From d4794f60906967d1c95ce6544d2b3a08ac988f18 Mon Sep 17 00:00:00 2001 From: Dave Wichers Date: Mon, 15 Apr 2024 13:04:18 -0500 Subject: [PATCH 1/4] Change 1 test case and add 5 more. --- .../testcode/BenchmarkTest00005.java | 2 +- .../testcode/BenchmarkTest00006.java | 77 +++++++++++ .../testcode/BenchmarkTest00007.java | 70 ++++++++++ .../testcode/BenchmarkTest00008.java | 68 ++++++++++ .../testcode/BenchmarkTest00009.java | 124 ++++++++++++++++++ .../testcode/BenchmarkTest00010.java | 116 ++++++++++++++++ 6 files changed, 456 insertions(+), 1 deletion(-) create mode 100644 src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00006.java create mode 100644 src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00007.java create mode 100644 src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00008.java create mode 100644 src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00009.java create mode 100644 src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00010.java diff --git a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00005.java b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00005.java index 1531169..64ea418 100644 --- a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00005.java +++ b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00005.java @@ -115,7 +115,7 @@ public void doPost(HttpServletRequest request, HttpServletResponse response) response.getWriter() .println( "Problem executing crypto - javax.crypto.Cipher.getInstance(java.lang.String,java.security.Provider) Test Case"); - e.printStackTrace(); + e.printStackTrace(response.getWriter()); throw new ServletException(e); } } diff --git a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00006.java b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00006.java new file mode 100644 index 0000000..2359c9b --- /dev/null +++ b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00006.java @@ -0,0 +1,77 @@ +/** + * OWASP Benchmark v1.2 + * + *

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project. For + * details, please see https://owasp.org/www-project-benchmark/. + * + *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms + * of the GNU General Public License as published by the Free Software Foundation, version 2. + * + *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY + * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details. + * + * @author Dave Wichers + * @created 2015 + */ +package org.owasp.benchmark.testcode; + +import java.io.IOException; +import javax.servlet.ServletException; +import javax.servlet.annotation.WebServlet; +import javax.servlet.http.HttpServlet; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +@WebServlet(value = "/cmdi-00/BenchmarkTest00006") +public class BenchmarkTest00006 extends HttpServlet { + + private static final long serialVersionUID = 1L; + + @Override + public void doGet(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + doPost(request, response); + } + + @Override + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // some code + response.setContentType("text/html;charset=UTF-8"); + + String param = ""; + if (request.getHeader("BenchmarkTest00006") != null) { + param = request.getHeader("BenchmarkTest00006"); + } + + // URL Decode the header value since req.getHeader() doesn't. Unlike req.getParameter(). 
+ param = java.net.URLDecoder.decode(param, "UTF-8"); + + java.util.List argList = new java.util.ArrayList(); + + String osName = System.getProperty("os.name"); + if (osName.indexOf("Windows") != -1) { + argList.add("cmd.exe"); + argList.add("/c"); + } else { + argList.add("sh"); + argList.add("-c"); + } + argList.add("echo " + param); + + ProcessBuilder pb = new ProcessBuilder(); + + pb.command(argList); + + try { + Process p = pb.start(); + org.owasp.benchmark.helpers.Utils.printOSCommandResults(p, response); + } catch (IOException e) { + System.out.println( + "Problem executing cmdi - java.lang.ProcessBuilder(java.util.List) Test Case"); + throw new ServletException(e); + } + } +} diff --git a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00007.java b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00007.java new file mode 100644 index 0000000..d1d180a --- /dev/null +++ b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00007.java @@ -0,0 +1,70 @@ +/** + * OWASP Benchmark v1.2 + * + *
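Review bot: `argList` is declared with raw types (`java.util.List argList = new java.util.ArrayList();`), which compiles with unchecked warnings and hides the element type from both readers and analysers; `java.util.List<String> argList = new java.util.ArrayList<>();` is behaviour-identical and matches what `pb.command(argList)` expects. `osName.indexOf("Windows") != -1` reads more directly as `osName.contains("Windows")`, and since `System.getProperty("os.name")` can in principle return null, a null-safe check there is worth a thought. The raw `java.util.Enumeration names` in BenchmarkTest00009 and BenchmarkTest00010 is the same raw-type pattern. The `catch (IOException e)` only reports via `System.out.println`, bypassing the container's logging before the `ServletException` is thrown.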

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project. For + * details, please see https://owasp.org/www-project-benchmark/. + * + *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms + * of the GNU General Public License as published by the Free Software Foundation, version 2. + * + *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY + * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details. + * + * @author Dave Wichers + * @created 2015 + */ +package org.owasp.benchmark.testcode; + +import java.io.IOException; +import javax.servlet.ServletException; +import javax.servlet.annotation.WebServlet; +import javax.servlet.http.HttpServlet; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +@WebServlet(value = "/cmdi-00/BenchmarkTest00007") +public class BenchmarkTest00007 extends HttpServlet { + + private static final long serialVersionUID = 1L; + + @Override + public void doGet(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + doPost(request, response); + } + + @Override + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // some code + response.setContentType("text/html;charset=UTF-8"); + + String param = ""; + if (request.getHeader("BenchmarkTest00007") != null) { + param = request.getHeader("BenchmarkTest00007"); + } + + // URL Decode the header value since req.getHeader() doesn't. Unlike req.getParameter(). + param = java.net.URLDecoder.decode(param, "UTF-8"); + + String cmd = + org.owasp.benchmark.helpers.Utils.getInsecureOSCommandString( + this.getClass().getClassLoader()); + String[] args = {cmd}; + String[] argsEnv = {param}; + + Runtime r = Runtime.getRuntime(); + + try { + Process p = r.exec(args, argsEnv); + org.owasp.benchmark.helpers.Utils.printOSCommandResults(p, response); + } catch (IOException e) { + System.out.println("Problem executing cmdi - TestCase"); + response.getWriter() + .println(org.owasp.esapi.ESAPI.encoder().encodeForHTML(e.getMessage())); + return; + } + } +} 
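Review bot: The `catch (IOException e)` at the end of doPost handles the failure differently from the sibling test cases: it writes the HTML-encoded message to the response and returns with a 200 status, while BenchmarkTest00006 rethrows as `ServletException`. If the divergence is intentional for the test-case design, a one-line comment such as `// Failure is reported inline rather than rethrown so the servlet still returns 200` would spare the next reader the question; otherwise `throw new ServletException(e);` would align it. The encoding of `e.getMessage()` with `encodeForHTML` before it reaches the page is the right call and worth keeping either way. `System.out.println("Problem executing cmdi - TestCase")` again bypasses the container's logging.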
diff --git a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00008.java b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00008.java new file mode 100644 index 0000000..3d2710e --- /dev/null +++ b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00008.java @@ -0,0 +1,68 @@ +/** + * OWASP Benchmark v1.2 + * + *

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project. For + * details, please see https://owasp.org/www-project-benchmark/. + * + *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms + * of the GNU General Public License as published by the Free Software Foundation, version 2. + * + *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY + * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details. + * + * @author Dave Wichers + * @created 2015 + */ +package org.owasp.benchmark.testcode; + +import java.io.IOException; +import javax.servlet.ServletException; +import javax.servlet.annotation.WebServlet; +import javax.servlet.http.HttpServlet; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +@WebServlet(value = "/sqli-00/BenchmarkTest00008") +public class BenchmarkTest00008 extends HttpServlet { + + private static final long serialVersionUID = 1L; + + @Override + public void doGet(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + doPost(request, response); + } + + @Override + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // some code + response.setContentType("text/html;charset=UTF-8"); + + String param = ""; + if (request.getHeader("BenchmarkTest00008") != null) { + param = request.getHeader("BenchmarkTest00008"); + } + + // URL Decode the header value since req.getHeader() doesn't. Unlike req.getParameter(). + param = java.net.URLDecoder.decode(param, "UTF-8"); + + String sql = "{call " + param + "}"; + + try { + java.sql.Connection connection = + org.owasp.benchmark.helpers.DatabaseHelper.getSqlConnection(); + java.sql.CallableStatement statement = connection.prepareCall(sql); + java.sql.ResultSet rs = statement.executeQuery(); + org.owasp.benchmark.helpers.DatabaseHelper.printResults(rs, sql, response); + + } catch (java.sql.SQLException e) { + if (org.owasp.benchmark.helpers.DatabaseHelper.hideSQLErrors) { + response.getWriter().println("Error processing request."); + return; + } else throw new ServletException(e); + } + } +} 
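Review bot: `connection`, `statement` and `rs` are never closed on either the success or the failure path of doPost, so each request leaks a JDBC connection if `DatabaseHelper.getSqlConnection()` hands out a fresh connection per call and `printResults` does not close them (neither helper is visible here). Declaring the three in a try-with-resources header, `try (java.sql.Connection connection = org.owasp.benchmark.helpers.DatabaseHelper.getSqlConnection(); java.sql.CallableStatement statement = connection.prepareCall(sql); java.sql.ResultSet rs = statement.executeQuery()) {`, closes them on every path while keeping the existing `catch (java.sql.SQLException e)`; if the helper returns a shared connection meant to stay open, a comment saying so would explain why nothing is closed. The brace-less `else throw new ServletException(e);` after a braced `if` is a style inconsistency most Java formatters flag.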
diff --git a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00009.java b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00009.java new file mode 100644 index 0000000..abe18a4 --- /dev/null +++ b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00009.java @@ -0,0 +1,124 @@ +/** + * OWASP Benchmark v1.2 + * + *

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project. For + * details, please see https://owasp.org/www-project-benchmark/. + * + *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms + * of the GNU General Public License as published by the Free Software Foundation, version 2. + * + *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY + * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details. + * + * @author Dave Wichers + * @created 2015 + */ +package org.owasp.benchmark.testcode; + +import java.io.IOException; +import javax.servlet.ServletException; +import javax.servlet.annotation.WebServlet; +import javax.servlet.http.HttpServlet; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +@WebServlet(value = "/hash-00/BenchmarkTest00009") +public class BenchmarkTest00009 extends HttpServlet { + + private static final long serialVersionUID = 1L; + + @Override + public void doGet(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + doPost(request, response); + } + + @Override + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // some code + response.setContentType("text/html;charset=UTF-8"); + + String param = ""; + java.util.Enumeration names = request.getHeaderNames(); + while (names.hasMoreElements()) { + String name = (String) names.nextElement(); + + if (org.owasp.benchmark.helpers.Utils.commonHeaders.contains(name)) { + continue; // If standard header, move on to next one + } + + java.util.Enumeration values = request.getHeaders(name); + if (values != null && values.hasMoreElements()) { + param = name; // Grabs the name of the first non-standard header as the parameter + // value + break; + } + } + // Note: We don't URL decode header names because people don't normally do that + + java.security.Provider[] provider = java.security.Security.getProviders(); + java.security.MessageDigest md; + + try { + if (provider.length > 1) { + + md = java.security.MessageDigest.getInstance("sha-384", provider[0]); + } else { + md = 
java.security.MessageDigest.getInstance("sha-384", "SUN"); + } + byte[] input = {(byte) '?'}; + Object inputParam = param; + if (inputParam instanceof String) input = ((String) inputParam).getBytes(); + if (inputParam instanceof java.io.InputStream) { + byte[] strInput = new byte[1000]; + int i = ((java.io.InputStream) inputParam).read(strInput); + if (i == -1) { + response.getWriter() + .println( + "This input source requires a POST, not a GET. Incompatible UI for the InputStream source."); + return; + } + input = java.util.Arrays.copyOf(strInput, i); + } + md.update(input); + + byte[] result = md.digest(); + java.io.File fileTarget = + new java.io.File( + new java.io.File(org.owasp.benchmark.helpers.Utils.TESTFILES_DIR), + "passwordFile.txt"); + java.io.FileWriter fw = + new java.io.FileWriter(fileTarget, true); // the true will append the new data + fw.write( + "hash_value=" + + org.owasp.esapi.ESAPI.encoder().encodeForBase64(result, true) + + "\n"); + fw.close(); + response.getWriter() + .println( + "Sensitive value '" + + org.owasp + .esapi + .ESAPI + .encoder() + .encodeForHTML(new String(input)) + + "' hashed and stored
"); + + } catch (java.security.NoSuchAlgorithmException e) { + System.out.println( + "Problem executing hash - TestCase java.security.MessageDigest.getInstance(java.lang.String,java.security.Provider)"); + throw new ServletException(e); + } catch (java.security.NoSuchProviderException e) { + System.out.println( + "Problem executing hash - TestCase java.security.MessageDigest.getInstance(java.lang.String,java.security.Provider)"); + throw new ServletException(e); + } + + response.getWriter() + .println( + "Hash Test java.security.MessageDigest.getInstance(java.lang.String,java.security.Provider) executed"); + } +} diff --git a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00010.java b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00010.java new file mode 100644 index 0000000..2a08396 --- /dev/null +++ b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00010.java @@ -0,0 +1,116 @@ +/** + * OWASP Benchmark v1.2 + * + *
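Review bot: `fw` is only closed on the success path: if `fw.write(...)` throws, the `FileWriter` on `passwordFile.txt` is never closed; `try (java.io.FileWriter fw = new java.io.FileWriter(fileTarget, true)) { fw.write(...); }` closes it on every path. `((String) inputParam).getBytes()` and `new String(input)` use the platform default charset, so the bytes that reach `md.update` differ between JVMs with different `file.encoding`; passing `java.nio.charset.StandardCharsets.UTF_8` would make the digest deterministic. Since `inputParam` is assigned from the `String` `param`, the `instanceof java.io.InputStream` branch cannot be taken in this servlet; if it is a generator template artefact, a comment to that effect would help. The same three points apply to BenchmarkTest00003 in the third patch of this series.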

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project. For + * details, please see https://owasp.org/www-project-benchmark/. + * + *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms + * of the GNU General Public License as published by the Free Software Foundation, version 2. + * + *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY + * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details. + * + * @author Dave Wichers + * @created 2015 + */ +package org.owasp.benchmark.testcode; + +import java.io.IOException; +import javax.servlet.ServletException; +import javax.servlet.annotation.WebServlet; +import javax.servlet.http.HttpServlet; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +@WebServlet(value = "/weakrand-00/BenchmarkTest00010") +public class BenchmarkTest00010 extends HttpServlet { + + private static final long serialVersionUID = 1L; + + @Override + public void doGet(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + doPost(request, response); + } + + @Override + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // some code + response.setContentType("text/html;charset=UTF-8"); + + String param = ""; + java.util.Enumeration names = request.getHeaderNames(); + while (names.hasMoreElements()) { + String name = (String) names.nextElement(); + + if (org.owasp.benchmark.helpers.Utils.commonHeaders.contains(name)) { + continue; // If standard header, move on to next one + } + + java.util.Enumeration values = request.getHeaders(name); + if (values != null && values.hasMoreElements()) { + param = name; // Grabs the name of the first non-standard header as the parameter + // value + break; + } + } + // Note: We don't URL decode header names because people don't normally do that + + try { + int randNumber = java.security.SecureRandom.getInstance("SHA1PRNG").nextInt(99); + String rememberMeKey = Integer.toString(randNumber); + + String user = "SafeInga"; + String fullClassName = this.getClass().getName(); + String testCaseNumber = + 
fullClassName.substring( + fullClassName.lastIndexOf('.') + 1 + "BenchmarkTest".length()); + user += testCaseNumber; + + String cookieName = "rememberMe" + testCaseNumber; + + boolean foundUser = false; + javax.servlet.http.Cookie[] cookies = request.getCookies(); + if (cookies != null) { + for (int i = 0; !foundUser && i < cookies.length; i++) { + javax.servlet.http.Cookie cookie = cookies[i]; + if (cookieName.equals(cookie.getName())) { + if (cookie.getValue() + .equals(request.getSession().getAttribute(cookieName))) { + foundUser = true; + } + } + } + } + + if (foundUser) { + response.getWriter().println("Welcome back: " + user + "
"); + } else { + javax.servlet.http.Cookie rememberMe = + new javax.servlet.http.Cookie(cookieName, rememberMeKey); + rememberMe.setSecure(true); + rememberMe.setHttpOnly(true); + rememberMe.setPath(request.getRequestURI()); // i.e., set path to JUST this servlet + // e.g., /benchmark/sql-01/BenchmarkTest01001 + request.getSession().setAttribute(cookieName, rememberMeKey); + response.addCookie(rememberMe); + response.getWriter() + .println( + user + + " has been remembered with cookie: " + + rememberMe.getName() + + " whose value is: " + + rememberMe.getValue() + + "
"); + } + } catch (java.security.NoSuchAlgorithmException e) { + System.out.println("Problem executing SecureRandom.nextInt(int) - TestCase"); + throw new ServletException(e); + } + response.getWriter() + .println("Weak Randomness Test java.security.SecureRandom.nextInt(int) executed"); + } +} From 882cca3477c23c30dae005085461d1a96c6a15c2 Mon Sep 17 00:00:00 2001 From: Dave Wichers Date: Mon, 15 Apr 2024 16:32:58 -0500 Subject: [PATCH 2/4] Undo change to test case 5. --- .../java/org/owasp/benchmark/testcode/BenchmarkTest00005.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00005.java b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00005.java index 64ea418..1531169 100644 --- a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00005.java +++ b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00005.java @@ -115,7 +115,7 @@ public void doPost(HttpServletRequest request, HttpServletResponse response) response.getWriter() .println( "Problem executing crypto - javax.crypto.Cipher.getInstance(java.lang.String,java.security.Provider) Test Case"); - e.printStackTrace(response.getWriter()); + e.printStackTrace(); throw new ServletException(e); } } From c4671c69803145278c6cfd305973d2a1d063123d Mon Sep 17 00:00:00 2001 
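Review bot: `nextInt(99)` limits `rememberMeKey` to 99 possible values, so the remember-me cookie carries almost no entropy regardless of the generator behind it; if this test case is meant to exercise only the `SecureRandom` API as the non-weak source, a comment such as `// Range is deliberately small for the fixture; this is not a real session token` would keep analysts from reading the range as the intended weakness. A new `SecureRandom.getInstance("SHA1PRNG")` is created on every request, which is costly to seed; a `private static final` instance would behave the same here since `SecureRandom` is thread-safe. The trailing comment `// e.g., /benchmark/sql-01/BenchmarkTest01001` gives an example path from a different test category than this servlet's `/weakrand-00/BenchmarkTest00010`. The raw `java.util.Enumeration names` is the raw-type pattern noted on BenchmarkTest00006.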
From: Dave Wichers Date: Mon, 15 Apr 2024 16:34:45 -0500 Subject: [PATCH 3/4] Add 1st 5 test cases. --- .../testcode/BenchmarkTest00001.java | 105 +++++++++++++++ .../testcode/BenchmarkTest00002.java | 92 +++++++++++++ .../testcode/BenchmarkTest00003.java | 119 +++++++++++++++++ .../testcode/BenchmarkTest00004.java | 75 +++++++++++ .../testcode/BenchmarkTest00005.java | 122 ++++++++++++++++++ 5 files changed, 513 insertions(+) create mode 100644 src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00001.java create mode 100644 src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00002.java create mode 100644 src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00003.java create mode 100644 src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00004.java create mode 100644 src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00005.java diff --git a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00001.java b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00001.java new file mode 100644 index 0000000..34c8209 --- /dev/null +++ b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00001.java @@ -0,0 +1,105 @@ +/** + * OWASP Benchmark v1.2 + * + *

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project. For + * details, please see https://owasp.org/www-project-benchmark/. + * + *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms + * of the GNU General Public License as published by the Free Software Foundation, version 2. + * + *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY + * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details. + * + * @author Dave Wichers + * @created 2015 + */ +package org.owasp.benchmark.testcode; + +import java.io.IOException; +import javax.servlet.ServletException; +import javax.servlet.annotation.WebServlet; +import javax.servlet.http.HttpServlet; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +@WebServlet(value = "/pathtraver-00/BenchmarkTest00001") +public class BenchmarkTest00001 extends HttpServlet { + + private static final long serialVersionUID = 1L; + + @Override + public void doGet(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + response.setContentType("text/html;charset=UTF-8"); + javax.servlet.http.Cookie userCookie = + new javax.servlet.http.Cookie("BenchmarkTest00001", "FileName"); + userCookie.setMaxAge(60 * 3); // Store cookie for 3 minutes + userCookie.setSecure(true); + userCookie.setPath(request.getRequestURI()); + userCookie.setDomain(new java.net.URL(request.getRequestURL().toString()).getHost()); + response.addCookie(userCookie); + javax.servlet.RequestDispatcher rd = + request.getRequestDispatcher("/pathtraver-00/BenchmarkTest00001.html"); + rd.include(request, response); + } + + @Override + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // some code + response.setContentType("text/html;charset=UTF-8"); + + javax.servlet.http.Cookie[] theCookies = request.getCookies(); + + String param = "noCookieValueSupplied"; + if (theCookies != null) { + for (javax.servlet.http.Cookie theCookie : theCookies) { + if (theCookie.getName().equals("BenchmarkTest00001")) { + param = java.net.URLDecoder.decode(theCookie.getValue(), "UTF-8"); + 
break; + } + } + } + + String fileName = null; + java.io.FileInputStream fis = null; + + try { + fileName = org.owasp.benchmark.helpers.Utils.TESTFILES_DIR + param; + fis = new java.io.FileInputStream(new java.io.File(fileName)); + byte[] b = new byte[1000]; + int size = fis.read(b); + response.getWriter() + .println( + "The beginning of file: '" + + org.owasp.esapi.ESAPI.encoder().encodeForHTML(fileName) + + "' is:\n\n" + + org.owasp + .esapi + .ESAPI + .encoder() + .encodeForHTML(new String(b, 0, size))); + } catch (Exception e) { + System.out.println("Couldn't open FileInputStream on file: '" + fileName + "'"); + response.getWriter() + .println( + "Problem getting FileInputStream: " + + org.owasp + .esapi + .ESAPI + .encoder() + .encodeForHTML(e.getMessage())); + } finally { + if (fis != null) { + try { + fis.close(); + fis = null; + } catch (Exception e) { + // we tried... + } + } + } + } +} diff --git a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00002.java b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00002.java new file mode 100644 index 0000000..b31b6a3 --- /dev/null +++ b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00002.java @@ -0,0 +1,92 @@ +/** + * OWASP Benchmark v1.2 + * + *
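Review bot: `int size = fis.read(b);` returns -1 for an empty file, and `new String(b, 0, size)` then throws `StringIndexOutOfBoundsException`, which the broad `catch (Exception e)` reports as a problem opening the stream; a guard such as `if (size < 0) size = 0;` before the println keeps the message truthful. `new String(b, 0, size)` also decodes with the platform default charset, so the page content depends on `file.encoding`. The `userCookie` in doGet sets `Secure` but not `HttpOnly`, unlike the remember-me cookie in BenchmarkTest00010; if the companion HTML page reads the cookie from script that is deliberate and worth a comment, otherwise `userCookie.setHttpOnly(true);` would be consistent, and the same applies to BenchmarkTest00002, 00003 and 00004. The `fis.close()` in `finally` with its own swallowed `catch (Exception e)` is what try-with-resources expresses in one line.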

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project. For + * details, please see https://owasp.org/www-project-benchmark/. + * + *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms + * of the GNU General Public License as published by the Free Software Foundation, version 2. + * + *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY + * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details. + * + * @author Dave Wichers + * @created 2015 + */ +package org.owasp.benchmark.testcode; + +import java.io.IOException; +import javax.servlet.ServletException; +import javax.servlet.annotation.WebServlet; +import javax.servlet.http.HttpServlet; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +@WebServlet(value = "/pathtraver-00/BenchmarkTest00002") +public class BenchmarkTest00002 extends HttpServlet { + + private static final long serialVersionUID = 1L; + + @Override + public void doGet(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + response.setContentType("text/html;charset=UTF-8"); + javax.servlet.http.Cookie userCookie = + new javax.servlet.http.Cookie("BenchmarkTest00002", "FileName"); + userCookie.setMaxAge(60 * 3); // Store cookie for 3 minutes + userCookie.setSecure(true); + userCookie.setPath(request.getRequestURI()); + userCookie.setDomain(new java.net.URL(request.getRequestURL().toString()).getHost()); + response.addCookie(userCookie); + javax.servlet.RequestDispatcher rd = + request.getRequestDispatcher("/pathtraver-00/BenchmarkTest00002.html"); + rd.include(request, response); + } + + @Override + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // some code + response.setContentType("text/html;charset=UTF-8"); + + javax.servlet.http.Cookie[] theCookies = request.getCookies(); + + String param = "noCookieValueSupplied"; + if (theCookies != null) { + for (javax.servlet.http.Cookie theCookie : theCookies) { + if (theCookie.getName().equals("BenchmarkTest00002")) { + param = java.net.URLDecoder.decode(theCookie.getValue(), "UTF-8"); + 
break; + } + } + } + + String fileName = null; + java.io.FileOutputStream fos = null; + + try { + fileName = org.owasp.benchmark.helpers.Utils.TESTFILES_DIR + param; + + fos = new java.io.FileOutputStream(fileName, false); + response.getWriter() + .println( + "Now ready to write to file: " + + org.owasp.esapi.ESAPI.encoder().encodeForHTML(fileName)); + + } catch (Exception e) { + System.out.println("Couldn't open FileOutputStream on file: '" + fileName + "'"); + // System.out.println("File exception caught and swallowed: " + e.getMessage()); + } finally { + if (fos != null) { + try { + fos.close(); + fos = null; + } catch (Exception e) { + // we tried... + } + } + } + } +} diff --git a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00003.java b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00003.java new file mode 100644 index 0000000..501535c --- /dev/null +++ b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00003.java @@ -0,0 +1,119 @@ +/** + * OWASP Benchmark v1.2 + * + *
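Review bot: When opening the `FileOutputStream` fails, the `catch (Exception e)` prints to stdout only and the response body stays empty with a 200 status, while BenchmarkTest00001 writes a "Problem getting …" line to the caller; if the silence is intentional, a comment such as `// Failure is deliberately not reported to the client in this test case` would make that explicit. The commented-out `// System.out.println("File exception caught and swallowed: " + e.getMessage());` beneath it is dead code and should either be restored as the log line or removed. `new java.io.FileOutputStream(fileName, false)` creates or truncates the target before anything is written, so the "Now ready to write to file" message already corresponds to an emptied file; a comment noting that the open itself is the sink under test would help readers.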

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project. For + * details, please see https://owasp.org/www-project-benchmark/. + * + *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms + * of the GNU General Public License as published by the Free Software Foundation, version 2. + * + *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY + * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details. + * + * @author Dave Wichers + * @created 2015 + */ +package org.owasp.benchmark.testcode; + +import java.io.IOException; +import javax.servlet.ServletException; +import javax.servlet.annotation.WebServlet; +import javax.servlet.http.HttpServlet; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +@WebServlet(value = "/hash-00/BenchmarkTest00003") +public class BenchmarkTest00003 extends HttpServlet { + + private static final long serialVersionUID = 1L; + + @Override + public void doGet(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + response.setContentType("text/html;charset=UTF-8"); + javax.servlet.http.Cookie userCookie = + new javax.servlet.http.Cookie("BenchmarkTest00003", "someSecret"); + userCookie.setMaxAge(60 * 3); // Store cookie for 3 minutes + userCookie.setSecure(true); + userCookie.setPath(request.getRequestURI()); + userCookie.setDomain(new java.net.URL(request.getRequestURL().toString()).getHost()); + response.addCookie(userCookie); + javax.servlet.RequestDispatcher rd = + request.getRequestDispatcher("/hash-00/BenchmarkTest00003.html"); + rd.include(request, response); + } + + @Override + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // some code + response.setContentType("text/html;charset=UTF-8"); + + javax.servlet.http.Cookie[] theCookies = request.getCookies(); + + String param = "noCookieValueSupplied"; + if (theCookies != null) { + for (javax.servlet.http.Cookie theCookie : theCookies) { + if (theCookie.getName().equals("BenchmarkTest00003")) { + param = java.net.URLDecoder.decode(theCookie.getValue(), "UTF-8"); + break; + } + } 
+ } + + try { + java.util.Properties benchmarkprops = new java.util.Properties(); + benchmarkprops.load( + this.getClass().getClassLoader().getResourceAsStream("benchmark.properties")); + String algorithm = benchmarkprops.getProperty("hashAlg1", "SHA512"); + java.security.MessageDigest md = java.security.MessageDigest.getInstance(algorithm); + byte[] input = {(byte) '?'}; + Object inputParam = param; + if (inputParam instanceof String) input = ((String) inputParam).getBytes(); + if (inputParam instanceof java.io.InputStream) { + byte[] strInput = new byte[1000]; + int i = ((java.io.InputStream) inputParam).read(strInput); + if (i == -1) { + response.getWriter() + .println( + "This input source requires a POST, not a GET. Incompatible UI for the InputStream source."); + return; + } + input = java.util.Arrays.copyOf(strInput, i); + } + md.update(input); + + byte[] result = md.digest(); + java.io.File fileTarget = + new java.io.File( + new java.io.File(org.owasp.benchmark.helpers.Utils.TESTFILES_DIR), + "passwordFile.txt"); + java.io.FileWriter fw = + new java.io.FileWriter(fileTarget, true); // the true will append the new data + fw.write( + "hash_value=" + + org.owasp.esapi.ESAPI.encoder().encodeForBase64(result, true) + + "\n"); + fw.close(); + response.getWriter() + .println( + "Sensitive value '" + + org.owasp + .esapi + .ESAPI + .encoder() + .encodeForHTML(new String(input)) + + "' hashed and stored
"); + + } catch (java.security.NoSuchAlgorithmException e) { + System.out.println("Problem executing hash - TestCase"); + throw new ServletException(e); + } + + response.getWriter() + .println( + "Hash Test java.security.MessageDigest.getInstance(java.lang.String) executed"); + } +} diff --git a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00004.java b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00004.java new file mode 100644 index 0000000..beaa3b2 --- /dev/null +++ b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00004.java @@ -0,0 +1,75 @@ +/** + * OWASP Benchmark v1.2 + * + *
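Review bot: `this.getClass().getClassLoader().getResourceAsStream("benchmark.properties")` returns null when the resource is missing, so `benchmarkprops.load(...)` would fail with a `NullPointerException` that none of the catch clauses handle, and the stream it returns on success is never closed. Opening it in a try-with-resources, `try (java.io.InputStream in = this.getClass().getClassLoader().getResourceAsStream("benchmark.properties")) {` with an explicit `if (in == null) throw new ServletException("benchmark.properties not found");` before `benchmarkprops.load(in);`, covers both. Re-reading the properties file on every request is also avoidable if `algorithm` were resolved once in `init()`, though that is a design choice for the fixture. The `FileWriter` close-on-success-only, default-charset and unreachable `InputStream` branch points are the same as noted on BenchmarkTest00009.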

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project. For + * details, please see https://owasp.org/www-project-benchmark/. + * + *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms + * of the GNU General Public License as published by the Free Software Foundation, version 2. + * + *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY + * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details. + * + * @author Dave Wichers + * @created 2015 + */ +package org.owasp.benchmark.testcode; + +import java.io.IOException; +import javax.servlet.ServletException; +import javax.servlet.annotation.WebServlet; +import javax.servlet.http.HttpServlet; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +@WebServlet(value = "/trustbound-00/BenchmarkTest00004") +public class BenchmarkTest00004 extends HttpServlet { + + private static final long serialVersionUID = 1L; + + @Override + public void doGet(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + response.setContentType("text/html;charset=UTF-8"); + javax.servlet.http.Cookie userCookie = + new javax.servlet.http.Cookie("BenchmarkTest00004", "color"); + userCookie.setMaxAge(60 * 3); // Store cookie for 3 minutes + userCookie.setSecure(true); + userCookie.setPath(request.getRequestURI()); + userCookie.setDomain(new java.net.URL(request.getRequestURL().toString()).getHost()); + response.addCookie(userCookie); + javax.servlet.RequestDispatcher rd = + request.getRequestDispatcher("/trustbound-00/BenchmarkTest00004.html"); + rd.include(request, response); + } + + @Override + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // some code + response.setContentType("text/html;charset=UTF-8"); + + javax.servlet.http.Cookie[] theCookies = request.getCookies(); + + String param = "noCookieValueSupplied"; + if (theCookies != null) { + for (javax.servlet.http.Cookie theCookie : theCookies) { + if (theCookie.getName().equals("BenchmarkTest00004")) { + param = java.net.URLDecoder.decode(theCookie.getValue(), "UTF-8"); + break; + 
} + } + } + + // javax.servlet.http.HttpSession.setAttribute(java.lang.String^,java.lang.Object) + request.getSession().setAttribute(param, "10340"); + + response.getWriter() + .println( + "Item: '" + + org.owasp.benchmark.helpers.Utils.encodeForHTML(param) + + "' with value: '10340' saved in session."); + } +} diff --git a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00005.java b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00005.java new file mode 100644 index 0000000..64ea418 --- /dev/null +++ b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00005.java @@ -0,0 +1,122 @@ +/** + * OWASP Benchmark v1.2 + * + *
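Review bot: `java.net.URLDecoder.decode(theCookie.getValue(), "UTF-8")` in doPost throws IllegalArgumentException on a cookie value with malformed percent-encoding, so a bad cookie surfaces as an unhandled 500 instead of falling back to `noCookieValueSupplied`; catching that and leaving `param` at its default keeps the response controlled. The decoded value then becomes the session attribute key in `request.getSession().setAttribute(param, "10340")`, presumably the trust-boundary finding this `trustbound-00` case exists to exercise, so a class-level Javadoc stating the expected finding would be more useful than the `// some code` placeholder. In doGet the cookie gets `setSecure(true)` but not `setHttpOnly(true)`, unlike the rememberMe cookie in BenchmarkTest00010 later in this series; if the omission is deliberate it deserves a comment.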

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project. For + * details, please see https://owasp.org/www-project-benchmark/. + * + *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms + * of the GNU General Public License as published by the Free Software Foundation, version 2. + * + *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY + * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details. + * + * @author Dave Wichers + * @created 2015 + */ +package org.owasp.benchmark.testcode; + +import java.io.IOException; +import javax.servlet.ServletException; +import javax.servlet.annotation.WebServlet; +import javax.servlet.http.HttpServlet; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +@WebServlet(value = "/crypto-00/BenchmarkTest00005") +public class BenchmarkTest00005 extends HttpServlet { + + private static final long serialVersionUID = 1L; + + @Override + public void doGet(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + doPost(request, response); + } + + @Override + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // some code + response.setContentType("text/html;charset=UTF-8"); + + String param = ""; + if (request.getHeader("BenchmarkTest00005") != null) { + param = request.getHeader("BenchmarkTest00005"); + } + + // URL Decode the header value since req.getHeader() doesn't. Unlike req.getParameter(). 
+ param = java.net.URLDecoder.decode(param, "UTF-8"); + + // Code based on example from: + // http://examples.javacodegeeks.com/core-java/crypto/encrypt-decrypt-file-stream-with-des/ + // 8-byte initialization vector + // byte[] iv = { + // (byte)0xB2, (byte)0x12, (byte)0xD5, (byte)0xB2, + // (byte)0x44, (byte)0x21, (byte)0xC3, (byte)0xC3033 + // }; + java.security.SecureRandom random = new java.security.SecureRandom(); + byte[] iv = random.generateSeed(8); // DES requires 8 byte keys + + try { + javax.crypto.Cipher c = javax.crypto.Cipher.getInstance("DES/CBC/PKCS5Padding"); + + // Prepare the cipher to encrypt + javax.crypto.SecretKey key = javax.crypto.KeyGenerator.getInstance("DES").generateKey(); + java.security.spec.AlgorithmParameterSpec paramSpec = + new javax.crypto.spec.IvParameterSpec(iv); + c.init(javax.crypto.Cipher.ENCRYPT_MODE, key, paramSpec); + + // encrypt and store the results + byte[] input = {(byte) '?'}; + Object inputParam = param; + if (inputParam instanceof String) input = ((String) inputParam).getBytes(); + if (inputParam instanceof java.io.InputStream) { + byte[] strInput = new byte[1000]; + int i = ((java.io.InputStream) inputParam).read(strInput); + if (i == -1) { + response.getWriter() + .println( + "This input source requires a POST, not a GET. Incompatible UI for the InputStream source."); + return; + } + input = java.util.Arrays.copyOf(strInput, i); + } + byte[] result = c.doFinal(input); + + java.io.File fileTarget = + new java.io.File( + new java.io.File(org.owasp.benchmark.helpers.Utils.TESTFILES_DIR), + "passwordFile.txt"); + java.io.FileWriter fw = + new java.io.FileWriter(fileTarget, true); // the true will append the new data + fw.write( + "secret_value=" + + org.owasp.esapi.ESAPI.encoder().encodeForBase64(result, true) + + "\n"); + fw.close(); + response.getWriter() + .println( + "Sensitive value: '" + + org.owasp + .esapi + .ESAPI + .encoder() + .encodeForHTML(new String(input)) + + "' encrypted and stored
"); + + } catch (java.security.NoSuchAlgorithmException + | javax.crypto.NoSuchPaddingException + | javax.crypto.IllegalBlockSizeException + | javax.crypto.BadPaddingException + | java.security.InvalidKeyException + | java.security.InvalidAlgorithmParameterException e) { + response.getWriter() + .println( + "Problem executing crypto - javax.crypto.Cipher.getInstance(java.lang.String,java.security.Provider) Test Case"); + e.printStackTrace(response.getWriter()); + throw new ServletException(e); + } + } +} From dc3ac4645105947b6ce9f251b8818d5ea6a6f304 Mon Sep 17 00:00:00 2001 From: Dave Wichers Date: Mon, 29 Apr 2024 10:59:36 -0500 Subject: [PATCH 4/4] Remove 5 test cases so there will be under 20 issues, so hopefully GitHub AdvSec autofix will trigger. --- .../testcode/BenchmarkTest00006.java | 77 ----------- .../testcode/BenchmarkTest00007.java | 70 ---------- .../testcode/BenchmarkTest00008.java | 68 ---------- .../testcode/BenchmarkTest00009.java | 124 ------------------ .../testcode/BenchmarkTest00010.java | 116 ---------------- 5 files changed, 455 deletions(-) delete mode 100644 src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00006.java delete mode 100644 src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00007.java delete mode 100644 src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00008.java delete mode 100644 src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00009.java delete mode 100644 src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00010.java diff --git a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00006.java b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00006.java deleted file mode 100644 index 2359c9b..0000000 --- a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00006.java +++ /dev/null @@ -1,77 +0,0 @@ -/** - * OWASP Benchmark v1.2 - * - *
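Review bot: The `java.io.FileWriter fw` opened on passwordFile.txt is closed only on the success path; if `fw.write(...)` throws, the handle leaks and the file is left open until finalization. Use try-with-resources: `try (java.io.FileWriter fw = new java.io.FileWriter(fileTarget, true)) {` / `fw.write("secret_value=" + org.owasp.esapi.ESAPI.encoder().encodeForBase64(result, true) + "\n");` / `}`. Separately, `e.printStackTrace(response.getWriter())` in the catch block writes the full stack trace into the HTTP response, disclosing class names and provider internals to the client; if that is an intended finding for this case, say so in a comment, otherwise log it server-side and keep only the generic message in the response. `((String) inputParam).getBytes()` and `new String(input)` also use the platform default charset, so the stored and echoed bytes depend on the JVM locale rather than the declared UTF-8 content type. The comment on `byte[] iv = random.generateSeed(8); // DES requires 8 byte keys` is misleading, since this buffer is the CBC IV rather than the key, and `random.nextBytes(iv)` is the usual call for IV material.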

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project. For - * details, please see https://owasp.org/www-project-benchmark/. - * - *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms - * of the GNU General Public License as published by the Free Software Foundation, version 2. - * - *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY - * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR - * PURPOSE. See the GNU General Public License for more details. - * - * @author Dave Wichers - * @created 2015 - */ -package org.owasp.benchmark.testcode; - -import java.io.IOException; -import javax.servlet.ServletException; -import javax.servlet.annotation.WebServlet; -import javax.servlet.http.HttpServlet; -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; - -@WebServlet(value = "/cmdi-00/BenchmarkTest00006") -public class BenchmarkTest00006 extends HttpServlet { - - private static final long serialVersionUID = 1L; - - @Override - public void doGet(HttpServletRequest request, HttpServletResponse response) - throws ServletException, IOException { - doPost(request, response); - } - - @Override - public void doPost(HttpServletRequest request, HttpServletResponse response) - throws ServletException, IOException { - // some code - response.setContentType("text/html;charset=UTF-8"); - - String param = ""; - if (request.getHeader("BenchmarkTest00006") != null) { - param = request.getHeader("BenchmarkTest00006"); - } - - // URL Decode the header value since req.getHeader() doesn't. Unlike req.getParameter(). 
- param = java.net.URLDecoder.decode(param, "UTF-8"); - - java.util.List argList = new java.util.ArrayList(); - - String osName = System.getProperty("os.name"); - if (osName.indexOf("Windows") != -1) { - argList.add("cmd.exe"); - argList.add("/c"); - } else { - argList.add("sh"); - argList.add("-c"); - } - argList.add("echo " + param); - - ProcessBuilder pb = new ProcessBuilder(); - - pb.command(argList); - - try { - Process p = pb.start(); - org.owasp.benchmark.helpers.Utils.printOSCommandResults(p, response); - } catch (IOException e) { - System.out.println( - "Problem executing cmdi - java.lang.ProcessBuilder(java.util.List) Test Case"); - throw new ServletException(e); - } - } -} diff --git a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00007.java b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00007.java deleted file mode 100644 index d1d180a..0000000 --- a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00007.java +++ /dev/null @@ -1,70 +0,0 @@ -/** - * OWASP Benchmark v1.2 - * - *

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project. For - * details, please see https://owasp.org/www-project-benchmark/. - * - *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms - * of the GNU General Public License as published by the Free Software Foundation, version 2. - * - *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY - * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR - * PURPOSE. See the GNU General Public License for more details. - * - * @author Dave Wichers - * @created 2015 - */ -package org.owasp.benchmark.testcode; - -import java.io.IOException; -import javax.servlet.ServletException; -import javax.servlet.annotation.WebServlet; -import javax.servlet.http.HttpServlet; -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; - -@WebServlet(value = "/cmdi-00/BenchmarkTest00007") -public class BenchmarkTest00007 extends HttpServlet { - - private static final long serialVersionUID = 1L; - - @Override - public void doGet(HttpServletRequest request, HttpServletResponse response) - throws ServletException, IOException { - doPost(request, response); - } - - @Override - public void doPost(HttpServletRequest request, HttpServletResponse response) - throws ServletException, IOException { - // some code - response.setContentType("text/html;charset=UTF-8"); - - String param = ""; - if (request.getHeader("BenchmarkTest00007") != null) { - param = request.getHeader("BenchmarkTest00007"); - } - - // URL Decode the header value since req.getHeader() doesn't. Unlike req.getParameter(). - param = java.net.URLDecoder.decode(param, "UTF-8"); - - String cmd = - org.owasp.benchmark.helpers.Utils.getInsecureOSCommandString( - this.getClass().getClassLoader()); - String[] args = {cmd}; - String[] argsEnv = {param}; - - Runtime r = Runtime.getRuntime(); - - try { - Process p = r.exec(args, argsEnv); - org.owasp.benchmark.helpers.Utils.printOSCommandResults(p, response); - } catch (IOException e) { - System.out.println("Problem executing cmdi - TestCase"); - response.getWriter() - .println(org.owasp.esapi.ESAPI.encoder().encodeForHTML(e.getMessage())); - return; - } - } -} 
diff --git a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00008.java b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00008.java deleted file mode 100644 index 3d2710e..0000000 --- a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00008.java +++ /dev/null @@ -1,68 +0,0 @@ -/** - * OWASP Benchmark v1.2 - * - *

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project. For - * details, please see https://owasp.org/www-project-benchmark/. - * - *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms - * of the GNU General Public License as published by the Free Software Foundation, version 2. - * - *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY - * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR - * PURPOSE. See the GNU General Public License for more details. - * - * @author Dave Wichers - * @created 2015 - */ -package org.owasp.benchmark.testcode; - -import java.io.IOException; -import javax.servlet.ServletException; -import javax.servlet.annotation.WebServlet; -import javax.servlet.http.HttpServlet; -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; - -@WebServlet(value = "/sqli-00/BenchmarkTest00008") -public class BenchmarkTest00008 extends HttpServlet { - - private static final long serialVersionUID = 1L; - - @Override - public void doGet(HttpServletRequest request, HttpServletResponse response) - throws ServletException, IOException { - doPost(request, response); - } - - @Override - public void doPost(HttpServletRequest request, HttpServletResponse response) - throws ServletException, IOException { - // some code - response.setContentType("text/html;charset=UTF-8"); - - String param = ""; - if (request.getHeader("BenchmarkTest00008") != null) { - param = request.getHeader("BenchmarkTest00008"); - } - - // URL Decode the header value since req.getHeader() doesn't. Unlike req.getParameter(). - param = java.net.URLDecoder.decode(param, "UTF-8"); - - String sql = "{call " + param + "}"; - - try { - java.sql.Connection connection = - org.owasp.benchmark.helpers.DatabaseHelper.getSqlConnection(); - java.sql.CallableStatement statement = connection.prepareCall(sql); - java.sql.ResultSet rs = statement.executeQuery(); - org.owasp.benchmark.helpers.DatabaseHelper.printResults(rs, sql, response); - - } catch (java.sql.SQLException e) { - if (org.owasp.benchmark.helpers.DatabaseHelper.hideSQLErrors) { - response.getWriter().println("Error processing request."); - return; - } else throw new ServletException(e); - } - } -} 
diff --git a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00009.java b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00009.java deleted file mode 100644 index abe18a4..0000000 --- a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00009.java +++ /dev/null @@ -1,124 +0,0 @@ -/** - * OWASP Benchmark v1.2 - * - *

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project. For - * details, please see https://owasp.org/www-project-benchmark/. - * - *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms - * of the GNU General Public License as published by the Free Software Foundation, version 2. - * - *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY - * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR - * PURPOSE. See the GNU General Public License for more details. - * - * @author Dave Wichers - * @created 2015 - */ -package org.owasp.benchmark.testcode; - -import java.io.IOException; -import javax.servlet.ServletException; -import javax.servlet.annotation.WebServlet; -import javax.servlet.http.HttpServlet; -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; - -@WebServlet(value = "/hash-00/BenchmarkTest00009") -public class BenchmarkTest00009 extends HttpServlet { - - private static final long serialVersionUID = 1L; - - @Override - public void doGet(HttpServletRequest request, HttpServletResponse response) - throws ServletException, IOException { - doPost(request, response); - } - - @Override - public void doPost(HttpServletRequest request, HttpServletResponse response) - throws ServletException, IOException { - // some code - response.setContentType("text/html;charset=UTF-8"); - - String param = ""; - java.util.Enumeration names = request.getHeaderNames(); - while (names.hasMoreElements()) { - String name = (String) names.nextElement(); - - if (org.owasp.benchmark.helpers.Utils.commonHeaders.contains(name)) { - continue; // If standard header, move on to next one - } - - java.util.Enumeration values = request.getHeaders(name); - if (values != null && values.hasMoreElements()) { - param = name; // Grabs the name of the first non-standard header as the parameter - // value - break; - } - } - // Note: We don't URL decode header names because people don't normally do that - - java.security.Provider[] provider = java.security.Security.getProviders(); - java.security.MessageDigest md; - - try { - if (provider.length > 1) { - - md = java.security.MessageDigest.getInstance("sha-384", provider[0]); - } else { - md = 
java.security.MessageDigest.getInstance("sha-384", "SUN"); - } - byte[] input = {(byte) '?'}; - Object inputParam = param; - if (inputParam instanceof String) input = ((String) inputParam).getBytes(); - if (inputParam instanceof java.io.InputStream) { - byte[] strInput = new byte[1000]; - int i = ((java.io.InputStream) inputParam).read(strInput); - if (i == -1) { - response.getWriter() - .println( - "This input source requires a POST, not a GET. Incompatible UI for the InputStream source."); - return; - } - input = java.util.Arrays.copyOf(strInput, i); - } - md.update(input); - - byte[] result = md.digest(); - java.io.File fileTarget = - new java.io.File( - new java.io.File(org.owasp.benchmark.helpers.Utils.TESTFILES_DIR), - "passwordFile.txt"); - java.io.FileWriter fw = - new java.io.FileWriter(fileTarget, true); // the true will append the new data - fw.write( - "hash_value=" - + org.owasp.esapi.ESAPI.encoder().encodeForBase64(result, true) - + "\n"); - fw.close(); - response.getWriter() - .println( - "Sensitive value '" - + org.owasp - .esapi - .ESAPI - .encoder() - .encodeForHTML(new String(input)) - + "' hashed and stored
"); - - } catch (java.security.NoSuchAlgorithmException e) { - System.out.println( - "Problem executing hash - TestCase java.security.MessageDigest.getInstance(java.lang.String,java.security.Provider)"); - throw new ServletException(e); - } catch (java.security.NoSuchProviderException e) { - System.out.println( - "Problem executing hash - TestCase java.security.MessageDigest.getInstance(java.lang.String,java.security.Provider)"); - throw new ServletException(e); - } - - response.getWriter() - .println( - "Hash Test java.security.MessageDigest.getInstance(java.lang.String,java.security.Provider) executed"); - } -} diff --git a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00010.java b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00010.java deleted file mode 100644 index 2a08396..0000000 --- a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00010.java +++ /dev/null @@ -1,116 +0,0 @@ -/** - * OWASP Benchmark v1.2 - * - *

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project. For - * details, please see https://owasp.org/www-project-benchmark/. - * - *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms - * of the GNU General Public License as published by the Free Software Foundation, version 2. - * - *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY - * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR - * PURPOSE. See the GNU General Public License for more details. - * - * @author Dave Wichers - * @created 2015 - */ -package org.owasp.benchmark.testcode; - -import java.io.IOException; -import javax.servlet.ServletException; -import javax.servlet.annotation.WebServlet; -import javax.servlet.http.HttpServlet; -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; - -@WebServlet(value = "/weakrand-00/BenchmarkTest00010") -public class BenchmarkTest00010 extends HttpServlet { - - private static final long serialVersionUID = 1L; - - @Override - public void doGet(HttpServletRequest request, HttpServletResponse response) - throws ServletException, IOException { - doPost(request, response); - } - - @Override - public void doPost(HttpServletRequest request, HttpServletResponse response) - throws ServletException, IOException { - // some code - response.setContentType("text/html;charset=UTF-8"); - - String param = ""; - java.util.Enumeration names = request.getHeaderNames(); - while (names.hasMoreElements()) { - String name = (String) names.nextElement(); - - if (org.owasp.benchmark.helpers.Utils.commonHeaders.contains(name)) { - continue; // If standard header, move on to next one - } - - java.util.Enumeration values = request.getHeaders(name); - if (values != null && values.hasMoreElements()) { - param = name; // Grabs the name of the first non-standard header as the parameter - // value - break; - } - } - // Note: We don't URL decode header names because people don't normally do that - - try { - int randNumber = java.security.SecureRandom.getInstance("SHA1PRNG").nextInt(99); - String rememberMeKey = Integer.toString(randNumber); - - String user = "SafeInga"; - String fullClassName = this.getClass().getName(); - String testCaseNumber = - 
fullClassName.substring( - fullClassName.lastIndexOf('.') + 1 + "BenchmarkTest".length()); - user += testCaseNumber; - - String cookieName = "rememberMe" + testCaseNumber; - - boolean foundUser = false; - javax.servlet.http.Cookie[] cookies = request.getCookies(); - if (cookies != null) { - for (int i = 0; !foundUser && i < cookies.length; i++) { - javax.servlet.http.Cookie cookie = cookies[i]; - if (cookieName.equals(cookie.getName())) { - if (cookie.getValue() - .equals(request.getSession().getAttribute(cookieName))) { - foundUser = true; - } - } - } - } - - if (foundUser) { - response.getWriter().println("Welcome back: " + user + "
"); - } else { - javax.servlet.http.Cookie rememberMe = - new javax.servlet.http.Cookie(cookieName, rememberMeKey); - rememberMe.setSecure(true); - rememberMe.setHttpOnly(true); - rememberMe.setPath(request.getRequestURI()); // i.e., set path to JUST this servlet - // e.g., /benchmark/sql-01/BenchmarkTest01001 - request.getSession().setAttribute(cookieName, rememberMeKey); - response.addCookie(rememberMe); - response.getWriter() - .println( - user - + " has been remembered with cookie: " - + rememberMe.getName() - + " whose value is: " - + rememberMe.getValue() - + "
"); - } - } catch (java.security.NoSuchAlgorithmException e) { - System.out.println("Problem executing SecureRandom.nextInt(int) - TestCase"); - throw new ServletException(e); - } - response.getWriter() - .println("Weak Randomness Test java.security.SecureRandom.nextInt(int) executed"); - } -}