Esempio n. 1
0
  @Override
  public void doPost(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {

    org.owasp.benchmark.helpers.SeparateClassRequest scr =
        new org.owasp.benchmark.helpers.SeparateClassRequest(request);
    String param = scr.getTheValue("foo");

    String bar = new Test().doSomething(param);

    String a1 = "";
    String a2 = "";
    String osName = System.getProperty("os.name");
    if (osName.indexOf("Windows") != -1) {
      a1 = "cmd.exe";
      a2 = "/c";
    } else {
      a1 = "sh";
      a2 = "-c";
    }
    String[] args = {a1, a2, "echo", bar};

    String[] argsEnv = {"foo=bar"};

    Runtime r = Runtime.getRuntime();

    try {
      Process p = r.exec(args, argsEnv, new java.io.File(System.getProperty("user.dir")));
      org.owasp.benchmark.helpers.Utils.printOSCommandResults(p);
    } catch (IOException e) {
      System.out.println("Problem executing cmdi - TestCase");
      throw new ServletException(e);
    }
  } // end doPost
Esempio n. 2
0
  @Override
  public void doPost(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {

    org.owasp.benchmark.helpers.SeparateClassRequest scr =
        new org.owasp.benchmark.helpers.SeparateClassRequest(request);
    String param = scr.getTheValue("foo");

    String bar = "safe!";
    java.util.HashMap<String, Object> map72994 = new java.util.HashMap<String, Object>();
    map72994.put("keyA-72994", "a_Value"); // put some stuff in the collection
    map72994.put("keyB-72994", param.toString()); // put it in a collection
    map72994.put("keyC", "another_Value"); // put some stuff in the collection
    bar = (String) map72994.get("keyB-72994"); // get it back out
    bar = (String) map72994.get("keyA-72994"); // get safe value back out

    try {
      java.util.Random numGen = java.security.SecureRandom.getInstance("SHA1PRNG");
      boolean randNumber = getNextNumber(numGen);
    } catch (java.security.NoSuchAlgorithmException e) {
      System.out.println("Problem executing SecureRandom.nextBoolean() - TestCase");
      throw new ServletException(e);
    }

    response
        .getWriter()
        .println("Weak Randomness Test java.security.SecureRandom.nextBoolean() executed");
  }
Esempio n. 3
0
  @Override
  public void doPost(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {

    org.owasp.benchmark.helpers.SeparateClassRequest scr =
        new org.owasp.benchmark.helpers.SeparateClassRequest(request);
    String param = scr.getTheParameter("foo");

    String bar = new Test().doSomething(param);

    String sql = "{call verifyUserPassword('foo','" + bar + "')}";

    try {
      java.sql.Connection connection =
          org.owasp.benchmark.helpers.DatabaseHelper.getSqlConnection();
      java.sql.CallableStatement statement =
          connection.prepareCall(
              sql,
              java.sql.ResultSet.TYPE_FORWARD_ONLY,
              java.sql.ResultSet.CONCUR_READ_ONLY,
              java.sql.ResultSet.CLOSE_CURSORS_AT_COMMIT);
      statement.execute();
    } catch (java.sql.SQLException e) {
      throw new ServletException(e);
    }
  } // end doPost
Esempio n. 4
0
  @Override
  public void doPost(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {

    org.owasp.benchmark.helpers.SeparateClassRequest scr =
        new org.owasp.benchmark.helpers.SeparateClassRequest(request);
    String param = scr.getTheParameter("foo");

    String bar = new Test().doSomething(param);

    java.security.Provider[] provider = java.security.Security.getProviders();
    javax.crypto.Cipher c;

    try {
      c =
          javax.crypto.Cipher.getInstance(
              "AES/CBC/PKCS5PADDING", java.security.Security.getProvider("SunJCE"));
    } catch (java.security.NoSuchAlgorithmException e) {
      System.out.println(
          "Problem executing crypto - javax.crypto.Cipher.getInstance(java.lang.String,java.security.Provider) Test Case");
      throw new ServletException(e);
    } catch (javax.crypto.NoSuchPaddingException e) {
      System.out.println(
          "Problem executing crypto - javax.crypto.Cipher.getInstance(java.lang.String,java.security.Provider) Test Case");
      throw new ServletException(e);
    }
    response
        .getWriter()
        .println(
            "Crypto Test javax.crypto.Cipher.getInstance(java.lang.String,java.security.Provider) executed");
  } // end doPost
Esempio n. 5
0
  @Override
  public void doPost(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {

    org.owasp.benchmark.helpers.SeparateClassRequest scr =
        new org.owasp.benchmark.helpers.SeparateClassRequest(request);
    String param = scr.getTheValue("foo");

    String bar = param.split(" ")[0];

    try {
      java.security.MessageDigest md = java.security.MessageDigest.getInstance("SHA1", "SUN");
    } catch (java.security.NoSuchAlgorithmException e) {
      System.out.println(
          "Problem executing hash - TestCase java.security.MessageDigest.getInstance(java.lang.String,java.lang.String)");
      throw new ServletException(e);
    } catch (java.security.NoSuchProviderException e) {
      System.out.println(
          "Problem executing hash - TestCase java.security.MessageDigest.getInstance(java.lang.String,java.lang.String)");
      throw new ServletException(e);
    }

    response
        .getWriter()
        .println(
            "Hash Test java.security.MessageDigest.getInstance(java.lang.String,java.lang.String) executed");
  }
Esempio n. 6
0
  @Override
  public void doPost(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {

    org.owasp.benchmark.helpers.SeparateClassRequest scr =
        new org.owasp.benchmark.helpers.SeparateClassRequest(request);
    String param = scr.getTheValue("foo");

    String bar = param;
    if (param.length() > 1) {
      bar = param.substring(0, param.length() - 1);
    }

    // FILE URIs are tricky because they are different between Mac and Windows because of lack of
    // standardization.
    // Mac requires an extra slash for some reason.
    String startURIslashes = "";
    if (System.getProperty("os.name").indexOf("Windows") != -1)
      if (System.getProperty("os.name").indexOf("Windows") != -1) startURIslashes = "/";
      else startURIslashes = "//";

    try {
      java.net.URI fileURI =
          new java.net.URI(
              "file:"
                  + startURIslashes
                  + org.owasp.benchmark.helpers.Utils.testfileDir
                      .replace('\\', '/')
                      .replace(' ', '_')
                  + bar);
      new java.io.File(fileURI);
    } catch (java.net.URISyntaxException e) {
      throw new ServletException(e);
    }
  }
Esempio n. 7
0
  @Override
  public void doPost(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {

    org.owasp.benchmark.helpers.SeparateClassRequest scr =
        new org.owasp.benchmark.helpers.SeparateClassRequest(request);
    String param = scr.getTheParameter("foo");

    // Chain a bunch of propagators in sequence
    String a93077 = param; // assign
    StringBuilder b93077 = new StringBuilder(a93077); // stick in stringbuilder
    b93077.append(" SafeStuff"); // append some safe content
    b93077.replace(
        b93077.length() - "Chars".length(),
        b93077.length(),
        "Chars"); // replace some of the end content
    java.util.HashMap<String, Object> map93077 = new java.util.HashMap<String, Object>();
    map93077.put("key93077", b93077.toString()); // put in a collection
    String c93077 = (String) map93077.get("key93077"); // get it back out
    String d93077 = c93077.substring(0, c93077.length() - 1); // extract most of it
    String e93077 =
        new String(
            new sun.misc.BASE64Decoder()
                .decodeBuffer(
                    new sun.misc.BASE64Encoder()
                        .encode(d93077.getBytes()))); // B64 encode and decode it
    String f93077 = e93077.split(" ")[0]; // split it on a space
    org.owasp.benchmark.helpers.ThingInterface thing =
        org.owasp.benchmark.helpers.ThingFactory.createThing();
    String bar = thing.doSomething(f93077); // reflection

    java.io.File file = new java.io.File(bar);
  }
Esempio n. 8
0
  @Override
  public void doPost(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {

    org.owasp.benchmark.helpers.SeparateClassRequest scr =
        new org.owasp.benchmark.helpers.SeparateClassRequest(request);
    String param = scr.getTheValue("foo");

    String bar = "safe!";
    java.util.HashMap<String, Object> map13216 = new java.util.HashMap<String, Object>();
    map13216.put("keyA-13216", "a Value"); // put some stuff in the collection
    map13216.put("keyB-13216", param.toString()); // put it in a collection
    map13216.put("keyC", "another Value"); // put some stuff in the collection
    bar = (String) map13216.get("keyB-13216"); // get it back out

    String sql = "{call verifyUserPassword('foo','" + bar + "')}";

    try {
      java.sql.Connection connection =
          org.owasp.benchmark.helpers.DatabaseHelper.getSqlConnection();
      java.sql.CallableStatement statement = connection.prepareCall(sql);
      statement.execute();
    } catch (java.sql.SQLException e) {
      throw new ServletException(e);
    }
  }
Esempio n. 9
0
  @Override
  public void doPost(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {

    org.owasp.benchmark.helpers.SeparateClassRequest scr =
        new org.owasp.benchmark.helpers.SeparateClassRequest(request);
    String param = scr.getTheParameter("foo");

    String bar = new Test().doSomething(param);

    try {
      java.util.Random numGen = java.security.SecureRandom.getInstance("SHA1PRNG");

      // Get 40 random bytes
      byte[] randomBytes = new byte[40];
      getNextNumber(numGen, randomBytes);
      response.getWriter().println("Random bytes are: " + new String(randomBytes));

    } catch (java.security.NoSuchAlgorithmException e) {
      System.out.println("Problem executing SecureRandom.nextBytes() - TestCase");
      throw new ServletException(e);
    } finally {
      response
          .getWriter()
          .println("Randomness Test java.security.SecureRandom.nextBytes(byte[]) executed");
    }
  }
Esempio n. 10
0
  @Override
  public void doPost(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {

    org.owasp.benchmark.helpers.SeparateClassRequest scr =
        new org.owasp.benchmark.helpers.SeparateClassRequest(request);
    String param = scr.getTheParameter("foo");

    String bar = doSomething(param);

    java.security.Provider[] provider = java.security.Security.getProviders();
    java.security.MessageDigest md;

    try {
      if (provider.length > 1) {

        md = java.security.MessageDigest.getInstance("SHA1", provider[0]);
      } else {
        md = java.security.MessageDigest.getInstance("SHA1", "SUN");
      }
    } catch (java.security.NoSuchAlgorithmException e) {
      System.out.println(
          "Problem executing hash - TestCase java.security.MessageDigest.getInstance(java.lang.String,java.security.Provider)");
      throw new ServletException(e);
    } catch (java.security.NoSuchProviderException e) {
      System.out.println(
          "Problem executing hash - TestCase java.security.MessageDigest.getInstance(java.lang.String,java.security.Provider)");
      throw new ServletException(e);
    }

    response
        .getWriter()
        .println(
            "Hash Test java.security.MessageDigest.getInstance(java.lang.String,java.security.Provider) executed");
  } // end doPost
Esempio n. 11
0
  @Override
  public void doPost(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {

    org.owasp.benchmark.helpers.SeparateClassRequest scr =
        new org.owasp.benchmark.helpers.SeparateClassRequest(request);
    String param = scr.getTheParameter("foo");

    String bar = new Test().doSomething(param);

    try {
      java.util.Properties Benchmarkprops = new java.util.Properties();
      Benchmarkprops.load(
          this.getClass().getClassLoader().getResourceAsStream("Benchmark.properties"));
      String algorithm = Benchmarkprops.getProperty("cryptoAlg2", "AES/ECB/PKCS5Padding");
      javax.crypto.Cipher c = javax.crypto.Cipher.getInstance(algorithm);
    } catch (java.security.NoSuchAlgorithmException e) {
      System.out.println(
          "Problem executing crypto - javax.crypto.Cipher.getInstance(java.lang.String) Test Case");
      throw new ServletException(e);
    } catch (javax.crypto.NoSuchPaddingException e) {
      System.out.println(
          "Problem executing crypto - javax.crypto.Cipher.getInstance(java.lang.String) Test Case");
      throw new ServletException(e);
    }
    response
        .getWriter()
        .println("Crypto Test javax.crypto.Cipher.getInstance(java.lang.String) executed");
  } // end doPost
Esempio n. 12
0
  @Override
  public void doPost(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {
    response.setContentType("text/html");

    org.owasp.benchmark.helpers.SeparateClassRequest scr =
        new org.owasp.benchmark.helpers.SeparateClassRequest(request);
    String param = scr.getTheParameter("vector");
    if (param == null) param = "";

    String bar = "safe!";
    java.util.HashMap<String, Object> map51510 = new java.util.HashMap<String, Object>();
    map51510.put("keyA-51510", "a_Value"); // put some stuff in the collection
    map51510.put("keyB-51510", param); // put it in a collection
    map51510.put("keyC", "another_Value"); // put some stuff in the collection
    bar = (String) map51510.get("keyB-51510"); // get it back out
    bar = (String) map51510.get("keyA-51510"); // get safe value back out

    String cmd = "";
    String osName = System.getProperty("os.name");
    if (osName.indexOf("Windows") != -1) {
      cmd = org.owasp.benchmark.helpers.Utils.getOSCommandString("echo");
    }

    Runtime r = Runtime.getRuntime();

    try {
      Process p = r.exec(cmd + bar);
      org.owasp.benchmark.helpers.Utils.printOSCommandResults(p, response);
    } catch (IOException e) {
      System.out.println("Problem executing cmdi - TestCase");
      throw new ServletException(e);
    }
  }
Esempio n. 13
0
  @Override
  public void doPost(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {
    response.setContentType("text/html");

    org.owasp.benchmark.helpers.SeparateClassRequest scr =
        new org.owasp.benchmark.helpers.SeparateClassRequest(request);
    String param = scr.getTheParameter("vector");
    if (param == null) param = "";

    String bar = doSomething(param);

    byte[] bytes = new byte[10];
    new java.util.Random().nextBytes(bytes);
    String rememberMeKey = org.owasp.esapi.ESAPI.encoder().encodeForBase64(bytes, true);

    String user = "******";
    String fullClassName = this.getClass().getName();
    String testCaseNumber =
        fullClassName.substring(fullClassName.lastIndexOf('.') + 1 + "BenchmarkTest".length());
    user += testCaseNumber;

    String cookieName = "rememberMe" + testCaseNumber;

    boolean foundUser = false;
    javax.servlet.http.Cookie[] cookies = request.getCookies();
    if (cookies != null) {
      for (int i = 0; !foundUser && i < cookies.length; i++) {
        javax.servlet.http.Cookie cookie = cookies[i];
        if (cookieName.equals(cookie.getName())) {
          if (cookie.getValue().equals(request.getSession().getAttribute(cookieName))) {
            foundUser = true;
          }
        }
      }
    }

    if (foundUser) {
      response.getWriter().println("Welcome back: " + user + "<br/>");
    } else {
      javax.servlet.http.Cookie rememberMe =
          new javax.servlet.http.Cookie(cookieName, rememberMeKey);
      rememberMe.setSecure(true);
      rememberMe.setPath("/benchmark/" + this.getClass().getSimpleName());
      request.getSession().setAttribute(cookieName, rememberMeKey);
      response.addCookie(rememberMe);
      response
          .getWriter()
          .println(
              user
                  + " has been remembered with cookie: "
                  + rememberMe.getName()
                  + " whose value is: "
                  + rememberMe.getValue()
                  + "<br/>");
    }

    response.getWriter().println("Weak Randomness Test java.util.Random.nextBytes() executed");
  } // end doPost
Esempio n. 14
0
  @Override
  public void doPost(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {
    response.setContentType("text/html");

    org.owasp.benchmark.helpers.SeparateClassRequest scr =
        new org.owasp.benchmark.helpers.SeparateClassRequest(request);
    String param = scr.getTheValue("vector");

    String bar = doSomething(param);

    try {
      java.util.Properties benchmarkprops = new java.util.Properties();
      benchmarkprops.load(
          this.getClass().getClassLoader().getResourceAsStream("benchmark.properties"));
      String algorithm = benchmarkprops.getProperty("hashAlg2", "SHA5");
      java.security.MessageDigest md = java.security.MessageDigest.getInstance(algorithm);
      byte[] input = {(byte) '?'};
      Object inputParam = bar;
      if (inputParam instanceof String) input = ((String) inputParam).getBytes();
      if (inputParam instanceof java.io.InputStream) {
        byte[] strInput = new byte[1000];
        int i = ((java.io.InputStream) inputParam).read(strInput);
        if (i == -1) {
          response
              .getWriter()
              .println(
                  "This input source requires a POST, not a GET. Incompatible UI for the InputStream source.");
          return;
        }
        input = java.util.Arrays.copyOf(strInput, i);
      }
      md.update(input);

      byte[] result = md.digest();
      java.io.File fileTarget =
          new java.io.File(
              new java.io.File(org.owasp.benchmark.helpers.Utils.testfileDir), "passwordFile.txt");
      java.io.FileWriter fw =
          new java.io.FileWriter(fileTarget, true); // the true will append the new data
      fw.write(
          "hash_value=" + org.owasp.esapi.ESAPI.encoder().encodeForBase64(result, true) + "\n");
      fw.close();
      response
          .getWriter()
          .println(
              "Sensitive value '"
                  + org.owasp.esapi.ESAPI.encoder().encodeForHTML(new String(input))
                  + "' hashed and stored<br/>");
    } catch (java.security.NoSuchAlgorithmException e) {
      System.out.println("Problem executing hash - TestCase");
      throw new ServletException(e);
    }

    response
        .getWriter()
        .println("Hash Test java.security.MessageDigest.getInstance(java.lang.String) executed");
  } // end doPost
Esempio n. 15
0
  @Override
  public void doPost(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {

    org.owasp.benchmark.helpers.SeparateClassRequest scr =
        new org.owasp.benchmark.helpers.SeparateClassRequest(request);
    String param = scr.getTheParameter("foo");

    String bar;
    String guess = "ABC";
    char switchTarget = guess.charAt(2);

    // Simple case statement that assigns param to bar on conditions 'A' or 'C'
    switch (switchTarget) {
      case 'A':
        bar = param;
        break;
      case 'B':
        bar = "bobs_your_uncle";
        break;
      case 'C':
      case 'D':
        bar = param;
        break;
      default:
        bar = "bobs_your_uncle";
        break;
    }

    java.security.Provider[] provider = java.security.Security.getProviders();
    java.security.MessageDigest md;

    try {
      if (provider.length > 1) {

        md = java.security.MessageDigest.getInstance("sha-384", provider[0]);
      } else {
        md = java.security.MessageDigest.getInstance("sha-384", "SUN");
      }
    } catch (java.security.NoSuchAlgorithmException e) {
      System.out.println(
          "Problem executing hash - TestCase java.security.MessageDigest.getInstance(java.lang.String,java.security.Provider)");
      throw new ServletException(e);
    } catch (java.security.NoSuchProviderException e) {
      System.out.println(
          "Problem executing hash - TestCase java.security.MessageDigest.getInstance(java.lang.String,java.security.Provider)");
      throw new ServletException(e);
    }

    response
        .getWriter()
        .println(
            "Hash Test java.security.MessageDigest.getInstance(java.lang.String,java.security.Provider) executed");
  }
Esempio n. 16
0
  @Override
  public void doPost(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {

    org.owasp.benchmark.helpers.SeparateClassRequest scr =
        new org.owasp.benchmark.helpers.SeparateClassRequest(request);
    String param = scr.getTheParameter("foo");

    String bar = org.owasp.esapi.ESAPI.encoder().encodeForHTML(param);

    response.getWriter().write(bar);
  }
Esempio n. 17
0
  @Override
  public void doPost(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {

    org.owasp.benchmark.helpers.SeparateClassRequest scr =
        new org.owasp.benchmark.helpers.SeparateClassRequest(request);
    String param = scr.getTheValue("foo");

    String bar = doSomething(param);

    response.getWriter().print(bar.toCharArray());
  } // end doPost
Esempio n. 18
0
  @Override
  public void doPost(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {

    org.owasp.benchmark.helpers.SeparateClassRequest scr =
        new org.owasp.benchmark.helpers.SeparateClassRequest(request);
    String param = scr.getTheValue("foo");

    String bar = doSomething(param);

    java.io.File file = new java.io.File(bar);
  } // end doPost
Esempio n. 19
0
  @Override
  public void doPost(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {

    org.owasp.benchmark.helpers.SeparateClassRequest scr =
        new org.owasp.benchmark.helpers.SeparateClassRequest(request);
    String param = scr.getTheValue("foo");

    String bar = param;

    // javax.servlet.http.HttpSession.putValue(java.lang.String^,java.lang.Object)
    request.getSession().putValue(bar, "foo");
  }
Esempio n. 20
0
  @Override
  public void doPost(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {

    org.owasp.benchmark.helpers.SeparateClassRequest scr =
        new org.owasp.benchmark.helpers.SeparateClassRequest(request);
    String param = scr.getTheValue("foo");

    String bar = doSomething(param);

    // javax.servlet.http.HttpSession.setAttribute(java.lang.String,java.lang.Object^)
    request.getSession().setAttribute("foo", bar);
  } // end doPost
Esempio n. 21
0
  @Override
  public void doPost(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {

    org.owasp.benchmark.helpers.SeparateClassRequest scr =
        new org.owasp.benchmark.helpers.SeparateClassRequest(request);
    String param = scr.getTheParameter("foo");

    String bar = new Test().doSomething(param);

    Object[] obj = {"a", "b"};

    response.getWriter().printf(bar, obj);
  } // end doPost
Esempio n. 22
0
  @Override
  public void doPost(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {

    org.owasp.benchmark.helpers.SeparateClassRequest scr =
        new org.owasp.benchmark.helpers.SeparateClassRequest(request);
    String param = scr.getTheValue("foo");

    String bar = new Test().doSomething(param);

    Object[] obj = {"a", bar};

    response.getWriter().format(java.util.Locale.US, "notfoo", obj);
  } // end doPost
Esempio n. 23
0
  @Override
  public void doPost(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {

    org.owasp.benchmark.helpers.SeparateClassRequest scr =
        new org.owasp.benchmark.helpers.SeparateClassRequest(request);
    String param = scr.getTheParameter("foo");

    String bar = new Test().doSomething(param);

    double rand = new java.util.Random().nextDouble();

    response.getWriter().println("Weak Randomness Test java.util.Random.nextDouble() executed");
  } // end doPost
Esempio n. 24
0
  @Override
  public void doPost(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {

    org.owasp.benchmark.helpers.SeparateClassRequest scr =
        new org.owasp.benchmark.helpers.SeparateClassRequest(request);
    String param = scr.getTheParameter("foo");

    // Chain a bunch of propagators in sequence
    String a32671 = param; // assign
    StringBuilder b32671 = new StringBuilder(a32671); // stick in stringbuilder
    b32671.append(" SafeStuff"); // append some safe content
    b32671.replace(
        b32671.length() - "Chars".length(),
        b32671.length(),
        "Chars"); // replace some of the end content
    java.util.HashMap<String, Object> map32671 = new java.util.HashMap<String, Object>();
    map32671.put("key32671", b32671.toString()); // put in a collection
    String c32671 = (String) map32671.get("key32671"); // get it back out
    String d32671 = c32671.substring(0, c32671.length() - 1); // extract most of it
    String e32671 =
        new String(
            new sun.misc.BASE64Decoder()
                .decodeBuffer(
                    new sun.misc.BASE64Encoder()
                        .encode(d32671.getBytes()))); // B64 encode and decode it
    String f32671 = e32671.split(" ")[0]; // split it on a space
    org.owasp.benchmark.helpers.ThingInterface thing =
        org.owasp.benchmark.helpers.ThingFactory.createThing();
    String bar = thing.doSomething(f32671); // reflection

    try {
      java.security.SecureRandom secureRandomGenerator =
          java.security.SecureRandom.getInstance("SHA1PRNG");

      // Get 40 random bytes
      byte[] randomBytes = new byte[40];
      secureRandomGenerator.nextBytes(randomBytes);
      response.getWriter().println("Random bytes are: " + new String(randomBytes));

    } catch (java.security.NoSuchAlgorithmException e) {
      System.out.println("Problem executing SecureRandom.nextBytes() - TestCase");
      throw new ServletException(e);
    } finally {
      response
          .getWriter()
          .println("Randomness Test java.security.SecureRandom.nextBytes(byte[]) executed");
    }
  }
Esempio n. 25
0
  @Override
  public void doPost(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {

    org.owasp.benchmark.helpers.SeparateClassRequest scr =
        new org.owasp.benchmark.helpers.SeparateClassRequest(request);
    String param = scr.getTheParameter("foo");

    String bar = doSomething(param);

    int length = 1;
    if (bar != null) {
      length = bar.length();
      response.getWriter().write(bar, 0, length - 1);
    }
  } // end doPost
Esempio n. 26
0
  @Override
  public void doPost(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {

    org.owasp.benchmark.helpers.SeparateClassRequest scr =
        new org.owasp.benchmark.helpers.SeparateClassRequest(request);
    String param = scr.getTheValue("foo");

    String bar = new Test().doSomething(param);

    javax.servlet.http.Cookie cookie = new javax.servlet.http.Cookie("SomeCookie", "SomeValue");

    cookie.setSecure(false);

    response.addCookie(cookie);
  } // end doPost
Esempio n. 27
0
  @Override
  public void doPost(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {

    org.owasp.benchmark.helpers.SeparateClassRequest scr =
        new org.owasp.benchmark.helpers.SeparateClassRequest(request);
    String param = scr.getTheValue("foo");

    String bar = doSomething(param);

    try {
      javax.naming.directory.DirContext dc = org.owasp.benchmark.helpers.Utils.getDirContext();
      dc.search("name", bar, new javax.naming.directory.SearchControls());
    } catch (javax.naming.NamingException e) {
      throw new ServletException(e);
    }
  } // end doPost
Esempio n. 28
0
  @Override
  public void doPost(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {

    org.owasp.benchmark.helpers.SeparateClassRequest scr =
        new org.owasp.benchmark.helpers.SeparateClassRequest(request);
    String param = scr.getTheParameter("foo");

    String bar;

    // Simple if statement that assigns param to bar on true condition
    int i = 196;
    if ((500 / 42) + i > 200) bar = param;
    else bar = "This should never happen";

    response.getWriter().print(bar.toCharArray());
  }
Esempio n. 29
0
  @Override
  public void doPost(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {
    response.setContentType("text/html");

    org.owasp.benchmark.helpers.SeparateClassRequest scr =
        new org.owasp.benchmark.helpers.SeparateClassRequest(request);
    String param = scr.getTheParameter("vector");
    if (param == null) param = "";

    // Chain a bunch of propagators in sequence
    String a59200 = param; // assign
    StringBuilder b59200 = new StringBuilder(a59200); // stick in stringbuilder
    b59200.append(" SafeStuff"); // append some safe content
    b59200.replace(
        b59200.length() - "Chars".length(),
        b59200.length(),
        "Chars"); // replace some of the end content
    java.util.HashMap<String, Object> map59200 = new java.util.HashMap<String, Object>();
    map59200.put("key59200", b59200.toString()); // put in a collection
    String c59200 = (String) map59200.get("key59200"); // get it back out
    String d59200 = c59200.substring(0, c59200.length() - 1); // extract most of it
    String e59200 =
        new String(
            new sun.misc.BASE64Decoder()
                .decodeBuffer(
                    new sun.misc.BASE64Encoder()
                        .encode(d59200.getBytes()))); // B64 encode and decode it
    String f59200 = e59200.split(" ")[0]; // split it on a space
    org.owasp.benchmark.helpers.ThingInterface thing =
        org.owasp.benchmark.helpers.ThingFactory.createThing();
    String g59200 = "barbarians_at_the_gate"; // This is static so this whole flow is 'safe'
    String bar = thing.doSomething(g59200); // reflection

    java.io.File fileTarget =
        new java.io.File(new java.io.File(org.owasp.benchmark.helpers.Utils.testfileDir), bar);
    response.getWriter().write("Access to file: '" + fileTarget + "' created.");
    if (fileTarget.exists()) {
      response.getWriter().write(" And file already exists.");
    } else {
      response.getWriter().write(" But file doesn't exist yet.");
    }
  }
Esempio n. 30
0
  @Override
  public void doPost(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {

    org.owasp.benchmark.helpers.SeparateClassRequest scr =
        new org.owasp.benchmark.helpers.SeparateClassRequest(request);
    String param = scr.getTheParameter("foo");

    String bar = doSomething(param);

    javax.xml.xpath.XPathFactory xpf = javax.xml.xpath.XPathFactory.newInstance();
    javax.xml.xpath.XPath xp = xpf.newXPath();
    try {
      xp.compile(bar);
    } catch (javax.xml.xpath.XPathExpressionException e) {
      // OK to swallow
      System.out.println("XPath expression exception caught and swallowed: " + e.getMessage());
    }
  } // end doPost