From cd5f33b65b20e75e24cb85622026bae9c269632e Mon Sep 17 00:00:00 2001 From: 13Anthony <147270663+13Anthony@users.noreply.github.com> Date: Fri, 17 Nov 2023 21:56:17 +0100 Subject: [PATCH 01/10] Fix: only pushing tests (#451) * Fix: only pushing tests * fixing indentation issues --------- Co-authored-by: Karan Preet Singh Sasan --- ...rorBasedSQLInjectionVulnerabilityTest.java | 146 ++++++++++++++++++ 1 file changed, 146 insertions(+) create mode 100644 src/test/java/org/sasanlabs/service/vulnerability/sqlInjection/ErrorBasedSQLInjectionVulnerabilityTest.java diff --git a/src/test/java/org/sasanlabs/service/vulnerability/sqlInjection/ErrorBasedSQLInjectionVulnerabilityTest.java b/src/test/java/org/sasanlabs/service/vulnerability/sqlInjection/ErrorBasedSQLInjectionVulnerabilityTest.java new file mode 100644 index 00000000..a665b754 --- /dev/null +++ b/src/test/java/org/sasanlabs/service/vulnerability/sqlInjection/ErrorBasedSQLInjectionVulnerabilityTest.java @@ -0,0 +1,146 @@ +package org.sasanlabs.service.vulnerability.sqlInjection; + +import static org.junit.jupiter.api.Assertions.assertEquals; +import static org.mockito.ArgumentMatchers.any; +import static org.mockito.ArgumentMatchers.anyString; +import static org.mockito.Mockito.doReturn; +import static org.mockito.Mockito.eq; +import static org.mockito.Mockito.verify; + +import java.io.IOException; +import java.util.Collections; +import java.util.HashMap; +import java.util.Map; +import org.junit.jupiter.api.BeforeEach; +import org.junit.jupiter.api.Test; +import org.mockito.Mockito; +import org.sasanlabs.vulnerability.utils.Constants; +import org.springframework.http.HttpStatus; +import org.springframework.http.ResponseEntity; +import org.springframework.jdbc.core.JdbcTemplate; +import org.springframework.jdbc.core.PreparedStatementCreator; +import org.springframework.jdbc.core.PreparedStatementSetter; +import org.springframework.jdbc.core.ResultSetExtractor; + +class ErrorBasedSQLInjectionVulnerabilityTest { + + private ErrorBasedSQLInjectionVulnerability errorBasedSQLInjectionVulnerability; + private JdbcTemplate template; + + @BeforeEach + void setUp() { + template = Mockito.mock(JdbcTemplate.class); + + // Mock database + doReturn(null) + .when(template) + .query(anyString(), (ResultSetExtractor) any()); + doReturn(null) + .when(template) + .query( + anyString(), + (PreparedStatementSetter) any(), + (ResultSetExtractor) any()); + + errorBasedSQLInjectionVulnerability = new ErrorBasedSQLInjectionVulnerability(template); + } + + @Test + void doesCarInformationExistsLevel1_ExpectParamEscaped() throws IOException { + // Act + final Map queryParams = Collections.singletonMap("id", "1"); + errorBasedSQLInjectionVulnerability.doesCarInformationExistsLevel1(queryParams); + + // Assert + verify(template) + .query( + eq("select * from cars where id=1"), + (ResultSetExtractor) any()); + } + + @Test + void doesCarInformationExistsLevel2_ExpectParamEscaped() throws IOException { + // Act + final Map queryParams = Collections.singletonMap("id", "1"); + errorBasedSQLInjectionVulnerability.doesCarInformationExistsLevel2(queryParams); + + // Assert + verify(template) + .query( + eq("select * from cars where id='1'"), + (ResultSetExtractor) any()); + } + + @Test + void doesCarInformationExistsLevel3_ExpectParamEscaped() throws IOException { + // Act + final Map queryParams = Collections.singletonMap("id", "1'"); + errorBasedSQLInjectionVulnerability.doesCarInformationExistsLevel3(queryParams); + + // Assert + verify(template) + .query( + eq("select * from cars where id='1'"), + (ResultSetExtractor) any()); + } + + @Test + void doesCarInformationExistsLevel4_ExpectValidResponse() { + // Arrange + Map queryParams = new HashMap<>(); + queryParams.put(Constants.ID, "1'"); + + // Mock the response entity + ResponseEntity mockResponseEntity = + ResponseEntity.status(HttpStatus.OK).body("Sample response"); + doReturn(mockResponseEntity) + .when(template) + .query( + Mockito.any(PreparedStatementCreator.class), + Mockito.any(PreparedStatementSetter.class), + Mockito.any(ResultSetExtractor.class)); + + // Act + ResponseEntity response = + errorBasedSQLInjectionVulnerability.doesCarInformationExistsLevel4(queryParams); + + // Assert + assertEquals(HttpStatus.OK, response.getStatusCode()); + assertEquals("Sample response", response.getBody()); + verify(template) + .query( + Mockito.any(PreparedStatementCreator.class), + Mockito.any(PreparedStatementSetter.class), + Mockito.any(ResultSetExtractor.class)); + } + + @Test + void doesCarInformationExistsLevel5_ExpectValidResponse() { + // Arrange + Map queryParams = new HashMap<>(); + queryParams.put(Constants.ID, "1"); + + // Mock the response entity + ResponseEntity mockResponseEntity = + ResponseEntity.status(HttpStatus.OK).body("Sample response"); + doReturn(mockResponseEntity) + .when(template) + .query( + Mockito.any(PreparedStatementCreator.class), + Mockito.any(PreparedStatementSetter.class), + Mockito.any(ResultSetExtractor.class)); + + // Act + ResponseEntity response = + errorBasedSQLInjectionVulnerability.doesCarInformationExistsLevel5(queryParams); + + // Assert + assertEquals(HttpStatus.OK, response.getStatusCode()); + assertEquals("Sample response", response.getBody()); + verify(template) + .query( + Mockito.any(PreparedStatementCreator.class), + Mockito.any(PreparedStatementSetter.class), + Mockito.any(ResultSetExtractor.class)); + } +} From 2916763e5462226629867d9a8cf5949f58fd69fa Mon Sep 17 00:00:00 2001 From: SeheX <147345361+SeheX@users.noreply.github.com> Date: Wed, 29 Nov 2023 08:03:40 +0100 Subject: [PATCH 02/10] Pushing test for Persistent XSS in HTML (#455) Pushing test for Persistent XSS in HTML Co-authored-by: Dominik Knut Co-authored-by: Karan Preet Singh Sasan --- ...rsistentXSSInHTMLTagVulnerabilityTest.java | 379 ++++++++++++++++++ 1 file changed, 379 insertions(+) create mode 100644 src/test/java/org/sasanlabs/service/vulnerability/xss/reflected/PersistentXSSInHTMLTagVulnerabilityTest.java diff --git a/src/test/java/org/sasanlabs/service/vulnerability/xss/reflected/PersistentXSSInHTMLTagVulnerabilityTest.java b/src/test/java/org/sasanlabs/service/vulnerability/xss/reflected/PersistentXSSInHTMLTagVulnerabilityTest.java new file mode 100644 index 00000000..6e034c8e --- /dev/null +++ b/src/test/java/org/sasanlabs/service/vulnerability/xss/reflected/PersistentXSSInHTMLTagVulnerabilityTest.java @@ -0,0 +1,379 @@ +package org.sasanlabs.service.vulnerability.xss.reflected; + +import static org.junit.jupiter.api.Assertions.assertEquals; +import static org.mockito.Mockito.*; + +import java.util.Arrays; +import java.util.Collections; +import java.util.Map; +import org.junit.jupiter.api.BeforeEach; +import org.junit.jupiter.api.Test; +import org.mockito.ArgumentCaptor; +import org.mockito.Mock; +import org.mockito.MockitoAnnotations; +import org.sasanlabs.service.vulnerability.xss.persistent.PersistentXSSInHTMLTagVulnerability; +import org.sasanlabs.service.vulnerability.xss.persistent.Post; +import org.sasanlabs.service.vulnerability.xss.persistent.PostRepository; +import org.springframework.http.HttpStatus; +import org.springframework.http.ResponseEntity; + +public class PersistentXSSInHTMLTagVulnerabilityTest { + @Mock private PostRepository postRepository; + + private PersistentXSSInHTMLTagVulnerability vulnerability; + + @BeforeEach + public void setup() { + MockitoAnnotations.initMocks(this); + vulnerability = new PersistentXSSInHTMLTagVulnerability(postRepository); + } + + @Test + public void testGetVulnerablePayloadLevel1() { + // Prepare test data + Map queryParams = + Collections.singletonMap("comment", ""); + + // Perform the test + ResponseEntity response = vulnerability.getVulnerablePayloadLevel1(queryParams); + + // Verify that the save method is called once + verify(postRepository, times(1)).save(any()); + + // Capture the argument passed to the save method + ArgumentCaptor postCaptor = ArgumentCaptor.forClass(Post.class); + verify(postRepository).save(postCaptor.capture()); + + // Assert on the content of the post being saved + assertEquals("", postCaptor.getValue().getContent()); + + // Assert on the HTTP response status code + assertEquals(200, response.getStatusCodeValue()); + } + + @Test + public void testGetVulnerablePayloadLevel1WithXSSInAttributeValue() { + // Prepare test data + Map queryParams = + Collections.singletonMap("comment", "Click me"); + + // Perform the test + ResponseEntity response = vulnerability.getVulnerablePayloadLevel1(queryParams); + + // Verify that the save method is called once + verify(postRepository, times(1)).save(any()); + + // Capture the argument passed to the save method + ArgumentCaptor postCaptor = ArgumentCaptor.forClass(Post.class); + verify(postRepository).save(postCaptor.capture()); + + // Assert on the content of the post being saved + assertEquals( + "Click me", postCaptor.getValue().getContent()); + + // Assert on the HTTP response status code + assertEquals(200, response.getStatusCodeValue()); + } + + @Test + public void testGetVulnerablePayloadLevel2() { + // Prepare test data + Map queryParams = + Collections.singletonMap("comment", ""); + + // Perform the test + ResponseEntity response = vulnerability.getVulnerablePayloadLevel2(queryParams); + + // Verify that the save method is called once + verify(postRepository, times(1)).save(any()); + + // Capture the argument passed to the save method + ArgumentCaptor postCaptor = ArgumentCaptor.forClass(Post.class); + verify(postRepository).save(postCaptor.capture()); + + // Assert on the content of the post being saved + assertEquals("", postCaptor.getValue().getContent()); + + // Assert on the HTTP response status code + assertEquals(200, response.getStatusCodeValue()); + } + + @Test + public void testGetVulnerablePayloadLevel3() { + // Prepare test data + Map queryParams = + Collections.singletonMap("comment", ""); + + // Perform the test + ResponseEntity response = vulnerability.getVulnerablePayloadLevel3(queryParams); + + // Verify that the save method is called once + verify(postRepository, times(1)).save(any()); + + // Capture the argument passed to the save method + ArgumentCaptor postCaptor = ArgumentCaptor.forClass(Post.class); + verify(postRepository).save(postCaptor.capture()); + + // Assert on the modified content of the post being saved + assertEquals("", postCaptor.getValue().getContent()); + + // Assert on the HTTP response status code + assertEquals(200, response.getStatusCodeValue()); + } + + @Test + public void testGetVulnerablePayloadLevel4() { + // Prepare test data + Map queryParams = + Collections.singletonMap("comment", ""); + + // Perform the test + ResponseEntity response = vulnerability.getVulnerablePayloadLevel4(queryParams); + + // Verify that the save method is called once + verify(postRepository, times(1)).save(any()); + + // Capture the argument passed to the save method + ArgumentCaptor postCaptor = ArgumentCaptor.forClass(Post.class); + verify(postRepository).save(postCaptor.capture()); + + // Assert on the modified content of the post being saved + assertEquals("", postCaptor.getValue().getContent()); + + // Assert on the HTTP response status code + assertEquals(200, response.getStatusCodeValue()); + } + + @Test + public void testGetVulnerablePayloadLevel5() { + // Prepare test data + Map queryParams = + Collections.singletonMap("comment", ""); + + // Perform the test + ResponseEntity response = vulnerability.getVulnerablePayloadLevel5(queryParams); + + // Verify that the save method is called once + verify(postRepository, times(1)).save(any()); + + // Capture the argument passed to the save method + ArgumentCaptor postCaptor = ArgumentCaptor.forClass(Post.class); + verify(postRepository).save(postCaptor.capture()); + + // Assert on the modified content of the post being saved + assertEquals("", postCaptor.getValue().getContent()); + + // Assert on the HTTP response status code + assertEquals(200, response.getStatusCodeValue()); + } + + @Test + public void testGetVulnerablePayloadLevel6() { + // Prepare test data + Map queryParams = + Collections.singletonMap("comment", ""); + + // Perform the test + ResponseEntity response = vulnerability.getVulnerablePayloadLevel6(queryParams); + + // Verify that the save method is called once + verify(postRepository, times(1)).save(any()); + + // Capture the argument passed to the save method + ArgumentCaptor postCaptor = ArgumentCaptor.forClass(Post.class); + verify(postRepository).save(postCaptor.capture()); + + // Assert on the modified content of the post being saved + assertEquals("", postCaptor.getValue().getContent()); + + // Assert on the HTTP response status code + assertEquals(200, response.getStatusCodeValue()); + } + + @Test + public void testGetVulnerablePayloadLevel7() { + // Prepare test data + Map queryParams = + Collections.singletonMap("comment", ""); + + // Perform the test + ResponseEntity response = vulnerability.getVulnerablePayloadLevel7(queryParams); + + // Verify that the save method is called once + verify(postRepository, times(1)).save(any()); + + // Capture the argument passed to the save method + ArgumentCaptor postCaptor = ArgumentCaptor.forClass(Post.class); + verify(postRepository).save(postCaptor.capture()); + + // Assert on the modified content of the post being saved + assertEquals("", postCaptor.getValue().getContent()); + + // Assert on the HTTP response status code + assertEquals(200, response.getStatusCodeValue()); + } + + @Test + public void testGetVulnerablePayloadLevel5WithNullByte() { + // Prepare test data with NullByte + Map queryParams = + Collections.singletonMap("comment", ""); + + // Perform the test + ResponseEntity response = vulnerability.getVulnerablePayloadLevel5(queryParams); + + // Verify that the save method is called once + verify(postRepository, times(1)).save(any()); + + // Capture the argument passed to the save method + ArgumentCaptor postCaptor = ArgumentCaptor.forClass(Post.class); + verify(postRepository).save(postCaptor.capture()); + + // Assert on the modified content of the post being saved (assuming it's not modified) + assertEquals("", postCaptor.getValue().getContent()); + + // Assert on the HTTP response status code + assertEquals(200, response.getStatusCodeValue()); + } + + @Test + public void testGetVulnerablePayloadLevel6WithNullByte() { + // Prepare test data with NullByte + Map queryParams = + Collections.singletonMap("comment", "\u0000"); + + // Perform the test + ResponseEntity response = vulnerability.getVulnerablePayloadLevel6(queryParams); + + // Verify that the save method is called once + verify(postRepository, times(1)).save(any()); + + // Capture the argument passed to the save method + ArgumentCaptor postCaptor = ArgumentCaptor.forClass(Post.class); + verify(postRepository).save(postCaptor.capture()); + + // Assert on the modified content of the post being saved (assuming it's not modified) + assertEquals("\u0000", postCaptor.getValue().getContent()); + + // Assert on the HTTP response status code + assertEquals(200, response.getStatusCodeValue()); + } + + @Test + public void testGetVulnerablePayloadLevel4WithResponseStatusAssertions() { + // Prepare test data + Map queryParams = + Collections.singletonMap("comment", ""); + + // Perform the test + ResponseEntity response = vulnerability.getVulnerablePayloadLevel4(queryParams); + + // Verify that the save method is called once + verify(postRepository, times(1)).save(any()); + + // Capture the argument passed to the save method + ArgumentCaptor postCaptor = ArgumentCaptor.forClass(Post.class); + verify(postRepository).save(postCaptor.capture()); + + // Assert on the modified content of the post being saved + assertEquals("", postCaptor.getValue().getContent()); + + // Assert on the HTTP response status code + assertEquals(HttpStatus.OK, response.getStatusCode()); + } + + @Test + public void testGetVulnerablePayloadLevel6WithHtmlEscaping() { + Post post = new Post(); + post.setContent(""); + + when(postRepository.findByLevelIdentifier("LEVEL_6")).thenReturn(Arrays.asList(post)); + + // Prepare test data + Map queryParams = + Collections.singletonMap("comment", ""); + + // Perform the test + ResponseEntity response = vulnerability.getVulnerablePayloadLevel6(queryParams); + + // Verify that the save method is called once + verify(postRepository, times(1)).save(any()); + + // Capture the argument passed to the save method + ArgumentCaptor postCaptor = ArgumentCaptor.forClass(Post.class); + verify(postRepository).save(postCaptor.capture()); + + // Assert on the content of the post being saved + assertEquals("", postCaptor.getValue().getContent()); + + // Assert on the modified content of the post being saved (HTML escaped) + assertEquals( + "
<img src='x' onerror='alert(1)'>
", + response.getBody()); + + // Assert on the HTTP response status code + assertEquals(HttpStatus.OK, response.getStatusCode()); + } + + @Test + public void testGetVulnerablePayloadLevel2_WithPatternReplacement() { + Post post = new Post(); + post.setContent(""); + + when(postRepository.findByLevelIdentifier("LEVEL_2")).thenReturn(Arrays.asList(post)); + + // Prepare test data + Map queryParams = + Collections.singletonMap("comment", ""); + + // Perform the test + ResponseEntity response = vulnerability.getVulnerablePayloadLevel2(queryParams); + + // Verify that the save method is called once + verify(postRepository, times(1)).save(any()); + + // Capture the argument passed to the save method + ArgumentCaptor postCaptor = ArgumentCaptor.forClass(Post.class); + verify(postRepository).save(postCaptor.capture()); + + // Assert on the content of the post being saved + assertEquals("", postCaptor.getValue().getContent()); + + // Assert on the modified content of the post being saved (pattern replaced) + assertEquals("
src='x' onerror='alert(1)'>
", response.getBody()); + + // Assert on the HTTP response status code + assertEquals(HttpStatus.OK, response.getStatusCode()); + } + + @Test + public void testGetVulnerablePayloadLevel3_WithResponseContentAssertions() { + Post post = new Post(); + post.setContent(""); + + when(postRepository.findByLevelIdentifier("LEVEL_3")).thenReturn(Arrays.asList(post)); + + // Prepare test data + Map queryParams = + Collections.singletonMap("comment", ""); + + // Perform the test + ResponseEntity response = vulnerability.getVulnerablePayloadLevel3(queryParams); + + // Verify that the save method is called once + verify(postRepository, times(1)).save(any()); + + // Capture the argument passed to the save method + ArgumentCaptor postCaptor = ArgumentCaptor.forClass(Post.class); + verify(postRepository).save(postCaptor.capture()); + + // Assert on the modified content of the post being saved + assertEquals("", postCaptor.getValue().getContent()); + + // Assert on the content of the response + assertEquals("
>alert('XSS')
", response.getBody()); + + // Assert on the HTTP response status code + assertEquals(HttpStatus.OK, response.getStatusCode()); + } +} From 395d2fa6a7518a97c197966101de25e2c9c10e68 Mon Sep 17 00:00:00 2001 From: Karan Preet Singh Sasan Date: Sun, 3 Dec 2023 10:51:25 -0800 Subject: [PATCH 03/10] Adding codecov Adding code cov --- .github/workflows/gradle.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/gradle.yml b/.github/workflows/gradle.yml index 58e1c59c..5ced09fc 100644 --- a/.github/workflows/gradle.yml +++ b/.github/workflows/gradle.yml @@ -24,3 +24,7 @@ jobs: run: chmod +x gradlew - name: Build with Gradle run: ./gradlew build + - name: Upload coverage reports to Codecov + uses: codecov/codecov-action@v3 + env: + CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} From f0fa69c4b9d7efbd3136e594e649cc9673aed6d9 Mon Sep 17 00:00:00 2001 From: Karan Preet Singh Sasan Date: Sun, 3 Dec 2023 10:55:44 -0800 Subject: [PATCH 04/10] Update README.md to add codecov badge (#461) --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 06cd7ebf..369d04ed 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ # ![OWASP VulnerableApp](https://raw.githubusercontent.com/SasanLabs/VulnerableApp/master/docs/logos/Coloured/iconColoured.png) OWASP VulnerableApp -![OWASP Incubator](https://img.shields.io/badge/owasp-incubator-blue.svg) ![](https://img.shields.io/github/v/release/SasanLabs/VulnerableApp?style=flat) [![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0) ![Java CI with Gradle](https://github.com/SasanLabs/VulnerableApp/workflows/Java%20CI%20with%20Gradle/badge.svg) [![PRs Welcome](https://img.shields.io/badge/PRs-welcome-brightgreen.svg?style=flat-square)](http://makeapullrequest.com) [![Docker Pulls](https://badgen.net/docker/pulls/sasanlabs/owasp-vulnerableapp?icon=docker&label=pulls)](https://hub.docker.com/r/sasanlabs/owasp-vulnerableapp/) +![OWASP Incubator](https://img.shields.io/badge/owasp-incubator-blue.svg) ![](https://img.shields.io/github/v/release/SasanLabs/VulnerableApp?style=flat) [![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0) ![Java CI with Gradle](https://github.com/SasanLabs/VulnerableApp/workflows/Java%20CI%20with%20Gradle/badge.svg) [![PRs Welcome](https://img.shields.io/badge/PRs-welcome-brightgreen.svg?style=flat-square)](http://makeapullrequest.com) [![Docker Pulls](https://badgen.net/docker/pulls/sasanlabs/owasp-vulnerableapp?icon=docker&label=pulls)](https://hub.docker.com/r/sasanlabs/owasp-vulnerableapp/) [![codecov](https://codecov.io/gh/SasanLabs/VulnerableApp/graph/badge.svg?token=DTS3PA8WXZ)](https://codecov.io/gh/SasanLabs/VulnerableApp) As Web Applications are becoming popular these days, there comes a dire need to secure them. Although there are several Vulnerability Scanning Tools, however while developing these tools, developers need to test them. Moreover, they also need to know how well the Vulnerability Scanning tool is performing. As of now, there are little or no such vulnerable applications existing for testing such tools. There are Deliberately Vulnerable Applications existing in the market but they are not written with such an intent and hence lag extensibility, e.g. adding new vulnerabilities is quite difficult. Hence, developers resort to writing their own vulnerable applications, which usually causes productivity loss and the pain of reworking. From b1fad117d5e435da634b0dfd82c0d5c3756c8939 Mon Sep 17 00:00:00 2001 From: tkomlodi <6026319+tkomlodi@users.noreply.github.com> Date: Sun, 3 Dec 2023 14:19:54 -0500 Subject: [PATCH 05/10] Fixed file upload tmp directory creation when root directory is not writtable by application #449. (#453) --- .../vulnerability/fileupload/UnrestrictedFileUpload.java | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/main/java/org/sasanlabs/service/vulnerability/fileupload/UnrestrictedFileUpload.java b/src/main/java/org/sasanlabs/service/vulnerability/fileupload/UnrestrictedFileUpload.java index 0e05276f..adb5f95d 100644 --- a/src/main/java/org/sasanlabs/service/vulnerability/fileupload/UnrestrictedFileUpload.java +++ b/src/main/java/org/sasanlabs/service/vulnerability/fileupload/UnrestrictedFileUpload.java @@ -92,10 +92,10 @@ public UnrestrictedFileUpload() throws IOException, URISyntaxException { "If you are running vulnerableApp as a Jar then UnrestrictedFileUpload will not work. " + "For more information: https://github.com/SasanLabs/VulnerableApp/issues/255", e); - if (root != null) { + if (root == null || !root.toFile().exists()) { root = Files.createTempDirectory(null); } - if (contentDispositionRoot != null) { + if (contentDispositionRoot == null || !contentDispositionRoot.toFile().exists()) { contentDispositionRoot = Files.createTempDirectory(null); } } From c6e007f4c6790e9461dbd214c91c20d845438aaf Mon Sep 17 00:00:00 2001 From: Karan Preet Singh Sasan Date: Sun, 3 Dec 2023 12:56:15 -0800 Subject: [PATCH 06/10] Update build.gradle (#462) --- build.gradle | 67 +++++++++++++++++++++++++++++----------------------- 1 file changed, 37 insertions(+), 30 deletions(-) diff --git a/build.gradle b/build.gradle index 3a93c844..a32df2a4 100644 --- a/build.gradle +++ b/build.gradle @@ -62,36 +62,40 @@ spotless { } jib { - from { - image = 'openjdk:8-jre-alpine' - platforms { - - platform { - architecture = 'amd64' - os = 'linux' - } - platform { - architecture = 'arm64' - os = 'linux' - } - platform { - architecture = '386' - os = 'linux' - } - platform { - architecture = 's390x' - os = 'linux' - } - platform { - architecture = 'ppc64le' - os = 'linux' - } - } - - } - to { - image = 'sasanlabs/owasp-vulnerableapp:unreleased' - } + to { + image = 'sasanlabs/owasp-vulnerableapp:unreleased' + } + + // Set up multi-platform build only if the task is not :jibDockerBuild + if (!project.gradle.startParameter.taskNames.contains("jibDockerBuild")) { + logger.info("JIB: Enabling Multi-Platform Images") + + from { + image = 'openjdk:8-jre-alpine' + platforms { + platform { + architecture = 'amd64' + os = 'linux' + } + platform { + architecture = 'arm64' + os = 'linux' + } + platform { + architecture = '386' + os = 'linux' + } + platform { + architecture = 's390x' + os = 'linux' + } + platform { + architecture = 'ppc64le' + os = 'linux' + } + } + } + } } jacoco { @@ -115,6 +119,7 @@ tasks.register('GenerateSampleVulnerability'){ } println 'Copy of html/css/js files is completed' println 'SampleVulnerability is generated !!!' + enabled = false } dependencies { @@ -149,6 +154,8 @@ dependencies { implementation group: 'commons-io', name: 'commons-io', version: '2.7' implementation group: 'io.github.sasanlabs', name: 'facade-schema', version: '1.0.1' + + implementation group: 'commons-fileupload', name: 'commons-fileupload', version: '1.5' } test { From f1429d4f84956d0c90fd75065815f4158b0e9967 Mon Sep 17 00:00:00 2001 From: Karan Preet Singh Sasan Date: Sun, 3 Dec 2023 17:31:07 -0800 Subject: [PATCH 07/10] Adding reddit troubleshooting link for application (#463) --- README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/README.md b/README.md index 369d04ed..a4a3d0cf 100644 --- a/README.md +++ b/README.md @@ -92,6 +92,10 @@ In case you are stuck with any of the steps or understanding anything related to 2. [Overview of Owasp-VulnerableApp - Blogspot post](https://hussaina-begum.blogspot.com/2020/10/an-extensible-vulnerable-application.html) 3. [Introduction to Owasp VulnerableApp by Kenji Nakajima](https://jpn.nec.com/cybersecurity/blog/220520/index.html) +### Troubleshooting references + +1. [Reddit exploiting SQL Injection Vulnerability](https://www.reddit.com/r/hacking/comments/11wtf17/owasp_vulnerableappfacade_sql_injection/) + ### Readme in other languages 1. [Russian](https://github.com/SasanLabs/VulnerableApp/tree/master/docs/i18n/ru/README.md) From 7f38cb3042ffbbce08c89e757d6a68f175491c76 Mon Sep 17 00:00:00 2001 From: Karan Preet Singh Sasan Date: Sun, 3 Dec 2023 17:33:00 -0800 Subject: [PATCH 08/10] Update README.md --- README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/README.md b/README.md index a4a3d0cf..9991f66e 100644 --- a/README.md +++ b/README.md @@ -93,7 +93,6 @@ In case you are stuck with any of the steps or understanding anything related to 3. [Introduction to Owasp VulnerableApp by Kenji Nakajima](https://jpn.nec.com/cybersecurity/blog/220520/index.html) ### Troubleshooting references - 1. [Reddit exploiting SQL Injection Vulnerability](https://www.reddit.com/r/hacking/comments/11wtf17/owasp_vulnerableappfacade_sql_injection/) ### Readme in other languages From f5045a402bdde5b0b38b445869ef1eaa53f0c1f7 Mon Sep 17 00:00:00 2001 From: richard66033 <104577745+richard66033@users.noreply.github.com> Date: Mon, 4 Dec 2023 20:54:21 +0100 Subject: [PATCH 09/10] Add test for PathTraversal class (#456) * Add test for PathTraversal class --------- Co-authored-by: Richard Sirovic Co-authored-by: Karan Preet Singh Sasan --- .../pathTraversal/PathTraversalTest.java | 451 ++++++++++++++++++ 1 file changed, 451 insertions(+) create mode 100644 src/test/java/org/sasanlabs/service/vulnerability/pathTraversal/PathTraversalTest.java diff --git a/src/test/java/org/sasanlabs/service/vulnerability/pathTraversal/PathTraversalTest.java b/src/test/java/org/sasanlabs/service/vulnerability/pathTraversal/PathTraversalTest.java new file mode 100644 index 00000000..ed779b9c --- /dev/null +++ b/src/test/java/org/sasanlabs/service/vulnerability/pathTraversal/PathTraversalTest.java @@ -0,0 +1,451 @@ +package org.sasanlabs.service.vulnerability.pathTraversal; + +import static org.junit.jupiter.api.Assertions.*; + +import java.net.URI; +import java.net.URISyntaxException; +import java.util.HashMap; +import java.util.Map; +import org.junit.jupiter.api.Test; +import org.mockito.InjectMocks; +import org.sasanlabs.service.vulnerability.bean.GenericVulnerabilityResponseBean; +import org.springframework.http.HttpMethod; +import org.springframework.http.HttpStatus; +import org.springframework.http.RequestEntity; +import org.springframework.http.ResponseEntity; + +class PathTraversalVulnerabilityTest { + @InjectMocks + private PathTraversalVulnerability pathTraversalVulnerability = + new PathTraversalVulnerability(); + + @Test + void testGetVulnerablePayloadLevel1WithNullFileName() { + Map queryParams = new HashMap<>(); + queryParams.put("fileName", null); + ResponseEntity> response = + pathTraversalVulnerability.getVulnerablePayloadLevel1(queryParams); + assertEquals(HttpStatus.OK, response.getStatusCode()); + assertNotNull(response.getBody()); + assertFalse(response.getBody().getIsValid()); + assertNull(response.getBody().getContent()); + } + + @Test + void testGetVulnerablePayloadLevel1WithWrongFileName() { + Map queryParams = new HashMap<>(); + queryParams.put("fileName", "../"); + ResponseEntity> response = + pathTraversalVulnerability.getVulnerablePayloadLevel1(queryParams); + assertEquals(HttpStatus.OK, response.getStatusCode()); + assertNotNull(response.getBody()); + assertTrue(response.getBody().getIsValid()); + assertNotNull(response.getBody().getContent()); + } + + @Test + void testGetVulnerablePayloadLevel1() { + Map queryParams = new HashMap<>(); + queryParams.put("fileName", "UserInfo.json"); + ResponseEntity> response = + pathTraversalVulnerability.getVulnerablePayloadLevel1(queryParams); + assertEquals(HttpStatus.OK, response.getStatusCode()); + } + + @Test + void testGetVulnerablePayloadLevel2WithNullFileName() throws URISyntaxException { + Map queryParams = new HashMap<>(); + queryParams.put("fileName", null); + RequestEntity requestEntity = + new RequestEntity<>(HttpMethod.GET, new URI("localhost")); + ResponseEntity> response = + pathTraversalVulnerability.getVulnerablePayloadLevel2(requestEntity, queryParams); + assertEquals(HttpStatus.OK, response.getStatusCode()); + assertNotNull(response.getBody()); + assertFalse(response.getBody().getIsValid()); + assertNull(response.getBody().getContent()); + } + + @Test + void testGetVulnerablePayloadLevel2WithWrongURL() throws URISyntaxException { + Map queryParams = new HashMap<>(); + queryParams.put("fileName", null); + RequestEntity requestEntity = new RequestEntity<>(HttpMethod.GET, new URI("../")); + ResponseEntity> response = + pathTraversalVulnerability.getVulnerablePayloadLevel2(requestEntity, queryParams); + assertEquals(HttpStatus.OK, response.getStatusCode()); + assertNotNull(response.getBody()); + assertFalse(response.getBody().getIsValid()); + assertNull(response.getBody().getContent()); + } + + @Test + void testGetVulnerablePayloadLevel2() throws URISyntaxException { + Map queryParams = new HashMap<>(); + queryParams.put("fileName", "UserInfo.json"); + RequestEntity requestEntity = + new RequestEntity<>(HttpMethod.GET, new URI("localhost")); + ResponseEntity> response = + pathTraversalVulnerability.getVulnerablePayloadLevel2(requestEntity, queryParams); + assertEquals(HttpStatus.OK, response.getStatusCode()); + } + + @Test + void testGetVulnerablePayloadLevel3WithNullFileName() throws URISyntaxException { + Map queryParams = new HashMap<>(); + queryParams.put("fileName", null); + RequestEntity requestEntity = + new RequestEntity<>(HttpMethod.GET, new URI("localhost")); + ResponseEntity> response = + pathTraversalVulnerability.getVulnerablePayloadLevel3(requestEntity, queryParams); + assertEquals(HttpStatus.OK, response.getStatusCode()); + assertNotNull(response.getBody()); + assertFalse(response.getBody().getIsValid()); + assertNull(response.getBody().getContent()); + } + + @Test + void testGetVulnerablePayloadLevel3WithWrongURL() throws URISyntaxException { + Map queryParams = new HashMap<>(); + queryParams.put("fileName", null); + RequestEntity requestEntity = new RequestEntity<>(HttpMethod.GET, new URI("..")); + ResponseEntity> response = + pathTraversalVulnerability.getVulnerablePayloadLevel3(requestEntity, queryParams); + assertEquals(HttpStatus.OK, response.getStatusCode()); + assertNotNull(response.getBody()); + assertFalse(response.getBody().getIsValid()); + assertNull(response.getBody().getContent()); + } + + @Test + void testGetVulnerablePayloadLevel3() throws URISyntaxException { + Map queryParams = new HashMap<>(); + queryParams.put("fileName", "UserInfo.json"); + RequestEntity requestEntity = + new RequestEntity<>(HttpMethod.GET, new URI("localhost")); + ResponseEntity> response = + pathTraversalVulnerability.getVulnerablePayloadLevel3(requestEntity, queryParams); + assertEquals(HttpStatus.OK, response.getStatusCode()); + } + + @Test + void testGetVulnerablePayloadLevel4WithNullFileName() throws URISyntaxException { + Map queryParams = new HashMap<>(); + queryParams.put("fileName", null); + RequestEntity requestEntity = + new RequestEntity<>(HttpMethod.GET, new URI("localhost")); + ResponseEntity> response = + pathTraversalVulnerability.getVulnerablePayloadLevel4(requestEntity, queryParams); + assertEquals(HttpStatus.OK, response.getStatusCode()); + assertNotNull(response.getBody()); + assertFalse(response.getBody().getIsValid()); + assertNull(response.getBody().getContent()); + } + + @Test + void testGetVulnerablePayloadLevel4WithWrongURL() throws URISyntaxException { + Map queryParams = new HashMap<>(); + queryParams.put("fileName", null); + RequestEntity requestEntity = new RequestEntity<>(HttpMethod.GET, new URI("%2f")); + ResponseEntity> response = + pathTraversalVulnerability.getVulnerablePayloadLevel4(requestEntity, queryParams); + assertEquals(HttpStatus.OK, response.getStatusCode()); + assertNotNull(response.getBody()); + assertFalse(response.getBody().getIsValid()); + assertNull(response.getBody().getContent()); + } + + @Test + void testGetVulnerablePayloadLevel4() throws URISyntaxException { + Map queryParams = new HashMap<>(); + queryParams.put("fileName", "UserInfo.json"); + RequestEntity requestEntity = + new RequestEntity<>(HttpMethod.GET, new URI("localhost")); + ResponseEntity> response = + pathTraversalVulnerability.getVulnerablePayloadLevel4(requestEntity, queryParams); + assertEquals(HttpStatus.OK, response.getStatusCode()); + } + + @Test + void testGetVulnerablePayloadLevel5WithNullFileName() throws URISyntaxException { + Map queryParams = new HashMap<>(); + queryParams.put("fileName", null); + RequestEntity requestEntity = + new RequestEntity<>(HttpMethod.GET, new URI("localhost")); + ResponseEntity> response = + pathTraversalVulnerability.getVulnerablePayloadLevel5(requestEntity, queryParams); + assertEquals(HttpStatus.OK, response.getStatusCode()); + assertNotNull(response.getBody()); + assertFalse(response.getBody().getIsValid()); + assertNull(response.getBody().getContent()); + } + + @Test + void testGetVulnerablePayloadLevel5WithWrongURLAndFileName() throws URISyntaxException { + Map queryParams = new HashMap<>(); + queryParams.put("fileName", null); + RequestEntity requestEntity = + new RequestEntity<>(HttpMethod.GET, new URI("%2f/..")); + ResponseEntity> response = + pathTraversalVulnerability.getVulnerablePayloadLevel5(requestEntity, queryParams); + assertEquals(HttpStatus.OK, response.getStatusCode()); + assertNotNull(response.getBody()); + assertFalse(response.getBody().getIsValid()); + assertNull(response.getBody().getContent()); + } + + @Test + void testGetVulnerablePayloadLevel5() throws URISyntaxException { + Map queryParams = new HashMap<>(); + queryParams.put("fileName", "UserInfo.json"); + RequestEntity requestEntity = + new RequestEntity<>(HttpMethod.GET, new URI("localhost")); + ResponseEntity> response = + pathTraversalVulnerability.getVulnerablePayloadLevel5(requestEntity, queryParams); + assertEquals(HttpStatus.OK, response.getStatusCode()); + } + + @Test + void testGetVulnerablePayloadLevel6WithNullFileName() { + Map queryParams = new HashMap<>(); + queryParams.put("fileName", null); + ResponseEntity> response = + pathTraversalVulnerability.getVulnerablePayloadLevel6(queryParams); + assertEquals(HttpStatus.OK, response.getStatusCode()); + assertNotNull(response.getBody()); + assertFalse(response.getBody().getIsValid()); + assertNull(response.getBody().getContent()); + } + + @Test + void testGetVulnerablePayloadLevel6WithWrongFileName() { + Map queryParams = new HashMap<>(); + queryParams.put("fileName", ".."); + ResponseEntity> response = + pathTraversalVulnerability.getVulnerablePayloadLevel6(queryParams); + assertEquals(HttpStatus.OK, response.getStatusCode()); + assertNotNull(response.getBody()); + assertFalse(response.getBody().getIsValid()); + assertNull(response.getBody().getContent()); + } + + @Test + void testGetVulnerablePayloadLevel6() { + Map queryParams = new HashMap<>(); + queryParams.put("fileName", "UserInfo.json"); + ResponseEntity> response = + pathTraversalVulnerability.getVulnerablePayloadLevel6(queryParams); + assertEquals(HttpStatus.OK, response.getStatusCode()); + } + + @Test + void testGetVulnerablePayloadLevel7WithNullFileName() throws URISyntaxException { + Map queryParams = new HashMap<>(); + queryParams.put("fileName", null); + RequestEntity requestEntity = + new RequestEntity<>(HttpMethod.GET, new URI("localhost")); + ResponseEntity> response = + pathTraversalVulnerability.getVulnerablePayloadLevel7(requestEntity, queryParams); + assertEquals(HttpStatus.OK, response.getStatusCode()); + assertNotNull(response.getBody()); + assertFalse(response.getBody().getIsValid()); + assertNull(response.getBody().getContent()); + } + + @Test + void testGetVulnerablePayloadLevel7() throws URISyntaxException { + Map queryParams = new HashMap<>(); + queryParams.put("fileName", "UserInfo.json"); + RequestEntity requestEntity = + new RequestEntity<>(HttpMethod.GET, new URI("localhost")); + ResponseEntity> response = + pathTraversalVulnerability.getVulnerablePayloadLevel7(requestEntity, queryParams); + assertEquals(HttpStatus.OK, response.getStatusCode()); + } + + @Test + void testGetVulnerablePayloadLevel8WithNullFileName() throws URISyntaxException { + Map queryParams = new HashMap<>(); + queryParams.put("fileName", null); + RequestEntity requestEntity = + new RequestEntity<>(HttpMethod.GET, new URI("localhost")); + ResponseEntity> response = + pathTraversalVulnerability.getVulnerablePayloadLevel8(requestEntity, queryParams); + assertEquals(HttpStatus.OK, response.getStatusCode()); + assertNotNull(response.getBody()); + assertFalse(response.getBody().getIsValid()); + assertNull(response.getBody().getContent()); + } + + @Test + void testGetVulnerablePayloadLevel8WithWrongURLAndFileName() throws URISyntaxException { + Map queryParams = new HashMap<>(); + queryParams.put("fileName", null); + RequestEntity requestEntity = new RequestEntity<>(HttpMethod.GET, new URI("../")); + ResponseEntity> response = + pathTraversalVulnerability.getVulnerablePayloadLevel8(requestEntity, queryParams); + assertEquals(HttpStatus.OK, response.getStatusCode()); + assertNotNull(response.getBody()); + assertFalse(response.getBody().getIsValid()); + assertNull(response.getBody().getContent()); + } + + @Test + void testGetVulnerablePayloadLevel8() throws URISyntaxException { + Map queryParams = new HashMap<>(); + queryParams.put("fileName", "UserInfo.json"); + RequestEntity requestEntity = + new RequestEntity<>(HttpMethod.GET, new URI("localhost")); + ResponseEntity> response = + pathTraversalVulnerability.getVulnerablePayloadLevel8(requestEntity, queryParams); + assertEquals(HttpStatus.OK, response.getStatusCode()); + } + + @Test + void testGetVulnerablePayloadLevel9WithNullFileName() throws URISyntaxException { + Map queryParams = new HashMap<>(); + queryParams.put("fileName", null); + RequestEntity requestEntity = + new RequestEntity<>(HttpMethod.GET, new URI("localhost")); + ResponseEntity> response = + pathTraversalVulnerability.getVulnerablePayloadLevel9(requestEntity, queryParams); + assertEquals(HttpStatus.OK, response.getStatusCode()); + assertNotNull(response.getBody()); + assertFalse(response.getBody().getIsValid()); + assertNull(response.getBody().getContent()); + } + + @Test + void testGetVulnerablePayloadLevel9WithWrongURLAndFileName() throws URISyntaxException { + Map queryParams = new HashMap<>(); + queryParams.put("fileName", null); + RequestEntity requestEntity = new RequestEntity<>(HttpMethod.GET, new URI("..")); + ResponseEntity> response = + pathTraversalVulnerability.getVulnerablePayloadLevel9(requestEntity, queryParams); + assertEquals(HttpStatus.OK, response.getStatusCode()); + assertNotNull(response.getBody()); + assertFalse(response.getBody().getIsValid()); + assertNull(response.getBody().getContent()); + } + + @Test + void testGetVulnerablePayloadLevel9() throws URISyntaxException { + Map queryParams = new HashMap<>(); + queryParams.put("fileName", "UserInfo.json"); + RequestEntity requestEntity = + new RequestEntity<>(HttpMethod.GET, new URI("localhost")); + ResponseEntity> response = + pathTraversalVulnerability.getVulnerablePayloadLevel9(requestEntity, queryParams); + assertEquals(HttpStatus.OK, response.getStatusCode()); + } + + @Test + void testGetVulnerablePayloadLevel10WithNullFileName() throws URISyntaxException { + Map queryParams = new HashMap<>(); + queryParams.put("fileName", null); + RequestEntity requestEntity = + new RequestEntity<>(HttpMethod.GET, new URI("localhost")); + ResponseEntity> response = + pathTraversalVulnerability.getVulnerablePayloadLevel10(requestEntity, queryParams); + assertEquals(HttpStatus.OK, response.getStatusCode()); + assertNotNull(response.getBody()); + assertFalse(response.getBody().getIsValid()); + assertNull(response.getBody().getContent()); + } + + @Test + void testGetVulnerablePayloadLevel10WithWrongURLAndFileName() throws URISyntaxException { + Map queryParams = new HashMap<>(); + queryParams.put("fileName", null); + RequestEntity requestEntity = + new RequestEntity<>(HttpMethod.GET, new URI("%2f/..")); + ResponseEntity> response = + pathTraversalVulnerability.getVulnerablePayloadLevel10(requestEntity, queryParams); + assertEquals(HttpStatus.OK, response.getStatusCode()); + assertNotNull(response.getBody()); + assertFalse(response.getBody().getIsValid()); + assertNull(response.getBody().getContent()); + } + + @Test + void testGetVulnerablePayloadLevel10() throws URISyntaxException { + Map queryParams = new HashMap<>(); + queryParams.put("fileName", "UserInfo.json"); + RequestEntity requestEntity = + new RequestEntity<>(HttpMethod.GET, new URI("localhost")); + ResponseEntity> response = + pathTraversalVulnerability.getVulnerablePayloadLevel10(requestEntity, queryParams); + assertEquals(HttpStatus.OK, response.getStatusCode()); + } + + @Test + void testGetVulnerablePayloadLevel11WithNullFileName() throws URISyntaxException { + Map queryParams = new HashMap<>(); + queryParams.put("fileName", null); + RequestEntity requestEntity = + new RequestEntity<>(HttpMethod.GET, new URI("localhost")); + ResponseEntity> response = + pathTraversalVulnerability.getVulnerablePayloadLevel11(requestEntity, queryParams); + assertEquals(HttpStatus.OK, response.getStatusCode()); + assertNotNull(response.getBody()); + assertFalse(response.getBody().getIsValid()); + assertNull(response.getBody().getContent()); + } + + @Test + void testGetVulnerablePayloadLevel11WithWrongURLAndFileName() throws URISyntaxException { + Map queryParams = new HashMap<>(); + queryParams.put("fileName", null); + RequestEntity requestEntity = new RequestEntity<>(HttpMethod.GET, new URI("2f/..")); + ResponseEntity> response = + pathTraversalVulnerability.getVulnerablePayloadLevel11(requestEntity, queryParams); + assertEquals(HttpStatus.OK, response.getStatusCode()); + assertNotNull(response.getBody()); + assertFalse(response.getBody().getIsValid()); + assertNull(response.getBody().getContent()); + } + + @Test + void testGetVulnerablePayloadLevel11() throws URISyntaxException { + Map queryParams = new HashMap<>(); + queryParams.put("fileName", "UserInfo.json"); + RequestEntity requestEntity = + new RequestEntity<>(HttpMethod.GET, new URI("localhost")); + ResponseEntity> response = + pathTraversalVulnerability.getVulnerablePayloadLevel11(requestEntity, queryParams); + assertEquals(HttpStatus.OK, response.getStatusCode()); + } + + @Test + void testGetVulnerablePayloadLevel12WithNullFileName() throws URISyntaxException { + Map queryParams = new HashMap<>(); + queryParams.put("fileName", null); + ResponseEntity> response = + pathTraversalVulnerability.getVulnerablePayloadLevel12(queryParams); + assertEquals(HttpStatus.OK, response.getStatusCode()); + assertNotNull(response.getBody()); + assertFalse(response.getBody().getIsValid()); + assertNull(response.getBody().getContent()); + } + + @Test + void testGetVulnerablePayloadLevel12WithWrongFileName() throws URISyntaxException { + Map queryParams = new HashMap<>(); + queryParams.put("fileName", ".."); + ResponseEntity> response = + pathTraversalVulnerability.getVulnerablePayloadLevel12(queryParams); + assertEquals(HttpStatus.OK, response.getStatusCode()); + assertNotNull(response.getBody()); + assertFalse(response.getBody().getIsValid()); + assertNull(response.getBody().getContent()); + } + + @Test + void testGetVulnerablePayloadLevel12() throws URISyntaxException { + Map queryParams = new HashMap<>(); + queryParams.put("fileName", "UserInfo.json"); + ResponseEntity> response = + pathTraversalVulnerability.getVulnerablePayloadLevel12(queryParams); + assertEquals(HttpStatus.OK, response.getStatusCode()); + } +} From a867b67849d883d7c99e5728f9545db5f4d60117 Mon Sep 17 00:00:00 2001 From: Karan Preet Singh Sasan Date: Mon, 4 Dec 2023 18:10:29 -0800 Subject: [PATCH 10/10] Update UserInfo.json --- .../scripts/PathTraversal/UserInfo.json | 62 +++++++++++-------- 1 file changed, 36 insertions(+), 26 deletions(-) diff --git a/src/main/resources/scripts/PathTraversal/UserInfo.json b/src/main/resources/scripts/PathTraversal/UserInfo.json index a41871ac..38da741d 100755 --- a/src/main/resources/scripts/PathTraversal/UserInfo.json +++ b/src/main/resources/scripts/PathTraversal/UserInfo.json @@ -1,27 +1,37 @@ [ - { - "Name" : "NirraIshq", - "Branch": "Jigri Yaar", - "From": "Punjab" - }, - { - "Name" : "Jayant Mittal", - "Branch": "Mechanical", - "From": "Matili" - }, - { - "Name" : "Amit Kumar", - "Branch": "Civil", - "From": "Suratgarh" - }, - { - "Name" : "Karn Singh", - "Branch": "Computer Science", - "From": "Chandigarh" - }, - { - "Name" : "Onkar Singh", - "Branch": "Computer Science", - "From": "Raisinghnagar" - } -] \ No newline at end of file + { + "Name":"NirraIshq", + "Branch":"Jigri Yaar", + "From":"Punjab" + }, + { + "Name":"Jayant Mittal", + "Branch":"Mechanical", + "From":"Matili" + }, + { + "Name":"Amit Kumar", + "Branch":"Civil", + "From":"Suratgarh" + }, + { + "Name":"Karn Singh", + "Branch":"Computer Science", + "From":"Chandigarh" + }, + { + "Name":"Onkar Singh", + "Branch":"Computer Science", + "From":"Raisinghnagar" + }, + { + "Name":"Subharthi Kundu", + "Branch":"Computer Science", + "From":"Delhi" + }, + { + "Name":"Canada Paajis", + "Branch":"Computer Science", + "From":"Surrey" + } +]