-
Notifications
You must be signed in to change notification settings - Fork 0
/
BenchmarkTest01826.java
182 lines (165 loc) · 8.39 KB
/
BenchmarkTest01826.java
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
/**
* OWASP Benchmark Project v1.2
*
* <p>This file is part of the Open Web Application Security Project (OWASP) Benchmark Project. For
* details, please see <a
* href="https://owasp.org/www-project-benchmark/">https://owasp.org/www-project-benchmark/</a>.
*
* <p>The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms
* of the GNU General Public License as published by the Free Software Foundation, version 2.
*
* <p>The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY
* WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
* PURPOSE. See the GNU General Public License for more details.
*
* @author Nick Sanidas
* @created 2015
*/
package org.owasp.benchmark.testcode;
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
@WebServlet(value = "/crypto-02/BenchmarkTest01826")
public class BenchmarkTest01826 extends HttpServlet {
private static final long serialVersionUID = 1L;
@Override
public void doGet(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
response.setContentType("text/html;charset=UTF-8");
javax.servlet.http.Cookie userCookie =
new javax.servlet.http.Cookie("BenchmarkTest01826", "someSecret");
userCookie.setMaxAge(60 * 3); // Store cookie for 3 minutes
userCookie.setSecure(true);
userCookie.setPath(request.getRequestURI());
userCookie.setDomain(new java.net.URL(request.getRequestURL().toString()).getHost());
response.addCookie(userCookie);
javax.servlet.RequestDispatcher rd =
request.getRequestDispatcher("/crypto-02/BenchmarkTest01826.html");
rd.include(request, response);
}
@Override
public void doPost(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
response.setContentType("text/html;charset=UTF-8");
javax.servlet.http.Cookie[] theCookies = request.getCookies();
String param = "noCookieValueSupplied";
if (theCookies != null) {
for (javax.servlet.http.Cookie theCookie : theCookies) {
if (theCookie.getName().equals("BenchmarkTest01826")) {
param = java.net.URLDecoder.decode(theCookie.getValue(), "UTF-8");
break;
}
}
}
String bar = doSomething(request, param);
// Code based on example from:
// http://examples.javacodegeeks.com/core-java/crypto/encrypt-decrypt-file-stream-with-des/
// AES/GCM example from:
// https://javainterviewpoint.com/java-aes-256-gcm-encryption-and-decryption/
// 16-byte initialization vector
// byte[] iv = {
// (byte)0xB2, (byte)0x12, (byte)0xD5, (byte)0xB2,
// (byte)0x44, (byte)0x21, (byte)0xC3, (byte)0xC3,
// (byte)0xF3, (byte)0x3C, (byte)0x23, (byte)0xB9,
// (byte)0x9E, (byte)0xC5, (byte)0x77, (byte)0x0B033
// };
java.security.SecureRandom random = new java.security.SecureRandom();
byte[] iv = random.generateSeed(16);
try {
javax.crypto.Cipher c = javax.crypto.Cipher.getInstance("AES/GCM/NOPADDING");
// Prepare the cipher to encrypt
javax.crypto.SecretKey key = javax.crypto.KeyGenerator.getInstance("AES").generateKey();
javax.crypto.spec.GCMParameterSpec paramSpec =
new javax.crypto.spec.GCMParameterSpec(16 * 8, iv);
c.init(javax.crypto.Cipher.ENCRYPT_MODE, key, paramSpec);
// encrypt and store the results
byte[] input = {(byte) '?'};
Object inputParam = bar;
if (inputParam instanceof String) input = ((String) inputParam).getBytes();
if (inputParam instanceof java.io.InputStream) {
byte[] strInput = new byte[1000];
int i = ((java.io.InputStream) inputParam).read(strInput);
if (i == -1) {
response.getWriter()
.println(
"This input source requires a POST, not a GET. Incompatible UI for the InputStream source.");
return;
}
input = java.util.Arrays.copyOf(strInput, i);
}
byte[] result = c.doFinal(input);
java.io.File fileTarget =
new java.io.File(
new java.io.File(org.owasp.benchmark.helpers.Utils.TESTFILES_DIR),
"passwordFile.txt");
java.io.FileWriter fw =
new java.io.FileWriter(fileTarget, true); // the true will append the new data
fw.write(
"secret_value="
+ org.owasp.esapi.ESAPI.encoder().encodeForBase64(result, true)
+ "\n");
fw.close();
response.getWriter()
.println(
"Sensitive value: '"
+ org.owasp
.esapi
.ESAPI
.encoder()
.encodeForHTML(new String(input))
+ "' encrypted and stored<br/>");
} catch (java.security.NoSuchAlgorithmException e) {
response.getWriter()
.println(
"Problem executing crypto - javax.crypto.Cipher.getInstance(java.lang.String) Test Case");
e.printStackTrace(response.getWriter());
throw new ServletException(e);
} catch (javax.crypto.NoSuchPaddingException e) {
response.getWriter()
.println(
"Problem executing crypto - javax.crypto.Cipher.getInstance(java.lang.String) Test Case");
e.printStackTrace(response.getWriter());
throw new ServletException(e);
} catch (javax.crypto.IllegalBlockSizeException e) {
response.getWriter()
.println(
"Problem executing crypto - javax.crypto.Cipher.getInstance(java.lang.String) Test Case");
e.printStackTrace(response.getWriter());
throw new ServletException(e);
} catch (javax.crypto.BadPaddingException e) {
response.getWriter()
.println(
"Problem executing crypto - javax.crypto.Cipher.getInstance(java.lang.String) Test Case");
e.printStackTrace(response.getWriter());
throw new ServletException(e);
} catch (java.security.InvalidKeyException e) {
response.getWriter()
.println(
"Problem executing crypto - javax.crypto.Cipher.getInstance(java.lang.String) Test Case");
e.printStackTrace(response.getWriter());
throw new ServletException(e);
} catch (java.security.InvalidAlgorithmParameterException e) {
response.getWriter()
.println(
"Problem executing crypto - javax.crypto.Cipher.getInstance(java.lang.String) Test Case");
e.printStackTrace(response.getWriter());
throw new ServletException(e);
}
response.getWriter()
.println("Crypto Test javax.crypto.Cipher.getInstance(java.lang.String) executed");
} // end doPost
private static String doSomething(HttpServletRequest request, String param)
throws ServletException, IOException {
String bar = "safe!";
java.util.HashMap<String, Object> map38565 = new java.util.HashMap<String, Object>();
map38565.put("keyA-38565", "a_Value"); // put some stuff in the collection
map38565.put("keyB-38565", param); // put it in a collection
map38565.put("keyC", "another_Value"); // put some stuff in the collection
bar = (String) map38565.get("keyB-38565"); // get it back out
bar = (String) map38565.get("keyA-38565"); // get safe value back out
return bar;
}
}