From 4b6876ee98896755b1c10883c787c490528ea735 Mon Sep 17 00:00:00 2001
From: karan preet singh sasan
Date: Mon, 27 Jul 2020 01:55:28 +0530
Subject: [PATCH 1/5] Adding Command Injection Vulnerability Skeleton
---
 .../CommandInjectionVulnerability.java | 57 +++++++++++++++++++
 .../types/VulnerabilitySubType.java | 9 +--
 src/main/resources/i18n/messages.properties | 10 ++++
 .../resources/i18n/messages_en_US.properties | 10 ++++
 4 files changed, 82 insertions(+), 4 deletions(-)
 create mode 100644 src/main/java/org/sasanlabs/service/vulnerability/commandInjection/CommandInjectionVulnerability.java
diff --git a/src/main/java/org/sasanlabs/service/vulnerability/commandInjection/CommandInjectionVulnerability.java b/src/main/java/org/sasanlabs/service/vulnerability/commandInjection/CommandInjectionVulnerability.java
new file mode 100644
index 00000000..0c7a2c1e
--- /dev/null
+++ b/src/main/java/org/sasanlabs/service/vulnerability/commandInjection/CommandInjectionVulnerability.java
@@ -0,0 +1,57 @@ +package org.sasanlabs.service.vulnerability.commandInjection; + +import java.io.BufferedReader; +import java.io.IOException; +import java.io.InputStreamReader; + +import org.apache.logging.log4j.LogManager; +import org.apache.logging.log4j.Logger; +import org.sasanlabs.internal.utility.LevelEnum; +import org.sasanlabs.internal.utility.annotations.AttackVector; +import org.sasanlabs.internal.utility.annotations.VulnerabilityLevel; +import org.sasanlabs.internal.utility.annotations.VulnerableServiceRestEndPoint; +import org.sasanlabs.service.bean.ResponseBean; +import org.sasanlabs.service.exception.ServiceApplicationException; +import org.sasanlabs.service.vulnerability.ICustomVulnerableEndPoint; +import org.sasanlabs.service.vulnerability.ParameterBean; +import org.sasanlabs.service.vulnerability.bean.GenericVulnerabilityResponseBean; +import org.sasanlabs.vulnerability.types.VulnerabilitySubType; +import org.sasanlabs.vulnerability.types.VulnerabilityType; + + +/** + * This class contains vulnerabilities related to Command Injection. 
+ * For More information + * + * @author KSASAN preetkaran20@gmail.com + */ +@VulnerableServiceRestEndPoint( + descriptionLabel = "COMMAND_INJECTION_VULNERABILITY", + value = "CommandInjectionVulnerability", + type = {VulnerabilityType.COMMAND_INJECTION}) +public class CommandInjectionVulnerability implements ICustomVulnerableEndPoint{ + + private static final String IP_ADDRESS = "ipaddr"; + private static final transient Logger LOGGER = LogManager.getLogger(CommandInjectionVulnerability.class); + + @AttackVector( + vulnerabilityExposed = VulnerabilitySubType.COMMAND_INJECTION, + description = "JWT_URL_EXPOSING_SECURE_INFORMATION") + @VulnerabilityLevel( + value = LevelEnum.LEVEL_1, + descriptionLabel = "URL_CONTAINING_JWT_TOKEN", + //htmlTemplate = "LEVEL_1/JWT_Level1", + parameterName = IP_ADDRESS, + sampleValues = {""}) + public ResponseBean> getVulnerablePayloadLevelUnsecure( + ParameterBean parameterBean) + throws ServiceApplicationException, IOException { + Process process = Runtime.getRuntime().exec("ping " + parameterBean.getQueryParamKeyValueMap().get(IP_ADDRESS) + " -c 2"); + (new BufferedReader(new InputStreamReader(process.getInputStream()))).lines().forEach(val -> LOGGER.info(val)); + (new BufferedReader(new InputStreamReader(process.getErrorStream()))).lines().forEach(val -> LOGGER.info(val)); + + return new ResponseBean>(new GenericVulnerabilityResponseBean()); + } + + +} diff --git a/src/main/java/org/sasanlabs/vulnerability/types/VulnerabilitySubType.java b/src/main/java/org/sasanlabs/vulnerability/types/VulnerabilitySubType.java index 5e09f7c9..2b451ab5 100644 --- a/src/main/java/org/sasanlabs/vulnerability/types/VulnerabilitySubType.java +++ b/src/main/java/org/sasanlabs/vulnerability/types/VulnerabilitySubType.java 
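Review bot: The two annotation labels on getVulnerablePayloadLevelUnsecure are copied from the JWT endpoint — `description = "JWT_URL_EXPOSING_SECURE_INFORMATION"` and `descriptionLabel = "URL_CONTAINING_JWT_TOKEN"` — so the UI will describe this command-injection level with JWT wording. This same commit already adds a `# Command Injection Attack` section to messages.properties, so the fix is to add a level key there, e.g. `COMMAND_INJECTION_URL_PARAM_DIRECTLY_INJECTED=\"ipaddr\" query param's value is directly appended to the ping command.`, and reference it from both annotations. The class Javadoc also stops mid-sentence at `For More information`; finishing it with a note that the shell concatenation is deliberate training material would stop a later reader from "fixing" the endpoint. The `-c 2` flag is appended regardless of OS here, which presumably is what the later ProcessBuilder change addresses.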
@@ -29,11 +29,12 @@ public enum VulnerabilitySubType { CLIENT_SIDE_VULNERABLE_JWT(VulnerabilityType.VULNERABLE_JWT_IMPLMENTATION), SERVER_SIDE_VULNERABLE_JWT(VulnerabilityType.VULNERABLE_JWT_IMPLMENTATION), INSECURE_CONFIGURATION_JWT(VulnerabilityType.VULNERABLE_JWT_IMPLMENTATION), - + + PATH_TRAVERSAL(VulnerabilityType.PATH_TRAVERSAL), + COMMAND_INJECTION(VulnerabilityType.COMMAND_INJECTION), + // Combined Attacking Vulnerability - NULL_BYTE(VulnerabilityType.NULL_BYTE), - - PATH_TRAVERSAL(VulnerabilityType.PATH_TRAVERSAL); + NULL_BYTE(VulnerabilityType.NULL_BYTE); private VulnerabilityType vulnerabilityType; diff --git a/src/main/resources/i18n/messages.properties b/src/main/resources/i18n/messages.properties index b304a6b9..8bb32cb9 100755 --- a/src/main/resources/i18n/messages.properties +++ b/src/main/resources/i18n/messages.properties @@ -91,6 +91,16 @@ PATH_TRAVERSAL_URL_PARAM_BEFORE_NULL_BYTE_IF_DOT_DOT_PATH_OR_%2F_NOT_PRESENT_DIR PATH_TRAVERSAL_URL_PARAM_BEFORE_NULL_BYTE_IF_DOT_DOT_PATH_WITH_OR_WITHOUT_URL_ENCODING_NOT_PRESENT_DIRECTLY_INJECTED=\"fileName\" query param's value before Null Byte is directly appended if it doesn't contains "..", takes care of URL encoding too. +# Command Injection Attack +COMMAND_INJECTION_VULNERABILITY=Command injection is an attack in which the goal is execution of arbitrary commands on the host operating system \ +via a vulnerable application. Command injection attacks are possible when an application passes unsafe user supplied data (forms, cookies, HTTP headers etc.) \ +to a system shell. In this attack, the attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application. \ +Command injection attacks are possible largely due to insufficient input validation.
\ +Important Links on Command Injection Vulnerability :
\ +
  1. CWE-77 \ +
  2. Owasp Wiki Link \ +
+ # Local File Injection #URL_BASED_LFI_INJECTION=Url based Local File Injection attack. #LFI_URL_PARAM_BASED_DIRECT_INJECTION=Url Parameter \"fileName\" is directly passed to the include file. diff --git a/src/main/resources/i18n/messages_en_US.properties b/src/main/resources/i18n/messages_en_US.properties index b304a6b9..8bb32cb9 100755 --- a/src/main/resources/i18n/messages_en_US.properties +++ b/src/main/resources/i18n/messages_en_US.properties @@ -91,6 +91,16 @@ PATH_TRAVERSAL_URL_PARAM_BEFORE_NULL_BYTE_IF_DOT_DOT_PATH_OR_%2F_NOT_PRESENT_DIR PATH_TRAVERSAL_URL_PARAM_BEFORE_NULL_BYTE_IF_DOT_DOT_PATH_WITH_OR_WITHOUT_URL_ENCODING_NOT_PRESENT_DIRECTLY_INJECTED=\"fileName\" query param's value before Null Byte is directly appended if it doesn't contains "..", takes care of URL encoding too. +# Command Injection Attack +COMMAND_INJECTION_VULNERABILITY=Command injection is an attack in which the goal is execution of arbitrary commands on the host operating system \ +via a vulnerable application. Command injection attacks are possible when an application passes unsafe user supplied data (forms, cookies, HTTP headers etc.) \ +to a system shell. In this attack, the attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application. \ +Command injection attacks are possible largely due to insufficient input validation.
\ +Important Links on Command Injection Vulnerability :
\ +
  1. CWE-77 \ +
  2. Owasp Wiki Link \ +
+ # Local File Injection #URL_BASED_LFI_INJECTION=Url based Local File Injection attack. #LFI_URL_PARAM_BASED_DIRECT_INJECTION=Url Parameter \"fileName\" is directly passed to the include file. From ba21c849d5d7e3745fc9867a89a9f0cea2bac681 Mon Sep 17 00:00:00 2001 From: karan preet singh sasan Date: Mon, 27 Jul 2020 02:54:32 +0530 Subject: [PATCH 2/5] Adding Process Builder for better execution --- .../CommandInjectionVulnerability.java | 21 ++++++++++++------- 1 file changed, 14 insertions(+), 7 deletions(-) diff --git a/src/main/java/org/sasanlabs/service/vulnerability/commandInjection/CommandInjectionVulnerability.java b/src/main/java/org/sasanlabs/service/vulnerability/commandInjection/CommandInjectionVulnerability.java index 0c7a2c1e..d5a536e2 100644 --- a/src/main/java/org/sasanlabs/service/vulnerability/commandInjection/CommandInjectionVulnerability.java +++ b/src/main/java/org/sasanlabs/service/vulnerability/commandInjection/CommandInjectionVulnerability.java @@ -3,6 +3,7 @@ import java.io.BufferedReader; import java.io.IOException; import java.io.InputStreamReader; +import java.util.concurrent.TimeUnit; import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; 
@@ -46,12 +47,18 @@ public class CommandInjectionVulnerability implements ICustomVulnerableEndPoint{ public ResponseBean> getVulnerablePayloadLevelUnsecure( ParameterBean parameterBean) throws ServiceApplicationException, IOException { - Process process = Runtime.getRuntime().exec("ping " + parameterBean.getQueryParamKeyValueMap().get(IP_ADDRESS) + " -c 2"); - (new BufferedReader(new InputStreamReader(process.getInputStream()))).lines().forEach(val -> LOGGER.info(val)); - (new BufferedReader(new InputStreamReader(process.getErrorStream()))).lines().forEach(val -> LOGGER.info(val)); - - return new ResponseBean>(new GenericVulnerabilityResponseBean()); + boolean isWindows = System.getProperty("os.name") + .toLowerCase().startsWith("windows"); + Process process; + if(!isWindows) { + process = new ProcessBuilder(new String[] { "bash", "-c", "ping -c 2 " + parameterBean.getQueryParamKeyValueMap().get(IP_ADDRESS)}).redirectErrorStream(true).start(); + } else { + process = new ProcessBuilder(new String[] { "cmd", "/c", "ping -n 2 " + parameterBean.getQueryParamKeyValueMap().get(IP_ADDRESS)}).redirectErrorStream(true).start(); + } + StringBuilder response = new StringBuilder(); + try(BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(process.getInputStream()))) { + bufferedReader.lines().forEach(val -> response.append(val).append("\n")); + } + return new ResponseBean>(new GenericVulnerabilityResponseBean(response.toString(), true)); } - - } From e1a71b9411af01d552de8b9d4563bdf4c1229e21 Mon Sep 17 00:00:00 2001 
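Review bot: Nothing bounds the child's lifetime in getVulnerablePayloadLevelUnsecure: the parameter is handed to `bash -c` / `cmd /c` by design, so an injected `sleep 3600`, or a command that waits on stdin such as `cat`, keeps `bufferedReader.lines()` blocked and pins the request thread until the process exits — a self-inflicted denial of service against the lab host. `java.util.concurrent.TimeUnit` is imported by this same commit but never used, which looks like a dropped `waitFor`. Since `ping -c 2` / `ping -n 2` emits only a handful of lines, a bounded wait before the read is enough here: `if (!process.waitFor(10, TimeUnit.SECONDS)) { process.destroyForcibly(); }` followed by the existing drain; an injected command that produces more output than the pipe buffer would additionally need the drain moved to a separate thread. A `// deliberately injectable: the value is concatenated into a shell command` comment on the two ProcessBuilder lines would keep future cleanups from removing the vulnerability the level exists to teach.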
From: karan preet singh sasan
Date: Wed, 29 Jul 2020 02:33:41 +0530
Subject: [PATCH 3/5] Adding CommandInjection Vulnerability levels
---
 .../sasanlabs/internal/utility/LevelEnum.java | 2 +
 .../CommandInjectionVulnerability.java | 200 +++++++++++++++---
 .../PathTraversalVulnerability.java | 79 ++++++-
 .../types/VulnerabilitySubType.java | 4 +-
 src/main/resources/i18n/messages.properties | 2 +
 .../resources/i18n/messages_en_US.properties | 2 +
 6 files changed, 247 insertions(+), 42 deletions(-)
diff --git a/src/main/java/org/sasanlabs/internal/utility/LevelEnum.java b/src/main/java/org/sasanlabs/internal/utility/LevelEnum.java
index cfa57546..361ddbe3 100755
--- a/src/main/java/org/sasanlabs/internal/utility/LevelEnum.java
+++ b/src/main/java/org/sasanlabs/internal/utility/LevelEnum.java
@@ -19,6 +19,8 @@ public enum LevelEnum {
 LEVEL_8,
 LEVEL_9,
 LEVEL_10,
+ LEVEL_11,
+ LEVEL_12,
 SECURE;
 public static LevelEnum getLevelEnumByName(String name) throws ServiceApplicationException {
diff --git a/src/main/java/org/sasanlabs/service/vulnerability/commandInjection/CommandInjectionVulnerability.java b/src/main/java/org/sasanlabs/service/vulnerability/commandInjection/CommandInjectionVulnerability.java
index d5a536e2..7edfa68e 100644
--- a/src/main/java/org/sasanlabs/service/vulnerability/commandInjection/CommandInjectionVulnerability.java
+++ b/src/main/java/org/sasanlabs/service/vulnerability/commandInjection/CommandInjectionVulnerability.java
@@ -3,10 +3,8 @@
 import java.io.BufferedReader;
 import java.io.IOException;
 import java.io.InputStreamReader;
-import java.util.concurrent.TimeUnit;
-
-import org.apache.logging.log4j.LogManager;
-import org.apache.logging.log4j.Logger;
+import java.util.function.Supplier;
+import java.util.regex.Pattern;
 import org.sasanlabs.internal.utility.LevelEnum;
 import org.sasanlabs.internal.utility.annotations.AttackVector;
 import org.sasanlabs.internal.utility.annotations.VulnerabilityLevel;
@@ -19,46 +17,190 @@ import org.sasanlabs.vulnerability.types.VulnerabilitySubType; import org.sasanlabs.vulnerability.types.VulnerabilityType; - /** - * This class contains vulnerabilities related to Command Injection. - * For More information - * + * This class contains vulnerabilities related to Command Injection. For More information + * * @author KSASAN preetkaran20@gmail.com */ @VulnerableServiceRestEndPoint( descriptionLabel = "COMMAND_INJECTION_VULNERABILITY", value = "CommandInjectionVulnerability", type = {VulnerabilityType.COMMAND_INJECTION}) -public class CommandInjectionVulnerability implements ICustomVulnerableEndPoint{ +public class CommandInjectionVulnerability implements ICustomVulnerableEndPoint { + + private static final String IP_ADDRESS = "ipaddr"; + private static final Pattern SEMICOLON_SPACE_LOGICAL_AND_PATTERN = Pattern.compile("[;& ]"); + private static final Pattern IP_ADDRESS_PATTERN = + Pattern.compile("\\b((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\\.|$)){4}\\b"); - private static final String IP_ADDRESS = "ipaddr"; - private static final transient Logger LOGGER = LogManager.getLogger(CommandInjectionVulnerability.class); + private StringBuilder getResponseFromPingCommand(String ipAddress, Supplier predicate) + throws IOException { + boolean isWindows = System.getProperty("os.name").toLowerCase().startsWith("windows"); + StringBuilder stringBuilder = new StringBuilder(); + if (predicate.get()) { + Process process; + if (!isWindows) { + process = + new ProcessBuilder(new String[] {"bash", "-c", "ping -c 2 " + ipAddress}) + .redirectErrorStream(true) + .start(); + } else { + process = + new ProcessBuilder(new String[] {"cmd", "/c", "ping -n 2 " + ipAddress}) + .redirectErrorStream(true) + .start(); + } + try (BufferedReader bufferedReader = + new BufferedReader(new InputStreamReader(process.getInputStream()))) { + bufferedReader.lines().forEach(val -> stringBuilder.append(val).append("\n")); + } + } + return stringBuilder; + } - 
@AttackVector( + @AttackVector( vulnerabilityExposed = VulnerabilitySubType.COMMAND_INJECTION, description = "JWT_URL_EXPOSING_SECURE_INFORMATION") @VulnerabilityLevel( value = LevelEnum.LEVEL_1, descriptionLabel = "URL_CONTAINING_JWT_TOKEN", - //htmlTemplate = "LEVEL_1/JWT_Level1", + // htmlTemplate = "LEVEL_1/JWT_Level1", + parameterName = IP_ADDRESS, + sampleValues = {""}) + public ResponseBean> getVulnerablePayloadLevel1( + ParameterBean parameterBean) throws ServiceApplicationException, IOException { + String ipAddress = parameterBean.getQueryParamKeyValueMap().get(IP_ADDRESS); + Supplier condition = () -> ipAddress != null; + return new ResponseBean>( + new GenericVulnerabilityResponseBean( + this.getResponseFromPingCommand(ipAddress, condition).toString(), true)); + } + + @AttackVector( + vulnerabilityExposed = VulnerabilitySubType.COMMAND_INJECTION, + description = "JWT_URL_EXPOSING_SECURE_INFORMATION") + @VulnerabilityLevel( + value = LevelEnum.LEVEL_2, + descriptionLabel = "URL_CONTAINING_JWT_TOKEN", + // htmlTemplate = "LEVEL_1/JWT_Level1", + parameterName = IP_ADDRESS, + sampleValues = {""}) + public ResponseBean> getVulnerablePayloadLevel2( + ParameterBean parameterBean) throws ServiceApplicationException, IOException { + String ipAddress = parameterBean.getQueryParamKeyValueMap().get(IP_ADDRESS); + Supplier condition = + () -> + ipAddress != null + && !SEMICOLON_SPACE_LOGICAL_AND_PATTERN + .matcher(parameterBean.getUrl()) + .find(); + return new ResponseBean>( + new GenericVulnerabilityResponseBean( + this.getResponseFromPingCommand(ipAddress, condition).toString(), true)); + } + + // Case Insensitive + @AttackVector( + vulnerabilityExposed = VulnerabilitySubType.COMMAND_INJECTION, + description = "JWT_URL_EXPOSING_SECURE_INFORMATION") + @VulnerabilityLevel( + value = LevelEnum.LEVEL_3, + descriptionLabel = "URL_CONTAINING_JWT_TOKEN", + // htmlTemplate = "LEVEL_1/JWT_Level1", + parameterName = IP_ADDRESS, + sampleValues = {""}) + public ResponseBean> 
getVulnerablePayloadLevel3( + ParameterBean parameterBean) throws ServiceApplicationException, IOException { + String ipAddress = parameterBean.getQueryParamKeyValueMap().get(IP_ADDRESS); + Supplier condition = + () -> + ipAddress != null + && !SEMICOLON_SPACE_LOGICAL_AND_PATTERN + .matcher(parameterBean.getUrl()) + .find() + && !parameterBean.getUrl().contains("%26") + && !parameterBean.getUrl().contains("%3B"); + return new ResponseBean>( + new GenericVulnerabilityResponseBean( + this.getResponseFromPingCommand(ipAddress, condition).toString(), true)); + } + + // e.g Attack + // http://localhost:9090/vulnerable/CommandInjectionVulnerability/LEVEL_3?ipaddr=192.168.0.1%20%7c%20cat%20/etc/passwd + @AttackVector( + vulnerabilityExposed = VulnerabilitySubType.COMMAND_INJECTION, + description = "JWT_URL_EXPOSING_SECURE_INFORMATION") + @VulnerabilityLevel( + value = LevelEnum.LEVEL_4, + descriptionLabel = "URL_CONTAINING_JWT_TOKEN", + // htmlTemplate = "LEVEL_1/JWT_Level1", + parameterName = IP_ADDRESS, + sampleValues = {""}) + public ResponseBean> getVulnerablePayloadLevel4( + ParameterBean parameterBean) throws ServiceApplicationException, IOException { + String ipAddress = parameterBean.getQueryParamKeyValueMap().get(IP_ADDRESS); + Supplier condition = + () -> + ipAddress != null + && !SEMICOLON_SPACE_LOGICAL_AND_PATTERN + .matcher(parameterBean.getUrl()) + .find() + && !parameterBean.getUrl().toUpperCase().contains("%26") + && !parameterBean.getUrl().toUpperCase().contains("%3B"); + return new ResponseBean>( + new GenericVulnerabilityResponseBean( + this.getResponseFromPingCommand(ipAddress, condition).toString(), true)); + } + + @AttackVector( + vulnerabilityExposed = VulnerabilitySubType.COMMAND_INJECTION, + description = "JWT_URL_EXPOSING_SECURE_INFORMATION") + @VulnerabilityLevel( + value = LevelEnum.LEVEL_5, + descriptionLabel = "URL_CONTAINING_JWT_TOKEN", + // htmlTemplate = "LEVEL_1/JWT_Level1", + parameterName = IP_ADDRESS, + sampleValues = {""}) + public 
ResponseBean> getVulnerablePayloadLevel5( + ParameterBean parameterBean) throws ServiceApplicationException, IOException { + String ipAddress = parameterBean.getQueryParamKeyValueMap().get(IP_ADDRESS); + Supplier condition = + () -> + ipAddress != null + && !SEMICOLON_SPACE_LOGICAL_AND_PATTERN + .matcher(parameterBean.getUrl()) + .find() + && !parameterBean.getUrl().toUpperCase().contains("%26") + && !parameterBean.getUrl().toUpperCase().contains("%3B") + & !parameterBean.getUrl().toUpperCase().contains("%7C"); + return new ResponseBean>( + new GenericVulnerabilityResponseBean( + this.getResponseFromPingCommand(ipAddress, condition).toString(), true)); + } + + @AttackVector( + vulnerabilityExposed = VulnerabilitySubType.COMMAND_INJECTION, + description = "JWT_URL_EXPOSING_SECURE_INFORMATION") + @VulnerabilityLevel( + value = LevelEnum.LEVEL_6, + descriptionLabel = "URL_CONTAINING_JWT_TOKEN", + // htmlTemplate = "LEVEL_1/JWT_Level1", parameterName = IP_ADDRESS, sampleValues = {""}) - public ResponseBean> getVulnerablePayloadLevelUnsecure( - ParameterBean parameterBean) - throws ServiceApplicationException, IOException { - boolean isWindows = System.getProperty("os.name") - .toLowerCase().startsWith("windows"); - Process process; - if(!isWindows) { - process = new ProcessBuilder(new String[] { "bash", "-c", "ping -c 2 " + parameterBean.getQueryParamKeyValueMap().get(IP_ADDRESS)}).redirectErrorStream(true).start(); - } else { - process = new ProcessBuilder(new String[] { "cmd", "/c", "ping -n 2 " + parameterBean.getQueryParamKeyValueMap().get(IP_ADDRESS)}).redirectErrorStream(true).start(); - } - StringBuilder response = new StringBuilder(); - try(BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(process.getInputStream()))) { - bufferedReader.lines().forEach(val -> response.append(val).append("\n")); - } - return new ResponseBean>(new GenericVulnerabilityResponseBean(response.toString(), true)); + public ResponseBean> getVulnerablePayloadLevel6( 
+ ParameterBean parameterBean) throws ServiceApplicationException, IOException { + String ipAddress = parameterBean.getQueryParamKeyValueMap().get(IP_ADDRESS); + return new ResponseBean>( + new GenericVulnerabilityResponseBean( + this.getResponseFromPingCommand( + ipAddress, + () -> + ipAddress != null + && IP_ADDRESS_PATTERN + .matcher(ipAddress) + .matches()) + .toString(), + true)); } } diff --git a/src/main/java/org/sasanlabs/service/vulnerability/pathTraversal/PathTraversalVulnerability.java b/src/main/java/org/sasanlabs/service/vulnerability/pathTraversal/PathTraversalVulnerability.java index 955e5c8a..94d9c88b 100644 --- a/src/main/java/org/sasanlabs/service/vulnerability/pathTraversal/PathTraversalVulnerability.java +++ b/src/main/java/org/sasanlabs/service/vulnerability/pathTraversal/PathTraversalVulnerability.java @@ -153,7 +153,7 @@ public ResponseBean> getVulnerablePaylo @AttackVector( vulnerabilityExposed = {VulnerabilitySubType.PATH_TRAVERSAL}, description = - "PATH_TRAVERSAL_URL_PARAM_IF_DOT_DOT_PATH_WITH_OR_WITHOUT_URL_ENCODING_NOT_PRESENT_DIRECTLY_INJECTED") + "PATH_TRAVERSAL_URL_PARAM_IF_DOT_DOT_PATH_OR_%2F_CASE_INSENSITIVE_NOT_PRESENT_DIRECTLY_INJECTED") @VulnerabilityLevel( value = LevelEnum.LEVEL_5, descriptionLabel = "PATH_TRAVERSAL_URL_CONTAINING_FILENAME", 
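Review bot: In getVulnerablePayloadLevel5 the last condition is joined with `&` instead of `&&`: `& !parameterBean.getUrl().toUpperCase().contains("%7C")`. It compiles because both operands are boolean, and since `&` binds tighter than `&&` only the `%3B` test is paired with it, so the outcome matches the other levels — but it reads as a typo and should be `&&` like the rest of the chain. All six levels also still carry the JWT labels `description = "JWT_URL_EXPOSING_SECURE_INFORMATION"` and `descriptionLabel = "URL_CONTAINING_JWT_TOKEN"`, so each needs its own message key stating what it filters (Level 2 rejects `;`, `&` and space anywhere in the URL — which also rejects any request carrying a second query parameter — up to Level 6, which only accepts a dotted-quad IPv4 via `IP_ADDRESS_PATTERN.matcher(ipAddress).matches()`). `getResponseFromPingCommand` takes the condition as a raw `Supplier`; `java.util.function.BooleanSupplier` names the intent and avoids boxing, and the helper still never waits on or destroys the child, so an injected blocking command holds the request thread until it exits.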
@@ -163,6 +163,27 @@ public ResponseBean> getVulnerablePaylo public ResponseBean> getVulnerablePayloadLevel5( ParameterBean parameterBean) { String fileName = parameterBean.getQueryParamKeyValueMap().get(URL_PARAM_KEY); + return this.readFile( + () -> + !parameterBean.getUrl().contains("..") + && !parameterBean.getUrl().toLowerCase().contains("%2f") + && fileName != null, + fileName); + } + + @AttackVector( + vulnerabilityExposed = {VulnerabilitySubType.PATH_TRAVERSAL}, + description = + "PATH_TRAVERSAL_URL_PARAM_IF_DOT_DOT_PATH_WITH_OR_WITHOUT_URL_ENCODING_NOT_PRESENT_DIRECTLY_INJECTED") + @VulnerabilityLevel( + value = LevelEnum.LEVEL_6, + descriptionLabel = "PATH_TRAVERSAL_URL_CONTAINING_FILENAME", + htmlTemplate = "LEVEL_1/PathTraversal", + parameterName = URL_PARAM_KEY, + sampleValues = {SAMPLE_VALUE_FILE_NAME}) + public ResponseBean> getVulnerablePayloadLevel6( + ParameterBean parameterBean) { + String fileName = parameterBean.getQueryParamKeyValueMap().get(URL_PARAM_KEY); return this.readFile(() -> fileName != null && !fileName.contains(".."), fileName); } @@ -174,12 +195,12 @@ public ResponseBean> getVulnerablePaylo }, description = "PATH_TRAVERSAL_URL_PARAM_BEFORE_NULL_BYTE_DIRECTLY_INJECTED") @VulnerabilityLevel( - value = LevelEnum.LEVEL_6, + value = LevelEnum.LEVEL_7, descriptionLabel = "PATH_TRAVERSAL_URL_CONTAINING_FILENAME", htmlTemplate = "LEVEL_1/PathTraversal", parameterName = URL_PARAM_KEY, sampleValues = {SAMPLE_VALUE_FILE_NAME}) - public ResponseBean> getVulnerablePayloadLevel6( + public ResponseBean> getVulnerablePayloadLevel7( ParameterBean parameterBean) { String queryFileName = parameterBean.getQueryParamKeyValueMap().get(URL_PARAM_KEY); String fileName = null; 
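Review bot: The updated Level 5 and the new Level 6 differ only in what they inspect — Level 5 tests `parameterBean.getUrl()` for `..` and a lower-cased `%2f`, Level 6 tests the decoded `fileName` for `..` — and nothing in the code says so, although that distinction is exactly what separates the two levels. A one-line comment on each guard would do: for Level 5 `// guard runs on the request URL, so other encodings of ".." are not seen here` and for Level 6 `// guard runs on the decoded parameter value`. The description keys hint at the intent (`..._CASE_INSENSITIVE_...` versus `..._WITH_OR_WITHOUT_URL_ENCODING_...`), but the source should carry it as well. Whether getUrl() returns the raw or the decoded URL is not visible in this hunk; confirm that before settling the wording.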
@@ -208,12 +229,12 @@ public ResponseBean> getVulnerablePaylo description = "PATH_TRAVERSAL_URL_PARAM_BEFORE_NULL_BYTE_IF_PARENT_DIRECTORY_PATH_NOT_PRESENT_DIRECTLY_INJECTED") @VulnerabilityLevel( - value = LevelEnum.LEVEL_7, + value = LevelEnum.LEVEL_8, descriptionLabel = "PATH_TRAVERSAL_URL_CONTAINING_FILENAME", htmlTemplate = "LEVEL_1/PathTraversal", parameterName = URL_PARAM_KEY, sampleValues = {SAMPLE_VALUE_FILE_NAME}) - public ResponseBean> getVulnerablePayloadLevel7( + public ResponseBean> getVulnerablePayloadLevel8( ParameterBean parameterBean) { String queryFileName = parameterBean.getQueryParamKeyValueMap().get(URL_PARAM_KEY); String fileName = null; @@ -243,12 +264,12 @@ public ResponseBean> getVulnerablePaylo description = "PATH_TRAVERSAL_URL_PARAM_BEFORE_NULL_BYTE_IF_DOT_DOT_PATH_NOT_PRESENT_DIRECTLY_INJECTED") @VulnerabilityLevel( - value = LevelEnum.LEVEL_8, + value = LevelEnum.LEVEL_9, descriptionLabel = "PATH_TRAVERSAL_URL_CONTAINING_FILENAME", htmlTemplate = "LEVEL_1/PathTraversal", parameterName = URL_PARAM_KEY, sampleValues = {SAMPLE_VALUE_FILE_NAME}) - public ResponseBean> getVulnerablePayloadLevel8( + public ResponseBean> getVulnerablePayloadLevel9( ParameterBean parameterBean) { String queryFileName = parameterBean.getQueryParamKeyValueMap().get(URL_PARAM_KEY); String fileName = null; @@ -278,12 +299,12 @@ public ResponseBean> getVulnerablePaylo description = "PATH_TRAVERSAL_URL_PARAM_BEFORE_NULL_BYTE_IF_DOT_DOT_PATH_OR_%2F_NOT_PRESENT_DIRECTLY_INJECTED") @VulnerabilityLevel( - value = LevelEnum.LEVEL_9, + value = LevelEnum.LEVEL_10, descriptionLabel = "PATH_TRAVERSAL_URL_CONTAINING_FILENAME", htmlTemplate = "LEVEL_1/PathTraversal", parameterName = URL_PARAM_KEY, sampleValues = {SAMPLE_VALUE_FILE_NAME}) - public ResponseBean> getVulnerablePayloadLevel9( + public ResponseBean> getVulnerablePayloadLevel10( ParameterBean parameterBean) { String queryFileName = parameterBean.getQueryParamKeyValueMap().get(URL_PARAM_KEY); String fileName = null; 
@@ -306,6 +327,42 @@ public ResponseBean> getVulnerablePaylo fileName); } + @AttackVector( + vulnerabilityExposed = { + VulnerabilitySubType.NULL_BYTE, + VulnerabilitySubType.PATH_TRAVERSAL + }, + description = + "PATH_TRAVERSAL_URL_PARAM_BEFORE_NULL_BYTE_IF_DOT_DOT_PATH_OR_%2F_CASE_INSENSITIVE_NOT_PRESENT_DIRECTLY_INJECTED") + @VulnerabilityLevel( + value = LevelEnum.LEVEL_11, + descriptionLabel = "PATH_TRAVERSAL_URL_CONTAINING_FILENAME", + htmlTemplate = "LEVEL_1/PathTraversal", + parameterName = URL_PARAM_KEY, + sampleValues = {SAMPLE_VALUE_FILE_NAME}) + public ResponseBean> getVulnerablePayloadLevel11( + ParameterBean parameterBean) { + String queryFileName = parameterBean.getQueryParamKeyValueMap().get(URL_PARAM_KEY); + String fileName = null; + if (queryFileName != null) { + int indexOfNullByte = queryFileName.indexOf(NULL_BYTE_CHARACTER); + fileName = + indexOfNullByte >= 0 + ? queryFileName.substring(0, indexOfNullByte) + : queryFileName; + } + return this.readFile( + () -> + queryFileName != null + && !parameterBean.getUrl().contains("..") + && !parameterBean.getUrl().toLowerCase().contains("%2f") + && ALLOWED_FILE_NAMES.stream() + .anyMatch( + allowedFileName -> + queryFileName.contains(allowedFileName)), + fileName); + } + @AttackVector( vulnerabilityExposed = { VulnerabilitySubType.NULL_BYTE, 
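Review bot: getVulnerablePayloadLevel11 repeats the null-byte truncation prologue (`int indexOfNullByte = queryFileName.indexOf(NULL_BYTE_CHARACTER);` through `: queryFileName;`) that the renumbered Levels 7–10 in the hunks above also carry; a private helper such as `private static String beforeNullByte(String value)` that returns `value.substring(0, indexOfNullByte)` when a null byte is present and `value` otherwise would replace every copy. Two details of the guard deserve a comment because they look like mistakes but are the point of the level: the allow-list check runs on `queryFileName` (the full value, including whatever follows the null byte) while `readFile` receives the truncated `fileName`, and the `..`/`%2f` tests run on `parameterBean.getUrl()` rather than on the parameter. Something like `// deliberately validates the untruncated value: the null byte lets an allowed name pass the check while a different path is read` would stop a later cleanup from "fixing" it.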
@@ -314,12 +371,12 @@ public ResponseBean> getVulnerablePaylo description = "PATH_TRAVERSAL_URL_PARAM_BEFORE_NULL_BYTE_IF_DOT_DOT_PATH_WITH_OR_WITHOUT_URL_ENCODING_NOT_PRESENT_DIRECTLY_INJECTED") @VulnerabilityLevel( - value = LevelEnum.LEVEL_10, + value = LevelEnum.LEVEL_12, descriptionLabel = "PATH_TRAVERSAL_URL_CONTAINING_FILENAME", htmlTemplate = "LEVEL_1/PathTraversal", parameterName = URL_PARAM_KEY, sampleValues = {SAMPLE_VALUE_FILE_NAME}) - public ResponseBean> getVulnerablePayloadLevel10( + public ResponseBean> getVulnerablePayloadLevel12( ParameterBean parameterBean) { String queryFileName = parameterBean.getQueryParamKeyValueMap().get(URL_PARAM_KEY); String fileName = null; diff --git a/src/main/java/org/sasanlabs/vulnerability/types/VulnerabilitySubType.java b/src/main/java/org/sasanlabs/vulnerability/types/VulnerabilitySubType.java index 2b451ab5..1254c476 100644 --- a/src/main/java/org/sasanlabs/vulnerability/types/VulnerabilitySubType.java +++ b/src/main/java/org/sasanlabs/vulnerability/types/VulnerabilitySubType.java @@ -29,10 +29,10 @@ public enum VulnerabilitySubType { CLIENT_SIDE_VULNERABLE_JWT(VulnerabilityType.VULNERABLE_JWT_IMPLMENTATION), SERVER_SIDE_VULNERABLE_JWT(VulnerabilityType.VULNERABLE_JWT_IMPLMENTATION), INSECURE_CONFIGURATION_JWT(VulnerabilityType.VULNERABLE_JWT_IMPLMENTATION), - + PATH_TRAVERSAL(VulnerabilityType.PATH_TRAVERSAL), COMMAND_INJECTION(VulnerabilityType.COMMAND_INJECTION), - + // Combined Attacking Vulnerability NULL_BYTE(VulnerabilityType.NULL_BYTE); diff --git a/src/main/resources/i18n/messages.properties b/src/main/resources/i18n/messages.properties index 8bb32cb9..db8c7b67 100755 --- a/src/main/resources/i18n/messages.properties +++ b/src/main/resources/i18n/messages.properties 
@@ -82,12 +82,14 @@ PATH_TRAVERSAL_URL_PARAM_DIRECTLY_INJECTED=\"fileName\" query param's value is d PATH_TRAVERSAL_URL_PARAM_IF_PARENT_DIRECTORY_PATH_NOT_PRESENT_DIRECTLY_INJECTED=\"fileName\" query param's value is directly appended if it doesn't contains "../". PATH_TRAVERSAL_URL_PARAM_IF_DOT_DOT_PATH_NOT_PRESENT_DIRECTLY_INJECTED=\"fileName\" query param's value is directly appended if it doesn't contains "..". PATH_TRAVERSAL_URL_PARAM_IF_DOT_DOT_PATH_OR_%2F_NOT_PRESENT_DIRECTLY_INJECTED=\"fileName\" query param's value is directly appended if it doesn't contains ".." or "%2f" which is URL encoding of "/". +PATH_TRAVERSAL_URL_PARAM_IF_DOT_DOT_PATH_OR_%2F_CASE_INSENSITIVE_NOT_PRESENT_DIRECTLY_INJECTED=\"fileName\" query param's value is directly appended if it doesn't contains ".." or "%2f" or "%2F" which is URL encoding of "/". PATH_TRAVERSAL_URL_PARAM_IF_DOT_DOT_PATH_WITH_OR_WITHOUT_URL_ENCODING_NOT_PRESENT_DIRECTLY_INJECTED=\"fileName\" query param's value is directly appended if it doesn't contains "..", takes care of URL encoding too. PATH_TRAVERSAL_URL_PARAM_BEFORE_NULL_BYTE_DIRECTLY_INJECTED=\"fileName\" query param's value before Null Byte is directly appended to path to read the file. PATH_TRAVERSAL_URL_PARAM_BEFORE_NULL_BYTE_IF_PARENT_DIRECTORY_PATH_NOT_PRESENT_DIRECTLY_INJECTED=\"fileName\" query param's value before Null Byte is directly appended if it doesn't contains "../". PATH_TRAVERSAL_URL_PARAM_BEFORE_NULL_BYTE_IF_DOT_DOT_PATH_NOT_PRESENT_DIRECTLY_INJECTED=\"fileName\" query param's value before Null Byte is directly appended if it doesn't contains "..". PATH_TRAVERSAL_URL_PARAM_BEFORE_NULL_BYTE_IF_DOT_DOT_PATH_OR_%2F_NOT_PRESENT_DIRECTLY_INJECTED=\"fileName\" query param's value before Null Byte is directly appended if it doesn't contains ".." or "%2f" which is URL encoding of "/". 
+PATH_TRAVERSAL_URL_PARAM_BEFORE_NULL_BYTE_IF_DOT_DOT_PATH_OR_%2F_CASE_INSENSITIVE_NOT_PRESENT_DIRECTLY_INJECTED=\"fileName\" query param's value before Null Byte is directly appended if it doesn't contains ".." or "%2f" or "%2F" which is URL encoding of "/". PATH_TRAVERSAL_URL_PARAM_BEFORE_NULL_BYTE_IF_DOT_DOT_PATH_WITH_OR_WITHOUT_URL_ENCODING_NOT_PRESENT_DIRECTLY_INJECTED=\"fileName\" query param's value before Null Byte is directly appended if it doesn't contains "..", takes care of URL encoding too. diff --git a/src/main/resources/i18n/messages_en_US.properties b/src/main/resources/i18n/messages_en_US.properties index 8bb32cb9..db8c7b67 100755 --- a/src/main/resources/i18n/messages_en_US.properties +++ b/src/main/resources/i18n/messages_en_US.properties 
@@ -82,12 +82,14 @@ PATH_TRAVERSAL_URL_PARAM_DIRECTLY_INJECTED=\"fileName\" query param's value is d
 PATH_TRAVERSAL_URL_PARAM_IF_PARENT_DIRECTORY_PATH_NOT_PRESENT_DIRECTLY_INJECTED=\"fileName\" query param's value is directly appended if it doesn't contains "../".
 PATH_TRAVERSAL_URL_PARAM_IF_DOT_DOT_PATH_NOT_PRESENT_DIRECTLY_INJECTED=\"fileName\" query param's value is directly appended if it doesn't contains "..".
 PATH_TRAVERSAL_URL_PARAM_IF_DOT_DOT_PATH_OR_%2F_NOT_PRESENT_DIRECTLY_INJECTED=\"fileName\" query param's value is directly appended if it doesn't contains ".." or "%2f" which is URL encoding of "/".
+PATH_TRAVERSAL_URL_PARAM_IF_DOT_DOT_PATH_OR_%2F_CASE_INSENSITIVE_NOT_PRESENT_DIRECTLY_INJECTED=\"fileName\" query param's value is directly appended if it doesn't contains ".." or "%2f" or "%2F" which is URL encoding of "/".
 PATH_TRAVERSAL_URL_PARAM_IF_DOT_DOT_PATH_WITH_OR_WITHOUT_URL_ENCODING_NOT_PRESENT_DIRECTLY_INJECTED=\"fileName\" query param's value is directly appended if it doesn't contains "..", takes care of URL encoding too.
 PATH_TRAVERSAL_URL_PARAM_BEFORE_NULL_BYTE_DIRECTLY_INJECTED=\"fileName\" query param's value before Null Byte is directly appended to path to read the file.
 PATH_TRAVERSAL_URL_PARAM_BEFORE_NULL_BYTE_IF_PARENT_DIRECTORY_PATH_NOT_PRESENT_DIRECTLY_INJECTED=\"fileName\" query param's value before Null Byte is directly appended if it doesn't contains "../".
 PATH_TRAVERSAL_URL_PARAM_BEFORE_NULL_BYTE_IF_DOT_DOT_PATH_NOT_PRESENT_DIRECTLY_INJECTED=\"fileName\" query param's value before Null Byte is directly appended if it doesn't contains "..".
 PATH_TRAVERSAL_URL_PARAM_BEFORE_NULL_BYTE_IF_DOT_DOT_PATH_OR_%2F_NOT_PRESENT_DIRECTLY_INJECTED=\"fileName\" query param's value before Null Byte is directly appended if it doesn't contains ".." or "%2f" which is URL encoding of "/".
+PATH_TRAVERSAL_URL_PARAM_BEFORE_NULL_BYTE_IF_DOT_DOT_PATH_OR_%2F_CASE_INSENSITIVE_NOT_PRESENT_DIRECTLY_INJECTED=\"fileName\" query param's value before Null Byte is directly appended if it doesn't contains ".." or "%2f" or "%2F" which is URL encoding of "/".
 PATH_TRAVERSAL_URL_PARAM_BEFORE_NULL_BYTE_IF_DOT_DOT_PATH_WITH_OR_WITHOUT_URL_ENCODING_NOT_PRESENT_DIRECTLY_INJECTED=\"fileName\" query param's value before Null Byte is directly appended if it doesn't contains "..", takes care of URL encoding too.
From bced3c5b66dd530676760b3f2f46dfae63a4ecbd Mon Sep 17 00:00:00 2001
From: karan preet singh sasan
Date: Sun, 2 Aug 2020 02:13:05 +0530
Subject: [PATCH 4/5] UI changes for Command Injection
---
 ...lnerability.java => CommandInjection.java} | 61 +++++++++----------
 src/main/resources/i18n/messages.properties | 10 +++
 .../resources/i18n/messages_en_US.properties | 10 +++
 .../LEVEL_1/SQLInjection_Level1.css | 3 +-
 .../LEVEL_1/SQLInjection_Level1.js | 1 -
 .../CommandInjection/LEVEL_1/CI_Level1.css | 33 ++++++++++
 .../CommandInjection/LEVEL_1/CI_Level1.html | 13 ++++
 .../CommandInjection/LEVEL_1/CI_Level1.js | 17 ++++++
 .../LEVEL_1/SQLInjection_Level1.css | 3 +-
 .../LEVEL_1/SQLInjection_Level1.js | 1 -
 .../LEVEL_1/SQLInjection_Level1.css | 3 +-
 .../LEVEL_1/SQLInjection_Level1.js | 1 -
 src/main/resources/static/vulnerableApp.css | 3 +-
 13 files changed, 116 insertions(+), 43 deletions(-)
 rename src/main/java/org/sasanlabs/service/vulnerability/commandInjection/{CommandInjectionVulnerability.java => CommandInjection.java} (82%)
 create mode 100644 src/main/resources/static/templates/CommandInjection/LEVEL_1/CI_Level1.css
 create mode 100644 src/main/resources/static/templates/CommandInjection/LEVEL_1/CI_Level1.html
 create mode 100644 src/main/resources/static/templates/CommandInjection/LEVEL_1/CI_Level1.js
diff --git a/src/main/java/org/sasanlabs/service/vulnerability/commandInjection/CommandInjectionVulnerability.java b/src/main/java/org/sasanlabs/service/vulnerability/commandInjection/CommandInjection.java similarity index 82% rename from src/main/java/org/sasanlabs/service/vulnerability/commandInjection/CommandInjectionVulnerability.java rename to src/main/java/org/sasanlabs/service/vulnerability/commandInjection/CommandInjection.java index 7edfa68e..ebbc2df8 100644 --- a/src/main/java/org/sasanlabs/service/vulnerability/commandInjection/CommandInjectionVulnerability.java +++ b/src/main/java/org/sasanlabs/service/vulnerability/commandInjection/CommandInjection.java @@ -25,11 +25,11 @@ */ @VulnerableServiceRestEndPoint( descriptionLabel = "COMMAND_INJECTION_VULNERABILITY", - value = "CommandInjectionVulnerability", + value = "CommandInjection", type = {VulnerabilityType.COMMAND_INJECTION}) -public class CommandInjectionVulnerability implements ICustomVulnerableEndPoint { +public class CommandInjection implements ICustomVulnerableEndPoint { - private static final String IP_ADDRESS = "ipaddr"; + private static final String IP_ADDRESS = "ipaddress"; private static final Pattern SEMICOLON_SPACE_LOGICAL_AND_PATTERN = Pattern.compile("[;& ]"); private static final Pattern IP_ADDRESS_PATTERN = Pattern.compile("\\b((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\\.|$)){4}\\b"); @@ -61,13 +61,13 @@ private StringBuilder getResponseFromPingCommand(String ipAddress, Supplier> getVulnerablePayloadLevel1( ParameterBean parameterBean) throws ServiceApplicationException, IOException { String ipAddress = parameterBean.getQueryParamKeyValueMap().get(IP_ADDRESS); 
@@ -79,13 +79,13 @@ public ResponseBean> getVulnerablePaylo @AttackVector( vulnerabilityExposed = VulnerabilitySubType.COMMAND_INJECTION, - description = "JWT_URL_EXPOSING_SECURE_INFORMATION") + description = "COMMAND_INJECTION_URL_PARAM_DIRECTLY_EXECUTED_IF_SEMICOLON_SPACE_LOGICAL_AND_NOT_PRESENT") @VulnerabilityLevel( value = LevelEnum.LEVEL_2, - descriptionLabel = "URL_CONTAINING_JWT_TOKEN", - // htmlTemplate = "LEVEL_1/JWT_Level1", + descriptionLabel = "COMMAND_INJECTION_URL_CONTAINING_IPADDRESS", + htmlTemplate = "LEVEL_1/CI_Level1", parameterName = IP_ADDRESS, - sampleValues = {""}) + sampleValues = {"localhost"}) public ResponseBean> getVulnerablePayloadLevel2( ParameterBean parameterBean) throws ServiceApplicationException, IOException { String ipAddress = parameterBean.getQueryParamKeyValueMap().get(IP_ADDRESS); @@ -103,13 +103,13 @@ public ResponseBean> getVulnerablePaylo // Case Insensitive @AttackVector( vulnerabilityExposed = VulnerabilitySubType.COMMAND_INJECTION, - description = "JWT_URL_EXPOSING_SECURE_INFORMATION") + description = "COMMAND_INJECTION_URL_PARAM_DIRECTLY_EXECUTED_IF_SEMICOLON_SPACE_LOGICAL_AND_%26_%3B_NOT_PRESENT") @VulnerabilityLevel( value = LevelEnum.LEVEL_3, - descriptionLabel = "URL_CONTAINING_JWT_TOKEN", - // htmlTemplate = "LEVEL_1/JWT_Level1", + descriptionLabel = "COMMAND_INJECTION_URL_CONTAINING_IPADDRESS", + htmlTemplate = "LEVEL_1/CI_Level1", parameterName = IP_ADDRESS, - sampleValues = {""}) + sampleValues = {"localhost"}) public ResponseBean> getVulnerablePayloadLevel3( ParameterBean parameterBean) throws ServiceApplicationException, IOException { String ipAddress = parameterBean.getQueryParamKeyValueMap().get(IP_ADDRESS); 
@@ -127,16 +127,16 @@ public ResponseBean> getVulnerablePaylo } // e.g Attack - // http://localhost:9090/vulnerable/CommandInjectionVulnerability/LEVEL_3?ipaddr=192.168.0.1%20%7c%20cat%20/etc/passwd + // http://localhost:9090/vulnerable/CommandInjectionVulnerability/LEVEL_3?ipaddress=192.168.0.1%20%7c%20cat%20/etc/passwd @AttackVector( vulnerabilityExposed = VulnerabilitySubType.COMMAND_INJECTION, - description = "JWT_URL_EXPOSING_SECURE_INFORMATION") + description = "COMMAND_INJECTION_URL_PARAM_DIRECTLY_EXECUTED_IF_SEMICOLON_SPACE_LOGICAL_AND_%26_%3B_CASE_INSENSITIVE_NOT_PRESENT") @VulnerabilityLevel( value = LevelEnum.LEVEL_4, - descriptionLabel = "URL_CONTAINING_JWT_TOKEN", - // htmlTemplate = "LEVEL_1/JWT_Level1", + descriptionLabel = "COMMAND_INJECTION_URL_CONTAINING_IPADDRESS", + htmlTemplate = "LEVEL_1/CI_Level1", parameterName = IP_ADDRESS, - sampleValues = {""}) + sampleValues = {"localhost"}) public ResponseBean> getVulnerablePayloadLevel4( ParameterBean parameterBean) throws ServiceApplicationException, IOException { String ipAddress = parameterBean.getQueryParamKeyValueMap().get(IP_ADDRESS); @@ -155,13 +155,13 @@ public ResponseBean> getVulnerablePaylo @AttackVector( vulnerabilityExposed = VulnerabilitySubType.COMMAND_INJECTION, - description = "JWT_URL_EXPOSING_SECURE_INFORMATION") + description = "COMMAND_INJECTION_URL_PARAM_DIRECTLY_EXECUTED_IF_SEMICOLON_SPACE_LOGICAL_AND_%26_%3B_%7C_CASE_INSENSITIVE_NOT_PRESENT") @VulnerabilityLevel( value = LevelEnum.LEVEL_5, - descriptionLabel = "URL_CONTAINING_JWT_TOKEN", - // htmlTemplate = "LEVEL_1/JWT_Level1", + descriptionLabel = "COMMAND_INJECTION_URL_CONTAINING_IPADDRESS", + htmlTemplate = "LEVEL_1/CI_Level1", parameterName = IP_ADDRESS, - sampleValues = {""}) + sampleValues = {"localhost"}) public ResponseBean> getVulnerablePayloadLevel5( ParameterBean parameterBean) throws ServiceApplicationException, IOException { String ipAddress = parameterBean.getQueryParamKeyValueMap().get(IP_ADDRESS); 
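Review bot: The example comment added in the `-127` hunk still carries the old endpoint path: the `-25` hunk earlier in this file renames the `@VulnerableServiceRestEndPoint` value to `CommandInjection`, so the `CommandInjectionVulnerability` segment in `// http://localhost:9090/vulnerable/CommandInjectionVulnerability/LEVEL_3?ipaddress=...` presumably no longer matches the served route and should read `/vulnerable/CommandInjection/LEVEL_3`. The same comment also says `LEVEL_3` while it sits directly above the `LEVEL_4` handler; it is worth confirming which level it is meant to illustrate and aligning the text. The identical line survives as context in the final patch's `-130` hunk of this file, so fixing it there is equivalent.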
@@ -179,15 +179,12 @@ public ResponseBean> getVulnerablePaylo this.getResponseFromPingCommand(ipAddress, condition).toString(), true)); } - @AttackVector( - vulnerabilityExposed = VulnerabilitySubType.COMMAND_INJECTION, - description = "JWT_URL_EXPOSING_SECURE_INFORMATION") @VulnerabilityLevel( value = LevelEnum.LEVEL_6, - descriptionLabel = "URL_CONTAINING_JWT_TOKEN", - // htmlTemplate = "LEVEL_1/JWT_Level1", + descriptionLabel = "COMMAND_INJECTION_URL_CONTAINING_IPADDRESS", + htmlTemplate = "LEVEL_1/CI_Level1", parameterName = IP_ADDRESS, - sampleValues = {""}) + sampleValues = {"localhost"}) public ResponseBean> getVulnerablePayloadLevel6( ParameterBean parameterBean) throws ServiceApplicationException, IOException { String ipAddress = parameterBean.getQueryParamKeyValueMap().get(IP_ADDRESS); @@ -197,9 +194,9 @@ public ResponseBean> getVulnerablePaylo ipAddress, () -> ipAddress != null - && IP_ADDRESS_PATTERN + && (IP_ADDRESS_PATTERN .matcher(ipAddress) - .matches()) + .matches() || ipAddress.contentEquals("localhost"))) .toString(), true)); } diff --git a/src/main/resources/i18n/messages.properties b/src/main/resources/i18n/messages.properties index db8c7b67..d25a03e7 100755 --- a/src/main/resources/i18n/messages.properties +++ b/src/main/resources/i18n/messages.properties @@ -103,6 +103,16 @@ Important Links on Command Injection Vulnerability :
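Review bot: The LEVEL_6 condition in the `-197` hunk is the only place in this file where the input is checked against an allow-list (`IP_ADDRESS_PATTERN` via `matches()`, plus the literal `localhost`), but nothing in the code says that this is the intended secure variant, which is easy to miss next to LEVEL_2 to LEVEL_5 whose description keys indicate they only reject specific separator characters. A comment above the supplier lambda such as `// Secure variant: only a dotted-quad IPv4 literal or "localhost" reaches the ping helper; hostnames and IPv6 literals are rejected by design.` would make the contrast explicit, and a Javadoc line on `getVulnerablePayloadLevel6` saying the same would explain why the `-179` hunk drops the `@AttackVector` annotation from this level only. Minor style point: `"localhost".equals(ipAddress)` reads more naturally than `ipAddress.contentEquals("localhost")` for a plain string comparison. `getVulnerablePayloadLevel6` begins before the `-197` hunk, and `getResponseFromPingCommand`, which consumes the supplier, is outside the diff.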
\
  • Owasp Wiki Link \ +COMMAND_INJECTION_URL_CONTAINING_IPADDRESS=IP Address is passed in the URL parameter named \"ipaddress\" + +#### Attack vectors +COMMAND_INJECTION_URL_PARAM_DIRECTLY_EXECUTED=\"ipaddress\" query param's value is directly executed. +COMMAND_INJECTION_URL_PARAM_DIRECTLY_EXECUTED_IF_SEMICOLON_SPACE_LOGICAL_AND_NOT_PRESENT=\"ipaddress\" query param's value is directly executed if \";\", \"&\" or space characters are not present in it. +COMMAND_INJECTION_URL_PARAM_DIRECTLY_EXECUTED_IF_SEMICOLON_SPACE_LOGICAL_AND_%26_%3B_NOT_PRESENT=\"ipaddress\" query param's value is directly executed if \";\", \"&\", \"%26\", \"%3B\" or space characters are not present in it. +COMMAND_INJECTION_URL_PARAM_DIRECTLY_EXECUTED_IF_SEMICOLON_SPACE_LOGICAL_AND_%26_%3B_CASE_INSENSITIVE_NOT_PRESENT=\"ipaddress\" query param's value is directly executed if \";\", \"&\", \"%26\", \"%3B\", \"%3b\" or space characters are not present in it. +COMMAND_INJECTION_URL_PARAM_DIRECTLY_EXECUTED_IF_SEMICOLON_SPACE_LOGICAL_AND_%26_%3B_%7C_CASE_INSENSITIVE_NOT_PRESENT=\"ipaddress\" query param's value is directly executed if \";\", \"&\", \"%26\", \"%3B\", \"%3b\", \"%7C\", \"%7c\" or space characters are not present in it. + + # Local File Injection #URL_BASED_LFI_INJECTION=Url based Local File Injection attack. #LFI_URL_PARAM_BASED_DIRECT_INJECTION=Url Parameter \"fileName\" is directly passed to the include file. diff --git a/src/main/resources/i18n/messages_en_US.properties b/src/main/resources/i18n/messages_en_US.properties index db8c7b67..d25a03e7 100755 --- a/src/main/resources/i18n/messages_en_US.properties +++ b/src/main/resources/i18n/messages_en_US.properties @@ -103,6 +103,16 @@ Important Links on Command Injection Vulnerability :
    \
  • Owasp Wiki Link \ +COMMAND_INJECTION_URL_CONTAINING_IPADDRESS=IP Address is passed in the URL parameter named \"ipaddress\" + +#### Attack vectors +COMMAND_INJECTION_URL_PARAM_DIRECTLY_EXECUTED=\"ipaddress\" query param's value is directly executed. +COMMAND_INJECTION_URL_PARAM_DIRECTLY_EXECUTED_IF_SEMICOLON_SPACE_LOGICAL_AND_NOT_PRESENT=\"ipaddress\" query param's value is directly executed if \";\", \"&\" or space characters are not present in it. +COMMAND_INJECTION_URL_PARAM_DIRECTLY_EXECUTED_IF_SEMICOLON_SPACE_LOGICAL_AND_%26_%3B_NOT_PRESENT=\"ipaddress\" query param's value is directly executed if \";\", \"&\", \"%26\", \"%3B\" or space characters are not present in it. +COMMAND_INJECTION_URL_PARAM_DIRECTLY_EXECUTED_IF_SEMICOLON_SPACE_LOGICAL_AND_%26_%3B_CASE_INSENSITIVE_NOT_PRESENT=\"ipaddress\" query param's value is directly executed if \";\", \"&\", \"%26\", \"%3B\", \"%3b\" or space characters are not present in it. +COMMAND_INJECTION_URL_PARAM_DIRECTLY_EXECUTED_IF_SEMICOLON_SPACE_LOGICAL_AND_%26_%3B_%7C_CASE_INSENSITIVE_NOT_PRESENT=\"ipaddress\" query param's value is directly executed if \";\", \"&\", \"%26\", \"%3B\", \"%3b\", \"%7C\", \"%7c\" or space characters are not present in it. + + # Local File Injection #URL_BASED_LFI_INJECTION=Url based Local File Injection attack. #LFI_URL_PARAM_BASED_DIRECT_INJECTION=Url Parameter \"fileName\" is directly passed to the include file. diff --git a/src/main/resources/static/templates/BlindSQLInjectionVulnerability/LEVEL_1/SQLInjection_Level1.css b/src/main/resources/static/templates/BlindSQLInjectionVulnerability/LEVEL_1/SQLInjection_Level1.css index 5042e1c0..102d9d6b 100644 --- a/src/main/resources/static/templates/BlindSQLInjectionVulnerability/LEVEL_1/SQLInjection_Level1.css +++ b/src/main/resources/static/templates/BlindSQLInjectionVulnerability/LEVEL_1/SQLInjection_Level1.css 
@@ -1,11 +1,10 @@ #sqlinjection_level_1 { color: black; - text-align: justify; + text-align: center; } #carInformation { font-size: 15px; - visibility: hidden; } #checkIfCarPresentButton { diff --git a/src/main/resources/static/templates/BlindSQLInjectionVulnerability/LEVEL_1/SQLInjection_Level1.js b/src/main/resources/static/templates/BlindSQLInjectionVulnerability/LEVEL_1/SQLInjection_Level1.js index 438197a8..413d27a7 100644 --- a/src/main/resources/static/templates/BlindSQLInjectionVulnerability/LEVEL_1/SQLInjection_Level1.js +++ b/src/main/resources/static/templates/BlindSQLInjectionVulnerability/LEVEL_1/SQLInjection_Level1.js @@ -20,5 +20,4 @@ function fetchCarInfoCallBack(data) { document.getElementById("carInformation").innerHTML = "
    Car is not Present
    "; } - document.getElementById("carInformation").style.visibility = "visible"; } diff --git a/src/main/resources/static/templates/CommandInjection/LEVEL_1/CI_Level1.css b/src/main/resources/static/templates/CommandInjection/LEVEL_1/CI_Level1.css new file mode 100644 index 00000000..85c867e2 --- /dev/null +++ b/src/main/resources/static/templates/CommandInjection/LEVEL_1/CI_Level1.css @@ -0,0 +1,33 @@ +#ci_level_1 { + color: black; + text-align: center; +} + +#pingUtilityResponse { + font-size: 15px; +} + +#pingUtility { + display: flex; + flex-direction: column; +} + +#heading { + font-size: 20px; +} + +#input { + font-size: 15px; +} + +#pingBtn { + background: blueviolet; + display: inline-block; + padding: 8px 8px; + margin: 10px; + border: 2px solid transparent; + border-radius: 3px; + transition: 0.2s opacity; + color: #FFF; + font-size: 12px; +} \ No newline at end of file diff --git a/src/main/resources/static/templates/CommandInjection/LEVEL_1/CI_Level1.html b/src/main/resources/static/templates/CommandInjection/LEVEL_1/CI_Level1.html new file mode 100644 index 00000000..f04f82af --- /dev/null +++ b/src/main/resources/static/templates/CommandInjection/LEVEL_1/CI_Level1.html @@ -0,0 +1,13 @@ +
    +
    +
    +
    Welcome to Ping utility.
    +
    please enter IP address: + + +
    +
    +
    +
    +
    +
    \ No newline at end of file diff --git a/src/main/resources/static/templates/CommandInjection/LEVEL_1/CI_Level1.js b/src/main/resources/static/templates/CommandInjection/LEVEL_1/CI_Level1.js new file mode 100644 index 00000000..32e3e69b --- /dev/null +++ b/src/main/resources/static/templates/CommandInjection/LEVEL_1/CI_Level1.js @@ -0,0 +1,17 @@ +function addingEventListenerToPingButton() { + document + .getElementById("pingBtn") + .addEventListener("click", function() { + let url = getUrlForVulnerabilityLevel(); + doGetAjaxCall( + pingUtilityCallback, + url + "?ipaddress=" + document.getElementById("ipaddress").value, + true + ); + }); +} +addingEventListenerToPingButton(); + +function pingUtilityCallback(data) { + document.getElementById("pingUtilityResponse").innerHTML = data.content; +} diff --git a/src/main/resources/static/templates/ErrorBasedSQLInjectionVulnerability/LEVEL_1/SQLInjection_Level1.css b/src/main/resources/static/templates/ErrorBasedSQLInjectionVulnerability/LEVEL_1/SQLInjection_Level1.css index 55e5e981..e12a115c 100644 --- a/src/main/resources/static/templates/ErrorBasedSQLInjectionVulnerability/LEVEL_1/SQLInjection_Level1.css +++ b/src/main/resources/static/templates/ErrorBasedSQLInjectionVulnerability/LEVEL_1/SQLInjection_Level1.css @@ -1,11 +1,10 @@ #sqlinjection_level_1 { color: black; - text-align: justify; + text-align: center; } #carInformation { font-size: 15px; - visibility: hidden; } #fetchCarImageButton { diff --git a/src/main/resources/static/templates/ErrorBasedSQLInjectionVulnerability/LEVEL_1/SQLInjection_Level1.js b/src/main/resources/static/templates/ErrorBasedSQLInjectionVulnerability/LEVEL_1/SQLInjection_Level1.js index 5384ad06..cb6b9730 100644 --- a/src/main/resources/static/templates/ErrorBasedSQLInjectionVulnerability/LEVEL_1/SQLInjection_Level1.js +++ b/src/main/resources/static/templates/ErrorBasedSQLInjectionVulnerability/LEVEL_1/SQLInjection_Level1.js 
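Review bot: In the new `CI_Level1.js` the typed value is concatenated raw into the query string, `url + "?ipaddress=" + document.getElementById("ipaddress").value`; a value containing `&`, `#`, `+` or a space is re-interpreted by the browser as a parameter separator, fragment or encoded space before the request leaves the page, so the server-side checks never see it as entered. If that is deliberate for the lab, a one-line comment saying so would stop the next reader from changing it; otherwise `encodeURIComponent(document.getElementById("ipaddress").value)` sends the value intact and leaves the decision to the server. Separately, `pingUtilityCallback` assigns the server response to `innerHTML`, so whatever the ping helper returns (which presumably reflects the submitted value) is parsed as markup; `document.getElementById("pingUtilityResponse").textContent = data.content;` together with `white-space: pre-wrap` on `#pingUtilityResponse` in `CI_Level1.css` preserves the line breaks without interpreting the text as HTML. The final patch's `-1` hunk of the same file only reflows the listener and keeps the same concatenation, so the first point applies there as well.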
@@ -17,5 +17,4 @@ function fetchCarInfoCallBack(data) { document.getElementById("carInformation").innerHTML = ""; } - document.getElementById("carInformation").style.visibility = "visible"; } diff --git a/src/main/resources/static/templates/UnionBasedSQLInjectionVulnerability/LEVEL_1/SQLInjection_Level1.css b/src/main/resources/static/templates/UnionBasedSQLInjectionVulnerability/LEVEL_1/SQLInjection_Level1.css index 55e5e981..e12a115c 100644 --- a/src/main/resources/static/templates/UnionBasedSQLInjectionVulnerability/LEVEL_1/SQLInjection_Level1.css +++ b/src/main/resources/static/templates/UnionBasedSQLInjectionVulnerability/LEVEL_1/SQLInjection_Level1.css @@ -1,11 +1,10 @@ #sqlinjection_level_1 { color: black; - text-align: justify; + text-align: center; } #carInformation { font-size: 15px; - visibility: hidden; } #fetchCarImageButton { diff --git a/src/main/resources/static/templates/UnionBasedSQLInjectionVulnerability/LEVEL_1/SQLInjection_Level1.js b/src/main/resources/static/templates/UnionBasedSQLInjectionVulnerability/LEVEL_1/SQLInjection_Level1.js index 61cb7c17..4a4aeb14 100644 --- a/src/main/resources/static/templates/UnionBasedSQLInjectionVulnerability/LEVEL_1/SQLInjection_Level1.js +++ b/src/main/resources/static/templates/UnionBasedSQLInjectionVulnerability/LEVEL_1/SQLInjection_Level1.js @@ -15,5 +15,4 @@ addingEventListenerToFetchCarInfoButton(); function fetchCarInfoCallBack(data) { document.getElementById("carInformation").innerHTML = ""; - document.getElementById("carInformation").style.visibility = "visible"; } diff --git a/src/main/resources/static/vulnerableApp.css b/src/main/resources/static/vulnerableApp.css index 25842d11..a3b6f155 100755 --- a/src/main/resources/static/vulnerableApp.css +++ b/src/main/resources/static/vulnerableApp.css @@ -100,7 +100,7 @@ hr { height: 1px; border: 0; border-top: 1px solid black; - margin-left: 10% + margin-left: 10%; padding: 0; } 
@@ -117,7 +117,6 @@ hr { } #vulnPracticeBtn, #vulnLearnBtn { - display: flex; justify-items: left; display: inline-block; padding: 8px 8px; From 5de1c2b699b417e2b108b3da285afb5276b039b6 Mon Sep 17 00:00:00 2001 From: karan preet singh sasan Date: Sun, 2 Aug 2020 02:14:30 +0530 Subject: [PATCH 5/5] UI changes for Command Injection --- .../commandInjection/CommandInjection.java | 28 +++++++++++-------- .../CommandInjection/LEVEL_1/CI_Level1.js | 18 ++++++------ 2 files changed, 25 insertions(+), 21 deletions(-) diff --git a/src/main/java/org/sasanlabs/service/vulnerability/commandInjection/CommandInjection.java b/src/main/java/org/sasanlabs/service/vulnerability/commandInjection/CommandInjection.java index ebbc2df8..b93cbb29 100644 --- a/src/main/java/org/sasanlabs/service/vulnerability/commandInjection/CommandInjection.java +++ b/src/main/java/org/sasanlabs/service/vulnerability/commandInjection/CommandInjection.java @@ -79,11 +79,12 @@ public ResponseBean> getVulnerablePaylo @AttackVector( vulnerabilityExposed = VulnerabilitySubType.COMMAND_INJECTION, - description = "COMMAND_INJECTION_URL_PARAM_DIRECTLY_EXECUTED_IF_SEMICOLON_SPACE_LOGICAL_AND_NOT_PRESENT") + description = + "COMMAND_INJECTION_URL_PARAM_DIRECTLY_EXECUTED_IF_SEMICOLON_SPACE_LOGICAL_AND_NOT_PRESENT") @VulnerabilityLevel( value = LevelEnum.LEVEL_2, descriptionLabel = "COMMAND_INJECTION_URL_CONTAINING_IPADDRESS", - htmlTemplate = "LEVEL_1/CI_Level1", + htmlTemplate = "LEVEL_1/CI_Level1", parameterName = IP_ADDRESS, sampleValues = {"localhost"}) public ResponseBean> getVulnerablePayloadLevel2( 
@@ -103,11 +104,12 @@ public ResponseBean> getVulnerablePaylo // Case Insensitive @AttackVector( vulnerabilityExposed = VulnerabilitySubType.COMMAND_INJECTION, - description = "COMMAND_INJECTION_URL_PARAM_DIRECTLY_EXECUTED_IF_SEMICOLON_SPACE_LOGICAL_AND_%26_%3B_NOT_PRESENT") + description = + "COMMAND_INJECTION_URL_PARAM_DIRECTLY_EXECUTED_IF_SEMICOLON_SPACE_LOGICAL_AND_%26_%3B_NOT_PRESENT") @VulnerabilityLevel( value = LevelEnum.LEVEL_3, descriptionLabel = "COMMAND_INJECTION_URL_CONTAINING_IPADDRESS", - htmlTemplate = "LEVEL_1/CI_Level1", + htmlTemplate = "LEVEL_1/CI_Level1", parameterName = IP_ADDRESS, sampleValues = {"localhost"}) public ResponseBean> getVulnerablePayloadLevel3( @@ -130,11 +132,12 @@ public ResponseBean> getVulnerablePaylo // http://localhost:9090/vulnerable/CommandInjectionVulnerability/LEVEL_3?ipaddress=192.168.0.1%20%7c%20cat%20/etc/passwd @AttackVector( vulnerabilityExposed = VulnerabilitySubType.COMMAND_INJECTION, - description = "COMMAND_INJECTION_URL_PARAM_DIRECTLY_EXECUTED_IF_SEMICOLON_SPACE_LOGICAL_AND_%26_%3B_CASE_INSENSITIVE_NOT_PRESENT") + description = + "COMMAND_INJECTION_URL_PARAM_DIRECTLY_EXECUTED_IF_SEMICOLON_SPACE_LOGICAL_AND_%26_%3B_CASE_INSENSITIVE_NOT_PRESENT") @VulnerabilityLevel( value = LevelEnum.LEVEL_4, descriptionLabel = "COMMAND_INJECTION_URL_CONTAINING_IPADDRESS", - htmlTemplate = "LEVEL_1/CI_Level1", + htmlTemplate = "LEVEL_1/CI_Level1", parameterName = IP_ADDRESS, sampleValues = {"localhost"}) public ResponseBean> getVulnerablePayloadLevel4( 
@@ -155,11 +158,12 @@ public ResponseBean> getVulnerablePaylo @AttackVector( vulnerabilityExposed = VulnerabilitySubType.COMMAND_INJECTION, - description = "COMMAND_INJECTION_URL_PARAM_DIRECTLY_EXECUTED_IF_SEMICOLON_SPACE_LOGICAL_AND_%26_%3B_%7C_CASE_INSENSITIVE_NOT_PRESENT") + description = + "COMMAND_INJECTION_URL_PARAM_DIRECTLY_EXECUTED_IF_SEMICOLON_SPACE_LOGICAL_AND_%26_%3B_%7C_CASE_INSENSITIVE_NOT_PRESENT") @VulnerabilityLevel( value = LevelEnum.LEVEL_5, descriptionLabel = "COMMAND_INJECTION_URL_CONTAINING_IPADDRESS", - htmlTemplate = "LEVEL_1/CI_Level1", + htmlTemplate = "LEVEL_1/CI_Level1", parameterName = IP_ADDRESS, sampleValues = {"localhost"}) public ResponseBean> getVulnerablePayloadLevel5( @@ -182,7 +186,7 @@ public ResponseBean> getVulnerablePaylo @VulnerabilityLevel( value = LevelEnum.LEVEL_6, descriptionLabel = "COMMAND_INJECTION_URL_CONTAINING_IPADDRESS", - htmlTemplate = "LEVEL_1/CI_Level1", + htmlTemplate = "LEVEL_1/CI_Level1", parameterName = IP_ADDRESS, sampleValues = {"localhost"}) public ResponseBean> getVulnerablePayloadLevel6( @@ -195,8 +199,10 @@ public ResponseBean> getVulnerablePaylo () -> ipAddress != null && (IP_ADDRESS_PATTERN - .matcher(ipAddress) - .matches() || ipAddress.contentEquals("localhost"))) + .matcher(ipAddress) + .matches() + || ipAddress.contentEquals( + "localhost"))) .toString(), true)); } diff --git a/src/main/resources/static/templates/CommandInjection/LEVEL_1/CI_Level1.js b/src/main/resources/static/templates/CommandInjection/LEVEL_1/CI_Level1.js index 32e3e69b..3e540180 100644 --- a/src/main/resources/static/templates/CommandInjection/LEVEL_1/CI_Level1.js +++ b/src/main/resources/static/templates/CommandInjection/LEVEL_1/CI_Level1.js 
@@ -1,14 +1,12 @@
 function addingEventListenerToPingButton() {
- document
- .getElementById("pingBtn")
- .addEventListener("click", function() {
- let url = getUrlForVulnerabilityLevel();
- doGetAjaxCall(
- pingUtilityCallback,
- url + "?ipaddress=" + document.getElementById("ipaddress").value,
- true
- );
- });
+ document.getElementById("pingBtn").addEventListener("click", function() {
+ let url = getUrlForVulnerabilityLevel();
+ doGetAjaxCall(
+ pingUtilityCallback,
+ url + "?ipaddress=" + document.getElementById("ipaddress").value,
+ true
+ );
+ });
 }
 addingEventListenerToPingButton();