SAST scan status

Report from the scan performed on 2020-03-15 at 21:48:07 for https://github.com/AppThreat/WebGoat

Repository Details
Repository: https://github.com/AppThreat/WebGoat
Branch: develop
Commit: 2edd84b77e39ae9e20dba319f64c6c9c42f4045e

Invocation Details
Tool: Security audit by Find Security Bugs
Run Id: 85bd11a5-4d71-4bc3-ac78-b47d03762fd2
Directory: file:///Users/prabhu/work/WebGoat
Executive Summary

This report was generated by AppThreat from the SAST scan invocation on 2020-03-15 at 21:48:07. The scan used the open source tool Security audit by Find Security Bugs to scan the source code repository https://github.com/AppThreat/WebGoat.

Below is a summary of the issues identified:

Severity    Count
CRITICAL    44
HIGH        40
MEDIUM      0
LOW         0
TOTAL       84

AppThreat recommends immediate remediation of the key issues identified before using this application in a live environment.

Key Issues 4 / 44

CWE-78

VulnerableTaskHolder.java

This usage of java/lang/Runtime.exec(Ljava/lang/String;)Ljava/lang/Process; can be vulnerable to Command Injection
File VulnerableTaskHolder.java [lines 19-68]
Class org.dummy.insecure.framework.VulnerableTaskHolder
Method org.dummy.insecure.framework.VulnerableTaskHolder.readObject(ObjectInputStream)
File VulnerableTaskHolder.java [line 56]
Sink method java/lang/Runtime.exec(Ljava/lang/String;)Ljava/lang/Process;
Sink parameter 0
Unknown source org/dummy/insecure/framework/VulnerableTaskHolder.taskAction
File VulnerableTaskHolder.java [line 56]

    try {
    Process p = Runtime.getRuntime().exec(taskAction);

CWE-79

AjaxAuthenticationEntryPoint.java

This use of javax/servlet/http/HttpServletResponse.sendError(ILjava/lang/String;)V could be vulnerable to XSS in the Servlet
File AjaxAuthenticationEntryPoint.java [lines 48-57]
Class org.owasp.webgoat.AjaxAuthenticationEntryPoint
Method org.owasp.webgoat.AjaxAuthenticationEntryPoint.commence(HttpServletRequest, HttpServletResponse, AuthenticationException)
File AjaxAuthenticationEntryPoint.java [line 53]
Sink method javax/servlet/http/HttpServletResponse.sendError(ILjava/lang/String;)V
Sink parameter 0
Unknown source org/springframework/security/core/AuthenticationException.getMessage()Ljava/lang/String;

    if (request.getHeader("x-requested-with") != null) {
    response.sendError(401, authException.getMessage());

CWE-259

CryptoTest.java

Hard coded password found
File CryptoTest.java [lines 22-132]
Class org.owasp.webgoat.CryptoTest
Method org.owasp.webgoat.CryptoTest.checkAssignment3()
File CryptoTest.java [line 72]
Sink method java/util/Map.put(Ljava/lang/Object;Ljava/lang/Object;)Ljava/lang/Object;
Sink parameter 0

    params.clear();
    params.put("answer_pwd1", answer_1);

CWE-352

HammerHead.java

Unrestricted Spring's RequestMapping makes the method vulnerable to CSRF attacks
File HammerHead.java [lines 52-59]
Class org.owasp.webgoat.HammerHead
Method org.owasp.webgoat.HammerHead.attack(Authentication, HttpServletRequest, HttpServletResponse)
File HammerHead.java [line 59]

    public ModelAndView attack(Authentication authentication, HttpServletRequest request, HttpServletResponse response) {
    return new ModelAndView("redirect:" + "start.mvc" + course.getFirstLesson().getLink());

All Issues (84)

Each entry below starts with a row of the form: Rule, Severity, Source location, Message; the location details and the flagged code snippet follow.

CWE-352 CRITICAL HammerHead.java Unrestricted Spring's RequestMapping makes the method vulnerable to CSRF attacks
File HammerHead.java [lines 52-59]
Class org.owasp.webgoat.HammerHead
Method org.owasp.webgoat.HammerHead.attack(Authentication, HttpServletRequest, HttpServletResponse)
File HammerHead.java [line 59]
    public ModelAndView attack(Authentication authentication, HttpServletRequest request, HttpServletResponse response) {
    return new ModelAndView("redirect:" + "start.mvc" + course.getFirstLesson().getLink());

CWE-352 CRITICAL WebSecurityConfig.java Disabling Spring Security's CSRF protection is unsafe for standard web applications
File WebSecurityConfig.java [lines 55-98]
Class org.owasp.webgoat.WebSecurityConfig
Method org.owasp.webgoat.WebSecurityConfig.configure(HttpSecurity)
File WebSecurityConfig.java [line 72]
    .logout().deleteCookies("JSESSIONID").invalidateHttpSession(true);
    security.and().csrf().disable();

CWE-89 CRITICAL Assignment5.java This use of java/sql/Connection.prepareStatement(Ljava/lang/String;)Ljava/sql/PreparedStatement; can be vulnerable to SQL injection (with JDBC)
File Assignment5.java [lines 45-67]
Class org.owasp.webgoat.challenges.challenge5.Assignment5
Method org.owasp.webgoat.challenges.challenge5.Assignment5.login(String, String)
File Assignment5.java [line 59]
Sink method java/sql/Connection.prepareStatement(Ljava/lang/String;)Ljava/sql/PreparedStatement;
Sink parameter 0
Tainted source org/owasp/webgoat/challenges/challenge5/Assignment5.login(Ljava/lang/String;Ljava/lang/String;)Lorg/owasp/webgoat/assignments/AttackResult; parameter 0
Tainted source org/owasp/webgoat/challenges/challenge5/Assignment5.login(Ljava/lang/String;Ljava/lang/String;)Lorg/owasp/webgoat/assignments/AttackResult; parameter 1
File Assignment5.java [line 59]
    try (var connection = dataSource.getConnection()) {
    PreparedStatement statement = connection.prepareStatement("select password from challenge_users where userid = '" + username_login + "' and password = '" + password_login + "'");

CWE-89 CRITICAL Assignment5.java A prepared statement is generated from a nonconstant String in org.owasp.webgoat.challenges.challenge5.Assignment5.login(String, String)
File Assignment5.java [lines 45-67]
Class org.owasp.webgoat.challenges.challenge5.Assignment5
Method org.owasp.webgoat.challenges.challenge5.Assignment5.login(String, String)
File Assignment5.java [line 59]
    try (var connection = dataSource.getConnection()) {
    PreparedStatement statement = connection.prepareStatement("select password from challenge_users where userid = '" + username_login + "' and password = '" + password_login + "'");

CWE-22 CRITICAL MD5.java This API (java/io/File.<init>(Ljava/lang/String;)V) reads a file whose location might be specified by user input
File MD5.java [lines 38-688]
Class org.owasp.webgoat.challenges.challenge7.MD5
Method org.owasp.webgoat.challenges.challenge7.MD5.main(String[])
File MD5.java [line 55]
Sink method java/io/File.<init>(Ljava/lang/String;)V
Sink parameter 0
Tainted source org/owasp/webgoat/challenges/challenge7/MD5.main([Ljava/lang/String;)V parameter 0
    try {
    System.out.println(MD5.getHashString(new File(element)) + " " + element);
CWE-352 CRITICAL StartLesson.java Unrestricted Spring's RequestMapping makes the method vulnerable to CSRF attacks
File StartLesson.java [lines 55-90]
Class org.owasp.webgoat.controller.StartLesson
Method org.owasp.webgoat.controller.StartLesson.lessonPage(HttpServletRequest)
File StartLesson.java [lines 78-90]
    // I will set here the thymeleaf fragment location based on the resource requested.
    ModelAndView model = new ModelAndView();

CWE-352 CRITICAL StartLesson.java Unrestricted Spring's RequestMapping makes the method vulnerable to CSRF attacks
File StartLesson.java [lines 55-90]
Class org.owasp.webgoat.controller.StartLesson
Method org.owasp.webgoat.controller.StartLesson.start()
File StartLesson.java [lines 67-72]
    public ModelAndView start() {
    ModelAndView model = new ModelAndView();

CWE-352 CRITICAL HashingAssignment.java Unrestricted Spring's RequestMapping makes the method vulnerable to CSRF attacks
File HashingAssignment.java [lines 44-108]
Class org.owasp.webgoat.crypto.HashingAssignment
Method org.owasp.webgoat.crypto.HashingAssignment.getMd5(HttpServletRequest)
File HashingAssignment.java [lines 52-65]
    String md5Hash = (String) request.getSession().getAttribute("md5Hash");

CWE-352 CRITICAL HashingAssignment.java Unrestricted Spring's RequestMapping makes the method vulnerable to CSRF attacks
File HashingAssignment.java [lines 44-108]
Class org.owasp.webgoat.crypto.HashingAssignment
Method org.owasp.webgoat.crypto.HashingAssignment.getSha256(HttpServletRequest)
File HashingAssignment.java [lines 72-79]
    String sha256 = (String) request.getSession().getAttribute("sha256");

CWE-328 CRITICAL HashingAssignment.java This API MD5 (MDX) is not a recommended cryptographic hash function
File HashingAssignment.java [lines 44-108]
Class org.owasp.webgoat.crypto.HashingAssignment
Method org.owasp.webgoat.crypto.HashingAssignment.getMd5(HttpServletRequest)
File HashingAssignment.java [line 57]
Value MD5
    MessageDigest md = MessageDigest.getInstance("MD5");

CWE-352 CRITICAL SigningAssignment.java Unrestricted Spring's RequestMapping makes the method vulnerable to CSRF attacks
File SigningAssignment.java [lines 48-75]
Class org.owasp.webgoat.crypto.SigningAssignment
Method org.owasp.webgoat.crypto.SigningAssignment.getPrivateKey(HttpServletRequest)
File SigningAssignment.java [lines 54-61]
    String privateKey = (String) request.getSession().getAttribute("privateKeyString");
CWE-502 CRITICAL InsecureDeserializationTask.java Object deserialization is used in org.owasp.webgoat.deserialization.InsecureDeserializationTask.completed(String)
File InsecureDeserializationTask.java [lines 42-79]
Class org.owasp.webgoat.deserialization.InsecureDeserializationTask
Method org.owasp.webgoat.deserialization.InsecureDeserializationTask.completed(String)
File InsecureDeserializationTask.java [line 56]
    before = System.currentTimeMillis();
    Object o = ois.readObject();

CWE-502 CRITICAL SerializationHelper.java Object deserialization is used in org.owasp.webgoat.deserialization.SerializationHelper.fromString(String)
File SerializationHelper.java [lines 12-51]
Class org.owasp.webgoat.deserialization.SerializationHelper
Method org.owasp.webgoat.deserialization.SerializationHelper.fromString(String)
File SerializationHelper.java [line 21]
    new ByteArrayInputStream(data));
    Object o = ois.readObject();

CWE-352 CRITICAL HttpBasicsInterceptRequest.java Unrestricted Spring's RequestMapping makes the method vulnerable to CSRF attacks
File HttpBasicsInterceptRequest.java [lines 33-45]
Class org.owasp.webgoat.http_proxies.HttpBasicsInterceptRequest
Method org.owasp.webgoat.http_proxies.HttpBasicsInterceptRequest.completed(Boolean, String, HttpServletRequest)
File HttpBasicsInterceptRequest.java [lines 39-45]
    @RequestParam(value = "changeMe", required = false) String paramValue, HttpServletRequest request) {
    if (HttpMethod.POST.matches(request.getMethod())) {

CWE-352 CRITICAL JWTSecretKeyEndpoint.java Unrestricted Spring's RequestMapping makes the method vulnerable to CSRF attacks
File JWTSecretKeyEndpoint.java [lines 48-89]
Class org.owasp.webgoat.jwt.JWTSecretKeyEndpoint
Method org.owasp.webgoat.jwt.JWTSecretKeyEndpoint.getSecretToken()
File JWTSecretKeyEndpoint.java [line 58]
    public String getSecretToken() {
    return Jwts.builder()

CWE-352 CRITICAL LabelDebugService.java Unrestricted Spring's RequestMapping makes the method vulnerable to CSRF attacks
File LabelDebugService.java [lines 55-99]
Class org.owasp.webgoat.service.LabelDebugService
Method org.owasp.webgoat.service.LabelDebugService.checkDebuggingStatus()
File LabelDebugService.java [line 71]
    ResponseEntity> checkDebuggingStatus() {
    log.debug("Checking label debugging, it is {}", labelDebugger.isEnabled());

CWE-352 CRITICAL LabelDebugService.java Unrestricted Spring's RequestMapping makes the method vulnerable to CSRF attacks
File LabelDebugService.java [lines 55-99]
Class org.owasp.webgoat.service.LabelDebugService
Method org.owasp.webgoat.service.LabelDebugService.setDebuggingStatus(Boolean)
File LabelDebugService.java [line 85]
    ResponseEntity> setDebuggingStatus(@RequestParam("enabled") Boolean enabled) throws Exception {
    log.debug("Setting label debugging to {} ", labelDebugger.isEnabled());

CWE-352 CRITICAL LessonInfoService.java Unrestricted Spring's RequestMapping makes the method vulnerable to CSRF attacks
File LessonInfoService.java [lines 22-33]
Class org.owasp.webgoat.service.LessonInfoService
Method org.owasp.webgoat.service.LessonInfoService.getLessonInfo()
File LessonInfoService.java [line 33]
    Lesson lesson = webSession.getCurrentLesson();
    return new LessonInfoModel(lesson.getTitle(), false, false, false);
CWE-352 CRITICAL LessonMenuService.java Unrestricted Spring's RequestMapping makes the method vulnerable to CSRF attacks
File LessonMenuService.java [lines 64-109]
Class org.owasp.webgoat.service.LessonMenuService
Method org.owasp.webgoat.service.LessonMenuService.showLeftNav()
File LessonMenuService.java [line 83]
    LessonMenuItem categoryItem = new LessonMenuItem();
    categoryItem.setName(category.getName());

CWE-352 CRITICAL LessonProgressService.java Unrestricted Spring's RequestMapping makes the method vulnerable to CSRF attacks
File LessonProgressService.java [lines 29-81]
Class org.owasp.webgoat.service.LessonProgressService
Method org.owasp.webgoat.service.LessonProgressService.lessonOverview()
File LessonProgressService.java [lines 43-50]
    public List lessonOverview() {
    UserTracker userTracker = userTrackerRepository.findByUser(webSession.getUserName());

CWE-352 CRITICAL LessonTitleService.java Unrestricted Spring's RequestMapping makes the method vulnerable to CSRF attacks
File LessonTitleService.java [lines 21-35]
Class org.owasp.webgoat.service.LessonTitleService
Method org.owasp.webgoat.service.LessonTitleService.showPlan()
File LessonTitleService.java [lines 34-35]
    String showPlan() {
    Lesson lesson = webSession.getCurrentLesson();

CWE-352 CRITICAL RestartLessonService.java Unrestricted Spring's RequestMapping makes the method vulnerable to CSRF attacks
File RestartLessonService.java [lines 44-52]
Class org.owasp.webgoat.service.RestartLessonService
Method org.owasp.webgoat.service.RestartLessonService.restartLesson()
File RestartLessonService.java [line 52]
    Lesson al = webSession.getCurrentLesson();
    log.debug("Restarting lesson: " + al);

CWE-352 CRITICAL SessionService.java Unrestricted Spring's RequestMapping makes the method vulnerable to CSRF attacks
File SessionService.java [lines 28-60]
Class org.owasp.webgoat.service.SessionService
Method org.owasp.webgoat.service.SessionService.showSession(HttpServletRequest, HttpSession)
File SessionService.java [lines 40-60]
    String showSession(HttpServletRequest request, HttpSession session) {
    StringBuilder sb = new StringBuilder();

CWE-89 CRITICAL SqlInjectionChallenge.java This use of java/sql/Statement.executeQuery(Ljava/lang/String;)Ljava/sql/ResultSet; can be vulnerable to SQL injection (with JDBC)
File SqlInjectionChallenge.java [lines 49-95]
Class org.owasp.webgoat.sql_injection.advanced.SqlInjectionChallenge
Method org.owasp.webgoat.sql_injection.advanced.SqlInjectionChallenge.registerNewUser(String, String, String)
File SqlInjectionChallenge.java [line 65]
Sink method java/sql/Statement.executeQuery(Ljava/lang/String;)Ljava/sql/ResultSet;
Sink parameter 0
Tainted source org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.registerNewUser(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;)Lorg/owasp/webgoat/assignments/AttackResult; parameter 2
File SqlInjectionChallenge.java [line 63]
    Statement statement = connection.createStatement();
    ResultSet resultSet = statement.executeQuery(checkUserQuery);

CWE-89 CRITICAL SqlInjectionChallenge.java org.owasp.webgoat.sql_injection.advanced.SqlInjectionChallenge.registerNewUser(String, String, String) passes a nonconstant String to an execute or addBatch method on an SQL statement
File SqlInjectionChallenge.java [lines 49-95]
Class org.owasp.webgoat.sql_injection.advanced.SqlInjectionChallenge
Method org.owasp.webgoat.sql_injection.advanced.SqlInjectionChallenge.registerNewUser(String, String, String)
File SqlInjectionChallenge.java [line 65]
    Statement statement = connection.createStatement();
    ResultSet resultSet = statement.executeQuery(checkUserQuery);
CWE-89 CRITICAL SqlInjectionLesson6a.java This use of java/sql/Statement.executeQuery(Ljava/lang/String;)Ljava/sql/ResultSet; can be vulnerable to SQL injection (with JDBC)
File SqlInjectionLesson6a.java [lines 45-96]
Class org.owasp.webgoat.sql_injection.advanced.SqlInjectionLesson6a
Method org.owasp.webgoat.sql_injection.advanced.SqlInjectionLesson6a.injectableQuery(String)
File SqlInjectionLesson6a.java [line 67]
Sink method java/sql/Statement.executeQuery(Ljava/lang/String;)Ljava/sql/ResultSet;
Sink parameter 0
Unknown source org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.injectableQuery(Ljava/lang/String;)Lorg/owasp/webgoat/assignments/AttackResult; parameter 0
Method usage with tainted arguments detected
File SqlInjectionLesson6a.java [line 52]
File SqlInjectionLesson6a.java [line 60]
    ResultSet.CONCUR_READ_ONLY)) {
    ResultSet results = statement.executeQuery(query);

CWE-89 CRITICAL SqlInjectionLesson6a.java org.owasp.webgoat.sql_injection.advanced.SqlInjectionLesson6a.injectableQuery(String) passes a nonconstant String to an execute or addBatch method on an SQL statement
File SqlInjectionLesson6a.java [lines 45-96]
Class org.owasp.webgoat.sql_injection.advanced.SqlInjectionLesson6a
Method org.owasp.webgoat.sql_injection.advanced.SqlInjectionLesson6a.injectableQuery(String)
File SqlInjectionLesson6a.java [line 67]
    ResultSet.CONCUR_READ_ONLY)) {
    ResultSet results = statement.executeQuery(query);

CWE-89 CRITICAL SqlInjectionLesson10.java This use of java/sql/Statement.executeQuery(Ljava/lang/String;)Ljava/sql/ResultSet; can be vulnerable to SQL injection (with JDBC)
File SqlInjectionLesson10.java [lines 46-101]
Class org.owasp.webgoat.sql_injection.introduction.SqlInjectionLesson10
Method org.owasp.webgoat.sql_injection.introduction.SqlInjectionLesson10.injectableQueryAvailability(String)
File SqlInjectionLesson10.java [line 63]
Sink method java/sql/Statement.executeQuery(Ljava/lang/String;)Ljava/sql/ResultSet;
Sink parameter 0
Unknown source org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10.injectableQueryAvailability(Ljava/lang/String;)Lorg/owasp/webgoat/assignments/AttackResult; parameter 0
Method usage with tainted arguments detected
File SqlInjectionLesson10.java [line 53]
File SqlInjectionLesson10.java [line 58]
    Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
    ResultSet results = statement.executeQuery(query);

CWE-89 CRITICAL SqlInjectionLesson2.java This use of java/sql/Statement.executeQuery(Ljava/lang/String;)Ljava/sql/ResultSet; can be vulnerable to SQL injection (with JDBC)
File SqlInjectionLesson2.java [lines 49-75]
Class org.owasp.webgoat.sql_injection.introduction.SqlInjectionLesson2
Method org.owasp.webgoat.sql_injection.introduction.SqlInjectionLesson2.injectableQuery(String)
File SqlInjectionLesson2.java [line 62]
Sink method java/sql/Statement.executeQuery(Ljava/lang/String;)Ljava/sql/ResultSet;
Sink parameter 0
Unknown source org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson2.injectableQuery(Ljava/lang/String;)Lorg/owasp/webgoat/assignments/AttackResult; parameter 0
Method usage with tainted arguments detected
File SqlInjectionLesson2.java [line 56]
    Statement statement = connection.createStatement(TYPE_SCROLL_INSENSITIVE, CONCUR_READ_ONLY);
    ResultSet results = statement.executeQuery(query);

CWE-89 CRITICAL SqlInjectionLesson3.java This use of java/sql/Statement.executeUpdate(Ljava/lang/String;)I can be vulnerable to SQL injection (with JDBC)
File SqlInjectionLesson3.java [lines 50-82]
Class org.owasp.webgoat.sql_injection.introduction.SqlInjectionLesson3
Method org.owasp.webgoat.sql_injection.introduction.SqlInjectionLesson3.injectableQuery(String)
File SqlInjectionLesson3.java [line 65]
Sink method java/sql/Statement.executeUpdate(Ljava/lang/String;)I
Sink parameter 0
Unknown source org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson3.injectableQuery(Ljava/lang/String;)Lorg/owasp/webgoat/assignments/AttackResult; parameter 0
Method usage with tainted arguments detected
File SqlInjectionLesson3.java [line 57]
    CONCUR_READ_ONLY);
    statement.executeUpdate(query);

CWE-89 CRITICAL SqlInjectionLesson4.java This use of java/sql/Statement.executeUpdate(Ljava/lang/String;)I can be vulnerable to SQL injection (with JDBC)
File SqlInjectionLesson4.java [lines 46-74]
Class org.owasp.webgoat.sql_injection.introduction.SqlInjectionLesson4
Method org.owasp.webgoat.sql_injection.introduction.SqlInjectionLesson4.injectableQuery(String)
File SqlInjectionLesson4.java [line 59]
Sink method java/sql/Statement.executeUpdate(Ljava/lang/String;)I
Sink parameter 0
Unknown source org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson4.injectableQuery(Ljava/lang/String;)Lorg/owasp/webgoat/assignments/AttackResult; parameter 0
Method usage with tainted arguments detected
File SqlInjectionLesson4.java [line 53]
    try (Statement statement = connection.createStatement(TYPE_SCROLL_INSENSITIVE, CONCUR_READ_ONLY)) {
    statement.executeUpdate(query);
CWE-89 CRITICAL SqlInjectionLesson5a.java This use of java/sql/Statement.executeQuery(Ljava/lang/String;)Ljava/sql/ResultSet; can be vulnerable to SQL injection (with JDBC)
File SqlInjectionLesson5a.java [lines 47-118]
Class org.owasp.webgoat.sql_injection.introduction.SqlInjectionLesson5a
Method org.owasp.webgoat.sql_injection.introduction.SqlInjectionLesson5a.injectableQuery(String)
File SqlInjectionLesson5a.java [line 62]
Sink method java/sql/Statement.executeQuery(Ljava/lang/String;)Ljava/sql/ResultSet;
Sink parameter 0
Unknown source org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.injectableQuery(Ljava/lang/String;)Lorg/owasp/webgoat/assignments/AttackResult; parameter 0
Method usage with tainted arguments detected
File SqlInjectionLesson5a.java [line 54]
File SqlInjectionLesson5a.java [line 60]
    try (Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_UPDATABLE)) {
    ResultSet results = statement.executeQuery(query);

CWE-89 CRITICAL SqlInjectionLesson5a.java org.owasp.webgoat.sql_injection.introduction.SqlInjectionLesson5a.injectableQuery(String) passes a nonconstant String to an execute or addBatch method on an SQL statement
File SqlInjectionLesson5a.java [lines 47-118]
Class org.owasp.webgoat.sql_injection.introduction.SqlInjectionLesson5a
Method org.owasp.webgoat.sql_injection.introduction.SqlInjectionLesson5a.injectableQuery(String)
File SqlInjectionLesson5a.java [line 62]
    try (Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_UPDATABLE)) {
    ResultSet results = statement.executeQuery(query);

CWE-89 CRITICAL SqlInjectionLesson5b.java This use of java/sql/Connection.prepareStatement(Ljava/lang/String;II)Ljava/sql/PreparedStatement; can be vulnerable to SQL injection (with JDBC)
File SqlInjectionLesson5b.java [lines 45-95]
Class org.owasp.webgoat.sql_injection.introduction.SqlInjectionLesson5b
Method org.owasp.webgoat.sql_injection.introduction.SqlInjectionLesson5b.injectableQuery(String, String)
File SqlInjectionLesson5b.java [line 58]
Sink method java/sql/Connection.prepareStatement(Ljava/lang/String;II)Ljava/sql/PreparedStatement;
Sink parameter 2
Unknown source org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.injectableQuery(Ljava/lang/String;Ljava/lang/String;)Lorg/owasp/webgoat/assignments/AttackResult; parameter 0
Method usage with tainted arguments detected
File SqlInjectionLesson5b.java [line 52]
File SqlInjectionLesson5b.java [line 56]
    try (Connection connection = dataSource.getConnection()) {
    PreparedStatement query = connection.prepareStatement(queryString, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);

CWE-89 CRITICAL SqlInjectionLesson8.java This use of java/sql/Statement.executeUpdate(Ljava/lang/String;)I can be vulnerable to SQL injection (with JDBC)
File SqlInjectionLesson8.java [lines 47-141]
Class org.owasp.webgoat.sql_injection.introduction.SqlInjectionLesson8
Method org.owasp.webgoat.sql_injection.introduction.SqlInjectionLesson8.log(Connection, String)
File SqlInjectionLesson8.java [line 137]
Sink method java/sql/Statement.executeUpdate(Ljava/lang/String;)I
Sink parameter 0
Unknown source org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.log(Ljava/sql/Connection;Ljava/lang/String;)V parameter 0
Unknown source java/text/SimpleDateFormat.format(Ljava/util/Date;)Ljava/lang/String;
Method usage with tainted arguments detected
File SqlInjectionLesson8.java [line 54]
File SqlInjectionLesson8.java [line 59]
File SqlInjectionLesson8.java [line 64]
File SqlInjectionLesson8.java [line 128]
File SqlInjectionLesson8.java [line 133]
File SqlInjectionLesson9.java [line 56]
File SqlInjectionLesson9.java [line 61]
File SqlInjectionLesson9.java [line 65]
    Statement statement = connection.createStatement(TYPE_SCROLL_SENSITIVE, CONCUR_UPDATABLE);
    statement.executeUpdate(logQuery);

CWE-89 CRITICAL SqlInjectionLesson8.java org.owasp.webgoat.sql_injection.introduction.SqlInjectionLesson8.injectableQueryConfidentiality(String, String) passes a nonconstant String to an execute or addBatch method on an SQL statement
File SqlInjectionLesson8.java [lines 47-141]
Class org.owasp.webgoat.sql_injection.introduction.SqlInjectionLesson8
Method org.owasp.webgoat.sql_injection.introduction.SqlInjectionLesson8.injectableQueryConfidentiality(String, String)
File SqlInjectionLesson8.java [line 65]
    log(connection, query);
    ResultSet results = statement.executeQuery(query);

CWE-89 CRITICAL SqlInjectionLesson8.java org.owasp.webgoat.sql_injection.introduction.SqlInjectionLesson8.log(Connection, String) passes a nonconstant String to an execute or addBatch method on an SQL statement
File SqlInjectionLesson8.java [lines 47-141]
Class org.owasp.webgoat.sql_injection.introduction.SqlInjectionLesson8
Method org.owasp.webgoat.sql_injection.introduction.SqlInjectionLesson8.log(Connection, String)
File SqlInjectionLesson8.java [line 137]
    Statement statement = connection.createStatement(TYPE_SCROLL_SENSITIVE, CONCUR_UPDATABLE);
    statement.executeUpdate(logQuery);

CWE-89 CRITICAL SqlInjectionLesson9.java org.owasp.webgoat.sql_injection.introduction.SqlInjectionLesson9.injectableQueryIntegrity(String, String) passes a nonconstant String to an execute or addBatch method on an SQL statement
File SqlInjectionLesson9.java [lines 49-106]
Class org.owasp.webgoat.sql_injection.introduction.SqlInjectionLesson9
Method org.owasp.webgoat.sql_injection.introduction.SqlInjectionLesson9.injectableQueryIntegrity(String, String)
File SqlInjectionLesson9.java [line 66]
    SqlInjectionLesson8.log(connection, query);
    ResultSet results = statement.executeQuery(query);
CWE-918 CRITICAL SSRFTask2.java This web server request could be used by an attacker to expose internal services and filesystem.
File SSRFTask2.java [lines 41-79]
Class org.owasp.webgoat.ssrf.SSRFTask2
Method org.owasp.webgoat.ssrf.SSRFTask2.furBall(String)
File SSRFTask2.java [line 55]
Sink method java/net/URL.openConnection()Ljava/net/URLConnection;
Sink parameter 0
Unknown source org/owasp/webgoat/ssrf/SSRFTask2.furBall(Ljava/lang/String;)Lorg/owasp/webgoat/assignments/AttackResult; parameter 0
Unknown source java/net/URL.<init>(Ljava/lang/String;)V
Method usage with tainted arguments detected
File SSRFTask2.java [line 46]
File SSRFTask2.java [line 54]
    URL u = new URL(url);
    URLConnection urlConnection = u.openConnection();

CWE-352 CRITICAL SimpleXXE.java Unrestricted Spring's RequestMapping makes the method vulnerable to CSRF attacks
File SimpleXXE.java [lines 49-98]
Class org.owasp.webgoat.xxe.SimpleXXE
Method org.owasp.webgoat.xxe.SimpleXXE.getSampleDTDFile()
File SimpleXXE.java [line 98]
    public String getSampleDTDFile() {
    return "\n"

CWE-352 CRITICAL SimpleXXE.java Unrestricted Spring's RequestMapping makes the method vulnerable to CSRF attacks
File SimpleXXE.java [lines 49-98]
Class org.owasp.webgoat.xxe.SimpleXXE
Method org.owasp.webgoat.xxe.SimpleXXE.getWebGoatHomeDirectory()
File SimpleXXE.java [line 92]
    public String getWebGoatHomeDirectory() {
    return webGoatHomeDirectory;

CWE-352 CRITICAL FileServer.java Unrestricted Spring's RequestMapping makes the method vulnerable to CSRF attacks
File FileServer.java [lines 53-113]
Class org.owasp.webwolf.FileServer
Method org.owasp.webwolf.FileServer.getFileLocation()
File FileServer.java [line 65]
    public String getFileLocation() {
    return fileLocation;

CWE-352 CRITICAL WebSecurityConfig.java Disabling Spring Security's CSRF protection is unsafe for standard web applications
File WebSecurityConfig.java [lines 47-87]
Class org.owasp.webwolf.WebSecurityConfig
Method org.owasp.webwolf.WebSecurityConfig.configure(HttpSecurity)
File WebSecurityConfig.java [line 56]
    .anyRequest().permitAll();
    security.and().csrf().disable().formLogin()

CWE-352 CRITICAL LandingPage.java Unrestricted Spring's RequestMapping makes the method vulnerable to CSRF attacks
File LandingPage.java [line 42]
Class org.owasp.webwolf.requests.LandingPage
Method org.owasp.webwolf.requests.LandingPage.ok(HttpServletRequest)
File LandingPage.java [line 42]
    return () -> {
    log.trace("Incoming request for: {}", request.getRequestURL());
CWE-78 HIGH VulnerableTaskHolder.java This usage of java/lang/Runtime.exec(Ljava/lang/String;)Ljava/lang/Process; can be vulnerable to Command Injection
FileVulnerableTaskHolder.java:[lines 19-68]
Class org.dummy.insecure.framework.VulnerableTaskHolder
Method org.dummy.insecure.framework.VulnerableTaskHolder.readObject(ObjectInputStream)
FileVulnerableTaskHolder.java:[line56]
Sink method java/lang/Runtime.exec(Ljava/lang/String;)Ljava/lang/Process;
Sink parameter 0
Unknown source org/dummy/insecure/framework/VulnerableTaskHolder.taskAction
FileVulnerableTaskHolder.java:[line56].
try {
Process p = Runtime.getRuntime().exec(taskAction);
CWE-79 HIGH AjaxAuthenticationEntryPoint.java This use of javax/servlet/http/HttpServletResponse.sendError(ILjava/lang/String;)V could be vulnerable to XSS in the Servlet
FileAjaxAuthenticationEntryPoint.java:[lines 48-57]
Class org.owasp.webgoat.AjaxAuthenticationEntryPoint
Method org.owasp.webgoat.AjaxAuthenticationEntryPoint.commence(HttpServletRequest, HttpServletResponse, AuthenticationException)
FileAjaxAuthenticationEntryPoint.java:[line53]
Sink method javax/servlet/http/HttpServletResponse.sendError(ILjava/lang/String;)V
Sink parameter 0
Unknown source org/springframework/security/core/AuthenticationException.getMessage()Ljava/lang/String;.
if (request.getHeader("x-requested-with") != null) {
response.sendError(401, authException.getMessage());
CWE-259 HIGH CryptoTest.java Hard coded password found
FileCryptoTest.java:[lines 22-132]
Class org.owasp.webgoat.CryptoTest
Method org.owasp.webgoat.CryptoTest.checkAssignment3()
FileCryptoTest.java:[line72]
Sink method java/util/Map.put(Ljava/lang/Object;Ljava/lang/Object;)Ljava/lang/Object;
Sink parameter 0.
params.clear();
params.put("answer_pwd1", answer_1);
CWE-319 HIGH IntegrationTest.java Unencrypted socket to org.owasp.webgoat.IntegrationTest (instead of SSLSocket)
FileIntegrationTest.java:[lines 21-297]
Class org.owasp.webgoat.IntegrationTest
Method org.owasp.webgoat.IntegrationTest.isAlreadyRunning(int)
FileIntegrationTest.java:[line71]
Value 127.0.0.1.
private static boolean isAlreadyRunning(int port) {
try (var ignored = new Socket("127.0.0.1", port)) {
CWE-259 HIGH SqlInjectionAdvancedTest.java Hard coded password found
FileSqlInjectionAdvancedTest.java:[lines 8-48]
Class org.owasp.webgoat.SqlInjectionAdvancedTest
Method org.owasp.webgoat.SqlInjectionAdvancedTest.runTests()
FileSqlInjectionAdvancedTest.java:[line17]
Sink method java/util/Map.put(Ljava/lang/Object;Ljava/lang/Object;)Ljava/lang/Object;
Sink parameter 0.
params.put("username_reg", "tom' AND substring(password,1,1)='t");
params.put("password_reg", "password");
CWE-259 HIGH SqlInjectionAdvancedTest.java Hard coded password found
FileSqlInjectionAdvancedTest.java:[lines 8-48]
Class org.owasp.webgoat.SqlInjectionAdvancedTest
Method org.owasp.webgoat.SqlInjectionAdvancedTest.runTests()
FileSqlInjectionAdvancedTest.java:[line19]
Sink method java/util/Map.put(Ljava/lang/Object;Ljava/lang/Object;)Ljava/lang/Object;
Sink parameter 0.
params.put("email_reg", "someone@microsoft.com");
params.put("confirm_password", "password");
CWE-259 HIGH SqlInjectionAdvancedTest.java Hard coded password found
File SqlInjectionAdvancedTest.java:[lines 8-48]
Class org.owasp.webgoat.SqlInjectionAdvancedTest
Method org.owasp.webgoat.SqlInjectionAdvancedTest.runTests()
File SqlInjectionAdvancedTest.java:[line 24]
Sink method java/util/Map.put(Ljava/lang/Object;Ljava/lang/Object;)Ljava/lang/Object;
Sink parameter 0
params.put("username_login", "tom");
params.put("password_login", "thisisasecretfortomonly");

CWE-22 HIGH WebGoat.java This API (java/io/File.(Ljava/lang/String;)V) reads a file whose location might be specified by user input
File WebGoat.java:[lines 46-67]
Class org.owasp.webgoat.WebGoat
Method org.owasp.webgoat.WebGoat.pluginTargetDirectory(String)
File WebGoat.java:[line 50]
Sink method java/io/File.(Ljava/lang/String;)V
Sink parameter 0
Unknown source org/owasp/webgoat/WebGoat.pluginTargetDirectory(Ljava/lang/String;)Ljava/io/File; parameter 0
Method usage not detected
public File pluginTargetDirectory(@Value("${webgoat.user.directory}") final String webgoatHome) {
return new File(webgoatHome);

CWE-330 HIGH PasswordResetLink.java This random generator (java.util.Random) is predictable
File PasswordResetLink.java:[lines 11-42]
Class org.owasp.webgoat.challenges.challenge7.PasswordResetLink
Method org.owasp.webgoat.challenges.challenge7.PasswordResetLink.createPasswordReset(String, String)
File PasswordResetLink.java:[line 14]
Value java.util.Random
public String createPasswordReset(String username, String key) {
Random random = new Random();

CWE-22 HIGH Salaries.java This API (java/io/File.(Ljava/lang/String;Ljava/lang/String;)V) reads a file whose location might be specified by user input
File Salaries.java:[lines 51-105]
Class org.owasp.webgoat.client_side_filtering.Salaries
Method org.owasp.webgoat.client_side_filtering.Salaries.copyFiles()
File Salaries.java:[line 59]
Sink method java/io/File.(Ljava/lang/String;Ljava/lang/String;)V
Sink parameter 1
Unknown source org/owasp/webgoat/client_side_filtering/Salaries.webGoatHomeDirectory
File Salaries.java:[line 59]
ClassPathResource classPathResource = new ClassPathResource("employees.xml");
File targetDirectory = new File(webGoatHomeDirectory, "/ClientSideFiltering");

CWE-22 HIGH Salaries.java This API (java/io/File.(Ljava/lang/String;Ljava/lang/String;)V) reads a file whose location might be specified by user input
File Salaries.java:[lines 51-105]
Class org.owasp.webgoat.client_side_filtering.Salaries
Method org.owasp.webgoat.client_side_filtering.Salaries.invoke()
File Salaries.java:[line 74]
Sink method java/io/File.(Ljava/lang/String;Ljava/lang/String;)V
Sink parameter 1
Unknown source org/owasp/webgoat/client_side_filtering/Salaries.webGoatHomeDirectory
File Salaries.java:[line 74]
NodeList nodes = null;
File d = new File(webGoatHomeDirectory, "ClientSideFiltering/employees.xml");

CWE-330 HIGH EncodingAssignment.java This random generator (java.util.Random) is predictable
File EncodingAssignment.java:[lines 40-71]
Class org.owasp.webgoat.crypto.EncodingAssignment
Method org.owasp.webgoat.crypto.EncodingAssignment.getBasicAuth(HttpServletRequest)
File EncodingAssignment.java:[line 53]
Value java.util.Random
if (basicAuth == null) {
String password = HashingAssignment.SECRETS[new Random().nextInt(HashingAssignment.SECRETS.length)];

CWE-330 HIGH HashingAssignment.java This random generator (java.util.Random) is predictable
File HashingAssignment.java:[lines 44-108]
Class org.owasp.webgoat.crypto.HashingAssignment
Method org.owasp.webgoat.crypto.HashingAssignment.getMd5(HttpServletRequest)
File HashingAssignment.java:[line 55]
Value java.util.Random

String secret = SECRETS[new Random().nextInt(SECRETS.length)];

CWE-330 HIGH HashingAssignment.java This random generator (java.util.Random) is predictable
File HashingAssignment.java:[lines 44-108]
Class org.owasp.webgoat.crypto.HashingAssignment
Method org.owasp.webgoat.crypto.HashingAssignment.getSha256(HttpServletRequest)
File HashingAssignment.java:[line 74]
Value java.util.Random
if (sha256 == null) {
String secret = SECRETS[new Random().nextInt(SECRETS.length)];

CWE-203 HIGH HashingAssignment.java Unsafe comparison of hash that are susceptible to timing attack
File HashingAssignment.java:[lines 44-108]
Class org.owasp.webgoat.crypto.HashingAssignment
Method org.owasp.webgoat.crypto.HashingAssignment.completed(HttpServletRequest, String, String)
File HashingAssignment.java:[line 90]
Sink method java/lang/String.equals(Ljava/lang/Object;)Z
Sink parameter 0
Unknown source javax/servlet/http/HttpSession.getAttribute(Ljava/lang/String;)Ljava/lang/Object;
if (answer_pwd1!=null && answer_pwd2 !=null) {
if (answer_pwd1.equals(md5Secret)

CWE-203 HIGH HashingAssignment.java Unsafe comparison of hash that are susceptible to timing attack
File HashingAssignment.java:[lines 44-108]
Class org.owasp.webgoat.crypto.HashingAssignment
Method org.owasp.webgoat.crypto.HashingAssignment.completed(HttpServletRequest, String, String)
File HashingAssignment.java:[line 91]
Sink method java/lang/String.equals(Ljava/lang/Object;)Z
Sink parameter 0
Unknown source javax/servlet/http/HttpSession.getAttribute(Ljava/lang/String;)Ljava/lang/Object;
if (answer_pwd1.equals(md5Secret)
&& answer_pwd2.equals(sha256Secret)) {

CWE-203 HIGH HashingAssignment.java Unsafe comparison of hash that are susceptible to timing attack
File HashingAssignment.java:[lines 44-108]
Class org.owasp.webgoat.crypto.HashingAssignment
Method org.owasp.webgoat.crypto.HashingAssignment.completed(HttpServletRequest, String, String)
File HashingAssignment.java:[line 95]
Sink method java/lang/String.equals(Ljava/lang/Object;)Z
Sink parameter 0
Unknown source javax/servlet/http/HttpSession.getAttribute(Ljava/lang/String;)Ljava/lang/Object;
.build();
} else if (answer_pwd1.equals(md5Secret)

CWE-203 HIGH HashingAssignment.java Unsafe comparison of hash that are susceptible to timing attack
File HashingAssignment.java:[lines 44-108]
Class org.owasp.webgoat.crypto.HashingAssignment
Method org.owasp.webgoat.crypto.HashingAssignment.completed(HttpServletRequest, String, String)
File HashingAssignment.java:[line 96]
Sink method java/lang/String.equals(Ljava/lang/Object;)Z
Sink parameter 0
Unknown source javax/servlet/http/HttpSession.getAttribute(Ljava/lang/String;)Ljava/lang/Object;
} else if (answer_pwd1.equals(md5Secret)
|| answer_pwd2.equals(sha256Secret)) {

CWE-330 HIGH CSRFGetFlag.java This random generator (java.util.Random) is predictable
File CSRFGetFlag.java:[lines 42-86]
Class org.owasp.webgoat.csrf.CSRFGetFlag
Method org.owasp.webgoat.csrf.CSRFGetFlag.invoke(HttpServletRequest)
File CSRFGetFlag.java:[line 62]
Value java.util.Random
if ("true".equals(req.getParameter("csrf"))) {
Random random = new Random();

CWE-330 HIGH CSRFGetFlag.java This random generator (java.util.Random) is predictable
File CSRFGetFlag.java:[lines 42-86]
Class org.owasp.webgoat.csrf.CSRFGetFlag
Method org.owasp.webgoat.csrf.CSRFGetFlag.invoke(HttpServletRequest)
File CSRFGetFlag.java:[line 68]
Value java.util.Random
} else {
Random random = new Random();

CWE-330 HIGH CSRFGetFlag.java This random generator (java.util.Random) is predictable
File CSRFGetFlag.java:[lines 42-86]
Class org.owasp.webgoat.csrf.CSRFGetFlag
Method org.owasp.webgoat.csrf.CSRFGetFlag.invoke(HttpServletRequest)
File CSRFGetFlag.java:[line 79]
Value java.util.Random
} else {
Random random = new Random();

CWE-259 HIGH IDORLogin.java Hard coded password found
File IDORLogin.java:[lines 37-72]
Class org.owasp.webgoat.idor.IDORLogin
Method org.owasp.webgoat.idor.IDORLogin.initIDORInfo()
File IDORLogin.java:[line 44]
Sink method java/util/Map.put(Ljava/lang/Object;Ljava/lang/Object;)Ljava/lang/Object;
Sink parameter 0
idorUserInfo.put("tom", new HashMap());
idorUserInfo.get("tom").put("password", "cat");

CWE-259 HIGH IDORLogin.java Hard coded password found
File IDORLogin.java:[lines 37-72]
Class org.owasp.webgoat.idor.IDORLogin
Method org.owasp.webgoat.idor.IDORLogin.initIDORInfo()
File IDORLogin.java:[line 50]
Sink method java/util/Map.put(Ljava/lang/Object;Ljava/lang/Object;)Ljava/lang/Object;
Sink parameter 0
idorUserInfo.put("bill", new HashMap());
idorUserInfo.get("bill").put("password", "buffalo");

CWE-89 HIGH JWTFinalEndpoint.java This use of java/sql/Statement.executeQuery(Ljava/lang/String;)Ljava/sql/ResultSet; can be vulnerable to SQL injection (with JDBC)
File JWTFinalEndpoint.java:[lines 89-101]
Class org.owasp.webgoat.jwt.JWTFinalEndpoint$1
Method org.owasp.webgoat.jwt.JWTFinalEndpoint$1.resolveSigningKeyBytes(JwsHeader, Claims)
File JWTFinalEndpoint.java:[line 94]
Sink method java/sql/Statement.executeQuery(Ljava/lang/String;)Ljava/sql/ResultSet;
Sink parameter 0
Unknown source io/jsonwebtoken/JwsHeader.get(Ljava/lang/Object;)Ljava/lang/Object;
File JWTFinalEndpoint.java:[line 94]
try (var connection = dataSource.getConnection()) {
ResultSet rs = connection.createStatement().executeQuery("SELECT key FROM jwt_keys WHERE id = '" + kid + "'");

CWE-89 HIGH JWTFinalEndpoint.java org.owasp.webgoat.jwt.JWTFinalEndpoint$1.resolveSigningKeyBytes(JwsHeader, Claims) passes a nonconstant String to an execute or addBatch method on an SQL statement
File JWTFinalEndpoint.java:[lines 89-101]
Class org.owasp.webgoat.jwt.JWTFinalEndpoint$1
Method org.owasp.webgoat.jwt.JWTFinalEndpoint$1.resolveSigningKeyBytes(JwsHeader, Claims)
File JWTFinalEndpoint.java:[line 94]
try (var connection = dataSource.getConnection()) {
ResultSet rs = connection.createStatement().executeQuery("SELECT key FROM jwt_keys WHERE id = '" + kid + "'");

CWE-259 HIGH JWTRefreshEndpointTest.java Hard coded password found
File JWTRefreshEndpointTest.java:[lines 48-215]
Class org.owasp.webgoat.jwt.JWTRefreshEndpointTest
Method org.owasp.webgoat.jwt.JWTRefreshEndpointTest.newTokenShouldWorkForJerry()
File JWTRefreshEndpointTest.java:[line 159]
Sink method java/util/Map.put(Ljava/lang/Object;Ljava/lang/Object;)Ljava/lang/Object;
Sink parameter 0
loginJson.put("user", "Jerry");
loginJson.put("password", PASSWORD);

CWE-259 HIGH JWTRefreshEndpointTest.java Hard coded password found
File JWTRefreshEndpointTest.java:[lines 48-215]
Class org.owasp.webgoat.jwt.JWTRefreshEndpointTest
Method org.owasp.webgoat.jwt.JWTRefreshEndpointTest.unknownRefreshTokenShouldGiveUnauthorized()
File JWTRefreshEndpointTest.java:[line 182]
Sink method java/util/Map.put(Ljava/lang/Object;Ljava/lang/Object;)Ljava/lang/Object;
Sink parameter 0
loginJson.put("user", "Jerry");
loginJson.put("password", PASSWORD);

CWE-330 HIGH JWTSecretKeyEndpoint.java This random generator (java.util.Random) is predictable
File JWTSecretKeyEndpoint.java:[lines 48-89]
Class org.owasp.webgoat.jwt.JWTSecretKeyEndpoint
Method org.owasp.webgoat.jwt.JWTSecretKeyEndpoint.()
File JWTSecretKeyEndpoint.java:[line 51]
Value java.util.Random
public static final String[] SECRETS = {"victory", "business", "available", "shipping", "washington"};
public static final String JWT_SECRET = TextCodec.BASE64.encode(SECRETS[new Random().nextInt(SECRETS.length)]);

HTTPONLY_COOKIE HIGH JWTVotesEndpoint.java Cookie without the HttpOnly flag could be read by a malicious script in the browser
File JWTVotesEndpoint.java:[lines 61-173]
Class org.owasp.webgoat.jwt.JWTVotesEndpoint
Method org.owasp.webgoat.jwt.JWTVotesEndpoint.login(String, HttpServletResponse)
File JWTVotesEndpoint.java:[line 98]
.compact();
Cookie cookie = new Cookie("access_token", token);

HTTPONLY_COOKIE HIGH JWTVotesEndpoint.java Cookie without the HttpOnly flag could be read by a malicious script in the browser
File JWTVotesEndpoint.java:[lines 61-173]
Class org.owasp.webgoat.jwt.JWTVotesEndpoint
Method org.owasp.webgoat.jwt.JWTVotesEndpoint.login(String, HttpServletResponse)
File JWTVotesEndpoint.java:[line 103]
} else {
Cookie cookie = new Cookie("access_token", "");

CWE-614 HIGH JWTVotesEndpoint.java Cookie without the secure flag could be sent in clear text if a HTTP URL is visited
File JWTVotesEndpoint.java:[lines 61-173]
Class org.owasp.webgoat.jwt.JWTVotesEndpoint
Method org.owasp.webgoat.jwt.JWTVotesEndpoint.login(String, HttpServletResponse)
File JWTVotesEndpoint.java:[line 98]
.compact();
Cookie cookie = new Cookie("access_token", token);

CWE-614 HIGH JWTVotesEndpoint.java Cookie without the secure flag could be sent in clear text if a HTTP URL is visited
File JWTVotesEndpoint.java:[lines 61-173]
Class org.owasp.webgoat.jwt.JWTVotesEndpoint
Method org.owasp.webgoat.jwt.JWTVotesEndpoint.login(String, HttpServletResponse)
File JWTVotesEndpoint.java:[line 103]
} else {
Cookie cookie = new Cookie("access_token", "");

CWE-212 HIGH MissingFunctionACUsers.java Unexpected property could be leaked because a persistence class is directly exposed to the client
File MissingFunctionACUsers.java:[lines 44-93]
Class org.owasp.webgoat.missing_ac.MissingFunctionACUsers
Method org.owasp.webgoat.missing_ac.MissingFunctionACUsers.addUser(WebGoatUser)
File MissingFunctionACUsers.java:[lines 84-93]
try {
userService.addUser(newUser.getUsername(),newUser.getPassword(),newUser.getRole());

CWE-915 HIGH MissingFunctionACUsers.java The persistent objects could be exploited by attacker to read sensitive information.
File MissingFunctionACUsers.java:[lines 44-93]
Class org.owasp.webgoat.missing_ac.MissingFunctionACUsers
Method org.owasp.webgoat.missing_ac.MissingFunctionACUsers.addUser(WebGoatUser)
File MissingFunctionACUsers.java:[lines 84-93]
try {
userService.addUser(newUser.getUsername(),newUser.getPassword(),newUser.getRole());

CWE-203 HIGH MissingFunctionACYourHash.java Unsafe comparison of hash that are susceptible to timing attack
File MissingFunctionACYourHash.java:[lines 39-53]
Class org.owasp.webgoat.missing_ac.MissingFunctionACYourHash
Method org.owasp.webgoat.missing_ac.MissingFunctionACYourHash.completed(String)
File MissingFunctionACYourHash.java:[line 50]
Sink method java/lang/String.equals(Ljava/lang/Object;)Z
Sink parameter 0
Unknown source org/owasp/webgoat/missing_ac/DisplayUser.getUserHash()Ljava/lang/String;
Unknown source org/owasp/webgoat/missing_ac/DisplayUser.userHash
File DisplayUser.java:[line 82]
File MissingFunctionACYourHash.java:[line 50]
DisplayUser displayUser = new DisplayUser(user);
if (userHash.equals(displayUser.getUserHash())) {

CWE-259 HIGH ResetLinkAssignment.java Hard coded password found
File ResetLinkAssignment.java:[lines 46-123]
Class org.owasp.webgoat.password_reset.ResetLinkAssignment
Method org.owasp.webgoat.password_reset.ResetLinkAssignment.login(String, String)
File ResetLinkAssignment.java:[line 69]
Sink method java/lang/String.equals(Ljava/lang/Object;)Z
Sink parameter 0
String passwordTom = usersToTomPassword.getOrDefault(getWebSession().getUserName(), PASSWORD_TOM_9);
if (passwordTom.equals(PASSWORD_TOM_9)) {

CWE-22 HIGH BlindSendFileAssignmentTest.java This API (java/io/File.(Ljava/lang/String;Ljava/lang/String;)V) reads a file whose location might be specified by user input
File BlindSendFileAssignmentTest.java:[lines 35-142]
Class org.owasp.webgoat.xxe.BlindSendFileAssignmentTest
Method org.owasp.webgoat.xxe.BlindSendFileAssignmentTest.solve()
File BlindSendFileAssignmentTest.java:[line 79]
Sink method java/io/File.(Ljava/lang/String;Ljava/lang/String;)V
Sink parameter 1
Unknown source org/owasp/webgoat/xxe/BlindSendFileAssignmentTest.webGoatHomeDirectory
File BlindSendFileAssignmentTest.java:[line 79]
public void solve() throws Exception {
File targetFile = new File(webGoatHomeDirectory, "/XXE/secret.txt");

CWE-22 HIGH BlindSendFileAssignmentTest.java This API (java/io/File.(Ljava/lang/String;Ljava/lang/String;)V) reads a file whose location might be specified by user input
File BlindSendFileAssignmentTest.java:[lines 35-142]
Class org.owasp.webgoat.xxe.BlindSendFileAssignmentTest
Method org.owasp.webgoat.xxe.BlindSendFileAssignmentTest.solveOnlyParamReferenceEntityInExternalDTD()
File BlindSendFileAssignmentTest.java:[line 103]
Sink method java/io/File.(Ljava/lang/String;Ljava/lang/String;)V
Sink parameter 1
Unknown source org/owasp/webgoat/xxe/BlindSendFileAssignmentTest.webGoatHomeDirectory
File BlindSendFileAssignmentTest.java:[line 103]
public void solveOnlyParamReferenceEntityInExternalDTD() throws Exception {
File targetFile = new File(webGoatHomeDirectory, "/XXE/secret.txt");

CWE-22 HIGH MvcConfiguration.java This API (java/io/File.(Ljava/lang/String;)V) reads a file whose location might be specified by user input
File MvcConfiguration.java:[lines 44-66]
Class org.owasp.webwolf.MvcConfiguration
Method org.owasp.webwolf.MvcConfiguration.createDirectory()
File MvcConfiguration.java:[line 62]
Sink method java/io/File.(Ljava/lang/String;)V
Sink parameter 0
Unknown source org/owasp/webwolf/MvcConfiguration.fileLocatation
File MvcConfiguration.java:[line 62]
public void createDirectory() {
File file = new File(fileLocatation);

CWE-915 HIGH MailboxController.java The persistent objects could be exploited by attacker to read sensitive information.
File MailboxController.java:[lines 48-67]
Class org.owasp.webwolf.mailbox.MailboxController
Method org.owasp.webwolf.mailbox.MailboxController.sendEmail(Email)
File MailboxController.java:[line 65]
public Callable> sendEmail(@RequestBody Email email) {
return () -> {

Thank you for supporting AppThreat