Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
69 changes: 69 additions & 0 deletions java1.vuln
Original file line number Diff line number Diff line change
@@ -0,0 +1,69 @@

package org.owasp.benchmark.testcode;

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet(value = "/cmdi-00/BenchmarkTest00006")
public class bad1 extends HttpServlet {

private static final long serialVersionUID = 1L;

@Override
public void doGet(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
doPost(request, response);
}

@Override
public void doPost(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
// some code
response.setContentType("text/html;charset=UTF-8");

String param = "";
if (request.getHeader("BenchmarkTest00006") != null) {
param = request.getHeader("BenchmarkTest00006");
}

// URL Decode the header value since req.getHeader() doesn't. Unlike req.getParameter().
param = java.net.URLDecoder.decode(param, "UTF-8");

ScriptEngineManager factory = new ScriptEngineManager();
ScriptEngine engine = factory.getEngineByName("JavaScript");

String script = createTaintedScript(param);

//ruleid: tainted-code-injection-from-http-request
engine.eval(script); //Bad things can happen here.

String script2 = "this is a hardcoded script";
// ok: tainted-code-injection-from-http-request
engine.eval(script2); //Bad things can happen here.

FacesContext context = FacesContext.getCurrentInstance();
ExpressionFactory expressionFactory = context.getApplication().getExpressionFactory();
ELContext elContext = context.getELContext();
//ruleid: tainted-code-injection-from-http-request
ValueExpression vex = expressionFactory.createValueExpression(elContext, "expression" + param, String.class);

String result = evaluateExpression("expression" + param);

}

public String createTaintedScript(String param){
return "this is some script" + param;
}

public String evaluateExpression(String expression) {
FacesContext context = FacesContext.getCurrentInstance();
ExpressionFactory expressionFactory = context.getApplication().getExpressionFactory();
ELContext elContext = context.getELContext();
// proruleid: tainted-code-injection-from-http-request
ValueExpression vex = expressionFactory.createValueExpression(elContext, expression, String.class);
return (String) vex.getValue(elContext);
}
2 changes: 1 addition & 1 deletion requirements.txt
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@ itsdangerous==2.0.1
Jinja2==3.0.1
lxml==4.8.0
MarkupSafe==2.0.1
requests==2.27.1
requests==2.26.1
urllib3==1.26.8
waitress==2.1.1
Werkzeug==2.0.1
69 changes: 69 additions & 0 deletions vuln.java
Original file line number Diff line number Diff line change
@@ -0,0 +1,69 @@

package org.owasp.benchmark.testcode;

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet(value = "/cmdi-00/BenchmarkTest00006")
public class bad1 extends HttpServlet {

private static final long serialVersionUID = 1L;

@Override
public void doGet(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
doPost(request, response);
}

@Override
public void doPost(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
// some code
response.setContentType("text/html;charset=UTF-8");

String param = "";
if (request.getHeader("BenchmarkTest00006") != null) {
param = request.getHeader("BenchmarkTest00006");
}

// URL Decode the header value since req.getHeader() doesn't. Unlike req.getParameter().
param = java.net.URLDecoder.decode(param, "UTF-8");

ScriptEngineManager factory = new ScriptEngineManager();
ScriptEngine engine = factory.getEngineByName("JavaScript");

String script = createTaintedScript(param);

//ruleid: tainted-code-injection-from-http-request
engine.eval(script); //Bad things can happen here.

String script2 = "this is a hardcoded script";
// ok: tainted-code-injection-from-http-request
engine.eval(script2); //Bad things can happen here.

FacesContext context = FacesContext.getCurrentInstance();
ExpressionFactory expressionFactory = context.getApplication().getExpressionFactory();
ELContext elContext = context.getELContext();
//ruleid: tainted-code-injection-from-http-request
ValueExpression vex = expressionFactory.createValueExpression(elContext, "expression" + param, String.class);

String result = evaluateExpression("expression" + param);

}

public String createTaintedScript(String param){
return "this is some script" + param;
}

public String evaluateExpression(String expression) {
FacesContext context = FacesContext.getCurrentInstance();
ExpressionFactory expressionFactory = context.getApplication().getExpressionFactory();
ELContext elContext = context.getELContext();
// proruleid: tainted-code-injection-from-http-request
ValueExpression vex = expressionFactory.createValueExpression(elContext, expression, String.class);
return (String) vex.getValue(elContext);
}