diff --git a/.github/workflows/contrast-scan.yml b/.github/workflows/contrast-scan.yml index efa4854..dd52847 100644 --- a/.github/workflows/contrast-scan.yml +++ b/.github/workflows/contrast-scan.yml @@ -26,7 +26,7 @@ permissions: name: Scan analyze workflow jobs: - build-and-scan: + contrast-codesec: permissions: contents: read # for actions/checkout security-events: write # for github/codeql-action/upload-sarif @@ -34,20 +34,29 @@ jobs: runs-on: ubuntu-latest # check out project steps: - - uses: actions/checkout@v3 - # Since Contrast Scan is designed to run against your deployable artifact, the steps to build your artifact should go here. - # -name: Build Project - # ... + - uses: actions/checkout@v4 + with: + fetch-depth: 0 + # Build the war + - name: Java 8 + uses: actions/setup-java@v4 + with: + java-version: '8' + distribution: 'zulu' + - name: Build WAR + run: mvn package + - name: Verify WAR built + run: ls -l target/ # Scan Artifact - name: Contrast Scan Action - uses: Contrast-Security-OSS/contrastscan-action@7352a45d9678ec8a434cf061b07ffb51c1e351a1 + uses: Contrast-Security-OSS/contrastscan-action@v3.0.1 with: - artifact: mypath/target/myartifact.jar # replace this path with the path to your built artifact + artifact: target/benchmark.war # replace this path with the path to your built artifact apiKey: ${{ secrets.CONTRAST_API_KEY }} orgId: ${{ secrets.CONTRAST_ORGANIZATION_ID }} authHeader: ${{ secrets.CONTRAST_AUTH_HEADER }} - #Upload the results to GitHub + # Upload the results to GitHub - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: results.sarif # The file name must be 'results.sarif', as this is what the Github Action will output diff --git a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00006.java b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00006.java new file mode 100644 index 0000000..2359c9b --- /dev/null 
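Review bot: The `uses: Contrast-Security-OSS/contrastscan-action@v3.0.1` line replaces a full-length commit pin (`7352a45d…`) with a mutable tag, so the scan step now runs whatever that tag points to at run time; the newly added `actions/checkout@v4`, `actions/setup-java@v4` and `github/codeql-action/upload-sarif@v3` references have the same property. Pin each third-party action to its commit and keep the version as a trailing comment, e.g. `uses: Contrast-Security-OSS/contrastscan-action@<full-commit-sha-of-v3.0.1> # v3.0.1`. Separately, the `Verify WAR built` step only lists the directory (`ls -l target/`) and succeeds even when the artifact is absent; `run: test -f target/benchmark.war` fails the job at that step instead of letting the scan action report a missing file. `fetch-depth: 0` pulls the whole history, which `mvn package` does not appear to need — drop it unless the scan action requires it.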
+++ b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00006.java @@ -0,0 +1,77 @@ +/** + * OWASP Benchmark v1.2 + * + *

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project. For + * details, please see https://owasp.org/www-project-benchmark/. + * + *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms + * of the GNU General Public License as published by the Free Software Foundation, version 2. + * + *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY + * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details. + * + * @author Dave Wichers + * @created 2015 + */ +package org.owasp.benchmark.testcode; + +import java.io.IOException; +import javax.servlet.ServletException; +import javax.servlet.annotation.WebServlet; +import javax.servlet.http.HttpServlet; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +@WebServlet(value = "/cmdi-00/BenchmarkTest00006") +public class BenchmarkTest00006 extends HttpServlet { + + private static final long serialVersionUID = 1L; + + @Override + public void doGet(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + doPost(request, response); + } + + @Override + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // some code + response.setContentType("text/html;charset=UTF-8"); + + String param = ""; + if (request.getHeader("BenchmarkTest00006") != null) { + param = request.getHeader("BenchmarkTest00006"); + } + + // URL Decode the header value since req.getHeader() doesn't. Unlike req.getParameter(). 
+ param = java.net.URLDecoder.decode(param, "UTF-8"); + + java.util.List argList = new java.util.ArrayList(); + + String osName = System.getProperty("os.name"); + if (osName.indexOf("Windows") != -1) { + argList.add("cmd.exe"); + argList.add("/c"); + } else { + argList.add("sh"); + argList.add("-c"); + } + argList.add("echo " + param); + + ProcessBuilder pb = new ProcessBuilder(); + + pb.command(argList); + + try { + Process p = pb.start(); + org.owasp.benchmark.helpers.Utils.printOSCommandResults(p, response); + } catch (IOException e) { + System.out.println( + "Problem executing cmdi - java.lang.ProcessBuilder(java.util.List) Test Case"); + throw new ServletException(e); + } + } +} diff --git a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00007.java b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00007.java new file mode 100644 index 0000000..d1d180a --- /dev/null +++ b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00007.java @@ -0,0 +1,70 @@ +/** + * OWASP Benchmark v1.2 + * + *
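Review bot: `argList.add("echo " + param)` splices the decoded `BenchmarkTest00006` header into the single string handed to `sh -c` / `cmd.exe /c`, so the request controls the entire command line; BenchmarkTest00015 builds the identical command from its own header. If this is the command-injection sink the test case is meant to exercise, the `// some code` placeholder should be replaced by a comment naming it, e.g. `// Intentional CWE-78 sink: decoded header value is concatenated into the shell command string`, so a reader does not mistake it for an oversight. The `catch (IOException e)` block prints a fixed message to `System.out` and then rethrows; the container already receives the cause through `ServletException`, so either drop the println or use `getServletContext().log(...)` so it lands in the servlet log. `osName.indexOf("Windows")` would throw if `os.name` were unset; `osName != null && osName.contains("Windows")` covers that, though the property is practically always present.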

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project. For + * details, please see https://owasp.org/www-project-benchmark/. + * + *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms + * of the GNU General Public License as published by the Free Software Foundation, version 2. + * + *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY + * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details. + * + * @author Dave Wichers + * @created 2015 + */ +package org.owasp.benchmark.testcode; + +import java.io.IOException; +import javax.servlet.ServletException; +import javax.servlet.annotation.WebServlet; +import javax.servlet.http.HttpServlet; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +@WebServlet(value = "/cmdi-00/BenchmarkTest00007") +public class BenchmarkTest00007 extends HttpServlet { + + private static final long serialVersionUID = 1L; + + @Override + public void doGet(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + doPost(request, response); + } + + @Override + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // some code + response.setContentType("text/html;charset=UTF-8"); + + String param = ""; + if (request.getHeader("BenchmarkTest00007") != null) { + param = request.getHeader("BenchmarkTest00007"); + } + + // URL Decode the header value since req.getHeader() doesn't. Unlike req.getParameter(). + param = java.net.URLDecoder.decode(param, "UTF-8"); + + String cmd = + org.owasp.benchmark.helpers.Utils.getInsecureOSCommandString( + this.getClass().getClassLoader()); + String[] args = {cmd}; + String[] argsEnv = {param}; + + Runtime r = Runtime.getRuntime(); + + try { + Process p = r.exec(args, argsEnv); + org.owasp.benchmark.helpers.Utils.printOSCommandResults(p, response); + } catch (IOException e) { + System.out.println("Problem executing cmdi - TestCase"); + response.getWriter() + .println(org.owasp.esapi.ESAPI.encoder().encodeForHTML(e.getMessage())); + return; + } + } +} 
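Review bot: On the `catch (IOException e)` path the servlet writes `e.getMessage()` into the response body; `encodeForHTML` prevents script injection but still hands the client the failure detail (typically the command path and OS error), which is an information-disclosure issue distinct from the command-execution case this test exercises. Log the exception server-side and print a fixed message, e.g. `getServletContext().log("Problem executing cmdi - TestCase", e); response.getWriter().println("Error processing request.");`; this also makes the error handling consistent with BenchmarkTest00006, which rethrows as `ServletException` instead of swallowing. The `argsEnv = {param}` array is passed as the environment block of `Runtime.exec(String[], String[])`, whose entries are documented as `name=value` pairs; a bare header value without `=` may be dropped or rejected depending on the platform — confirm that this is the intended shape of the test. `System.out.println` in a servlet goes to process stdout rather than the container log.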
diff --git a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00008.java b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00008.java new file mode 100644 index 0000000..3d2710e --- /dev/null +++ b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00008.java @@ -0,0 +1,68 @@ +/** + * OWASP Benchmark v1.2 + * + *

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project. For + * details, please see https://owasp.org/www-project-benchmark/. + * + *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms + * of the GNU General Public License as published by the Free Software Foundation, version 2. + * + *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY + * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details. + * + * @author Dave Wichers + * @created 2015 + */ +package org.owasp.benchmark.testcode; + +import java.io.IOException; +import javax.servlet.ServletException; +import javax.servlet.annotation.WebServlet; +import javax.servlet.http.HttpServlet; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +@WebServlet(value = "/sqli-00/BenchmarkTest00008") +public class BenchmarkTest00008 extends HttpServlet { + + private static final long serialVersionUID = 1L; + + @Override + public void doGet(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + doPost(request, response); + } + + @Override + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // some code + response.setContentType("text/html;charset=UTF-8"); + + String param = ""; + if (request.getHeader("BenchmarkTest00008") != null) { + param = request.getHeader("BenchmarkTest00008"); + } + + // URL Decode the header value since req.getHeader() doesn't. Unlike req.getParameter(). + param = java.net.URLDecoder.decode(param, "UTF-8"); + + String sql = "{call " + param + "}"; + + try { + java.sql.Connection connection = + org.owasp.benchmark.helpers.DatabaseHelper.getSqlConnection(); + java.sql.CallableStatement statement = connection.prepareCall(sql); + java.sql.ResultSet rs = statement.executeQuery(); + org.owasp.benchmark.helpers.DatabaseHelper.printResults(rs, sql, response); + + } catch (java.sql.SQLException e) { + if (org.owasp.benchmark.helpers.DatabaseHelper.hideSQLErrors) { + response.getWriter().println("Error processing request."); + return; + } else throw new ServletException(e); + } + } +} 
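Review bot: The `Connection`, `CallableStatement` and `ResultSet` opened in the `try` block are never closed, on either the success or the `SQLException` path, so each request leaks a statement and cursor (and a connection, if `getSqlConnection()` hands out a fresh one) until the driver or GC reclaims them; this is independent of the string-built `{call ...}` that the test case exercises. Declare them in a try-with-resources header so they are closed in reverse order even when `executeQuery` throws; if `DatabaseHelper.getSqlConnection()` returns a shared connection, keep it out of the resource list and close only the statement and result set. The `else throw new ServletException(e)` without braces after a braced `if` is inconsistent with the rest of the file's brace style.
```java
try (java.sql.Connection connection =
                org.owasp.benchmark.helpers.DatabaseHelper.getSqlConnection();
        java.sql.CallableStatement statement = connection.prepareCall(sql);
        java.sql.ResultSet rs = statement.executeQuery()) {
    org.owasp.benchmark.helpers.DatabaseHelper.printResults(rs, sql, response);
} catch (java.sql.SQLException e) {
    // … unchanged: hideSQLErrors handling …
}
```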
diff --git a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00009.java b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00009.java new file mode 100644 index 0000000..abe18a4 --- /dev/null +++ b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00009.java @@ -0,0 +1,124 @@ +/** + * OWASP Benchmark v1.2 + * + *

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project. For + * details, please see https://owasp.org/www-project-benchmark/. + * + *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms + * of the GNU General Public License as published by the Free Software Foundation, version 2. + * + *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY + * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details. + * + * @author Dave Wichers + * @created 2015 + */ +package org.owasp.benchmark.testcode; + +import java.io.IOException; +import javax.servlet.ServletException; +import javax.servlet.annotation.WebServlet; +import javax.servlet.http.HttpServlet; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +@WebServlet(value = "/hash-00/BenchmarkTest00009") +public class BenchmarkTest00009 extends HttpServlet { + + private static final long serialVersionUID = 1L; + + @Override + public void doGet(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + doPost(request, response); + } + + @Override + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // some code + response.setContentType("text/html;charset=UTF-8"); + + String param = ""; + java.util.Enumeration names = request.getHeaderNames(); + while (names.hasMoreElements()) { + String name = (String) names.nextElement(); + + if (org.owasp.benchmark.helpers.Utils.commonHeaders.contains(name)) { + continue; // If standard header, move on to next one + } + + java.util.Enumeration values = request.getHeaders(name); + if (values != null && values.hasMoreElements()) { + param = name; // Grabs the name of the first non-standard header as the parameter + // value + break; + } + } + // Note: We don't URL decode header names because people don't normally do that + + java.security.Provider[] provider = java.security.Security.getProviders(); + java.security.MessageDigest md; + + try { + if (provider.length > 1) { + + md = java.security.MessageDigest.getInstance("sha-384", provider[0]); + } else { + md = 
java.security.MessageDigest.getInstance("sha-384", "SUN"); + } + byte[] input = {(byte) '?'}; + Object inputParam = param; + if (inputParam instanceof String) input = ((String) inputParam).getBytes(); + if (inputParam instanceof java.io.InputStream) { + byte[] strInput = new byte[1000]; + int i = ((java.io.InputStream) inputParam).read(strInput); + if (i == -1) { + response.getWriter() + .println( + "This input source requires a POST, not a GET. Incompatible UI for the InputStream source."); + return; + } + input = java.util.Arrays.copyOf(strInput, i); + } + md.update(input); + + byte[] result = md.digest(); + java.io.File fileTarget = + new java.io.File( + new java.io.File(org.owasp.benchmark.helpers.Utils.TESTFILES_DIR), + "passwordFile.txt"); + java.io.FileWriter fw = + new java.io.FileWriter(fileTarget, true); // the true will append the new data + fw.write( + "hash_value=" + + org.owasp.esapi.ESAPI.encoder().encodeForBase64(result, true) + + "\n"); + fw.close(); + response.getWriter() + .println( + "Sensitive value '" + + org.owasp + .esapi + .ESAPI + .encoder() + .encodeForHTML(new String(input)) + + "' hashed and stored
"); + + } catch (java.security.NoSuchAlgorithmException e) { + System.out.println( + "Problem executing hash - TestCase java.security.MessageDigest.getInstance(java.lang.String,java.security.Provider)"); + throw new ServletException(e); + } catch (java.security.NoSuchProviderException e) { + System.out.println( + "Problem executing hash - TestCase java.security.MessageDigest.getInstance(java.lang.String,java.security.Provider)"); + throw new ServletException(e); + } + + response.getWriter() + .println( + "Hash Test java.security.MessageDigest.getInstance(java.lang.String,java.security.Provider) executed"); + } +} diff --git a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00010.java b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00010.java new file mode 100644 index 0000000..2a08396 --- /dev/null +++ b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00010.java @@ -0,0 +1,116 @@ +/** + * OWASP Benchmark v1.2 + * + *

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project. For + * details, please see https://owasp.org/www-project-benchmark/. + * + *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms + * of the GNU General Public License as published by the Free Software Foundation, version 2. + * + *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY + * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details. + * + * @author Dave Wichers + * @created 2015 + */ +package org.owasp.benchmark.testcode; + +import java.io.IOException; +import javax.servlet.ServletException; +import javax.servlet.annotation.WebServlet; +import javax.servlet.http.HttpServlet; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +@WebServlet(value = "/weakrand-00/BenchmarkTest00010") +public class BenchmarkTest00010 extends HttpServlet { + + private static final long serialVersionUID = 1L; + + @Override + public void doGet(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + doPost(request, response); + } + + @Override + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // some code + response.setContentType("text/html;charset=UTF-8"); + + String param = ""; + java.util.Enumeration names = request.getHeaderNames(); + while (names.hasMoreElements()) { + String name = (String) names.nextElement(); + + if (org.owasp.benchmark.helpers.Utils.commonHeaders.contains(name)) { + continue; // If standard header, move on to next one + } + + java.util.Enumeration values = request.getHeaders(name); + if (values != null && values.hasMoreElements()) { + param = name; // Grabs the name of the first non-standard header as the parameter + // value + break; + } + } + // Note: We don't URL decode header names because people don't normally do that + + try { + int randNumber = java.security.SecureRandom.getInstance("SHA1PRNG").nextInt(99); + String rememberMeKey = Integer.toString(randNumber); + + String user = "SafeInga"; + String fullClassName = this.getClass().getName(); + String testCaseNumber = + 
fullClassName.substring( + fullClassName.lastIndexOf('.') + 1 + "BenchmarkTest".length()); + user += testCaseNumber; + + String cookieName = "rememberMe" + testCaseNumber; + + boolean foundUser = false; + javax.servlet.http.Cookie[] cookies = request.getCookies(); + if (cookies != null) { + for (int i = 0; !foundUser && i < cookies.length; i++) { + javax.servlet.http.Cookie cookie = cookies[i]; + if (cookieName.equals(cookie.getName())) { + if (cookie.getValue() + .equals(request.getSession().getAttribute(cookieName))) { + foundUser = true; + } + } + } + } + + if (foundUser) { + response.getWriter().println("Welcome back: " + user + "
"); + } else { + javax.servlet.http.Cookie rememberMe = + new javax.servlet.http.Cookie(cookieName, rememberMeKey); + rememberMe.setSecure(true); + rememberMe.setHttpOnly(true); + rememberMe.setPath(request.getRequestURI()); // i.e., set path to JUST this servlet + // e.g., /benchmark/sql-01/BenchmarkTest01001 + request.getSession().setAttribute(cookieName, rememberMeKey); + response.addCookie(rememberMe); + response.getWriter() + .println( + user + + " has been remembered with cookie: " + + rememberMe.getName() + + " whose value is: " + + rememberMe.getValue() + + "
"); + } + } catch (java.security.NoSuchAlgorithmException e) { + System.out.println("Problem executing SecureRandom.nextInt(int) - TestCase"); + throw new ServletException(e); + } + response.getWriter() + .println("Weak Randomness Test java.security.SecureRandom.nextInt(int) executed"); + } +} diff --git a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00011.java b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00011.java new file mode 100644 index 0000000..cfda6fb --- /dev/null +++ b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00011.java @@ -0,0 +1,70 @@ +/** + * OWASP Benchmark v1.2 + * + *

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project. For + * details, please see https://owasp.org/www-project-benchmark/. + * + *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms + * of the GNU General Public License as published by the Free Software Foundation, version 2. + * + *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY + * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details. + * + * @author Dave Wichers + * @created 2015 + */ +package org.owasp.benchmark.testcode; + +import java.io.IOException; +import javax.servlet.ServletException; +import javax.servlet.annotation.WebServlet; +import javax.servlet.http.HttpServlet; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +@WebServlet(value = "/pathtraver-00/BenchmarkTest00011") +public class BenchmarkTest00011 extends HttpServlet { + + private static final long serialVersionUID = 1L; + + @Override + public void doGet(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + doPost(request, response); + } + + @Override + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // some code + response.setContentType("text/html;charset=UTF-8"); + + String param = ""; + java.util.Enumeration headers = request.getHeaders("BenchmarkTest00011"); + + if (headers != null && headers.hasMoreElements()) { + param = headers.nextElement(); // just grab first element + } + + // URL Decode the header value since req.getHeaders() doesn't. Unlike req.getParameters(). + param = java.net.URLDecoder.decode(param, "UTF-8"); + + java.io.File fileTarget = new java.io.File(param, "/Test.txt"); + response.getWriter() + .println( + "Access to file: '" + + org.owasp + .esapi + .ESAPI + .encoder() + .encodeForHTML(fileTarget.toString()) + + "' created."); + if (fileTarget.exists()) { + response.getWriter().println(" And file already exists."); + } else { + response.getWriter().println(" But file doesn't exist yet."); + } + } +} 
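Review bot: `new java.io.File(param, "/Test.txt")` uses the decoded `BenchmarkTest00011` header as the parent directory and the response then reports whether that path exists, so the servlet answers existence queries for arbitrary server paths; nothing in the file says this is the intended path-traversal sink. Replace the `// some code` placeholder with a comment naming the sink, e.g. `// Intentional CWE-22 sink: header value is used unvalidated as a filesystem parent path`, so the existence message is read as part of the test rather than as an oversight. A production servlet would resolve the value against a fixed base directory and check `normalize().startsWith(base)` before calling `exists()`.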
diff --git a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00012.java b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00012.java new file mode 100644 index 0000000..5be39e8 --- /dev/null +++ b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00012.java @@ -0,0 +1,106 @@ +/** + * OWASP Benchmark v1.2 + * + *

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project. For + * details, please see https://owasp.org/www-project-benchmark/. + * + *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms + * of the GNU General Public License as published by the Free Software Foundation, version 2. + * + *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY + * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details. + * + * @author Dave Wichers + * @created 2015 + */ +package org.owasp.benchmark.testcode; + +import java.io.IOException; +import javax.servlet.ServletException; +import javax.servlet.annotation.WebServlet; +import javax.servlet.http.HttpServlet; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +@WebServlet(value = "/ldapi-00/BenchmarkTest00012") +public class BenchmarkTest00012 extends HttpServlet { + + private static final long serialVersionUID = 1L; + + @Override + public void doGet(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + doPost(request, response); + } + + @Override + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // some code + response.setContentType("text/html;charset=UTF-8"); + + String param = ""; + java.util.Enumeration headers = request.getHeaders("BenchmarkTest00012"); + + if (headers != null && headers.hasMoreElements()) { + param = headers.nextElement(); // just grab first element + } + + // URL Decode the header value since req.getHeaders() doesn't. Unlike req.getParameters(). 
+ param = java.net.URLDecoder.decode(param, "UTF-8"); + + org.owasp.benchmark.helpers.LDAPManager ads = new org.owasp.benchmark.helpers.LDAPManager(); + try { + response.setContentType("text/html;charset=UTF-8"); + String base = "ou=users,ou=system"; + javax.naming.directory.SearchControls sc = new javax.naming.directory.SearchControls(); + sc.setSearchScope(javax.naming.directory.SearchControls.SUBTREE_SCOPE); + String filter = "(&(objectclass=person))(|(uid=" + param + ")(street={0}))"; + Object[] filters = new Object[] {"The streetz 4 Ms bar"}; + + javax.naming.directory.DirContext ctx = ads.getDirContext(); + javax.naming.directory.InitialDirContext idc = + (javax.naming.directory.InitialDirContext) ctx; + boolean found = false; + javax.naming.NamingEnumeration results = + idc.search(base, filter, filters, sc); + while (results.hasMore()) { + javax.naming.directory.SearchResult sr = + (javax.naming.directory.SearchResult) results.next(); + javax.naming.directory.Attributes attrs = sr.getAttributes(); + + javax.naming.directory.Attribute attr = attrs.get("uid"); + javax.naming.directory.Attribute attr2 = attrs.get("street"); + if (attr != null) { + response.getWriter() + .println( + "LDAP query results:
" + + "Record found with name " + + attr.get() + + "
" + + "Address: " + + attr2.get() + + "
"); + // System.out.println("record found " + attr.get()); + found = true; + } + } + if (!found) { + response.getWriter() + .println( + "LDAP query results: nothing found for query: " + + org.owasp.esapi.ESAPI.encoder().encodeForHTML(filter)); + } + } catch (javax.naming.NamingException e) { + throw new ServletException(e); + } finally { + try { + ads.closeDirContext(); + } catch (Exception e) { + throw new ServletException(e); + } + } + } +} diff --git a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00013.java b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00013.java new file mode 100644 index 0000000..0073b0e --- /dev/null +++ b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00013.java @@ -0,0 +1,58 @@ +/** + * OWASP Benchmark v1.2 + * + *

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project. For + * details, please see https://owasp.org/www-project-benchmark/. + * + *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms + * of the GNU General Public License as published by the Free Software Foundation, version 2. + * + *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY + * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details. + * + * @author Dave Wichers + * @created 2015 + */ +package org.owasp.benchmark.testcode; + +import java.io.IOException; +import javax.servlet.ServletException; +import javax.servlet.annotation.WebServlet; +import javax.servlet.http.HttpServlet; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +@WebServlet(value = "/xss-00/BenchmarkTest00013") +public class BenchmarkTest00013 extends HttpServlet { + + private static final long serialVersionUID = 1L; + + @Override + public void doGet(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + doPost(request, response); + } + + @Override + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // some code + response.setContentType("text/html;charset=UTF-8"); + + String param = ""; + java.util.Enumeration headers = request.getHeaders("Referer"); + + if (headers != null && headers.hasMoreElements()) { + param = headers.nextElement(); // just grab first element + } + + // URL Decode the header value since req.getHeaders() doesn't. Unlike req.getParameters(). + param = java.net.URLDecoder.decode(param, "UTF-8"); + + response.setHeader("X-XSS-Protection", "0"); + Object[] obj = {"a", "b"}; + response.getWriter().format(java.util.Locale.US, param, obj); + } +} diff --git a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00014.java b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00014.java new file mode 100644 index 0000000..2038ab9 --- /dev/null +++ b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00014.java @@ -0,0 +1,58 @@ +/** + * OWASP Benchmark v1.2 + * + *
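Review bot: `response.getWriter().format(java.util.Locale.US, param, obj)` uses the decoded `Referer` header as the format string, so besides the reflected output this test case targets, any malformed or argument-hungry specifier in the header raises an unchecked `java.util.IllegalFormatException` that escapes `doPost` and surfaces as a container error page; BenchmarkTest00014 has the same construction without the explicit locale. If the format-string sink is the intended one, mark it with a comment in place of `// some code`, e.g. `// Intentional sink: the Referer value is used as the java.util.Formatter pattern`, and catch `java.util.IllegalFormatException` around the call to return a fixed message rather than propagating it.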

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project. For + * details, please see https://owasp.org/www-project-benchmark/. + * + *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms + * of the GNU General Public License as published by the Free Software Foundation, version 2. + * + *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY + * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details. + * + * @author Dave Wichers + * @created 2015 + */ +package org.owasp.benchmark.testcode; + +import java.io.IOException; +import javax.servlet.ServletException; +import javax.servlet.annotation.WebServlet; +import javax.servlet.http.HttpServlet; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +@WebServlet(value = "/xss-00/BenchmarkTest00014") +public class BenchmarkTest00014 extends HttpServlet { + + private static final long serialVersionUID = 1L; + + @Override + public void doGet(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + doPost(request, response); + } + + @Override + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // some code + response.setContentType("text/html;charset=UTF-8"); + + String param = ""; + java.util.Enumeration headers = request.getHeaders("Referer"); + + if (headers != null && headers.hasMoreElements()) { + param = headers.nextElement(); // just grab first element + } + + // URL Decode the header value since req.getHeaders() doesn't. Unlike req.getParameters(). + param = java.net.URLDecoder.decode(param, "UTF-8"); + + response.setHeader("X-XSS-Protection", "0"); + Object[] obj = {"a", "b"}; + response.getWriter().format(param, obj); + } +} diff --git a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00015.java b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00015.java new file mode 100644 index 0000000..4f4f57f --- /dev/null +++ b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00015.java @@ -0,0 +1,79 @@ +/** + * OWASP Benchmark v1.2 + * + *

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project. For + * details, please see https://owasp.org/www-project-benchmark/. + * + *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms + * of the GNU General Public License as published by the Free Software Foundation, version 2. + * + *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY + * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details. + * + * @author Dave Wichers + * @created 2015 + */ +package org.owasp.benchmark.testcode; + +import java.io.IOException; +import javax.servlet.ServletException; +import javax.servlet.annotation.WebServlet; +import javax.servlet.http.HttpServlet; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +@WebServlet(value = "/cmdi-00/BenchmarkTest00015") +public class BenchmarkTest00015 extends HttpServlet { + + private static final long serialVersionUID = 1L; + + @Override + public void doGet(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + doPost(request, response); + } + + @Override + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // some code + response.setContentType("text/html;charset=UTF-8"); + + String param = ""; + java.util.Enumeration headers = request.getHeaders("BenchmarkTest00015"); + + if (headers != null && headers.hasMoreElements()) { + param = headers.nextElement(); // just grab first element + } + + // URL Decode the header value since req.getHeaders() doesn't. Unlike req.getParameters(). 
+ param = java.net.URLDecoder.decode(param, "UTF-8"); + + java.util.List argList = new java.util.ArrayList(); + + String osName = System.getProperty("os.name"); + if (osName.indexOf("Windows") != -1) { + argList.add("cmd.exe"); + argList.add("/c"); + } else { + argList.add("sh"); + argList.add("-c"); + } + argList.add("echo " + param); + + ProcessBuilder pb = new ProcessBuilder(); + + pb.command(argList); + + try { + Process p = pb.start(); + org.owasp.benchmark.helpers.Utils.printOSCommandResults(p, response); + } catch (IOException e) { + System.out.println( + "Problem executing cmdi - java.lang.ProcessBuilder(java.util.List) Test Case"); + throw new ServletException(e); + } + } +} diff --git a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00016.java b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00016.java new file mode 100644 index 0000000..cfa38de --- /dev/null +++ b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00016.java @@ -0,0 +1,83 @@ +/** + * OWASP Benchmark v1.2 + * + *

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project. For + * details, please see https://owasp.org/www-project-benchmark/. + * + *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms + * of the GNU General Public License as published by the Free Software Foundation, version 2. + * + *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY + * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details. + * + * @author Dave Wichers + * @created 2015 + */ +package org.owasp.benchmark.testcode; + +import java.io.IOException; +import javax.servlet.ServletException; +import javax.servlet.annotation.WebServlet; +import javax.servlet.http.HttpServlet; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +@WebServlet(value = "/securecookie-00/BenchmarkTest00016") +public class BenchmarkTest00016 extends HttpServlet { + + private static final long serialVersionUID = 1L; + + @Override + public void doGet(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + doPost(request, response); + } + + @Override + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // some code + response.setContentType("text/html;charset=UTF-8"); + + String param = ""; + java.util.Enumeration headers = request.getHeaders("BenchmarkTest00016"); + + if (headers != null && headers.hasMoreElements()) { + param = headers.nextElement(); // just grab first element + } + + // URL Decode the header value since req.getHeaders() doesn't. Unlike req.getParameters(). + param = java.net.URLDecoder.decode(param, "UTF-8"); + + byte[] input = new byte[1000]; + String str = "?"; + Object inputParam = param; + if (inputParam instanceof String) str = ((String) inputParam); + if (inputParam instanceof java.io.InputStream) { + int i = ((java.io.InputStream) inputParam).read(input); + if (i == -1) { + response.getWriter() + .println( + "This input source requires a POST, not a GET. 
Incompatible UI for the InputStream source."); + return; + } + str = new String(input, 0, i); + } + if ("".equals(str)) str = "No cookie value supplied"; + javax.servlet.http.Cookie cookie = new javax.servlet.http.Cookie("SomeCookie", str); + + cookie.setSecure(true); + cookie.setHttpOnly(true); + cookie.setPath(request.getRequestURI()); // i.e., set path to JUST this servlet + // e.g., /benchmark/sql-01/BenchmarkTest01001 + response.addCookie(cookie); + + response.getWriter() + .println( + "Created cookie: 'SomeCookie': with value: '" + + org.owasp.esapi.ESAPI.encoder().encodeForHTML(str) + + "' and secure flag set to: true"); + } +} diff --git a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00017.java b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00017.java new file mode 100644 index 0000000..b022e91 --- /dev/null +++ b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00017.java @@ -0,0 +1,72 @@ +/** + * OWASP Benchmark v1.2 + * + *
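Review bot: The URL-decoded header value goes into `new javax.servlet.http.Cookie("SomeCookie", str)` unvalidated; `Cookie` checks only the name, so `;`, `,`, whitespace or control characters from the header reach the Set-Cookie header and are handled container-specifically (rejected with an IllegalArgumentException in some, emitted as-is in others). Since the category under test is the Secure/HttpOnly flags, a comment stating that scope, `// value validation is out of scope for the securecookie category`, keeps a reader from treating the value handling as the bug under test. Separately, `new String(input, 0, i)` in the InputStream branch decodes with the platform default charset while the response is declared UTF-8; `new String(input, 0, i, java.nio.charset.StandardCharsets.UTF_8)` pins it (the branch is unreachable here, since `inputParam` is always the String `param`). The same unpinned `getBytes()` / `new String(input)` pair appears in BenchmarkTest00019, 00020 and 00022.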

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project. For + * details, please see https://owasp.org/www-project-benchmark/. + * + *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms + * of the GNU General Public License as published by the Free Software Foundation, version 2. + * + *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY + * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details. + * + * @author Dave Wichers + * @created 2015 + */ +package org.owasp.benchmark.testcode; + +import java.io.IOException; +import javax.servlet.ServletException; +import javax.servlet.annotation.WebServlet; +import javax.servlet.http.HttpServlet; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +@WebServlet(value = "/cmdi-00/BenchmarkTest00017") +public class BenchmarkTest00017 extends HttpServlet { + + private static final long serialVersionUID = 1L; + + @Override + public void doGet(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + doPost(request, response); + } + + @Override + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // some code + response.setContentType("text/html;charset=UTF-8"); + + String param = ""; + java.util.Enumeration headers = request.getHeaders("BenchmarkTest00017"); + + if (headers != null && headers.hasMoreElements()) { + param = headers.nextElement(); // just grab first element + } + + // URL Decode the header value since req.getHeaders() doesn't. Unlike req.getParameters(). 
+ param = java.net.URLDecoder.decode(param, "UTF-8"); + + String cmd = ""; + String osName = System.getProperty("os.name"); + if (osName.indexOf("Windows") != -1) { + cmd = org.owasp.benchmark.helpers.Utils.getOSCommandString("echo"); + } + + Runtime r = Runtime.getRuntime(); + + try { + Process p = r.exec(cmd + param); + org.owasp.benchmark.helpers.Utils.printOSCommandResults(p, response); + } catch (IOException e) { + System.out.println("Problem executing cmdi - TestCase"); + response.getWriter() + .println(org.owasp.esapi.ESAPI.encoder().encodeForHTML(e.getMessage())); + return; + } + } +} diff --git a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00018.java b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00018.java new file mode 100644 index 0000000..df9dae2 --- /dev/null +++ b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00018.java @@ -0,0 +1,68 @@ +/** + * OWASP Benchmark v1.2 + * + *
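Review bot: On a non-Windows host `cmd` stays `""`, so `r.exec(cmd + param)` becomes `Runtime.exec("")` whenever the header is absent or empty, and `Runtime.exec(String)` throws `IllegalArgumentException("Empty command")` rather than the IOException the catch handles, so the request ends in a 500 instead of the error message. Widening the catch, `} catch (IOException | IllegalArgumentException e) {`, keeps the existing error path for that case. The raw header value becoming the executed command on non-Windows is the cmdi case this test exists for and is left as is.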

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project. For + * details, please see https://owasp.org/www-project-benchmark/. + * + *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms + * of the GNU General Public License as published by the Free Software Foundation, version 2. + * + *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY + * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details. + * + * @author Dave Wichers + * @created 2015 + */ +package org.owasp.benchmark.testcode; + +import java.io.IOException; +import javax.servlet.ServletException; +import javax.servlet.annotation.WebServlet; +import javax.servlet.http.HttpServlet; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +@WebServlet(value = "/sqli-00/BenchmarkTest00018") +public class BenchmarkTest00018 extends HttpServlet { + + private static final long serialVersionUID = 1L; + + @Override + public void doGet(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + doPost(request, response); + } + + @Override + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // some code + response.setContentType("text/html;charset=UTF-8"); + + String param = ""; + java.util.Enumeration headers = request.getHeaders("BenchmarkTest00018"); + + if (headers != null && headers.hasMoreElements()) { + param = headers.nextElement(); // just grab first element + } + + // URL Decode the header value since req.getHeaders() doesn't. Unlike req.getParameters(). 
+ param = java.net.URLDecoder.decode(param, "UTF-8"); + + String sql = "INSERT INTO users (username, password) VALUES ('foo','" + param + "')"; + + try { + java.sql.Statement statement = + org.owasp.benchmark.helpers.DatabaseHelper.getSqlStatement(); + int count = statement.executeUpdate(sql); + org.owasp.benchmark.helpers.DatabaseHelper.outputUpdateComplete(sql, response); + } catch (java.sql.SQLException e) { + if (org.owasp.benchmark.helpers.DatabaseHelper.hideSQLErrors) { + response.getWriter().println("Error processing request."); + return; + } else throw new ServletException(e); + } + } +} diff --git a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00019.java b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00019.java new file mode 100644 index 0000000..f3fddb7 --- /dev/null +++ b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00019.java @@ -0,0 +1,107 @@ +/** + * OWASP Benchmark v1.2 + * + *
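Review bot: `int count = statement.executeUpdate(sql);` is never read, and the Statement returned by `DatabaseHelper.getSqlStatement()` is never closed in this method. If the helper hands out a new Statement per call (not visible here) that is one leaked cursor per request; `try (java.sql.Statement statement = org.owasp.benchmark.helpers.DatabaseHelper.getSqlStatement()) {` around the two JDBC calls closes it on every path, and dropping `count` (or passing it to the output helper) removes the dead local. BenchmarkTest00024 has the same unclosed Connection/PreparedStatement pair. The concatenated `param` in the INSERT is the sqli case under test and stays.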

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project. For + * details, please see https://owasp.org/www-project-benchmark/. + * + *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms + * of the GNU General Public License as published by the Free Software Foundation, version 2. + * + *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY + * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details. + * + * @author Dave Wichers + * @created 2015 + */ +package org.owasp.benchmark.testcode; + +import java.io.IOException; +import javax.servlet.ServletException; +import javax.servlet.annotation.WebServlet; +import javax.servlet.http.HttpServlet; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +@WebServlet(value = "/crypto-00/BenchmarkTest00019") +public class BenchmarkTest00019 extends HttpServlet { + + private static final long serialVersionUID = 1L; + + @Override + public void doGet(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + doPost(request, response); + } + + @Override + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // some code + response.setContentType("text/html;charset=UTF-8"); + + java.io.InputStream param = request.getInputStream(); + + try { + java.util.Properties benchmarkprops = new java.util.Properties(); + benchmarkprops.load( + this.getClass().getClassLoader().getResourceAsStream("benchmark.properties")); + String algorithm = benchmarkprops.getProperty("cryptoAlg1", "DESede/ECB/PKCS5Padding"); + javax.crypto.Cipher c = javax.crypto.Cipher.getInstance(algorithm); + + // Prepare the cipher to encrypt + javax.crypto.SecretKey key = javax.crypto.KeyGenerator.getInstance("DES").generateKey(); + c.init(javax.crypto.Cipher.ENCRYPT_MODE, key); + + // encrypt and store the results + byte[] input = {(byte) '?'}; + Object inputParam = param; + if (inputParam instanceof String) input = ((String) inputParam).getBytes(); + if (inputParam instanceof java.io.InputStream) { + byte[] strInput = new byte[1000]; + int i = ((java.io.InputStream) 
inputParam).read(strInput); + if (i == -1) { + response.getWriter() + .println( + "This input source requires a POST, not a GET. Incompatible UI for the InputStream source."); + return; + } + input = java.util.Arrays.copyOf(strInput, i); + } + byte[] result = c.doFinal(input); + + java.io.File fileTarget = + new java.io.File( + new java.io.File(org.owasp.benchmark.helpers.Utils.TESTFILES_DIR), + "passwordFile.txt"); + java.io.FileWriter fw = + new java.io.FileWriter(fileTarget, true); // the true will append the new data + fw.write( + "secret_value=" + + org.owasp.esapi.ESAPI.encoder().encodeForBase64(result, true) + + "\n"); + fw.close(); + response.getWriter() + .println( + "Sensitive value: '" + + org.owasp + .esapi + .ESAPI + .encoder() + .encodeForHTML(new String(input)) + + "' encrypted and stored
"); + + } catch (java.security.NoSuchAlgorithmException + | javax.crypto.NoSuchPaddingException + | javax.crypto.IllegalBlockSizeException + | javax.crypto.BadPaddingException + | java.security.InvalidKeyException e) { + response.getWriter() + .println( + "Problem executing crypto - javax.crypto.Cipher.getInstance(java.lang.String,java.security.Provider) Test Case"); + e.printStackTrace(response.getWriter()); + throw new ServletException(e); + } + } +} diff --git a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00020.java b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00020.java new file mode 100644 index 0000000..33266ef --- /dev/null +++ b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00020.java @@ -0,0 +1,151 @@ +/** + * OWASP Benchmark v1.2 + * + *

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project. For + * details, please see https://owasp.org/www-project-benchmark/. + * + *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms + * of the GNU General Public License as published by the Free Software Foundation, version 2. + * + *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY + * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details. + * + * @author Dave Wichers + * @created 2015 + */ +package org.owasp.benchmark.testcode; + +import java.io.IOException; +import javax.servlet.ServletException; +import javax.servlet.annotation.WebServlet; +import javax.servlet.http.HttpServlet; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +@WebServlet(value = "/crypto-00/BenchmarkTest00020") +public class BenchmarkTest00020 extends HttpServlet { + + private static final long serialVersionUID = 1L; + + @Override + public void doGet(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + doPost(request, response); + } + + @Override + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // some code + response.setContentType("text/html;charset=UTF-8"); + + String param = request.getParameter("BenchmarkTest00020"); + if (param == null) param = ""; + + // Code based on example from: + // http://examples.javacodegeeks.com/core-java/crypto/encrypt-decrypt-file-stream-with-des/ + // 8-byte initialization vector + // byte[] iv = { + // (byte)0xB2, (byte)0x12, (byte)0xD5, (byte)0xB2, + // (byte)0x44, (byte)0x21, (byte)0xC3, (byte)0xC3033 + // }; + java.security.SecureRandom random = new java.security.SecureRandom(); + byte[] iv = random.generateSeed(8); // DES requires 8 byte keys + + try { + javax.crypto.Cipher c = + javax.crypto.Cipher.getInstance("DES/CBC/PKCS5Padding", "SunJCE"); + // Prepare the cipher to encrypt + javax.crypto.SecretKey key = javax.crypto.KeyGenerator.getInstance("DES").generateKey(); + java.security.spec.AlgorithmParameterSpec paramSpec = + new javax.crypto.spec.IvParameterSpec(iv); + 
c.init(javax.crypto.Cipher.ENCRYPT_MODE, key, paramSpec); + + // encrypt and store the results + byte[] input = {(byte) '?'}; + Object inputParam = param; + if (inputParam instanceof String) input = ((String) inputParam).getBytes(); + if (inputParam instanceof java.io.InputStream) { + byte[] strInput = new byte[1000]; + int i = ((java.io.InputStream) inputParam).read(strInput); + if (i == -1) { + response.getWriter() + .println( + "This input source requires a POST, not a GET. Incompatible UI for the InputStream source."); + return; + } + input = java.util.Arrays.copyOf(strInput, i); + } + byte[] result = c.doFinal(input); + + java.io.File fileTarget = + new java.io.File( + new java.io.File(org.owasp.benchmark.helpers.Utils.TESTFILES_DIR), + "passwordFile.txt"); + java.io.FileWriter fw = + new java.io.FileWriter(fileTarget, true); // the true will append the new data + fw.write( + "secret_value=" + + org.owasp.esapi.ESAPI.encoder().encodeForBase64(result, true) + + "\n"); + fw.close(); + response.getWriter() + .println( + "Sensitive value: '" + + org.owasp + .esapi + .ESAPI + .encoder() + .encodeForHTML(new String(input)) + + "' encrypted and stored
"); + + } catch (java.security.NoSuchAlgorithmException e) { + response.getWriter() + .println( + "Problem executing crypto - javax.crypto.Cipher.getInstance(java.lang.String,java.security.Provider) Test Case"); + e.printStackTrace(response.getWriter()); + throw new ServletException(e); + } catch (java.security.NoSuchProviderException e) { + response.getWriter() + .println( + "Problem executing crypto - javax.crypto.Cipher.getInstance(java.lang.String,java.security.Provider) Test Case"); + e.printStackTrace(response.getWriter()); + throw new ServletException(e); + } catch (javax.crypto.NoSuchPaddingException e) { + response.getWriter() + .println( + "Problem executing crypto - javax.crypto.Cipher.getInstance(java.lang.String,java.security.Provider) Test Case"); + e.printStackTrace(response.getWriter()); + throw new ServletException(e); + } catch (javax.crypto.IllegalBlockSizeException e) { + response.getWriter() + .println( + "Problem executing crypto - javax.crypto.Cipher.getInstance(java.lang.String,java.security.Provider) Test Case"); + e.printStackTrace(response.getWriter()); + throw new ServletException(e); + } catch (javax.crypto.BadPaddingException e) { + response.getWriter() + .println( + "Problem executing crypto - javax.crypto.Cipher.getInstance(java.lang.String,java.security.Provider) Test Case"); + e.printStackTrace(response.getWriter()); + throw new ServletException(e); + } catch (java.security.InvalidKeyException e) { + response.getWriter() + .println( + "Problem executing crypto - javax.crypto.Cipher.getInstance(java.lang.String,java.security.Provider) Test Case"); + e.printStackTrace(response.getWriter()); + throw new ServletException(e); + } catch (java.security.InvalidAlgorithmParameterException e) { + response.getWriter() + .println( + "Problem executing crypto - javax.crypto.Cipher.getInstance(java.lang.String,java.security.Provider) Test Case"); + e.printStackTrace(response.getWriter()); + throw new ServletException(e); + } + 
response.getWriter() + .println( + "Crypto Test javax.crypto.Cipher.getInstance(java.lang.String,java.lang.String) executed"); + } +} diff --git a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00021.java b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00021.java new file mode 100644 index 0000000..0b469a3 --- /dev/null +++ b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00021.java @@ -0,0 +1,97 @@ +/** + * OWASP Benchmark v1.2 + * + *
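Review bot: `random.generateSeed(8)` is used as the CBC IV, but `generateSeed` draws from the seed source (which can block on entropy-starved hosts) and the comment `// DES requires 8 byte keys` describes a key, not an IV. `byte[] iv = new byte[8]; random.nextBytes(iv); // 8-byte IV for DES/CBC` is the idiomatic form and keeps the comment accurate. The seven catch blocks are byte-identical apart from the exception type; a single multi-catch as in BenchmarkTest00019, extended with `java.security.NoSuchProviderException` and `java.security.InvalidAlgorithmParameterException`, expresses the same handling once. DES and the hard-coded `"SunJCE"` provider are the weak-crypto subject of this test and stay.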

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project. For + * details, please see https://owasp.org/www-project-benchmark/. + * + *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms + * of the GNU General Public License as published by the Free Software Foundation, version 2. + * + *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY + * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details. + * + * @author Dave Wichers + * @created 2015 + */ +package org.owasp.benchmark.testcode; + +import java.io.IOException; +import javax.servlet.ServletException; +import javax.servlet.annotation.WebServlet; +import javax.servlet.http.HttpServlet; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +@WebServlet(value = "/ldapi-00/BenchmarkTest00021") +public class BenchmarkTest00021 extends HttpServlet { + + private static final long serialVersionUID = 1L; + + @Override + public void doGet(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + doPost(request, response); + } + + @Override + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // some code + response.setContentType("text/html;charset=UTF-8"); + + String param = request.getParameter("BenchmarkTest00021"); + if (param == null) param = ""; + + org.owasp.benchmark.helpers.LDAPManager ads = new org.owasp.benchmark.helpers.LDAPManager(); + try { + response.setContentType("text/html;charset=UTF-8"); + javax.naming.directory.DirContext ctx = ads.getDirContext(); + String base = "ou=users,ou=system"; + javax.naming.directory.SearchControls sc = new javax.naming.directory.SearchControls(); + sc.setSearchScope(javax.naming.directory.SearchControls.SUBTREE_SCOPE); + String filter = "(&(objectclass=person))(|(uid=" + param + ")(street={0}))"; + Object[] filters = new Object[] {"The streetz 4 Ms bar"}; + // System.out.println("Filter " + filter); + boolean found = false; + javax.naming.NamingEnumeration results = + ctx.search(base, filter, filters, sc); + while (results.hasMore()) { + 
javax.naming.directory.SearchResult sr = + (javax.naming.directory.SearchResult) results.next(); + javax.naming.directory.Attributes attrs = sr.getAttributes(); + + javax.naming.directory.Attribute attr = attrs.get("uid"); + javax.naming.directory.Attribute attr2 = attrs.get("street"); + if (attr != null) { + response.getWriter() + .println( + "LDAP query results:
" + + "Record found with name " + + attr.get() + + "
" + + "Address: " + + attr2.get() + + "
"); + // System.out.println("record found " + attr.get()); + found = true; + } + } + if (!found) { + response.getWriter() + .println( + "LDAP query results: nothing found for query: " + + org.owasp.esapi.ESAPI.encoder().encodeForHTML(filter)); + } + } catch (javax.naming.NamingException e) { + throw new ServletException(e); + } finally { + try { + ads.closeDirContext(); + } catch (Exception e) { + throw new ServletException(e); + } + } + } +} diff --git a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00022.java b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00022.java new file mode 100644 index 0000000..b9c8ae6 --- /dev/null +++ b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00022.java @@ -0,0 +1,96 @@ +/** + * OWASP Benchmark v1.2 + * + *

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project. For + * details, please see https://owasp.org/www-project-benchmark/. + * + *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms + * of the GNU General Public License as published by the Free Software Foundation, version 2. + * + *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY + * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details. + * + * @author Dave Wichers + * @created 2015 + */ +package org.owasp.benchmark.testcode; + +import java.io.IOException; +import javax.servlet.ServletException; +import javax.servlet.annotation.WebServlet; +import javax.servlet.http.HttpServlet; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +@WebServlet(value = "/hash-00/BenchmarkTest00022") +public class BenchmarkTest00022 extends HttpServlet { + + private static final long serialVersionUID = 1L; + + @Override + public void doGet(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + doPost(request, response); + } + + @Override + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // some code + response.setContentType("text/html;charset=UTF-8"); + + String param = request.getParameter("BenchmarkTest00022"); + if (param == null) param = ""; + + try { + java.security.MessageDigest md = java.security.MessageDigest.getInstance("SHA-256"); + byte[] input = {(byte) '?'}; + Object inputParam = param; + if (inputParam instanceof String) input = ((String) inputParam).getBytes(); + if (inputParam instanceof java.io.InputStream) { + byte[] strInput = new byte[1000]; + int i = ((java.io.InputStream) inputParam).read(strInput); + if (i == -1) { + response.getWriter() + .println( + "This input source requires a POST, not a GET. 
Incompatible UI for the InputStream source."); + return; + } + input = java.util.Arrays.copyOf(strInput, i); + } + md.update(input); + + byte[] result = md.digest(); + java.io.File fileTarget = + new java.io.File( + new java.io.File(org.owasp.benchmark.helpers.Utils.TESTFILES_DIR), + "passwordFile.txt"); + java.io.FileWriter fw = + new java.io.FileWriter(fileTarget, true); // the true will append the new data + fw.write( + "hash_value=" + + org.owasp.esapi.ESAPI.encoder().encodeForBase64(result, true) + + "\n"); + fw.close(); + response.getWriter() + .println( + "Sensitive value '" + + org.owasp + .esapi + .ESAPI + .encoder() + .encodeForHTML(new String(input)) + + "' hashed and stored
"); + + } catch (java.security.NoSuchAlgorithmException e) { + System.out.println("Problem executing hash - TestCase"); + throw new ServletException(e); + } + + response.getWriter() + .println( + "Hash Test java.security.MessageDigest.getInstance(java.lang.String) executed"); + } +} diff --git a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00023.java b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00023.java new file mode 100644 index 0000000..a26bb3e --- /dev/null +++ b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00023.java @@ -0,0 +1,96 @@ +/** + * OWASP Benchmark v1.2 + * + *

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project. For + * details, please see https://owasp.org/www-project-benchmark/. + * + *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms + * of the GNU General Public License as published by the Free Software Foundation, version 2. + * + *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY + * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details. + * + * @author Dave Wichers + * @created 2015 + */ +package org.owasp.benchmark.testcode; + +import java.io.IOException; +import javax.servlet.ServletException; +import javax.servlet.annotation.WebServlet; +import javax.servlet.http.HttpServlet; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +@WebServlet(value = "/weakrand-00/BenchmarkTest00023") +public class BenchmarkTest00023 extends HttpServlet { + + private static final long serialVersionUID = 1L; + + @Override + public void doGet(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + doPost(request, response); + } + + @Override + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // some code + response.setContentType("text/html;charset=UTF-8"); + + String param = request.getParameter("BenchmarkTest00023"); + if (param == null) param = ""; + + float rand = new java.util.Random().nextFloat(); + String rememberMeKey = Float.toString(rand).substring(2); // Trim off the 0. at the front. 
+ + String user = "Floyd"; + String fullClassName = this.getClass().getName(); + String testCaseNumber = + fullClassName.substring( + fullClassName.lastIndexOf('.') + 1 + "BenchmarkTest".length()); + user += testCaseNumber; + + String cookieName = "rememberMe" + testCaseNumber; + + boolean foundUser = false; + javax.servlet.http.Cookie[] cookies = request.getCookies(); + if (cookies != null) { + for (int i = 0; !foundUser && i < cookies.length; i++) { + javax.servlet.http.Cookie cookie = cookies[i]; + if (cookieName.equals(cookie.getName())) { + if (cookie.getValue().equals(request.getSession().getAttribute(cookieName))) { + foundUser = true; + } + } + } + } + + if (foundUser) { + response.getWriter().println("Welcome back: " + user + "
"); + } else { + javax.servlet.http.Cookie rememberMe = + new javax.servlet.http.Cookie(cookieName, rememberMeKey); + rememberMe.setSecure(true); + rememberMe.setHttpOnly(true); + rememberMe.setDomain(new java.net.URL(request.getRequestURL().toString()).getHost()); + rememberMe.setPath(request.getRequestURI()); // i.e., set path to JUST this servlet + // e.g., /benchmark/sql-01/BenchmarkTest01001 + request.getSession().setAttribute(cookieName, rememberMeKey); + response.addCookie(rememberMe); + response.getWriter() + .println( + user + + " has been remembered with cookie: " + + rememberMe.getName() + + " whose value is: " + + rememberMe.getValue() + + "
"); + } + + response.getWriter().println("Weak Randomness Test java.util.Random.nextFloat() executed"); + } +} diff --git a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00024.java b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00024.java new file mode 100644 index 0000000..a43678b --- /dev/null +++ b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00024.java @@ -0,0 +1,68 @@ +/** + * OWASP Benchmark v1.2 + * + *

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project. For + * details, please see https://owasp.org/www-project-benchmark/. + * + *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms + * of the GNU General Public License as published by the Free Software Foundation, version 2. + * + *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY + * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details. + * + * @author Dave Wichers + * @created 2015 + */ +package org.owasp.benchmark.testcode; + +import java.io.IOException; +import javax.servlet.ServletException; +import javax.servlet.annotation.WebServlet; +import javax.servlet.http.HttpServlet; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +@WebServlet(value = "/sqli-00/BenchmarkTest00024") +public class BenchmarkTest00024 extends HttpServlet { + + private static final long serialVersionUID = 1L; + + @Override + public void doGet(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + doPost(request, response); + } + + @Override + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // some code + response.setContentType("text/html;charset=UTF-8"); + + String param = request.getParameter("BenchmarkTest00024"); + if (param == null) param = ""; + + String sql = "SELECT * from USERS where USERNAME=? and PASSWORD='" + param + "'"; + + try { + java.sql.Connection connection = + org.owasp.benchmark.helpers.DatabaseHelper.getSqlConnection(); + java.sql.PreparedStatement statement = + connection.prepareStatement( + sql, + java.sql.ResultSet.TYPE_FORWARD_ONLY, + java.sql.ResultSet.CONCUR_READ_ONLY, + java.sql.ResultSet.CLOSE_CURSORS_AT_COMMIT); + statement.setString(1, "foo"); + statement.execute(); + org.owasp.benchmark.helpers.DatabaseHelper.printResults(statement, sql, response); + } catch (java.sql.SQLException e) { + if (org.owasp.benchmark.helpers.DatabaseHelper.hideSQLErrors) { + response.getWriter().println("Error processing request."); + return; + } else throw new ServletException(e); + } + } +} 
diff --git a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00025.java b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00025.java new file mode 100644 index 0000000..051a1c7 --- /dev/null +++ b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00025.java @@ -0,0 +1,66 @@ +/** + * OWASP Benchmark v1.2 + * + *

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project. For + * details, please see https://owasp.org/www-project-benchmark/. + * + *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms + * of the GNU General Public License as published by the Free Software Foundation, version 2. + * + *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY + * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details. + * + * @author Dave Wichers + * @created 2015 + */ +package org.owasp.benchmark.testcode; + +import java.io.IOException; +import javax.servlet.ServletException; +import javax.servlet.annotation.WebServlet; +import javax.servlet.http.HttpServlet; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +@WebServlet(value = "/sqli-00/BenchmarkTest00025") +public class BenchmarkTest00025 extends HttpServlet { + + private static final long serialVersionUID = 1L; + + @Override + public void doGet(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + doPost(request, response); + } + + @Override + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // some code + response.setContentType("text/html;charset=UTF-8"); + + String param = request.getParameter("BenchmarkTest00025"); + if (param == null) param = ""; + + String sql = "SELECT userid from USERS where USERNAME='foo' and PASSWORD='" + param + "'"; + try { + // Long results = + // org.owasp.benchmark.helpers.DatabaseHelper.JDBCtemplate.queryForLong(sql); + Long results = + org.owasp.benchmark.helpers.DatabaseHelper.JDBCtemplate.queryForObject( + sql, Long.class); + response.getWriter().println("Your results are: " + String.valueOf(results)); + } catch (org.springframework.dao.EmptyResultDataAccessException e) { + response.getWriter() + .println( + "No results returned for query: " + + org.owasp.esapi.ESAPI.encoder().encodeForHTML(sql)); + } catch (org.springframework.dao.DataAccessException e) { + if (org.owasp.benchmark.helpers.DatabaseHelper.hideSQLErrors) { + response.getWriter().println("Error processing request."); + 
} else throw new ServletException(e); + } + } +}
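Review bot: The new `BenchmarkTest00025.doPost` builds `sql` by concatenating the raw request parameter into the `PASSWORD='...'` clause and passes it straight to `JDBCtemplate.queryForObject(sql, Long.class)`, which is a textbook SQL injection sink, yet nothing in the file says this is intentional; given the `org.owasp.benchmark.testcode` package it presumably is a deliberate true-positive test case, but a reader or an automated remediation tool has no way to tell and may "fix" it. I would put that on record above the query, e.g. `// Intentionally vulnerable (SQL injection, CWE-89): the request parameter is concatenated into the query on purpose so scanners can be scored against it — do not parameterize.` The same caveat applies to the `EmptyResultDataAccessException` branch, which echoes the attacker-influenced `sql` back in the response (HTML-encoded via ESAPI, so query disclosure rather than XSS). Separately, the commented-out `// Long results = ... queryForLong(sql);` pair above the live call is dead code and should be deleted rather than committed.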