From 138fe95c754b06a1aebbee84e75d62ad6302fc3d Mon Sep 17 00:00:00 2001 From: Dave Wichers Date: Fri, 29 Mar 2024 11:13:50 -0400 Subject: [PATCH 01/19] Add test case 6. --- .../testcode/BenchmarkTest00006.java | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00006.java diff --git a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00006.java b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00006.java new file mode 100644 index 0000000..2359c9b --- /dev/null +++ b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00006.java @@ -0,0 +1,77 @@ +/** + * OWASP Benchmark v1.2 + * + *

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project. For + * details, please see https://owasp.org/www-project-benchmark/. + * + *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms + * of the GNU General Public License as published by the Free Software Foundation, version 2. + * + *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY + * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details. + * + * @author Dave Wichers + * @created 2015 + */ +package org.owasp.benchmark.testcode; + +import java.io.IOException; +import javax.servlet.ServletException; +import javax.servlet.annotation.WebServlet; +import javax.servlet.http.HttpServlet; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +@WebServlet(value = "/cmdi-00/BenchmarkTest00006") +public class BenchmarkTest00006 extends HttpServlet { + + private static final long serialVersionUID = 1L; + + @Override + public void doGet(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + doPost(request, response); + } + + @Override + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // some code + response.setContentType("text/html;charset=UTF-8"); + + String param = ""; + if (request.getHeader("BenchmarkTest00006") != null) { + param = request.getHeader("BenchmarkTest00006"); + } + + // URL Decode the header value since req.getHeader() doesn't. Unlike req.getParameter(). 
+ param = java.net.URLDecoder.decode(param, "UTF-8"); + + java.util.List argList = new java.util.ArrayList(); + + String osName = System.getProperty("os.name"); + if (osName.indexOf("Windows") != -1) { + argList.add("cmd.exe"); + argList.add("/c"); + } else { + argList.add("sh"); + argList.add("-c"); + } + argList.add("echo " + param); + + ProcessBuilder pb = new ProcessBuilder(); + + pb.command(argList); + + try { + Process p = pb.start(); + org.owasp.benchmark.helpers.Utils.printOSCommandResults(p, response); + } catch (IOException e) { + System.out.println( + "Problem executing cmdi - java.lang.ProcessBuilder(java.util.List) Test Case"); + throw new ServletException(e); + } + } +} From 7abadec7cc74af854382723d98ce920dc7bcbb92 Mon Sep 17 00:00:00 2001 From: Dave Wichers Date: Fri, 29 Mar 2024 14:11:00 -0400 Subject: [PATCH 02/19] Configure constrast-scan --- .github/workflows/contrast-scan.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/contrast-scan.yml b/.github/workflows/contrast-scan.yml index efa4854..f8cc6e8 100644 --- a/.github/workflows/contrast-scan.yml +++ b/.github/workflows/contrast-scan.yml @@ -42,12 +42,12 @@ jobs: - name: Contrast Scan Action uses: Contrast-Security-OSS/contrastscan-action@7352a45d9678ec8a434cf061b07ffb51c1e351a1 with: - artifact: mypath/target/myartifact.jar # replace this path with the path to your built artifact + artifact: target/benchmark.jar # replace this path with the path to your built artifact apiKey: ${{ secrets.CONTRAST_API_KEY }} orgId: ${{ secrets.CONTRAST_ORGANIZATION_ID }} authHeader: ${{ secrets.CONTRAST_AUTH_HEADER }} #Upload the results to GitHub - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: results.sarif # The file name must be 'results.sarif', as this is what the Github Action will output From e1dd12741b16a955793ee34f41b13e22b60656eb Mon Sep 17 00:00:00 2001 
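Review bot: Nothing in this new file marks the interpolation of the URL-decoded `BenchmarkTest00006` header into `"echo " + param` under `sh -c` / `cmd.exe /c` as the intended command-injection sink, so a later contributor, or the Contrast scan wired up in the following commits of this series, could treat the finding as something to fix rather than an expected result. Suggest a one-line marker above `argList.add("echo " + param);`: `// Benchmark cmdi sink: attacker-controlled header is deliberately interpolated into a shell command; expected to be flagged.`. Two style points in the same hunk: `java.util.List argList = new java.util.ArrayList();` uses raw types where `java.util.List<String>` would do, and `request.getHeader("BenchmarkTest00006")` is evaluated twice where one local would suffice. `osName.indexOf("Windows")` would also NPE if `os.name` were ever unset, which is unlikely but cheap to guard with a null check.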
From: Dave Wichers Date: Fri, 29 Mar 2024 14:13:01 -0400 Subject: [PATCH 03/19] Undo unnecessary change. --- .github/workflows/contrast-scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/contrast-scan.yml b/.github/workflows/contrast-scan.yml index f8cc6e8..33cad96 100644 --- a/.github/workflows/contrast-scan.yml +++ b/.github/workflows/contrast-scan.yml @@ -48,6 +48,6 @@ jobs: authHeader: ${{ secrets.CONTRAST_AUTH_HEADER }} #Upload the results to GitHub - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: results.sarif # The file name must be 'results.sarif', as this is what the Github Action will output From 1eb0219847a352c1bf5002abd317a6be99e66bdc Mon Sep 17 00:00:00 2001 From: Dave Wichers Date: Fri, 29 Mar 2024 14:16:21 -0400 Subject: [PATCH 04/19] Fix war reference. --- .github/workflows/contrast-scan.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/contrast-scan.yml b/.github/workflows/contrast-scan.yml index 33cad96..c2d7aff 100644 --- a/.github/workflows/contrast-scan.yml +++ b/.github/workflows/contrast-scan.yml @@ -42,12 +42,12 @@ jobs: - name: Contrast Scan Action uses: Contrast-Security-OSS/contrastscan-action@7352a45d9678ec8a434cf061b07ffb51c1e351a1 with: - artifact: target/benchmark.jar # replace this path with the path to your built artifact + artifact: target/benchmark.war # replace this path with the path to your built artifact apiKey: ${{ secrets.CONTRAST_API_KEY }} orgId: ${{ secrets.CONTRAST_ORGANIZATION_ID }} authHeader: ${{ secrets.CONTRAST_AUTH_HEADER }} #Upload the results to GitHub - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: results.sarif # The file name must be 'results.sarif', as this is what the Github Action will output 
From cfe2b8b108ce9ddbc952416087fb57c898f3e262 Mon Sep 17 00:00:00 2001 From: Dave Wichers Date: Fri, 29 Mar 2024 14:27:19 -0400 Subject: [PATCH 05/19] Add mvn compile compand to build required artifact, and change name to contrast-codesec --- .github/workflows/contrast-scan.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/contrast-scan.yml b/.github/workflows/contrast-scan.yml index c2d7aff..cda9c04 100644 --- a/.github/workflows/contrast-scan.yml +++ b/.github/workflows/contrast-scan.yml @@ -26,7 +26,7 @@ permissions: name: Scan analyze workflow jobs: - build-and-scan: + contrast-codesec: permissions: contents: read # for actions/checkout security-events: write # for github/codeql-action/upload-sarif @@ -35,9 +35,9 @@ jobs: # check out project steps: - uses: actions/checkout@v3 - # Since Contrast Scan is designed to run against your deployable artifact, the steps to build your artifact should go here. - # -name: Build Project - # ... + # Build the war + - name: Build + run: mvn compile # Scan Artifact - name: Contrast Scan Action uses: Contrast-Security-OSS/contrastscan-action@7352a45d9678ec8a434cf061b07ffb51c1e351a1 From 6d75f6c2e02ff76a86a7aff4fc4bd0c1c226fe37 Mon Sep 17 00:00:00 2001 From: Dave Wichers Date: Fri, 29 Mar 2024 14:32:46 -0400 Subject: [PATCH 06/19] Fix build steps and upgrade contrast codesec scan version. --- .github/workflows/contrast-scan.yml | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/.github/workflows/contrast-scan.yml b/.github/workflows/contrast-scan.yml index cda9c04..bca57bd 100644 --- a/.github/workflows/contrast-scan.yml +++ b/.github/workflows/contrast-scan.yml 
@@ -37,10 +37,18 @@ jobs: - uses: actions/checkout@v3 # Build the war - name: Build + - uses: actions/checkout@v4 + with: + fetch-depth: 0 + - name: Set up JDK 8 + uses: actions/setup-java@v4 + with: + java-version: '8' + distribution: 'zulu' run: mvn compile # Scan Artifact - name: Contrast Scan Action - uses: Contrast-Security-OSS/contrastscan-action@7352a45d9678ec8a434cf061b07ffb51c1e351a1 + uses: Contrast-Security-OSS/contrastscan-action@3.0.1 with: artifact: target/benchmark.war # replace this path with the path to your built artifact apiKey: ${{ secrets.CONTRAST_API_KEY }} From 854b34457424d1d494bc72355411c675ac675aa3 Mon Sep 17 00:00:00 2001 From: Dave Wichers Date: Fri, 29 Mar 2024 14:36:49 -0400 Subject: [PATCH 07/19] Try again. --- .github/workflows/contrast-scan.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/contrast-scan.yml b/.github/workflows/contrast-scan.yml index bca57bd..2dca88d 100644 --- a/.github/workflows/contrast-scan.yml +++ b/.github/workflows/contrast-scan.yml @@ -37,10 +37,9 @@ jobs: - uses: actions/checkout@v3 # Build the war - name: Build - - uses: actions/checkout@v4 + uses: actions/checkout@v4 with: fetch-depth: 0 - - name: Set up JDK 8 uses: actions/setup-java@v4 with: java-version: '8' From 237f2086b95908376baebc67e6c2b6b70063f629 Mon Sep 17 00:00:00 2001 From: Dave Wichers Date: Fri, 29 Mar 2024 14:40:26 -0400 Subject: [PATCH 08/19] Try again. --- .github/workflows/contrast-scan.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/contrast-scan.yml b/.github/workflows/contrast-scan.yml index 2dca88d..9cfac1f 100644 --- a/.github/workflows/contrast-scan.yml +++ b/.github/workflows/contrast-scan.yml @@ -40,10 +40,12 @@ jobs: uses: actions/checkout@v4 with: fetch-depth: 0 + - name: Java 8 uses: actions/setup-java@v4 with: java-version: '8' distribution: 'zulu' + - name: Compile run: mvn compile # Scan Artifact - name: Contrast Scan Action 
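Review bot: The `uses:` line for the Contrast action replaces the full-commit-SHA pin (`@7352a45d…`) with the mutable tag `@3.0.1`, which weakens the supply-chain posture of a step that receives `CONTRAST_API_KEY`, `CONTRAST_ORGANIZATION_ID` and `CONTRAST_AUTH_HEADER`: a moved or re-pushed tag would run different code with those secrets. Prefer pinning to the full commit SHA of the intended release with the version in a trailing comment, e.g. `uses: Contrast-Security-OSS/contrastscan-action@<full commit sha> # v3.0.1`, and the same for the `actions/checkout@v4` and `actions/setup-java@v4` references added here. `fetch-depth: 0` also pulls the entire repository history, which a `mvn` build does not need; drop it unless a later step depends on tags or history. The step layout in this hunk (a `Build` step with no action and a nested checkout) is reworked by the later commits in this series, so no separate change is needed for that.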
@@ -53,7 +55,7 @@ jobs: apiKey: ${{ secrets.CONTRAST_API_KEY }} orgId: ${{ secrets.CONTRAST_ORGANIZATION_ID }} authHeader: ${{ secrets.CONTRAST_AUTH_HEADER }} - #Upload the results to GitHub + # Upload the results to GitHub - name: Upload SARIF file uses: github/codeql-action/upload-sarif@v3 with: From dfad52347372969f0efe24f6145fe85bec9c3923 Mon Sep 17 00:00:00 2001 From: Dave Wichers Date: Fri, 29 Mar 2024 14:45:05 -0400 Subject: [PATCH 09/19] Try again. --- .github/workflows/contrast-scan.yml | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/.github/workflows/contrast-scan.yml b/.github/workflows/contrast-scan.yml index 9cfac1f..21981cc 100644 --- a/.github/workflows/contrast-scan.yml +++ b/.github/workflows/contrast-scan.yml @@ -34,18 +34,15 @@ jobs: runs-on: ubuntu-latest # check out project steps: - - uses: actions/checkout@v3 - # Build the war - - name: Build - uses: actions/checkout@v4 + - uses: actions/checkout@v4 with: fetch-depth: 0 - - name: Java 8 + # Build the war + - name: Build uses: actions/setup-java@v4 with: java-version: '8' distribution: 'zulu' - - name: Compile run: mvn compile # Scan Artifact - name: Contrast Scan Action From 7e34cb904d12427ce31dca381edd716427852dba Mon Sep 17 00:00:00 2001 From: Dave Wichers Date: Fri, 29 Mar 2024 14:46:38 -0400 Subject: [PATCH 10/19] Again. --- .github/workflows/contrast-scan.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/contrast-scan.yml b/.github/workflows/contrast-scan.yml index 21981cc..3f6032b 100644 --- a/.github/workflows/contrast-scan.yml +++ b/.github/workflows/contrast-scan.yml @@ -43,6 +43,7 @@ jobs: with: java-version: '8' distribution: 'zulu' + - name: Compile run: mvn compile # Scan Artifact - name: Contrast Scan Action From 75c333fa12b073c9d299ba1782d6c3576a8223c0 Mon Sep 17 00:00:00 2001 
From: Dave Wichers Date: Fri, 29 Mar 2024 14:48:04 -0400 Subject: [PATCH 11/19] Fix contrast version. --- .github/workflows/contrast-scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/contrast-scan.yml b/.github/workflows/contrast-scan.yml index 3f6032b..fb3bd02 100644 --- a/.github/workflows/contrast-scan.yml +++ b/.github/workflows/contrast-scan.yml @@ -47,7 +47,7 @@ jobs: run: mvn compile # Scan Artifact - name: Contrast Scan Action - uses: Contrast-Security-OSS/contrastscan-action@3.0.1 + uses: Contrast-Security-OSS/contrastscan-action@v3.0.1 with: artifact: target/benchmark.war # replace this path with the path to your built artifact apiKey: ${{ secrets.CONTRAST_API_KEY }} From 31a28a4d87dc153ea079d3455735fcfd05cf0c9c Mon Sep 17 00:00:00 2001 From: Dave Wichers Date: Fri, 29 Mar 2024 14:52:37 -0400 Subject: [PATCH 12/19] Actually build the .war. --- .github/workflows/contrast-scan.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/contrast-scan.yml b/.github/workflows/contrast-scan.yml index fb3bd02..e8ae872 100644 --- a/.github/workflows/contrast-scan.yml +++ b/.github/workflows/contrast-scan.yml @@ -38,13 +38,13 @@ jobs: with: fetch-depth: 0 # Build the war - - name: Build + - name: Java 8 uses: actions/setup-java@v4 with: java-version: '8' distribution: 'zulu' - - name: Compile - run: mvn compile + - name: Build WAR + run: mvn test # Scan Artifact - name: Contrast Scan Action uses: Contrast-Security-OSS/contrastscan-action@v3.0.1 From 6060ba6406831761f77e62a2b057732a52a59bdf Mon Sep 17 00:00:00 2001 From: Dave Wichers Date: Fri, 29 Mar 2024 15:07:20 -0400 Subject: [PATCH 13/19] Test. --- .github/workflows/contrast-scan.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/contrast-scan.yml b/.github/workflows/contrast-scan.yml index e8ae872..04c314b 100644 --- a/.github/workflows/contrast-scan.yml +++ b/.github/workflows/contrast-scan.yml 
@@ -45,6 +45,7 @@ jobs: distribution: 'zulu' - name: Build WAR run: mvn test + run: ls -l target/ # Scan Artifact - name: Contrast Scan Action uses: Contrast-Security-OSS/contrastscan-action@v3.0.1 From 8c92360e66a78affbbb3ebc2456707bcbd418943 Mon Sep 17 00:00:00 2001 From: Dave Wichers Date: Fri, 29 Mar 2024 15:08:38 -0400 Subject: [PATCH 14/19] Test --- .github/workflows/contrast-scan.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/contrast-scan.yml b/.github/workflows/contrast-scan.yml index 04c314b..380a02d 100644 --- a/.github/workflows/contrast-scan.yml +++ b/.github/workflows/contrast-scan.yml @@ -45,6 +45,7 @@ jobs: distribution: 'zulu' - name: Build WAR run: mvn test + - name: Verify WAR built run: ls -l target/ # Scan Artifact - name: Contrast Scan Action From 9f08a0f62d045f56a17d29bc7438d8c20839a8c1 Mon Sep 17 00:00:00 2001 From: Dave Wichers Date: Fri, 29 Mar 2024 15:13:28 -0400 Subject: [PATCH 15/19] Try again. --- .github/workflows/contrast-scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/contrast-scan.yml b/.github/workflows/contrast-scan.yml index 380a02d..dd52847 100644 --- a/.github/workflows/contrast-scan.yml +++ b/.github/workflows/contrast-scan.yml @@ -44,7 +44,7 @@ jobs: java-version: '8' distribution: 'zulu' - name: Build WAR - run: mvn test + run: mvn package - name: Verify WAR built run: ls -l target/ # Scan Artifact From 7e5809dfa18d2da9fecd4d834559a15018a53ce5 Mon Sep 17 00:00:00 2001 
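Review bot: `run: mvn package` in the Build WAR step will, if the pom binds tests into the default lifecycle, execute the project's test phase on every scan run, which is slower and noisier than needed when the only goal is producing `target/benchmark.war` for the Contrast step; `run: mvn -B -DskipTests package` builds the artifact non-interactively without the tests, assuming the scan does not rely on test output. The `Verify WAR built` step running `ls -l target/` in the context lines reads as a leftover diagnostic from the previous two commits and can be removed once the artifact path is confirmed. Consider also enabling `cache: 'maven'` on the `setup-java` step (outside this hunk) so dependency downloads are not repeated on each run.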
From: Dave Wichers Date: Tue, 9 Apr 2024 12:50:10 -0500 Subject: [PATCH 16/19] Add test cases 6-10. --- .../testcode/BenchmarkTest00007.java | 70 ++++++++++ .../testcode/BenchmarkTest00008.java | 68 ++++++++++ .../testcode/BenchmarkTest00009.java | 124 ++++++++++++++++++ .../testcode/BenchmarkTest00010.java | 116 ++++++++++++++++ 4 files changed, 378 insertions(+) create mode 100644 src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00007.java create mode 100644 src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00008.java create mode 100644 src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00009.java create mode 100644 src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00010.java diff --git a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00007.java b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00007.java new file mode 100644 index 0000000..d1d180a --- /dev/null +++ b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00007.java @@ -0,0 +1,70 @@ +/** + * OWASP Benchmark v1.2 + * + *

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project. For + * details, please see https://owasp.org/www-project-benchmark/. + * + *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms + * of the GNU General Public License as published by the Free Software Foundation, version 2. + * + *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY + * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details. + * + * @author Dave Wichers + * @created 2015 + */ +package org.owasp.benchmark.testcode; + +import java.io.IOException; +import javax.servlet.ServletException; +import javax.servlet.annotation.WebServlet; +import javax.servlet.http.HttpServlet; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +@WebServlet(value = "/cmdi-00/BenchmarkTest00007") +public class BenchmarkTest00007 extends HttpServlet { + + private static final long serialVersionUID = 1L; + + @Override + public void doGet(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + doPost(request, response); + } + + @Override + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // some code + response.setContentType("text/html;charset=UTF-8"); + + String param = ""; + if (request.getHeader("BenchmarkTest00007") != null) { + param = request.getHeader("BenchmarkTest00007"); + } + + // URL Decode the header value since req.getHeader() doesn't. Unlike req.getParameter(). + param = java.net.URLDecoder.decode(param, "UTF-8"); + + String cmd = + org.owasp.benchmark.helpers.Utils.getInsecureOSCommandString( + this.getClass().getClassLoader()); + String[] args = {cmd}; + String[] argsEnv = {param}; + + Runtime r = Runtime.getRuntime(); + + try { + Process p = r.exec(args, argsEnv); + org.owasp.benchmark.helpers.Utils.printOSCommandResults(p, response); + } catch (IOException e) { + System.out.println("Problem executing cmdi - TestCase"); + response.getWriter() + .println(org.owasp.esapi.ESAPI.encoder().encodeForHTML(e.getMessage())); + return; + } + } +} 
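Review bot: The `argsEnv = {param}` array passed to `r.exec(args, argsEnv)` is the child's complete environment, and `Runtime.exec(String[], String[])` silently ignores entries that contain no `=` (and truncates an entry at a NUL), so a request whose header is not of the form `NAME=value` exercises the sink with an empty environment rather than an injected variable; worth stating above `String[] argsEnv = {param};`, e.g. `// Header must be NAME=value: entries without '=' are dropped by exec, and the child inherits no environment (no PATH).`. Whether the command returned by `getInsecureOSCommandString` survives without PATH cannot be seen from this hunk. The catch block also differs from BenchmarkTest00006 in the same series: it writes `e.getMessage()` to the response (HTML-encoded, so not an XSS vector, but it discloses OS and path detail) instead of throwing `ServletException`; pick one convention for the cmdi cases.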
diff --git a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00008.java b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00008.java new file mode 100644 index 0000000..3d2710e --- /dev/null +++ b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00008.java @@ -0,0 +1,68 @@ +/** + * OWASP Benchmark v1.2 + * + *

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project. For + * details, please see https://owasp.org/www-project-benchmark/. + * + *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms + * of the GNU General Public License as published by the Free Software Foundation, version 2. + * + *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY + * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details. + * + * @author Dave Wichers + * @created 2015 + */ +package org.owasp.benchmark.testcode; + +import java.io.IOException; +import javax.servlet.ServletException; +import javax.servlet.annotation.WebServlet; +import javax.servlet.http.HttpServlet; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +@WebServlet(value = "/sqli-00/BenchmarkTest00008") +public class BenchmarkTest00008 extends HttpServlet { + + private static final long serialVersionUID = 1L; + + @Override + public void doGet(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + doPost(request, response); + } + + @Override + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // some code + response.setContentType("text/html;charset=UTF-8"); + + String param = ""; + if (request.getHeader("BenchmarkTest00008") != null) { + param = request.getHeader("BenchmarkTest00008"); + } + + // URL Decode the header value since req.getHeader() doesn't. Unlike req.getParameter(). + param = java.net.URLDecoder.decode(param, "UTF-8"); + + String sql = "{call " + param + "}"; + + try { + java.sql.Connection connection = + org.owasp.benchmark.helpers.DatabaseHelper.getSqlConnection(); + java.sql.CallableStatement statement = connection.prepareCall(sql); + java.sql.ResultSet rs = statement.executeQuery(); + org.owasp.benchmark.helpers.DatabaseHelper.printResults(rs, sql, response); + + } catch (java.sql.SQLException e) { + if (org.owasp.benchmark.helpers.DatabaseHelper.hideSQLErrors) { + response.getWriter().println("Error processing request."); + return; + } else throw new ServletException(e); + } + } +} 
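Review bot: The `java.sql.Connection`, `CallableStatement` and `ResultSet` opened in the try block are never closed on either the success or the exception path, so each request leaks a connection (or at least a statement and cursor) on top of the deliberate `"{call " + param + "}"` injection that is the point of this test case. Java 8 try-with-resources closes all three in reverse order without changing the servlet's observable behaviour, and the `hideSQLErrors` handling in the catch stays as it is. If `DatabaseHelper.getSqlConnection()` hands out a shared connection (not visible here), keep only the statement and result set in the resource list.
```java
try (java.sql.Connection connection =
                org.owasp.benchmark.helpers.DatabaseHelper.getSqlConnection();
        java.sql.CallableStatement statement = connection.prepareCall(sql);
        java.sql.ResultSet rs = statement.executeQuery()) {
    org.owasp.benchmark.helpers.DatabaseHelper.printResults(rs, sql, response);
} catch (java.sql.SQLException e) {
    // … unchanged: hideSQLErrors handling …
}
```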
diff --git a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00009.java b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00009.java new file mode 100644 index 0000000..abe18a4 --- /dev/null +++ b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00009.java @@ -0,0 +1,124 @@ +/** + * OWASP Benchmark v1.2 + * + *

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project. For + * details, please see https://owasp.org/www-project-benchmark/. + * + *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms + * of the GNU General Public License as published by the Free Software Foundation, version 2. + * + *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY + * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details. + * + * @author Dave Wichers + * @created 2015 + */ +package org.owasp.benchmark.testcode; + +import java.io.IOException; +import javax.servlet.ServletException; +import javax.servlet.annotation.WebServlet; +import javax.servlet.http.HttpServlet; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +@WebServlet(value = "/hash-00/BenchmarkTest00009") +public class BenchmarkTest00009 extends HttpServlet { + + private static final long serialVersionUID = 1L; + + @Override + public void doGet(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + doPost(request, response); + } + + @Override + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // some code + response.setContentType("text/html;charset=UTF-8"); + + String param = ""; + java.util.Enumeration names = request.getHeaderNames(); + while (names.hasMoreElements()) { + String name = (String) names.nextElement(); + + if (org.owasp.benchmark.helpers.Utils.commonHeaders.contains(name)) { + continue; // If standard header, move on to next one + } + + java.util.Enumeration values = request.getHeaders(name); + if (values != null && values.hasMoreElements()) { + param = name; // Grabs the name of the first non-standard header as the parameter + // value + break; + } + } + // Note: We don't URL decode header names because people don't normally do that + + java.security.Provider[] provider = java.security.Security.getProviders(); + java.security.MessageDigest md; + + try { + if (provider.length > 1) { + + md = java.security.MessageDigest.getInstance("sha-384", provider[0]); + } else { + md = 
java.security.MessageDigest.getInstance("sha-384", "SUN"); + } + byte[] input = {(byte) '?'}; + Object inputParam = param; + if (inputParam instanceof String) input = ((String) inputParam).getBytes(); + if (inputParam instanceof java.io.InputStream) { + byte[] strInput = new byte[1000]; + int i = ((java.io.InputStream) inputParam).read(strInput); + if (i == -1) { + response.getWriter() + .println( + "This input source requires a POST, not a GET. Incompatible UI for the InputStream source."); + return; + } + input = java.util.Arrays.copyOf(strInput, i); + } + md.update(input); + + byte[] result = md.digest(); + java.io.File fileTarget = + new java.io.File( + new java.io.File(org.owasp.benchmark.helpers.Utils.TESTFILES_DIR), + "passwordFile.txt"); + java.io.FileWriter fw = + new java.io.FileWriter(fileTarget, true); // the true will append the new data + fw.write( + "hash_value=" + + org.owasp.esapi.ESAPI.encoder().encodeForBase64(result, true) + + "\n"); + fw.close(); + response.getWriter() + .println( + "Sensitive value '" + + org.owasp + .esapi + .ESAPI + .encoder() + .encodeForHTML(new String(input)) + + "' hashed and stored
"); + + } catch (java.security.NoSuchAlgorithmException e) { + System.out.println( + "Problem executing hash - TestCase java.security.MessageDigest.getInstance(java.lang.String,java.security.Provider)"); + throw new ServletException(e); + } catch (java.security.NoSuchProviderException e) { + System.out.println( + "Problem executing hash - TestCase java.security.MessageDigest.getInstance(java.lang.String,java.security.Provider)"); + throw new ServletException(e); + } + + response.getWriter() + .println( + "Hash Test java.security.MessageDigest.getInstance(java.lang.String,java.security.Provider) executed"); + } +} diff --git a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00010.java b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00010.java new file mode 100644 index 0000000..2a08396 --- /dev/null +++ b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00010.java @@ -0,0 +1,116 @@ +/** + * OWASP Benchmark v1.2 + * + *
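Review bot: The `java.io.FileWriter fw` opened on `passwordFile.txt` is only closed by the `fw.close()` that follows a successful `fw.write(...)`; an `IOException` from the write propagates out of doPost with the file handle still open, so `try (java.io.FileWriter fw = new java.io.FileWriter(fileTarget, true)) { fw.write(...); }` is the safer shape. `((String) inputParam).getBytes()` and `new String(input)` use the platform default charset; pass `java.nio.charset.StandardCharsets.UTF_8` so the hashed bytes and the echoed value do not depend on the JVM's locale. The `inputParam instanceof java.io.InputStream` branch can never be taken because `inputParam` is assigned from the `String param`, which looks like generated-template residue; harmless, but worth a comment if it is kept deliberately.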

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project. For + * details, please see https://owasp.org/www-project-benchmark/. + * + *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms + * of the GNU General Public License as published by the Free Software Foundation, version 2. + * + *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY + * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details. + * + * @author Dave Wichers + * @created 2015 + */ +package org.owasp.benchmark.testcode; + +import java.io.IOException; +import javax.servlet.ServletException; +import javax.servlet.annotation.WebServlet; +import javax.servlet.http.HttpServlet; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +@WebServlet(value = "/weakrand-00/BenchmarkTest00010") +public class BenchmarkTest00010 extends HttpServlet { + + private static final long serialVersionUID = 1L; + + @Override + public void doGet(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + doPost(request, response); + } + + @Override + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // some code + response.setContentType("text/html;charset=UTF-8"); + + String param = ""; + java.util.Enumeration names = request.getHeaderNames(); + while (names.hasMoreElements()) { + String name = (String) names.nextElement(); + + if (org.owasp.benchmark.helpers.Utils.commonHeaders.contains(name)) { + continue; // If standard header, move on to next one + } + + java.util.Enumeration values = request.getHeaders(name); + if (values != null && values.hasMoreElements()) { + param = name; // Grabs the name of the first non-standard header as the parameter + // value + break; + } + } + // Note: We don't URL decode header names because people don't normally do that + + try { + int randNumber = java.security.SecureRandom.getInstance("SHA1PRNG").nextInt(99); + String rememberMeKey = Integer.toString(randNumber); + + String user = "SafeInga"; + String fullClassName = this.getClass().getName(); + String testCaseNumber = + 
fullClassName.substring( + fullClassName.lastIndexOf('.') + 1 + "BenchmarkTest".length()); + user += testCaseNumber; + + String cookieName = "rememberMe" + testCaseNumber; + + boolean foundUser = false; + javax.servlet.http.Cookie[] cookies = request.getCookies(); + if (cookies != null) { + for (int i = 0; !foundUser && i < cookies.length; i++) { + javax.servlet.http.Cookie cookie = cookies[i]; + if (cookieName.equals(cookie.getName())) { + if (cookie.getValue() + .equals(request.getSession().getAttribute(cookieName))) { + foundUser = true; + } + } + } + } + + if (foundUser) { + response.getWriter().println("Welcome back: " + user + "
"); + } else { + javax.servlet.http.Cookie rememberMe = + new javax.servlet.http.Cookie(cookieName, rememberMeKey); + rememberMe.setSecure(true); + rememberMe.setHttpOnly(true); + rememberMe.setPath(request.getRequestURI()); // i.e., set path to JUST this servlet + // e.g., /benchmark/sql-01/BenchmarkTest01001 + request.getSession().setAttribute(cookieName, rememberMeKey); + response.addCookie(rememberMe); + response.getWriter() + .println( + user + + " has been remembered with cookie: " + + rememberMe.getName() + + " whose value is: " + + rememberMe.getValue() + + "
"); + } + } catch (java.security.NoSuchAlgorithmException e) { + System.out.println("Problem executing SecureRandom.nextInt(int) - TestCase"); + throw new ServletException(e); + } + response.getWriter() + .println("Weak Randomness Test java.security.SecureRandom.nextInt(int) executed"); + } +} From 5283127f155c9a21ae3b9b31bd4e00525de08075 Mon Sep 17 00:00:00 2001 From: Dave Wichers Date: Tue, 9 Apr 2024 13:49:13 -0500 Subject: [PATCH 17/19] Add tests 11-15. --- .../testcode/BenchmarkTest00011.java | 70 ++++++++++++ .../testcode/BenchmarkTest00012.java | 106 ++++++++++++++++++ .../testcode/BenchmarkTest00013.java | 58 ++++++++++ .../testcode/BenchmarkTest00014.java | 58 ++++++++++ .../testcode/BenchmarkTest00015.java | 79 +++++++++++++ 5 files changed, 371 insertions(+) create mode 100644 src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00011.java create mode 100644 src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00012.java create mode 100644 src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00013.java create mode 100644 src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00014.java create mode 100644 src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00015.java diff --git a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00011.java b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00011.java new file mode 100644 index 0000000..cfda6fb --- /dev/null +++ b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00011.java @@ -0,0 +1,70 @@ +/** + * OWASP Benchmark v1.2 + * + *
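Review bot: The `rememberMe` cookie value is `Integer.toString(SecureRandom.getInstance("SHA1PRNG").nextInt(99))`, i.e. one of 99 values, so as a remember-me token it is trivially guessable even though the generator itself is not weak; if the intent is only to exercise the `SecureRandom.nextInt(int)` call for the weakrand category, say so next to that line, e.g. `// Exercises the generator, not token entropy; nextInt(99) is not a real remember-me key.`. The `cookie.getValue().equals(request.getSession().getAttribute(cookieName))` check is a plain `String.equals` rather than a constant-time compare, which matters little at 99 values but would for a real token (`java.security.MessageDigest.isEqual` on the bytes). Prefer `new java.security.SecureRandom()` over pinning `"SHA1PRNG"` unless the named algorithm is itself the thing under test.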

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project. For + * details, please see https://owasp.org/www-project-benchmark/. + * + *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms + * of the GNU General Public License as published by the Free Software Foundation, version 2. + * + *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY + * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details. + * + * @author Dave Wichers + * @created 2015 + */ +package org.owasp.benchmark.testcode; + +import java.io.IOException; +import javax.servlet.ServletException; +import javax.servlet.annotation.WebServlet; +import javax.servlet.http.HttpServlet; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +@WebServlet(value = "/pathtraver-00/BenchmarkTest00011") +public class BenchmarkTest00011 extends HttpServlet { + + private static final long serialVersionUID = 1L; + + @Override + public void doGet(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + doPost(request, response); + } + + @Override + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // some code + response.setContentType("text/html;charset=UTF-8"); + + String param = ""; + java.util.Enumeration headers = request.getHeaders("BenchmarkTest00011"); + + if (headers != null && headers.hasMoreElements()) { + param = headers.nextElement(); // just grab first element + } + + // URL Decode the header value since req.getHeaders() doesn't. Unlike req.getParameters(). + param = java.net.URLDecoder.decode(param, "UTF-8"); + + java.io.File fileTarget = new java.io.File(param, "/Test.txt"); + response.getWriter() + .println( + "Access to file: '" + + org.owasp + .esapi + .ESAPI + .encoder() + .encodeForHTML(fileTarget.toString()) + + "' created."); + if (fileTarget.exists()) { + response.getWriter().println(" And file already exists."); + } else { + response.getWriter().println(" But file doesn't exist yet."); + } + } +} 
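Review bot: `new java.io.File(param, "/Test.txt")` with `param` taken straight from the URL-decoded `BenchmarkTest00011` header is the intended path-traversal sink, but nothing in the file marks it as such, and the `fileTarget.exists()` branch turns it into a file-existence oracle; a one-line marker above it, `// Benchmark pathtraver sink: header value is used as a directory with no normalization or base-path check; expected to be flagged.`, keeps the intent visible to later contributors. The comment `URL Decode the header value since req.getHeaders() doesn't. Unlike req.getParameters().` names a method that does not exist on `HttpServletRequest`; `getParameterValues()` is the multi-valued counterpart. The assignment `param = headers.nextElement();` relies on `getHeaders` returning `Enumeration<String>` (Servlet 3.0+); fine for this project's API level as far as the hunk shows.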
diff --git a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00012.java b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00012.java new file mode 100644 index 0000000..5be39e8 --- /dev/null +++ b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00012.java @@ -0,0 +1,106 @@ +/** + * OWASP Benchmark v1.2 + * + *

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project. For + * details, please see https://owasp.org/www-project-benchmark/. + * + *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms + * of the GNU General Public License as published by the Free Software Foundation, version 2. + * + *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY + * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details. + * + * @author Dave Wichers + * @created 2015 + */ +package org.owasp.benchmark.testcode; + +import java.io.IOException; +import javax.servlet.ServletException; +import javax.servlet.annotation.WebServlet; +import javax.servlet.http.HttpServlet; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +@WebServlet(value = "/ldapi-00/BenchmarkTest00012") +public class BenchmarkTest00012 extends HttpServlet { + + private static final long serialVersionUID = 1L; + + @Override + public void doGet(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + doPost(request, response); + } + + @Override + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // some code + response.setContentType("text/html;charset=UTF-8"); + + String param = ""; + java.util.Enumeration headers = request.getHeaders("BenchmarkTest00012"); + + if (headers != null && headers.hasMoreElements()) { + param = headers.nextElement(); // just grab first element + } + + // URL Decode the header value since req.getHeaders() doesn't. Unlike req.getParameters(). 
+ param = java.net.URLDecoder.decode(param, "UTF-8"); + + org.owasp.benchmark.helpers.LDAPManager ads = new org.owasp.benchmark.helpers.LDAPManager(); + try { + response.setContentType("text/html;charset=UTF-8"); + String base = "ou=users,ou=system"; + javax.naming.directory.SearchControls sc = new javax.naming.directory.SearchControls(); + sc.setSearchScope(javax.naming.directory.SearchControls.SUBTREE_SCOPE); + String filter = "(&(objectclass=person))(|(uid=" + param + ")(street={0}))"; + Object[] filters = new Object[] {"The streetz 4 Ms bar"}; + + javax.naming.directory.DirContext ctx = ads.getDirContext(); + javax.naming.directory.InitialDirContext idc = + (javax.naming.directory.InitialDirContext) ctx; + boolean found = false; + javax.naming.NamingEnumeration results = + idc.search(base, filter, filters, sc); + while (results.hasMore()) { + javax.naming.directory.SearchResult sr = + (javax.naming.directory.SearchResult) results.next(); + javax.naming.directory.Attributes attrs = sr.getAttributes(); + + javax.naming.directory.Attribute attr = attrs.get("uid"); + javax.naming.directory.Attribute attr2 = attrs.get("street"); + if (attr != null) { + response.getWriter() + .println( + "LDAP query results:
" + + "Record found with name " + + attr.get() + + "
" + + "Address: " + + attr2.get() + + "
"); + // System.out.println("record found " + attr.get()); + found = true; + } + } + if (!found) { + response.getWriter() + .println( + "LDAP query results: nothing found for query: " + + org.owasp.esapi.ESAPI.encoder().encodeForHTML(filter)); + } + } catch (javax.naming.NamingException e) { + throw new ServletException(e); + } finally { + try { + ads.closeDirContext(); + } catch (Exception e) { + throw new ServletException(e); + } + } + } +} diff --git a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00013.java b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00013.java new file mode 100644 index 0000000..0073b0e --- /dev/null +++ b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00013.java @@ -0,0 +1,58 @@ +/** + * OWASP Benchmark v1.2 + * + *

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project. For + * details, please see https://owasp.org/www-project-benchmark/. + * + *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms + * of the GNU General Public License as published by the Free Software Foundation, version 2. + * + *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY + * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details. + * + * @author Dave Wichers + * @created 2015 + */ +package org.owasp.benchmark.testcode; + +import java.io.IOException; +import javax.servlet.ServletException; +import javax.servlet.annotation.WebServlet; +import javax.servlet.http.HttpServlet; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +@WebServlet(value = "/xss-00/BenchmarkTest00013") +public class BenchmarkTest00013 extends HttpServlet { + + private static final long serialVersionUID = 1L; + + @Override + public void doGet(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + doPost(request, response); + } + + @Override + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // some code + response.setContentType("text/html;charset=UTF-8"); + + String param = ""; + java.util.Enumeration headers = request.getHeaders("Referer"); + + if (headers != null && headers.hasMoreElements()) { + param = headers.nextElement(); // just grab first element + } + + // URL Decode the header value since req.getHeaders() doesn't. Unlike req.getParameters(). + param = java.net.URLDecoder.decode(param, "UTF-8"); + + response.setHeader("X-XSS-Protection", "0"); + Object[] obj = {"a", "b"}; + response.getWriter().format(java.util.Locale.US, param, obj); + } +} diff --git a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00014.java b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00014.java new file mode 100644 index 0000000..2038ab9 --- /dev/null +++ b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00014.java @@ -0,0 +1,58 @@ +/** + * OWASP Benchmark v1.2 + * + *
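Review bot: The decoded `Referer` header is passed as the format string in `response.getWriter().format(java.util.Locale.US, param, obj)`, so the client controls the conversion specifiers that `Formatter` interprets against `obj`, and a malformed pattern surfaces as an uncaught `java.util.IllegalFormatException`. If the value is only meant to be echoed, keep the format string constant: `response.getWriter().format(java.util.Locale.US, "%s", org.owasp.esapi.ESAPI.encoder().encodeForHTML(param));`. If it is the intended true-positive for the category, a comment on that line marking it as the sink would make that explicit. The same construct appears in BenchmarkTest00014, there without the `Locale` argument.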

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project. For + * details, please see https://owasp.org/www-project-benchmark/. + * + *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms + * of the GNU General Public License as published by the Free Software Foundation, version 2. + * + *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY + * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details. + * + * @author Dave Wichers + * @created 2015 + */ +package org.owasp.benchmark.testcode; + +import java.io.IOException; +import javax.servlet.ServletException; +import javax.servlet.annotation.WebServlet; +import javax.servlet.http.HttpServlet; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +@WebServlet(value = "/xss-00/BenchmarkTest00014") +public class BenchmarkTest00014 extends HttpServlet { + + private static final long serialVersionUID = 1L; + + @Override + public void doGet(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + doPost(request, response); + } + + @Override + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // some code + response.setContentType("text/html;charset=UTF-8"); + + String param = ""; + java.util.Enumeration headers = request.getHeaders("Referer"); + + if (headers != null && headers.hasMoreElements()) { + param = headers.nextElement(); // just grab first element + } + + // URL Decode the header value since req.getHeaders() doesn't. Unlike req.getParameters(). + param = java.net.URLDecoder.decode(param, "UTF-8"); + + response.setHeader("X-XSS-Protection", "0"); + Object[] obj = {"a", "b"}; + response.getWriter().format(param, obj); + } +} diff --git a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00015.java b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00015.java new file mode 100644 index 0000000..4f4f57f --- /dev/null +++ b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00015.java @@ -0,0 +1,79 @@ +/** + * OWASP Benchmark v1.2 + * + *
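Review bot: The `Locale` argument present in BenchmarkTest00013 is dropped here, so `response.getWriter().format(param, obj)` formats with the JVM default locale and the output can vary between hosts. If the two servlets are meant to differ only in that one call, a one-line comment above it saying so would make the intended variation clear; otherwise `response.getWriter().format(java.util.Locale.US, param, obj);` keeps them consistent.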

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project. For + * details, please see https://owasp.org/www-project-benchmark/. + * + *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms + * of the GNU General Public License as published by the Free Software Foundation, version 2. + * + *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY + * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details. + * + * @author Dave Wichers + * @created 2015 + */ +package org.owasp.benchmark.testcode; + +import java.io.IOException; +import javax.servlet.ServletException; +import javax.servlet.annotation.WebServlet; +import javax.servlet.http.HttpServlet; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +@WebServlet(value = "/cmdi-00/BenchmarkTest00015") +public class BenchmarkTest00015 extends HttpServlet { + + private static final long serialVersionUID = 1L; + + @Override + public void doGet(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + doPost(request, response); + } + + @Override + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // some code + response.setContentType("text/html;charset=UTF-8"); + + String param = ""; + java.util.Enumeration headers = request.getHeaders("BenchmarkTest00015"); + + if (headers != null && headers.hasMoreElements()) { + param = headers.nextElement(); // just grab first element + } + + // URL Decode the header value since req.getHeaders() doesn't. Unlike req.getParameters(). 
+ param = java.net.URLDecoder.decode(param, "UTF-8"); + + java.util.List argList = new java.util.ArrayList(); + + String osName = System.getProperty("os.name"); + if (osName.indexOf("Windows") != -1) { + argList.add("cmd.exe"); + argList.add("/c"); + } else { + argList.add("sh"); + argList.add("-c"); + } + argList.add("echo " + param); + + ProcessBuilder pb = new ProcessBuilder(); + + pb.command(argList); + + try { + Process p = pb.start(); + org.owasp.benchmark.helpers.Utils.printOSCommandResults(p, response); + } catch (IOException e) { + System.out.println( + "Problem executing cmdi - java.lang.ProcessBuilder(java.util.List) Test Case"); + throw new ServletException(e); + } + } +} From e9017d3437e8c83b0ebab16b00cc08c4946f0b79 Mon Sep 17 00:00:00 2001 From: Dave Wichers Date: Wed, 10 Apr 2024 10:14:37 -0500 Subject: [PATCH 18/19] Add 5 more test cases. --- .../testcode/BenchmarkTest00016.java | 83 ++++++++++ .../testcode/BenchmarkTest00017.java | 72 +++++++++ .../testcode/BenchmarkTest00018.java | 68 ++++++++ .../testcode/BenchmarkTest00019.java | 107 +++++++++++++ .../testcode/BenchmarkTest00020.java | 151 ++++++++++++++++++ 5 files changed, 481 insertions(+) create mode 100644 src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00016.java create mode 100644 src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00017.java create mode 100644 src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00018.java create mode 100644 src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00019.java create mode 100644 src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00020.java diff --git a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00016.java b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00016.java new file mode 100644 index 0000000..cfa38de --- /dev/null +++ b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00016.java @@ -0,0 +1,83 @@ +/** + * OWASP Benchmark v1.2 + * + *
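Review bot: `argList.add("echo " + param)` hands the decoded header value to `sh -c` / `cmd.exe /c` as part of a single shell command string, so shell metacharacters in it are interpreted by the shell rather than passed to `echo`. When the shell wrapper is required, validate `param` against a strict allowlist before concatenation; when it is not, drop the `-c` form and give the value its own argv element, `argList.add("echo"); argList.add(param);`, which `ProcessBuilder` passes through unparsed. If this is the intended true-positive for the command-injection category, a comment on that line marking it as the sink would make that explicit. The `IOException` handler reports to `System.out` before rethrowing; `log("Problem executing cmdi - java.lang.ProcessBuilder(java.util.List) Test Case", e)` from `GenericServlet` keeps the diagnostics with the container's log instead.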

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project. For + * details, please see https://owasp.org/www-project-benchmark/. + * + *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms + * of the GNU General Public License as published by the Free Software Foundation, version 2. + * + *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY + * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details. + * + * @author Dave Wichers + * @created 2015 + */ +package org.owasp.benchmark.testcode; + +import java.io.IOException; +import javax.servlet.ServletException; +import javax.servlet.annotation.WebServlet; +import javax.servlet.http.HttpServlet; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +@WebServlet(value = "/securecookie-00/BenchmarkTest00016") +public class BenchmarkTest00016 extends HttpServlet { + + private static final long serialVersionUID = 1L; + + @Override + public void doGet(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + doPost(request, response); + } + + @Override + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // some code + response.setContentType("text/html;charset=UTF-8"); + + String param = ""; + java.util.Enumeration headers = request.getHeaders("BenchmarkTest00016"); + + if (headers != null && headers.hasMoreElements()) { + param = headers.nextElement(); // just grab first element + } + + // URL Decode the header value since req.getHeaders() doesn't. Unlike req.getParameters(). + param = java.net.URLDecoder.decode(param, "UTF-8"); + + byte[] input = new byte[1000]; + String str = "?"; + Object inputParam = param; + if (inputParam instanceof String) str = ((String) inputParam); + if (inputParam instanceof java.io.InputStream) { + int i = ((java.io.InputStream) inputParam).read(input); + if (i == -1) { + response.getWriter() + .println( + "This input source requires a POST, not a GET. 
Incompatible UI for the InputStream source."); + return; + } + str = new String(input, 0, i); + } + if ("".equals(str)) str = "No cookie value supplied"; + javax.servlet.http.Cookie cookie = new javax.servlet.http.Cookie("SomeCookie", str); + + cookie.setSecure(true); + cookie.setHttpOnly(true); + cookie.setPath(request.getRequestURI()); // i.e., set path to JUST this servlet + // e.g., /benchmark/sql-01/BenchmarkTest01001 + response.addCookie(cookie); + + response.getWriter() + .println( + "Created cookie: 'SomeCookie': with value: '" + + org.owasp.esapi.ESAPI.encoder().encodeForHTML(str) + + "' and secure flag set to: true"); + } +} diff --git a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00017.java b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00017.java new file mode 100644 index 0000000..b022e91 --- /dev/null +++ b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00017.java @@ -0,0 +1,72 @@ +/** + * OWASP Benchmark v1.2 + * + *
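Review bot: The `inputParam instanceof java.io.InputStream` branch can never run because `inputParam` is assigned the `String` `param` one line earlier, so `read(input)` and the POST/GET message are dead code; if the scaffolding stays, `new String(input, 0, i)` should name its charset, `str = new String(input, 0, i, java.nio.charset.StandardCharsets.UTF_8);`, rather than relying on the platform default. The cookie is created with `setSecure(true)` and `setHttpOnly(true)`, so this reads as the safe variant of the category; a comment saying so would help, since the response text only mentions the secure flag. `str` comes straight from the decoded header, and depending on the container's cookie processor a value containing separators or control characters may be rejected with an `IllegalArgumentException` when the response is written — worth confirming how that surfaces.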

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project. For + * details, please see https://owasp.org/www-project-benchmark/. + * + *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms + * of the GNU General Public License as published by the Free Software Foundation, version 2. + * + *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY + * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details. + * + * @author Dave Wichers + * @created 2015 + */ +package org.owasp.benchmark.testcode; + +import java.io.IOException; +import javax.servlet.ServletException; +import javax.servlet.annotation.WebServlet; +import javax.servlet.http.HttpServlet; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +@WebServlet(value = "/cmdi-00/BenchmarkTest00017") +public class BenchmarkTest00017 extends HttpServlet { + + private static final long serialVersionUID = 1L; + + @Override + public void doGet(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + doPost(request, response); + } + + @Override + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // some code + response.setContentType("text/html;charset=UTF-8"); + + String param = ""; + java.util.Enumeration headers = request.getHeaders("BenchmarkTest00017"); + + if (headers != null && headers.hasMoreElements()) { + param = headers.nextElement(); // just grab first element + } + + // URL Decode the header value since req.getHeaders() doesn't. Unlike req.getParameters(). 
+ param = java.net.URLDecoder.decode(param, "UTF-8"); + + String cmd = ""; + String osName = System.getProperty("os.name"); + if (osName.indexOf("Windows") != -1) { + cmd = org.owasp.benchmark.helpers.Utils.getOSCommandString("echo"); + } + + Runtime r = Runtime.getRuntime(); + + try { + Process p = r.exec(cmd + param); + org.owasp.benchmark.helpers.Utils.printOSCommandResults(p, response); + } catch (IOException e) { + System.out.println("Problem executing cmdi - TestCase"); + response.getWriter() + .println(org.owasp.esapi.ESAPI.encoder().encodeForHTML(e.getMessage())); + return; + } + } +} diff --git a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00018.java b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00018.java new file mode 100644 index 0000000..df9dae2 --- /dev/null +++ b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00018.java @@ -0,0 +1,68 @@ +/** + * OWASP Benchmark v1.2 + * + *
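Review bot: On non-Windows hosts `cmd` stays `""`, so `r.exec(cmd + param)` executes the decoded header value itself as the command line, and `Runtime.exec(String)` splits that string on whitespace into argv, so the value controls both the program and its arguments. Prefer `new ProcessBuilder(List<String>)` with a fixed program and the value as one element, as BenchmarkTest00015 in this series already does, and validate it against an allowlist if it must reach a shell; if this is the intended true-positive, a comment on the `exec` line marking it as the sink would document that. The catch block prints to `System.out` and then returns normally after writing the encoded exception message to the client, whereas BenchmarkTest00015 rethrows as `ServletException`; the two should agree unless the difference is deliberate.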

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project. For + * details, please see https://owasp.org/www-project-benchmark/. + * + *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms + * of the GNU General Public License as published by the Free Software Foundation, version 2. + * + *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY + * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details. + * + * @author Dave Wichers + * @created 2015 + */ +package org.owasp.benchmark.testcode; + +import java.io.IOException; +import javax.servlet.ServletException; +import javax.servlet.annotation.WebServlet; +import javax.servlet.http.HttpServlet; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +@WebServlet(value = "/sqli-00/BenchmarkTest00018") +public class BenchmarkTest00018 extends HttpServlet { + + private static final long serialVersionUID = 1L; + + @Override + public void doGet(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + doPost(request, response); + } + + @Override + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // some code + response.setContentType("text/html;charset=UTF-8"); + + String param = ""; + java.util.Enumeration headers = request.getHeaders("BenchmarkTest00018"); + + if (headers != null && headers.hasMoreElements()) { + param = headers.nextElement(); // just grab first element + } + + // URL Decode the header value since req.getHeaders() doesn't. Unlike req.getParameters(). 
+ param = java.net.URLDecoder.decode(param, "UTF-8"); + + String sql = "INSERT INTO users (username, password) VALUES ('foo','" + param + "')"; + + try { + java.sql.Statement statement = + org.owasp.benchmark.helpers.DatabaseHelper.getSqlStatement(); + int count = statement.executeUpdate(sql); + org.owasp.benchmark.helpers.DatabaseHelper.outputUpdateComplete(sql, response); + } catch (java.sql.SQLException e) { + if (org.owasp.benchmark.helpers.DatabaseHelper.hideSQLErrors) { + response.getWriter().println("Error processing request."); + return; + } else throw new ServletException(e); + } + } +} diff --git a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00019.java b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00019.java new file mode 100644 index 0000000..f3fddb7 --- /dev/null +++ b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00019.java @@ -0,0 +1,107 @@ +/** + * OWASP Benchmark v1.2 + * + *
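Review bot: `param` is concatenated into the INSERT at `String sql = "INSERT INTO users (username, password) VALUES ('foo','" + param + "')";` and run through `statement.executeUpdate(sql)`, so the quoting of the decoded header value decides the statement's shape. The fix is a `java.sql.PreparedStatement` with `VALUES ('foo', ?)` and `setString(1, param)`; if this is the intended true-positive for the category, a comment on the `sql` line marking it as the sink would document that. `count` is assigned and never read, and the `Statement` from `getSqlStatement()` is not closed on either path — if the helper hands out a per-call statement, `try (java.sql.Statement statement = ...)` covers it. The `hideSQLErrors` branch returning a generic message is the right direction for the client; after its `return`, `else throw new ServletException(e);` can simply be `throw new ServletException(e);`.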

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project. For + * details, please see https://owasp.org/www-project-benchmark/. + * + *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms + * of the GNU General Public License as published by the Free Software Foundation, version 2. + * + *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY + * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details. + * + * @author Dave Wichers + * @created 2015 + */ +package org.owasp.benchmark.testcode; + +import java.io.IOException; +import javax.servlet.ServletException; +import javax.servlet.annotation.WebServlet; +import javax.servlet.http.HttpServlet; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +@WebServlet(value = "/crypto-00/BenchmarkTest00019") +public class BenchmarkTest00019 extends HttpServlet { + + private static final long serialVersionUID = 1L; + + @Override + public void doGet(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + doPost(request, response); + } + + @Override + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // some code + response.setContentType("text/html;charset=UTF-8"); + + java.io.InputStream param = request.getInputStream(); + + try { + java.util.Properties benchmarkprops = new java.util.Properties(); + benchmarkprops.load( + this.getClass().getClassLoader().getResourceAsStream("benchmark.properties")); + String algorithm = benchmarkprops.getProperty("cryptoAlg1", "DESede/ECB/PKCS5Padding"); + javax.crypto.Cipher c = javax.crypto.Cipher.getInstance(algorithm); + + // Prepare the cipher to encrypt + javax.crypto.SecretKey key = javax.crypto.KeyGenerator.getInstance("DES").generateKey(); + c.init(javax.crypto.Cipher.ENCRYPT_MODE, key); + + // encrypt and store the results + byte[] input = {(byte) '?'}; + Object inputParam = param; + if (inputParam instanceof String) input = ((String) inputParam).getBytes(); + if (inputParam instanceof java.io.InputStream) { + byte[] strInput = new byte[1000]; + int i = ((java.io.InputStream) 
inputParam).read(strInput); + if (i == -1) { + response.getWriter() + .println( + "This input source requires a POST, not a GET. Incompatible UI for the InputStream source."); + return; + } + input = java.util.Arrays.copyOf(strInput, i); + } + byte[] result = c.doFinal(input); + + java.io.File fileTarget = + new java.io.File( + new java.io.File(org.owasp.benchmark.helpers.Utils.TESTFILES_DIR), + "passwordFile.txt"); + java.io.FileWriter fw = + new java.io.FileWriter(fileTarget, true); // the true will append the new data + fw.write( + "secret_value=" + + org.owasp.esapi.ESAPI.encoder().encodeForBase64(result, true) + + "\n"); + fw.close(); + response.getWriter() + .println( + "Sensitive value: '" + + org.owasp + .esapi + .ESAPI + .encoder() + .encodeForHTML(new String(input)) + + "' encrypted and stored
"); + + } catch (java.security.NoSuchAlgorithmException + | javax.crypto.NoSuchPaddingException + | javax.crypto.IllegalBlockSizeException + | javax.crypto.BadPaddingException + | java.security.InvalidKeyException e) { + response.getWriter() + .println( + "Problem executing crypto - javax.crypto.Cipher.getInstance(java.lang.String,java.security.Provider) Test Case"); + e.printStackTrace(response.getWriter()); + throw new ServletException(e); + } + } +} diff --git a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00020.java b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00020.java new file mode 100644 index 0000000..33266ef --- /dev/null +++ b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00020.java @@ -0,0 +1,151 @@ +/** + * OWASP Benchmark v1.2 + * + *
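Review bot: `e.printStackTrace(response.getWriter())` in the catch block writes the full stack trace into the HTTP response, exposing class names and paths to the client; log it server-side with `log("Problem executing crypto test case", e)` and keep the client message generic. `fw` is a plain `java.io.FileWriter` closed only on the success path, so an exception from `fw.write` leaks the handle; `try (java.io.FileWriter fw = new java.io.FileWriter(fileTarget, true)) { ... }` covers both paths. The key comes from `KeyGenerator.getInstance("DES")` while the configured algorithm defaults to `DESede/ECB/PKCS5Padding`, and a single-DES key presumably cannot initialise a DESede cipher — worth confirming what `cryptoAlg1` resolves to in `benchmark.properties`; DES and ECB are themselves the weak-crypto pattern this category appears to exercise, so a comment naming the intended finding would help. `getResourceAsStream("benchmark.properties")` is never closed and `load` would throw a NullPointerException if the resource is missing, and the `instanceof String` branch is unreachable because `param` is the request `InputStream`.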

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project. For + * details, please see https://owasp.org/www-project-benchmark/. + * + *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms + * of the GNU General Public License as published by the Free Software Foundation, version 2. + * + *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY + * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details. + * + * @author Dave Wichers + * @created 2015 + */ +package org.owasp.benchmark.testcode; + +import java.io.IOException; +import javax.servlet.ServletException; +import javax.servlet.annotation.WebServlet; +import javax.servlet.http.HttpServlet; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +@WebServlet(value = "/crypto-00/BenchmarkTest00020") +public class BenchmarkTest00020 extends HttpServlet { + + private static final long serialVersionUID = 1L; + + @Override + public void doGet(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + doPost(request, response); + } + + @Override + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // some code + response.setContentType("text/html;charset=UTF-8"); + + String param = request.getParameter("BenchmarkTest00020"); + if (param == null) param = ""; + + // Code based on example from: + // http://examples.javacodegeeks.com/core-java/crypto/encrypt-decrypt-file-stream-with-des/ + // 8-byte initialization vector + // byte[] iv = { + // (byte)0xB2, (byte)0x12, (byte)0xD5, (byte)0xB2, + // (byte)0x44, (byte)0x21, (byte)0xC3, (byte)0xC3033 + // }; + java.security.SecureRandom random = new java.security.SecureRandom(); + byte[] iv = random.generateSeed(8); // DES requires 8 byte keys + + try { + javax.crypto.Cipher c = + javax.crypto.Cipher.getInstance("DES/CBC/PKCS5Padding", "SunJCE"); + // Prepare the cipher to encrypt + javax.crypto.SecretKey key = javax.crypto.KeyGenerator.getInstance("DES").generateKey(); + java.security.spec.AlgorithmParameterSpec paramSpec = + new javax.crypto.spec.IvParameterSpec(iv); + 
c.init(javax.crypto.Cipher.ENCRYPT_MODE, key, paramSpec); + + // encrypt and store the results + byte[] input = {(byte) '?'}; + Object inputParam = param; + if (inputParam instanceof String) input = ((String) inputParam).getBytes(); + if (inputParam instanceof java.io.InputStream) { + byte[] strInput = new byte[1000]; + int i = ((java.io.InputStream) inputParam).read(strInput); + if (i == -1) { + response.getWriter() + .println( + "This input source requires a POST, not a GET. Incompatible UI for the InputStream source."); + return; + } + input = java.util.Arrays.copyOf(strInput, i); + } + byte[] result = c.doFinal(input); + + java.io.File fileTarget = + new java.io.File( + new java.io.File(org.owasp.benchmark.helpers.Utils.TESTFILES_DIR), + "passwordFile.txt"); + java.io.FileWriter fw = + new java.io.FileWriter(fileTarget, true); // the true will append the new data + fw.write( + "secret_value=" + + org.owasp.esapi.ESAPI.encoder().encodeForBase64(result, true) + + "\n"); + fw.close(); + response.getWriter() + .println( + "Sensitive value: '" + + org.owasp + .esapi + .ESAPI + .encoder() + .encodeForHTML(new String(input)) + + "' encrypted and stored
"); + + } catch (java.security.NoSuchAlgorithmException e) { + response.getWriter() + .println( + "Problem executing crypto - javax.crypto.Cipher.getInstance(java.lang.String,java.security.Provider) Test Case"); + e.printStackTrace(response.getWriter()); + throw new ServletException(e); + } catch (java.security.NoSuchProviderException e) { + response.getWriter() + .println( + "Problem executing crypto - javax.crypto.Cipher.getInstance(java.lang.String,java.security.Provider) Test Case"); + e.printStackTrace(response.getWriter()); + throw new ServletException(e); + } catch (javax.crypto.NoSuchPaddingException e) { + response.getWriter() + .println( + "Problem executing crypto - javax.crypto.Cipher.getInstance(java.lang.String,java.security.Provider) Test Case"); + e.printStackTrace(response.getWriter()); + throw new ServletException(e); + } catch (javax.crypto.IllegalBlockSizeException e) { + response.getWriter() + .println( + "Problem executing crypto - javax.crypto.Cipher.getInstance(java.lang.String,java.security.Provider) Test Case"); + e.printStackTrace(response.getWriter()); + throw new ServletException(e); + } catch (javax.crypto.BadPaddingException e) { + response.getWriter() + .println( + "Problem executing crypto - javax.crypto.Cipher.getInstance(java.lang.String,java.security.Provider) Test Case"); + e.printStackTrace(response.getWriter()); + throw new ServletException(e); + } catch (java.security.InvalidKeyException e) { + response.getWriter() + .println( + "Problem executing crypto - javax.crypto.Cipher.getInstance(java.lang.String,java.security.Provider) Test Case"); + e.printStackTrace(response.getWriter()); + throw new ServletException(e); + } catch (java.security.InvalidAlgorithmParameterException e) { + response.getWriter() + .println( + "Problem executing crypto - javax.crypto.Cipher.getInstance(java.lang.String,java.security.Provider) Test Case"); + e.printStackTrace(response.getWriter()); + throw new ServletException(e); + } + 
response.getWriter() + .println( + "Crypto Test javax.crypto.Cipher.getInstance(java.lang.String,java.lang.String) executed"); + } +} From d304b19f0b5c8b4c5ae69f98e22039e3e834697f Mon Sep 17 00:00:00 2001 From: davewichers Date: Wed, 1 May 2024 13:53:43 -0500 Subject: [PATCH 19/19] Add 5x more test cases. --- .../testcode/BenchmarkTest00021.java | 97 +++++++++++++++++++ .../testcode/BenchmarkTest00022.java | 96 ++++++++++++++++++ .../testcode/BenchmarkTest00023.java | 96 ++++++++++++++++++ .../testcode/BenchmarkTest00024.java | 68 +++++++++++++ .../testcode/BenchmarkTest00025.java | 66 +++++++++++++ 5 files changed, 423 insertions(+) create mode 100644 src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00021.java create mode 100644 src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00022.java create mode 100644 src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00023.java create mode 100644 src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00024.java create mode 100644 src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00025.java diff --git a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00021.java b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00021.java new file mode 100644 index 0000000..0b469a3 --- /dev/null +++ b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00021.java @@ -0,0 +1,97 @@ +/** + * OWASP Benchmark v1.2 + * + *
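Review bot: `random.generateSeed(8)` is the API for obtaining seed material for another PRNG, and the comment beside it (`// DES requires 8 byte keys`) describes a key although the bytes become the CBC IV; `byte[] iv = new byte[8]; random.nextBytes(iv); // 8-byte IV for the DES block size` is the intended call. The seven catch blocks are identical, and BenchmarkTest00019 in the same series already uses a multi-catch for this — consolidated below; each of them also copies the stack trace into the HTTP response with `e.printStackTrace(response.getWriter())`, which should go to the servlet log instead. `fw` is closed only on the success path and the `instanceof java.io.InputStream` branch cannot run because `param` is a `String`; the commented-out IV literal above `random` (with what looks like a `(byte)0xC3033` typo) can be deleted now that it is unused.
```java
// … unchanged: try body (cipher setup, encrypt, write passwordFile.txt, response) …
} catch (java.security.NoSuchAlgorithmException
        | java.security.NoSuchProviderException
        | javax.crypto.NoSuchPaddingException
        | javax.crypto.IllegalBlockSizeException
        | javax.crypto.BadPaddingException
        | java.security.InvalidKeyException
        | java.security.InvalidAlgorithmParameterException e) {
    // Stack trace stays server-side; the client only gets the generic message.
    log("Problem executing crypto - javax.crypto.Cipher.getInstance(java.lang.String,java.security.Provider) Test Case", e);
    response.getWriter()
            .println(
                    "Problem executing crypto - javax.crypto.Cipher.getInstance(java.lang.String,java.security.Provider) Test Case");
    throw new ServletException(e);
}
// … unchanged: final "Crypto Test … executed" println …
```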

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project. For + * details, please see https://owasp.org/www-project-benchmark/. + * + *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms + * of the GNU General Public License as published by the Free Software Foundation, version 2. + * + *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY + * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details. + * + * @author Dave Wichers + * @created 2015 + */ +package org.owasp.benchmark.testcode; + +import java.io.IOException; +import javax.servlet.ServletException; +import javax.servlet.annotation.WebServlet; +import javax.servlet.http.HttpServlet; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +@WebServlet(value = "/ldapi-00/BenchmarkTest00021") +public class BenchmarkTest00021 extends HttpServlet { + + private static final long serialVersionUID = 1L; + + @Override + public void doGet(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + doPost(request, response); + } + + @Override + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // some code + response.setContentType("text/html;charset=UTF-8"); + + String param = request.getParameter("BenchmarkTest00021"); + if (param == null) param = ""; + + org.owasp.benchmark.helpers.LDAPManager ads = new org.owasp.benchmark.helpers.LDAPManager(); + try { + response.setContentType("text/html;charset=UTF-8"); + javax.naming.directory.DirContext ctx = ads.getDirContext(); + String base = "ou=users,ou=system"; + javax.naming.directory.SearchControls sc = new javax.naming.directory.SearchControls(); + sc.setSearchScope(javax.naming.directory.SearchControls.SUBTREE_SCOPE); + String filter = "(&(objectclass=person))(|(uid=" + param + ")(street={0}))"; + Object[] filters = new Object[] {"The streetz 4 Ms bar"}; + // System.out.println("Filter " + filter); + boolean found = false; + javax.naming.NamingEnumeration results = + ctx.search(base, filter, filters, sc); + while (results.hasMore()) { + 
javax.naming.directory.SearchResult sr = + (javax.naming.directory.SearchResult) results.next(); + javax.naming.directory.Attributes attrs = sr.getAttributes(); + + javax.naming.directory.Attribute attr = attrs.get("uid"); + javax.naming.directory.Attribute attr2 = attrs.get("street"); + if (attr != null) { + response.getWriter() + .println( + "LDAP query results:
" + + "Record found with name " + + attr.get() + + "
" + + "Address: " + + attr2.get() + + "
"); + // System.out.println("record found " + attr.get()); + found = true; + } + } + if (!found) { + response.getWriter() + .println( + "LDAP query results: nothing found for query: " + + org.owasp.esapi.ESAPI.encoder().encodeForHTML(filter)); + } + } catch (javax.naming.NamingException e) { + throw new ServletException(e); + } finally { + try { + ads.closeDirContext(); + } catch (Exception e) { + throw new ServletException(e); + } + } + } +} diff --git a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00022.java b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00022.java new file mode 100644 index 0000000..b9c8ae6 --- /dev/null +++ b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00022.java @@ -0,0 +1,96 @@ +/** + * OWASP Benchmark v1.2 + * + *
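Review bot: In the found-record branch of `BenchmarkTest00021.doPost`, `attr.get()` and `attr2.get()` are written into the HTML response raw, while the not-found branch encodes the filter with `encodeForHTML`; directory attribute values are data the servlet does not control, so they should go through the same encoder, e.g. `org.owasp.esapi.ESAPI.encoder().encodeForHTML(String.valueOf(attr.get()))`. `attr2` is also dereferenced without the null check that guards `attr`, so a person entry with no `street` attribute ends in a NullPointerException out of `doPost`; `attr2 == null ? "" : attr2.get()` closes that. The `uid=` value is concatenated into the filter while `street` uses the `{0}` placeholder — presumably this is the intended LDAP-injection sink for the test case, so it is not flagged as a bug here, but a comment such as `// uid is concatenated on purpose: this is the injection sink under test` would stop a well-meaning cleanup. The raw `NamingEnumeration results` is never closed; `results.close()` in the `finally` (or a try/finally around the loop) releases it.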

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project. For + * details, please see https://owasp.org/www-project-benchmark/. + * + *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms + * of the GNU General Public License as published by the Free Software Foundation, version 2. + * + *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY + * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details. + * + * @author Dave Wichers + * @created 2015 + */ +package org.owasp.benchmark.testcode; + +import java.io.IOException; +import javax.servlet.ServletException; +import javax.servlet.annotation.WebServlet; +import javax.servlet.http.HttpServlet; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +@WebServlet(value = "/hash-00/BenchmarkTest00022") +public class BenchmarkTest00022 extends HttpServlet { + + private static final long serialVersionUID = 1L; + + @Override + public void doGet(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + doPost(request, response); + } + + @Override + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // some code + response.setContentType("text/html;charset=UTF-8"); + + String param = request.getParameter("BenchmarkTest00022"); + if (param == null) param = ""; + + try { + java.security.MessageDigest md = java.security.MessageDigest.getInstance("SHA-256"); + byte[] input = {(byte) '?'}; + Object inputParam = param; + if (inputParam instanceof String) input = ((String) inputParam).getBytes(); + if (inputParam instanceof java.io.InputStream) { + byte[] strInput = new byte[1000]; + int i = ((java.io.InputStream) inputParam).read(strInput); + if (i == -1) { + response.getWriter() + .println( + "This input source requires a POST, not a GET. 
Incompatible UI for the InputStream source."); + return; + } + input = java.util.Arrays.copyOf(strInput, i); + } + md.update(input); + + byte[] result = md.digest(); + java.io.File fileTarget = + new java.io.File( + new java.io.File(org.owasp.benchmark.helpers.Utils.TESTFILES_DIR), + "passwordFile.txt"); + java.io.FileWriter fw = + new java.io.FileWriter(fileTarget, true); // the true will append the new data + fw.write( + "hash_value=" + + org.owasp.esapi.ESAPI.encoder().encodeForBase64(result, true) + + "\n"); + fw.close(); + response.getWriter() + .println( + "Sensitive value '" + + org.owasp + .esapi + .ESAPI + .encoder() + .encodeForHTML(new String(input)) + + "' hashed and stored
"); + + } catch (java.security.NoSuchAlgorithmException e) { + System.out.println("Problem executing hash - TestCase"); + throw new ServletException(e); + } + + response.getWriter() + .println( + "Hash Test java.security.MessageDigest.getInstance(java.lang.String) executed"); + } +} diff --git a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00023.java b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00023.java new file mode 100644 index 0000000..a26bb3e --- /dev/null +++ b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00023.java @@ -0,0 +1,96 @@ +/** + * OWASP Benchmark v1.2 + * + *
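Review bot: `fw` in `BenchmarkTest00022.doPost` is a `java.io.FileWriter` opened outside any try-with-resources, so if `fw.write` throws the handle leaks and `passwordFile.txt` stays open; `try (java.io.FileWriter fw = new java.io.FileWriter(fileTarget, true)) { fw.write(...); }` fixes that without changing what is appended. `((String) inputParam).getBytes()` and `new String(input)` also use the platform default charset, so the digest of the same parameter can differ between JVMs — pass `java.nio.charset.StandardCharsets.UTF_8` to both. The `inputParam instanceof java.io.InputStream` branch is unreachable because `inputParam` is assigned from a `String`; it reads like template residue and should be dropped or annotated with why it is kept. The unsalted SHA-256 stored as `hash_value=` is presumably the hashing construct this test case exists to exercise, so a password KDF is not suggested here.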

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project. For + * details, please see https://owasp.org/www-project-benchmark/. + * + *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms + * of the GNU General Public License as published by the Free Software Foundation, version 2. + * + *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY + * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details. + * + * @author Dave Wichers + * @created 2015 + */ +package org.owasp.benchmark.testcode; + +import java.io.IOException; +import javax.servlet.ServletException; +import javax.servlet.annotation.WebServlet; +import javax.servlet.http.HttpServlet; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +@WebServlet(value = "/weakrand-00/BenchmarkTest00023") +public class BenchmarkTest00023 extends HttpServlet { + + private static final long serialVersionUID = 1L; + + @Override + public void doGet(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + doPost(request, response); + } + + @Override + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // some code + response.setContentType("text/html;charset=UTF-8"); + + String param = request.getParameter("BenchmarkTest00023"); + if (param == null) param = ""; + + float rand = new java.util.Random().nextFloat(); + String rememberMeKey = Float.toString(rand).substring(2); // Trim off the 0. at the front. 
+ + String user = "Floyd"; + String fullClassName = this.getClass().getName(); + String testCaseNumber = + fullClassName.substring( + fullClassName.lastIndexOf('.') + 1 + "BenchmarkTest".length()); + user += testCaseNumber; + + String cookieName = "rememberMe" + testCaseNumber; + + boolean foundUser = false; + javax.servlet.http.Cookie[] cookies = request.getCookies(); + if (cookies != null) { + for (int i = 0; !foundUser && i < cookies.length; i++) { + javax.servlet.http.Cookie cookie = cookies[i]; + if (cookieName.equals(cookie.getName())) { + if (cookie.getValue().equals(request.getSession().getAttribute(cookieName))) { + foundUser = true; + } + } + } + } + + if (foundUser) { + response.getWriter().println("Welcome back: " + user + "
"); + } else { + javax.servlet.http.Cookie rememberMe = + new javax.servlet.http.Cookie(cookieName, rememberMeKey); + rememberMe.setSecure(true); + rememberMe.setHttpOnly(true); + rememberMe.setDomain(new java.net.URL(request.getRequestURL().toString()).getHost()); + rememberMe.setPath(request.getRequestURI()); // i.e., set path to JUST this servlet + // e.g., /benchmark/sql-01/BenchmarkTest01001 + request.getSession().setAttribute(cookieName, rememberMeKey); + response.addCookie(rememberMe); + response.getWriter() + .println( + user + + " has been remembered with cookie: " + + rememberMe.getName() + + " whose value is: " + + rememberMe.getValue() + + "
"); + } + + response.getWriter().println("Weak Randomness Test java.util.Random.nextFloat() executed"); + } +} diff --git a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00024.java b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00024.java new file mode 100644 index 0000000..a43678b --- /dev/null +++ b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00024.java @@ -0,0 +1,68 @@ +/** + * OWASP Benchmark v1.2 + * + *
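Review bot: The comment `// Trim off the 0. at the front.` on `Float.toString(rand).substring(2)` only holds for floats that print in plain decimal: `Float.toString` switches to scientific notation below 1e-3 (so `5.0E-4` becomes `0E-4`) and `nextFloat()` can return `0.0f`, which becomes `"0"`, leaving a near-empty cookie value on some requests. Keeping `java.util.Random.nextFloat()` as the sink this test case targets, a format-independent encoding such as `String rememberMeKey = Integer.toHexString(Float.floatToIntBits(rand));` removes that dependence. Separately from the RNG choice, `nextFloat()` yields only 24 random bits, so the token would carry at most that much entropy even with a secure generator — worth a comment if the small token is deliberate. `new java.net.URL(String)` in `setDomain(...)` is deprecated since Java 20; `java.net.URI.create(request.getRequestURL().toString()).getHost()` is the replacement, though the target JDK level is not visible in the hunk.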

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project. For + * details, please see https://owasp.org/www-project-benchmark/. + * + *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms + * of the GNU General Public License as published by the Free Software Foundation, version 2. + * + *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY + * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details. + * + * @author Dave Wichers + * @created 2015 + */ +package org.owasp.benchmark.testcode; + +import java.io.IOException; +import javax.servlet.ServletException; +import javax.servlet.annotation.WebServlet; +import javax.servlet.http.HttpServlet; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +@WebServlet(value = "/sqli-00/BenchmarkTest00024") +public class BenchmarkTest00024 extends HttpServlet { + + private static final long serialVersionUID = 1L; + + @Override + public void doGet(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + doPost(request, response); + } + + @Override + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // some code + response.setContentType("text/html;charset=UTF-8"); + + String param = request.getParameter("BenchmarkTest00024"); + if (param == null) param = ""; + + String sql = "SELECT * from USERS where USERNAME=? and PASSWORD='" + param + "'"; + + try { + java.sql.Connection connection = + org.owasp.benchmark.helpers.DatabaseHelper.getSqlConnection(); + java.sql.PreparedStatement statement = + connection.prepareStatement( + sql, + java.sql.ResultSet.TYPE_FORWARD_ONLY, + java.sql.ResultSet.CONCUR_READ_ONLY, + java.sql.ResultSet.CLOSE_CURSORS_AT_COMMIT); + statement.setString(1, "foo"); + statement.execute(); + org.owasp.benchmark.helpers.DatabaseHelper.printResults(statement, sql, response); + } catch (java.sql.SQLException e) { + if (org.owasp.benchmark.helpers.DatabaseHelper.hideSQLErrors) { + response.getWriter().println("Error processing request."); + return; + } else throw new ServletException(e); + } + } +} 
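Review bot: `connection` and `statement` in `BenchmarkTest00024.doPost` are never closed, so every request leaks a JDBC statement (and the connection too, if `getSqlConnection()` hands out a fresh one — its contract is not visible in the hunk). Try-with-resources keeps the rest of the method unchanged: `try (java.sql.Connection connection = org.owasp.benchmark.helpers.DatabaseHelper.getSqlConnection(); java.sql.PreparedStatement statement = connection.prepareStatement(sql, ...)) {`; if the helper returns a shared connection, close only the statement. The `PASSWORD='" + param + "'` concatenation next to the bound `USERNAME=?` is presumably the SQL-injection sink this test case exists for, so it is not flagged as a bug, but a one-line comment marking it as deliberate would prevent an accidental "fix". `printResults` receives `sql` with the raw parameter embedded; whether it encodes that before echoing is outside this hunk.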
diff --git a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00025.java b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00025.java new file mode 100644 index 0000000..051a1c7 --- /dev/null +++ b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00025.java @@ -0,0 +1,66 @@ +/** + * OWASP Benchmark v1.2 + * + *

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project. For + * details, please see https://owasp.org/www-project-benchmark/. + * + *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms + * of the GNU General Public License as published by the Free Software Foundation, version 2. + * + *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY + * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details. + * + * @author Dave Wichers + * @created 2015 + */ +package org.owasp.benchmark.testcode; + +import java.io.IOException; +import javax.servlet.ServletException; +import javax.servlet.annotation.WebServlet; +import javax.servlet.http.HttpServlet; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +@WebServlet(value = "/sqli-00/BenchmarkTest00025") +public class BenchmarkTest00025 extends HttpServlet { + + private static final long serialVersionUID = 1L; + + @Override + public void doGet(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + doPost(request, response); + } + + @Override + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // some code + response.setContentType("text/html;charset=UTF-8"); + + String param = request.getParameter("BenchmarkTest00025"); + if (param == null) param = ""; + + String sql = "SELECT userid from USERS where USERNAME='foo' and PASSWORD='" + param + "'"; + try { + // Long results = + // org.owasp.benchmark.helpers.DatabaseHelper.JDBCtemplate.queryForLong(sql); + Long results = + org.owasp.benchmark.helpers.DatabaseHelper.JDBCtemplate.queryForObject( + sql, Long.class); + response.getWriter().println("Your results are: " + String.valueOf(results)); + } catch (org.springframework.dao.EmptyResultDataAccessException e) { + response.getWriter() + .println( + "No results returned for query: " + + org.owasp.esapi.ESAPI.encoder().encodeForHTML(sql)); + } catch (org.springframework.dao.DataAccessException e) { + if (org.owasp.benchmark.helpers.DatabaseHelper.hideSQLErrors) { + response.getWriter().println("Error processing request."); + 
} else throw new ServletException(e); + } + } +}
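Review bot: The `EmptyResultDataAccessException` branch in `BenchmarkTest00025.doPost` echoes the complete SQL text — including the attacker-controlled `param` spliced into `PASSWORD='...'` — back to the client; HTML encoding prevents script injection but still discloses the query structure and the `USERS`/`USERNAME`/`PASSWORD` names to anyone probing the concatenation. If that echo is intentional for the benchmark's result checking, a comment saying so would help; otherwise `"No results returned."` with the query logged server-side is the usual shape. The commented-out `// Long results = ...queryForLong(sql);` lines are dead code and should be removed rather than left beside the live `queryForObject(sql, Long.class)` call. The string-built `sql` handed to `JdbcTemplate.queryForObject` is presumably the injection sink this test case targets and is not flagged here.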