getdynamicflaws.do

The getdynamicflaws.do call returns information on a specific flaw.

Before using this API, Veracode strongly recommends that you read the API Usage and Access Guidelines.

Resource URL

https://analysiscenter.veracode.com/api/5.0/getdynamicflaws.do

Permissions

You need the Results API role to use this call.

Parameters

build_id Integer. Required.
flaw_id Integer. Required.

To locate the build_id and flaw_id values for getdynamicflaws.do, execute the following calls in order:

  1. getapplist.do, to get the app_id of the application.
  2. getbuildlist.do, to get the build_id of the build (scan) you are interested in.
  3. detailedreport.do, to list the flaws found in that build together with their IDs.

Example

curl --compressed -u <VeracodeUsername>:<VeracodePassword> \
          https://analysiscenter.veracode.com/api/5.0/getdynamicflaws.do \
          -F "build_id=12345" -F "flaw_id=5"

Results

The getdynamicflaws.do call returns a dynamicfinding XML document, which references dynamicscaninfo.xsd. Additional dynamicscaninfo.xsd schema documentation is available. Use the XSD file to validate the XML data before you process it. The following is an example of the returned XML. In this rendering of the example the line breaks inside the raw_request and raw_response attribute values have been collapsed, so the HTTP headers run together; in an actual response each header is on its own line.

<dynamicfinding xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 xmlns="https://analysiscenter.veracode.com/schema/4.0/dynamicfinding"
 xsi:schemaLocation="https://analysiscenter.veracode.com/schema/4.0/dynamicfinding https://analysiscenter.veracode.com/resource/4.0/dynamicscaninfo.xsd"
 app_id="111111" build_id="12345" flaw_id="5" engine_version="123" cwe_id="78"
 description="It is possible to execute arbitrary OS commands at
           http://veracode.com/smoketest/oscommandinjection/oscmd_get.php?command=bar%26ping.exe%3c%261127.0.0.1%26ping.exe%3c%261127.0.0.1%26ping.exe%3c%261127.0.0.1
           by injecting
           bar&amp;ping.exe&amp;lt;&amp;1127.0.0.1&amp;ping.exe&amp;lt;&amp;1127.0.0.1&amp;amp;ping.exe&amp;lt;&amp;1127.0.0.1
           into the value bar of URI query parameter command at position 0 parameter. OS command
           injection attacks are exploited by using shell meta characters to escape, or break out of,
           the hardcoded command and issue additional commands on the system."
 remediation="Do not allow the end user to submit data which will be used in constructing OS
           commands to be executed. If it is necessary to use user input, properly escape shell meta
           characters before including the input in operating system commands. Most APIs that execute
           system commands also have a &amp;quot;safe&amp;quot; version of the method that takes an
           array of strings as input rather than a single string, which protects against some forms
           of command injection."
 parameter_type="query_value" parameter_name="command"
 parameter="value bar of URI query parameter command at position 0" original_arg="bar"
 raw_response="HTTP/1.1 200 OKDate: Fri, 10 Feb 2012 03:08:15 GMTServer: Apache/2.2.4 (Win32)
           mod_auth_sspi/1.0.4 mod_perl/2.0.3 Perl/v5.8.8Content-Length: 11Content-Type: text/htmlYou got me!"
 injected_arg="bar&amp;ping.exe&amp;lt;&amp;1127.0.0.1&amp;ping.exe&amp;lt;&amp;amp;1127.0.0.1&amp;ping.exe&amp;lt;&amp;1127.0.0.1"
 referer_url="http://veracode.com/smoketest/oscommandinjection/oscmd_get.php?command=bar">
 <request host="10.0.4.148"
  port="http://veracode.com/smoketest/oscommandinjection/oscmd_get.php?command=bar%26ping.exe%3c%261127.0.0.1%26ping.exe%3c%261127.0.0.1%26ping.exe%3c%261127.0.0.1"
  secure="false"
  raw_request="GET /smoketest/oscommandinjection/oscmd_get.php?command=bar%26ping.exe%3c%261127.0.0.1%26ping.exe%3c%261127.0.0.1%26ping.exe%3c%261127.0.0.1 HTTP/1.1Host: 10.0.4.148User-Agent: FirefoxAccept:
           text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language:
           en-us,en;q=0.5Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7Referer: http://veracode.com/smoketest/oscommandinjection/"
  method="GET" protocol="HTTP/1.1"
  url="http://veracode.com/smoketest/oscommandinjection/oscmd_get.php?command=bar%26ping.exe%3c%261127.0.0.1%26ping.exe%3c%261127.0.0.1%26ping.exe%3c%261127.0.0.1"
  uri="/smoketest/oscommandinjection/oscmd_get.php?command=bar%26ping.exe%3c%261127.0.0.1%26ping.exe%3c%261127.0.0.1%26ping.exe%3c%261127.0.0.1"
  path="/smoketest/oscommandinjection/oscmd_get.php" body="">
  <header name="Host" value="10.0.4.148"/>
  <header name="User-Agent" value="Firefox"/>
  <header name="Accept" value="text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"/>
  <header name="Accept-Language" value="en-us,en;q=0.5"/>
  <header name="Accept-Charset" value="ISO-8859-1,utf-8;q=0.7,*;q=0.7"/>
  <header name="Referer" value="http://veracode.com/smoketest/oscommandinjection/"/>
 </request>
</dynamicfinding>
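The following Python script is an added example, not Veracode's own code, covering both the curl call under Example and the dynamicfinding document under Results. It issues the same request with urllib (it assumes the endpoint also accepts URL-encoded POST fields, where curl -F sends multipart fields, and uses the same HTTP basic credentials), parses the returned document namespace-aware, rejects any response whose root element is not dynamicfinding (for instance an error document), and cross-checks the injected_arg attribute against the query string in request/@url. Note that in the page's example injected_arg is HTML-entity-escaped a second time inside the XML attribute, so the parsed value still reads &lt; and one further unescape yields the literal payload. SAMPLE_FINDING is constructed from the example above, abbreviated to one injection segment.

```python
"""Fetch and parse a Veracode getdynamicflaws.do result (added example,
not Veracode's code). Assumes the v5.0 endpoint accepts URL-encoded POST
fields and the HTTP basic credentials shown on the page."""
import base64
import html
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

API_URL = "https://analysiscenter.veracode.com/api/5.0/getdynamicflaws.do"
# Namespace of the dynamicfinding document, taken from the page's example.
NS = {"df": "https://analysiscenter.veracode.com/schema/4.0/dynamicfinding"}


def fetch_dynamic_flaw(build_id: int, flaw_id: int, username: str, password: str) -> bytes:
    """POST build_id and flaw_id, return the raw XML bytes. Network call;
    the offline demo below does not exercise it."""
    body = urllib.parse.urlencode({"build_id": build_id, "flaw_id": flaw_id}).encode()
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(API_URL, data=body, method="POST")
    req.add_header("Authorization", f"Basic {token}")
    with urllib.request.urlopen(req, timeout=60) as resp:
        return resp.read()


def parse_dynamic_finding(xml_bytes: bytes) -> dict:
    """Extract the fields a triager needs; fail loudly on anything that is
    not a dynamicfinding document (e.g. an error response)."""
    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}dynamicfinding" % NS["df"]:
        raise ValueError("unexpected root element %r" % root.tag)
    req = root.find("df:request", NS)
    if req is None:
        raise ValueError("dynamicfinding has no <request> child")
    return {
        "app_id": int(root.get("app_id")),
        # .strip(): the page's sample carries a trailing space in build_id.
        "build_id": int(root.get("build_id").strip()),
        "flaw_id": int(root.get("flaw_id")),
        "cwe_id": int(root.get("cwe_id")),
        "parameter_type": root.get("parameter_type"),
        "parameter_name": root.get("parameter_name"),
        "original_arg": root.get("original_arg"),
        "injected_arg": root.get("injected_arg"),
        "method": req.get("method"),
        "secure": req.get("secure") == "true",
        "url": req.get("url"),
        "path": req.get("path"),
        "headers": {h.get("name"): h.get("value") for h in req.findall("df:header", NS)},
    }


def decoded_injected_arg(finding: dict) -> str:
    """injected_arg is entity-escaped once more inside the attribute in the
    page's example; undo that layer to get the payload the scanner sent."""
    return html.unescape(finding["injected_arg"])


def injected_value_from_url(finding: dict) -> str:
    """Recover the value of parameter_name from the request URL's query string
    (only meaningful for parameter_type="query_value" findings)."""
    if finding["parameter_type"] != "query_value":
        raise ValueError("not a query_value finding: %r" % finding["parameter_type"])
    query = urllib.parse.urlsplit(finding["url"]).query
    params = urllib.parse.parse_qs(query, keep_blank_values=True)
    return params[finding["parameter_name"]][0]


def payload_is_consistent(finding: dict) -> bool:
    """Sanity check: the decoded injected_arg must equal what the URL carried."""
    return decoded_injected_arg(finding) == injected_value_from_url(finding)


# Constructed from the page's example, abbreviated: one injection segment
# instead of three, and the description/remediation text shortened.
SAMPLE_FINDING = b"""<?xml version="1.0" encoding="UTF-8"?>
<dynamicfinding xmlns="https://analysiscenter.veracode.com/schema/4.0/dynamicfinding"
 app_id="111111" build_id="12345 " flaw_id="5" engine_version="123" cwe_id="78"
 description="It is possible to execute arbitrary OS commands (abbreviated)."
 remediation="Do not build OS commands from user input (abbreviated)."
 parameter_type="query_value" parameter_name="command"
 parameter="value bar of URI query parameter command at position 0" original_arg="bar"
 injected_arg="bar&amp;ping.exe&amp;lt;&amp;1127.0.0.1"
 referer_url="http://veracode.com/smoketest/oscommandinjection/oscmd_get.php?command=bar">
 <request host="10.0.4.148" secure="false" method="GET" protocol="HTTP/1.1"
  url="http://veracode.com/smoketest/oscommandinjection/oscmd_get.php?command=bar%26ping.exe%3c%261127.0.0.1"
  uri="/smoketest/oscommandinjection/oscmd_get.php?command=bar%26ping.exe%3c%261127.0.0.1"
  path="/smoketest/oscommandinjection/oscmd_get.php" body="">
  <header name="Host" value="10.0.4.148"/>
  <header name="User-Agent" value="Firefox"/>
  <header name="Referer" value="http://veracode.com/smoketest/oscommandinjection/"/>
 </request>
</dynamicfinding>
"""

if __name__ == "__main__":
    f = parse_dynamic_finding(SAMPLE_FINDING)
    print("CWE-%d in %s %r via %s %s" % (f["cwe_id"], f["parameter_type"],
                                          f["parameter_name"], f["method"], f["path"]))
    print("payload:", decoded_injected_arg(f))
    print("matches request URL:", payload_is_consistent(f))
```

Validation against dynamicscaninfo.xsd, as the Results section advises, needs a schema-aware parser such as lxml or the xmllint command-line tool; the standard-library ElementTree used here does not validate, which is why the script at least checks the root element and namespace before trusting any attribute.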