Each content pack (CP) for API Security contains a new or refactored set of Queries targeting API-related vulnerabilities. It aims at reducing the number of false negative results in API Projects while keeping the general accuracy of the queries.

This content pack uses the unified installer and includes all previous content packs published for version 8.9. It includes updates for Java, C# and JavaScript.

  • Improvements that reduce the number of false positive findings in C#, and OWASP Top 10 API support in Java.

    • The changes are listed in the next section.

Tip
  • This content pack includes OOTB Accuracy content. Checkmarx Express presets should be used to take full advantage of improvements performed by this project.

  • It includes API Security content. OWASP Top 10 API presets should be used to take full advantage of the content pack queries on Java for API Security.

  • As in any CxSAST product release, the content pack also resets the Checkmarx built-in presets to their default query set.

Info

Installation order
This is a cumulative content pack, it can be installed over any of the previous version 8.9 content packs and does not require other content packs.

Dependencies
HotFix 27 is required for this content pack. HF29 is optional.

This content pack includes improvements in the OWASP TOP 10 API queries.

API Security Content

The following improvements have been made for Java queries (even though not all are related to the API Security Preset):

  • Java_High_Risk.Reflected_XSS_All_Clients
    Updated to remove FP results that appear on API code. It was also updated to make its sanitizers match the JSF framework support.

  • Java_Low_Visibility.Stored_Absolute_Path_Traversal
    Updated to consider file read APIs rather than file stream.

  • Java_Low_Visibility.Use_of_Broken_or_Risky_Cryptographic_Algorithm
    Updated to find results associated with weak types like RC2, RC4, ARCFOUR or Blowfish.

Added queries

The following queries were added to the Java set of queries. For details on each query, refer to their specific description in the CxSAST Portal.

Java_Best_Coding_Practice.Spring_Missing_Object_Level_Authorization
Java_Best_Coding_Practice.Spring_Missing_Function_Level_Authorization
Java_Low_Visbility.Unrestricted_Read_S3
Java_Low_Visibility.Spring_Use_Of_Hardcoded_Password
Java_Low_Visibility.Spring_Use_of_Broken_or_Risky_Cryptographic_Primitive
Java_Low_Visibility.Spring_Overly_Permissive_Cross_Origin_Resource_Sharing_Policy
Java_Low_Visibility.Spring_Missing_X_Content_Type_Options
Java_Low_Visibility.Spring_Missing_XSS_Protection_Header
Java_Low_Visibility.Spring_Missing_X_Frame_Options
Java_Low_Visibility.Spring_Missing_Content_Security_Policy
Java_Low_Visibility.Spring_Permissive_Content_Security_Policy
Java_Low_Visibility.Spring_Missing_Expect_CT_Header
Java_Medium_Threat.JWT_Use_Of_Hardcoded_Secret  
Java_Medium_Threat.Spring_SCrypt_Insecure_Parameters
Java_Medium_Threat.Spring_PBKDF2_Insecure_Parameters
Java_Medium_Threat.Spring_BCrypt_Insecure_Parameters
Java_Medium_Threat.Spring_Argon2_Insecure_Parameters
Java_Medium_Threat.Spring_Comparison_Timing_Attack
Java_Medium_Threat.Excessive_Data_Exposure
Java_Medium_Threat.Spring_XSRF
Java_Medium_Threat.Spring_Missing_HSTS_Header

Updated queries

The following queries were changed to improve the relevance of results for API Security in general.

  • Java_High_Risk.Reflected_XSS_All_Clients - although not related to API Security, this query was updated to remove FP results that appear on API code. It was also updated to make its sanitizers match the JSF framework support.
  • Java_Low_Visibility.Stored_Absolute_Path_Traversal - although not related to API Security, the query was updated to consider file read APIs rather than file streams.
  • Java_Low_Visibility.Use_of_Broken_or_Risky_Cryptographic_Algorithm - the query was updated to find results associated with weak algorithms such as RC2, RC4, ARCFOUR, or Blowfish.
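The Use_of_Broken_or_Risky_Cryptographic_Algorithm update (described in both the improvements list above and this updated-queries list) matches on the transformation string passed to the JCE. The following is an added illustration written for these notes, not Checkmarx code and not the query itself: it shows the kind of `Cipher.getInstance` call that now produces a finding next to an authenticated AES-GCM form that does not. Only standard JDK classes are used; the plaintext is a constructed sample.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;

public class CipherSelection {

    // The pattern the updated query flags: a transformation naming a weak or legacy
    // algorithm ("RC2", "RC4", "ARCFOUR", "Blowfish"). Shown here as the finding, not a fix.
    static Cipher legacyCipher(String transformation) throws Exception {
        return Cipher.getInstance(transformation);
    }

    // Hardened form: a current cipher in an authenticated mode, explicit mode and padding,
    // a fresh random 96-bit nonce per message and a 128-bit authentication tag.
    static byte[] encryptAesGcm(SecretKey key, byte[] plaintext) throws Exception {
        byte[] nonce = new byte[12];
        new SecureRandom().nextBytes(nonce);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, nonce));
        byte[] ciphertext = cipher.doFinal(plaintext);
        // Prepend the nonce so the receiver can reconstruct the parameters.
        byte[] out = new byte[nonce.length + ciphertext.length];
        System.arraycopy(nonce, 0, out, 0, nonce.length);
        System.arraycopy(ciphertext, 0, out, nonce.length, ciphertext.length);
        return out;
    }

    static byte[] decryptAesGcm(SecretKey key, byte[] blob) throws Exception {
        byte[] nonce = Arrays.copyOfRange(blob, 0, 12);
        byte[] ciphertext = Arrays.copyOfRange(blob, 12, blob.length);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, nonce));
        // doFinal throws AEADBadTagException if the ciphertext or nonce was modified.
        return cipher.doFinal(ciphertext);
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey();
        byte[] sample = "constructed sample message".getBytes(StandardCharsets.UTF_8); // constructed input
        byte[] blob = encryptAesGcm(key, sample);
        System.out.println(new String(decryptAesGcm(key, blob), StandardCharsets.UTF_8));
    }
}
```

The query keys on the algorithm name, so a call such as `legacyCipher("Blowfish/CBC/PKCS5Padding")` is reported regardless of mode or key size, while the `AES/GCM/NoPadding` transformation is not.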

Several general queries were also changed that may have affected other API Security related queries.

API1 - Broken Object Level Authorization

  • NEW: Java_Best_Coding_Practice.Spring_Missing_Object_Level_Authorization
  • NEW: Java_Low_Visbility.Unrestricted_Read_S3

API2 - Broken Authentication

  • NEW: Java_Medium_Threat.JWT_Use_Of_Hardcoded_Secret
  • NEW: Java_Low_Visibility.Spring_Use_Of_Hardcoded_Password
  • NEW: Java_Medium_Threat.Spring_SCrypt_Insecure_Parameters
  • NEW: Java_Medium_Threat.Spring_PBKDF2_Insecure_Parameters
  • NEW: Java_Medium_Threat.Spring_BCrypt_Insecure_Parameters
  • NEW: Java_Medium_Threat.Spring_Argon2_Insecure_Parameters
  • NEW: Java_Medium_Threat.Spring_Comparison_Timing_Attack
  • NEW: Java_Low_Visibility.Spring_Use_of_Broken_or_Risky_Cryptographic_Primitive
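The API2 queries above cover three patterns in Spring code: secrets embedded as literals, password hashing with weak work factors, and secret comparison with `equals`. The following is an added example written for these notes, not Checkmarx code and not the query logic; it shows, for each pattern, the form that would be reported as a comment beside a form that would not. It assumes Spring Security's `spring-security-crypto` module on the classpath; the `JWT_SECRET` environment variable name and the work-factor values are this example's own choices.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import org.springframework.security.crypto.argon2.Argon2PasswordEncoder;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

public class AuthenticationHardening {

    // Reported pattern (JWT_Use_Of_Hardcoded_Secret / Spring_Use_Of_Hardcoded_Password):
    //   static final String JWT_SECRET = "changeme";
    // Hardened form: the key comes from the deployment environment, never from source.
    // JWT_SECRET is an assumed variable name for this example.
    static byte[] jwtSigningKey() {
        String secret = System.getenv("JWT_SECRET");
        if (secret == null || secret.length() < 32) {
            throw new IllegalStateException("JWT_SECRET must be set and at least 32 characters long");
        }
        return secret.getBytes(StandardCharsets.UTF_8);
    }

    // Reported pattern (Spring_BCrypt_Insecure_Parameters): new BCryptPasswordEncoder(4)
    // Hardened form: an explicit cost above the library default of 10.
    static PasswordEncoder bcryptEncoder() {
        return new BCryptPasswordEncoder(12);
    }

    // Reported pattern (Spring_Argon2_Insecure_Parameters): tiny memory or a single iteration.
    // Hardened form: explicit saltLength, hashLength, parallelism, memory (KiB), iterations.
    static PasswordEncoder argon2Encoder() {
        return new Argon2PasswordEncoder(16, 32, 1, 65536, 3);
    }

    // Reported pattern (Spring_Comparison_Timing_Attack): presented.equals(expected) or
    // Arrays.equals, both of which return at the first differing byte.
    // Hardened form: MessageDigest.isEqual compares in time independent of where bytes differ.
    static boolean tokensMatch(byte[] presented, byte[] expected) {
        return MessageDigest.isEqual(presented, expected);
    }

    public static void main(String[] args) {
        PasswordEncoder enc = bcryptEncoder();
        String stored = enc.encode("constructed-password"); // constructed sample credential
        System.out.println("bcrypt matches: " + enc.matches("constructed-password", stored));

        byte[] issued = "constructed-token-value".getBytes(StandardCharsets.UTF_8);
        byte[] presented = Arrays.copyOf(issued, issued.length);
        System.out.println("token matches: " + tokensMatch(presented, issued));
    }
}
```

The work factors are deliberately explicit rather than relying on constructor defaults, so that a reviewer reading the finding can see the chosen cost in the same place the query reports it.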

API3 - Excessive Data Exposure

  • NEW: Java_Medium_Threat.Excessive_Data_Exposure

API4 - Lack of Resources and Rate Limiting

No Updates

API5 - Broken Function Level Authorization

  • NEW: Java_Best_Coding_Practice.Spring_Missing_Function_Level_Authorization

API6 - Mass Assignment

No Updates

API7 - Security Misconfiguration

  • NEW: Java_Low_Visibility.Spring_Overly_Permissive_Cross_Origin_Resource_Sharing_Policy
  • NEW: Java_Medium_Threat.Spring_Missing_HSTS_Header
  • NEW: Java_Low_Visibility.Spring_Missing_X_Content_Type_Options
  • NEW: Java_Low_Visibility.Spring_Missing_XSS_Protection_Header
  • NEW: Java_Low_Visibility.Spring_Missing_X_Frame_Options
  • NEW: Java_Low_Visibility.Spring_Missing_Content_Security_Policy
  • NEW: Java_Low_Visibility.Spring_Permissive_Content_Security_Policy
  • NEW: Java_Low_Visibility.Spring_Missing_Expect_CT_Header
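The API7 queries above all look at the Spring Security configuration of a service: the CORS policy and the response headers that the `headers()` DSL emits or omits. The following is an added example written for these notes, not Checkmarx code; it is one configuration that sets every header the listed queries check for and restricts CORS to an explicit origin. It assumes Spring Security 5.8 or 6 (lambda DSL) and Spring Web on the classpath; the origin `https://app.example.com`, the `/api/**` path and the policy values are this example's own choices.

```java
import java.util.List;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.header.writers.StaticHeadersWriter;
import org.springframework.security.web.header.writers.XXssProtectionHeaderWriter;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

@Configuration
public class ApiSecurityHeadersConfig {

    // Reported pattern (Spring_Overly_Permissive_Cross_Origin_Resource_Sharing_Policy):
    //   config.addAllowedOrigin("*") combined with config.setAllowCredentials(true)
    // Hardened form: an explicit origin allow-list, so credentials can be allowed safely.
    @Bean
    CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration config = new CorsConfiguration();
        config.setAllowedOrigins(List.of("https://app.example.com")); // assumed front-end origin
        config.setAllowedMethods(List.of("GET", "POST"));
        config.setAllowedHeaders(List.of("Authorization", "Content-Type"));
        config.setAllowCredentials(true);
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/api/**", config); // assumed API path
        return source;
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // cors() with defaults picks up the CorsConfigurationSource bean above.
            .cors(Customizer.withDefaults())
            .headers(headers -> headers
                // Strict-Transport-Security: max-age=31536000 ; includeSubDomains
                .httpStrictTransportSecurity(hsts -> hsts
                    .includeSubDomains(true)
                    .maxAgeInSeconds(31536000))
                // X-Content-Type-Options: nosniff
                .contentTypeOptions(Customizer.withDefaults())
                // X-Frame-Options: DENY
                .frameOptions(frame -> frame.deny())
                // X-XSS-Protection: 1; mode=block (set explicitly; newer defaults emit "0")
                .xssProtection(xss -> xss
                    .headerValue(XXssProtectionHeaderWriter.HeaderValue.ENABLED_MODE_BLOCK))
                // Content-Security-Policy: restrictive directives, not a blanket '*' source
                .contentSecurityPolicy(csp -> csp
                    .policyDirectives("default-src 'none'; frame-ancestors 'none'"))
                // Expect-CT has no dedicated writer in Spring Security; add it as a static header.
                .addHeaderWriter(new StaticHeadersWriter("Expect-CT", "max-age=86400, enforce")))
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated());
        return http.build();
    }
}
```

A permissive CSP such as `default-src *` or one containing `'unsafe-inline'` is the kind of value Spring_Permissive_Content_Security_Policy reports even though the header is present, so the directive string matters as much as the presence of the `contentSecurityPolicy` call.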

API8 - Injection

Java_High_Risk.Xpath_Injection

API9 - Improper Assets Management

No Updates

API10 - Insufficient Logging and Monitoring

No Updates

Version Upgrade
When upgrading CxSAST, for example 8.9 → 9.0, you have to install at least the same content pack for the newer version, for example v9.0 CP13 → v9.2 CP13.
This step ensures that the accuracy of obtained results is maintained while upgrading.

FAQ

Which CxSAST version is this Content Pack for?
As stated in the release notes, this content pack is only compatible with CxSAST v8.9.0.

Which languages were targeted in this Content Pack?
This content pack provides improvements for Java.

Can this Content Pack be installed on top of other Content Packs?
Yes. This content pack is a multi-language content pack. It is cumulative and therefore inherits all the characteristics of previous content packs.

Does this Content Pack depend on other Content Packs?
No. There are no dependencies on other content packs. All content packs are cumulative, meaning that each can be installed over existing content packs.

Can this Content Pack be used with Content Pack 9 (multilanguage, C#)?
Yes. It can. It will override CP9 content.

Is there any order of installation between this Content Pack and Content Pack 9 (multilanguage, C#)?
Yes. There is no need to install other content packs since this content pack includes all the previous ones.

Can this Content Pack be installed in further versions, like CxSAST 9.0?
No. CxSAST 9.0 has a content pack available.

Does this Content Pack depend on any HotFix?
Yes. The content pack requires HF27 or higher.