The vulnerability that has consistently ranked first in the OWASP (Open Web Application Security Project) Top Ten from 2010 to 2017 is "Injection". All the vulnerabilities listed hereunder (Path Traversal, SQL Injection and Cross-site Scripting) are kinds of injection. Between 2002 and 2017, 4695 vulnerabilities were reported in well-known projects for SQL Injection alone. That averages to 294 reported vulnerabilities per year (4695 / 16), yet in 2017 alone 353 new ones were reported, so this is still very much a relevant issue today. See CVEDetails.com.
At their heart, all injection vulnerabilities are caused by unintentionally allowing unvalidated, potentially malicious (tainted) user input to flow to sink functions such as database queries or filesystem operations.
Java and C# are both popular for writing web application back-ends, and they are also two languages that we already cover pretty well. In particular, we already have all the semantic information needed to resolve method calls to their definitions, which is a prerequisite for taint analysis.
PHP is also extremely popular for web applications, and many of its most popular projects have had countless injection vulnerabilities in the past (e.g. Joomla). Even though our support for it is not at the same level as for Java or C#, we would nevertheless like to detect some of these vulnerabilities, even if the scope has to be reduced significantly.
We want to deliver rules to detect the following vulnerabilities in Java, C# and PHP:
- CWE-22 & RSPEC-2083: Path Traversal
- CWE-78 & RSPEC-2076: OS Command Injection
- CWE-89 & RSPEC-3649: SQL Injection
- CWE-90 & RSPEC-2078: LDAP Injection
- CWE-643 & RSPEC-2091: XPath Injection
- CWE-79 & RSPEC-2576: Cross-Site Scripting
- ReDoS & RSPEC-2631: Regular Expression Denial of Service
For Java and C#, we want to be able to track taint across any number of method calls.
In the case of PHP, we want to provide some initial coverage, limited to detecting vulnerabilities within a single function.
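To make the source/sink/sanitizer model and the cross-method versus single-function distinction concrete, here is an added toy taint analyzer over a constructed mini-IR (illustration only, not the engine behind the rules above; the IR shape, the function names and the `PROGRAM` sample are all invented for this example). Run interprocedurally it finds the two flows that pass through helper methods; in single-function mode, the scope described for PHP, only the sink reached directly inside the handler is reported.

```python
# Constructed toy IR, one function = (parameter names, statements):
#   ("assign", dst, "source") | ("assign", dst, ("call", f, [arg vars]))
#   ("sanitize", var) | ("sink", kind, var) | ("return", var)

def analyze(program, fn, arg_taint, interprocedural, findings, stack=()):
    """Record (fn, sink kind) for tainted sinks; return whether fn's result is tainted."""
    params, body = program[fn]
    tainted = {p for p, t in zip(params, arg_taint) if t}
    returns_taint = False
    for stmt in body:
        if stmt[0] == "assign":
            dst, expr = stmt[1], stmt[2]
            if expr == "source":
                t = True
            else:  # call: follow the callee only in interprocedural mode
                callee, args = expr[1], expr[2]
                if interprocedural and callee in program and callee not in stack:
                    t = analyze(program, callee, [a in tainted for a in args],
                                True, findings, stack + (fn,))
                else:
                    t = False  # single-function mode treats callees as opaque
            tainted.add(dst) if t else tainted.discard(dst)
        elif stmt[0] == "sanitize":
            tainted.discard(stmt[1])
        elif stmt[0] == "sink" and stmt[2] in tainted:
            findings.append((fn, stmt[1]))
        elif stmt[0] == "return" and stmt[1] in tainted:
            returns_taint = True
    return returns_taint

def find_injections(program, entry, interprocedural=True):
    findings = []
    analyze(program, entry, [], interprocedural, findings)
    return findings

# Constructed sample: a request handler reaching sinks directly and through helpers.
PROGRAM = {
    "handler": ([], [
        ("assign", "id", "source"),
        ("sink", "xss", "id"),                           # local: found in both modes
        ("assign", "q", ("call", "build_query", ["id"])),
        ("sink", "sql", "q"),                            # taint returned by the callee
        ("assign", "_", ("call", "read_file", ["id"])),  # sink inside the callee
        ("sanitize", "id"),
        ("assign", "_", ("call", "read_file", ["id"])),  # clean after sanitizing
    ]),
    "build_query": (["v"], [("return", "v")]),
    "read_file": (["p"], [("sink", "path", "p")]),
}
```

`find_injections(PROGRAM, "handler")` reports the XSS, SQL and path sinks, while `find_injections(PROGRAM, "handler", interprocedural=False)` reports only the XSS one.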