Monday, December 2, 2013 at 7:27AM

Looking for a Fortify rule that combines the power of structural rules with dataflow analysis? The (currently not well documented) CharacterizationRule is an awesome type of rule that lets you go beyond the restrictions of traditional dataflow rules: instead of naming a source or sink by method signature, you define the dataflow instructions (taint entry points, sinks, cleansers) on top of a structural match against the code.

Here's an example of a rule, used against a Java Spring controller class, that identifies tainted data from method parameters mapped with Spring's @RequestParam annotation. This can be used to identify, with static analysis, XSS flaws that were previously only found through dynamic testing.

    <CharacterizationRule formatVersion="3.17" language="java">
        <RuleID>34711D7A-C2BC-40B3-B1DE-B5C48EF65646</RuleID>
        <StructuralMatch><![CDATA[
            Function f: f.parameters contains [
                Variable v: v.annotations[0].type.name matches "org.springframework.web.bind.annotation.RequestParam"
            ]
        ]]></StructuralMatch>
        <Definition><![CDATA[
            TaintEntrypoint(v, {+XSS})
        ]]></Definition>
    </CharacterizationRule>
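To make the rule concrete, here is an added example (not from the original post) of a hypothetical Spring MVC controller showing the code shape the StructuralMatch above hits: a handler parameter whose first annotation is @RequestParam becomes an XSS taint entry point, which Fortify can then follow to the response. The class, package and handler names are invented; the assumption that Fortify's standard rulepack treats HtmlUtils.htmlEscape as an XSS cleanser is noted in the comments.

```java
package example.web;  // hypothetical package

import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.util.HtmlUtils;

@Controller
public class GreetingController {  // hypothetical controller

    // Matched by the structural rule: f = greet, and f.parameters contains a
    // Variable v ("name") whose annotations[0].type.name is
    // org.springframework.web.bind.annotation.RequestParam. The Definition
    // then marks v with +XSS taint, and the unencoded concatenation into the
    // response body gives the dataflow engine a source-to-sink path to report.
    @RequestMapping(value = "/greet", method = RequestMethod.GET)
    @ResponseBody
    public String greet(@RequestParam("name") String name) {
        return "<h1>Hello, " + name + "</h1>";
    }

    // Same entry point, but the value is HTML-encoded before it reaches the
    // response. Assumption: Fortify's rulepack models HtmlUtils.htmlEscape as
    // an XSS cleanser, so the taint introduced by the rule stops here.
    @RequestMapping(value = "/greet-safe", method = RequestMethod.GET)
    @ResponseBody
    public String greetSafe(@RequestParam("name") String name) {
        return "<h1>Hello, " + HtmlUtils.htmlEscape(name) + "</h1>";
    }

    // Caveat on the rule as written: it inspects only v.annotations[0], so a
    // parameter declared as "@SomeOther @RequestParam String name" would not
    // be matched because @RequestParam is no longer the first annotation.
}
```

When the rule is loaded alongside the standard rulepack, the first handler should produce an XSS finding whose source is the annotated parameter rather than a servlet API call.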