Release Announcement – September 23, 2020
Published September 23, 2020
WRITTEN BY THE KIUWAN TEAM
Experienced developers, cyber-security experts, ALM consultants, DevOps gurus and some other dangerous species.
The Kiuwan team is excited to announce the availability of our latest release, featuring extended support for JSX React, the ability to check for dynamic components built using the Angular framework, and an updated plugin for Jenkins.
Angular dynamic components
We’ve expanded our JavaScript support with this release. Now, Kiuwan is able to check for dynamic components built in an Angular framework.
The underlying vulnerability in dynamic component construction is identical to other “eval injection” issues, as described in CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’). Dynamic component construction makes it possible for an attacker to “execute arbitrary code, or at least modify what code can be executed,” potentially giving the attacker full control of the browser environment.
JSX React
Previously, Kiuwan’s JavaScript implementation provided partial support for React. Now, this support is extended with JSX technology.
JSX, or JavaScript XML, is an XML-like syntax extension to ECMAScript that is part of the React library. The complete specification is available at Draft: JSX Specification.
The following elements have been identified as potential security flaws and are detected by the existing JS rules:
- The dangerouslySetInnerHTML attribute is the entry point for an XSS attack (see dangerouslySetInnerHTML).
- Server-side rendering of an attacker-controlled initial state causes XSS in React apps using Redux.
- XSS in explicit calls to React.createElement(…) with untrusted props or children (See Avoiding XSS in React is Still Hard).
- Attribute injection also leads to XSS.
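The server-side rendering item above, as an added example that is not Kiuwan's code: a vulnerable serializer for a Redux-style preloaded state beside a hardened one, with a check that can be run over the rendered HTML. The state value and the `__PRELOADED_STATE__` global are constructed for the example.

```javascript
// Added example (not Kiuwan's code): embedding a Redux initial state into an
// inline <script> during server-side rendering, the sink behind the
// "attacker-controlled initial state XSS" item above.

// Constructed sample state: the "name" value is attacker-controlled input that
// was stored earlier and is now part of the state the server renders.
const untrustedState = {
  user: { name: '</script><script>alert(document.cookie)</script>' },
  items: [],
};

// Vulnerable pattern: JSON.stringify alone. JSON does not escape "<", so a
// "</script>" inside a string value closes the inline script block and the
// HTML parser treats the remainder as markup, regardless of JS quoting.
function renderUnsafe(state) {
  return `<script>window.__PRELOADED_STATE__ = ${JSON.stringify(state)};</script>`;
}

// Hardened pattern: escape the characters that matter in an HTML script
// context with JSON string escapes. The result is still valid JSON (and a
// valid JS literal) but can no longer terminate the <script> element.
function serializeStateForHtml(state) {
  return JSON.stringify(state)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')   // raw U+2028/U+2029 are rejected inside
    .replace(/\u2029/g, '\\u2029');  // string literals by older JS engines
}

function renderSafe(state) {
  return `<script>window.__PRELOADED_STATE__ = ${serializeStateForHtml(state)};</script>`;
}

// Check a reviewer or scanner can apply to rendered output: if the body of
// the inline script still contains "</script", the data has broken out of it.
function scriptBreakout(html) {
  const body = html.slice(html.indexOf('<script>') + 8, html.lastIndexOf('</script>'));
  return /<\/script/i.test(body);
}

// Round trip: the escaped form decodes back to the original state on the client.
function roundTrip(state) {
  return JSON.parse(serializeStateForHtml(state));
}

console.log(renderSafe(untrustedState));
```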
In React, the HTML code is embedded in the JS code, so the HTML code must also be checked in order to mark sources, sinks, or neutralization points (For example: elements).
The embedded HTML code is also analyzed by Kiuwan with the rules from the HTML technology. The following existing checks may be applied:
- OPT.HTML.AutocompleteOnForSensitiveFields.
- OPT.HTML.MissingPasswordFieldMasking.
- OPT.HTML.TargetBlankVulnerability.
- OPT.HTML.SandboxAllowScriptsAndSameOrigin.
- OPT.HTML.SpecifyIntegrityAttribute.
Kiuwan plugin for Jenkins update
The Kiuwan Plugin for Jenkins allows you to execute a Kiuwan analysis as a Post-build action or as a Pipeline step. For full documentation or to download the plugin, refer to the links below:
In this release, we’ve updated the Kiuwan plugin for Jenkins as described below:
- Connection Profiles: Previously, the Kiuwan Jenkins Plugin’s connection settings were limited to one configuration per Jenkins installation. Now you can define several profiles and use multiple accounts, and Kiuwan On-Premises customers may use different environments.
- New analysis result dashboard.
- Improved support for short-lived nodes.
- Pipeline support.
Additional bug fixes and improvements
For a full list of additional bug fixes and improvements, refer to our Change Log.