IBM Support

AppScan Source cannot trace a validation routine API that doesn't return data

Technote (troubleshooting)


IBM Security AppScan Source cannot trace a validation routine API that does not return the actual data.


Let say, in your source code you created/wrote/used certain validation routines, that returns a 'string' value (e.g. true or false) based on the results of the validation and NOT the actual data that was passed for validation.

In this scenario IBM Security AppScan Source will loose trace of data and will not identify the validation routine. Refer to the example below.


These validation routines are custom APIs. They need to be added using custom rules wizard first for AppScan Source to know what is happening inside the API.

  • AppScan Source works on data flow analysis and is only concerned about the data that is returned after it enters such a validation routine API. If the expected data (or the actual data that was passed as input is) not returned, instead a string value is returned, like true or false, the tool will loose track and will not be able to trace the data after it enters this validation routine API.


Consider the following sample Java code, where you can see, isValidValue is the validation routine. This code does reproduce the issue. When you scan this code isValidValue API is left untraceable by AppScan Source and not identified as validation routine.

public class AppScanValidation
   public boolean isValidValue(String str)
       if(!str.contains("%") && !str.contains(";") && !str.contains("--"))
           return true;
       return false;

   public String getValidValue(String str)
       if(!str.contains("%") && !str.contains(";") && !str.contains("--"))
           return str;
       return null;

   public void useValue(String str)
       //If below 3 lines are uncommented, isValidValue does not appear
       //in trace for marking as a validation routine
           System.out.println("\n\nInput Value validated by boolean = "+str);
       //Uncomment below line and comment above 3 lines to get API
       //in trace for marking as validation routine
       //System.out.println("\n\nInput Value validated by data flow = "+getValidValue(str));

   public static void main(String[] args)
       String inputStr = System.getProperty("SET_VALUE", "DEFAULTSTR");
       AppScanValidation appVal = new AppScanValidation();

Diagnosing the problem

To diagnose the issue, let's describe first how AppScan Source works.

The isValidValue routine is a custom method that AppScan Source does not have markup for since it's custom API. As such, there is no way, by default, for AppScan Source to determine if this is a validation encoding routine. AppScan Source knows nothing about what happens inside the custom API, only about what is returned.

The only thing that AppScan Source knows is that the value of "str" was passed into this method, but it was never returned (instead 'true/false' was returned). AppScan Source stopped tracing the value of "str" once it realized that it wasn't being returned. In other words, the value of "str" never left the method since it was being passed into the method and never through it. Since "str" was never returned (note that AppScan Source knows nothing about happens inside the custom API) AppScan Source cannot assume that any validation was done to "str" and it believes that it may still contain malformed of malicious data. If "str" was returned, AppScan Source would be able to continue tracing it.

Resolving the problem

There can be two ways to resolve this:

  • Mark the custom APIs ("isValidValue") in AppScan Source as validation/encoding routine, so that it can identify and take appropriate actions the next time you scan such a code. Although even this way, AppScan Source won't be able to trace the data after it enters as an input to this validation routine API, since the output is not the same data but some string value, which the tool does not understand.
  • Use validation/encoding routine that returns the actual value that was passed to it and not some string return like 'true/false'. Bottom line is, with this string output from the validation routine API, AppScan Source can never trace the data that went in.

Document information

More support for: IBM Security AppScan Source
Findings issues

Software version:

Operating system(s): Windows

Reference #: 1623705

Modified date: 30 January 2013