Likelihood rule attributes

The Attribute.Likelihood.High and Attribute.Likelihood.Low attributes are part of the built-in rules and can be used when creating custom rules.

In AppScan® Source, likelihood represents the probability or chance that a security finding can be exploited. AppScan Source takes the definition of likelihood that is presented at https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology#Step_2:_Factors_for_Estimating_Likelihood, and refines it by determining likelihood based on trace properties. Given a set of trace properties - for example, Source API name, Source API type, Source Technology, or Source Mechanism - AppScan Source determines the likelihood that a trace can or will be exploited using a specific vulnerability in the future.

Likelihood is tied to the source element of a trace. A source is an input to the program, such as a file, servlet request, console input, or socket. For most input sources, the data returned is unbounded in terms of content and length. When an input is unchecked, it is considered a source of taint.

Likelihood examples include:

  • Given a trace with an HTTP source (for example, Request.getQueryString) and a cross-site scripting sink (for example, Response.write), a high likelihood is determined, thereby raising the confidence of the finding.
  • Given a trace with a system property source (for example, getProperty) and a cross-site scripting sink (for example, Response.write), a low likelihood is determined, thereby lowering the confidence of the finding.

Likelihood is used to identify high priority actionable findings that must be acted on or fixed immediately. It is tied to highly-exploitable sources of taint and can provide you with a more fine-grained approach for classifying findings. Likelihood is stored as an attribute that is tied to a source of taint, in the AppScan Source vulnerability database. The feature is available out-of-the-box.

We have conducted extensive research in order to determine the likelihood factor for sources. Using the Custom Rules Wizard, you can add likelihood information to new sources of taint that you add to your rule base. This will improve the classification of findings generated from a scan and, in turn, improve the efficiency of your overall triage workflow.

In the Custom Rules Wizard, there are two values (High and Low) that you can set for the Likelihood property. A value of High means that the source is very susceptible to taint. In other words, the barrier to taint entering the system is very low making it easy for attackers to submit malicious data either manually or in an automated fashion. A value of Low means that the barrier to entering malicious data through this source is very high. This could mean that in order for taint to be introduced to the source, an attacker would have to have insider knowledge of the system and have permissions to operate on the victim's network.