Merge branch 'docs-describe-dast-active-checks' into 'master'

Document more DAST active checks See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/133442 Merged-by: Russell Dickenson <rdickenson@gitlab.com> Approved-by: David Nelson <dnelson@gitlab.com> Approved-by: Russell Dickenson <rdickenson@gitlab.com> Reviewed-by: David Nelson <dnelson@gitlab.com> Co-authored-by: Cameron Swords <cswords@gitlab.com>

Merge branch 'docs-describe-dast-active-checks' into 'master'
810683c3 · Russell Dickenson · 11d2e83e · 92a1e8e5 · 810683c3 · 810683c3
--- a/doc/user/application_security/dast/checks/89.1.md
+++ b/doc/user/application_security/dast/checks/89.1.md
+---
+stage: Secure
+group: Dynamic Analysis
+info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments
+---
+# SQL Injection
+## Description
+It is possible to execute arbitrary SQL commands on the target application server's
+backend database.
+SQL Injection is a critical vulnerability that can lead to a data or system
+compromise.
+## Remediation
+Always use parameterized queries when issuing requests to backend database systems. In
+situations where dynamic queries must be created, never use direct user input, but
+instead use a map or dictionary of valid values and resolve them using a user-supplied key.
+For example, some database drivers do not allow parameterized queries for `>` or `<` comparison
+operators. In these cases, do not use a user supplied `>` or `<` value, but rather have the user
+supply a `gt` or `lt` value. The alphabetical values are then used to look up the `>` and `<`
+values to be used in the construction of the dynamic query. The same goes for other queries where
+column or table names are required but can not be parameterized.
+## Details
+| ID | Aggregated | CWE | Type | Risk |
+|:---|:--------|:--------|:--------|:--------|
+| 89.1 | false | 89 | Active | high |
+## Links
+- [OWASP](https://owasp.org/www-community/attacks/SQL_Injection)
+- [CWE](https://cwe.mitre.org/data/definitions/89.html)
--- a/doc/user/application_security/dast/checks/917.1.md
+++ b/doc/user/application_security/dast/checks/917.1.md
+---
+stage: Secure
+group: Dynamic Analysis
+info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments
+---
+# Expression Language Injection
+## Description
+It is possible to execute arbitrary Expression Language (EL) statements on the target
+application server. EL injection is a critical severity vulnerability that can lead to
+full system compromise. EL injection can occur when attacker-controlled data is used to construct
+EL statements without neutralizing special characters. These special characters could modify the
+intended EL statement prior to it being executed by an interpreter.
+## Remediation
+User-controlled data should always have special elements neutralized when used as part of
+constructing Expression Language statements. Please consult the documentation for the EL
+interpreter in use on how properly neutralize user controlled data.
+## Details
+| ID | Aggregated | CWE | Type | Risk |
+|:---|:--------|:--------|:--------|:--------|
+| 917.1 | false | 917 | Active | high |
+## Links
+- [CWE](https://cwe.mitre.org/data/definitions/917.html)
+- [OWASP](https://owasp.org/www-community/vulnerabilities/Expression_Language_Injection)
+- [Expression Language Injection [PDF]](https://mindedsecurity.com/wp-content/uploads/2020/10/ExpressionLanguageInjection.pdf)
--- a/doc/user/application_security/dast/checks/94.1.md
+++ b/doc/user/application_security/dast/checks/94.1.md
+---
+stage: Secure
+group: Dynamic Analysis
+info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments
+---
+# Server-side code injection (PHP)
+## Description
+The target application was found vulnerable to code injection. A malicious actor could inject arbitrary
+PHP code to be executed on the server. This could lead to a full system compromise by accessing
+stored secrets, injecting code to take over accounts, or executing OS commands.
+## Remediation
+Never pass user input directly into functions which evaluate string data as code, such as `eval`.
+There is almost no benefit of passing string values to `eval`, as such the best recommendation is
+to replace the current logic with more safe implementations of dynamically evaluating logic with
+user input. One alternative is to use an `array()`, storing expected user inputs in an array
+key, and use that key as a look up to execute functions:
+```php
+$func_to_run = function()
+{
+    print('hello world');
+};
+$function_map = array();
+$function_map["fn"] = $func_to_run; // store additional input to function mappings here
+$input = "fn";
+// lookup "fn" as the key
+if (array_key_exists($input, $function_map)) {
+    // run the $func_to_run that was stored in the "fn" array hash value.
+    $func = $function_map[$input];
+    $func();
+} else {
+    print('invalid input');
+}
+```
+## Details
+| ID | Aggregated | CWE | Type | Risk |
+|:---|:--------|:--------|:--------|:--------|
+| 94.1 | false | 94 | Active | high |
+## Links
+- [CWE](https://cwe.mitre.org/data/definitions/94.html)
+- [OWASP](https://owasp.org/www-community/attacks/Code_Injection)
--- a/doc/user/application_security/dast/checks/94.2.md
+++ b/doc/user/application_security/dast/checks/94.2.md
+---
+stage: Secure
+group: Dynamic Analysis
+info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments
+---
+# Server-side code injection (Ruby)
+## Description
+The target application was found vulnerable to code injection. A malicious actor could inject arbitrary
+Ruby code to be executed on the server. This could lead to a full system compromise by accessing
+stored secrets, injecting code to take over accounts, or executing OS commands.
+## Remediation
+Never pass user input directly into functions which evaluate string data as code, such as `eval`,
+`send`, `public_send`, `instance_eval` or `class_eval`. There is almost no benefit of passing string 
+values to these methods, as such the best recommendation is to replace the current logic with more safe
+implementations of dynamically evaluating logic with user input. If using `send` or `public_send` ensure
+the first argument is to a known, hardcoded method/symbol and does not come from user input. 
+For `eval`, `instance_eval` and `class_eval`, user input should never be sent directly to these methods.
+One alternative is to store functions or methods in a Hash that can be looked up using a key. If the key
+exists, the function can be executed.
+```ruby
+def func_to_run
+  puts 'hello world'
+end
+input = 'fn'
+function_map = { fn: method(:func_to_run) }
+if function_map.key?(input.to_sym)
+  function_map[input.to_sym].call
+else
+  puts 'invalid input'
+end
+```
+## Details
+| ID | Aggregated | CWE | Type | Risk |
+|:---|:--------|:--------|:--------|:--------|
+| 94.2 | false | 94 | Active | high |
+## Links
+- [CWE](https://cwe.mitre.org/data/definitions/94.html)
--- a/doc/user/application_security/dast/checks/94.3.md
+++ b/doc/user/application_security/dast/checks/94.3.md
+---
+stage: Secure
+group: Dynamic Analysis
+info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments
+---
+# Server-side code injection (Python)
+## Description
+The target application was found vulnerable to code injection. A malicious actor could inject arbitrary
+Python code to be executed on the server. This could lead to a full system compromise by accessing
+stored secrets, injecting code to take over accounts, or executing OS commands.
+## Remediation
+Never pass user input directly into functions which evaluate string data as code, such as `eval`,
+or `exec`. There is almost no benefit of passing string values to these methods, as such the best
+recommendation is to replace the current logic with more safe implementations of dynamically evaluating
+logic with user input. One alternative is to store functions or methods in a hashmap that can be looked
+up using a key. If the key exists, the function can be executed.
+```python
+def func_to_run():
+    print('hello world')
+function_map = {'fn': func_to_run}
+input = 'fn'
+if input in function_map:
+    function_map[input]()
+else:
+    print('invalid input')
+```
+## Details
+| ID | Aggregated | CWE | Type | Risk |
+|:---|:--------|:--------|:--------|:--------|
+| 94.3 | false | 94 | Active | high |
+## Links
+- [CWE](https://cwe.mitre.org/data/definitions/94.html)
--- a/doc/user/application_security/dast/checks/943.1.md
+++ b/doc/user/application_security/dast/checks/943.1.md
+---
+stage: Secure
+group: Dynamic Analysis
+info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments
+---
+# Improper neutralization of special elements in data query logic
+## Description
+The application generates a query intended to interact with MongoDB,
+but it does not neutralize or incorrectly neutralizes special elements
+that can modify the intended logic of the query.
+## Remediation
+Refactor find or search queries to use standard
+filtering operators such as `$gt` or `$in` instead of broad operators such
+as `$where`. If possible, disable the MongoDB JavaScript interface entirely.
+## Details
+| ID | Aggregated | CWE | Type | Risk |
+|:---|:--------|:--------|:--------|:--------|
+| 943.1 | false | 943 | Active | high |
+## Links
+- [CWE](https://cwe.mitre.org/data/definitions/943.html)
+- [Disabling MongoDB Server Side JS](https://www.mongodb.com/docs/manual/core/server-side-javascript/#std-label-disable-server-side-js)
--- a/doc/user/application_security/dast/checks/index.md
+++ b/doc/user/application_security/dast/checks/index.md
@@ -170,4 +170,11 @@ The [DAST browser-based crawler](../browser_based.md) provides a number of vulne
 | [113.1](113.1.md) | Improper Neutralization of CRLF Sequences in HTTP Headers | High | Active |
 | [22.1](22.1.md) | Improper limitation of a pathname to a restricted directory (Path traversal) | High | Active |
 | [611.1](611.1.md) | External XML Entity Injection (XXE) | High | Active |
+| [89.1](89.1.md) | SQL Injection | High | Active |
+| [917.1](917.1.md) | Expression Language Injection | High | Active |
+| [94.1](94.1.md) | Server-side code injection (PHP) | High | Active |
+| [94.2](94.2.md) | Server-side code injection (Ruby) | High | Active |
+| [94.3](94.3.md) | Server-side code injection (Python) | High | Active |
 | [94.4](94.4.md) | Server-side code injection (NodeJS) | High | Active |
+| [943.1](943.1.md) | Improper neutralization of special elements in data query logic | High | Active |
+>