
This step is necessary if the analyzed project uses project-specific frameworks, either for capturing data input from the user or for the target methods. Target methods are the methods (the sinks) that attackers try to reach in order to exploit:

  • SQL Injection (CWE-89)
  • Cross-Site Scripting (CWE-79)
  • LDAP Injection (CWE-90)
  • OS Command Injection (CWE-78)
  • XPath Injection (CWE-91)
  • Path Manipulation (CWE-99)
  • Log Forging (CWE-117)

You can add the project-specific methods via the CAST Management Studio.

Please note that if you intend to use the User Input Security feature with the .NET technology, CAST highly recommends that you reduce the default Execution Unit max size (MB) value in the .NET Technology options (Production tab) from the default value to 30MB. This is to reduce the risk of the analyzer crashing during an analysis and to improve performance. You should be aware, however, that doing so does have some side effects (loss of links primarily). This is explained in more detail in the CAST Management Studio help.

Specific Sanitization Methods

If you use specific sanitization methods in your code to clean user input, then you can specify them in this section. During the code analysis process, CAST will consider the data passing via any of these sanitization methods as "clean" and will not trigger a violation.

Please note that only sanitization methods that modify the string (cleaners) are supported. Verification methods that merely test the string (checkers, i.e. `if (verifyString(x))`) are not supported and will be ignored during the analysis.

Specific User Input Methods

Although there are many known user input methods (data originating on the internet or from an external source, etc.), there may also be methods that are specific to your environment. If this is the case, you can specify these methods in this section. During the code analysis process CAST will consider the data originating from any of these methods as potentially "unsafe" and will flag it as a violation when it reaches a target method.

Specific Target Methods

Although there are many known target methods (database access, hard disk access, etc.), there may also be methods that are specific to your environment. If this is the case, you can specify these methods in this section. During the code analysis process CAST will treat these methods as sinks (the targets) and will attempt to identify whether any unsafe data actually arrives in them; if it does, it will be flagged as a violation.


Which methods should I add?

CAST recommends adding the top method in the inheritance hierarchy (either the top interface or the top class method), because the CAST Management Studio (via the Inference Engine) will automatically add the methods that override it.

For input methods:

  • You need to identify all the source code that accepts user input (i.e. data originating on the internet or from an external source, etc.) and then find the corresponding .NET or Java method that captures the user entry. This method is the "input method" and should be added in the Specific User Input Methods section.

For target methods:

  • This depends on the type of flaw you want to identify. For example, for SQL injection flaws, all the methods that use a character string to send information as a query to the databases must be added as "target methods" in the Specific Target Methods section.

Predefined methods

Some well known Input Methods/Target Methods are already pre-defined and taken into account by CAST. Please see the CAST Management Studio help (page User Input Security tab) for more information about these methods.

J2EE example code

The following is an example of code to help explain what you need to enter for the Specific User Input Methods and Specific Target Methods options. In the example below:

Specific User Input Methods

  • the fully qualified name = javax.servlet.ServletRequest.getParameter

Specific Target Methods

  • the target method's fully qualified name = java.io.PrintWriter.println
  • the class used to create the target object = javax.servlet.ServletResponse

Note that javax.servlet.ServletRequest.getParameter is already a default input method.
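The servlet below is an added illustration (not the page's own example code and not CAST-supplied code) of the source/sink pair configured above, together with the cleaner/checker distinction from the Specific Sanitization Methods section. The data enters through `javax.servlet.ServletRequest.getParameter` (the input method) and reaches `java.io.PrintWriter.println` on a writer obtained from the `ServletResponse` (the target method). The class name `GreetingServlet` and the two helper methods `htmlEscape` (a cleaner that returns a modified string) and `looksSafe` (a checker that only tests the string) are assumptions made for this example; only `htmlEscape` would be worth declaring as a Specific Sanitization Method, since checkers are ignored by the analysis.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example (not from the page): one servlet showing how user input
// flows from the declared input method to the declared target method.
public class GreetingServlet extends HttpServlet {

    // Hypothetical "cleaner": returns a modified copy of the string, so it can
    // be declared as a Specific Sanitization Method (e.g. GreetingServlet.htmlEscape).
    static String htmlEscape(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Hypothetical "checker": only tests the string and returns a boolean.
    // Declaring it as a sanitization method has no effect; the analysis ignores it.
    static boolean looksSafe(String s) {
        return s != null && s.matches("[A-Za-z0-9 ]*");
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Input method: javax.servlet.ServletRequest.getParameter -> data is "unsafe" from here on.
        String name = req.getParameter("name");

        resp.setContentType("text/html;charset=UTF-8");
        // Target object created from javax.servlet.ServletResponse.
        PrintWriter out = resp.getWriter();

        // Violation: unsafe data reaches java.io.PrintWriter.println unchanged (CWE-79).
        out.println("<p>Hello " + name + "</p>");

        // No violation: the data passed through a declared cleaner is considered "clean".
        out.println("<p>Hello " + htmlEscape(name) + "</p>");

        // Still a violation: a checker does not modify the string, so the data is
        // still considered unsafe when it arrives at the target method.
        if (looksSafe(name)) {
            out.println("<p>Hello " + name + "</p>");
        }
    }
}
```

With the methods from this page declared in the CAST Management Studio, the first and third `println` calls are the ones the analysis should report, and adding `GreetingServlet.htmlEscape` as a Specific Sanitization Method is what silences the second; adding `looksSafe` instead would change nothing, which is the practical consequence of the cleaner/checker rule above.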
