Done
Details
Assignee: Yassin Kammoun
Reporter: Yassin Kammoun
Fix versions
Priority: Normal
Created May 22, 2024 at 8:38 AM
Updated October 16, 2024 at 12:53 PM
Resolved June 5, 2024 at 1:31 PM
While discovering a bug in Whistle, an HTTP debugging proxy, the vulnerability researchers from the R&D Team reported that rule S5122 does not detect this vulnerability. However, the rule description shows a noncompliant code example that is similar to the vulnerability they found (see the user-controlled origin subsection). It seems that the RSPEC was updated some time ago but the rule implementation was not.
The purpose of this ticket is to update the rule implementation to detect the vulnerability. The improvement should ensure the following:
- The rule should detect the vulnerability in the code snippet of the RSPEC.
- The rule should detect the vulnerability in the reproducer provided by the vulnerability researchers.
- The rule should detect the vulnerability in the original codebase where the vulnerability was found.
Vulnerability in Whistle’s codebase
The suggested code fix in the RSPEC seems too specific to kill the noise. When tackling the implementation, one might want to ask the AppSec Squad whether there are more code patterns that validate the origin and that the rule should consider.
Original Discuss report from the R&D Team
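As an added illustration (not the RSPEC snippet, the researchers' reproducer, or Whistle's code), the sketch below contrasts the user-controlled origin shape the rule is expected to flag with one origin-validating shape it should accept. The function names, the allow-list and the sample origins are all constructed for this example.

```javascript
// Added illustration: names and origins below are constructed, not taken from
// the RSPEC snippet or from Whistle.

// Noncompliant shape: the Origin request header flows unchecked into
// Access-Control-Allow-Origin, so every origin is effectively allowed.
function corsHeadersReflected(requestHeaders) {
  const origin = requestHeaders.origin;
  return origin ? { 'Access-Control-Allow-Origin': origin } : {};
}

// Validating shape: exact string match against a fixed allow-list.
const TRUSTED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com',
]);

function corsHeadersAllowListed(requestHeaders) {
  const origin = requestHeaders.origin;
  if (typeof origin !== 'string' || !TRUSTED_ORIGINS.has(origin)) {
    return {}; // no CORS headers: the browser blocks the cross-origin read
  }
  return { 'Access-Control-Allow-Origin': origin, Vary: 'Origin' };
}

// Constructed request origins, including look-alikes that prefix or
// substring checks would accept but an exact match rejects.
const SAMPLE_ORIGINS = [
  'https://app.example.com',
  'https://app.example.com.untrusted.test',
  'https://untrusted.test',
  'null',
];

// Returns, per sample origin, what each handler would echo back.
function compare() {
  return SAMPLE_ORIGINS.map((origin) => ({
    origin,
    reflected: corsHeadersReflected({ origin })['Access-Control-Allow-Origin'] ?? null,
    allowListed: corsHeadersAllowListed({ origin })['Access-Control-Allow-Origin'] ?? null,
  }));
}

console.table(compare());
```

An exact-match allow-list is only one validating pattern; which others the rule should treat as safe is the open question the ticket raises.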