java.util.Random
new[[:space:]]*(Secure)?Random[[:space:]]*\(
MessageDigest\.getInstance[[:space:]]*\([\"\']([Mm][Dd]5|[Ss][Hh][Aa]-?(1|256)|[Rr][Ss][Aa]\/[Nn][Oo][Nn][Ee]|DES.*|AES\/(CBC|ECB)\/.*)[\"\']\)
\.digest[[:space:]]*\(
extends[[:space:]]*MessageDigest
# Java Specific Security Related Exceptions
AccessControlException
BindException
ConcurrentModificationException
DigestException
FileNotFoundException
GeneralSecurityException
InsufficientResourcesException
InvalidAlgorithmParameterException
InvalidKeyException
InvalidParameterException
JarException
KeyException
KeyManagementException
KeyStoreException
NoSuchAlgorithmException
NoSuchProviderException
NotOwnerException
NullPointerException
OutOfMemoryError
PrivilegedActionException
ProviderException
SignatureException
SQLException
StackOverflowError
UnrecoverableEntryException
UnrecoverableKeyException
response.sendRedirect[[:space:]]*\(.*([Rr]eq(uest)?|\.[Gg]et[Pp]aram).*\)
out\.print(ln)?.*([Rr]eq(uest)?|\.[Gg]et[Pp]aram)
<%=([Rr]equest|\.[Gg]et[Pp]aram)
\.exec[[:space:]]*\([^\)\;]+[\'\"][[:space:]]*\+.*
(execute|create|new)Query[[:space:]]*\(.*[\"\'][[:space:]]*\+[[:space:]]*[^\"\']+
queryforObject[[:space:]]*\(.*[\"\'][[:space:]]*\+[[:space:]]*[^\"\']+
eval[[:space:]]*\([^\)\;\"]*([Rr]eq(uest)?[\.\)]|\.[Gg]et[Pp]aram[[:space:]]*[\[\(]).*\)
\.getDocument[[:space:]]*\([^\)\;]+([Rr]eq(uest)?|\.[Gg]et[Pp]aram).*\)
(WHERE|where)[[:space:]]+[^;]+=[[:space:]]*[\'\"][\'\"]?[[:space:]]*\+[[:space:]]*[^\"\']+
[\'\" ]+AND[[:space:]]+.*=[[:space:]]*[\'\"][\'\"]?[[:space:]]*\+[[:space:]]*[^\"\']
(LIKE|like)[[:space:]]+[\'\"A-Za-z0-9%]+[\'\"][\'\"]?[[:space:]]*\+[[:space:]]*[^\"\']
(ORDER[[:space:]]+BY|order[[:space:]]+by)[[:space:]]+[A-Za-z0-9_, -]*[\'\"][\'\"]?[[:space:]]*\+[[:space:]]*[^\"\']
(LIMIT|limit)[[:space:]]+([0-9,]+)?[[:space:]]*[\'\"][\'\"]?[[:space:]]*\+[[:space:]]*[^\"\']
AccessController
addHeader
CallableStatement
Cipher
controller
createRequest
doPrivileged
exec[[:space:]]*\(
executeQuery[[:space:]]*\(
executeUpdate
\.getHeader[[:space:]]*\(
\.getParameter[[:space:]]*\(
\.getProperty[[:space:]]*\(
\.getQueryString[[:space:]]*\(
\.getSession[[:space:]]*\(
\.getRequestedSessionId[[:space:]]*\(
\.getServerName[[:space:]]*\(
HTTPCookie
HttpServletRequest
HttpServletResponse
HttpsURLConnection
invalidate
IS_SUPPORTING_EXTERNAL_ENTITIES
KeyManagerFactory
PreparedStatement
\.PathParam[[:space:]]*\(
SecurityException
SecurityManager
sendRedirect
setAllowFileAccess
setHeader
setJavaScriptEnabled
setPluginState
setStatus
SSLContext
SSLSocketFactory
Statement
SUPPORT_DTD
suppressAccessChecks
TrustManager
XMLReader
ObjectInputStream
readObject[[:space:]]*\(
resolveClass[[:space:]]*\(
\.createValueExpression[[:space:]]*\(
printStackTrace[[:space:]]*\(
SecretKeySpec
\.csrf\(\)\.disable\(\)
new[[:space:]]+URL[[:space:]]*\(.*\)\.(open(Stream|Connection)|getContent)
request.getQueryString
exec[[:space:]]*\(.*\)
Runtime\.
getRuntime[[:space:]]*\(.*\)(\.|\s*;)
getRequest
[Rr]equest.getParameter
getProperty[[:space:]]*\(
java.security.acl.acl
response.sendRedirect[[:space:]]*\(.*(Request|request).*\)
print[Ss]tack[Tt]race
out\.print(ln)?.*[Rr]equest\.
# Database rules
jdbc:.*;
createStatement[[:space:]]*\(.*\)
executeQuery[[:space:]]*\(.*\)
# Network
Socket[[:space:]]*\(
<jsp:include page=\".*\$\{.*\}
<spring:eval expression=\".*\$\{.*\}
Algorithm\.HMAC256[[:space:]]*\([[:space:]]*"[^"]*"
Algorithm\.none[[:space:]]*\([[:space:]]*\)
A[Ll][Ll][Oo][Ww]_?A[Ll][Ll]_?H[Oo][Ss][Tt][Nn][Aa][Mm][Ee]_?V[Ee][Rr][Ii][Ff][Ii][Ee][Rr]
SSLSocketFactory
is[Tt]rusted
trustmanager
checkClientTrusted[[:space:]]*\(
checkServerTrusted[[:space:]]*\(
getAcceptedIssuers[[:space:]]*\(
public[[:space:]]+boolean[[:space:]]+verify
# Expression Language detection
<spr(ing)?:(message|theme|transform|eval|hasBindErrors|bind|nestedpath)[^\>]+\$\{param
# Java xss signatures
<%=.*[Rr]equest\.
response.sendRedirect[[:space:]]*\(.*[Rr]equest.*\)
<c:out.*\$\{param
SAXParserFactory
DOM4J
DocumentBuilderFactory
XMLInputFactory
TransformerFactory
javax.xml.validation.Validator
SchemaFactory
SAXTransformerFactory
XMLReader
SAXBuilder
SAXReader
javax.xml.bind.Unmarshaller
XPathExpression
DOMSource
StAXSource
\.getDocument[[:space:]]*\(