Add missing source files and fix bugs.

OWASP-Benchmark · Feb 16, 2024 · 40da0fd · 40da0fd
1 parent 4b451c2
commit 40da0fd
Show file tree

Hide file tree

Showing 9 changed files with 319 additions and 7 deletions.
diff --git a/library/src/main/java/org/owasp/benchmarkutils/entities/JerseyTestCaseInput.java b/library/src/main/java/org/owasp/benchmarkutils/entities/JerseyTestCaseInput.java
@@ -0,0 +1,68 @@
+package org.owasp.benchmarkutils.entities;
+
+import org.apache.hc.client5.http.classic.methods.HttpPost;
+import org.apache.hc.client5.http.classic.methods.HttpUriRequestBase;
+import org.apache.hc.core5.http.io.entity.StringEntity;
+import org.eclipse.persistence.oxm.annotations.XmlDiscriminatorValue;
+
+@XmlDiscriminatorValue("Jersey")
+// @XmlType(name = "HttpPostTestCaseInput")
+public class JerseyTestCaseInput extends HttpTestCaseInput {
+
+    @Override
+    void buildQueryString() {
+        setQueryString("");
+    }
+
+    @Override
+    void buildHeaders(HttpUriRequestBase request) {
+        request.addHeader("Content-Type", "application/xml; charset=utf-8");
+        for (RequestVariable header : getHeaders()) {
+            String name = header.getName();
+            String value = header.getValue();
+            // System.out.println("Header:" + name + "=" + value);
+            request.addHeader(name, value);
+        }
+    }
+
+    @Override
+    void buildCookies(HttpUriRequestBase request) {
+        for (RequestVariable cookie : getCookies()) {
+            String name = cookie.getName();
+            String value = cookie.getValue();
+            // System.out.println("Cookie:" + name + "=" + value);
+            request.addHeader("Cookie", name + "=" + value);
+        }
+    }
+
+    @Override
+    void buildBodyParameters(HttpUriRequestBase request) {
+        String params = "<person>";
+        for (RequestVariable field : getFormParameters()) {
+            String name = field.getName();
+            String value = field.getValue();
+            params += "<" + name + ">" + escapeXML(value) + "</" + name + ">";
+        }
+        params += "</person>";
+        StringEntity paramsEnt = new StringEntity(params);
+        request.setEntity(paramsEnt);
+    }
+
+    private static String escapeXML(String value) {
+        value = value.replace("&", "&amp;");
+        value = value.replace("\"", "&quot;");
+        value = value.replace("'", "&apos;");
+        value = value.replace("<", "&lt;");
+        value = value.replace(">", "&gt;");
+
+        return value;
+    }
+
+    @Override
+    HttpUriRequestBase createRequestInstance(String url) {
+        // Apparently all Jersey Requests are POSTS. Never any query string params per buildQuery()
+        // above.
+        HttpPost httpPost = new HttpPost(url);
+        return httpPost;
+    }
+}
diff --git a/library/src/main/java/org/owasp/benchmarkutils/entities/ServletTestCaseInput.java b/library/src/main/java/org/owasp/benchmarkutils/entities/ServletTestCaseInput.java
@@ -0,0 +1,83 @@
+package org.owasp.benchmarkutils.entities;
+
+import java.util.ArrayList;
+import java.util.List;
+import org.apache.hc.client5.http.classic.methods.HttpGet;
+import org.apache.hc.client5.http.classic.methods.HttpPost;
+import org.apache.hc.client5.http.classic.methods.HttpUriRequestBase;
+import org.apache.hc.client5.http.entity.UrlEncodedFormEntity;
+import org.apache.hc.core5.http.NameValuePair;
+import org.eclipse.persistence.oxm.annotations.XmlDiscriminatorValue;
+
+@XmlDiscriminatorValue("Servlet")
+public class ServletTestCaseInput extends HttpTestCaseInput {
+
+    @Override
+    void buildQueryString() {
+        setQueryString("");
+        boolean first = true;
+        for (RequestVariable field : getGetParameters()) {
+            if (first) {
+                setQueryString("?");
+                first = false;
+            } else {
+                setQueryString(getQueryString() + "&");
+            }
+            String name = field.getName();
+            String value = field.getValue();
+            // System.out.println(query);
+            setQueryString(getQueryString() + (name + "=" + urlEncode(value)));
+        }
+    }
+
+    @Override
+    void buildHeaders(HttpUriRequestBase request) {
+        // AJAX does: text/plain;charset=UTF-8, while HTML Form: application/x-www-form-urlencoded
+        // request.addHeader("Content-Type", ";charset=UTF-8"); --This BREAKS BenchmarkCrawling
+        request.addHeader(
+                "Content-Type", "application/x-www-form-urlencoded"); // Works for both though
+
+        for (RequestVariable header : getHeaders()) {
+            String name = header.getName();
+            String value = header.getValue();
+            // System.out.println("Header:" + name + "=" + value);
+            request.addHeader(name, value);
+        }
+    }
+
+    @Override
+    void buildCookies(HttpUriRequestBase request) {
+        for (RequestVariable cookie : getCookies()) {
+            String name = cookie.getName();
+            String value = cookie.getValue();
+            // Note: URL encoding of a space becomes a +, which is OK for Java, but
+            // not other languages. So after URLEncoding, replace all + with %20, which is the
+            // standard URL encoding for a space char.
+            request.addHeader("Cookie", name + "=" + urlEncode(value).replace("+", "%20"));
+        }
+    }
+
+    @Override
+    void buildBodyParameters(HttpUriRequestBase request) {
+        List<NameValuePair> fields = new ArrayList<>();
+        for (RequestVariable formParam : getFormParameters()) {
+            fields.add(formParam.getNameValuePair());
+        }
+
+        // Add the body parameters to the request if there were any
+        if (fields.size() > 0) {
+            request.setEntity(new UrlEncodedFormEntity(fields));
+        }
+    }
+
+    @Override
+    HttpUriRequestBase createRequestInstance(String url) {
+        HttpUriRequestBase httpUriRequestBase;
+        if (getQueryString().length() == 0) {
+            httpUriRequestBase = new HttpPost(url);
+        } else {
+            httpUriRequestBase = new HttpGet(url);
+        }
+        return httpUriRequestBase;
+    }
+}
diff --git a/library/src/main/java/org/owasp/benchmarkutils/entities/SpringTestCaseInput.java b/library/src/main/java/org/owasp/benchmarkutils/entities/SpringTestCaseInput.java
@@ -0,0 +1,67 @@
+package org.owasp.benchmarkutils.entities;
+
+import org.apache.hc.client5.http.classic.methods.HttpPost;
+import org.apache.hc.client5.http.classic.methods.HttpUriRequestBase;
+import org.apache.hc.core5.http.io.entity.StringEntity;
+import org.eclipse.persistence.oxm.annotations.XmlDiscriminatorValue;
+
+@XmlDiscriminatorValue("Spring")
+// @XmlType(name = "HttpPostTestCaseInput")
+public class SpringTestCaseInput extends HttpTestCaseInput {
+
+    @Override
+    void buildQueryString() {
+        setQueryString("");
+    }
+
+    @Override
+    void buildHeaders(HttpUriRequestBase request) {
+        request.addHeader("Content-type", "application/json"); // Should this add ;charset=utf-8?
+        // No: "Designating the encoding is somewhat redundant for JSON, since the default encoding
+        // for JSON is UTF-8."
+        for (RequestVariable header : getHeaders()) {
+            String name = header.getName();
+            String value = header.getValue();
+            System.out.println("Header:" + name + "=" + value);
+            request.addHeader(name, value);
+        }
+    }
+
+    @Override
+    void buildCookies(HttpUriRequestBase request) {
+        for (RequestVariable cookie : getCookies()) {
+            String name = cookie.getName();
+            String value = cookie.getValue();
+            // System.out.println("Cookie:" + name + "=" + value);
+            request.addHeader("Cookie", name + "=" + value);
+        }
+    }
+
+    @Override
+    void buildBodyParameters(HttpUriRequestBase request) {
+        boolean first = true;
+        String params = "{";
+        for (RequestVariable field : getFormParameters()) {
+            String name = field.getName();
+            String value = field.getValue();
+            // System.out.println(name+"="+value);
+            if (first) {
+                first = false;
+            } else {
+                params = params + ",";
+            }
+            params = params + String.format("\"%s\":\"%s\"", name, value.replace("\"", "\\\""));
+        }
+        params += "}";
+        StringEntity paramsEnt = new StringEntity(params);
+        request.setEntity(paramsEnt);
+    }
+
+    @Override
+    HttpUriRequestBase createRequestInstance(String url) {
+        // Apparently all Spring Requests are POSTS. Never any query string params per buildQuery()
+        // above.
+        HttpPost httpPost = new HttpPost(url);
+        return httpPost;
+    }
+}
diff --git a/library/src/main/java/org/owasp/benchmarkutils/entities/TestCaseInput.java b/library/src/main/java/org/owasp/benchmarkutils/entities/TestCaseInput.java
@@ -8,8 +8,9 @@
     CliFileExecutableTestCaseInput.class,
     ExecutableTestCaseInput.class,
     HttpTestCaseInput.class,
-    HttpGetTestCaseInput.class,
-    HttpPostTestCaseInput.class,
+    JerseyTestCaseInput.class,
+    ServletTestCaseInput.class,
+    SpringTestCaseInput.class,
     StdinExecutableTestCaseInput.class,
     TcpSocketTestCaseInput.class
 })

diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/tools/BenchmarkCrawlerVerification.java b/plugin/src/main/java/org/owasp/benchmarkutils/tools/BenchmarkCrawlerVerification.java
@@ -178,8 +178,8 @@ protected void crawl(TestSuite testSuite) throws Exception {
                         // FIXME: A bit of a hack
                         CliRequest attackRequest = executableTestCaseInput.buildAttackRequest();
                         CliRequest safeRequest = executableTestCaseInput.buildSafeRequest();
-                        //		                attackExecutor = new CliExecutor(attackRequest);
-                        //		                safeExecutor = new CliExecutor(safeRequest);
+                        attackExecutor = new CliExecutor(attackRequest);
+                        safeExecutor = new CliExecutor(safeRequest);
 
                         // Send the next test case request with its attack payload
                         attackPayloadResponseInfo = execute(attackRequest);
@@ -479,7 +479,7 @@ public static void main(String[] args) {
         // thisInstance can be set from execute() or here, depending on how this class is invoked
         // (via maven or command line)
         if (thisInstance == null) {
-            thisInstance = new BenchmarkCrawler();
+            thisInstance = new BenchmarkCrawlerVerification();
         }
         thisInstance.processCommandLineArgs(args);
         thisInstance.load();

diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/tools/CliExecutor.java b/plugin/src/main/java/org/owasp/benchmarkutils/tools/CliExecutor.java
@@ -0,0 +1,35 @@
+package org.owasp.benchmarkutils.tools;
+
+import java.util.ArrayList;
+import java.util.List;
+import org.owasp.benchmarkutils.entities.CliRequest;
+import org.owasp.benchmarkutils.entities.RequestVariable;
+
+public class CliExecutor implements TestExecutor {
+    CliRequest cliRequest;
+
+    public CliExecutor(CliRequest cliRequest) {
+        super();
+        this.cliRequest = cliRequest;
+    }
+
+    public CliRequest getCliRequest() {
+        return cliRequest;
+    }
+
+    public void setCliRequest(CliRequest cliRequest) {
+        this.cliRequest = cliRequest;
+    }
+
+    public String getExecutorDescription() {
+        List<String> commandTokens = new ArrayList<>();
+        commandTokens.add(cliRequest.getCommand());
+        for (RequestVariable requestVariable : cliRequest.getArgs()) {
+            commandTokens.add(
+                    String.format(
+                            "%s:%s%n", requestVariable.getName(), requestVariable.getValue()));
+        }
+
+        return commandTokens.toString();
+    }
+}
diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/tools/HttpExecutor.java b/plugin/src/main/java/org/owasp/benchmarkutils/tools/HttpExecutor.java
@@ -0,0 +1,53 @@
+package org.owasp.benchmarkutils.tools;
+
+import java.io.IOException;
+import java.io.PrintWriter;
+import java.io.StringWriter;
+import java.nio.charset.StandardCharsets;
+import org.apache.commons.io.IOUtils;
+import org.apache.hc.client5.http.classic.methods.HttpPost;
+import org.apache.hc.client5.http.classic.methods.HttpUriRequest;
+import org.apache.hc.core5.http.Header;
+import org.apache.hc.core5.http.HttpEntity;
+
+public class HttpExecutor implements TestExecutor {
+    HttpUriRequest httpRequest;
+
+    public HttpExecutor(HttpUriRequest httpRequest) {
+        super();
+        this.httpRequest = httpRequest;
+    }
+
+    public HttpUriRequest getHttpRequest() {
+        return httpRequest;
+    }
+
+    public void setHttpRequest(HttpUriRequest httpRequest) {
+        this.httpRequest = httpRequest;
+    }
+
+    public String getExecutorDescription() {
+        StringWriter stringWriter = new StringWriter();
+        PrintWriter out = new PrintWriter(stringWriter);
+
+        out.println(httpRequest.toString());
+        for (Header header : httpRequest.getHeaders()) {
+            out.printf("%s:%s%n", header.getName(), header.getValue());
+        }
+        if (httpRequest instanceof HttpPost) {
+            HttpPost postHttpRequest = (HttpPost) httpRequest;
+            out.println();
+            try {
+                HttpEntity entity = postHttpRequest.getEntity();
+                if (entity != null) {
+                    out.println(IOUtils.toString(entity.getContent(), StandardCharsets.UTF_8));
+                }
+            } catch (IOException e) {
+                System.out.println("ERROR: Could not parse HttpPost entities");
+                e.printStackTrace();
+            }
+        }
+        out.flush();
+        return stringWriter.toString();
+    }
+}
diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/tools/RegressionTesting.java b/plugin/src/main/java/org/owasp/benchmarkutils/tools/RegressionTesting.java
@@ -221,13 +221,13 @@ private static void printTestCaseDetails(TestCaseVerificationResults result, Log
         out.println(testCase.toString());
         out.println();
         out.println("Attack request:");
-        out.printf(result.getAttackTestExecutor().getExecutorDescription(), out);
+        out.println(result.getAttackTestExecutor().getExecutorDescription());
         out.println();
         out.printf("Attack response: [%d]:%n", attackResponseInfo.getStatusCode());
         out.println(attackResponseInfo == null ? "null" : attackResponseInfo.getResponseString());
         out.println();
         out.println("Safe request:");
-        out.printf(result.getSafeTestExecutor().getExecutorDescription(), out);
+        out.println(result.getSafeTestExecutor().getExecutorDescription());
         out.println();
         out.printf("Safe response: [%d]:%n", attackResponseInfo.getStatusCode());
         out.println(safeResponseInfo == null ? "null" : safeResponseInfo.getResponseString());

diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/tools/TestExecutor.java b/plugin/src/main/java/org/owasp/benchmarkutils/tools/TestExecutor.java
@@ -0,0 +1,5 @@
+package org.owasp.benchmarkutils.tools;
+
+interface TestExecutor {
+    public String getExecutorDescription();
+}