pullrequests Search Results · language:Dune language:JavaScript language:Java language:Java language:HTML language:JavaScript

155M results  (2 s)

Harness Pipeline 1. Locate where the cookie is created and added to the response (line 77 in SpoofCookieAssignment.java). 2. Add the HttpOnly flag by calling newCookie.setHttpOnly(true); before adding ...

Harness Pipeline 1. Validate the redirect URL against a whitelist of allowed URLs or domains. Reject or sanitize any URL not explicitly allowed. 2. Use relative paths instead of absolute URLs whenever ...

Harness Pipeline 1. Avoid direct interpolation of ${{ github.* }} context variables inside run: shell commands. 2. Instead, assign the untrusted input to environment variables using the env: key. 3. ...

Harness Pipeline 1. Locate where the access_token cookie is created (line 114). 2. Add cookie.setSecure(true); immediately after cookie creation to ensure it is only sent over HTTPS. 3. Optionally, ...

Harness Pipeline 1. Implement strict validation on all incoming parameters, especially those related to security questions: - Enforce expected data types (e.g., alphanumeric, length limits). ...

Harness Pipeline 1. Replace the concatenated SQL query string with a parameterized query using java.sql.PreparedStatement. 2. Use connection.prepareStatement() to create the query with placeholders ...

Harness Pipeline 1. Set the Secure flag on all cookies related to authentication or sensitive data. In the cleanup method (line 58), add cookie.setSecure(true); before response.addCookie(cookie);. ...

Harness Pipeline 1. Normalize and Canonicalize Paths: Use Java's File.getCanonicalPath() or Path.toRealPath() to resolve the absolute path of the constructed file. 2. Validate the Resolved Path: ...

Harness Pipeline 1. Strictly validate and sanitize the id parameter: Allow only expected values (e.g., numeric IDs 1-10) using whitelist validation. 2. Reject or normalize any input containing path ...

Harness Pipeline 1. Use parameterized queries for all user inputs: Replace string concatenation with PreparedStatement bind variables for accountName. 2. Modify the SQL query string to use placeholders ...