Initial commit

2025-11-29 17:51:02 +08:00
commit ff1f4bd119
252 changed files with 72682 additions and 0 deletions
--- a/skills/appsec/sast-semgrep/references/owasp_cwe_mapping.md
+++ b/skills/appsec/sast-semgrep/references/owasp_cwe_mapping.md
@@ -0,0 +1,300 @@
+# OWASP Top 10 to CWE Mapping with Semgrep Rules
+
+## Table of Contents
+
+- [A01:2021 - Broken Access Control](#a012021---broken-access-control)
+- [A02:2021 - Cryptographic Failures](#a022021---cryptographic-failures)
+- [A03:2021 - Injection](#a032021---injection)
+- [A04:2021 - Insecure Design](#a042021---insecure-design)
+- [A05:2021 - Security Misconfiguration](#a052021---security-misconfiguration)
+- [A06:2021 - Vulnerable and Outdated Components](#a062021---vulnerable-and-outdated-components)
+- [A07:2021 - Identification and Authentication Failures](#a072021---identification-and-authentication-failures)
+- [A08:2021 - Software and Data Integrity Failures](#a082021---software-and-data-integrity-failures)
+- [A09:2021 - Security Logging and Monitoring Failures](#a092021---security-logging-and-monitoring-failures)
+- [A10:2021 - Server-Side Request Forgery (SSRF)](#a102021---server-side-request-forgery-ssrf)
+
+## A01:2021 - Broken Access Control
+
+### CWE Mappings
+- CWE-22: Path Traversal
+- CWE-23: Relative Path Traversal
+- CWE-35: Path Traversal
+- CWE-352: Cross-Site Request Forgery (CSRF)
+- CWE-434: Unrestricted Upload of Dangerous File Type
+- CWE-639: Authorization Bypass Through User-Controlled Key
+- CWE-918: Server-Side Request Forgery (SSRF)
+
+### Semgrep Rules
+```bash
+# Path traversal detection
+semgrep --config "r/python.lang.security.audit.path-traversal"
+
+# Missing authorization checks
+semgrep --config "r/generic.secrets.security.detected-generic-secret"
+
+# CSRF protection
+semgrep --config "r/javascript.express.security.audit.express-check-csurf-middleware-usage"
+```
+
+### Detection Patterns
+- Unrestricted file access using user input
+- Missing or improper authorization checks
+- Insecure direct object references (IDOR)
+- Elevation of privilege vulnerabilities
+
+## A02:2021 - Cryptographic Failures
+
+### CWE Mappings
+- CWE-259: Use of Hard-coded Password
+- CWE-326: Inadequate Encryption Strength
+- CWE-327: Use of Broken/Risky Crypto Algorithm
+- CWE-328: Reversible One-Way Hash
+- CWE-330: Use of Insufficiently Random Values
+- CWE-780: Use of RSA Without OAEP
+
+### Semgrep Rules
+```bash
+# Weak crypto algorithms
+semgrep --config "p/crypto"
+
+# Hard-coded secrets
+semgrep --config "p/secrets"
+
+# Insecure random
+semgrep --config "r/python.lang.security.audit.insecure-random"
+```
+
+### Detection Patterns
+- Use of MD5, SHA1 for cryptographic purposes
+- Hard-coded passwords, API keys, tokens
+- Weak encryption algorithms (DES, RC4)
+- Insecure random number generation
+
+## A03:2021 - Injection
+
+### CWE Mappings
+- CWE-79: Cross-site Scripting (XSS)
+- CWE-89: SQL Injection
+- CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (eval injection)
+- CWE-917: Expression Language Injection
+- CWE-943: Improper Neutralization of Special Elements in Data Query Logic
+
+### Semgrep Rules
+```bash
+# SQL Injection
+semgrep --config "r/python.django.security.injection.sql"
+semgrep --config "r/javascript.sequelize.security.audit.sequelize-injection"
+
+# XSS
+semgrep --config "r/javascript.express.security.audit.xss"
+semgrep --config "r/python.flask.security.audit.template-xss"
+
+# Command Injection
+semgrep --config "r/python.lang.security.audit.dangerous-subprocess-use"
+
+# Code Injection
+semgrep --config "r/python.lang.security.audit.exec-used"
+semgrep --config "r/javascript.lang.security.audit.eval-detected"
+```
+
+### Detection Patterns
+- Unsafe SQL query construction
+- Unescaped user input in HTML context
+- OS command execution with user input
+- Use of eval() or similar dynamic code execution
+
+## A04:2021 - Insecure Design
+
+### CWE Mappings
+- CWE-209: Generation of Error Message with Sensitive Information
+- CWE-256: Unprotected Storage of Credentials
+- CWE-501: Trust Boundary Violation
+- CWE-522: Insufficiently Protected Credentials
+
+### Semgrep Rules
+```bash
+# Information disclosure
+semgrep --config "r/python.flask.security.audit.debug-enabled"
+
+# Missing security controls
+semgrep --config "p/security-audit"
+```
+
+### Detection Patterns
+- Debug mode enabled in production
+- Verbose error messages exposing internals
+- Missing rate limiting
+- Insecure default configurations
+
+## A05:2021 - Security Misconfiguration
+
+### CWE Mappings
+- CWE-16: Configuration
+- CWE-611: Improper Restriction of XML External Entity Reference
+- CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
+- CWE-756: Missing Custom Error Page
+- CWE-776: Improper Restriction of Recursive Entity References in DTDs
+
+### Semgrep Rules
+```bash
+# XXE vulnerabilities
+semgrep --config "r/python.lang.security.audit.avoid-lxml-in-xml-parsing"
+
+# Insecure cookie settings
+semgrep --config "r/javascript.express.security.audit.express-cookie-settings"
+
+# CORS misconfiguration
+semgrep --config "r/javascript.express.security.audit.express-cors-misconfiguration"
+```
+
+### Detection Patterns
+- XML External Entity (XXE) vulnerabilities
+- Insecure cookie flags (missing Secure, HttpOnly, SameSite)
+- Open CORS policies
+- Unnecessary features enabled
+
+## A06:2021 - Vulnerable and Outdated Components
+
+### CWE Mappings
+- CWE-1035: Using Components with Known Vulnerabilities
+- CWE-1104: Use of Unmaintained Third Party Components
+
+### Semgrep Rules
+```bash
+# Known vulnerable dependencies
+semgrep --config "p/supply-chain"
+
+# Deprecated APIs
+semgrep --config "p/owasp-top-ten"
+```
+
+### Detection Patterns
+- Outdated library versions
+- Dependencies with known CVEs
+- Use of deprecated/unmaintained packages
+- Insecure package imports
+
+## A07:2021 - Identification and Authentication Failures
+
+### CWE Mappings
+- CWE-287: Improper Authentication
+- CWE-288: Authentication Bypass Using Alternate Path/Channel
+- CWE-306: Missing Authentication for Critical Function
+- CWE-307: Improper Restriction of Excessive Authentication Attempts
+- CWE-521: Weak Password Requirements
+- CWE-798: Use of Hard-coded Credentials
+- CWE-916: Use of Password Hash With Insufficient Computational Effort
+
+### Semgrep Rules
+```bash
+# Weak password hashing
+semgrep --config "r/python.lang.security.audit.hashlib-md5-used"
+
+# Missing authentication
+semgrep --config "p/jwt"
+
+# Session management
+semgrep --config "r/javascript.express.security.audit.express-session-misconfiguration"
+```
+
+### Detection Patterns
+- Weak password hashing (MD5, SHA1 without salt)
+- Missing multi-factor authentication
+- Predictable session identifiers
+- Credential stuffing vulnerabilities
+
+## A08:2021 - Software and Data Integrity Failures
+
+### CWE Mappings
+- CWE-345: Insufficient Verification of Data Authenticity
+- CWE-502: Deserialization of Untrusted Data
+- CWE-829: Inclusion of Functionality from Untrusted Control Sphere
+- CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes
+
+### Semgrep Rules
+```bash
+# Unsafe deserialization
+semgrep --config "r/python.lang.security.audit.unsafe-pickle"
+semgrep --config "r/javascript.lang.security.audit.unsafe-deserialization"
+
+# Prototype pollution
+semgrep --config "r/javascript.lang.security.audit.prototype-pollution"
+```
+
+### Detection Patterns
+- Unsafe deserialization (pickle, YAML, JSON)
+- Missing integrity checks on updates
+- Prototype pollution in JavaScript
+- Unsafe code loading from external sources
+
+## A09:2021 - Security Logging and Monitoring Failures
+
+### CWE Mappings
+- CWE-117: Improper Output Neutralization for Logs
+- CWE-223: Omission of Security-relevant Information
+- CWE-532: Information Exposure Through Log Files
+- CWE-778: Insufficient Logging
+
+### Semgrep Rules
+```bash
+# Log injection
+semgrep --config "r/python.lang.security.audit.logging-unsanitized-input"
+
+# Sensitive data in logs
+semgrep --config "p/secrets"
+```
+
+### Detection Patterns
+- Log injection vulnerabilities
+- Sensitive data logged (passwords, tokens)
+- Missing security event logging
+- Insufficient audit trails
+
+## A10:2021 - Server-Side Request Forgery (SSRF)
+
+### CWE Mappings
+- CWE-918: Server-Side Request Forgery (SSRF)
+
+### Semgrep Rules
+```bash
+# SSRF detection
+semgrep --config "r/python.requests.security.audit.requests-http-request"
+semgrep --config "r/javascript.lang.security.audit.detect-unsafe-url"
+```
+
+### Detection Patterns
+- Unvalidated URL fetching
+- Internal network access via user input
+- Missing URL validation
+- Bypassing access controls via SSRF
+
+## Using This Mapping
+
+### Scan for Specific OWASP Category
+
+```bash
+# Example: Scan for Injection vulnerabilities (A03)
+semgrep --config "r/python.django.security.injection.sql" \
+        --config "r/python.lang.security.audit.exec-used" \
+        /path/to/code
+```
+
+### Comprehensive OWASP Top 10 Scan
+
+```bash
+semgrep --config="p/owasp-top-ten" /path/to/code
+```
+
+### Filter by CWE
+
+```bash
+# Scan and filter results by CWE
+semgrep --config="p/security-audit" --json /path/to/code | \
+  jq '.results[] | select(.extra.metadata.cwe == "CWE-89")'
+```
+
+## References
+
+- [OWASP Top 10 2021](https://owasp.org/Top10/)
+- [CWE/SANS Top 25](https://cwe.mitre.org/top25/)
+- [Semgrep Rule Registry](https://semgrep.dev/explore)