Classification of PVS-Studio warnings according to OWASP Top 10 Web Application Security Risks
OWASP Top 10 is the rating of ten most critical web application security risks that is based on a general consensus of security experts from around the world. The ranking in the rating is based on severity of listed potential security threats, the frequency of these threats and on the magnitude of potential damage that they can inflict. The goal of OWASP Top 10 project is to provide developers and security specialists with information that can help them identify, counteract and promptly rectify security risks to the applications they are developing.
Every few years OWASP Top 10 rating is updated to reflect the most relevant application security threats. PVS-Studio classifies its diagnostic rules in accordance with OWASP Top 10 version 2021.
PVS-Studio has diagnostic rules for detecting 10/10 (100%) of the listed categories of vulnerabilities.
Category |
PVS-Studio Rule |
---|---|
A1 Broken Access Control. Access control enforces policy such that users cannot act outside of their intended permissions. Failures typically lead to unauthorized information disclosure, modification, or destruction of all data or performing a business function outside the user's limits. |
V5609 - Possible path traversal vulnerability. Potentially tainted data is used as a path. V5623 - Possible open redirect vulnerability. Potentially tainted data is used in the URL. V5628 - Possible Zip Slip vulnerability. Potentially tainted data is used in the path to extract the file. |
A2 Cryptographic Failures. Data in transit and at rest — such as passwords, credit card numbers, health records, personal information, and business secrets — require extra protection due to the potential for cryptographic failures (sensitive data exposures). This is especially true if the data falls under any of the privacy laws such as GDPR, CCPA, and others. |
V5612 - Do not use old versions of SSL/TLS protocols as it may cause security issues. V5613 - Use of outdated cryptographic algorithm is not recommended. |
A3 Injection. Injection vulnerabilities can occur when a query or command is used to insert untrusted data into the interpreter via SQL, OS, NoSQL, or LDAP injection. The hostile data injected through this attack vector tricks the interpreter to make the application do something it was not designed for, such as generating unintended commands or accessing data without proper authentication. |
V5009 - Unchecked tainted data is used in expression. V5608 - Possible SQL injection. Potentially tainted data is used to create SQL command. V5610 - Possible XSS vulnerability. Potentially tainted data might be used to execute a malicious script. V5616 - Possible command injection. Potentially tainted data is used to create OS command. V5620 - Possible LDAP injection. Potentially tainted data is used in a search filter. V5622 - Possible XPath injection. Potentially tainted data is used in the XPath expression. V5627 - Possible NoSQL injection. Potentially tainted data is used to create query. V5628 - Possible Zip Slip vulnerability. Potentially tainted data is used in the path to extract the file. |
A4 Insecure Design. Insecure design is a wide term that encompasses a variety of flaws and is defined as "missing or poor control design". Threat modeling, secure design patterns, and reference architectures are among the new categories for 2021, with a demand for increasing the usage of threat modeling, safe design patterns, and reference architectures. |
V5621 - Error message contains potentially sensitive data that may be exposed. |
A5 Security Misconfiguration. Gartner estimates that up to 95% of cloud breaches are the result of human errors. Security setting misconfigurations are one of the prime drivers of that statistic, with OWASP noting that, of the top ten, this vulnerability is the most common. There are many types of misconfiguration that expose the company to cybersecurity risk, including accepting default settings that are insecure, overly accessible cloud storage resources, incomplete configurations, misconfigured HTTP headers, verbose error messages that contain sensitive information. |
V5612 - Do not use old versions of SSL/TLS protocols as it may cause security issues. V5614 - Potential XXE vulnerability. Insecure XML parser is used to process potentially tainted data. V5615 - Potential XEE vulnerability. Insecure XML parser is used to process potentially tainted data. V5624 - Use of potentially tainted data in configuration may lead to security issues. |
A6 Vulnerable and Outdated Components. Modern distributed web applications often incorporate open source components such as libraries and frameworks. Any component with a known vulnerability becomes a weak link that can impact the security of the entire application. Although the use of open source components with known vulnerabilities ranks low in terms of security problem severity, it is #1 when ranking the OWASP Top 10 by how often a vulnerability was the root cause of an actual data breach. |
V5625 - Referenced package contains vulnerability. |
A7 Identification and Authentication Failures. When applications incorrectly execute functions related to session management or user authentication, intruders may be able to compromise passwords, security keys, or session tokens and permanently or temporarily assume the identities and permissions of other users. This vulnerability poses a grave threat to the security of the application and the resources it accesses and can also severely compromise other assets connected to the same network. |
V5013 - Storing credentials inside source code can lead to security issues. V5305 - Storing credentials inside source code can lead to security issues. V5601 - Storing credentials inside source code can lead to security issues. V5613 - Use of outdated cryptographic algorithm is not recommended. V5617 - Assigning potentially negative or large value as timeout of HTTP session can lead to excessive session expiration time. |
A8 Software and Data Integrity Failures. Software and data integrity failures relate to code and infrastructure that does not protect against integrity violations. An example of this is where an application relies upon plugins, libraries, or modules from untrusted sources, repositories, and content delivery networks (CDNs). An insecure CI/CD pipeline can introduce the potential for unauthorized access, malicious code, or system compromise. |
V5611 - Potential insecure deserialization vulnerability. Potentially tainted data is used to create an object using deserialization. |
A9 Security Logging and Monitoring Failures. This category is to help detect, escalate, and respond to active breaches. Without logging and monitoring, breaches cannot be detected. Studies indicate that the time from attack to detection can take up to 200 days, and often longer. This window gives cyber thieves plenty of time to tamper with servers, corrupt databases, steal confidential information, and plant malicious code. |
V5002 - An empty exception handler. Silent suppression of exceptions can hide the presence of bugs in source code during testing. V5003 - The object was created but it is not being used. The 'throw' keyword could be missing. V5008 - Classes should always be derived from std::exception (and alike) as 'public'. V5301 - An exception handling block does not contain any code. V5302 - Exception classes should be publicly accessible. V5303 - The object was created but it is not being used. The 'throw' keyword could be missing. V5306 - The original exception object was swallowed. Cause of original exception could be lost. V5602 - The object was created but it is not being used. The 'throw' keyword could be missing. V5603 - The original exception object was swallowed. Stack of original exception could be lost. V5606 - An exception handling block does not contain any code. V5607 - Exception classes should be publicly accessible. V5619 - Possible log injection. Potentially tainted data is written into logs. |
A10 Server-Side Request Forgery. SSRF flaws occur whenever a web application is fetching a remote resource without validating the user-supplied URL. It allows an attacker to coerce the application to send a crafted request to an unexpected destination, even when protected by a firewall, VPN, or another type of network access control list (ACL). |
V5618 - Possible server-side request forgery. Potentially tainted data is used in the URL. |