diff --git a/README.md b/README.md index a36fbbb..e3e7f9a 100644 --- a/README.md +++ b/README.md @@ -134,9 +134,41 @@ Explore the API endpoints and documentation here: org.json json - 20231013 + 20240303 com.nimbusds nimbus-jose-jwt - 9.38-rc3 + 9.41.2 org.bouncycastle @@ -27,17 +27,17 @@ com.google.code.gson gson - 2.10.1 + 2.11.0 org.seleniumhq.selenium selenium-java - 4.16.1 + 4.25.0 org.apache.santuario xmlsec - 4.0.1 + 4.0.2 com.sun.xml.security @@ -47,7 +47,7 @@ org.junit.jupiter junit-jupiter-engine - 5.10.1 + 5.11.2 test @@ -58,7 +58,7 @@ net.minidev json-smart - 2.5.0 + 2.5.1 org.apache.httpcomponents @@ -73,44 +73,44 @@ com.networknt json-schema-validator - 1.2.0 + 1.5.2 org.apache.commons commons-text - 1.11.0 + 1.12.0 org.eclipse.jetty jetty-server - 9.4.3.v20170317 + 11.0.24 org.eclipse.jetty jetty-servlet - 9.4.3.v20170317 + 11.0.24 io.jsonwebtoken jjwt-api - 0.11.2 + 0.12.6 io.jsonwebtoken jjwt-impl - 0.11.2 + 0.12.6 runtime io.jsonwebtoken jjwt-jackson - 0.11.2 + 0.12.6 runtime org.springframework.security spring-security-crypto - 5.4.6 + 6.3.3 diff --git a/tool/pom.xml.versionsBackup b/tool/pom.xml.versionsBackup new file mode 100644 index 0000000..bcb4738 --- /dev/null +++ b/tool/pom.xml.versionsBackup 
@@ -0,0 +1,180 @@ + + + 4.0.0 + + FBK.MIG + mig-t + beta + + + + org.json + json + 20231013 + + + com.nimbusds + nimbus-jose-jwt + 9.38-rc3 + + + org.bouncycastle + bcpkix-jdk15on + 1.70 + + + com.google.code.gson + gson + 2.10.1 + + + org.seleniumhq.selenium + selenium-java + 4.16.1 + + + org.apache.santuario + xmlsec + 4.0.1 + + + com.sun.xml.security + xml-security-impl + 1.0 + + + org.junit.jupiter + junit-jupiter-engine + 5.10.1 + test + + + com.jayway.jsonpath + json-path + 2.9.0 + + + net.minidev + json-smart + 2.5.0 + + + org.apache.httpcomponents + httpclient + 4.5.14 + + + org.apache.httpcomponents + httpcore + 4.4.16 + + + com.networknt + json-schema-validator + 1.2.0 + + + org.apache.commons + commons-text + 1.11.0 + + + org.eclipse.jetty + jetty-server + 9.4.3.v20170317 + + + org.eclipse.jetty + jetty-servlet + 9.4.3.v20170317 + + + io.jsonwebtoken + jjwt-api + 0.11.2 + + + io.jsonwebtoken + jjwt-impl + 0.11.2 + runtime + + + io.jsonwebtoken + jjwt-jackson + 0.11.2 + runtime + + + org.springframework.security + spring-security-crypto + 5.4.6 + + + + + 11 + 11 + + + + + + src/main/resources + + **/* + + + + + + org.apache.maven.plugins + maven-surefire-plugin + 3.1.2 + + + maven-assembly-plugin + + + + + + + jar-with-dependencies + + + + + make-assembly + package + + single + + + + + + org.apache.maven.plugins + maven-enforcer-plugin + 3.3.0 + + + enforce-maven + + enforce + + + + + 3.0 + + + + + + + + + \ No newline at end of file diff --git a/tool/src/main/java/migt/ExecuteWebServer.java b/tool/src/main/java/migt/ExecuteWebServer.java index 2224786..4fd8497 100644 --- a/tool/src/main/java/migt/ExecuteWebServer.java +++ b/tool/src/main/java/migt/ExecuteWebServer.java 
@@ -1,68 +1,51 @@ package migt; -import com.google.gson.Gson; -import com.google.gson.GsonBuilder; - import burp.IBurpExtenderCallbacks; - -import java.io.*; -import java.net.URL; -import java.nio.charset.StandardCharsets; -import java.security.Key; -import java.util.ArrayList; -import java.util.Arrays; -import java.util.Date; -import java.util.List; - -import com.google.gson.JsonObject; -import com.google.gson.JsonParser; -import io.jsonwebtoken.security.Keys; +import com.google.gson.*; +import com.google.gson.reflect.TypeToken; import org.eclipse.jetty.server.Server; import org.eclipse.jetty.server.handler.AbstractHandler; -import org.eclipse.jetty.server.handler.HandlerList; -import org.eclipse.jetty.servlet.ServletContextHandler; -import org.eclipse.jetty.servlet.ServletHolder; import org.eclipse.jetty.server.handler.ResourceHandler; -import javax.servlet.ServletException; +import jakarta.servlet.http.HttpServletResponse; +import jakarta.servlet.http.HttpServletRequest; +import javax.swing.table.DefaultTableModel; import java.io.IOException; - -import org.eclipse.jetty.servlet.ServletContextHandler; -import org.eclipse.jetty.servlet.ServletHolder; -import org.json.JSONObject; -import org.springframework.security.crypto.bcrypt.BCrypt; -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; -import javax.swing.*; -import java.io.BufferedReader; import java.io.PrintWriter; -import java.util.concurrent.BlockingQueue; -import java.util.concurrent.LinkedBlockingQueue; -import io.jsonwebtoken.Jwts; -import io.jsonwebtoken.Claims; -import io.jsonwebtoken.SignatureAlgorithm; - - +import java.nio.charset.StandardCharsets; +import java.security.MessageDigest; +import java.security.NoSuchAlgorithmException; +import java.util.Base64; +import java.util.Map; public class ExecuteWebServer implements Runnable { static Main mainPane; - static String[] messages = new String[17]; - static String[] outputMessages = new String[4]; private 
IBurpExtenderCallbacks callbacks; - private static final int PORT = 3000; - private volatile boolean isRunning = true; - static String outputMessageValidation; - static String file1; - static String file2; - static String userInput; - static String jsonString; - private static final List users = new ArrayList<>(); - private static final int BCRYPT_ROUNDS = 10; + + private boolean enableAuthentication = true; + private String authenticationKey = null; public ExecuteWebServer(IBurpExtenderCallbacks callbacks, Main mainPane) { this.callbacks = callbacks; this.mainPane = mainPane; + + enableAuthentication = Boolean.parseBoolean(System.getProperty("migt.webserver.enableauth", "false")); + if(enableAuthentication) { + authenticationKey = sha256(System.getProperty("migt.webserver.authkey")); + } + + } + + public String sha256(String original) { + try { + MessageDigest md = MessageDigest.getInstance("SHA-256"); + byte[] hash = md.digest(original.getBytes(StandardCharsets.UTF_8)); + return new String(hash, StandardCharsets.UTF_8); + } catch(NoSuchAlgorithmException ignored) { + // È sicuro? Probabilmente no + return original; + } } public void run() { @@ -77,7 +60,9 @@ public void run() { } public void start() throws Exception { - Server server = new Server(PORT); + int port = Integer.parseInt(System.getProperty("migt.webserver.port", "3000")); + + Server server = new Server(port); ResourceHandler resourceHandler = new ResourceHandler(); 
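Review bot: The new `sha256` helper decodes the raw digest with `new String(hash, StandardCharsets.UTF_8)`; a 32-byte digest is almost never valid UTF-8, so every malformed sequence is replaced by U+FFFD, distinct digests can collapse onto the same string, and the comparison later done against `authenticationKey` runs on a lossy value. Encode the bytes instead (`java.util.Base64` is already imported by this hunk) or keep the `byte[]`. The `catch (NoSuchAlgorithmException)` branch returning the plaintext key is also wrong: SHA-256 is mandatory on every Java platform, so the honest behaviour is to throw, and the Italian comment (`// È sicuro? Probabilmente no`) should become English. Separately, when `migt.webserver.enableauth` is true but `migt.webserver.authkey` is unset, `original.getBytes(...)` fails with a bare NullPointerException from the constructor; a guard with a clear message is better. The class body continues after this hunk.
```java
    public ExecuteWebServer(IBurpExtenderCallbacks callbacks, Main mainPane) {
        // … unchanged: field assignments and enableAuthentication parsing …
        if (enableAuthentication) {
            String configuredKey = System.getProperty("migt.webserver.authkey");
            if (configuredKey == null || configuredKey.isEmpty()) {
                throw new IllegalStateException(
                        "migt.webserver.enableauth=true requires migt.webserver.authkey to be set");
            }
            authenticationKey = sha256(configuredKey);
        }
    }

    /** Returns the Base64 encoding of the SHA-256 digest of {@code original} (UTF-8). */
    public String sha256(String original) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            byte[] hash = md.digest(original.getBytes(StandardCharsets.UTF_8));
            // Raw digest bytes are not text; encode them rather than decoding as UTF-8.
            return Base64.getEncoder().encodeToString(hash);
        } catch (NoSuchAlgorithmException e) {
            // SHA-256 is required on every JVM; never fall back to returning the plaintext key.
            throw new IllegalStateException("SHA-256 is not available", e);
        }
    }
```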
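Review bot: `new Server(port)` binds the listener on all interfaces, while the log line added below says `http://localhost:` and authentication is off unless `migt.webserver.enableauth` is explicitly set, so by default the test-execution API is reachable from the network. Bind to the loopback address: `Server server = new Server(new InetSocketAddress("127.0.0.1", port));` with `import java.net.InetSocketAddress;` added to the imports. A non-numeric `migt.webserver.port` also escapes as a raw `NumberFormatException`; catching it and reporting the property name would help. The body of `start()` continues outside this hunk.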
@@ -89,441 +74,141 @@ public void start() throws Exception { server.insertHandler(resourceHandler); server.start(); - callbacks.printOutput("Server is running at http://localhost:" + PORT); + callbacks.printOutput("Server is running at http://localhost:" + port); server.join(); } - static class SendMessageHandler extends AbstractHandler { - - private static final String SECRET_KEY = "eldk8ubHkfPvjNcXVHQX1VRN+T+2pQ/XWRFKH1Ixjuc="; - private static final BlockingQueue requestQueue = new LinkedBlockingQueue<>(); + class SendMessageHandler extends AbstractHandler { @Override public void handle(String target, org.eclipse.jetty.server.Request baseRequest, HttpServletRequest request, HttpServletResponse response) - throws IOException, ServletException { - - response.setHeader("Access-Control-Allow-Origin", "*"); - response.setHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS"); - response.setHeader("Access-Control-Allow-Headers", "Content-Type, Authorization"); - - if ("/users".equals(target) && baseRequest.getMethod().equals("POST")) { - //aggiungo nuovo utente solo se non è già presente nel sistema - try { - String requestBody = request.getReader().lines().reduce("", (accumulator, actual) -> accumulator + actual); - JsonObject jsonObject = JsonParser.parseString(requestBody).getAsJsonObject(); - String name = jsonObject.get("name").getAsString(); - String password = jsonObject.get("password").getAsString(); - - //verifico - boolean userExists = users.stream() - .anyMatch(u -> u.getName().equals(name)); - - if (userExists) { - //utente già presente, 409 Conflict - response.setStatus(HttpServletResponse.SC_CONFLICT); - PrintWriter out = response.getWriter(); - out.println("User already exists"); - } else { - //utente non presente, quindi aggiungo - //hash - String hashedPassword = BCrypt.hashpw(password, BCrypt.gensalt(BCRYPT_ROUNDS)); - - //creo utente - User user = new User(name, hashedPassword); - users.add(user); - - 
response.setStatus(HttpServletResponse.SC_CREATED); - baseRequest.setHandled(true); - } - } catch (Exception e) { - response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR); - baseRequest.setHandled(true); - } - } - if ("/users/login".equals(target) && baseRequest.getMethod().equals("POST")) { - //Autenticazione utente - try { - String requestBody = request.getReader().lines().reduce("", (accumulator, actual) -> accumulator + actual); - JsonObject jsonObject = JsonParser.parseString(requestBody).getAsJsonObject(); - String name = jsonObject.get("name").getAsString(); - - String password = jsonObject.get("password").getAsString(); - - User user = users.stream() - .filter(u -> u.getName().equals(name)) - .findFirst() - .orElse(null); - - if (user != null && BCrypt.checkpw(password, user.getPassword())) { - response.setStatus(HttpServletResponse.SC_OK); - PrintWriter out = response.getWriter(); - //ritorno JWT alla SPA - String jwt = generateJWT(user.getName()); - out.println("{\"token\": \"" + jwt + "\"}"); - } else { - response.setStatus(HttpServletResponse.SC_UNAUTHORIZED); - PrintWriter out = response.getWriter(); - out.println("Not Allowed"); - } + throws IOException { - baseRequest.setHandled(true); - } catch (Exception e) { - response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR); - baseRequest.setHandled(true); + if(enableAuthentication) { + String key = request.getHeader("X-AuthKey"); + if(key == null || !sha256(key).equals(authenticationKey)) { + response.sendError(403); + return; } } - //------------------------------------------API only for validation - if ("/validation".equals(target) && baseRequest.getMethod().equals("POST")) { - //verifico JWT nell'intestazione Authorization - String jwt = request.getHeader("Authorization"); - if (jwt != null && jwt.startsWith("Bearer ")) { - String token = jwt.substring(7); //rimuove il prefisso "Bearer" - - //verifica il token - try { - Key key = Keys.hmacShaKeyFor(SECRET_KEY.getBytes()); - Claims 
claims = Jwts.parserBuilder().setSigningKey(key).build().parseClaimsJws(token).getBody(); - String username = claims.getSubject(); - - StringBuilder requestBodyBuilder = new StringBuilder(); - try (BufferedReader reader = request.getReader()) { - String line; - while ((line = reader.readLine()) != null) { - requestBodyBuilder.append(line).append(System.lineSeparator()); - } - } - - String requestBody = requestBodyBuilder.toString(); - response.setStatus(HttpServletResponse.SC_OK); - RequestData requestData = new RequestData(System.currentTimeMillis(), requestBody); - requestQueue.add(requestData); - - synchronized (this) { - mainPane.readJSONinput(requestBody); - outputMessageValidation = mainPane.lblOutput.getText(); - if (outputMessageValidation == null || outputMessageValidation.trim().isEmpty()) { - outputMessageValidation = "Validate Test"; - } - } - - RequestData oldestRequest = requestQueue.poll(); - if (oldestRequest != null) { - response.setContentType("application/json"); - response.setCharacterEncoding("UTF-8"); - - JSONObject jsonResponse = new JSONObject(); + response.setHeader("Access-Control-Allow-Origin", "*"); + response.setHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS"); + response.setHeader("Access-Control-Allow-Headers", "Content-Type, Authorization"); + if("/execute".equals(target) && baseRequest.getMethod().equals("POST")) { + // read content + JsonObject body = new Gson().fromJson(request.getReader(), TypeToken.get(JsonObject.class)); - jsonResponse.put("validation:", "" + outputMessageValidation); + // apply test + mainPane.txtSearch.setText(body.get("test").getAsString()); + mainPane.btnReadJSON.doClick(); - PrintWriter writer = response.getWriter(); - writer.println(jsonResponse.toString()); - } - response.setStatus(HttpServletResponse.SC_OK); - } catch (Exception e) { - //JWT non valido, restituisci un errore - response.setStatus(HttpServletResponse.SC_UNAUTHORIZED); - response.getWriter().println("Invalid 
token"); - } + // verify errors + JsonObject result = new JsonObject(); + String error = mainPane.lblOutput.getText(); + if (false) { + result.addProperty("success", false); + result.addProperty("error", error); } else { - //JWT mancante nell'intestazione Authorization - response.setStatus(HttpServletResponse.SC_UNAUTHORIZED); - response.getWriter().println("JWT missing in Authorization header"); - } - //richiesta è stata gestita - baseRequest.setHandled(true); - } - //------------------------------------------ - if ("/messages".equals(target) && baseRequest.getMethod().equals("POST")) { - //verifico JWT nell'intestazione Authorization - String jwt = request.getHeader("Authorization"); - if (jwt != null && jwt.startsWith("Bearer ")) { - String token = jwt.substring(7); //rimuove il prefisso "Bearer" - - //verifica il token - try { - Key key = Keys.hmacShaKeyFor(SECRET_KEY.getBytes()); - Claims claims = Jwts.parserBuilder().setSigningKey(key).build().parseClaimsJws(token).getBody(); - String username = claims.getSubject(); - - StringBuilder requestBodyBuilder = new StringBuilder(); - try (BufferedReader reader = request.getReader()) { - String line; - while ((line = reader.readLine()) != null) { - requestBodyBuilder.append(line).append(System.lineSeparator()); - } - } - - String requestBody = requestBodyBuilder.toString(); - //int index = requestBody.indexOf("&"); - JSONObject jsonObject = new JSONObject(requestBody); - String combinedContent = jsonObject.getString("msg"); - int index = combinedContent.indexOf("&"); - - //verifica se "&" è presente nella stringa - if (index != -1) { - //estrai la prima parte (fino a "&" esclusa) - //file1 = requestBody.substring(0, index).trim(); - file1 = combinedContent.substring(0, index).trim(); - - //estrai la seconda parte (da "&" esclusa alla fine) - //file2 = requestBody.substring(index + 1).trim(); - file2 = combinedContent.substring(index + 1).trim(); - + // import sessions + JsonObject sessions = 
body.get("sessions").getAsJsonObject(); + for (Map.Entry s : sessions.asMap().entrySet()) { + String content = s.getValue().getAsString(); + if ("main".equals(s.getKey())) { + mainPane.txtScript.setText(content); } else { - mainPane.callbacks.printOutput("Il carattere '&' non è presente nella stringa."); + mainPane.sessions_text.get(s.getKey()).setText(content); } + } - response.setStatus(HttpServletResponse.SC_OK); - RequestData requestData = new RequestData(System.currentTimeMillis(), requestBody); - requestQueue.add(requestData); - - String[] finalMessages = new String[4]; - - synchronized (this) { - mainPane.txtScript.setText(file1); - mainPane.txtSearch.setText(file2); - mainPane.readJSONinput(file2); - mainPane.executeSuite(); - - createMessages(); - //createJsonString(username); - createJsonString(); - System.out.println("Json returned is\n" + jsonString); - finalMessages = outputMessages; - } + result.addProperty("success", true); + } - RequestData oldestRequest = requestQueue.poll(); - if (oldestRequest != null) { - response.setContentType("application/json"); - response.setCharacterEncoding("UTF-8"); + mainPane.btnExecuteSuite.doClick(); - JSONObject jsonResponse = new JSONObject(); - jsonResponse.put("Test Name", "Test Name: "+finalMessages[0]); - jsonResponse.put("Description", "Description: "+finalMessages[1]); - jsonResponse.put("Result", "Result: "+finalMessages[2]); - jsonResponse.put("Details", finalMessages[3]); + writeOutputJson(result, response.getWriter()); + baseRequest.setHandled(true); - PrintWriter writer = response.getWriter(); - writer.println(jsonResponse.toString()); + } else if("/result".equals(target)) { + DefaultTableModel res = Main.resultTableModel; + JsonObject result = new JsonObject(); + if(res.getRowCount() > 0) { + String param = request.getParameter("verbose"); + boolean verbose = Boolean.parseBoolean(param); + + result.addProperty("finished", true); + TestSuite ts = mainPane.testSuite; + + JsonArray tests = new JsonArray(); 
+ for(int i = 0; i < ts.tests.size(); i++) { + Test t = ts.tests.get(i); + JsonObject record = new JsonObject(); + record.addProperty("references", t.references); + record.addProperty("test name", t.getName()); + record.addProperty("description", t.getDescription()); + record.addProperty("type", t.isActive ? "active" : "passive"); + record.addProperty("mitigations", t.mitigations); + record.addProperty("result", t.applicable ? (t.success ? "success" : "failed") : "not applicable"); + /* record.addProperty("statements", ""); + System.out.println("Affected entity: " + t.affected_entity); + record.add("affected entity", JsonNull.INSTANCE); */ + + JsonArray details = new JsonArray(); + if(verbose) { + for (int ii = 0; ii < t.getRows().size(); ii++) { + String[] r = t.getRows().get(ii); + int index0 = Integer.parseInt(r[0]); + int index = Integer.parseInt(r[4]); + + JsonObject a = new JsonObject(); + //a.addProperty("op. num", index0); + a.addProperty("message type", r[1]); + // a.addProperty("message section", r[2]); + // a.addProperty("check/regex", r[3]); + // a.addProperty("index", index); + // a.addProperty("result", r[4]); // TODO: fix + Operation op = t.operations.get(index0); + + try { + MessageType mt = MessageType.getFromList(mainPane.messageTypes, op.getMessageType()); + for (HTTPReqRes msg : op.matchedMessages) { + if (msg.index == index) { + if (mt.msg_to_process_is_request) { + a.addProperty("request", Base64.getEncoder().encodeToString(msg.getRequest())); + } else { + a.addProperty("response", Base64.getEncoder().encodeToString(msg.getResponse())); + } + } + } + } catch (ParsingException ignored) { + // nothing + } + details.add(a); + } + record.add("details", details); } - response.setStatus(HttpServletResponse.SC_OK); - } catch (Exception e) { - //JWT non valido, restituisci un errore - response.setStatus(HttpServletResponse.SC_UNAUTHORIZED); - response.getWriter().println("Invalid token"); + tests.add(record); } + result.add("tests", tests); } else { - 
//JWT mancante nell'intestazione Authorization - response.setStatus(HttpServletResponse.SC_UNAUTHORIZED); - response.getWriter().println("JWT missing in Authorization header"); - } - //richiesta è stata gestita - baseRequest.setHandled(true); - } - } - - private static String generateJWT(String user) { - Key key = Keys.hmacShaKeyFor(SECRET_KEY.getBytes()); - String jwt = Jwts.builder() - .setHeaderParam("typ", "JWT") - .setSubject(user) //==> impostato il soggetto del token - .setIssuedAt(new Date()) //==> impostata la data di emissione - .setExpiration(new Date(System.currentTimeMillis() + 3600000)) //==> data di scadenza (1 ora) - .signWith(key, SignatureAlgorithm.HS256) //==> token firmato - .compact(); - return jwt; - } - - } - - public static void createMessages(){ - messages[0] = mainPane.lblInfo.getText(); - while (mainPane.resultTableModel.getRowCount() == 0) { - //attendo finché il numero di righe non è diverso da zero ==> finito di eseguire operazioni - try { - Thread.sleep(1000); - } catch (InterruptedException e) { - e.printStackTrace(); - } - } - int rowCount = mainPane.resultTableModel.getRowCount(); - int columnCount = mainPane.resultTableModel.getColumnCount(); - - for (int row = 0; row < rowCount; row++) { - for (int col = 0; col < columnCount; col++) { - Object value = mainPane.resultTableModel.getValueAt(row, col); - messages[col+1] = "" + value; - if(col+1==1){ - outputMessages[0]=messages[col+1]; - }else if(col+1==2){ - outputMessages[1]=messages[col+1]; - }else if(col+1==7){ - outputMessages[2]=messages[col+1]; + result.addProperty("finished", false); } - } - } - messages[8] = mainPane.lblOutput.getText(); - - //DEBUG TAB - String txt_out_debug_tab = mainPane.txt_out_debug_tab.getText(); - messages[9] = mainPane.txt_out_debug_tab.getText(); - String txt_err_debug_tab = mainPane.txt_err_debug_tab.getText(); - messages[10] = mainPane.txt_err_debug_tab.getText(); + writeOutputJson(result, response.getWriter()); - //RESULT TABLE - rowCount = 
mainPane.testTable.getRowCount(); - int colCount = mainPane.testTable.getColumnCount(); - - if(rowCount==0){ - for (int col = 0; col < colCount; col++) { - messages[col + 11] = ""; - } - } else { - for (int row = 0; row < rowCount; row++) { - for (int col = 0; col < colCount; col++) { - messages[col + 11] = mainPane.testTable.getValueAt(row, col) + ""; - } - } - } - } - - static class User { - private String name; - private String password; - - public User(String name, String password) { - this.name = name; - this.password = password; - } - - public String getName() { - return name; - } - - public String getPassword() { - return password; - } - } - - static class RequestData { - private static int requestCount = 0; - private final long timestamp; - private final String message; - private final int requestNumber; - - public RequestData(long timestamp, String message) { - this.timestamp = timestamp; - this.message = message; - synchronized (RequestData.class) { - this.requestNumber = ++requestCount; + baseRequest.setHandled(true); } } - public long getTimestamp() { - return timestamp; - } - - public String getMessage() { - return message; - } - - public int getRequestNumber() { - return requestNumber; - } } - - public static void createJsonString() { - String outputJson; - - MyJsonObject jsonObject = new MyJsonObject(messages); - - Gson gson = new GsonBuilder().setPrettyPrinting().create(); - StringWriter stringWriter = new StringWriter(); - - gson.toJson(jsonObject, stringWriter); - outputJson = stringWriter.toString(); - - outputMessages[3]= outputJson; + public void writeOutputJson(JsonElement elm, PrintWriter pw) { + Gson gson = new GsonBuilder() + .setPrettyPrinting() + .serializeNulls() + .create(); + pw.write(gson.toJson(elm)); } - - static class MyJsonObject { - private String inputJson1; - private List testSuiteResult; - private String inputJson2; - private List testResult; - private List debugTab; - - public MyJsonObject(String[] values) { - this.inputJson1 
= values[0]; - - this.testSuiteResult = Arrays.asList( - new TestSuiteResult(values[1], values[2], values[3], values[4], values[5], values[6], values[7]) - ); - - this.inputJson2 = values[8]; - - this.testResult = Arrays.asList( - new TestResult(values[11], values[12], values[13], values[14], values[15], values[16]) - ); - - this.debugTab = Arrays.asList( - new DebugTab(values[9], values[10]) - ); - - } - } - - static class DebugTab { - private String output_log; - private String error_log; - - public DebugTab(String output_log, String error_log) { - this.output_log = output_log; - this.error_log = error_log; - } - } - - static class TestResult { - private String Op_num; - private String messageType; - private String messageSection; - private String check_regex; - private String index; - private String result; - - public TestResult(String Op_num, String messageType, String messageSection, String check_regex, String index, String result) { - this.Op_num = Op_num; - this.messageType = messageType; - this.messageSection = messageSection; - this.check_regex = check_regex; - this.index = index; - this.result = result; - } - } - - static class TestSuiteResult { - private String testName; - private String description; - private String references; - private String statementInRefToTest; - private String affectedEntity; - private String mitigations; - private String result; - - public TestSuiteResult(String testName, String description, String references, String statementInRefToTest, String affectedEntity, String mitigations, String result) { - this.testName = testName; - this.description = description; - this.references = references; - this.statementInRefToTest = statementInRefToTest; - this.affectedEntity = affectedEntity; - this.mitigations = mitigations; - this.result = result; - } - } - } \ No newline at end of file diff --git a/tool/src/main/java/migt/Main.java b/tool/src/main/java/migt/Main.java index 8efdc58..30ec20b 100644 --- a/tool/src/main/java/migt/Main.java 
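Review bot: `handle` sets `Access-Control-Allow-Origin: *` on every response while authentication is disabled by default, and `/result` answers any HTTP method, so any web page open in the user's browser can read the test results cross-origin — including the Base64-encoded intercepted requests and responses built in the verbose branch — and drive `/execute`; drop the wildcard or make the allowed origin configurable, and restrict `/result` to POST like `/execute`. When authentication is on, `!sha256(key).equals(authenticationKey)` is a non-constant-time comparison; use `MessageDigest.isEqual(sha256(key).getBytes(StandardCharsets.UTF_8), authenticationKey.getBytes(StandardCharsets.UTF_8))`. The `if (false)` branch is dead: `error` read from `lblOutput` is never reported and the response is always `"success": true`, so the intended condition (presumably a non-empty `lblOutput` after `btnReadJSON.doClick()`) needs restoring, e.g. `if (error != null && !error.isBlank())`. The `setText`/`doClick()` calls on `txtSearch`, `txtScript`, `sessions_text` and the buttons run on Jetty's request thread rather than the Swing EDT and should be wrapped in `SwingUtilities.invokeAndWait`; an unknown session name additionally makes `sessions_text.get(s.getKey())` null and surfaces as an unhandled NullPointerException instead of a 400.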
+++ b/tool/src/main/java/migt/Main.java @@ -89,6 +89,7 @@ public class Main extends JSplitPane { JButton btnExecuteTrack; JButton btnSaveToFile; JButton btndriverSelector; + JButton btnReadJSON; JTextArea txtScript; JTextArea txtSearch; JTextArea txtSessionConfig; @@ -117,7 +118,7 @@ public class Main extends JSplitPane { private Integer DEFAULT_PORT = 8080; private String DRIVER_PATH; private List actives; - private Map sessions_text; + Map sessions_text; private List passives; private Thread active_ex; private boolean active_ex_finished = false; @@ -1394,7 +1395,7 @@ private JPanel setup_tab_input_json(GridBagLayout bottom_layout) { gbc.gridheight = 3; inputContainer.add(scrollPane2, gbc); - JButton btnReadJSON = new JButton("Read JSON"); + btnReadJSON = new JButton("Read JSON"); gbc = new GridBagConstraints(); gbc.anchor = GridBagConstraints.WEST; gbc.insets = new Insets(10, 10, 10, 10); diff --git a/tool/src/main/java/migt/debug.http b/tool/src/main/java/migt/debug.http index a87810e..e648dea 100644 --- a/tool/src/main/java/migt/debug.http +++ b/tool/src/main/java/migt/debug.http 
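Review bot: Widening `sessions_text` to package-private (second hunk) hands the raw, mutable `Map` to `ExecuteWebServer`, which then calls `.setText` on its values; a narrow accessor such as `JTextArea getSessionText(String name)` (hedged: the value type is not visible here, but `Main` declares its text fields as `JTextArea`) would keep the map private and give the handler a single place to reject unknown session names. The raw `Map` type predates this change but is worth parameterising while the field is being touched.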
@@ -1,12 +1,21 @@ POST localhost:3000/execute Content-Type: application/json +# X-AuthKey: ciao { - "test": "{\r\n \"test suite\": {\r\n \"name\": \"Single test\",\r\n \"description\": \"One test only\",\r\n \"filter messages\": true\r\n },\r\n \"tests\": [\r\n {\r\n \"test\": {\r\n \"name\": \"Does the OP release Access Tokens with the use of refresh tokens\",\r\n \"description\": \"In this test the offline access flow is accomplished and a refresh token is obtained. After this, a new token request is done with \\\"grant_type=refresh_token\\\" and the refresh token inserted in the \\\"refresh_token\\\" parameter. The response must include the Access Token\",\r\n \"type\": \"active\",\r\n \"sessions\": [\r\n \"s1\",\r\n \"s1.1\",\r\n \"s1.2\"\r\n ],\r\n \"operations\": [\r\n {\r\n \"session\": \"s1\",\r\n \"action\": \"start\"\r\n },\r\n {\r\n \"action\": \"intercept\",\r\n \"from session\": \"s1\",\r\n \"then\": \"forward\",\r\n \"message type\": \"Authentication request\",\r\n \"decode operations\": [\r\n {\r\n \"from\": \"url\",\r\n \"decode param\": \"request\",\r\n \"type\": \"jwt\",\r\n \"edits\": [\r\n {\r\n \"jwt from\": \"payload\",\r\n \"jwt edit\": \"$.acr_values\",\r\n \"value\": \"https:\/\/www.spid.gov.it\/SpidL1\"\r\n },\r\n {\r\n \"jwt sign\": \"X_key_core_RP\"\r\n }\r\n ]\r\n }\r\n ]\r\n },\r\n {\r\n \"action\": \"intercept\",\r\n \"from session\": \"s1\",\r\n \"then\": \"forward\",\r\n \"message type\": \"Token response\",\r\n \"message operations\": [\r\n {\r\n \"from\": \"body\",\r\n \"save\": \"(?<=\\\"refresh_token\\\": \\\")[^\\\"]+\",\r\n \"as\": \"saved_refresh_token\"\r\n }\r\n ]\r\n },\r\n {\r\n \"session\": \"s1\",\r\n \"action\": \"pause\"\r\n },\r\n {\r\n \"session\": \"s1.1\",\r\n \"action\": \"start\"\r\n },\r\n {\r\n \"action\": \"intercept\",\r\n \"from session\": \"s1.1\",\r\n \"then\": \"forward\",\r\n \"message type\": \"Token request\",\r\n \"edit operations\": [\r\n {\r\n \"from\": \"body\",\r\n \"edit regex\": 
\"(?<=grant_type=)([^&\\\\n]+)\",\r\n \"value\": \"refresh_token\"\r\n },\r\n {\r\n \"from\": \"body\",\r\n \"add\": \"\",\r\n \"value\": \"&refresh_token=\"\r\n },\r\n {\r\n \"from\": \"body\",\r\n \"add\": \"\",\r\n \"use\": \"saved_refresh_token\"\r\n }\r\n ]\r\n },\r\n {\r\n \"action\": \"intercept\",\r\n \"from session\": \"s1.1\",\r\n \"then\": \"forward\",\r\n \"message type\": \"UserInfo request\"\r\n },\r\n {\r\n \"session\": \"s1.1\",\r\n \"action\": \"pause\"\r\n },\r\n {\r\n \"session\": \"s1.2\",\r\n \"action\": \"start\"\r\n },\r\n {\r\n \"action\": \"intercept\",\r\n \"from session\": \"s1.2\",\r\n \"then\": \"forward\",\r\n \"message type\": \"Token request\",\r\n \"edit operations\": [\r\n {\r\n \"from\": \"body\",\r\n \"edit regex\": \"(?<=grant_type=)([^&\\\\n]+)\",\r\n \"value\": \"refresh_token\"\r\n },\r\n {\r\n \"from\": \"body\",\r\n \"add\": \"\",\r\n \"value\": \"&refresh_token=\"\r\n },\r\n {\r\n \"from\": \"body\",\r\n \"add\": \"\",\r\n \"use\": \"saved_refresh_token\"\r\n }\r\n ]\r\n },\r\n {\r\n \"action\": \"intercept\",\r\n \"from session\": \"s1.2\",\r\n \"then\": \"forward\",\r\n \"message type\": \"Token response\",\r\n \"checks\": [\r\n {\r\n \"in\": \"head\",\r\n \"check regex\": \"HTTP\/?\\\\d?\\\\.?\\\\d?\\\\s400\"\r\n },\r\n {\r\n \"in\": \"body\",\r\n \"check\": \"invalid_request\"\r\n }\r\n ]\r\n },\r\n {\r\n \"session\": \"s1\",\r\n \"action\": \"resume\"\r\n },\r\n {\r\n \"session\": \"s1.1\",\r\n \"action\": \"resume\"\r\n }\r\n ],\r\n \"result\": \"assert_only\"\r\n }\r\n }\r\n ]\r\n}", + "test": "{\r\n \"test suite\": {\r\n \"name\": \"Single test\",\r\n \"description\": \"One test only\",\r\n \"filter messages\": true\r\n },\r\n \"tests\": [\r\n {\r\n \"test\": {\r\n \"name\": \"Does the OP release Access Tokens with the use of refresh tokens\",\r\n \"description\": \"In this test the offline access flow is accomplished and a refresh token is obtained. 
After this, a new token request is done with \\\"grant_type=refresh_token\\\" and the refresh token inserted in the \\\"refresh_token\\\" parameter. The response must include the Access Token\",\r\n \"type\": \"active\",\r\n \"sessions\": [\r\n \"s1\",\r\n \"s1.1\",\r\n \"s1.2\"\r\n ],\r\n \"operations\": [\r\n {\r\n \"session\": \"s1\",\r\n \"action\": \"start\"\r\n },\r\n {\r\n \"action\": \"intercept\",\r\n \"from session\": \"s1\",\r\n \"then\": \"forward\",\r\n \"message type\": \"Authentication request\",\r\n \"decode operations\": [\r\n {\r\n \"from\": \"url\",\r\n \"decode param\": \"request\",\r\n \"type\": \"jwt\",\r\n \"edits\": [\r\n {\r\n \"jwt from\": \"payload\",\r\n \"jwt edit\": \"$.acr_values\",\r\n \"value\": \"https:\/\/www.spid.gov.it\/SpidL1\"\r\n },\r\n {\r\n \"jwt sign\": \"-----BEGIN PRIVATE KEY-----\\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ\/IbUkkWbrgbnVwEnA\\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL\/rTCN\/yyQmAFGmJdA+XAf2MMZqpUT8\\n8QFM5sM7nDdei6sPUXfrT6\/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn\/Vu\\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw\/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\\nBmnYLzixAgMBAAECggEBAJ\/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\\nV0CSu7W8ybR6BkHh+BPrMN\/\/gXOzimOw3GwVoB04ozEVo\/S5ALvbgr6qhjGgK6Fh\\n9GgXFJmQLDY3MlCMid\/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\\n9iKgwml\/EnaZ1NoE4\/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF\/U5v\\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt\/y\/ff8\\nk\/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\\nGpo8JHnfnGOUsvO\/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\\nDSy9Suumyktu3PbGgjqu\/izRim8Xlg7sz8Hs2quJPII\/fQ8BCoaWpg30osFZqCBa\\nrQ
M7CWhxR40CgYA3CVWZap8lu0G7XMiaE\/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\\nNXf2uke\/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o\/ZDu4o2RR7idxyu7qWZ740h\\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C\/e+C88bF8uBEolFfJ4Z7soxlN6\\n\/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE\/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\\nSOWFs2QXN\/P4ZvmiVpXK\/9Tcnth2BThpb9apQCT2a\/CYtrRiGNAVWKiK0U9QlN\/w\\n9fVBO\/ZgdaXE4xqYOSceH14yrQ==\\n-----END PRIVATE KEY-----\\n\"\r\n }\r\n ]\r\n }\r\n ]\r\n },\r\n {\r\n \"action\": \"intercept\",\r\n \"from session\": \"s1\",\r\n \"then\": \"forward\",\r\n \"message type\": \"Token response\",\r\n \"message operations\": [\r\n {\r\n \"from\": \"body\",\r\n \"save\": \"(?<=\\\"refresh_token\\\": \\\")[^\\\"]+\",\r\n \"as\": \"saved_refresh_token\"\r\n }\r\n ]\r\n },\r\n {\r\n \"session\": \"s1\",\r\n \"action\": \"pause\"\r\n },\r\n {\r\n \"session\": \"s1.1\",\r\n \"action\": \"start\"\r\n },\r\n {\r\n \"action\": \"intercept\",\r\n \"from session\": \"s1.1\",\r\n \"then\": \"forward\",\r\n \"message type\": \"Token request\",\r\n \"edit operations\": [\r\n {\r\n \"from\": \"body\",\r\n \"edit regex\": \"(?<=grant_type=)([^&\\\\n]+)\",\r\n \"value\": \"refresh_token\"\r\n },\r\n {\r\n \"from\": \"body\",\r\n \"add\": \"\",\r\n \"value\": \"&refresh_token=\"\r\n },\r\n {\r\n \"from\": \"body\",\r\n \"add\": \"\",\r\n \"use\": \"saved_refresh_token\"\r\n }\r\n ]\r\n },\r\n {\r\n \"action\": \"intercept\",\r\n \"from session\": \"s1.1\",\r\n \"then\": \"forward\",\r\n \"message type\": \"UserInfo request\"\r\n },\r\n {\r\n \"session\": \"s1.1\",\r\n \"action\": \"pause\"\r\n },\r\n {\r\n \"session\": \"s1.2\",\r\n \"action\": \"start\"\r\n },\r\n {\r\n \"action\": \"intercept\",\r\n \"from session\": \"s1.2\",\r\n \"then\": \"forward\",\r\n \"message type\": \"Token request\",\r\n \"edit 
operations\": [\r\n {\r\n \"from\": \"body\",\r\n \"edit regex\": \"(?<=grant_type=)([^&\\\\n]+)\",\r\n \"value\": \"refresh_token\"\r\n },\r\n {\r\n \"from\": \"body\",\r\n \"add\": \"\",\r\n \"value\": \"&refresh_token=\"\r\n },\r\n {\r\n \"from\": \"body\",\r\n \"add\": \"\",\r\n \"use\": \"saved_refresh_token\"\r\n }\r\n ]\r\n },\r\n {\r\n \"action\": \"intercept\",\r\n \"from session\": \"s1.2\",\r\n \"then\": \"forward\",\r\n \"message type\": \"Token response\",\r\n \"checks\": [\r\n {\r\n \"in\": \"head\",\r\n \"check regex\": \"HTTP\/?\\\\d?\\\\.?\\\\d?\\\\s400\"\r\n },\r\n {\r\n \"in\": \"body\",\r\n \"check\": \"invalid_request\"\r\n }\r\n ]\r\n },\r\n {\r\n \"session\": \"s1\",\r\n \"action\": \"resume\"\r\n },\r\n {\r\n \"session\": \"s1.1\",\r\n \"action\": \"resume\"\r\n }\r\n ],\r\n \"result\": \"assert_only\"\r\n }\r\n }\r\n ]\r\n}", "sessions": { "main": "open | http:\/\/relying-party.org:8001\/oidc\/rp\/landing |\r\nclick | xpath=\/html\/body\/div[2]\/div\/div\/div\/div\/div\/div\/div\/div\/div\/div[2]\/div\/span[2]\/a |\r\nclick | xpath=\/html\/body\/div[2]\/div\/div\/div\/div\/div\/div\/div\/div\/div\/div[2]\/div\/span[2]\/div\/ul\/li[2]\/a |\r\ntype | id=id_username | user\r\ntype | id=id_password | oidcuser\r\nclick | xpath=\/html\/body\/div[2]\/div\/div\/div\/div\/div\/div\/div\/div\/div\/div[2]\/div[2]\/div[1]\/form\/fieldset\/div\/div\/div\/div[3]\/button\/span[2] |\r\nclick | id=agree |\r\nclick | xpath=\/html\/body\/div[2]\/div\/div\/div\/div\/div\/div\/div\/div\/div\/a |\r\nwait | 1000", "s1": "open | http:\/\/relying-party.org:8001\/oidc\/rp\/landing |\r\nclick | xpath=\/html\/body\/div[2]\/div\/div\/div\/div\/div\/div\/div\/div\/div\/div[2]\/div\/span[2]\/a |\r\nclick | xpath=\/html\/body\/div[2]\/div\/div\/div\/div\/div\/div\/div\/div\/div\/div[2]\/div\/span[2]\/div\/ul\/li[2]\/a |\r\ntype | id=id_username | user\r\ntype | id=id_password | oidcuser\r\nclick | 
xpath=\/html\/body\/div[2]\/div\/div\/div\/div\/div\/div\/div\/div\/div\/div[2]\/div[2]\/div[1]\/form\/fieldset\/div\/div\/div\/div[3]\/button\/span[2] |\r\nclick | id=agree |\r\nclick | xpath=\/html\/body\/div[2]\/div\/div\/div\/div\/div\/div\/div\/div\/div\/a |\r\nwait | 1000", "s1.1": "open | http:\/\/relying-party.org:8001\/oidc\/rp\/landing |\r\nclick | xpath=\/html\/body\/div[2]\/div\/div\/div\/div\/div\/div\/div\/div\/div\/div[2]\/div\/span[2]\/a |\r\nclick | xpath=\/html\/body\/div[2]\/div\/div\/div\/div\/div\/div\/div\/div\/div\/div[2]\/div\/span[2]\/div\/ul\/li[2]\/a |\r\ntype | id=id_username | user\r\ntype | id=id_password | oidcuser\r\nclick | xpath=\/html\/body\/div[2]\/div\/div\/div\/div\/div\/div\/div\/div\/div\/div[2]\/div[2]\/div[1]\/form\/fieldset\/div\/div\/div\/div[3]\/button\/span[2] |\r\nclick | id=agree |\r\nclick | xpath=\/html\/body\/div[2]\/div\/div\/div\/div\/div\/div\/div\/div\/div\/a |\r\nwait | 1000", "s1.2": "open | http:\/\/relying-party.org:8001\/oidc\/rp\/landing |\r\nclick | xpath=\/html\/body\/div[2]\/div\/div\/div\/div\/div\/div\/div\/div\/div\/div[2]\/div\/span[2]\/a |\r\nclick | xpath=\/html\/body\/div[2]\/div\/div\/div\/div\/div\/div\/div\/div\/div\/div[2]\/div\/span[2]\/div\/ul\/li[2]\/a |\r\ntype | id=id_username | user\r\ntype | id=id_password | oidcuser\r\nclick | xpath=\/html\/body\/div[2]\/div\/div\/div\/div\/div\/div\/div\/div\/div\/div[2]\/div[2]\/div[1]\/form\/fieldset\/div\/div\/div\/div[3]\/button\/span[2] |\r\nclick | id=agree |\r\nclick | xpath=\/html\/body\/div[2]\/div\/div\/div\/div\/div\/div\/div\/div\/div\/a |\r\nwait | 1000" }
-}
\ No newline at end of file
+}
+
+###
+POST localhost:3000/result
+
+
+###
+POST localhost:3000/result?verbose=true
+
diff --git a/tool/src/main/resources/driver/geckodriver 2 b/tool/src/main/resources/driver/geckodriver 2
deleted file mode 100755
index 6811740..0000000
Binary files a/tool/src/main/resources/driver/geckodriver 2 and /dev/null differ
