No description, website, or topics provided.
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
.gitattributes
README.md
generic_scanner_JTH.xsd
transform2F5.xslt

README.md

veracode-2-F5

The F5 Big-IP WAF is able to import XML files with flaws from dynamic scans of different vendors like Qualys, Rapid 7, White Hat or Trustwave. The solution I build is making use of their generic scanner import plugin. It's a fairly simple process, download the Veracode Dynamic scan detailed XML report and transform it using a XSLT transformation template. Please refer to the generic_scanner.xsd

The F5 possible values to identify flaws are named as following and I mapped to the Veracode CWE's accordingly.

F5 Flaw Category CWE ID Veracode CWE Name
Other Application Attacks 296 Improper Following of Chain of Trust for Certificate Validation
Other Application Attacks 297 Improper Validation of Host-specific Certificate Data
Other Application Attacks 298 Improper Validation of Certificate Expiration
Other Application Attacks 321 Use of Hard-coded Cryptographic Key
Other Application Attacks 326 Inadequate Encryption Strength
Other Application Attacks 327 Use of a Broken or Risky Cryptographic Algorithm
Other Application Attacks 530 Exposure of Backup File to an Unauthorized Control Sphere
Other Application Attacks 16 Configuration
Other Application Attacks 642 External Control of Critical State Data
Other Application Attacks 757 Selection of Less-Secure Algorithm During Negotiation (Algorithm Downgrade)
Authentication/Authorization Attacks 287 Improper Authentication
Authentication/Authorization Attacks 285 Improper Authorization
Authentication/Authorization Attacks 259 Use of Hard-coded Password
Authentication/Authorization Attacks 522 Insufficiently Protected Credentials
Clickjacking 693 Clickjacking/Content Security Policy insecure unsafe-inline directive used/Content Security Policy insecure unsafe-eval directive used
Command Execution 78 Improper Neutralization of Special Elements used in an OS Command (OS Command Injection)
Command Execution 78 Improper Neutralization of Special Elements used in an OS Command (OS Command Injection)
Cross Site Scripting (XSS) 79 Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)
Cross Site Scripting (XSS) 80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
Cross Site Scripting (XSS) 83 Improper Neutralization of Script in Attributes in a Web Page
Cross-site Request Forgery 352 Cross-Site Request Forgery (CSRF)
Directory Indexing 548 Information Exposure Through Directory Listing
Forceful Browsing 538 File and Directory Information Exposure
HTTP Response Splitting 113 Improper Neutralization of CRLF Sequences in HTTP Headers (HTTP Response Splitting)
Information Leakage 200 Information Exposure
Information Leakage 209 Information Exposure Through an Error Message
Information Leakage 215 Information Exposure Through Debug Information
Information Leakage 526 Information Exposure Through Environmental Variables
Malicious File Upload 434 Unrestricted Upload of File with Dangerous Type
Mixed content found 830 Inclusion of Web Functionality from an Untrusted Source
Open redirect 601 URL Redirection to Untrusted Site (Open Redirect)
Path Traversal 22 Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)
Remote File Include 98 Improper Control of Filename for Include/Require Statement in PHP Program (PHP File Inclusion)
Session Hijacking 384 Session Fixation
Set-Cookie doesn't use HTTPOnly keyword 402 Transmission of Private Resources into a New Sphere (Resource Leak)
Set-Cookie doesn't use Secure keyword 614 Sensitive Cookie in HTTPS Session Without Secure Attribute
SQL-Injection 89 Improper Neutralization of Special Elements used in an SQL Command (SQL Injection)
Unsafe CORS configuration 668 Exposure of Resource to Wrong Sphere

The XSLT template will transform the Veracode Dynamic scan results detailed xml report to F5's generic scanner format. The template is transform2F5.xslt.

The command to run the transformation is (on a mac)

xsltproc -o output.xml transform2F5.xslt detailedreport-xml-report.xml and will produce a file that can easily be uploaded to the F5 Big-IP user interface and virtually patch the dynamic findings.