Классификация предупреждений PVS-Studio согласно OWASP Top 10 Web Application Security Risks
OWASP Top 10 — это рейтинг десяти наиболее опасных угроз защищённости Web-приложений, основанный на общем мнении экспертов по вопросам безопасности со всего мира. Ранжирование в рейтинге основано на степени серьёзности описанных потенциальных угроз, частоте их выявления и величине потенциального урона, которые они могут нанести. Целью проекта OWASP Top 10 является предоставление разработчикам и экспертам по безопасности информации для обнаружения, противодействия и своевременного устранения рисков безопасности разрабатываемых ими приложений.
Каждые несколько лет рейтинг OWASP Top 10 пересматривается, чтобы отражать наиболее актуальные для данного момента угрозы защищённости приложений. PVS-Studio поддерживает классификацию своих диагностических правил согласно редакции рейтинга OWASP Top 10 версии 2021.
PVS-Studio имеет диагностики для обнаружения 10/10 (100%) приведенных категорий уязвимостей.
Category |
CWE |
Rules |
---|---|---|
A01.Broken Access Control Access control enforces policy such that users cannot act outside of their intended permissions. Failures typically lead to unauthorized information disclosure, modification, or destruction of all data or performing a business function outside the user's limits. |
CWE-22, CWE-23, CWE-35, CWE-59, CWE-200, CWE-201, CWE-219, CWE-264, CWE-275, CWE-276, CWE-284, CWE-285, CWE-352, CWE-359, CWE-377, CWE-402, CWE-425, CWE-441, CWE-497, CWE-538, CWE-540, CWE-548, CWE-552, CWE-566, CWE-601, CWE-639, CWE-651, CWE-668, CWE-706, CWE-862, CWE-863, CWE-913, CWE-922, CWE-1275 |
V5609 - Possible path traversal vulnerability. Potentially tainted data is used as a path. - CWE-22 V5623 - Possible open redirect vulnerability. Potentially tainted data is used in the URL. - CWE-601 |
A02.Cryptographic Failures Data in transit and at rest — such as passwords, credit card numbers, health records, personal information, and business secrets — require extra protection due to the potential for cryptographic failures (sensitive data exposures). This is especially true if the data falls under any of the privacy laws such as GDPR, CCPA, and others. |
CWE-261, CWE-296, CWE-310, CWE-319, CWE-321, CWE-322, CWE-323, CWE-324, CWE-325, CWE-326, CWE-327, CWE-328, CWE-329, CWE-330, CWE-331, CWE-335, CWE-336, CWE-337, CWE-338, CWE-340, CWE-347, CWE-523, CWE-720, CWE-757, CWE-759, CWE-760, CWE-780, CWE-818, CWE-916 |
V1057 - Pseudo random sequence is the same at every program run. Consider assigning the seed to a value not known at compile-time. - CWE-337 V5014 - Cryptographic function is deprecated. Its use can lead to security issues. Consider switching to an equivalent newer function. - CWE-327 V5307 - Potentially predictable seed is used in pseudo-random number generator. - CWE-337,CWE-336 V5612 - Do not use old versions of SSL/TLS protocols as it may cause security issues. - CWE-326 V5613 - Use of outdated cryptographic algorithm is not recommended. - CWE-327,CWE-328 V6109 - Potentially predictable seed is used in pseudo-random number generator. - CWE-337,CWE-336 |
A03.Injection Injection vulnerabilities can occur when a query or command is used to insert untrusted data into the interpreter via SQL, OS, NoSQL, or LDAP injection. The hostile data injected through this attack vector tricks the interpreter to make the application do something it was not designed for, such as generating unintended commands or accessing data without proper authentication. |
CWE-20, CWE-74, CWE-75, CWE-77, CWE-78, CWE-79, CWE-80, CWE-83, CWE-87, CWE-88, CWE-89, CWE-90, CWE-91, CWE-93, CWE-94, CWE-95, CWE-96, CWE-97, CWE-98, CWE-99, CWE-100, CWE-113, CWE-116, CWE-138, CWE-184, CWE-470, CWE-471, CWE-564, CWE-610, CWE-643, CWE-644, CWE-652, CWE-917 |
V739 - EOF should not be compared with a value of the 'char' type. Consider using the 'int' type. - CWE-20 V781 - Value of a variable is checked after it is used. Possible error in program's logic. Check lines: N1, N2. - CWE-20 V1024 - Potential use of invalid data. The stream is checked for EOF before reading from it but is not checked after reading. - CWE-20 V1076 - Code contains invisible characters that may alter its logic. Consider enabling the display of invisible characters in the code editor. - CWE-94 V1111 - The index was used without check after it was checked in previous lines. - CWE-20 V5309 - Possible SQL injection. Potentially tainted data is used to create SQL command. - CWE-89 V5608 - Possible SQL injection. Potentially tainted data is used to create SQL command. - CWE-89 V5610 - Possible XSS vulnerability. Potentially tainted data might be used to execute a malicious script. - CWE-79 V5616 - Possible command injection. Potentially tainted data is used to create OS command. - CWE-77,CWE-78,CWE-88 V5620 - Possible LDAP injection. Potentially tainted data is used in a search filter. - CWE-90 V5622 - Possible XPath injection. Potentially tainted data is used in the XPath expression. - CWE-643 V5628 - Possible Zip Slip vulnerability. Potentially tainted data is used in the path to extract the file. - CWE-22,CWE-99 |
A04.Insecure Design Insecure design is a wide term that encompasses a variety of flaws and is defined as "missing or poor control design". Threat modeling, secure design patterns, and reference architectures are among the new categories for 2021, with a demand for increasing the usage of threat modeling, safe design patterns, and reference architectures. |
CWE-73, CWE-183, CWE-209, CWE-213, CWE-235, CWE-256, CWE-257, CWE-266, CWE-269, CWE-280, CWE-311, CWE-312, CWE-313, CWE-316, CWE-419, CWE-430, CWE-434, CWE-444, CWE-451, CWE-472, CWE-501, CWE-522, CWE-525, CWE-539, CWE-579, CWE-598, CWE-602, CWE-642, CWE-646, CWE-650, CWE-653, CWE-656, CWE-657, CWE-799, CWE-807, CWE-840, CWE-841, CWE-927, CWE-1021, CWE-1173 |
V504 - Semicolon ';' is probably missing after the 'return' keyword. - CWE-841 V5001 - It is highly probable that the semicolon ';' is missing after 'return' keyword. - CWE-841 V5621 - Error message contains potentially sensitive data that may be exposed. - CWE-209 |
A05.Security Misconfiguration Gartner estimates that up to 95% of cloud breaches are the result of human errors. Security setting misconfigurations are one of the prime drivers of that statistic, with OWASP noting that, of the top ten, this vulnerability is the most common. There are many types of misconfiguration that expose the company to cybersecurity risk, including accepting default settings that are insecure, overly accessible cloud storage resources, incomplete configurations, misconfigured HTTP headers, verbose error messages that contain sensitive information. |
CWE-2, CWE-11, CWE-13, CWE-15, CWE-16, CWE-260, CWE-315, CWE-520, CWE-526, CWE-537, CWE-541, CWE-547, CWE-611, CWE-614, CWE-756, CWE-776, CWE-942, CWE-1004, CWE-1032, CWE-1174 |
V624 - Use of constant NN. The resulting value may be inaccurate. Consider using the M_NN constant from <math.h>. - CWE-547 V5614 - Potential XXE vulnerability. Insecure XML parser is used to process potentially tainted data. - CWE-611 V5615 - Potential XEE vulnerability. Insecure XML parser is used to process potentially tainted data. - CWE-776 V5624 - Use of potentially tainted data in configuration may lead to security issues. - CWE-15 V6107 - The constant NN is being utilized. The resulting value could be inaccurate. Consider using the KK constant. - CWE-547 |
A06.Vulnerable and Outdated Components Modern distributed web applications often incorporate open source components such as libraries and frameworks. Any component with a known vulnerability becomes a weak link that can impact the security of the entire application. Although the use of open source components with known vulnerabilities ranks low in terms of security problem severity, it is #1 when ranking the OWASP Top 10 by how often a vulnerability was the root cause of an actual data breach. |
CWE-937, CWE-1035, CWE-1104 |
V5625 - Referenced package contains vulnerability. - CWE-1035 |
A07.Identification and Authentication Failures When applications incorrectly execute functions related to session management or user authentication, intruders may be able to compromise passwords, security keys, or session tokens and permanently or temporarily assume the identities and permissions of other users. This vulnerability poses a grave threat to the security of the application and the resources it accesses and can also severely compromise other assets connected to the same network. |
CWE-255, CWE-259, CWE-287, CWE-288, CWE-290, CWE-294, CWE-295, CWE-297, CWE-300, CWE-302, CWE-304, CWE-306, CWE-307, CWE-346, CWE-384, CWE-521, CWE-613, CWE-620, CWE-640, CWE-798, CWE-940, CWE-1216 |
V5013 - Storing credentials inside source code can lead to security issues. - CWE-798,CWE-259 V5305 - Storing credentials inside source code can lead to security issues. - CWE-798,CWE-259 V5601 - Storing credentials inside source code can lead to security issues. - CWE-798,CWE-259 V5617 - Assigning potentially negative or large value as timeout of HTTP session can lead to excessive session expiration time. - CWE-613 |
A08.Software and Data Integrity Failures Software and data integrity failures relate to code and infrastructure that does not protect against integrity violations. An example of this is where an application relies upon plugins, libraries, or modules from untrusted sources, repositories, and content delivery networks (CDNs). An insecure CI/CD pipeline can introduce the potential for unauthorized access, malicious code, or system compromise. |
CWE-345, CWE-353, CWE-426, CWE-494, CWE-502, CWE-565, CWE-784, CWE-829, CWE-830, CWE-915 |
V5611 - Potential insecure deserialization vulnerability. Potentially tainted data is used to create an object using deserialization. - CWE-502 |
A09.Security Logging and Monitoring Failures This category is to help detect, escalate, and respond to active breaches. Without logging and monitoring, breaches cannot be detected. Studies indicate that the time from attack to detection can take up to 200 days, and often longer. This window gives cyber thieves plenty of time to tamper with servers, corrupt databases, steal confidential information, and plant malicious code. |
CWE-117, CWE-223, CWE-532, CWE-778 |
V1116 - Creating an exception object without an explanatory message may result in insufficient logging. - CWE-778 V5619 - Possible log injection. Potentially tainted data is written into logs. - CWE-117 |
A10.Server Side Request Forgery (SSRF) SSRF flaws occur whenever a web application is fetching a remote resource without validating the user-supplied URL. It allows an attacker to coerce the application to send a crafted request to an unexpected destination, even when protected by a firewall, VPN, or another type of network access control list (ACL). |
CWE-918 |
V5618 - Possible server-side request forgery. Potentially tainted data is used in the URL. - CWE-918 |