CAST Engineering Dashboard - Violations - Wrong violation for added method to user Input Data Flow Security Analysis

Purpose (problem description)

In the User Input Security tab of CAST-MS, you activate User Input Data Flow Security Analysis (.NET or J2EE) and add an application-specific method (a sanitization method, a user input method or a target method); for more information, see the page User Input Security - Adding Application Specific Input or Target Methods.

In the Dashboard, the specific method appears as a violation (security vulnerability) when it should not.

This can happen when the analyzer has not detected an external method in the data flow engine's deductions. External code is unknown and cannot be accessed by the analyzer, and as such is not taken into account by the User Input Security feature.

Observed in CAST AIP

Release   Yes/No
8.3.x     Yes

Observed on RDBMS

RDBMS     Yes/No
CSS       Yes

Step by Step scenario

  1. In User Input Security tab of CAST-MS, activate User Input Data Flow Security Analysis (.NET or J2EE)
  2. Add sanitization or user input method or target method
  3. Take a snapshot of the application 

Action Plan

Perform the following actions:

  1. Edit "SecurityAnalyzer.log.secondary" (refer to the page CAST Management Studio - Information - How to find logs).
  2. If you find the error "Unresolved value at ", there is an error in the analysis step. You must fix the error and re-analyze.
  3. If you find the error "No Implementation found", there is no source code for the corresponding method. You must blackbox this method; to do so, see the Technical Knowledge Base page CAST Management Studio - Information - User Input Security - How to blackbox a method.
  4. Run "runSecurityAnalyzer.bat" (refer to the page CAST Management Studio - Information - How to find logs).
  5. If "SecurityAnalyzer.log.secondary" is empty, take a snapshot skipping the analysis; otherwise go back to step 1.
  6. If the problem still occurs, contact CAST Support with the Relevant input.
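The triage in steps 2, 3 and 5 can be scripted. The following Python helper is an added example (not CAST code): it scans the contents of "SecurityAnalyzer.log.secondary" for the two error markers named above and reports which action applies. The sample log lines are constructed; the real file's line layout is not shown on this page, so only the two marker strings are relied on.

```python
"""Triage helper for SecurityAnalyzer.log.secondary (added example, not CAST code)."""
from pathlib import Path

# The two markers the action plan tells you to look for.
UNRESOLVED = "Unresolved value at"          # step 2: analysis error
NO_IMPL = "No Implementation found"         # step 3: method without source code


def triage(log_text: str) -> dict:
    """Classify the secondary log and derive the next step of the action plan.

    Returns a dict with the matching lines under 'unresolved' and
    'no_implementation', and 'next_step' set to one of:
      'snapshot_skip_analysis'  - log is empty (step 5)
      'fix_and_reanalyze'       - "Unresolved value at" present (step 2)
      'blackbox_method'         - "No Implementation found" present (step 3)
      'contact_support'         - log has content but neither marker (step 6)
    Unresolved values are reported first because re-analysis may change
    what the data flow engine later reports as missing implementations.
    """
    lines = [line for line in log_text.splitlines() if line.strip()]
    unresolved = [line for line in lines if UNRESOLVED in line]
    no_impl = [line for line in lines if NO_IMPL in line]
    if not lines:
        step = "snapshot_skip_analysis"
    elif unresolved:
        step = "fix_and_reanalyze"
    elif no_impl:
        step = "blackbox_method"
    else:
        step = "contact_support"
    return {"unresolved": unresolved, "no_implementation": no_impl, "next_step": step}


def triage_file(path: str) -> dict:
    """Run triage on a log file on disk (path is whatever 'How to find logs' gives you)."""
    return triage(Path(path).read_text(encoding="utf-8", errors="replace"))


# Constructed sample content; the method name is a placeholder, not from a real log.
SAMPLE_LOG = """\
INFO  Security analysis started
ERROR No Implementation found for method com.example.Sanitizer.clean(java.lang.String)
INFO  Security analysis finished
"""

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(result["next_step"])          # blackbox_method
    for line in result["no_implementation"]:
        print("  ", line)
```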

Relevant input

Notes/comments


Related Pages