Questions tagged [bluemix-app-scan]

IBM Security AppScan enhances web application security and mobile application security, improves application security program management and strengthens regulatory compliance.

8 votes, 4 answers, 20k views

kubernetes deployment- container not starting- error- InvalidImageName

Below is the Kubernetes deployment YAML file - container image section: image: https://registry.ng.bluemix.net/****/test-service:test-branch-67 imagePullPolicy: Always Below is the error message ...
4 votes, 1 answer, 3k views

Cross Site Request Forgery prevention via 'Referer' header

We recently received results from IBM AppScan DAST and some of the results don't make much sense. 2. Medium -- Cross-Site Request Forgery Risk(s): It may be possible to steal or manipulate ...
4 votes, 1 answer, 335 views

IBM AppScan - Missing Secure Attribute in Encrypted Session (SSL) Cookie

We have got a Missing Secure Attribute in Encrypted Session (SSL) Cookie issue for primefaces.download based on an IBM AppScan DAST test. Primefaces version is 7.0. Sample Example : https://www....
3 votes, 1 answer, 386 views

IBM AppScan - Blind SQL Injection (Time Based) - JSF 2.2 & Primefaces - JBOSS 7.2 EAP

Original Post: IBM AppScan. We recently received results from IBM AppScan DAST and some of the results don't make much sense. High -- Blind SQL Injection (Time Based) Parameter: form:propertyTree:0:...
2 votes, 1 answer, 674 views

A "No such file or directory" error occurs with the appscan.sh command

I am trying to generate an .irx file using SAClientUtil.6.0.1142 on a Linux machine. However, when I execute the appscan.sh prepare -c <config file> -d <destination file> command, it throws ...
2 votes, 1 answer, 307 views

SSL certificate propagation issue with custom domain on Bluemix app

I uploaded my SSL certificate in the section of my custom domain in the space of my organization. I linked the domain with my application and I have created the CNAME record in my DNS to my broken app ...
2 votes, 0 answers, 461 views

Signalr poll request manipulated from POST to GET vulnerability

In my web application I am using SignalR. The SignalR connection is using the long polling transport, which makes a POST request to the server and passes parameters in the query string. Now I ...
2 votes, 0 answers, 376 views

APPSCAN: Authentication.Credentials.Unprotected

I did a scan with APPSCAN of an application, and the report says there's a vulnerability called "Authentication.Credentials.Unprotected" and it's in this method: public string ...
1 vote, 1 answer, 763 views

Are ResultSet update{ColumnType} methods vulnerable to SQL injection?

A security scan made by AppScan Source flags that the input has to be validated (Validation.Required) on the line uprs.updateString in the code below: PreparedStatement statement = conn....
1 vote, 0 answers, 136 views

<Exclude> tag in AppScanConfig.xml is not excluding the directory during App Scan

I followed the AppScan doc to exclude the node_modules directory when scanning a project, but it doesn't work. AppScanConfig.xml: <Configuration> <Targets> <Target path="."&...
1 vote, 0 answers, 2k views

Content Security Policy: The page’s settings blocked the loading of a resource at inline (“style-src”). on Firefox

I have my CSP added as below in my code: res.header('Content-Security-Policy', "default-src 'self' ; style-src 'self' '<hashvalue>';" + "script-src 'self' '<hashvalue>';" + ...
1 vote, 0 answers, 62 views

AppScan Source scan has 143 findings for a Cordova Android project

I am working on a Cordova Application (Cordova 7.0.1) and am required to run a Source Scan on the Mobile App by our company's security team. I decided to create the Cordova Android (cordova-android 6....
1 vote, 0 answers, 62 views

Configure glass box in AppScan standard

I would like to configure a glass box agent in the JBoss application server. However, when I install the glass box agent, as soon as I arrive at this section and click next ...
0 votes, 2 answers, 727 views

Remote file inclusion by tampering POST payloads. Is it really possible over HTTPS?

Here is how my front-end application loads its required JS files: A page (on HTTPS) will send a POST request describing what JS files should be loaded from various servers. The payload will look ...
0 votes, 2 answers, 1k views

What all does AppScan scan with JavaScript? [closed]

I can't find any good documentation that lists what all IBM's AppScan Source scans for JavaScript projects. I've looked through many of their PDFs and websites but haven't found anything that details ...
0 votes, 1 answer, 550 views

How to handle CWE-400 Resource exhaustion error

We are getting an IBM APPSCAN exception for the following code: { br = new BufferedReader(new InputStreamReader((conn.getInputStream()))); } StringBuilder sb = new StringBuilder(); String line; ...
0 votes, 1 answer, 4k views

Appscan Validation.Required issue in java

I ran AppScan on my application. I can see most of the Validation.Required issues for String objects. But I am not sure what validation AppScan is expecting here. We have tried with null and empty ...
0 votes, 1 answer, 38 views

Application Security on Cloud Not checking for encryption

I have an Android application which contains login authentication; I am not sending an encrypted username and password to the back-end for authentication. When I scan this application in "Application ...
0 votes, 1 answer, 116 views

Bluemix: Can I scan a Java ReST API using Application Security on Cloud

I am planning to use Bluemix for ReST API development using Java. I wanted to use Application Security on Cloud for scanning the application to eliminate security concerns. Can I use it? Is there ...
0 votes, 0 answers, 8 views

AppScan - CSP Protection appears to be missing vulnerability in the body tag

After scanning my index.jsp with HCL AppScan I get a Low CSP Protection vulnerability on the line <body ng-app="appname">, but if I remove the ng-app="appname" and keep only <...
0 votes, 0 answers, 44 views

How to fix Validation.EncodingRequired appscan issue in Java occurred on String Object

Recently we have gone through AppScan and found a Validation.EncodingRequired issue for a String object. out.println(userid, email); Here out is a PrintWriter object. userid and email are the parameters, we ...
0 votes, 0 answers, 59 views

How to fix Validation.EncodingRequired issue on outputstream for xls/xlsx getfiledata struts

I am getting Validation.EncodingRequired for xls/xlsx file upload code using the Struts framework: public ActionForward execute(ActionMapping mapping, ActionForm form, HttpServletRequest request, ...
0 votes, 0 answers, 43 views

AppScan issue: "Insecure "OPTIONS" HTTP Method Enabled" on Liberty server welcome page

I got an issue "Insecure "OPTIONS" HTTP Method Enabled" in my HCL AppScan report, while I’ve set up a filter to return 405 for any insecure HTTP method ("OPTIONS", "...
0 votes, 1 answer, 205 views

IBM AppScan identified a password parameter that was received in the query string meaning

I am trying to fix the issues in IBM AppScan results and I'm getting the flag: AppScan identified a password parameter that was received in the query string, with this command showing in the screen: GET ...
0 votes, 0 answers, 475 views

IBM AppScan - Port Listener Command Injection - JSF 2.2 & Primefaces - JBOSS 7.2 EAP

Original Post: IBM AppScan. We recently received results from IBM AppScan DAST and some of the results don't make much sense. Parameter: **javax.faces.source** Risk(s): It is possible to run remote ...
0 votes, 0 answers, 87 views

IBM Cloud foundry java services app: Class Not found exception

I'm trying to run my Java app on IBM Bluemix. The app is deployed successfully but it's unable to start. The logs contain an error message: Error: 2018-10-26T11:25:08.85+0530 [APP/PROC/WEB/0] ERR ...
0 votes, 2 answers, 2k views

Validation Required issue by IBM AppScan

IBM AppScan has thrown the error Validation Required while scanning my app for the following code: return Arrays.asList(System.getenv("PATH").split(":")); I am not sure why the error is thrown. ...
0 votes, 1 answer, 5k views

Solve "missing secure attribute in encrypted session (ssl) cookie" with Java

Recently, IBM Security AppScan found a "missing secure attribute in encrypted session (SSL) cookie" issue. The report is below: this app is coded in Java and I add a filter to set all cookies ...
0 votes, 0 answers, 271 views

BufferedReader issue in IBM Application Scanner

I am parsing a huge XML file using BufferedReader in my application, and while scanning it through IBM AppScan (which is a mandate in our organisation) it is showing a High vulnerability of Denial of ...
0 votes, 2 answers, 336 views

Issue while integration of IBM Application Security on Cloud (ASoC) with Jenkins

I am trying to integrate IBM Application Security on Cloud (ASoC) with Jenkins by using the "IBM Application Security on Cloud Plugin". I have successfully installed the plugin in Jenkins and ...
0 votes, 0 answers, 977 views

Another set-cookie attribute for secure flag

After adding the following tag in web.config <httpCookies requireSSL="true" /> I am getting "Set-Cookie:Secure" in every response header. But I can see there are duplicate &...
0 votes, 0 answers, 62 views

Use of method.invoke

I am new to Java. I am not able to understand the use of method.invoke. Could you please give me more detail? Java code: import java.util.Comparator; import java.lang.reflect.Method ...
0 votes, 3 answers, 149 views

Application Security on Cloud static analysis not working for me

I need some help with using the Application Security on Cloud application. I am trying to use the free plan to do a static scan. I have installed the Eclipse plugin and when attempting to scan a ...
0 votes, 0 answers, 27 views

Bluemix cloudant, when my project website started, it seems empty

I could deploy my project on Bluemix successfully, but I am not able to see any images, and it shows nothing while I am entering data in the input fields. I took the project from your GitHub and followed ...
0 votes, 1 answer, 573 views

Validate an object

There are various places where AppScan is throwing a Validation.Required error in my code, where I am setting an object. Now the object is set in two ways: A) ExceptionBldr excepBuilder = (ExceptionBldr) ...
0 votes, 2 answers, 709 views

IBM AppScan Security PathTraversal issue in File.Copy method in VB.Net

I ran the IBM AppScan tool on VB.Net source. I am getting one security issue in the File.Copy method under the Path Traversal category. Issue detail - Vulnerability Type - PathTraversal: This API accepts a ...
0 votes, 1 answer, 624 views

IBM Security Appscan returns MongoDB NoSQL Injection on SignalR connection

I have created a SignalR site that displays collected server data from our intranet. Everything works accordingly without issue. There are no user inputs on the page. It's essentially a dashboard. ...
0 votes, 2 answers, 152 views

How to get the Application Security ID for an IBM Bluemix Android app from the dashboard in the latest version?

I wanted to build an Android app on the IBM Bluemix platform, and an application security key is needed to run this application. I added the app security service as well. But I am not able to find the ...
0 votes, 1 answer, 152 views

IBM Bluemix Application Security on Cloud Service

I'm wanting to test out IBM's Application Security on Cloud for Bluemix on a dynamic web app. The issue I'm having is that after I declare that a login is required, the only fields to fill in are ...
0 votes, 0 answers, 56 views

How do I pull AppScan Source filter parameters from the database

Using the IBM AppScan SDK I can open an assessment and apply a filter to create a new assessment. What I would like to do is produce a report that shows the assessment had x findings to start with ...
-1 votes, 1 answer, 861 views

Permanent Cookie Contains Sensitive Session Information Laravel using Appscan security tool

I have scanned the Laravel project using the AppScan tool; I am facing the security issue "Permanent Cookie Contains Sensitive Session Information" in the AppScan security document. Here is my network ...
-4 votes, 2 answers, 187 views

How to make jQuery secure from XSS?

I have a website that uses jQuery and Bootstrap. Now when I run it through a scanning application, a bunch of issues show up, including the use of append(), html() and write(), pointing to XSS ...