27 lines
1.6 KiB
Plaintext
=== is duplicated by: S4066
=== on 19 Mar 2018, 11:18:13 Sébastien GIORIA - AppSecFR wrote:
Need Tag A8:2017
=== on 20 Mar 2018, 07:30:10 Freddy Mallet wrote:
Thanks [~SPoint] ! And I would even remove the A1 category [~alexandre.gigleux] to keep our referential orthogonal.
=== on 20 Mar 2018, 08:20:58 Alexandre Gigleux wrote:
[~freddy.mallet] I agree the main problem here is the "Insecure Deserialization" that can lead to a potential "Injection". The "Injection" can't be performed easily, you need first to bypass the deserialization layer. So I removed OWASP A1.
=== on 7 Jul 2018, 15:28:25 Tibor Blenessy wrote:
Method `ObjectInputStream.readArray(boolean)` is private, so it can't be called. Why should we detect it?
=== on 9 Jul 2018, 13:27:12 Andrei Epure wrote:
[~alexandre.gigleux], [~tibor.blenessy] Should we take into consideration `setObjectInputFilter`?
=== on 9 Jul 2018, 15:56:04 Alexandre Gigleux wrote:
[~andrei.epure] Hotspots rules are going to be revisited with "recommendations" that Security Auditors should follow to be sure the code is safe. This `setObjectInputFilter` will be part of them. Here we just want to raise a simple issue when `readObject` is called. Then it is up to the Security Auditor to look around this code and see if some sanitization of the input is made.
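The two shapes the thread contrasts, as an added example that is not part of the rule text or of any SonarSource code: a bare `ObjectInputStream.readObject()` call (the hotspot the rule raises) next to the same read with an allow-list `ObjectInputFilter` bound via `setObjectInputFilter` (the recommendation an auditor would look for). The `Greeting` class and the in-process serialized bytes are constructed for the demonstration; the filter API is the standard Java 9+ `java.io.ObjectInputFilter`.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;

public class FilteredDeserialization {

    // Hypothetical payload type used only for this example.
    public static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Greeting(String text) { this.text = text; }
    }

    // Constructed input: serialize in-process so the example runs offline.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // The hotspot: readObject() with no filter. Any Serializable class on the
    // classpath may be instantiated from attacker-controlled bytes.
    static Object readUnfiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    // The recommendation: an allow-list filter bound to the stream before readObject().
    // "!*" rejects every class not explicitly listed; maxdepth/maxarray bound resource use.
    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                "maxdepth=5;maxarray=1000;" + Greeting.class.getName() + ";!*");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] allowed = serialize(new Greeting("hello"));
        Greeting g = (Greeting) readFiltered(allowed);
        System.out.println("accepted by filter: " + g.text);

        // java.util.ArrayList is not on the allow-list, so the filter rejects it
        // before any of its fields are read.
        ArrayList<String> list = new ArrayList<>();
        list.add("x");
        byte[] other = serialize(list);
        try {
            readFiltered(other);
        } catch (InvalidClassException e) {
            System.out.println("rejected by filter: " + e.getMessage());
        }

        // Same bytes, no filter: the read succeeds for any class at all.
        System.out.println("unfiltered read returned: " + readUnfiltered(other));
    }
}
```

When reviewing a hotspot like this, the thing to check is whether a filter (per-stream via `setObjectInputFilter`, or process-wide via `ObjectInputFilter.Config.setSerialFilter` / the `jdk.serialFilter` property) is in place before the first `readObject()` call, and whether it is an allow-list ending in `!*` rather than a deny-list of known gadget classes.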
=== on 23 Jul 2018, 17:14:26 Pierre-Yves Nicolas wrote:
[~alexandre.gigleux] The current description is really specific to Java. Can it be adapted to PHP? Thanks.
=== on 27 May 2020, 16:48:46 Eric Therond wrote:
Deprecated because it overlaps with SonarSecurity