diff --git a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00001.java b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00001.java
new file mode 100644
index 0000000..34c8209
--- /dev/null
+++ b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00001.java
@@ -0,0 +1,105 @@
+/**
+ * OWASP Benchmark v1.2
+ *
+ *
This file is part of the Open Web Application Security Project (OWASP) Benchmark Project. For
+ * details, please see https://owasp.org/www-project-benchmark/.
+ *
+ *
The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms
+ * of the GNU General Public License as published by the Free Software Foundation, version 2.
+ *
+ *
The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+ * PURPOSE. See the GNU General Public License for more details.
+ *
+ * @author Dave Wichers
+ * @created 2015
+ */
+package org.owasp.benchmark.testcode;
+
+import java.io.IOException;
+import javax.servlet.ServletException;
+import javax.servlet.annotation.WebServlet;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+@WebServlet(value = "/pathtraver-00/BenchmarkTest00001")
+public class BenchmarkTest00001 extends HttpServlet {
+
+ private static final long serialVersionUID = 1L;
+
+ @Override
+ public void doGet(HttpServletRequest request, HttpServletResponse response)
+ throws ServletException, IOException {
+ response.setContentType("text/html;charset=UTF-8");
+ javax.servlet.http.Cookie userCookie =
+ new javax.servlet.http.Cookie("BenchmarkTest00001", "FileName");
+ userCookie.setMaxAge(60 * 3); // Store cookie for 3 minutes
+ userCookie.setSecure(true);
+ userCookie.setPath(request.getRequestURI());
+ userCookie.setDomain(new java.net.URL(request.getRequestURL().toString()).getHost());
+ response.addCookie(userCookie);
+ javax.servlet.RequestDispatcher rd =
+ request.getRequestDispatcher("/pathtraver-00/BenchmarkTest00001.html");
+ rd.include(request, response);
+ }
+
+ @Override
+ public void doPost(HttpServletRequest request, HttpServletResponse response)
+ throws ServletException, IOException {
+ // some code
+ response.setContentType("text/html;charset=UTF-8");
+
+ javax.servlet.http.Cookie[] theCookies = request.getCookies();
+
+ String param = "noCookieValueSupplied";
+ if (theCookies != null) {
+ for (javax.servlet.http.Cookie theCookie : theCookies) {
+ if (theCookie.getName().equals("BenchmarkTest00001")) {
+ param = java.net.URLDecoder.decode(theCookie.getValue(), "UTF-8");
+
break;
+ }
+ }
+ }
+
+ String fileName = null;
+ java.io.FileInputStream fis = null;
+
+ try {
+ fileName = org.owasp.benchmark.helpers.Utils.TESTFILES_DIR + param;
+ fis = new java.io.FileInputStream(new java.io.File(fileName));
+ byte[] b = new byte[1000];
+ int size = fis.read(b);
+ response.getWriter()
+ .println(
+ "The beginning of file: '"
+ + org.owasp.esapi.ESAPI.encoder().encodeForHTML(fileName)
+ + "' is:\n\n"
+ + org.owasp
+ .esapi
+ .ESAPI
+ .encoder()
+ .encodeForHTML(new String(b, 0, size)));
+ } catch (Exception e) {
+ System.out.println("Couldn't open FileInputStream on file: '" + fileName + "'");
+ response.getWriter()
+ .println(
+ "Problem getting FileInputStream: "
+ + org.owasp
+ .esapi
+ .ESAPI
+ .encoder()
+ .encodeForHTML(e.getMessage()));
+ } finally {
+ if (fis != null) {
+ try {
+ fis.close();
+ fis = null;
+ } catch (Exception e) {
+ // we tried...
+ }
+ }
+ }
+ }
+}
diff --git a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00002.java b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00002.java
new file mode 100644
index 0000000..b31b6a3
--- /dev/null
+++ b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00002.java
@@ -0,0 +1,92 @@
+/**
+ * OWASP Benchmark v1.2
+ *
+ *
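Review bot: `int size = fis.read(b)` returns -1 for an empty file, and `new String(b, 0, size)` then throws StringIndexOutOfBoundsException, which the broad `catch (Exception e)` reports as a misleading "Problem getting FileInputStream"; guard it with `String head = size < 0 ? "" : new String(b, 0, size, java.nio.charset.StandardCharsets.UTF_8);` (which also pins the charset instead of the platform default). The decoded cookie value is appended to `Utils.TESTFILES_DIR` and opened without any containment check; if that is the intended sink for this pathtraver-00 case, a one-line comment saying so would help readers, otherwise resolve the name against the base directory and reject anything that ends up outside it. `java.net.URLDecoder.decode(theCookie.getValue(), "UTF-8")` throws IllegalArgumentException on a malformed percent sequence and nothing catches it, so such a cookie yields a 500 instead of the default value; the same decode loop appears in BenchmarkTest00002, 00003 and 00004. The `finally` block is a hand-rolled close; try-with-resources on the FileInputStream would remove the `fis = null` and the empty inner catch (same pattern in BenchmarkTest00002).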
This file is part of the Open Web Application Security Project (OWASP) Benchmark Project. For
+ * details, please see https://owasp.org/www-project-benchmark/.
+ *
+ *
The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms
+ * of the GNU General Public License as published by the Free Software Foundation, version 2.
+ *
+ *
The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+ * PURPOSE. See the GNU General Public License for more details.
+ *
+ * @author Dave Wichers
+ * @created 2015
+ */
+package org.owasp.benchmark.testcode;
+
+import java.io.IOException;
+import javax.servlet.ServletException;
+import javax.servlet.annotation.WebServlet;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+@WebServlet(value = "/pathtraver-00/BenchmarkTest00002")
+public class BenchmarkTest00002 extends HttpServlet {
+
+ private static final long serialVersionUID = 1L;
+
+ @Override
+ public void doGet(HttpServletRequest request, HttpServletResponse response)
+ throws ServletException, IOException {
+ response.setContentType("text/html;charset=UTF-8");
+ javax.servlet.http.Cookie userCookie =
+ new javax.servlet.http.Cookie("BenchmarkTest00002", "FileName");
+ userCookie.setMaxAge(60 * 3); // Store cookie for 3 minutes
+ userCookie.setSecure(true);
+ userCookie.setPath(request.getRequestURI());
+ userCookie.setDomain(new java.net.URL(request.getRequestURL().toString()).getHost());
+ response.addCookie(userCookie);
+ javax.servlet.RequestDispatcher rd =
+ request.getRequestDispatcher("/pathtraver-00/BenchmarkTest00002.html");
+ rd.include(request, response);
+ }
+
+ @Override
+ public void doPost(HttpServletRequest request, HttpServletResponse response)
+ throws ServletException, IOException {
+ // some code
+ response.setContentType("text/html;charset=UTF-8");
+
+ javax.servlet.http.Cookie[] theCookies = request.getCookies();
+
+ String param = "noCookieValueSupplied";
+ if (theCookies != null) {
+ for (javax.servlet.http.Cookie theCookie : theCookies) {
+ if (theCookie.getName().equals("BenchmarkTest00002")) {
+ param = java.net.URLDecoder.decode(theCookie.getValue(), "UTF-8");
+
break;
+ }
+ }
+ }
+
+ String fileName = null;
+ java.io.FileOutputStream fos = null;
+
+ try {
+ fileName = org.owasp.benchmark.helpers.Utils.TESTFILES_DIR + param;
+
+ fos = new java.io.FileOutputStream(fileName, false);
+ response.getWriter()
+ .println(
+ "Now ready to write to file: "
+ + org.owasp.esapi.ESAPI.encoder().encodeForHTML(fileName));
+
+ } catch (Exception e) {
+ System.out.println("Couldn't open FileOutputStream on file: '" + fileName + "'");
+ // System.out.println("File exception caught and swallowed: " + e.getMessage());
+ } finally {
+ if (fos != null) {
+ try {
+ fos.close();
+ fos = null;
+ } catch (Exception e) {
+ // we tried...
+ }
+ }
+ }
+ }
+}
diff --git a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00003.java b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00003.java
new file mode 100644
index 0000000..501535c
--- /dev/null
+++ b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00003.java
@@ -0,0 +1,119 @@
+/**
+ * OWASP Benchmark v1.2
+ *
+ *
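Review bot: The `catch (Exception e)` at the end of doPost writes nothing to the response (the only client-facing line is commented out), so a failed open returns an empty 200 while BenchmarkTest00001 reports `Problem getting FileInputStream: ...`; for consistency add `response.getWriter().println("Problem getting FileOutputStream: " + org.owasp.esapi.ESAPI.encoder().encodeForHTML(e.getMessage()));` before the commented line. Note also that `new java.io.FileOutputStream(fileName, false)` creates or truncates the file at the cookie-derived path the moment it opens, before the "Now ready to write" message is produced; if that destructive open is the intended sink for this pathtraver-00 case, say so in a comment, otherwise resolve `param` under the base directory and check it stays there before opening. The stream is opened, never written to, and closed, which is presumably deliberate for a benchmark sink but worth a word in the comment as well.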
This file is part of the Open Web Application Security Project (OWASP) Benchmark Project. For
+ * details, please see https://owasp.org/www-project-benchmark/.
+ *
+ *
The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms
+ * of the GNU General Public License as published by the Free Software Foundation, version 2.
+ *
+ *
The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+ * PURPOSE. See the GNU General Public License for more details.
+ *
+ * @author Dave Wichers
+ * @created 2015
+ */
+package org.owasp.benchmark.testcode;
+
+import java.io.IOException;
+import javax.servlet.ServletException;
+import javax.servlet.annotation.WebServlet;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+@WebServlet(value = "/hash-00/BenchmarkTest00003")
+public class BenchmarkTest00003 extends HttpServlet {
+
+ private static final long serialVersionUID = 1L;
+
+ @Override
+ public void doGet(HttpServletRequest request, HttpServletResponse response)
+ throws ServletException, IOException {
+ response.setContentType("text/html;charset=UTF-8");
+ javax.servlet.http.Cookie userCookie =
+ new javax.servlet.http.Cookie("BenchmarkTest00003", "someSecret");
+ userCookie.setMaxAge(60 * 3); // Store cookie for 3 minutes
+ userCookie.setSecure(true);
+ userCookie.setPath(request.getRequestURI());
+ userCookie.setDomain(new java.net.URL(request.getRequestURL().toString()).getHost());
+ response.addCookie(userCookie);
+ javax.servlet.RequestDispatcher rd =
+ request.getRequestDispatcher("/hash-00/BenchmarkTest00003.html");
+ rd.include(request, response);
+ }
+
+ @Override
+ public void doPost(HttpServletRequest request, HttpServletResponse response)
+ throws ServletException, IOException {
+ // some code
+ response.setContentType("text/html;charset=UTF-8");
+
+ javax.servlet.http.Cookie[] theCookies = request.getCookies();
+
+ String param = "noCookieValueSupplied";
+ if (theCookies != null) {
+ for (javax.servlet.http.Cookie theCookie : theCookies) {
+ if (theCookie.getName().equals("BenchmarkTest00003")) {
+ param = java.net.URLDecoder.decode(theCookie.getValue(), "UTF-8");
+ break;
+ }
+ }
+ }
+
+ try {
+ java.util.Properties benchmarkprops = new java.util.Properties();
+ benchmarkprops.load(
+ this.getClass().getClassLoader().getResourceAsStream("benchmark.properties"));
+ String algorithm = benchmarkprops.getProperty("hashAlg1", "SHA512");
+ java.security.MessageDigest md = java.security.MessageDigest.getInstance(algorithm);
+ byte[] input = {(byte) '?'};
+ Object inputParam = param;
+ if (inputParam instanceof String) input = ((String) inputParam).getBytes();
+ if (inputParam instanceof java.io.InputStream) {
+ byte[] strInput = new byte[1000];
+ int i = ((java.io.InputStream) inputParam).read(strInput);
+ if (i == -1) {
+ response.getWriter()
+ .println(
+ "This input source requires a POST, not a GET. Incompatible UI for the InputStream source.");
+ return;
+ }
+ input = java.util.Arrays.copyOf(strInput, i);
+ }
+ md.update(input);
+
+ byte[] result = md.digest();
+ java.io.File fileTarget =
+ new java.io.File(
+ new java.io.File(org.owasp.benchmark.helpers.Utils.TESTFILES_DIR),
+ "passwordFile.txt");
+ java.io.FileWriter fw =
+ new java.io.FileWriter(fileTarget, true); // the true will append the new data
+ fw.write(
+ "hash_value="
+ + org.owasp.esapi.ESAPI.encoder().encodeForBase64(result, true)
+ + "\n");
+ fw.close();
+ response.getWriter()
+ .println(
+ "Sensitive value '"
+ + org.owasp
+ .esapi
+ .ESAPI
+ .encoder()
+ .encodeForHTML(new String(input))
+ + "' hashed and stored
");
+
+ } catch (java.security.NoSuchAlgorithmException e) {
+ System.out.println("Problem executing hash - TestCase");
+ throw new ServletException(e);
+ }
+
+ response.getWriter()
+ .println(
+ "Hash Test java.security.MessageDigest.getInstance(java.lang.String) executed");
+ }
+}
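Review bot: `benchmarkprops.load(this.getClass().getClassLoader().getResourceAsStream("benchmark.properties"))` hands a possibly-null stream (the resource may be absent from the classpath) to `Properties.load`, which then throws NullPointerException outside the `NoSuchAlgorithmException` catch, and the stream is never closed on the normal path; use `try (java.io.InputStream in = this.getClass().getClassLoader().getResourceAsStream("benchmark.properties")) {` / `    if (in != null) benchmarkprops.load(in);` / `}`. The `instanceof java.io.InputStream` branch is dead: `inputParam` is assigned from the `String` `param` two lines earlier, so only the `getBytes()` branch can run; the same dead branch is in BenchmarkTest00005. `((String) inputParam).getBytes()` and `new String(input)` use the platform default charset, so the stored hash and the echoed value depend on the JVM's `file.encoding`; pass `java.nio.charset.StandardCharsets.UTF_8` to both (BenchmarkTest00005 has the same pair). The `java.io.FileWriter` opened on `fileTarget` is not closed if `fw.write` throws; try-with-resources would cover that.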
diff --git a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00004.java b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00004.java
new file mode 100644
index 0000000..beaa3b2
--- /dev/null
+++ b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00004.java
@@ -0,0 +1,75 @@
+/**
+ * OWASP Benchmark v1.2
+ *
+ *
This file is part of the Open Web Application Security Project (OWASP) Benchmark Project. For
+ * details, please see https://owasp.org/www-project-benchmark/.
+ *
+ *
The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms
+ * of the GNU General Public License as published by the Free Software Foundation, version 2.
+ *
+ *
The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+ * PURPOSE. See the GNU General Public License for more details.
+ *
+ * @author Dave Wichers
+ * @created 2015
+ */
+package org.owasp.benchmark.testcode;
+
+import java.io.IOException;
+import javax.servlet.ServletException;
+import javax.servlet.annotation.WebServlet;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+@WebServlet(value = "/trustbound-00/BenchmarkTest00004")
+public class BenchmarkTest00004 extends HttpServlet {
+
+ private static final long serialVersionUID = 1L;
+
+ @Override
+ public void doGet(HttpServletRequest request, HttpServletResponse response)
+ throws ServletException, IOException {
+ response.setContentType("text/html;charset=UTF-8");
+ javax.servlet.http.Cookie userCookie =
+ new javax.servlet.http.Cookie("BenchmarkTest00004", "color");
+ userCookie.setMaxAge(60 * 3); // Store cookie for 3 minutes
+ userCookie.setSecure(true);
+ userCookie.setPath(request.getRequestURI());
+ userCookie.setDomain(new java.net.URL(request.getRequestURL().toString()).getHost());
+ response.addCookie(userCookie);
+ javax.servlet.RequestDispatcher rd =
+ request.getRequestDispatcher("/trustbound-00/BenchmarkTest00004.html");
+ rd.include(request, response);
+ }
+
+ @Override
+ public void doPost(HttpServletRequest request, HttpServletResponse response)
+ throws ServletException, IOException {
+ // some code
+ response.setContentType("text/html;charset=UTF-8");
+
+ javax.servlet.http.Cookie[] theCookies = request.getCookies();
+
+ String param = "noCookieValueSupplied";
+ if (theCookies != null) {
+ for (javax.servlet.http.Cookie theCookie : theCookies) {
+ if (theCookie.getName().equals("BenchmarkTest00004")) {
+ param = java.net.URLDecoder.decode(theCookie.getValue(), "UTF-8");
+ break;
+
}
+ }
+ }
+
+ // javax.servlet.http.HttpSession.setAttribute(java.lang.String^,java.lang.Object)
+ request.getSession().setAttribute(param, "10340");
+
+ response.getWriter()
+ .println(
+ "Item: '"
+ + org.owasp.benchmark.helpers.Utils.encodeForHTML(param)
+ + "' with value: '10340' saved in session.");
+ }
+}
diff --git a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00005.java b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00005.java
new file mode 100644
index 0000000..64ea418
--- /dev/null
+++ b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00005.java
@@ -0,0 +1,122 @@
+/**
+ * OWASP Benchmark v1.2
+ *
+ *
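Review bot: `request.getSession().setAttribute(param, "10340")` uses the decoded cookie value as the session attribute name, so the caller chooses which session key gets written and can overwrite whatever the application already keeps under that name; if this is the intended trust-boundary sink for the trustbound-00 case, the comment above it should say so rather than only list the signature, e.g. `// Sink: the attribute name comes straight from the request cookie (untrusted input)`. The caret in `java.lang.String^` presumably marks the tainted parameter, but nothing in the file explains that convention, so a reader unfamiliar with the Benchmark layout has to guess; one clause in the same comment (`^ marks the argument that receives untrusted input`) would settle it.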
This file is part of the Open Web Application Security Project (OWASP) Benchmark Project. For
+ * details, please see https://owasp.org/www-project-benchmark/.
+ *
+ *
The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms
+ * of the GNU General Public License as published by the Free Software Foundation, version 2.
+ *
+ *
The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+ * PURPOSE. See the GNU General Public License for more details.
+ *
+ * @author Dave Wichers
+ * @created 2015
+ */
+package org.owasp.benchmark.testcode;
+
+import java.io.IOException;
+import javax.servlet.ServletException;
+import javax.servlet.annotation.WebServlet;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+@WebServlet(value = "/crypto-00/BenchmarkTest00005")
+public class BenchmarkTest00005 extends HttpServlet {
+
+ private static final long serialVersionUID = 1L;
+
+ @Override
+ public void doGet(HttpServletRequest request, HttpServletResponse response)
+ throws ServletException, IOException {
+ doPost(request, response);
+ }
+
+ @Override
+ public void doPost(HttpServletRequest request, HttpServletResponse response)
+ throws ServletException, IOException {
+ // some code
+ response.setContentType("text/html;charset=UTF-8");
+
+ String param = "";
+ if (request.getHeader("BenchmarkTest00005") != null) {
+ param = request.getHeader("BenchmarkTest00005");
+ }
+
+ // URL Decode the header value since req.getHeader() doesn't. Unlike req.getParameter().
+ param = java.net.URLDecoder.decode(param, "UTF-8");
+
+ // Code based on example from:
+ // http://examples.javacodegeeks.com/core-java/crypto/encrypt-decrypt-file-stream-with-des/
+ // 8-byte initialization vector
+ // byte[] iv = {
+ // (byte)0xB2, (byte)0x12, (byte)0xD5, (byte)0xB2,
+ // (byte)0x44, (byte)0x21, (byte)0xC3, (byte)0xC3033
+ // };
+ java.security.SecureRandom random = new java.security.SecureRandom();
+ byte[] iv = random.generateSeed(8); // DES requires 8 byte keys
+
+ try {
+ javax.crypto.Cipher c = javax.crypto.Cipher.getInstance("DES/CBC/PKCS5Padding");
+
+ // Prepare the cipher to encrypt
+ javax.crypto.SecretKey key = javax.crypto.KeyGenerator.getInstance("DES").generateKey();
+ java.security.spec.AlgorithmParameterSpec paramSpec =
+ new javax.crypto.spec.IvParameterSpec(iv);
+ c.init(javax.crypto.Cipher.ENCRYPT_MODE, key, paramSpec);
+
+ // encrypt and store the results
+ byte[] input = {(byte) '?'};
+ Object inputParam = param;
+ if (inputParam instanceof String) input = ((String) inputParam).getBytes();
+ if (inputParam instanceof java.io.InputStream) {
+ byte[] strInput = new byte[1000];
+ int i = ((java.io.InputStream) inputParam).read(strInput);
+ if (i == -1) {
+ response.getWriter()
+ .println(
+ "This input source requires a POST, not a GET. Incompatible UI for the InputStream source.");
+ return;
+ }
+ input = java.util.Arrays.copyOf(strInput, i);
+ }
+ byte[] result = c.doFinal(input);
+
+ java.io.File fileTarget =
+ new java.io.File(
+ new java.io.File(org.owasp.benchmark.helpers.Utils.TESTFILES_DIR),
+ "passwordFile.txt");
+ java.io.FileWriter fw =
+ new java.io.FileWriter(fileTarget, true); // the true will append the new data
+ fw.write(
+ "secret_value="
+ + org.owasp.esapi.ESAPI.encoder().encodeForBase64(result, true)
+ + "\n");
+ fw.close();
+ response.getWriter()
+ .println(
+ "Sensitive value: '"
+ + org.owasp
+ .esapi
+ .ESAPI
+ .encoder()
+ .encodeForHTML(new String(input))
+ + "' encrypted and stored
");
+
+ } catch (java.security.NoSuchAlgorithmException
+ | javax.crypto.NoSuchPaddingException
+ | javax.crypto.IllegalBlockSizeException
+ | javax.crypto.BadPaddingException
+ | java.security.InvalidKeyException
+ | java.security.InvalidAlgorithmParameterException e) {
+ response.getWriter()
+ .println(
+ "Problem executing crypto - javax.crypto.Cipher.getInstance(java.lang.String,java.security.Provider) Test Case");
+ e.printStackTrace(response.getWriter());
+ throw new ServletException(e);
+ }
+ }
+}
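Review bot: The comment `// DES requires 8 byte keys` on `byte[] iv = random.generateSeed(8);` describes the wrong thing — those bytes become the CBC IV through `IvParameterSpec`, while the key comes from `KeyGenerator.getInstance("DES")` a few lines later; `generateSeed` also draws from the seed source and may block on some platforms, so prefer `byte[] iv = new byte[8]; // DES block size, so the CBC IV is 8 bytes` / `random.nextBytes(iv);`. `e.printStackTrace(response.getWriter())` in the catch block writes the full stack trace into the HTTP response body; log it server-side and keep the client-facing text to the one-line message, since the `ServletException` rethrow already surfaces the failure. The per-request `SecretKey` is discarded after `doFinal`, so the `secret_value=` line appended to `passwordFile.txt` can never be decrypted; if only the algorithm choice matters for this crypto-00 case, a comment stating that the stored value is illustrative would pre-empt the question. The commented-out IV literal above ends in `(byte)0xC3033`, which would not compile if anyone restored it; either fix it to a byte literal or drop the dead comment.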