Release Announcement – September 23, 2020

September 23, 2020

The Kiuwan team is excited to announce the availability of our latest release, featuring extended support for JSX React, the ability to check for dynamic components built using an Angular framework, and an updated plugin for Jenkins.

Angular dynamic components

We’ve expanded our JavaScript support with this release. Now, Kiuwan is able to check for dynamic components built in an Angular framework.

The underlying vulnerability from using dynamic component construction is identical to other types of “eval injection” issues, as described in CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’). Dynamic component construction makes it possible for an attacker to “execute arbitrary code, or at least modify what code can be executed,” potentially giving the attacker full control of the browser environment.
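
The following is an added example, not Kiuwan's code nor Angular's, that contrasts the eval-style pattern behind this finding with the allow-list pattern that removes it. The component classes are constructed stand-ins; in a real Angular application they would be @Component classes handed to ViewContainerRef.createComponent, and the registry lookup would sit in front of that call.

```javascript
// Added example (not from the original announcement): resolving a dynamic
// component name that comes from untrusted input (a route parameter, a CMS
// field, a query string).

// Constructed stand-ins for component classes.
class UserCard { render() { return "<user-card>"; } }
class ProductCard { render() { return "<product-card>"; } }

// VULNERABLE PATTERN (the CWE-95 shape the release note describes): the string
// is evaluated as JavaScript to obtain a constructor, so any expression the
// caller supplies runs in the browser context. Kept only for contrast.
function resolveComponentUnsafe(expression, scope) {
  // Equivalent to eval(expression) with the names in `scope` visible.
  return new Function(...Object.keys(scope), `return (${expression});`)(...Object.values(scope));
}

// HARDENED PATTERN: the untrusted string is only ever a lookup key into an
// explicit, frozen allow-list. Unknown names (including prototype properties
// such as "constructor" or "__proto__") are rejected instead of evaluated.
const COMPONENT_REGISTRY = Object.freeze({
  "user-card": UserCard,
  "product-card": ProductCard,
});

function resolveComponent(name) {
  if (typeof name !== "string" ||
      !Object.prototype.hasOwnProperty.call(COMPONENT_REGISTRY, name)) {
    return null; // caller renders a fallback; nothing from the input reaches eval
  }
  return COMPONENT_REGISTRY[name];
}

function renderDynamic(name) {
  const Ctor = resolveComponent(name);
  return Ctor ? new Ctor().render() : "<fallback>";
}
```

The unsafe variant is what a rule for this finding is looking for: a string from outside the program reaching `eval`, `new Function`, or an equivalent evaluation step. Note that `resolveComponentUnsafe("1 + 1", {})` happily returns `2`, which shows it evaluates arbitrary expressions rather than just selecting a component.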

JSX React

Previously, Kiuwan’s JavaScript implementation provided partial support for React. Now, this support is extended with JSX technology.

JSX, or JavaScript XML, is an XML-like syntax extension to ECMAScript that is part of the React library. The complete specification is available at Draft: JSX Specification.

The following elements have been identified as potential security flaws and are detected by the existing JS rules:

  1. The dangerouslySetInnerHTML attribute is an entry point for XSS attacks (see dangerouslySetInnerHTML).
  2. Server-side rendering of attacker-controlled initial state leads to XSS in React apps using Redux.
  3. XSS in explicit calls to React.createElement(…) with untrusted props or children (see Avoiding XSS in React is Still Hard).
  4. Attribute injection also leads to XSS.

In React, the HTML code is embedded into the JS code, so the HTML code must be checked to mark sources, sinks, or neutralization (for example, <input> elements).

Also, the embedded HTML code is analyzed by Kiuwan with the rules from the HTML technology. The following existing checks may be applied:

  • OPT.HTML.AutocompleteOnForSensitiveFields.
  • OPT.HTML.MissingPasswordFieldMasking.
  • OPT.HTML.TargetBlankVulnerability.
  • OPT.HTML.SandboxAllowScriptsAndSameOrigin.
  • OPT.HTML.SpecifyIntegrityAttribute.
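
To make two of these rules concrete, here is an added example (not Kiuwan's rule implementation) that checks constructed markup of the kind found inside JSX for the TargetBlankVulnerability and SpecifyIntegrityAttribute conditions. It uses regular expressions over a small sample string; the sample URLs and the sha384 value are placeholders, and a production rule would work on a parsed tree rather than regexes.

```javascript
// Added example (not from the original announcement): a minimal checker for
// two of the listed HTML findings, run over constructed sample markup.

const SAMPLE_MARKUP = `
<a href="https://example.com/docs" target="_blank">Docs</a>
<a href="https://example.com/blog" target="_blank" rel="noopener noreferrer">Blog</a>
<script src="https://cdn.example.com/lib.js"></script>
<script src="https://cdn.example.com/lib2.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
`;

// Parse name="value" attributes out of a single opening tag (lower-cased names).
function attrs(tag) {
  const out = {};
  for (const m of tag.matchAll(/([a-zA-Z-]+)\s*=\s*"([^"]*)"/g)) {
    out[m[1].toLowerCase()] = m[2];
  }
  return out;
}

function checkMarkup(html) {
  const findings = [];

  // OPT.HTML.TargetBlankVulnerability: target="_blank" without rel="noopener"
  // (noreferrer also implies noopener) leaves window.opener available to the
  // opened page.
  for (const m of html.matchAll(/<a\b[^>]*>/g)) {
    const a = attrs(m[0]);
    if (a.target === "_blank" && !/\bno(opener|referrer)\b/.test(a.rel || "")) {
      findings.push({ rule: "OPT.HTML.TargetBlankVulnerability", href: a.href });
    }
  }

  // OPT.HTML.SpecifyIntegrityAttribute: a script loaded from an absolute URL
  // (typically a third-party CDN) without Subresource Integrity.
  for (const m of html.matchAll(/<script\b[^>]*>/g)) {
    const s = attrs(m[0]);
    if (s.src && /^https?:\/\//i.test(s.src) && !s.integrity) {
      findings.push({ rule: "OPT.HTML.SpecifyIntegrityAttribute", src: s.src });
    }
  }

  return findings;
}
```

Running `checkMarkup(SAMPLE_MARKUP)` flags the first anchor and the first script; the second of each carries the attribute the rule expects.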

Kiuwan plugin for Jenkins update

The Kiuwan Plugin for Jenkins allows you to execute a Kiuwan analysis as a Post-build action or as a Pipeline step. For full documentation or to download the plugin, refer to the links below:

In this release, we’ve updated the Kiuwan plugin for Jenkins as described below:

  • Connection Profiles: Previously, the Kiuwan Jenkins Plugin’s connection settings were limited to one configuration per Jenkins installation. Now you can define several profiles, so you can use multiple accounts, and Kiuwan On-Premises customers may use different environments.
  • New analysis result dashboard.
  • Improved support for short-lived nodes.
  • Pipeline support.

Additional bug fixes and improvements

For a full list of additional bug fixes and improvements, refer to our Change Log.
