Configurable Injection Analyzer
Configuration Name: ConfigurableInjection
Description
The ConfigurableInjection analyzer sends user-specified strings as values of
input parameters of an API operation. This analyzer only sends the attack
vectors to non-header input parameters. This enables users of Sift to
configure specific attack vectors in an analysis run.
Configuration Parameters
The ConfigurableInjection analyzer requires configuration of one or more attack rules,
each consisting of a set of attack strings and an associated severity.
attacks: list of attack rules
Each attack rule in the attacks list is an object with the following fields:

- name: Name of the rule, used to identify any faults reported by the analyzer.
- file: Path of a file on the local filesystem that contains attack strings.
- injectionStrings: List of attack strings given directly in the configuration.
- severity: Severity to be reported in a finding if the rule fails. One of "high", "medium", or "low".
If specified, the value of file must be the name of a file that contains a list of attack strings, one per line:

```text
attackString1
attackString2
attackString3
...
attackStringN
```
If both file and injectionStrings are given, then the list of attack vectors is the combined list of strings found in both.
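The following is an added illustration, not Sift's own code, of how an analyzer could load rules shaped like the attacks list above (name, file, injectionStrings, severity), merge the file and inline strings, restrict injection to non-header parameters, and build a finding in the form of the SIF-100 row below. The operation/parameter structure, the function names, and the sample attack strings are assumptions made for this example.

```python
"""Illustrative loader for ConfigurableInjection-style attack rules.

Not Sift's code: the config shape follows the documented fields; the
'operation' structure ({"parameters": [{"name", "in"}]}) is an assumption.
"""
import os
import tempfile
from dataclasses import dataclass
from typing import List, Tuple

VALID_SEVERITIES = {"high", "medium", "low"}


@dataclass
class AttackRule:
    name: str
    severity: str
    vectors: List[str]


def load_attack_rules(config: dict) -> List[AttackRule]:
    """Build rules from a config dict with an 'attacks' list.

    Strings from 'file' (one per line, blank lines ignored) and from
    'injectionStrings' are combined; severity must be high, medium or low.
    """
    rules: List[AttackRule] = []
    for raw in config.get("attacks", []):
        if "name" not in raw:
            raise ValueError("attack rule is missing 'name'")
        severity = raw.get("severity")
        if severity not in VALID_SEVERITIES:
            raise ValueError(
                f"rule {raw['name']!r}: severity must be one of {sorted(VALID_SEVERITIES)}"
            )
        vectors: List[str] = []
        path = raw.get("file")
        if path:
            with open(path, encoding="utf-8") as fh:
                vectors.extend(line.rstrip("\r\n") for line in fh if line.strip())
        vectors.extend(raw.get("injectionStrings", []))
        if not vectors:
            raise ValueError(f"rule {raw['name']!r}: no attack strings configured")
        rules.append(AttackRule(raw["name"], severity, vectors))
    return rules


def build_requests(operation: dict, rules: List[AttackRule]) -> List[Tuple[str, str, str]]:
    """Return (rule name, parameter name, value) triples for every non-header
    parameter of the operation and every attack string of every rule."""
    planned = []
    for param in operation.get("parameters", []):
        if param.get("in") == "header":  # header parameters are never injected
            continue
        for rule in rules:
            for vector in rule.vectors:
                planned.append((rule.name, param["name"], vector))
    return planned


def make_finding(rule: AttackRule) -> dict:
    """Report a detected fault in the shape of the SIF-100 row."""
    return {
        "id": "SIF-100",
        "title": f"User Injection - {rule.name}",
        "severity": rule.severity,
    }


def demo() -> dict:
    """Run the pieces end to end on constructed sample input."""
    # Constructed sample: a temporary attack-string file plus inline strings.
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False, encoding="utf-8") as fh:
        fh.write("attackString1\nattackString2\n")
        path = fh.name
    try:
        config = {"attacks": [{
            "name": "sample-rule",
            "file": path,
            "injectionStrings": ["attackString3"],
            "severity": "medium",
        }]}
        rules = load_attack_rules(config)
        operation = {"parameters": [
            {"name": "id", "in": "path"},
            {"name": "X-Trace", "in": "header"},
            {"name": "q", "in": "query"},
        ]}
        requests = build_requests(operation, rules)
        return {
            "vectors": rules[0].vectors,
            "request_count": len(requests),
            "finding": make_finding(rules[0]),
        }
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

With the sample above, the two file strings and one inline string combine into three vectors, and only the path and query parameters receive them (two parameters times three vectors, six planned requests); the header parameter is skipped, as the description states.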
Faults Reported
The name and severity configuration fields of an attack rule are used when
reporting a finding for a detected fault. The name field is included in the
title of the fault, and the severity field sets the severity of the fault.
| Fault Identifier | Title | Summary | Solution | Severity |
|---|---|---|---|---|
| SIF-100 | User Injection - {name} | A user-specified string was used as an attack vector for an API operation that reads or updates a resource using a string identifier in the request. | API implementation should properly sanitize inputs. API should respond with a client error for an invalid identifier. | {severity} as configured |