From e1a71b9411af01d552de8b9d4563bdf4c1229e21 Mon Sep 17 00:00:00 2001 From: karan preet singh sasan Date: Wed, 29 Jul 2020 02:33:41 +0530 Subject: [PATCH] Adding CommandInjection Vulnerability levels --- .../sasanlabs/internal/utility/LevelEnum.java | 2 + .../CommandInjectionVulnerability.java | 200 +++++++++++++++--- .../PathTraversalVulnerability.java | 79 ++++++- .../types/VulnerabilitySubType.java | 4 +- src/main/resources/i18n/messages.properties | 2 + .../resources/i18n/messages_en_US.properties | 2 + 6 files changed, 247 insertions(+), 42 deletions(-) diff --git a/src/main/java/org/sasanlabs/internal/utility/LevelEnum.java b/src/main/java/org/sasanlabs/internal/utility/LevelEnum.java index cfa57546..361ddbe3 100755 --- a/src/main/java/org/sasanlabs/internal/utility/LevelEnum.java +++ b/src/main/java/org/sasanlabs/internal/utility/LevelEnum.java @@ -19,6 +19,8 @@ public enum LevelEnum { LEVEL_8, LEVEL_9, LEVEL_10, + LEVEL_11, + LEVEL_12, SECURE; public static LevelEnum getLevelEnumByName(String name) throws ServiceApplicationException { diff --git a/src/main/java/org/sasanlabs/service/vulnerability/commandInjection/CommandInjectionVulnerability.java b/src/main/java/org/sasanlabs/service/vulnerability/commandInjection/CommandInjectionVulnerability.java index d5a536e2..7edfa68e 100644 --- a/src/main/java/org/sasanlabs/service/vulnerability/commandInjection/CommandInjectionVulnerability.java +++ b/src/main/java/org/sasanlabs/service/vulnerability/commandInjection/CommandInjectionVulnerability.java 
@@ -3,10 +3,8 @@ import java.io.BufferedReader; import java.io.IOException; import java.io.InputStreamReader; -import java.util.concurrent.TimeUnit; - -import org.apache.logging.log4j.LogManager; -import org.apache.logging.log4j.Logger; +import java.util.function.Supplier; +import java.util.regex.Pattern; import org.sasanlabs.internal.utility.LevelEnum; import org.sasanlabs.internal.utility.annotations.AttackVector; import org.sasanlabs.internal.utility.annotations.VulnerabilityLevel; 
@@ -19,46 +17,190 @@ import org.sasanlabs.vulnerability.types.VulnerabilitySubType; import org.sasanlabs.vulnerability.types.VulnerabilityType; - /** - * This class contains vulnerabilities related to Command Injection. - * For More information - * + * This class contains vulnerabilities related to Command Injection. For More information + * * @author KSASAN preetkaran20@gmail.com */ @VulnerableServiceRestEndPoint( descriptionLabel = "COMMAND_INJECTION_VULNERABILITY", value = "CommandInjectionVulnerability", type = {VulnerabilityType.COMMAND_INJECTION}) -public class CommandInjectionVulnerability implements ICustomVulnerableEndPoint{ +public class CommandInjectionVulnerability implements ICustomVulnerableEndPoint { + + private static final String IP_ADDRESS = "ipaddr"; + private static final Pattern SEMICOLON_SPACE_LOGICAL_AND_PATTERN = Pattern.compile("[;& ]"); + private static final Pattern IP_ADDRESS_PATTERN = + Pattern.compile("\\b((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\\.|$)){4}\\b"); - private static final String IP_ADDRESS = "ipaddr"; - private static final transient Logger LOGGER = LogManager.getLogger(CommandInjectionVulnerability.class); + private StringBuilder getResponseFromPingCommand(String ipAddress, Supplier predicate) + throws IOException { + boolean isWindows = System.getProperty("os.name").toLowerCase().startsWith("windows"); + StringBuilder stringBuilder = new StringBuilder(); + if (predicate.get()) { + Process process; + if (!isWindows) { + process = + new ProcessBuilder(new String[] {"bash", "-c", "ping -c 2 " + ipAddress}) + .redirectErrorStream(true) + .start(); + } else { + process = + new ProcessBuilder(new String[] {"cmd", "/c", "ping -n 2 " + ipAddress}) + .redirectErrorStream(true) + .start(); + } + try (BufferedReader bufferedReader = + new BufferedReader(new InputStreamReader(process.getInputStream()))) { + bufferedReader.lines().forEach(val -> stringBuilder.append(val).append("\n")); + } + } + return stringBuilder; + } - 
@AttackVector( + @AttackVector( vulnerabilityExposed = VulnerabilitySubType.COMMAND_INJECTION, description = "JWT_URL_EXPOSING_SECURE_INFORMATION") @VulnerabilityLevel( value = LevelEnum.LEVEL_1, descriptionLabel = "URL_CONTAINING_JWT_TOKEN", - //htmlTemplate = "LEVEL_1/JWT_Level1", + // htmlTemplate = "LEVEL_1/JWT_Level1", + parameterName = IP_ADDRESS, + sampleValues = {""}) + public ResponseBean> getVulnerablePayloadLevel1( + ParameterBean parameterBean) throws ServiceApplicationException, IOException { + String ipAddress = parameterBean.getQueryParamKeyValueMap().get(IP_ADDRESS); + Supplier condition = () -> ipAddress != null; + return new ResponseBean>( + new GenericVulnerabilityResponseBean( + this.getResponseFromPingCommand(ipAddress, condition).toString(), true)); + } + + @AttackVector( + vulnerabilityExposed = VulnerabilitySubType.COMMAND_INJECTION, + description = "JWT_URL_EXPOSING_SECURE_INFORMATION") + @VulnerabilityLevel( + value = LevelEnum.LEVEL_2, + descriptionLabel = "URL_CONTAINING_JWT_TOKEN", + // htmlTemplate = "LEVEL_1/JWT_Level1", + parameterName = IP_ADDRESS, + sampleValues = {""}) + public ResponseBean> getVulnerablePayloadLevel2( + ParameterBean parameterBean) throws ServiceApplicationException, IOException { + String ipAddress = parameterBean.getQueryParamKeyValueMap().get(IP_ADDRESS); + Supplier condition = + () -> + ipAddress != null + && !SEMICOLON_SPACE_LOGICAL_AND_PATTERN + .matcher(parameterBean.getUrl()) + .find(); + return new ResponseBean>( + new GenericVulnerabilityResponseBean( + this.getResponseFromPingCommand(ipAddress, condition).toString(), true)); + } + + // Case Insensitive + @AttackVector( + vulnerabilityExposed = VulnerabilitySubType.COMMAND_INJECTION, + description = "JWT_URL_EXPOSING_SECURE_INFORMATION") + @VulnerabilityLevel( + value = LevelEnum.LEVEL_3, + descriptionLabel = "URL_CONTAINING_JWT_TOKEN", + // htmlTemplate = "LEVEL_1/JWT_Level1", + parameterName = IP_ADDRESS, + sampleValues = {""}) + public ResponseBean> 
getVulnerablePayloadLevel3( + ParameterBean parameterBean) throws ServiceApplicationException, IOException { + String ipAddress = parameterBean.getQueryParamKeyValueMap().get(IP_ADDRESS); + Supplier condition = + () -> + ipAddress != null + && !SEMICOLON_SPACE_LOGICAL_AND_PATTERN + .matcher(parameterBean.getUrl()) + .find() + && !parameterBean.getUrl().contains("%26") + && !parameterBean.getUrl().contains("%3B"); + return new ResponseBean>( + new GenericVulnerabilityResponseBean( + this.getResponseFromPingCommand(ipAddress, condition).toString(), true)); + } + + // e.g Attack + // http://localhost:9090/vulnerable/CommandInjectionVulnerability/LEVEL_3?ipaddr=192.168.0.1%20%7c%20cat%20/etc/passwd + @AttackVector( + vulnerabilityExposed = VulnerabilitySubType.COMMAND_INJECTION, + description = "JWT_URL_EXPOSING_SECURE_INFORMATION") + @VulnerabilityLevel( + value = LevelEnum.LEVEL_4, + descriptionLabel = "URL_CONTAINING_JWT_TOKEN", + // htmlTemplate = "LEVEL_1/JWT_Level1", + parameterName = IP_ADDRESS, + sampleValues = {""}) + public ResponseBean> getVulnerablePayloadLevel4( + ParameterBean parameterBean) throws ServiceApplicationException, IOException { + String ipAddress = parameterBean.getQueryParamKeyValueMap().get(IP_ADDRESS); + Supplier condition = + () -> + ipAddress != null + && !SEMICOLON_SPACE_LOGICAL_AND_PATTERN + .matcher(parameterBean.getUrl()) + .find() + && !parameterBean.getUrl().toUpperCase().contains("%26") + && !parameterBean.getUrl().toUpperCase().contains("%3B"); + return new ResponseBean>( + new GenericVulnerabilityResponseBean( + this.getResponseFromPingCommand(ipAddress, condition).toString(), true)); + } + + @AttackVector( + vulnerabilityExposed = VulnerabilitySubType.COMMAND_INJECTION, + description = "JWT_URL_EXPOSING_SECURE_INFORMATION") + @VulnerabilityLevel( + value = LevelEnum.LEVEL_5, + descriptionLabel = "URL_CONTAINING_JWT_TOKEN", + // htmlTemplate = "LEVEL_1/JWT_Level1", + parameterName = IP_ADDRESS, + sampleValues = {""}) + public 
ResponseBean> getVulnerablePayloadLevel5( + ParameterBean parameterBean) throws ServiceApplicationException, IOException { + String ipAddress = parameterBean.getQueryParamKeyValueMap().get(IP_ADDRESS); + Supplier condition = + () -> + ipAddress != null + && !SEMICOLON_SPACE_LOGICAL_AND_PATTERN + .matcher(parameterBean.getUrl()) + .find() + && !parameterBean.getUrl().toUpperCase().contains("%26") + && !parameterBean.getUrl().toUpperCase().contains("%3B") + & !parameterBean.getUrl().toUpperCase().contains("%7C"); + return new ResponseBean>( + new GenericVulnerabilityResponseBean( + this.getResponseFromPingCommand(ipAddress, condition).toString(), true)); + } + + @AttackVector( + vulnerabilityExposed = VulnerabilitySubType.COMMAND_INJECTION, + description = "JWT_URL_EXPOSING_SECURE_INFORMATION") + @VulnerabilityLevel( + value = LevelEnum.LEVEL_6, + descriptionLabel = "URL_CONTAINING_JWT_TOKEN", + // htmlTemplate = "LEVEL_1/JWT_Level1", parameterName = IP_ADDRESS, sampleValues = {""}) - public ResponseBean> getVulnerablePayloadLevelUnsecure( - ParameterBean parameterBean) - throws ServiceApplicationException, IOException { - boolean isWindows = System.getProperty("os.name") - .toLowerCase().startsWith("windows"); - Process process; - if(!isWindows) { - process = new ProcessBuilder(new String[] { "bash", "-c", "ping -c 2 " + parameterBean.getQueryParamKeyValueMap().get(IP_ADDRESS)}).redirectErrorStream(true).start(); - } else { - process = new ProcessBuilder(new String[] { "cmd", "/c", "ping -n 2 " + parameterBean.getQueryParamKeyValueMap().get(IP_ADDRESS)}).redirectErrorStream(true).start(); - } - StringBuilder response = new StringBuilder(); - try(BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(process.getInputStream()))) { - bufferedReader.lines().forEach(val -> response.append(val).append("\n")); - } - return new ResponseBean>(new GenericVulnerabilityResponseBean(response.toString(), true)); + public ResponseBean> getVulnerablePayloadLevel6( 
+ ParameterBean parameterBean) throws ServiceApplicationException, IOException { + String ipAddress = parameterBean.getQueryParamKeyValueMap().get(IP_ADDRESS); + return new ResponseBean>( + new GenericVulnerabilityResponseBean( + this.getResponseFromPingCommand( + ipAddress, + () -> + ipAddress != null + && IP_ADDRESS_PATTERN + .matcher(ipAddress) + .matches()) + .toString(), + true)); } } diff --git a/src/main/java/org/sasanlabs/service/vulnerability/pathTraversal/PathTraversalVulnerability.java b/src/main/java/org/sasanlabs/service/vulnerability/pathTraversal/PathTraversalVulnerability.java index 955e5c8a..94d9c88b 100644 --- a/src/main/java/org/sasanlabs/service/vulnerability/pathTraversal/PathTraversalVulnerability.java +++ b/src/main/java/org/sasanlabs/service/vulnerability/pathTraversal/PathTraversalVulnerability.java @@ -153,7 +153,7 @@ public ResponseBean> getVulnerablePaylo @AttackVector( vulnerabilityExposed = {VulnerabilitySubType.PATH_TRAVERSAL}, description = - "PATH_TRAVERSAL_URL_PARAM_IF_DOT_DOT_PATH_WITH_OR_WITHOUT_URL_ENCODING_NOT_PRESENT_DIRECTLY_INJECTED") + "PATH_TRAVERSAL_URL_PARAM_IF_DOT_DOT_PATH_OR_%2F_CASE_INSENSITIVE_NOT_PRESENT_DIRECTLY_INJECTED") @VulnerabilityLevel( value = LevelEnum.LEVEL_5, descriptionLabel = "PATH_TRAVERSAL_URL_CONTAINING_FILENAME", 
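Review bot: Level 5's condition joins its final term with the bitwise `&` while every other term uses `&&` (`& !parameterBean.getUrl().toUpperCase().contains("%7C")`); on booleans the outcome is the same, but `&` binds tighter than `&&` and does not short-circuit, so it reads as a typo and should be `&& !parameterBean.getUrl().toUpperCase().contains("%7C")`. All six `@AttackVector`/`@VulnerabilityLevel` annotations in this hunk still carry the labels copied from the JWT endpoint (`description = "JWT_URL_EXPOSING_SECURE_INFORMATION"`, `descriptionLabel = "URL_CONTAINING_JWT_TOKEN"`, plus a commented-out `htmlTemplate`), so the UI will describe a command-injection level as a JWT one; command-injection-specific message keys, like the PATH_TRAVERSAL keys this commit adds to messages.properties, are needed. In `getResponseFromPingCommand` the child process is read to EOF but never `waitFor`-ed or destroyed, so a ping that does not exit pins the request thread, and with the `TimeUnit` import removed it looks as though a bounded wait was dropped rather than added; a Javadoc line saying that `predicate` (typed `Supplier` here, `BooleanSupplier` would fit better) gates whether the command runs at all and that an empty builder is returned otherwise would also help. LEVEL_6 still routes the validated address through `bash -c`/`cmd /c` like the other levels; if it is meant to be the hardened variant, passing `ping`, `-c`, `2` and the address as separate `ProcessBuilder` arguments removes the shell from the path instead of relying on the regex alone.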
@@ -163,6 +163,27 @@ public ResponseBean> getVulnerablePaylo public ResponseBean> getVulnerablePayloadLevel5( ParameterBean parameterBean) { String fileName = parameterBean.getQueryParamKeyValueMap().get(URL_PARAM_KEY); + return this.readFile( + () -> + !parameterBean.getUrl().contains("..") + && !parameterBean.getUrl().toLowerCase().contains("%2f") + && fileName != null, + fileName); + } + + @AttackVector( + vulnerabilityExposed = {VulnerabilitySubType.PATH_TRAVERSAL}, + description = + "PATH_TRAVERSAL_URL_PARAM_IF_DOT_DOT_PATH_WITH_OR_WITHOUT_URL_ENCODING_NOT_PRESENT_DIRECTLY_INJECTED") + @VulnerabilityLevel( + value = LevelEnum.LEVEL_6, + descriptionLabel = "PATH_TRAVERSAL_URL_CONTAINING_FILENAME", + htmlTemplate = "LEVEL_1/PathTraversal", + parameterName = URL_PARAM_KEY, + sampleValues = {SAMPLE_VALUE_FILE_NAME}) + public ResponseBean> getVulnerablePayloadLevel6( + ParameterBean parameterBean) { + String fileName = parameterBean.getQueryParamKeyValueMap().get(URL_PARAM_KEY); return this.readFile(() -> fileName != null && !fileName.contains(".."), fileName); } @@ -174,12 +195,12 @@ public ResponseBean> getVulnerablePaylo }, description = "PATH_TRAVERSAL_URL_PARAM_BEFORE_NULL_BYTE_DIRECTLY_INJECTED") @VulnerabilityLevel( - value = LevelEnum.LEVEL_6, + value = LevelEnum.LEVEL_7, descriptionLabel = "PATH_TRAVERSAL_URL_CONTAINING_FILENAME", htmlTemplate = "LEVEL_1/PathTraversal", parameterName = URL_PARAM_KEY, sampleValues = {SAMPLE_VALUE_FILE_NAME}) - public ResponseBean> getVulnerablePayloadLevel6( + public ResponseBean> getVulnerablePayloadLevel7( ParameterBean parameterBean) { String queryFileName = parameterBean.getQueryParamKeyValueMap().get(URL_PARAM_KEY); String fileName = null; 
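Review bot: The new LEVEL_5 predicate screens the raw `parameterBean.getUrl()` for `..` and a lower-cased `%2f`, whereas LEVEL_6 directly below screens the decoded `fileName`; nothing in the code says this difference is the point of the two levels, and a one-line comment on each, e.g. `// LEVEL_5: filters the raw request URL, not the decoded parameter` and `// LEVEL_6: filters the decoded query parameter value`, would stop the next reader from "fixing" one to match the other. In LEVEL_5 the `fileName != null` guard is the last operand, so both `getUrl()` checks run before the null test; putting it first, `fileName != null && !parameterBean.getUrl().contains("..") && !parameterBean.getUrl().toLowerCase().contains("%2f")`, mirrors LEVEL_6 and the other levels. The annotations of `getVulnerablePayloadLevel5` sit outside this hunk.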
@@ -208,12 +229,12 @@ public ResponseBean> getVulnerablePaylo description = "PATH_TRAVERSAL_URL_PARAM_BEFORE_NULL_BYTE_IF_PARENT_DIRECTORY_PATH_NOT_PRESENT_DIRECTLY_INJECTED") @VulnerabilityLevel( - value = LevelEnum.LEVEL_7, + value = LevelEnum.LEVEL_8, descriptionLabel = "PATH_TRAVERSAL_URL_CONTAINING_FILENAME", htmlTemplate = "LEVEL_1/PathTraversal", parameterName = URL_PARAM_KEY, sampleValues = {SAMPLE_VALUE_FILE_NAME}) - public ResponseBean> getVulnerablePayloadLevel7( + public ResponseBean> getVulnerablePayloadLevel8( ParameterBean parameterBean) { String queryFileName = parameterBean.getQueryParamKeyValueMap().get(URL_PARAM_KEY); String fileName = null; @@ -243,12 +264,12 @@ public ResponseBean> getVulnerablePaylo description = "PATH_TRAVERSAL_URL_PARAM_BEFORE_NULL_BYTE_IF_DOT_DOT_PATH_NOT_PRESENT_DIRECTLY_INJECTED") @VulnerabilityLevel( - value = LevelEnum.LEVEL_8, + value = LevelEnum.LEVEL_9, descriptionLabel = "PATH_TRAVERSAL_URL_CONTAINING_FILENAME", htmlTemplate = "LEVEL_1/PathTraversal", parameterName = URL_PARAM_KEY, sampleValues = {SAMPLE_VALUE_FILE_NAME}) - public ResponseBean> getVulnerablePayloadLevel8( + public ResponseBean> getVulnerablePayloadLevel9( ParameterBean parameterBean) { String queryFileName = parameterBean.getQueryParamKeyValueMap().get(URL_PARAM_KEY); String fileName = null; @@ -278,12 +299,12 @@ public ResponseBean> getVulnerablePaylo description = "PATH_TRAVERSAL_URL_PARAM_BEFORE_NULL_BYTE_IF_DOT_DOT_PATH_OR_%2F_NOT_PRESENT_DIRECTLY_INJECTED") @VulnerabilityLevel( - value = LevelEnum.LEVEL_9, + value = LevelEnum.LEVEL_10, descriptionLabel = "PATH_TRAVERSAL_URL_CONTAINING_FILENAME", htmlTemplate = "LEVEL_1/PathTraversal", parameterName = URL_PARAM_KEY, sampleValues = {SAMPLE_VALUE_FILE_NAME}) - public ResponseBean> getVulnerablePayloadLevel9( + public ResponseBean> getVulnerablePayloadLevel10( ParameterBean parameterBean) { String queryFileName = parameterBean.getQueryParamKeyValueMap().get(URL_PARAM_KEY); String fileName = null; 
@@ -306,6 +327,42 @@ public ResponseBean> getVulnerablePaylo fileName); } + @AttackVector( + vulnerabilityExposed = { + VulnerabilitySubType.NULL_BYTE, + VulnerabilitySubType.PATH_TRAVERSAL + }, + description = + "PATH_TRAVERSAL_URL_PARAM_BEFORE_NULL_BYTE_IF_DOT_DOT_PATH_OR_%2F_CASE_INSENSITIVE_NOT_PRESENT_DIRECTLY_INJECTED") + @VulnerabilityLevel( + value = LevelEnum.LEVEL_11, + descriptionLabel = "PATH_TRAVERSAL_URL_CONTAINING_FILENAME", + htmlTemplate = "LEVEL_1/PathTraversal", + parameterName = URL_PARAM_KEY, + sampleValues = {SAMPLE_VALUE_FILE_NAME}) + public ResponseBean> getVulnerablePayloadLevel11( + ParameterBean parameterBean) { + String queryFileName = parameterBean.getQueryParamKeyValueMap().get(URL_PARAM_KEY); + String fileName = null; + if (queryFileName != null) { + int indexOfNullByte = queryFileName.indexOf(NULL_BYTE_CHARACTER); + fileName = + indexOfNullByte >= 0 + ? queryFileName.substring(0, indexOfNullByte) + : queryFileName; + } + return this.readFile( + () -> + queryFileName != null + && !parameterBean.getUrl().contains("..") + && !parameterBean.getUrl().toLowerCase().contains("%2f") + && ALLOWED_FILE_NAMES.stream() + .anyMatch( + allowedFileName -> + queryFileName.contains(allowedFileName)), + fileName); + } + @AttackVector( vulnerabilityExposed = { VulnerabilitySubType.NULL_BYTE, 
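Review bot: The null-byte prologue in `getVulnerablePayloadLevel11` (`int indexOfNullByte = queryFileName.indexOf(NULL_BYTE_CHARACTER); fileName = indexOfNullByte >= 0 ? queryFileName.substring(0, indexOfNullByte) : queryFileName;`) appears to be the same block the other hunks show the start of in levels 7 through 10 (their bodies are outside this hunk), so a private helper would let each level state only its predicate. The predicate also runs `contains` on the untruncated `queryFileName` against `ALLOWED_FILE_NAMES` while `readFile` receives the truncated `fileName`; since that mismatch is the substance of this level, a comment should say so: `// allow-list is checked on the full value; readFile gets only the part before the null byte`.
```java
/** Returns the part of {@code value} before its first null byte, or the whole value if none. */
private static String beforeNullByte(String value) {
    int indexOfNullByte = value.indexOf(NULL_BYTE_CHARACTER);
    return indexOfNullByte >= 0 ? value.substring(0, indexOfNullByte) : value;
}

// … unchanged: annotations of getVulnerablePayloadLevel11 …
public ResponseBean<GenericVulnerabilityResponseBean<String>> getVulnerablePayloadLevel11(
        ParameterBean parameterBean) {
    String queryFileName = parameterBean.getQueryParamKeyValueMap().get(URL_PARAM_KEY);
    String fileName = queryFileName == null ? null : beforeNullByte(queryFileName);
    // … unchanged: readFile call with the predicate …
```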
@@ -314,12 +371,12 @@ public ResponseBean> getVulnerablePaylo description = "PATH_TRAVERSAL_URL_PARAM_BEFORE_NULL_BYTE_IF_DOT_DOT_PATH_WITH_OR_WITHOUT_URL_ENCODING_NOT_PRESENT_DIRECTLY_INJECTED") @VulnerabilityLevel( - value = LevelEnum.LEVEL_10, + value = LevelEnum.LEVEL_12, descriptionLabel = "PATH_TRAVERSAL_URL_CONTAINING_FILENAME", htmlTemplate = "LEVEL_1/PathTraversal", parameterName = URL_PARAM_KEY, sampleValues = {SAMPLE_VALUE_FILE_NAME}) - public ResponseBean> getVulnerablePayloadLevel10( + public ResponseBean> getVulnerablePayloadLevel12( ParameterBean parameterBean) { String queryFileName = parameterBean.getQueryParamKeyValueMap().get(URL_PARAM_KEY); String fileName = null; diff --git a/src/main/java/org/sasanlabs/vulnerability/types/VulnerabilitySubType.java b/src/main/java/org/sasanlabs/vulnerability/types/VulnerabilitySubType.java index 2b451ab5..1254c476 100644 --- a/src/main/java/org/sasanlabs/vulnerability/types/VulnerabilitySubType.java +++ b/src/main/java/org/sasanlabs/vulnerability/types/VulnerabilitySubType.java @@ -29,10 +29,10 @@ public enum VulnerabilitySubType { CLIENT_SIDE_VULNERABLE_JWT(VulnerabilityType.VULNERABLE_JWT_IMPLMENTATION), SERVER_SIDE_VULNERABLE_JWT(VulnerabilityType.VULNERABLE_JWT_IMPLMENTATION), INSECURE_CONFIGURATION_JWT(VulnerabilityType.VULNERABLE_JWT_IMPLMENTATION), - + PATH_TRAVERSAL(VulnerabilityType.PATH_TRAVERSAL), COMMAND_INJECTION(VulnerabilityType.COMMAND_INJECTION), - + // Combined Attacking Vulnerability NULL_BYTE(VulnerabilityType.NULL_BYTE); diff --git a/src/main/resources/i18n/messages.properties b/src/main/resources/i18n/messages.properties index 8bb32cb9..db8c7b67 100755 --- a/src/main/resources/i18n/messages.properties +++ b/src/main/resources/i18n/messages.properties 
@@ -82,12 +82,14 @@ PATH_TRAVERSAL_URL_PARAM_DIRECTLY_INJECTED=\"fileName\" query param's value is d PATH_TRAVERSAL_URL_PARAM_IF_PARENT_DIRECTORY_PATH_NOT_PRESENT_DIRECTLY_INJECTED=\"fileName\" query param's value is directly appended if it doesn't contains "../". PATH_TRAVERSAL_URL_PARAM_IF_DOT_DOT_PATH_NOT_PRESENT_DIRECTLY_INJECTED=\"fileName\" query param's value is directly appended if it doesn't contains "..". PATH_TRAVERSAL_URL_PARAM_IF_DOT_DOT_PATH_OR_%2F_NOT_PRESENT_DIRECTLY_INJECTED=\"fileName\" query param's value is directly appended if it doesn't contains ".." or "%2f" which is URL encoding of "/". +PATH_TRAVERSAL_URL_PARAM_IF_DOT_DOT_PATH_OR_%2F_CASE_INSENSITIVE_NOT_PRESENT_DIRECTLY_INJECTED=\"fileName\" query param's value is directly appended if it doesn't contains ".." or "%2f" or "%2F" which is URL encoding of "/". PATH_TRAVERSAL_URL_PARAM_IF_DOT_DOT_PATH_WITH_OR_WITHOUT_URL_ENCODING_NOT_PRESENT_DIRECTLY_INJECTED=\"fileName\" query param's value is directly appended if it doesn't contains "..", takes care of URL encoding too. PATH_TRAVERSAL_URL_PARAM_BEFORE_NULL_BYTE_DIRECTLY_INJECTED=\"fileName\" query param's value before Null Byte is directly appended to path to read the file. PATH_TRAVERSAL_URL_PARAM_BEFORE_NULL_BYTE_IF_PARENT_DIRECTORY_PATH_NOT_PRESENT_DIRECTLY_INJECTED=\"fileName\" query param's value before Null Byte is directly appended if it doesn't contains "../". PATH_TRAVERSAL_URL_PARAM_BEFORE_NULL_BYTE_IF_DOT_DOT_PATH_NOT_PRESENT_DIRECTLY_INJECTED=\"fileName\" query param's value before Null Byte is directly appended if it doesn't contains "..". PATH_TRAVERSAL_URL_PARAM_BEFORE_NULL_BYTE_IF_DOT_DOT_PATH_OR_%2F_NOT_PRESENT_DIRECTLY_INJECTED=\"fileName\" query param's value before Null Byte is directly appended if it doesn't contains ".." or "%2f" which is URL encoding of "/". 
+PATH_TRAVERSAL_URL_PARAM_BEFORE_NULL_BYTE_IF_DOT_DOT_PATH_OR_%2F_CASE_INSENSITIVE_NOT_PRESENT_DIRECTLY_INJECTED=\"fileName\" query param's value before Null Byte is directly appended if it doesn't contains ".." or "%2f" or "%2F" which is URL encoding of "/". PATH_TRAVERSAL_URL_PARAM_BEFORE_NULL_BYTE_IF_DOT_DOT_PATH_WITH_OR_WITHOUT_URL_ENCODING_NOT_PRESENT_DIRECTLY_INJECTED=\"fileName\" query param's value before Null Byte is directly appended if it doesn't contains "..", takes care of URL encoding too. diff --git a/src/main/resources/i18n/messages_en_US.properties b/src/main/resources/i18n/messages_en_US.properties index 8bb32cb9..db8c7b67 100755 --- a/src/main/resources/i18n/messages_en_US.properties +++ b/src/main/resources/i18n/messages_en_US.properties 
@@ -82,12 +82,14 @@ PATH_TRAVERSAL_URL_PARAM_DIRECTLY_INJECTED=\"fileName\" query param's value is d PATH_TRAVERSAL_URL_PARAM_IF_PARENT_DIRECTORY_PATH_NOT_PRESENT_DIRECTLY_INJECTED=\"fileName\" query param's value is directly appended if it doesn't contains "../". PATH_TRAVERSAL_URL_PARAM_IF_DOT_DOT_PATH_NOT_PRESENT_DIRECTLY_INJECTED=\"fileName\" query param's value is directly appended if it doesn't contains "..". PATH_TRAVERSAL_URL_PARAM_IF_DOT_DOT_PATH_OR_%2F_NOT_PRESENT_DIRECTLY_INJECTED=\"fileName\" query param's value is directly appended if it doesn't contains ".." or "%2f" which is URL encoding of "/". +PATH_TRAVERSAL_URL_PARAM_IF_DOT_DOT_PATH_OR_%2F_CASE_INSENSITIVE_NOT_PRESENT_DIRECTLY_INJECTED=\"fileName\" query param's value is directly appended if it doesn't contains ".." or "%2f" or "%2F" which is URL encoding of "/". PATH_TRAVERSAL_URL_PARAM_IF_DOT_DOT_PATH_WITH_OR_WITHOUT_URL_ENCODING_NOT_PRESENT_DIRECTLY_INJECTED=\"fileName\" query param's value is directly appended if it doesn't contains "..", takes care of URL encoding too. PATH_TRAVERSAL_URL_PARAM_BEFORE_NULL_BYTE_DIRECTLY_INJECTED=\"fileName\" query param's value before Null Byte is directly appended to path to read the file. PATH_TRAVERSAL_URL_PARAM_BEFORE_NULL_BYTE_IF_PARENT_DIRECTORY_PATH_NOT_PRESENT_DIRECTLY_INJECTED=\"fileName\" query param's value before Null Byte is directly appended if it doesn't contains "../". PATH_TRAVERSAL_URL_PARAM_BEFORE_NULL_BYTE_IF_DOT_DOT_PATH_NOT_PRESENT_DIRECTLY_INJECTED=\"fileName\" query param's value before Null Byte is directly appended if it doesn't contains "..". PATH_TRAVERSAL_URL_PARAM_BEFORE_NULL_BYTE_IF_DOT_DOT_PATH_OR_%2F_NOT_PRESENT_DIRECTLY_INJECTED=\"fileName\" query param's value before Null Byte is directly appended if it doesn't contains ".." or "%2f" which is URL encoding of "/". 
+PATH_TRAVERSAL_URL_PARAM_BEFORE_NULL_BYTE_IF_DOT_DOT_PATH_OR_%2F_CASE_INSENSITIVE_NOT_PRESENT_DIRECTLY_INJECTED=\"fileName\" query param's value before Null Byte is directly appended if it doesn't contains ".." or "%2f" or "%2F" which is URL encoding of "/". PATH_TRAVERSAL_URL_PARAM_BEFORE_NULL_BYTE_IF_DOT_DOT_PATH_WITH_OR_WITHOUT_URL_ENCODING_NOT_PRESENT_DIRECTLY_INJECTED=\"fileName\" query param's value before Null Byte is directly appended if it doesn't contains "..", takes care of URL encoding too.