The PHP security engine detects 9 additional security problems related to XXE, CORS, Session Management, CSRF and more

Hello PHP developers,

We upgraded the PHP security engine to detect more issues. These issues increase our coverage of the most common security risks (OWASP Top 10 and CWE Top 25).

Here is the list of the new Vulnerabilities that can be detected:

  • S2755: XML parsers should not be vulnerable to XXE attacks
  • S5808: Authorizations should be based on strong decisions
  • S5876: A new session should be created during user authentication

And here is the list of the new Security Hotspots:

  • S2612: Setting loose file permissions is security-sensitive
  • S4502: Disabling CSRF protections is security-sensitive
  • S5332: Using clear-text protocols is security-sensitive
  • S5693: Allowing requests with excessive content length is security-sensitive
  • S5122: Having a permissive Cross-Origin Resource Sharing policy is security-sensitive
  • S5042: Expanding archive files without controlling resource consumption is security-sensitive

These new rules are available on SonarCloud, and will be included in SonarQube 8.7.

Alex

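As an added illustration (example code written for this page, not code from the Sonar post or from the rules' own documentation), here is the kind of PHP the three rules S2755, S5876 and S5122 flag, each vulnerable pattern beside a hardened form. The XML payload, the user ID and the origin allowlist are constructed for the example; function names are assumptions.

```php
<?php
// Added example for S2755 (XXE), S5876 (new session on login) and
// S5122 (permissive CORS). All inputs below are constructed for illustration.

// --- S2755: XML parsers should not be vulnerable to XXE ------------------
// Constructed attacker payload: an external entity pointing at a local file.
$untrustedXml = <<<'XML'
<?xml version="1.0"?>
<!DOCTYPE data [ <!ENTITY ext SYSTEM "file:///etc/hostname"> ]>
<data><value>&ext;</value></data>
XML;

// Vulnerable: LIBXML_NOENT asks libxml to substitute entities, so &ext; is
// resolved and the referenced file ends up in the parsed document.
function parseXmlVulnerable(string $xml)
{
    return simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NOENT);
}

// Hardened: never pass LIBXML_NOENT, forbid network fetches with LIBXML_NONET,
// and on PHP < 8.0 (where the external loader is on by default) disable it.
function parseXmlHardened(string $xml): SimpleXMLElement
{
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);
    }
    libxml_use_internal_errors(true);
    $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET);
    if ($doc === false) {
        throw new RuntimeException('XML parse error: ' . print_r(libxml_get_errors(), true));
    }
    return $doc; // <value> stays the literal text "&ext;" unexpanded
}

// --- S5876: a new session should be created during authentication --------
// Vulnerable shape: $_SESSION['user'] = $userId with the pre-login session ID
// kept, which lets an attacker who planted that ID ride the authenticated
// session (session fixation).
function loginHardened(string $userId): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true);       // fresh ID, old session record deleted
    $_SESSION['user'] = $userId;
}

// --- S5122: permissive CORS policy ----------------------------------------
// Vulnerable shape: header('Access-Control-Allow-Origin: *') on every
// response, which lets any site read the (possibly credentialed) reply.
// Hardened: exact-match allowlist; unknown origins get no CORS header at all.
const ALLOWED_ORIGINS = ['https://app.example.com']; // assumed allowlist

function corsOriginFor(?string $requestOrigin): ?string
{
    if ($requestOrigin !== null && in_array($requestOrigin, ALLOWED_ORIGINS, true)) {
        return $requestOrigin;
    }
    return null;
}

function emitCorsHeaders(?string $requestOrigin): void
{
    $origin = corsOriginFor($requestOrigin);
    if ($origin !== null) {
        header('Access-Control-Allow-Origin: ' . $origin);
        header('Vary: Origin'); // caches must not reuse the reply across origins
    }
}

// Usage: the hardened parser leaves the entity unexpanded.
$safe = parseXmlHardened($untrustedXml);
echo (string) $safe->value, PHP_EOL;
var_dump(corsOriginFor('https://evil.example'));       // NULL
var_dump(corsOriginFor('https://app.example.com'));    // string(23) "https://app.example.com"
```

Note that on PHP 8 the external entity loader is off unless LIBXML_NOENT is passed, so the vulnerable function above is exactly the explicit opt-in the rule looks for; the hardened version stays safe on both branches.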