Skip to main content

Severity Levels Update to Include Critical

With the addition of the Critical Severity, the entire set of SAST queries were reviewed for re-classification. As consequence, it means not only queries moving from High to Critical were reviewed, but also queries having lower severity were affected, while many queries had more meaningful severity changes.

Critical Severity Shift

By expanding the severity spectrum from 3 to 4 levels of severity, all queries had to be reviewed to ensure their classification remained appropriate.

As a result, for example, a query in the Low category that is more impactful than most others could be reassigned to a higher severity level.

severity-spectrum.png

Most affected by these are high-effort medium-impact vulnerabilities, exploitability of which is quite low, but not entirely negligible.

For example, the Secure flag could allow an attacker on the same network to steal user tokens by downgrading a connection to an insecure one. This depends on various factors such as HSTS and the HTTP client’s tolerance for downgrades, which is why queries related to the Secure flag have been raised from Low to Medium severity. Conversely, leaking code information via a stack trace may enable attackers to fingerprint a server's technology, but it doesn't pose a significant security risk and will remain classified as Low.

This added granularity provides a more nuanced approach to assessing risk within a less rigid severity system.

Most Significant Severity Changes

Severity changes can reflect various factors, such as shifting perceptions in the application security landscape, the expansion of exploitation techniques, and the evolution of technologies, all of which can alter overall risk over time. Another key reason is that SAST queries are designed to identify code weaknesses and classify them without context. Additional engines that provide context and risk calculations relieve SAST queries from the task of 'assuming context,' enabling them to focus on representing the inherent severity of the weakness, rather than attempting to infer and project a severity based on factors that are unknowable in a static context.

The following table represents the larger shifts, where severity was changed by more than one level:

Language

Query Name

Old Severity

New Severity

Reason

Java

CGI_Stored_XSS

Medium

Critical

Consistency.

All Stored XSS has a baseline severity of Critical, as it could allow attackers to poach high permission users without social engineering; this follows an improvement in CGI detection to raise confidence that the result is in code that relies on CGI in the first place.

Groovy

CGI_Stored_XSS

Medium

Critical

PHP

SSTI_Twig

SSTI_Twig

Critical

Updated during reevaluation of impact as this would lead to the same result as PHP code injection, which is also Critical.

Java

Stored_Code_Injection

Low

Critical

Historically, stored variants have had different severity compared to regular queries. We have reconsidered this approach. Stored variants are often as dangerous (if not more, in the case of Stored XSS), and stored inputs must be validated to ensure they cannot be tainted by malicious actors. What changes between variants of queries derived from a stored source, instead of user input, is a level of confidence and context that are not handled by the SAST engine itself.

Where a functionality for a stored source is used as intended, it must be validated. For example a design requiring evaluating code from a file, loading a SQL statement from a database, or dynamically executing a local program. These are still potential weaknesses, and must be validated during an audit rather than at the scan phase.

Java

Stored_Command_Injection

Medium

Critical

Java

Stored_Mongo_NoSQL_Injection

Low

Critical

CPP

Second_Order_SQL_Injection

Medium

Critical

CPP

Stored_Buffer_Overflow_boundcpy

Medium

Critical

CPP

Stored_Buffer_Overflow_cpycat

Medium

Critical

CPP

Stored_Buffer_Overflow_fgets

Medium

Critical

CPP

Stored_Buffer_Overflow_fscanf

Medium

Critical

ASP

Stored_Code_Injection

Medium

Critical

CSharp

Stored_Code_Injection

Low

Critical

Groovy

Stored_Code_Injection

Low

Critical

JavaScript

Stored_Code_Injection

Medium

Critical

Perl

Stored_Code_Injection

Medium

Critical

PHP

Stored_Code_Injection

Medium

Critical

Python

Stored_Code_Injection

Low

Critical

Ruby

Stored_Code_Injection

Medium

Critical

Scala

Stored_Code_Injection

Low

Critical

VB6

Stored_Code_Injection

Low

Critical

VbNet

Stored_Code_Injection

Low

Critical

CPP

Stored_Command_Injection

Medium

Critical

CSharp

Stored_Command_Injection

Medium

Critical

Groovy

Stored_Command_Injection

Medium

Critical

Kotlin

Stored_Command_Injection

Medium

Critical

Perl

Stored_Command_Injection

Medium

Critical

PHP

Stored_Command_Injection

Medium

Critical

Python

Stored_Command_Injection

Medium

Critical

Scala

Stored_Command_Injection

Medium

Critical

VbNet

Stored_Command_Injection

Medium

Critical

Java

JWT_Use_Of_None_Algorithm

Low

High

A JWT token with None validation is very likely to allow complete horizontal and vertical hijacking of all user accounts.

JavaScript

JWT_Use_Of_None_Algorithm

Low

High

Kotlin

JWT_Use_Of_None_Algorithm

Low

High

Scala

JWT_Use_Of_None_Algorithm

Low

High

PHP

Comparison_Timing_Attack

Low

High

This query has been improved to identify cryptographic or authentication contexts, which would allow detection of timing attacks specifically to disclose sensitive authentication information.

Ruby

Connection_String_Injection

Low

High

Parity with other languages.

Python

Debug_Enabled

Low

High

Debug mode for the Python servers as caught by this query isn’t limited to just debug information; it may also allow code execution with proper credentials, which could expose the server to significant risk when in production.

Java

Improper_Build_Of_Sql_Mapping

Low

High

SQL Injection variant, so severity changed to match SQL Injection.

Groovy

Improper_Build_Of_Sql_Mapping

Low

High

Go

Plain_Text_Transport_Layer_in_Server

Low

High

Parity

Objc

Use_of_Hardcoded_Cryptographic_Key

Low

High

Parity.

Other queries of this query set changed from Medium to High in mobile only.

Swift

Use_of_Hardcoded_Cryptographic_Key

Low

High

Java

Spring_Missing_Object_Level_Authorization

Information

Medium

Parity.

The original “Information” severity was incorrect, and has been fixed.

Swift

Third_Party_Keyboard_Enabled

Information

Medium

Parity.

Other queries of this query set were changed from Low to Medium.

Dart

WebView_Cache_Information_Leak

Medium

Information

This issue is highly unlikely to be exploited and is more of a coding practice concern.

Java

WebView_Cache_Information_Leak

Medium

Information

Kotlin

WebView_Cache_Information_Leak

Medium

Information