diff --git a/src/main/java/org/sasanlabs/internal/utility/LevelEnum.java b/src/main/java/org/sasanlabs/internal/utility/LevelEnum.java
index cfa57546..361ddbe3 100755
--- a/src/main/java/org/sasanlabs/internal/utility/LevelEnum.java
+++ b/src/main/java/org/sasanlabs/internal/utility/LevelEnum.java
@@ -19,6 +19,8 @@ public enum LevelEnum {
 LEVEL_8,
 LEVEL_9,
 LEVEL_10,
+ LEVEL_11,
+ LEVEL_12,
 SECURE;
 
 public static LevelEnum getLevelEnumByName(String name) throws ServiceApplicationException {
diff --git a/src/main/java/org/sasanlabs/service/vulnerability/commandInjection/CommandInjection.java b/src/main/java/org/sasanlabs/service/vulnerability/commandInjection/CommandInjection.java
new file mode 100644
index 00000000..b93cbb29
--- /dev/null
+++ b/src/main/java/org/sasanlabs/service/vulnerability/commandInjection/CommandInjection.java
@@ -0,0 +1,209 @@ +package org.sasanlabs.service.vulnerability.commandInjection; + +import java.io.BufferedReader; +import java.io.IOException; +import java.io.InputStreamReader; +import java.util.function.Supplier; +import java.util.regex.Pattern; +import org.sasanlabs.internal.utility.LevelEnum; +import org.sasanlabs.internal.utility.annotations.AttackVector; +import org.sasanlabs.internal.utility.annotations.VulnerabilityLevel; +import org.sasanlabs.internal.utility.annotations.VulnerableServiceRestEndPoint; +import org.sasanlabs.service.bean.ResponseBean; +import org.sasanlabs.service.exception.ServiceApplicationException; +import org.sasanlabs.service.vulnerability.ICustomVulnerableEndPoint; +import org.sasanlabs.service.vulnerability.ParameterBean; +import org.sasanlabs.service.vulnerability.bean.GenericVulnerabilityResponseBean; +import org.sasanlabs.vulnerability.types.VulnerabilitySubType; +import org.sasanlabs.vulnerability.types.VulnerabilityType; + +/** + * This class contains vulnerabilities related to Command Injection. 
For More information + * + * @author KSASAN preetkaran20@gmail.com + */ +@VulnerableServiceRestEndPoint( + descriptionLabel = "COMMAND_INJECTION_VULNERABILITY", + value = "CommandInjection", + type = {VulnerabilityType.COMMAND_INJECTION}) +public class CommandInjection implements ICustomVulnerableEndPoint { + + private static final String IP_ADDRESS = "ipaddress"; + private static final Pattern SEMICOLON_SPACE_LOGICAL_AND_PATTERN = Pattern.compile("[;& ]"); + private static final Pattern IP_ADDRESS_PATTERN = + Pattern.compile("\\b((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\\.|$)){4}\\b"); + + private StringBuilder getResponseFromPingCommand(String ipAddress, Supplier predicate) + throws IOException { + boolean isWindows = System.getProperty("os.name").toLowerCase().startsWith("windows"); + StringBuilder stringBuilder = new StringBuilder(); + if (predicate.get()) { + Process process; + if (!isWindows) { + process = + new ProcessBuilder(new String[] {"bash", "-c", "ping -c 2 " + ipAddress}) + .redirectErrorStream(true) + .start(); + } else { + process = + new ProcessBuilder(new String[] {"cmd", "/c", "ping -n 2 " + ipAddress}) + .redirectErrorStream(true) + .start(); + } + try (BufferedReader bufferedReader = + new BufferedReader(new InputStreamReader(process.getInputStream()))) { + bufferedReader.lines().forEach(val -> stringBuilder.append(val).append("\n")); + } + } + return stringBuilder; + } + + @AttackVector( + vulnerabilityExposed = VulnerabilitySubType.COMMAND_INJECTION, + description = "COMMAND_INJECTION_URL_PARAM_DIRECTLY_EXECUTED") + @VulnerabilityLevel( + value = LevelEnum.LEVEL_1, + descriptionLabel = "COMMAND_INJECTION_URL_CONTAINING_IPADDRESS", + htmlTemplate = "LEVEL_1/CI_Level1", + parameterName = IP_ADDRESS, + sampleValues = {"localhost"}) + public ResponseBean> getVulnerablePayloadLevel1( + ParameterBean parameterBean) throws ServiceApplicationException, IOException { + String ipAddress = parameterBean.getQueryParamKeyValueMap().get(IP_ADDRESS); + 
Supplier condition = () -> ipAddress != null; + return new ResponseBean>( + new GenericVulnerabilityResponseBean( + this.getResponseFromPingCommand(ipAddress, condition).toString(), true)); + } + + @AttackVector( + vulnerabilityExposed = VulnerabilitySubType.COMMAND_INJECTION, + description = + "COMMAND_INJECTION_URL_PARAM_DIRECTLY_EXECUTED_IF_SEMICOLON_SPACE_LOGICAL_AND_NOT_PRESENT") + @VulnerabilityLevel( + value = LevelEnum.LEVEL_2, + descriptionLabel = "COMMAND_INJECTION_URL_CONTAINING_IPADDRESS", + htmlTemplate = "LEVEL_1/CI_Level1", + parameterName = IP_ADDRESS, + sampleValues = {"localhost"}) + public ResponseBean> getVulnerablePayloadLevel2( + ParameterBean parameterBean) throws ServiceApplicationException, IOException { + String ipAddress = parameterBean.getQueryParamKeyValueMap().get(IP_ADDRESS); + Supplier condition = + () -> + ipAddress != null + && !SEMICOLON_SPACE_LOGICAL_AND_PATTERN + .matcher(parameterBean.getUrl()) + .find(); + return new ResponseBean>( + new GenericVulnerabilityResponseBean( + this.getResponseFromPingCommand(ipAddress, condition).toString(), true)); + } + + // Case Insensitive + @AttackVector( + vulnerabilityExposed = VulnerabilitySubType.COMMAND_INJECTION, + description = + "COMMAND_INJECTION_URL_PARAM_DIRECTLY_EXECUTED_IF_SEMICOLON_SPACE_LOGICAL_AND_%26_%3B_NOT_PRESENT") + @VulnerabilityLevel( + value = LevelEnum.LEVEL_3, + descriptionLabel = "COMMAND_INJECTION_URL_CONTAINING_IPADDRESS", + htmlTemplate = "LEVEL_1/CI_Level1", + parameterName = IP_ADDRESS, + sampleValues = {"localhost"}) + public ResponseBean> getVulnerablePayloadLevel3( + ParameterBean parameterBean) throws ServiceApplicationException, IOException { + String ipAddress = parameterBean.getQueryParamKeyValueMap().get(IP_ADDRESS); + Supplier condition = + () -> + ipAddress != null + && !SEMICOLON_SPACE_LOGICAL_AND_PATTERN + .matcher(parameterBean.getUrl()) + .find() + && !parameterBean.getUrl().contains("%26") + && !parameterBean.getUrl().contains("%3B"); + return 
new ResponseBean>( + new GenericVulnerabilityResponseBean( + this.getResponseFromPingCommand(ipAddress, condition).toString(), true)); + } + + // e.g Attack + // http://localhost:9090/vulnerable/CommandInjectionVulnerability/LEVEL_3?ipaddress=192.168.0.1%20%7c%20cat%20/etc/passwd + @AttackVector( + vulnerabilityExposed = VulnerabilitySubType.COMMAND_INJECTION, + description = + "COMMAND_INJECTION_URL_PARAM_DIRECTLY_EXECUTED_IF_SEMICOLON_SPACE_LOGICAL_AND_%26_%3B_CASE_INSENSITIVE_NOT_PRESENT") + @VulnerabilityLevel( + value = LevelEnum.LEVEL_4, + descriptionLabel = "COMMAND_INJECTION_URL_CONTAINING_IPADDRESS", + htmlTemplate = "LEVEL_1/CI_Level1", + parameterName = IP_ADDRESS, + sampleValues = {"localhost"}) + public ResponseBean> getVulnerablePayloadLevel4( + ParameterBean parameterBean) throws ServiceApplicationException, IOException { + String ipAddress = parameterBean.getQueryParamKeyValueMap().get(IP_ADDRESS); + Supplier condition = + () -> + ipAddress != null + && !SEMICOLON_SPACE_LOGICAL_AND_PATTERN + .matcher(parameterBean.getUrl()) + .find() + && !parameterBean.getUrl().toUpperCase().contains("%26") + && !parameterBean.getUrl().toUpperCase().contains("%3B"); + return new ResponseBean>( + new GenericVulnerabilityResponseBean( + this.getResponseFromPingCommand(ipAddress, condition).toString(), true)); + } + + @AttackVector( + vulnerabilityExposed = VulnerabilitySubType.COMMAND_INJECTION, + description = + "COMMAND_INJECTION_URL_PARAM_DIRECTLY_EXECUTED_IF_SEMICOLON_SPACE_LOGICAL_AND_%26_%3B_%7C_CASE_INSENSITIVE_NOT_PRESENT") + @VulnerabilityLevel( + value = LevelEnum.LEVEL_5, + descriptionLabel = "COMMAND_INJECTION_URL_CONTAINING_IPADDRESS", + htmlTemplate = "LEVEL_1/CI_Level1", + parameterName = IP_ADDRESS, + sampleValues = {"localhost"}) + public ResponseBean> getVulnerablePayloadLevel5( + ParameterBean parameterBean) throws ServiceApplicationException, IOException { + String ipAddress = parameterBean.getQueryParamKeyValueMap().get(IP_ADDRESS); + Supplier 
condition = + () -> + ipAddress != null + && !SEMICOLON_SPACE_LOGICAL_AND_PATTERN + .matcher(parameterBean.getUrl()) + .find() + && !parameterBean.getUrl().toUpperCase().contains("%26") + && !parameterBean.getUrl().toUpperCase().contains("%3B") + & !parameterBean.getUrl().toUpperCase().contains("%7C"); + return new ResponseBean>( + new GenericVulnerabilityResponseBean( + this.getResponseFromPingCommand(ipAddress, condition).toString(), true)); + } + + @VulnerabilityLevel( + value = LevelEnum.LEVEL_6, + descriptionLabel = "COMMAND_INJECTION_URL_CONTAINING_IPADDRESS", + htmlTemplate = "LEVEL_1/CI_Level1", + parameterName = IP_ADDRESS, + sampleValues = {"localhost"}) + public ResponseBean> getVulnerablePayloadLevel6( + ParameterBean parameterBean) throws ServiceApplicationException, IOException { + String ipAddress = parameterBean.getQueryParamKeyValueMap().get(IP_ADDRESS); + return new ResponseBean>( + new GenericVulnerabilityResponseBean( + this.getResponseFromPingCommand( + ipAddress, + () -> + ipAddress != null + && (IP_ADDRESS_PATTERN + .matcher(ipAddress) + .matches() + || ipAddress.contentEquals( + "localhost"))) + .toString(), + true)); + } +} diff --git a/src/main/java/org/sasanlabs/service/vulnerability/pathTraversal/PathTraversalVulnerability.java b/src/main/java/org/sasanlabs/service/vulnerability/pathTraversal/PathTraversalVulnerability.java index 955e5c8a..94d9c88b 100644 --- a/src/main/java/org/sasanlabs/service/vulnerability/pathTraversal/PathTraversalVulnerability.java +++ b/src/main/java/org/sasanlabs/service/vulnerability/pathTraversal/PathTraversalVulnerability.java 
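Review bot: `getResponseFromPingCommand` starts the child and reads its stdout to EOF but never calls `waitFor`/`destroy` and has no deadline, so at the vulnerable levels an injected long-running command (`sleep`, a reverse shell) keeps the pipe open and pins the request thread for good — a trivial DoS on the lab itself, which the levels do not need in order to stay exploitable. Below is one way to bound it: a daemon `Timer` that kills the direct child after 10 s (needs `java.util.Timer`, `java.util.TimerTask`, `java.util.concurrent.TimeUnit` and `java.nio.charset.StandardCharsets` imports; the explicit charset also removes the platform-default decode of the process output, and a grandchild that inherited the pipe would still need its own handling). Two smaller points in the same hunk: the Level 5 condition ends with a non-short-circuit `& !parameterBean.getUrl().toUpperCase().contains("%7C")` where every sibling uses `&&` — same result because `&` binds tighter, but it reads as a typo and should be `&&`; and Level 6 carries no `@AttackVector`, which together with its IPv4/`localhost` allow-list suggests it is meant as the fixed level, in which case it belongs on `LevelEnum.SECURE` and should hand `ping` its arguments as a list (`"ping", "-c", "2", ipAddress`) rather than going through `bash -c`. Note also that the Level 2–5 `..._NOT_PRESENT` descriptions speak of characters not present in the parameter value, while the code scans `parameterBean.getUrl()`, i.e. the whole raw request URL, so `%20` inside the value passes the `[;& ]` check while a literal space in any other parameter blocks it; the message text should say that.
```java
// … unchanged: signature and isWindows detection …
StringBuilder stringBuilder = new StringBuilder();
if (predicate.get()) {
    Process process =
            new ProcessBuilder(
                            isWindows
                                    ? new String[] {"cmd", "/c", "ping -n 2 " + ipAddress}
                                    : new String[] {"bash", "-c", "ping -c 2 " + ipAddress})
                    .redirectErrorStream(true)
                    .start();
    // ping -c/-n 2 exits on its own, but an injected command (sleep, a reverse
    // shell) holds stdout open and would pin this request thread forever:
    // kill the direct child on a deadline instead of waiting for EOF.
    Timer watchdog = new Timer(true);
    watchdog.schedule(
            new TimerTask() {
                @Override
                public void run() {
                    process.destroyForcibly();
                }
            },
            TimeUnit.SECONDS.toMillis(10));
    try (BufferedReader bufferedReader =
            new BufferedReader(
                    new InputStreamReader(process.getInputStream(), StandardCharsets.UTF_8))) {
        bufferedReader.lines().forEach(val -> stringBuilder.append(val).append("\n"));
    } finally {
        watchdog.cancel();
    }
}
return stringBuilder;
```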
@@ -153,7 +153,7 @@ public ResponseBean> getVulnerablePaylo @AttackVector( vulnerabilityExposed = {VulnerabilitySubType.PATH_TRAVERSAL}, description = - "PATH_TRAVERSAL_URL_PARAM_IF_DOT_DOT_PATH_WITH_OR_WITHOUT_URL_ENCODING_NOT_PRESENT_DIRECTLY_INJECTED") + "PATH_TRAVERSAL_URL_PARAM_IF_DOT_DOT_PATH_OR_%2F_CASE_INSENSITIVE_NOT_PRESENT_DIRECTLY_INJECTED") @VulnerabilityLevel( value = LevelEnum.LEVEL_5, descriptionLabel = "PATH_TRAVERSAL_URL_CONTAINING_FILENAME", @@ -163,6 +163,27 @@ public ResponseBean> getVulnerablePaylo public ResponseBean> getVulnerablePayloadLevel5( ParameterBean parameterBean) { String fileName = parameterBean.getQueryParamKeyValueMap().get(URL_PARAM_KEY); + return this.readFile( + () -> + !parameterBean.getUrl().contains("..") + && !parameterBean.getUrl().toLowerCase().contains("%2f") + && fileName != null, + fileName); + } + + @AttackVector( + vulnerabilityExposed = {VulnerabilitySubType.PATH_TRAVERSAL}, + description = + "PATH_TRAVERSAL_URL_PARAM_IF_DOT_DOT_PATH_WITH_OR_WITHOUT_URL_ENCODING_NOT_PRESENT_DIRECTLY_INJECTED") + @VulnerabilityLevel( + value = LevelEnum.LEVEL_6, + descriptionLabel = "PATH_TRAVERSAL_URL_CONTAINING_FILENAME", + htmlTemplate = "LEVEL_1/PathTraversal", + parameterName = URL_PARAM_KEY, + sampleValues = {SAMPLE_VALUE_FILE_NAME}) + public ResponseBean> getVulnerablePayloadLevel6( + ParameterBean parameterBean) { + String fileName = parameterBean.getQueryParamKeyValueMap().get(URL_PARAM_KEY); return this.readFile(() -> fileName != null && !fileName.contains(".."), fileName); } 
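Review bot: The new Level 5 condition scans `parameterBean.getUrl()` — the whole raw request URL — for `..` and `%2f`, not the `fileName` value that the description key `PATH_TRAVERSAL_URL_PARAM_IF_DOT_DOT_PATH_OR_%2F_CASE_INSENSITIVE_NOT_PRESENT_DIRECTLY_INJECTED` ("query param's value ... doesn't contain") says is inspected, so `..` in any other parameter blocks the request while the decoded value itself is never examined. The Level 6 body right below does the opposite (`fileName.contains("..")` on the decoded value), which makes the two read as the same check when they are not. A short comment on the Level 5 lambda would save the next reader that comparison, e.g. `// filters the raw URL on purpose, not the decoded value; encoded forms such as %2e%2e are presumably left for Level 6/12 — confirm`, hedged because the intent is only implied by the level ordering. `readFile` and the rest of the class sit outside the hunk.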
@@ -174,12 +195,12 @@ public ResponseBean> getVulnerablePaylo }, description = "PATH_TRAVERSAL_URL_PARAM_BEFORE_NULL_BYTE_DIRECTLY_INJECTED") @VulnerabilityLevel( - value = LevelEnum.LEVEL_6, + value = LevelEnum.LEVEL_7, descriptionLabel = "PATH_TRAVERSAL_URL_CONTAINING_FILENAME", htmlTemplate = "LEVEL_1/PathTraversal", parameterName = URL_PARAM_KEY, sampleValues = {SAMPLE_VALUE_FILE_NAME}) - public ResponseBean> getVulnerablePayloadLevel6( + public ResponseBean> getVulnerablePayloadLevel7( ParameterBean parameterBean) { String queryFileName = parameterBean.getQueryParamKeyValueMap().get(URL_PARAM_KEY); String fileName = null; @@ -208,12 +229,12 @@ public ResponseBean> getVulnerablePaylo description = "PATH_TRAVERSAL_URL_PARAM_BEFORE_NULL_BYTE_IF_PARENT_DIRECTORY_PATH_NOT_PRESENT_DIRECTLY_INJECTED") @VulnerabilityLevel( - value = LevelEnum.LEVEL_7, + value = LevelEnum.LEVEL_8, descriptionLabel = "PATH_TRAVERSAL_URL_CONTAINING_FILENAME", htmlTemplate = "LEVEL_1/PathTraversal", parameterName = URL_PARAM_KEY, sampleValues = {SAMPLE_VALUE_FILE_NAME}) - public ResponseBean> getVulnerablePayloadLevel7( + public ResponseBean> getVulnerablePayloadLevel8( ParameterBean parameterBean) { String queryFileName = parameterBean.getQueryParamKeyValueMap().get(URL_PARAM_KEY); String fileName = null; @@ -243,12 +264,12 @@ public ResponseBean> getVulnerablePaylo description = "PATH_TRAVERSAL_URL_PARAM_BEFORE_NULL_BYTE_IF_DOT_DOT_PATH_NOT_PRESENT_DIRECTLY_INJECTED") @VulnerabilityLevel( - value = LevelEnum.LEVEL_8, + value = LevelEnum.LEVEL_9, descriptionLabel = "PATH_TRAVERSAL_URL_CONTAINING_FILENAME", htmlTemplate = "LEVEL_1/PathTraversal", parameterName = URL_PARAM_KEY, sampleValues = {SAMPLE_VALUE_FILE_NAME}) - public ResponseBean> getVulnerablePayloadLevel8( + public ResponseBean> getVulnerablePayloadLevel9( ParameterBean parameterBean) { String queryFileName = parameterBean.getQueryParamKeyValueMap().get(URL_PARAM_KEY); String fileName = null; 
@@ -278,12 +299,12 @@ public ResponseBean> getVulnerablePaylo description = "PATH_TRAVERSAL_URL_PARAM_BEFORE_NULL_BYTE_IF_DOT_DOT_PATH_OR_%2F_NOT_PRESENT_DIRECTLY_INJECTED") @VulnerabilityLevel( - value = LevelEnum.LEVEL_9, + value = LevelEnum.LEVEL_10, descriptionLabel = "PATH_TRAVERSAL_URL_CONTAINING_FILENAME", htmlTemplate = "LEVEL_1/PathTraversal", parameterName = URL_PARAM_KEY, sampleValues = {SAMPLE_VALUE_FILE_NAME}) - public ResponseBean> getVulnerablePayloadLevel9( + public ResponseBean> getVulnerablePayloadLevel10( ParameterBean parameterBean) { String queryFileName = parameterBean.getQueryParamKeyValueMap().get(URL_PARAM_KEY); String fileName = null; @@ -306,6 +327,42 @@ public ResponseBean> getVulnerablePaylo fileName); } + @AttackVector( + vulnerabilityExposed = { + VulnerabilitySubType.NULL_BYTE, + VulnerabilitySubType.PATH_TRAVERSAL + }, + description = + "PATH_TRAVERSAL_URL_PARAM_BEFORE_NULL_BYTE_IF_DOT_DOT_PATH_OR_%2F_CASE_INSENSITIVE_NOT_PRESENT_DIRECTLY_INJECTED") + @VulnerabilityLevel( + value = LevelEnum.LEVEL_11, + descriptionLabel = "PATH_TRAVERSAL_URL_CONTAINING_FILENAME", + htmlTemplate = "LEVEL_1/PathTraversal", + parameterName = URL_PARAM_KEY, + sampleValues = {SAMPLE_VALUE_FILE_NAME}) + public ResponseBean> getVulnerablePayloadLevel11( + ParameterBean parameterBean) { + String queryFileName = parameterBean.getQueryParamKeyValueMap().get(URL_PARAM_KEY); + String fileName = null; + if (queryFileName != null) { + int indexOfNullByte = queryFileName.indexOf(NULL_BYTE_CHARACTER); + fileName = + indexOfNullByte >= 0 + ? queryFileName.substring(0, indexOfNullByte) + : queryFileName; + } + return this.readFile( + () -> + queryFileName != null + && !parameterBean.getUrl().contains("..") + && !parameterBean.getUrl().toLowerCase().contains("%2f") + && ALLOWED_FILE_NAMES.stream() + .anyMatch( + allowedFileName -> + queryFileName.contains(allowedFileName)), + fileName); + } + @AttackVector( vulnerabilityExposed = { VulnerabilitySubType.NULL_BYTE, 
@@ -314,12 +371,12 @@ public ResponseBean> getVulnerablePaylo description = "PATH_TRAVERSAL_URL_PARAM_BEFORE_NULL_BYTE_IF_DOT_DOT_PATH_WITH_OR_WITHOUT_URL_ENCODING_NOT_PRESENT_DIRECTLY_INJECTED") @VulnerabilityLevel( - value = LevelEnum.LEVEL_10, + value = LevelEnum.LEVEL_12, descriptionLabel = "PATH_TRAVERSAL_URL_CONTAINING_FILENAME", htmlTemplate = "LEVEL_1/PathTraversal", parameterName = URL_PARAM_KEY, sampleValues = {SAMPLE_VALUE_FILE_NAME}) - public ResponseBean> getVulnerablePayloadLevel10( + public ResponseBean> getVulnerablePayloadLevel12( ParameterBean parameterBean) { String queryFileName = parameterBean.getQueryParamKeyValueMap().get(URL_PARAM_KEY); String fileName = null; diff --git a/src/main/java/org/sasanlabs/vulnerability/types/VulnerabilitySubType.java b/src/main/java/org/sasanlabs/vulnerability/types/VulnerabilitySubType.java index 5e09f7c9..1254c476 100644 --- a/src/main/java/org/sasanlabs/vulnerability/types/VulnerabilitySubType.java +++ b/src/main/java/org/sasanlabs/vulnerability/types/VulnerabilitySubType.java @@ -30,10 +30,11 @@ public enum VulnerabilitySubType { SERVER_SIDE_VULNERABLE_JWT(VulnerabilityType.VULNERABLE_JWT_IMPLMENTATION), INSECURE_CONFIGURATION_JWT(VulnerabilityType.VULNERABLE_JWT_IMPLMENTATION), - // Combined Attacking Vulnerability - NULL_BYTE(VulnerabilityType.NULL_BYTE), + PATH_TRAVERSAL(VulnerabilityType.PATH_TRAVERSAL), + COMMAND_INJECTION(VulnerabilityType.COMMAND_INJECTION), - PATH_TRAVERSAL(VulnerabilityType.PATH_TRAVERSAL); + // Combined Attacking Vulnerability + NULL_BYTE(VulnerabilityType.NULL_BYTE); private VulnerabilityType vulnerabilityType; diff --git a/src/main/resources/i18n/messages.properties b/src/main/resources/i18n/messages.properties index b304a6b9..d25a03e7 100755 --- a/src/main/resources/i18n/messages.properties +++ b/src/main/resources/i18n/messages.properties 
@@ -82,15 +82,37 @@ PATH_TRAVERSAL_URL_PARAM_DIRECTLY_INJECTED=\"fileName\" query param's value is d PATH_TRAVERSAL_URL_PARAM_IF_PARENT_DIRECTORY_PATH_NOT_PRESENT_DIRECTLY_INJECTED=\"fileName\" query param's value is directly appended if it doesn't contains "../". PATH_TRAVERSAL_URL_PARAM_IF_DOT_DOT_PATH_NOT_PRESENT_DIRECTLY_INJECTED=\"fileName\" query param's value is directly appended if it doesn't contains "..". PATH_TRAVERSAL_URL_PARAM_IF_DOT_DOT_PATH_OR_%2F_NOT_PRESENT_DIRECTLY_INJECTED=\"fileName\" query param's value is directly appended if it doesn't contains ".." or "%2f" which is URL encoding of "/". +PATH_TRAVERSAL_URL_PARAM_IF_DOT_DOT_PATH_OR_%2F_CASE_INSENSITIVE_NOT_PRESENT_DIRECTLY_INJECTED=\"fileName\" query param's value is directly appended if it doesn't contains ".." or "%2f" or "%2F" which is URL encoding of "/". PATH_TRAVERSAL_URL_PARAM_IF_DOT_DOT_PATH_WITH_OR_WITHOUT_URL_ENCODING_NOT_PRESENT_DIRECTLY_INJECTED=\"fileName\" query param's value is directly appended if it doesn't contains "..", takes care of URL encoding too. PATH_TRAVERSAL_URL_PARAM_BEFORE_NULL_BYTE_DIRECTLY_INJECTED=\"fileName\" query param's value before Null Byte is directly appended to path to read the file. PATH_TRAVERSAL_URL_PARAM_BEFORE_NULL_BYTE_IF_PARENT_DIRECTORY_PATH_NOT_PRESENT_DIRECTLY_INJECTED=\"fileName\" query param's value before Null Byte is directly appended if it doesn't contains "../". PATH_TRAVERSAL_URL_PARAM_BEFORE_NULL_BYTE_IF_DOT_DOT_PATH_NOT_PRESENT_DIRECTLY_INJECTED=\"fileName\" query param's value before Null Byte is directly appended if it doesn't contains "..". PATH_TRAVERSAL_URL_PARAM_BEFORE_NULL_BYTE_IF_DOT_DOT_PATH_OR_%2F_NOT_PRESENT_DIRECTLY_INJECTED=\"fileName\" query param's value before Null Byte is directly appended if it doesn't contains ".." or "%2f" which is URL encoding of "/". 
+PATH_TRAVERSAL_URL_PARAM_BEFORE_NULL_BYTE_IF_DOT_DOT_PATH_OR_%2F_CASE_INSENSITIVE_NOT_PRESENT_DIRECTLY_INJECTED=\"fileName\" query param's value before Null Byte is directly appended if it doesn't contains ".." or "%2f" or "%2F" which is URL encoding of "/". PATH_TRAVERSAL_URL_PARAM_BEFORE_NULL_BYTE_IF_DOT_DOT_PATH_WITH_OR_WITHOUT_URL_ENCODING_NOT_PRESENT_DIRECTLY_INJECTED=\"fileName\" query param's value before Null Byte is directly appended if it doesn't contains "..", takes care of URL encoding too. +# Command Injection Attack +COMMAND_INJECTION_VULNERABILITY=Command injection is an attack in which the goal is execution of arbitrary commands on the host operating system \ +via a vulnerable application. Command injection attacks are possible when an application passes unsafe user supplied data (forms, cookies, HTTP headers etc.) \ +to a system shell. In this attack, the attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application. \ +Command injection attacks are possible largely due to insufficient input validation.
\ +Important Links on Command Injection Vulnerability :
\ +
  1. CWE-77 \ +
  2. Owasp Wiki Link \ +
+ +COMMAND_INJECTION_URL_CONTAINING_IPADDRESS=IP Address is passed in the URL parameter named \"ipaddress\" + +#### Attack vectors +COMMAND_INJECTION_URL_PARAM_DIRECTLY_EXECUTED=\"ipaddress\" query param's value is directly executed. +COMMAND_INJECTION_URL_PARAM_DIRECTLY_EXECUTED_IF_SEMICOLON_SPACE_LOGICAL_AND_NOT_PRESENT=\"ipaddress\" query param's value is directly executed if \";\", \"&\" or space characters are not present in it. +COMMAND_INJECTION_URL_PARAM_DIRECTLY_EXECUTED_IF_SEMICOLON_SPACE_LOGICAL_AND_%26_%3B_NOT_PRESENT=\"ipaddress\" query param's value is directly executed if \";\", \"&\", \"%26\", \"%3B\" or space characters are not present in it. +COMMAND_INJECTION_URL_PARAM_DIRECTLY_EXECUTED_IF_SEMICOLON_SPACE_LOGICAL_AND_%26_%3B_CASE_INSENSITIVE_NOT_PRESENT=\"ipaddress\" query param's value is directly executed if \";\", \"&\", \"%26\", \"%3B\", \"%3b\" or space characters are not present in it. +COMMAND_INJECTION_URL_PARAM_DIRECTLY_EXECUTED_IF_SEMICOLON_SPACE_LOGICAL_AND_%26_%3B_%7C_CASE_INSENSITIVE_NOT_PRESENT=\"ipaddress\" query param's value is directly executed if \";\", \"&\", \"%26\", \"%3B\", \"%3b\", \"%7C\", \"%7c\" or space characters are not present in it. + + # Local File Injection #URL_BASED_LFI_INJECTION=Url based Local File Injection attack. #LFI_URL_PARAM_BASED_DIRECT_INJECTION=Url Parameter \"fileName\" is directly passed to the include file. diff --git a/src/main/resources/i18n/messages_en_US.properties b/src/main/resources/i18n/messages_en_US.properties index b304a6b9..d25a03e7 100755 --- a/src/main/resources/i18n/messages_en_US.properties +++ b/src/main/resources/i18n/messages_en_US.properties 
@@ -82,15 +82,37 @@ PATH_TRAVERSAL_URL_PARAM_DIRECTLY_INJECTED=\"fileName\" query param's value is d PATH_TRAVERSAL_URL_PARAM_IF_PARENT_DIRECTORY_PATH_NOT_PRESENT_DIRECTLY_INJECTED=\"fileName\" query param's value is directly appended if it doesn't contains "../". PATH_TRAVERSAL_URL_PARAM_IF_DOT_DOT_PATH_NOT_PRESENT_DIRECTLY_INJECTED=\"fileName\" query param's value is directly appended if it doesn't contains "..". PATH_TRAVERSAL_URL_PARAM_IF_DOT_DOT_PATH_OR_%2F_NOT_PRESENT_DIRECTLY_INJECTED=\"fileName\" query param's value is directly appended if it doesn't contains ".." or "%2f" which is URL encoding of "/". +PATH_TRAVERSAL_URL_PARAM_IF_DOT_DOT_PATH_OR_%2F_CASE_INSENSITIVE_NOT_PRESENT_DIRECTLY_INJECTED=\"fileName\" query param's value is directly appended if it doesn't contains ".." or "%2f" or "%2F" which is URL encoding of "/". PATH_TRAVERSAL_URL_PARAM_IF_DOT_DOT_PATH_WITH_OR_WITHOUT_URL_ENCODING_NOT_PRESENT_DIRECTLY_INJECTED=\"fileName\" query param's value is directly appended if it doesn't contains "..", takes care of URL encoding too. PATH_TRAVERSAL_URL_PARAM_BEFORE_NULL_BYTE_DIRECTLY_INJECTED=\"fileName\" query param's value before Null Byte is directly appended to path to read the file. PATH_TRAVERSAL_URL_PARAM_BEFORE_NULL_BYTE_IF_PARENT_DIRECTORY_PATH_NOT_PRESENT_DIRECTLY_INJECTED=\"fileName\" query param's value before Null Byte is directly appended if it doesn't contains "../". PATH_TRAVERSAL_URL_PARAM_BEFORE_NULL_BYTE_IF_DOT_DOT_PATH_NOT_PRESENT_DIRECTLY_INJECTED=\"fileName\" query param's value before Null Byte is directly appended if it doesn't contains "..". PATH_TRAVERSAL_URL_PARAM_BEFORE_NULL_BYTE_IF_DOT_DOT_PATH_OR_%2F_NOT_PRESENT_DIRECTLY_INJECTED=\"fileName\" query param's value before Null Byte is directly appended if it doesn't contains ".." or "%2f" which is URL encoding of "/". 
+PATH_TRAVERSAL_URL_PARAM_BEFORE_NULL_BYTE_IF_DOT_DOT_PATH_OR_%2F_CASE_INSENSITIVE_NOT_PRESENT_DIRECTLY_INJECTED=\"fileName\" query param's value before Null Byte is directly appended if it doesn't contains ".." or "%2f" or "%2F" which is URL encoding of "/". PATH_TRAVERSAL_URL_PARAM_BEFORE_NULL_BYTE_IF_DOT_DOT_PATH_WITH_OR_WITHOUT_URL_ENCODING_NOT_PRESENT_DIRECTLY_INJECTED=\"fileName\" query param's value before Null Byte is directly appended if it doesn't contains "..", takes care of URL encoding too. +# Command Injection Attack +COMMAND_INJECTION_VULNERABILITY=Command injection is an attack in which the goal is execution of arbitrary commands on the host operating system \ +via a vulnerable application. Command injection attacks are possible when an application passes unsafe user supplied data (forms, cookies, HTTP headers etc.) \ +to a system shell. In this attack, the attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application. \ +Command injection attacks are possible largely due to insufficient input validation.
\ +Important Links on Command Injection Vulnerability :
\ +
  1. CWE-77 \ +
  2. Owasp Wiki Link \ +
+ +COMMAND_INJECTION_URL_CONTAINING_IPADDRESS=IP Address is passed in the URL parameter named \"ipaddress\" + +#### Attack vectors +COMMAND_INJECTION_URL_PARAM_DIRECTLY_EXECUTED=\"ipaddress\" query param's value is directly executed. +COMMAND_INJECTION_URL_PARAM_DIRECTLY_EXECUTED_IF_SEMICOLON_SPACE_LOGICAL_AND_NOT_PRESENT=\"ipaddress\" query param's value is directly executed if \";\", \"&\" or space characters are not present in it. +COMMAND_INJECTION_URL_PARAM_DIRECTLY_EXECUTED_IF_SEMICOLON_SPACE_LOGICAL_AND_%26_%3B_NOT_PRESENT=\"ipaddress\" query param's value is directly executed if \";\", \"&\", \"%26\", \"%3B\" or space characters are not present in it. +COMMAND_INJECTION_URL_PARAM_DIRECTLY_EXECUTED_IF_SEMICOLON_SPACE_LOGICAL_AND_%26_%3B_CASE_INSENSITIVE_NOT_PRESENT=\"ipaddress\" query param's value is directly executed if \";\", \"&\", \"%26\", \"%3B\", \"%3b\" or space characters are not present in it. +COMMAND_INJECTION_URL_PARAM_DIRECTLY_EXECUTED_IF_SEMICOLON_SPACE_LOGICAL_AND_%26_%3B_%7C_CASE_INSENSITIVE_NOT_PRESENT=\"ipaddress\" query param's value is directly executed if \";\", \"&\", \"%26\", \"%3B\", \"%3b\", \"%7C\", \"%7c\" or space characters are not present in it. + + # Local File Injection #URL_BASED_LFI_INJECTION=Url based Local File Injection attack. #LFI_URL_PARAM_BASED_DIRECT_INJECTION=Url Parameter \"fileName\" is directly passed to the include file. diff --git a/src/main/resources/static/templates/BlindSQLInjectionVulnerability/LEVEL_1/SQLInjection_Level1.css b/src/main/resources/static/templates/BlindSQLInjectionVulnerability/LEVEL_1/SQLInjection_Level1.css index 5042e1c0..102d9d6b 100644 --- a/src/main/resources/static/templates/BlindSQLInjectionVulnerability/LEVEL_1/SQLInjection_Level1.css +++ b/src/main/resources/static/templates/BlindSQLInjectionVulnerability/LEVEL_1/SQLInjection_Level1.css 
@@ -1,11 +1,10 @@ #sqlinjection_level_1 { color: black; - text-align: justify; + text-align: center; } #carInformation { font-size: 15px; - visibility: hidden; } #checkIfCarPresentButton { diff --git a/src/main/resources/static/templates/BlindSQLInjectionVulnerability/LEVEL_1/SQLInjection_Level1.js b/src/main/resources/static/templates/BlindSQLInjectionVulnerability/LEVEL_1/SQLInjection_Level1.js index 438197a8..413d27a7 100644 --- a/src/main/resources/static/templates/BlindSQLInjectionVulnerability/LEVEL_1/SQLInjection_Level1.js +++ b/src/main/resources/static/templates/BlindSQLInjectionVulnerability/LEVEL_1/SQLInjection_Level1.js @@ -20,5 +20,4 @@ function fetchCarInfoCallBack(data) { document.getElementById("carInformation").innerHTML = "
Car is not Present
"; } - document.getElementById("carInformation").style.visibility = "visible"; } diff --git a/src/main/resources/static/templates/CommandInjection/LEVEL_1/CI_Level1.css b/src/main/resources/static/templates/CommandInjection/LEVEL_1/CI_Level1.css new file mode 100644 index 00000000..85c867e2 --- /dev/null +++ b/src/main/resources/static/templates/CommandInjection/LEVEL_1/CI_Level1.css @@ -0,0 +1,33 @@ +#ci_level_1 { + color: black; + text-align: center; +} + +#pingUtilityResponse { + font-size: 15px; +} + +#pingUtility { + display: flex; + flex-direction: column; +} + +#heading { + font-size: 20px; +} + +#input { + font-size: 15px; +} + +#pingBtn { + background: blueviolet; + display: inline-block; + padding: 8px 8px; + margin: 10px; + border: 2px solid transparent; + border-radius: 3px; + transition: 0.2s opacity; + color: #FFF; + font-size: 12px; +} \ No newline at end of file diff --git a/src/main/resources/static/templates/CommandInjection/LEVEL_1/CI_Level1.html b/src/main/resources/static/templates/CommandInjection/LEVEL_1/CI_Level1.html new file mode 100644 index 00000000..f04f82af --- /dev/null +++ b/src/main/resources/static/templates/CommandInjection/LEVEL_1/CI_Level1.html @@ -0,0 +1,13 @@ +
+
+
+
Welcome to Ping utility.
+
please enter IP address: + + +
+
+
+
+
+
\ No newline at end of file diff --git a/src/main/resources/static/templates/CommandInjection/LEVEL_1/CI_Level1.js b/src/main/resources/static/templates/CommandInjection/LEVEL_1/CI_Level1.js new file mode 100644 index 00000000..3e540180 --- /dev/null +++ b/src/main/resources/static/templates/CommandInjection/LEVEL_1/CI_Level1.js @@ -0,0 +1,15 @@ +function addingEventListenerToPingButton() { + document.getElementById("pingBtn").addEventListener("click", function() { + let url = getUrlForVulnerabilityLevel(); + doGetAjaxCall( + pingUtilityCallback, + url + "?ipaddress=" + document.getElementById("ipaddress").value, + true + ); + }); +} +addingEventListenerToPingButton(); + +function pingUtilityCallback(data) { + document.getElementById("pingUtilityResponse").innerHTML = data.content; +} diff --git a/src/main/resources/static/templates/ErrorBasedSQLInjectionVulnerability/LEVEL_1/SQLInjection_Level1.css b/src/main/resources/static/templates/ErrorBasedSQLInjectionVulnerability/LEVEL_1/SQLInjection_Level1.css index 55e5e981..e12a115c 100644 --- a/src/main/resources/static/templates/ErrorBasedSQLInjectionVulnerability/LEVEL_1/SQLInjection_Level1.css +++ b/src/main/resources/static/templates/ErrorBasedSQLInjectionVulnerability/LEVEL_1/SQLInjection_Level1.css @@ -1,11 +1,10 @@ #sqlinjection_level_1 { color: black; - text-align: justify; + text-align: center; } #carInformation { font-size: 15px; - visibility: hidden; } #fetchCarImageButton { diff --git a/src/main/resources/static/templates/ErrorBasedSQLInjectionVulnerability/LEVEL_1/SQLInjection_Level1.js b/src/main/resources/static/templates/ErrorBasedSQLInjectionVulnerability/LEVEL_1/SQLInjection_Level1.js index 5384ad06..cb6b9730 100644 --- a/src/main/resources/static/templates/ErrorBasedSQLInjectionVulnerability/LEVEL_1/SQLInjection_Level1.js +++ b/src/main/resources/static/templates/ErrorBasedSQLInjectionVulnerability/LEVEL_1/SQLInjection_Level1.js 
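Review bot: `pingUtilityCallback` writes `data.content` into the page with `innerHTML`, and that content is the raw ping output, which echoes whatever was typed into the `ipaddress` box (and, at the vulnerable levels, whatever an injected command prints), so unless the server escapes it — nothing in this hunk shows that — the page picks up a DOM XSS on top of the command injection the level is meant to teach. Ping output is plain text, so `document.getElementById("pingUtilityResponse").textContent = data.content;` is enough, with `white-space: pre-wrap` on `#pingUtilityResponse` in CI_Level1.css to keep the newline-joined lines readable. Separately, the URL is built as `url + "?ipaddress=" + value` without `encodeURIComponent`, so a `&` or `#` typed into the box is parsed as URL syntax rather than sent as part of the parameter; if the form is meant to submit the text verbatim for the lab, that deserves a one-line comment, otherwise wrap the value.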
@@ -17,5 +17,4 @@ function fetchCarInfoCallBack(data) { document.getElementById("carInformation").innerHTML = ""; } - document.getElementById("carInformation").style.visibility = "visible"; } diff --git a/src/main/resources/static/templates/UnionBasedSQLInjectionVulnerability/LEVEL_1/SQLInjection_Level1.css b/src/main/resources/static/templates/UnionBasedSQLInjectionVulnerability/LEVEL_1/SQLInjection_Level1.css index 55e5e981..e12a115c 100644 --- a/src/main/resources/static/templates/UnionBasedSQLInjectionVulnerability/LEVEL_1/SQLInjection_Level1.css +++ b/src/main/resources/static/templates/UnionBasedSQLInjectionVulnerability/LEVEL_1/SQLInjection_Level1.css @@ -1,11 +1,10 @@ #sqlinjection_level_1 { color: black; - text-align: justify; + text-align: center; } #carInformation { font-size: 15px; - visibility: hidden; } #fetchCarImageButton { diff --git a/src/main/resources/static/templates/UnionBasedSQLInjectionVulnerability/LEVEL_1/SQLInjection_Level1.js b/src/main/resources/static/templates/UnionBasedSQLInjectionVulnerability/LEVEL_1/SQLInjection_Level1.js index 61cb7c17..4a4aeb14 100644 --- a/src/main/resources/static/templates/UnionBasedSQLInjectionVulnerability/LEVEL_1/SQLInjection_Level1.js +++ b/src/main/resources/static/templates/UnionBasedSQLInjectionVulnerability/LEVEL_1/SQLInjection_Level1.js @@ -15,5 +15,4 @@ addingEventListenerToFetchCarInfoButton(); function fetchCarInfoCallBack(data) { document.getElementById("carInformation").innerHTML = ""; - document.getElementById("carInformation").style.visibility = "visible"; } diff --git a/src/main/resources/static/vulnerableApp.css b/src/main/resources/static/vulnerableApp.css index 25842d11..a3b6f155 100755 --- a/src/main/resources/static/vulnerableApp.css +++ b/src/main/resources/static/vulnerableApp.css @@ -100,7 +100,7 @@ hr { height: 1px; border: 0; border-top: 1px solid black; - margin-left: 10% + margin-left: 10%; padding: 0; } 
@@ -117,7 +117,6 @@ hr { } #vulnPracticeBtn, #vulnLearnBtn { - display: flex; justify-items: left; display: inline-block; padding: 8px 8px;