Code Security Report: 24 high severity findings, 41 total findings

[mend-for-github-com]

Code Security Report

Scan Metadata

Latest Scan: 2023-11-20 07:14pm
Total Findings: 41 | New Findings: 0 | Resolved Findings: 0
Tested Project Files: 135
Detected Programming Languages: 2 (JavaScript / Node.js, Java*)

• Check this box to manually trigger a scan

Most Relevant Findings

The below list presents the 10 most relevant findings that need your attention. To view information on the remaining findings, navigate to the Mend Application.

Severity	Vulnerability Type	CWE	File	Data Flows	Date
High	Command Injection	CWE-78	index.jsp:65	2	2023-11-20 03:20pm
Vulnerable Code AltoroJ/WebContent/index.jsp Lines 60 to 65 in 8993e54 shell = "bash"; shellarg = "-c"; command = "cat '" + path + "/" + content +"'"; } Process proc = Runtime.getRuntime().exec(new String[] {shell, shellarg, command}); 2 Data Flow/s detected View Data Flow 1 AltoroJ/WebContent/index.jsp Line 38 in 8993e54 content = request.getParameter("content"); AltoroJ/WebContent/index.jsp Line 62 in 8993e54 command = "cat '" + path + "/" + content +"'"; AltoroJ/WebContent/index.jsp Line 65 in 8993e54 Process proc = Runtime.getRuntime().exec(new String[] {shell, shellarg, command}); AltoroJ/WebContent/index.jsp Line 65 in 8993e54 Process proc = Runtime.getRuntime().exec(new String[] {shell, shellarg, command}); View Data Flow 2 AltoroJ/WebContent/index.jsp Line 38 in 8993e54 content = request.getParameter("content"); AltoroJ/WebContent/index.jsp Line 62 in 8993e54 command = "cat '" + path + "/" + content +"'"; AltoroJ/WebContent/index.jsp Line 65 in 8993e54 Process proc = Runtime.getRuntime().exec(new String[] {shell, shellarg, command}); AltoroJ/WebContent/index.jsp Line 65 in 8993e54 Process proc = Runtime.getRuntime().exec(new String[] {shell, shellarg, command}); Secure Code Warrior Training Material ● Training    ▪ Secure Code Warrior Command Injection Training ● Videos    ▪ Secure Code Warrior Command Injection Video ● Further Reading    ▪ OWASP testing for Command Injection    ▪ OWASP Command Injection
High	SQL Injection	CWE-89	DBUtil.java:494	2	2023-11-20 03:20pm
Vulnerable Code AltoroJ/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java Lines 489 to 494 in 8993e54 public static String addUser(String username, String password, String firstname, String lastname) { try { Connection connection = getConnection(); Statement statement = connection.createStatement(); statement.execute("INSERT INTO PEOPLE (USER_ID,PASSWORD,FIRST_NAME,LAST_NAME,ROLE) VALUES ('"+username+"','"+password+"', '"+firstname+"', '"+lastname+"','user')"); 2 Data Flow/s detected View Data Flow 1 AltoroJ/src/com/ibm/security/appscan/altoromutual/servlet/AdminServlet.java Line 59 in 8993e54 String username = request.getParameter("username"); AltoroJ/src/com/ibm/security/appscan/altoromutual/servlet/AdminServlet.java Line 80 in 8993e54 String error = DBUtil.addUser(username, password1, firstname, lastname); AltoroJ/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java Line 490 in 8993e54 public static String addUser(String username, String password, String firstname, String lastname) { AltoroJ/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java Line 494 in 8993e54 statement.execute("INSERT INTO PEOPLE (USER_ID,PASSWORD,FIRST_NAME,LAST_NAME,ROLE) VALUES ('"+username+"','"+password+"', '"+firstname+"', '"+lastname+"','user')"); AltoroJ/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java Line 494 in 8993e54 statement.execute("INSERT INTO PEOPLE (USER_ID,PASSWORD,FIRST_NAME,LAST_NAME,ROLE) VALUES ('"+username+"','"+password+"', '"+firstname+"', '"+lastname+"','user')"); View Data Flow 2 AltoroJ/src/com/ibm/security/appscan/altoromutual/api/AdminAPI.java Line 67 in 8993e54 public Response addUser(String bodyJSON, @Context HttpServletRequest request) throws IOException{ AltoroJ/src/com/ibm/security/appscan/altoromutual/api/AdminAPI.java Line 80 in 8993e54 bodyJson =new JSONObject(bodyJSON); AltoroJ/src/com/ibm/security/appscan/altoromutual/api/AdminAPI.java Line 80 in 8993e54 bodyJson =new JSONObject(bodyJSON); AltoroJ/src/com/ibm/security/appscan/altoromutual/api/AdminAPI.java Line 83 in 8993e54 lastname = bodyJson.get("lastname").toString(); AltoroJ/src/com/ibm/security/appscan/altoromutual/api/AdminAPI.java Line 83 in 8993e54 lastname = bodyJson.get("lastname").toString(); AltoroJ/src/com/ibm/security/appscan/altoromutual/api/AdminAPI.java Line 83 in 8993e54 lastname = bodyJson.get("lastname").toString(); AltoroJ/src/com/ibm/security/appscan/altoromutual/api/AdminAPI.java Line 83 in 8993e54 lastname = bodyJson.get("lastname").toString(); AltoroJ/src/com/ibm/security/appscan/altoromutual/api/AdminAPI.java Line 103 in 8993e54 error = DBUtil.addUser(username, password1, firstname, lastname); AltoroJ/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java Line 490 in 8993e54 public static String addUser(String username, String password, String firstname, String lastname) { AltoroJ/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java Line 494 in 8993e54 statement.execute("INSERT INTO PEOPLE (USER_ID,PASSWORD,FIRST_NAME,LAST_NAME,ROLE) VALUES ('"+username+"','"+password+"', '"+firstname+"', '"+lastname+"','user')"); AltoroJ/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java Line 494 in 8993e54 statement.execute("INSERT INTO PEOPLE (USER_ID,PASSWORD,FIRST_NAME,LAST_NAME,ROLE) VALUES ('"+username+"','"+password+"', '"+firstname+"', '"+lastname+"','user')"); Secure Code Warrior Training Material ● Training    ▪ Secure Code Warrior SQL Injection Training ● Videos    ▪ Secure Code Warrior SQL Injection Video ● Further Reading    ▪ OWASP SQL Injection Prevention Cheat Sheet    ▪ OWASP SQL Injection    ▪ OWASP Query Parameterization Cheat Sheet
High	SQL Injection	CWE-89	DBUtil.java:471	1	2023-11-20 03:20pm
Vulnerable Code AltoroJ/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java Lines 466 to 471 in 8993e54 public static String addAccount(String username, String acctType) { try { Connection connection = getConnection(); Statement statement = connection.createStatement(); statement.execute("INSERT INTO ACCOUNTS (USERID,ACCOUNT_NAME,BALANCE) VALUES ('"+username+"','"+acctType+"', 0)"); 1 Data Flow/s detected AltoroJ/src/com/ibm/security/appscan/altoromutual/servlet/AdminServlet.java Line 44 in 8993e54 String username = request.getParameter("username"); AltoroJ/src/com/ibm/security/appscan/altoromutual/servlet/AdminServlet.java Line 49 in 8993e54 String error = DBUtil.addAccount(username, acctType); AltoroJ/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java Line 467 in 8993e54 public static String addAccount(String username, String acctType) { AltoroJ/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java Line 471 in 8993e54 statement.execute("INSERT INTO ACCOUNTS (USERID,ACCOUNT_NAME,BALANCE) VALUES ('"+username+"','"+acctType+"', 0)"); AltoroJ/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java Line 471 in 8993e54 statement.execute("INSERT INTO ACCOUNTS (USERID,ACCOUNT_NAME,BALANCE) VALUES ('"+username+"','"+acctType+"', 0)"); Secure Code Warrior Training Material ● Training    ▪ Secure Code Warrior SQL Injection Training ● Videos    ▪ Secure Code Warrior SQL Injection Video ● Further Reading    ▪ OWASP SQL Injection Prevention Cheat Sheet    ▪ OWASP SQL Injection    ▪ OWASP Query Parameterization Cheat Sheet
High	Code Injection	CWE-94	serverStatusCheck.html:41	1	2023-11-20 03:20pm
Vulnerable Code AltoroJ/WebContent/util/serverStatusCheck.html Lines 36 to 41 in 8993e54 } function StateChangeForJSON() { if(xmlHttp.readyState == 4 && xmlHttp.status == 200) { var jsonObj = eval('('+ xmlHttp.responseText + ')'); 1 Data Flow/s detected AltoroJ/WebContent/util/serverStatusCheck.html Line 41 in 8993e54 var jsonObj = eval('('+ xmlHttp.responseText + ')'); Secure Code Warrior Training Material ● Training    ▪ Secure Code Warrior Code Injection Training ● Videos    ▪ Secure Code Warrior Code Injection Video ● Further Reading    ▪ OWASP Command Injection
High	SQL Injection	CWE-89	DBUtil.java:219	3	2023-11-19 11:34pm
Vulnerable Code AltoroJ/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java Lines 214 to 219 in 8993e54 return false; Connection connection = getConnection(); Statement statement = connection.createStatement(); ResultSet resultSet =statement.executeQuery("SELECT COUNT(*)FROM PEOPLE WHERE USER_ID = '"+ user +"' AND PASSWORD='" + password + "'"); /* BAD - user input should always be sanitized */ 3 Data Flow/s detected View Data Flow 1 AltoroJ/src/com/ibm/security/appscan/altoromutual/servlet/CCApplyServlet.java Line 47 in 8993e54 String passwd = request.getParameter("passwd"); AltoroJ/src/com/ibm/security/appscan/altoromutual/servlet/CCApplyServlet.java Line 51 in 8993e54 if (DBUtil.isValidUser(user.getUsername(), passwd.trim())) { AltoroJ/src/com/ibm/security/appscan/altoromutual/servlet/CCApplyServlet.java Line 51 in 8993e54 if (DBUtil.isValidUser(user.getUsername(), passwd.trim())) { AltoroJ/src/com/ibm/security/appscan/altoromutual/servlet/CCApplyServlet.java Line 51 in 8993e54 if (DBUtil.isValidUser(user.getUsername(), passwd.trim())) { AltoroJ/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java Line 212 in 8993e54 public static boolean isValidUser(String user, String password) throws SQLException{ AltoroJ/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java Line 219 in 8993e54 ResultSet resultSet =statement.executeQuery("SELECT COUNT(*)FROM PEOPLE WHERE USER_ID = '"+ user +"' AND PASSWORD='" + password + "'"); /* BAD - user input should always be sanitized */ AltoroJ/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java Line 219 in 8993e54 ResultSet resultSet =statement.executeQuery("SELECT COUNT(*)FROM PEOPLE WHERE USER_ID = '"+ user +"' AND PASSWORD='" + password + "'"); /* BAD - user input should always be sanitized */ View Data Flow 2 AltoroJ/src/com/ibm/security/appscan/altoromutual/servlet/LoginServlet.java Line 79 in 8993e54 String password = request.getParameter("passw"); AltoroJ/src/com/ibm/security/appscan/altoromutual/servlet/LoginServlet.java Line 80 in 8993e54 password = password.trim().toLowerCase(); //in real life the password usually is case sensitive and this cast would not be done AltoroJ/src/com/ibm/security/appscan/altoromutual/servlet/LoginServlet.java Line 80 in 8993e54 password = password.trim().toLowerCase(); //in real life the password usually is case sensitive and this cast would not be done AltoroJ/src/com/ibm/security/appscan/altoromutual/servlet/LoginServlet.java Line 80 in 8993e54 password = password.trim().toLowerCase(); //in real life the password usually is case sensitive and this cast would not be done AltoroJ/src/com/ibm/security/appscan/altoromutual/servlet/LoginServlet.java Line 80 in 8993e54 password = password.trim().toLowerCase(); //in real life the password usually is case sensitive and this cast would not be done AltoroJ/src/com/ibm/security/appscan/altoromutual/servlet/LoginServlet.java Line 82 in 8993e54 if (!DBUtil.isValidUser(username, password)){ AltoroJ/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java Line 212 in 8993e54 public static boolean isValidUser(String user, String password) throws SQLException{ AltoroJ/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java Line 219 in 8993e54 ResultSet resultSet =statement.executeQuery("SELECT COUNT(*)FROM PEOPLE WHERE USER_ID = '"+ user +"' AND PASSWORD='" + password + "'"); /* BAD - user input should always be sanitized */ AltoroJ/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java Line 219 in 8993e54 ResultSet resultSet =statement.executeQuery("SELECT COUNT(*)FROM PEOPLE WHERE USER_ID = '"+ user +"' AND PASSWORD='" + password + "'"); /* BAD - user input should always be sanitized */ View Data Flow 3 AltoroJ/src/com/ibm/security/appscan/altoromutual/api/LoginAPI.java Line 31 in 8993e54 public Response login(String bodyJSON, @Context HttpServletRequest request) throws JSONException { AltoroJ/src/com/ibm/security/appscan/altoromutual/api/LoginAPI.java Line 35 in 8993e54 myJson =new JSONObject(bodyJSON); AltoroJ/src/com/ibm/security/appscan/altoromutual/api/LoginAPI.java Line 35 in 8993e54 myJson =new JSONObject(bodyJSON); AltoroJ/src/com/ibm/security/appscan/altoromutual/api/LoginAPI.java Line 52 in 8993e54 password = myJson.get("password").toString().toLowerCase(); AltoroJ/src/com/ibm/security/appscan/altoromutual/api/LoginAPI.java Line 52 in 8993e54 password = myJson.get("password").toString().toLowerCase(); AltoroJ/src/com/ibm/security/appscan/altoromutual/api/LoginAPI.java Line 52 in 8993e54 password = myJson.get("password").toString().toLowerCase(); AltoroJ/src/com/ibm/security/appscan/altoromutual/api/LoginAPI.java Line 52 in 8993e54 password = myJson.get("password").toString().toLowerCase(); AltoroJ/src/com/ibm/security/appscan/altoromutual/api/LoginAPI.java Line 52 in 8993e54 password = myJson.get("password").toString().toLowerCase(); AltoroJ/src/com/ibm/security/appscan/altoromutual/api/LoginAPI.java Line 52 in 8993e54 password = myJson.get("password").toString().toLowerCase(); AltoroJ/src/com/ibm/security/appscan/altoromutual/api/LoginAPI.java Line 57 in 8993e54 if (!DBUtil.isValidUser(username, password)) { AltoroJ/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java Line 212 in 8993e54 public static boolean isValidUser(String user, String password) throws SQLException{ AltoroJ/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java Line 219 in 8993e54 ResultSet resultSet =statement.executeQuery("SELECT COUNT(*)FROM PEOPLE WHERE USER_ID = '"+ user +"' AND PASSWORD='" + password + "'"); /* BAD - user input should always be sanitized */ AltoroJ/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java Line 219 in 8993e54 ResultSet resultSet =statement.executeQuery("SELECT COUNT(*)FROM PEOPLE WHERE USER_ID = '"+ user +"' AND PASSWORD='" + password + "'"); /* BAD - user input should always be sanitized */ Secure Code Warrior Training Material ● Training    ▪ Secure Code Warrior SQL Injection Training ● Videos    ▪ Secure Code Warrior SQL Injection Video ● Further Reading    ▪ OWASP SQL Injection Prevention Cheat Sheet    ▪ OWASP SQL Injection    ▪ OWASP Query Parameterization Cheat Sheet
High	SQL Injection	CWE-89	DBUtil.java:506	2	2023-11-19 11:34pm
Vulnerable Code AltoroJ/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java Lines 501 to 506 in 8993e54 public static String changePassword(String username, String password) { try { Connection connection = getConnection(); Statement statement = connection.createStatement(); statement.execute("UPDATE PEOPLE SET PASSWORD = '"+ password +"' WHERE USER_ID = '"+username+"'"); 2 Data Flow/s detected View Data Flow 1 AltoroJ/src/com/ibm/security/appscan/altoromutual/servlet/AdminServlet.java Line 91 in 8993e54 String password1 = request.getParameter("password1"); AltoroJ/src/com/ibm/security/appscan/altoromutual/servlet/AdminServlet.java Line 103 in 8993e54 String error = DBUtil.changePassword(username, password1); AltoroJ/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java Line 502 in 8993e54 public static String changePassword(String username, String password) { AltoroJ/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java Line 506 in 8993e54 statement.execute("UPDATE PEOPLE SET PASSWORD = '"+ password +"' WHERE USER_ID = '"+username+"'"); AltoroJ/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java Line 506 in 8993e54 statement.execute("UPDATE PEOPLE SET PASSWORD = '"+ password +"' WHERE USER_ID = '"+username+"'"); View Data Flow 2 AltoroJ/src/com/ibm/security/appscan/altoromutual/api/AdminAPI.java Line 22 in 8993e54 public Response changePassword(String bodyJSON, @Context HttpServletRequest request) throws IOException{ AltoroJ/src/com/ibm/security/appscan/altoromutual/api/AdminAPI.java Line 32 in 8993e54 bodyJson =new JSONObject(bodyJSON); AltoroJ/src/com/ibm/security/appscan/altoromutual/api/AdminAPI.java Line 32 in 8993e54 bodyJson =new JSONObject(bodyJSON); AltoroJ/src/com/ibm/security/appscan/altoromutual/api/AdminAPI.java Line 35 in 8993e54 username = bodyJson.get("username").toString(); AltoroJ/src/com/ibm/security/appscan/altoromutual/api/AdminAPI.java Line 35 in 8993e54 username = bodyJson.get("username").toString(); AltoroJ/src/com/ibm/security/appscan/altoromutual/api/AdminAPI.java Line 35 in 8993e54 username = bodyJson.get("username").toString(); AltoroJ/src/com/ibm/security/appscan/altoromutual/api/AdminAPI.java Line 35 in 8993e54 username = bodyJson.get("username").toString(); AltoroJ/src/com/ibm/security/appscan/altoromutual/api/AdminAPI.java Line 56 in 8993e54 error = DBUtil.changePassword(username, password1); AltoroJ/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java Line 502 in 8993e54 public static String changePassword(String username, String password) { AltoroJ/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java Line 506 in 8993e54 statement.execute("UPDATE PEOPLE SET PASSWORD = '"+ password +"' WHERE USER_ID = '"+username+"'"); AltoroJ/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java Line 506 in 8993e54 statement.execute("UPDATE PEOPLE SET PASSWORD = '"+ password +"' WHERE USER_ID = '"+username+"'"); Secure Code Warrior Training Material ● Training    ▪ Secure Code Warrior SQL Injection Training ● Videos    ▪ Secure Code Warrior SQL Injection Video ● Further Reading    ▪ OWASP SQL Injection Prevention Cheat Sheet    ▪ OWASP SQL Injection    ▪ OWASP Query Parameterization Cheat Sheet
High	SQL Injection	CWE-89	DBUtil.java:242	2	2023-11-19 11:34pm
Vulnerable Code AltoroJ/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java Lines 237 to 242 in 8993e54 if (username == null || username.trim().length() == 0) return null; Connection connection = getConnection(); Statement statement = connection.createStatement(); ResultSet resultSet =statement.executeQuery("SELECT FIRST_NAME,LAST_NAME,ROLE FROM PEOPLE WHERE USER_ID = '"+ username +"' "); /* BAD - user input should always be sanitized */ 2 Data Flow/s detected View Data Flow 1 AltoroJ/src/com/ibm/security/appscan/altoromutual/servlet/LoginServlet.java Line 75 in 8993e54 username = request.getParameter("uid"); AltoroJ/src/com/ibm/security/appscan/altoromutual/servlet/LoginServlet.java Line 94 in 8993e54 Cookie accountCookie = ServletUtil.establishSession(username,session); AltoroJ/src/com/ibm/security/appscan/altoromutual/util/ServletUtil.java Line 340 in 8993e54 public static Cookie establishSession(String username, HttpSession session){ AltoroJ/src/com/ibm/security/appscan/altoromutual/util/ServletUtil.java Line 342 in 8993e54 User user = DBUtil.getUserInfo(username); AltoroJ/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java Line 236 in 8993e54 public static User getUserInfo(String username) throws SQLException{ AltoroJ/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java Line 242 in 8993e54 ResultSet resultSet =statement.executeQuery("SELECT FIRST_NAME,LAST_NAME,ROLE FROM PEOPLE WHERE USER_ID = '"+ username +"' "); /* BAD - user input should always be sanitized */ AltoroJ/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java Line 242 in 8993e54 ResultSet resultSet =statement.executeQuery("SELECT FIRST_NAME,LAST_NAME,ROLE FROM PEOPLE WHERE USER_ID = '"+ username +"' "); /* BAD - user input should always be sanitized */ View Data Flow 2 AltoroJ/src/com/ibm/security/appscan/altoromutual/util/OperationsUtil.java Line 136 in 8993e54 String accessToken = request.getHeader("Authorization").replaceAll("Bearer ", ""); AltoroJ/src/com/ibm/security/appscan/altoromutual/util/OperationsUtil.java Line 136 in 8993e54 String accessToken = request.getHeader("Authorization").replaceAll("Bearer ", ""); AltoroJ/src/com/ibm/security/appscan/altoromutual/util/OperationsUtil.java Line 136 in 8993e54 String accessToken = request.getHeader("Authorization").replaceAll("Bearer ", ""); AltoroJ/src/com/ibm/security/appscan/altoromutual/util/OperationsUtil.java Line 139 in 8993e54 String decodedToken = new String(Base64.decodeBase64(accessToken)); AltoroJ/src/com/ibm/security/appscan/altoromutual/util/OperationsUtil.java Line 139 in 8993e54 String decodedToken = new String(Base64.decodeBase64(accessToken)); AltoroJ/src/com/ibm/security/appscan/altoromutual/util/OperationsUtil.java Line 139 in 8993e54 String decodedToken = new String(Base64.decodeBase64(accessToken)); AltoroJ/src/com/ibm/security/appscan/altoromutual/util/OperationsUtil.java Line 139 in 8993e54 String decodedToken = new String(Base64.decodeBase64(accessToken)); AltoroJ/src/com/ibm/security/appscan/altoromutual/util/OperationsUtil.java Line 140 in 8993e54 StringTokenizer tokenizer = new StringTokenizer(decodedToken,":"); AltoroJ/src/com/ibm/security/appscan/altoromutual/util/OperationsUtil.java Line 140 in 8993e54 StringTokenizer tokenizer = new StringTokenizer(decodedToken,":"); AltoroJ/src/com/ibm/security/appscan/altoromutual/util/OperationsUtil.java Line 141 in 8993e54 String username = new String(Base64.decodeBase64(tokenizer.nextToken())); AltoroJ/src/com/ibm/security/appscan/altoromutual/util/OperationsUtil.java Line 141 in 8993e54 String username = new String(Base64.decodeBase64(tokenizer.nextToken())); AltoroJ/src/com/ibm/security/appscan/altoromutual/util/OperationsUtil.java Line 141 in 8993e54 String username = new String(Base64.decodeBase64(tokenizer.nextToken())); AltoroJ/src/com/ibm/security/appscan/altoromutual/util/OperationsUtil.java Line 141 in 8993e54 String username = new String(Base64.decodeBase64(tokenizer.nextToken())); AltoroJ/src/com/ibm/security/appscan/altoromutual/util/OperationsUtil.java Line 141 in 8993e54 String username = new String(Base64.decodeBase64(tokenizer.nextToken())); AltoroJ/src/com/ibm/security/appscan/altoromutual/util/OperationsUtil.java Line 141 in 8993e54 String username = new String(Base64.decodeBase64(tokenizer.nextToken())); AltoroJ/src/com/ibm/security/appscan/altoromutual/util/OperationsUtil.java Line 142 in 8993e54 return DBUtil.getUserInfo(username); AltoroJ/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java Line 236 in 8993e54 public static User getUserInfo(String username) throws SQLException{ AltoroJ/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java Line 242 in 8993e54 ResultSet resultSet =statement.executeQuery("SELECT FIRST_NAME,LAST_NAME,ROLE FROM PEOPLE WHERE USER_ID = '"+ username +"' "); /* BAD - user input should always be sanitized */ AltoroJ/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java Line 242 in 8993e54 ResultSet resultSet =statement.executeQuery("SELECT FIRST_NAME,LAST_NAME,ROLE FROM PEOPLE WHERE USER_ID = '"+ username +"' "); /* BAD - user input should always be sanitized */ Secure Code Warrior Training Material ● Training    ▪ Secure Code Warrior SQL Injection Training ● Videos    ▪ Secure Code Warrior SQL Injection Video ● Further Reading    ▪ OWASP SQL Injection Prevention Cheat Sheet    ▪ OWASP SQL Injection    ▪ OWASP Query Parameterization Cheat Sheet
High	SQL Injection	CWE-89	DBUtil.java:519	1	2023-11-19 11:34pm
Vulnerable Code AltoroJ/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java Lines 514 to 519 in 8993e54 public static long storeFeedback(String name, String email, String subject, String comments) { try{ Connection connection = getConnection(); Statement statement = connection.createStatement(); statement.execute("INSERT INTO FEEDBACK (NAME,EMAIL,SUBJECT,COMMENTS) VALUES ('"+name+"', '"+email+"', '"+subject+"', '"+comments+"')", Statement.RETURN_GENERATED_KEYS); 1 Data Flow/s detected AltoroJ/src/com/ibm/security/appscan/altoromutual/servlet/FeedbackServlet.java Line 49 in 8993e54 String name = request.getParameter("name"); AltoroJ/src/com/ibm/security/appscan/altoromutual/servlet/FeedbackServlet.java Line 57 in 8993e54 String feedbackId = OperationsUtil.sendFeedback(name, email, subject, comments); AltoroJ/src/com/ibm/security/appscan/altoromutual/util/OperationsUtil.java Line 119 in 8993e54 public static String sendFeedback(String name, String email, AltoroJ/src/com/ibm/security/appscan/altoromutual/util/OperationsUtil.java Line 127 in 8993e54 long id = DBUtil.storeFeedback(name, email, subject, comments); AltoroJ/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java Line 515 in 8993e54 public static long storeFeedback(String name, String email, String subject, String comments) { AltoroJ/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java Line 519 in 8993e54 statement.execute("INSERT INTO FEEDBACK (NAME,EMAIL,SUBJECT,COMMENTS) VALUES ('"+name+"', '"+email+"', '"+subject+"', '"+comments+"')", Statement.RETURN_GENERATED_KEYS); AltoroJ/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java Line 519 in 8993e54 statement.execute("INSERT INTO FEEDBACK (NAME,EMAIL,SUBJECT,COMMENTS) VALUES ('"+name+"', '"+email+"', '"+subject+"', '"+comments+"')", Statement.RETURN_GENERATED_KEYS); Secure Code Warrior Training Material ● Training    ▪ Secure Code Warrior SQL Injection Training ● Videos    ▪ Secure Code Warrior SQL Injection Video ● Further Reading    ▪ OWASP SQL Injection Prevention Cheat Sheet    ▪ OWASP SQL Injection    ▪ OWASP Query Parameterization Cheat Sheet
High	SQL Injection	CWE-89	DBUtil.java:403	1	2023-11-20 03:20pm
Vulnerable Code AltoroJ/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java Lines 398 to 403 in 8993e54 String query = "SELECT * FROM TRANSACTIONS WHERE (" + acctIds.toString() + ") " + ((dateString==null)?"": "AND (" + dateString + ") ") + "ORDER BY DATE DESC" ; ResultSet resultSet = null; try { resultSet = statement.executeQuery(query); 1 Data Flow/s detected AltoroJ/WebContent/bank/transaction.jsp Line 41 in 8993e54 String endString = request.getParameter("endTime"); AltoroJ/WebContent/bank/transaction.jsp Line 47 in 8993e54 transactions = user.getUserTransactions(startString, endString, user.getAccounts()); AltoroJ/src/com/ibm/security/appscan/altoromutual/model/User.java Line 101 in 8993e54 public Transaction[] getUserTransactions(String startDate, String endDate, Account[] accounts) throws SQLException { AltoroJ/src/com/ibm/security/appscan/altoromutual/model/User.java Line 104 in 8993e54 transactions = DBUtil.getTransactions(startDate, endDate, accounts, -1); AltoroJ/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java Line 370 in 8993e54 public static Transaction[] getTransactions(String startDate, String endDate, Account[] accounts, int rowCount) throws SQLException { AltoroJ/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java Line 396 in 8993e54 dateString = "DATE < '" + endDate + " 23:59:59'"; AltoroJ/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java Line 399 in 8993e54 String query = "SELECT * FROM TRANSACTIONS WHERE (" + acctIds.toString() + ") " + ((dateString==null)?"": "AND (" + dateString + ") ") + "ORDER BY DATE DESC" ; AltoroJ/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java Line 399 in 8993e54 String query = "SELECT * FROM TRANSACTIONS WHERE (" + acctIds.toString() + ") " + ((dateString==null)?"": "AND (" + dateString + ") ") + "ORDER BY DATE DESC" ; AltoroJ/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java Line 403 in 8993e54 resultSet = statement.executeQuery(query); Secure Code Warrior Training Material ● Training    ▪ Secure Code Warrior SQL Injection Training ● Videos    ▪ Secure Code Warrior SQL Injection Video ● Further Reading    ▪ OWASP SQL Injection Prevention Cheat Sheet    ▪ OWASP SQL Injection    ▪ OWASP Query Parameterization Cheat Sheet
High	SQL Injection	CWE-89	DBUtil.java:276	2	2023-11-19 11:34pm
Vulnerable Code AltoroJ/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java Lines 271 to 276 in 8993e54 if (username == null || username.trim().length() == 0) return null; Connection connection = getConnection(); Statement statement = connection.createStatement(); ResultSet resultSet =statement.executeQuery("SELECT ACCOUNT_ID, ACCOUNT_NAME, BALANCE FROM ACCOUNTS WHERE USERID = '"+ username +"' "); /* BAD - user input should always be sanitized */ 2 Data Flow/s detected View Data Flow 1 AltoroJ/src/com/ibm/security/appscan/altoromutual/servlet/LoginServlet.java Line 75 in 8993e54 username = request.getParameter("uid"); AltoroJ/src/com/ibm/security/appscan/altoromutual/servlet/LoginServlet.java Line 94 in 8993e54 Cookie accountCookie = ServletUtil.establishSession(username,session); AltoroJ/src/com/ibm/security/appscan/altoromutual/util/ServletUtil.java Line 340 in 8993e54 public static Cookie establishSession(String username, HttpSession session){ AltoroJ/src/com/ibm/security/appscan/altoromutual/util/ServletUtil.java Line 342 in 8993e54 User user = DBUtil.getUserInfo(username); AltoroJ/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java Line 236 in 8993e54 public static User getUserInfo(String username) throws SQLException{ AltoroJ/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java Line 256 in 8993e54 User user = new User(username, firstName, lastName); AltoroJ/src/com/ibm/security/appscan/altoromutual/model/User.java Line 41 in 8993e54 public User(String username, String firstName, String lastName) { AltoroJ/src/com/ibm/security/appscan/altoromutual/model/User.java Line 42 in 8993e54 this.username = username; AltoroJ/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java Line 256 in 8993e54 User user = new User(username, firstName, lastName); AltoroJ/src/com/ibm/security/appscan/altoromutual/util/ServletUtil.java Line 342 in 8993e54 User user = DBUtil.getUserInfo(username); AltoroJ/src/com/ibm/security/appscan/altoromutual/util/ServletUtil.java Line 343 in 8993e54 Account[] accounts = user.getAccounts(); AltoroJ/src/com/ibm/security/appscan/altoromutual/model/User.java Line 76 in 8993e54 public Account[] getAccounts(){ AltoroJ/src/com/ibm/security/appscan/altoromutual/model/User.java Line 78 in 8993e54 return DBUtil.getAccounts(username); AltoroJ/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java Line 270 in 8993e54 public static Account[] getAccounts(String username) throws SQLException{ AltoroJ/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java Line 276 in 8993e54 ResultSet resultSet =statement.executeQuery("SELECT ACCOUNT_ID, ACCOUNT_NAME, BALANCE FROM ACCOUNTS WHERE USERID = '"+ username +"' "); /* BAD - user input should always be sanitized */ AltoroJ/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java Line 276 in 8993e54 ResultSet resultSet =statement.executeQuery("SELECT ACCOUNT_ID, ACCOUNT_NAME, BALANCE FROM ACCOUNTS WHERE USERID = '"+ username +"' "); /* BAD - user input should always be sanitized */ View Data Flow 2 AltoroJ/src/com/ibm/security/appscan/altoromutual/util/OperationsUtil.java Line 136 in 8993e54 String accessToken = request.getHeader("Authorization").replaceAll("Bearer ", ""); AltoroJ/src/com/ibm/security/appscan/altoromutual/util/OperationsUtil.java Line 136 in 8993e54 String accessToken = request.getHeader("Authorization").replaceAll("Bearer ", ""); AltoroJ/src/com/ibm/security/appscan/altoromutual/util/OperationsUtil.java Line 136 in 8993e54 String accessToken = request.getHeader("Authorization").replaceAll("Bearer ", ""); AltoroJ/src/com/ibm/security/appscan/altoromutual/util/OperationsUtil.java Line 139 in 8993e54 String decodedToken = new String(Base64.decodeBase64(accessToken)); AltoroJ/src/com/ibm/security/appscan/altoromutual/util/OperationsUtil.java Line 139 in 8993e54 String decodedToken = new String(Base64.decodeBase64(accessToken)); AltoroJ/src/com/ibm/security/appscan/altoromutual/util/OperationsUtil.java Line 139 in 8993e54 String decodedToken = new String(Base64.decodeBase64(accessToken)); AltoroJ/src/com/ibm/security/appscan/altoromutual/util/OperationsUtil.java Line 139 in 8993e54 String decodedToken = new String(Base64.decodeBase64(accessToken)); AltoroJ/src/com/ibm/security/appscan/altoromutual/util/OperationsUtil.java Line 140 in 8993e54 StringTokenizer tokenizer = new StringTokenizer(decodedToken,":"); AltoroJ/src/com/ibm/security/appscan/altoromutual/util/OperationsUtil.java Line 140 in 8993e54 StringTokenizer tokenizer = new StringTokenizer(decodedToken,":"); AltoroJ/src/com/ibm/security/appscan/altoromutual/util/OperationsUtil.java Line 141 in 8993e54 String username = new String(Base64.decodeBase64(tokenizer.nextToken())); AltoroJ/src/com/ibm/security/appscan/altoromutual/util/OperationsUtil.java Line 141 in 8993e54 String username = new String(Base64.decodeBase64(tokenizer.nextToken())); AltoroJ/src/com/ibm/security/appscan/altoromutual/util/OperationsUtil.java Line 141 in 8993e54 String username = new String(Base64.decodeBase64(tokenizer.nextToken())); AltoroJ/src/com/ibm/security/appscan/altoromutual/util/OperationsUtil.java Line 141 in 8993e54 String username = new String(Base64.decodeBase64(tokenizer.nextToken())); AltoroJ/src/com/ibm/security/appscan/altoromutual/util/OperationsUtil.java Line 141 in 8993e54 String username = new String(Base64.decodeBase64(tokenizer.nextToken())); AltoroJ/src/com/ibm/security/appscan/altoromutual/util/OperationsUtil.java Line 141 in 8993e54 String username = new String(Base64.decodeBase64(tokenizer.nextToken())); AltoroJ/src/com/ibm/security/appscan/altoromutual/util/OperationsUtil.java Line 142 in 8993e54 return DBUtil.getUserInfo(username); AltoroJ/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java Line 236 in 8993e54 public static User getUserInfo(String username) throws SQLException{ AltoroJ/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java Line 256 in 8993e54 User user = new User(username, firstName, lastName); AltoroJ/src/com/ibm/security/appscan/altoromutual/model/User.java Line 41 in 8993e54 public User(String username, String firstName, String lastName) { AltoroJ/src/com/ibm/security/appscan/altoromutual/model/User.java Line 42 in 8993e54 this.username = username; AltoroJ/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java Line 256 in 8993e54 User user = new User(username, firstName, lastName); AltoroJ/src/com/ibm/security/appscan/altoromutual/util/OperationsUtil.java Line 142 in 8993e54 return DBUtil.getUserInfo(username); AltoroJ/src/com/ibm/security/appscan/altoromutual/api/AccountAPI.java Line 35 in 8993e54 Account[] account = (OperationsUtil.getUser(request)).getAccounts(); AltoroJ/src/com/ibm/security/appscan/altoromutual/api/AccountAPI.java Line 35 in 8993e54 Account[] account = (OperationsUtil.getUser(request)).getAccounts(); AltoroJ/src/com/ibm/security/appscan/altoromutual/model/User.java Line 76 in 8993e54 public Account[] getAccounts(){ AltoroJ/src/com/ibm/security/appscan/altoromutual/model/User.java Line 78 in 8993e54 return DBUtil.getAccounts(username); AltoroJ/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java Line 270 in 8993e54 public static Account[] getAccounts(String username) throws SQLException{ AltoroJ/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java Line 276 in 8993e54 ResultSet resultSet =statement.executeQuery("SELECT ACCOUNT_ID, ACCOUNT_NAME, BALANCE FROM ACCOUNTS WHERE USERID = '"+ username +"' "); /* BAD - user input should always be sanitized */ AltoroJ/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java Line 276 in 8993e54 ResultSet resultSet =statement.executeQuery("SELECT ACCOUNT_ID, ACCOUNT_NAME, BALANCE FROM ACCOUNTS WHERE USERID = '"+ username +"' "); /* BAD - user input should always be sanitized */ Secure Code Warrior Training Material ● Training    ▪ Secure Code Warrior SQL Injection Training ● Videos    ▪ Secure Code Warrior SQL Injection Video ● Further Reading    ▪ OWASP SQL Injection Prevention Cheat Sheet    ▪ OWASP SQL Injection    ▪ OWASP Query Parameterization Cheat Sheet

Findings Overview

Severity	Vulnerability Type	CWE	Language	Count
High	Cross-Site Scripting	CWE-79	Java*	11
High	Command Injection	CWE-78	Java*	1
High	SQL Injection	CWE-89	Java*	8
High	DOM Based Cross-Site Scripting	CWE-79	JavaScript / Node.js	3
High	Code Injection	CWE-94	JavaScript / Node.js	1
Medium	Trust Boundary Violation	CWE-501	Java*	2
Medium	Error Messages Information Exposure	CWE-209	Java*	10
Medium	Hardcoded Password/Credentials	CWE-798	JavaScript / Node.js	1
Low	Unvalidated/Open Redirect	CWE-601	JavaScript / Node.js	4