From 3a2aabe07fc66d36437348a8ee0e500a14aeac79 Mon Sep 17 00:00:00 2001
From: shivababuh <75662423+shivababuh@users.noreply.github.com>
Date: Wed, 8 Sep 2021 09:47:53 +0530
Subject: [PATCH 1/3] Generate Scorecard to include the New XML Format post 10.x release (#2)

* New XML Format post 10.x release

* take care of xpath issues
---
 .../score/parsers/AppScanDynamicReader2.java | 193 +++++++++++++-----
 1 file changed, 144 insertions(+), 49 deletions(-)

diff --git a/src/main/java/org/owasp/benchmark/score/parsers/AppScanDynamicReader2.java b/src/main/java/org/owasp/benchmark/score/parsers/AppScanDynamicReader2.java
index bc1248ecf3..792830b7b8 100644
--- a/src/main/java/org/owasp/benchmark/score/parsers/AppScanDynamicReader2.java
+++ b/src/main/java/org/owasp/benchmark/score/parsers/AppScanDynamicReader2.java
@@ -19,19 +19,22 @@
 import java.io.File;
 import java.io.FileInputStream;
+import java.util.ArrayList;
 import java.util.List;
+
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import org.owasp.benchmark.score.BenchmarkScore;
 import org.owasp.benchmark.score.TestCaseResult;
 import org.owasp.benchmark.score.TestSuiteResults;
 import org.w3c.dom.Document;
+import org.w3c.dom.NamedNodeMap;
 import org.w3c.dom.Node;
 import org.xml.sax.InputSource;
 public class AppScanDynamicReader2 extends Reader {
-    // This is the new AppScan Dynamnic reader, where they generate ".xml" files.
+    // This is the new AppScan Dynamic reader, where they generate ".xml" files.
     public TestSuiteResults parse(File f) throws Exception {
@@ -44,6 +47,11 @@ public TestSuiteResults parse(File f) throws Exception { Node root = doc.getDocumentElement(); Node scanInfo = getNamedChild("scan-information", root); + + Node scanConfiguration = getNamedChild("scan-configuration", root); + String startingUrl = getNamedChild("starting-url", scanConfiguration).getTextContent(); + System.out.println("Starting URL is: " + startingUrl); + TestSuiteResults tr = new TestSuiteResults("IBM AppScan Dynamic", true, TestSuiteResults.ToolType.DAST); 
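Review bot: The added `getNamedChild("starting-url", scanConfiguration).getTextContent()` chain has no null guard, so a report that carries no `scan-configuration` element — the older 9.x layout this commit still says it handles through the non-variant branch — would end the whole parse with a NullPointerException instead of falling back. Guard it, e.g. `String startingUrl = scanConfiguration == null ? "" : getNamedChild("starting-url", scanConfiguration).getTextContent();` (this assumes getNamedChild returns null for a missing child — confirm against Reader). The new `System.out.println("Starting URL is: " + startingUrl);` reads like a leftover debug line and will be printed on every scorecard run; drop it or demote it to the commented-out style the rest of this file uses. parse() begins and ends outside this hunk.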
@@ -57,60 +65,122 @@ public TestSuiteResults parse(File f) throws Exception { Node allIssues = getNamedChild("url-group", root); List vulnerabilities = getNamedChildren("item", allIssues); + + Node allIssueVariants = getNamedChild("issue-group", root); + List variants = getNamedChildren("item", allIssueVariants); + + // Loop through all the vulnerabilities for (Node vulnerability : vulnerabilities) { - - // First get the type of vuln, and if we don't care about that type, move on - String issueType = getNamedChild("issue-type", vulnerability).getTextContent(); - - String url = getNamedChild("name", vulnerability).getTextContent(); + String issueType = getNamedChild("issue-type", vulnerability).getTextContent(); + + String url = getNamedChild("name", vulnerability).getTextContent(); // to give DAST tools some credit, if they report a similar vuln in a different area, we // count it. // e.g., SQLi in the XPATHi tests. To do that, we have to pull out the vuln type from // the URL. - String urlElements[] = url.split("/"); - String testArea = - urlElements[urlElements.length - 2].split("-")[0]; // .split strips off the -## - // System.out.println("Candidate test area is: " + testArea); - - int vtype = cweLookup(issueType, testArea); - // System.out.println("Vuln type: " + issueType + " has CWE of: " + vtype); - - // Then get the filename containing the vuln. And if not in a test case, skip it. - // Parse out test number from: - // https://localhost:port/benchmark/testarea-##/BenchmarkTest02603 - int startOfTestCase = url.lastIndexOf("/") + 1; - String testcase = url.substring(startOfTestCase, url.length()); - testcase = - testcase.split("\\.")[ - 0]; // if test case has extension (e.g., BenchmarkTestCase#####.html), - // strip it off. 
- // System.out.println("Candidate test case is: " + testcase); - if (testcase.startsWith(BenchmarkScore.TESTCASENAME)) { - int tn = -1; - String testno = testcase.substring(BenchmarkScore.TESTCASENAME.length()); - try { - tn = Integer.parseInt(testno); - } catch (NumberFormatException e) { - e.printStackTrace(); - } - - // if (tn == -1) System.out.println("Found vuln outside of test case of type: " + - // issueType); - - // Add the vuln found in a test case to the results for this tool - TestCaseResult tcr = new TestCaseResult(); - tcr.setNumber(tn); - tcr.setCategory(issueType); // TODO: Is this right? - tcr.setCWE(vtype); - tcr.setEvidence(issueType); - - tr.put(tcr); - } + + NamedNodeMap itemNode = vulnerability.getAttributes(); + String variantItemID = itemNode.getNamedItem("id").getNodeValue(); + + List testCaseElementsFromVariants = variantLookup(issueType, variantItemID, startingUrl, variants); + if(testCaseElementsFromVariants.isEmpty()) { + //Handle non-variant issue types , Older xml format as in 9.x release versions and before + // First get the type of vuln, and if we don't care about that type, move on + TestCaseResult tcr = TestCaseLookup(issueType, url); + tr.put(tcr); + } + else { + //Handle issues which are Variants, new xml format after 10.x release + for (String testArea : testCaseElementsFromVariants ) { + TestCaseResult tcr = TestCaseLookup(issueType, testArea); + tr.put(tcr); + } + } } + return tr; } + + /// Issues which are not variants + private static TestCaseResult TestCaseLookup(String issueType, String url) { + TestCaseResult tcr = new TestCaseResult(); + String urlElements[] = url.split("/"); + String testArea = + urlElements[urlElements.length - 2].split("-")[0]; // .split strips off the -## + + int vtype = cweLookup(issueType, testArea); + + // Then get the filename containing the vuln. And if not in a test case, skip it. 
+ // Parse out test number from: + // https://localhost:port/benchmark/testarea-##/BenchmarkTest02603 + int startOfTestCase = url.lastIndexOf("/") + 1; + String testcase = url.substring(startOfTestCase, url.length()); + testcase = + testcase.split("\\.")[ + 0]; // if test case has extension (e.g., BenchmarkTestCase#####.html), + // strip it off. + // System.out.println("Candidate test case is: " + testcase); + if (testcase.startsWith(BenchmarkScore.TESTCASENAME)) { + int tn = -1; + String testno = testcase.substring(BenchmarkScore.TESTCASENAME.length()); + try { + tn = Integer.parseInt(testno); + } catch (NumberFormatException e) { + e.printStackTrace(); + } + + // if (tn == -1) System.out.println("Found vuln outside of test case of type: " + + // issueType); + + // Add the vuln found in a test case to the results for this tool + tcr.setNumber(tn); + tcr.setCategory(issueType); // TODO: Is this right? + tcr.setCWE(vtype); + tcr.setEvidence(issueType); + } + return tcr; + } + + + //Fetch Issues listed as variants, to cater to post 10.x release xml format + private static List variantLookup(String issueType, String itemID,String startingUrl, List variants) { + List testCaseElementsFromVariants = new ArrayList(); + + //System.out.println("Variant Lookup Item ID: " + itemID); + + for (Node variant : variants) { + String variantUrlRefId = getNamedChild("url", variant).getTextContent().trim(); + String variantIssueType = getNamedChild("issue-type", variant).getTextContent().trim(); + //System.out.println("Variant Url Ref ID: " + variantUrlRefId); + + + // Add the record only if the issue type matches for the relevant variants + if (issueType.equals(variantIssueType) && itemID.equals(variantUrlRefId)) { + Node variantNodes = getNamedChild("variant-group", variant); + List variantNodeChildren = getNamedChildren("item", variantNodes); + for (Node variantNodeChild : variantNodeChildren) { + String httpTraffic = getNamedChild("test-http-traffic", 
variantNodeChild).getTextContent(); + String[] variantUrl = httpTraffic.split(" "); + + String benchMarkTestCase = variantUrl[1].trim(); + + if (benchMarkTestCase.contains("BenchmarkTest")) { + String urlElements[] = benchMarkTestCase.split("/"); + + String testAreaUrl = startingUrl + urlElements[urlElements.length - 2] + "/" + urlElements[urlElements.length - 1]; + String testArea = testAreaUrl.split("\\?")[0]; // .split strips off the -## + + if (testArea.contains("BenchmarkTest")) + testCaseElementsFromVariants.add(testArea); + } + } + } + } + + return testCaseElementsFromVariants; + } // e.g., 3 Hour(s) 7 Minute(s) 58 Second(s) /* private String parseTime(String message) { 
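Review bot: URLs that are not test cases now produce a result: in TestCaseLookup the `TestCaseResult` is built before the `if (testcase.startsWith(BenchmarkScore.TESTCASENAME))` check and returned unconditionally, and both call sites in parse() do `tr.put(tcr);` without inspecting it, whereas the removed code only put a result inside that check — so every non-test-case URL now contributes an un-numbered result to the scorecard. Have TestCaseLookup `return null;` when the name does not start with TESTCASENAME and guard both callers with `if (tcr != null) tr.put(tcr);`, which also makes the retained comment `// Then get the filename containing the vuln. And if not in a test case, skip it.` true again. In variantLookup, `variantUrl[1]` is read without checking that `httpTraffic.split(" ")` yielded two elements, so a `test-http-traffic` value with no space throws ArrayIndexOutOfBoundsException and aborts the parse; check `variantUrl.length > 1` first. The method name `TestCaseLookup` breaks the file's lowerCamelCase convention, and the loop variable `testArea` in parse() holds a full URL rather than a test area, which is what TestCaseLookup's `url` parameter expects. parse() starts before this hunk, and the hunk ends inside the commented-out parseTime block.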
@@ -126,15 +196,40 @@ public TestSuiteResults parse(File f) throws Exception {
     */
     private static int cweLookup(String vtype, String testArea) {
         int cwe = cweLookup(vtype);
-        if ("xpathi".equals(testArea) && cwe == 89) cwe = 643; // CWE for xpath injection
-        if ("ldapi".equals(testArea) && cwe == 89) cwe = 90; // CWE for xpath injection
+        if ("xpathi".equals(testArea) && cwe == 89)
+            cwe = 643; // CWE for xpath injection
+        if ("ldapi".equals(testArea) && cwe == 89)
+            cwe = 90; // CWE for xpath injection
         return cwe;
     }
     private static int cweLookup(String vtype) {
         switch (vtype) {
-            case "attBlindSqlInjectionStrings":
+            case "attDirectoryFound" : return 22;
+            case "attDirOptions" : return 22;
+            case "attApplicationRemoteCodeExecutionAdns" : return 78; // Score worse or
+            case "attLDAPInjection2" : return 90;
+            case "attLDAPInjection" : return 90;
+            case "attXPathInjection" : return 643;
+            case "attBlindXpathInjectionSingleQuote" : return 643;
+            case "attFileParamPipe" : return 78;
+            case "attContentSecurityPolicyObjectSrc" : return 00;
+            case "attContentSecurityPolicyScriptSrc" : return 00;
+            case "attBlindLDAPInjection":
+                return 90;
+            case "attCommandInjectionAdns":
+                return 78;
+            case "attCommandInjectionUnixTws":
+                return 78;
+            case "attBlindXPathInjection":
+                return 643;
+            case "attFileUnix":
+                return 22;
+            case "GV_SQLErr": return 00;
+            case "passParamGET":
+                return 523;
+            case "attBlindSqlInjectionStrings":
                 return 89; // Score worse or better?
             case "attCachedSSL":
                 return 00;
@@ -158,7 +253,7 @@ private static int cweLookup(String vtype) {
             case "ContentTypeOptions":
                 return 00;
-            // case "GD_EmailAddress" : return 00;
+            case "GD_EmailAddress" : return 00;
             case "GETParamOverSSL":
                 return 00;
             // case "GV_SQLErr" : return 89; // Score worse or better with this or 00?
From cb015f8939daba52e4853a94601b0b7ce88e42a3 Mon Sep 17 00:00:00 2001
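Review bot: The rewritten ldapi branch keeps the copy-pasted comment: `cwe = 90; // CWE for xpath injection` should read `cwe = 90; // CWE for LDAP injection`, since 90 is LDAP injection and the line above already covers XPath. Both rewritten if statements now put the body on its own line without braces; brace them (`if (...) {` / `cwe = 643; // CWE for xpath injection` / `}`) so a later edit cannot silently land outside the condition. The added `case "attApplicationRemoteCodeExecutionAdns" : return 78; // Score worse or` has a truncated comment, and `case "GV_SQLErr": return 00;` is added while the next hunk still carries the commented-out `// case "GV_SQLErr" : return 89; // Score worse or better with this or 00?` — settle the question and delete the dead line so the mapping has a single source of truth. The new one-line `case "x" : return n;` entries also differ from the `case "x":` / indented `return n;` layout used for the other entries in this same switch. The switch in cweLookup(String) continues past the end of the hunk.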
From: shivababuh <75662423+shivababuh@users.noreply.github.com> Date: Wed, 22 Sep 2021 15:30:51 +0530 Subject: [PATCH 2/3] Xss mods (#1) * XSS Scenarios * xss mods * review comments incorporated * Renamed Intermediate class & removed the commented out code Co-authored-by: user Co-authored-by: gituser Co-authored-by: kaveti.l --- .../testcode/BenchmarkTest02741.java | 54 +++++++++++++++ .../benchmark/testcode/BenchmarkTest02741.xml | 7 ++ .../testcode/BenchmarkTest02742.java | 53 +++++++++++++++ .../benchmark/testcode/BenchmarkTest02742.xml | 7 ++ .../testcode/BenchmarkTest02743.java | 40 +++++++++++ .../benchmark/testcode/BenchmarkTest02743.xml | 7 ++ .../testcode/BenchmarkTest02744.java | 38 +++++++++++ .../benchmark/testcode/BenchmarkTest02744.xml | 7 ++ .../testcode/BenchmarkTest02745.java | 47 +++++++++++++ .../benchmark/testcode/BenchmarkTest02745.xml | 7 ++ .../testcode/BenchmarkTest02746.java | 47 +++++++++++++ .../benchmark/testcode/BenchmarkTest02746.xml | 7 ++ .../benchmark/testcode/Intermediate.java | 56 ++++++++++++++++ .../testcode/SanitizingHttpServlet.java | 56 ++++++++++++++++ .../webapp/xss-00/BenchmarkTest02741.html | 39 +++++++++++ .../webapp/xss-00/BenchmarkTest02742.html | 39 +++++++++++ .../webapp/xss-00/BenchmarkTest02743.html | 66 +++++++++++++++++++ .../webapp/xss-00/BenchmarkTest02744.html | 64 ++++++++++++++++++ .../webapp/xss-00/BenchmarkTest02745.html | 39 +++++++++++ .../webapp/xss-00/BenchmarkTest02746.html | 39 +++++++++++ src/main/webapp/xss-Index.html | 14 ++++ 21 files changed, 733 insertions(+) create mode 100644 src/main/java/org/owasp/benchmark/testcode/BenchmarkTest02741.java create mode 100644 src/main/java/org/owasp/benchmark/testcode/BenchmarkTest02741.xml create mode 100644 src/main/java/org/owasp/benchmark/testcode/BenchmarkTest02742.java create mode 100644 src/main/java/org/owasp/benchmark/testcode/BenchmarkTest02742.xml create mode 100644 src/main/java/org/owasp/benchmark/testcode/BenchmarkTest02743.java create mode 
100644 src/main/java/org/owasp/benchmark/testcode/BenchmarkTest02743.xml create mode 100644 src/main/java/org/owasp/benchmark/testcode/BenchmarkTest02744.java create mode 100644 src/main/java/org/owasp/benchmark/testcode/BenchmarkTest02744.xml create mode 100644 src/main/java/org/owasp/benchmark/testcode/BenchmarkTest02745.java create mode 100644 src/main/java/org/owasp/benchmark/testcode/BenchmarkTest02745.xml create mode 100644 src/main/java/org/owasp/benchmark/testcode/BenchmarkTest02746.java create mode 100644 src/main/java/org/owasp/benchmark/testcode/BenchmarkTest02746.xml create mode 100644 src/main/java/org/owasp/benchmark/testcode/Intermediate.java create mode 100644 src/main/java/org/owasp/benchmark/testcode/SanitizingHttpServlet.java create mode 100644 src/main/webapp/xss-00/BenchmarkTest02741.html create mode 100644 src/main/webapp/xss-00/BenchmarkTest02742.html create mode 100644 src/main/webapp/xss-00/BenchmarkTest02743.html create mode 100644 src/main/webapp/xss-00/BenchmarkTest02744.html create mode 100644 src/main/webapp/xss-00/BenchmarkTest02745.html create mode 100644 src/main/webapp/xss-00/BenchmarkTest02746.html diff --git a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest02741.java b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest02741.java new file mode 100644 index 0000000000..30885f58a3 --- /dev/null +++ b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest02741.java @@ -0,0 +1,54 @@ +/** + * OWASP Benchmark Project v1.2 + * + *

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project. For + * details, please see https://owasp.org/www-project-benchmark/. + * + *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms + * of the GNU General Public License as published by the Free Software Foundation, version 2. + * + *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY + * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details. + * + * @author Nick Sanidas + * @created 2015 + */ +package org.owasp.benchmark.testcode; + + +import java.io.IOException; +import javax.servlet.ServletException; +import javax.servlet.annotation.WebServlet; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +@WebServlet(value = "/xss-00/BenchmarkTest02741") +public class BenchmarkTest02741 extends SanitizingHttpServlet { + + private static final long serialVersionUID = 1L; + + @Override + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + response.setContentType("text/html;charset=UTF-8"); + response.setHeader("X-XSS-Protection", "0"); + + String param = request.getParameter("email"); + if (param == null) param = ""; + String sanitizeParam = sanitizeAttribute(param); + + String htmlResponse = ""; + htmlResponse += + "

\n" + + " " + + "
"; + htmlResponse += ""; + + response.getWriter().println(htmlResponse); + } +} diff --git a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest02741.xml b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest02741.xml new file mode 100644 index 0000000000..8dae3f1b37 --- /dev/null +++ b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest02741.xml @@ -0,0 +1,7 @@ + + 1.2 + xss + 02741 + false + 79 + diff --git a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest02742.java b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest02742.java new file mode 100644 index 0000000000..1b0dc83561 --- /dev/null +++ b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest02742.java @@ -0,0 +1,53 @@ +/** + * OWASP Benchmark Project v1.2 + * + *

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project. For + * details, please see https://owasp.org/www-project-benchmark/. + * + *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms + * of the GNU General Public License as published by the Free Software Foundation, version 2. + * + *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY + * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details. + * + * @author Nick Sanidas + * @created 2015 + */ +package org.owasp.benchmark.testcode; + +import java.io.IOException; +import javax.servlet.ServletException; +import javax.servlet.annotation.WebServlet; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +@WebServlet(value = "/xss-00/BenchmarkTest02742") +public class BenchmarkTest02742 extends SanitizingHttpServlet { + + private static final long serialVersionUID = 1L; + + @Override + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + response.setContentType("text/html;charset=UTF-8"); + response.setHeader("X-XSS-Protection", "0"); + + String param = request.getParameter("email"); + if (param == null) param = ""; + String sanitizeParam = sanitizeTag(param); + + String htmlResponse = ""; + htmlResponse += + "

\n" + + " " + + "
"; + htmlResponse += ""; + + response.getWriter().println(htmlResponse); + } +} diff --git a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest02742.xml b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest02742.xml new file mode 100644 index 0000000000..7b26c50b83 --- /dev/null +++ b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest02742.xml @@ -0,0 +1,7 @@ + + 1.2 + xss + 02742 + true + 79 + diff --git a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest02743.java b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest02743.java new file mode 100644 index 0000000000..f3b452bf0c --- /dev/null +++ b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest02743.java @@ -0,0 +1,40 @@ +package org.owasp.benchmark.testcode; + +import java.io.IOException; +import java.util.regex.Matcher; +import java.util.regex.Pattern; +import javax.servlet.ServletException; +import javax.servlet.annotation.WebServlet; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +@WebServlet(value = "/xss-00/BenchmarkTest02743") +public class BenchmarkTest02743 extends SanitizingHttpServlet { + private static final long serialVersionUID = 1L; + + @Override + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + response.setContentType("text/html;charset=UTF-8"); + response.setHeader("X-XSS-Protection", "0"); + + String param = request.getParameter("email"); + if (param == null) param = ""; + Pattern p = + Pattern.compile( + "^[A-Z0-9._%+-]+@[A-Z0-9.-]+\\.[A-Z]{2,6}$", Pattern.CASE_INSENSITIVE); + Matcher m = p.matcher(param); + boolean b = m.find(); + String sanitizeParam = newSanitizedValue(param); + + String htmlRespone = ""; + response.getWriter().println(htmlRespone); + } +} 
diff --git a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest02743.xml b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest02743.xml new file mode 100644 index 0000000000..ab16fdfbc7 --- /dev/null +++ b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest02743.xml @@ -0,0 +1,7 @@ + + 1.2 + xss + 02743 + true + 79 + diff --git a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest02744.java b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest02744.java new file mode 100644 index 0000000000..b295b2dcd8 --- /dev/null +++ b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest02744.java @@ -0,0 +1,38 @@ +package org.owasp.benchmark.testcode; + +import java.io.IOException; +import java.util.regex.Matcher; +import java.util.regex.Pattern; +import javax.servlet.ServletException; +import javax.servlet.annotation.WebServlet; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +@WebServlet(value = "/xss-00/BenchmarkTest02744") +public class BenchmarkTest02744 extends SanitizingHttpServlet { + private static final long serialVersionUID = 1L; + + @Override + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + response.setContentType("text/html;charset=UTF-8"); + response.setHeader("X-XSS-Protection", "0"); + String param = request.getParameter("email"); + if (param == null) param = ""; + Pattern p = + Pattern.compile( + "^[A-Z0-9._%+-]+@[A-Z0-9.-]+\\.[A-Z]{2,6}$", Pattern.CASE_INSENSITIVE); + Matcher m = p.matcher(param); + boolean b = m.find(); + String sanitizeParam = newSanitizedValue(param); + + String htmlRespone = "

"; + if (param != null && param.trim().length() != 0 && b) { + htmlRespone += "Our reply will be sent to your email: " + sanitizeParam; + } else { + htmlRespone += "the provided email is not correct: " + sanitizeParam; + } + htmlRespone += "

"; + response.getWriter().println(htmlRespone); + } +} diff --git a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest02744.xml b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest02744.xml new file mode 100644 index 0000000000..fc113cc247 --- /dev/null +++ b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest02744.xml @@ -0,0 +1,7 @@ + + 1.2 + xss + 02744 + false + 79 + diff --git a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest02745.java b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest02745.java new file mode 100644 index 0000000000..23cb6aa285 --- /dev/null +++ b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest02745.java @@ -0,0 +1,47 @@ +/** + * OWASP Benchmark Project v1.2 + * + *

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project. For + * details, please see https://owasp.org/www-project-benchmark/. + * + *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms + * of the GNU General Public License as published by the Free Software Foundation, version 2. + * + *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY + * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details. + * + * @author Nick Sanidas + * @created 2015 + */ +package org.owasp.benchmark.testcode; + +import java.io.IOException; +import javax.servlet.ServletException; +import javax.servlet.annotation.WebServlet; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +@WebServlet(value = "/xss-00/BenchmarkTest02745") +public class BenchmarkTest02745 extends SanitizingHttpServlet { + + private static final long serialVersionUID = 1L; + + @Override + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + response.setContentType("text/html;charset=UTF-8"); + response.setHeader("X-XSS-Protection", "0"); + + String param = request.getParameter("email"); + if (param == null) param = ""; + String sanitizeParam = sanitizeAttribute(param); + + String htmlResponse = ""; + htmlResponse += "" + sanitizeParam + ""; + htmlResponse += ""; + + response.getWriter().println(htmlResponse); + } +} diff --git a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest02745.xml b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest02745.xml new file mode 100644 index 0000000000..30e6c34ad1 --- /dev/null +++ b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest02745.xml @@ -0,0 +1,7 @@ + + 1.2 + xss + 02745 + true + 79 + \ No newline at end of file diff --git a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest02746.java b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest02746.java new file mode 100644 index 0000000000..c271cfc6aa --- /dev/null +++ b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest02746.java @@ -0,0 +1,47 @@ +/** + * OWASP Benchmark Project v1.2 + * + *

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project. For + * details, please see https://owasp.org/www-project-benchmark/. + * + *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms + * of the GNU General Public License as published by the Free Software Foundation, version 2. + * + *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY + * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details. + * + * @author Nick Sanidas + * @created 2015 + */ +package org.owasp.benchmark.testcode; + +import java.io.IOException; +import javax.servlet.ServletException; +import javax.servlet.annotation.WebServlet; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +@WebServlet(value = "/xss-00/BenchmarkTest02746") +public class BenchmarkTest02746 extends SanitizingHttpServlet { + + private static final long serialVersionUID = 1L; + + @Override + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + response.setContentType("text/html;charset=UTF-8"); + response.setHeader("X-XSS-Protection", "0"); + + String param = request.getParameter("email"); + if (param == null) param = ""; + String sanitizeParam = sanitizeTag(param); + + String htmlResponse = ""; + htmlResponse += "" + sanitizeParam + ""; + htmlResponse += ""; + + response.getWriter().println(htmlResponse); + } +} diff --git a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest02746.xml b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest02746.xml new file mode 100644 index 0000000000..56daff28eb --- /dev/null +++ b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest02746.xml @@ -0,0 +1,7 @@ + + 1.2 + xss + 02746 + false + 79 + \ No newline at end of file diff --git a/src/main/java/org/owasp/benchmark/testcode/Intermediate.java b/src/main/java/org/owasp/benchmark/testcode/Intermediate.java new file mode 100644 index 0000000000..cffa7e7d5b --- /dev/null +++ b/src/main/java/org/owasp/benchmark/testcode/Intermediate.java @@ -0,0 +1,56 @@ +/** + * OWASP Benchmark Project v1.2 + * + *

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project. For + * details, please see https://owasp.org/www-project-benchmark/. + * + *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms + * of the GNU General Public License as published by the Free Software Foundation, version 2. + * + *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY + * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details. + * + * @author Nick Sanidas + * @created 2015 + */ +package org.owasp.benchmark.testcode; + +import java.io.IOException; +import javax.servlet.ServletException; +import javax.servlet.http.HttpServlet; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +public class Intermediate extends HttpServlet { + + @Override + public void doGet(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + doPost(request, response); + } + + protected String sanitizeAttribute(String parameter) { + String parameter1 = parameter; + parameter1 = parameter1.replaceAll("'", "'"); + parameter1 = parameter1.replaceAll("\"", """); + parameter1 = parameter1.replaceAll("&", "&"); + return parameter1; + } + + protected String sanitizeTag(String parameter) { + String parameter1 = parameter; + parameter1 = parameter1.replaceAll("&", "&"); + parameter1 = parameter1.replaceAll("<", "\\u003C"); + parameter1 = parameter1.replaceAll(">", "\\u003E"); + return parameter1; + } + + protected String newSanitizedValue(String parameter) { + parameter = parameter.replaceAll("&", "&"); + parameter = parameter.replaceAll("<", "<"); + parameter = parameter.replaceAll(">", ">"); + return parameter; + } +} diff --git a/src/main/java/org/owasp/benchmark/testcode/SanitizingHttpServlet.java b/src/main/java/org/owasp/benchmark/testcode/SanitizingHttpServlet.java new file mode 100644 index 0000000000..ac27352d4c --- /dev/null +++ b/src/main/java/org/owasp/benchmark/testcode/SanitizingHttpServlet.java @@ -0,0 +1,56 @@ +/** + * OWASP Benchmark Project v1.2 + * + *
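Review bot: Intermediate.java is line-for-line the same class as SanitizingHttpServlet.java added right after it, and the commit message says Intermediate was renamed, so this file looks like a leftover that should not be added at all; none of the six new test cases extend it. In both copies sanitizeAttribute replaces `&` last, after `'` and `"`; if those replacements insert character entities (presumably `&#39;`-style — the listing shows them decoded), the later `&` pass re-encodes the ampersand of each entity just inserted, so the `&` replacement must run first, as newSanitizedValue already does. sanitizeTag substitutes the six-character sequences `\u003C` and `\u003E`, which are JavaScript string escapes rather than HTML entities, so the method only has meaning for a JS-string context and its name and a Javadoc line should say so.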

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project. For + * details, please see https://owasp.org/www-project-benchmark/. + * + *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms + * of the GNU General Public License as published by the Free Software Foundation, version 2. + * + *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY + * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details. + * + * @author Nick Sanidas + * @created 2015 + */ +package org.owasp.benchmark.testcode; + +import java.io.IOException; +import javax.servlet.ServletException; +import javax.servlet.http.HttpServlet; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +public class SanitizingHttpServlet extends HttpServlet { + + @Override + public void doGet(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + doPost(request, response); + } + + protected String sanitizeAttribute(String parameter) { + String parameter1 = parameter; + parameter1 = parameter1.replaceAll("'", "'"); + parameter1 = parameter1.replaceAll("\"", """); + parameter1 = parameter1.replaceAll("&", "&"); + return parameter1; + } + + protected String sanitizeTag(String parameter) { + String parameter1 = parameter; + parameter1 = parameter1.replaceAll("&", "&"); + parameter1 = parameter1.replaceAll("<", "\\u003C"); + parameter1 = parameter1.replaceAll(">", "\\u003E"); + return parameter1; + } + + protected String newSanitizedValue(String parameter) { + parameter = parameter.replaceAll("&", "&"); + parameter = parameter.replaceAll("<", "<"); + parameter = parameter.replaceAll(">", ">"); + return parameter; + } +} diff --git a/src/main/webapp/xss-00/BenchmarkTest02741.html b/src/main/webapp/xss-00/BenchmarkTest02741.html new file mode 100644 index 0000000000..32a11425d1 --- /dev/null +++ b/src/main/webapp/xss-00/BenchmarkTest02741.html @@ -0,0 +1,39 @@ + + + + + + +BenchmarkTest02741 + + +
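Review bot: None of the three sanitizers in SanitizingHttpServlet documents the output context it is meant for, which is the one fact a test-case author needs when choosing between them; add one-line Javadoc such as `/** Escapes the characters that delimit a quoted HTML attribute value; not sufficient for element content or script contexts. */` on sanitizeAttribute, `/** Replaces the three markup characters with JavaScript string escapes; only meaningful inside a JS string literal. */` on sanitizeTag, and `/** Entity-encodes &amp;, &lt; and &gt; for HTML element content. */` on newSanitizedValue, plus `/** Delegates GET to doPost so both verbs exercise the same sink. */` on doGet. Every replacement uses `replaceAll`, which compiles its first argument as a regex on each call; the arguments are fixed single characters, so `replace("&", ...)` is the literal-string idiom and avoids the per-call Pattern. The same sanitizer code is duplicated in Intermediate.java above.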

+
+ +
+
+
+ +
+
+ +
+
+ +
+
+ +
+
 
+
+ +
+
+
+ +
+
+ + + diff --git a/src/main/webapp/xss-00/BenchmarkTest02742.html b/src/main/webapp/xss-00/BenchmarkTest02742.html new file mode 100644 index 0000000000..2d637db545 --- /dev/null +++ b/src/main/webapp/xss-00/BenchmarkTest02742.html @@ -0,0 +1,39 @@ + + + + + + +BenchmarkTest02742 + + +
+
+ +
+
+
+ +
+
+ +
+
+ +
+
+ +
+
 
+
+ +
+
+
+ +
+
+ + + diff --git a/src/main/webapp/xss-00/BenchmarkTest02743.html b/src/main/webapp/xss-00/BenchmarkTest02743.html new file mode 100644 index 0000000000..0dcccbe0d2 --- /dev/null +++ b/src/main/webapp/xss-00/BenchmarkTest02743.html @@ -0,0 +1,66 @@ + + + + + + +BenchmarkTest02743 + + +
+
+

Feedback

+ +

+ Our Frequently Asked Questions area will help you with many of your inquiries.
If you can't find your question, return to this page and use the e-mail form below. +

+ +

+ IMPORTANT! This feedback facility is not secure. Please do not send any
account information in a message sent from here. +

+ + +
+ +
+
+
+ +
+
+ +
+
+ +
+
+ +
+
+ +
+
+ +
+
+ +
+
+ +
+
+ +
+
+
+ +
+
+ +
+
+ + + + +
diff --git a/src/main/webapp/xss-00/BenchmarkTest02744.html b/src/main/webapp/xss-00/BenchmarkTest02744.html
new file mode 100644
index 0000000000..83f316f6ec
--- /dev/null
+++ b/src/main/webapp/xss-00/BenchmarkTest02744.html
@@ -0,0 +1,64 @@
+ + + + + + +BenchmarkTest02744 + + +
+
+

Feedback

+ +

+ Our Frequently Asked Questions area will help you with many of your inquiries.
If you can't find your question, return to this page and use the e-mail form below. +

+ +

+ IMPORTANT! This feedback facility is not secure. Please do not send any
account information in a message sent from here. +

+ + +
+ +
+
+
+ +
+
+ +
+
+ +
+
+ +
+
+ +
+
+ +
+
+ +
+
+ +
+
+ +
+
+
+ +
+
+ +
+
+ + +
diff --git a/src/main/webapp/xss-00/BenchmarkTest02745.html b/src/main/webapp/xss-00/BenchmarkTest02745.html
new file mode 100644
index 0000000000..5c43606da0
--- /dev/null
+++ b/src/main/webapp/xss-00/BenchmarkTest02745.html
@@ -0,0 +1,39 @@
+ + + + + + +BenchmarkTest02745 + + +
+
+ +
+
+
+ +
+
+ +
+
+ +
+
+ +
+
 
+
+ +
+
+
+ +
+
+ + + +
diff --git a/src/main/webapp/xss-00/BenchmarkTest02746.html b/src/main/webapp/xss-00/BenchmarkTest02746.html
new file mode 100644
index 0000000000..b3950791b0
--- /dev/null
+++ b/src/main/webapp/xss-00/BenchmarkTest02746.html
@@ -0,0 +1,39 @@
+ + + + + + +BenchmarkTest02746 + + +
+
+ +
+
+
+ +
+
+ +
+
+ +
+
+ +
+
 
+
+ +
+
+
+ +
+
+ + + +
diff --git a/src/main/webapp/xss-Index.html b/src/main/webapp/xss-Index.html
index 08dd9edb48..62f1a79595 100644
--- a/src/main/webapp/xss-Index.html
+++ b/src/main/webapp/xss-Index.html
@@ -480,6 +480,20 @@

OWASP Benchmark XSS (Cross-Site Scripting) Test Case Index

  • BenchmarkTest02695
  • BenchmarkTest02696
  • BenchmarkTest02712
  • +
  • BenchmarkTest02741
  • + +
  • BenchmarkTest02742
  • + +
  • BenchmarkTest02743
  • + +
  • BenchmarkTest02744
  • + + +
  • BenchmarkTest02745
  • + +
  • BenchmarkTest02746
  • + + From 77d6eb9edbcca81b8b7da5a0277448c92ba81ed8 Mon Sep 17 00:00:00 2001 From: lakshmankaveti1911 <60958252+lakshmankaveti1911@users.noreply.github.com> Date: Wed, 15 Dec 2021 13:00:09 +0530 Subject: [PATCH 3/3] xss_new_scenarios (#4) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * XSS Scenarios * xss mods * review comments incorporated * scripts to create several SAST reports * Update AppScanDynamicReader2.java per pull request #157, with additional changes by me, including running spotless properly. * Update codeql-analysis.yml CodeQL auto build is failing with a "Picked up JAVA_TOOL_OPTIONS:..." message, so let's try a plain old Maven build. * Update codeql-analysis.yml Ensure that the CodeQL workflow checks out enough git history to support the spotless ratchetFrom test in the Maven build. * Update README.md Trivial grammar fix. * Renamed Intermediate class & removed the commented out code * change horusec to docker * prevent installation outputs * insider - check for availability and updates * use docker instead of calling semgrep directly * require docker * fix typo * Upgrade a bunch of dependencies and remove a few unused ones. * fix insider installation check 🙈 * execute bit for docker script * more preconditions checks * store sonarqube credentials in seperate file * prevent adding of sonarqube credentials * docker cleanup * Revert "docker cleanup" This reverts commit 70e7c48bab28ed988e3046c6b26f96b0a468a02f. * docker cleanup * Add dependency used by a script. Minor tweaks to a few scripts. * A few minor fixes to the other IAST run scripts. * This is a MAJOR change. This commit rips out all the utilities included with Benchmark to score it, run crawlers on it, etc. Those utilities are now in a seperate project called BenchmarkUtils. BenchmarkUtils produces a maven plugin that is now used by all the scoring and crawling scripts updated in this commit. 
You have to clone BenchmarkUtils, then run: mvn install, to get the plugin (which is built and installed locally). * Proxy Settings added to OWASP Benchmark Crawler to enable different hosts (#1) * Simplify configuration of 2 config files. Minor updates to a number of test cases. * Updated the Dockerfile to reflect the repo change to BenchmarkJava * Fix utility method so more 'standard' headers are filtered out when trying to identify the custom header for test cases that use that. * Intermediate file is deleted Co-authored-by: user Co-authored-by: gituser Co-authored-by: kaveti.l Co-authored-by: Sascha Knoop Co-authored-by: Dave Wichers Co-authored-by: dandersonaspect Co-authored-by: Arun Muthu <36296285+arunmuthu255@users.noreply.github.com> Co-authored-by: Arun Muthu Co-authored-by: shivababuh <75662423+shivababuh@users.noreply.github.com>