Insecure API Calls
Description
The code uses potentially insecure API functions that can be exploited by attackers. These functions can be used to access sensitive data, execute system commands, or perform other malicious activities.
Examples
Insecure Code
c
strcpy(buffer, user_input);Secure Code
c
strncpy(buffer, user_input, sizeof(buffer) - 1); buffer[sizeof(buffer) - 1] = '\0';Remediation
Review the code and replace insecure API calls with secure alternatives. Ensure that all input data is validated and sanitized before passing it to API functions.
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0222 |
| Category | Injection |
| Severity | HIGH |
| CWE | CWE-78 |
| Confidence | MEDIUM |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | MODERATE |
| Tags | insecure-api, code-injection |
| OWASP | N/A |
References
- https://www.sei.cmu.edu/downloads/sei-cert-c-coding-standard-2016-v01.pdf
- https://github.com/0xdea/ghidra-scripts/blob/main/Rhabdomancer.java
- https://github.com/x509cert/banned/blob/master/banned.h
- https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/28719-banned-api-usage-use-updated-function-replacement
- https://g.co/kgs/PCHQjJ