This guide will show you how to review the status of defects. 


CSRF-Protection for JSP

OPT.JSP.SEC_JSP.FileInclusionVulnerability

JSP technology provides the <jsp:include> action (or the JSTL <c:import> tag) for including content in the current page, either from a local (web application) resource or from a URL, respectively.

When the page path or URL is formed from untrusted input, an attacker can supply that input in the HTTP request and force the J2EE application server to include an unintended resource. This opens the way either to disclosure of sensitive local files (such as a configuration file under /WEB-INF) or to remote file inclusion, e.g. attacker-controlled remote content carrying malicious JavaScript (for CSRF attacks) or Java scriptlet code that executes unexpected server-side operations, including operating system commands.

Info

Kiuwan provides the rule OPT.JSP.SEC_JSP.FileInclusionVulnerability that avoids unintended leakage of sensitive local/remote files, or remote file include attacks, in JSP dynamic include actions.

Use the "compile-time" <%@ include %> directive if the included page is local and non-dynamic.

If the included page must be dynamic, never let untrusted input directly form part of the page path (for <jsp:include>) or page URL (for <c:import>). Instead, use a request attribute set in the server-side controller class that processes the request, where the dynamic page is selected (untrusted input should still not be part of that page path or URL).
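As an added example (not Kiuwan's code and not from the original page), the dynamic-include pattern the rule flags is shown next to the request-attribute pattern recommended above. Assumptions: the javax.servlet API (J2EE namespace) is on the classpath, Java 9+ is available for Map.of, and the names PageController, ALLOWED_VIEWS, DEFAULT_VIEW and the "view" attribute are invented for the example.

```java
// Added example, not Kiuwan's or any project's code. Names (PageController,
// ALLOWED_VIEWS, DEFAULT_VIEW, the "view" attribute) are assumptions.
//
// Vulnerable JSP (layout.jsp): the page attribute is built from a request
// parameter, so whatever the client sends reaches the container's include
// logic directly. This is the pattern the rule reports:
//
//     <jsp:include page="${param.page}" />
//
// Hardened JSP: the page attribute is read only from a request attribute that
// the controller below sets from a fixed allowlist:
//
//     <jsp:include page="${view}" />

import java.io.IOException;
import java.util.Map;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Assumed controller name: maps a client-chosen key to a server-chosen path. */
@WebServlet("/app")
public class PageController extends HttpServlet {

    // Only these keys are accepted, and only these values can ever reach
    // <jsp:include>. Keeping the views under /WEB-INF means the container
    // refuses to serve them to clients directly; the include is the only way in.
    private static final Map<String, String> ALLOWED_VIEWS = Map.of(
            "home",    "/WEB-INF/views/home.jsp",
            "profile", "/WEB-INF/views/profile.jsp",
            "help",    "/WEB-INF/views/help.jsp");

    private static final String DEFAULT_VIEW = ALLOWED_VIEWS.get("home");

    /**
     * Resolve an untrusted "page" value to an allowlisted view path.
     * A missing parameter selects the default view; an unknown value yields
     * null so the caller can refuse the request instead of guessing a path.
     */
    static String resolveView(String requested) {
        if (requested == null) {
            return DEFAULT_VIEW;
        }
        // Exact-key lookup: no concatenation, no normalisation, no path
        // characters from the client ever become part of the result.
        return ALLOWED_VIEWS.get(requested);
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String view = resolveView(req.getParameter("page"));
        if (view == null) {
            // Unknown key: refuse rather than fall back to anything derived
            // from the input. A log entry here is a useful detection signal.
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        // The JSP reads ${view}; the raw parameter never forms part of a path.
        req.setAttribute("view", view);
        req.getRequestDispatcher("/WEB-INF/views/layout.jsp").forward(req, resp);
    }
}
```

The design choice worth noting is that the client chooses a key, not a path: resolveView performs an exact map lookup, so there is no string to sanitise and no traversal or remote-URL case to reason about. If the application needs a user-controlled value in the include at all, the allowlist is the place to keep that control server-side.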

Review Status of Defects

After an analysis, some time needs to be dedicated to reviewing the defects found by Kiuwan before they are submitted to the developers. 

There can be various reasons to review a defect, e.g. to confirm whether it is a true or false positive.

For this process, Kiuwan has the option of setting a Status for every defect:

Status name   Description
To review     The defect is open for review.
Reviewed      The defect has been reviewed.

It is also possible to add Notes to the review process. 

After the review:

  • Proceed to its remediation (for example by creating an Action Plan and exporting it to Jira)
  • Or mute it (for any specific reason; see Muting Defects for further info)

Note for the Kiuwan IDE Plug-In

The Review Status of defects is exported to the Kiuwan IDE Plug-In and displayed within the Server Defects List.

This allows informing developers of those defects that should be reviewed.

How to set the Review Status of a Defect 

Select the concrete defect, open the menu at the right and select Status.

The Defect Status window appears.

Select the review status and add a note (if needed).

Click Apply. The defect status will be marked with a label on the Defects page. 

How to find defects by Review Status

In the Defects page, open the Status filter and select the status to filter the defects by.
