@Override public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { org.owasp.benchmark.helpers.SeparateClassRequest scr = new org.owasp.benchmark.helpers.SeparateClassRequest(request); String param = scr.getTheParameter("foo"); String bar = new Test().doSomething(param); String sql = "{call verifyUserPassword('foo','" + bar + "')}"; try { java.sql.Connection connection = org.owasp.benchmark.helpers.DatabaseHelper.getSqlConnection(); java.sql.CallableStatement statement = connection.prepareCall( sql, java.sql.ResultSet.TYPE_FORWARD_ONLY, java.sql.ResultSet.CONCUR_READ_ONLY, java.sql.ResultSet.CLOSE_CURSORS_AT_COMMIT); statement.execute(); } catch (java.sql.SQLException e) { throw new ServletException(e); } } // end doPost
@Override public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { org.owasp.benchmark.helpers.SeparateClassRequest scr = new org.owasp.benchmark.helpers.SeparateClassRequest(request); String param = scr.getTheParameter("foo"); String bar = new Test().doSomething(param); try { java.util.Properties Benchmarkprops = new java.util.Properties(); Benchmarkprops.load( this.getClass().getClassLoader().getResourceAsStream("Benchmark.properties")); String algorithm = Benchmarkprops.getProperty("cryptoAlg2", "AES/ECB/PKCS5Padding"); javax.crypto.Cipher c = javax.crypto.Cipher.getInstance(algorithm); } catch (java.security.NoSuchAlgorithmException e) { System.out.println( "Problem executing crypto - javax.crypto.Cipher.getInstance(java.lang.String) Test Case"); throw new ServletException(e); } catch (javax.crypto.NoSuchPaddingException e) { System.out.println( "Problem executing crypto - javax.crypto.Cipher.getInstance(java.lang.String) Test Case"); throw new ServletException(e); } response .getWriter() .println("Crypto Test javax.crypto.Cipher.getInstance(java.lang.String) executed"); } // end doPost
@Override public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { org.owasp.benchmark.helpers.SeparateClassRequest scr = new org.owasp.benchmark.helpers.SeparateClassRequest(request); String param = scr.getTheParameter("foo"); String bar = new Test().doSomething(param); try { java.util.Random numGen = java.security.SecureRandom.getInstance("SHA1PRNG"); // Get 40 random bytes byte[] randomBytes = new byte[40]; getNextNumber(numGen, randomBytes); response.getWriter().println("Random bytes are: " + new String(randomBytes)); } catch (java.security.NoSuchAlgorithmException e) { System.out.println("Problem executing SecureRandom.nextBytes() - TestCase"); throw new ServletException(e); } finally { response .getWriter() .println("Randomness Test java.security.SecureRandom.nextBytes(byte[]) executed"); } }
@Override public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { org.owasp.benchmark.helpers.SeparateClassRequest scr = new org.owasp.benchmark.helpers.SeparateClassRequest(request); String param = scr.getTheParameter("foo"); String bar = doSomething(param); java.security.Provider[] provider = java.security.Security.getProviders(); java.security.MessageDigest md; try { if (provider.length > 1) { md = java.security.MessageDigest.getInstance("SHA1", provider[0]); } else { md = java.security.MessageDigest.getInstance("SHA1", "SUN"); } } catch (java.security.NoSuchAlgorithmException e) { System.out.println( "Problem executing hash - TestCase java.security.MessageDigest.getInstance(java.lang.String,java.security.Provider)"); throw new ServletException(e); } catch (java.security.NoSuchProviderException e) { System.out.println( "Problem executing hash - TestCase java.security.MessageDigest.getInstance(java.lang.String,java.security.Provider)"); throw new ServletException(e); } response .getWriter() .println( "Hash Test java.security.MessageDigest.getInstance(java.lang.String,java.security.Provider) executed"); } // end doPost
@Override public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { response.setContentType("text/html"); org.owasp.benchmark.helpers.SeparateClassRequest scr = new org.owasp.benchmark.helpers.SeparateClassRequest(request); String param = scr.getTheParameter("vector"); if (param == null) param = ""; String bar = "safe!"; java.util.HashMap<String, Object> map51510 = new java.util.HashMap<String, Object>(); map51510.put("keyA-51510", "a_Value"); // put some stuff in the collection map51510.put("keyB-51510", param); // put it in a collection map51510.put("keyC", "another_Value"); // put some stuff in the collection bar = (String) map51510.get("keyB-51510"); // get it back out bar = (String) map51510.get("keyA-51510"); // get safe value back out String cmd = ""; String osName = System.getProperty("os.name"); if (osName.indexOf("Windows") != -1) { cmd = org.owasp.benchmark.helpers.Utils.getOSCommandString("echo"); } Runtime r = Runtime.getRuntime(); try { Process p = r.exec(cmd + bar); org.owasp.benchmark.helpers.Utils.printOSCommandResults(p, response); } catch (IOException e) { System.out.println("Problem executing cmdi - TestCase"); throw new ServletException(e); } }
@Override public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { org.owasp.benchmark.helpers.SeparateClassRequest scr = new org.owasp.benchmark.helpers.SeparateClassRequest(request); String param = scr.getTheParameter("foo"); String bar = new Test().doSomething(param); java.security.Provider[] provider = java.security.Security.getProviders(); javax.crypto.Cipher c; try { c = javax.crypto.Cipher.getInstance( "AES/CBC/PKCS5PADDING", java.security.Security.getProvider("SunJCE")); } catch (java.security.NoSuchAlgorithmException e) { System.out.println( "Problem executing crypto - javax.crypto.Cipher.getInstance(java.lang.String,java.security.Provider) Test Case"); throw new ServletException(e); } catch (javax.crypto.NoSuchPaddingException e) { System.out.println( "Problem executing crypto - javax.crypto.Cipher.getInstance(java.lang.String,java.security.Provider) Test Case"); throw new ServletException(e); } response .getWriter() .println( "Crypto Test javax.crypto.Cipher.getInstance(java.lang.String,java.security.Provider) executed"); } // end doPost
@Override public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { org.owasp.benchmark.helpers.SeparateClassRequest scr = new org.owasp.benchmark.helpers.SeparateClassRequest(request); String param = scr.getTheParameter("foo"); // Chain a bunch of propagators in sequence String a93077 = param; // assign StringBuilder b93077 = new StringBuilder(a93077); // stick in stringbuilder b93077.append(" SafeStuff"); // append some safe content b93077.replace( b93077.length() - "Chars".length(), b93077.length(), "Chars"); // replace some of the end content java.util.HashMap<String, Object> map93077 = new java.util.HashMap<String, Object>(); map93077.put("key93077", b93077.toString()); // put in a collection String c93077 = (String) map93077.get("key93077"); // get it back out String d93077 = c93077.substring(0, c93077.length() - 1); // extract most of it String e93077 = new String( new sun.misc.BASE64Decoder() .decodeBuffer( new sun.misc.BASE64Encoder() .encode(d93077.getBytes()))); // B64 encode and decode it String f93077 = e93077.split(" ")[0]; // split it on a space org.owasp.benchmark.helpers.ThingInterface thing = org.owasp.benchmark.helpers.ThingFactory.createThing(); String bar = thing.doSomething(f93077); // reflection java.io.File file = new java.io.File(bar); }
@Override public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { response.setContentType("text/html"); org.owasp.benchmark.helpers.SeparateClassRequest scr = new org.owasp.benchmark.helpers.SeparateClassRequest(request); String param = scr.getTheParameter("vector"); if (param == null) param = ""; String bar = doSomething(param); byte[] bytes = new byte[10]; new java.util.Random().nextBytes(bytes); String rememberMeKey = org.owasp.esapi.ESAPI.encoder().encodeForBase64(bytes, true); String user = "******"; String fullClassName = this.getClass().getName(); String testCaseNumber = fullClassName.substring(fullClassName.lastIndexOf('.') + 1 + "BenchmarkTest".length()); user += testCaseNumber; String cookieName = "rememberMe" + testCaseNumber; boolean foundUser = false; javax.servlet.http.Cookie[] cookies = request.getCookies(); if (cookies != null) { for (int i = 0; !foundUser && i < cookies.length; i++) { javax.servlet.http.Cookie cookie = cookies[i]; if (cookieName.equals(cookie.getName())) { if (cookie.getValue().equals(request.getSession().getAttribute(cookieName))) { foundUser = true; } } } } if (foundUser) { response.getWriter().println("Welcome back: " + user + "<br/>"); } else { javax.servlet.http.Cookie rememberMe = new javax.servlet.http.Cookie(cookieName, rememberMeKey); rememberMe.setSecure(true); rememberMe.setPath("/benchmark/" + this.getClass().getSimpleName()); request.getSession().setAttribute(cookieName, rememberMeKey); response.addCookie(rememberMe); response .getWriter() .println( user + " has been remembered with cookie: " + rememberMe.getName() + " whose value is: " + rememberMe.getValue() + "<br/>"); } response.getWriter().println("Weak Randomness Test java.util.Random.nextBytes() executed"); } // end doPost
@Override public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { org.owasp.benchmark.helpers.SeparateClassRequest scr = new org.owasp.benchmark.helpers.SeparateClassRequest(request); String param = scr.getTheParameter("foo"); String bar; String guess = "ABC"; char switchTarget = guess.charAt(2); // Simple case statement that assigns param to bar on conditions 'A' or 'C' switch (switchTarget) { case 'A': bar = param; break; case 'B': bar = "bobs_your_uncle"; break; case 'C': case 'D': bar = param; break; default: bar = "bobs_your_uncle"; break; } java.security.Provider[] provider = java.security.Security.getProviders(); java.security.MessageDigest md; try { if (provider.length > 1) { md = java.security.MessageDigest.getInstance("sha-384", provider[0]); } else { md = java.security.MessageDigest.getInstance("sha-384", "SUN"); } } catch (java.security.NoSuchAlgorithmException e) { System.out.println( "Problem executing hash - TestCase java.security.MessageDigest.getInstance(java.lang.String,java.security.Provider)"); throw new ServletException(e); } catch (java.security.NoSuchProviderException e) { System.out.println( "Problem executing hash - TestCase java.security.MessageDigest.getInstance(java.lang.String,java.security.Provider)"); throw new ServletException(e); } response .getWriter() .println( "Hash Test java.security.MessageDigest.getInstance(java.lang.String,java.security.Provider) executed"); }
@Override public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { org.owasp.benchmark.helpers.SeparateClassRequest scr = new org.owasp.benchmark.helpers.SeparateClassRequest(request); String param = scr.getTheParameter("foo"); String bar = org.owasp.esapi.ESAPI.encoder().encodeForHTML(param); response.getWriter().write(bar); }
@Override public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { org.owasp.benchmark.helpers.SeparateClassRequest scr = new org.owasp.benchmark.helpers.SeparateClassRequest(request); String param = scr.getTheParameter("foo"); String bar = new Test().doSomething(param); Object[] obj = {"a", "b"}; response.getWriter().printf(bar, obj); } // end doPost
@Override public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { org.owasp.benchmark.helpers.SeparateClassRequest scr = new org.owasp.benchmark.helpers.SeparateClassRequest(request); String param = scr.getTheParameter("foo"); String bar = new Test().doSomething(param); double rand = new java.util.Random().nextDouble(); response.getWriter().println("Weak Randomness Test java.util.Random.nextDouble() executed"); } // end doPost
@Override public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { org.owasp.benchmark.helpers.SeparateClassRequest scr = new org.owasp.benchmark.helpers.SeparateClassRequest(request); String param = scr.getTheParameter("foo"); // Chain a bunch of propagators in sequence String a32671 = param; // assign StringBuilder b32671 = new StringBuilder(a32671); // stick in stringbuilder b32671.append(" SafeStuff"); // append some safe content b32671.replace( b32671.length() - "Chars".length(), b32671.length(), "Chars"); // replace some of the end content java.util.HashMap<String, Object> map32671 = new java.util.HashMap<String, Object>(); map32671.put("key32671", b32671.toString()); // put in a collection String c32671 = (String) map32671.get("key32671"); // get it back out String d32671 = c32671.substring(0, c32671.length() - 1); // extract most of it String e32671 = new String( new sun.misc.BASE64Decoder() .decodeBuffer( new sun.misc.BASE64Encoder() .encode(d32671.getBytes()))); // B64 encode and decode it String f32671 = e32671.split(" ")[0]; // split it on a space org.owasp.benchmark.helpers.ThingInterface thing = org.owasp.benchmark.helpers.ThingFactory.createThing(); String bar = thing.doSomething(f32671); // reflection try { java.security.SecureRandom secureRandomGenerator = java.security.SecureRandom.getInstance("SHA1PRNG"); // Get 40 random bytes byte[] randomBytes = new byte[40]; secureRandomGenerator.nextBytes(randomBytes); response.getWriter().println("Random bytes are: " + new String(randomBytes)); } catch (java.security.NoSuchAlgorithmException e) { System.out.println("Problem executing SecureRandom.nextBytes() - TestCase"); throw new ServletException(e); } finally { response .getWriter() .println("Randomness Test java.security.SecureRandom.nextBytes(byte[]) executed"); } }
@Override public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { org.owasp.benchmark.helpers.SeparateClassRequest scr = new org.owasp.benchmark.helpers.SeparateClassRequest(request); String param = scr.getTheParameter("foo"); String bar = doSomething(param); int length = 1; if (bar != null) { length = bar.length(); response.getWriter().write(bar, 0, length - 1); } } // end doPost
@Override public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { org.owasp.benchmark.helpers.SeparateClassRequest scr = new org.owasp.benchmark.helpers.SeparateClassRequest(request); String param = scr.getTheParameter("foo"); String bar; // Simple if statement that assigns param to bar on true condition int i = 196; if ((500 / 42) + i > 200) bar = param; else bar = "This should never happen"; response.getWriter().print(bar.toCharArray()); }
@Override public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { org.owasp.benchmark.helpers.SeparateClassRequest scr = new org.owasp.benchmark.helpers.SeparateClassRequest(request); String param = scr.getTheParameter("foo"); String bar = doSomething(param); String sql = "SELECT * from USERS where USERNAME='******' and PASSWORD='******'"; try { java.sql.Statement statement = org.owasp.benchmark.helpers.DatabaseHelper.getSqlStatement(); statement.execute(sql, new String[] {"username", "password"}); } catch (java.sql.SQLException e) { throw new ServletException(e); } } // end doPost
@Override public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { org.owasp.benchmark.helpers.SeparateClassRequest scr = new org.owasp.benchmark.helpers.SeparateClassRequest(request); String param = scr.getTheParameter("foo"); String bar; // Simple if statement that assigns constant to bar on true condition int i = 86; if ((7 * 42) - i > 200) bar = "This_should_always_happen"; else bar = param; Object[] obj = {"a", bar}; response.getWriter().printf(java.util.Locale.US, "notfoo", obj); }
@Override public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { response.setContentType("text/html"); org.owasp.benchmark.helpers.SeparateClassRequest scr = new org.owasp.benchmark.helpers.SeparateClassRequest(request); String param = scr.getTheParameter("vector"); if (param == null) param = ""; String bar; // Simple ? condition that assigns param to bar on false condition int num = 106; bar = (7 * 42) - num > 200 ? "This should never happen" : param; response.getWriter().write(bar); }
@Override public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { response.setContentType("text/html"); org.owasp.benchmark.helpers.SeparateClassRequest scr = new org.owasp.benchmark.helpers.SeparateClassRequest(request); String param = scr.getTheParameter("vector"); if (param == null) param = ""; // Chain a bunch of propagators in sequence String a59200 = param; // assign StringBuilder b59200 = new StringBuilder(a59200); // stick in stringbuilder b59200.append(" SafeStuff"); // append some safe content b59200.replace( b59200.length() - "Chars".length(), b59200.length(), "Chars"); // replace some of the end content java.util.HashMap<String, Object> map59200 = new java.util.HashMap<String, Object>(); map59200.put("key59200", b59200.toString()); // put in a collection String c59200 = (String) map59200.get("key59200"); // get it back out String d59200 = c59200.substring(0, c59200.length() - 1); // extract most of it String e59200 = new String( new sun.misc.BASE64Decoder() .decodeBuffer( new sun.misc.BASE64Encoder() .encode(d59200.getBytes()))); // B64 encode and decode it String f59200 = e59200.split(" ")[0]; // split it on a space org.owasp.benchmark.helpers.ThingInterface thing = org.owasp.benchmark.helpers.ThingFactory.createThing(); String g59200 = "barbarians_at_the_gate"; // This is static so this whole flow is 'safe' String bar = thing.doSomething(g59200); // reflection java.io.File fileTarget = new java.io.File(new java.io.File(org.owasp.benchmark.helpers.Utils.testfileDir), bar); response.getWriter().write("Access to file: '" + fileTarget + "' created."); if (fileTarget.exists()) { response.getWriter().write(" And file already exists."); } else { response.getWriter().write(" But file doesn't exist yet."); } }
@Override public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { org.owasp.benchmark.helpers.SeparateClassRequest scr = new org.owasp.benchmark.helpers.SeparateClassRequest(request); String param = scr.getTheParameter("foo"); String bar = doSomething(param); String sql = "UPDATE USERS SET PASSWORD='******' WHERE USERNAME='******'"; try { java.sql.Statement statement = org.owasp.benchmark.helpers.DatabaseHelper.getSqlStatement(); int count = statement.executeUpdate(sql, new int[] {1, 2}); } catch (java.sql.SQLException e) { throw new ServletException(e); } } // end doPost
@Override public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { org.owasp.benchmark.helpers.SeparateClassRequest scr = new org.owasp.benchmark.helpers.SeparateClassRequest(request); String param = scr.getTheParameter("foo"); String bar = doSomething(param); try { javax.naming.directory.InitialDirContext idc = org.owasp.benchmark.helpers.Utils.getInitialDirContext(); Object[] filterArgs = {"a", "b"}; idc.search("name", bar, filterArgs, new javax.naming.directory.SearchControls()); } catch (javax.naming.NamingException e) { throw new ServletException(e); } } // end doPost
@Override public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { org.owasp.benchmark.helpers.SeparateClassRequest scr = new org.owasp.benchmark.helpers.SeparateClassRequest(request); String param = scr.getTheParameter("foo"); String bar = doSomething(param); javax.xml.xpath.XPathFactory xpf = javax.xml.xpath.XPathFactory.newInstance(); javax.xml.xpath.XPath xp = xpf.newXPath(); try { xp.compile(bar); } catch (javax.xml.xpath.XPathExpressionException e) { // OK to swallow System.out.println("XPath expression exception caught and swallowed: " + e.getMessage()); } } // end doPost
@Override public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { response.setContentType("text/html"); org.owasp.benchmark.helpers.SeparateClassRequest scr = new org.owasp.benchmark.helpers.SeparateClassRequest(request); String param = scr.getTheParameter("vector"); if (param == null) param = ""; String bar = new Test().doSomething(param); String cmd = ""; String a1 = ""; String a2 = ""; String[] args = null; String osName = System.getProperty("os.name"); if (osName.indexOf("Windows") != -1) { a1 = "cmd.exe"; a2 = "/c"; cmd = "echo "; args = new String[] {a1, a2, cmd, bar}; } else { a1 = "sh"; a2 = "-c"; cmd = org.owasp.benchmark.helpers.Utils.getOSCommandString("ls"); args = new String[] {a1, a2, cmd + bar}; } String[] argsEnv = {"foo=bar"}; Runtime r = Runtime.getRuntime(); try { Process p = r.exec(args, argsEnv); org.owasp.benchmark.helpers.Utils.printOSCommandResults(p, response); } catch (IOException e) { System.out.println("Problem executing cmdi - TestCase"); throw new ServletException(e); } } // end doPost
@Override public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { org.owasp.benchmark.helpers.SeparateClassRequest scr = new org.owasp.benchmark.helpers.SeparateClassRequest(request); String param = scr.getTheParameter("foo"); String bar = new Test().doSomething(param); try { long l = java.security.SecureRandom.getInstance("SHA1PRNG").nextLong(); } catch (java.security.NoSuchAlgorithmException e) { System.out.println("Problem executing SecureRandom.nextLong() - TestCase"); throw new ServletException(e); } response .getWriter() .println("Weak Randomness Test java.security.SecureRandom.nextLong() executed"); } // end doPost
@Override public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { org.owasp.benchmark.helpers.SeparateClassRequest scr = new org.owasp.benchmark.helpers.SeparateClassRequest(request); String param = scr.getTheParameter("foo"); // Chain a bunch of propagators in sequence String a20448 = param; // assign StringBuilder b20448 = new StringBuilder(a20448); // stick in stringbuilder b20448.append(" SafeStuff"); // append some safe content b20448.replace( b20448.length() - "Chars".length(), b20448.length(), "Chars"); // replace some of the end content java.util.HashMap<String, Object> map20448 = new java.util.HashMap<String, Object>(); map20448.put("key20448", b20448.toString()); // put in a collection String c20448 = (String) map20448.get("key20448"); // get it back out String d20448 = c20448.substring(0, c20448.length() - 1); // extract most of it String e20448 = new String( new sun.misc.BASE64Decoder() .decodeBuffer( new sun.misc.BASE64Encoder() .encode(d20448.getBytes()))); // B64 encode and decode it String f20448 = e20448.split(" ")[0]; // split it on a space org.owasp.benchmark.helpers.ThingInterface thing = org.owasp.benchmark.helpers.ThingFactory.createThing(); String g20448 = "barbarians_at_the_gate"; // This is static so this whole flow is 'safe' String bar = thing.doSomething(g20448); // reflection javax.xml.xpath.XPathFactory xpf = javax.xml.xpath.XPathFactory.newInstance(); javax.xml.xpath.XPath xp = xpf.newXPath(); try { xp.compile(bar); } catch (javax.xml.xpath.XPathExpressionException e) { // OK to swallow System.out.println("XPath expression exception caught and swallowed: " + e.getMessage()); } }
@Override public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { org.owasp.benchmark.helpers.SeparateClassRequest scr = new org.owasp.benchmark.helpers.SeparateClassRequest(request); String param = scr.getTheParameter("foo"); String bar = new String( new sun.misc.BASE64Decoder() .decodeBuffer(new sun.misc.BASE64Encoder().encode(param.getBytes()))); java.util.List<String> argList = new java.util.ArrayList<String>(); String osName = System.getProperty("os.name"); if (osName.indexOf("Windows") != -1) { argList.add("cmd.exe"); argList.add("/c"); } else { argList.add("sh"); argList.add("-c"); } argList.add("echo"); argList.add(bar); ProcessBuilder pb = new ProcessBuilder(); pb.command(argList); try { Process p = pb.start(); org.owasp.benchmark.helpers.Utils.printOSCommandResults(p); } catch (IOException e) { System.out.println( "Problem executing cmdi - java.lang.ProcessBuilder(java.util.List) Test Case"); throw new ServletException(e); } }
@Override public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { response.setContentType("text/html"); org.owasp.benchmark.helpers.SeparateClassRequest scr = new org.owasp.benchmark.helpers.SeparateClassRequest(request); String param = scr.getTheParameter("vector"); if (param == null) param = ""; String bar; String guess = "ABC"; char switchTarget = guess.charAt(1); // condition 'B', which is safe // Simple case statement that assigns param to bar on conditions 'A', 'C', or 'D' switch (switchTarget) { case 'A': bar = param; break; case 'B': bar = "bob"; break; case 'C': case 'D': bar = param; break; default: bar = "bob's your uncle"; break; } java.io.File fileTarget = new java.io.File(org.owasp.benchmark.helpers.Utils.testfileDir, bar); response.getWriter().write("Access to file: '" + fileTarget + "' created."); if (fileTarget.exists()) { response.getWriter().write(" And file already exists."); } else { response.getWriter().write(" But file doesn't exist yet."); } }
@Override public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { org.owasp.benchmark.helpers.SeparateClassRequest scr = new org.owasp.benchmark.helpers.SeparateClassRequest(request); String param = scr.getTheParameter("foo"); String bar = param; if (param.length() > 1) { StringBuilder sbxyz98541 = new StringBuilder(param); bar = sbxyz98541.replace(param.length() - "Z".length(), param.length(), "Z").toString(); } try { javax.naming.directory.InitialDirContext idc = org.owasp.benchmark.helpers.Utils.getInitialDirContext(); idc.search("name", bar, new javax.naming.directory.SearchControls()); } catch (javax.naming.NamingException e) { throw new ServletException(e); } }
@Override public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { response.setContentType("text/html"); org.owasp.benchmark.helpers.SeparateClassRequest scr = new org.owasp.benchmark.helpers.SeparateClassRequest(request); String param = scr.getTheParameter("vector"); if (param == null) param = ""; String bar = new Test().doSomething(param); String fileName = null; java.io.FileOutputStream fos = null; try { fileName = org.owasp.benchmark.helpers.Utils.testfileDir + bar; fos = new java.io.FileOutputStream(fileName, false); response .getWriter() .write( "Now ready to write to file: " + org.owasp.esapi.ESAPI.encoder().encodeForHTML(fileName)); } catch (Exception e) { System.out.println("Couldn't open FileOutputStream on file: '" + fileName + "'"); // System.out.println("File exception caught and swallowed: " + e.getMessage()); } finally { if (fos != null) { try { fos.close(); fos = null; } catch (Exception e) { // we tried... } } } } // end doPost
@Override public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { org.owasp.benchmark.helpers.SeparateClassRequest scr = new org.owasp.benchmark.helpers.SeparateClassRequest(request); String param = scr.getTheParameter("foo"); String bar = new Test().doSomething(param); // Create the file first so the test won't throw an exception if it doesn't exist. // Note: Don't actually do this because this method signature could cause a tool to find THIS // file constructor // as a vuln, rather than the File signature we are trying to actually test. // If necessary, just run the benchmark twice. The 1st run should create all the necessary // files. // new java.io.File(org.owasp.benchmark.helpers.Utils.testfileDir + bar).createNewFile(); java.io.FileInputStream fileInputStream = new java.io.FileInputStream(org.owasp.benchmark.helpers.Utils.testfileDir + bar); java.io.FileDescriptor fd = fileInputStream.getFD(); java.io.FileOutputStream anotOutputStream = new java.io.FileOutputStream(fd); } // end doPost