Symptom Code Databases

A symptom code database serves as an initial test plan at the start of each code review and can be updated continuously as new symptoms are discovered. How you express symptom code depends on the static analysis tool you use and the programming languages it supports. Pattern-matching tools express symptom code as a set of regular expressions, and you can write custom regular expressions for any programming language (VBScript, C#, VB.NET, Java, PHP, etc.). Table 6-3 is an updated version of Table 6-2 that adds examples of Perl 5 regular expressions matching potential Java symptom code.

This is not a complete list of symptom code regular expressions, and the patterns are heuristics rather than precise matchers. Some produce false positives: because the (Runtime|getRuntime\(\)) group is optional, the command-execution pattern reduces to \.exec and also matches JDBC's executeQuery and executeUpdate. Others produce false negatives: the Dynamic SQL patterns are case-sensitive as written, so they miss upper-case SQL keywords unless applied with Perl's /i modifier. All special characters that are to be treated as literals are escaped with the \ character.

Table 6-3. Java symptom code

Symptom                                   Perl 5 regexes for Java code                 Vulnerability/attack
----------------------------------------  -------------------------------------------  ------------------------------------
Dynamic SQL                               select.+from                                 SQL injection
                                          insert.+into
                                          update.+set
Methods for executing commands            (Runtime|getRuntime\(\)){0,1}\.exec          Command injection
File I/O methods                          new\s+(java\.io\.){0,1}File\s*\(             Arbitrary file creation, reading
                                          new\s+(java\.io\.){0,1}FileReader\s*\(
Writing inline request objects            \<\s*%\s*=.+request                          Cross-site scripting
Cookie access methods                     getCookies                                   Broken access control
                                          addCookie
Plaintext database connection strings     jdbc\:                                       Information leakage, unauthorized ...
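The table is exactly the kind of pattern list a grep-style scanner consumes. The following Python script, added here as an example and not code from the book or its authors, loads the Table 6-3 regexes with Python's re module (which accepts this Perl 5 subset unchanged) and runs them line by line over a constructed servlet and a constructed JSP fragment, returning one finding per symptom per line. Two assumptions are not in the table: the Dynamic SQL rows are applied case-insensitively, and the truncated label of the last row is shortened to "Information leakage".

```python
"""Grep-style symptom code scanner built from the Table 6-3 regexes (added example)."""
import re
from typing import NamedTuple


class Symptom(NamedTuple):
    name: str            # "Symptom" column
    vulnerability: str   # "Vulnerability/attack" column
    patterns: tuple      # compiled regexes from the "Perl 5 regexes" column


def _compile(*regexes, flags=0):
    return tuple(re.compile(r, flags) for r in regexes)


# Table 6-3 patterns, verbatim. Assumption (not in the table): the Dynamic SQL
# rows get re.IGNORECASE, since SQL keywords are usually written in upper case.
SYMPTOMS = [
    Symptom("Dynamic SQL", "SQL injection",
            _compile(r"select.+from", r"insert.+into", r"update.+set", flags=re.IGNORECASE)),
    Symptom("Methods for executing commands", "Command injection",
            _compile(r"(Runtime|getRuntime\(\)){0,1}\.exec")),
    Symptom("File I/O methods", "Arbitrary file creation, reading",
            _compile(r"new\s+(java\.io\.){0,1}File\s*\(",
                     r"new\s+(java\.io\.){0,1}FileReader\s*\(")),
    Symptom("Writing inline request objects", "Cross-site scripting",
            _compile(r"\<\s*%\s*=.+request")),
    Symptom("Cookie access methods", "Broken access control",
            _compile(r"getCookies", r"addCookie")),
    Symptom("Plaintext database connection strings", "Information leakage",
            _compile(r"jdbc\:")),
]


def scan(source: str, filename: str = "<string>") -> list:
    """Return one finding per (line, symptom) whose regex matches, in file order."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for symptom in SYMPTOMS:
            for pattern in symptom.patterns:
                if pattern.search(line):
                    findings.append({"file": filename, "line": lineno,
                                     "symptom": symptom.name,
                                     "vulnerability": symptom.vulnerability,
                                     "pattern": pattern.pattern, "text": line.strip()})
                    break  # report a symptom once per line even if several of its regexes hit
    return findings


# Constructed sample input (not from the book): a servlet carrying several symptoms on purpose.
JAVA_SAMPLE = """\
import java.io.File;
public class Report extends HttpServlet {
    protected void doGet(HttpServletRequest request, HttpServletResponse response) {
        String id = request.getParameter("id");
        String q = "SELECT name FROM users WHERE id = " + id;
        Statement st = conn.createStatement();
        ResultSet rs = st.executeQuery(q);
        Runtime.getRuntime().exec("convert " + request.getParameter("file"));
        File f = new File(request.getParameter("path"));
        Cookie[] cookies = request.getCookies();
        String url = "jdbc:mysql://db.example.internal/app?user=app&password=s3cret";
    }
}
"""

# Constructed JSP fragment (not from the book) for the inline-request-object pattern.
JSP_SAMPLE = """\
<html><body>
Hello, <%= request.getParameter("name") %>!
</body></html>
"""

if __name__ == "__main__":
    for f in scan(JAVA_SAMPLE, "Report.java") + scan(JSP_SAMPLE, "hello.jsp"):
        print(f"{f['file']}:{f['line']}: {f['symptom']} -> {f['vulnerability']}  [{f['text']}]")
```

Running it reports six findings in Report.java (lines 5, 7, 8, 9, 10 and 11) and one in hello.jsp. The line 7 hit on st.executeQuery(q) is the false positive described above: with the Runtime group optional, the pattern is effectively \.exec. Tightening it to (Runtime|getRuntime\(\))\.exec\s*\( removes that hit, at the cost of missing an exec call made through a stored Runtime reference (rt.exec(...)), which is the usual precision-versus-recall trade-off when tuning a symptom database.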
