br />
entityManager = Persistence.createEntityManagerFactory("testJPA").createEntityManager();<br />
<br />
/* Define parametrized query prototype using named parameter to enhance readability */<br />
String queryPrototype = "select c from Color c where c.friendlyName = :colorName";<br />
<br />
/* Create the query, set the named parameter and execute the query */<br />
Query queryObject = entityManager.createQuery(queryPrototype);<br />
Color c = (Color) queryObject.setParameter("colorName", "yellow").getSingleResult();<br />
<br />
/* Ensure that the object obtained is the right one */<br />
Assert.assertNotNull(c);<br />
Assert.assertEquals(c.getFriendlyName(), "yellow");<br />
Assert.assertEquals(c.getRed(), 213);<br />
Assert.assertEquals(c.getGreen(), 242);<br />
Assert.assertEquals(c.getBlue(), 26);<br />
} finally {<br />
if (entityManager != null && entityManager.isOpen()) {<br />
entityManager.close();<br />
}<br />
}<br />
</syntaxhighlight><br />
<br />
=== References ===<br />
<br />
* https://software-security.sans.org/developer-how-to/fix-sql-injection-in-java-persistence-api-jpa<br />
<br />
== Operating System ==<br />
<br />
=== Symptom ===<br />
<br />
Injection of this type occur when the application use untrusted user input to build a Operating System command using a String and execute it.<br />
<br />
=== How to prevent ===<br />
<br />
Use technology stack '''API''' in order to prevent injection.<br />
<br />
=== Example ===<br />
<br />
<syntaxhighlight lang="java"><br />
/* The context taken is, for example, to perform a PING against a computer.<br />
* The prevention is to use the feature provided by the Java API instead of building<br />
* a system command as String and execute it */<br />
InetAddress host = InetAddress.getByName("localhost");<br />
Assert.assertTrue(host.isReachable(5000));<br />
</syntaxhighlight><br />
<br />
=== References ===<br />
<br />
* [[Command_Injection|Command Injection]]<br />
<br />
== XML: External Entity attack ==<br />
<br />
=== Symptom ===<br />
<br />
Injection of this type occur when the application load the received XML stream using a XML parser instance in which the resolution of External Entity is not disabled.<br />
<br />
=== How to prevent ===<br />
<br />
Disable to resolution of the External Entity in the parser instance to prevent injection.<br />
<br />
=== Example ===<br />
<br />
<syntaxhighlight lang="java"><br />
/*Create a XML document builder factory*/<br />
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();<br />
<br />
/*Disable External Entity resolution for differents cases*/<br />
// This is the PRIMARY defense. If DTDs (doctypes) are disallowed,<br />
// almost all XML entity attacks are prevented<br />
// Xerces 2 only - http://xerces.apache.org/xerces2-j/features.html#disallow-doctype-decl<br />
String feature = "http://apache.org/xml/features/disallow-doctype-decl";<br />
dbf.setFeature(feature, true);<br />
<br />
// If you can't completely disable DTDs, then at least do the following:<br />
// Xerces 1 - http://xerces.apache.org/xerces-j/features.html#external-general-entities<br />
// Xerces 2 - http://xerces.apache.org/xerces2-j/features.html#external-general-entities<br />
// JDK7+ - http://xml.org/sax/features/external-general-entities<br />
feature = "http://xml.org/sax/features/external-general-entities";<br />
dbf.setFeature(feature, false);<br />
<br />
// Xerces 1 - http://xerces.apache.org/xerces-j/features.html#external-parameter-entities<br />
// Xerces 2 - http://xerces.apache.org/xerces2-j/features.html#external-parameter-entities<br />
// JDK7+ - http://xml.org/sax/features/external-parameter-entities<br />
feature = "http://xml.org/sax/features/external-parameter-entities";<br />
dbf.setFeature(feature, false);<br />
<br />
// feature external DTDs as well<br />
feature = "http://apache.org/xml/features/nonvalidating/load-external-dtd";<br />
dbf.setFeature(feature, false);<br />
<br />
// and these as well, per Timothy Morgan's 2014 paper: "XML Schema, DTD, and Entity Attacks"<br />
dbf.setXIncludeAware(false);<br />
dbf.setExpandEntityReferences(false);<br />
<br />
/*Load XML file*/<br />
DocumentBuilder builder = dbf.newDocumentBuilder();<br />
//Here an org.xml.sax.SAXParseException will be throws because the XML contains a External Entity.<br />
builder.parse(new File("src/test/resources/SampleXXE.xml"));<br />
</syntaxhighlight><br />
<br />
== XML: XPath Injection ==<br />
<br />
=== Symptom ===<br />
<br />
Injection of this type occur when the application use untrusted user input to build a XPath query using a String and execute it.<br />
<br />
=== How to prevent ===<br />
<br />
Use '''XPath Variable Resolver''' in order to prevent injection.<br />
<br />
=== Example ===<br />
<br />
'''Variable Resolver''' implementation.<br />
<br />
<syntaxhighlight lang="java"><br />
/**<br />
* Resolver in order to define parameter for XPATH expression.<br />
*<br />
*/<br />
public class SimpleVariableResolver implements XPathVariableResolver {<br />
<br />
private final Map<QName, Object> vars = new HashMap<QName, Object>();<br />
<br />
/**<br />
* External methods to add parameter<br />
*<br />
* @param name Parameter name<br />
* @param value Parameter value<br />
*/<br />
public void addVariable(QName name, Object value) {<br />
vars.put(name, value);<br />
}<br />
<br />
/**<br />
* {@inheritDoc}<br />
*<br />
* @see javax.xml.xpath.XPathVariableResolver#resolveVariable(javax.xml.namespace.QName)<br />
*/<br />
public Object resolveVariable(QName variableName) {<br />
return vars.get(variableName);<br />
}<br />
}<br />
</syntaxhighlight><br />
<br />
Code using it to perform XPath query.<br />
<br />
<syntaxhighlight lang="java"><br />
/*Create a XML document builder factory*/<br />
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();<br />
<br />
/*Disable External Entity resolution for differents cases*/<br />
//Do not performed here in order to focus on variable resolver code<br />
//but do it for production code !<br />
<br />
/*Load XML file*/<br />
DocumentBuilder builder = dbf.newDocumentBuilder();<br />
Document doc = builder.parse(new File("src/test/resources/SampleXPath.xml"));<br />
<br />
/* Create and configure parameter resolver */<br />
String bid = "bk102";<br />
SimpleVariableResolver variableResolver = new SimpleVariableResolver();<br />
variableResolver.addVariable(new QName("bookId"), bid);<br />
<br />
/*Create and configure XPATH expression*/<br />
XPath xpath = XPathFactory.newInstance().newXPath();<br />
xpath.setXPathVariableResolver(variableResolver);<br />
XPathExpression xPathExpression = xpath.compile("//book[@id=$bookId]");<br />
<br />
/* Apply expression on XML document */<br />
Object nodes = xPathExpression.evaluate(doc, XPathConstants.NODESET);<br />
NodeList nodesList = (NodeList) nodes;<br />
Assert.assertNotNull(nodesList);<br />
Assert.assertEquals(1, nodesList.getLength());<br />
Element book = (Element)nodesList.item(0);<br />
Assert.assertTrue(book.getTextContent().contains("Ralls, Kim"));<br />
</syntaxhighlight><br />
<br />
=== References ===<br />
<br />
* [[XPATH_Injection|XPATH Injection]]<br />
<br />
== HTML/JavaScript/CSS ==<br />
<br />
=== Symptom ===<br />
<br />
Injection of this type occur when the application use untrusted user input to build a HTTP response and sent it to browser.<br />
<br />
=== How to prevent ===<br />
<br />
Either apply strict input validation (whitelist approach) or use output sanitizing+escaping if input validation is not possible (combine both every time is possible).<br />
<br />
=== Example ===<br />
<br />
<syntaxhighlight lang="java"><br />
/*<br />
INPUT WAY: Receive data from user<br />
Here it's recommended to use strict input validation using whitelist approach.<br />
In fact, you ensure that only allowed characters are part of the input received.<br />
*/<br />
<br />
String userInput = "You user login is owasp-user01";<br />
<br />
/* First we check that the value contains only expected character*/<br />
Assert.assertTrue(Pattern.matches("[a-zA-Z0-9\\s\\-]{1,50}", userInput));<br />
<br />
/* If the first check pass then ensure that potential dangerous character that we have allowed<br />
for business requirement are not used in a dangerous way.<br />
For example here we have allowed the character '-', and, this can be used in SQL injection so, we<br />
ensure that this character is not used is a continuous form.<br />
Use the API COMMONS LANG v3 to help in String analysis...<br />
*/<br />
Assert.assertEquals(0, StringUtils.countMatches(userInput.replace(" ", ""), "--"));<br />
<br />
/*<br />
OUTPUT WAY: Send data to user<br />
Here we escape + sanitize any data sent to user<br />
Use the OWASP Java HTML Sanitizer API to handle sanitizing<br />
Use the OWASP Java Encoder API to handle HTML tag encoding (escaping)<br />
*/<br />
<br />
String outputToUser = "You <p>user login</p> is <strong>owasp-user01</strong>";<br />
outputToUser += "<script>alert(22);</script><img src='#' onload='javascript:alert(23);'>";<br />
<br />
/* Create a sanitizing policy that only allow tag '<p>' and '<strong>'*/<br />
PolicyFactory policy = new HtmlPolicyBuilder().allowElements("p", "strong").toFactory();<br />
<br />
/* Sanitize the output that will be sent to user*/<br />
String safeOutput = policy.sanitize(outputToUser);<br />
<br />
/* Encode HTML Tag*/<br />
safeOutput = Encode.forHtml(safeOutput);<br />
String finalSafeOutputExpected = "You &lt;p&gt;user login&lt;/p&gt; is &lt;strong&gt;owasp-user01&lt;/strong&gt;";<br />
Assert.assertEquals(finalSafeOutputExpected, safeOutput);<br />
</syntaxhighlight><br />
<br />
=== References ===<br />
<br />
* [[Cross-site_Scripting_(XSS)| XSS]]<br />
<br />
* https://github.com/owasp/java-html-sanitizer<br />
<br />
* https://github.com/owasp/owasp-java-encoder/<br />
<br />
* https://docs.oracle.com/javase/8/docs/api/java/util/regex/Pattern.html<br />
<br />
* https://commons.apache.org/proper/commons-lang/javadocs/api-3.4/org/apache/commons/lang3/StringEscapeUtils.html<br />
<br />
== LDAP ==<br />
<br />
A dedicated [[LDAP_Injection_Prevention_Cheat_Sheet|cheatsheet]] has been created.<br />
<br />
== NoSQL ==<br />
<br />
=== Symptom ===<br />
<br />
Injection of this type occur when the application use untrusted user input to build a NoSQL API call expression.<br />
<br />
=== How to prevent ===<br />
<br />
As there many NoSQL database system and each one use a API for call, it's important to ensure that user input received<br />
and used to build the API call expression do not contains any character that have a special meaning in the target API syntax.<br />
This in order to avoid that it will be used to escape the initial call expression in order to create another one based on crafted user input.<br />
It's also important to not use string concatenation to build API call expression but use the API to create the expression.<br />
<br />
=== Example - MongoDB ===<br />
<br />
<syntaxhighlight lang="java"><br />
/* Here use MongoDB as target NoSQL DB */<br />
String userInput = "Brooklyn";<br />
<br />
/* First ensure that the input do no contains any special characters for the current NoSQL DB call API,<br />
here they are: ' " \ ; { } $<br />
*/<br />
//Avoid regexp this time in order to made validation code more easy to read and understand...<br />
ArrayList<String> specialCharsList = new ArrayList<String>() {{<br />
add("'");<br />
add("\"");<br />
add("\\");<br />
add(";");<br />
add("{");<br />
add("}");<br />
add("$");<br />
}};<br />
specialCharsList.forEach(specChar -> Assert.assertFalse(userInput.contains(specChar)));<br />
//Add also a check on input max size<br />
Assert.assertTrue(userInput.length() <= 50);<br />
<br />
/* Then perform query on database using API to build expression */<br />
//Connect to the local MongoDB instance<br />
try(MongoClient mongoClient = new MongoClient()){<br />
MongoDatabase db = mongoClient.getDatabase("test");<br />
//Use API query builder to create call expression<br />
//Create expression<br />
Bson expression = eq("borough", userInput);<br />
//Perform call<br />
FindIterable<org.bson.Document> restaurants = db.getCollection("restaurants").find(expression);<br />
//Verify result consistency<br />
restaurants.forEach(new Block<org.bson.Document>() {<br />
@Override<br />
public void apply(final org.bson.Document doc) {<br />
String restBorough = (String)doc.get("borough");<br />
Assert.assertTrue("Brooklyn".equals(restBorough));<br />
}<br />
});<br />
}<br />
</syntaxhighlight><br />
<br />
=== References ===<br />
<br />
[[Testing_for_NoSQL_injection|Testing for NoSQL injection]]<br />
<br />
https://ckarande.gitbooks.io/owasp-nodegoat-tutorial/content/tutorial/a1_-_sql_and_nosql_injection.html<br />
<br />
https://arxiv.org/ftp/arxiv/papers/1506/1506.04082.pdf<br />
<br />
== Log Injection ==<br />
<br />
<pre>This section is under work, so, is not yet ready for production usage!</pre><br />
<br />
=== Symptom ===<br />
<br />
[[Log_Injection|Log Injection]] occurs when an application includes untrusted data in an application log message (e.g., an attacker can cause an additional log entry that looks like it came from a completely different user, if they can inject CRLF characters in the untrusted data).<br />
<br />
More information about this attack is available on the OWASP [[Log Injection]] page.<br />
<br />
=== How to prevent ===<br />
<br />
To prevent an attacker from writing malicious content into the application log, apply defenses such as:<br />
<br />
* Filter the user input used to prevent injection of '''C'''arriage '''R'''eturn (CR) or '''L'''ine '''F'''eed (LF) characters.<br />
* Limit the size of the user input value used to create the log message.<br />
* Make sure [[XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet|all XSS defenses]] are applied when viewing log files in a web browser.<br />
<br />
=== Example using Log4j2 ===<br />
<br />
Configuration of a logging policy to roll on 10 files of 5MB each, and encode/limit the log message using the [https://logging.apache.org/log4j/2.x/manual/layouts.html#PatternLayout|Log4j2 Pattern ''encode{}{CRLF}''], introduced in [https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-api Log4j2 v2.10.0], and the ''-500m'' message size limit.:<br />
<br />
<syntaxhighlight lang="xml" highlight="7"><br />
<?xml version="1.0" encoding="UTF-8"?><br />
<Configuration status="error" name="SecureLoggingPolicy"><br />
<Appenders><br />
<RollingFile name="RollingFile" fileName="App.log" filePattern="App-%i.log" ignoreExceptions="false"><br />
<PatternLayout><br />
<!-- Encode any CRLF chars in the message and limit its maximum size to 500 characters --><br />
<Pattern>%d{ISO8601} %-5p - %encode{%.-500m}{CRLF}%n</Pattern><br />
</PatternLayout><br />
<Policies><br />
<SizeBasedTriggeringPolicy size="5MB"/><br />
</Policies><br />
<DefaultRolloverStrategy max="10"/><br />
</RollingFile><br />
</Appenders><br />
<Loggers><br />
<Root level="debug"><br />
<AppenderRef ref="RollingFile"/><br />
</Root><br />
</Loggers><br />
</Configuration><br />
</syntaxhighlight><br />
<br />
Usage of the logger at code level:<br />
<br />
<syntaxhighlight lang="java"><br />
import org.apache.logging.log4j.LogManager;<br />
import org.apache.logging.log4j.Logger;<br />
...<br />
// No special action needed because security actions are performed at the logging policy level<br />
Logger logger = LogManager.getLogger(MyClass.class);<br />
logger.info(logMessage);<br />
...<br />
</syntaxhighlight><br />
<br />
=== References ===<br />
<br />
https://logging.apache.org/log4j/2.x/manual/layouts.html#PatternLayout (See the encode{}{CRLF} function)<br />
Note that the default Log4j2 encode{} encoder is HTML, which does NOT prevent log injection. It prevents XSS attacks against viewing logs using a browser. OWASP recommends defending against XSS attacks in such situations in the log viewer application itself, not by preencoding all the log messages with HTML encoding as such log entries may be used/viewed in many other log viewing/analysis tools that don't expect the log data to be pre-HTML encoded.<br />
<br />
https://logging.apache.org/log4j/2.x/manual/configuration.html<br />
<br />
https://logging.apache.org/log4j/2.x/manual/appenders.html<br />
<br />
= Authors and Primary Editors =<br />
<br />
[[User:Dominique_RIGHETTO|Dominique Righetto]] - dominique.righetto@owasp.org<br />
<br />
[[User:wichers|Dave Wichers]] - dave.wichers@owasp.org (For just the Log Injection section)<br />
<br />
= Other Cheatsheets = <br />
<br />
{{Cheatsheet_Navigation_Body}}<br />
<br />
|}<br />
<br />
[[Category:Cheatsheets]]</div>Wichershttps://wiki.owasp.org/index.php?title=Injection_Prevention_Cheat_Sheet_in_Java&diff=245528Injection Prevention Cheat Sheet in Java2018-11-26T15:12:49Z<p>Wichers: /* Log Injection */</p>
<hr />
<div> __NOTOC__<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Cheatsheets-header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}''' <br />
= Introduction =<br />
__TOC__{{TOC hidden}}<br />
<br />
This document has for objective to provide some tips to handle ''Injection'' into Java application code.<br />
<br />
Sample codes used in tips are located [https://github.com/righettod/injection-cheat-sheets here].<br />
<br />
= What is Injection ? =<br />
<br />
[[Top_10_2013-A1-Injection|Injection]] in OWASP Top 10 is defined as following:<br />
<br />
''Consider anyone who can send untrusted data to the system, including external users, internal users, and administrators.''<br />
<br />
= General advices to prevent Injection =<br />
<br />
The following point can be applied, in a general way, to prevent ''Injection'' issue:<br />
<br />
# Apply '''Input Validation''' (using whitelist approach) combined with '''Output Sanitizing+Escaping''' on user input/output.<br />
# If you need to interact with system, try to use API features provided by your technology stack (Java / .Net / PHP...) instead of building command.<br />
<br />
Additional advices are provided on this [[Input_Validation_Cheat_Sheet|cheatsheet]].<br />
<br />
= Specific Injection types =<br />
<br />
''Examples in this section will be provided in Java technology (see Maven project associated) but advices are applicable to others technologies like .Net / PHP / Ruby / Python...''<br />
<br />
== SQL ==<br />
<br />
=== Symptom ===<br />
<br />
Injection of this type occur when the application use untrusted user input to build a SQL query using a String and execute it.<br />
<br />
=== How to prevent ===<br />
<br />
Use ''Query Parameterization'' in order to prevent injection.<br />
<br />
=== Example ===<br />
<br />
<syntaxhighlight lang="java"><br />
/*No DB framework used here in order to show the real use of Prepared Statement from Java API*/<br />
/*Open connection with H2 database and use it*/<br />
Class.forName("org.h2.Driver");<br />
String jdbcUrl = "jdbc:h2:file:" + new File(".").getAbsolutePath() + "/target/db";<br />
try (Connection con = DriverManager.getConnection(jdbcUrl)) {<br />
<br />
/* Sample A: Select data using Prepared Statement*/<br />
String query = "select * from color where friendly_name = ?";<br />
List<String> colors = new ArrayList<>();<br />
try (PreparedStatement pStatement = con.prepareStatement(query)) {<br />
pStatement.setString(1, "yellow");<br />
try (ResultSet rSet = pStatement.executeQuery()) {<br />
while (rSet.next()) {<br />
colors.add(rSet.getString(1));<br />
}<br />
}<br />
}<br />
Assert.assertEquals(1, colors.size());<br />
Assert.assertTrue(colors.contains("yellow"));<br />
<br />
/* Sample B: Insert data using Prepared Statement*/<br />
query = "insert into color(friendly_name, red, green, blue) values(?, ?, ?, ?)";<br />
int insertedRecordCount;<br />
try (PreparedStatement pStatement = con.prepareStatement(query)) {<br />
pStatement.setString(1, "orange");<br />
pStatement.setInt(2, 239);<br />
pStatement.setInt(3, 125);<br />
pStatement.setInt(4, 11);<br />
insertedRecordCount = pStatement.executeUpdate();<br />
}<br />
Assert.assertEquals(1, insertedRecordCount);<br />
<br />
/* Sample C: Update data using Prepared Statement*/<br />
query = "update color set blue = ? where friendly_name = ?";<br />
int updatedRecordCount;<br />
try (PreparedStatement pStatement = con.prepareStatement(query)) {<br />
pStatement.setInt(1, 10);<br />
pStatement.setString(2, "orange");<br />
updatedRecordCount = pStatement.executeUpdate();<br />
}<br />
Assert.assertEquals(1, updatedRecordCount);<br />
<br />
/* Sample D: Delete data using Prepared Statement*/<br />
query = "delete from color where friendly_name = ?";<br />
int deletedRecordCount;<br />
try (PreparedStatement pStatement = con.prepareStatement(query)) {<br />
pStatement.setString(1, "orange");<br />
deletedRecordCount = pStatement.executeUpdate();<br />
}<br />
Assert.assertEquals(1, deletedRecordCount);<br />
<br />
}<br />
</syntaxhighlight><br />
<br />
=== References ===<br />
<br />
* [[SQL_Injection_Prevention_Cheat_Sheet|SQL Injection Prevention Cheat Sheet]]<br />
<br />
== JPA ==<br />
<br />
=== Symptom ===<br />
<br />
Injection of this type occur when the application use untrusted user input to build a JPA query using a String and execute it. It's quite similar to SQL injection but here the altered language is not SQL but JPA QL.<br />
<br />
=== How to prevent ===<br />
<br />
Use Java Persistence Query Language '''Query Parameterization''' in order to prevent injection.<br />
<br />
=== Example ===<br />
<br />
<syntaxhighlight lang="java"><br />
EntityManager entityManager = null;<br />
try {<br />
/* Get a ref on EntityManager to access DB */<br />
entityManager = Persistence.createEntityManagerFactory("testJPA").createEntityManager();<br />
<br />
/* Define parametrized query prototype using named parameter to enhance readability */<br />
String queryPrototype = "select c from Color c where c.friendlyName = :colorName";<br />
<br />
/* Create the query, set the named parameter and execute the query */<br />
Query queryObject = entityManager.createQuery(queryPrototype);<br />
Color c = (Color) queryObject.setParameter("colorName", "yellow").getSingleResult();<br />
<br />
/* Ensure that the object obtained is the right one */<br />
Assert.assertNotNull(c);<br />
Assert.assertEquals(c.getFriendlyName(), "yellow");<br />
Assert.assertEquals(c.getRed(), 213);<br />
Assert.assertEquals(c.getGreen(), 242);<br />
Assert.assertEquals(c.getBlue(), 26);<br />
} finally {<br />
if (entityManager != null && entityManager.isOpen()) {<br />
entityManager.close();<br />
}<br />
}<br />
</syntaxhighlight><br />
<br />
=== References ===<br />
<br />
* https://software-security.sans.org/developer-how-to/fix-sql-injection-in-java-persistence-api-jpa<br />
<br />
== Operating System ==<br />
<br />
=== Symptom ===<br />
<br />
Injection of this type occur when the application use untrusted user input to build a Operating System command using a String and execute it.<br />
<br />
=== How to prevent ===<br />
<br />
Use technology stack '''API''' in order to prevent injection.<br />
<br />
=== Example ===<br />
<br />
<syntaxhighlight lang="java"><br />
/* The context taken is, for example, to perform a PING against a computer.<br />
* The prevention is to use the feature provided by the Java API instead of building<br />
* a system command as String and execute it */<br />
InetAddress host = InetAddress.getByName("localhost");<br />
Assert.assertTrue(host.isReachable(5000));<br />
</syntaxhighlight><br />
<br />
=== References ===<br />
<br />
* [[Command_Injection|Command Injection]]<br />
<br />
== XML: External Entity attack ==<br />
<br />
=== Symptom ===<br />
<br />
Injection of this type occur when the application load the received XML stream using a XML parser instance in which the resolution of External Entity is not disabled.<br />
<br />
=== How to prevent ===<br />
<br />
Disable to resolution of the External Entity in the parser instance to prevent injection.<br />
<br />
=== Example ===<br />
<br />
<syntaxhighlight lang="java"><br />
/*Create a XML document builder factory*/<br />
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();<br />
<br />
/*Disable External Entity resolution for differents cases*/<br />
// This is the PRIMARY defense. If DTDs (doctypes) are disallowed,<br />
// almost all XML entity attacks are prevented<br />
// Xerces 2 only - http://xerces.apache.org/xerces2-j/features.html#disallow-doctype-decl<br />
String feature = "http://apache.org/xml/features/disallow-doctype-decl";<br />
dbf.setFeature(feature, true);<br />
<br />
// If you can't completely disable DTDs, then at least do the following:<br />
// Xerces 1 - http://xerces.apache.org/xerces-j/features.html#external-general-entities<br />
// Xerces 2 - http://xerces.apache.org/xerces2-j/features.html#external-general-entities<br />
// JDK7+ - http://xml.org/sax/features/external-general-entities<br />
feature = "http://xml.org/sax/features/external-general-entities";<br />
dbf.setFeature(feature, false);<br />
<br />
// Xerces 1 - http://xerces.apache.org/xerces-j/features.html#external-parameter-entities<br />
// Xerces 2 - http://xerces.apache.org/xerces2-j/features.html#external-parameter-entities<br />
// JDK7+ - http://xml.org/sax/features/external-parameter-entities<br />
feature = "http://xml.org/sax/features/external-parameter-entities";<br />
dbf.setFeature(feature, false);<br />
<br />
// feature external DTDs as well<br />
feature = "http://apache.org/xml/features/nonvalidating/load-external-dtd";<br />
dbf.setFeature(feature, false);<br />
<br />
// and these as well, per Timothy Morgan's 2014 paper: "XML Schema, DTD, and Entity Attacks"<br />
dbf.setXIncludeAware(false);<br />
dbf.setExpandEntityReferences(false);<br />
<br />
/*Load XML file*/<br />
DocumentBuilder builder = dbf.newDocumentBuilder();<br />
//Here an org.xml.sax.SAXParseException will be throws because the XML contains a External Entity.<br />
builder.parse(new File("src/test/resources/SampleXXE.xml"));<br />
</syntaxhighlight><br />
<br />
== XML: XPath Injection ==<br />
<br />
=== Symptom ===<br />
<br />
Injection of this type occur when the application use untrusted user input to build a XPath query using a String and execute it.<br />
<br />
=== How to prevent ===<br />
<br />
Use '''XPath Variable Resolver''' in order to prevent injection.<br />
<br />
=== Example ===<br />
<br />
'''Variable Resolver''' implementation.<br />
<br />
<syntaxhighlight lang="java"><br />
/**<br />
* Resolver in order to define parameter for XPATH expression.<br />
*<br />
*/<br />
public class SimpleVariableResolver implements XPathVariableResolver {<br />
<br />
private final Map<QName, Object> vars = new HashMap<QName, Object>();<br />
<br />
/**<br />
* External methods to add parameter<br />
*<br />
* @param name Parameter name<br />
* @param value Parameter value<br />
*/<br />
public void addVariable(QName name, Object value) {<br />
vars.put(name, value);<br />
}<br />
<br />
/**<br />
* {@inheritDoc}<br />
*<br />
* @see javax.xml.xpath.XPathVariableResolver#resolveVariable(javax.xml.namespace.QName)<br />
*/<br />
public Object resolveVariable(QName variableName) {<br />
return vars.get(variableName);<br />
}<br />
}<br />
</syntaxhighlight><br />
<br />
Code using it to perform XPath query.<br />
<br />
<syntaxhighlight lang="java"><br />
/*Create a XML document builder factory*/<br />
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();<br />
<br />
/*Disable External Entity resolution for differents cases*/<br />
//Do not performed here in order to focus on variable resolver code<br />
//but do it for production code !<br />
<br />
/*Load XML file*/<br />
DocumentBuilder builder = dbf.newDocumentBuilder();<br />
Document doc = builder.parse(new File("src/test/resources/SampleXPath.xml"));<br />
<br />
/* Create and configure parameter resolver */<br />
String bid = "bk102";<br />
SimpleVariableResolver variableResolver = new SimpleVariableResolver();<br />
variableResolver.addVariable(new QName("bookId"), bid);<br />
<br />
/*Create and configure XPATH expression*/<br />
XPath xpath = XPathFactory.newInstance().newXPath();<br />
xpath.setXPathVariableResolver(variableResolver);<br />
XPathExpression xPathExpression = xpath.compile("//book[@id=$bookId]");<br />
<br />
/* Apply expression on XML document */<br />
Object nodes = xPathExpression.evaluate(doc, XPathConstants.NODESET);<br />
NodeList nodesList = (NodeList) nodes;<br />
Assert.assertNotNull(nodesList);<br />
Assert.assertEquals(1, nodesList.getLength());<br />
Element book = (Element)nodesList.item(0);<br />
Assert.assertTrue(book.getTextContent().contains("Ralls, Kim"));<br />
</syntaxhighlight><br />
<br />
=== References ===<br />
<br />
* [[XPATH_Injection|XPATH Injection]]<br />
<br />
== HTML/JavaScript/CSS ==<br />
<br />
=== Symptom ===<br />
<br />
Injection of this type occur when the application use untrusted user input to build a HTTP response and sent it to browser.<br />
<br />
=== How to prevent ===<br />
<br />
Either apply strict input validation (whitelist approach) or use output sanitizing+escaping if input validation is not possible (combine both every time is possible).<br />
<br />
=== Example ===<br />
<br />
<syntaxhighlight lang="java"><br />
/*<br />
INPUT WAY: Receive data from user<br />
Here it's recommended to use strict input validation using whitelist approach.<br />
In fact, you ensure that only allowed characters are part of the input received.<br />
*/<br />
<br />
String userInput = "You user login is owasp-user01";<br />
<br />
/* First we check that the value contains only expected character*/<br />
Assert.assertTrue(Pattern.matches("[a-zA-Z0-9\\s\\-]{1,50}", userInput));<br />
<br />
/* If the first check pass then ensure that potential dangerous character that we have allowed<br />
for business requirement are not used in a dangerous way.<br />
For example here we have allowed the character '-', and, this can be used in SQL injection so, we<br />
ensure that this character is not used is a continuous form.<br />
Use the API COMMONS LANG v3 to help in String analysis...<br />
*/<br />
Assert.assertEquals(0, StringUtils.countMatches(userInput.replace(" ", ""), "--"));<br />
<br />
/*<br />
OUTPUT WAY: Send data to user<br />
Here we escape + sanitize any data sent to user<br />
Use the OWASP Java HTML Sanitizer API to handle sanitizing<br />
Use the OWASP Java Encoder API to handle HTML tag encoding (escaping)<br />
*/<br />
<br />
String outputToUser = "You <p>user login</p> is <strong>owasp-user01</strong>";<br />
outputToUser += "<script>alert(22);</script><img src='#' onload='javascript:alert(23);'>";<br />
<br />
/* Create a sanitizing policy that only allow tag '<p>' and '<strong>'*/<br />
PolicyFactory policy = new HtmlPolicyBuilder().allowElements("p", "strong").toFactory();<br />
<br />
/* Sanitize the output that will be sent to user*/<br />
String safeOutput = policy.sanitize(outputToUser);<br />
<br />
/* Encode HTML Tag*/<br />
safeOutput = Encode.forHtml(safeOutput);<br />
String finalSafeOutputExpected = "You &lt;p&gt;user login&lt;/p&gt; is &lt;strong&gt;owasp-user01&lt;/strong&gt;";<br />
Assert.assertEquals(finalSafeOutputExpected, safeOutput);<br />
</syntaxhighlight><br />
<br />
=== References ===<br />
<br />
* [[Cross-site_Scripting_(XSS)| XSS]]<br />
<br />
* https://github.com/owasp/java-html-sanitizer<br />
<br />
* https://github.com/owasp/owasp-java-encoder/<br />
<br />
* https://docs.oracle.com/javase/8/docs/api/java/util/regex/Pattern.html<br />
<br />
* https://commons.apache.org/proper/commons-lang/javadocs/api-3.4/org/apache/commons/lang3/StringEscapeUtils.html<br />
<br />
== LDAP ==<br />
<br />
A dedicated [[LDAP_Injection_Prevention_Cheat_Sheet|cheatsheet]] has been created.<br />
<br />
== NoSQL ==<br />
<br />
=== Symptom ===<br />
<br />
Injection of this type occur when the application use untrusted user input to build a NoSQL API call expression.<br />
<br />
=== How to prevent ===<br />
<br />
As there many NoSQL database system and each one use a API for call, it's important to ensure that user input received<br />
and used to build the API call expression do not contains any character that have a special meaning in the target API syntax.<br />
This in order to avoid that it will be used to escape the initial call expression in order to create another one based on crafted user input.<br />
It's also important to not use string concatenation to build API call expression but use the API to create the expression.<br />
<br />
=== Example - MongoDB ===<br />
<br />
<syntaxhighlight lang="java"><br />
/* Here use MongoDB as target NoSQL DB */<br />
String userInput = "Brooklyn";<br />
<br />
/* First ensure that the input do no contains any special characters for the current NoSQL DB call API,<br />
here they are: ' " \ ; { } $<br />
*/<br />
//Avoid regexp this time in order to made validation code more easy to read and understand...<br />
ArrayList<String> specialCharsList = new ArrayList<String>() {{<br />
add("'");<br />
add("\"");<br />
add("\\");<br />
add(";");<br />
add("{");<br />
add("}");<br />
add("$");<br />
}};<br />
specialCharsList.forEach(specChar -> Assert.assertFalse(userInput.contains(specChar)));<br />
//Add also a check on input max size<br />
Assert.assertTrue(userInput.length() <= 50);<br />
<br />
/* Then perform query on database using API to build expression */<br />
//Connect to the local MongoDB instance<br />
try(MongoClient mongoClient = new MongoClient()){<br />
MongoDatabase db = mongoClient.getDatabase("test");<br />
//Use API query builder to create call expression<br />
//Create expression<br />
Bson expression = eq("borough", userInput);<br />
//Perform call<br />
FindIterable<org.bson.Document> restaurants = db.getCollection("restaurants").find(expression);<br />
//Verify result consistency<br />
restaurants.forEach(new Block<org.bson.Document>() {<br />
@Override<br />
public void apply(final org.bson.Document doc) {<br />
String restBorough = (String)doc.get("borough");<br />
Assert.assertTrue("Brooklyn".equals(restBorough));<br />
}<br />
});<br />
}<br />
</syntaxhighlight><br />
<br />
=== References ===<br />
<br />
[[Testing_for_NoSQL_injection|Testing for NoSQL injection]]<br />
<br />
https://ckarande.gitbooks.io/owasp-nodegoat-tutorial/content/tutorial/a1_-_sql_and_nosql_injection.html<br />
<br />
https://arxiv.org/ftp/arxiv/papers/1506/1506.04082.pdf<br />
<br />
== Log Injection ==<br />
<br />
=== Symptom ===<br />
<br />
[[Log_Injection|Log Injection]] occurs when an application includes untrusted data in an application log message (e.g., an attacker can cause an additional log entry that looks like it came from a completely different user, if they can inject CRLF characters in the untrusted data).<br />
<br />
More information about this attack is available on the OWASP [[Log Injection]] page.<br />
<br />
=== How to prevent ===<br />
<br />
To prevent an attacker from writing malicious content into the application log, apply defenses such as:<br />
<br />
* Filter the user input used to prevent injection of '''C'''arriage '''R'''eturn (CR) or '''L'''ine '''F'''eed (LF) characters.<br />
* Limit the size of the user input value used to create the log message.<br />
* Make sure [[XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet|all XSS defenses]] are applied when viewing log files in a web browser.<br />
<br />
The [[OWASP Security Logging Project]] can be used to protect the application log against ''Log Injection'' attacks.<br />
<br />
=== Example using Log4j2 ===<br />
<br />
Configuration of a logging policy to roll on 10 files of 5MB each, and encode/limit the log message using the [https://logging.apache.org/log4j/2.x/manual/layouts.html#PatternLayout|Log4j2 Pattern ''encode{}{CRLF}''], introduced in Log4j2 v2.10.0, and the ''-500m'' message size limit.:<br />
<br />
<syntaxhighlight lang="xml" highlight="7"><br />
<?xml version="1.0" encoding="UTF-8"?><br />
<Configuration status="error" name="SecureLoggingPolicy"><br />
<Appenders><br />
<RollingFile name="RollingFile" fileName="App.log" filePattern="App-%i.log" ignoreExceptions="false"><br />
<PatternLayout><br />
<!-- Encode any CRLF chars in the message and limit its maximum size to 500 characters --><br />
<Pattern>%d{ISO8601} %-5p - %encode{%.-500m}{CRLF}%n</Pattern><br />
</PatternLayout><br />
<Policies><br />
<SizeBasedTriggeringPolicy size="5MB"/><br />
</Policies><br />
<DefaultRolloverStrategy max="10"/><br />
</RollingFile><br />
</Appenders><br />
<Loggers><br />
<Root level="debug"><br />
<AppenderRef ref="RollingFile"/><br />
</Root><br />
</Loggers><br />
</Configuration><br />
</syntaxhighlight><br />
<br />
Usage of the logger at code level:<br />
<br />
<syntaxhighlight lang="java"><br />
import org.apache.logging.log4j.LogManager;<br />
import org.apache.logging.log4j.Logger;<br />
...<br />
// No special action needed because security actions are performed at the logging policy level<br />
Logger logger = LogManager.getLogger(MyClass.class);<br />
logger.info(logMessage);<br />
...<br />
</syntaxhighlight><br />
<br />
=== References ===<br />
<br />
https://logging.apache.org/log4j/2.x/manual/layouts.html#PatternLayout (See the encode{}{CRLF} function)<br />
Note that the default Log4j2 encode{} encoder is HTML, which does NOT prevent log injection. It prevents XSS attacks against viewing logs using a browser. OWASP recommends defending against XSS attacks in such situations in the log viewer application itself, not by preencoding all the log messages with HTML encoding as such log entries may be used/viewed in many other log viewing/analysis tools that don't expect the log data to be pre-HTML encoded.<br />
<br />
https://logging.apache.org/log4j/2.x/manual/configuration.html<br />
<br />
https://logging.apache.org/log4j/2.x/manual/appenders.html<br />
<br />
https://github.com/javabeanz/owasp-security-logging<br />
<br />
= Authors and Primary Editors =<br />
<br />
[[User:Dominique_RIGHETTO|Dominique Righetto]] - dominique.righetto@owasp.org<br />
<br />
= Other Cheatsheets = <br />
<br />
{{Cheatsheet_Navigation_Body}}<br />
<br />
|}<br />
<br />
[[Category:Cheatsheets]]</div>Wichershttps://wiki.owasp.org/index.php?title=Free_for_Open_Source_Application_Security_Tools&diff=244978Free for Open Source Application Security Tools2018-11-07T21:12:12Z<p>Wichers: /* Free for Open Source Tools */</p>
<hr />
<div>__NOTOC__<br />
== Introduction ==<br />
OWASP's mission is to help the world improve the security of its software. One of the best ways OWASP can do that is to help Open Source developers improve the software they are producing that everyone else relies on. As such, the following lists of '''automated vulnerability detection tools''' that are '''free for open source''' projects have been gathered together here to raise awareness of their availability.<br />
<br />
We would encourage open source projects to use the following types of tools to improve the security and quality of their code:<br />
* Static Application Security Testing ([[SAST]]) Tools <br />
* Dynamic Application Security Testing ([[DAST]]) Tools - (Primarily for web apps)<br />
* Interactive Application Security Testing (IAST) Tools - (Primarily for web apps and web APIs)<br />
* Keeping Open Source libraries up-to-date (to avoid [[Top 10-2017 A9-Using Components with Known Vulnerabilities|Using Components with Known Vulnerabilities (OWASP Top 10-2017 A9)]])<br />
* Static Code Quality Tools<br />
<br />
<br> '''Disclaimer:''' <b>OWASP does not endorse any of the Vendors or Scanning Tools by listing them below. They are simply listed if we believe they are free for use by open source projects. We have made every effort to provide this information as accurately as possible. If you are the vendor of a free for open source tool and think this information is incomplete or incorrect, please send an e-mail to dave.wichers (at) owasp.org and we will make every effort to correct this information.</b><br />
<br />
== Free for Open Source Tools ==<br />
Tools that are free for open source projects in each of the above categories are listed below.<br />
<br />
=== SAST Tools ===<br />
OWASP already maintains a page of known SAST tools: [[Source Code Analysis Tools]], which includes a list of those that are "Open Source or Free Tools Of This Type". Any such tools could certainly be used. One such cloud service that looks promising is:<br />
* [https://lgtm.com/help/lgtm/about-lgtm LGTM.com] - A free for open source static analysis service that automatically monitors commits to publicly accessible code in: Bitbucket Cloud, GitHub, or GitLab. Supports C/C++, C#, COBOL (in beta), Java, JavaScript/TypeScript, Python<br />
In addition, we are aware of the following commercial SAST tools that are free for Open Source projects:<br />
* [https://scan.coverity.com/ Coverity Scan Static Analysis] - Can be lashed into Travis-CI so it's done automatically with online resources. Supports over a dozen programming languages as documented here in the section [https://www.synopsys.com/software-integrity/security-testing/static-analysis-sast.html Comprehensive support for these programming languages and frameworks].<br />
<br />
=== DAST Tools ===<br />
If your project has a web application component, we recommend running automated scans against it to look for vulnerabilities. OWASP maintains a page of known DAST Tools: [[:Category:Vulnerability Scanning Tools|Vulnerability Scanning Tools]], and the '''Licence''' column on this page indicates which of those tools have free capabilities. Our primary recommendation is to use one of these:<br />
* [[OWASP Zed Attack Proxy Project|OWASP ZAP]] - A full featured free and open source DAST tool that includes both automated scanning for vulnerabilities and tools to assist expert manual web app pen testing.<br />
** The ZAP team has also been working hard to make it easier to integrate ZAP into your CI/CD pipeline. (e.g., here's a [https://www.we45.com/blog/how-to-integrate-zap-into-jenkins-ci-pipeline-we45-blog blog post on how to integrate ZAP with Jenkins]).<br />
* [http://www.arachni-scanner.com/ Arachni] - Arachni is a commercially supported scanner, but its free for most use cases, including scanning open source projects.<br />
We are not aware of any other commercial grade tools that offer their full featured DAST product free for open source projects.<br />
<br />
=== IAST Tools ===<br />
IAST tools are typically geared to analyze Web Applications and Web APIs, but that is vendor specific. There may be IAST products that can perform good security analysis on non-web applications as well.<br />
<br />
We are aware of only one IAST Tool that is free for open source at this time:<br />
* [https://www.contrastsecurity.com/contrast-community-edition Contrast Community Edition (CE)] - Fully featured version for 1 app and up to 5 users (some Enterprise features disabled). Contrast CE supports Java only.<br />
<br />
=== Open Source Software (OSS) Security Tools ===<br />
OSS refers to the open source libraries or components that application developers leverage to quickly develop new applications and add features to existing apps. Gartner refers to the analysis of the security of these components as software composition analysis (SCA). So OSS Analysis and SCA are the same thing.<br />
<br />
OWASP recommends that all software projects generally try to keep the libraries they use as up-to-date as possible to reduce the likelihood of [[Top 10-2017 A9-Using Components with Known Vulnerabilities|Using Components with Known Vulnerabilities (OWASP Top 10-2017 A9)]]. There are two recommended approaches for this:<br />
<br />
==== Keeping Your Libraries Updated ====<br />
Using the latest version of each library is recommended because security issues are frequently fixed 'silently' by the component maintainer. By silently, we mean without publishing a [https://cve.mitre.org/ CVE] for the security fix.<br />
* [https://www.mojohaus.org/versions-maven-plugin/ Maven Versions plugin]<br />
** For Maven projects, can be used to generate a report of all dependencies used and when upgrades are available for them. Either a direct report, or part of the overall project documentation using: mvn site.<br />
* Dependabot - https://dependabot.com/<br />
** A GitHub only service that creates pull requests to keep your dependencies up-to-date. It automatically generates a pull request for each dependency you can upgrade, which you can then ignore, or accept, as you like. It supports tons of languages.<br />
** Recommended for all open source projects maintained on GitHub!<br />
<br />
==== Detecting Known Vulnerable Components ====<br />
As an alternative, or in addition to, trying to keep all your components up-to-date, a project can specifically monitor whether any of the components they use have known vulnerable components.<br />
<br />
Free tools of this type:<br />
* OWASP has its own free open source tool [[OWASP Dependency Check]] that is free for anyone to use.<br />
* GitHub: Security alerts for vulnerable dependencies - https://help.github.com/articles/about-security-alerts-for-vulnerable-dependencies/<br />
** A native GitHub feature that reports known vulnerable dependencies in your GitHub projects. Supports: Java, .NET, JavaScript, Ruby, and Python. Your GitHub projects are automatically signed up for this service.<br />
Commercial tools of this type that are free for open source:<br />
* Contrast Community Edition (CE) (mentioned earlier) also has both Known Vulnerable Component detection and Available Updates reporting for OSS. CE supports Java only.<br />
* Snyk - https://www.snyk.io - Supports Node.js, Ruby, Java, Python, Scala, Golang, .NET, PHP - Latest list here: https://snyk.io/docs<br />
** A Commercial tool that identifies vulnerable components and integrates with numerous CI/CD pipelines. It is free for open source: https://snyk.io/plans<br />
** If you don't want to grant Snyk write access to your repo (see it can auto-create pull requests) you can use the Command Line Interface (CLI) instead. See: https://snyk.io/docs/using-snyk. If you do this and want it to be free, you have to configure Snyk so it know its open source: https://support.snyk.io/snyk-cli/how-can-i-set-a-snyk-cli-project-as-open-source<br />
*** Another benefit of using the Snyk CLI is that it won't auto create Pull requests for you (which makes these 'issues' more public than you might prefer)<br />
** They also provide detailed information and remediation guidance for known vulnerabilities here: https://snyk.io/vuln<br />
* SourceClear - https://www.sourceclear.com/ - Supports: Java, Ruby, JavaScript, Python, Objective C, GO, PHP<br />
** They have a free trial right from their [https://www.sourceclear.com/ home page]. When the 30 day trial expires, it converts into a free "Personal Account" per: "Upgrade at any time to get the features that matter most to you, or choose the Personal plan when your trial ends." Personal Account described here: https://www.sourceclear.com/pricing/<br />
** They also make their component vulnerability data (for publicly known vulns) free to search: https://www.sourceclear.com/vulnerability-database/search#_ (Very useful when trying to research a particular library)<br />
* WhiteSource Bolt - Supports 200+ programming languages. https://www.whitesourcesoftware.com/<br />
** Azure version: https://marketplace.visualstudio.com/items?itemName=whitesource.ws-bolt<br />
** GitHub version: https://github.com/apps/whitesource-bolt-for-github Available starting in Nov. 2018.<br />
<br />
=== Code Quality tools ===<br />
Quality has a significant correlation to security. As such, we recommend open source projects also consider using good code quality tools. A few that we are aware of are:<br />
* SpotBugs (https://github.com/spotbugs/spotbugs) - Open source code quality tool for Java<br />
** This is the active fork for FindBugs, so if you use Findbugs, you should switch to this.<br />
** SpotBugs users should add the FindSecBugs plugin (http://find-sec-bugs.github.io/) to their SpotBugs setup, as it significantly improves on the very basic security checking native to SpotBugs.<br />
<br />
* SonarQube (https://www.sonarqube.org/)<br />
** This is a commercially supported, very popular, free (and commercial) code quality tool. It includes most if not all the FindSecBugs security rules plus lots more for quality, including a free, internet online CI setup to run it against your open source projects. SonarQube supports numerous languages: https://www.sonarqube.org/features/multi-languages/<br />
<br />
Please let us know if you are aware of any other high quality application security tools that are free for open source (or simply add them to this page). We are particularly interested in identifying and listing commercial tools that are free for open source, as they tend to be better and easier to use than open source (free) tools. If you are aware of any missing from this list, please add them, or let us know (dave.wichers (at) owasp.org) and we'll confirm they are free, and add them for you. Please encourage your favorite commercial tool vendor to make their tool free for open source projects as well!!<br />
<br />
Finally, please forward this page to the open source projects you rely on and encourage them to use these free tools!</div>Wichershttps://wiki.owasp.org/index.php?title=Source_Code_Analysis_Tools&diff=244977Source Code Analysis Tools2018-11-07T21:07:11Z<p>Wichers: Add LGTM SAST Tool to list.</p>
<hr />
<div>Source code analysis tools, also referred to as Static Application Security Testing (SAST) Tools, are designed to analyze source code and/or compiled versions of code to help find security flaws. <br />
<br />
Some tools are starting to move into the IDE. For the types of problems that can be detected during the software development phase itself, this is a powerful phase within the development life cycle to employ such tools, as it provides immediate feedback to the developer on issues they might be introducing into the code during code development itself. This immediate feedback is very useful, especially when compared to finding vulnerabilities much later in the development cycle.<br />
<br />
== Strengths and Weaknesses ==<br />
<br />
=== Strengths ===<br />
<br />
* Scales well -- can be run on lots of software, and can be run repeatedly (as with nightly builds or continuous integration)<br />
* Useful for things that such tools can automatically find with high confidence, such as buffer overflows, SQL Injection Flaws, and so forth<br />
* Output is good for developers -- highlights the precise source files, line numbers, and even subsections of lines that are affected<br />
<br />
=== Weaknesses ===<br />
<br />
* Many types of security vulnerabilities are very difficult to find automatically, such as authentication problems, access control issues, insecure use of cryptography, etc. The current state of the art only allows such tools to automatically find a relatively small percentage of application security flaws. However, tools of this type are getting better.<br />
* High numbers of false positives.<br />
* Frequently can't find configuration issues, since they are not represented in the code.<br />
* Difficult to 'prove' that an identified security issue is an actual vulnerability.<br />
* Many of these tools have difficulty analyzing code that can't be compiled. Analysts frequently can't compile code because they don't have the right libraries, all the compilation instructions, all the code, etc.<br />
<br />
==Important Selection Criteria==<br />
<br />
* Requirement: Must support your programming language, but not usually a key factor once it does.<br />
* Types of vulnerabilities it can detect (out of the [[OWASP Top Ten]]?) (plus more?)<br />
* How accurate is it? False Positive/False Negative rates?<br />
** Does the tool have an OWASP [[Benchmark]] score?<br />
* Does it understand the libraries/frameworks you use?<br />
* Does it require a fully buildable set of source?<br />
* Can it run against binaries instead of source?<br />
* Can it be integrated into the developer's IDE?<br />
* How hard is it to setup/use?<br />
* Can it be run continuously and automatically?<br />
* License cost for the tool. (Some are sold per user, per org, per app, per line of code analyzed. Consulting licenses are frequently different than end user licenses.)<br />
<br />
==OWASP Tools Of This Type==<br />
<br />
* [[OWASP SonarQube Project]]<br />
* [http://www.owasp.org/index.php/Category:OWASP_Orizon_Project OWASP Orizon Project]<br />
* [[OWASP_LAPSE_Project | OWASP LAPSE Project]]<br />
* [[OWASP O2 Platform]]<br />
* [[OWASP WAP-Web Application Protection]]<br />
<br />
==Disclaimer==<br />
<br />
Disclaimer: <b>The tools listed in the tables below are presented in alphabetical order. <i>OWASP does not endorse any of the vendors or tools by listing them in the table below.</i> We have made every effort to provide this information as accurately as possible. If you are the vendor of a tool below and think that this information is incomplete or incorrect, please send an e-mail to our mailing list and we will make every effort to correct this information.</b><br />
<br />
==Open Source or Free Tools Of This Type==<br />
<br />
* [https://wiki.openstack.org/wiki/Security/Projects/Bandit Bandit] - bandit is a comprehensive source vulnerability scanner for Python<br />
* [http://brakemanscanner.org/ Brakeman] - Brakeman is an open source vulnerability scanner specifically designed for Ruby on Rails applications<br />
* [http://rubygems.org/gems/codesake-dawn Codesake Dawn] - Codesake Dawn is an open source security source code analyzer designed for Sinatra, Padrino for Ruby on Rails applications. It also works on non-web applications written in Ruby<br />
* [http://findbugs.sourceforge.net/ FindBugs] - (Legacy - NOT Maintained - Use SpotBugs (see below) instead) - Find bugs (including a few security flaws) in Java programs<br />
* [https://find-sec-bugs.github.io/ FindSecBugs] - A security specific plugin for SpotBugs that significantly improves SpotBugs's ability to find security vulnerabilities in Java programs. Works with the old FindBugs too,<br />
* [http://www.dwheeler.com/flawfinder/ Flawfinder] Flawfinder - Scans C and C++<br />
* [https://www.bishopfox.com/resources/tools/google-hacking-diggity/attack-tools/ Google CodeSearchDiggity] - Uses Google Code Search to identifies vulnerabilities in open source code projects hosted by Google Code, MS CodePlex, SourceForge, Github, and more. The tool comes with over 130 default searches that identify SQL injection, cross-site scripting (XSS), insecure remote and local file includes, hard-coded passwords, and much more. ''Essentially, Google CodeSearchDiggity provides a source code security analysis of nearly every single open source code project in existence – simultaneously.''<br />
* [https://github.com/wireghoul/graudit/ Graudit] - Scans multiple languages for various security flaws.<br />
* [https://lgtm.com/help/lgtm/about-lgtm LGTM] - A free for open source static analysis service that automatically monitors commits to publicly accessible code in: Bitbucket Cloud, GitHub, or GitLab. Supports C/C++, C#, COBOL (in beta), Java, JavaScript/TypeScript, Python<br />
* [http://pmd.sourceforge.net/ PMD] - PMD scans Java source code and looks for potential code problems (this is a code quality tool that does not focus on security issues)<br />
* [https://github.com/designsecurity/progpilot Progpilot] - Progpilot is a static analyzer tool for PHP that detects security vulnerabilities such as XSS and SQL Injection.<br />
* [http://msdn.microsoft.com/en-us/library/ms933794.aspx PreFast] (Microsoft) - PREfast is a static analysis tool that identifies defects in C/C++ programs. Last update 2006.<br />
* [https://pumascan.com/ Puma Scan] - Puma Scan is a .NET C# open source static source code analyzer that runs as an IDE plugin for Visual Studio and via MSBuild in CI pipelines.<br />
* [https://dotnet-security-guard.github.io/ .NET Security Guard] - Roslyn analyzers that aim to help security audits on .NET applications. It will find SQL injections, LDAP injections, XXE, cryptography weakness, XSS and more.<br />
* [http://rips-scanner.sourceforge.net/ RIPS] - RIPS is a static source code analyzer for vulnerabilities in PHP web applications. Please see notes on the sourceforge.net site.<br />
* [https://github.com/FloeDesignTechnologies/phpcs-security-audit phpcs-security-audit] - phpcs-security-audit is a set of PHP_CodeSniffer rules that finds flaws or weaknesses related to security in PHP and its popular CMS or frameworks. It currently has core PHP rules as well as Drupal 7 specific rules.<br />
* [http://www.sonarqube.org/ SonarQube] - Scans source code for more than 20 languages for Bugs, Vulnerabilities, and Code Smells. SonarQube IDE plugins for Eclipse, Visual Studio, and IntelliJ provided by [http://www.sonarlint.org/ SonarLint].<br />
* [https://spotbugs.github.io/ SpotBugs] - This is the active fork replacement for FindBugs, which is not maintained anymore.<br />
* [http://sourceforge.net/projects/visualcodegrepp/ VisualCodeGrepper (VCG)] - Scans C/C++, C#, VB, PHP, Java, and PL/SQL for security issues and for comments which may indicate defective code. The config files can be used to carry out additional checks for banned functions or functions which commonly cause security issues.<br />
<br />
==Commercial Tools Of This Type==<br />
* [https://www.ptsecurity.com/ww-en/products/ai/ Application Inspector] (Positive Technologies) - combines SAST, DAST, IAST, SCA, configuration analysis and other technologies, incl. unique abstract interpretation; has capability to generate test queries (exploits) to verify detected vulnerabilities during SAST analysis; Supported languages include: Java, C#, PHP, JavaScript, Objective C, VB.Net, PL/SQL, T-SQL, and others. <br />
* [https://www.ibm.com/us-en/marketplace/application-security-on-cloud Application Security on Cloud] (IBM) - Provides SAST, DAST and mobile security testing as well as OpenSource library known vulnerability detection as a cloud service. <br />
* [http://www-01.ibm.com/software/rational/products/appscan/source/ AppScan Source] (IBM)<br />
* [http://www.blueclosure.com BlueClosure BC Detect] (BlueClosure) - Analyzes client-side JavaScript.<br />
* [https://buguroo.com/products/bugblast-next-gen-appsec-platform/bugscout-sca bugScout] (Buguroo Offensive Security)<br />
* [http://www.castsoftware.com/solutions/application-security/cwe#SupportedSecurityStandards CAST AIP] (CAST) Performs static and architectural analysis to identify numerous types of security issues. Supports over 30 languages.<br />
* [https://www.codacy.com/ Codacy] Offers security patterns for languages such as Python, Ruby, Scala, Java, JavaScript and more. Integrates with tools such as Brakeman, Bandit, FindBugs, and others. (free for open source projects)<br />
* [http://www.contrastsecurity.com/ Contrast] (Contrast Security) - Contrast performs code security without actually doing static analysis. Contrast does Interactive Application Security Testing (IAST), correlating runtime code & data analysis. It provides code level results without actually relying on static analysis.<br />
* [http://www.coverity.com/products/code-advisor/ Coverity Code Advisor] (Synopsys)<br />
* [https://www.checkmarx.com/technology/static-code-analysis-sca/ CxSAST] (Checkmarx)<br />
* [http://www8.hp.com/us/en/software-solutions/static-code-analysis-sast/ Fortify] (Micro Focus, Formally HP)<br />
* [http://www.juliasoft.com/solutions Julia] (JuliaSoft) - SaaS Java static analysis<br />
* [http://www.klocwork.com/capabilities/static-code-analysis KlocWork] (KlocWork)<br />
* [https://www.kiuwan.com/code-analysis/ Kiuwan] (an [http://www.optimyth.com Optimyth] company) - SaaS Software Quality & Security Analysis<br />
* [http://www.parasoft.com/jsp/capabilities/static_analysis.jsp?itemId=547 Parasoft Test] (Parasoft)<br />
* [https://pitss.com/products/pitss-con/ PITSS.CON] (PITTS)<br />
* [http://www.viva64.com/en/ PVS-Studio] (PVS-Studio) - For C/C++, C#<br />
* [https://pumascanpro.com/ Puma Scan Professional] - A .NET C# static source code analyzer that runs as an IDE plugin for Visual Studio and via MSBuild in CI pipelines.<br />
* [https://www.ripstech.com/ RIPS Code Analysis] (RIPS Technologies) - A SAST solution specialized for PHP that detects unknown security vulnerabilities and code quality issues.<br />
* [https://www.synopsys.com/software-integrity/resources/datasheets/secureassist.html SecureAssist] (Synopsys) - Scans code for insecure coding and configurations automatically as an IDE plugin for Eclipse, IntelliJ, and Visual Studio etc. Supports (Java, .NET, PHP, and JavaScript)<br />
* [https://www.whitehatsec.com/products/static-application-security-testing/ Sentinel Source] (Whitehat)<br />
* [https://www.synopsys.com/software-integrity/products/interactive-application-security-testing.html Seeker] (Synopsys) Seeker performs code security without actually doing static analysis. Seeker does Interactive Application Security Testing (IAST), correlating runtime code & data analysis with simulated attacks. It provides code level results without actually relying on static analysis.<br />
* [http://www.sourcepatrol.co.uk/ Source Patrol] (Pentest)<br />
* [https://www.defensecode.com/thunderscan.php Thunderscan SAST] (DefenseCode)<br />
* [http://www.veracode.com/products/binary-static-analysis-sast Veracode Static Analysis] (Veracode)<br />
* [http://www.xanitizer.net Xanitizer] - Scans Java for security vulnerabilities, mainly via taint analysis. Free for academic and open source projects (see [https://www.rigs-it.com/xanitizer-pricing/]).<br />
<br />
==More info==<br />
<br />
* [[Appendix_A:_Testing_Tools | Appendix A: Testing Tools]]<br />
* [http://samate.nist.gov/index.php/Source_Code_Security_Analyzers.html NIST's list of Source Code Security Analysis Tools]<br />
* [[:Category:Vulnerability_Scanning_Tools | DAST Tools]] - Similar info on Dynamic Application Security Testing (DAST) Tools<br />
<br />
[[Category:OWASP .NET Project]]<br />
[[Category:SAMM-CR-2]]<br />
__NOTOC__</div>Wichershttps://wiki.owasp.org/index.php?title=Benchmark&diff=244841Benchmark2018-11-04T21:03:56Z<p>Wichers: /* Using a VM instead */</p>
<hr />
<div>= Main = <br />
<div style="width:100%;height:100px;border:0,margin:0;overflow: hidden;">[[File:Lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== OWASP Benchmark Project ==<br />
The OWASP Benchmark for Security Automation (OWASP Benchmark) is a free and open test suite designed to evaluate the speed, coverage, and accuracy of automated software vulnerability detection tools and services (henceforth simply referred to as 'tools'). Without the ability to measure these tools, it is difficult to understand their strengths and weaknesses, and compare them to each other. Each version of the OWASP Benchmark contains thousands of test cases that are fully runnable and exploitable, each of which maps to the appropriate CWE number for that vulnerability.<br />
<br />
You can use the OWASP Benchmark with [[Source_Code_Analysis_Tools | Static Application Security Testing (SAST)]] tools, [[:Category:Vulnerability_Scanning_Tools | Dynamic Application Security Testing (DAST)]] tools like OWASP [[ZAP]] and Interactive Application Security Testing (IAST) tools. The current version of the Benchmark is implemented in Java. Future versions may expand to include other languages.<br />
<br />
==Benchmark Project Scoring Philosophy==<br />
<br />
Security tools (SAST, DAST, and IAST) are amazing when they find a complex vulnerability in your code. But with widespread misunderstanding of the specific vulnerabilities automated tools cover, end users are often left with a false sense of security.<br />
<br />
We are on a quest to measure just how good these tools are at discovering and properly diagnosing security problems in applications. We rely on the [http://en.wikipedia.org/wiki/Receiver_operating_characteristic long history] of military and medical evaluation of detection technology as a foundation for our research. Therefore, the test suite tests both real and fake vulnerabilities.<br />
<br />
There are four possible test outcomes in the Benchmark:<br />
<br />
# Tool correctly identifies a real vulnerability (True Positive - TP)<br />
# Tool fails to identify a real vulnerability (False Negative - FN)<br />
# Tool correctly ignores a false alarm (True Negative - TN)<br />
# Tool fails to ignore a false alarm (False Positive - FP)<br />
<br />
We can learn a lot about a tool from these four metrics. Consider a tool that simply flags every line of code as vulnerable. This tool will perfectly identify all vulnerabilities! But it will also have 100% false positives and thus adds no value. Similarly, consider a tool that reports absolutely nothing. This tool will have zero false positives, but will also identify zero real vulnerabilities and is also worthless. You can even imagine a tool that flips a coin to decide whether to report whether each test case contains a vulnerability. The result would be 50% true positives and 50% false positives. We need a way to distinguish valuable security tools from these trivial ones.<br />
<br />
If you imagine the line that connects all these points, from 0,0 to 100,100 establishes a line that roughly translates to "random guessing." The ultimate measure of a security tool is how much better it can do than this line. The diagram below shows how we will evaluate security tools against the Benchmark.<br />
<br />
[[File:Wbe guide.png]]<br />
<br />
A point plotted on this chart provides a visual indication of how well a tool did considering both the True Positives the tool reported, as well as the False Positives it reported. We also want to compute an individual score for that point in the range 0 - 100, which we call the Benchmark Accuracy Score.<br />
<br />
The Benchmark Accuracy Score is essentially a [https://en.wikipedia.org/wiki/Youden%27s_J_statistic Youden Index], which is a standard way of summarizing the accuracy of a set of tests. Youden's index is one of the oldest measures for diagnostic accuracy. It is also a global measure of a test performance, used for the evaluation of overall discriminative power of a diagnostic procedure and for comparison of this test with other tests. Youden's index is calculated by deducting 1 from the sum of a test’s sensitivity and specificity expressed not as percentage but as a part of a whole number: (sensitivity + specificity) – 1. For a test with poor diagnostic accuracy, Youden's index equals 0, and in a perfect test Youden's index equals 1.<br />
<br />
So for example, if a tool has a True Positive Rate (TPR) of .98 (i.e., 98%) <br />
and False Positive Rate (FPR) of .05 (i.e., 5%)<br />
Sensitivity = TPR (.98)<br />
Specificity = 1-FPR (.95)<br />
So the Youden Index is (.98+.95) - 1 = .93<br />
<br />
And this would equate to a Benchmark score of 93 (since we normalize this to the range 0 - 100)<br />
<br />
On the graph, the Benchmark Score is the length of the line from the point down to the diagonal “guessing” line. Note that a Benchmark score can actually be negative if the point is below the line. This is caused when the False Positive Rate is actually higher than the True Positive Rate.<br />
<br />
==Benchmark Validity==<br />
<br />
The Benchmark tests are not exactly like real applications. The tests are derived from coding patterns observed in real applications, but the majority of them are considerably '''simpler''' than real applications. That is, most real world applications will be considerably harder to successfully analyze than the OWASP Benchmark Test Suite. Although the tests are based on real code, it is possible that some tests may have coding patterns that don't occur frequently in real code.<br />
<br />
Remember, we are trying to test the capabilities of the tools and make them explicit, so that users can make informed decisions about what tools to use, how to use them, and what results to expect. This is exactly aligned with the OWASP mission to make application security visible.<br />
<br />
==Generating Benchmark Scores==<br />
<br />
Anyone can use this Benchmark to evaluate vulnerability detection tools. The basic steps are:<br />
# Download the Benchmark from github<br />
# Run your tools against the Benchmark<br />
# Run the BenchmarkScore tool on the reports from your tools<br />
<br />
That's it!<br />
<br />
Full details on how to do this are at the bottom of the page on the Quick_Start tab.<br />
<br />
We encourage both vendors, open source tools, and end users to verify their application security tools against the Benchmark. In order to ensure that the results are fair and useful, we ask that you follow a few simple rules when publishing results. We won't recognize any results that aren't easily reproducible:<br />
<br />
# A description of the default “out-of-the-box” installation, version numbers, etc…<br />
# Any and all configuration, tailoring, onboarding, etc… performed to make the tool run<br />
# Any and all changes to default security rules, tests, or checks used to achieve the results<br />
# Easily reproducible steps to run the tool<br />
<br />
== Reporting Format==<br />
<br />
The Benchmark includes tools to interpret raw tool output, compare it to the expected results, and generate summary charts and graphs. We use the following table format in order to capture all the information generated during the evaluation.<br />
<br />
{| class="wikitable nowraplinks"<br />
|-<br />
! style="background:#DDDDDD" | Security Category<br />
! TP<br />
! FN<br />
! TN<br />
! FP<br />
! style="background:#DDDDDD" | Total<br />
! TPR<br />
! FPR<br />
! style="background:#DDDDDD" | Score<br />
|-<br />
! style="background:#DDDDDD" valign="top" width="11%"| General security category for test cases.<br />
| valign="top" width="11%"| '''True Positives''': Tests with real vulnerabilities that were correctly reported as vulnerable by the tool.<br />
| valign="top" width="11%"| '''False Negative''': Tests with real vulnerabilities that were not correctly reported as vulnerable by the tool.<br />
| valign="top" width="11%"| '''True Negative''': Tests with fake vulnerabilities that were correctly not reported as vulnerable by the tool.<br />
| valign="top" width="11%"| '''False Positive''':Tests with fake vulnerabilities that were incorrectly reported as vulnerable by the tool.<br />
| style="background:#DDDDDD" valign="top" width="11%"| Total test cases for this category.<br />
| valign="top" width="11%"| '''True Positive Rate''': TP / ( TP + FN ) - Also referred to as Precision, as defined at [https://en.wikipedia.org/wiki/Precision_and_recall Wikipedia].<br />
| valign="top" width="11%"| '''False Positive Rate''': FP / ( FP + TN ).<br />
| style="background:#DDDDDD" valign="top" width="11%"| Normalized distance from the “guess line” TPR - FPR.<br />
|-<br />
! style="background:#DDDDDD" | Command Injection<br />
| ...<br />
| ...<br />
| ...<br />
| ...<br />
| style="background:#DDDDDD" | ...<br />
| ...<br />
| ...<br />
| style="background:#DDDDDD" | ...<br />
|-<br />
! style="background:#DDDDDD" | Etc...<br />
| ...<br />
| ...<br />
| ...<br />
| ...<br />
| style="background:#DDDDDD" | ...<br />
| ...<br />
| ...<br />
| style="background:#DDDDDD" | ...<br />
|-<br />
! style="background:#DDDDDD" | <br />
! Total TP<br />
! Total FN<br />
! Total TN<br />
! Total FP<br />
! style="background:#DDDDDD" | Total TC<br />
! Average TPR<br />
! Average FPR<br />
! style="background:#DDDDDD" | Average Score<br />
|}<br />
<br />
==Code Repo and Build/Run Instructions ==<br />
<br />
See the '''Getting Started''' and '''Getting, Building, and Running the Benchmark''' sections on the Quick Start tab.<br />
<br />
==Licensing==<br />
<br />
The OWASP Benchmark is free to use under the [http://choosealicense.com/licenses/gpl-2.0/ GNU General Public License v2.0].<br />
<br />
== Mailing List ==<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp-benchmark-project OWASP Benchmark Mailing List]<br />
<br />
== Project Leaders ==<br />
<br />
[https://www.owasp.org/index.php/User:Wichers Dave Wichers] [mailto:dave.wichers@owasp.org @]<br />
<br />
== Project References ==<br />
* [https://www.mir-swamp.org/#packages/public Software Assurance Marketplace (SWAMP) - set of curated packages to test tools against]<br />
* [http://samate.nist.gov/Other_Test_Collections.html SAMATE List of Test Collections]<br />
<br />
== Related Projects ==<br />
<br />
* [http://samate.nist.gov/SARD/testsuite.php NSA's Juliet for Java]<br />
* [http://sectoolmarket.com/ The Web Application Vulnerability Scanner Evaluation Project (WAVSEP)]<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
<br />
All test code and project files can be downloaded from [https://github.com/OWASP/benchmark OWASP GitHub].<br />
<br />
== Project Intro Video ==<br />
<br />
[[File:BenchmarkPodcastTitlePage.jpg|200px|link=https://www.youtube.com/watch?v=HQP8dwc3jJA&index=5&list=PLGB2s-U5FSWOmEStMt3JqlMFJvRYqeVW5]]<br />
<br />
== News and Events ==<br />
* LOOKING FOR VOLUNTEERS!! - We are looking for individuals and organizations to join and make this a much more community driven project, including additional coleaders to help take this project to the next level. Contributors could work on things like new test cases, additional tool scorecard generators, adding support for languages beyond Java, and a host of other improvements. Please contact [mailto:dave.wichers@owasp.org me] if you are interested in contributing at any level.<br />
* June 5, 2016 - Benchmark Version 1.2 Released<br />
* Sep 24, 2015 - Benchmark introduced to broader OWASP community at [https://appsecusa2015.sched.org/event/3r9k/using-the-owasp-benchmark-to-assess-automated-vulnerability-analysis-tools AppSec USA]<br />
* Aug 27, 2015 - U.S. Dept. of Homeland Security (DHS) is financially supporting the Benchmark project.<br />
* Aug 15, 2015 - Benchmark Version 1.2beta Released with full DAST Support. Checkmarx and ZAP scorecard generators also released.<br />
* July 10, 2015 - Benchmark Scorecard generator and open source scorecards released<br />
* May 23, 2015 - Benchmark Version 1.1 Released<br />
* April 15, 2015 - Benchmark Version 1.0 Released<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [http://choosealicense.com/licenses/gpl-2.0/ GNU General Public License v2.0]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= Test Cases =<br />
<br />
Version 1.0 of the Benchmark was published on April 15, 2015 and had 20,983 test cases. On May 23, 2015, version 1.1 of the Benchmark was released. The 1.1 release improves on the previous version by making sure that there are both true positives and false positives in every vulnerability area. Version 1.2 was released on June 5, 2016 (and the 1.2beta August 15, 2015).<br />
<br />
Version 1.2 and forward of the Benchmark is a fully executable web application, which means it is scannable by any kind of vulnerability detection tool. The 1.2 has been limited to slightly less than 3,000 test cases, to make it easier for DAST tools to scan it (so it doesn't take so long and they don't run out of memory, or blow up the size of their database). The 1.2 release covers the same vulnerability areas that 1.1 covers. We added a few Spring database SQL Injection tests, but that's it. The bulk of the work was turning each test case into something that actually runs correctly AND is fully exploitable, and then generating a UI on top of it that works in order to turn the test cases into a real running application.<br />
<br />
You can still download Benchmark version 1.1 by cloning the release marked with the GIT tag '1.1'.<br />
<br />
The test case areas and quantities for the Benchmark releases are:<br />
<br />
{| class="wikitable nowraplinks"<br />
|-<br />
! Vulnerability Area<br />
! # of Tests in v1.1<br />
! # of Tests in v1.2<br />
! CWE Number<br />
|-<br />
| [[Command Injection]]<br />
| 2708<br />
| 251<br />
| [https://cwe.mitre.org/data/definitions/78.html 78]<br />
|-<br />
| Weak Cryptography<br />
| 1440<br />
| 246<br />
| [https://cwe.mitre.org/data/definitions/327.html 327]<br />
|-<br />
| Weak Hashing<br />
| 1421<br />
| 236<br />
| [https://cwe.mitre.org/data/definitions/328.html 328]<br />
|-<br />
| [[LDAP injection | LDAP Injection]]<br />
| 736<br />
| 59<br />
| [https://cwe.mitre.org/data/definitions/90.html 90]<br />
|-<br />
| [[Path Traversal]]<br />
| 2630<br />
| 268<br />
| [https://cwe.mitre.org/data/definitions/22.html 22]<br />
|-<br />
| Secure Cookie Flag<br />
| 416<br />
| 67<br />
| [https://cwe.mitre.org/data/definitions/614.html 614]<br />
|-<br />
| [[SQL Injection]]<br />
| 3529<br />
| 504<br />
| [https://cwe.mitre.org/data/definitions/89.html 89]<br />
|-<br />
| [[Trust Boundary Violation]]<br />
| 725<br />
| 126<br />
| [https://cwe.mitre.org/data/definitions/501.html 501]<br />
|-<br />
| Weak Randomness<br />
| 3640<br />
| 493<br />
| [https://cwe.mitre.org/data/definitions/330.html 330]<br />
|-<br />
| [[XPATH Injection]]<br />
| 347<br />
| 35<br />
| [https://cwe.mitre.org/data/definitions/643.html 643]<br />
|-<br />
| [[XSS]] (Cross-Site Scripting)<br />
| 3449<br />
| 455<br />
| [https://cwe.mitre.org/data/definitions/79.html 79]<br />
|-<br />
| Total Test Cases<br />
| 21,041<br />
| 2,740<br />
|}<br />
<br />
Each Benchmark version comes with a spreadsheet that lists every test case, the vulnerability category, the CWE number, and the expected result (true finding/false positive). Look for the file: expectedresults-VERSION#.csv in the project root directory.<br />
<br />
Every test case is:<br />
* a servlet or JSP (currently they are all servlets, but we plan to add JSPs)<br />
* either a true vulnerability or a false positive for a single issue<br />
<br />
The Benchmark is intended to help determine how well analysis tools correctly analyze a broad array of application and framework behavior, including:<br />
<br />
* HTTP request and response problems<br />
* Simple and complex data flow<br />
* Simple and complex control flow<br />
* Popular frameworks<br />
* Inversion of control<br />
* Reflection<br />
* Class loading<br />
* Annotations<br />
* Popular UI technologies (particularly JavaScript frameworks)<br />
<br />
Not all of these are yet tested by the Benchmark but future enhancements intend to provide more coverage of these issues.<br />
<br />
Additional future enhancements could cover:<br />
* All vulnerability types in the [[Top10 | OWASP Top 10]]<br />
* Does the tool find flaws in libraries?<br />
* Does the tool find flaws spanning custom code and libraries?<br />
* Does tool handle web services? REST, XML, GWT, etc…<br />
* Does tool work with different app servers? Java platforms?<br />
<br />
== Example Test Case ==<br />
<br />
Each test case is a simple Java EE servlet. BenchmarkTest00001 in version 1.0 of the Benchmark was an LDAP Injection test with the following metadata in the accompanying BenchmarkTest00001.xml file:<br />
<br />
<test-metadata><br />
<category>ldapi</category><br />
<test-number>00001</test-number><br />
<vulnerability>true</vulnerability><br />
<cwe>90</cwe><br />
</test-metadata><br />
<br />
BenchmarkTest00001.java in the OWASP Benchmark 1.0 simply reads in all the cookie values, looks for a cookie named "foo", and uses the value of this cookie when performing an LDAP query. Here's the code for BenchmarkTest00001.java:<br />
<br />
package org.owasp.benchmark.testcode;<br />
<br />
import java.io.IOException;<br />
<br />
import javax.servlet.ServletException;<br />
import javax.servlet.annotation.WebServlet;<br />
import javax.servlet.http.HttpServlet;<br />
import javax.servlet.http.HttpServletRequest;<br />
import javax.servlet.http.HttpServletResponse;<br />
<br />
@WebServlet("/BenchmarkTest00001")<br />
public class BenchmarkTest00001 extends HttpServlet {<br />
<br />
private static final long serialVersionUID = 1L;<br />
<br />
@Override<br />
public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {<br />
doPost(request, response);<br />
}<br />
<br />
@Override<br />
public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {<br />
// some code<br />
<br />
javax.servlet.http.Cookie[] cookies = request.getCookies();<br />
<br />
String param = null;<br />
boolean foundit = false;<br />
if (cookies != null) {<br />
for (javax.servlet.http.Cookie cookie : cookies) {<br />
if (cookie.getName().equals("foo")) {<br />
param = cookie.getValue();<br />
foundit = true;<br />
}<br />
}<br />
if (!foundit) {<br />
// no cookie found in collection<br />
param = "";<br />
}<br />
} else {<br />
// no cookies<br />
param = "";<br />
}<br />
<br />
try {<br />
javax.naming.directory.DirContext dc = org.owasp.benchmark.helpers.Utils.getDirContext();<br />
Object[] filterArgs = {"a","b"};<br />
dc.search("name", param, filterArgs, new javax.naming.directory.SearchControls());<br />
} catch (javax.naming.NamingException e) {<br />
throw new ServletException(e);<br />
}<br />
}<br />
}<br />
<br />
= Test Case Details =<br />
<br />
The following describes situations in the Benchmark that have come up for debate as to the validity/accuracy of the test cases in these scenarios. <br />
<br />
== Cookies as a Source of Attack for XSS ==<br />
<br />
Benchmark v1.1 and early versions of the 1.2beta included test cases that used cookies as a source of data that flowed into XSS vulnerabilities. The Benchmark treated these tests as False Positives because the Benchmark team figured that you'd have to use an XSS vulnerability in the first place to set the cookie value, and so it wasn't fair/reasonable to consider an XSS vulnerability whose data source was a cookie value as actually exploitable. However, we got feedback from some tool vendors, like Fortify, Burp, and Arachni, that they disagreed with this analysis and felt that, in fact, cookies were a valid source of attack against XSS vulnerabilities. Given that there are good arguments on both sides of this safe vs. unsafe question, we decided on Aug 25, 2015 to simply remove those test cases from the Benchmark. If, in the future, we decide who is right, we may add such test cases back in.<br />
<br />
== Headers as a Source of Attack for XSS ==<br />
<br />
Similarly, the Benchmark team believes that the names of headers aren't a valid source of XSS attack for the same reason we thought cookie values aren't a valid source. Because it would require an XSS vulnerability to be exploited in the first place to set them. In fact, we feel that this argument is much stronger for header names, than cookie values. Right now, the Benchmark doesn't include any header names as sources for XSS test cases, but we plan to add them, and mark them as false positive in the Benchmark.<br />
<br />
We do have header values as sources for some XSS test cases in the Benchmark and only 'referer' is treated as a valid XSS source (i.e., true positives) because other headers are not viable XSS sources. Other headers are, of course, valid sources for other attack vectors, like SQL injection or Command Injection.<br />
<br />
== False Positive Scenario: Static Values Passed to Unsafe (Weak) Sinks ==<br />
<br />
The Benchmark has MANY test cases where unsafe data flows in from the browser, but that data is replaced with static content as it goes through the propagators in the that specific test case. This static (safe) data then flows to the sink, which may be a weak/unsafe sink, like, for example, an unsafely constructed SQL statement. The Benchmark treats those test cases as false positives because there is absolutely no way for that weakness to be exploited. The NSA Juliet SAST benchmark treats such test cases exactly the same way, as false positives. We do recognize that there are weaknesses in those test cases, even though they aren't exploitable.<br />
<br />
Some SAST tool vendors feel it is appropriate to point out those weaknesses, and that's fine. However, if the tool points those weaknesses out, and does not distinguish them from truly exploitable vulnerabilities, then the Benchmark treats those findings as false positives. If the tool allows a user to differentiate these non-exploitable weaknesses from exploitable vulnerabilities, then the Benchmark scorecard generator can use that information to filter out these extra findings (along with any other similarly marked findings) so they don't count against that tool when calculating that tool's Benchmark score. In the real world, its important for analysts to be able to filter out such findings if they only have time to deal with the most critical, actually exploitable, vulnerabilities. If a tool doesn't make it easy for an analyst to distinguish the two situations, then they are providing a disservice to the analyst.<br />
<br />
This issue doesn't affect DAST tools. They only report what appears to be exploitable to them. So this has no affect on them.<br />
<br />
If you are a SAST tool vendor or user, and you believe the Benchmark scorecard generator is counting such findings against that tool, and there is a way to tell them apart, please let the project team know so the scorecard generator can be adjusted to not count those findings against the tool. The Benchmark project's goal is the generate the most fair and accurate results it can generate. If such an adjustment is made to how a scorecard is generated for that tool, we plan to document this was done for that tool, and explain how others could perform the same filtering within that tool in order to get the same focused set of results.<br />
<br />
== Dead Code ==<br />
<br />
Some SAST tools point out weaknesses in dead code because they might eventually end up being used, and serve as bad coding examples (think cut/paste of code). We think this is fine/appropriate. However, there is no dead code in the OWASP Benchmark (at least not intentionally). So dead code should not be causing any tool to report unnecessary false positives.<br />
<br />
= Tool Support/Results =<br />
<br />
The results for 5 free tools, PMD, FindBugs, FindBugs with the FindSecBugs plugin, SonarQube and OWASP ZAP are available here against version 1.2 of the Benchmark: https://rawgit.com/OWASP/Benchmark/master/scorecard/OWASP_Benchmark_Home.html. We've included multiple versions of FindSecBugs' and ZAP's results so you can see the improvements they are making finding vulnerabilities in Benchmark.<br />
<br />
We have Benchmark results for all the following tools, but haven't publicly released the results for any commercial tools. However, we included a 'Commercial Average' page, which includes a summary of results for 6 commercial SAST tools along with anonymous versions of each SAST tool's scorecard.<br />
<br />
The Benchmark can generate results for the following tools: <br />
<br />
'''Free Static Application Security Testing (SAST) Tools:'''<br />
<br />
* [https://pmd.github.io/ PMD] (which really has no security rules) - .xml results file<br />
* [http://findbugs.sourceforge.net/ Findbugs] - .xml results file (Note: The 'new' Findbugs is now at: https://spotbugs.github.io/)<br />
* FindBugs with the [http://find-sec-bugs.github.io/ FindSecurityBugs plugin] - .xml results file<br />
* [https://www.sonarqube.org/downloads/ SonarQube] - .xml results file<br />
<br />
Note: We looked into supporting [http://checkstyle.sourceforge.net/ Checkstyle] but it has no security rules, just like PMD. The [http://fb-contrib.sourceforge.net/ fb-contrib] FindBugs plugin doesn't have any security rules either. We did test [http://errorprone.info/ Error Prone], and found that it does report some use of [http://errorprone.info/bugpattern/InsecureCipherMode) insecure ciphers (CWE-327)], but that's it.<br />
<br />
'''Commercial SAST Tools:'''<br />
<br />
* [http://www.castsoftware.com/products/application-intelligence-platform CAST Application Intelligence Platform (AIP)] - .xml results file<br />
* [https://www.checkmarx.com/products/static-application-security-testing/ Checkmarx CxSAST] - .xml results file<br />
* [https://www.synopsys.com/content/dam/synopsys/sig-assets/datasheets/SAST-Coverity-datasheet.pdf Synopsys Static Analysis (Formerly Coverity Code Advisor) (On-Demand and stand-alone versions)] - .json results file (You can scan Benchmark w/Coverity for free. See: https://scan.coverity.com/)<br />
* [https://software.microfocus.com/en-us/products/static-code-analysis-sast/overview Micro Focus (Formally HPE) Fortify (On-Demand and stand-alone versions)] - .fpr results file<br />
* [https://www.ibm.com/us-en/marketplace/ibm-appscan-source IBM AppScan Source (Standalone and Cloud)] - .ozasmt or .xml results file<br />
* [https://juliasoft.com/solutions/julia-for-security/ Julia Analyzer] - .xml results file<br />
* [https://www.parasoft.com/products/jtest/ Parasoft Jtest] - .xml results file<br />
* [https://www.shiftleft.io/product/ ShiftLeft SAST] - .sl results file (Benchmark specific format. Ask vendor how to generate this)<br />
* [https://www.sourcemeter.com/features/ SourceMeter] - .txt results file of ALL results from VulnerabilityHunter<br />
* [https://www.defensecode.com/thunderscan.php Thunderscan SAST] - .xml results file<br />
* [http://www.veracode.com/products/binary-static-analysis-sast Veracode SAST] - .xml results file<br />
* [https://www.rigs-it.com/xanitizer/ XANITIZER] - xml results file ([https://www.rigs-it.com/wp-content/uploads/2018/03/howtosetupxanitizerforowaspbenchmarkproject.pdf Their white paper on how to setup Xanitizer to scan Benchmark.]) (Free trial available)<br />
<br />
We are looking for results for other commercial static analysis tools like: [http://www.grammatech.com/codesonar Grammatech CodeSonar], [http://www.klocwork.com/products-services/klocwork Klocwork], etc. If you have a license for any static analysis tool not already listed above and can run it on the Benchmark and send us the results file that would be very helpful. <br />
<br />
The free SAST tools come bundled with the Benchmark so you can run them yourselves. If you have a license for any commercial SAST tool, you can also run them against the Benchmark. Just put your results files in the /results folder of the project, and then run the BenchmarkScore script for your platform (.sh / .bat) and it will generate a scorecard in the /scorecard directory for all the tools you have results for that are currently supported.<br />
<br />
'''Free Dynamic Application Security Testing (DAST) Tools:'''<br />
<br />
Note: While we support scorecard generators for these Free and Commercial DAST tools, we haven't been able to get a full/clean run against the Benchmark from most of these tools. As such, some of these scorecard generators might still need some work to properly reflect their results. If you notice any problems, let us know.<br />
<br />
* [http://www.arachni-scanner.com/ Arachni] - .xml results file<br />
** To generate .xml, run: ./bin/arachni_reporter "Your_AFR_Results_Filename.afr" --reporter=xml:outfile=Benchmark1.2-Arachni.xml<br />
* [https://www.owasp.org/index.php/ZAP OWASP ZAP] - .xml results file. To generate a complete ZAP XML results file so you can generate a valid scorecard, make sure you:<br />
** Tools > Options > Alerts - And set the Max alert instances to like 500.<br />
** Then: Report > Generate XML Report...<br />
<br />
'''Commercial DAST Tools:'''<br />
<br />
* [https://www.acunetix.com/vulnerability-scanner/ Acunetix Web Vulnerability Scanner (WVS)] - .xml results file (Generated using [https://www.acunetix.com/resources/wvs7manual.pdf command line interface (see Chapter 10.)] /ExportXML switch)<br />
* [https://portswigger.net/burp/ Burp Pro] - .xml results file<br />
**You must use Burp Pro v1.6.30+ to scan the Benchmark due to a limitation fixed in v1.6.30.<br />
* [https://software.microfocus.com/en-us/products/webinspect-dynamic-analysis-dast/overview Micro Focus (Formally HPE) WebInspect] - .xml results file<br />
* [http://www-03.ibm.com/software/products/en/appscan This was IBM AppScan (but I believe IBM sold this product off. To whom?] - .xml results file<br />
* [https://www.netsparker.com/web-vulnerability-scanner/ Netsparker] - .xml results file<br />
* [https://www.rapid7.com/products/appspider/ Rapid7 AppSpider] - .xml results file<br />
<br />
* Qualys - We ran Qualys against v1.2 of the Benchmark and it found none of the vulnerabilities we test for as far as we could tell. So we haven't implemented a scorecard generator for it. If you get results where you think it does find some real issues, send us the results file and, if confirmed, we'll produce a scorecard generator for it.<br />
<br />
If you have access to other DAST Tools, PLEASE RUN THEM FOR US against the Benchmark, and send us the results file so we can build a scorecard generator for that tool.<br />
<br />
'''Commercial Interactive Application Security Testing (IAST) Tools:'''<br />
<br />
* [https://www.contrastsecurity.com/interactive-application-security-testing-iast Contrast Assess] - .zip results file (You can scan Benchmark w/Contrast for free. See: https://www.contrastsecurity.com/contrast-community-edition)<br />
* [https://hdivsecurity.com/interactive-application-security-testing-iast Hdiv Detection (IAST)] - .hlg results file<br />
<br />
'''Commercial Hybrid Analysis Application Security Testing Tools:'''<br />
<br />
* [http://www.iappsecure.com/products.html Fusion Lite Insight] - .xml results file<br />
<br />
<br />
'''WARNING: If you generate results for a commercial tool, be careful who you distribute it to. Each tool has its own license defining when any results it produces can be released/made public. It may be against the terms of a commercial tool's license to publicly release that tool's score against the OWASP Benchmark. The OWASP Benchmark project takes no responsibility if someone else releases such results.'''<br />
<br />
The project has automated test harnesses for these vulnerability detection tools, so we can repeatably run the tools against each version of the Benchmark and automatically produce scorecards in our desired format.<br />
<br />
We want to test as many tools as possible against the Benchmark. If you are:<br />
<br />
* A tool vendor and want to participate in the project<br />
* Someone who wants to help score a free tool against the project<br />
* Someone who has a license to a commercial tool and the terms of the license allow you to publish tool results, and you want to participate<br />
<br />
please let [mailto:dave.wichers@owasp.org me] know!<br />
<br />
= Quick Start =<br />
<br />
==What is in the Benchmark?==<br />
The Benchmark is a Java Maven project. Its primary component is thousands of test cases (e.g., BenchmarkTest00001.java) , each of which is a single Java servlet that contains a single vulnerability (either a true positive or false positive). The vulnerabilities span about a dozen different types currently and are expected to expand significantly in the future.<br />
<br />
An expectedresults.csv is published with each version of the Benchmark (e.g., expectedresults-1.1.csv) and it specifically lists the expected results for each test case. Here’s what the first two rows in this file looks like for version 1.1 of the Benchmark:<br />
<br />
# test name category real vulnerability CWE Benchmark version: 1.1 2015-05-22<br />
BenchmarkTest00001 crypto TRUE 327<br />
<br />
This simply means that the first test case is a crypto test case (use of weak cryptographic algorithms), this is a real vulnerability (as opposed to a false positive), and this issue maps to CWE 327. It also indicates this expected results file is for Benchmark version 1.1 (produced May 22, 2015). There is a row in this file for each of the tens of thousands of test cases in the Benchmark. Each time a new version of the Benchmark is published, a new corresponding results file is generated and each test case can be completely different from one version to the next.<br />
<br />
The Benchmark also comes with a bunch of different utilities, commands, and prepackaged open source security analysis tools, all of which can be executed through Maven goals, including:<br />
<br />
* Open source vulnerability detection tools to be run against the Benchmark<br />
* A scorecard generator, which computes a scorecard for each of the tools you have results files for.<br />
<br />
==What Can You Do With the Benchmark?==<br />
* Compile all the software in the Benchmark project (e.g., mvn compile)<br />
* Run a static vulnerability analysis tool (SAST) against the Benchmark test case code<br />
<br />
* Scan a running version of the Benchmark with a dynamic application security testing tool (DAST)<br />
** Instructions on how to run it are provided below<br />
<br />
* Generate scorecards for each of the tools you have results files for<br />
** See the Tool Support/Results page for the list of tools the Benchmark supports generating scorecards for<br />
<br />
==Getting Started==<br />
Before downloading or using the Benchmark make sure you have the following installed and configured properly:<br />
<br />
GIT: http://git-scm.com/ or https://github.com/<br />
Maven: https://maven.apache.org/ (Version: 3.2.3 or newer works. We heard that 3.0.5 throws an error.)<br />
Java: http://www.oracle.com/technetwork/java/javase/downloads/index.html (Java 7 or 8) (64-bit) - Takes ALOT of memory to compile the Benchmark.<br />
<br />
==Getting, Building, and Running the Benchmark==<br />
<br />
To download and build everything:<br />
<br />
$ git clone https://github.com/OWASP/benchmark <br />
$ cd benchmark<br />
$ mvn compile (This compiles it)<br />
$ runBenchmark.sh/.bat - This compiles and runs it.<br />
<br />
Then navigate to: https://localhost:8443/benchmark/ to go to its home page. It uses a self signed SSL certificate, so you'll get a security warning when you hit the home page.<br />
<br />
Note: We have set the Benchmark app to use up to 6 Gig of RAM, which it may need when it is fully scanned by a DAST scanner. The DAST tool probably also requires 3+ Gig of RAM. As such, we recommend having a 16 Gig machine if you are going to try to run a full DAST scan. And at least 4 or ideally 8 Gig if you are going to play around with the running Benchmark app.<br />
<br />
== Using a VM instead ==<br />
We have several preconstructed VMs or instructions on how to build one that you can use instead:<br />
<br />
* Docker: A Dockerfile is checked into the project [https://github.com/OWASP/Benchmark/blob/master/VMs/Dockerfile here]. This Docker file should automatically produce a Docker VM with the latest Benchmark project files. After you have Docker installed, cd to /VMs then run: <br />
./buildDockerImage.sh --> This builds the Docker Benchmark VM (This will take a WHILE)<br />
docker images --> You should see the new benchmark:latest image in the list provided<br />
# The Benchmark Docker Image only has to be created once. <br />
<br />
To run the Benchmark in your Docker VM, just run:<br />
./runDockerImage.sh --> This pulls in any updates to Benchmark since the Image was built, builds everything, and starts a remotely accessible Benchmark web app.<br />
If successful, you should see this at the end:<br />
[INFO] [talledLocalContainer] Tomcat 8.x started on port [8443]<br />
[INFO] Press Ctrl-C to stop the container...<br />
Then simply navigate to: https://localhost:8443/benchmark from the machine you are running Docker<br />
<br />
Or if you want to access from a different machine:<br />
docker-machine ls (in a different terminal) --> To get IP Docker VM is exporting (e.g., tcp://192.168.99.100:2376)<br />
Navigate to: https://192.168.99.100:8443/benchmark in your browser (using the above IP as an example)<br />
<br />
* Amazon Web Services (AWS) - Here's how you set up the Benchmark on an AWS VM:<br />
sudo yum install git<br />
sudo yum install maven<br />
sudo yum install mvn<br />
sudo wget http://repos.fedorapeople.org/repos/dchen/apache-maven/epel-apache-maven.repo -O /etc/yum.repos.d/epel-apache-maven.repo<br />
sudo sed -i s/\$releasever/6/g /etc/yum.repos.d/epel-apache-maven.repo<br />
sudo yum install -y apache-maven<br />
git clone https://github.com/OWASP/benchmark<br />
cd benchmark<br />
chmod 755 *.sh<br />
./runBenchmark.sh -- to run it locally on the VM.<br />
./runRemoteAccessibleBenchmark.sh -- to run it so it can be accessed outside the VM (on port 8443).<br />
<br />
==Running Free Static Analysis Tools Against the Benchmark==<br />
There are scripts for running each of the free SAST vulnerability detection tools included with the Benchmark against the Benchmark test cases. On Linux, you might have to make them executable (e.g., chmod 755 *.sh) before you can run them.<br />
<br />
Generating Test Results for PMD:<br />
<br />
$ ./scripts/runPMD.sh (Linux) or .\scripts\runPMD.bat (Windows)<br />
<br />
Generating Test Results for FindBugs:<br />
<br />
$ ./scripts/runFindBugs.sh (Linux) or .\scripts\runFindBugs.bat (Windows)<br />
<br />
Generating Test Results for FindBugs with the FindSecBugs plugin:<br />
<br />
$ ./scripts/runFindSecBugs.sh (Linux) or .\scripts\runFindSecBugs.bat (Windows)<br />
<br />
In each case, the script will generate a results file and put it in the /results directory. For example: <br />
<br />
Benchmark_1.2-findbugs-v3.0.1-1026.xml<br />
<br />
This results file name is carefully constructed to mean the following: It's a results file against the OWASP Benchmark version 1.2, FindBugs was the analysis tool, it was version 3.0.1 of FindBugs, and it took 1026 seconds to run the analysis.<br />
<br />
NOTE: If you create a results file yourself, by running a commercial tool for example, you can add the version # and the compute time to the filename just like this and the Benchmark Scorecard generator will pick this information up and include it in the generated scorecard. If you don't, depending on what metadata is included in the tool results, the Scorecard generator might do this automatically anyway.<br />
<br />
==Generating Scorecards==<br />
The scorecard generation application BenchmarkScore is included with the Benchmark. It parses the output files generated by any of the supported security tools run against the Benchmark and compares them against the expected results, and produces a set of web pages that detail the accuracy and speed of the tools involved. For the list of currently supported tools, check out the: Tools Support/Results tab. If you are using a tool that is not yet supported, simply send us a results file from that tool and we'll write a parser for that tool and add it to the supported tools list.<br />
<br />
The following command will compute a Benchmark scorecard for all the results files in the '''/results''' directory. The generated scorecard is put into the '''/scorecard''' directory.<br />
<br />
createScorecard.sh (Linux) or createScorecard.bat (Windows)<br />
<br />
An example of a real scorecard for some open source tools is provided at the top of the Tool Support/Results tab so you can see what one looks like.<br />
<br />
We recommend including the Benchmark version number in any results file name, in order to help prevent mismatches between the expected results and the actual results files. A tool will not score well against the wrong expected results.<br />
<br />
===Customizing Your Scorecard Generation===<br />
<br />
The createScorecard scripts are very simple. They only have one line. Here's what the 1.2 version looks like:<br />
<br />
mvn validate -Pbenchmarkscore -Dexec.args="expectedresults-1.2.csv results"<br />
<br />
This Maven command simply says to run the BenchmarkScore application, passing in two parameters. The 1st is the Benchmark expected results file to compare the tool results against. And the 2nd is the name of the directory that contains all the results from tools run against that version of the Benchmark. If you have tool results older than the current version of the Benchmark, like 1.1 results for example, then you would do something like this instead:<br />
<br />
mvn validate -Pbenchmarkscore -Dexec.args="expectedresults-1.1.csv 1.1_results"<br />
<br />
To keep things organized, we actually put the expected results file inside the same results folder for that version of the Benchmark, so our command looks like this:<br />
<br />
mvn validate -Pbenchmarkscore -Dexec.args="1.1_results/expectedresults-1.1.csv 1.1_results"<br />
<br />
In all cases, the generated scorecard is put in the /scorecard folder.<br />
<br />
'''WARNING: If you generate results for a commercial tool, be careful who you distribute it to. Each tool has its own license defining when any results it produces can be released/made public. It is likely to be against the terms of a commercial tool's license to publicly release that tool's score against the OWASP Benchmark. The OWASP Benchmark project takes no responsibility if someone else releases such results.''' It is for just this reason that the Benchmark project isn't releasing such results itself.<br />
<br />
= Tool Scanning Tips =<br />
<br />
People frequently have difficulty scanning the Benchmark with various tools due to many reasons, including size of the Benchmark app and its codebase, and complexity of the tools used. Here is some guidance for some of the tools we have used to scan the Benchmark. If you've learned any tricks on how to get better or easier results for a particular tool against the Benchmark, let us know or update this page directly.<br />
<br />
== Generic Tips ==<br />
<br />
Because of the size of the Benchmark, you may need to give your tool more memory before it starts the scan. If its a Java based tool, you may want to pass more memory to it like this:<br />
<br />
-Xmx4G (This gives the Java application 4 Gig of memory)<br />
<br />
== SAST Tools ==<br />
<br />
=== Checkmarx ===<br />
<br />
The Checkmarx SAST Tool (CxSAST) is ready to scan the OWASP Benchmark out-of-the-box. <br />
Please notice that the OWASP Benchmark “hides” some vulnerabilities in dead code areas, for example:<br />
<syntaxhighlight lang="java"><br />
if (0>1)<br />
{<br />
//vulnerable code<br />
}</syntaxhighlight><br />
By default, CxSAST will find these vulnerabilities since Checkmarx believes that including dead code in the scan results is a SAST best practice. <br />
<br />
Checkmarx's experience shows that security experts expect to find these types of code vulnerabilities, and demand that their developers fix them. However, OWASP Benchmark considers the flagging of these vulnerabilities as False Positives, as a result lowering Checkmarx's overall score. <br />
<br />
Therefore, in order to receive an OWASP score untainted by dead code, re-configure CxSAST as follows:<br />
# Open the CxAudit client for editing Java queries.<br />
# Override the "Find_Dead_Code" query.<br />
# Add the commented text of the original query to the new override query.<br />
# Save the queries.<br />
<br />
=== FindBugs ===<br />
<br />
We include this free tool in the Benchmark and its all dialed in. Simply run the script: ./script/runFindBugs.(sh or bat). If you want to run a different version of FindBugs, just change its version number in the Benchmark pom.xml file.<br />
<br />
=== FindBugs with FindSecBugs ===<br />
<br />
[http://h3xstream.github.io/find-sec-bugs/ FindSecurityBugs] is a great plugin for FindBugs that significantly increases the ability for FindBugs to find security issues. We include this free tool in the Benchmark and its all dialed in. Simply run the script: ./script/runFindSecBugs.(sh or bat). If you want to run a different version of FindSecBugs, just change the version number of the findsecbugs-plugin artifact in the Benchmark pom.xml file.<br />
<br />
=== Micro Focus (Formally HP) Fortify ===<br />
<br />
If you are using the Audit Workbench, you can give it more memory and make sure you invoke it in 64-bit mode by doing this:<br />
<br />
set AWB_VM_OPTS="-Xmx2G -XX:MaxPermSize=256m"<br />
export AWB_VM_OPTS="-Xmx2G -XX:MaxPermSize=256m"<br />
auditworkbench -64<br />
<br />
We found it was easier to use the Maven support in Fortify to scan the Benchmark and to do it in 2 phases, translate, and then scan. We did something like this:<br />
<br />
Translate Phase:<br />
export JAVA_HOME=$(/usr/libexec/java_home)<br />
export PATH=$PATH:/Applications/HP_Fortify/HP_Fortify_SCA_and_Apps_17.10/bin<br />
export SCA_VM_OPTS="-Xmx2G -version 1.7"<br />
mvn sca:clean<br />
mvn sca:translate<br />
<br />
Scan Phase:<br />
export JAVA_HOME=$(/usr/libexec/java_home)<br />
export PATH=$PATH:/Applications/HP_Fortify/HP_Fortify_SCA_and_Apps_4.10/bin<br />
export SCA_VM_OPTS="-Xmx10G -version 1.7"<br />
mvn sca:scan<br />
<br />
=== PMD ===<br />
<br />
We include this free tool in the Benchmark and its all dialed in. Simply run the script: ./script/runPMD.(sh or bat). If you want to run a different version of PMD, just change its version number in the Benchmark pom.xml file. (NOTE: PMD doesn't find any security issues. We include it because its interesting to know that it doesn't.)<br />
<br />
=== SonarQube ===<br />
<br />
We include this free tool in the Benchmark and its mostly dialed in. But its a bit tricky because SonarQube requires two parts. There is a stand alone scanner for Java. And then there is a web application that accepts the results, and in turn can then produce the results file required by the Benchmark scorecard generator for SonarQube. Running the script runSonarQube.(sh or bat) will generate the results, but if the SonarQube Web Application isn't running where the runSonarQube script expects it to be, then the script will fail.<br />
<br />
If you want to run a different version of SonarQube, just change its version number in the Benchmark pom.xml file.<br />
<br />
=== Xanitizer ===<br />
<br />
The vendor has written their own guide to [http://www.rigs-it.net/opendownloads/whitepapers/HowToSetUpXanitizerForOWASPBenchmarkProject.pdf How to Set Up Xanitizer for OWASP Benchmark].<br />
<br />
== DAST Tools ==<br />
<br />
=== Burp Pro ===<br />
<br />
You must use Burp Pro v1.6.29 or greater to scan the Benchmark due to a previous limitation in Burp Pro related to ensuring the path attribute for cookies was honored. This issue was fixed in the v1.6.29 release.<br />
<br />
To scan, first spider the entire Benchmark, and then select the /Benchmark URL and actively scan that branch. You can skip all the .html pages and any other pages that Burp says have no parameters.<br />
<br />
NOTE: We have been unable to simply run Burp Pro against the entire Benchmark in one shot. In our experience, it eventually freezes/stops scanning. We've had to run it against each test area one at a time. If you figure out how to get Burp Pro to scan all of Benchmark in one shot, let us know how you did it!<br />
<br />
=== OWASP ZAP ===<br />
<br />
ZAP may require additional memory to be able to scan the Benchmark. To configure the amount of memory:<br />
* Tools --> Options --> JVM: Recommend setting to: -Xmx2048m (or larger). (Then restart ZAP).<br />
<br />
To run ZAP against Benchmark:<br />
# Because Benchmark uses Cookies and Headers as sources of attack for many test cases: Tools --> Options --> Active Scan Input Vectors: Then check the HTTP Headers, All Requests, and Cookie Data checkboxes and hit OK<br />
# Click on Show All Tabs button (if spider tab isn't visible)<br />
# Go to Spider tab (the black spider) and click on New Scan button<br />
# Enter: https://localhost:8443/benchmark/ into the 'Starting Point' box and hit 'Start Scan'<br />
#* Do this again. For some reason it takes 2 passes with the Spider before it stops finding more Benchmark endpoints.<br />
# When Spider completes, click on 'benchmark' folder in Site Map, right click and select: 'Attack --> Active Scan'<br />
#* It will take several hours, like 3+ to complete (it's actually likely to simply freeze before completing the scan - see NOTE: below)<br />
<br />
For faster active scan you can<br />
* Disable the ZAP DB log (in ZAP 2.5.0+):<br />
** Disable it via Options / Database / Recover Log<br />
** Set it on the command line using "-config database.recoverylog=false"<br />
* Disable unnecessary plugins / Technologies: When you launch the Active Scan<br />
** On the Policy tab, disable all plugins except: XSS (Reflected), Path Traversal, SQLi, OS Command Injection<br />
** Go the Technology Tab, disable everything and only enable: MySQL, YOUR_OS, Tomcat<br />
** Note: This 2nd performance improvement step is a bit like cheating as you wouldn't do this for a normal site scan. You'd want to leave all this on in case these other plugins/technologies are helpful in finding more issues. So a fair performance comparison of ZAP to other tools would leave all this on.<br />
<br />
To generate the ZAP XML results file so you can generate its scorecard:<br />
* Tools > Options > Alerts - And set the Max alert instances to like 500.<br />
* Then: Report > Generate XML Report...<br />
<br />
NOTE: Similar to Burp, we can't simply run ZAP against the entire Benchmark in one shot. In our experience, it eventually freezes/stops scanning. We've had to run it against each test area one at a time. If you figure out how to get ZAP to scan all of Benchmark in one shot, let us know how you did it!<br />
<br />
Things we tried that didn't improve the score:<br />
* AJAX Spider - the traditional spider appears to find all (or 99%) of the test cases so the AJAX Spider does not appear to be needed against Benchmark v1.2<br />
* XSS (Persistent) - There are 3 of these plugins that run by default. There aren't any stored XSS in Benchmark, so you can disable these plugins for a faster scan.<br />
* DOM XSS Plugin - This is an optional plugin that didn't seem to find any additional XSS issues. There aren't an DOM specific XSS issues in Benchmark v1.2, so not surprising.<br />
<br />
== IAST Tools ==<br />
<br />
Interactive Application Security Testing (IAST) tools work differently than scanners. IAST tools monitor an application as it runs to identify application vulnerabilities using context from inside the running application. Typically these tools run continuously, immediately notifying users of vulnerabilities, but you can also get a full report of an entire application. To do this, we simply run the Benchmark application with an IAST agent and use a crawler to hit all the pages.<br />
<br />
=== Contrast Assess ===<br />
<br />
To use Contrast Assess, we simply add the Java agent to the Benchmark environment and run the BenchmarkCrawler. The entire process should only take a few minutes. We provided a few scripts, which simply add the -javaagent:contrast.jar flag to the Benchmark launch configuration. We have tested on MacOS, Ubuntu, and Windows. Be sure your VM has at least 4M of memory.<br />
<br />
* Ensure your environment has Java, Maven, and git installed, then build the Benchmark project<br />
'''$ git clone https://github.com/OWASP/Benchmark.git'''<br />
'''$ cd Benchmark'''<br />
'''$ mvn compile'''<br />
<br />
* Download a licensed copy of the Contrast Assess Java Agent (contrast.jar) from your Contrast TeamServer account and put it in the /Benchmark/tools/Contrast directory.<br />
'''$ cp ~/Downloads/contrast.jar tools/Contrast'''<br />
<br />
* In Terminal 1, launch the Benchmark application and wait until it starts<br />
'''$ cd tools/Contrast <br />
'''$ ./runBenchmark_wContrast.sh''' (.bat on Windows)<br />
'''[INFO] Scanning for projects...<br />
'''[INFO] <br />
'''[INFO] ------------------------------------------------------------------------<br />
'''[INFO] Building OWASP Benchmark Project 1.2<br />
'''[INFO] ------------------------------------------------------------------------<br />
'''[INFO] <br />
'''...<br />
'''[INFO] [talledLocalContainer] Tomcat 8.x started on port [8443]'''<br />
'''[INFO] Press Ctrl-C to stop the container...'''<br />
<br />
* In Terminal 2, launch the crawler and wait a minute or two for the crawl to complete.<br />
'''$ ./runCrawler.sh''' (.bat on Windows)<br />
<br />
* A Contrast report has been generated in /Benchmark/tools/Contrast/working/contrast.log. This report will be automatically copied (and renamed with version number) to /Benchmark/results directory.<br />
'''$ more tools/Contrast/working/contrast.log'''<br />
'''2016-04-22 12:29:29,716 [main b] INFO - Contrast Runtime Engine<br />
'''2016-04-22 12:29:29,717 [main b] INFO - Copyright (C) 2012<br />
'''2016-04-22 12:29:29,717 [main b] INFO - Pat. 8,458,789 B2<br />
'''2016-04-22 12:29:29,717 [main b] INFO - Contrast Security, Inc.<br />
'''2016-04-22 12:29:29,717 [main b] INFO - All Rights Reserved<br />
'''2016-04-22 12:29:29,717 [main b] INFO - https://www.contrastsecurity.com/<br />
'''...'''<br />
<br />
* Press Ctrl-C to stop the Benchmark in Terminal 1. Note: on Windows, select "N" when asked Terminate batch job (Y/N))<br />
'''[INFO] [talledLocalContainer] Tomcat 8.x is stopped'''<br />
'''Copying Contrast report to results directory'''<br />
<br />
* In Terminal 2, generate scorecards in /Benchmark/scorecard<br />
'''$ ./createScorecards.sh''' (.bat on Windows)<br />
'''Analyzing results from Benchmark_1.2-Contrast.log<br />
'''Actual results file generated: /Users/owasp/Projects/Benchmark/scorecard/Benchmark_v1.2_Scorecard_for_Contrast.csv<br />
'''Report written to: /Users/owasp/Projects/Benchmark/scorecard/Benchmark_v1.2_Scorecard_for_Contrast.html<br />
<br />
* Open the Benchmark Scorecard in your browser<br />
'''/Users/owasp/Projects/Benchmark/scorecard/Benchmark_v1.2_Scorecard_for_Contrast.html'''<br />
<br />
=== Hdiv Detection ===<br />
<br />
Hdiv has written their own instructions on how to run the detection component of their product on the Benchmark here: https://hdivsecurity.com/docs/features/benchmark/#how-to-run-hdiv-in-owasp-benchmark-project. You'll see that these instructions involve using the same crawler used to exercise all the test cases in the Benchmark, just like Contrast above.<br />
<br />
= RoadMap =<br />
<br />
Benchmark v1.0 - Released April 15, 2015 - This initial release included over 20,000 test cases in 11 different vulnerability categories. As this initial version was not a runnable application, it was only suitable for assessing static analysis tools (SAST).<br />
<br />
Benchmark v1.1 - Released May 23, 2015 - This update fixed some inaccurate test cases, and made sure that every vulnerability area included both True Positives and False Positives.<br />
<br />
Benchmark Scorecard Generator - Released July 10, 2015 - The ability to automatically and repeatably produce a scorecard of how well tools do against the Benchmark was released for most of the SAST tools supported by the Benchmark. Scorecards present graphical as well as statistical data on how well a tool does against the Benchmark down to the level of detail of how exactly it did against each individual test in the Benchmark. [https://rawgit.com/OWASP/Benchmark/master/scorecard/OWASP_Benchmark_Home.html Here are the latest public scorecards]. Support for producing scorecards for additional tools is being added all the time and the current full set is documented on the '''Tool Support/Results''' and '''Quick Start''' tabs of this wiki.<br />
<br />
Benchmark v1.2beta - Released Aug 15, 2015 - The 1st release of a fully runnable version of the Benchmark to support assessing all types of vulnerability detection and prevention technologies, including DAST, IAST, RASP, WAFs, etc. This involved creating a user interface for every test case, and enhancing each test case to make sure its actually exploitable, not just uses something that is theoretically weak. This release is under 3,000 test cases to make it practical to scan the entire Benchmark with a DAST tool in a reasonable amount of time, with commodity hardware specs.<br />
<br />
Benchmark 1.2 - Released June 5, 2016 - Based on feedback from a number of DAST tool developers, and other vendors as well, we made the Benchmark more realistic in a number of ways to facilitate external DAST scanning, and also made the Benchmark more resilient against attack so it could properly survive various DAST vulnerability detection and exploit verification techniques.<br />
<br />
Plans for Benchmark 1.3:<br />
<br />
While we don't have hard and fast rules of exactly what we are going to do next, enhancements in the following areas are planned for the next release:<br />
<br />
* Add new vulnerability categories (e.g., XXE, Hibernate Injection)<br />
* Add support for popular server side Java frameworks (e.g., Spring)<br />
* Add web services test cases<br />
<br />
We are also starting to work on the ability to score WAFs/RASPs and other defensive technology against Benchmark.<br />
<br />
= FAQ =<br />
<br />
==1. How are the scores computed for the Benchmark?==<br />
<br />
Each test case has a single vulnerability of a specific type. Its either a real vulnerability (True Positive) or not (a False Positive). We document all the test cases for each version of the Benchmark in the expectedresults-VERSION#.csv file (e.g., expectedresults-1.1.csv). This file lists the test case name, the CWE type of the vulnerability, and whether it is a True Positive or not. The Benchmark supports scorecard generators for computing exactly how a tool did when analyzing a version of the Benchmark. The full list of supported tools is on the Tools Support/Results tab. For each tool there is a parser that can parse the native results format for that tool (usually XML). This parser simply, for each test case, looks to see if that tool reported a vulnerability of the type expected in the test case source code file (for SAST) or the test case URL (for DAST/IAST). If it did, and the test case was a True Positive, the tool gets credit for finding it. If it is a False Positive test, and the tool reports that type of finding, then its recorded as a False Positive. If the tool didn't report that type of vulnerability for a test case, then they get either a False Negative, or a True Negative as appropriate. After calculating all of the individual test case results, a scorecard is generated providing a chart and statistics for that tool across all the vulnerability categories, and pages are also created comparing different tools to each other in each vulnerability category (if multiple tools are being scored together).<br />
<br />
A detailed file explaining exactly how that tool did against each individual test case in that version of the Benchmark is produced as part of scorecard generation, and is available via the Actual Results link on each tool's scorecard page. (e.g., Benchmark_v1.1_Scorecard_for_FindBugs.csv).<br />
<br />
==2. What if the tool I'm using doesn't have a scorecard generator for it?==<br />
<br />
Send us the results file! We'll be happy to create a parser for that tool so its now supported.<br />
<br />
==3. What if a tool finds other unexpected vulnerabilities?==<br />
<br />
We are sure there are vulnerabilities we didn't intend to be there and we are eliminating them as we find them. If you find some, let us know and we'll fix them too. We are primarily focused on unintentional vulnerabilities in the categories of vulnerabilities the Benchmark currently supports, since that is what is actually measured.<br />
<br />
Right now, two types of vulnerabilities that get reported are ignored by the scorecard generator:<br />
# Vulnerabilities in categories not yet supported<br />
# Vulnerabilities of a type that is supported, but reported in test cases not of that type<br />
<br />
In the case of #2, false positives reported in unexpected areas are also ignored, which is primarily a DAST problem. Right now those false positives are completely ignored, but we are thinking about including them in the false positive score in some fashion. We just haven't decided how yet.<br />
<br />
==4. How should I configure my tool to scan the Benchmark?==<br />
<br />
All tools support various levels of configuration in order to improve their results. The Benchmark project, in general, is trying to '''compare out of the box capabilities of tools'''. However, if a few simple tweaks to a tool can be done to improve that tool's score, that's fine. We'd like to understand what those simple tweaks are, and document them here, so others can repeat those tests in exactly the same way. For example, just turn on the 'test cookies and headers' flag, which is off by default. Or turn on the 'advanced' scan, so it will work harder, find more vulnerabilities. Its simple things like this we are talking about, not an extensive effort to teach the tool about the app, or perform 'expert' configuration of the tool.<br />
<br />
So, if you know of some simple tweaks to improve a tool's results, let us know what they are and we'll document them here so everyone can benefit and make it easier to do apples to apples comparisons. And we'll link to that guidance once we start documenting it, but we don't have any such guidance right now.<br />
<br />
==5. I'm having difficulty scanning the Benchmark with a DAST tool. How can I get it to work?==<br />
<br />
We've run into 2 primary issues giving DAST tools problems.<br />
<br />
a) The Benchmark Generates Lots of Cookies<br />
<br />
The Burp team pointed out a cookies bug in the 1.2beta Benchmark. Each Weak Randomness test case generates its own cookie, 1 per test case. This caused the creation of so many cookies that servers would eventually start returning 400 errors because there were simply too many cookies being submitted in a request. This was fixed in the Aug 27, 2015 update to the Benchmark by setting the path attribute for each of these cookies to be the path to that individual test case. Now, only at most one of these cookies should be submitted with each request, eliminating this 'too many cookies' problem. However, if a DAST tool doesn't honor this path attribute, it may continue to send too many cookies, making the Benchmark unscannable for that tool. Burp Pro prior to 1.6.29 had this issue, but it was fixed in the 1.6.29 release.<br />
<br />
b) The Benchmark is a BIG Application<br />
<br />
Yes. It is, so you might have to give your scanner more memory than it normally uses by default in order to successfully scan the entire Benchmark. Please consult your tool vendor's documentation on how to give it more memory.<br />
<br />
Your machine itself might not have enough memory in the first place. For example, we were not able to successfully scan the 1.2beta with OWASP ZAP with only 8 Gig of RAM. So, you might need a more powerful machine or use a cloud provided machine to successfully scan the Benchmark with certain DAST tools. You may have similar problems with SAST tools against large versions of the Benchmark, like the 1.1 release.<br />
<br />
= Acknowledgements =<br />
<br />
The following people, organizations, and many others, have contributed to this project and their contributions are much appreciated!<br />
<br />
* Lots of Vendors - Many vendors have provided us with either trial licenses we can use, or they have run their tools themselves and either sent us results files, or written and contributed scorecard generators for their tool. Many have also provided valuable feedback so we can make the Benchmark more accurate and more realistic.<br />
* Juan Gama - Development of initial release and continued support<br />
* Ken Prole - Assistance with automated scorecard development using CodeDx<br />
* Nick Sanidas - Development of initial release<br />
* Denim Group - Contribution of scan results to facilitate scorecard development<br />
* Tasos Laskos - Significant feedback on the DAST version of the Benchmark<br />
* Ann Campbell - From SonarSource - for fixing our SonarQube results parser<br />
* Dhiraj Mishra - OWASP Member - contributed SQLi/XSS fuzz vectors as initial contribution towards adding support for WAF/RASP scoring<br />
<br />
[[File:CWE_Logo.jpeg|link=https://cwe.mitre.org/]] - The CWE project for providing a mapping mechanism to easily map test cases to issues found by vulnerability detection tools.<br />
<br />
We are looking for volunteers. Please contact [mailto:dave.wichers@owasp.org Dave Wichers] if you are interested in contributing new test cases, tool results run against the benchmark, or anything else.<br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project]]</div>Wichershttps://wiki.owasp.org/index.php?title=Benchmark&diff=244840Benchmark2018-11-04T21:01:22Z<p>Wichers: </p>
<hr />
<div>= Main = <br />
<div style="width:100%;height:100px;border:0,margin:0;overflow: hidden;">[[File:Lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== OWASP Benchmark Project ==<br />
The OWASP Benchmark for Security Automation (OWASP Benchmark) is a free and open test suite designed to evaluate the speed, coverage, and accuracy of automated software vulnerability detection tools and services (henceforth simply referred to as 'tools'). Without the ability to measure these tools, it is difficult to understand their strengths and weaknesses, and compare them to each other. Each version of the OWASP Benchmark contains thousands of test cases that are fully runnable and exploitable, each of which maps to the appropriate CWE number for that vulnerability.<br />
<br />
You can use the OWASP Benchmark with [[Source_Code_Analysis_Tools | Static Application Security Testing (SAST)]] tools, [[:Category:Vulnerability_Scanning_Tools | Dynamic Application Security Testing (DAST)]] tools like OWASP [[ZAP]] and Interactive Application Security Testing (IAST) tools. The current version of the Benchmark is implemented in Java. Future versions may expand to include other languages.<br />
<br />
==Benchmark Project Scoring Philosophy==<br />
<br />
Security tools (SAST, DAST, and IAST) are amazing when they find a complex vulnerability in your code. But with widespread misunderstanding of the specific vulnerabilities automated tools cover, end users are often left with a false sense of security.<br />
<br />
We are on a quest to measure just how good these tools are at discovering and properly diagnosing security problems in applications. We rely on the [http://en.wikipedia.org/wiki/Receiver_operating_characteristic long history] of military and medical evaluation of detection technology as a foundation for our research. Therefore, the test suite tests both real and fake vulnerabilities.<br />
<br />
There are four possible test outcomes in the Benchmark:<br />
<br />
# Tool correctly identifies a real vulnerability (True Positive - TP)<br />
# Tool fails to identify a real vulnerability (False Negative - FN)<br />
# Tool correctly ignores a false alarm (True Negative - TN)<br />
# Tool fails to ignore a false alarm (False Positive - FP)<br />
<br />
We can learn a lot about a tool from these four metrics. Consider a tool that simply flags every line of code as vulnerable. This tool will perfectly identify all vulnerabilities! But it will also have 100% false positives and thus adds no value. Similarly, consider a tool that reports absolutely nothing. This tool will have zero false positives, but will also identify zero real vulnerabilities and is also worthless. You can even imagine a tool that flips a coin to decide whether to report whether each test case contains a vulnerability. The result would be 50% true positives and 50% false positives. We need a way to distinguish valuable security tools from these trivial ones.<br />
<br />
If you imagine the line that connects all these points, from 0,0 to 100,100 establishes a line that roughly translates to "random guessing." The ultimate measure of a security tool is how much better it can do than this line. The diagram below shows how we will evaluate security tools against the Benchmark.<br />
<br />
[[File:Wbe guide.png]]<br />
<br />
A point plotted on this chart provides a visual indication of how well a tool did considering both the True Positives the tool reported, as well as the False Positives it reported. We also want to compute an individual score for that point in the range 0 - 100, which we call the Benchmark Accuracy Score.<br />
<br />
The Benchmark Accuracy Score is essentially a [https://en.wikipedia.org/wiki/Youden%27s_J_statistic Youden Index], which is a standard way of summarizing the accuracy of a set of tests. Youden's index is one of the oldest measures for diagnostic accuracy. It is also a global measure of a test performance, used for the evaluation of overall discriminative power of a diagnostic procedure and for comparison of this test with other tests. Youden's index is calculated by deducting 1 from the sum of a test’s sensitivity and specificity expressed not as percentage but as a part of a whole number: (sensitivity + specificity) – 1. For a test with poor diagnostic accuracy, Youden's index equals 0, and in a perfect test Youden's index equals 1.<br />
<br />
So for example, if a tool has a True Positive Rate (TPR) of .98 (i.e., 98%) <br />
and False Positive Rate (FPR) of .05 (i.e., 5%)<br />
Sensitivity = TPR (.98)<br />
Specificity = 1-FPR (.95)<br />
So the Youden Index is (.98+.95) - 1 = .93<br />
<br />
And this would equate to a Benchmark score of 93 (since we normalize this to the range 0 - 100)<br />
<br />
On the graph, the Benchmark Score is the length of the line from the point down to the diagonal “guessing” line. Note that a Benchmark score can actually be negative if the point is below the line. This is caused when the False Positive Rate is actually higher than the True Positive Rate.<br />
<br />
==Benchmark Validity==<br />
<br />
The Benchmark tests are not exactly like real applications. The tests are derived from coding patterns observed in real applications, but the majority of them are considerably '''simpler''' than real applications. That is, most real world applications will be considerably harder to successfully analyze than the OWASP Benchmark Test Suite. Although the tests are based on real code, it is possible that some tests may have coding patterns that don't occur frequently in real code.<br />
<br />
Remember, we are trying to test the capabilities of the tools and make them explicit, so that users can make informed decisions about what tools to use, how to use them, and what results to expect. This is exactly aligned with the OWASP mission to make application security visible.<br />
<br />
==Generating Benchmark Scores==<br />
<br />
Anyone can use this Benchmark to evaluate vulnerability detection tools. The basic steps are:<br />
# Download the Benchmark from github<br />
# Run your tools against the Benchmark<br />
# Run the BenchmarkScore tool on the reports from your tools<br />
<br />
That's it!<br />
<br />
Full details on how to do this are at the bottom of the page on the Quick_Start tab.<br />
<br />
We encourage both vendors, open source tools, and end users to verify their application security tools against the Benchmark. In order to ensure that the results are fair and useful, we ask that you follow a few simple rules when publishing results. We won't recognize any results that aren't easily reproducible:<br />
<br />
# A description of the default “out-of-the-box” installation, version numbers, etc…<br />
# Any and all configuration, tailoring, onboarding, etc… performed to make the tool run<br />
# Any and all changes to default security rules, tests, or checks used to achieve the results<br />
# Easily reproducible steps to run the tool<br />
<br />
== Reporting Format==<br />
<br />
The Benchmark includes tools to interpret raw tool output, compare it to the expected results, and generate summary charts and graphs. We use the following table format in order to capture all the information generated during the evaluation.<br />
<br />
{| class="wikitable nowraplinks"<br />
|-<br />
! style="background:#DDDDDD" | Security Category<br />
! TP<br />
! FN<br />
! TN<br />
! FP<br />
! style="background:#DDDDDD" | Total<br />
! TPR<br />
! FPR<br />
! style="background:#DDDDDD" | Score<br />
|-<br />
! style="background:#DDDDDD" valign="top" width="11%"| General security category for test cases.<br />
| valign="top" width="11%"| '''True Positives''': Tests with real vulnerabilities that were correctly reported as vulnerable by the tool.<br />
| valign="top" width="11%"| '''False Negative''': Tests with real vulnerabilities that were not correctly reported as vulnerable by the tool.<br />
| valign="top" width="11%"| '''True Negative''': Tests with fake vulnerabilities that were correctly not reported as vulnerable by the tool.<br />
| valign="top" width="11%"| '''False Positive''':Tests with fake vulnerabilities that were incorrectly reported as vulnerable by the tool.<br />
| style="background:#DDDDDD" valign="top" width="11%"| Total test cases for this category.<br />
| valign="top" width="11%"| '''True Positive Rate''': TP / ( TP + FN ) - Also referred to as Precision, as defined at [https://en.wikipedia.org/wiki/Precision_and_recall Wikipedia].<br />
| valign="top" width="11%"| '''False Positive Rate''': FP / ( FP + TN ).<br />
| style="background:#DDDDDD" valign="top" width="11%"| Normalized distance from the “guess line” TPR - FPR.<br />
|-<br />
! style="background:#DDDDDD" | Command Injection<br />
| ...<br />
| ...<br />
| ...<br />
| ...<br />
| style="background:#DDDDDD" | ...<br />
| ...<br />
| ...<br />
| style="background:#DDDDDD" | ...<br />
|-<br />
! style="background:#DDDDDD" | Etc...<br />
| ...<br />
| ...<br />
| ...<br />
| ...<br />
| style="background:#DDDDDD" | ...<br />
| ...<br />
| ...<br />
| style="background:#DDDDDD" | ...<br />
|-<br />
! style="background:#DDDDDD" | <br />
! Total TP<br />
! Total FN<br />
! Total TN<br />
! Total FP<br />
! style="background:#DDDDDD" | Total TC<br />
! Average TPR<br />
! Average FPR<br />
! style="background:#DDDDDD" | Average Score<br />
|}<br />
<br />
==Code Repo and Build/Run Instructions ==<br />
<br />
See the '''Getting Started''' and '''Getting, Building, and Running the Benchmark''' sections on the Quick Start tab.<br />
<br />
==Licensing==<br />
<br />
The OWASP Benchmark is free to use under the [http://choosealicense.com/licenses/gpl-2.0/ GNU General Public License v2.0].<br />
<br />
== Mailing List ==<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp-benchmark-project OWASP Benchmark Mailing List]<br />
<br />
== Project Leaders ==<br />
<br />
[https://www.owasp.org/index.php/User:Wichers Dave Wichers] [mailto:dave.wichers@owasp.org @]<br />
<br />
== Project References ==<br />
* [https://www.mir-swamp.org/#packages/public Software Assurance Marketplace (SWAMP) - set of curated packages to test tools against]<br />
* [http://samate.nist.gov/Other_Test_Collections.html SAMATE List of Test Collections]<br />
<br />
== Related Projects ==<br />
<br />
* [http://samate.nist.gov/SARD/testsuite.php NSA's Juliet for Java]<br />
* [http://sectoolmarket.com/ The Web Application Vulnerability Scanner Evaluation Project (WAVSEP)]<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
<br />
All test code and project files can be downloaded from [https://github.com/OWASP/benchmark OWASP GitHub].<br />
<br />
== Project Intro Video ==<br />
<br />
[[File:BenchmarkPodcastTitlePage.jpg|200px|link=https://www.youtube.com/watch?v=HQP8dwc3jJA&index=5&list=PLGB2s-U5FSWOmEStMt3JqlMFJvRYqeVW5]]<br />
<br />
== News and Events ==<br />
* LOOKING FOR VOLUNTEERS!! - We are looking for individuals and organizations to join and make this a much more community driven project, including additional coleaders to help take this project to the next level. Contributors could work on things like new test cases, additional tool scorecard generators, adding support for languages beyond Java, and a host of other improvements. Please contact [mailto:dave.wichers@owasp.org me] if you are interested in contributing at any level.<br />
* June 5, 2016 - Benchmark Version 1.2 Released<br />
* Sep 24, 2015 - Benchmark introduced to broader OWASP community at [https://appsecusa2015.sched.org/event/3r9k/using-the-owasp-benchmark-to-assess-automated-vulnerability-analysis-tools AppSec USA]<br />
* Aug 27, 2015 - U.S. Dept. of Homeland Security (DHS) is financially supporting the Benchmark project.<br />
* Aug 15, 2015 - Benchmark Version 1.2beta Released with full DAST Support. Checkmarx and ZAP scorecard generators also released.<br />
* July 10, 2015 - Benchmark Scorecard generator and open source scorecards released<br />
* May 23, 2015 - Benchmark Version 1.1 Released<br />
* April 15, 2015 - Benchmark Version 1.0 Released<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [http://choosealicense.com/licenses/gpl-2.0/ GNU General Public License v2.0]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= Test Cases =<br />
<br />
Version 1.0 of the Benchmark was published on April 15, 2015 and had 20,983 test cases. On May 23, 2015, version 1.1 of the Benchmark was released. The 1.1 release improves on the previous version by making sure that there are both true positives and false positives in every vulnerability area. Version 1.2 was released on June 5, 2016 (and the 1.2beta August 15, 2015).<br />
<br />
Version 1.2 and forward of the Benchmark is a fully executable web application, which means it is scannable by any kind of vulnerability detection tool. The 1.2 has been limited to slightly less than 3,000 test cases, to make it easier for DAST tools to scan it (so it doesn't take so long and they don't run out of memory, or blow up the size of their database). The 1.2 release covers the same vulnerability areas that 1.1 covers. We added a few Spring database SQL Injection tests, but that's it. The bulk of the work was turning each test case into something that actually runs correctly AND is fully exploitable, and then generating a UI on top of it that works in order to turn the test cases into a real running application.<br />
<br />
You can still download Benchmark version 1.1 by cloning the release marked with the GIT tag '1.1'.<br />
<br />
The test case areas and quantities for the Benchmark releases are:<br />
<br />
{| class="wikitable nowraplinks"<br />
|-<br />
! Vulnerability Area<br />
! # of Tests in v1.1<br />
! # of Tests in v1.2<br />
! CWE Number<br />
|-<br />
| [[Command Injection]]<br />
| 2708<br />
| 251<br />
| [https://cwe.mitre.org/data/definitions/78.html 78]<br />
|-<br />
| Weak Cryptography<br />
| 1440<br />
| 246<br />
| [https://cwe.mitre.org/data/definitions/327.html 327]<br />
|-<br />
| Weak Hashing<br />
| 1421<br />
| 236<br />
| [https://cwe.mitre.org/data/definitions/328.html 328]<br />
|-<br />
| [[LDAP injection | LDAP Injection]]<br />
| 736<br />
| 59<br />
| [https://cwe.mitre.org/data/definitions/90.html 90]<br />
|-<br />
| [[Path Traversal]]<br />
| 2630<br />
| 268<br />
| [https://cwe.mitre.org/data/definitions/22.html 22]<br />
|-<br />
| Secure Cookie Flag<br />
| 416<br />
| 67<br />
| [https://cwe.mitre.org/data/definitions/614.html 614]<br />
|-<br />
| [[SQL Injection]]<br />
| 3529<br />
| 504<br />
| [https://cwe.mitre.org/data/definitions/89.html 89]<br />
|-<br />
| [[Trust Boundary Violation]]<br />
| 725<br />
| 126<br />
| [https://cwe.mitre.org/data/definitions/501.html 501]<br />
|-<br />
| Weak Randomness<br />
| 3640<br />
| 493<br />
| [https://cwe.mitre.org/data/definitions/330.html 330]<br />
|-<br />
| [[XPATH Injection]]<br />
| 347<br />
| 35<br />
| [https://cwe.mitre.org/data/definitions/643.html 643]<br />
|-<br />
| [[XSS]] (Cross-Site Scripting)<br />
| 3449<br />
| 455<br />
| [https://cwe.mitre.org/data/definitions/79.html 79]<br />
|-<br />
| Total Test Cases<br />
| 21,041<br />
| 2,740<br />
|}<br />
<br />
Each Benchmark version comes with a spreadsheet that lists every test case, the vulnerability category, the CWE number, and the expected result (true finding/false positive). Look for the file: expectedresults-VERSION#.csv in the project root directory.<br />
<br />
Every test case is:<br />
* a servlet or JSP (currently they are all servlets, but we plan to add JSPs)<br />
* either a true vulnerability or a false positive for a single issue<br />
<br />
The Benchmark is intended to help determine how well analysis tools correctly analyze a broad array of application and framework behavior, including:<br />
<br />
* HTTP request and response problems<br />
* Simple and complex data flow<br />
* Simple and complex control flow<br />
* Popular frameworks<br />
* Inversion of control<br />
* Reflection<br />
* Class loading<br />
* Annotations<br />
* Popular UI technologies (particularly JavaScript frameworks)<br />
<br />
Not all of these are yet tested by the Benchmark but future enhancements intend to provide more coverage of these issues.<br />
<br />
Additional future enhancements could cover:<br />
* All vulnerability types in the [[Top10 | OWASP Top 10]]<br />
* Does the tool find flaws in libraries?<br />
* Does the tool find flaws spanning custom code and libraries?<br />
* Does tool handle web services? REST, XML, GWT, etc…<br />
* Does tool work with different app servers? Java platforms?<br />
<br />
== Example Test Case ==<br />
<br />
Each test case is a simple Java EE servlet. BenchmarkTest00001 in version 1.0 of the Benchmark was an LDAP Injection test with the following metadata in the accompanying BenchmarkTest00001.xml file:<br />
<br />
<test-metadata><br />
<category>ldapi</category><br />
<test-number>00001</test-number><br />
<vulnerability>true</vulnerability><br />
<cwe>90</cwe><br />
</test-metadata><br />
<br />
BenchmarkTest00001.java in the OWASP Benchmark 1.0 simply reads in all the cookie values, looks for a cookie named "foo", and uses the value of this cookie when performing an LDAP query. Here's the code for BenchmarkTest00001.java:<br />
<br />
package org.owasp.benchmark.testcode;<br />
<br />
import java.io.IOException;<br />
<br />
import javax.servlet.ServletException;<br />
import javax.servlet.annotation.WebServlet;<br />
import javax.servlet.http.HttpServlet;<br />
import javax.servlet.http.HttpServletRequest;<br />
import javax.servlet.http.HttpServletResponse;<br />
<br />
@WebServlet("/BenchmarkTest00001")<br />
public class BenchmarkTest00001 extends HttpServlet {<br />
<br />
private static final long serialVersionUID = 1L;<br />
<br />
@Override<br />
public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {<br />
doPost(request, response);<br />
}<br />
<br />
@Override<br />
public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {<br />
// some code<br />
<br />
javax.servlet.http.Cookie[] cookies = request.getCookies();<br />
<br />
String param = null;<br />
boolean foundit = false;<br />
if (cookies != null) {<br />
for (javax.servlet.http.Cookie cookie : cookies) {<br />
if (cookie.getName().equals("foo")) {<br />
param = cookie.getValue();<br />
foundit = true;<br />
}<br />
}<br />
if (!foundit) {<br />
// no cookie found in collection<br />
param = "";<br />
}<br />
} else {<br />
// no cookies<br />
param = "";<br />
}<br />
<br />
try {<br />
javax.naming.directory.DirContext dc = org.owasp.benchmark.helpers.Utils.getDirContext();<br />
Object[] filterArgs = {"a","b"};<br />
dc.search("name", param, filterArgs, new javax.naming.directory.SearchControls());<br />
} catch (javax.naming.NamingException e) {<br />
throw new ServletException(e);<br />
}<br />
}<br />
}<br />
<br />
= Test Case Details =<br />
<br />
The following describes situations in the Benchmark that have come up for debate as to the validity/accuracy of the test cases in these scenarios. <br />
<br />
== Cookies as a Source of Attack for XSS ==<br />
<br />
Benchmark v1.1 and early versions of the 1.2beta included test cases that used cookies as a source of data that flowed into XSS vulnerabilities. The Benchmark treated these tests as False Positives because the Benchmark team figured that you'd have to use an XSS vulnerability in the first place to set the cookie value, and so it wasn't fair/reasonable to consider an XSS vulnerability whose data source was a cookie value as actually exploitable. However, we got feedback from some tool vendors, like Fortify, Burp, and Arachni, that they disagreed with this analysis and felt that, in fact, cookies were a valid source of attack against XSS vulnerabilities. Given that there are good arguments on both sides of this safe vs. unsafe question, we decided on Aug 25, 2015 to simply remove those test cases from the Benchmark. If, in the future, we decide who is right, we may add such test cases back in.<br />
<br />
== Headers as a Source of Attack for XSS ==<br />
<br />
Similarly, the Benchmark team believes that the names of headers aren't a valid source of XSS attack for the same reason we thought cookie values aren't a valid source. Because it would require an XSS vulnerability to be exploited in the first place to set them. In fact, we feel that this argument is much stronger for header names, than cookie values. Right now, the Benchmark doesn't include any header names as sources for XSS test cases, but we plan to add them, and mark them as false positive in the Benchmark.<br />
<br />
We do have header values as sources for some XSS test cases in the Benchmark and only 'referer' is treated as a valid XSS source (i.e., true positives) because other headers are not viable XSS sources. Other headers are, of course, valid sources for other attack vectors, like SQL injection or Command Injection.<br />
<br />
== False Positive Scenario: Static Values Passed to Unsafe (Weak) Sinks ==<br />
<br />
The Benchmark has MANY test cases where unsafe data flows in from the browser, but that data is replaced with static content as it goes through the propagators in the that specific test case. This static (safe) data then flows to the sink, which may be a weak/unsafe sink, like, for example, an unsafely constructed SQL statement. The Benchmark treats those test cases as false positives because there is absolutely no way for that weakness to be exploited. The NSA Juliet SAST benchmark treats such test cases exactly the same way, as false positives. We do recognize that there are weaknesses in those test cases, even though they aren't exploitable.<br />
<br />
Some SAST tool vendors feel it is appropriate to point out those weaknesses, and that's fine. However, if the tool points those weaknesses out, and does not distinguish them from truly exploitable vulnerabilities, then the Benchmark treats those findings as false positives. If the tool allows a user to differentiate these non-exploitable weaknesses from exploitable vulnerabilities, then the Benchmark scorecard generator can use that information to filter out these extra findings (along with any other similarly marked findings) so they don't count against that tool when calculating that tool's Benchmark score. In the real world, its important for analysts to be able to filter out such findings if they only have time to deal with the most critical, actually exploitable, vulnerabilities. If a tool doesn't make it easy for an analyst to distinguish the two situations, then they are providing a disservice to the analyst.<br />
<br />
This issue doesn't affect DAST tools. They only report what appears to be exploitable to them. So this has no affect on them.<br />
<br />
If you are a SAST tool vendor or user, and you believe the Benchmark scorecard generator is counting such findings against that tool, and there is a way to tell them apart, please let the project team know so the scorecard generator can be adjusted to not count those findings against the tool. The Benchmark project's goal is the generate the most fair and accurate results it can generate. If such an adjustment is made to how a scorecard is generated for that tool, we plan to document this was done for that tool, and explain how others could perform the same filtering within that tool in order to get the same focused set of results.<br />
<br />
== Dead Code ==<br />
<br />
Some SAST tools point out weaknesses in dead code because they might eventually end up being used, and serve as bad coding examples (think cut/paste of code). We think this is fine/appropriate. However, there is no dead code in the OWASP Benchmark (at least not intentionally). So dead code should not be causing any tool to report unnecessary false positives.<br />
<br />
= Tool Support/Results =<br />
<br />
The results for 5 free tools, PMD, FindBugs, FindBugs with the FindSecBugs plugin, SonarQube and OWASP ZAP are available here against version 1.2 of the Benchmark: https://rawgit.com/OWASP/Benchmark/master/scorecard/OWASP_Benchmark_Home.html. We've included multiple versions of FindSecBugs' and ZAP's results so you can see the improvements they are making finding vulnerabilities in Benchmark.<br />
<br />
We have Benchmark results for all the following tools, but haven't publicly released the results for any commercial tools. However, we included a 'Commercial Average' page, which includes a summary of results for 6 commercial SAST tools along with anonymous versions of each SAST tool's scorecard.<br />
<br />
The Benchmark can generate results for the following tools: <br />
<br />
'''Free Static Application Security Testing (SAST) Tools:'''<br />
<br />
* [https://pmd.github.io/ PMD] (which really has no security rules) - .xml results file<br />
* [http://findbugs.sourceforge.net/ Findbugs] - .xml results file (Note: The 'new' Findbugs is now at: https://spotbugs.github.io/)<br />
* FindBugs with the [http://find-sec-bugs.github.io/ FindSecurityBugs plugin] - .xml results file<br />
* [https://www.sonarqube.org/downloads/ SonarQube] - .xml results file<br />
<br />
Note: We looked into supporting [http://checkstyle.sourceforge.net/ Checkstyle] but it has no security rules, just like PMD. The [http://fb-contrib.sourceforge.net/ fb-contrib] FindBugs plugin doesn't have any security rules either. We did test [http://errorprone.info/ Error Prone], and found that it does report some use of [http://errorprone.info/bugpattern/InsecureCipherMode) insecure ciphers (CWE-327)], but that's it.<br />
<br />
'''Commercial SAST Tools:'''<br />
<br />
* [http://www.castsoftware.com/products/application-intelligence-platform CAST Application Intelligence Platform (AIP)] - .xml results file<br />
* [https://www.checkmarx.com/products/static-application-security-testing/ Checkmarx CxSAST] - .xml results file<br />
* [https://www.synopsys.com/content/dam/synopsys/sig-assets/datasheets/SAST-Coverity-datasheet.pdf Synopsys Static Analysis (Formerly Coverity Code Advisor) (On-Demand and stand-alone versions)] - .json results file (You can scan Benchmark w/Coverity for free. See: https://scan.coverity.com/)<br />
* [https://software.microfocus.com/en-us/products/static-code-analysis-sast/overview Micro Focus (Formally HPE) Fortify (On-Demand and stand-alone versions)] - .fpr results file<br />
* [https://www.ibm.com/us-en/marketplace/ibm-appscan-source IBM AppScan Source (Standalone and Cloud)] - .ozasmt or .xml results file<br />
* [https://juliasoft.com/solutions/julia-for-security/ Julia Analyzer] - .xml results file<br />
* [https://www.parasoft.com/products/jtest/ Parasoft Jtest] - .xml results file<br />
* [https://www.shiftleft.io/product/ ShiftLeft SAST] - .sl results file (Benchmark specific format. Ask vendor how to generate this)<br />
* [https://www.sourcemeter.com/features/ SourceMeter] - .txt results file of ALL results from VulnerabilityHunter<br />
* [https://www.defensecode.com/thunderscan.php Thunderscan SAST] - .xml results file<br />
* [http://www.veracode.com/products/binary-static-analysis-sast Veracode SAST] - .xml results file<br />
* [https://www.rigs-it.com/xanitizer/ XANITIZER] - xml results file ([https://www.rigs-it.com/wp-content/uploads/2018/03/howtosetupxanitizerforowaspbenchmarkproject.pdf Their white paper on how to setup Xanitizer to scan Benchmark.]) (Free trial available)<br />
<br />
We are looking for results for other commercial static analysis tools like: [http://www.grammatech.com/codesonar Grammatech CodeSonar], [http://www.klocwork.com/products-services/klocwork Klocwork], etc. If you have a license for any static analysis tool not already listed above and can run it on the Benchmark and send us the results file that would be very helpful. <br />
<br />
The free SAST tools come bundled with the Benchmark so you can run them yourselves. If you have a license for any commercial SAST tool, you can also run them against the Benchmark. Just put your results files in the /results folder of the project, and then run the BenchmarkScore script for your platform (.sh / .bat) and it will generate a scorecard in the /scorecard directory for all the tools you have results for that are currently supported.<br />
<br />
'''Free Dynamic Application Security Testing (DAST) Tools:'''<br />
<br />
Note: While we support scorecard generators for these Free and Commercial DAST tools, we haven't been able to get a full/clean run against the Benchmark from most of these tools. As such, some of these scorecard generators might still need some work to properly reflect their results. If you notice any problems, let us know.<br />
<br />
* [http://www.arachni-scanner.com/ Arachni] - .xml results file<br />
** To generate .xml, run: ./bin/arachni_reporter "Your_AFR_Results_Filename.afr" --reporter=xml:outfile=Benchmark1.2-Arachni.xml<br />
* [https://www.owasp.org/index.php/ZAP OWASP ZAP] - .xml results file. To generate a complete ZAP XML results file so you can generate a valid scorecard, make sure you:<br />
** Tools > Options > Alerts - And set the Max alert instances to like 500.<br />
** Then: Report > Generate XML Report...<br />
<br />
'''Commercial DAST Tools:'''<br />
<br />
* [https://www.acunetix.com/vulnerability-scanner/ Acunetix Web Vulnerability Scanner (WVS)] - .xml results file (Generated using [https://www.acunetix.com/resources/wvs7manual.pdf command line interface (see Chapter 10.)] /ExportXML switch)<br />
* [https://portswigger.net/burp/ Burp Pro] - .xml results file<br />
**You must use Burp Pro v1.6.30+ to scan the Benchmark due to a limitation fixed in v1.6.30.<br />
* [https://software.microfocus.com/en-us/products/webinspect-dynamic-analysis-dast/overview Micro Focus (Formally HPE) WebInspect] - .xml results file<br />
* [http://www-03.ibm.com/software/products/en/appscan This was IBM AppScan (but I believe IBM sold this product off. To whom?] - .xml results file<br />
* [https://www.netsparker.com/web-vulnerability-scanner/ Netsparker] - .xml results file<br />
* [https://www.rapid7.com/products/appspider/ Rapid7 AppSpider] - .xml results file<br />
<br />
* Qualys - We ran Qualys against v1.2 of the Benchmark and it found none of the vulnerabilities we test for as far as we could tell. So we haven't implemented a scorecard generator for it. If you get results where you think it does find some real issues, send us the results file and, if confirmed, we'll produce a scorecard generator for it.<br />
<br />
If you have access to other DAST Tools, PLEASE RUN THEM FOR US against the Benchmark, and send us the results file so we can build a scorecard generator for that tool.<br />
<br />
'''Commercial Interactive Application Security Testing (IAST) Tools:'''<br />
<br />
* [https://www.contrastsecurity.com/interactive-application-security-testing-iast Contrast Assess] - .zip results file (You can scan Benchmark w/Contrast for free. See: https://www.contrastsecurity.com/contrast-community-edition)<br />
* [https://hdivsecurity.com/interactive-application-security-testing-iast Hdiv Detection (IAST)] - .hlg results file<br />
<br />
'''Commercial Hybrid Analysis Application Security Testing Tools:'''<br />
<br />
* [http://www.iappsecure.com/products.html Fusion Lite Insight] - .xml results file<br />
<br />
<br />
'''WARNING: If you generate results for a commercial tool, be careful who you distribute it to. Each tool has its own license defining when any results it produces can be released/made public. It may be against the terms of a commercial tool's license to publicly release that tool's score against the OWASP Benchmark. The OWASP Benchmark project takes no responsibility if someone else releases such results.'''<br />
<br />
The project has automated test harnesses for these vulnerability detection tools, so we can repeatably run the tools against each version of the Benchmark and automatically produce scorecards in our desired format.<br />
<br />
We want to test as many tools as possible against the Benchmark. If you are:<br />
<br />
* A tool vendor and want to participate in the project<br />
* Someone who wants to help score a free tool against the project<br />
* Someone who has a license to a commercial tool and the terms of the license allow you to publish tool results, and you want to participate<br />
<br />
please let [mailto:dave.wichers@owasp.org me] know!<br />
<br />
= Quick Start =<br />
<br />
==What is in the Benchmark?==<br />
The Benchmark is a Java Maven project. Its primary component is thousands of test cases (e.g., BenchmarkTest00001.java) , each of which is a single Java servlet that contains a single vulnerability (either a true positive or false positive). The vulnerabilities span about a dozen different types currently and are expected to expand significantly in the future.<br />
<br />
An expectedresults.csv is published with each version of the Benchmark (e.g., expectedresults-1.1.csv) and it specifically lists the expected results for each test case. Here’s what the first two rows in this file looks like for version 1.1 of the Benchmark:<br />
<br />
# test name category real vulnerability CWE Benchmark version: 1.1 2015-05-22<br />
BenchmarkTest00001 crypto TRUE 327<br />
<br />
This simply means that the first test case is a crypto test case (use of weak cryptographic algorithms), this is a real vulnerability (as opposed to a false positive), and this issue maps to CWE 327. It also indicates this expected results file is for Benchmark version 1.1 (produced May 22, 2015). There is a row in this file for each of the tens of thousands of test cases in the Benchmark. Each time a new version of the Benchmark is published, a new corresponding results file is generated and each test case can be completely different from one version to the next.<br />
<br />
The Benchmark also comes with a bunch of different utilities, commands, and prepackaged open source security analysis tools, all of which can be executed through Maven goals, including:<br />
<br />
* Open source vulnerability detection tools to be run against the Benchmark<br />
* A scorecard generator, which computes a scorecard for each of the tools you have results files for.<br />
<br />
==What Can You Do With the Benchmark?==<br />
* Compile all the software in the Benchmark project (e.g., mvn compile)<br />
* Run a static vulnerability analysis tool (SAST) against the Benchmark test case code<br />
<br />
* Scan a running version of the Benchmark with a dynamic application security testing tool (DAST)<br />
** Instructions on how to run it are provided below<br />
<br />
* Generate scorecards for each of the tools you have results files for<br />
** See the Tool Support/Results page for the list of tools the Benchmark supports generating scorecards for<br />
<br />
==Getting Started==<br />
Before downloading or using the Benchmark make sure you have the following installed and configured properly:<br />
<br />
GIT: http://git-scm.com/ or https://github.com/<br />
Maven: https://maven.apache.org/ (Version: 3.2.3 or newer works. We heard that 3.0.5 throws an error.)<br />
Java: http://www.oracle.com/technetwork/java/javase/downloads/index.html (Java 7 or 8) (64-bit) - Takes ALOT of memory to compile the Benchmark.<br />
<br />
==Getting, Building, and Running the Benchmark==<br />
<br />
To download and build everything:<br />
<br />
$ git clone https://github.com/OWASP/benchmark <br />
$ cd benchmark<br />
$ mvn compile (This compiles it)<br />
$ runBenchmark.sh/.bat - This compiles and runs it.<br />
<br />
Then navigate to: https://localhost:8443/benchmark/ to go to its home page. It uses a self signed SSL certificate, so you'll get a security warning when you hit the home page.<br />
<br />
Note: We have set the Benchmark app to use up to 6 Gig of RAM, which it may need when it is fully scanned by a DAST scanner. The DAST tool probably also requires 3+ Gig of RAM. As such, we recommend having a 16 Gig machine if you are going to try to run a full DAST scan. And at least 4 or ideally 8 Gig if you are going to play around with the running Benchmark app.<br />
<br />
== Using a VM instead ==<br />
We have several preconstructed VMs or instructions on how to build one that you can use instead:<br />
<br />
* Docker: A Dockerfile is checked into the project [https://github.com/OWASP/Benchmark/blob/master/VMs/Dockerfile here]. This Docker file should automatically produce a Docker VM with the latest Benchmark project files. After you have Docker installed, cd to /VMs then run: <br />
buildDockerImage.sh --> This builds the Docker Benchmark VM (This will take a WHILE)<br />
docker images --> You should see the new benchmark:latest image in the list provided<br />
# The Benchmark Docker Image only has to be created once. <br />
<br />
To run the Benchmark in your Docker VM, just run:<br />
runDockerImage.sh --> This pulls in any updates to Benchmark since the Image was built, builds everything, and starts a remotely accessible Benchmark web app.<br />
If successful, you should see this at the end:<br />
[INFO] [talledLocalContainer] Tomcat 8.x started on port [8443]<br />
[INFO] Press Ctrl-C to stop the container...<br />
Then simply navigate to: https://localhost:8443/benchmark from the machine you are running Docker<br />
<br />
Or if you want to access from a different machine:<br />
run: docker-machine ls (in a different window) --> To get IP Docker VM is exporting (e.g., tcp://192.168.99.100:2376)<br />
Navigate to: https://192.168.99.100:8443/benchmark (using the above IP as an example)<br />
<br />
* Amazon Web Services (AWS) - Here's how you set up the Benchmark on an AWS VM:<br />
sudo yum install git<br />
sudo yum install maven<br />
sudo yum install mvn<br />
sudo wget http://repos.fedorapeople.org/repos/dchen/apache-maven/epel-apache-maven.repo -O /etc/yum.repos.d/epel-apache-maven.repo<br />
sudo sed -i s/\$releasever/6/g /etc/yum.repos.d/epel-apache-maven.repo<br />
sudo yum install -y apache-maven<br />
git clone https://github.com/OWASP/benchmark<br />
cd benchmark<br />
chmod 755 *.sh<br />
./runBenchmark.sh -- to run it locally on the VM.<br />
./runRemoteAccessibleBenchmark.sh -- to run it so it can be accessed outside the VM (on port 8443).<br />
<br />
==Running Free Static Analysis Tools Against the Benchmark==<br />
There are scripts for running each of the free SAST vulnerability detection tools included with the Benchmark against the Benchmark test cases. On Linux, you might have to make them executable (e.g., chmod 755 *.sh) before you can run them.<br />
<br />
Generating Test Results for PMD:<br />
<br />
$ ./scripts/runPMD.sh (Linux) or .\scripts\runPMD.bat (Windows)<br />
<br />
Generating Test Results for FindBugs:<br />
<br />
$ ./scripts/runFindBugs.sh (Linux) or .\scripts\runFindBugs.bat (Windows)<br />
<br />
Generating Test Results for FindBugs with the FindSecBugs plugin:<br />
<br />
$ ./scripts/runFindSecBugs.sh (Linux) or .\scripts\runFindSecBugs.bat (Windows)<br />
<br />
In each case, the script will generate a results file and put it in the /results directory. For example: <br />
<br />
Benchmark_1.2-findbugs-v3.0.1-1026.xml<br />
<br />
This results file name is carefully constructed to mean the following: It's a results file against the OWASP Benchmark version 1.2, FindBugs was the analysis tool, it was version 3.0.1 of FindBugs, and it took 1026 seconds to run the analysis.<br />
<br />
NOTE: If you create a results file yourself, by running a commercial tool for example, you can add the version # and the compute time to the filename just like this and the Benchmark Scorecard generator will pick this information up and include it in the generated scorecard. If you don't, depending on what metadata is included in the tool results, the Scorecard generator might do this automatically anyway.<br />
<br />
==Generating Scorecards==<br />
The scorecard generation application BenchmarkScore is included with the Benchmark. It parses the output files generated by any of the supported security tools run against the Benchmark and compares them against the expected results, and produces a set of web pages that detail the accuracy and speed of the tools involved. For the list of currently supported tools, check out the: Tools Support/Results tab. If you are using a tool that is not yet supported, simply send us a results file from that tool and we'll write a parser for that tool and add it to the supported tools list.<br />
<br />
The following command will compute a Benchmark scorecard for all the results files in the '''/results''' directory. The generated scorecard is put into the '''/scorecard''' directory.<br />
<br />
createScorecard.sh (Linux) or createScorecard.bat (Windows)<br />
<br />
An example of a real scorecard for some open source tools is provided at the top of the Tool Support/Results tab so you can see what one looks like.<br />
<br />
We recommend including the Benchmark version number in any results file name, in order to help prevent mismatches between the expected results and the actual results files. A tool will not score well against the wrong expected results.<br />
<br />
===Customizing Your Scorecard Generation===<br />
<br />
The createScorecard scripts are very simple. They only have one line. Here's what the 1.2 version looks like:<br />
<br />
mvn validate -Pbenchmarkscore -Dexec.args="expectedresults-1.2.csv results"<br />
<br />
This Maven command simply says to run the BenchmarkScore application, passing in two parameters. The 1st is the Benchmark expected results file to compare the tool results against. And the 2nd is the name of the directory that contains all the results from tools run against that version of the Benchmark. If you have tool results older than the current version of the Benchmark, like 1.1 results for example, then you would do something like this instead:<br />
<br />
mvn validate -Pbenchmarkscore -Dexec.args="expectedresults-1.1.csv 1.1_results"<br />
<br />
To keep things organized, we actually put the expected results file inside the same results folder for that version of the Benchmark, so our command looks like this:<br />
<br />
mvn validate -Pbenchmarkscore -Dexec.args="1.1_results/expectedresults-1.1.csv 1.1_results"<br />
<br />
In all cases, the generated scorecard is put in the /scorecard folder.<br />
<br />
'''WARNING: If you generate results for a commercial tool, be careful who you distribute it to. Each tool has its own license defining when any results it produces can be released/made public. It is likely to be against the terms of a commercial tool's license to publicly release that tool's score against the OWASP Benchmark. The OWASP Benchmark project takes no responsibility if someone else releases such results.''' It is for just this reason that the Benchmark project isn't releasing such results itself.<br />
<br />
= Tool Scanning Tips =<br />
<br />
People frequently have difficulty scanning the Benchmark with various tools due to many reasons, including size of the Benchmark app and its codebase, and complexity of the tools used. Here is some guidance for some of the tools we have used to scan the Benchmark. If you've learned any tricks on how to get better or easier results for a particular tool against the Benchmark, let us know or update this page directly.<br />
<br />
== Generic Tips ==<br />
<br />
Because of the size of the Benchmark, you may need to give your tool more memory before it starts the scan. If its a Java based tool, you may want to pass more memory to it like this:<br />
<br />
-Xmx4G (This gives the Java application 4 Gig of memory)<br />
<br />
== SAST Tools ==<br />
<br />
=== Checkmarx ===<br />
<br />
The Checkmarx SAST Tool (CxSAST) is ready to scan the OWASP Benchmark out-of-the-box. <br />
Please notice that the OWASP Benchmark “hides” some vulnerabilities in dead code areas, for example:<br />
<syntaxhighlight lang="java"><br />
if (0>1)<br />
{<br />
//vulnerable code<br />
}</syntaxhighlight><br />
By default, CxSAST will find these vulnerabilities since Checkmarx believes that including dead code in the scan results is a SAST best practice. <br />
<br />
Checkmarx's experience shows that security experts expect to find these types of code vulnerabilities, and demand that their developers fix them. However, OWASP Benchmark considers the flagging of these vulnerabilities as False Positives, as a result lowering Checkmarx's overall score. <br />
<br />
Therefore, in order to receive an OWASP score untainted by dead code, re-configure CxSAST as follows:<br />
# Open the CxAudit client for editing Java queries.<br />
# Override the "Find_Dead_Code" query.<br />
# Add the commented text of the original query to the new override query.<br />
# Save the queries.<br />
<br />
=== FindBugs ===<br />
<br />
We include this free tool in the Benchmark and its all dialed in. Simply run the script: ./script/runFindBugs.(sh or bat). If you want to run a different version of FindBugs, just change its version number in the Benchmark pom.xml file.<br />
<br />
=== FindBugs with FindSecBugs ===<br />
<br />
[http://h3xstream.github.io/find-sec-bugs/ FindSecurityBugs] is a great plugin for FindBugs that significantly increases the ability for FindBugs to find security issues. We include this free tool in the Benchmark and its all dialed in. Simply run the script: ./script/runFindSecBugs.(sh or bat). If you want to run a different version of FindSecBugs, just change the version number of the findsecbugs-plugin artifact in the Benchmark pom.xml file.<br />
<br />
=== Micro Focus (Formally HP) Fortify ===<br />
<br />
If you are using the Audit Workbench, you can give it more memory and make sure you invoke it in 64-bit mode by doing this:<br />
<br />
set AWB_VM_OPTS="-Xmx2G -XX:MaxPermSize=256m"<br />
export AWB_VM_OPTS="-Xmx2G -XX:MaxPermSize=256m"<br />
auditworkbench -64<br />
<br />
We found it was easier to use the Maven support in Fortify to scan the Benchmark and to do it in 2 phases, translate, and then scan. We did something like this:<br />
<br />
Translate Phase:<br />
export JAVA_HOME=$(/usr/libexec/java_home)<br />
export PATH=$PATH:/Applications/HP_Fortify/HP_Fortify_SCA_and_Apps_17.10/bin<br />
export SCA_VM_OPTS="-Xmx2G -version 1.7"<br />
mvn sca:clean<br />
mvn sca:translate<br />
<br />
Scan Phase:<br />
export JAVA_HOME=$(/usr/libexec/java_home)<br />
export PATH=$PATH:/Applications/HP_Fortify/HP_Fortify_SCA_and_Apps_4.10/bin<br />
export SCA_VM_OPTS="-Xmx10G -version 1.7"<br />
mvn sca:scan<br />
<br />
=== PMD ===<br />
<br />
We include this free tool in the Benchmark and its all dialed in. Simply run the script: ./script/runPMD.(sh or bat). If you want to run a different version of PMD, just change its version number in the Benchmark pom.xml file. (NOTE: PMD doesn't find any security issues. We include it because its interesting to know that it doesn't.)<br />
<br />
=== SonarQube ===<br />
<br />
We include this free tool in the Benchmark and its mostly dialed in. But its a bit tricky because SonarQube requires two parts. There is a stand alone scanner for Java. And then there is a web application that accepts the results, and in turn can then produce the results file required by the Benchmark scorecard generator for SonarQube. Running the script runSonarQube.(sh or bat) will generate the results, but if the SonarQube Web Application isn't running where the runSonarQube script expects it to be, then the script will fail.<br />
<br />
If you want to run a different version of SonarQube, just change its version number in the Benchmark pom.xml file.<br />
<br />
=== Xanitizer ===<br />
<br />
The vendor has written their own guide to [http://www.rigs-it.net/opendownloads/whitepapers/HowToSetUpXanitizerForOWASPBenchmarkProject.pdf How to Set Up Xanitizer for OWASP Benchmark].<br />
<br />
== DAST Tools ==<br />
<br />
=== Burp Pro ===<br />
<br />
You must use Burp Pro v1.6.29 or greater to scan the Benchmark due to a previous limitation in Burp Pro related to ensuring the path attribute for cookies was honored. This issue was fixed in the v1.6.29 release.<br />
<br />
To scan, first spider the entire Benchmark, and then select the /Benchmark URL and actively scan that branch. You can skip all the .html pages and any other pages that Burp says have no parameters.<br />
<br />
NOTE: We have been unable to simply run Burp Pro against the entire Benchmark in one shot. In our experience, it eventually freezes/stops scanning. We've had to run it against each test area one at a time. If you figure out how to get Burp Pro to scan all of Benchmark in one shot, let us know how you did it!<br />
<br />
=== OWASP ZAP ===<br />
<br />
ZAP may require additional memory to be able to scan the Benchmark. To configure the amount of memory:<br />
* Tools --> Options --> JVM: Recommend setting to: -Xmx2048m (or larger). (Then restart ZAP).<br />
<br />
To run ZAP against Benchmark:<br />
# Because Benchmark uses Cookies and Headers as sources of attack for many test cases: Tools --> Options --> Active Scan Input Vectors: Then check the HTTP Headers, All Requests, and Cookie Data checkboxes and hit OK<br />
# Click on Show All Tabs button (if spider tab isn't visible)<br />
# Go to Spider tab (the black spider) and click on New Scan button<br />
# Enter: https://localhost:8443/benchmark/ into the 'Starting Point' box and hit 'Start Scan'<br />
#* Do this again. For some reason it takes 2 passes with the Spider before it stops finding more Benchmark endpoints.<br />
# When Spider completes, click on 'benchmark' folder in Site Map, right click and select: 'Attack --> Active Scan'<br />
#* It will take several hours, like 3+ to complete (it's actually likely to simply freeze before completing the scan - see NOTE: below)<br />
<br />
For faster active scan you can<br />
* Disable the ZAP DB log (in ZAP 2.5.0+):<br />
** Disable it via Options / Database / Recover Log<br />
** Set it on the command line using "-config database.recoverylog=false"<br />
* Disable unnecessary plugins / Technologies: When you launch the Active Scan<br />
** On the Policy tab, disable all plugins except: XSS (Reflected), Path Traversal, SQLi, OS Command Injection<br />
** Go the Technology Tab, disable everything and only enable: MySQL, YOUR_OS, Tomcat<br />
** Note: This 2nd performance improvement step is a bit like cheating as you wouldn't do this for a normal site scan. You'd want to leave all this on in case these other plugins/technologies are helpful in finding more issues. So a fair performance comparison of ZAP to other tools would leave all this on.<br />
<br />
To generate the ZAP XML results file so you can generate its scorecard:<br />
* Tools > Options > Alerts - And set the Max alert instances to like 500.<br />
* Then: Report > Generate XML Report...<br />
<br />
NOTE: Similar to Burp, we can't simply run ZAP against the entire Benchmark in one shot. In our experience, it eventually freezes/stops scanning. We've had to run it against each test area one at a time. If you figure out how to get ZAP to scan all of Benchmark in one shot, let us know how you did it!<br />
<br />
Things we tried that didn't improve the score:<br />
* AJAX Spider - the traditional spider appears to find all (or 99%) of the test cases so the AJAX Spider does not appear to be needed against Benchmark v1.2<br />
* XSS (Persistent) - There are 3 of these plugins that run by default. There aren't any stored XSS in Benchmark, so you can disable these plugins for a faster scan.<br />
* DOM XSS Plugin - This is an optional plugin that didn't seem to find any additional XSS issues. There aren't an DOM specific XSS issues in Benchmark v1.2, so not surprising.<br />
<br />
== IAST Tools ==<br />
<br />
Interactive Application Security Testing (IAST) tools work differently than scanners. IAST tools monitor an application as it runs to identify application vulnerabilities using context from inside the running application. Typically these tools run continuously, immediately notifying users of vulnerabilities, but you can also get a full report of an entire application. To do this, we simply run the Benchmark application with an IAST agent and use a crawler to hit all the pages.<br />
<br />
=== Contrast Assess ===<br />
<br />
To use Contrast Assess, we simply add the Java agent to the Benchmark environment and run the BenchmarkCrawler. The entire process should only take a few minutes. We provided a few scripts, which simply add the -javaagent:contrast.jar flag to the Benchmark launch configuration. We have tested on MacOS, Ubuntu, and Windows. Be sure your VM has at least 4M of memory.<br />
<br />
* Ensure your environment has Java, Maven, and git installed, then build the Benchmark project<br />
'''$ git clone https://github.com/OWASP/Benchmark.git'''<br />
'''$ cd Benchmark'''<br />
'''$ mvn compile'''<br />
<br />
* Download a licensed copy of the Contrast Assess Java Agent (contrast.jar) from your Contrast TeamServer account and put it in the /Benchmark/tools/Contrast directory.<br />
'''$ cp ~/Downloads/contrast.jar tools/Contrast'''<br />
<br />
* In Terminal 1, launch the Benchmark application and wait until it starts<br />
'''$ cd tools/Contrast <br />
'''$ ./runBenchmark_wContrast.sh''' (.bat on Windows)<br />
'''[INFO] Scanning for projects...<br />
'''[INFO] <br />
'''[INFO] ------------------------------------------------------------------------<br />
'''[INFO] Building OWASP Benchmark Project 1.2<br />
'''[INFO] ------------------------------------------------------------------------<br />
'''[INFO] <br />
'''...<br />
'''[INFO] [talledLocalContainer] Tomcat 8.x started on port [8443]'''<br />
'''[INFO] Press Ctrl-C to stop the container...'''<br />
<br />
* In Terminal 2, launch the crawler and wait a minute or two for the crawl to complete.<br />
'''$ ./runCrawler.sh''' (.bat on Windows)<br />
<br />
* A Contrast report has been generated in /Benchmark/tools/Contrast/working/contrast.log. This report will be automatically copied (and renamed with version number) to /Benchmark/results directory.<br />
'''$ more tools/Contrast/working/contrast.log'''<br />
'''2016-04-22 12:29:29,716 [main b] INFO - Contrast Runtime Engine<br />
'''2016-04-22 12:29:29,717 [main b] INFO - Copyright (C) 2012<br />
'''2016-04-22 12:29:29,717 [main b] INFO - Pat. 8,458,789 B2<br />
'''2016-04-22 12:29:29,717 [main b] INFO - Contrast Security, Inc.<br />
'''2016-04-22 12:29:29,717 [main b] INFO - All Rights Reserved<br />
'''2016-04-22 12:29:29,717 [main b] INFO - https://www.contrastsecurity.com/<br />
'''...'''<br />
<br />
* Press Ctrl-C to stop the Benchmark in Terminal 1. Note: on Windows, select "N" when asked Terminate batch job (Y/N))<br />
'''[INFO] [talledLocalContainer] Tomcat 8.x is stopped'''<br />
'''Copying Contrast report to results directory'''<br />
<br />
* In Terminal 2, generate scorecards in /Benchmark/scorecard<br />
'''$ ./createScorecards.sh''' (.bat on Windows)<br />
'''Analyzing results from Benchmark_1.2-Contrast.log<br />
'''Actual results file generated: /Users/owasp/Projects/Benchmark/scorecard/Benchmark_v1.2_Scorecard_for_Contrast.csv<br />
'''Report written to: /Users/owasp/Projects/Benchmark/scorecard/Benchmark_v1.2_Scorecard_for_Contrast.html<br />
<br />
* Open the Benchmark Scorecard in your browser<br />
'''/Users/owasp/Projects/Benchmark/scorecard/Benchmark_v1.2_Scorecard_for_Contrast.html'''<br />
<br />
=== Hdiv Detection ===<br />
<br />
Hdiv has written their own instructions on how to run the detection component of their product on the Benchmark here: https://hdivsecurity.com/docs/features/benchmark/#how-to-run-hdiv-in-owasp-benchmark-project. You'll see that these instructions involve using the same crawler used to exercise all the test cases in the Benchmark, just like Contrast above.<br />
<br />
= RoadMap =<br />
<br />
Benchmark v1.0 - Released April 15, 2015 - This initial release included over 20,000 test cases in 11 different vulnerability categories. As this initial version was not a runnable application, it was only suitable for assessing static analysis tools (SAST).<br />
<br />
Benchmark v1.1 - Released May 23, 2015 - This update fixed some inaccurate test cases, and made sure that every vulnerability area included both True Positives and False Positives.<br />
<br />
Benchmark Scorecard Generator - Released July 10, 2015 - The ability to automatically and repeatably produce a scorecard of how well tools do against the Benchmark was released for most of the SAST tools supported by the Benchmark. Scorecards present graphical as well as statistical data on how well a tool does against the Benchmark down to the level of detail of how exactly it did against each individual test in the Benchmark. [https://rawgit.com/OWASP/Benchmark/master/scorecard/OWASP_Benchmark_Home.html Here are the latest public scorecards]. Support for producing scorecards for additional tools is being added all the time and the current full set is documented on the '''Tool Support/Results''' and '''Quick Start''' tabs of this wiki.<br />
<br />
Benchmark v1.2beta - Released Aug 15, 2015 - The 1st release of a fully runnable version of the Benchmark to support assessing all types of vulnerability detection and prevention technologies, including DAST, IAST, RASP, WAFs, etc. This involved creating a user interface for every test case, and enhancing each test case to make sure its actually exploitable, not just uses something that is theoretically weak. This release is under 3,000 test cases to make it practical to scan the entire Benchmark with a DAST tool in a reasonable amount of time, with commodity hardware specs.<br />
<br />
Benchmark 1.2 - Released June 5, 2016 - Based on feedback from a number of DAST tool developers, and other vendors as well, we made the Benchmark more realistic in a number of ways to facilitate external DAST scanning, and also made the Benchmark more resilient against attack so it could properly survive various DAST vulnerability detection and exploit verification techniques.<br />
<br />
Plans for Benchmark 1.3:<br />
<br />
While we don't have hard and fast rules of exactly what we are going to do next, enhancements in the following areas are planned for the next release:<br />
<br />
* Add new vulnerability categories (e.g., XXE, Hibernate Injection)<br />
* Add support for popular server side Java frameworks (e.g., Spring)<br />
* Add web services test cases<br />
<br />
We are also starting to work on the ability to score WAFs/RASPs and other defensive technology against Benchmark.<br />
<br />
= FAQ =<br />
<br />
==1. How are the scores computed for the Benchmark?==<br />
<br />
Each test case has a single vulnerability of a specific type. Its either a real vulnerability (True Positive) or not (a False Positive). We document all the test cases for each version of the Benchmark in the expectedresults-VERSION#.csv file (e.g., expectedresults-1.1.csv). This file lists the test case name, the CWE type of the vulnerability, and whether it is a True Positive or not. The Benchmark supports scorecard generators for computing exactly how a tool did when analyzing a version of the Benchmark. The full list of supported tools is on the Tools Support/Results tab. For each tool there is a parser that can parse the native results format for that tool (usually XML). This parser simply, for each test case, looks to see if that tool reported a vulnerability of the type expected in the test case source code file (for SAST) or the test case URL (for DAST/IAST). If it did, and the test case was a True Positive, the tool gets credit for finding it. If it is a False Positive test, and the tool reports that type of finding, then its recorded as a False Positive. If the tool didn't report that type of vulnerability for a test case, then they get either a False Negative, or a True Negative as appropriate. After calculating all of the individual test case results, a scorecard is generated providing a chart and statistics for that tool across all the vulnerability categories, and pages are also created comparing different tools to each other in each vulnerability category (if multiple tools are being scored together).<br />
<br />
A detailed file explaining exactly how that tool did against each individual test case in that version of the Benchmark is produced as part of scorecard generation, and is available via the Actual Results link on each tool's scorecard page. (e.g., Benchmark_v1.1_Scorecard_for_FindBugs.csv).<br />
<br />
==2. What if the tool I'm using doesn't have a scorecard generator for it?==<br />
<br />
Send us the results file! We'll be happy to create a parser for that tool so its now supported.<br />
<br />
==3. What if a tool finds other unexpected vulnerabilities?==<br />
<br />
We are sure there are vulnerabilities we didn't intend to be there and we are eliminating them as we find them. If you find some, let us know and we'll fix them too. We are primarily focused on unintentional vulnerabilities in the categories of vulnerabilities the Benchmark currently supports, since that is what is actually measured.<br />
<br />
Right now, two types of vulnerabilities that get reported are ignored by the scorecard generator:<br />
# Vulnerabilities in categories not yet supported<br />
# Vulnerabilities of a type that is supported, but reported in test cases not of that type<br />
<br />
In the case of #2, false positives reported in unexpected areas are also ignored, which is primarily a DAST problem. Right now those false positives are completely ignored, but we are thinking about including them in the false positive score in some fashion. We just haven't decided how yet.<br />
<br />
==4. How should I configure my tool to scan the Benchmark?==<br />
<br />
All tools support various levels of configuration in order to improve their results. The Benchmark project, in general, is trying to '''compare out of the box capabilities of tools'''. However, if a few simple tweaks to a tool can be done to improve that tool's score, that's fine. We'd like to understand what those simple tweaks are, and document them here, so others can repeat those tests in exactly the same way. For example, just turn on the 'test cookies and headers' flag, which is off by default. Or turn on the 'advanced' scan, so it will work harder, find more vulnerabilities. Its simple things like this we are talking about, not an extensive effort to teach the tool about the app, or perform 'expert' configuration of the tool.<br />
<br />
So, if you know of some simple tweaks to improve a tool's results, let us know what they are and we'll document them here so everyone can benefit and make it easier to do apples to apples comparisons. And we'll link to that guidance once we start documenting it, but we don't have any such guidance right now.<br />
<br />
==5. I'm having difficulty scanning the Benchmark with a DAST tool. How can I get it to work?==<br />
<br />
We've run into 2 primary issues giving DAST tools problems.<br />
<br />
a) The Benchmark Generates Lots of Cookies<br />
<br />
The Burp team pointed out a cookies bug in the 1.2beta Benchmark. Each Weak Randomness test case generates its own cookie, 1 per test case. This caused the creation of so many cookies that servers would eventually start returning 400 errors because there were simply too many cookies being submitted in a request. This was fixed in the Aug 27, 2015 update to the Benchmark by setting the path attribute for each of these cookies to be the path to that individual test case. Now, only at most one of these cookies should be submitted with each request, eliminating this 'too many cookies' problem. However, if a DAST tool doesn't honor this path attribute, it may continue to send too many cookies, making the Benchmark unscannable for that tool. Burp Pro prior to 1.6.29 had this issue, but it was fixed in the 1.6.29 release.<br />
<br />
b) The Benchmark is a BIG Application<br />
<br />
Yes. It is, so you might have to give your scanner more memory than it normally uses by default in order to successfully scan the entire Benchmark. Please consult your tool vendor's documentation on how to give it more memory.<br />
<br />
Your machine itself might not have enough memory in the first place. For example, we were not able to successfully scan the 1.2beta with OWASP ZAP with only 8 Gig of RAM. So, you might need a more powerful machine or use a cloud provided machine to successfully scan the Benchmark with certain DAST tools. You may have similar problems with SAST tools against large versions of the Benchmark, like the 1.1 release.<br />
<br />
= Acknowledgements =<br />
<br />
The following people, organizations, and many others, have contributed to this project and their contributions are much appreciated!<br />
<br />
* Lots of Vendors - Many vendors have provided us with either trial licenses we can use, or they have run their tools themselves and either sent us results files, or written and contributed scorecard generators for their tool. Many have also provided valuable feedback so we can make the Benchmark more accurate and more realistic.<br />
* Juan Gama - Development of initial release and continued support<br />
* Ken Prole - Assistance with automated scorecard development using CodeDx<br />
* Nick Sanidas - Development of initial release<br />
* Denim Group - Contribution of scan results to facilitate scorecard development<br />
* Tasos Laskos - Significant feedback on the DAST version of the Benchmark<br />
* Ann Campbell - From SonarSource - for fixing our SonarQube results parser<br />
* Dhiraj Mishra - OWASP Member - contributed SQLi/XSS fuzz vectors as initial contribution towards adding support for WAF/RASP scoring<br />
<br />
[[File:CWE_Logo.jpeg|link=https://cwe.mitre.org/]] - The CWE project for providing a mapping mechanism to easily map test cases to issues found by vulnerability detection tools.<br />
<br />
We are looking for volunteers. Please contact [mailto:dave.wichers@owasp.org Dave Wichers] if you are interested in contributing new test cases, tool results run against the benchmark, or anything else.<br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project]]</div>Wichershttps://wiki.owasp.org/index.php?title=Benchmark&diff=244838Benchmark2018-11-04T18:24:36Z<p>Wichers: Update Docker VM creation to match scripts created to make it easier.</p>
<hr />
<div>= Main = <br />
<div style="width:100%;height:100px;border:0,margin:0;overflow: hidden;">[[File:Lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== OWASP Benchmark Project ==<br />
The OWASP Benchmark for Security Automation (OWASP Benchmark) is a free and open test suite designed to evaluate the speed, coverage, and accuracy of automated software vulnerability detection tools and services (henceforth simply referred to as 'tools'). Without the ability to measure these tools, it is difficult to understand their strengths and weaknesses, and compare them to each other. Each version of the OWASP Benchmark contains thousands of test cases that are fully runnable and exploitable, each of which maps to the appropriate CWE number for that vulnerability.<br />
<br />
You can use the OWASP Benchmark with [[Source_Code_Analysis_Tools | Static Application Security Testing (SAST)]] tools, [[:Category:Vulnerability_Scanning_Tools | Dynamic Application Security Testing (DAST)]] tools like OWASP [[ZAP]] and Interactive Application Security Testing (IAST) tools. The current version of the Benchmark is implemented in Java. Future versions may expand to include other languages.<br />
<br />
==Benchmark Project Scoring Philosophy==<br />
<br />
Security tools (SAST, DAST, and IAST) are amazing when they find a complex vulnerability in your code. But with widespread misunderstanding of the specific vulnerabilities automated tools cover, end users are often left with a false sense of security.<br />
<br />
We are on a quest to measure just how good these tools are at discovering and properly diagnosing security problems in applications. We rely on the [http://en.wikipedia.org/wiki/Receiver_operating_characteristic long history] of military and medical evaluation of detection technology as a foundation for our research. Therefore, the test suite tests both real and fake vulnerabilities.<br />
<br />
There are four possible test outcomes in the Benchmark:<br />
<br />
# Tool correctly identifies a real vulnerability (True Positive - TP)<br />
# Tool fails to identify a real vulnerability (False Negative - FN)<br />
# Tool correctly ignores a false alarm (True Negative - TN)<br />
# Tool fails to ignore a false alarm (False Positive - FP)<br />
<br />
We can learn a lot about a tool from these four metrics. Consider a tool that simply flags every line of code as vulnerable. This tool will perfectly identify all vulnerabilities! But it will also have 100% false positives and thus adds no value. Similarly, consider a tool that reports absolutely nothing. This tool will have zero false positives, but will also identify zero real vulnerabilities and is also worthless. You can even imagine a tool that flips a coin to decide whether to report whether each test case contains a vulnerability. The result would be 50% true positives and 50% false positives. We need a way to distinguish valuable security tools from these trivial ones.<br />
<br />
If you imagine the line that connects all these points, from 0,0 to 100,100 establishes a line that roughly translates to "random guessing." The ultimate measure of a security tool is how much better it can do than this line. The diagram below shows how we will evaluate security tools against the Benchmark.<br />
<br />
[[File:Wbe guide.png]]<br />
<br />
A point plotted on this chart provides a visual indication of how well a tool did considering both the True Positives the tool reported, as well as the False Positives it reported. We also want to compute an individual score for that point in the range 0 - 100, which we call the Benchmark Accuracy Score.<br />
<br />
The Benchmark Accuracy Score is essentially a [https://en.wikipedia.org/wiki/Youden%27s_J_statistic Youden Index], which is a standard way of summarizing the accuracy of a set of tests. Youden's index is one of the oldest measures for diagnostic accuracy. It is also a global measure of a test performance, used for the evaluation of overall discriminative power of a diagnostic procedure and for comparison of this test with other tests. Youden's index is calculated by deducting 1 from the sum of a test’s sensitivity and specificity expressed not as percentage but as a part of a whole number: (sensitivity + specificity) – 1. For a test with poor diagnostic accuracy, Youden's index equals 0, and in a perfect test Youden's index equals 1.<br />
<br />
So for example, if a tool has a True Positive Rate (TPR) of .98 (i.e., 98%) <br />
and False Positive Rate (FPR) of .05 (i.e., 5%)<br />
Sensitivity = TPR (.98)<br />
Specificity = 1-FPR (.95)<br />
So the Youden Index is (.98+.95) - 1 = .93<br />
<br />
And this would equate to a Benchmark score of 93 (since we normalize this to the range 0 - 100)<br />
<br />
On the graph, the Benchmark Score is the length of the line from the point down to the diagonal “guessing” line. Note that a Benchmark score can actually be negative if the point is below the line. This is caused when the False Positive Rate is actually higher than the True Positive Rate.<br />
<br />
==Benchmark Validity==<br />
<br />
The Benchmark tests are not exactly like real applications. The tests are derived from coding patterns observed in real applications, but the majority of them are considerably '''simpler''' than real applications. That is, most real world applications will be considerably harder to successfully analyze than the OWASP Benchmark Test Suite. Although the tests are based on real code, it is possible that some tests may have coding patterns that don't occur frequently in real code.<br />
<br />
Remember, we are trying to test the capabilities of the tools and make them explicit, so that users can make informed decisions about what tools to use, how to use them, and what results to expect. This is exactly aligned with the OWASP mission to make application security visible.<br />
<br />
==Generating Benchmark Scores==<br />
<br />
Anyone can use this Benchmark to evaluate vulnerability detection tools. The basic steps are:<br />
# Download the Benchmark from github<br />
# Run your tools against the Benchmark<br />
# Run the BenchmarkScore tool on the reports from your tools<br />
<br />
That's it!<br />
<br />
Full details on how to do this are at the bottom of the page on the Quick_Start tab.<br />
<br />
We encourage both vendors, open source tools, and end users to verify their application security tools against the Benchmark. In order to ensure that the results are fair and useful, we ask that you follow a few simple rules when publishing results. We won't recognize any results that aren't easily reproducible:<br />
<br />
# A description of the default “out-of-the-box” installation, version numbers, etc…<br />
# Any and all configuration, tailoring, onboarding, etc… performed to make the tool run<br />
# Any and all changes to default security rules, tests, or checks used to achieve the results<br />
# Easily reproducible steps to run the tool<br />
<br />
== Reporting Format==<br />
<br />
The Benchmark includes tools to interpret raw tool output, compare it to the expected results, and generate summary charts and graphs. We use the following table format in order to capture all the information generated during the evaluation.<br />
<br />
{| class="wikitable nowraplinks"<br />
|-<br />
! style="background:#DDDDDD" | Security Category<br />
! TP<br />
! FN<br />
! TN<br />
! FP<br />
! style="background:#DDDDDD" | Total<br />
! TPR<br />
! FPR<br />
! style="background:#DDDDDD" | Score<br />
|-<br />
! style="background:#DDDDDD" valign="top" width="11%"| General security category for test cases.<br />
| valign="top" width="11%"| '''True Positives''': Tests with real vulnerabilities that were correctly reported as vulnerable by the tool.<br />
| valign="top" width="11%"| '''False Negative''': Tests with real vulnerabilities that were not correctly reported as vulnerable by the tool.<br />
| valign="top" width="11%"| '''True Negative''': Tests with fake vulnerabilities that were correctly not reported as vulnerable by the tool.<br />
| valign="top" width="11%"| '''False Positive''':Tests with fake vulnerabilities that were incorrectly reported as vulnerable by the tool.<br />
| style="background:#DDDDDD" valign="top" width="11%"| Total test cases for this category.<br />
| valign="top" width="11%"| '''True Positive Rate''': TP / ( TP + FN ) - Also referred to as Precision, as defined at [https://en.wikipedia.org/wiki/Precision_and_recall Wikipedia].<br />
| valign="top" width="11%"| '''False Positive Rate''': FP / ( FP + TN ).<br />
| style="background:#DDDDDD" valign="top" width="11%"| Normalized distance from the “guess line” TPR - FPR.<br />
|-<br />
! style="background:#DDDDDD" | Command Injection<br />
| ...<br />
| ...<br />
| ...<br />
| ...<br />
| style="background:#DDDDDD" | ...<br />
| ...<br />
| ...<br />
| style="background:#DDDDDD" | ...<br />
|-<br />
! style="background:#DDDDDD" | Etc...<br />
| ...<br />
| ...<br />
| ...<br />
| ...<br />
| style="background:#DDDDDD" | ...<br />
| ...<br />
| ...<br />
| style="background:#DDDDDD" | ...<br />
|-<br />
! style="background:#DDDDDD" | <br />
! Total TP<br />
! Total FN<br />
! Total TN<br />
! Total FP<br />
! style="background:#DDDDDD" | Total TC<br />
! Average TPR<br />
! Average FPR<br />
! style="background:#DDDDDD" | Average Score<br />
|}<br />
<br />
==Code Repo and Build/Run Instructions ==<br />
<br />
See the '''Getting Started''' and '''Getting, Building, and Running the Benchmark''' sections on the Quick Start tab.<br />
<br />
==Licensing==<br />
<br />
The OWASP Benchmark is free to use under the [http://choosealicense.com/licenses/gpl-2.0/ GNU General Public License v2.0].<br />
<br />
== Mailing List ==<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp-benchmark-project OWASP Benchmark Mailing List]<br />
<br />
== Project Leaders ==<br />
<br />
[https://www.owasp.org/index.php/User:Wichers Dave Wichers] [mailto:dave.wichers@owasp.org @]<br />
<br />
== Project References ==<br />
* [https://www.mir-swamp.org/#packages/public Software Assurance Marketplace (SWAMP) - set of curated packages to test tools against]<br />
* [http://samate.nist.gov/Other_Test_Collections.html SAMATE List of Test Collections]<br />
<br />
== Related Projects ==<br />
<br />
* [http://samate.nist.gov/SARD/testsuite.php NSA's Juliet for Java]<br />
* [http://sectoolmarket.com/ The Web Application Vulnerability Scanner Evaluation Project (WAVSEP)]<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
<br />
All test code and project files can be downloaded from [https://github.com/OWASP/benchmark OWASP GitHub].<br />
<br />
== Project Intro Video ==<br />
<br />
[[File:BenchmarkPodcastTitlePage.jpg|200px|link=https://www.youtube.com/watch?v=HQP8dwc3jJA&index=5&list=PLGB2s-U5FSWOmEStMt3JqlMFJvRYqeVW5]]<br />
<br />
== News and Events ==<br />
* LOOKING FOR VOLUNTEERS!! - We are looking for individuals and organizations to join and make this a much more community driven project, including additional coleaders to help take this project to the next level. Contributors could work on things like new test cases, additional tool scorecard generators, adding support for languages beyond Java, and a host of other improvements. Please contact [mailto:dave.wichers@owasp.org me] if you are interested in contributing at any level.<br />
* June 5, 2016 - Benchmark Version 1.2 Released<br />
* Sep 24, 2015 - Benchmark introduced to broader OWASP community at [https://appsecusa2015.sched.org/event/3r9k/using-the-owasp-benchmark-to-assess-automated-vulnerability-analysis-tools AppSec USA]<br />
* Aug 27, 2015 - U.S. Dept. of Homeland Security (DHS) is financially supporting the Benchmark project.<br />
* Aug 15, 2015 - Benchmark Version 1.2beta Released with full DAST Support. Checkmarx and ZAP scorecard generators also released.<br />
* July 10, 2015 - Benchmark Scorecard generator and open source scorecards released<br />
* May 23, 2015 - Benchmark Version 1.1 Released<br />
* April 15, 2015 - Benchmark Version 1.0 Released<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [http://choosealicense.com/licenses/gpl-2.0/ GNU General Public License v2.0]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= Test Cases =<br />
<br />
Version 1.0 of the Benchmark was published on April 15, 2015 and had 20,983 test cases. On May 23, 2015, version 1.1 of the Benchmark was released. The 1.1 release improves on the previous version by making sure that there are both true positives and false positives in every vulnerability area. Version 1.2 was released on June 5, 2016 (and the 1.2beta August 15, 2015).<br />
<br />
Version 1.2 and forward of the Benchmark is a fully executable web application, which means it is scannable by any kind of vulnerability detection tool. The 1.2 has been limited to slightly less than 3,000 test cases, to make it easier for DAST tools to scan it (so it doesn't take so long and they don't run out of memory, or blow up the size of their database). The 1.2 release covers the same vulnerability areas that 1.1 covers. We added a few Spring database SQL Injection tests, but that's it. The bulk of the work was turning each test case into something that actually runs correctly AND is fully exploitable, and then generating a UI on top of it that works in order to turn the test cases into a real running application.<br />
<br />
You can still download Benchmark version 1.1 by cloning the release marked with the GIT tag '1.1'.<br />
<br />
The test case areas and quantities for the Benchmark releases are:<br />
<br />
{| class="wikitable nowraplinks"<br />
|-<br />
! Vulnerability Area<br />
! # of Tests in v1.1<br />
! # of Tests in v1.2<br />
! CWE Number<br />
|-<br />
| [[Command Injection]]<br />
| 2708<br />
| 251<br />
| [https://cwe.mitre.org/data/definitions/78.html 78]<br />
|-<br />
| Weak Cryptography<br />
| 1440<br />
| 246<br />
| [https://cwe.mitre.org/data/definitions/327.html 327]<br />
|-<br />
| Weak Hashing<br />
| 1421<br />
| 236<br />
| [https://cwe.mitre.org/data/definitions/328.html 328]<br />
|-<br />
| [[LDAP injection | LDAP Injection]]<br />
| 736<br />
| 59<br />
| [https://cwe.mitre.org/data/definitions/90.html 90]<br />
|-<br />
| [[Path Traversal]]<br />
| 2630<br />
| 268<br />
| [https://cwe.mitre.org/data/definitions/22.html 22]<br />
|-<br />
| Secure Cookie Flag<br />
| 416<br />
| 67<br />
| [https://cwe.mitre.org/data/definitions/614.html 614]<br />
|-<br />
| [[SQL Injection]]<br />
| 3529<br />
| 504<br />
| [https://cwe.mitre.org/data/definitions/89.html 89]<br />
|-<br />
| [[Trust Boundary Violation]]<br />
| 725<br />
| 126<br />
| [https://cwe.mitre.org/data/definitions/501.html 501]<br />
|-<br />
| Weak Randomness<br />
| 3640<br />
| 493<br />
| [https://cwe.mitre.org/data/definitions/330.html 330]<br />
|-<br />
| [[XPATH Injection]]<br />
| 347<br />
| 35<br />
| [https://cwe.mitre.org/data/definitions/643.html 643]<br />
|-<br />
| [[XSS]] (Cross-Site Scripting)<br />
| 3449<br />
| 455<br />
| [https://cwe.mitre.org/data/definitions/79.html 79]<br />
|-<br />
| Total Test Cases<br />
| 21,041<br />
| 2,740<br />
|}<br />
<br />
Each Benchmark version comes with a spreadsheet that lists every test case, the vulnerability category, the CWE number, and the expected result (true finding/false positive). Look for the file: expectedresults-VERSION#.csv in the project root directory.<br />
<br />
Every test case is:<br />
* a servlet or JSP (currently they are all servlets, but we plan to add JSPs)<br />
* either a true vulnerability or a false positive for a single issue<br />
<br />
The Benchmark is intended to help determine how well analysis tools correctly analyze a broad array of application and framework behavior, including:<br />
<br />
* HTTP request and response problems<br />
* Simple and complex data flow<br />
* Simple and complex control flow<br />
* Popular frameworks<br />
* Inversion of control<br />
* Reflection<br />
* Class loading<br />
* Annotations<br />
* Popular UI technologies (particularly JavaScript frameworks)<br />
<br />
Not all of these are yet tested by the Benchmark but future enhancements intend to provide more coverage of these issues.<br />
<br />
Additional future enhancements could cover:<br />
* All vulnerability types in the [[Top10 | OWASP Top 10]]<br />
* Does the tool find flaws in libraries?<br />
* Does the tool find flaws spanning custom code and libraries?<br />
* Does tool handle web services? REST, XML, GWT, etc…<br />
* Does tool work with different app servers? Java platforms?<br />
<br />
== Example Test Case ==<br />
<br />
Each test case is a simple Java EE servlet. BenchmarkTest00001 in version 1.0 of the Benchmark was an LDAP Injection test with the following metadata in the accompanying BenchmarkTest00001.xml file:<br />
<br />
<test-metadata><br />
<category>ldapi</category><br />
<test-number>00001</test-number><br />
<vulnerability>true</vulnerability><br />
<cwe>90</cwe><br />
</test-metadata><br />
<br />
BenchmarkTest00001.java in the OWASP Benchmark 1.0 simply reads in all the cookie values, looks for a cookie named "foo", and uses the value of this cookie when performing an LDAP query. Here's the code for BenchmarkTest00001.java:<br />
<br />
package org.owasp.benchmark.testcode;<br />
<br />
import java.io.IOException;<br />
<br />
import javax.servlet.ServletException;<br />
import javax.servlet.annotation.WebServlet;<br />
import javax.servlet.http.HttpServlet;<br />
import javax.servlet.http.HttpServletRequest;<br />
import javax.servlet.http.HttpServletResponse;<br />
<br />
@WebServlet("/BenchmarkTest00001")<br />
public class BenchmarkTest00001 extends HttpServlet {<br />
<br />
private static final long serialVersionUID = 1L;<br />
<br />
@Override<br />
public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {<br />
doPost(request, response);<br />
}<br />
<br />
@Override<br />
public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {<br />
// some code<br />
<br />
javax.servlet.http.Cookie[] cookies = request.getCookies();<br />
<br />
String param = null;<br />
boolean foundit = false;<br />
if (cookies != null) {<br />
for (javax.servlet.http.Cookie cookie : cookies) {<br />
if (cookie.getName().equals("foo")) {<br />
param = cookie.getValue();<br />
foundit = true;<br />
}<br />
}<br />
if (!foundit) {<br />
// no cookie found in collection<br />
param = "";<br />
}<br />
} else {<br />
// no cookies<br />
param = "";<br />
}<br />
<br />
try {<br />
javax.naming.directory.DirContext dc = org.owasp.benchmark.helpers.Utils.getDirContext();<br />
Object[] filterArgs = {"a","b"};<br />
dc.search("name", param, filterArgs, new javax.naming.directory.SearchControls());<br />
} catch (javax.naming.NamingException e) {<br />
throw new ServletException(e);<br />
}<br />
}<br />
}<br />
<br />
= Test Case Details =<br />
<br />
The following describes situations in the Benchmark that have come up for debate as to the validity/accuracy of the test cases in these scenarios. <br />
<br />
== Cookies as a Source of Attack for XSS ==<br />
<br />
Benchmark v1.1 and early versions of the 1.2beta included test cases that used cookies as a source of data that flowed into XSS vulnerabilities. The Benchmark treated these tests as False Positives because the Benchmark team figured that you'd have to use an XSS vulnerability in the first place to set the cookie value, and so it wasn't fair/reasonable to consider an XSS vulnerability whose data source was a cookie value as actually exploitable. However, we got feedback from some tool vendors, like Fortify, Burp, and Arachni, that they disagreed with this analysis and felt that, in fact, cookies were a valid source of attack against XSS vulnerabilities. Given that there are good arguments on both sides of this safe vs. unsafe question, we decided on Aug 25, 2015 to simply remove those test cases from the Benchmark. If, in the future, we decide who is right, we may add such test cases back in.<br />
<br />
== Headers as a Source of Attack for XSS ==<br />
<br />
Similarly, the Benchmark team believes that the names of headers aren't a valid source of XSS attack for the same reason we thought cookie values aren't a valid source. Because it would require an XSS vulnerability to be exploited in the first place to set them. In fact, we feel that this argument is much stronger for header names, than cookie values. Right now, the Benchmark doesn't include any header names as sources for XSS test cases, but we plan to add them, and mark them as false positive in the Benchmark.<br />
<br />
We do have header values as sources for some XSS test cases in the Benchmark and only 'referer' is treated as a valid XSS source (i.e., true positives) because other headers are not viable XSS sources. Other headers are, of course, valid sources for other attack vectors, like SQL injection or Command Injection.<br />
<br />
== False Positive Scenario: Static Values Passed to Unsafe (Weak) Sinks ==<br />
<br />
The Benchmark has MANY test cases where unsafe data flows in from the browser, but that data is replaced with static content as it goes through the propagators in the that specific test case. This static (safe) data then flows to the sink, which may be a weak/unsafe sink, like, for example, an unsafely constructed SQL statement. The Benchmark treats those test cases as false positives because there is absolutely no way for that weakness to be exploited. The NSA Juliet SAST benchmark treats such test cases exactly the same way, as false positives. We do recognize that there are weaknesses in those test cases, even though they aren't exploitable.<br />
<br />
Some SAST tool vendors feel it is appropriate to point out those weaknesses, and that's fine. However, if the tool points those weaknesses out, and does not distinguish them from truly exploitable vulnerabilities, then the Benchmark treats those findings as false positives. If the tool allows a user to differentiate these non-exploitable weaknesses from exploitable vulnerabilities, then the Benchmark scorecard generator can use that information to filter out these extra findings (along with any other similarly marked findings) so they don't count against that tool when calculating that tool's Benchmark score. In the real world, its important for analysts to be able to filter out such findings if they only have time to deal with the most critical, actually exploitable, vulnerabilities. If a tool doesn't make it easy for an analyst to distinguish the two situations, then they are providing a disservice to the analyst.<br />
<br />
This issue doesn't affect DAST tools. They only report what appears to be exploitable to them. So this has no affect on them.<br />
<br />
If you are a SAST tool vendor or user, and you believe the Benchmark scorecard generator is counting such findings against that tool, and there is a way to tell them apart, please let the project team know so the scorecard generator can be adjusted to not count those findings against the tool. The Benchmark project's goal is the generate the most fair and accurate results it can generate. If such an adjustment is made to how a scorecard is generated for that tool, we plan to document this was done for that tool, and explain how others could perform the same filtering within that tool in order to get the same focused set of results.<br />
<br />
== Dead Code ==<br />
<br />
Some SAST tools point out weaknesses in dead code because they might eventually end up being used, and serve as bad coding examples (think cut/paste of code). We think this is fine/appropriate. However, there is no dead code in the OWASP Benchmark (at least not intentionally). So dead code should not be causing any tool to report unnecessary false positives.<br />
<br />
= Tool Support/Results =<br />
<br />
The results for 5 free tools, PMD, FindBugs, FindBugs with the FindSecBugs plugin, SonarQube and OWASP ZAP are available here against version 1.2 of the Benchmark: https://rawgit.com/OWASP/Benchmark/master/scorecard/OWASP_Benchmark_Home.html. We've included multiple versions of FindSecBugs' and ZAP's results so you can see the improvements they are making finding vulnerabilities in Benchmark.<br />
<br />
We have Benchmark results for all the following tools, but haven't publicly released the results for any commercial tools. However, we included a 'Commercial Average' page, which includes a summary of results for 6 commercial SAST tools along with anonymous versions of each SAST tool's scorecard.<br />
<br />
The Benchmark can generate results for the following tools: <br />
<br />
'''Free Static Application Security Testing (SAST) Tools:'''<br />
<br />
* [https://pmd.github.io/ PMD] (which really has no security rules) - .xml results file<br />
* [http://findbugs.sourceforge.net/ Findbugs] - .xml results file (Note: The 'new' Findbugs is now at: https://spotbugs.github.io/)<br />
* FindBugs with the [http://find-sec-bugs.github.io/ FindSecurityBugs plugin] - .xml results file<br />
* [https://www.sonarqube.org/downloads/ SonarQube] - .xml results file<br />
<br />
Note: We looked into supporting [http://checkstyle.sourceforge.net/ Checkstyle] but it has no security rules, just like PMD. The [http://fb-contrib.sourceforge.net/ fb-contrib] FindBugs plugin doesn't have any security rules either. We did test [http://errorprone.info/ Error Prone], and found that it does report some use of [http://errorprone.info/bugpattern/InsecureCipherMode) insecure ciphers (CWE-327)], but that's it.<br />
<br />
'''Commercial SAST Tools:'''<br />
<br />
* [http://www.castsoftware.com/products/application-intelligence-platform CAST Application Intelligence Platform (AIP)] - .xml results file<br />
* [https://www.checkmarx.com/products/static-application-security-testing/ Checkmarx CxSAST] - .xml results file<br />
* [https://www.synopsys.com/content/dam/synopsys/sig-assets/datasheets/SAST-Coverity-datasheet.pdf Synopsys Static Analysis (Formerly Coverity Code Advisor) (On-Demand and stand-alone versions)] - .json results file (You can scan Benchmark w/Coverity for free. See: https://scan.coverity.com/)<br />
* [https://software.microfocus.com/en-us/products/static-code-analysis-sast/overview Micro Focus (Formally HPE) Fortify (On-Demand and stand-alone versions)] - .fpr results file<br />
* [https://www.ibm.com/us-en/marketplace/ibm-appscan-source IBM AppScan Source (Standalone and Cloud)] - .ozasmt or .xml results file<br />
* [https://juliasoft.com/solutions/julia-for-security/ Julia Analyzer] - .xml results file<br />
* [https://www.parasoft.com/products/jtest/ Parasoft Jtest] - .xml results file<br />
* [https://www.shiftleft.io/product/ ShiftLeft SAST] - .sl results file (Benchmark specific format. Ask vendor how to generate this)<br />
* [https://www.sourcemeter.com/features/ SourceMeter] - .txt results file of ALL results from VulnerabilityHunter<br />
* [https://www.defensecode.com/thunderscan.php Thunderscan SAST] - .xml results file<br />
* [http://www.veracode.com/products/binary-static-analysis-sast Veracode SAST] - .xml results file<br />
* [https://www.rigs-it.com/xanitizer/ XANITIZER] - xml results file ([https://www.rigs-it.com/wp-content/uploads/2018/03/howtosetupxanitizerforowaspbenchmarkproject.pdf Their white paper on how to setup Xanitizer to scan Benchmark.]) (Free trial available)<br />
<br />
We are looking for results for other commercial static analysis tools like: [http://www.grammatech.com/codesonar Grammatech CodeSonar], [http://www.klocwork.com/products-services/klocwork Klocwork], etc. If you have a license for any static analysis tool not already listed above and can run it on the Benchmark and send us the results file that would be very helpful. <br />
<br />
The free SAST tools come bundled with the Benchmark so you can run them yourselves. If you have a license for any commercial SAST tool, you can also run them against the Benchmark. Just put your results files in the /results folder of the project, and then run the BenchmarkScore script for your platform (.sh / .bat) and it will generate a scorecard in the /scorecard directory for all the tools you have results for that are currently supported.<br />
<br />
'''Free Dynamic Application Security Testing (DAST) Tools:'''<br />
<br />
Note: While we support scorecard generators for these Free and Commercial DAST tools, we haven't been able to get a full/clean run against the Benchmark from most of these tools. As such, some of these scorecard generators might still need some work to properly reflect their results. If you notice any problems, let us know.<br />
<br />
* [http://www.arachni-scanner.com/ Arachni] - .xml results file<br />
** To generate .xml, run: ./bin/arachni_reporter "Your_AFR_Results_Filename.afr" --reporter=xml:outfile=Benchmark1.2-Arachni.xml<br />
* [https://www.owasp.org/index.php/ZAP OWASP ZAP] - .xml results file. To generate a complete ZAP XML results file so you can generate a valid scorecard, make sure you:<br />
** Tools > Options > Alerts - And set the Max alert instances to like 500.<br />
** Then: Report > Generate XML Report...<br />
<br />
'''Commercial DAST Tools:'''<br />
<br />
* [https://www.acunetix.com/vulnerability-scanner/ Acunetix Web Vulnerability Scanner (WVS)] - .xml results file (Generated using [https://www.acunetix.com/resources/wvs7manual.pdf command line interface (see Chapter 10.)] /ExportXML switch)<br />
* [https://portswigger.net/burp/ Burp Pro] - .xml results file<br />
**You must use Burp Pro v1.6.30+ to scan the Benchmark due to a limitation fixed in v1.6.30.<br />
* [https://software.microfocus.com/en-us/products/webinspect-dynamic-analysis-dast/overview Micro Focus (Formally HPE) WebInspect] - .xml results file<br />
* [http://www-03.ibm.com/software/products/en/appscan This was IBM AppScan (but I believe IBM sold this product off. To whom?] - .xml results file<br />
* [https://www.netsparker.com/web-vulnerability-scanner/ Netsparker] - .xml results file<br />
* [https://www.rapid7.com/products/appspider/ Rapid7 AppSpider] - .xml results file<br />
<br />
* Qualys - We ran Qualys against v1.2 of the Benchmark and it found none of the vulnerabilities we test for as far as we could tell. So we haven't implemented a scorecard generator for it. If you get results where you think it does find some real issues, send us the results file and, if confirmed, we'll produce a scorecard generator for it.<br />
<br />
If you have access to other DAST Tools, PLEASE RUN THEM FOR US against the Benchmark, and send us the results file so we can build a scorecard generator for that tool.<br />
<br />
'''Commercial Interactive Application Security Testing (IAST) Tools:'''<br />
<br />
* [https://www.contrastsecurity.com/interactive-application-security-testing-iast Contrast Assess] - .zip results file (You can scan Benchmark w/Contrast for free. See: https://www.contrastsecurity.com/contrast-community-edition)<br />
* [https://hdivsecurity.com/interactive-application-security-testing-iast Hdiv Detection (IAST)] - .hlg results file<br />
<br />
'''Commercial Hybrid Analysis Application Security Testing Tools:'''<br />
<br />
* [http://www.iappsecure.com/products.html Fusion Lite Insight] - .xml results file<br />
<br />
<br />
'''WARNING: If you generate results for a commercial tool, be careful who you distribute it to. Each tool has its own license defining when any results it produces can be released/made public. It may be against the terms of a commercial tool's license to publicly release that tool's score against the OWASP Benchmark. The OWASP Benchmark project takes no responsibility if someone else releases such results.'''<br />
<br />
The project has automated test harnesses for these vulnerability detection tools, so we can repeatably run the tools against each version of the Benchmark and automatically produce scorecards in our desired format.<br />
<br />
We want to test as many tools as possible against the Benchmark. If you are:<br />
<br />
* A tool vendor and want to participate in the project<br />
* Someone who wants to help score a free tool against the project<br />
* Someone who has a license to a commercial tool and the terms of the license allow you to publish tool results, and you want to participate<br />
<br />
please let [mailto:dave.wichers@owasp.org me] know!<br />
<br />
= Quick Start =<br />
<br />
==What is in the Benchmark?==<br />
The Benchmark is a Java Maven project. Its primary component is thousands of test cases (e.g., BenchmarkTest00001.java) , each of which is a single Java servlet that contains a single vulnerability (either a true positive or false positive). The vulnerabilities span about a dozen different types currently and are expected to expand significantly in the future.<br />
<br />
An expectedresults.csv is published with each version of the Benchmark (e.g., expectedresults-1.1.csv) and it specifically lists the expected results for each test case. Here’s what the first two rows in this file looks like for version 1.1 of the Benchmark:<br />
<br />
# test name category real vulnerability CWE Benchmark version: 1.1 2015-05-22<br />
BenchmarkTest00001 crypto TRUE 327<br />
<br />
This simply means that the first test case is a crypto test case (use of weak cryptographic algorithms), this is a real vulnerability (as opposed to a false positive), and this issue maps to CWE 327. It also indicates this expected results file is for Benchmark version 1.1 (produced May 22, 2015). There is a row in this file for each of the tens of thousands of test cases in the Benchmark. Each time a new version of the Benchmark is published, a new corresponding results file is generated and each test case can be completely different from one version to the next.<br />
<br />
The Benchmark also comes with a bunch of different utilities, commands, and prepackaged open source security analysis tools, all of which can be executed through Maven goals, including:<br />
<br />
* Open source vulnerability detection tools to be run against the Benchmark<br />
* A scorecard generator, which computes a scorecard for each of the tools you have results files for.<br />
<br />
==What Can You Do With the Benchmark?==<br />
* Compile all the software in the Benchmark project (e.g., mvn compile)<br />
* Run a static vulnerability analysis tool (SAST) against the Benchmark test case code<br />
<br />
* Scan a running version of the Benchmark with a dynamic application security testing tool (DAST)<br />
** Instructions on how to run it are provided below<br />
<br />
* Generate scorecards for each of the tools you have results files for<br />
** See the Tool Support/Results page for the list of tools the Benchmark supports generating scorecards for<br />
<br />
==Getting Started==<br />
Before downloading or using the Benchmark make sure you have the following installed and configured properly:<br />
<br />
GIT: http://git-scm.com/ or https://github.com/<br />
Maven: https://maven.apache.org/ (Version: 3.2.3 or newer works. We heard that 3.0.5 throws an error.)<br />
Java: http://www.oracle.com/technetwork/java/javase/downloads/index.html (Java 7 or 8) (64-bit) - Takes ALOT of memory to compile the Benchmark.<br />
<br />
==Getting, Building, and Running the Benchmark==<br />
<br />
To download and build everything:<br />
<br />
$ git clone https://github.com/OWASP/benchmark <br />
$ cd benchmark<br />
$ mvn compile (This compiles it)<br />
$ runBenchmark.sh/.bat - This compiles and runs it.<br />
<br />
Then navigate to: https://localhost:8443/benchmark/ to go to its home page. It uses a self signed SSL certificate, so you'll get a security warning when you hit the home page.<br />
<br />
Note: We have set the Benchmark app to use up to 6 Gig of RAM, which it may need when it is fully scanned by a DAST scanner. The DAST tool probably also requires 3+ Gig of RAM. As such, we recommend having a 16 Gig machine if you are going to try to run a full DAST scan. And at least 4 or ideally 8 Gig if you are going to play around with the running Benchmark app.<br />
<br />
== Using a VM instead ==<br />
We have several preconstructed VMs or instructions on how to build one that you can use instead:<br />
<br />
* Docker: A Dockerfile is checked into the project [https://github.com/OWASP/Benchmark/blob/master/VMs/Dockerfile here]. This Docker file should automatically produce a Docker VM with the latest Benchmark project files. After you have Docker installed, run: <br />
scripts/buildDockerImage.sh --> This builds the Docker Benchmark VM (This will take a WHILE)<br />
docker images --> You should see the new benchmark:latest image in the list provided<br />
# The Benchmark Docker Image only has to be created once. <br />
<br />
To run the Benchmark in your Docker VM, just run:<br />
scripts/runDockerImage.sh --> This clones the latest Benchmark from github, builds everything, and starts a remotely accessible Benchmark web app.<br />
If successful, you should see this at the end:<br />
[INFO] [talledLocalContainer] Tomcat 8.x started on port [8443]<br />
[INFO] Press Ctrl-C to stop the container...<br />
Then simply navigate to: https://localhost:8443/benchmark from the machine you are running Docker<br />
<br />
Or if you want to access from a different machine:<br />
run: docker-machine ls (in a different window) --> To get IP Docker VM is exporting (e.g., tcp://192.168.99.100:2376)<br />
Navigate to: https://192.168.99.100:8443/benchmark (using the above IP as an example)<br />
<br />
* Amazon Web Services (AWS) - Here's how you set up the Benchmark on an AWS VM:<br />
sudo yum install git<br />
sudo yum install maven<br />
sudo yum install mvn<br />
sudo wget http://repos.fedorapeople.org/repos/dchen/apache-maven/epel-apache-maven.repo -O /etc/yum.repos.d/epel-apache-maven.repo<br />
sudo sed -i s/\$releasever/6/g /etc/yum.repos.d/epel-apache-maven.repo<br />
sudo yum install -y apache-maven<br />
git clone https://github.com/OWASP/benchmark<br />
cd benchmark<br />
chmod 755 *.sh<br />
./runBenchmark.sh -- to run it locally on the VM.<br />
./runRemoteAccessibleBenchmark.sh -- to run it so it can be accessed outside the VM (on port 8443).<br />
<br />
==Running Free Static Analysis Tools Against the Benchmark==<br />
There are scripts for running each of the free SAST vulnerability detection tools included with the Benchmark against the Benchmark test cases. On Linux, you might have to make them executable (e.g., chmod 755 *.sh) before you can run them.<br />
<br />
Generating Test Results for PMD:<br />
<br />
$ ./scripts/runPMD.sh (Linux) or .\scripts\runPMD.bat (Windows)<br />
<br />
Generating Test Results for FindBugs:<br />
<br />
$ ./scripts/runFindBugs.sh (Linux) or .\scripts\runFindBugs.bat (Windows)<br />
<br />
Generating Test Results for FindBugs with the FindSecBugs plugin:<br />
<br />
$ ./scripts/runFindSecBugs.sh (Linux) or .\scripts\runFindSecBugs.bat (Windows)<br />
<br />
In each case, the script will generate a results file and put it in the /results directory. For example: <br />
<br />
Benchmark_1.2-findbugs-v3.0.1-1026.xml<br />
<br />
This results file name is carefully constructed to mean the following: It's a results file against the OWASP Benchmark version 1.2, FindBugs was the analysis tool, it was version 3.0.1 of FindBugs, and it took 1026 seconds to run the analysis.<br />
<br />
NOTE: If you create a results file yourself, by running a commercial tool for example, you can add the version # and the compute time to the filename just like this and the Benchmark Scorecard generator will pick this information up and include it in the generated scorecard. If you don't, depending on what metadata is included in the tool results, the Scorecard generator might do this automatically anyway.<br />
<br />
==Generating Scorecards==<br />
The scorecard generation application BenchmarkScore is included with the Benchmark. It parses the output files generated by any of the supported security tools run against the Benchmark and compares them against the expected results, and produces a set of web pages that detail the accuracy and speed of the tools involved. For the list of currently supported tools, check out the: Tools Support/Results tab. If you are using a tool that is not yet supported, simply send us a results file from that tool and we'll write a parser for that tool and add it to the supported tools list.<br />
<br />
The following command will compute a Benchmark scorecard for all the results files in the '''/results''' directory. The generated scorecard is put into the '''/scorecard''' directory.<br />
<br />
createScorecard.sh (Linux) or createScorecard.bat (Windows)<br />
<br />
An example of a real scorecard for some open source tools is provided at the top of the Tool Support/Results tab so you can see what one looks like.<br />
<br />
We recommend including the Benchmark version number in any results file name, in order to help prevent mismatches between the expected results and the actual results files. A tool will not score well against the wrong expected results.<br />
<br />
===Customizing Your Scorecard Generation===<br />
<br />
The createScorecard scripts are very simple. They only have one line. Here's what the 1.2 version looks like:<br />
<br />
mvn validate -Pbenchmarkscore -Dexec.args="expectedresults-1.2.csv results"<br />
<br />
This Maven command simply says to run the BenchmarkScore application, passing in two parameters. The 1st is the Benchmark expected results file to compare the tool results against. And the 2nd is the name of the directory that contains all the results from tools run against that version of the Benchmark. If you have tool results older than the current version of the Benchmark, like 1.1 results for example, then you would do something like this instead:<br />
<br />
mvn validate -Pbenchmarkscore -Dexec.args="expectedresults-1.1.csv 1.1_results"<br />
<br />
To keep things organized, we actually put the expected results file inside the same results folder for that version of the Benchmark, so our command looks like this:<br />
<br />
mvn validate -Pbenchmarkscore -Dexec.args="1.1_results/expectedresults-1.1.csv 1.1_results"<br />
<br />
In all cases, the generated scorecard is put in the /scorecard folder.<br />
<br />
'''WARNING: If you generate results for a commercial tool, be careful who you distribute it to. Each tool has its own license defining when any results it produces can be released/made public. It is likely to be against the terms of a commercial tool's license to publicly release that tool's score against the OWASP Benchmark. The OWASP Benchmark project takes no responsibility if someone else releases such results.''' It is for just this reason that the Benchmark project isn't releasing such results itself.<br />
<br />
= Tool Scanning Tips =<br />
<br />
People frequently have difficulty scanning the Benchmark with various tools due to many reasons, including size of the Benchmark app and its codebase, and complexity of the tools used. Here is some guidance for some of the tools we have used to scan the Benchmark. If you've learned any tricks on how to get better or easier results for a particular tool against the Benchmark, let us know or update this page directly.<br />
<br />
== Generic Tips ==<br />
<br />
Because of the size of the Benchmark, you may need to give your tool more memory before it starts the scan. If its a Java based tool, you may want to pass more memory to it like this:<br />
<br />
-Xmx4G (This gives the Java application 4 Gig of memory)<br />
<br />
== SAST Tools ==<br />
<br />
=== Checkmarx ===<br />
<br />
The Checkmarx SAST Tool (CxSAST) is ready to scan the OWASP Benchmark out-of-the-box. <br />
Please notice that the OWASP Benchmark “hides” some vulnerabilities in dead code areas, for example:<br />
<syntaxhighlight lang="java"><br />
if (0>1)<br />
{<br />
//vulnerable code<br />
}</syntaxhighlight><br />
By default, CxSAST will find these vulnerabilities since Checkmarx believes that including dead code in the scan results is a SAST best practice. <br />
<br />
Checkmarx's experience shows that security experts expect to find these types of code vulnerabilities, and demand that their developers fix them. However, OWASP Benchmark considers the flagging of these vulnerabilities as False Positives, as a result lowering Checkmarx's overall score. <br />
<br />
Therefore, in order to receive an OWASP score untainted by dead code, re-configure CxSAST as follows:<br />
# Open the CxAudit client for editing Java queries.<br />
# Override the "Find_Dead_Code" query.<br />
# Add the commented text of the original query to the new override query.<br />
# Save the queries.<br />
<br />
=== FindBugs ===<br />
<br />
We include this free tool in the Benchmark and its all dialed in. Simply run the script: ./script/runFindBugs.(sh or bat). If you want to run a different version of FindBugs, just change its version number in the Benchmark pom.xml file.<br />
<br />
=== FindBugs with FindSecBugs ===<br />
<br />
[http://h3xstream.github.io/find-sec-bugs/ FindSecurityBugs] is a great plugin for FindBugs that significantly increases the ability for FindBugs to find security issues. We include this free tool in the Benchmark and its all dialed in. Simply run the script: ./script/runFindSecBugs.(sh or bat). If you want to run a different version of FindSecBugs, just change the version number of the findsecbugs-plugin artifact in the Benchmark pom.xml file.<br />
<br />
=== Micro Focus (Formally HP) Fortify ===<br />
<br />
If you are using the Audit Workbench, you can give it more memory and make sure you invoke it in 64-bit mode by doing this:<br />
<br />
set AWB_VM_OPTS="-Xmx2G -XX:MaxPermSize=256m"<br />
export AWB_VM_OPTS="-Xmx2G -XX:MaxPermSize=256m"<br />
auditworkbench -64<br />
<br />
We found it was easier to use the Maven support in Fortify to scan the Benchmark and to do it in 2 phases, translate, and then scan. We did something like this:<br />
<br />
Translate Phase:<br />
export JAVA_HOME=$(/usr/libexec/java_home)<br />
export PATH=$PATH:/Applications/HP_Fortify/HP_Fortify_SCA_and_Apps_17.10/bin<br />
export SCA_VM_OPTS="-Xmx2G -version 1.7"<br />
mvn sca:clean<br />
mvn sca:translate<br />
<br />
Scan Phase:<br />
export JAVA_HOME=$(/usr/libexec/java_home)<br />
export PATH=$PATH:/Applications/HP_Fortify/HP_Fortify_SCA_and_Apps_4.10/bin<br />
export SCA_VM_OPTS="-Xmx10G -version 1.7"<br />
mvn sca:scan<br />
<br />
=== PMD ===<br />
<br />
We include this free tool in the Benchmark and its all dialed in. Simply run the script: ./script/runPMD.(sh or bat). If you want to run a different version of PMD, just change its version number in the Benchmark pom.xml file. (NOTE: PMD doesn't find any security issues. We include it because its interesting to know that it doesn't.)<br />
<br />
=== SonarQube ===<br />
<br />
We include this free tool in the Benchmark and its mostly dialed in. But its a bit tricky because SonarQube requires two parts. There is a stand alone scanner for Java. And then there is a web application that accepts the results, and in turn can then produce the results file required by the Benchmark scorecard generator for SonarQube. Running the script runSonarQube.(sh or bat) will generate the results, but if the SonarQube Web Application isn't running where the runSonarQube script expects it to be, then the script will fail.<br />
<br />
If you want to run a different version of SonarQube, just change its version number in the Benchmark pom.xml file.<br />
<br />
=== Xanitizer ===<br />
<br />
The vendor has written their own guide to [http://www.rigs-it.net/opendownloads/whitepapers/HowToSetUpXanitizerForOWASPBenchmarkProject.pdf How to Set Up Xanitizer for OWASP Benchmark].<br />
<br />
== DAST Tools ==<br />
<br />
=== Burp Pro ===<br />
<br />
You must use Burp Pro v1.6.29 or greater to scan the Benchmark due to a previous limitation in Burp Pro related to ensuring the path attribute for cookies was honored. This issue was fixed in the v1.6.29 release.<br />
<br />
To scan, first spider the entire Benchmark, and then select the /Benchmark URL and actively scan that branch. You can skip all the .html pages and any other pages that Burp says have no parameters.<br />
<br />
NOTE: We have been unable to simply run Burp Pro against the entire Benchmark in one shot. In our experience, it eventually freezes/stops scanning. We've had to run it against each test area one at a time. If you figure out how to get Burp Pro to scan all of Benchmark in one shot, let us know how you did it!<br />
<br />
=== OWASP ZAP ===<br />
<br />
ZAP may require additional memory to be able to scan the Benchmark. To configure the amount of memory:<br />
* Tools --> Options --> JVM: Recommend setting to: -Xmx2048m (or larger). (Then restart ZAP).<br />
<br />
To run ZAP against Benchmark:<br />
# Because Benchmark uses Cookies and Headers as sources of attack for many test cases: Tools --> Options --> Active Scan Input Vectors: Then check the HTTP Headers, All Requests, and Cookie Data checkboxes and hit OK<br />
# Click on Show All Tabs button (if spider tab isn't visible)<br />
# Go to Spider tab (the black spider) and click on New Scan button<br />
# Enter: https://localhost:8443/benchmark/ into the 'Starting Point' box and hit 'Start Scan'<br />
#* Do this again. For some reason it takes 2 passes with the Spider before it stops finding more Benchmark endpoints.<br />
# When Spider completes, click on 'benchmark' folder in Site Map, right click and select: 'Attack --> Active Scan'<br />
#* It will take several hours, like 3+ to complete (it's actually likely to simply freeze before completing the scan - see NOTE: below)<br />
<br />
For faster active scan you can<br />
* Disable the ZAP DB log (in ZAP 2.5.0+):<br />
** Disable it via Options / Database / Recover Log<br />
** Set it on the command line using "-config database.recoverylog=false"<br />
* Disable unnecessary plugins / Technologies: When you launch the Active Scan<br />
** On the Policy tab, disable all plugins except: XSS (Reflected), Path Traversal, SQLi, OS Command Injection<br />
** Go the Technology Tab, disable everything and only enable: MySQL, YOUR_OS, Tomcat<br />
** Note: This 2nd performance improvement step is a bit like cheating as you wouldn't do this for a normal site scan. You'd want to leave all this on in case these other plugins/technologies are helpful in finding more issues. So a fair performance comparison of ZAP to other tools would leave all this on.<br />
<br />
To generate the ZAP XML results file so you can generate its scorecard:<br />
* Tools > Options > Alerts - And set the Max alert instances to like 500.<br />
* Then: Report > Generate XML Report...<br />
<br />
NOTE: Similar to Burp, we can't simply run ZAP against the entire Benchmark in one shot. In our experience, it eventually freezes/stops scanning. We've had to run it against each test area one at a time. If you figure out how to get ZAP to scan all of Benchmark in one shot, let us know how you did it!<br />
<br />
Things we tried that didn't improve the score:<br />
* AJAX Spider - the traditional spider appears to find all (or 99%) of the test cases so the AJAX Spider does not appear to be needed against Benchmark v1.2<br />
* XSS (Persistent) - There are 3 of these plugins that run by default. There aren't any stored XSS in Benchmark, so you can disable these plugins for a faster scan.<br />
* DOM XSS Plugin - This is an optional plugin that didn't seem to find any additional XSS issues. There aren't an DOM specific XSS issues in Benchmark v1.2, so not surprising.<br />
<br />
== IAST Tools ==<br />
<br />
Interactive Application Security Testing (IAST) tools work differently than scanners. IAST tools monitor an application as it runs to identify application vulnerabilities using context from inside the running application. Typically these tools run continuously, immediately notifying users of vulnerabilities, but you can also get a full report of an entire application. To do this, we simply run the Benchmark application with an IAST agent and use a crawler to hit all the pages.<br />
<br />
=== Contrast Assess ===<br />
<br />
To use Contrast Assess, we simply add the Java agent to the Benchmark environment and run the BenchmarkCrawler. The entire process should only take a few minutes. We provided a few scripts, which simply add the -javaagent:contrast.jar flag to the Benchmark launch configuration. We have tested on MacOS, Ubuntu, and Windows. Be sure your VM has at least 4M of memory.<br />
<br />
* Ensure your environment has Java, Maven, and git installed, then build the Benchmark project<br />
'''$ git clone https://github.com/OWASP/Benchmark.git'''<br />
'''$ cd Benchmark'''<br />
'''$ mvn compile'''<br />
<br />
* Download a licensed copy of the Contrast Assess Java Agent (contrast.jar) from your Contrast TeamServer account and put it in the /Benchmark/tools/Contrast directory.<br />
'''$ cp ~/Downloads/contrast.jar tools/Contrast'''<br />
<br />
* In Terminal 1, launch the Benchmark application and wait until it starts<br />
'''$ ./runBenchmark_wContrast.sh''' (.bat on Windows)<br />
'''[INFO] Scanning for projects...<br />
'''[INFO] <br />
'''[INFO] ------------------------------------------------------------------------<br />
'''[INFO] Building OWASP Benchmark Project 1.2<br />
'''[INFO] ------------------------------------------------------------------------<br />
'''[INFO] <br />
'''...<br />
'''[INFO] [talledLocalContainer] Tomcat 8.x started on port [8443]'''<br />
'''[INFO] Press Ctrl-C to stop the container...'''<br />
<br />
* In Terminal 2, launch the crawler and wait a minute or two for the crawl to complete.<br />
'''$ ./runCrawler.sh''' (.bat on Windows)<br />
<br />
* A Contrast report has been generated in /Benchmark/tools/Contrast/working/contrast.log. This report will be automatically copied (and renamed with version number) to /Benchmark/results directory.<br />
'''$ more tools/Contrast/working/contrast.log'''<br />
'''2016-04-22 12:29:29,716 [main b] INFO - Contrast Runtime Engine<br />
'''2016-04-22 12:29:29,717 [main b] INFO - Copyright (C) 2012<br />
'''2016-04-22 12:29:29,717 [main b] INFO - Pat. 8,458,789 B2<br />
'''2016-04-22 12:29:29,717 [main b] INFO - Contrast Security, Inc.<br />
'''2016-04-22 12:29:29,717 [main b] INFO - All Rights Reserved<br />
'''2016-04-22 12:29:29,717 [main b] INFO - https://www.contrastsecurity.com/<br />
'''...'''<br />
<br />
* Press Ctrl-C to stop the Benchmark in Terminal 1. Note: on Windows, select "N" when asked Terminate batch job (Y/N))<br />
'''[INFO] [talledLocalContainer] Tomcat 8.x is stopped'''<br />
'''Copying Contrast report to results directory'''<br />
<br />
* Generate scorecards in /Benchmark/scorecard<br />
'''$ ./createScorecards.sh''' (.bat on Windows)<br />
'''Analyzing results from Benchmark_1.2-Contrast.log<br />
'''Actual results file generated: /Users/owasp/Projects/Benchmark/scorecard/Benchmark_v1.2_Scorecard_for_Contrast.csv<br />
'''Report written to: /Users/owasp/Projects/Benchmark/scorecard/Benchmark_v1.2_Scorecard_for_Contrast.html<br />
<br />
* Open the Benchmark Scorecard in your browser<br />
'''/Users/owasp/Projects/Benchmark/scorecard/Benchmark_v1.2_Scorecard_for_Contrast.html'''<br />
<br />
=== Hdiv Detection ===<br />
<br />
Hdiv has written their own instructions on how to run the detection component of their product on the Benchmark here: https://hdivsecurity.com/docs/features/benchmark/#how-to-run-hdiv-in-owasp-benchmark-project. You'll see that these instructions involve using the same crawler used to exercise all the test cases in the Benchmark, just like Contrast above.<br />
<br />
= RoadMap =<br />
<br />
Benchmark v1.0 - Released April 15, 2015 - This initial release included over 20,000 test cases in 11 different vulnerability categories. As this initial version was not a runnable application, it was only suitable for assessing static analysis tools (SAST).<br />
<br />
Benchmark v1.1 - Released May 23, 2015 - This update fixed some inaccurate test cases, and made sure that every vulnerability area included both True Positives and False Positives.<br />
<br />
Benchmark Scorecard Generator - Released July 10, 2015 - The ability to automatically and repeatably produce a scorecard of how well tools do against the Benchmark was released for most of the SAST tools supported by the Benchmark. Scorecards present graphical as well as statistical data on how well a tool does against the Benchmark down to the level of detail of how exactly it did against each individual test in the Benchmark. [https://rawgit.com/OWASP/Benchmark/master/scorecard/OWASP_Benchmark_Home.html Here are the latest public scorecards]. Support for producing scorecards for additional tools is being added all the time and the current full set is documented on the '''Tool Support/Results''' and '''Quick Start''' tabs of this wiki.<br />
<br />
Benchmark v1.2beta - Released Aug 15, 2015 - The 1st release of a fully runnable version of the Benchmark to support assessing all types of vulnerability detection and prevention technologies, including DAST, IAST, RASP, WAFs, etc. This involved creating a user interface for every test case, and enhancing each test case to make sure its actually exploitable, not just uses something that is theoretically weak. This release is under 3,000 test cases to make it practical to scan the entire Benchmark with a DAST tool in a reasonable amount of time, with commodity hardware specs.<br />
<br />
Benchmark 1.2 - Released June 5, 2016 - Based on feedback from a number of DAST tool developers, and other vendors as well, we made the Benchmark more realistic in a number of ways to facilitate external DAST scanning, and also made the Benchmark more resilient against attack so it could properly survive various DAST vulnerability detection and exploit verification techniques.<br />
<br />
Plans for Benchmark 1.3:<br />
<br />
While we don't have hard and fast rules of exactly what we are going to do next, enhancements in the following areas are planned for the next release:<br />
<br />
* Add new vulnerability categories (e.g., Hibernate Injection)<br />
* Add support for popular server side Java frameworks (e.g., Spring)<br />
* Add web services test cases<br />
<br />
We are also starting to work on the ability to score WAFs/RASPs and other defensive technology against Benchmark.<br />
<br />
= FAQ =<br />
<br />
==1. How are the scores computed for the Benchmark?==<br />
<br />
Each test case has a single vulnerability of a specific type. Its either a real vulnerability (True Positive) or not (a False Positive). We document all the test cases for each version of the Benchmark in the expectedresults-VERSION#.csv file (e.g., expectedresults-1.1.csv). This file lists the test case name, the CWE type of the vulnerability, and whether it is a True Positive or not. The Benchmark supports scorecard generators for computing exactly how a tool did when analyzing a version of the Benchmark. The full list of supported tools is on the Tools Support/Results tab. For each tool there is a parser that can parse the native results format for that tool (usually XML). This parser simply, for each test case, looks to see if that tool reported a vulnerability of the type expected in the test case source code file (for SAST) or the test case URL (for DAST/IAST). If it did, and the test case was a True Positive, the tool gets credit for finding it. If it is a False Positive test, and the tool reports that type of finding, then its recorded as a False Positive. If the tool didn't report that type of vulnerability for a test case, then they get either a False Negative, or a True Negative as appropriate. After calculating all of the individual test case results, a scorecard is generated providing a chart and statistics for that tool across all the vulnerability categories, and pages are also created comparing different tools to each other in each vulnerability category (if multiple tools are being scored together).<br />
<br />
A detailed file explaining exactly how that tool did against each individual test case in that version of the Benchmark is produced as part of scorecard generation, and is available via the Actual Results link on each tool's scorecard page. (e.g., Benchmark_v1.1_Scorecard_for_FindBugs.csv).<br />
<br />
==2. What if the tool I'm using doesn't have a scorecard generator for it?==<br />
<br />
Send us the results file! We'll be happy to create a parser for that tool so its now supported.<br />
<br />
==3. What if a tool finds other unexpected vulnerabilities?==<br />
<br />
We are sure there are vulnerabilities we didn't intend to be there and we are eliminating them as we find them. If you find some, let us know and we'll fix them too. We are primarily focused on unintentional vulnerabilities in the categories of vulnerabilities the Benchmark currently supports, since that is what is actually measured.<br />
<br />
Right now, two types of vulnerabilities that get reported are ignored by the scorecard generator:<br />
# Vulnerabilities in categories not yet supported<br />
# Vulnerabilities of a type that is supported, but reported in test cases not of that type<br />
<br />
In the case of #2, false positives reported in unexpected areas are also ignored, which is primarily a DAST problem. Right now those false positives are completely ignored, but we are thinking about including them in the false positive score in some fashion. We just haven't decided how yet.<br />
<br />
==4. How should I configure my tool to scan the Benchmark?==<br />
<br />
All tools support various levels of configuration in order to improve their results. The Benchmark project, in general, is trying to '''compare out of the box capabilities of tools'''. However, if a few simple tweaks to a tool can be done to improve that tool's score, that's fine. We'd like to understand what those simple tweaks are, and document them here, so others can repeat those tests in exactly the same way. For example, just turn on the 'test cookies and headers' flag, which is off by default. Or turn on the 'advanced' scan, so it will work harder, find more vulnerabilities. Its simple things like this we are talking about, not an extensive effort to teach the tool about the app, or perform 'expert' configuration of the tool.<br />
<br />
So, if you know of some simple tweaks to improve a tool's results, let us know what they are and we'll document them here so everyone can benefit and make it easier to do apples to apples comparisons. And we'll link to that guidance once we start documenting it, but we don't have any such guidance right now.<br />
<br />
==5. I'm having difficulty scanning the Benchmark with a DAST tool. How can I get it to work?==<br />
<br />
We've run into 2 primary issues giving DAST tools problems.<br />
<br />
a) The Benchmark Generates Lots of Cookies<br />
<br />
The Burp team pointed out a cookies bug in the 1.2beta Benchmark. Each Weak Randomness test case generates its own cookie, 1 per test case. This caused the creation of so many cookies that servers would eventually start returning 400 errors because there were simply too many cookies being submitted in a request. This was fixed in the Aug 27, 2015 update to the Benchmark by setting the path attribute for each of these cookies to be the path to that individual test case. Now, only at most one of these cookies should be submitted with each request, eliminating this 'too many cookies' problem. However, if a DAST tool doesn't honor this path attribute, it may continue to send too many cookies, making the Benchmark unscannable for that tool. Burp Pro prior to 1.6.29 had this issue, but it was fixed in the 1.6.29 release.<br />
<br />
b) The Benchmark is a BIG Application<br />
<br />
Yes. It is, so you might have to give your scanner more memory than it normally uses by default in order to successfully scan the entire Benchmark. Please consult your tool vendor's documentation on how to give it more memory.<br />
<br />
Your machine itself might not have enough memory in the first place. For example, we were not able to successfully scan the 1.2beta with OWASP ZAP with only 8 Gig of RAM. So, you might need a more powerful machine or use a cloud provided machine to successfully scan the Benchmark with certain DAST tools. You may have similar problems with SAST tools against large versions of the Benchmark, like the 1.1 release.<br />
<br />
= Acknowledgements =<br />
<br />
The following people, organizations, and many others, have contributed to this project and their contributions are much appreciated!<br />
<br />
* Lots of Vendors - Many vendors have provided us with either trial licenses we can use, or they have run their tools themselves and either sent us results files, or written and contributed scorecard generators for their tool. Many have also provided valuable feedback so we can make the Benchmark more accurate and more realistic.<br />
* Juan Gama - Development of initial release and continued support<br />
* Ken Prole - Assistance with automated scorecard development using CodeDx<br />
* Nick Sanidas - Development of initial release<br />
* Denim Group - Contribution of scan results to facilitate scorecard development<br />
* Tasos Laskos - Significant feedback on the DAST version of the Benchmark<br />
* Ann Campbell - From SonarSource - for fixing our SonarQube results parser<br />
* Dhiraj Mishra - OWASP Member - contributed SQLi/XSS fuzz vectors as initial contribution towards adding support for WAF/RASP scoring<br />
<br />
[[File:CWE_Logo.jpeg|link=https://cwe.mitre.org/]] - The CWE project for providing a mapping mechanism to easily map test cases to issues found by vulnerability detection tools.<br />
<br />
We are looking for volunteers. Please contact [mailto:dave.wichers@owasp.org Dave Wichers] if you are interested in contributing new test cases, tool results run against the benchmark, or anything else.<br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project]]</div>Wichershttps://wiki.owasp.org/index.php?title=Free_for_Open_Source_Application_Security_Tools&diff=244572Free for Open Source Application Security Tools2018-10-23T21:56:57Z<p>Wichers: /* Detecting Known Vulnerable Components */</p>
<hr />
<div>__NOTOC__<br />
== Introduction ==<br />
OWASP's mission is to help the world improve the security of its software. One of the best ways OWASP can do that is to help Open Source developers improve the software they are producing that everyone else relies on. As such, the following lists of '''automated vulnerability detection tools''' that are '''free for open source''' projects have been gathered together here to raise awareness of their availability.<br />
<br />
We would encourage open source projects to use the following types of tools to improve the security and quality of their code:<br />
* Static Application Security Testing ([[SAST]]) Tools <br />
* Dynamic Application Security Testing ([[DAST]]) Tools - (Primarily for web apps)<br />
* Interactive Application Security Testing (IAST) Tools - (Primarily for web apps and web APIs)<br />
* Keeping Open Source libraries up-to-date (to avoid [[Top 10-2017 A9-Using Components with Known Vulnerabilities|Using Components with Known Vulnerabilities (OWASP Top 10-2017 A9)]])<br />
* Static Code Quality Tools<br />
<br />
<br> '''Disclaimer:''' <b>OWASP does not endorse any of the Vendors or Scanning Tools by listing them below. They are simply listed if we believe they are free for use by open source projects. We have made every effort to provide this information as accurately as possible. If you are the vendor of a free for open source tool and think this information is incomplete or incorrect, please send an e-mail to dave.wichers (at) owasp.org and we will make every effort to correct this information.</b><br />
<br />
== Free for Open Source Tools ==<br />
Tools that are free for open source projects in each of the above categories are listed below.<br />
<br />
=== SAST Tools ===<br />
OWASP already maintains a page of known SAST tools: [[Source Code Analysis Tools]], which includes a list of those that are "Open Source or Free Tools Of This Type". Any such tools could certainly be used.<br />
<br />
In addition, we are aware of the following commercial SAST tools that are free for Open Source projects:<br />
* [https://scan.coverity.com/ Coverity Scan Static Analysis] - Can be lashed into Travis-CI so it's done automatically with online resources. Supports over a dozen programming languages as documented here in the section [https://www.synopsys.com/software-integrity/security-testing/static-analysis-sast.html Comprehensive support for these programming languages and frameworks].<br />
<br />
=== DAST Tools ===<br />
If your project has a web application component, we recommend running automated scans against it to look for vulnerabilities. OWASP maintains a page of known DAST Tools: [[:Category:Vulnerability Scanning Tools|Vulnerability Scanning Tools]], and the '''Licence''' column on this page indicates which of those tools have free capabilities. Our primary recommendation is to use one of these:<br />
* [[OWASP Zed Attack Proxy Project|OWASP ZAP]] - A full featured free and open source DAST tool that includes both automated scanning for vulnerabilities and tools to assist expert manual web app pen testing.<br />
** The ZAP team has also been working hard to make it easier to integrate ZAP into your CI/CD pipeline. (e.g., here's a [https://www.we45.com/blog/how-to-integrate-zap-into-jenkins-ci-pipeline-we45-blog blog post on how to integrate ZAP with Jenkins]).<br />
* [http://www.arachni-scanner.com/ Arachni] - Arachni is a commercially supported scanner, but its free for most use cases, including scanning open source projects.<br />
We are not aware of any other commercial grade tools that offer their full featured DAST product free for open source projects.<br />
<br />
=== IAST Tools ===<br />
IAST tools are typically geared to analyze Web Applications and Web APIs, but that is vendor specific. There may be IAST products that can perform good security analysis on non-web applications as well.<br />
<br />
We are aware of only one IAST Tool that is free for open source at this time:<br />
* [https://www.contrastsecurity.com/contrast-community-edition Contrast Community Edition (CE)] - Fully featured version for 1 app and up to 5 users (some Enterprise features disabled). Contrast CE supports Java only.<br />
<br />
=== Open Source Software (OSS) Security Tools ===<br />
OSS refers to the open source libraries or components that application developers leverage to quickly develop new applications and add features to existing apps. Gartner refers to the analysis of the security of these components as software composition analysis (SCA). So OSS Analysis and SCA are the same thing.<br />
<br />
OWASP recommends that all software projects generally try to keep the libraries they use as up-to-date as possible to reduce the likelihood of [[Top 10-2017 A9-Using Components with Known Vulnerabilities|Using Components with Known Vulnerabilities (OWASP Top 10-2017 A9)]]. There are two recommended approaches for this:<br />
<br />
==== Keeping Your Libraries Updated ====<br />
Using the latest version of each library is recommended because security issues are frequently fixed 'silently' by the component maintainer. By silently, we mean without publishing a [https://cve.mitre.org/ CVE] for the security fix.<br />
* [https://www.mojohaus.org/versions-maven-plugin/ Maven Versions plugin]<br />
** For Maven projects, can be used to generate a report of all dependencies used and when upgrades are available for them. Either a direct report, or part of the overall project documentation using: mvn site.<br />
* Dependabot - https://dependabot.com/<br />
** A GitHub only service that creates pull requests to keep your dependencies up-to-date. It automatically generates a pull request for each dependency you can upgrade, which you can then ignore, or accept, as you like. It supports tons of languages.<br />
** Recommended for all open source projects maintained on GitHub!<br />
<br />
==== Detecting Known Vulnerable Components ====<br />
As an alternative, or in addition to, trying to keep all your components up-to-date, a project can specifically monitor whether any of the components they use have known vulnerable components.<br />
<br />
Free tools of this type:<br />
* OWASP has its own free open source tool [[OWASP Dependency Check]] that is free for anyone to use.<br />
* GitHub: Security alerts for vulnerable dependencies - https://help.github.com/articles/about-security-alerts-for-vulnerable-dependencies/<br />
** A native GitHub feature that reports known vulnerable dependencies in your GitHub projects. Supports: Java, .NET, JavaScript, Ruby, and Python. Your GitHub projects are automatically signed up for this service.<br />
Commercial tools of this type that are free for open source:<br />
* Contrast Community Edition (CE) (mentioned earlier) also has both Known Vulnerable Component detection and Available Updates reporting for OSS. CE supports Java only.<br />
* Snyk - https://www.snyk.io - Supports Node.js, Ruby, Java, Python, Scala, Golang, .NET, PHP - Latest list here: https://snyk.io/docs<br />
** A Commercial tool that identifies vulnerable components and integrates with numerous CI/CD pipelines. It is free for open source: https://snyk.io/plans<br />
** If you don't want to grant Snyk write access to your repo (see it can auto-create pull requests) you can use the Command Line Interface (CLI) instead. See: https://snyk.io/docs/using-snyk. If you do this and want it to be free, you have to configure Snyk so it know its open source: https://support.snyk.io/snyk-cli/how-can-i-set-a-snyk-cli-project-as-open-source<br />
*** Another benefit of using the Snyk CLI is that it won't auto create Pull requests for you (which makes these 'issues' more public than you might prefer)<br />
** They also provide detailed information and remediation guidance for known vulnerabilities here: https://snyk.io/vuln<br />
* SourceClear - https://www.sourceclear.com/ - Supports: Java, Ruby, JavaScript, Python, Objective C, GO, PHP<br />
** They have a free trial right from their [https://www.sourceclear.com/ home page]. When the 30 day trial expires, it converts into a free "Personal Account" per: "Upgrade at any time to get the features that matter most to you, or choose the Personal plan when your trial ends." Personal Account described here: https://www.sourceclear.com/pricing/<br />
** They also make their component vulnerability data (for publicly known vulns) free to search: https://www.sourceclear.com/vulnerability-database/search#_ (Very useful when trying to research a particular library)<br />
* WhiteSource Bolt - Supports 200+ programming languages. https://www.whitesourcesoftware.com/<br />
** Azure version: https://marketplace.visualstudio.com/items?itemName=whitesource.ws-bolt<br />
** GitHub version: https://github.com/apps/whitesource-bolt-for-github Available starting in Nov. 2018.<br />
<br />
=== Code Quality tools ===<br />
Quality has a significant correlation to security. As such, we recommend open source projects also consider using good code quality tools. A few that we are aware of are:<br />
* SpotBugs (https://github.com/spotbugs/spotbugs) - Open source code quality tool for Java<br />
** This is the active fork for FindBugs, so if you use Findbugs, you should switch to this.<br />
** SpotBugs users should add the FindSecBugs plugin (http://find-sec-bugs.github.io/) to their SpotBugs setup, as it significantly improves on the very basic security checking native to SpotBugs.<br />
<br />
* SonarQube (https://www.sonarqube.org/)<br />
** This is a commercially supported, very popular, free (and commercial) code quality tool. It includes most if not all the FindSecBugs security rules plus lots more for quality, including a free, internet online CI setup to run it against your open source projects. SonarQube supports numerous languages: https://www.sonarqube.org/features/multi-languages/<br />
<br />
Please let us know if you are aware of any other high quality application security tools that are free for open source (or simply add them to this page). We are particularly interested in identifying and listing commercial tools that are free for open source, as they tend to be better and easier to use than open source (free) tools. If you are aware of any missing from this list, please add them, or let us know (dave.wichers (at) owasp.org) and we'll confirm they are free, and add them for you. Please encourage your favorite commercial tool vendor to make their tool free for open source projects as well!!<br />
<br />
Finally, please forward this page to the open source projects you rely on and encourage them to use these free tools!</div>Wichershttps://wiki.owasp.org/index.php?title=Free_for_Open_Source_Application_Security_Tools&diff=244571Free for Open Source Application Security Tools2018-10-23T21:42:40Z<p>Wichers: Add SourceClear to list of Detecting Vulnerable Components Tools</p>
<hr />
<div>__NOTOC__<br />
== Introduction ==<br />
OWASP's mission is to help the world improve the security of its software. One of the best ways OWASP can do that is to help Open Source developers improve the software they are producing that everyone else relies on. As such, the following lists of '''automated vulnerability detection tools''' that are '''free for open source''' projects have been gathered together here to raise awareness of their availability.<br />
<br />
We would encourage open source projects to use the following types of tools to improve the security and quality of their code:<br />
* Static Application Security Testing ([[SAST]]) Tools <br />
* Dynamic Application Security Testing ([[DAST]]) Tools - (Primarily for web apps)<br />
* Interactive Application Security Testing (IAST) Tools - (Primarily for web apps and web APIs)<br />
* Keeping Open Source libraries up-to-date (to avoid [[Top 10-2017 A9-Using Components with Known Vulnerabilities|Using Components with Known Vulnerabilities (OWASP Top 10-2017 A9)]])<br />
* Static Code Quality Tools<br />
<br />
<br> '''Disclaimer:''' <b>OWASP does not endorse any of the Vendors or Scanning Tools by listing them below. They are simply listed if we believe they are free for use by open source projects. We have made every effort to provide this information as accurately as possible. If you are the vendor of a free for open source tool and think this information is incomplete or incorrect, please send an e-mail to dave.wichers (at) owasp.org and we will make every effort to correct this information.</b><br />
<br />
== Free for Open Source Tools ==<br />
Tools that are free for open source projects in each of the above categories are listed below.<br />
<br />
=== SAST Tools ===<br />
OWASP already maintains a page of known SAST tools: [[Source Code Analysis Tools]], which includes a list of those that are "Open Source or Free Tools Of This Type". Any such tools could certainly be used.<br />
<br />
In addition, we are aware of the following commercial SAST tools that are free for Open Source projects:<br />
* [https://scan.coverity.com/ Coverity Scan Static Analysis] - Can be lashed into Travis-CI so it's done automatically with online resources. Supports over a dozen programming languages as documented here in the section [https://www.synopsys.com/software-integrity/security-testing/static-analysis-sast.html Comprehensive support for these programming languages and frameworks].<br />
<br />
=== DAST Tools ===<br />
If your project has a web application component, we recommend running automated scans against it to look for vulnerabilities. OWASP maintains a page of known DAST Tools: [[:Category:Vulnerability Scanning Tools|Vulnerability Scanning Tools]], and the '''Licence''' column on this page indicates which of those tools have free capabilities. Our primary recommendation is to use one of these:<br />
* [[OWASP Zed Attack Proxy Project|OWASP ZAP]] - A full featured free and open source DAST tool that includes both automated scanning for vulnerabilities and tools to assist expert manual web app pen testing.<br />
** The ZAP team has also been working hard to make it easier to integrate ZAP into your CI/CD pipeline. (e.g., here's a [https://www.we45.com/blog/how-to-integrate-zap-into-jenkins-ci-pipeline-we45-blog blog post on how to integrate ZAP with Jenkins]).<br />
* [http://www.arachni-scanner.com/ Arachni] - Arachni is a commercially supported scanner, but its free for most use cases, including scanning open source projects.<br />
We are not aware of any other commercial grade tools that offer their full featured DAST product free for open source projects.<br />
<br />
=== IAST Tools ===<br />
IAST tools are typically geared to analyze Web Applications and Web APIs, but that is vendor specific. There may be IAST products that can perform good security analysis on non-web applications as well.<br />
<br />
We are aware of only one IAST Tool that is free for open source at this time:<br />
* [https://www.contrastsecurity.com/contrast-community-edition Contrast Community Edition (CE)] - Fully featured version for 1 app and up to 5 users (some Enterprise features disabled). Contrast CE supports Java only.<br />
<br />
=== Open Source Software (OSS) Security Tools ===<br />
OSS refers to the open source libraries or components that application developers leverage to quickly develop new applications and add features to existing apps. Gartner refers to the analysis of the security of these components as software composition analysis (SCA). So OSS Analysis and SCA are the same thing.<br />
<br />
OWASP recommends that all software projects generally try to keep the libraries they use as up-to-date as possible to reduce the likelihood of [[Top 10-2017 A9-Using Components with Known Vulnerabilities|Using Components with Known Vulnerabilities (OWASP Top 10-2017 A9)]]. There are two recommended approaches for this:<br />
<br />
==== Keeping Your Libraries Updated ====<br />
Using the latest version of each library is recommended because security issues are frequently fixed 'silently' by the component maintainer. By silently, we mean without publishing a [https://cve.mitre.org/ CVE] for the security fix.<br />
* [https://www.mojohaus.org/versions-maven-plugin/ Maven Versions plugin]<br />
** For Maven projects, can be used to generate a report of all dependencies used and when upgrades are available for them. Either a direct report, or part of the overall project documentation using: mvn site.<br />
* Dependabot - https://dependabot.com/<br />
** A GitHub only service that creates pull requests to keep your dependencies up-to-date. It automatically generates a pull request for each dependency you can upgrade, which you can then ignore, or accept, as you like. It supports tons of languages.<br />
** Recommended for all open source projects maintained on GitHub!<br />
<br />
==== Detecting Known Vulnerable Components ====<br />
As an alternative, or in addition to, trying to keep all your components up-to-date, a project can specifically monitor whether any of the components they use have known vulnerable components.<br />
<br />
Free tools of this type:<br />
* OWASP has its own free open source tool [[OWASP Dependency Check]] that is free for anyone to use.<br />
* GitHub: Security alerts for vulnerable dependencies - https://help.github.com/articles/about-security-alerts-for-vulnerable-dependencies/<br />
** A native GitHub feature that reports known vulnerable dependencies in your GitHub projects. Supports: Java, .NET, JavaScript, Ruby, and Python. Your GitHub projects are automatically signed up for this service.<br />
Commercial tools of this type that are free for open source:<br />
* Contrast Community Edition (CE) (mentioned earlier) also has both Known Vulnerable Component detection and Available Updates reporting for OSS. CE supports Java only.<br />
* Snyk - https://www.snyk.io - Supports Node.js, Ruby, Java, Python, Scala, Golang, .NET, PHP - Latest list here: https://snyk.io/docs<br />
** A Commercial tool that identifies vulnerable components and integrates with numerous CI/CD pipelines. It is free for open source: https://snyk.io/plans<br />
** If you don't want to grant Snyk write access to your repo (see it can auto-create pull requests) you can use the Command Line Interface (CLI) instead. See: https://snyk.io/docs/using-snyk. If you do this and want it to be free, you have to configure Snyk so it know its open source: https://support.snyk.io/snyk-cli/how-can-i-set-a-snyk-cli-project-as-open-source<br />
*** Another benefit of using the Snyk CLI is that it won't auto create Pull requests for you (which makes these 'issues' more public than you might prefer)<br />
* SourceClear - https://www.sourceclear.com/ - Supports: Java, Ruby, JavaScript, Python, Objective C, GO, PHP<br />
** They have a free trial right from their [https://www.sourceclear.com/ home page]. When the 30 day trial expires, it converts into a free "Personal Account" per: "Upgrade at any time to get the features that matter most to you, or choose the Personal plan when your trial ends." Personal Account described here: https://www.sourceclear.com/pricing/<br />
** They also make their component vulnerability data free to search: https://www.sourceclear.com/vulnerability-database/search#_ (Very useful when trying to research a particular library)<br />
* WhiteSource Bolt - Supports 200+ programming languages. https://www.whitesourcesoftware.com/<br />
** Azure version: https://marketplace.visualstudio.com/items?itemName=whitesource.ws-bolt<br />
** GitHub version: https://github.com/apps/whitesource-bolt-for-github Available starting in Nov. 2018.<br />
<br />
=== Code Quality tools ===<br />
Quality has a significant correlation to security. As such, we recommend open source projects also consider using good code quality tools. A few that we are aware of are:<br />
* SpotBugs (https://github.com/spotbugs/spotbugs) - Open source code quality tool for Java<br />
** This is the active fork for FindBugs, so if you use Findbugs, you should switch to this.<br />
** SpotBugs users should add the FindSecBugs plugin (http://find-sec-bugs.github.io/) to their SpotBugs setup, as it significantly improves on the very basic security checking native to SpotBugs.<br />
<br />
* SonarQube (https://www.sonarqube.org/)<br />
** This is a commercially supported, very popular, free (and commercial) code quality tool. It includes most if not all the FindSecBugs security rules plus lots more for quality, including a free, internet online CI setup to run it against your open source projects. SonarQube supports numerous languages: https://www.sonarqube.org/features/multi-languages/<br />
<br />
Please let us know if you are aware of any other high quality application security tools that are free for open source (or simply add them to this page). We are particularly interested in identifying and listing commercial tools that are free for open source, as they tend to be better and easier to use than open source (free) tools. If you are aware of any missing from this list, please add them, or let us know (dave.wichers (at) owasp.org) and we'll confirm they are free, and add them for you. Please encourage your favorite commercial tool vendor to make their tool free for open source projects as well!!<br />
<br />
Finally, please forward this page to the open source projects you rely on and encourage them to use these free tools!</div>Wichershttps://wiki.owasp.org/index.php?title=Free_for_Open_Source_Application_Security_Tools&diff=244570Free for Open Source Application Security Tools2018-10-23T21:03:23Z<p>Wichers: Add Snyk CLI instructions</p>
<hr />
<div>__NOTOC__<br />
== Introduction ==<br />
OWASP's mission is to help the world improve the security of its software. One of the best ways OWASP can do that is to help Open Source developers improve the software they are producing that everyone else relies on. As such, the following lists of '''automated vulnerability detection tools''' that are '''free for open source''' projects have been gathered together here to raise awareness of their availability.<br />
<br />
We would encourage open source projects to use the following types of tools to improve the security and quality of their code:<br />
* Static Application Security Testing ([[SAST]]) Tools <br />
* Dynamic Application Security Testing ([[DAST]]) Tools - (Primarily for web apps)<br />
* Interactive Application Security Testing (IAST) Tools - (Primarily for web apps and web APIs)<br />
* Keeping Open Source libraries up-to-date (to avoid [[Top 10-2017 A9-Using Components with Known Vulnerabilities|Using Components with Known Vulnerabilities (OWASP Top 10-2017 A9)]])<br />
* Static Code Quality Tools<br />
<br />
<br> '''Disclaimer:''' <b>OWASP does not endorse any of the Vendors or Scanning Tools by listing them below. They are simply listed if we believe they are free for use by open source projects. We have made every effort to provide this information as accurately as possible. If you are the vendor of a free for open source tool and think this information is incomplete or incorrect, please send an e-mail to dave.wichers (at) owasp.org and we will make every effort to correct this information.</b><br />
<br />
== Free for Open Source Tools ==<br />
Tools that are free for open source projects in each of the above categories are listed below.<br />
<br />
=== SAST Tools ===<br />
OWASP already maintains a page of known SAST tools: [[Source Code Analysis Tools]], which includes a list of those that are "Open Source or Free Tools Of This Type". Any such tools could certainly be used.<br />
<br />
In addition, we are aware of the following commercial SAST tools that are free for Open Source projects:<br />
* [https://scan.coverity.com/ Coverity Scan Static Analysis] - Can be lashed into Travis-CI so it's done automatically with online resources. Supports over a dozen programming languages as documented here in the section [https://www.synopsys.com/software-integrity/security-testing/static-analysis-sast.html Comprehensive support for these programming languages and frameworks].<br />
<br />
=== DAST Tools ===<br />
If your project has a web application component, we recommend running automated scans against it to look for vulnerabilities. OWASP maintains a page of known DAST Tools: [[:Category:Vulnerability Scanning Tools|Vulnerability Scanning Tools]], and the '''Licence''' column on this page indicates which of those tools have free capabilities. Our primary recommendation is to use one of these:<br />
* [[OWASP Zed Attack Proxy Project|OWASP ZAP]] - A full featured free and open source DAST tool that includes both automated scanning for vulnerabilities and tools to assist expert manual web app pen testing.<br />
** The ZAP team has also been working hard to make it easier to integrate ZAP into your CI/CD pipeline. (e.g., here's a [https://www.we45.com/blog/how-to-integrate-zap-into-jenkins-ci-pipeline-we45-blog blog post on how to integrate ZAP with Jenkins]).<br />
* [http://www.arachni-scanner.com/ Arachni] - Arachni is a commercially supported scanner, but its free for most use cases, including scanning open source projects.<br />
We are not aware of any other commercial grade tools that offer their full featured DAST product free for open source projects.<br />
<br />
=== IAST Tools ===<br />
IAST tools are typically geared to analyze Web Applications and Web APIs, but that is vendor specific. There may be IAST products that can perform good security analysis on non-web applications as well.<br />
<br />
We are aware of only one IAST Tool that is free for open source at this time:<br />
* [https://www.contrastsecurity.com/contrast-community-edition Contrast Community Edition (CE)] - Fully featured version for 1 app and up to 5 users (some Enterprise features disabled). Contrast CE supports Java only.<br />
<br />
=== Open Source Software (OSS) Security Tools ===<br />
OSS refers to the open source libraries or components that application developers leverage to quickly develop new applications and add features to existing apps. Gartner refers to the analysis of the security of these components as software composition analysis (SCA). So OSS Analysis and SCA are the same thing.<br />
<br />
OWASP recommends that all software projects generally try to keep the libraries they use as up-to-date as possible to reduce the likelihood of [[Top 10-2017 A9-Using Components with Known Vulnerabilities|Using Components with Known Vulnerabilities (OWASP Top 10-2017 A9)]]. There are two recommended approaches for this:<br />
<br />
==== Keeping Your Libraries Updated ====<br />
Using the latest version of each library is recommended because security issues are frequently fixed 'silently' by the component maintainer. By silently, we mean without publishing a [https://cve.mitre.org/ CVE] for the security fix.<br />
* [https://www.mojohaus.org/versions-maven-plugin/ Maven Versions plugin]<br />
** For Maven projects, can be used to generate a report of all dependencies used and when upgrades are available for them. Either a direct report, or part of the overall project documentation using: mvn site.<br />
* Dependabot - https://dependabot.com/<br />
** A GitHub only service that creates pull requests to keep your dependencies up-to-date. It automatically generates a pull request for each dependency you can upgrade, which you can then ignore, or accept, as you like. It supports tons of languages.<br />
** Recommended for all open source projects maintained on GitHub!<br />
<br />
==== Detecting Known Vulnerable Components ====<br />
As an alternative, or in addition to, trying to keep all your components up-to-date, a project can specifically monitor whether any of the components they use have known vulnerable components.<br />
<br />
Free tools of this type:<br />
* OWASP has its own free open source tool [[OWASP Dependency Check]] that is free for anyone to use.<br />
* GitHub: Security alerts for vulnerable dependencies - https://help.github.com/articles/about-security-alerts-for-vulnerable-dependencies/<br />
** A native GitHub feature that reports known vulnerable dependencies in your GitHub projects. Supports: Java, .NET, JavaScript, Ruby, and Python. Your GitHub projects are automatically signed up for this service.<br />
Commercial tools of this type that are free for open source:<br />
* Contrast Community Edition (CE) (mentioned earlier) also has both Known Vulnerable Component detection and Available Updates reporting for OSS. CE supports Java only.<br />
* Snyk - https://www.snyk.io - Supports Node.js, Ruby, Java, Python, Scala, Golang, .NET, PHP - Latest list here: https://snyk.io/docs<br />
** A Commercial tool that identifies vulnerable components and integrates with numerous CI/CD pipelines. It is free for open source: https://snyk.io/plans<br />
** If you don't want to grant Snyk write access to your repo (see it can auto-create pull requests) you can use the Command Line Interface (CLI) instead. See: https://snyk.io/docs/using-snyk. If you do this and want it to be free, you have to configure Snyk so it know its open source: https://support.snyk.io/snyk-cli/how-can-i-set-a-snyk-cli-project-as-open-source<br />
*** Another benefit of using the Snyk CLI is that it won't auto create Pull requests for you (which makes these 'issues' more public than you might prefer)<br />
* WhiteSource Bolt - Supports 200+ programming languages. https://www.whitesourcesoftware.com/<br />
** Azure version: https://marketplace.visualstudio.com/items?itemName=whitesource.ws-bolt<br />
** GitHub version: https://github.com/apps/whitesource-bolt-for-github Available starting in Nov. 2018.<br />
<br />
=== Code Quality tools ===<br />
Quality has a significant correlation to security. As such, we recommend open source projects also consider using good code quality tools. A few that we are aware of are:<br />
* SpotBugs (https://github.com/spotbugs/spotbugs) - Open source code quality tool for Java<br />
** This is the active fork for FindBugs, so if you use Findbugs, you should switch to this.<br />
** SpotBugs users should add the FindSecBugs plugin (http://find-sec-bugs.github.io/) to their SpotBugs setup, as it significantly improves on the very basic security checking native to SpotBugs.<br />
<br />
* SonarQube (https://www.sonarqube.org/)<br />
** This is a commercially supported, very popular, free (and commercial) code quality tool. It includes most if not all the FindSecBugs security rules plus lots more for quality, including a free, internet online CI setup to run it against your open source projects. SonarQube supports numerous languages: https://www.sonarqube.org/features/multi-languages/<br />
<br />
Please let us know if you are aware of any other high quality application security tools that are free for open source (or simply add them to this page). We are particularly interested in identifying and listing commercial tools that are free for open source, as they tend to be better and easier to use than open source (free) tools. If you are aware of any missing from this list, please add them, or let us know (dave.wichers (at) owasp.org) and we'll confirm they are free, and add them for you. Please encourage your favorite commercial tool vendor to make their tool free for open source projects as well!!<br />
<br />
Finally, please forward this page to the open source projects you rely on and encourage them to use these free tools!</div>Wichershttps://wiki.owasp.org/index.php?title=Free_for_Open_Source_Application_Security_Tools&diff=244358Free for Open Source Application Security Tools2018-10-18T14:55:19Z<p>Wichers: /* Detecting Known Vulnerable Components */</p>
<hr />
<div>__NOTOC__<br />
== Introduction ==<br />
OWASP's mission is to help the world improve the security of its software. One of the best ways OWASP can do that is to help Open Source developers improve the software they are producing that everyone else relies on. As such, the following lists of '''automated vulnerability detection tools''' that are '''free for open source''' projects have been gathered together here to raise awareness of their availability.<br />
<br />
We would encourage open source projects to use the following types of tools to improve the security and quality of their code:<br />
* Static Application Security Testing ([[SAST]]) Tools <br />
* Dynamic Application Security Testing ([[DAST]]) Tools - (Primarily for web apps)<br />
* Interactive Application Security Testing (IAST) Tools - (Primarily for web apps and web APIs)<br />
* Keeping Open Source libraries up-to-date (to avoid [[Top 10-2017 A9-Using Components with Known Vulnerabilities|Using Components with Known Vulnerabilities (OWASP Top 10-2017 A9)]])<br />
* Static Code Quality Tools<br />
<br />
<br> '''Disclaimer:''' <b>OWASP does not endorse any of the Vendors or Scanning Tools by listing them below. They are simply listed if we believe they are free for use by open source projects. We have made every effort to provide this information as accurately as possible. If you are the vendor of a free for open source tool and think this information is incomplete or incorrect, please send an e-mail to dave.wichers (at) owasp.org and we will make every effort to correct this information.</b><br />
<br />
== Free for Open Source Tools ==<br />
Tools that are free for open source projects in each of the above categories are listed below.<br />
<br />
=== SAST Tools ===<br />
OWASP already maintains a page of known SAST tools: [[Source Code Analysis Tools]], which includes a list of those that are "Open Source or Free Tools Of This Type". Any such tools could certainly be used.<br />
<br />
In addition, we are aware of the following commercial SAST tools that are free for Open Source projects:<br />
* [https://scan.coverity.com/ Coverity Scan Static Analysis] - Can be lashed into Travis-CI so it's done automatically with online resources. Supports over a dozen programming languages as documented here in the section [https://www.synopsys.com/software-integrity/security-testing/static-analysis-sast.html Comprehensive support for these programming languages and frameworks].<br />
<br />
=== DAST Tools ===<br />
If your project has a web application component, we recommend running automated scans against it to look for vulnerabilities. OWASP maintains a page of known DAST Tools: [[:Category:Vulnerability Scanning Tools|Vulnerability Scanning Tools]], and the '''Licence''' column on this page indicates which of those tools have free capabilities. Our primary recommendation is to use one of these:<br />
* [[OWASP Zed Attack Proxy Project|OWASP ZAP]] - A full featured free and open source DAST tool that includes both automated scanning for vulnerabilities and tools to assist expert manual web app pen testing.<br />
** The ZAP team has also been working hard to make it easier to integrate ZAP into your CI/CD pipeline. (e.g., here's a [https://www.we45.com/blog/how-to-integrate-zap-into-jenkins-ci-pipeline-we45-blog blog post on how to integrate ZAP with Jenkins]).<br />
* [http://www.arachni-scanner.com/ Arachni] - Arachni is a commercially supported scanner, but its free for most use cases, including scanning open source projects.<br />
We are not aware of any other commercial grade tools that offer their full featured DAST product free for open source projects.<br />
<br />
=== IAST Tools ===<br />
IAST tools are typically geared to analyze Web Applications and Web APIs, but that is vendor specific. There may be IAST products that can perform good security analysis on non-web applications as well.<br />
<br />
We are aware of only one IAST Tool that is free for open source at this time:<br />
* [https://www.contrastsecurity.com/contrast-community-edition Contrast Community Edition (CE)] - Fully featured version for 1 app and up to 5 users (some Enterprise features disabled). Contrast CE supports Java only.<br />
<br />
=== Open Source Software (OSS) Security Tools ===<br />
OSS refers to the open source libraries or components that application developers leverage to quickly develop new applications and add features to existing apps. Gartner refers to the analysis of the security of these components as software composition analysis (SCA). So OSS Analysis and SCA are the same thing.<br />
<br />
OWASP recommends that all software projects generally try to keep the libraries they use as up-to-date as possible to reduce the likelihood of [[Top 10-2017 A9-Using Components with Known Vulnerabilities|Using Components with Known Vulnerabilities (OWASP Top 10-2017 A9)]]. There are two recommended approaches for this:<br />
<br />
==== Keeping Your Libraries Updated ====<br />
Using the latest version of each library is recommended because security issues are frequently fixed 'silently' by the component maintainer. By silently, we mean without publishing a [https://cve.mitre.org/ CVE] for the security fix.<br />
* [https://www.mojohaus.org/versions-maven-plugin/ Maven Versions plugin]<br />
** For Maven projects, can be used to generate a report of all dependencies used and when upgrades are available for them. Either a direct report, or part of the overall project documentation using: mvn site.<br />
* Dependabot - https://dependabot.com/<br />
** A GitHub only service that creates pull requests to keep your dependencies up-to-date. It automatically generates a pull request for each dependency you can upgrade, which you can then ignore, or accept, as you like. It supports tons of languages.<br />
** Recommended for all open source projects maintained on GitHub!<br />
<br />
==== Detecting Known Vulnerable Components ====<br />
As an alternative, or in addition to, trying to keep all your components up-to-date, a project can specifically monitor whether any of the components they use have known vulnerable components.<br />
<br />
Free tools of this type:<br />
* OWASP has its own free open source tool [[OWASP Dependency Check]] that is free for anyone to use.<br />
* GitHub: Security alerts for vulnerable dependencies - https://help.github.com/articles/about-security-alerts-for-vulnerable-dependencies/<br />
** A native GitHub feature that reports known vulnerable dependencies in your GitHub projects. Supports: Java, .NET, JavaScript, Ruby, and Python. Your GitHub projects are automatically signed up for this service.<br />
Commercial tools of this type that are free for open source:<br />
* Contrast Community Edition (CE) (mentioned earlier) also has both Known Vulnerable Component detection and Available Updates reporting for OSS. CE supports Java only.<br />
* Snyk - https://www.snyk.io <br />
** A Commercial tool that identifies vulnerable components and integrates with numerous CI/CD pipelines. It is free for open source: https://snyk.io/plans<br />
** Supports Node.js, Ruby, Java, Python, Scala, Golang, .NET, PHP - Latest list here: https://snyk.io/docs<br />
* WhiteSource Bolt - Supports 200+ programming languages. https://www.whitesourcesoftware.com/<br />
** Azure version: https://marketplace.visualstudio.com/items?itemName=whitesource.ws-bolt<br />
** GitHub version: https://github.com/apps/whitesource-bolt-for-github Available starting in Nov. 2018.<br />
<br />
=== Code Quality tools ===<br />
Quality has a significant correlation to security. As such, we recommend open source projects also consider using good code quality tools. A few that we are aware of are:<br />
* SpotBugs (https://github.com/spotbugs/spotbugs) - Open source code quality tool for Java<br />
** This is the active fork for FindBugs, so if you use Findbugs, you should switch to this.<br />
** SpotBugs users should add the FindSecBugs plugin (http://find-sec-bugs.github.io/) to their SpotBugs setup, as it significantly improves on the very basic security checking native to SpotBugs.<br />
<br />
* SonarQube (https://www.sonarqube.org/)<br />
** This is a commercially supported, very popular, free (and commercial) code quality tool. It includes most if not all the FindSecBugs security rules plus lots more for quality, including a free, internet online CI setup to run it against your open source projects. SonarQube supports numerous languages: https://www.sonarqube.org/features/multi-languages/<br />
<br />
Please let us know if you are aware of any other high quality application security tools that are free for open source (or simply add them to this page). We are particularly interested in identifying and listing commercial tools that are free for open source, as they tend to be better and easier to use than open source (free) tools. If you are aware of any missing from this list, please add them, or let us know (dave.wichers (at) owasp.org) and we'll confirm they are free, and add them for you. Please encourage your favorite commercial tool vendor to make their tool free for open source projects as well!!<br />
<br />
Finally, please forward this page to the open source projects you rely on and encourage them to use these free tools!</div>Wichershttps://wiki.owasp.org/index.php?title=Category:Vulnerability_Scanning_Tools&diff=244320Category:Vulnerability Scanning Tools2018-10-17T15:27:20Z<p>Wichers: /* References */</p>
<hr />
<div>== Description ==<br />
<br />
Web Application Vulnerability Scanners are automated tools that scan web applications, normally from the outside, to look for security vulnerabilities such as [[Cross-site scripting]], [[SQL Injection]], [[Command Injection]], [[Path Traversal]] and insecure server configuration. This category of tools is frequently referred to as [https://www.techopedia.com/definition/30958/dynamic-application-security-testing-dast Dynamic Application Security Testing] (DAST) Tools. A large number of both commercial and open source tools of this type are available and all of these tools have their own strengths and weaknesses. If you are interested in the effectiveness of DAST tools, check out the OWASP [[Benchmark]] project, which is scientifically measuring the effectiveness of all types of vulnerability detection tools, including DAST.<br />
<br />
Here we provide a list of vulnerability scanning tools currently available in the market.<br />
<br />
<br> '''Disclaimer:''' The tools listing in the table below are presented in an alphabetical order. <b>OWASP does not endorse any of the Vendors or Scanning Tools by listing them in the table below. We have made every effort to provide this information as accurately as possible. If you are the vendor of a tool below and think this information is incomplete or incorrect, please send an e-mail to our [mailto:owasp_ha_vulnerability_scanner_project@lists.owasp.org mailing list] and we will make every effort to correct this information.</b><br />
<br />
OWASP is aware of the [http://sectooladdict.blogspot.com/ '''Web Application Vulnerability Scanner Evaluation Project (WAVSEP)'''. WAVSEP] is completely unrelated to OWASP and we do not endorse its results, nor any of the DAST tools it evaluates. However, the results provided by WAVSEP may be helpful to someone interested in researching or selecting free and/or commercial DAST tools for their projects. This project has far more detail on DAST tools and their features than this OWASP DAST page.<br />
<br />
== Tools Listing ==<br />
<br />
{{:Template:OWASP Tool Headings}}<br />
{{OWASP Tool Info || tool_name = [http://www.acunetix.com/ Acunetix WVS] || tool_owner = Acunetix || tool_licence = Commercial / Free (Limited Capability) || tool_platforms = Windows}}<br />
{{OWASP Tool Info || tool_name = [https://www.ibm.com/us-en/marketplace/application-security-on-cloud Application Security on Cloud] || tool_owner = IBM || tool_licence = Commercial || tool_platforms = SaaS}}<br />
{{OWASP Tool Info || tool_name = [http://www-03.ibm.com/software/products/en/appscan-standard AppScan] || tool_owner = IBM || tool_licence = Commercial || tool_platforms = Windows}}<br />
{{OWASP Tool Info || tool_name = [https://www.trustwave.com/Products/Application-Security/App-Scanner-Family/App-Scanner-Enterprise/ App Scanner] || tool_owner = Trustwave || tool_licence = Commercial || tool_platforms = Windows }}<br />
{{OWASP Tool Info || tool_name = [http://www.rapid7.com/products/appspider/ AppSpider] || tool_owner = Rapid7 || tool_licence = Commercial || tool_platforms = Windows}}<br />
{{OWASP Tool Info || tool_name = [https://apptrana.indusface.com/basic/ AppTrana Basic] || tool_owner = AppTrana || tool_licence = Free (Limited Capability) || tool_platforms = SaaS}}<br />
{{OWASP Tool Info || tool_name = [http://www.arachni-scanner.com/ Arachni] || tool_owner = Arachni|| tool_licence = Free for most use cases || tool_platforms = Most platforms supported}}<br />
{{OWASP Tool Info || tool_name = [https://www.scanmyserver.com/ AVDS] || tool_owner = Beyond Security || tool_licence = Commercial / Free (Limited Capability)|| tool_platforms = SaaS }}<br />
{{OWASP Tool Info || tool_name = [https://www.blueclosure.com BlueClosure BC Detect] || tool_owner = BlueClosure || tool_licence = Commercial, 2 weeks trial || tool_platforms = Most platforms supported}}<br />
{{OWASP Tool Info || tool_name = [http://www.portswigger.net/ Burp Suite] || tool_owner = PortSwiger || tool_licence = Commercial / Free (Limited Capability)|| tool_platforms = Most platforms supported }}<br />
{{OWASP Tool Info || tool_name = [https://contrastsecurity.com Contrast] || tool_owner = Contrast Security || tool_licence = Commercial / Free (Full featured for 1 App) || tool_platforms = SaaS or On-Premises }}<br />
{{OWASP Tool Info || tool_name = [https://detectify.com/ Detectify] || tool_owner = Detectify || tool_licence = Commercial || tool_platforms = SaaS }}<br />
{{OWASP Tool Info || tool_name = [http://www.digifort.se/en/scanner Digifort- Inspect] || tool_owner = Digifort|| tool_licence = Commercial || tool_platforms = SaaS }}<br />
{{OWASP Tool Info || tool_name = [https://www.edgescan.com/ edgescan] || tool_owner = edgescan|| tool_licence = Commercial || tool_platforms = SaaS}}<br />
{{OWASP Tool Info || tool_name = [http://www.gamasec.com/Gamascan.aspx GamaScan] || tool_owner = GamaSec || tool_licence = Commercial || tool_platforms = Windows }}<br />
{{OWASP Tool Info || tool_name = [http://rgaucher.info/beta/grabber/ Grabber] || tool_owner = Romain Gaucher || tool_licence = Open Source || tool_platforms = Python 2.4, BeautifulSoup and PyXML}}<br />
{{OWASP Tool Info || tool_name = [https://gravityscan.com/ Gravityscan] || tool_owner = Defiant, Inc. || tool_licence = Commercial / Free (Limited Capability) || tool_platforms = SaaS}}<br />
{{OWASP Tool Info || tool_name = [http://sourceforge.net/p/grendel/code/ci/c59780bfd41bdf34cc13b27bc3ce694fd3cb7456/tree/ Grendel-Scan] || tool_owner = David Byrne || tool_licence = Open Source || tool_platforms = Windows, Linux and Macintosh}}<br />
{{OWASP Tool Info || tool_name = [http://www.golismero.com GoLismero] || tool_owner = GoLismero Team || tool_licence = GPLv2.0 || tool_platforms = Windows, Linux and Macintosh}}<br />
{{OWASP Tool Info || tool_name = [http://www.ikare-monitoring.com/ IKare] || tool_owner = ITrust || tool_licence = Commercial || tool_platforms = N/A }}<br />
{{OWASP Tool Info || tool_name = [https://www.htbridge.com/immuniweb/ ImmuniWeb] || tool_owner = High-Tech Bridge || tool_licence = Commercial / Free (Limited Capability)|| tool_platforms = SaaS}}<br />
{{OWASP Tool Info || tool_name = [https://www.indusface.com/index.php/products/web-application-scanning Indusface Web Application Scanning] || tool_owner = Indusface || tool_licence = Commercial || tool_platforms = SaaS}}<br />
{{OWASP Tool Info || tool_name = [http://www.nstalker.com/ N-Stealth] || tool_owner = N-Stalker || tool_licence = Commercial || tool_platforms = Windows}}<br />
{{OWASP Tool Info || tool_name = [https://www.tenable.com/products/tenable-io/web-application-scanning/ Nessus] || tool_owner = Tenable || tool_licence = Commercial || tool_platforms = Windows}}<br />
{{OWASP Tool Info || tool_name = [http://www.mavitunasecurity.com/ Netsparker] || tool_owner = MavitunaSecurity || tool_licence = Commercial || tool_platforms = Windows}}<br />
{{OWASP Tool Info || tool_name = [http://www.rapid7.com/products/nexpose-community-edition.jsp Nexpose] || tool_owner = Rapid7 || tool_licence = Commercial / Free (Limited Capability)|| tool_platforms = Windows/Linux}}<br />
{{OWASP Tool Info || tool_name = [http://www.cirt.net/nikto2 Nikto] || tool_owner = CIRT || tool_licence = Open Source|| tool_platforms = Unix/Linux}}<br />
{{OWASP Tool Info || tool_name = [http://www.milescan.com/ ParosPro] || tool_owner = MileSCAN || tool_licence = Commercial || tool_platforms = Windows}}<br />
{{OWASP Tool Info || tool_name = [https://probely.com Probe.ly] || tool_owner = Probe.ly || tool_licence = Commercial / Free (Limited Capability) || tool_platforms = SaaS}}<br />
{{OWASP Tool Info || tool_name = [http://www.websecurify.com/desktop/proxy.html Proxy.app] || tool_owner = Websecurify || tool_licence = Commercial || tool_platforms = Macintosh}}<br />
{{OWASP Tool Info || tool_name = [http://www.qualys.com/products/qg_suite/was/ QualysGuard] || tool_owner = Qualys || tool_licence = Commercial || tool_platforms = N/A}}<br />
{{OWASP Tool Info || tool_name = [http://www.beyondtrust.com/Products/RetinaNetworkSecurityScanner/ Retina] || tool_owner = BeyondTrust || tool_licence = Commercial || tool_platforms = Windows}}<br />
{{OWASP Tool Info || tool_name = [http://www.orvant.com Securus] || tool_owner = Orvant, Inc || tool_licence = Commercial || tool_platforms = N/A}}<br />
{{OWASP Tool Info || tool_name = [http://www.whitehatsec.com/home/services/services.html Sentinel] || tool_owner = WhiteHat Security || tool_licence = Commercial || tool_platforms = N/A}}<br />
{{OWASP Tool Info || tool_name = [http://www.parasoft.com/products/article.jsp?articleId=3169&redname=webtesting&referred=webtesting SOATest] || tool_owner = Parasoft || tool_licence = Commercial || tool_platforms = Windows / Linux / Solaris}}<br />
{{OWASP Tool Info || tool_name = [https://www.tinfoilsecurity.com Tinfoil Security] || tool_owner = Tinfoil Security, Inc. || tool_licence = Commercial / Free (Limited Capability) || tool_platforms = SaaS or On-Premises}}<br />
{{OWASP Tool Info || tool_name = [https://www.trustwave.com/external-vulnerability-scanning.php Trustkeeper Scanner] || tool_owner = Trustwave SpiderLabs || tool_licence = Commercial || tool_platforms = SaaS}}<br />
{{OWASP Tool Info || tool_name = [https://subgraph.com/vega/ Vega] || tool_owner = Subgraph || tool_licence = Open Source || tool_platforms = Windows, Linux and Macintosh}}<br />
{{OWASP Tool Info || tool_name = [http://wapiti.sourceforge.net/ Wapiti] || tool_owner = Informática Gesfor || tool_licence = Open Source || tool_platforms = Windows, Unix/Linux and Macintosh}}<br />
{{OWASP Tool Info || tool_name = [https://www.defensecode.com/webscanner.php Web Security Scanner] || tool_owner = DefenseCode || tool_licence = Commercial || tool_platforms = On-Premises}}<br />
{{OWASP Tool Info || tool_name = [http://www.tripwire.com/it-security-software/enterprise-vulnerability-management/web-application-vulnerability-scanning/ WebApp360] || tool_owner = TripWire || tool_licence = Commercial || tool_platforms = Windows}}<br />
{{OWASP Tool Info || tool_name = [https://webcookies.org WebCookies] || tool_owner = WebCookies || tool_licence = Free|| tool_platforms = SaaS}}<br />
{{OWASP Tool Info || tool_name = [http://www8.hp.com/us/en/software-solutions/software.html?compURI=1341991#.Uuf0KBAo4iw WebInspect] || tool_owner = HP || tool_licence = Commercial || tool_platforms = Windows}}<br />
{{OWASP Tool Info || tool_name = [http://www.websecurify.com/desktop/webreaver.html WebReaver] || tool_owner = Websecurify || tool_licence = Commercial || tool_platforms = Macintosh}}<br />
{{OWASP Tool Info || tool_name = [http://www.german-websecurity.com/en/products/webscanservice/product-details/overview/ WebScanService] || tool_owner = German Web Security || tool_licence = Commercial || tool_platforms = N/A}}<br />
{{OWASP Tool Info || tool_name = [https://suite.websecurify.com/ Websecurify Suite] || tool_owner = Websecurify || tool_licence = Commercial / Free (Limited Capability) || tool_platforms = Windows, Linux, Macintosh}}<br />
{{OWASP Tool Info || tool_name = [http://www.sensepost.com/research/wikto/ Wikto] || tool_owner = Sensepost || tool_licence = Open Source || tool_platforms = Windows}}<br />
{{OWASP Tool Info || tool_name = [http://www.w3af.org/ w3af] || tool_owner = w3af.org || tool_licence = GPLv2.0 || tool_platforms = Linux and Mac}}<br />
{{OWASP Tool Info || tool_name = [https://www.owasp.org/index.php/OWASP_Xenotix_XSS_Exploit_Framework Xenotix XSS Exploit Framework] || tool_owner = OWASP || tool_licence = Open Source || tool_platforms = Windows}}<br />
{{OWASP Tool Info || tool_name = [https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project Zed Attack Proxy] || tool_owner = OWASP || tool_licence = Open Source || tool_platforms = Windows, Unix/Linux and Macintosh}}<br />
|}<br />
<br />
== References ==<br />
<br />
*[[Source_Code_Analysis_Tools | SAST Tools]] - OWASP page with similar information on Static Application Security Testing (SAST) Tools<br />
*http://sectooladdict.blogspot.com/ - Web Application Vulnerability Scanner Evaluation Project (WAVSEP)<br />
*http://projects.webappsec.org/Web-Application-Security-Scanner-Evaluation-Criteria - v1.0 (2009)<br />
*http://www.slideshare.net/lbsuto/accuracy-and-timecostsofwebappscanners - White Paper: Analyzing the Accuracy and Time Costs of WebApplication Security Scanners - By Larry Suto (2010)<br />
*http://samate.nist.gov/index.php/Web_Application_Vulnerability_Scanners.html - NIST home page which links to: NIST Special Publication 500-269: Software Assurance Tools: Web Application Security Scanner Functional Specification Version 1.0 (21 August, 2007)<br />
*http://www.softwareqatest.com/qatweb1.html#SECURITY - A list of Web Site Security Test Tools. (Has both DAST and SAST tools)<br />
<br />
[[Category:OWASP_Tools_Project]]</div>Wichers