
Customize the descriptions of findings

This article shows how to create a policy that customizes the description of individual findings in preZero.

You'll need the CONCLUSION and WHEN blocks for the categories you want to modify (e.g., xss-to-header); you can obtain these from Qwiet.

IMPORT io.shiftleft/default
IMPORT io.shiftleft/defaultdict

CONCLUSION xss-to-header = FLOW IO (http OR $http) -> IO (httpHeader)
WHEN CONCLUSION xss-to-header => EMIT {
title: "XSS: HTTP data to header {{via `$paramname`}} {{in `$methodname`}}",
category: "a7-XSS",
description: "Data from HTTP request parameters is stored in HTTP headers. Unless the string is validated, this may result in an XSS attack.

## Countermeasures

This vulnerability can be prevented by using input sanitization/validation techniques (e.g., allowlisting) on the HTTP data before using it inside another HTTP header.

## Internal help

Visit the slack channel #team-xss to learn more about XSS. We have many resources in our [Confluence page](http://example.com) on XSS.

## Additional information

**[CWE-79](https://cwe.mitre.org/data/definitions/79.html)**

**[OWASP-A7](https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A7-Cross-Site_Scripting_(XSS))**",
score: "8.0",
vulnerability_description: "XSS",
owasp_link: "https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A7-Cross-Site_Scripting_(XSS)",
link: "https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A7-Cross-Site_Scripting_(XSS)",
cwe_link: "https://cwe.mitre.org/data/definitions/79.html"
}

Now, preZero will use your custom descriptions when reporting its findings.
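Teams often keep the internal help text for several categories in one place and regenerate the policy from it. The script below is an added example, not Qwiet's tooling or part of the original article: it assembles the IMPORT / CONCLUSION / WHEN ... EMIT layout shown above from plain Python dicts and refuses to emit a block that is missing one of the keys used on this page. The escaping rules of the policy language are not described here, so values containing a double quote are rejected rather than guessed at, and the 0 to 10 range check on `score` is an assumption of this script, not a documented constraint.

```python
"""Build a preZero policy file that overrides finding descriptions.

Added example (not Qwiet's own tooling). It renders the IMPORT /
CONCLUSION / WHEN ... EMIT text shown on the page from Python dicts.
Assumptions: EMIT values are double-quoted strings with no escaping
(values containing '"' are rejected), and score is on a 0-10 scale.
"""
from __future__ import annotations

# Keys present in the EMIT block on the page; all are required here.
EMIT_KEYS = (
    "title", "category", "description", "score",
    "vulnerability_description", "owasp_link", "link", "cwe_link",
)

OWASP_A7 = ("https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/"
            "Top_10-2017_A7-Cross-Site_Scripting_(XSS)")

# Constructed sample: the xss-to-header conclusion from the page.
CONCLUSIONS = {
    "xss-to-header": "FLOW IO (http OR $http) -> IO (httpHeader)",
}

# Constructed sample description fields; description may contain Markdown.
XSS_FIELDS = {
    "title": "XSS: HTTP data to header {{via `$paramname`}} {{in `$methodname`}}",
    "category": "a7-XSS",
    "description": (
        "Data from HTTP request parameters is stored in HTTP headers. "
        "Unless the string is validated, this may result in an XSS attack.\n\n"
        "## Countermeasures\n\n"
        "Validate or allowlist HTTP data before using it inside another HTTP header.\n\n"
        "## Internal help\n\n"
        "Visit the Slack channel #team-xss to learn more about XSS."
    ),
    "score": "8.0",
    "vulnerability_description": "XSS",
    "owasp_link": OWASP_A7,
    "link": OWASP_A7,
    "cwe_link": "https://cwe.mitre.org/data/definitions/79.html",
}


def quoted(value: str) -> str:
    """Return value as a double-quoted policy string literal.

    The page does not document an escape syntax, so embedded double
    quotes are rejected instead of being escaped (assumption of this script).
    """
    if '"' in value:
        raise ValueError("double quotes in EMIT values are not supported here")
    return f'"{value}"'


def render_emit(conclusion: str, fields: dict[str, str]) -> str:
    """Render one WHEN CONCLUSION <name> => EMIT { ... } block."""
    missing = [k for k in EMIT_KEYS if k not in fields]
    if missing:
        raise ValueError(f"EMIT block for {conclusion} lacks: {', '.join(missing)}")
    score = float(fields["score"])  # assumed 0-10 scale, as on the page's "8.0"
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"score {score} outside 0-10")
    lines = [f"WHEN CONCLUSION {conclusion} => EMIT {{"]
    for i, key in enumerate(EMIT_KEYS):
        comma = "," if i < len(EMIT_KEYS) - 1 else ""
        lines.append(f"  {key}: {quoted(fields[key])}{comma}")
    lines.append("}")
    return "\n".join(lines)


def render_policy(conclusions: dict[str, str], emits: dict[str, dict[str, str]]) -> str:
    """Render a complete policy: imports, CONCLUSION lines, then EMIT blocks."""
    out = ["IMPORT io.shiftleft/default", "IMPORT io.shiftleft/defaultdict", ""]
    for name, flow in conclusions.items():
        out.append(f"CONCLUSION {name} = {flow}")
    out.append("")
    for name, fields in emits.items():
        if name not in conclusions:
            raise ValueError(f"no CONCLUSION defined for {name}")
        out.append(render_emit(name, fields))
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    print(render_policy(CONCLUSIONS, {"xss-to-header": XSS_FIELDS}))
```

Run the script and redirect its output to the policy file you hand to preZero; the generated text matches the block above line for line apart from the two-space indentation inside EMIT, and a missing key or a bad score fails the build instead of producing a half-filled finding description.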

(Screenshot: Finding with Custom Description)

The description field supports Markdown syntax.