
Application Security

Detect code vulnerabilities and apply automatic fixes with StackSpot AI

Application vulnerabilities can lead to unauthorized data access, data tampering, service interruptions, and execution of attacker-controlled code on your servers. This example demonstrates how to use StackSpot AI to detect application vulnerabilities and propose fixes automatically.

The steps below show how to detect and fix common code vulnerabilities using StackSpot AI:

  1. Create a Quick Command. A Quick Command centralizes and orchestrates a series of prompts, can consult a Knowledge Source, and can call external APIs.

  2. Optionally, load reference material and vulnerability-fix snippets into a Knowledge Source. A well-engineered prompt is often sufficient on its own; use a Knowledge Source for company-specific cases or for zero-day (newly disclosed) vulnerabilities the model has not been trained on.

  3. Provide a base of company-specific parameters (for example, AWS account, region, and naming standards) so that the suggested fixes match your environment.

  4. Engineer the prompts so that the model produces the results you need for your specific purpose.

  5. Add a step that integrates with GitHub and automatically opens an issue with the proposed patch for each vulnerability found.

  6. Finally, publish the Quick Command to a Workspace AI.

The Quick Command created searches for vulnerabilities based on the OWASP Top 10, explains each vulnerability, displays the code snippet where it applies, and suggests a code fix.

Code vulnerability fix examples

The Quick Command can be used to test hypotheses and to identify and fix code vulnerabilities automatically. The screenshots below show the corrections it suggested for known vulnerabilities in sample code.

Example 1. SQL Injection vulnerability in the Java language

SQL Injection is an attack in which untrusted input is interpreted as part of a SQL query. Attackers supply crafted SQL fragments through input fields such as web forms and URL parameters. If the application builds its queries by concatenating that input into the query string, the database executes the attacker's SQL, allowing them to read, modify, or delete data, bypass authentication, or, depending on the database, run commands on the server.

Before:

Screenshot of a java code with SQL Injection vulnerabilities

After:

Screenshot: StackSpot AI has fixed the detected vulnerability by replacing string concatenation with a parameterized query using Java PreparedStatement, so that user input is bound as a value rather than interpreted as SQL.
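The same concatenation-versus-binding difference, shown in runnable Python against an in-memory SQLite database instead of the page's Java snippet. This is an added example, not code from the original page or from StackSpot; the users table, the credentials in it and the attack payload are constructed for the demonstration. The `?` placeholders play the role that PreparedStatement parameters play in the Java fix.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a tiny users table in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "alice-pass"), ("bob", "bob-pass")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Before: the query is built by string concatenation, so a quote in the
    input ends the string literal and the rest of the input becomes SQL."""
    query = (
        "SELECT id FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone() is not None


def login_fixed(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """After: a parameterized query. The driver sends the SQL text and the
    values separately, so quotes or keywords in the input are compared as
    data and can never change the query's structure."""
    query = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    # Classic authentication bypass: password = '' OR '1'='1'
    payload = "' OR '1'='1"
    print("vulnerable login with payload:", login_vulnerable(db, "alice", payload))
    print("fixed login with payload:     ", login_fixed(db, "alice", payload))
    print("fixed login, real password:   ", login_fixed(db, "alice", "alice-pass"))
```

With the payload, the concatenated query becomes `... WHERE username = 'alice' AND password = '' OR '1'='1'`, which is always true, so the vulnerable function reports a successful login; the parameterized version looks for the literal password `' OR '1'='1` and finds nothing.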

Example 2. Hard-coded credentials vulnerability in the Java language

Hard-coded credentials are authentication details, such as usernames, passwords, access tokens, or API keys, embedded directly in an application's source code. This practice is risky because anyone with access to the code or its history, including developers, code reviewers, and attackers who obtain the repository or a build artifact, can read the credentials, and rotating them requires a code change and a new release. Instead, store secrets in a protected location, such as a secret manager or a protected configuration source, and load them at runtime.

Before:

Screenshot Java code containing exposed credentials.

After:

Screenshot: StackSpot AI has replaced the hard-coded username and password with a lookup in AWS Secrets Manager, reading the values from the stored secret at runtime.
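Two halves of this fix in Python, as an added example that is not code from the page or from StackSpot: a small scanner that flags credential-looking string literals in source (the detection side, run here over a constructed Java snippet) and a loader that takes the credentials from the process environment instead of the code (the runtime side). The regex, the variable-name keywords and the `DB_USER`/`DB_PASSWORD` environment variable names are assumptions for this example; the page's own fix reads the secret from AWS Secrets Manager, which is one way to populate such an environment, and that API call is omitted here so the block runs offline.

```python
import os
import re
from typing import Dict, List, Optional, Tuple

# Assumed keyword list: variable names containing one of these are treated as
# credentials. Tune it for your code base; it is an illustration, not a standard.
CREDENTIAL_NAME = r"(?:password|passwd|pwd|secret|api[_-]?key|access[_-]?key|token)"

# Matches `<name> = "<literal>"` or `<name> = '<literal>'` where <name> contains a
# credential keyword and the literal is a non-empty string of at least 4 characters.
HARDCODED_RE = re.compile(
    r"\b(?P<name>[A-Za-z0-9_]*" + CREDENTIAL_NAME + r"[A-Za-z0-9_]*)\s*=\s*"
    r"(?P<q>[\"'])(?P<value>[^\"'\s]{4,})(?P=q)",
    re.IGNORECASE,
)


def find_hardcoded_credentials(source: str) -> List[Tuple[int, str, str]]:
    """Returns (line_number, variable_name, literal_value) for every credential
    assigned from a string literal. Comment lines are skipped; a literal assigned
    from a lookup (environment, secret manager) does not match the regex."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if line.strip().startswith(("#", "//", "*", "/*")):
            continue
        for match in HARDCODED_RE.finditer(line):
            findings.append((lineno, match.group("name"), match.group("value")))
    return findings


def load_credentials(env: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """The runtime side of the fix: credentials come from the environment, which a
    secret manager or the deployment platform injects. A missing value is an
    error; never fall back to a default embedded in code."""
    env = os.environ if env is None else env
    try:
        return {"user": env["DB_USER"], "password": env["DB_PASSWORD"]}
    except KeyError as missing:
        raise RuntimeError(f"credential {missing} not provided by the environment") from None


# Constructed Java snippet standing in for the page's "before" screenshot.
SAMPLE_JAVA = """\
public class DbConfig {
    // connection settings
    private static final String DB_URL = "jdbc:postgresql://db.internal:5432/app";
    private static final String DB_USER = "app_user";
    private static final String DB_PASSWORD = "Sup3rS3cret!";
    private static final String apiKey = "example-api-key-0001";
}
"""

if __name__ == "__main__":
    for lineno, name, value in find_hardcoded_credentials(SAMPLE_JAVA):
        print(f"line {lineno}: {name} is assigned the literal {value!r}")
    print(load_credentials({"DB_USER": "app_user", "DB_PASSWORD": "from-secret-manager"}))
```

The scanner is intentionally simple: it catches the literal-assignment pattern the page's example shows and will miss secrets built by concatenation or stored in resource files, which is why a dedicated secret scanner in CI remains worthwhile alongside an AI review.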

Example 3. Cross-Site Scripting (XSS) vulnerability in the Python language

XSS (Cross-site scripting) is a significant security vulnerability in web applications. It allows attackers to inject scripts that execute in other users' browsers. The vulnerability arises when untrusted data is inserted into a web page without being escaped for the context in which it appears (HTML text, an attribute value, a script, a URL) and the page is then rendered in another user's browser. Consequences include session hijacking, cookie theft, redirection to malicious websites, and display of unwanted content.

Before:

Screenshot Python code vulnerable to XSS attacks.

After:

Screenshot: StackSpot AI detected the Cross-Site Scripting (XSS) vulnerability and fixed the code by HTML-escaping the user_input variable before it is rendered.
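The escaping fix from the screenshot, reconstructed as an added Python example (not the page's own code), with the vulnerable and hardened renderers side by side and a small check that parses the output to show whether the payload created new tags or attributes. It goes one step beyond the page by covering the attribute context as well as text content, since that is where `html.escape` must be called with `quote=True`. The `user_input` name comes from the page; the templates and the two payloads are constructed for the demonstration.

```python
import html
from html.parser import HTMLParser
from typing import List, Tuple


def render_vulnerable(user_input: str) -> str:
    """Before: untrusted input is interpolated straight into HTML text."""
    return f"<p>Hello, {user_input}!</p>"


def render_fixed(user_input: str) -> str:
    """After: escape for the HTML text context. '<', '>' and '&' become entities."""
    return f"<p>Hello, {html.escape(user_input, quote=True)}!</p>"


def render_attribute_vulnerable(user_input: str) -> str:
    """Before, attribute context: a double quote in the input closes the value."""
    return f'<input type="text" value="{user_input}">'


def render_attribute_fixed(user_input: str) -> str:
    """After, attribute context: quote=True also escapes '"' and "'", and the
    value must sit inside quotes in the template for that to be enough."""
    return f'<input type="text" value="{html.escape(user_input, quote=True)}">'


class _Collector(HTMLParser):
    """Records every start tag and its attribute names as a browser would parse them."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: List[Tuple[str, List[str]]] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, [name for name, _ in attrs]))


def parsed_tags(markup: str) -> List[Tuple[str, List[str]]]:
    """Parses rendered HTML and returns [(tag, [attribute names]), ...]."""
    collector = _Collector()
    collector.feed(markup)
    collector.close()
    return collector.tags


# Constructed payloads: one for the text context, one for the attribute context.
SCRIPT_PAYLOAD = "<script>alert(document.cookie)</script>"
ATTR_PAYLOAD = '" onfocus="alert(1)" autofocus="'

if __name__ == "__main__":
    print(parsed_tags(render_vulnerable(SCRIPT_PAYLOAD)))         # p and script
    print(parsed_tags(render_fixed(SCRIPT_PAYLOAD)))              # only p
    print(parsed_tags(render_attribute_vulnerable(ATTR_PAYLOAD)))  # onfocus attribute
    print(parsed_tags(render_attribute_fixed(ATTR_PAYLOAD)))       # only type and value
```

Escaping is context-specific: `html.escape` is correct for text and quoted attribute values, but data placed inside a `<script>` block or a URL needs a different encoder, and a template engine with autoescaping enabled is the more robust default.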

Example 4. XML external Entity (XXE) vulnerability in the Python language

XML External Entity (XXE) is a vulnerability in systems that process XML documents. It occurs when an application parses XML input containing references to external entities and the parser resolves them, giving an attacker access to system resources or the ability to trigger unwanted actions. Through XXE an attacker can read local files, interact with internal services (server-side request forgery), cause denial of service, and in some configurations achieve remote code execution. The result can be leakage of confidential data and compromise of the system.

Before:

Screenshot Python code with XXE vulnerability

After:

Screenshot: In the corrected code, a parser is passed to etree.fromstring through the 'parser' keyword argument. The parser is an lxml XMLParser created with 'resolve_entities' set to False, which stops the parser from resolving external entities and removes the XXE vector.
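A runnable demonstration of the file-read XXE the page describes and of the effect of disabling external entity resolution. This is an added example, not the page's code: it uses the standard library's `xml.sax` parser, whose `feature_external_ges` flag is the equivalent of lxml's `resolve_entities=False` shown in the screenshot, so that it runs without lxml installed. The "secret" file is created in a temporary directory by the example itself, and the attacker document referencing it is constructed inline.

```python
import io
import os
import tempfile
import xml.sax
from typing import Tuple
from xml.sax import handler


class _TextCollector(handler.ContentHandler):
    """Concatenates the character data of every element in document order."""

    def __init__(self) -> None:
        super().__init__()
        self.parts = []

    def characters(self, content: str) -> None:
        self.parts.append(content)


def parse_text(xml_bytes: bytes, resolve_external_entities: bool) -> str:
    """Parses XML and returns its text content.

    feature_external_ges controls whether external general entities, declared as
    <!ENTITY name SYSTEM "..."> and referenced as &name;, are fetched and inlined.
    True reproduces the vulnerable configuration; False is the fix (and is the
    default in current Python versions, which this example sets explicitly)."""
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, resolve_external_entities)
    collector = _TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.parts)


def xxe_demo() -> Tuple[str, str]:
    """Feeds the same attacker-controlled document to both configurations and
    returns (text seen by the vulnerable parser, text seen by the fixed parser)."""
    # Constructed stand-in for a sensitive local file such as /etc/passwd.
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as secret:
        secret.write("s3cr3t-db-password")
        secret_path = secret.name
    try:
        attacker_xml = (
            '<?xml version="1.0"?>\n'
            '<!DOCTYPE order [<!ENTITY xxe SYSTEM "' + secret_path + '">]>\n'
            "<order><note>&xxe;</note></order>"
        ).encode()
        return parse_text(attacker_xml, True), parse_text(attacker_xml, False)
    finally:
        os.unlink(secret_path)


if __name__ == "__main__":
    vulnerable, fixed = xxe_demo()
    print("external entities resolved:", repr(vulnerable))   # the file contents
    print("external entities disabled:", repr(fixed))        # empty string
```

With resolution enabled the contents of the local file come back inside the `<note>` element, exactly the data exfiltration the page warns about; with it disabled the entity reference expands to nothing. A stricter policy for untrusted input is to reject any document carrying a DOCTYPE at all, which the defusedxml package does for the standard-library parsers.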

Example 5. Creating a public bucket with a risk of data leakage in the Terraform language

A publicly readable bucket is a misconfiguration rather than a code vulnerability, but it is not recommended except in specific cases (for example, deliberately published static content), because anything written to the bucket can be read by anyone on the Internet.

Before:

Screenshot Terraform code that creates a public S3 Bucket.

After:

Screenshot: StackSpot AI has removed public access from the S3 bucket and restricted its access policy.
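The page's fix is expressed in Terraform; this added example (not from the page or from StackSpot) performs the same check on the bucket policy document itself, in Python so that it can run offline: it flags Allow statements whose Principal is the wildcard that makes a bucket public, and produces a hardened copy that restricts the principal to the owning account. The sample policy, the bucket name and the account ID `123456789012` are constructed placeholders.

```python
import copy
from typing import Any, Dict, List

# Constructed example: a public-read bucket policy of the kind the "before"
# Terraform would attach. Not taken from the page.
PUBLIC_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
        }
    ],
}


def _principals(principal: Any) -> List[str]:
    """Flattens the Principal element ("*", {"AWS": "*"}, {"AWS": [...]}) to strings."""
    if isinstance(principal, str):
        return [principal]
    if isinstance(principal, dict):
        flat: List[str] = []
        for value in principal.values():
            flat.extend(value if isinstance(value, list) else [value])
        return flat
    return []


def _statements(policy: Dict[str, Any]) -> List[Dict[str, Any]]:
    statements = policy.get("Statement", [])
    return [statements] if isinstance(statements, dict) else list(statements)


def public_statements(policy: Dict[str, Any]) -> List[str]:
    """Returns the Sid (or a positional label) of every Allow statement that grants
    access to any principal. A Condition may narrow such a statement, but it still
    needs review, so conditional statements are reported as well."""
    findings = []
    for index, stmt in enumerate(_statements(policy)):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" in _principals(stmt.get("Principal")):
            findings.append(stmt.get("Sid", f"Statement[{index}]"))
    return findings


def harden_policy(policy: Dict[str, Any], account_id: str) -> Dict[str, Any]:
    """Returns a copy of the policy in which every wildcard principal is replaced
    by the account root, so only identities in that account (subject to their own
    IAM permissions) can use the statement. The input policy is left untouched."""
    hardened = copy.deepcopy(policy)
    owner = {"AWS": f"arn:aws:iam::{account_id}:root"}
    for stmt in _statements(hardened):
        if stmt.get("Effect") == "Allow" and "*" in _principals(stmt.get("Principal")):
            stmt["Principal"] = owner
    return hardened


if __name__ == "__main__":
    print("public statements before:", public_statements(PUBLIC_POLICY))
    fixed = harden_policy(PUBLIC_POLICY, "123456789012")
    print("public statements after: ", public_statements(fixed))
    print(fixed["Statement"][0]["Principal"])
```

Restricting the policy is only half of the fix the screenshot shows: the bucket should also carry a public access block (block public ACLs, ignore public ACLs, block public policy, restrict public buckets, all enabled) so that a later policy or ACL change cannot reopen it.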
