UI changes for Command Injection

src/main/java/org/sasanlabs/service/vulnerability/commandInjection/CommandInjectionVulnerability.java → src/main/java/org/sasanlabs/service/vulnerability/commandInjection/CommandInjection.java

@@ -25,11 +25,11 @@
  */
 @VulnerableServiceRestEndPoint(
         descriptionLabel = "COMMAND_INJECTION_VULNERABILITY",
-        value = "CommandInjectionVulnerability",
+        value = "CommandInjection",
         type = {VulnerabilityType.COMMAND_INJECTION})
-public class CommandInjectionVulnerability implements ICustomVulnerableEndPoint {
+public class CommandInjection implements ICustomVulnerableEndPoint {
 
-    private static final String IP_ADDRESS = "ipaddr";
+    private static final String IP_ADDRESS = "ipaddress";
     private static final Pattern SEMICOLON_SPACE_LOGICAL_AND_PATTERN = Pattern.compile("[;& ]");
     private static final Pattern IP_ADDRESS_PATTERN =
             Pattern.compile("\\b((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\\.|$)){4}\\b");
@@ -61,13 +61,13 @@ private StringBuilder getResponseFromPingCommand(String ipAddress, Supplier<Bool
 
     @AttackVector(
             vulnerabilityExposed = VulnerabilitySubType.COMMAND_INJECTION,
-            description = "JWT_URL_EXPOSING_SECURE_INFORMATION")
+            description = "COMMAND_INJECTION_URL_PARAM_DIRECTLY_EXECUTED")
     @VulnerabilityLevel(
             value = LevelEnum.LEVEL_1,
-            descriptionLabel = "URL_CONTAINING_JWT_TOKEN",
-            // htmlTemplate = "LEVEL_1/JWT_Level1",
+            descriptionLabel = "COMMAND_INJECTION_URL_CONTAINING_IPADDRESS",
+            htmlTemplate = "LEVEL_1/CI_Level1",
             parameterName = IP_ADDRESS,
-            sampleValues = {""})
+            sampleValues = {"localhost"})
     public ResponseBean<GenericVulnerabilityResponseBean<String>> getVulnerablePayloadLevel1(
             ParameterBean parameterBean) throws ServiceApplicationException, IOException {
         String ipAddress = parameterBean.getQueryParamKeyValueMap().get(IP_ADDRESS);
@@ -79,13 +79,13 @@ public ResponseBean<GenericVulnerabilityResponseBean<String>> getVulnerablePaylo
 
     @AttackVector(
             vulnerabilityExposed = VulnerabilitySubType.COMMAND_INJECTION,
-            description = "JWT_URL_EXPOSING_SECURE_INFORMATION")
+            description = "COMMAND_INJECTION_URL_PARAM_DIRECTLY_EXECUTED_IF_SEMICOLON_SPACE_LOGICAL_AND_NOT_PRESENT")
     @VulnerabilityLevel(
             value = LevelEnum.LEVEL_2,
-            descriptionLabel = "URL_CONTAINING_JWT_TOKEN",
-            // htmlTemplate = "LEVEL_1/JWT_Level1",
+            descriptionLabel = "COMMAND_INJECTION_URL_CONTAINING_IPADDRESS",
+           htmlTemplate = "LEVEL_1/CI_Level1",
             parameterName = IP_ADDRESS,
-            sampleValues = {""})
+            sampleValues = {"localhost"})
     public ResponseBean<GenericVulnerabilityResponseBean<String>> getVulnerablePayloadLevel2(
             ParameterBean parameterBean) throws ServiceApplicationException, IOException {
         String ipAddress = parameterBean.getQueryParamKeyValueMap().get(IP_ADDRESS);
@@ -103,13 +103,13 @@ public ResponseBean<GenericVulnerabilityResponseBean<String>> getVulnerablePaylo
     // Case Insensitive
     @AttackVector(
             vulnerabilityExposed = VulnerabilitySubType.COMMAND_INJECTION,
-            description = "JWT_URL_EXPOSING_SECURE_INFORMATION")
+            description = "COMMAND_INJECTION_URL_PARAM_DIRECTLY_EXECUTED_IF_SEMICOLON_SPACE_LOGICAL_AND_%26_%3B_NOT_PRESENT")
     @VulnerabilityLevel(
             value = LevelEnum.LEVEL_3,
-            descriptionLabel = "URL_CONTAINING_JWT_TOKEN",
-            // htmlTemplate = "LEVEL_1/JWT_Level1",
+            descriptionLabel = "COMMAND_INJECTION_URL_CONTAINING_IPADDRESS",
+           htmlTemplate = "LEVEL_1/CI_Level1",
             parameterName = IP_ADDRESS,
-            sampleValues = {""})
+            sampleValues = {"localhost"})
     public ResponseBean<GenericVulnerabilityResponseBean<String>> getVulnerablePayloadLevel3(
             ParameterBean parameterBean) throws ServiceApplicationException, IOException {
         String ipAddress = parameterBean.getQueryParamKeyValueMap().get(IP_ADDRESS);
@@ -127,16 +127,16 @@ public ResponseBean<GenericVulnerabilityResponseBean<String>> getVulnerablePaylo
     }
 
     // e.g Attack
-    // http://localhost:9090/vulnerable/CommandInjectionVulnerability/LEVEL_3?ipaddr=192.168.0.1%20%7c%20cat%20/etc/passwd
+    // http://localhost:9090/vulnerable/CommandInjectionVulnerability/LEVEL_3?ipaddress=192.168.0.1%20%7c%20cat%20/etc/passwd
     @AttackVector(
             vulnerabilityExposed = VulnerabilitySubType.COMMAND_INJECTION,
-            description = "JWT_URL_EXPOSING_SECURE_INFORMATION")
+            description = "COMMAND_INJECTION_URL_PARAM_DIRECTLY_EXECUTED_IF_SEMICOLON_SPACE_LOGICAL_AND_%26_%3B_CASE_INSENSITIVE_NOT_PRESENT")
     @VulnerabilityLevel(
             value = LevelEnum.LEVEL_4,
-            descriptionLabel = "URL_CONTAINING_JWT_TOKEN",
-            // htmlTemplate = "LEVEL_1/JWT_Level1",
+            descriptionLabel = "COMMAND_INJECTION_URL_CONTAINING_IPADDRESS",
+           htmlTemplate = "LEVEL_1/CI_Level1",
             parameterName = IP_ADDRESS,
-            sampleValues = {""})
+            sampleValues = {"localhost"})
     public ResponseBean<GenericVulnerabilityResponseBean<String>> getVulnerablePayloadLevel4(
             ParameterBean parameterBean) throws ServiceApplicationException, IOException {
         String ipAddress = parameterBean.getQueryParamKeyValueMap().get(IP_ADDRESS);
@@ -155,13 +155,13 @@ public ResponseBean<GenericVulnerabilityResponseBean<String>> getVulnerablePaylo
 
     @AttackVector(
             vulnerabilityExposed = VulnerabilitySubType.COMMAND_INJECTION,
-            description = "JWT_URL_EXPOSING_SECURE_INFORMATION")
+            description = "COMMAND_INJECTION_URL_PARAM_DIRECTLY_EXECUTED_IF_SEMICOLON_SPACE_LOGICAL_AND_%26_%3B_%7C_CASE_INSENSITIVE_NOT_PRESENT")
     @VulnerabilityLevel(
             value = LevelEnum.LEVEL_5,
-            descriptionLabel = "URL_CONTAINING_JWT_TOKEN",
-            // htmlTemplate = "LEVEL_1/JWT_Level1",
+            descriptionLabel = "COMMAND_INJECTION_URL_CONTAINING_IPADDRESS",
+           htmlTemplate = "LEVEL_1/CI_Level1",
             parameterName = IP_ADDRESS,
-            sampleValues = {""})
+            sampleValues = {"localhost"})
     public ResponseBean<GenericVulnerabilityResponseBean<String>> getVulnerablePayloadLevel5(
             ParameterBean parameterBean) throws ServiceApplicationException, IOException {
         String ipAddress = parameterBean.getQueryParamKeyValueMap().get(IP_ADDRESS);
@@ -179,15 +179,12 @@ public ResponseBean<GenericVulnerabilityResponseBean<String>> getVulnerablePaylo
                         this.getResponseFromPingCommand(ipAddress, condition).toString(), true));
     }
 
-    @AttackVector(
-            vulnerabilityExposed = VulnerabilitySubType.COMMAND_INJECTION,
-            description = "JWT_URL_EXPOSING_SECURE_INFORMATION")
     @VulnerabilityLevel(
             value = LevelEnum.LEVEL_6,
-            descriptionLabel = "URL_CONTAINING_JWT_TOKEN",
-            // htmlTemplate = "LEVEL_1/JWT_Level1",
+            descriptionLabel = "COMMAND_INJECTION_URL_CONTAINING_IPADDRESS",
+           htmlTemplate = "LEVEL_1/CI_Level1",
             parameterName = IP_ADDRESS,
-            sampleValues = {""})
+            sampleValues = {"localhost"})
     public ResponseBean<GenericVulnerabilityResponseBean<String>> getVulnerablePayloadLevel6(
             ParameterBean parameterBean) throws ServiceApplicationException, IOException {
         String ipAddress = parameterBean.getQueryParamKeyValueMap().get(IP_ADDRESS);
@@ -197,9 +194,9 @@ public ResponseBean<GenericVulnerabilityResponseBean<String>> getVulnerablePaylo
                                         ipAddress,
                                         () ->
                                                 ipAddress != null
-                                                        && IP_ADDRESS_PATTERN
+                                                        && (IP_ADDRESS_PATTERN
                                                                 .matcher(ipAddress)
-                                                                .matches())
+                                                                .matches() || ipAddress.contentEquals("localhost")))
                                 .toString(),
                         true));
     }

src/main/resources/i18n/messages.properties

@@ -103,6 +103,16 @@ Important Links on Command Injection Vulnerability :<br/>\
  <li> <a href="https://owasp.org/www-community/attacks/Command_Injection">Owasp Wiki Link</a> \
 </ol>
 
+COMMAND_INJECTION_URL_CONTAINING_IPADDRESS=IP Address is passed in the URL parameter named \"ipaddress\"
+
+#### Attack vectors
+COMMAND_INJECTION_URL_PARAM_DIRECTLY_EXECUTED=\"ipaddress\" query param's value is directly executed.
+COMMAND_INJECTION_URL_PARAM_DIRECTLY_EXECUTED_IF_SEMICOLON_SPACE_LOGICAL_AND_NOT_PRESENT=\"ipaddress\" query param's value is directly executed if \";\", \"&\" or space characters are not present in it.
+COMMAND_INJECTION_URL_PARAM_DIRECTLY_EXECUTED_IF_SEMICOLON_SPACE_LOGICAL_AND_%26_%3B_NOT_PRESENT=\"ipaddress\" query param's value is directly executed if \";\", \"&\", \"%26\", \"%3B\" or space characters are not present in it.
+COMMAND_INJECTION_URL_PARAM_DIRECTLY_EXECUTED_IF_SEMICOLON_SPACE_LOGICAL_AND_%26_%3B_CASE_INSENSITIVE_NOT_PRESENT=\"ipaddress\" query param's value is directly executed if \";\", \"&\", \"%26\", \"%3B\", \"%3b\" or space characters are not present in it.
+COMMAND_INJECTION_URL_PARAM_DIRECTLY_EXECUTED_IF_SEMICOLON_SPACE_LOGICAL_AND_%26_%3B_%7C_CASE_INSENSITIVE_NOT_PRESENT=\"ipaddress\" query param's value is directly executed if \";\", \"&\", \"%26\", \"%3B\", \"%3b\", \"%7C\", \"%7c\" or space characters are not present in it.
+
+
 # Local File Injection
 #URL_BASED_LFI_INJECTION=Url based Local File Injection attack.
 #LFI_URL_PARAM_BASED_DIRECT_INJECTION=Url Parameter \"fileName\" is directly passed to the include file.

src/main/resources/i18n/messages_en_US.properties

@@ -103,6 +103,16 @@ Important Links on Command Injection Vulnerability :<br/>\
  <li> <a href="https://owasp.org/www-community/attacks/Command_Injection">Owasp Wiki Link</a> \
 </ol>
 
+COMMAND_INJECTION_URL_CONTAINING_IPADDRESS=IP Address is passed in the URL parameter named \"ipaddress\"
+
+#### Attack vectors
+COMMAND_INJECTION_URL_PARAM_DIRECTLY_EXECUTED=\"ipaddress\" query param's value is directly executed.
+COMMAND_INJECTION_URL_PARAM_DIRECTLY_EXECUTED_IF_SEMICOLON_SPACE_LOGICAL_AND_NOT_PRESENT=\"ipaddress\" query param's value is directly executed if \";\", \"&\" or space characters are not present in it.
+COMMAND_INJECTION_URL_PARAM_DIRECTLY_EXECUTED_IF_SEMICOLON_SPACE_LOGICAL_AND_%26_%3B_NOT_PRESENT=\"ipaddress\" query param's value is directly executed if \";\", \"&\", \"%26\", \"%3B\" or space characters are not present in it.
+COMMAND_INJECTION_URL_PARAM_DIRECTLY_EXECUTED_IF_SEMICOLON_SPACE_LOGICAL_AND_%26_%3B_CASE_INSENSITIVE_NOT_PRESENT=\"ipaddress\" query param's value is directly executed if \";\", \"&\", \"%26\", \"%3B\", \"%3b\" or space characters are not present in it.
+COMMAND_INJECTION_URL_PARAM_DIRECTLY_EXECUTED_IF_SEMICOLON_SPACE_LOGICAL_AND_%26_%3B_%7C_CASE_INSENSITIVE_NOT_PRESENT=\"ipaddress\" query param's value is directly executed if \";\", \"&\", \"%26\", \"%3B\", \"%3b\", \"%7C\", \"%7c\" or space characters are not present in it.
+
+
 # Local File Injection
 #URL_BASED_LFI_INJECTION=Url based Local File Injection attack.
 #LFI_URL_PARAM_BASED_DIRECT_INJECTION=Url Parameter \"fileName\" is directly passed to the include file.

src/main/resources/static/templates/BlindSQLInjectionVulnerability/LEVEL_1/SQLInjection_Level1.css

@@ -1,11 +1,10 @@
 #sqlinjection_level_1 {
     color: black;
-    text-align: justify;
+    text-align: center;
 }
 
 #carInformation {
     font-size: 15px;
-    visibility: hidden;
 }
 
 #checkIfCarPresentButton {

src/main/resources/static/templates/BlindSQLInjectionVulnerability/LEVEL_1/SQLInjection_Level1.js

@@ -20,5 +20,4 @@ function fetchCarInfoCallBack(data) {
     document.getElementById("carInformation").innerHTML =
       "<div>Car is not Present</div>";
   }
-  document.getElementById("carInformation").style.visibility = "visible";
 }

src/main/resources/static/templates/CommandInjection/LEVEL_1/CI_Level1.css

@@ -0,0 +1,33 @@
+#ci_level_1 {
+    color: black;
+    text-align: center;
+}
+
+#pingUtilityResponse {
+    font-size: 15px;
+}
+
+#pingUtility {
+    display: flex;
+    flex-direction: column;
+}
+
+#heading {
+	font-size: 20px;
+}
+
+#input {
+	font-size: 15px;
+}
+
+#pingBtn {
+    background: blueviolet;
+    display: inline-block;
+    padding: 8px 8px;
+    margin: 10px;
+    border: 2px solid transparent;
+    border-radius: 3px;
+    transition: 0.2s opacity;
+    color: #FFF;
+    font-size: 12px;
+}

src/main/resources/static/templates/CommandInjection/LEVEL_1/CI_Level1.html

@@ -0,0 +1,13 @@
+<div id="ci_level_1">
+	<div>
+		<div id="pingUtility">
+			<div id="heading">Welcome to Ping utility.</div>
+			<div id="input">please enter IP address:
+				<input type="text" id="ipaddress"/>
+				<button id="pingBtn">Click here</button>
+			</div>
+		</div>
+		<div id="pingUtilityResponse">
+		</div>
+	</div>
+</div>

src/main/resources/static/templates/CommandInjection/LEVEL_1/CI_Level1.js

@@ -0,0 +1,17 @@
+function addingEventListenerToPingButton() {
+  document
+    .getElementById("pingBtn")
+    .addEventListener("click", function() {
+      let url = getUrlForVulnerabilityLevel();
+      doGetAjaxCall(
+        pingUtilityCallback,
+        url + "?ipaddress=" + document.getElementById("ipaddress").value,
+        true
+      );
+    });
+}
+addingEventListenerToPingButton();
+
+function pingUtilityCallback(data) {
+  document.getElementById("pingUtilityResponse").innerHTML = data.content;
+}

src/main/resources/static/templates/ErrorBasedSQLInjectionVulnerability/LEVEL_1/SQLInjection_Level1.css

@@ -1,11 +1,10 @@
 #sqlinjection_level_1 {
     color: black;
-    text-align: justify;
+    text-align: center;
 }
 
 #carInformation {
     font-size: 15px;
-    visibility: hidden;
 }
 
 #fetchCarImageButton {

src/main/resources/static/templates/ErrorBasedSQLInjectionVulnerability/LEVEL_1/SQLInjection_Level1.js

@@ -17,5 +17,4 @@ function fetchCarInfoCallBack(data) {
     document.getElementById("carInformation").innerHTML =
       "<img src='" + data.carInformation.imagePath + "' width='900'/>";
   }
-  document.getElementById("carInformation").style.visibility = "visible";
 }

src/main/resources/static/templates/UnionBasedSQLInjectionVulnerability/LEVEL_1/SQLInjection_Level1.css

@@ -1,11 +1,10 @@
 #sqlinjection_level_1 {
     color: black;
-    text-align: justify;
+    text-align: center;
 }
 
 #carInformation {
     font-size: 15px;
-    visibility: hidden;
 }
 
 #fetchCarImageButton {

src/main/resources/static/templates/UnionBasedSQLInjectionVulnerability/LEVEL_1/SQLInjection_Level1.js

@@ -15,5 +15,4 @@ addingEventListenerToFetchCarInfoButton();
 function fetchCarInfoCallBack(data) {
   document.getElementById("carInformation").innerHTML =
     "<img src='" + data.imagePath + "' width='900'/>";
-  document.getElementById("carInformation").style.visibility = "visible";
 }

src/main/resources/static/vulnerableApp.css

@@ -100,7 +100,7 @@ hr {
     height: 1px;
     border: 0;
     border-top: 1px solid black;
-    margin-left: 10%
+    margin-left: 10%;
     padding: 0;
 }
 
@@ -117,7 +117,6 @@ hr {
 }
 
 #vulnPracticeBtn, #vulnLearnBtn {
-    display: flex;
     justify-items: left;
     display: inline-block;
     padding: 8px 8px;