Each content pack (CP) for API Security contains a new or refactored set of queries targeting API-related vulnerabilities. It aims to reduce the number of false negative results in API projects while keeping the general accuracy of the queries.
This content pack uses the unified installer and includes all previous content packs published for version 8.9. It includes updates for Java, C# and JavaScript.
It brings improvements that reduce the amount of false positive findings in C#, and OWASP TOP 10 API support in Java.
The changes provided are listed in the next section.
This content pack includes improvements in the OWASP TOP 10 API queries.
API Security Content
The following improvements have been made for Java queries (even though not all are related to the API Security Preset):
Java_High_Risk.Reflected_XSS_All_Clients - Updated to remove FP results that appear on API code. It was also updated to make its sanitizers match the JSF framework support.
Java_Low_Visibility.Stored_Absolute_Path_Traversal - Updated to consider file read APIs rather than file streams.
Java_Low_Visibility.Use_of_Broken_or_Risky_Cryptographic_Algorithm - Updated to find results associated with weak algorithms such as RC2, RC4, ARCFOUR or Blowfish.
The following queries were added to the Java set of queries. For details on each query, refer to its description in the CxSAST Portal.
Java_Best_Coding_Practice.Spring_Missing_Object_Level_Authorization
The following is a list of queries with changes made to improve relevant results for API Security in general.
Java_High_Risk.Reflected_XSS_All_Clients - although not related to API Security, this query was updated to remove FP results that appear on API code. It was also updated to make its sanitizers match the JSF framework support.
Several general queries were also changed, which may have affected other API Security related queries.
API1 - Broken Object Level Authorization
Query status tables for this category (table contents not preserved on this page)
API2 - Broken Authentication
Query status tables for this category (table contents not preserved on this page)
API3 - Excessive Data Exposure
Query status table for this category (table contents not preserved on this page)
API4 - Lack of Resources and Rate Limiting
No Updates
API5 - Broken Function Level Authentication
Query status table for this category (table contents not preserved on this page)
API6 - Mass Assignment
No Updates
API7 - Security Misconfiguration
Query status tables for this category (table contents not preserved on this page)
API8 - Injection
Java_High_Risk.Xpath_Injection
API9 - Improper Assets Management
No Updates
API10 - Insufficient Logging and Monitoring
No Updates
Version Upgrade
When upgrading CxSAST, for example from 8.9 to 9.0, you have to install at least the same content pack for the newer version, for example v9.0 CP13 → v9.2 CP13.
This step ensures that the accuracy of the obtained results is maintained across the upgrade.
Frequently asked questions:
Which CxSAST version is this Content Pack for?
Which languages were targeted in this Content Pack?
Can this Content Pack be installed on top of other Content Packs?
Does this Content Pack depend on other Content Packs?
Can this Content Pack be used with Content Pack 9 (multilanguage, C#)?
Is there any order of installation between this Content Pack and Content Pack 9 (multilanguage, C#)?
Can this Content Pack be installed in further versions, like CxSAST 9.0?
Does this Content Pack depend on any HotFix?