## https://sploitus.com/exploit?id=F96B9E56-D0C9-53FD-B3C3-6E1C4956386E
# ๐ก๏ธ Static Application Security Testing (SAST): OWASP Mutillidae II



## ๐ Project Overview
This repository documents a security analysis of the **OWASP Mutillidae II** vulnerable web application.
The goal of this project was to implement **Static Application Security Testing (SAST)** into the development lifecycle. Instead of using pre-built rule sets, I developed **custom Semgrep rules** to identify specific coding flaws that lead to critical security vulnerabilities.
## ๐ฏ Learning Objectives
- **Understand** the mechanics of Rule-Based Static Analysis.
- **Identify** vulnerable code patterns (Sources and Sinks) manually.
- **Develop** custom YAML rules for the Semgrep engine.
- **Automate** the detection of SQL Injection and Cross-Site Scripting.
---
## ๐ Vulnerability Analysis
During the reconnaissance phase, the following vulnerabilities were identified in the source code:
### 1. ๐ SQL Injection (SQLi)
* **Severity:** `CRITICAL`
* **Location:** `src/classes/SQLQueryHandler.php`
* **Root Cause:** The application concatenates user-supplied variables directly into SQL query strings without using Prepared Statements or Parameterized Queries.
* **Impact:** Attackers can manipulate database queries to steal data, bypass authentication, or modify records.
### 2. ๐ Cross-Site Scripting (XSS)
* **Severity:** `HIGH`
* **Location:** `src/index.php`
* **Root Cause:** The application utilizes the PHP `echo` statement to output user input directly to the browser DOM without using sanitization functions like `htmlspecialchars()`.
* **Impact:** Attackers can execute malicious JavaScript in the victim's browser to steal session cookies or perform actions on their behalf.
---
## ๐ ๏ธ Custom Semgrep Rules
I developed a custom rule file (`sast-rules/sast-custom-rules.yaml`) to enforce secure coding standards.
### Rule 1: SQL Injection Detection
This rule flags any SQL `SELECT` statement that contains a PHP variable.
```yaml
- id: sast-sqli-check
patterns:
- pattern: '$query = "SELECT ... $VAR ...";'
message: "SAST ALERT: Possible SQL Injection. Variable used directly in SQL."
severity: ERROR
languages: [php]
### Rule 2: Reflected XSS Detection
- id: sast-xss-check
patterns:
- pattern: echo $VAR;
- pattern-not: echo htmlspecialchars(...);
message: "SAST ALERT: Possible XSS. Variable echoed without HTML encoding."
severity: WARNING
languages: [php]