diff --git a/.gitignore b/.gitignore
index 5b3f6f3..212551f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -5,6 +5,7 @@
 .settings/
 data/out.csv
+owasp-benchmark/
 reports/
 target/
 testfiles/
diff --git a/scripts/runCodeQLFull.sh b/scripts/runCodeQLFull.sh
index 11db24a..696ff97 100755
--- a/scripts/runCodeQLFull.sh
+++ b/scripts/runCodeQLFull.sh
@@ -9,5 +9,5 @@
 # ../../Tools/codeql-home/codeql/codeql database create owasp-benchmark --language=java
 #../../Tools/codeql-home/codeql/codeql database analyze owasp-benchmark java-security-extended.qls --format=sarifv2.1.0 --output=results/Benchmark_1.2-codeql_java-security-extended.sarif
 benchmark_version=$(scripts/getBenchmarkVersion.sh)
-../../Tools/codeql-home/codeql/codeql database analyze owasp-benchmark java-security-and-quality.qls --format=sarifv2.1.0 --output=results/Benchmark_$benchmark_version-codeql_java-security-and-quality.sarif
+../../tools/codeql-home/codeql/codeql database analyze owasp-benchmark java-security-and-quality.qls --format=sarifv2.1.0 --output=results/Benchmark_$benchmark_version-codeql_java-security-and-quality.sarif
diff --git a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00001.java b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00001.java
deleted file mode 100644
index 34c8209..0000000
--- a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00001.java
+++ /dev/null
@@ -1,105 +0,0 @@
-/**
- * OWASP Benchmark v1.2
- *
- *
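Review bot: The two commented-out invocations at the top of the runCodeQLFull.sh hunk still point at `../../Tools/codeql-home/codeql/codeql`, while the live `database analyze` line now uses `../../tools/...`, so on a case-sensitive filesystem re-enabling either of them would fail with the same path error this commit fixes. Hoisting the CLI path into one variable near the top of the script, `CODEQL=../../tools/codeql-home/codeql/codeql`, and invoking `"$CODEQL" database analyze owasp-benchmark java-security-and-quality.qls --format=sarifv2.1.0 --output=results/Benchmark_"$benchmark_version"-codeql_java-security-and-quality.sarif` keeps the commented and active lines in step and quotes the expanded version. The script already assumes it is run from the repository root (it calls `scripts/getBenchmarkVersion.sh` relatively), and the `../../tools` location is a second working-directory assumption that deserves a comment such as `# expects the CodeQL CLI two levels up, in ../../tools/codeql-home`.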
This file is part of the Open Web Application Security Project (OWASP) Benchmark Project. For
- * details, please see https://owasp.org/www-project-benchmark/.
- *
- *
The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms
- * of the GNU General Public License as published by the Free Software Foundation, version 2.
- *
- *
The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY
- * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
- * PURPOSE. See the GNU General Public License for more details.
- *
- * @author Dave Wichers
- * @created 2015
- */
-package org.owasp.benchmark.testcode;
-
-import java.io.IOException;
-import javax.servlet.ServletException;
-import javax.servlet.annotation.WebServlet;
-import javax.servlet.http.HttpServlet;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-@WebServlet(value = "/pathtraver-00/BenchmarkTest00001")
-public class BenchmarkTest00001 extends HttpServlet {
-
- private static final long serialVersionUID = 1L;
-
- @Override
- public void doGet(HttpServletRequest request, HttpServletResponse response)
- throws ServletException, IOException {
- response.setContentType("text/html;charset=UTF-8");
- javax.servlet.http.Cookie userCookie =
- new javax.servlet.http.Cookie("BenchmarkTest00001", "FileName");
- userCookie.setMaxAge(60 * 3); // Store cookie for 3 minutes
- userCookie.setSecure(true);
- userCookie.setPath(request.getRequestURI());
- userCookie.setDomain(new java.net.URL(request.getRequestURL().toString()).getHost());
- response.addCookie(userCookie);
- javax.servlet.RequestDispatcher rd =
- request.getRequestDispatcher("/pathtraver-00/BenchmarkTest00001.html");
- rd.include(request, response);
- }
-
- @Override
- public void doPost(HttpServletRequest request, HttpServletResponse response)
- throws ServletException, IOException {
- // some code
- response.setContentType("text/html;charset=UTF-8");
-
- javax.servlet.http.Cookie[] theCookies = request.getCookies();
-
- String param = "noCookieValueSupplied";
- if (theCookies != null) {
- for (javax.servlet.http.Cookie theCookie : theCookies) {
- if (theCookie.getName().equals("BenchmarkTest00001")) {
- param = java.net.URLDecoder.decode(theCookie.getValue(), "UTF-8");
-
break;
- }
- }
- }
-
- String fileName = null;
- java.io.FileInputStream fis = null;
-
- try {
- fileName = org.owasp.benchmark.helpers.Utils.TESTFILES_DIR + param;
- fis = new java.io.FileInputStream(new java.io.File(fileName));
- byte[] b = new byte[1000];
- int size = fis.read(b);
- response.getWriter()
- .println(
- "The beginning of file: '"
- + org.owasp.esapi.ESAPI.encoder().encodeForHTML(fileName)
- + "' is:\n\n"
- + org.owasp
- .esapi
- .ESAPI
- .encoder()
- .encodeForHTML(new String(b, 0, size)));
- } catch (Exception e) {
- System.out.println("Couldn't open FileInputStream on file: '" + fileName + "'");
- response.getWriter()
- .println(
- "Problem getting FileInputStream: "
- + org.owasp
- .esapi
- .ESAPI
- .encoder()
- .encodeForHTML(e.getMessage()));
- } finally {
- if (fis != null) {
- try {
- fis.close();
- fis = null;
- } catch (Exception e) {
- // we tried...
- }
- }
- }
- }
-}
diff --git a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00002.java b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00002.java
deleted file mode 100644
index b31b6a3..0000000
--- a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00002.java
+++ /dev/null
@@ -1,92 +0,0 @@
-/**
- * OWASP Benchmark v1.2
- *
- *
This file is part of the Open Web Application Security Project (OWASP) Benchmark Project. For
- * details, please see https://owasp.org/www-project-benchmark/.
- *
- *
The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms
- * of the GNU General Public License as published by the Free Software Foundation, version 2.
- *
- *
The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY
- * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
- * PURPOSE. See the GNU General Public License for more details.
- *
- * @author Dave Wichers
- * @created 2015
- */
-package org.owasp.benchmark.testcode;
-
-import java.io.IOException;
-import javax.servlet.ServletException;
-import javax.servlet.annotation.WebServlet;
-import javax.servlet.http.HttpServlet;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-@WebServlet(value = "/pathtraver-00/BenchmarkTest00002")
-public class BenchmarkTest00002 extends HttpServlet {
-
- private static final long serialVersionUID = 1L;
-
- @Override
- public void doGet(HttpServletRequest request, HttpServletResponse response)
- throws ServletException, IOException {
- response.setContentType("text/html;charset=UTF-8");
- javax.servlet.http.Cookie userCookie =
- new javax.servlet.http.Cookie("BenchmarkTest00002", "FileName");
- userCookie.setMaxAge(60 * 3); // Store cookie for 3 minutes
- userCookie.setSecure(true);
- userCookie.setPath(request.getRequestURI());
- userCookie.setDomain(new java.net.URL(request.getRequestURL().toString()).getHost());
- response.addCookie(userCookie);
- javax.servlet.RequestDispatcher rd =
- request.getRequestDispatcher("/pathtraver-00/BenchmarkTest00002.html");
- rd.include(request, response);
- }
-
- @Override
- public void doPost(HttpServletRequest request, HttpServletResponse response)
- throws ServletException, IOException {
- // some code
- response.setContentType("text/html;charset=UTF-8");
-
- javax.servlet.http.Cookie[] theCookies = request.getCookies();
-
- String param = "noCookieValueSupplied";
- if (theCookies != null) {
- for (javax.servlet.http.Cookie theCookie : theCookies) {
- if (theCookie.getName().equals("BenchmarkTest00002")) {
- param = java.net.URLDecoder.decode(theCookie.getValue(), "UTF-8");
-
break;
- }
- }
- }
-
- String fileName = null;
- java.io.FileOutputStream fos = null;
-
- try {
- fileName = org.owasp.benchmark.helpers.Utils.TESTFILES_DIR + param;
-
- fos = new java.io.FileOutputStream(fileName, false);
- response.getWriter()
- .println(
- "Now ready to write to file: "
- + org.owasp.esapi.ESAPI.encoder().encodeForHTML(fileName));
-
- } catch (Exception e) {
- System.out.println("Couldn't open FileOutputStream on file: '" + fileName + "'");
- // System.out.println("File exception caught and swallowed: " + e.getMessage());
- } finally {
- if (fos != null) {
- try {
- fos.close();
- fos = null;
- } catch (Exception e) {
- // we tried...
- }
- }
- }
- }
-}
diff --git a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00003.java b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00003.java
deleted file mode 100644
index 501535c..0000000
--- a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00003.java
+++ /dev/null
@@ -1,119 +0,0 @@
-/**
- * OWASP Benchmark v1.2
- *
- *
This file is part of the Open Web Application Security Project (OWASP) Benchmark Project. For
- * details, please see https://owasp.org/www-project-benchmark/.
- *
- *
The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms
- * of the GNU General Public License as published by the Free Software Foundation, version 2.
- *
- *
The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY
- * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
- * PURPOSE. See the GNU General Public License for more details.
- *
- * @author Dave Wichers
- * @created 2015
- */
-package org.owasp.benchmark.testcode;
-
-import java.io.IOException;
-import javax.servlet.ServletException;
-import javax.servlet.annotation.WebServlet;
-import javax.servlet.http.HttpServlet;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-@WebServlet(value = "/hash-00/BenchmarkTest00003")
-public class BenchmarkTest00003 extends HttpServlet {
-
- private static final long serialVersionUID = 1L;
-
- @Override
- public void doGet(HttpServletRequest request, HttpServletResponse response)
- throws ServletException, IOException {
- response.setContentType("text/html;charset=UTF-8");
- javax.servlet.http.Cookie userCookie =
- new javax.servlet.http.Cookie("BenchmarkTest00003", "someSecret");
- userCookie.setMaxAge(60 * 3); // Store cookie for 3 minutes
- userCookie.setSecure(true);
- userCookie.setPath(request.getRequestURI());
- userCookie.setDomain(new java.net.URL(request.getRequestURL().toString()).getHost());
- response.addCookie(userCookie);
- javax.servlet.RequestDispatcher rd =
- request.getRequestDispatcher("/hash-00/BenchmarkTest00003.html");
- rd.include(request, response);
- }
-
- @Override
- public void doPost(HttpServletRequest request, HttpServletResponse response)
- throws ServletException, IOException {
- // some code
- response.setContentType("text/html;charset=UTF-8");
-
- javax.servlet.http.Cookie[] theCookies = request.getCookies();
-
- String param = "noCookieValueSupplied";
- if (theCookies != null) {
- for (javax.servlet.http.Cookie theCookie : theCookies) {
- if (theCookie.getName().equals("BenchmarkTest00003")) {
- param = java.net.URLDecoder.decode(theCookie.getValue(), "UTF-8");
- break;
- }
- }
- }
-
- try {
- java.util.Properties benchmarkprops = new java.util.Properties();
- benchmarkprops.load(
- this.getClass().getClassLoader().getResourceAsStream("benchmark.properties"));
- String algorithm = benchmarkprops.getProperty("hashAlg1", "SHA512");
- java.security.MessageDigest md = java.security.MessageDigest.getInstance(algorithm);
- byte[] input = {(byte) '?'};
- Object inputParam = param;
- if (inputParam instanceof String) input = ((String) inputParam).getBytes();
- if (inputParam instanceof java.io.InputStream) {
- byte[] strInput = new byte[1000];
- int i = ((java.io.InputStream) inputParam).read(strInput);
- if (i == -1) {
- response.getWriter()
- .println(
- "This input source requires a POST, not a GET. Incompatible UI for the InputStream source.");
- return;
- }
- input = java.util.Arrays.copyOf(strInput, i);
- }
- md.update(input);
-
- byte[] result = md.digest();
- java.io.File fileTarget =
- new java.io.File(
- new java.io.File(org.owasp.benchmark.helpers.Utils.TESTFILES_DIR),
- "passwordFile.txt");
- java.io.FileWriter fw =
- new java.io.FileWriter(fileTarget, true); // the true will append the new data
- fw.write(
- "hash_value="
- + org.owasp.esapi.ESAPI.encoder().encodeForBase64(result, true)
- + "\n");
- fw.close();
- response.getWriter()
- .println(
- "Sensitive value '"
- + org.owasp
- .esapi
- .ESAPI
- .encoder()
- .encodeForHTML(new String(input))
- + "' hashed and stored
");
-
- } catch (java.security.NoSuchAlgorithmException e) {
- System.out.println("Problem executing hash - TestCase");
- throw new ServletException(e);
- }
-
- response.getWriter()
- .println(
- "Hash Test java.security.MessageDigest.getInstance(java.lang.String) executed");
- }
-}
diff --git a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00004.java b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00004.java
deleted file mode 100644
index beaa3b2..0000000
--- a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00004.java
+++ /dev/null
@@ -1,75 +0,0 @@
-/**
- * OWASP Benchmark v1.2
- *
- *
This file is part of the Open Web Application Security Project (OWASP) Benchmark Project. For
- * details, please see https://owasp.org/www-project-benchmark/.
- *
- *
The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms
- * of the GNU General Public License as published by the Free Software Foundation, version 2.
- *
- *
The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY
- * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
- * PURPOSE. See the GNU General Public License for more details.
- *
- * @author Dave Wichers
- * @created 2015
- */
-package org.owasp.benchmark.testcode;
-
-import java.io.IOException;
-import javax.servlet.ServletException;
-import javax.servlet.annotation.WebServlet;
-import javax.servlet.http.HttpServlet;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-@WebServlet(value = "/trustbound-00/BenchmarkTest00004")
-public class BenchmarkTest00004 extends HttpServlet {
-
- private static final long serialVersionUID = 1L;
-
- @Override
- public void doGet(HttpServletRequest request, HttpServletResponse response)
- throws ServletException, IOException {
- response.setContentType("text/html;charset=UTF-8");
- javax.servlet.http.Cookie userCookie =
- new javax.servlet.http.Cookie("BenchmarkTest00004", "color");
- userCookie.setMaxAge(60 * 3); // Store cookie for 3 minutes
- userCookie.setSecure(true);
- userCookie.setPath(request.getRequestURI());
- userCookie.setDomain(new java.net.URL(request.getRequestURL().toString()).getHost());
- response.addCookie(userCookie);
- javax.servlet.RequestDispatcher rd =
- request.getRequestDispatcher("/trustbound-00/BenchmarkTest00004.html");
- rd.include(request, response);
- }
-
- @Override
- public void doPost(HttpServletRequest request, HttpServletResponse response)
- throws ServletException, IOException {
- // some code
- response.setContentType("text/html;charset=UTF-8");
-
- javax.servlet.http.Cookie[] theCookies = request.getCookies();
-
- String param = "noCookieValueSupplied";
- if (theCookies != null) {
- for (javax.servlet.http.Cookie theCookie : theCookies) {
- if (theCookie.getName().equals("BenchmarkTest00004")) {
- param = java.net.URLDecoder.decode(theCookie.getValue(), "UTF-8");
- break;
-
}
- }
- }
-
- // javax.servlet.http.HttpSession.setAttribute(java.lang.String^,java.lang.Object)
- request.getSession().setAttribute(param, "10340");
-
- response.getWriter()
- .println(
- "Item: '"
- + org.owasp.benchmark.helpers.Utils.encodeForHTML(param)
- + "' with value: '10340' saved in session.");
- }
-}
diff --git a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00005.java b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00005.java
deleted file mode 100644
index 1531169..0000000
--- a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00005.java
+++ /dev/null
@@ -1,122 +0,0 @@
-/**
- * OWASP Benchmark v1.2
- *
- *
This file is part of the Open Web Application Security Project (OWASP) Benchmark Project. For
- * details, please see https://owasp.org/www-project-benchmark/.
- *
- *
The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms
- * of the GNU General Public License as published by the Free Software Foundation, version 2.
- *
- *
The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY
- * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
- * PURPOSE. See the GNU General Public License for more details.
- *
- * @author Dave Wichers
- * @created 2015
- */
-package org.owasp.benchmark.testcode;
-
-import java.io.IOException;
-import javax.servlet.ServletException;
-import javax.servlet.annotation.WebServlet;
-import javax.servlet.http.HttpServlet;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-@WebServlet(value = "/crypto-00/BenchmarkTest00005")
-public class BenchmarkTest00005 extends HttpServlet {
-
- private static final long serialVersionUID = 1L;
-
- @Override
- public void doGet(HttpServletRequest request, HttpServletResponse response)
- throws ServletException, IOException {
- doPost(request, response);
- }
-
- @Override
- public void doPost(HttpServletRequest request, HttpServletResponse response)
- throws ServletException, IOException {
- // some code
- response.setContentType("text/html;charset=UTF-8");
-
- String param = "";
- if (request.getHeader("BenchmarkTest00005") != null) {
- param = request.getHeader("BenchmarkTest00005");
- }
-
- // URL Decode the header value since req.getHeader() doesn't. Unlike req.getParameter().
- param = java.net.URLDecoder.decode(param, "UTF-8");
-
- // Code based on example from:
- // http://examples.javacodegeeks.com/core-java/crypto/encrypt-decrypt-file-stream-with-des/
- // 8-byte initialization vector
- // byte[] iv = {
- // (byte)0xB2, (byte)0x12, (byte)0xD5, (byte)0xB2,
- // (byte)0x44, (byte)0x21, (byte)0xC3, (byte)0xC3033
- // };
- java.security.SecureRandom random = new java.security.SecureRandom();
- byte[] iv = random.generateSeed(8); // DES requires 8 byte keys
-
- try {
- javax.crypto.Cipher c = javax.crypto.Cipher.getInstance("DES/CBC/PKCS5Padding");
-
- // Prepare the cipher to encrypt
- javax.crypto.SecretKey key = javax.crypto.KeyGenerator.getInstance("DES").generateKey();
- java.security.spec.AlgorithmParameterSpec paramSpec =
- new javax.crypto.spec.IvParameterSpec(iv);
- c.init(javax.crypto.Cipher.ENCRYPT_MODE, key, paramSpec);
-
- // encrypt and store the results
- byte[] input = {(byte) '?'};
- Object inputParam = param;
- if (inputParam instanceof String) input = ((String) inputParam).getBytes();
- if (inputParam instanceof java.io.InputStream) {
- byte[] strInput = new byte[1000];
- int i = ((java.io.InputStream) inputParam).read(strInput);
- if (i == -1) {
- response.getWriter()
- .println(
- "This input source requires a POST, not a GET. Incompatible UI for the InputStream source.");
- return;
- }
- input = java.util.Arrays.copyOf(strInput, i);
- }
- byte[] result = c.doFinal(input);
-
- java.io.File fileTarget =
- new java.io.File(
- new java.io.File(org.owasp.benchmark.helpers.Utils.TESTFILES_DIR),
- "passwordFile.txt");
- java.io.FileWriter fw =
- new java.io.FileWriter(fileTarget, true); // the true will append the new data
- fw.write(
- "secret_value="
- + org.owasp.esapi.ESAPI.encoder().encodeForBase64(result, true)
- + "\n");
- fw.close();
- response.getWriter()
- .println(
- "Sensitive value: '"
- + org.owasp
- .esapi
- .ESAPI
- .encoder()
- .encodeForHTML(new String(input))
- + "' encrypted and stored
");
-
- } catch (java.security.NoSuchAlgorithmException
- | javax.crypto.NoSuchPaddingException
- | javax.crypto.IllegalBlockSizeException
- | javax.crypto.BadPaddingException
- | java.security.InvalidKeyException
- | java.security.InvalidAlgorithmParameterException e) {
- response.getWriter()
- .println(
- "Problem executing crypto - javax.crypto.Cipher.getInstance(java.lang.String,java.security.Provider) Test Case");
- e.printStackTrace();
- throw new ServletException(e);
- }
- }
-}