Classic ASP Custom Rule Ignored in SCA 19.1.0

We have a large Classic ASP/C# site which has a few custom rules to mark strings as XSS safe, etc. Lately the custom rules are being ignored. In particular, one ASP file includes a function defined in another, and that function was removing the taint beforehand, but now the Analysis Evidence is coming back with taint "DATABASE, XSS". I opened the FPR file in Audit Workbench and verified it was reading in the custom rule files. I then went to the offending function and said "Generate Rule For Function" and inserted it into the existing custom rule file. That new rule is also being ignored. What am I doing wrong here? New rule below. Note I changed the default language from "dotnet" to "vb" by hand. Neither works.

<DataflowCleanseRule formatVersion="19.10" language="vb">
  <RuleID>8E12C533-55BA-4919-B1C3-921F06143E8E</RuleID>
  <!-- Flags prefixed with "+" are added to the value named in OutArguments when the identified function is matched -->
  <TaintFlags>+VALIDATED_CROSS_SITE_SCRIPTING_REFLECTED,+VALIDATED_CROSS_SITE_SCRIPTING_PERSISTENT,+VALIDATED_CROSS_SITE_SCRIPTING_DOM,+VALIDATED_CROSS_SITE_SCRIPTING_POOR_VALIDATION</TaintFlags>
  <FunctionIdentifier>
    <NamespaceName>
      <Pattern/>
    </NamespaceName>
    <ClassName>
      <Pattern/>
    </ClassName>
    <FunctionName>
      <Pattern>preventxss</Pattern>
    </FunctionName>
    <ApplyTo implements="true" overrides="true" extends="true"/>
  </FunctionIdentifier>
  <!-- The cleansed value is the function's return value -->
  <OutArguments>return</OutArguments>
</DataflowCleanseRule>
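
The following is an added example, not the poster's code and not Fortify's engine: a toy model of how a DataflowCleanseRule is supposed to act on taint flags, fed the rule fragment from the post. Its matching and flag semantics (case-sensitive regex on the function name, exact language match, "+FLAG" adds a flag to the return value, an XSS sink that only reports when no VALIDATED_CROSS_SITE_SCRIPTING_* flag is present) are simplifying assumptions, but it shows concretely that a rule whose identifier does not match the call leaves the "DATABASE, XSS" taint flowing through unchanged, which is exactly what an "ignored" rule looks like in the evidence.

```python
import re
import xml.etree.ElementTree as ET

# Constructed input: the cleanse rule from the post (DOM/POOR_VALIDATION flags omitted for brevity).
RULE_XML = """<DataflowCleanseRule formatVersion="19.10" language="vb">
  <RuleID>8E12C533-55BA-4919-B1C3-921F06143E8E</RuleID>
  <TaintFlags>+VALIDATED_CROSS_SITE_SCRIPTING_REFLECTED,+VALIDATED_CROSS_SITE_SCRIPTING_PERSISTENT</TaintFlags>
  <FunctionIdentifier>
    <FunctionName><Pattern>preventxss</Pattern></FunctionName>
  </FunctionIdentifier>
  <OutArguments>return</OutArguments>
</DataflowCleanseRule>"""


def parse_cleanse_rule(xml_text):
    """Extract language, function-name pattern and +/- taint flags from a rule fragment."""
    root = ET.fromstring(xml_text)
    flags = [f for f in root.findtext("TaintFlags", "").split(",") if f]
    return {
        "language": root.get("language"),
        "pattern": root.findtext("FunctionIdentifier/FunctionName/Pattern", ""),
        "add": {f[1:] for f in flags if f.startswith("+")},
        "remove": {f[1:] for f in flags if f.startswith("-")},
    }


def apply_call(rule, func_name, language, taint):
    """Taint on the return value of a call. In this model the rule only fires when the
    translation language and the (case-sensitive) name pattern both match; otherwise
    the argument's taint simply propagates to the return value."""
    if language != rule["language"] or not re.fullmatch(rule["pattern"], func_name):
        return set(taint)
    return (set(taint) | rule["add"]) - rule["remove"]


def xss_sink_fires(taint):
    """Simplified XSS sink: reports XSS taint unless a VALIDATED_CROSS_SITE_SCRIPTING_* flag is set."""
    validated = any(f.startswith("VALIDATED_CROSS_SITE_SCRIPTING") for f in taint)
    return "XSS" in taint and not validated


if __name__ == "__main__":
    rule = parse_cleanse_rule(RULE_XML)
    src = {"DATABASE", "XSS"}  # taint as reported in the post's Analysis Evidence
    print(xss_sink_fires(apply_call(rule, "preventxss", "vb", src)))     # False: rule matched
    print(xss_sink_fires(apply_call(rule, "PreventXSS", "vb", src)))     # True: name pattern missed
    print(xss_sink_fires(apply_call(rule, "preventxss", "dotnet", src)))  # True: language mismatch
```

The two "True" cases are the diagnostic to run mentally against a real scan: if either the language the file was translated as or the exact identifier the analyzer sees differs from what the rule names, the cleanse never applies and the sink still reports.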
