Unit tests for Http3 xx status code based injection vulnerability (#374)

unit tests for the Http3_xx_status_code_based_injection class
SasanLabs · Jul 18, 2022 · 4104fbb · 4104fbb
1 parent 1c2517c
commit 4104fbb
Show file tree

Hide file tree

Showing 6 changed files with 618 additions and 20 deletions.
diff --git a/src/main/java/org/sasanlabs/internal/utility/FrameworkConstants.java b/src/main/java/org/sasanlabs/internal/utility/FrameworkConstants.java
@@ -19,6 +19,8 @@ public interface FrameworkConstants {
 
     String HTTP = "http://";
     String HTTPS = "https://";
+
+    String WWW = "www.";
     String COLON = ":";
     String SLASH = "/";
     String NEXT_LINE = "\n";

diff --git a/...ava/org/sasanlabs/service/vulnerability/openRedirect/Http3xxStatusCodeBasedInjection.java b/...ava/org/sasanlabs/service/vulnerability/openRedirect/Http3xxStatusCodeBasedInjection.java
@@ -81,10 +81,11 @@ public ResponseEntity<?> getVulnerablePayloadLevel1(
     // Payloads:
     // 1. Protocol other than http can be used e.g. ftp://ftp.dlptest.com/ also
     // 2. "//facebook.com"
+
     @AttackVector(
             vulnerabilityExposed = {VulnerabilityType.OPEN_REDIRECT_3XX_STATUS_CODE},
             description =
-                    "OPEN_REDIRECT_QUERY_PARAM_DIRECTLY_ADD_TO_LOCATION_HEADER_IF_NOT_HTTP_HTTPS_OR_DOMAIN_IS_SAME")
+                    "OPEN_REDIRECT_QUERY_PARAM_DIRECTLY_ADD_TO_LOCATION_HEADER_IF_NOT_HTTP_HTTPS_WWW_OR_DOMAIN_IS_SAME")
     @VulnerableAppRequestMapping(
             value = LevelConstants.LEVEL_2,
             htmlTemplate = "LEVEL_1/Http3xxStatusCodeBasedInjection")
@@ -96,7 +97,8 @@ public ResponseEntity<?> getVulnerablePayloadLevel2(
                 urlToRedirect,
                 (url) ->
                         (!url.startsWith(FrameworkConstants.HTTP)
-                                        && !url.startsWith(FrameworkConstants.HTTPS))
+                                        && !url.startsWith(FrameworkConstants.HTTPS)
+                                        && !url.startsWith(FrameworkConstants.WWW))
                                 || requestUrl.getAuthority().equals(urlToRedirect));
     }
 
@@ -106,7 +108,7 @@ public ResponseEntity<?> getVulnerablePayloadLevel2(
     @AttackVector(
             vulnerabilityExposed = {VulnerabilityType.OPEN_REDIRECT_3XX_STATUS_CODE},
             description =
-                    "OPEN_REDIRECT_QUERY_PARAM_DIRECTLY_ADD_TO_LOCATION_HEADER_IF_NOT_HTTP_HTTPS_//_OR_DOMAIN_IS_SAME")
+                    "OPEN_REDIRECT_QUERY_PARAM_DIRECTLY_ADD_TO_LOCATION_HEADER_IF_NOT_HTTP_HTTPS_WWW_//_OR_DOMAIN_IS_SAME")
     @VulnerableAppRequestMapping(
             value = LevelConstants.LEVEL_3,
             htmlTemplate = "LEVEL_1/Http3xxStatusCodeBasedInjection")
@@ -119,15 +121,16 @@ public ResponseEntity<?> getVulnerablePayloadLevel3(
                 (url) ->
                         (!url.startsWith(FrameworkConstants.HTTP)
                                         && !url.startsWith(FrameworkConstants.HTTPS)
-                                        && !url.startsWith("//"))
+                                        && !url.startsWith("//")
+                                        && !url.startsWith(FrameworkConstants.WWW))
                                 || requestUrl.getAuthority().equals(url));
     }
 
     // As there can be too many hacks e.g. using %00 to %1F so blacklisting is not possible
     @AttackVector(
             vulnerabilityExposed = {VulnerabilityType.OPEN_REDIRECT_3XX_STATUS_CODE},
             description =
-                    "OPEN_REDIRECT_QUERY_PARAM_DIRECTLY_ADD_TO_LOCATION_HEADER_IF_NOT_HTTP_HTTPS_//_NULL_BYTE_OR_DOMAIN_IS_SAME")
+                    "OPEN_REDIRECT_QUERY_PARAM_DIRECTLY_ADD_TO_LOCATION_HEADER_IF_NOT_HTTP_WWW_HTTPS_//_NULL_BYTE_OR_DOMAIN_IS_SAME")
     @VulnerableAppRequestMapping(
             value = LevelConstants.LEVEL_4,
             htmlTemplate = "LEVEL_1/Http3xxStatusCodeBasedInjection")
@@ -140,6 +143,7 @@ public ResponseEntity<?> getVulnerablePayloadLevel4(
                 (url) ->
                         (!url.startsWith(FrameworkConstants.HTTP)
                                         && !url.startsWith(FrameworkConstants.HTTPS)
+                                        && !url.startsWith(FrameworkConstants.WWW)
                                         && !url.startsWith("//")
                                         && !url.startsWith(NULL_BYTE_CHARACTER))
                                 || requestUrl.getAuthority().equals(url));
@@ -152,7 +156,7 @@ public ResponseEntity<?> getVulnerablePayloadLevel4(
     @AttackVector(
             vulnerabilityExposed = {VulnerabilityType.OPEN_REDIRECT_3XX_STATUS_CODE},
             description =
-                    "OPEN_REDIRECT_QUERY_PARAM_DIRECTLY_ADD_TO_LOCATION_HEADER_IF_NOT_HTTP_HTTPS_//_%_OR_DOMAIN_IS_SAME")
+                    "OPEN_REDIRECT_QUERY_PARAM_DIRECTLY_ADD_TO_LOCATION_HEADER_IF_NOT_HTTP_HTTPS_//_WWW_%_OR_DOMAIN_IS_SAME")
     @VulnerableAppRequestMapping(
             value = LevelConstants.LEVEL_5,
             htmlTemplate = "LEVEL_1/Http3xxStatusCodeBasedInjection")
@@ -166,6 +170,7 @@ public ResponseEntity<?> getVulnerablePayloadLevel5(
                         (!url.startsWith(FrameworkConstants.HTTP)
                                         && !url.startsWith(FrameworkConstants.HTTPS)
                                         && !url.startsWith("//")
+                                        && !url.startsWith(FrameworkConstants.WWW)
                                         && !url.startsWith(NULL_BYTE_CHARACTER)
                                         && (url.length() > 0 && url.charAt(0) > 20))
                                 || requestUrl.getAuthority().equals(url));
@@ -225,7 +230,6 @@ public ResponseEntity<?> getVulnerablePayloadLevel7(
             htmlTemplate = "LEVEL_1/Http3xxStatusCodeBasedInjection")
     public ResponseEntity<?> getVulnerablePayloadLevel8(
             RequestEntity<String> requestEntity, @RequestParam(RETURN_TO) String urlToRedirect) {
-        return this.getURLRedirectionResponseEntity(
-                urlToRedirect, (url) -> WHITELISTED_URLS.contains(url));
+        return this.getURLRedirectionResponseEntity(urlToRedirect, WHITELISTED_URLS::contains);
     }
 }
diff --git a/src/main/resources/i18n/messages.properties b/src/main/resources/i18n/messages.properties
@@ -74,11 +74,11 @@ the phishing attack because many users, even if they verify these features, will
  Some myths: <a href="https://security.stackexchange.com/questions/59517/are-url-shorteners-vulnerable-due-to-open-redirects" target="_blank">Are URL shorteners \u201Cvulnerable\u201D due to open redirects?</a><br/>
 
 OPEN_REDIRECT_QUERY_PARAM_DIRECTLY_ADD_TO_LOCATION_HEADER=\"returnTo\" query parameter's value is directly added to the \"Location\" header.
-OPEN_REDIRECT_QUERY_PARAM_DIRECTLY_ADD_TO_LOCATION_HEADER_IF_NOT_HTTP_HTTPS_OR_DOMAIN_IS_SAME=\"returnTo\" query parameter's value is directly added to the \"Location\" header if it doesn't starts with \"http\" and \"https\" or domain is same as the application.
-OPEN_REDIRECT_QUERY_PARAM_DIRECTLY_ADD_TO_LOCATION_HEADER_IF_NOT_HTTP_HTTPS_//_OR_DOMAIN_IS_SAME=\"returnTo\" query parameter's value is directly added to the \"Location\" header if it doesn't starts with \"http\", \"https\" and "//" or domain is same as the application.
-OPEN_REDIRECT_QUERY_PARAM_DIRECTLY_ADD_TO_LOCATION_HEADER_IF_NOT_HTTP_HTTPS_//_NULL_BYTE_OR_DOMAIN_IS_SAME=\"returnTo\" query parameter's value is directly added to the \"Location\" header if it doesn't starts with \"http\", \"https\", "//" and Null Byte or domain is same as the application.
-OPEN_REDIRECT_QUERY_PARAM_DIRECTLY_ADD_TO_LOCATION_HEADER_IF_NOT_HTTP_HTTPS_//_%_OR_DOMAIN_IS_SAME=\"returnTo\" query parameter's value is directly added to the \"Location\" header if it doesn't starts with \"http\", \"https\", "//" and character less than ascii value 33 or domain is same as the application.
-OPEN_REDIRECT_QUERY_PARAM_DIRECTLY_ADDED_TO_LOCATION_HEADER_BY_ADDING_DOMAIN_AS_PREFIX=\"returnTo\" query parameter's value is directly added to the \"Location\" header by prefixing it will applications domain name.
+OPEN_REDIRECT_QUERY_PARAM_DIRECTLY_ADD_TO_LOCATION_HEADER_IF_NOT_HTTP_HTTPS_WWW_OR_DOMAIN_IS_SAME=\"returnTo\" query parameter's value is directly added to the \"Location\" header if it doesn't starts with \"http\" ,\"www\"and \"https\" or domain is same as the application.
+OPEN_REDIRECT_QUERY_PARAM_DIRECTLY_ADD_TO_LOCATION_HEADER_IF_NOT_HTTP_HTTPS_WWW_//_OR_DOMAIN_IS_SAME=\"returnTo\" query parameter's value is directly added to the \"Location\" header if it doesn't starts with \"http\", \"www\",\"https\" and "//" or domain is same as the application.
+OPEN_REDIRECT_QUERY_PARAM_DIRECTLY_ADD_TO_LOCATION_HEADER_IF_NOT_HTTP_WWW_HTTPS_//_NULL_BYTE_OR_DOMAIN_IS_SAME=\"returnTo\" query parameter's value is directly added to the \"Location\" header if it doesn't starts with \"http\", \"https\", \"www\","//" and Null Byte or domain is same as the application.
+OPEN_REDIRECT_QUERY_PARAM_DIRECTLY_ADD_TO_LOCATION_HEADER_IF_NOT_HTTP_HTTPS_//_WWW_%_OR_DOMAIN_IS_SAME=\"returnTo\" query parameter's value is directly added to the \"Location\" header if it doesn't starts with \"http\", \"www\", \"https\", "//" and character less than ascii value 33 or domain is same as the application.
+OPEN_REDIRECT_QUERY_PARAM_DIRECTLY_ADDED_TO_LOCATION_HEADER_BY_ADDING_DOMAIN_AS_PREFIX=\"returnTo\" query parameter's value is directly added to the \"Location\" header by prefixing it with application's domain name.
 
 
 ## Meta Tag based URL Redirection

diff --git a/src/main/resources/i18n/messages_en_US.properties b/src/main/resources/i18n/messages_en_US.properties
@@ -70,10 +70,10 @@ the phishing attack because many users, even if they verify these features, will
  Some myths: <a href="https://security.stackexchange.com/questions/59517/are-url-shorteners-vulnerable-due-to-open-redirects" target="_blank">Are URL shorteners \u201Cvulnerable\u201D due to open redirects?</a><br/>
 
 OPEN_REDIRECT_QUERY_PARAM_DIRECTLY_ADD_TO_LOCATION_HEADER=\"returnTo\" query parameter's value is directly added to the \"Location\" header.
-OPEN_REDIRECT_QUERY_PARAM_DIRECTLY_ADD_TO_LOCATION_HEADER_IF_NOT_HTTP_HTTPS_OR_DOMAIN_IS_SAME=\"returnTo\" query parameter's value is directly added to the \"Location\" header if it doesn't starts with \"http\" and \"https\" or domain is same as the application.
-OPEN_REDIRECT_QUERY_PARAM_DIRECTLY_ADD_TO_LOCATION_HEADER_IF_NOT_HTTP_HTTPS_//_OR_DOMAIN_IS_SAME=\"returnTo\" query parameter's value is directly added to the \"Location\" header if it doesn't starts with \"http\", \"https\" and "//" or domain is same as the application.
-OPEN_REDIRECT_QUERY_PARAM_DIRECTLY_ADD_TO_LOCATION_HEADER_IF_NOT_HTTP_HTTPS_//_NULL_BYTE_OR_DOMAIN_IS_SAME=\"returnTo\" query parameter's value is directly added to the \"Location\" header if it doesn't starts with \"http\", \"https\", "//" and Null Byte or domain is same as the application.
-OPEN_REDIRECT_QUERY_PARAM_DIRECTLY_ADD_TO_LOCATION_HEADER_IF_NOT_HTTP_HTTPS_//_%_OR_DOMAIN_IS_SAME=\"returnTo\" query parameter's value is directly added to the \"Location\" header if it doesn't starts with \"http\", \"https\", "//" and character less than ascii value 33 or domain is same as the application.
+OPEN_REDIRECT_QUERY_PARAM_DIRECTLY_ADD_TO_LOCATION_HEADER_IF_NOT_HTTP_HTTPS_WWW_OR_DOMAIN_IS_SAME=\"returnTo\" query parameter's value is directly added to the \"Location\" header if it doesn't starts with \"http\",\"www\" and \"https\" or domain is same as the application.
+OPEN_REDIRECT_QUERY_PARAM_DIRECTLY_ADD_TO_LOCATION_HEADER_IF_NOT_HTTP_HTTPS_WWW_//_OR_DOMAIN_IS_SAME=\"returnTo\" query parameter's value is directly added to the \"Location\" header if it doesn't starts with \"http\",\"www\", \"https\" and "//" or domain is same as the application.
+OPEN_REDIRECT_QUERY_PARAM_DIRECTLY_ADD_TO_LOCATION_HEADER_IF_NOT_HTTP_WWW_HTTPS_//_NULL_BYTE_OR_DOMAIN_IS_SAME=\"returnTo\" query parameter's value is directly added to the \"Location\" header if it doesn't starts with \"http\",\"www\", \"https\", "//" and Null Byte or domain is same as the application.
+OPEN_REDIRECT_QUERY_PARAM_DIRECTLY_ADD_TO_LOCATION_HEADER_IF_NOT_HTTP_HTTPS_//_WWW_%_OR_DOMAIN_IS_SAME=\"returnTo\" query parameter's value is directly added to the \"Location\" header if it doesn't starts with \"http\",\"www\", \"https\", "//" and character less than ascii value 33 or domain is same as the application.
 OPEN_REDIRECT_QUERY_PARAM_DIRECTLY_ADDED_TO_LOCATION_HEADER_BY_ADDING_DOMAIN_AS_PREFIX=\"returnTo\" query parameter's value is directly added to the \"Location\" header by prefixing it will applications domain name.
 
 

diff --git a/src/main/resources/static/index.html b/src/main/resources/static/index.html
@@ -119,16 +119,16 @@ <h2>How can Vulnerability Scanning Tools use VulnerableApp?</h2>
 				secure them and there are many security vulnerability finding tools but while
 				developing those tools developers need to test them but there are no or
 				very less such extensible vulnerable apps for testing those tools.
-				There are deliberately vulnerable applications exists in the market but they
+				There are deliberately vulnerable applications exists in the market, but they
 				are not written with such an intent and hence lags extensibility e.g. adding new vulnerablities is quite
 				difficult.
 			</div>
 			<div>
-				So generally developer write there own vulnerable applications but that cause productivity loss and
+				So generally developer write their own vulnerable applications but that cause productivity loss and
 				also many times rework is done. This Project VulnerableApp is build keeping these factors in mind so
 				this
 				project
-				is scalable, extensible, easiers to integrate and easier to learn.
+				is scalable, extensible, easier to integrate and easier to learn.
 			</div>
 		</div> -->
 	</div>