From bced3c5b66dd530676760b3f2f46dfae63a4ecbd Mon Sep 17 00:00:00 2001
From: karan preet singh sasan
Date: Sun, 2 Aug 2020 02:13:05 +0530
Subject: [PATCH] UI changes for Command Injection

---
 ...lnerability.java => CommandInjection.java} | 61 +++++++++----------
 src/main/resources/i18n/messages.properties | 10 +++
 .../resources/i18n/messages_en_US.properties | 10 +++
 .../LEVEL_1/SQLInjection_Level1.css | 3 +-
 .../LEVEL_1/SQLInjection_Level1.js | 1 -
 .../CommandInjection/LEVEL_1/CI_Level1.css | 33 ++++++++++
 .../CommandInjection/LEVEL_1/CI_Level1.html | 13 ++++
 .../CommandInjection/LEVEL_1/CI_Level1.js | 17 ++++++
 .../LEVEL_1/SQLInjection_Level1.css | 3 +-
 .../LEVEL_1/SQLInjection_Level1.js | 1 -
 .../LEVEL_1/SQLInjection_Level1.css | 3 +-
 .../LEVEL_1/SQLInjection_Level1.js | 1 -
 src/main/resources/static/vulnerableApp.css | 3 +-
 13 files changed, 116 insertions(+), 43 deletions(-)
 rename src/main/java/org/sasanlabs/service/vulnerability/commandInjection/{CommandInjectionVulnerability.java => CommandInjection.java} (82%)
 create mode 100644 src/main/resources/static/templates/CommandInjection/LEVEL_1/CI_Level1.css
 create mode 100644 src/main/resources/static/templates/CommandInjection/LEVEL_1/CI_Level1.html
 create mode 100644 src/main/resources/static/templates/CommandInjection/LEVEL_1/CI_Level1.js

diff --git a/src/main/java/org/sasanlabs/service/vulnerability/commandInjection/CommandInjectionVulnerability.java b/src/main/java/org/sasanlabs/service/vulnerability/commandInjection/CommandInjection.java
similarity index 82%
rename from src/main/java/org/sasanlabs/service/vulnerability/commandInjection/CommandInjectionVulnerability.java
rename to src/main/java/org/sasanlabs/service/vulnerability/commandInjection/CommandInjection.java
index 7edfa68e..ebbc2df8 100644
--- a/src/main/java/org/sasanlabs/service/vulnerability/commandInjection/CommandInjectionVulnerability.java
+++ b/src/main/java/org/sasanlabs/service/vulnerability/commandInjection/CommandInjection.java
@@ -25,11 +25,11 @@ */ @VulnerableServiceRestEndPoint( descriptionLabel = "COMMAND_INJECTION_VULNERABILITY", - value = "CommandInjectionVulnerability", + value = "CommandInjection", type = {VulnerabilityType.COMMAND_INJECTION}) -public class CommandInjectionVulnerability implements ICustomVulnerableEndPoint { +public class CommandInjection implements ICustomVulnerableEndPoint { - private static final String IP_ADDRESS = "ipaddr"; + private static final String IP_ADDRESS = "ipaddress"; private static final Pattern SEMICOLON_SPACE_LOGICAL_AND_PATTERN = Pattern.compile("[;& ]"); private static final Pattern IP_ADDRESS_PATTERN = Pattern.compile("\\b((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\\.|$)){4}\\b"); @@ -61,13 +61,13 @@ private StringBuilder getResponseFromPingCommand(String ipAddress, Supplier> getVulnerablePayloadLevel1( ParameterBean parameterBean) throws ServiceApplicationException, IOException { String ipAddress = parameterBean.getQueryParamKeyValueMap().get(IP_ADDRESS); @@ -79,13 +79,13 @@ public ResponseBean> getVulnerablePaylo @AttackVector( vulnerabilityExposed = VulnerabilitySubType.COMMAND_INJECTION, - description = "JWT_URL_EXPOSING_SECURE_INFORMATION") + description = "COMMAND_INJECTION_URL_PARAM_DIRECTLY_EXECUTED_IF_SEMICOLON_SPACE_LOGICAL_AND_NOT_PRESENT") @VulnerabilityLevel( value = LevelEnum.LEVEL_2, - descriptionLabel = "URL_CONTAINING_JWT_TOKEN", - // htmlTemplate = "LEVEL_1/JWT_Level1", + descriptionLabel = "COMMAND_INJECTION_URL_CONTAINING_IPADDRESS", + htmlTemplate = "LEVEL_1/CI_Level1", parameterName = IP_ADDRESS, - sampleValues = {""}) + sampleValues = {"localhost"}) public ResponseBean> getVulnerablePayloadLevel2( ParameterBean parameterBean) throws ServiceApplicationException, IOException { String ipAddress = parameterBean.getQueryParamKeyValueMap().get(IP_ADDRESS); 
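Review bot: The renamed constant `IP_ADDRESS = "ipaddress"` is now duplicated as a bare literal in the new template script, which builds the request as `url + "?ipaddress=" + ...`, and nothing ties the two together, so the next rename will silently break the UI while the endpoint keeps answering. A short comment on the constant would make the coupling visible: `private static final String IP_ADDRESS = "ipaddress"; // must match the query key hard-coded in templates/CommandInjection/LEVEL_1/CI_Level1.js`. The same key is also spelled out in the new i18n messages, so those need the same update whenever it changes. The enclosing class continues past this hunk.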
@@ -103,13 +103,13 @@ public ResponseBean> getVulnerablePaylo // Case Insensitive @AttackVector( vulnerabilityExposed = VulnerabilitySubType.COMMAND_INJECTION, - description = "JWT_URL_EXPOSING_SECURE_INFORMATION") + description = "COMMAND_INJECTION_URL_PARAM_DIRECTLY_EXECUTED_IF_SEMICOLON_SPACE_LOGICAL_AND_%26_%3B_NOT_PRESENT") @VulnerabilityLevel( value = LevelEnum.LEVEL_3, - descriptionLabel = "URL_CONTAINING_JWT_TOKEN", - // htmlTemplate = "LEVEL_1/JWT_Level1", + descriptionLabel = "COMMAND_INJECTION_URL_CONTAINING_IPADDRESS", + htmlTemplate = "LEVEL_1/CI_Level1", parameterName = IP_ADDRESS, - sampleValues = {""}) + sampleValues = {"localhost"}) public ResponseBean> getVulnerablePayloadLevel3( ParameterBean parameterBean) throws ServiceApplicationException, IOException { String ipAddress = parameterBean.getQueryParamKeyValueMap().get(IP_ADDRESS); @@ -127,16 +127,16 @@ public ResponseBean> getVulnerablePaylo } // e.g Attack - // http://localhost:9090/vulnerable/CommandInjectionVulnerability/LEVEL_3?ipaddr=192.168.0.1%20%7c%20cat%20/etc/passwd + // http://localhost:9090/vulnerable/CommandInjectionVulnerability/LEVEL_3?ipaddress=192.168.0.1%20%7c%20cat%20/etc/passwd @AttackVector( vulnerabilityExposed = VulnerabilitySubType.COMMAND_INJECTION, - description = "JWT_URL_EXPOSING_SECURE_INFORMATION") + description = "COMMAND_INJECTION_URL_PARAM_DIRECTLY_EXECUTED_IF_SEMICOLON_SPACE_LOGICAL_AND_%26_%3B_CASE_INSENSITIVE_NOT_PRESENT") @VulnerabilityLevel( value = LevelEnum.LEVEL_4, - descriptionLabel = "URL_CONTAINING_JWT_TOKEN", - // htmlTemplate = "LEVEL_1/JWT_Level1", + descriptionLabel = "COMMAND_INJECTION_URL_CONTAINING_IPADDRESS", + htmlTemplate = "LEVEL_1/CI_Level1", parameterName = IP_ADDRESS, - sampleValues = {""}) + sampleValues = {"localhost"}) public ResponseBean> getVulnerablePayloadLevel4( ParameterBean parameterBean) throws ServiceApplicationException, IOException { String ipAddress = parameterBean.getQueryParamKeyValueMap().get(IP_ADDRESS); 
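Review bot: The example-URL comment in the `@@ -127` hunk updates the query key to `ipaddress` but still points at the `/vulnerable/CommandInjectionVulnerability/` path, while this commit changes the endpoint annotation's `value` to `"CommandInjection"`; if the route is derived from that value, as the old name and old path suggest, the comment now documents a URL that no longer resolves. Replace the path segment with `CommandInjection` in that comment, or drop the hard-coded host and port and describe the request shape instead. The surrounding method bodies start and end outside the hunk.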
@@ -155,13 +155,13 @@ public ResponseBean> getVulnerablePaylo @AttackVector( vulnerabilityExposed = VulnerabilitySubType.COMMAND_INJECTION, - description = "JWT_URL_EXPOSING_SECURE_INFORMATION") + description = "COMMAND_INJECTION_URL_PARAM_DIRECTLY_EXECUTED_IF_SEMICOLON_SPACE_LOGICAL_AND_%26_%3B_%7C_CASE_INSENSITIVE_NOT_PRESENT") @VulnerabilityLevel( value = LevelEnum.LEVEL_5, - descriptionLabel = "URL_CONTAINING_JWT_TOKEN", - // htmlTemplate = "LEVEL_1/JWT_Level1", + descriptionLabel = "COMMAND_INJECTION_URL_CONTAINING_IPADDRESS", + htmlTemplate = "LEVEL_1/CI_Level1", parameterName = IP_ADDRESS, - sampleValues = {""}) + sampleValues = {"localhost"}) public ResponseBean> getVulnerablePayloadLevel5( ParameterBean parameterBean) throws ServiceApplicationException, IOException { String ipAddress = parameterBean.getQueryParamKeyValueMap().get(IP_ADDRESS); @@ -179,15 +179,12 @@ public ResponseBean> getVulnerablePaylo this.getResponseFromPingCommand(ipAddress, condition).toString(), true)); } - @AttackVector( - vulnerabilityExposed = VulnerabilitySubType.COMMAND_INJECTION, - description = "JWT_URL_EXPOSING_SECURE_INFORMATION") @VulnerabilityLevel( value = LevelEnum.LEVEL_6, - descriptionLabel = "URL_CONTAINING_JWT_TOKEN", - // htmlTemplate = "LEVEL_1/JWT_Level1", + descriptionLabel = "COMMAND_INJECTION_URL_CONTAINING_IPADDRESS", + htmlTemplate = "LEVEL_1/CI_Level1", parameterName = IP_ADDRESS, - sampleValues = {""}) + sampleValues = {"localhost"}) public ResponseBean> getVulnerablePayloadLevel6( ParameterBean parameterBean) throws ServiceApplicationException, IOException { String ipAddress = parameterBean.getQueryParamKeyValueMap().get(IP_ADDRESS); @@ -197,9 +194,9 @@ public ResponseBean> getVulnerablePaylo ipAddress, () -> ipAddress != null - && IP_ADDRESS_PATTERN + && (IP_ADDRESS_PATTERN .matcher(ipAddress) - .matches()) + .matches() || ipAddress.contentEquals("localhost"))) .toString(), true)); } 
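Review bot: In the `@@ -197` hunk the Level 6 allow-list check now lives inline in a multi-line lambda, and the parenthesisation (`!= null && (… || …)`) is the only thing separating a safe check from one that dereferences `ipAddress` when it is null; that decision deserves a name. Pull it into a predicate, `private static boolean isAllowedHost(String host) { return host != null && (IP_ADDRESS_PATTERN.matcher(host).matches() || host.contentEquals("localhost")); }`, and call it as `() -> isAllowedHost(ipAddress)`. Level 6 is the one level this diff leaves without an `@AttackVector`, so a one-line comment on the method stating that it is the reference (non-vulnerable) implementation and that the allow-list is a dotted-quad IPv4 address or the literal `localhost` would tell readers exactly what the secure level guarantees. The method body continues outside the hunk.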
diff --git a/src/main/resources/i18n/messages.properties b/src/main/resources/i18n/messages.properties
index db8c7b67..d25a03e7 100755
--- a/src/main/resources/i18n/messages.properties
+++ b/src/main/resources/i18n/messages.properties
@@ -103,6 +103,16 @@ Important Links on Command Injection Vulnerability :
\
  • Owasp Wiki Link \ +COMMAND_INJECTION_URL_CONTAINING_IPADDRESS=IP Address is passed in the URL parameter named \"ipaddress\" + +#### Attack vectors +COMMAND_INJECTION_URL_PARAM_DIRECTLY_EXECUTED=\"ipaddress\" query param's value is directly executed. +COMMAND_INJECTION_URL_PARAM_DIRECTLY_EXECUTED_IF_SEMICOLON_SPACE_LOGICAL_AND_NOT_PRESENT=\"ipaddress\" query param's value is directly executed if \";\", \"&\" or space characters are not present in it. +COMMAND_INJECTION_URL_PARAM_DIRECTLY_EXECUTED_IF_SEMICOLON_SPACE_LOGICAL_AND_%26_%3B_NOT_PRESENT=\"ipaddress\" query param's value is directly executed if \";\", \"&\", \"%26\", \"%3B\" or space characters are not present in it. +COMMAND_INJECTION_URL_PARAM_DIRECTLY_EXECUTED_IF_SEMICOLON_SPACE_LOGICAL_AND_%26_%3B_CASE_INSENSITIVE_NOT_PRESENT=\"ipaddress\" query param's value is directly executed if \";\", \"&\", \"%26\", \"%3B\", \"%3b\" or space characters are not present in it. +COMMAND_INJECTION_URL_PARAM_DIRECTLY_EXECUTED_IF_SEMICOLON_SPACE_LOGICAL_AND_%26_%3B_%7C_CASE_INSENSITIVE_NOT_PRESENT=\"ipaddress\" query param's value is directly executed if \";\", \"&\", \"%26\", \"%3B\", \"%3b\", \"%7C\", \"%7c\" or space characters are not present in it. + + # Local File Injection #URL_BASED_LFI_INJECTION=Url based Local File Injection attack. #LFI_URL_PARAM_BASED_DIRECT_INJECTION=Url Parameter \"fileName\" is directly passed to the include file. diff --git a/src/main/resources/i18n/messages_en_US.properties b/src/main/resources/i18n/messages_en_US.properties index db8c7b67..d25a03e7 100755 --- a/src/main/resources/i18n/messages_en_US.properties +++ b/src/main/resources/i18n/messages_en_US.properties @@ -103,6 +103,16 @@ Important Links on Command Injection Vulnerability :
    \
  • Owasp Wiki Link \ +COMMAND_INJECTION_URL_CONTAINING_IPADDRESS=IP Address is passed in the URL parameter named \"ipaddress\" + +#### Attack vectors +COMMAND_INJECTION_URL_PARAM_DIRECTLY_EXECUTED=\"ipaddress\" query param's value is directly executed. +COMMAND_INJECTION_URL_PARAM_DIRECTLY_EXECUTED_IF_SEMICOLON_SPACE_LOGICAL_AND_NOT_PRESENT=\"ipaddress\" query param's value is directly executed if \";\", \"&\" or space characters are not present in it. +COMMAND_INJECTION_URL_PARAM_DIRECTLY_EXECUTED_IF_SEMICOLON_SPACE_LOGICAL_AND_%26_%3B_NOT_PRESENT=\"ipaddress\" query param's value is directly executed if \";\", \"&\", \"%26\", \"%3B\" or space characters are not present in it. +COMMAND_INJECTION_URL_PARAM_DIRECTLY_EXECUTED_IF_SEMICOLON_SPACE_LOGICAL_AND_%26_%3B_CASE_INSENSITIVE_NOT_PRESENT=\"ipaddress\" query param's value is directly executed if \";\", \"&\", \"%26\", \"%3B\", \"%3b\" or space characters are not present in it. +COMMAND_INJECTION_URL_PARAM_DIRECTLY_EXECUTED_IF_SEMICOLON_SPACE_LOGICAL_AND_%26_%3B_%7C_CASE_INSENSITIVE_NOT_PRESENT=\"ipaddress\" query param's value is directly executed if \";\", \"&\", \"%26\", \"%3B\", \"%3b\", \"%7C\", \"%7c\" or space characters are not present in it. + + # Local File Injection #URL_BASED_LFI_INJECTION=Url based Local File Injection attack. #LFI_URL_PARAM_BASED_DIRECT_INJECTION=Url Parameter \"fileName\" is directly passed to the include file. diff --git a/src/main/resources/static/templates/BlindSQLInjectionVulnerability/LEVEL_1/SQLInjection_Level1.css b/src/main/resources/static/templates/BlindSQLInjectionVulnerability/LEVEL_1/SQLInjection_Level1.css index 5042e1c0..102d9d6b 100644 --- a/src/main/resources/static/templates/BlindSQLInjectionVulnerability/LEVEL_1/SQLInjection_Level1.css +++ b/src/main/resources/static/templates/BlindSQLInjectionVulnerability/LEVEL_1/SQLInjection_Level1.css 
@@ -1,11 +1,10 @@ #sqlinjection_level_1 { color: black; - text-align: justify; + text-align: center; } #carInformation { font-size: 15px; - visibility: hidden; } #checkIfCarPresentButton { diff --git a/src/main/resources/static/templates/BlindSQLInjectionVulnerability/LEVEL_1/SQLInjection_Level1.js b/src/main/resources/static/templates/BlindSQLInjectionVulnerability/LEVEL_1/SQLInjection_Level1.js index 438197a8..413d27a7 100644 --- a/src/main/resources/static/templates/BlindSQLInjectionVulnerability/LEVEL_1/SQLInjection_Level1.js +++ b/src/main/resources/static/templates/BlindSQLInjectionVulnerability/LEVEL_1/SQLInjection_Level1.js @@ -20,5 +20,4 @@ function fetchCarInfoCallBack(data) { document.getElementById("carInformation").innerHTML = "
    Car is not Present
    "; } - document.getElementById("carInformation").style.visibility = "visible"; } diff --git a/src/main/resources/static/templates/CommandInjection/LEVEL_1/CI_Level1.css b/src/main/resources/static/templates/CommandInjection/LEVEL_1/CI_Level1.css new file mode 100644 index 00000000..85c867e2 --- /dev/null +++ b/src/main/resources/static/templates/CommandInjection/LEVEL_1/CI_Level1.css @@ -0,0 +1,33 @@ +#ci_level_1 { + color: black; + text-align: center; +} + +#pingUtilityResponse { + font-size: 15px; +} + +#pingUtility { + display: flex; + flex-direction: column; +} + +#heading { + font-size: 20px; +} + +#input { + font-size: 15px; +} + +#pingBtn { + background: blueviolet; + display: inline-block; + padding: 8px 8px; + margin: 10px; + border: 2px solid transparent; + border-radius: 3px; + transition: 0.2s opacity; + color: #FFF; + font-size: 12px; +} \ No newline at end of file diff --git a/src/main/resources/static/templates/CommandInjection/LEVEL_1/CI_Level1.html b/src/main/resources/static/templates/CommandInjection/LEVEL_1/CI_Level1.html new file mode 100644 index 00000000..f04f82af --- /dev/null +++ b/src/main/resources/static/templates/CommandInjection/LEVEL_1/CI_Level1.html @@ -0,0 +1,13 @@ +
    +
    +
    +
    Welcome to Ping utility.
    +
    please enter IP address: + + +
    +
    +
    +
    +
    +
    \ No newline at end of file diff --git a/src/main/resources/static/templates/CommandInjection/LEVEL_1/CI_Level1.js b/src/main/resources/static/templates/CommandInjection/LEVEL_1/CI_Level1.js new file mode 100644 index 00000000..32e3e69b --- /dev/null +++ b/src/main/resources/static/templates/CommandInjection/LEVEL_1/CI_Level1.js @@ -0,0 +1,17 @@ +function addingEventListenerToPingButton() { + document + .getElementById("pingBtn") + .addEventListener("click", function() { + let url = getUrlForVulnerabilityLevel(); + doGetAjaxCall( + pingUtilityCallback, + url + "?ipaddress=" + document.getElementById("ipaddress").value, + true + ); + }); +} +addingEventListenerToPingButton(); + +function pingUtilityCallback(data) { + document.getElementById("pingUtilityResponse").innerHTML = data.content; +} diff --git a/src/main/resources/static/templates/ErrorBasedSQLInjectionVulnerability/LEVEL_1/SQLInjection_Level1.css b/src/main/resources/static/templates/ErrorBasedSQLInjectionVulnerability/LEVEL_1/SQLInjection_Level1.css index 55e5e981..e12a115c 100644 --- a/src/main/resources/static/templates/ErrorBasedSQLInjectionVulnerability/LEVEL_1/SQLInjection_Level1.css +++ b/src/main/resources/static/templates/ErrorBasedSQLInjectionVulnerability/LEVEL_1/SQLInjection_Level1.css @@ -1,11 +1,10 @@ #sqlinjection_level_1 { color: black; - text-align: justify; + text-align: center; } #carInformation { font-size: 15px; - visibility: hidden; } #fetchCarImageButton { diff --git a/src/main/resources/static/templates/ErrorBasedSQLInjectionVulnerability/LEVEL_1/SQLInjection_Level1.js b/src/main/resources/static/templates/ErrorBasedSQLInjectionVulnerability/LEVEL_1/SQLInjection_Level1.js index 5384ad06..cb6b9730 100644 --- a/src/main/resources/static/templates/ErrorBasedSQLInjectionVulnerability/LEVEL_1/SQLInjection_Level1.js +++ b/src/main/resources/static/templates/ErrorBasedSQLInjectionVulnerability/LEVEL_1/SQLInjection_Level1.js 
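Review bot: `pingUtilityCallback` in CI_Level1.js writes `data.content` into the page with `innerHTML`, but that content is the server-side ping output returned as the response content (see `getResponseFromPingCommand(...).toString()` in the Java hunks), i.e. plain text, and for the vulnerable levels it can contain whatever the request parameter caused the shell to print; rendering it as HTML adds a client-side script-injection sink that the exercise is not about. Use `document.getElementById("pingUtilityResponse").textContent = data.content;` so the output is displayed verbatim without being parsed as markup. The SQL-injection templates in this diff use `innerHTML` because they render markup they build themselves; this callback renders an opaque string. The `ipaddress` value is concatenated into the query string without `encodeURIComponent`, which may be deliberate so percent-encoded input reaches the server untouched for Levels 3–5, so I would add a comment saying so rather than change it.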
@@ -17,5 +17,4 @@ function fetchCarInfoCallBack(data) { document.getElementById("carInformation").innerHTML = ""; } - document.getElementById("carInformation").style.visibility = "visible"; } diff --git a/src/main/resources/static/templates/UnionBasedSQLInjectionVulnerability/LEVEL_1/SQLInjection_Level1.css b/src/main/resources/static/templates/UnionBasedSQLInjectionVulnerability/LEVEL_1/SQLInjection_Level1.css index 55e5e981..e12a115c 100644 --- a/src/main/resources/static/templates/UnionBasedSQLInjectionVulnerability/LEVEL_1/SQLInjection_Level1.css +++ b/src/main/resources/static/templates/UnionBasedSQLInjectionVulnerability/LEVEL_1/SQLInjection_Level1.css @@ -1,11 +1,10 @@ #sqlinjection_level_1 { color: black; - text-align: justify; + text-align: center; } #carInformation { font-size: 15px; - visibility: hidden; } #fetchCarImageButton { diff --git a/src/main/resources/static/templates/UnionBasedSQLInjectionVulnerability/LEVEL_1/SQLInjection_Level1.js b/src/main/resources/static/templates/UnionBasedSQLInjectionVulnerability/LEVEL_1/SQLInjection_Level1.js index 61cb7c17..4a4aeb14 100644 --- a/src/main/resources/static/templates/UnionBasedSQLInjectionVulnerability/LEVEL_1/SQLInjection_Level1.js +++ b/src/main/resources/static/templates/UnionBasedSQLInjectionVulnerability/LEVEL_1/SQLInjection_Level1.js @@ -15,5 +15,4 @@ addingEventListenerToFetchCarInfoButton(); function fetchCarInfoCallBack(data) { document.getElementById("carInformation").innerHTML = ""; - document.getElementById("carInformation").style.visibility = "visible"; } diff --git a/src/main/resources/static/vulnerableApp.css b/src/main/resources/static/vulnerableApp.css index 25842d11..a3b6f155 100755 --- a/src/main/resources/static/vulnerableApp.css +++ b/src/main/resources/static/vulnerableApp.css @@ -100,7 +100,7 @@ hr { height: 1px; border: 0; border-top: 1px solid black; - margin-left: 10% + margin-left: 10%; padding: 0; } 
@@ -117,7 +117,6 @@ hr { } #vulnPracticeBtn, #vulnLearnBtn { - display: flex; justify-items: left; display: inline-block; padding: 8px 8px;