CxSASTReport 21 12 2022-11 51 28

ASWS-Repair_Order_Claim_Service_APP_QA-33514 Scan Report
Project Name ASWS-Repair_Order_Claim_Service_APP_QA-33514

Scan Start Wednesday, December 21, 2022 11:47:55 AM
Preset OWASP TOP 10 - 2021
Scan Time 00h:02m:51s
Lines Of Code Scanned 53855
Files Scanned 432
Report Creation Time Wednesday, December 21, 2022 11:51:20 AM
Online Results https://cx.mbusa.com/CxWebClient/ViewerMain.aspx?scanid=183636&projectid=12452
Team After Sales Systems
Checkmarx Version 9.4.2
Scan Type Incremental
Source Origin LocalPath
Density 2/1000 (Vulnerabilities/LOC)
Visibility Public
Filter Settings
Severity
Included: High, Medium, Low, Information
Excluded: None
Result State
Included: To Verify, Not Exploitable, Confirmed, Urgent, Proposed Not Exploitable
Excluded: None
Assigned to
Included: All
Categories
Included:
Uncategorized All
Custom All
PCI DSS v3.2.1 All
OWASP Top 10 2013 All
FISMA 2014 All
NIST SP 800-53 All
OWASP Mobile Top 10 All
2016
ASD STIG 4.10 All
OWASP Top 10 API All
Excluded:
Uncategorized None
Custom None
PCI DSS v3.2.1 None
OWASP Top 10 2013 None
FISMA 2014 None
NIST SP 800-53 None
PAGE 1 OF 153
OWASP Mobile Top 10 None
2016
ASD STIG 4.10 None
OWASP Top 10 API None
Results Limit
Results limit per query was set to 50
Selected Queries
Selected queries are listed in Result Summary
PAGE 2 OF 153
Result Summary Most Vulnerable Files
ReimbursementController.
java
ReimbursementServiceIm
High pl.java
Medium
Low ESAPIUtil.java
LocalEditServiceTest.java
LocalEditServiceImpl.java
Top 5 Vulnerabilities
PAGE 3 OF 153
Scan Summary - OWASP Top 10 2017
Further details and elaboration about vulnerabilities and risks can be found at: OWASP Top 10 2017
Threat Weakness Weakness Technical Business Issues Best Fix

Category Exploitability
Agent Prevalence Detectability Impact Impact Found Locations
App.
A1-Injection* EASY COMMON EASY SEVERE App. Specific 0 0
Specific
A2-Broken App.
EASY COMMON AVERAGE SEVERE App. Specific 0 0
Authentication* Specific
A3-Sensitive App.
AVERAGE WIDESPREAD AVERAGE SEVERE App. Specific 24 0
Data Exposure* Specific
A4-XML
App.
External Entities AVERAGE COMMON EASY SEVERE App. Specific 0 0
Specific
(XXE)
A5-Broken App.
AVERAGE COMMON AVERAGE SEVERE App. Specific 1 0
Access Control* Specific
A6-Security App.
EASY WIDESPREAD EASY MODERATE App. Specific 0 0
Misconfiguration Specific
A7-Cross-Site App.
EASY WIDESPREAD EASY MODERATE App. Specific 1 0
Scripting (XSS)* Specific
A8-Insecure App.
DIFFICULT COMMON AVERAGE SEVERE App. Specific 0 0
Deserialization Specific
A9-Using
Components with App.
AVERAGE WIDESPREAD AVERAGE MODERATE App. Specific 0 0
Known Specific
Vulnerabilities
A10-Insufficient
App.
Logging & AVERAGE WIDESPREAD DIFFICULT MODERATE App. Specific 0 0
Specific
Monitoring
* Project scan results do not include all relevant queries. Presets and\or Filters should be changed to include all relevant standard queries.
PAGE 4 OF 153
Best Fix
Category Issues Found
Locations
A1-Broken Access Control* 32 0
A2-Cryptographic Failures* 0 0
A3-Injection* 1 0
A4-Insecure Design* 55 0
A5-Security Misconfiguration* 1 0
A6-Vulnerable and Outdated Components 0 0
A7-Identification and Authentication Failures* 39 0
A8-Software and Data Integrity Failures 22 0
A9-Security Logging and Monitoring Failures 26 0
A10-Server-Side Request Forgery* 0 0
PAGE 5 OF 153
Further details and elaboration about vulnerabilities and risks can be found at: OWASP Top 10 2013
Threat Attack Weakness Weakness Technical Business Issues Best Fix

Category
Agent Vectors Prevalence Detectability Impact Impact Found Locations
EXTERNAL,
INTERNAL,
A1-Injection* EASY COMMON AVERAGE SEVERE ALL DATA 0 0
ADMIN
USERS
A2-Broken
EXTERNAL, AFFECTED
Authentication
INTERNAL AVERAGE WIDESPREAD AVERAGE SEVERE DATA AND 18 0
and Session
USERS FUNCTIONS
Management*
EXTERNAL,
AFFECTED
A3-Cross-Site INTERNAL, VERY
AVERAGE EASY MODERATE DATA AND 1 0
Scripting (XSS)* ADMIN WIDESPREAD
SYSTEM
USERS
A4-Insecure
SYSTEM EXPOSED
Direct Object EASY COMMON EASY MODERATE 0 0
USERS DATA
References*
EXTERNAL,
ALL DATA
A5-Security INTERNAL,
EASY COMMON EASY MODERATE AND 0 0
Misconfiguration ADMIN
SYSTEM
USERS
EXTERNAL,
INTERNAL,
A6-Sensitive ADMIN EXPOSED
DIFFICULT UNCOMMON AVERAGE SEVERE 24 0
Data Exposure* USERS, DATA
USERS
BROWSERS
A7-Missing EXTERNAL, EXPOSED
Function Level INTERNAL EASY COMMON AVERAGE MODERATE DATA AND 1 0
Access Control USERS FUNCTIONS
A8-Cross-Site AFFECTED
USERS
Request Forgery AVERAGE COMMON EASY MODERATE DATA AND 0 0
BROWSERS
(CSRF)* FUNCTIONS
A9-Using EXTERNAL
AFFECTED
Components with USERS,
AVERAGE WIDESPREAD DIFFICULT MODERATE DATA AND 0 0
Known AUTOMATED
FUNCTIONS
Vulnerabilities TOOLS
A10-Unvalidated AFFECTED
USERS
Redirects and AVERAGE WIDESPREAD DIFFICULT MODERATE DATA AND 0 0
BROWSERS
Forwards* FUNCTIONS
PAGE 6 OF 153
Scan Summary - PCI DSS v3.2.1
Best Fix
Locations
PCI DSS (3.2.1) - 6.5.1 - Injection flaws - particularly SQL injection* 5 0
PCI DSS (3.2.1) - 6.5.2 - Buffer overflows 0 0
PCI DSS (3.2.1) - 6.5.3 - Insecure cryptographic storage 1 0
PCI DSS (3.2.1) - 6.5.4 - Insecure communications* 0 0
PCI DSS (3.2.1) - 6.5.5 - Improper error handling* 3 0
PCI DSS (3.2.1) - 6.5.7 - Cross-site scripting (XSS)* 1 0
PCI DSS (3.2.1) - 6.5.8 - Improper access control* 19 0
PCI DSS (3.2.1) - 6.5.9 - Cross-site request forgery* 0 0
PCI DSS (3.2.1) - 6.5.10 - Broken authentication and session management* 0 0
PAGE 7 OF 153
Scan Summary - FISMA 2014
Issues Best Fix

Category Description
Found Locations
Organizations must limit information system access to
authorized users, processes acting on behalf of authorized
Access Control* users, or devices (including other information systems) 0 0
and to the types of transactions and functions that
authorized users are permitted to exercise.
Organizations must: (i) create, protect, and retain
information system audit records to the extent needed to
enable the monitoring, analysis, investigation, and
reporting of unlawful, unauthorized, or inappropriate
Audit And Accountability* 0 0
information system activity; and (ii) ensure that the
actions of individual information system users can be
uniquely traced to those users so they can be held
accountable for their actions.
Organizations must: (i) establish and maintain baseline
configurations and inventories of organizational
information systems (including hardware, software,
firmware, and documentation) throughout the respective
Configuration Management* 0 0
system development life cycles; and (ii) establish and
enforce security configuration settings for information
technology products employed in organizational
information systems.
Organizations must identify information system users,
processes acting on behalf of users, or devices and
Identification And Authentication* authenticate (or verify) the identities of those users, 56 0
processes, or devices, as a prerequisite to allowing access
to organizational information systems.
Organizations must: (i) protect information system
media, both paper and digital; (ii) limit access to
Media Protection* information on information system media to authorized 0 0
users; and (iii) sanitize or destroy information system
media before disposal or release for reuse.
Organizations must: (i) monitor, control, and protect
organizational communications (i.e., information
transmitted or received by organizational information
systems) at the external boundaries and key internal
System And Communications Protection boundaries of the information systems; and (ii) employ 0 0
architectural designs, software development techniques,
and systems engineering principles that promote effective
information security within organizational information
systems.
Organizations must: (i) identify, report, and correct
information and information system flaws in a timely
manner; (ii) provide protection from malicious code at
System And Information Integrity* appropriate locations within organizational information 1 0
systems; and (iii) monitor information system security
alerts and advisories and take appropriate actions in
response.
PAGE 8 OF 153
Scan Summary - NIST SP 800-53
Best Fix
Locations
AC-12 Session Termination (P2) 0 0
AC-3 Access Enforcement (P1)* 18 0
AC-4 Information Flow Enforcement (P1) 0 0
AC-6 Least Privilege (P1) 0 0
AU-9 Protection of Audit Information (P1) 0 0
CM-6 Configuration Settings (P2) 0 0
IA-5 Authenticator Management (P1) 0 0
IA-6 Authenticator Feedback (P2) 0 0
IA-8 Identification and Authentication (Non-Organizational Users) (P1) 0 0
SC-12 Cryptographic Key Establishment and Management (P1) 0 0
SC-13 Cryptographic Protection (P1) 0 0
SC-17 Public Key Infrastructure Certificates (P1) 0 0
SC-18 Mobile Code (P2) 0 0
SC-23 Session Authenticity (P1)* 33 0
SC-28 Protection of Information at Rest (P1)* 0 0
SC-4 Information in Shared Resources (P1)* 5 0
SC-5 Denial of Service Protection (P1)* 3 0
SC-8 Transmission Confidentiality and Integrity (P1)* 0 0
SI-10 Information Input Validation (P1)* 0 0
SI-11 Error Handling (P2)* 0 0
SI-15 Information Output Filtering (P0)* 1 0
SI-16 Memory Protection (P1)* 0 0
PAGE 9 OF 153
Scan Summary - OWASP Mobile Top 10 2016
Issues Best Fix

Category Description
Found Locations
This category covers misuse of a platform feature or
failure to use platform security controls. It might include
Android intents, platform permissions, misuse of
M1-Improper Platform Usage* 0 0
TouchID, the Keychain, or some other security control
that is part of the mobile operating system. There are
several ways that mobile apps can experience this risk.
This category covers insecure data storage and
M2-Insecure Data Storage* 0 0
unintended data leakage.
This category covers poor handshaking, incorrect SSL
M3-Insecure Communication* versions, weak negotiation, cleartext communication of 0 0
sensitive assets, etc.
This category captures notions of authenticating the end
user or bad session management. This can include:
-Failing to identify the user at all when that should be
M4-Insecure Authentication* 0 0
required
-Failure to maintain the user's identity when it is required
-Weaknesses in session management
The code applies cryptography to a sensitive information
asset. However, the cryptography is insufficient in some
way. Note that anything and everything related to TLS or
M5-Insufficient Cryptography* SSL goes in M3. Also, if the app fails to use 0 0
cryptography at all when it should, that probably belongs
in M2. This category is for issues where cryptography
was attempted, but it wasnt done correctly.
This is a category to capture any failures in authorization
(e.g., authorization decisions in the client side, forced
browsing, etc.). It is distinct from authentication issues
(e.g., device enrolment, user identification, etc.).
M6-Insecure Authorization* If the app does not authenticate users at all in a situation 0 0
where it should (e.g., granting anonymous access to some
resource or service when authenticated and authorized
access is required), then that is an authentication failure
not an authorization failure.
This category is the catch-all for code-level
implementation problems in the mobile client. That's
distinct from server-side coding mistakes. This would
M7-Client Code Quality* capture things like buffer overflows, format string 0 0
vulnerabilities, and various other code-level mistakes
where the solution is to rewrite some code that's running
on the mobile device.
This category covers binary patching, local resource
modification, method hooking, method swizzling, and
dynamic memory modification. Once the application is
delivered to the mobile device, the code and data
resources are resident there. An attacker can either
M8-Code Tampering* directly modify the code, change the contents of memory 0 0
dynamically, change or replace the system APIs that the
application uses, or modify the application's data and
resources. This can provide the attacker a direct method
of subverting the intended use of the software for
personal or monetary gain.
This category includes analysis of the final core binary to
determine its source code, libraries, algorithms, and other
assets. Software such as IDA Pro, Hopper, otool, and
other binary inspection tools give the attacker insight into
M9-Reverse Engineering* the inner workings of the application. This may be used 0 0
to exploit other nascent vulnerabilities in the application,
as well as revealing information about back end servers,
cryptographic constants and ciphers, and intellectual
property.
Often, developers include hidden backdoor functionality
M10-Extraneous Functionality* 0 0
or other internal development security controls that are
PAGE 10 OF 153
not intended to be released into a production
environment. For example, a developer may accidentally
include a password as a comment in a hybrid app.
Another example includes disabling of 2-factor
authentication during testing.
PAGE 11 OF 153
Scan Summary - Custom
Best Fix
Locations
Must audit* 0 0
Check 0 0
Optional 0 0
PAGE 12 OF 153
Scan Summary - ASD STIG 4.10
Best Fix
Locations
APSC-DV-000640 - CAT II The application must provide audit record generation capability for the renewal of
0 0
session IDs.
APSC-DV-000650 - CAT II The application must not write sensitive data into the application logs. 0 0
APSC-DV-000660 - CAT II The application must provide audit record generation capability for session timeouts. 0 0
APSC-DV-000670 - CAT II The application must record a time stamp indicating when the event occurred. 0 0
APSC-DV-000680 - CAT II The application must provide audit record generation capability for HTTP headers
0 0
including User-Agent, Referer, GET, and POST.
APSC-DV-000690 - CAT II The application must provide audit record generation capability for connecting system
0 0
IP addresses.
APSC-DV-000700 - CAT II The application must record the username or user ID of the user associated with the
0 0
event.
APSC-DV-000710 - CAT II The application must generate audit records when successful/unsuccessful attempts to
0 0
grant privileges occur.
0 0
access security objects occur.
0 0
access security levels occur.
0 0
access categories of information (e.g., classification levels) occur.
0 0
modify privileges occur.
0 0
modify security objects occur.
0 0
modify security levels occur.
0 0
modify categories of information (e.g., classification levels) occur.
0 0
delete privileges occur.
0 0
delete security levels occur.
0 0
delete application database security objects occur.
0 0
delete categories of information (e.g., classification levels) occur.
APSC-DV-000830 - CAT II The application must generate audit records when successful/unsuccessful logon
0 0
attempts occur.
APSC-DV-000840 - CAT II The application must generate audit records for privileged activities or other system-
0 0
level access.
APSC-DV-000850 - CAT II The application must generate audit records showing starting and ending time for user
0 0
access to the system.
APSC-DV-000860 - CAT II The application must generate audit records when successful/unsuccessful accesses to
0 0
objects occur.
APSC-DV-000870 - CAT II The application must generate audit records for all direct access to the information
0 0
system.
APSC-DV-000880 - CAT II The application must generate audit records for all account creations, modifications,
0 0
disabling, and termination events.
APSC-DV-000910 - CAT II The application must initiate session auditing upon startup. 0 0
APSC-DV-000940 - CAT II The application must log application shutdown events. 0 0
PAGE 13 OF 153
APSC-DV-000950 - CAT II The application must log destination IP addresses. 0 0
APSC-DV-000960 - CAT II The application must log user actions involving access to data. 0 0
APSC-DV-000970 - CAT II The application must log user actions involving changes to data. 0 0
APSC-DV-000980 - CAT II The application must produce audit records containing information to establish when
0 0
(date and time) the events occurred.
APSC-DV-000990 - CAT II The application must produce audit records containing enough information to establish
0 0
which component, feature or function of the application triggered the audit event.
APSC-DV-001000 - CAT II When using centralized logging; the application must include a unique identifier in
0 0
order to distinguish itself from other application logs.
APSC-DV-001010 - CAT II The application must produce audit records that contain information to establish the
0 0
outcome of the events.
APSC-DV-001020 - CAT II The application must generate audit records containing information that establishes the
0 0
identity of any individual or process associated with the event.
APSC-DV-001030 - CAT II The application must generate audit records containing the full-text recording of
0 0
privileged commands or the individual identities of group account users.
APSC-DV-001040 - CAT II The application must implement transaction recovery logs when transaction based. 0 0
APSC-DV-001050 - CAT II The application must provide centralized management and configuration of the content
0 0
to be captured in audit records generated by all application components.
APSC-DV-001070 - CAT II The application must off-load audit records onto a different system or media than the
0 0
system being audited.
APSC-DV-001080 - CAT II The application must be configured to write application logs to a centralized log
0 0
repository.
APSC-DV-001090 - CAT II The application must provide an immediate warning to the SA and ISSO (at a
minimum) when allocated audit record storage volume reaches 75% of repository maximum audit record storage 0 0
capacity.
APSC-DV-001100 - CAT II Applications categorized as having a moderate or high impact must provide an
0 0
immediate real-time alert to the SA and ISSO (at a minimum) for all audit failure events.
APSC-DV-001110 - CAT II The application must alert the ISSO and SA (at a minimum) in the event of an audit
0 0
processing failure.
APSC-DV-001120 - CAT II The application must shut down by default upon audit failure (unless availability is an
0 0
overriding concern).
APSC-DV-001130 - CAT II The application must provide the capability to centrally review and analyze audit
0 0
records from multiple components within the system.
APSC-DV-001140 - CAT II The application must provide the capability to filter audit records for events of interest
0 0
based upon organization-defined criteria.
APSC-DV-001150 - CAT II The application must provide an audit reduction capability that supports on-demand
0 0
reporting requirements.
APSC-DV-001160 - CAT II The application must provide an audit reduction capability that supports on-demand
0 0
audit review and analysis.
APSC-DV-001170 - CAT II The application must provide an audit reduction capability that supports after-the-fact
0 0
investigations of security incidents.
APSC-DV-001180 - CAT II The application must provide a report generation capability that supports on-demand
0 0
audit review and analysis.
APSC-DV-001190 - CAT II The application must provide a report generation capability that supports on-demand
0 0
reporting requirements.
APSC-DV-001200 - CAT II The application must provide a report generation capability that supports after-the-fact
0 0
investigations of security incidents.
APSC-DV-001210 - CAT II The application must provide an audit reduction capability that does not alter original
0 0
content or time ordering of audit records.
APSC-DV-001220 - CAT II The application must provide a report generation capability that does not alter original
0 0
content or time ordering of audit records.
APSC-DV-001250 - CAT II The applications must use internal system clocks to generate time stamps for audit
0 0
records.
APSC-DV-001260 - CAT II The application must record time stamps for audit records that can be mapped to
0 0
Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).
APSC-DV-001270 - CAT II The application must record time stamps for audit records that meet a granularity of one 0 0
PAGE 14 OF 153
second for a minimum degree of precision.
APSC-DV-001280 - CAT II The application must protect audit information from any type of unauthorized read
0 0
access.
APSC-DV-001290 - CAT II The application must protect audit information from unauthorized modification. 0 0
APSC-DV-001300 - CAT II The application must protect audit information from unauthorized deletion. 0 0
APSC-DV-001310 - CAT II The application must protect audit tools from unauthorized access. 0 0
APSC-DV-001320 - CAT II The application must protect audit tools from unauthorized modification. 0 0
APSC-DV-001330 - CAT II The application must protect audit tools from unauthorized deletion. 0 0
APSC-DV-001340 - CAT II The application must back up audit records at least every seven days onto a different
0 0
system or system component than the system or component being audited.
APSC-DV-001570 - CAT II The application must electronically verify Personal Identity Verification (PIV)
0 0
credentials.
APSC-DV-001350 - CAT II The application must use cryptographic mechanisms to protect the integrity of audit
0 0
information.
APSC-DV-001360 - CAT II Application audit tools must be cryptographically hashed. 0 0
APSC-DV-001370 - CAT II The integrity of the audit tools must be validated by checking the files for changes in
0 0
the cryptographic hash value.
APSC-DV-001390 - CAT II The application must prohibit user installation of software without explicit privileged
0 0
status.
APSC-DV-001410 - CAT II The application must enforce access restrictions associated with changes to application
0 0
configuration.
APSC-DV-001420 - CAT II The application must audit who makes configuration changes to the application. 0 0
APSC-DV-001430 - CAT II The application must have the capability to prevent the installation of patches, service
packs, or application components without verification the software component has been digitally signed using a 0 0
certificate that is recognized and approved by the orga
APSC-DV-001440 - CAT II The applications must limit privileges to change the software resident within software
0 0
libraries.
APSC-DV-001460 - CAT II An application vulnerability assessment must be conducted. 0 0
APSC-DV-001480 - CAT II The application must prevent program execution in accordance with organization-
defined policies regarding software program usage and restrictions, and/or rules authorizing the terms and conditions 0 0
of software program usage.
APSC-DV-001490 - CAT II The application must employ a deny-all, permit-by-exception (whitelist) policy to allow
0 0
the execution of authorized software programs.
APSC-DV-001500 - CAT II The application must be configured to disable non-essential capabilities. 0 0
APSC-DV-001510 - CAT II The application must be configured to use only functions, ports, and protocols permitted
0 0
to it in the PPSM CAL.
APSC-DV-001520 - CAT II The application must require users to reauthenticate when organization-defined
0 0
circumstances or situations require reauthentication.
APSC-DV-001530 - CAT II The application must require devices to reauthenticate when organization-defined
0 0
circumstances or situations requiring reauthentication.
APSC-DV-001540 - CAT I The application must uniquely identify and authenticate organizational users (or
0 0
processes acting on behalf of organizational users).
APSC-DV-001550 - CAT II The application must use multifactor (Alt. Token) authentication for network access to
0 0
privileged accounts.
APSC-DV-001560 - CAT II The application must accept Personal Identity Verification (PIV) credentials. 0 0
APSC-DV-001580 - CAT II The application must use multifactor (e.g., CAC, Alt. Token) authentication for network
0 0
access to non-privileged accounts.
APSC-DV-001590 - CAT II The application must use multifactor (Alt. Token) authentication for local access to
0 0
privileged accounts.
APSC-DV-001600 - CAT II The application must use multifactor (e.g., CAC, Alt. Token) authentication for local
0 0
access to non-privileged accounts.
APSC-DV-001610 - CAT II The application must ensure users are authenticated with an individual authenticator
0 0
prior to using a group authenticator.
APSC-DV-001620 - CAT II The application must implement replay-resistant authentication mechanisms for
0 0
network access to privileged accounts.
PAGE 15 OF 153
APSC-DV-001630 - CAT II The application must implement replay-resistant authentication mechanisms for
0 0
network access to non-privileged accounts.
APSC-DV-001640 - CAT II The application must utilize mutual authentication when endpoint device non-
0 0
repudiation protections are required by DoD policy or by the data owner.
APSC-DV-001650 - CAT II The application must authenticate all network connected endpoint devices before
0 0
establishing any connection.
APSC-DV-001660 - CAT II Service-Oriented Applications handling non-releasable data must authenticate endpoint
0 0
devices via mutual SSL/TLS.
APSC-DV-001670 - CAT II The application must disable device identifiers after 35 days of inactivity unless a
0 0
cryptographic certificate is used for authentication.
APSC-DV-001680 - CAT I The application must enforce a minimum 15-character password length. 0 0
APSC-DV-001690 - CAT II The application must enforce password complexity by requiring that at least one upper-
0 0
case character be used.
APSC-DV-001700 - CAT II The application must enforce password complexity by requiring that at least one lower-
0 0
case character be used.
APSC-DV-001710 - CAT II The application must enforce password complexity by requiring that at least one
0 0
numeric character be used.
APSC-DV-001720 - CAT II The application must enforce password complexity by requiring that at least one special
0 0
character be used.
APSC-DV-001730 - CAT II The application must require the change of at least 8 of the total number of characters
0 0
when passwords are changed.
APSC-DV-001740 - CAT I The application must only store cryptographic representations of passwords. 0 0
APSC-DV-001850 - CAT I The application must not display passwords/PINs as clear text. 0 0
APSC-DV-001750 - CAT I The application must transmit only cryptographically-protected passwords. 0 0
APSC-DV-001760 - CAT II The application must enforce 24 hours/1 day as the minimum password lifetime. 0 0
APSC-DV-001770 - CAT II The application must enforce a 60-day maximum password lifetime restriction. 0 0
APSC-DV-001780 - CAT II The application must prohibit password reuse for a minimum of five generations. 0 0
APSC-DV-001790 - CAT II The application must allow the use of a temporary password for system logons with an
0 0
immediate change to a permanent password.
APSC-DV-001795 - CAT II The application password must not be changeable by users other than the administrator
0 0
or the user with which the password is associated.
APSC-DV-001800 - CAT II The application must terminate existing user sessions upon account deletion. 0 0
APSC-DV-001820 - CAT I The application, when using PKI-based authentication, must enforce authorized access
0 0
to the corresponding private key.
APSC-DV-001830 - CAT II The application must map the authenticated identity to the individual user or group
0 0
account for PKI-based authentication.
APSC-DV-001870 - CAT II The application must uniquely identify and authenticate non-organizational users (or
0 0
processes acting on behalf of non-organizational users).
APSC-DV-001810 - CAT I The application, when utilizing PKI-based authentication, must validate certificates by
0 0
constructing a certification path (which includes status information) to an accepted trust anchor.
APSC-DV-001840 - CAT II The application, for PKI-based authentication, must implement a local cache of
revocation data to support path discovery and validation in case of the inability to access revocation information via 0 0
the network.
APSC-DV-001860 - CAT II The application must use mechanisms meeting the requirements of applicable federal
laws, Executive Orders, directives, policies, regulations, standards, and guidance for authentication to a 0 0
cryptographic module.
APSC-DV-001880 - CAT II The application must accept Personal Identity Verification (PIV) credentials from other
0 0
federal agencies.
APSC-DV-001890 - CAT II The application must electronically verify Personal Identity Verification (PIV)
0 0
credentials from other federal agencies.
APSC-DV-002050 - CAT II Applications making SAML assertions must use FIPS-approved random numbers in the
0 0
generation of SessionIndex in the SAML element AuthnStatement.
APSC-DV-001900 - CAT II The application must accept FICAM-approved third-party credentials. 0 0
APSC-DV-001910 - CAT II The application must conform to FICAM-issued profiles. 0 0
APSC-DV-001930 - CAT II Applications used for non-local maintenance sessions must audit non-local maintenance 0 0
PAGE 16 OF 153
and diagnostic sessions for organization-defined auditable events.
APSC-DV-000310 - CAT III The application must have a process, feature or function that prevents removal or
0 0
disabling of emergency accounts.
APSC-DV-001940 - CAT II Applications used for non-local maintenance sessions must implement cryptographic
0 0
mechanisms to protect the integrity of non-local maintenance and diagnostic communications.
APSC-DV-001950 - CAT II Applications used for non-local maintenance sessions must implement cryptographic
0 0
mechanisms to protect the confidentiality of non-local maintenance and diagnostic communications.
APSC-DV-001960 - CAT II Applications used for non-local maintenance sessions must verify remote disconnection
0 0
at the termination of non-local maintenance and diagnostic sessions.
APSC-DV-001970 - CAT II The application must employ strong authenticators in the establishment of non-local
0 0
maintenance and diagnostic sessions.
APSC-DV-001980 - CAT II The application must terminate all sessions and network connections when non-local
0 0
maintenance is completed.
APSC-DV-001995 - CAT II The application must not be vulnerable to race conditions. 0 0
APSC-DV-002000 - CAT II The application must terminate all network connections associated with a
0 0
communications session at the end of the session.
APSC-DV-002010 - CAT II The application must implement NSA-approved cryptography to protect classified
information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and 0 0
standards.
APSC-DV-002020 - CAT II The application must utilize FIPS-validated cryptographic modules when signing
0 0
application components.
APSC-DV-002030 - CAT II The application must utilize FIPS-validated cryptographic modules when generating
0 0
cryptographic hashes.
APSC-DV-002040 - CAT II The application must utilize FIPS-validated cryptographic modules when protecting
0 0
unclassified information that requires cryptographic protection.
APSC-DV-002150 - CAT II The application user interface must be either physically or logically separated from data
0 0
storage and management interfaces.
APSC-DV-002210 - CAT II The application must set the HTTPOnly flag on session cookies.* 0 0
APSC-DV-002220 - CAT II The application must set the secure flag on session cookies. 0 0
APSC-DV-002230 - CAT I The application must not expose session IDs. 0 0
APSC-DV-002240 - CAT I The application must destroy the session ID value and/or cookie on logoff or browser
0 0
close.
APSC-DV-002250 - CAT II Applications must use system-generated session identifiers that protect against session
0 0
fixation.
APSC-DV-002260 - CAT II Applications must validate session identifiers.* 0 0
APSC-DV-002270 - CAT II Applications must not use URL embedded session IDs. 0 0
APSC-DV-002280 - CAT II The application must not re-use or recycle session IDs. 0 0
APSC-DV-002290 - CAT II The application must use the Federal Information Processing Standard (FIPS) 140-2-
validated cryptographic modules and random number generator if the application implements encryption, key 0 0
exchange, digital signature, and hash functionality.
APSC-DV-002300 - CAT II The application must only allow the use of DoD-approved certificate authorities for
0 0
verification of the establishment of protected sessions.
APSC-DV-002310 - CAT I The application must fail to a secure state if system initialization fails, shutdown fails, or
0 0
aborts fail.
APSC-DV-002320 - CAT II In the event of a system failure, applications must preserve any information necessary
to determine cause of failure and any information necessary to return to operations with least disruption to mission 0 0
processes.
APSC-DV-002330 - CAT II The application must protect the confidentiality and integrity of stored information
5 0
when required by DoD policy or the information owner.*
APSC-DV-002340 - CAT II The application must implement approved cryptographic mechanisms to prevent
unauthorized modification of organization-defined information at rest on organization-defined information system 0 0
components.
APSC-DV-002350 - CAT II The application must use appropriate cryptography in order to protect stored DoD
0 0
information when required by the information owner or DoD policy.
APSC-DV-002360 - CAT II The application must isolate security functions from non-security functions.* 0 0
APSC-DV-002370 - CAT II The application must maintain a separate execution domain for each executing process. 0 0
PAGE 17 OF 153
APSC-DV-002380 - CAT II Applications must prevent unauthorized and unintended information transfer via shared
0 0
system resources.
APSC-DV-002390 - CAT II XML-based applications must mitigate DoS attacks by using XML filters, parser
0 0
options, or gateways.
APSC-DV-002400 - CAT II The application must restrict the ability to launch Denial of Service (DoS) attacks
0 0
against itself or other information systems.*
APSC-DV-002410 - CAT II The web service design must include redundancy mechanisms when used with high-
0 0
availability systems.
APSC-DV-002420 - CAT II An XML firewall function must be deployed to protect web services when exposed to
0 0
untrusted networks.
APSC-DV-002610 - CAT II The application must remove organization-defined software components after updated
0 0
versions have been installed.
APSC-DV-002440 - CAT I The application must protect the confidentiality and integrity of transmitted
0 0
information.*
APSC-DV-002450 - CAT II The application must implement cryptographic mechanisms to prevent unauthorized
disclosure of information and/or detect changes to information during transmission unless otherwise protected by 0 0
alternative physical safeguards, such as, at a minimum, a Prot
APSC-DV-002460 - CAT II The application must maintain the confidentiality and integrity of information during
0 0
preparation for transmission.*
APSC-DV-002470 - CAT II The application must maintain the confidentiality and integrity of information during
0 0
reception.
APSC-DV-002480 - CAT II The application must not disclose unnecessary information to users. 0 0
APSC-DV-002485 - CAT I The application must not store sensitive information in hidden fields. 0 0
APSC-DV-002490 - CAT I The application must protect from Cross-Site Scripting (XSS) vulnerabilities.* 1 0
APSC-DV-002500 - CAT II The application must protect from Cross-Site Request Forgery (CSRF) vulnerabilities.* 0 0
APSC-DV-002510 - CAT I The application must protect from command injection. 0 0
APSC-DV-002520 - CAT II The application must protect from canonical representation vulnerabilities.* 0 0
APSC-DV-002530 - CAT II The application must validate all input.* 0 0
APSC-DV-002540 - CAT I The application must not be vulnerable to SQL Injection.* 0 0
APSC-DV-002550 - CAT I The application must not be vulnerable to XML-oriented attacks. 0 0
APSC-DV-002560 - CAT I The application must not be subject to input handling vulnerabilities.* 33 0
APSC-DV-002570 - CAT II The application must generate error messages that provide information necessary for
3 0
corrective actions without revealing information that could be exploited by adversaries.*
APSC-DV-002580 - CAT II The application must reveal error messages only to the ISSO, ISSM, or SA.* 0 0
APSC-DV-002590 - CAT I The application must not be vulnerable to overflow attacks.* 0 0
APSC-DV-002630 - CAT II Security-relevant software updates and patches must be kept up to date. 0 0
APSC-DV-002760 - CAT II The application performing organization-defined security functions must verify correct
0 0
operation of security functions.
APSC-DV-002900 - CAT II The ISSO must ensure application audit trails are retained for at least 1 year for
0 0
applications without SAMI data, and 5 years for applications including SAMI data.
APSC-DV-002770 - CAT II The application must perform verification of the correct operation of security functions:
0 0
upon system startup and/or restart; upon command by a user with privileged access; and/or every 30 days.
APSC-DV-002780 - CAT III The application must notify the ISSO and ISSM of failed security verification tests. 0 0
APSC-DV-002870 - CAT II Unsigned Category 1A mobile code must not be used in the application in accordance
0 0
with DoD policy.
APSC-DV-002880 - CAT II The ISSO must ensure an account management process is implemented, verifying only
authorized users can gain access to the application, and individual accounts designated as inactive, suspended, or 0 0
terminated are promptly removed.
APSC-DV-002890 - CAT I Application web servers must be on a separate network segment from the application
0 0
and database servers if it is a tiered application operating in the DoD DMZ.
APSC-DV-002910 - CAT II The ISSO must review audit trails periodically based on system documentation
0 0
recommendations or immediately upon system security events.
APSC-DV-002920 - CAT II The ISSO must report all suspected violations of IA policies in accordance with DoD
0 0
information system IA procedures.
PAGE 18 OF 153
APSC-DV-002930 - CAT II The ISSO must ensure active vulnerability testing is performed. 0 0
APSC-DV-002980 - CAT II New IP addresses, data services, and associated ports used by the application must be
submitted to the appropriate approving authority for the organization, which in turn will be submitted through the 0 0
DoD Ports, Protocols, and Services Management (DoD PPS
APSC-DV-002950 - CAT II Execution flow diagrams and design documents must be created to show how deadlock
0 0
and recursion issues in web services are being mitigated.
APSC-DV-002960 - CAT II The designer must ensure the application does not store configuration and control files
0 0
in the same directory as user data.
APSC-DV-002970 - CAT II The ISSO must ensure if a DoD STIG or NSA guide is not available, a third-party
0 0
product will be configured by following available guidance.
APSC-DV-002990 - CAT II The application must be registered with the DoD Ports and Protocols Database. 0 0
APSC-DV-002990 - CAT II The application must be registered with the DoD Ports and Protocols Database. 0 0
APSC-DV-002995 - CAT II The Configuration Management (CM) repository must be properly patched and STIG
0 0
compliant.
APSC-DV-003000 - CAT II Access privileges to the Configuration Management (CM) repository must be reviewed
0 0
every three months.
APSC-DV-003010 - CAT II A Software Configuration Management (SCM) plan describing the configuration
control and change management process of application objects developed by the organization and the roles and 0 0
responsibilities of the organization must be created and maintained.
APSC-DV-003020 - CAT II A Configuration Control Board (CCB) that meets at least every release cycle, for
0 0
managing the Configuration Management (CM) process must be established.
APSC-DV-003030 - CAT II The application services and interfaces must be compatible with and ready for IPv6
0 0
networks.
APSC-DV-003040 - CAT II The application must not be hosted on a general purpose machine if the application is
0 0
designated as critical or high availability by the ISSO.
APSC-DV-003050 - CAT II A disaster recovery/continuity plan must exist in accordance with DoD policy based on
0 0
the applications availability requirements.
APSC-DV-003060 - CAT II Recovery procedures and technical system features must exist so recovery is performed
0 0
in a secure and verifiable manner. The ISSO will document circumstances inhibiting a trusted recovery.
APSC-DV-003070 - CAT II Data backup must be performed at required intervals in accordance with DoD policy. 0 0
APSC-DV-003080 - CAT II Back-up copies of the application software or source code must be stored in a fire-rated
0 0
container or stored separately (offsite).
APSC-DV-003090 - CAT II Procedures must be in place to assure the appropriate physical and technical protection
0 0
of the backup and restoration of the application.
APSC-DV-003100 - CAT II The application must use encryption to implement key exchange and authenticate
0 0
endpoints prior to establishing a communication channel for key exchange.
APSC-DV-003110 - CAT I The application must not contain embedded authentication data. 0 0
APSC-DV-003120 - CAT I The application must have the capability to mark sensitive/classified output when
0 0
required.
APSC-DV-003130 - CAT III Prior to each release of the application, updates to system, or applying patches; tests
0 0
plans and procedures must be created and executed.
APSC-DV-003150 - CAT II At least one tester must be designated to test for security flaws in addition to functional
0 0
testing.
APSC-DV-003140 - CAT II Application files must be cryptographically hashed prior to deploying to DoD
0 0
operational networks.
APSC-DV-003160 - CAT III Test procedures must be created and at least annually executed to ensure system
0 0
initialization, shutdown, and aborts are configured to verify the system remains in a secure state.
APSC-DV-003170 - CAT II An application code review must be performed on the application. 0 0
APSC-DV-003180 - CAT III Code coverage statistics must be maintained for each release of the application. 0 0
APSC-DV-003190 - CAT II Flaws found during a code review must be tracked in a defect tracking system. 0 0
APSC-DV-003200 - CAT II The changes to the application must be assessed for IA and accreditation impact prior to
0 0
implementation.
APSC-DV-003210 - CAT II Security flaws must be fixed or addressed in the project plan. 0 0
APSC-DV-003215 - CAT III The application development team must follow a set of coding standards. 0 0
APSC-DV-003220 - CAT III The designer must create and update the Design Document for each release of the 0 0
PAGE 19 OF 153
application.
APSC-DV-003230 - CAT II Threat models must be documented and reviewed for each application release and
0 0
updated as required by design and functionality changes or when new threats are discovered.
APSC-DV-003235 - CAT II The application must not be subject to error handling vulnerabilities.* 0 0
APSC-DV-003250 - CAT I The application must be decommissioned when maintenance or support is no longer
0 0
available.
APSC-DV-003236 - CAT II The application development team must provide an application incident response plan. 0 0
APSC-DV-003240 - CAT I All products must be supported by the vendor or the development team. 0 0
APSC-DV-003260 - CAT III Procedures must be in place to notify users when an application is decommissioned. 0 0
APSC-DV-003270 - CAT II Unnecessary built-in application accounts must be disabled. 0 0
APSC-DV-003280 - CAT I Default passwords must be changed. 0 0
APSC-DV-003330 - CAT II The system must alert an administrator when low resource conditions are encountered. 0 0
APSC-DV-003285 - CAT II An Application Configuration Guide must be created and included with the application. 0 0
APSC-DV-003290 - CAT II If the application contains classified data, a Security Classification Guide must exist
0 0
containing data elements and their classification.
APSC-DV-003300 - CAT II The designer must ensure uncategorized or emerging mobile code is not used in
0 0
applications.
APSC-DV-003310 - CAT II Production database exports must have database administration credentials and sensitive
0 0
data removed before releasing the export.
APSC-DV-003320 - CAT II Protections against DoS attacks must be implemented. 0 0
APSC-DV-003340 - CAT III At least one application administrator must be registered to receive update
0 0
notifications, or security alerts, when automated alerts are available.
APSC-DV-003360 - CAT III The application must generate audit records when concurrent logons from different
0 0
workstations occur.
APSC-DV-003345 - CAT III The application must provide notifications or alerts when product update and security
0 0
related patches are available.
APSC-DV-003350 - CAT II Connections between the DoD enclave and the Internet or other public or commercial
0 0
wide area networks must require a DMZ.
APSC-DV-003400 - CAT II The Program Manager must verify all levels of program management, designers,
0 0
developers, and testers receive annual security training pertaining to their job function.
APSC-DV-000010 - CAT II The application must provide a capability to limit the number of logon sessions per
0 0
user.
APSC-DV-000060 - CAT II The application must clear temporary storage and cookies when the session is
0 0
terminated.
APSC-DV-000070 - CAT II The application must automatically terminate the non-privileged user session and log
0 0
off non-privileged users after a 15 minute idle time period has elapsed.
APSC-DV-000080 - CAT II The application must automatically terminate the admin user session and log off admin
0 0
users after a 10 minute idle time period is exceeded.
APSC-DV-000090 - CAT II Applications requiring user access authentication must provide a logoff capability for
0 0
user initiated communication session.
APSC-DV-000100 - CAT III The application must display an explicit logoff message to users indicating the reliable
0 0
termination of authenticated communications sessions.
APSC-DV-000110 - CAT II The application must associate organization-defined types of security attributes having
0 0
organization-defined security attribute values with information in storage.
0 0
organization-defined security attribute values with information in process.
0 0
organization-defined security attribute values with information in transmission.
APSC-DV-000160 - CAT II The application must implement DoD-approved encryption to protect the confidentiality
0 0
of remote access sessions.
APSC-DV-000170 - CAT II The application must implement cryptographic mechanisms to protect the integrity of
0 0
remote access sessions.
APSC-DV-000190 - CAT I Messages protected with WS_Security must use time stamps with creation and
0 0
expiration times.
PAGE 20 OF 153
APSC-DV-000180 - CAT II Applications with SOAP messages requiring integrity must include the following
message elements:-Message ID-Service Request-Timestamp-SAML Assertion (optionally included in messages) and 0 0
all elements of the message must be digitally signed.
APSC-DV-000200 - CAT I Validity periods must be verified on all application messages using WS-Security or
0 0
SAML assertions.
APSC-DV-000210 - CAT II The application must ensure each unique asserting party provides unique assertion ID
0 0
references for each SAML assertion.
APSC-DV-000220 - CAT II The application must ensure encrypted assertions, or equivalent confidentiality
protections are used when assertion data is passed through an intermediary, and confidentiality of the assertion data 0 0
is required when passing through the intermediary.
APSC-DV-000230 - CAT I The application must use the NotOnOrAfter condition when using the
0 0
SubjectConfirmation element in a SAML assertion.
APSC-DV-000240 - CAT I The application must use both the NotBefore and NotOnOrAfter elements or
0 0
OneTimeUse element when using the Conditions element in a SAML assertion.
APSC-DV-000250 - CAT II The application must ensure if a OneTimeUse element is used in an assertion, there is
0 0
only one of the same used in the Conditions element portion of an assertion.
APSC-DV-000260 - CAT II The application must ensure messages are encrypted when the SessionIndex is tied to
0 0
privacy data.
APSC-DV-000290 - CAT II Shared/group account credentials must be terminated when members leave the group. 0 0
APSC-DV-000280 - CAT II The application must provide automated mechanisms for supporting account
0 0
management functions.
APSC-DV-000300 - CAT II The application must automatically remove or disable temporary user accounts 72 hours
0 0
after account creation.
APSC-DV-000320 - CAT III The application must automatically disable accounts after a 35 day period of account
0 0
inactivity.
APSC-DV-000330 - CAT II Unnecessary application accounts must be disabled, or deleted. 0 0
APSC-DV-000420 - CAT II The application must automatically audit account enabling actions. 0 0
APSC-DV-000340 - CAT II The application must automatically audit account creation. 0 0
APSC-DV-000350 - CAT II The application must automatically audit account modification. 0 0
APSC-DV-000360 - CAT II The application must automatically audit account disabling actions. 0 0
APSC-DV-000370 - CAT II The application must automatically audit account removal actions. 0 0
APSC-DV-000380 - CAT III The application must notify System Administrators and Information System Security
0 0
Officers when accounts are created.
0 0
Officers when accounts are modified.
0 0
Officers of account disabling actions.
0 0
Officers of account removal actions.
0 0
Officers of account enabling actions.
APSC-DV-000440 - CAT II Application data protection requirements must be identified and documented. 0 0
APSC-DV-000520 - CAT II The application must audit the execution of privileged functions. 0 0
APSC-DV-000450 - CAT II The application must utilize organization-defined data mining detection techniques for
0 0
organization-defined data storage objects to adequately detect data mining attempts.
APSC-DV-000460 - CAT I The application must enforce approved authorizations for logical access to information
0 0
and system resources in accordance with applicable access control policies.*
APSC-DV-000470 - CAT II The application must enforce organization-defined discretionary access control policies
18 0
over defined subjects and objects.*
APSC-DV-000480 - CAT II The application must enforce approved authorizations for controlling the flow of
0 0
information within the system based on organization-defined information flow control policies.
APSC-DV-000490 - CAT II The application must enforce approved authorizations for controlling the flow of
0 0
information between interconnected systems based on organization-defined information flow control policies.
APSC-DV-000500 - CAT II The application must prevent non-privileged users from executing privileged functions
0 0
to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
PAGE 21 OF 153
APSC-DV-000510 - CAT I The application must execute without excessive account permissions. 0 0
APSC-DV-000530 - CAT I The application must enforce the limit of three consecutive invalid logon attempts by a
0 0
user during a 15 minute time period.
APSC-DV-000560 - CAT III The application must retain the Standard Mandatory DoD Notice and Consent Banner
0 0
on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access.
APSC-DV-000540 - CAT II The application administrator must follow an approved process to unlock locked user
0 0
accounts.
APSC-DV-000550 - CAT III The application must display the Standard Mandatory DoD Notice and Consent Banner
0 0
before granting access to the application.
APSC-DV-000570 - CAT III The publicly accessible application must display the Standard Mandatory DoD Notice
0 0
and Consent Banner before granting access to the application.
APSC-DV-000580 - CAT III The application must display the time and date of the users last successful logon. 0 0
APSC-DV-000630 - CAT II The application must provide audit record generation capability for the destruction of
0 0
session IDs.
APSC-DV-000590 - CAT II The application must protect against an individual (or process acting on behalf of an
0 0
individual) falsely denying having performed organization-defined actions to be covered by non-repudiation.
APSC-DV-000600 - CAT II For applications providing audit record aggregation, the application must compile audit
records from organization-defined information system components into a system-wide audit trail that is time- 0 0
correlated with an organization-defined level of tolerance
APSC-DV-000610 - CAT II The application must provide the capability for organization-identified individuals or
roles to change the auditing to be performed on all application components, based on all selectable event criteria 0 0
within organization-defined time thresholds.
APSC-DV-000620 - CAT II The application must provide audit record generation capability for the creation of
0 0
session IDs.
PAGE 22 OF 153
Scan Summary - OWASP Top 10 API
Best Fix
Locations
API1-Broken Object Level Authorization 0 0
API2-Broken Authentication* 0 0
API3-Excessive Data Exposure 8 0
API4-Lack of Resources and Rate Limiting* 0 0
API5-Broken Function Level Authorization 18 0
API6-Mass Assignment 22 0
API7-Security Misconfiguration* 19 0
API8-Injection* 0 0
API9-Improper Assets Management* 0 0
API10-Insufficient Logging and Monitoring 26 0
PAGE 23 OF 153
Best Fix
Locations
A1-Injection* 0 0
A2-Cross-Site Scripting (XSS) 0 0
A3-Broken Authentication and Session Management* 0 0
A4-Insecure Direct Object References* 18 0
A5-Cross-Site Request Forgery (CSRF) 0 0
A6-Security Misconfiguration* 0 0
A7-Insecure Cryptographic Storage 0 0
A8-Failure to Restrict URL Access 0 0
A9-Insufficient Transport Layer Protection 0 0
A10-Unvalidated Redirects and Forwards 0 0
PAGE 24 OF 153
Results Distribution By Status Compared to project scan from 8/31/2022 5:23 PM
High Medium Low Information Total

New Issues 1 0 0 0 1
Recurrent Issues 0 35 79 61 175
Total 1 35 79 61 176
Fixed Issues 27 4 174 14 219
New Scan
Previous Scan
Results Distribution By State

High Medium Low Information Total
To Verify 1 25 70 61 157
Not Exploitable 0 10 9 0 19
Confirmed 0 0 0 0 0
Urgent 0 0 0 0 0
Proposed Not 0 0 0 0 0
Exploitable
Total 1 35 79 61 176
Result Summary
Vulnerability Type Occurrences Severity
Reflected XSS All Clients 1 High
Unsafe Object Binding 22 Medium
Excessive Data Exposure 8 Medium
Privacy Violation 5 Medium
TruffleHog HighEntropy Strings 20 Low
Improper Resource Access Authorization 18 Low
Serializable Class Containing Sensitive Data 18 Low
Spring Overly Permissive Cross Origin Resource Sharing Policy 18 Low
Improper Exception Handling 3 Low
PAGE 25 OF 153
Spring Missing Content Security Policy 1 Low
Use Of Hardcoded Password In Config 1 Low
Reliance On Untrusted Inputs In Security Decision 33 Information
Insufficient Logging of Exceptions 26 Information
Exposure of Resource to Wrong Sphere 1 Information
Potentially Serializable Class With Sensitive Data 1 Information
10 Most Vulnerable Files

High and Medium Vulnerabilities
File Name Issues Found

src/main/java/com/mbusa/raps/controller/ReimbursementController.java 30
src/main/java/com/mbusa/raps/service/ReimbursementServiceImpl.java 27
src/main/java/com/mbusa/raps/dto/RODiscrepancyDto.java 2
src/main/java/com/mbusa/raps/util/RapsUtil.java 2
src/main/java/com/mbusa/raps/util/ESAPIUtil.java 2
src/main/java/com/mbusa/raps/controller/ClaimsDamageSearchController.java 2
src/main/java/com/mbusa/raps/controller/LocalEditController.java 1
src/main/java/com/mbusa/raps/service/LocalEditServiceImpl.java 1
src/main/java/com/mbusa/raps/entity/RODiscrepancyEntity.java 1
PAGE 26 OF 153
Scan Results Details
Reflected XSS All Clients

Query Path:
Java\Cx\Java High Risk\Reflected XSS All Clients Version:8
Categories
PCI DSS v3.2.1: PCI DSS (3.2.1) - 6.5.7 - Cross-site scripting (XSS)
OWASP Top 10 2013: A3-Cross-Site Scripting (XSS)
FISMA 2014: System And Information Integrity
NIST SP 800-53: SI-15 Information Output Filtering (P0)
OWASP Top 10 2017: A7-Cross-Site Scripting (XSS)
ASD STIG 4.10: APSC-DV-002490 - CAT I The application must protect from Cross-Site Scripting (XSS)
vulnerabilities.
OWASP Top 10 2021: A3-Injection
Description
Reflected XSS All Clients\Path 1:
Severity High
Result State To Verify
Online Results https://cx.mbusa.com/CxWebClient/ViewerMain.aspx?scanid=183636&projectid=12452&pathid=
1
Status New
Detection Date 12/21/2022 11:50:33 AM
The application's fillErrorCodeForL65 embeds untrusted data in the generated output with setWsCpDataFnd, at line 1240
of src/main/java/com/mbusa/raps/service/LocalEditServiceImpl.java. This untrusted data is embedded straight into the
output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.
The attacker would be able to alter the returned web page by simply providing modified data in the user input localEdit,
which is read by the localEdit method at line 76 of src/main/java/com/mbusa/raps/controller/LocalEditController.java.
This input then flows through the code straight to the output web page, without sanitization.
This can enable a Reflected Cross-Site Scripting (XSS) attack.
Source Destination
File src/main/java/com/mbusa/raps/controller/LocalEdit src/main/java/com/mbusa/raps/service/LocalEditSer
Controller.java viceImpl.java
Line 76 1279
Object localEdit setWsCpDataFnd
Code Snippet
File Name src/main/java/com/mbusa/raps/controller/LocalEditController.java
Method public ResponseEntity<LocalEditResponse> localEdit(@Valid @RequestBody LocalEditRequest
localEdit) throws JsonProcessingException {
....
76. public ResponseEntity<LocalEditResponse> localEdit(@Valid
@RequestBody LocalEditRequest localEdit) throws JsonProcessingException
{
File Name src/main/java/com/mbusa/raps/service/LocalEditServiceImpl.java

Method private int fillErrorCodeForL65(LocalEditRequest localEdit, int errorCount, LocalEditResponse
response,
PAGE 27 OF 153
....
1279.
response.setWsCpDataFnd(HtmlUtils.htmlEscape(wsCpDataFnd));
Unsafe Object Binding

Query Path:
Java\Cx\Java Medium Threat\Unsafe Object Binding Version:3
Categories
OWASP Top 10 API: API6-Mass Assignment
OWASP Top 10 2021: A8-Software and Data Integrity Failures
Description
Unsafe Object Binding\Path 1:
Severity Medium
Result State Not Exploitable
7
Status Recurrent
Detection Date 11/11/2022 3:23:26 PM
The roDiscrepancyRequestModel at src/main/java/com/mbusa/raps/controller/ReimbursementController.java in line 206

may unintentionally allow setting the value of save in submitMileageDiscrepancy, in the object
src/main/java/com/mbusa/raps/service/ReimbursementServiceImpl.java at line 403.
Source Destination
File src/main/java/com/mbusa/raps/controller/Reimburs src/main/java/com/mbusa/raps/service/Reimbursem
ementController.java entServiceImpl.java
Line 207 422
Object roDiscrepancyRequestModel save
Code Snippet
File Name src/main/java/com/mbusa/raps/controller/ReimbursementController.java
Method public ResponseEntity<RODiscrepancyResponseDto> submitMileageDiscrepancy(
....
207. @Valid @RequestBody RODiscrepancyRequestModel
roDiscrepancyRequestModel)
File Name src/main/java/com/mbusa/raps/service/ReimbursementServiceImpl.java

Method public RODiscrepancyResponseDto submitMileageDiscrepancy(RODiscrepancyRequestModel
....
422.
roDiscrepancyDetailsRepository.save(roDiscrepancyEntity);

Severity Medium
8
PAGE 28 OF 153
Status Recurrent
The submitModels at src/main/java/com/mbusa/raps/controller/ReimbursementController.java in line 245 may

unintentionally allow setting the value of save in updateRapsRoDcsn, in the object
Source Destination
Line 246 2197
Object submitModels save
Code Snippet
Method public ResponseEntity<UpdateReimbursementStatusResponse> submitReimbursmentStatus(
....
246. @Valid @RequestBody List<SubmitModel>
submitModels) throws CustomAPIException, SQLException,
JsonProcessingException{

Method private void updateRapsRoDcsn(boolean localL90Exists, String countryCode,
....
2197. rapsRoDcsnRepository.save(rapsRoDcsnEntity);

Severity Medium
9
Status Recurrent

unintentionally allow setting the value of save in insertRapsRoDcsn, in the object
Source Destination
Line 246 2091
Code Snippet
PAGE 29 OF 153
....

Method private void insertRapsRoDcsn(boolean localL90Exists, String countryCode,
....
2091. rapsRoDcsnRepository.save(rapsRoDcsnEntity);

Severity Medium
10
Status Recurrent

unintentionally allow setting the value of save in updateRoLineItem, in the object
Source Destination
Line 246 1988
Code Snippet
....

Method private void updateRoLineItem(ROLineItem roLineItem, String localItemCodeStatus, String
localDecisionStatus,
....
1988. roLineItemRepository.save(roLineItem);

Severity Medium
PAGE 30 OF 153
11
Status Recurrent

unintentionally allow setting the value of save in updateRoOneLine, in the object
Source Destination
Line 246 2017
Code Snippet
....

Method private void updateRoOneLine(String countryCode, String dealerCode, String roNumber, String
lineNumber,
....
2017. roOneLineRepository.save(roOneLineEntity);

Severity Medium
12
Status Recurrent
The parkReimbursements at src/main/java/com/mbusa/raps/controller/ReimbursementController.java in line 308 may

unintentionally allow setting the value of save in commonStepCForParkAndUnpark, in the object
Source Destination
Line 309 2403
Object parkReimbursements save
Code Snippet
Method public ResponseEntity<UpdateReimbursementStatusResponse> parkReimbursmentStatus(
PAGE 31 OF 153
....
309. @Valid @RequestBody List<ParkReimbursementModel>
parkReimbursements) throws CustomAPIException, SQLException,
JsonProcessingException {

Method private boolean commonStepCForParkAndUnpark(String delerCode, String roNumber, String
roLineNumber,
....
2403. roLineItemSuccessFlag =
roLineItemRepository.save(roLineItem) != null;

Severity Medium
13
Status Recurrent
The unparkReimbursements at src/main/java/com/mbusa/raps/controller/ReimbursementController.java in line 370 may

Source Destination
Line 371 2403
Object unparkReimbursements save
Code Snippet
Method public ResponseEntity<UpdateReimbursementStatusResponse> unparkReimbursmentStatus(
....
371. @Valid @RequestBody
List<UnparkReimbursementModel> unparkReimbursements) throws
CustomAPIException, SQLException, JsonProcessingException {

roLineNumber,
....
2403. roLineItemSuccessFlag =
roLineItemRepository.save(roLineItem) != null;
PAGE 32 OF 153
Severity Medium
14
Status Recurrent
The parkReimbursements at src/main/java/com/mbusa/raps/controller/ReimbursementController.java in line 308 may

Source Destination
Line 309 2419
Object parkReimbursements save
Code Snippet
....

roLineNumber,
....
2419. roOneLineSuccessFlag =
roOneLineRepository.save(roOneLineEntity) != null;

Severity Medium
15
Status Recurrent
The unparkReimbursements at src/main/java/com/mbusa/raps/controller/ReimbursementController.java in line 370 may

Source Destination
Line 371 2419
Object unparkReimbursements save
PAGE 33 OF 153
Code Snippet
....

roLineNumber,
....
2419. roOneLineSuccessFlag =
roOneLineRepository.save(roOneLineEntity) != null;

Severity Medium
16
Status Recurrent
The deleteReimbursementModel at src/main/java/com/mbusa/raps/controller/ReimbursementController.java in line 422

may unintentionally allow setting the value of save in updateRoOneLineAfterDelete, in the object
Source Destination
Line 423 1133
Object deleteReimbursementModel save
Code Snippet
Method public ResponseEntity<UpdateReimbursementStatusResponse> deleteReimbursment(
....
423. @Valid @RequestBody DeleteReimbursementModel
deleteReimbursementModel)

Method private void updateRoOneLineAfterDelete(String countryCode, String dealerCode, String roNumber,
String lineNumber) {
....
PAGE 34 OF 153
Severity Medium
17
Status Recurrent
The forcesubmitModels at src/main/java/com/mbusa/raps/controller/ReimbursementController.java in line 472 may

unintentionally allow setting the value of save in forceSubmitReimbursement, in the object
Source Destination
Line 473 1302
Object forcesubmitModels save
Code Snippet
Method public ResponseEntity<UpdateReimbursementStatusResponse> forceSubmitReimbursment(
....
List<ForceSubmitReimbursementModel> forcesubmitModels)

Method public UpdateReimbursementStatusResponse forceSubmitReimbursement(
....
1302.
roLineItemRepository.save(roLineItem);

Severity Medium
18
Status Recurrent

unintentionally allow setting the value of save in performOneLineOperation, in the object
Source Destination
Line 473 1763
Code Snippet
PAGE 35 OF 153
....

Method private void performOneLineOperation(String countryCode, String dealerCode, String roNumber,
String lineNumber,
....

Severity Medium
19
Status Recurrent

unintentionally allow setting the value of save in forceSubmitReimbursement, in the object
Source Destination
Line 473 1317
Code Snippet
....

....
1317.
roOneLineRepository.save(roOneLineEntity);

Severity Medium
PAGE 36 OF 153
20
Status Recurrent

unintentionally allow setting the value of save in createForceErrorCode500, in the object
Source Destination
Line 473 1643
Code Snippet
....

Method private void createForceErrorCode500(String dealerCode, String roNumber, String lineNumber, String
seqNo,
....
1643. roErrorRepository.save(errorEntityInsert);

Severity Medium
21
Status Recurrent

unintentionally allow setting the value of save in createForceErrorCode500, in the object
Source Destination
Line 473 1620
Code Snippet
PAGE 37 OF 153
....

Method private void createForceErrorCode500(String dealerCode, String roNumber, String lineNumber, String
seqNo,
....
1620. roErrorRepository.save(errorEntity);

Severity Medium
22
Status Recurrent
The approve at src/main/java/com/mbusa/raps/controller/ReimbursementController.java in line 686 may unintentionally

allow setting the value of save in processorForce, in the object
Source Destination
Line 689 3586
Object approve save
Code Snippet
Method public ResponseEntity<ApproveReimbursementResponse> approveReimbursement(
....
689. @Valid @RequestBody ApproveReimbursementModel
approve) throws CustomAPIException, SQLException,

Method private ApproveReimbursementResponse processorForce(String operationIndicator, String
dealerCode, String roNumber,
....
3586.
roExecuteApproveRepository.save(roExecuteApproveEntity);

Severity Medium
PAGE 38 OF 153
23
Status Recurrent

allow setting the value of save in updateRoOneLineAndRoLineItemForApproveAPI, in the object
Source Destination
Line 689 3983
Object approve save
Code Snippet
....

Method private void updateRoOneLineAndRoLineItemForApproveAPI(String dealerCode, String roNumber,
....
3983. roLineItemRepository.save(roLineItem);

Severity Medium
24
Status Recurrent

allow setting the value of save in updateRoOneLineAndRoLineItemForApproveAPI, in the object
Source Destination
Line 689 3966
Object approve save
Code Snippet
PAGE 39 OF 153
....

Method private void updateRoOneLineAndRoLineItemForApproveAPI(String dealerCode, String roNumber,
....
3966. roOneLineRepository.save(roOneLineEntityUpdate);

Severity Medium
25
Status Recurrent

allow setting the value of save in updateRoErrorForApproveAPI, in the object
Source Destination
Line 689 3837
Object approve save
Code Snippet
....

Method private void updateRoErrorForApproveAPI(String dealerCode, String roNumber,
....
3837. roErrorRepository.save(errorEntityUpdate);

Severity Medium
26
PAGE 40 OF 153
Status Recurrent
The submitAppealModel at src/main/java/com/mbusa/raps/controller/ReimbursementController.java in line 732 may

unintentionally allow setting the value of save in populateRoOneLineAndRoLineItem, in the object
Source Destination
Line 732 5716
Object submitAppealModel save
Code Snippet
Method public ResponseEntity<SubmitAppealResponse> submitAppeal(@Valid @RequestBody
SubmitAppealModel submitAppealModel)
....
732. public ResponseEntity<SubmitAppealResponse>
submitAppeal(@Valid @RequestBody SubmitAppealModel submitAppealModel)

Method private void populateRoOneLineAndRoLineItem(SubmitAppealModel submitAppealModel,
Timestamp currentTimeStamp,
....
5716.
roOneLineRepository.save(roOneLineEntityUpdate);

Severity Medium
27
Status Recurrent

unintentionally allow setting the value of save in populateRoOneLineAndRoLineItem, in the object
Source Destination
Line 732 5698
Code Snippet
PAGE 41 OF 153
....

Method private void populateRoOneLineAndRoLineItem(SubmitAppealModel submitAppealModel,
Timestamp currentTimeStamp,
....
5698. roLineItem =
roLineItemRepository.save(roLineItem);

Severity Medium
28
Status Recurrent

unintentionally allow setting the value of save in submitAppeal, in the object
Source Destination
Line 732 5630
Code Snippet
....

Method public SubmitAppealResponse submitAppeal(SubmitAppealModel submitAppealModel) throws
CustomUnprocessableEnityException, SQLException {
....
5630.
rapsRoAplRepository.save(roAplEntity);
Excessive Data Exposure

Query Path:
PAGE 42 OF 153
Java\Cx\Java Medium Threat\Excessive Data Exposure Version:6
Categories
OWASP Top 10 API: API3-Excessive Data Exposure
OWASP Top 10 2021: A1-Broken Access Control
Description
Excessive Data Exposure\Path 1:
Severity Medium
150
Status Recurrent
The data in claimsDamageSearchDtos at src/main/java/com/mbusa/raps/controller/ClaimsDamageSearchController.java

in line 89 may be sensitive, and it is exposed by an API at claimsDamageSearchDtos in
src/main/java/com/mbusa/raps/controller/ClaimsDamageSearchController.java at line 89.
Source Destination
File src/main/java/com/mbusa/raps/controller/ClaimsDa src/main/java/com/mbusa/raps/controller/ClaimsDa
mageSearchController.java mageSearchController.java
Line 151 151
Object claimsDamageSearchDtos claimsDamageSearchDtos
Code Snippet
File Name src/main/java/com/mbusa/raps/controller/ClaimsDamageSearchController.java
Method public ResponseEntity<List<ClaimsDamageSearchDto>>
getClaimsDamageSearchDetails(@NotBlank @Size(min = 5, max = 5, message =
ValidationMessages.DEALER_CODE_SIZE) @PathVariable(name = "dealerCode", required = true)
String dealerCode, @RequestBody @Valid ClaimsDamageSearchRequest request) throws
PersistenceException, CustomUnprocessableEnityException
....
151. return new ResponseEntity<>(claimsDamageSearchDtos
, HttpStatus.OK);

Severity Medium
151
Status Recurrent
The data in roDiscrepancyDtoList at src/main/java/com/mbusa/raps/controller/ReimbursementController.java in line 158

may be sensitive, and it is exposed by an API at roDiscrepancyDtoList in
src/main/java/com/mbusa/raps/controller/ReimbursementController.java at line 158.
Source Destination
File src/main/java/com/mbusa/raps/controller/Reimburs src/main/java/com/mbusa/raps/controller/Reimburs
ementController.java ementController.java
Line 183 183
Object roDiscrepancyDtoList roDiscrepancyDtoList
PAGE 43 OF 153
Code Snippet
Method public ResponseEntity<List<RODiscrepancyDto>> getMileageDiscrepancyDetails(
....
183. return new ResponseEntity<>(roDiscrepancyDtoList,
HttpStatus.OK);

Severity Medium
152
Status Recurrent
The data in roDiscrepancyResponseDto at src/main/java/com/mbusa/raps/controller/ReimbursementController.java in

line 206 may be sensitive, and it is exposed by an API at roDiscrepancyResponseDto in
Source Destination
Line 222 222
Object roDiscrepancyResponseDto roDiscrepancyResponseDto
Code Snippet
....
222. return new ResponseEntity<>(roDiscrepancyResponseDto,
HttpStatus.OK);

Severity Medium
153
Status Recurrent
The data in readClaimsResponse at src/main/java/com/mbusa/raps/controller/ReimbursementController.java in line 562

may be sensitive, and it is exposed by an API at readClaimsResponse in
Source Destination
Line 598 598
Object readClaimsResponse readClaimsResponse
Code Snippet
PAGE 44 OF 153
Method public ResponseEntity<ReadClaimsResponse> readReimbursement(
....
598. return new ResponseEntity<>((readClaimsResponse),
HttpStatus.OK);

Severity Medium
154
Status Recurrent
The data in claimsDamageSearchDtos at src/main/java/com/mbusa/raps/controller/ClaimsDamageSearchController.java

in line 89 may be sensitive, and it is exposed by an API at claimsDamageSearchDtos in
src/main/java/com/mbusa/raps/controller/ClaimsDamageSearchController.java at line 89.
Source Destination
Line 148 148
Object claimsDamageSearchDtos claimsDamageSearchDtos
Code Snippet
....
148. return new
ResponseEntity<>(claimsDamageSearchDtos , HttpStatus.NO_CONTENT);

Severity Medium
155
Status Recurrent
The data in roDiscrepancyDtoList at src/main/java/com/mbusa/raps/controller/ReimbursementController.java in line 158

may be sensitive, and it is exposed by an API at roDiscrepancyDtoList in
Source Destination
Line 179 179
Object roDiscrepancyDtoList roDiscrepancyDtoList
PAGE 45 OF 153
Code Snippet
....
179. return new
ResponseEntity<>(roDiscrepancyDtoList, HttpStatus.NO_CONTENT);

Severity Medium
156
Status Recurrent
The data in roDiscrepancyResponseDto at src/main/java/com/mbusa/raps/controller/ReimbursementController.java in

line 206 may be sensitive, and it is exposed by an API at roDiscrepancyResponseDto in
Source Destination
Line 218 218
Object roDiscrepancyResponseDto roDiscrepancyResponseDto
Code Snippet
....
218. return new
ResponseEntity<>(roDiscrepancyResponseDto, HttpStatus.NO_CONTENT);

Severity Medium
157
Status Recurrent
The data in readClaimsResponse at src/main/java/com/mbusa/raps/controller/ReimbursementController.java in line 562

may be sensitive, and it is exposed by an API at readClaimsResponse in
Source Destination
Line 583 583
Object readClaimsResponse readClaimsResponse
PAGE 46 OF 153
Code Snippet
....
583. return new
ResponseEntity<>((readClaimsResponse), HttpStatus.NO_CONTENT);
Privacy Violation
Query Path:
Java\Cx\Java Medium Threat\Privacy Violation Version:11
Categories
PCI DSS v3.2.1: PCI DSS (3.2.1) - 6.5.1 - Injection flaws - particularly SQL injection
OWASP Top 10 2013: A6-Sensitive Data Exposure
FISMA 2014: Identification And Authentication
NIST SP 800-53: SC-4 Information in Shared Resources (P1)
ASD STIG 4.10: APSC-DV-002330 - CAT II The application must protect the confidentiality and integrity of stored
information when required by DoD policy or the information owner.
Description
Privacy Violation\Path 1:
Severity Medium
2
Status Recurrent
Method extractedEntity at line 91 of src/main/java/com/mbusa/raps/dto/RODiscrepancyDto.java sends user information

outside the application. This may constitute a Privacy Violation.
Source Destination
File src/main/java/com/mbusa/raps/dto/RODiscrepancy src/main/java/com/mbusa/raps/controller/Reimburs
Dto.java ementController.java
Line 100 178
Object getPhone info
Code Snippet
File Name src/main/java/com/mbusa/raps/dto/RODiscrepancyDto.java
Method private void extractedEntity(RODiscrepancyEntity entity) {
....
100. this.phone =
RapsUtil.validateStringForNull(entity.getPhone());

PAGE 47 OF 153
....
178.
log.info(ESAPIUtil.encodeLogForg(CommonConstant.NO_CONTENT_RESPONS
E + RapsUtil.getJsonBody(roDiscrepancyDtoList)));
Severity Medium
3
Status Recurrent
Method extractedEntity at line 91 of src/main/java/com/mbusa/raps/dto/RODiscrepancyDto.java sends user information

outside the application. This may constitute a Privacy Violation.
Source Destination
File src/main/java/com/mbusa/raps/dto/RODiscrepancy src/main/java/com/mbusa/raps/controller/Reimburs
Dto.java ementController.java
Line 100 182
Object getPhone info
Code Snippet
File Name src/main/java/com/mbusa/raps/dto/RODiscrepancyDto.java
Method private void extractedEntity(RODiscrepancyEntity entity) {
....
100. this.phone =
RapsUtil.validateStringForNull(entity.getPhone());

....
182.
log.info(ESAPIUtil.encodeLogForg(CommonConstant.SUCCESS_RESPONSE_D
ATA + RapsUtil.getJsonBody(roDiscrepancyDtoList)));
Severity Medium
4
Status Recurrent
Method populateMileageAndMileValue at line 5442 of

src/main/java/com/mbusa/raps/service/ReimbursementServiceImpl.java sends user information outside the application.
This may constitute a Privacy Violation.
Source Destination
File src/main/java/com/mbusa/raps/service/Reimbursem src/main/java/com/mbusa/raps/service/Reimbursem
PAGE 48 OF 153
entServiceImpl.java entServiceImpl.java
Line 5473 5474
Object getPhone setMileageAppEmail
Code Snippet
Method private void populateMileageAndMileValue(String dealerCode, String roNumber,
ReadClaimsResponse readClaimsResponse, String numVin) {
....
5473.
readClaimsResponse.setMileageAppPhone(roDiscrepancyEntityByDealerC
ode.getPhone());
5474.
readClaimsResponse.setMileageAppEmail(roDiscrepancyEntityByDealerC
ode.getNotificationEmailId());
Severity Medium
5
Status Recurrent

Source Destination
Line 5479 5480
Object setMileageAppPhone setMileageAppEmail
Code Snippet
....
5479. readClaimsResponse.setMileageAppPhone(" ");
5480. readClaimsResponse.setMileageAppEmail(" ");
Severity Medium
6
Status Recurrent
PAGE 49 OF 153
Source Destination
Line 5479 5479
Object setMileageAppPhone setMileageAppPhone
Code Snippet
....
5479. readClaimsResponse.setMileageAppPhone(" ");
TruffleHog HighEntropy Strings

Query Path:
Java\Cx\Java Low Visibility\TruffleHog HighEntropy Strings Version:1
Categories
OWASP Top 10 2021: A7-Identification and Authentication Failures
Description
TruffleHog HighEntropy Strings\Path 1:
Severity Low
43
Status Recurrent
The application uses the hard-coded password

findByIdCountryCodeAndFnActiveAndNumBaum1To3AndNumBaum4To6AndCdeHybRprTypAndTxtHybRprTypStar
tsWith for authentication purposes, either using it to verify users' identities, or to access another remote system. This
password at line 3716 of src/main/java/com/mbusa/raps/service/LocalEditServiceImpl.java appears in the code, implying
it is accessible to anyone with source code access, and cannot be changed without rebuilding the application.
Source Destination
File src/main/java/com/mbusa/raps/service/LocalEditSer src/main/java/com/mbusa/raps/service/LocalEditSer
viceImpl.java viceImpl.java
Line 3716 3716
Object findByIdCountryCodeAndFnActiveAndNumBaum findByIdCountryCodeAndFnActiveAndNumBaum
1To3AndNumBaum4To6AndCdeHybRprTypAndT 1To3AndNumBaum4To6AndCdeHybRprTypAndT
xtHybRprTypStartsWith xtHybRprTypStartsWith
Code Snippet
Method .findByIdCountryCodeAndFnActiveAndNumBaum1To3AndNumBaum4To6AndCdeHybRprTypAnd
TxtHybRprTypStartsWith(
PAGE 50 OF 153
....
3716.
.findByIdCountryCodeAndFnActiveAndNumBaum1To3AndNumBaum4To6AndCdeH
ybRprTypAndTxtHybRprTypStartsWith(

Severity Low
44
Status Recurrent

password at line 3728 of src/main/java/com/mbusa/raps/service/LocalEditServiceImpl.java appears in the code, implying
it is accessible to anyone with source code access, and cannot be changed without rebuilding the application.
Source Destination
Line 3728 3728
Code Snippet
Method .findByIdCountryCodeAndFnActiveAndNumBaum1To3AndNumBaum4To6AndCdeHybRprTypAnd
TxtHybRprTypStartsWith(
....
3728.
.findByIdCountryCodeAndFnActiveAndNumBaum1To3AndNumBaum4To6AndCdeH
ybRprTypAndTxtHybRprTypStartsWith(

Severity Low
45
Status Recurrent

findByFnActiveAndCountryCodeAndCdeOperAndRprTrnReqEffDateLessThanEqualAndCdeBaumAndIndInclExcl for
authentication purposes, either using it to verify users' identities, or to access another remote system. This password at
line 4225 of src/main/java/com/mbusa/raps/service/LocalEditServiceImpl.java appears in the code, implying it is
accessible to anyone with source code access, and cannot be changed without rebuilding the application.
Source Destination
PAGE 51 OF 153
Line 4225 4225
Object findByFnActiveAndCountryCodeAndCdeOperAnd findByFnActiveAndCountryCodeAndCdeOperAnd
RprTrnReqEffDateLessThanEqualAndCdeBaumAn RprTrnReqEffDateLessThanEqualAndCdeBaumAn
dIndInclExcl dIndInclExcl
Code Snippet
Method .findByFnActiveAndCountryCodeAndCdeOperAndRprTrnReqEffDateLessThanEqualAndCdeBaumA
ndIndInclExcl(CommonConstant.ONE,
....
4225.
.findByFnActiveAndCountryCodeAndCdeOperAndRprTrnReqEffDateLessThan
EqualAndCdeBaumAndIndInclExcl(CommonConstant.ONE,

Severity Low
46
Status Recurrent

line 517 of src/test/java/com/mbusa/raps/service/LocalEditServiceTest.java appears in the code, implying it is accessible
to anyone with source code access, and cannot be changed without rebuilding the application.
Source Destination
File src/test/java/com/mbusa/raps/service/LocalEditServ src/test/java/com/mbusa/raps/service/LocalEditServ
iceTest.java iceTest.java
Line 517 517
Code Snippet
File Name src/test/java/com/mbusa/raps/service/LocalEditServiceTest.java
Method Mockito.when(rprTrnReqCrseParmRepository.findByFnActiveAndCountryCodeAndCdeOperAndRpr
TrnReqEffDateLessThanEqualAndCdeBaumAndIndInclExcl("1", "70531", "00****",
RapsUtil.getSQLDate(RapsUtil.getParsedDate("2022-07-17")), "907155",
"1")).thenReturn(crseParmEntityList);
....
517.
Mockito.when(rprTrnReqCrseParmRepository.findByFnActiveAndCountryC
odeAndCdeOperAndRprTrnReqEffDateLessThanEqualAndCdeBaumAndIndInclExcl("1
", "70531", "00****", RapsUtil.getSQLDate(RapsUtil.getParsedDate("2022-
07-17")), "907155", "1")).thenReturn(crseParmEntityList);

Severity Low
PAGE 52 OF 153
47
Status Recurrent

password at line 524 of src/test/java/com/mbusa/raps/service/LocalEditServiceTest.java appears in the code, implying it
is accessible to anyone with source code access, and cannot be changed without rebuilding the application.
Source Destination
Line 524 524
Code Snippet
Method Mockito.when(hybAuthRstrcRepository.findByIdCountryCodeAndFnActiveAndNumBaum1To3And
NumBaum4To6AndCdeHybRprTypAndTxtHybRprTypStartsWith(null, null, null, null, null,
null)).thenReturn(authRstrcEntity);
....
524.
Mockito.when(hybAuthRstrcRepository.findByIdCountryCodeAndFnActive
AndNumBaum1To3AndNumBaum4To6AndCdeHybRprTypAndTxtHybRprTypStartsWith(nul
l, null, null, null, null, null)).thenReturn(authRstrcEntity);

Severity Low
48
Status Recurrent

line 828 of src/test/java/com/mbusa/raps/service/LocalEditServiceTest.java appears in the code, implying it is accessible
to anyone with source code access, and cannot be changed without rebuilding the application.
Source Destination
Line 828 828
Code Snippet
PAGE 53 OF 153
....
828.

Severity Low
49
Status Recurrent

Source Destination
Line 835 835
Code Snippet
....
835.

Severity Low
50
Status Recurrent

PAGE 54 OF 153
line 1141 of src/test/java/com/mbusa/raps/service/LocalEditServiceTest.java appears in the code, implying it is
Source Destination
Line 1141 1141
Code Snippet
....
1141.

Severity Low
51
Status Recurrent

Source Destination
Line 1148 1148
Code Snippet
PAGE 55 OF 153
....
1148.

Severity Low
52
Status Recurrent

Source Destination
Line 1454 1454
Code Snippet
....
1454.

Severity Low
53
Status Recurrent

PAGE 56 OF 153
Source Destination
Line 1461 1461
Code Snippet
....
1461.

Severity Low
54
Status Recurrent

Source Destination
Line 1763 1763
Code Snippet
PAGE 57 OF 153
....
1763.

Severity Low
55
Status Recurrent

Source Destination
Line 1772 1772
Code Snippet
....
1772.

Severity Low
56
Status Recurrent

PAGE 58 OF 153
Source Destination
Line 2074 2074
Code Snippet
....
2074.

Severity Low
57
Status Recurrent

Source Destination
Line 2083 2083
Code Snippet
PAGE 59 OF 153
....
2083.

Severity Low
58
Status Recurrent

Source Destination
Line 2385 2385
Code Snippet
....
2385.

Severity Low
59
Status Recurrent

PAGE 60 OF 153
Source Destination
Line 2394 2394
Code Snippet
....
2394.

Severity Low
174
Status Recurrent
The application uses the hard-coded password 659cf140-2724-4775-86f6-18091018666b for authentication purposes,
either using it to verify users' identities, or to access another remote system. This password at line 62 of
src/main/resources/application.properties appears in the code, implying it is accessible to anyone with source code
access, and cannot be changed without rebuilding the application.
Source Destination
File src/main/resources/application.properties src/main/resources/application.properties
Line 62 62
Object 659cf140-2724-4775-86f6-18091018666b 659cf140-2724-4775-86f6-18091018666b
Code Snippet
File Name src/main/resources/application.properties
Method client-after-sales-service.client-id= 659cf140-2724-4775-86f6-18091018666b
....
62. client-after-sales-service.client-id= 659cf140-2724-4775-86f6-
18091018666b

Severity Low
175
Status Recurrent
PAGE 61 OF 153
LncrZIHpAjemzhCnrFYbwDlCFrrCiVfTeyPTkVOXoiGbZeVybpGNmfvTWrqfbuOv for authentication purposes,
src/main/resources/application.properties appears in the code, implying it is accessible to anyone with source code
access, and cannot be changed without rebuilding the application.
Source Destination
File src/main/resources/application.properties src/main/resources/application.properties
Line 63 63
Object LncrZIHpAjemzhCnrFYbwDlCFrrCiVfTeyPTkVO LncrZIHpAjemzhCnrFYbwDlCFrrCiVfTeyPTkVO
XoiGbZeVybpGNmfvTWrqfbuOv XoiGbZeVybpGNmfvTWrqfbuOv
Code Snippet
File Name src/main/resources/application.properties
Method client-after-sales-service.client-secret=
LncrZIHpAjemzhCnrFYbwDlCFrrCiVfTeyPTkVOXoiGbZeVybpGNmfvTWrqfbuOv
....
63. client-after-sales-service.client-secret=
LncrZIHpAjemzhCnrFYbwDlCFrrCiVfTeyPTkVOXoiGbZeVybpGNmfvTWrqfbuOv

Severity Low
176
Status Recurrent
The application uses the hard-coded password 0x000102030405060708090a0b0c0d0e0f for authentication purposes,
src/main/resources/ESAPI.properties appears in the code, implying it is accessible to anyone with source code access,
and cannot be changed without rebuilding the application.
Source Destination
File src/main/resources/ESAPI.properties src/main/resources/ESAPI.properties
Line 260 260
Object 0x000102030405060708090a0b0c0d0e0f 0x000102030405060708090a0b0c0d0e0f
Code Snippet
File Name src/main/resources/ESAPI.properties
Method Encryptor.fixedIV=0x000102030405060708090a0b0c0d0e0f
....
260. Encryptor.fixedIV=0x000102030405060708090a0b0c0d0e0f
Improper Resource Access Authorization

Query Path:
Java\Cx\Java Low Visibility\Improper Resource Access Authorization Version:10
Categories
PCI DSS v3.2.1: PCI DSS (3.2.1) - 6.5.8 - Improper access control
PAGE 62 OF 153
OWASP Top 10 2013: A2-Broken Authentication and Session Management
NIST SP 800-53: AC-3 Access Enforcement (P1)
ASD STIG 4.10: APSC-DV-000470 - CAT II The application must enforce organization-defined discretionary access
control policies over defined subjects and objects.
OWASP Top 10 API: API5-Broken Function Level Authorization
OWASP Top 10 2010: A4-Insecure Direct Object References
Description
Improper Resource Access Authorization\Path 1:
Severity Low
29
Status Recurrent
An I\O action occurs at src/main/java/com/mbusa/raps/service/LocalEditServiceImpl.java in 1052 without authorization

checks.
Source Destination
Line 1056 1056
Object getRoCustPayPartDetailTest getRoCustPayPartDetailTest
Code Snippet
Method private List<RoCustPayPartEntity> callCustPayPartRepository(String dealerCode, String reapirOrder,
String vinId,
....
1056. .getRoCustPayPartDetailTest(dealerCode,
sqlRepairDate, reapirOrder, vinId);

Severity Low
30
Status Recurrent
An I\O action occurs at src/main/java/com/mbusa/raps/service/ReimbursementServiceImpl.java in 403 without

authorization checks.
Source Destination
Line 454 454
Object updateRoCustPay updateRoCustPay
Code Snippet
PAGE 63 OF 153
....
454.
roPayCustPayRepository.updateRoCustPay(corRepDate,
roDiscrepancyRequestModel.getDealerCode(),

Severity Low
31
Status Recurrent

Source Destination
Line 461 461
Object insertRoCustPay insertRoCustPay
Code Snippet
....
461.
roPayCustPayRepository.insertRoCustPay(corRepDate,

Severity Low
32
Status Recurrent

Source Destination
Line 465 465
Object updateRoCustPayLbr updateRoCustPayLbr
Code Snippet
PAGE 64 OF 153
....
465.
roPayCustPayRepository.updateRoCustPayLbr(corRepDate,

Severity Low
33
Status Recurrent

Source Destination
Line 468 468
Object updateRoCustPayPart updateRoCustPayPart
Code Snippet
....
468.
roPayCustPayRepository.updateRoCustPayPart(corRepDate,

Severity Low
34
Status Recurrent

Source Destination
Line 471 471
Object deleteRoCustPay deleteRoCustPay
Code Snippet
PAGE 65 OF 153
....
471.
roPayCustPayRepository.deleteRoCustPay(subRepDate,

Severity Low
35
Status Recurrent

Source Destination
Line 475 475
Object updateRoOneLine updateRoOneLine
Code Snippet
....
475.
roPayCustPayRepository.updateRoOneLine(corRepDate,

Severity Low
36
Status Recurrent

Source Destination
Line 478 478
Object updateRoLineItem updateRoLineItem
Code Snippet
PAGE 66 OF 153
....
478.
roPayCustPayRepository.updateRoLineItem(corRepDate,

Severity Low
37
Status Recurrent

checks.
Source Destination
Line 1564 1564
Object getRapsPpmPkgOperDetails getRapsPpmPkgOperDetails
Code Snippet
Method private RapsPpmPkgOper callRapsPpmPkgOperDetailsRepo(String d385NumOpCode, String
d385DamageCode,
....
1564. return
rapsPpmPkgOperRepository.getRapsPpmPkgOperDetails(d385DamageCode,

Severity Low
38
Status Recurrent

checks.
Source Destination
Line 1995 1995
Object getRapsDmgCovrRuleDetails getRapsDmgCovrRuleDetails
Code Snippet
PAGE 67 OF 153
Method private RapsDmgCovrRuleEntity callRapsDmgCovrRuleRepository(String d388CdeDmg, String
d388NumModlYrFr,
....
1995. return
rapsDmgCovrRuleRepository.getRapsDmgCovrRuleDetails(countryCode,
cdeVehCatg, d388CdeDmg, cdeDmgTyp,

Severity Low
39
Status Recurrent

checks.
Source Destination
Line 4060 4060
Object updateRsastClmTck updateRsastClmTck
Code Snippet
Method private String fillStepF(LocalEditRequest localEdit, RsastClmTckt rsastClmTckt, String d406ErrorInd,
....
4060.
rsastClmTcktRepository.updateRsastClmTck(RapsUtil.getSQLDate(new
Date()), idFinVin, dteRepair,

Severity Low
40
Status Recurrent

checks.
Source Destination
Line 3324 3324
Object updateRsastClmTckDetails updateRsastClmTckDetails
Code Snippet
PAGE 68 OF 153
Method private int fillErrorCodeForL30(LocalEditRequest localEdit, Integer errorCount, LocalEditResponse
response,
....
3324.
rsastClmTcktRepository.updateRsastClmTckDetails(RapsUtil.getSQLDat
e(new Date()),

Severity Low
41
Status Recurrent

Source Destination
Line 408 408
Object getMaxRODiscrepancyEntityId getMaxRODiscrepancyEntityId
Code Snippet
....
408. int localRequestNumber =
roDiscrepancyDetailsRepository.getMaxRODiscrepancyEntityId() != null

Severity Low
42
Status Recurrent

Source Destination
Line 435 435
Object updateWrntyClmMilDscr updateWrntyClmMilDscr
Code Snippet
PAGE 69 OF 153
....
435.
roDiscrepancyDetailsRepository.updateWrntyClmMilDscr(localStatusCo
de, localMbusaComments,

Severity Low
136
Status Recurrent
An I\O action occurs at src/main/java/com/mbusa/raps/service/MasterServiceImpl.java in 84 without authorization

checks.
Source Destination
File src/main/java/com/mbusa/raps/service/MasterServi src/main/java/com/mbusa/raps/service/MasterServi
ceImpl.java ceImpl.java
Line 85 85
Object getCostCarrier getCostCarrier
Code Snippet
File Name src/main/java/com/mbusa/raps/service/MasterServiceImpl.java
Method public List<CostCarrierDetailsDto> getCostCarrier() {
....
85. return
modelMapper.map(costCarrierRepository.getCostCarrier(), new
TypeToken<List<CostCarrierDetailsDto>>() {

Severity Low
137
Status Recurrent
An I\O action occurs at src/main/java/com/mbusa/raps/service/RapsIndividualDecisionServiceImpl.java in 72 without

Source Destination
File src/main/java/com/mbusa/raps/service/RapsIndivid src/main/java/com/mbusa/raps/service/RapsIndivid
ualDecisionServiceImpl.java ualDecisionServiceImpl.java
Line 89 89
Object getChatHistory getChatHistory
Code Snippet
File Name src/main/java/com/mbusa/raps/service/RapsIndividualDecisionServiceImpl.java
PAGE 70 OF 153
Method public List<RapsIndividualDecisionDataModel>
getInidividulaDecisionDetails(RapsIndividualDecisionRequest request)
....
89. chatHistDto =
chatHistRepo.getChatHistory(request.getDealerCode(), request.getRo(),
request.getRoLine())

Severity Low
138
Status Recurrent

checks.
Source Destination
Line 91 91
Object getStateData getStateData
Code Snippet
Method public List<StateDetailsDto> getStatDropDown() {
....
91. return modelMapper.map(stateDetailRepository.getStateData(),
new TypeToken<List<StateDetailsDto>>() {

Severity Low
139
Status Recurrent

checks.
Source Destination
Line 79 79
Object getSystemName getSystemName
Code Snippet
Method public List<SystemNameDetailsDto> getSystemNames() {
PAGE 71 OF 153
....
79. return modelMapper.map(masterDataRepository.getSystemName(),
new TypeToken<List<SystemNameDetailsDto>>() {
Spring Overly Permissive Cross Origin Resource Sharing Policy

Query Path:
Java\Cx\Java Spring\Spring Overly Permissive Cross Origin Resource Sharing Policy Version:1
Categories
OWASP Top 10 API: API7-Security Misconfiguration
Description
Spring Overly Permissive Cross Origin Resource Sharing Policy\Path 1:
Severity Low
61
Status Recurrent
The method evaLocalEdits found at line 71 in src/main/java/com/mbusa/raps/controller/EvaLocalEditController.java sets

an overly permissive CORS access control origin header.
Source Destination
File src/main/java/com/mbusa/raps/controller/EvaLocal src/main/java/com/mbusa/raps/controller/EvaLocal
EditController.java EditController.java
Line 71 71
Object evaLocalEdits evaLocalEdits
Code Snippet
File Name src/main/java/com/mbusa/raps/controller/EvaLocalEditController.java
Method public ResponseEntity<List<EvaResponseDto>> evaLocalEdits(@Valid @RequestBody EvaModel
eva)
....
71. public ResponseEntity<List<EvaResponseDto>> evaLocalEdits(@Valid
@RequestBody EvaModel eva)

Severity Low
62
Status Recurrent
The method localEdit found at line 76 in src/main/java/com/mbusa/raps/controller/LocalEditController.java sets an

overly permissive CORS access control origin header.
Source Destination
File src/main/java/com/mbusa/raps/controller/LocalEdit src/main/java/com/mbusa/raps/controller/LocalEdit
Controller.java Controller.java
PAGE 72 OF 153
Line 76 76
Object localEdit localEdit
Code Snippet
....
76. public ResponseEntity<LocalEditResponse> localEdit(@Valid
@RequestBody LocalEditRequest localEdit) throws JsonProcessingException
{

Severity Low
158
Status Recurrent
The method getLaborDetails found at line 148 in

src/main/java/com/mbusa/raps/controller/ClaimCommonController.java sets an overly permissive CORS access control
origin header.
Source Destination
File src/main/java/com/mbusa/raps/controller/ClaimCo src/main/java/com/mbusa/raps/controller/ClaimCo
mmonController.java mmonController.java
Line 148 148
Object getLaborDetails getLaborDetails
Code Snippet
File Name src/main/java/com/mbusa/raps/controller/ClaimCommonController.java
Method public ResponseEntity<List<LaborDto>> getLaborDetails(@Valid LaborModel labor) throws
....
148. public ResponseEntity<List<LaborDto>>
getLaborDetails(@Valid LaborModel labor) throws JsonProcessingException{

Severity Low
159
Status Recurrent
The method getPartDetails found at line 239 in src/main/java/com/mbusa/raps/controller/ClaimCommonController.java

sets an overly permissive CORS access control origin header.
Source Destination
PAGE 73 OF 153
Line 239 239
Object getPartDetails getPartDetails
Code Snippet
Method public ResponseEntity<List<PartDto>> getPartDetails(@Valid PartModel part) throws
....
239. public ResponseEntity<List<PartDto>> getPartDetails(@Valid
PartModel part) throws JsonProcessingException{

Severity Low
160
Status Recurrent
The method getErrorCodes found at line 330 in src/main/java/com/mbusa/raps/controller/ClaimCommonController.java

Source Destination
Line 330 330
Object getErrorCodes getErrorCodes
Code Snippet
Method public ResponseEntity<List<ErrorCodesEntity>> getErrorCodes(@Valid ErrorCodesModel
errorCodesModel) throws JsonProcessingException{
....
330. public ResponseEntity<List<ErrorCodesEntity>>
getErrorCodes(@Valid ErrorCodesModel errorCodesModel) throws

Severity Low
161
Status Recurrent
The method getSubletsDetails found at line 369 in

src/main/java/com/mbusa/raps/controller/ClaimCommonController.java sets an overly permissive CORS access control
origin header.
Source Destination
PAGE 74 OF 153
Line 369 369
Object getSubletsDetails getSubletsDetails
Code Snippet
Method public ResponseEntity<List<SubletDto>> getSubletsDetails(@Valid SubletModel sublet) throws
....
369. public ResponseEntity<List<SubletDto>>
getSubletsDetails(@Valid SubletModel sublet) throws

Severity Low
162
Status Recurrent
The method getClaimsDamageSearchDetails found at line 89 in

src/main/java/com/mbusa/raps/controller/ClaimsDamageSearchController.java sets an overly permissive CORS access
control origin header.
Source Destination
Line 89 89
Object getClaimsDamageSearchDetails getClaimsDamageSearchDetails
Code Snippet
....
89. public ResponseEntity<List<ClaimsDamageSearchDto>>
ValidationMessages.DEALER_CODE_SIZE) @PathVariable(name = "dealerCode",
required = true) String dealerCode, @RequestBody @Valid
ClaimsDamageSearchRequest request) throws PersistenceException,
CustomUnprocessableEnityException

Severity Low
163
Status Recurrent
PAGE 75 OF 153
The method getSystemNames found at line 57 in src/main/java/com/mbusa/raps/controller/MasterController.java sets an
Source Destination
File src/main/java/com/mbusa/raps/controller/MasterCo src/main/java/com/mbusa/raps/controller/MasterCo
ntroller.java ntroller.java
Line 57 57
Object getSystemNames getSystemNames
Code Snippet
File Name src/main/java/com/mbusa/raps/controller/MasterController.java
....
57. public List<SystemNameDetailsDto> getSystemNames() {

Severity Low
164
Status Recurrent
The method getCostCarrier found at line 69 in src/main/java/com/mbusa/raps/controller/MasterController.java sets an

Source Destination
Line 69 69
Code Snippet
....
69. public List<CostCarrierDetailsDto> getCostCarrier() {

Severity Low
165
Status Recurrent
The method getStateDetails found at line 81 in src/main/java/com/mbusa/raps/controller/MasterController.java sets an

Source Destination
PAGE 76 OF 153
Line 81 81
Object getStateDetails getStateDetails
Code Snippet
Method public List<StateDetailsDto> getStateDetails() {
....
81. public List<StateDetailsDto> getStateDetails() {

Severity Low
166
Status Recurrent
The method readReimbursement found at line 562 in

src/main/java/com/mbusa/raps/controller/ReimbursementController.java sets an overly permissive CORS access control
origin header.
Source Destination
Line 562 562
Object readReimbursement readReimbursement
Code Snippet
....
562. public ResponseEntity<ReadClaimsResponse> readReimbursement(

Severity Low
167
Status Recurrent
The method reworkReimbursement found at line 622 in

origin header.
Source Destination
PAGE 77 OF 153
Line 622 622
Object reworkReimbursement reworkReimbursement
Code Snippet
Method public ResponseEntity<ReworkClaimsResponse> reworkReimbursement(
....
622. public ResponseEntity<ReworkClaimsResponse>
reworkReimbursement(

Severity Low
168
Status Recurrent
The method approveReimbursement found at line 686 in

origin header.
Source Destination
Line 686 686
Object approveReimbursement approveReimbursement
Code Snippet
....
686. public ResponseEntity<ApproveReimbursementResponse>
approveReimbursement(

Severity Low
169
Status Recurrent
The method submitAppeal found at line 732 in src/main/java/com/mbusa/raps/controller/ReimbursementController.java

Source Destination
Line 732 732
PAGE 78 OF 153
Object submitAppeal submitAppeal
Code Snippet
....

Severity Low
170
Status Recurrent
The method testFunction found at line 18 in src/main/java/com/mbusa/raps/controller/TestController.java sets an overly

permissive CORS access control origin header.
Source Destination
File src/main/java/com/mbusa/raps/controller/TestContr src/main/java/com/mbusa/raps/controller/TestContr
oller.java oller.java
Line 18 18
Object testFunction testFunction
Code Snippet
File Name src/main/java/com/mbusa/raps/controller/TestController.java
Method public String testFunction() {
....
18. public String testFunction() {

Severity Low
171
Status Recurrent
The method getCampaignDetails found at line 17 in

src/main/java/com/mbusa/raps/rest/client/CampaignInfoDetailsClient.java sets an overly permissive CORS access
control origin header.
Source Destination
File src/main/java/com/mbusa/raps/rest/client/Campaign src/main/java/com/mbusa/raps/rest/client/Campaign
InfoDetailsClient.java InfoDetailsClient.java
Line 17 17
Object getCampaignDetails getCampaignDetails
PAGE 79 OF 153
Code Snippet
File Name src/main/java/com/mbusa/raps/rest/client/CampaignInfoDetailsClient.java
Method CampaignDeatilsInfo getCampaignDetails(@RequestHeader(HttpHeaders.CONTENT_TYPE) String
contentType,
....
17. CampaignDeatilsInfo
getCampaignDetails(@RequestHeader(HttpHeaders.CONTENT_TYPE) String
contentType,

Severity Low
172
Status Recurrent
The method getElcDetails found at line 27 in src/main/java/com/mbusa/raps/rest/client/ElcPkgInfoClient.java sets an

Source Destination
File src/main/java/com/mbusa/raps/rest/client/ElcPkgInf src/main/java/com/mbusa/raps/rest/client/ElcPkgInf
oClient.java oClient.java
Line 27 27
Object getElcDetails getElcDetails
Code Snippet
File Name src/main/java/com/mbusa/raps/rest/client/ElcPkgInfoClient.java
Method ElcPkgInfo getElcDetails(@RequestHeader(HttpHeaders.CONTENT_TYPE) String contentType,
....
27. ElcPkgInfo getElcDetails(@RequestHeader(HttpHeaders.CONTENT_TYPE)
String contentType,

Severity Low
173
Status Recurrent
The method getLaborRateDetails found at line 29 in

src/main/java/com/mbusa/raps/rest/client/LaborRateDetailsClient.java sets an overly permissive CORS access control
origin header.
Source Destination
File src/main/java/com/mbusa/raps/rest/client/LaborRat src/main/java/com/mbusa/raps/rest/client/LaborRat
eDetailsClient.java eDetailsClient.java
Line 29 29
Object getLaborRateDetails getLaborRateDetails
Code Snippet
PAGE 80 OF 153
File Name src/main/java/com/mbusa/raps/rest/client/LaborRateDetailsClient.java
Method List<LaborRateInfo> getLaborRateDetails(@RequestHeader(HttpHeaders.CONTENT_TYPE) String
contentType,
....
29. List<LaborRateInfo>
getLaborRateDetails(@RequestHeader(HttpHeaders.CONTENT_TYPE) String
contentType,
Serializable Class Containing Sensitive Data

Query Path:
Java\Cx\Java Low Visibility\Serializable Class Containing Sensitive Data Version:2
Categories
OWASP Top 10 2021: A4-Insecure Design
Description
Serializable Class Containing Sensitive Data\Path 1:
Severity Low
89
Status Recurrent
The field serviceAdvisorSSN in src/main/java/com/mbusa/raps/entity/ROLineItem.java in line 161, which contains

sensitive data, is inserted into a Serializable object, src/main/java/com/mbusa/raps/entity/ROLineItem.java, in line 39,
into the field ROLineItem.
Source Destination
File src/main/java/com/mbusa/raps/entity/ROLineItem.j src/main/java/com/mbusa/raps/entity/ROLineItem.j
ava ava
Line 161 39
Object serviceAdvisorSSN ROLineItem
Code Snippet
File Name src/main/java/com/mbusa/raps/entity/ROLineItem.java
Method private String serviceAdvisorSSN;
....
161. private String serviceAdvisorSSN;

Method @Entity
....
39. @Entity

Severity Low
PAGE 81 OF 153
90
Status Recurrent
The field technicianSSN in src/main/java/com/mbusa/raps/entity/ROLineItem.java in line 164, which contains sensitive

data, is inserted into a Serializable object, src/main/java/com/mbusa/raps/entity/ROLineItem.java, in line 39, into
the field ROLineItem.
Source Destination
File src/main/java/com/mbusa/raps/entity/ROLineItem.j src/main/java/com/mbusa/raps/entity/ROLineItem.j
ava ava
Line 164 39
Object technicianSSN ROLineItem
Code Snippet
Method private String technicianSSN;
....
164. private String technicianSSN;

Method @Entity
....
39. @Entity

Severity Low
91
Status Recurrent
The field creditNoteNo in src/main/java/com/mbusa/raps/dto/ReadClaimsResponse.java in line 189, which contains

sensitive data, is inserted into a Serializable object, src/main/java/com/mbusa/raps/dto/ReadClaimsResponse.java, in
line 30, into the field ReadClaimsResponse.
Source Destination
File src/main/java/com/mbusa/raps/dto/ReadClaimsRes src/main/java/com/mbusa/raps/dto/ReadClaimsRes
ponse.java ponse.java
Line 189 30
Object creditNoteNo ReadClaimsResponse
Code Snippet
File Name src/main/java/com/mbusa/raps/dto/ReadClaimsResponse.java
Method private String creditNoteNo;
PAGE 82 OF 153
....
189. private String creditNoteNo;

Method @Getter
....
30. @Getter

Severity Low
92
Status Recurrent
The field mileageAppPhone in src/main/java/com/mbusa/raps/dto/ReadClaimsResponse.java in line 223, which contains

sensitive data, is inserted into a Serializable object, src/main/java/com/mbusa/raps/dto/ReadClaimsResponse.java, in
line 30, into the field ReadClaimsResponse.
Source Destination
File src/main/java/com/mbusa/raps/dto/ReadClaimsRes src/main/java/com/mbusa/raps/dto/ReadClaimsRes
ponse.java ponse.java
Line 223 30
Object mileageAppPhone ReadClaimsResponse
Code Snippet
Method private String mileageAppPhone;
....
223. private String mileageAppPhone;

Method @Getter
....
30. @Getter

Severity Low
93
Status Recurrent
PAGE 83 OF 153
The field telephone in src/main/java/com/mbusa/raps/model/DealerInformation.java in line 61, which contains sensitive
data, is inserted into a Serializable object, src/main/java/com/mbusa/raps/model/DealerInformation.java, in line 11, into
the field DealerInformation.
Source Destination
File src/main/java/com/mbusa/raps/model/DealerInform src/main/java/com/mbusa/raps/model/DealerInform
ation.java ation.java
Line 61 11
Object telephone DealerInformation
Code Snippet
File Name src/main/java/com/mbusa/raps/model/DealerInformation.java
Method private String telephone;
....
61. private String telephone;
File Name src/main/java/com/mbusa/raps/model/DealerInformation.java

Method @Data
....
11. @Data

Severity Low
94
Status Recurrent
The field telephoneNumber in src/main/java/com/mbusa/raps/model/MbUserInformation.java in line 117, which contains

sensitive data, is inserted into a Serializable object, src/main/java/com/mbusa/raps/model/MbUserInformation.java, in
line 13, into the field MbUserInformation.
Source Destination
File src/main/java/com/mbusa/raps/model/MbUserInfor src/main/java/com/mbusa/raps/model/MbUserInfor
mation.java mation.java
Line 117 13
Object telephoneNumber MbUserInformation
Code Snippet
File Name src/main/java/com/mbusa/raps/model/MbUserInformation.java
Method private String telephoneNumber;
....
117. private String telephoneNumber;
File Name src/main/java/com/mbusa/raps/model/MbUserInformation.java
PAGE 84 OF 153
Method @JsonInclude(JsonInclude.Include.NON_NULL)
....
13. @JsonInclude(JsonInclude.Include.NON_NULL)

Severity Low
95
Status Recurrent
The field chatText in src/main/java/com/mbusa/raps/dto/RapsAppealChatHistoryDto.java in line 18, which contains

sensitive data, is inserted into a Serializable
object, src/main/java/com/mbusa/raps/dto/RapsAppealChatHistoryDto.java, in line 9, into the field
RapsAppealChatHistoryDto.
Source Destination
File src/main/java/com/mbusa/raps/dto/RapsAppealChat src/main/java/com/mbusa/raps/dto/RapsAppealChat
HistoryDto.java HistoryDto.java
Line 18 9
Object chatText RapsAppealChatHistoryDto
Code Snippet
File Name src/main/java/com/mbusa/raps/dto/RapsAppealChatHistoryDto.java
Method private String chatText;
....
18. private String chatText;

Method @AllArgsConstructor
....
9. @AllArgsConstructor

Severity Low
96
Status Recurrent
The field chatDate in src/main/java/com/mbusa/raps/dto/RapsAppealChatHistoryDto.java in line 20, which contains

Source Destination
PAGE 85 OF 153
Line 20 9
Object chatDate RapsAppealChatHistoryDto
Code Snippet
Method private String chatDate;
....
20. private String chatDate;

....

Severity Low
97
Status Recurrent
The field chatTime in src/main/java/com/mbusa/raps/dto/RapsAppealChatHistoryDto.java in line 22, which contains

Source Destination
Line 22 9
Object chatTime RapsAppealChatHistoryDto
Code Snippet
Method private String chatTime;
....
22. private String chatTime;

....
PAGE 86 OF 153
Severity Low
98
Status Recurrent
The field chatHoFlag in src/main/java/com/mbusa/raps/dto/RapsAppealChatHistoryDto.java in line 24, which contains

Source Destination
Line 24 9
Object chatHoFlag RapsAppealChatHistoryDto
Code Snippet
Method private String chatHoFlag;
....
24. private String chatHoFlag;

....

Severity Low
99
Status Recurrent
The field chatText in src/main/java/com/mbusa/raps/entity/RapsAppealChatHistory.java in line 29, which contains

object, src/main/java/com/mbusa/raps/entity/RapsAppealChatHistory.java, in line 13, into the field
RapsAppealChatHistory.
Source Destination
File src/main/java/com/mbusa/raps/entity/RapsAppealC src/main/java/com/mbusa/raps/entity/RapsAppealC
hatHistory.java hatHistory.java
Line 29 13
Object chatText RapsAppealChatHistory
PAGE 87 OF 153
Code Snippet
File Name src/main/java/com/mbusa/raps/entity/RapsAppealChatHistory.java
Method private String chatText;
....
29. private String chatText;

Method @Data
....
13. @Data

Severity Low
100
Status Recurrent
The field chatDate in src/main/java/com/mbusa/raps/entity/RapsAppealChatHistory.java in line 32, which contains

Source Destination
Line 32 13
Object chatDate RapsAppealChatHistory
Code Snippet
Method private String chatDate;
....
32. private String chatDate;

Method @Data
....
13. @Data

Severity Low
101
PAGE 88 OF 153
Status Recurrent
The field chatTime in src/main/java/com/mbusa/raps/entity/RapsAppealChatHistory.java in line 35, which contains

Source Destination
Line 35 13
Object chatTime RapsAppealChatHistory
Code Snippet
Method private String chatTime;
....
35. private String chatTime;

Method @Data
....
13. @Data

Severity Low
102
Status Recurrent
The field chatHoFlag in src/main/java/com/mbusa/raps/entity/RapsAppealChatHistory.java in line 38, which contains

Source Destination
Line 38 13
Object chatHoFlag RapsAppealChatHistory
Code Snippet
Method private String chatHoFlag;
PAGE 89 OF 153
....
38. private String chatHoFlag;

Method @Data
....
13. @Data

Severity Low
103
Status Recurrent
The field creditNote in src/main/java/com/mbusa/raps/model/RapsIndividualDecisionDataModel.java in line 57, which

contains sensitive data, is inserted into a Serializable
object, src/main/java/com/mbusa/raps/model/RapsIndividualDecisionDataModel.java, in line 12, into the field
RapsIndividualDecisionDataModel.
Source Destination
File src/main/java/com/mbusa/raps/model/RapsIndividu src/main/java/com/mbusa/raps/model/RapsIndividu
alDecisionDataModel.java alDecisionDataModel.java
Line 57 12
Object creditNote RapsIndividualDecisionDataModel
Code Snippet
File Name src/main/java/com/mbusa/raps/model/RapsIndividualDecisionDataModel.java
Method private Integer creditNote;
....
57. private Integer creditNote;

Method @Data
....
12. @Data

Severity Low
104
Status Recurrent
PAGE 90 OF 153
The field appealChatHist in src/main/java/com/mbusa/raps/model/RapsIndividualDecisionDataModel.java in line 71,
which contains sensitive data, is inserted into a Serializable
object, src/main/java/com/mbusa/raps/model/RapsIndividualDecisionDataModel.java, in line 12, into the field
RapsIndividualDecisionDataModel.
Source Destination
File src/main/java/com/mbusa/raps/model/RapsIndividu src/main/java/com/mbusa/raps/model/RapsIndividu
alDecisionDataModel.java alDecisionDataModel.java
Line 71 12
Object appealChatHist RapsIndividualDecisionDataModel
Code Snippet
Method private List<RapsAppealChatHistoryDto> appealChatHist;
....
71. private List<RapsAppealChatHistoryDto> appealChatHist;

Method @Data
....
12. @Data

Severity Low
105
Status Recurrent
The field creditNote in src/main/java/com/mbusa/raps/entity/RapsSearchClaims.java in line 86, which contains sensitive

data, is inserted into a Serializable object, src/main/java/com/mbusa/raps/entity/RapsSearchClaims.java, in line 17, into
the field RapsSearchClaims.
Source Destination
File src/main/java/com/mbusa/raps/entity/RapsSearchCl src/main/java/com/mbusa/raps/entity/RapsSearchCl
aims.java aims.java
Line 86 17
Object creditNote RapsSearchClaims
Code Snippet
File Name src/main/java/com/mbusa/raps/entity/RapsSearchClaims.java
Method private Integer creditNote;
....
86. private Integer creditNote;
File Name src/main/java/com/mbusa/raps/entity/RapsSearchClaims.java
PAGE 91 OF 153
Method @Data
....
17. @Data

Severity Low
106
Status Recurrent
The field creditNote in src/main/java/com/mbusa/raps/entity/V3CRDSCIEntity.java in line 52, which contains sensitive

data, is inserted into a Serializable object, src/main/java/com/mbusa/raps/entity/V3CRDSCIEntity.java, in line 36, into
the field V3CRDSCIEntity.
Source Destination
File src/main/java/com/mbusa/raps/entity/V3CRDSCIE src/main/java/com/mbusa/raps/entity/V3CRDSCIE
ntity.java ntity.java
Line 52 36
Object creditNote V3CRDSCIEntity
Code Snippet
File Name src/main/java/com/mbusa/raps/entity/V3CRDSCIEntity.java
Method private Date creditNote;
....
52. private Date creditNote;
File Name src/main/java/com/mbusa/raps/entity/V3CRDSCIEntity.java

Method @Data
....
36. @Data
Improper Exception Handling

Query Path:
Java\Cx\Java Low Visibility\Improper Exception Handling Version:1
Categories
PCI DSS v3.2.1: PCI DSS (3.2.1) - 6.5.5 - Improper error handling
NIST SP 800-53: SC-5 Denial of Service Protection (P1)
ASD STIG 4.10: APSC-DV-002570 - CAT II The application must generate error messages that provide information
necessary for corrective actions without revealing information that could be exploited by adversaries.
Description
Improper Exception Handling\Path 1:
Severity Low
PAGE 92 OF 153
86
Status Recurrent
The method getCostCarrier at line 84 of src/main/java/com/mbusa/raps/service/MasterServiceImpl.java performs an

operation that could be expected to throw an exception, and is not properly wrapped in a try-catch block. This constitutes
Improper Exception Handling.
Source Destination
Line 85 85
Code Snippet
....
85. return
modelMapper.map(costCarrierRepository.getCostCarrier(), new
TypeToken<List<CostCarrierDetailsDto>>() {

Severity Low
87
Status Recurrent
The method getStatDropDown at line 90 of src/main/java/com/mbusa/raps/service/MasterServiceImpl.java performs an

Source Destination
Line 91 91
Object getStateData getStateData
Code Snippet
Method public List<StateDetailsDto> getStatDropDown() {
....
91. return modelMapper.map(stateDetailRepository.getStateData(),
new TypeToken<List<StateDetailsDto>>() {

Severity Low
88
PAGE 93 OF 153
Status Recurrent
The method getSystemNames at line 78 of src/main/java/com/mbusa/raps/service/MasterServiceImpl.java performs an

Source Destination
Line 79 79
Object getSystemName getSystemName
Code Snippet
....
79. return modelMapper.map(masterDataRepository.getSystemName(),
new TypeToken<List<SystemNameDetailsDto>>() {
Spring Missing Content Security Policy

Query Path:
Java\Cx\Java Spring\Spring Missing Content Security Policy Version:1
Categories
OWASP Top 10 API: API7-Security Misconfiguration
Description
Spring Missing Content Security Policy\Path 1:
Severity Low
60
Status Recurrent
A Content Security Policy is not explicitly defined within the web-application.

Source Destination
Line 21 21
Object annotation annotation
Code Snippet
Method import org.springframework.beans.factory.annotation.Autowired;
....
21. import org.springframework.beans.factory.annotation.Autowired;
PAGE 94 OF 153
Use Of Hardcoded Password In Config
Query Path:
Java\Cx\Java Low Visibility\Use Of Hardcoded Password In Config Version:3
Categories
OWASP Top 10 2021: A5-Security Misconfiguration
Description
Use Of Hardcoded Password In Config\Path 1:
Severity Low
149
Status Recurrent
The configuration file src/main/resources/application-qa.properties contains a hardcoded password in line 1

Source Destination
File src/main/resources/application-qa.properties src/main/resources/application-qa.properties
Line 25 25
Object password password
Code Snippet
File Name src/main/resources/application-qa.properties
Method # Server properties
....
25. spring.datasource.password=${DATABASE_PASSWORD}
Reliance On Untrusted Inputs In Security Decision

Query Path:
Java\Cx\Java Best Coding Practice\Reliance On Untrusted Inputs In Security Decision Version:9
Categories
NIST SP 800-53: SC-23 Session Authenticity (P1)
ASD STIG 4.10: APSC-DV-002560 - CAT I The application must not be subject to input handling vulnerabilities.
Description
Reliance On Untrusted Inputs In Security Decision\Path 1:
Severity Information
80
Status Recurrent
In line 370, the input is influencing directly a sink. This is not a best practice and may lead to unintended behavior.
Source Destination
Line 371 2467
PAGE 95 OF 153
Object unparkReimbursements info
Code Snippet
....

Method public UpdateReimbursementStatusResponse
unparkReimbursmentStatus(List<UnparkReimbursementModel> unparkReimbursementList)
....
2467.
log.info(ESAPIUtil.encodeLogForg(CommonConstant.DATA_NOT_AVAILABLE
_IN_RO_ONE_LINE));

81
Status Recurrent
Source Destination
Line 473 1390
Object forcesubmitModels info
Code Snippet
....

PAGE 96 OF 153
....
1390.
_IN_RO_LINE_ITEM));

82
Status Recurrent
Source Destination
Line 473 1418
Code Snippet
....

....
1418.
_IN_RO_ONE_LINE));

83
Status Recurrent
Source Destination
Line 473 1383
PAGE 97 OF 153
Code Snippet
....

....
1383.
_IN_RO_ONE_LINE));

84
Status Recurrent
Source Destination
Line 473 1378
Code Snippet
....

....
1378.
_IN_RO_LINE_ITEM));
PAGE 98 OF 153
108
Status Recurrent
Source Destination
Line 100 113
Object countryCode info
Code Snippet
Method public ResponseEntity<List<AttachementsListResponseDto>> getAttachements(
....
100. @RequestParam(name = "countryCode", required =
true) @Valid @NotBlank @Pattern(regexp =
CommonConstant.REGEXP_ATTACHEMENTS_CTRY_OR_DLR_CDE, message =
CommonConstant.VALIDATION_CTRY_CDE_MSG) String countryCode,
....
113. log.info(ESAPIUtil.encodeLogForg(countryCode + "
: " + CommonConstant.INVALID_COUNTRY_CODE));

109
Status Recurrent
Source Destination
Line 148 186
Object labor info
Code Snippet
PAGE 99 OF 153
....
....
186.
ATA + RapsUtil.getJsonBody(labors)));

110
Status Recurrent
Source Destination
Line 148 154
Object labor info
Code Snippet
....
....
154.
log.info(ESAPIUtil.encodeLogForg(labor.getCountryCode() + " : " +
CommonConstant.INVALID_COUNTRY_CODE));

111
Status Recurrent
Source Destination
Line 148 182
Object labor info
Code Snippet
PAGE 100 OF 153

....
....
182.
E + RapsUtil.getJsonBody(labors)));

112
Status Recurrent
Source Destination
Line 239 277
Object part info
Code Snippet
....
....
277.
ATA + RapsUtil.getJsonBody(parts)));

113
Status Recurrent
Source Destination
Line 239 245
PAGE 101 OF 153

Object part info
Code Snippet
....
....
245.
log.info(ESAPIUtil.encodeLogForg(part.getCountryCode() + " : " +

114
Status Recurrent
Source Destination
Line 239 273
Object part info
Code Snippet
....
....
273.
E + RapsUtil.getJsonBody(parts)));

115
Status Recurrent
Source Destination
PAGE 102 OF 153

Line 330 336
Object errorCodesModel info
Code Snippet
Method public ResponseEntity<List<ErrorCodesEntity>> getErrorCodes(@Valid ErrorCodesModel
errorCodesModel) throws JsonProcessingException{
....
330. public ResponseEntity<List<ErrorCodesEntity>>
getErrorCodes(@Valid ErrorCodesModel errorCodesModel) throws
....
336.
log.info(ESAPIUtil.encodeLogForg(errorCodesModel.getCountryCode()
+ " : " + CommonConstant.INVALID_COUNTRY_CODE));

116
Status Recurrent
Source Destination
Line 369 407
Object sublet info
Code Snippet
....
....
407.
ATA + RapsUtil.getJsonBody(sublets)));

117
PAGE 103 OF 153

Status Recurrent
Source Destination
Line 369 375
Object sublet info
Code Snippet
....
....
375.
log.info(ESAPIUtil.encodeLogForg(sublet.getCountryCode() + " : " +

118
Status Recurrent
Source Destination
Line 369 403
Object sublet info
Code Snippet
....
....
403.
E + RapsUtil.getJsonBody(sublets)));
PAGE 104 OF 153

119
Status Recurrent
Source Destination
Line 116 122
Object activityNum info
Code Snippet
Method public ResponseEntity<List<ActivityDetailsDto>> getActivityDetails(
....
116. @RequestParam(name = "activityNum", required =
true) String activityNum) throws CustomAPIException,
....
122. log.info(ESAPIUtil.encodeLogForg("The input
parameter activityNum is not valid."));

120
Status Recurrent
Source Destination
Line 159 170
Object requestNum info
Code Snippet
....
159. @NotBlank @PathVariable(name = "requestNum",
required = true) String requestNum,
....
170. log.info(ESAPIUtil.encodeLogForg("The input
parameter requestNum is not valid."));
PAGE 105 OF 153

121
Status Recurrent
Source Destination
Line 246 265
Object submitModels info
Code Snippet
....
....
265.
ATA + RapsUtil.getJsonBody(updateReimbursementStatusResponse)));

122
Status Recurrent
Source Destination
Line 246 283
Code Snippet
PAGE 106 OF 153

....
....
283.
log.info(ESAPIUtil.encodeLogForg(CommonConstant.FAILURE_RESPONSE_D

123
Status Recurrent
Source Destination
Line 246 272
Code Snippet
....
....
272.

124
Status Recurrent
Source Destination
Line 246 259
PAGE 107 OF 153

Code Snippet
....
....
259.
log.info(ESAPIUtil.encodeLogForg(submitModel.getCountryCode() + "

125
Status Recurrent
Source Destination
Line 309 320
Object parkReimbursements info
Code Snippet
....
....
320.
log.info(ESAPIUtil.encodeLogForg(parkReimbursement.getCountryCode(
) + " : " + CommonConstant.INVALID_COUNTRY_CODE));

126
Status Recurrent
Source Destination
PAGE 108 OF 153

Line 371 382
Object unparkReimbursements info
Code Snippet
....
....
382.
log.info(ESAPIUtil.encodeLogForg(unParkReimbursement.getCountryCod
e() + " : " + CommonConstant.INVALID_COUNTRY_CODE));

127
Status Recurrent
Source Destination
Line 423 433
Object deleteReimbursementModel info
Code Snippet
Method public ResponseEntity<UpdateReimbursementStatusResponse> deleteReimbursment(
....
423. @Valid @RequestBody DeleteReimbursementModel
deleteReimbursementModel)
....
433.
log.info(ESAPIUtil.encodeLogForg(deleteReimbursementModel.getCount
ryCode() + " : " + CommonConstant.INVALID_COUNTRY_CODE));

128
Status Recurrent
Source Destination
PAGE 109 OF 153

Line 473 484
Code Snippet
....
....
484.

129
Status Recurrent
Source Destination
Line 473 502
Code Snippet
....
....
502.

130
Status Recurrent
PAGE 110 OF 153

Source Destination
Line 473 491
Code Snippet
....
....
491.

131
Status Recurrent
Source Destination
Line 527 533
Object countryCode info
Code Snippet
Method public ResponseEntity<ReimbursementClaimsCountDto> getReimbursementClaimsCounts(
....
527. @NotBlank @Pattern(regexp =
CommonConstant.REGEXP_ATTACHEMENTS_CTRY_OR_DLR_CDE, message =
CommonConstant.VALIDATION_CTRY_CDE_MSG) @RequestParam(name =
"countryCode", required = true) String countryCode) {
....
533. log.info(ESAPIUtil.encodeLogForg(countryCode + "

132
Status Recurrent
PAGE 111 OF 153

Source Destination
Line 624 642
Object reworkModel info
Code Snippet
....
624. @NotBlank @PathVariable(name = "roNumber",
required = true) String roNumber, @Valid ReworkModel reworkModel)
....
642. log.info(ESAPIUtil.encodeLogForg("INVALID
METHOD HAS BEEN ENTERED : " + reworkModel.getReworkType()));

133
Status Recurrent
Source Destination
Line 624 636
Object reworkModel info
Code Snippet
....
624. @NotBlank @PathVariable(name = "roNumber",
required = true) String roNumber, @Valid ReworkModel reworkModel)
....
636.
log.info(ESAPIUtil.encodeLogForg(reworkModel.getCountryCode() + "
: COUNTRY CODE IS NOT VALID FOR REWORK."));

134
Status Recurrent
PAGE 112 OF 153

Source Destination
Line 689 698
Object approve info
Code Snippet
....
....
698.
log.info(ESAPIUtil.encodeLogForg(approve.getCountryCode() + " : "
+ CommonConstant.INVALID_COUNTRY_CODE));

135
Status Recurrent
Source Destination
Line 732 741
Object submitAppealModel info
Code Snippet
....
....
741.
log.info(ESAPIUtil.encodeLogForg(submitAppealModel.getCountryCode(
) + " : " + CommonConstant.INVALID_COUNTRY_CODE));
Insufficient Logging of Exceptions

Query Path:
PAGE 113 OF 153

Java\Cx\Java Best Coding Practice\Insufficient Logging of Exceptions Version:4
Categories
OWASP Top 10 API: API10-Insufficient Logging and Monitoring
OWASP Top 10 2021: A9-Security Logging and Monitoring Failures
Description
Insufficient Logging of Exceptions\Path 1:
63
Status Recurrent
Source Destination
Line 79 79
Object catch catch
Code Snippet
Method public ResponseEntity<List<EvaResponseDto>> evaLocalEdits(@Valid @RequestBody EvaModel
eva)
....
79. } catch (CustomUnprocessableEnityException e) {

64
Status Recurrent
Source Destination
File src/main/java/com/mbusa/raps/controller/LocalEdit src/main/java/com/mbusa/raps/controller/LocalEdit
Controller.java Controller.java
Line 83 83
Object catch catch
Code Snippet
....
PAGE 114 OF 153

65
Status Recurrent
Source Destination
Line 470 470
Object catch catch
Code Snippet
Method public LocalEditResponse localEditErrorCheckOperation(LocalEditRequest localEdit) {
....
470. } catch (CustomAPIException e) {

66
Status Recurrent
Source Destination
Line 3163 3163
Object catch catch
Code Snippet
Method private BigDecimal stepCForL32(LocalEditRequest localEdit, String wsDiscCd, String
z204ModelYear,
....
3163. } catch (Exception e) {

67
Status Recurrent
PAGE 115 OF 153

Source Destination
Line 3502 3502
Object catch catch
Code Snippet
Method private Integer fillErrorConditionsFor28(LocalEditRequest localEdit, Integer errorCount,
LocalEditResponse response,
....

68
Status Recurrent
Source Destination
Line 3544 3544
Object catch catch
Code Snippet
Method elcPkgInfoContent = elcPkgInfo.getContent().stream().filter(elcInfoData -> {
....
3544. } catch (ParseException e) {

69
Status Recurrent
Source Destination
Line 5340 5340
Object catch catch
PAGE 116 OF 153

Code Snippet
Method private Integer fillConditionsForL8AndL9(LocalEditRequest localEdit, Integer errorCount,
LocalEditResponse response,
....

70
Status Recurrent
Source Destination
Line 5790 5790
Object catch catch
Code Snippet
Method private List<String> fillConditionsForWsA70Price(LocalEditRequest localEdit, String
d003CountryCd,
....

71
Status Recurrent
Source Destination
Line 3490 3490
Object catch catch
Code Snippet
Method private void viewReimbursementApprovalProfile(String dealerCode, String roNumber, String
roLineNumber,
PAGE 117 OF 153

....

72
Status Recurrent
Source Destination
File src/test/java/com/mbusa/raps/service/EvaServiceTe src/test/java/com/mbusa/raps/service/EvaServiceTe
st.java st.java
Line 169 169
Object catch catch
Code Snippet
File Name src/test/java/com/mbusa/raps/service/EvaServiceTest.java
Method void evaLocalEditErrorCodeTestPositive() {
....

73
Status Recurrent
Source Destination
Line 572 572
Object catch catch
Code Snippet
Method void localEditErrorCodeTest() throws CustomAPIException {
....

PAGE 118 OF 153

74
Status Recurrent
Source Destination
Line 883 883
Object catch catch
Code Snippet
Method void localEditErrorCodeTestSecondPhase() {
....

75
Status Recurrent
Source Destination
Line 1196 1196
Object catch catch
Code Snippet
Method void localEditErrorCodeTestThirdPhase() {
....

76
Status Recurrent
Source Destination
PAGE 119 OF 153

Line 1509 1509
Object catch catch
Code Snippet
Method void localEditErrorCodeTestFourthPhase() {
....

77
Status Recurrent
Source Destination
Line 1820 1820
Object catch catch
Code Snippet
Method void localEditErrorCodeTestFifthPhase() {
....

78
Status Recurrent
Source Destination
Line 2131 2131
Object catch catch
Code Snippet
Method void localEditErrorCodeTestSixthPhase() {
PAGE 120 OF 153

....

79
Status Recurrent
Source Destination
Line 2442 2442
Object catch catch
Code Snippet
Method void localEditErrorCodeTestSeventhPhase() {
....

140
Status Recurrent
Source Destination
File src/main/java/com/mbusa/raps/service/EvaLocalEdi src/main/java/com/mbusa/raps/service/EvaLocalEdi
tServiceImpl.java tServiceImpl.java
Line 85 85
Object catch catch
Code Snippet
File Name src/main/java/com/mbusa/raps/service/EvaLocalEditServiceImpl.java
Method public List<EvaResponseDto> evaService(EvaModel eva) {
....

PAGE 121 OF 153

141
Status Recurrent
Source Destination
File src/test/java/com/mbusa/raps/service/Reimburseme src/test/java/com/mbusa/raps/service/Reimburseme
ntServiceTest.java ntServiceTest.java
Line 1220 1220
Object catch catch
Code Snippet
File Name src/test/java/com/mbusa/raps/service/ReimbursementServiceTest.java
Method void submitMileageDiscrepancyDetailsTestNegative() throws Exception {
....

142
Status Recurrent
Source Destination
File src/main/java/com/mbusa/raps/util/ESAPIUtil.java src/main/java/com/mbusa/raps/util/ESAPIUtil.java
Line 42 42
Object catch catch
Code Snippet
File Name src/main/java/com/mbusa/raps/util/ESAPIUtil.java
Method public static final String encodeStoredBoundary(String strValue) {
....
42. } catch (ValidationException | IntrusionException e) {

143
Status Recurrent
Source Destination
Line 69 69
Object catch catch
PAGE 122 OF 153

Code Snippet
Method public static String encodeLogForg(String message) {
....

144
Status Recurrent
Source Destination
Line 85 85
Object catch catch
Code Snippet
Method public static String encodeUrl(String strValue) {
....
85. } catch (EncodingException e) {

145
Status Recurrent
Source Destination
Line 104 104
Object catch catch
Code Snippet
Method public static String encodeFilePath(String strValue) {
....

PAGE 123 OF 153

146
Status Recurrent
Source Destination
Line 123 123
Object catch catch
Code Snippet
Method public static String encodeJson(String strValue) {
....

147
Status Recurrent
Source Destination
Line 143 143
Object catch catch
Code Snippet
Method public static String encodeSpecialCharRequest(String strValue) {
....

148
Status Recurrent
Source Destination
File src/main/java/com/mbusa/raps/util/RapsUtil.java src/main/java/com/mbusa/raps/util/RapsUtil.java
Line 111 111
PAGE 124 OF 153

Object catch catch
Code Snippet
File Name src/main/java/com/mbusa/raps/util/RapsUtil.java
Method public static java.util.Date getParsedDateFromSlashFormat(String stringDate) {
....
111. } catch (ParseException e) {
Exposure of Resource to Wrong Sphere

Query Path:
Java\Cx\Java Best Coding Practice\Exposure of Resource to Wrong Sphere Version:3
Categories
PCI DSS v3.2.1: PCI DSS (3.2.1) - 6.5.8 - Improper access control
OWASP Top 10 2013: A7-Missing Function Level Access Control
Description
Exposure of Resource to Wrong Sphere\Path 1:
85
Status Recurrent
The application exposes a public field, env, in src/main/java/com/mbusa/raps/controller/TestController.java line 15.

Source Destination
File src/main/java/com/mbusa/raps/controller/TestContr src/main/java/com/mbusa/raps/controller/TestContr
oller.java oller.java
Line 15 15
Object env env
Code Snippet
File Name src/main/java/com/mbusa/raps/controller/TestController.java
Method Environment env;
....
15. Environment env;
Potentially Serializable Class With Sensitive Data

Query Path:
Java\Cx\Java Best Coding Practice\Potentially Serializable Class With Sensitive Data Version:6
Categories
PCI DSS v3.2.1: PCI DSS (3.2.1) - 6.5.3 - Insecure cryptographic storage
Description
PAGE 125 OF 153

Potentially Serializable Class With Sensitive Data\Path 1:
107
Status Recurrent
Source Destination
File src/main/java/com/mbusa/raps/service/OneAPIInte src/main/java/com/mbusa/raps/service/OneAPIInte
grationService.java grationService.java
Line 51 44
Object secretKey OneAPIIntegrationService
Code Snippet
File Name src/main/java/com/mbusa/raps/service/OneAPIIntegrationService.java
Method private String secretKey;
....
51. private String secretKey;
File Name src/main/java/com/mbusa/raps/service/OneAPIIntegrationService.java

Method @Service
....
44. @Service
Reflected XSS All Clients

Risk
What might happen
A successful XSS exploit would allow an attacker to rewrite web pages and insert malicious scripts which would alter the intended
output. This could include HTML fragments, CSS styling rules, arbitrary JavaScript, or references to third party code. An attacker
could use this to steal users' passwords, collect personal data such as credit card details, provide false information, or run malware.
From the victim’s point of view, this is performed by the genuine website, and the victim would blame the site for incurred damage.
The attacker could use social engineering to cause the user to send the website modified input, which will be returned in the
requested web page.
Cause
How does it happen
The application creates web pages that include untrusted data, whether from user input, the application’s database, or from other
external sources. The untrusted data is embedded directly in the page's HTML, causing the browser to display it as part of the web
page. If the input includes HTML fragments or JavaScript, these are displayed too, and the user cannot tell that this is not the
intended page. The vulnerability is the result of directly embedding arbitrary data without first encoding it in a format that would
prevent the browser from treating it like HTML or code instead of plain text.
Note that an attacker can exploit this vulnerability either by modifying the URL, or by submitting malicious data in the user input or
other request fields.
General Recommendations
How to avoid it
 Fully encode all dynamic data, regardless of source, before embedding it in output.
PAGE 126 OF 153

 Encoding should be context-sensitive. For example:
o HTML encoding for HTML content
o HTML Attribute encoding for data output to attribute values
o JavaScript encoding for server-generated JavaScript
 It is recommended to use the platform-provided encoding functionality, or known security libraries for encoding output.
 Implement a Content Security Policy (CSP) with explicit whitelists for the application's resources only.
 As an extra layer of protection, validate all untrusted data, regardless of source (note this is not a replacement for encoding).
Validation should be based on a whitelist: accept only data fitting a specified structure, rather than reject bad patterns.
Check for:
o Data type
o Size
o Range
o Format
o Expected values
 In the Content-Type HTTP response header, explicitly define character encoding (charset) for the entire page.
 Set the HTTPOnly flag on the session cookie for "Defense in Depth", to prevent any successful XSS exploits from stealing
the cookie.
Source Code Examples
Java
Returning Data To Clients Without Encoding
protected void doGet(HttpServletRequest request, HttpServletResponse response) throws

ServletException, IOException {
response.setContentType("text/html;charset=UTF-8");
PrintWriter out = response.getWriter();

String loc = request.getParameter("location");
out.println("<h1> Location: " + loc + "<h1>");

}
Returning Data to Clients After Encoding The User Input
// Using HtmlEscapers by Google Guava
protected void doGet(HttpServletRequest request, HttpServletResponse response) throws

response.setContentType("text/html;charset=UTF-8");

String loc = request.getParameter("location");
String escapedLocation = HtmlEscapers.htmlEscaper().escape(loc);
out.println("<h1> Location: " + escapedLocation + "<h1>");

}
PAGE 127 OF 153

Privacy Violation
Risk
What might happen
A user’s personal information could be stolen by a malicious programmer, or an attacker that intercepts the data.
Cause
How does it happen
The application sends user information, such as passwords, account information, or credit card numbers, outside the application, such
as writing it to a local text or log file or sending it to an external web service.
How to avoid it
1. Personal data should be removed before writing to logs or other files.
2. Review the need and justification of sending personal data to remote web services.
Java
Leaking a Password Back to the User Constitutes a Privacy Violation
public void doPost (HttpServletRequest request, HttpServletResponse response) throws

HttpSession session = request.getSession();
boolean isAuthenticated = session.getAttribute("isAuthenticated");
if (isAuthenticated) {
byte[] password = request.getParameter("password").getBytes();
updatePassword(session, password);
out.println("New password is " + (new String(password));
} else {
out.println("Authentication Failed");
}
}
PAGE 128 OF 153

Unsafe Object Binding
Risk
What might happen
Unsafe binding of objects to requests may expose unintended setters to remote attackers, allowing them to directly access objects,
attributes and even objects within objects via broadly binding setters to an incoming request.
Cause
How does it happen
Using object binding methods, built into MVC controllers, exposes all public setters to allow easily wiring values submitted by users
in forms, to the objects and attributes they are intended to create or alter. This approach allows application code to skip the
boilerplate code of having to parse requests for user values, and manually setting them individually into objects being created.
However, this may also pose a significant risk to application logic and flow - naively mass binding objects in such a manner may also
accidentally expose unintended objects or attributes, which could then be tampered with by an attacker.
How to avoid it
 Review all mass-assigned objects to ensure no unintended public setters or constructors are unintentionally exposed by this
approach.
 Ensure that, where required, access to attributes and objects is correctly restricted by application code.
 Consider transitioning away from object binding methods to a more granular approach where values are only ever explicitly
set, to prevent accidentally exposing unintended values to being implicitly altered.
Java
Unsafe Object Binding via Spring ModelAttribute
//Item Bean:
public class Item {
private String id;
private String itemName;
private String price;
private String shippingAddress;
private User buyer;
//Public setters/getters:
[..]
}
//User Bean:
public class User {
private String id;
private String userName;
private String password;
//Public setters/getters:
[..]
}
//Item Controller:
@Controller
public class ItemController {
@RequestMapping(value="saveItem", method = RequestMethod.POST)
public String saveItem(@ModelAttribute("item") Item item, ModelMap model) {
db.save(item); //If the parameter "user.password=hacked!!" is added, the password
for the user is changed to "hacked!!".
return "saveItemView";
}
}
PAGE 129 OF 153

PAGE 130 OF 153
Excessive Data Exposure
Risk
What might happen
APIs often respond with objects for a client to consume and, at times, these objects may contain more information than the client
requires or intends to use. If the object returned to the client has this excess data, and that data is sensitive, it would be exposed to
potentially malicious clients of the API.
Cause
How does it happen
The API returns an object with potentially sensitive data-fields, without excluding, filtering or nullifying said sensitive data - thus
exposing it in an API response.
How to avoid it
 When returning objects that hold data from an API, always consider the types and contexts of data being returned - such as
whether or not it is required by the API's consumers, and whether or not it is sensitive
 Opt to white-list allowed data to be in control of data flow and remove excess
Java
Exposing a Sensitive Field in a Spring REST API Response
// POJO with Sensitive Data

@Entity
public class User {
@Id
@GeneratedValue
private Long id;
private String username;
// Field will be exposed if User object is returned as-is from API:
private String encryptedPassword;
// ... public constructors getters and setters ... //
}
// Spring REST Controller Mapped Method

@GetMapping("/users/{id}")
User findOne(@PathVariable Long id) {
User user = repository.findById(id).orElseThrow(() -> new UserNotFoundException(id));
return user;
}
Using a DTO and ModelMapper To Whitelist Desired Output Fields in a Spring REST API

@Entity
public class User {
@Id
@GeneratedValue
private Long id;
PAGE 131 OF 153

}
// DTO without Sensitive Data

public class UserDTO {
private Long id;
}
// Spring REST Controller Mapped Method

@GetMapping("/users/{id}")
User findOne(@PathVariable Long id) {
User user = repository.findById(id).orElseThrow(() -> new UserNotFoundException(id));
UserDTO userDTO = modelMapper.map(user, UserDTO.class);
return userDTO;
}
Spring Annotation Used to Exclude A Field from JSON Entirely - Can Also Be Set on Getter Individually to Allow Setting a
Value While Preventing Exposure

@Entity
public class User {
@Id
@GeneratedValue
private Long id;
@JsonIgnore
}
PAGE 132 OF 153

Improper Resource Access Authorization
Risk
What might happen
Unauthorized actions may allow attackers to write malicious content or code to files, databases and other I\Os or read sensitive I\O
contents. Impact of this issue varies, depending on implementation, but may allow:
 Remote code execution, in case an attacker is able to inject malicious data into a writable I\O, which would then be
interpreted or compiled as code
 Overwriting or leaking of configuration files
 Compromising confidentiality or integrity of stored data
Cause
How does it happen
A logic flow in code triggers I/O and is not authorized. If an attacker can trigger it, it may leave it vulnerable to attack.
How to avoid it
When logic flows are affected by user input or behavior, always ensure the user is authorized to trigger them.
Java
Writing to File Without Any Authorization Checks
Part filePart = request.getPart("file");

if (filePart != null) {
InputStream filecontent = null;
filecontent = filePart.getInputStream();
Path path = Paths.get(filename);
byte[] contentByteArray = new byte[filecontent.available()];
filecontent.read(contentByteArray);
Files.write(path, contentByteArray);
}
Using a Basic Authorization Check Based on Session Variables
HttpSession session = request.getSession();

String role = (String)session.getAttribute("role");
if (role.equals(ADMIN)) {
Part filePart = request.getPart("file");
if (filePart != null) {
InputStream filecontent = null;
filecontent = filePart.getInputStream();
Path path = Paths.get(filename);
byte[] contentByteArray = new byte[filecontent.available()];
filecontent.read(contentByteArray);
Files.write(path, contentByteArray);
}
}
PAGE 133 OF 153

TruffleHog HighEntropy Strings
Risk
What might happen
Hardcoded passwords expose the application to password leakage. If an attacker gains access to the source code, she will be able to
steal the embedded passwords, and use them to impersonate a valid user. This could include impersonating end users to the
application, or impersonating the application to a remote system, such as a database or a remote web service.
Once the attacker succeeds in impersonating the user or application, she will have full access to the system, and be able to do
anything the impersonated identity could do.
Cause
How does it happen
The application codebase has string literal passwords embedded in the source code. This hardcoded value is used either to compare to
user-provided credentials, or to authenticate downstream to a remote system (such as a database or a remote web service).
An attacker only needs to gain access to the source code to reveal the hardcoded password. Likewise, the attacker can reverse
engineer the compiled application binaries, and easily retrieve the embedded password. Once found, the attacker can easily use the
password in impersonation attacks, either directly on the application or to the remote system.
Furthermore, once stolen, this password cannot be easily changed to prevent further misuse, unless a new version of the application is
compiled. Moreover, if this application is distributed to numerous systems, stealing the password from one system automatically
allows a class break in to all the deployed systems.
How to avoid it
 Do not hardcode any secret data in source code, especially not passwords.
 In particular, user passwords should be stored in a database or directory service, and protected with a strong password hash
(e.g. bcrypt, scrypt, PBKDF2, or Argon2). Do not compare user passwords with a hardcoded value.
 Sytem passwords should be stored in a configuration file or the database, and protected with strong encryption (e.g. AES-
256). Encryption keys should be securely managed, and not hardcoded.
Java
Hardcoded Admin Password
bool isAdmin(String username, String password) {

bool isMatch = false;
if (username.equals("admin")) {
if (password.equals("P@ssw0rd"))
return isMatch = true;
}
return isMatch;
}
No Hardcoded Credentials
bool isAdmin(String username, String password) {

bool adminPrivs = false;
if (authenticateUser(username, password)) {
UserPrivileges privs = getUserPrivileges(username);
PAGE 134 OF 153

if (privs.isAdmin)
adminPrivs = true;
}
return adminPrivs;
}
PAGE 135 OF 153

Spring Missing Content Security Policy
Risk
What might happen
The Content-Security-Policy header enforces that the source of content, such as the origin of a script, embedded (child) frame,
embedding (parent) frame or image, are trusted and allowed by the current web-page; if, within the web-page, a content's source does
not adhere to a strict Content Security Policy, it is promptly rejected by the browser. Failure to define a policy may leave the
application's users exposed to Cross-Site Scripting (XSS) attacks, Clickjacking attacks, content forgery and more.
Cause
How does it happen
The Content-Security-Policy header is used by modern browsers as an indicator for trusted sources of content, including media,
images, scripts, frames and more. If these policies are not explicitly defined, default browser behavior would allow untrusted content.
The application creates web responses, but does not properly set a Content-Security-Policy header.
How to avoid it
Explicitly set the Content-Security-Policy headers for all applicable policy types (frame, script, form, script, media, img etc.)
according to business requirements and deployment layout of external file hosting services. Specifically, do not use a wildcard, '*', to
specify these policies, as this would allow content from any external resource.
The Content-Security-Policy can be explicitly defined within web-application code, as a header managed by web-server
configurations, or within <meta> tags in the HTML <head> section.
Java
Adding CSP Header Using Spring Security Java Configuration
@Configuration
public class SpringSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
// Add CSP headers
http.headers()
.contentSecurityPolicy("script-src 'self' https://example.com; object-src
https://example.com; report-uri /csp-report-endpoint/");
}
}
HTTP Response With CSP Header Set
protected void processRequest(HttpServletRequest request, HttpServletResponse response)

throws ServletException, IOException {
// handle request
response.setHeader("Content-Security-Policy", "default-src 'self'"); // default-src is the
most restric mode of CSP and covers all applicable policy types
}
HTTP Response with CSP Header in Spring
PAGE 136 OF 153

@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
http
.headers()
.contentSecurityPolicy("default-src 'self'"); // default-src is the most restric mode of
CSP and covers all applicable policy types
}
}
XML
Adding CSP Header Using Spring Security XML Configuration
<http>

<headers>
<content-security-policy policy-directives="script-src 'self' https://apis.example.com">
</content-security-policy>
</headers>
</http>
PAGE 137 OF 153

Spring Overly Permissive Cross Origin Resource Sharing Policy
Risk
What might happen
A Cross-Origin Resource Sharing (CORS) header, "Access-Control-Allow-Origin", that is overly permissive may allow scripts from
other web-sites to access, and often manipulate, resources on the affected web-application. These resources may include page
contents, tokens and more, allowing potential Cross-Site Request Forgery (CSRF) or Cross-Site Scripting (XSS) attacks, performing
actions on a user's behalf such as changing their password, or allow breach of user privacy.
Cause
How does it happen
Modern browsers, by default, disallow resource sharing between different domains from accessing one another's DOM contents,
cookie jars and other resources, specifically to prevent malicious web-applications from attacking legitimate web-applications and
their users as part of the Same-Origin Policy (SOP). For example - website A cannot retrieve contents of website B by default, as that
is a breach of the SOP. The Cross-Origin Resource Sharing (CORS) policy, defined by specific headers, allows loosening this strict
default behavior to enable cross-site communications. However, when used incorrectly, CORS may enable unintended and
potentially malicious behavior by allowing an overly broad trust of web-applications that may submit requests and retrieve responses
from the web-application.
The Access-Control-Allow-Origin is incorrectly set to an unsafe value in code.
How to avoid it
Where not explicitly required, do not set any CORS headers. Where required, consider business needs for setting these headers, and
opt for the most restrictive configuration possible, such as white-listing trusted, secure and allowed domains access, while utilizing
other CORS headers to strictly provide required and expected functionality.
Spring Security has a built-in mechanism to configure the CORS header using the @CrossOrigin annotation.
Spring's default allowed origin is overly permissive and it is recommended to manually specify the allowed origins.
Java
Default 'origins' Parameter Allowing All Origins in a Specific Endpoint
@RestController
@RequestMapping("/resource")
public class ResourceController {
@CrossOrigin
@GetMapping("/{id}")
public Resource retrieve(@PathVariable Long id) {
// ...
}
}
Setting an 'origins' Parameter on a Specific Controller
@CrossOrigin(origins = "https://example.com", maxAge = 3600)

@RestController
@RequestMapping("/resource")
public class ResourceController {
@GetMapping("/{id}")
public Resource retrieve(@PathVariable Long id) {
PAGE 138 OF 153

// ...
}
}
Applying the CORS Header to Every Endpoint Using Spring Security's Java Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
http
// by default uses a Bean by the name of corsConfigurationSource
.cors();
}
@Bean
CorsConfigurationSource corsConfigurationSource() {
CorsConfiguration configuration = new CorsConfiguration();
configuration.setAllowedOrigins(Arrays.asList("https://example.com"));
configuration.setAllowedMethods(Arrays.asList("GET","POST"));
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
// Applying the CORS to all endpoints
source.registerCorsConfiguration("/**", configuration);
return source;
}
}
Wildcard Access-Control-Allow-Origin
response.addHeader("Access-Control-Allow-Origin", "*");
Access-Control-Allow-Origin Being Set for a Trusted Domain
// Assuming https://www.example.com is a trusted domain

response.addHeader("Access-Control-Allow-Origin", "https://www.example.com");
Dynamically Determine Access-Control-Allow-Origin from Origin Header
String origin = request.getHeader("Origin");

response.addHeader("Access-Control-Allow-Origin", origin);
XML
Applying Spring Security's Default CORS with an Overly Permissive Configuration
<http>
<cors />
PAGE 139 OF 153

</http>
PAGE 140 OF 153

Improper Exception Handling
Risk
What might happen
An attacker could maliciously cause an exception that could crash the application, potentially resulting in a denial of service (DoS) or
unexpected behavior under certain erroneous conditions. Exceptions may also occur without any malicious intervention, resulting in
general instability.
Cause
How does it happen
The application performs some operation, such as database or file access, that could throw an exception. Since the application is not
designed to properly handle the exception, the application could crash.
How to avoid it
Any method that could cause an exception should be wrapped in a try-catch block that:
 Explicitly handles expected exceptions
 Includes a default solution to explicitly handle unexpected exceptions
Java
Loading a Library without Catching
public static void loadLib() {

System.loadLibrary(LIB_NAME); // If LIB_NAME does not exist, an unhandled exception will
be thrown
}
Handle All Possible Exceptions within the Error-Prone Method
public static void loadLib() {

try {
System.loadLibrary(LIB_NAME);
} catch (SecurityException se) {
// Handle SecurityException
} catch (UnsatisfiedLinkError sle) {
// Handle UnsatisfiedLinkError
} catch (NullPointerException npe) {
// Handle NullPointerException
}
}
Aggregate Potential Exceptions to Calling Code
public static void loadLib() throws UnsatisfiedLinkError, NullPointerException,

SecurityException {
System.loadLibrary(LIB_NAME);
PAGE 141 OF 153

}
PAGE 142 OF 153

Risk
What might happen
Sensitive data may leak via a Serializable object.
Cause
How does it happen
Serialization is the process of converting an object in memory into a serialized form, such as bytestreams, XMLs, JSONs and more. It
is intended for either transmission or storage, which would likely expose its contents at some point. It is discouraged to save any
sensitive data into Serialized objects, as by their very definition it is implicit that they will, at some point, store or transmit this data
in a recoverable and possibly readable format.
How to avoid it
 Do not store sensitive data inside serialized objects
 If absolutely required - do not store or transmit serialized objects containing sensitive data in a way that may jeopardize their
contents. Always consider data-at-rest and data-in-transit principles when handling serialized objects containing sensitive
data
Java
"Purchase" Class Contains Credit Card Information, and Implements Serializable, Implying Credit Card will be
Transmitted or Stored
public class Purchase implements Serializable {

private String creditCard;
private Date expDate;
private int CCV;
// .. //
}
PAGE 143 OF 153

Use Of Hardcoded Password In Config
Risk
What might happen
Storing sensitive information in plain-text, such as in a configuration file, may allow anyone with local file access to trivially retrieve
it.
Cause
How does it happen
A password is stored in plain-text in a configuration file on the file system.
How to avoid it
 Do not store passwords in plain-text
 Use a secure storage solution, such as an encrypted container - ensure the key to this container is not stored, itself, in plain-
text
 Alternatively, use a different authentication mechanism, such as domain-based access-control and authentication
Java
Plain-Text Password in Configuration File
myapplication.datasource.username=root
myapplication.datasource.password=sup3rs3cr3tp455w0rd!!##%%
Base64-Encoded Password in Configuration File, Which Can Be Trivially Decoded
myservice.webservice.user=admin
myservice.webservice.password=c3VwM3JzM2NyM3RwNDU1dzByZCEhIyMlJQ==
PAGE 144 OF 153

Insufficient Logging
Weakness ID: 778 (Weakness Base) Status: Draft
Description
Description Summary
When a security-critical event occurs, the software either does not record the event or omits important details
about the event when logging it.
Extended Description
When security-critical events are not logged properly, such as a failed login attempt,
this can make malicious behavior more difficult to detect and may hinder forensic
analysis after an attack succeeds.
Time of Introduction
 Operation
Applicable Platforms
Languages
Language-independent
Common Consequences
Scope Effect
Accountability If security critical information is not recorded, there will be no

trail for forensic analysis and discovering the cause of problems
or the source of attacks may become more difficult or
impossible.
Likelihood of Exploit
Medium
Demonstrative Examples
Example 1
The example below shows a configuration for the service security audit feature in the
Windows Communication Foundation (WCF).
(Bad Code)
Example Language: XML
<system.serviceModel>
<behaviors>
<serviceBehaviors>
<behavior name="NewBehavior">
<serviceSecurityAudit auditLogLocation="Default"
suppressAuditFailure="false"
serviceAuthorizationAuditLevel="None"
messageAuthenticationAuditLevel="None" />
...
</system.serviceModel>
The previous configuration file has effectively disabled the recording of security-critical
events, which would force the administrator to look to other sources during debug or
recovery efforts.
Logging failed authentication attempts can warn administrators of potential brute force
attacks. Similarly, logging successful authentication events can provide a useful audit
trail when a legitimate account is compromised. The following configuration shows
appropriate settings, assuming that the site does not have excessive traffic, which could
fill the logs if there are a large number of success or failure events (CWE-779).
(Good Code)
Example Language: XML
PAGE 145 OF 153

<system.serviceModel>
<behaviors>
<serviceBehaviors>
<behavior name="NewBehavior">
<serviceSecurityAudit auditLogLocation="Default"
suppressAuditFailure="false"
serviceAuthorizationAuditLevel="SuccessAndFailure"
messageAuthenticationAuditLevel="SuccessAndFailure" />
...
</system.serviceModel>
Observed Examples
Reference Description
CVE-2008-4315 server does not log failed authentication attempts, making it

easier for attackers to perform brute force password guessing
without being detected
CVE-2008-1203 admin interface does not log failed authentication attempts,

making it easier for attackers to perform brute force password
guessing without being detected
CVE-2007-3730 default configuration for POP server does not log source IP or
username for login attempts
CVE-2007-1225 proxy does not log requests without "http://" in the URL,
allowing web surfers to access restricted web content without
detection
CVE-2003-1566 web server does not log requests for a non-standard request
type
Potential Mitigations
Phase: Architecture and Design
Use a centralized logging mechanism that supports multiple levels of detail. Ensure that all security-related successes and failures
can be logged.
Phase: Operation
Be sure to set the level of logging appropriately in a production environment. Sufficient data should be logged to enable system
administrators to detect attacks, diagnose errors, and recover from attacks. At the same time, logging too much data (CWE-779)
can cause the same problems.
Relationships
Nature Type ID Name View(s) this
relationship pertains
to
ChildOf Weakness Base 223 Omission of Security- Development
relevant Information Concepts
(primary)699
Research Concepts
(primary)1000
ChildOf Category 254 Security Features Development
Concepts699
ChildOf Weakness Class 693 Protection Mechanism Research Concepts1000
Failure
Content History
Submissions
Submission Date Submitter Organization Source
2009-07-02 Internal CWE Team
Contributions
Contribution Date Contributor Organization Source
2009-07-02 Fortify Software Content
Provided code example and additional information for description and consequences.
BACK TO TOP
PAGE 146 OF 153

Reliance On Untrusted Inputs In Security Decision
Risk
What might happen
Whenever input is accepted from the user or the outside environment, it should be validated for type, length, format, and range before
it is used. Until properly validated, the data is said to be tainted. When security decisions such as authentication and authorization are
made based on the values of tainted data, attackers can bypass the security of the software. Without sufficient encryption, integrity
checking, or other mechanism, any input that originates from an outsider cannot be trusted.
Cause
How does it happen
Attackers can bypass the security decision to access whatever is being protected. The consequences will depend on the associated
functionality, but they can range from granting additional privileges to untrusted users to bypassing important security checks.
Ultimately, this weakness may lead to exposure or modification of sensitive data, system crash, or execution of arbitrary code.
How to avoid it
Any input should be validated with encryption, integrity checking, or other mechanism such as checking type, length, format, and
range before it is used.
CPP
Untrusted Input
#include <sys/socket.h>
#include <netdb.h>
#include <stdbool.h>
#include <string.h>
#include <arpa/inet.h>
//The following code samples use a DNS lookup in order to decide whether or not an inbound
request is from a trusted host.
//If an attacker can poison the DNS cache, they can gain trusted status.
void f(const char *ip_addr_string){
struct hostent *hp;struct in_addr myaddr;
char* tHost = "trustme.example.com";
myaddr.s_addr=inet_addr(ip_addr_string);
bool trusted = false;
hp = gethostbyaddr((char *) &myaddr, sizeof(struct in_addr), AF_INET);
if (hp && !strncmp(hp->h_name, tHost, sizeof(tHost))) {
trusted = true;
} else {
trusted = false;
}
}
Java
Untrusted Input
import java.io.*;
import java.net.*;
import javax.servlet.*;
PAGE 147 OF 153

public class Untrusted{
//In the following example, an authentication flag is read from a browser cookie, thus allowing
for external control of user state data.
public static List<String> functionExample2(HttpServletRequest request){
boolean authenticated = false;

Cookie[] cookies = request.getCookies();
List<String> resultsUnreliable = new List<String>();
for (int i =0; i< cookies.length; i++) {
Cookie c = cookies[i];
if (c.getName().equals("authenticated") &&
Boolean.TRUE.equals(c.getValue())) {
resultsUnreliable.Add(c.getName());
}
}
return resultsUnreliable;
}
}
Good practice
public String intercept(ActionInvocation next) throws Exception {
final ActionContext context = next.getInvocationContext ();
HttpServletRequest request = (HttpServletRequest) context.get(HTTP_REQUEST);
HttpSession session = request.getSession ();
if (next.getAction() instanceof com.accor.asa.rate.action.LoginAction) {
return next.invoke();
} else if(session!=null){
Contexte contexte = (Contexte)session.getAttribute(MainAction.CONTEXTE);
if (contexte!=null) {
//this REQUEST_LOCALE is an input
String codeLangue = request.getParameter (MainAction.REQUEST_LOCALE);
//validation performed
if(StringUtils.isNotBlank(codeLangue)) {
//setCodeLangue is not considered as an sink.
contexte.setCodeLangue(codeLangue);
}
}
}
}
PAGE 148 OF 153

Exposure of Resource to Wrong Sphere
Risk
What might happen
If a class exposes an internal variable as a public field, without constraining access, the variable can be modified in unexpected ways,
allowing an external consumer of the class to set arbitrary, unallowed values to the field. This could cause to unexpected behavior if
the class (or other consumers) make assumptions about the value of that variable. This could even lead to additional vulnerabilities,
depending on how this value is used.
Cause
How does it happen
One of the application's classes exposes an internal variable as a public field, without constraining access, by exposing it as a
property. Alternatively, public fields can be exposed without allowing their values to be externally modified.
How to avoid it
 Avoid exposing internal variables and specific implementation as public fields.
 Prefer exposing data as properties, and implement data validation and control in the property code as needed.
 When exposing a public field, constrain the value to be readonly via use of final modifier.
Java
Exposing Public Field
public class MyProduct {
// This value can be modified by any external code
public float price;
public MyProduct() {
this.price = ReadPriceFromDB("MyProduct");
}
}
Exposing Read-Only Field

// This value can be read by external code,
// but can only be modified by the constructor
public final float price;
}
}
Wrapping with Properties

// This value can only be accessed by the class itself
private float price;
// External code can only read the value by calling the accessor property
public float getPrice() {
return price;
PAGE 149 OF 153

}
}
}
PAGE 150 OF 153

Weakness ID: 499 (Weakness Variant) Status: Draft
Description
Description Summary
The code contains a class with sensitive data, but the class does not explicitly deny serialization. The data can
be accessed by serializing the class through another class.
Extended Description
Serializable classes are effectively open classes since data cannot be hidden in them.
Classes that do not explicitly deny serialization can be serialized by any other class,
which can then in turn use the data stored inside it.
Time of Introduction
 Implementation
Applicable Platforms
Languages
Java
Common Consequences
Scope Effect
Confidentiality an attacker can write out the class to a byte stream, then
extract the important data from it.
Likelihood of Exploit
High
Demonstrative Examples
Example 1
(Bad Code)
Example Language: Java
class Teacher {
private String name;
private String clas;
public Teacher(String name,String clas) {
//...
//Check the database for the name and address
this.SetName() = name;
this.Setclas() = clas;
}
}
Potential Mitigations
Phase: Implementation
In Java, explicitly define final writeObject() to prevent serialization. This is the recommended solution. Define the writeObject()
function to throw an exception explicitly denying serialization.
Phase: Implementation
Make sure to prevent serialization of your objects.
Relationships
Nature Type ID Name View(s) this
relationship pertains
to
ChildOf Weakness Class 485 Insufficient Development
Encapsulation Concepts
(primary)699
Research Concepts
(primary)1000
PAGE 151 OF 153

CanPrecede Weakness Class 200 Information Exposure Development
Concepts699
Research Concepts1000
Taxonomy Mappings
Mapped Taxonomy Name Node ID Fit Mapped Node Name
CLASP Information leak through

serialization
Content History
Submissions
Submission Date Submitter Organization Source
CLASP Externally Mined
Modifications
Modification Date Modifier Organization Source
2008-07-01 Eric Dalci Cigital External
updated Time of Introduction
2008-09-08 CWE Content Team MITRE Internal
updated Common Consequences, Description, Relationships, Taxonomy Mappings
2009-07-27 CWE Content Team MITRE Internal
updated Demonstrative Examples
Previous Entry Names
Change Date Previous Entry Name
2008-04-11 Information Leak through Serialization
BACK TO TOP
PAGE 152 OF 153

Scanned Languages
Language Hash Number Change Date
Java 8926407913942119 10/31/2021
PLSQL 7106116806807577 10/31/2021
Groovy 0635473483780935 10/31/2021
Common 1867855616463800 10/31/2021
PAGE 153 OF 153

CxSASTReport 21 12 2022-11 51 28

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

CxSASTReport 21 12 2022-11 51 28

Uploaded by

Copyright:

Available Formats

ASWS-Repair_Order_Claim_Service_APP_QA-33514 Scan Report

Project Name ASWS-Repair_Order_Claim_Service_APP_QA-33514

Threat Weakness Weakness Technical Business Issues Best Fix

Threat Attack Weakness Weakness Technical Business Issues Best Fix

Issues Best Fix

Issues Best Fix

High Medium Low Information Total

Recurrent Issues 0 35 79 61 175

Fixed Issues 27 4 174 14 219

Results Distribution By State

10 Most Vulnerable Files

File Name Issues Found

Reflected XSS All Clients

File Name src/main/java/com/mbusa/raps/service/LocalEditServiceImpl.java

Unsafe Object Binding

The roDiscrepancyRequestModel at src/main/java/com/mbusa/raps/controller/ReimbursementController.java in line 206

File Name src/main/java/com/mbusa/raps/service/ReimbursementServiceImpl.java

Unsafe Object Binding\Path 2:

The submitModels at src/main/java/com/mbusa/raps/controller/ReimbursementController.java in line 245 may

File Name src/main/java/com/mbusa/raps/service/ReimbursementServiceImpl.java

Unsafe Object Binding\Path 3:

The submitModels at src/main/java/com/mbusa/raps/controller/ReimbursementController.java in line 245 may

File Name src/main/java/com/mbusa/raps/service/ReimbursementServiceImpl.java

Unsafe Object Binding\Path 4:

The submitModels at src/main/java/com/mbusa/raps/controller/ReimbursementController.java in line 245 may

File Name src/main/java/com/mbusa/raps/service/ReimbursementServiceImpl.java

Unsafe Object Binding\Path 5:

The submitModels at src/main/java/com/mbusa/raps/controller/ReimbursementController.java in line 245 may

File Name src/main/java/com/mbusa/raps/service/ReimbursementServiceImpl.java

Unsafe Object Binding\Path 6:

The parkReimbursements at src/main/java/com/mbusa/raps/controller/ReimbursementController.java in line 308 may

File Name src/main/java/com/mbusa/raps/service/ReimbursementServiceImpl.java

Unsafe Object Binding\Path 7:

The unparkReimbursements at src/main/java/com/mbusa/raps/controller/ReimbursementController.java in line 370 may

File Name src/main/java/com/mbusa/raps/service/ReimbursementServiceImpl.java

Unsafe Object Binding\Path 8:

The parkReimbursements at src/main/java/com/mbusa/raps/controller/ReimbursementController.java in line 308 may

File Name src/main/java/com/mbusa/raps/service/ReimbursementServiceImpl.java

Unsafe Object Binding\Path 9:

The unparkReimbursements at src/main/java/com/mbusa/raps/controller/ReimbursementController.java in line 370 may

File Name src/main/java/com/mbusa/raps/service/ReimbursementServiceImpl.java

Unsafe Object Binding\Path 10:

The deleteReimbursementModel at src/main/java/com/mbusa/raps/controller/ReimbursementController.java in line 422

File Name src/main/java/com/mbusa/raps/service/ReimbursementServiceImpl.java

The forcesubmitModels at src/main/java/com/mbusa/raps/controller/ReimbursementController.java in line 472 may

File Name src/main/java/com/mbusa/raps/service/ReimbursementServiceImpl.java

Unsafe Object Binding\Path 12:

The forcesubmitModels at src/main/java/com/mbusa/raps/controller/ReimbursementController.java in line 472 may

File Name src/main/java/com/mbusa/raps/service/ReimbursementServiceImpl.java

Unsafe Object Binding\Path 13:

The forcesubmitModels at src/main/java/com/mbusa/raps/controller/ReimbursementController.java in line 472 may

File Name src/main/java/com/mbusa/raps/service/ReimbursementServiceImpl.java

Unsafe Object Binding\Path 14:

The forcesubmitModels at src/main/java/com/mbusa/raps/controller/ReimbursementController.java in line 472 may

File Name src/main/java/com/mbusa/raps/service/ReimbursementServiceImpl.java

Unsafe Object Binding\Path 15:

The forcesubmitModels at src/main/java/com/mbusa/raps/controller/ReimbursementController.java in line 472 may

File Name src/main/java/com/mbusa/raps/service/ReimbursementServiceImpl.java

Unsafe Object Binding\Path 16:

The approve at src/main/java/com/mbusa/raps/controller/ReimbursementController.java in line 686 may unintentionally

File Name src/main/java/com/mbusa/raps/service/ReimbursementServiceImpl.java

Unsafe Object Binding\Path 17:

The approve at src/main/java/com/mbusa/raps/controller/ReimbursementController.java in line 686 may unintentionally