-
Notifications
You must be signed in to change notification settings - Fork 0
/
BenchmarkTest01869.java
138 lines (120 loc) · 5.73 KB
/
BenchmarkTest01869.java
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
/**
* OWASP Benchmark Project v1.2
*
* <p>This file is part of the Open Web Application Security Project (OWASP) Benchmark Project. For
* details, please see <a
* href="https://owasp.org/www-project-benchmark/">https://owasp.org/www-project-benchmark/</a>.
*
* <p>The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms
* of the GNU General Public License as published by the Free Software Foundation, version 2.
*
* <p>The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY
* WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
* PURPOSE. See the GNU General Public License for more details.
*
* @author Nick Sanidas
* @created 2015
*/
package org.owasp.benchmark.testcode;
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
@WebServlet(value = "/weakrand-04/BenchmarkTest01869")
public class BenchmarkTest01869 extends HttpServlet {
private static final long serialVersionUID = 1L;
@Override
public void doGet(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
response.setContentType("text/html;charset=UTF-8");
javax.servlet.http.Cookie userCookie =
new javax.servlet.http.Cookie("BenchmarkTest01869", "whatever");
userCookie.setMaxAge(60 * 3); // Store cookie for 3 minutes
userCookie.setSecure(true);
userCookie.setPath(request.getRequestURI());
userCookie.setDomain(new java.net.URL(request.getRequestURL().toString()).getHost());
response.addCookie(userCookie);
javax.servlet.RequestDispatcher rd =
request.getRequestDispatcher("/weakrand-04/BenchmarkTest01869.html");
rd.include(request, response);
}
@Override
public void doPost(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
response.setContentType("text/html;charset=UTF-8");
javax.servlet.http.Cookie[] theCookies = request.getCookies();
String param = "noCookieValueSupplied";
if (theCookies != null) {
for (javax.servlet.http.Cookie theCookie : theCookies) {
if (theCookie.getName().equals("BenchmarkTest01869")) {
param = java.net.URLDecoder.decode(theCookie.getValue(), "UTF-8");
break;
}
}
}
String bar = doSomething(request, param);
try {
java.security.SecureRandom secureRandomGenerator =
java.security.SecureRandom.getInstance("SHA1PRNG");
// Get 40 random bytes
byte[] randomBytes = new byte[40];
secureRandomGenerator.nextBytes(randomBytes);
String rememberMeKey =
org.owasp.esapi.ESAPI.encoder().encodeForBase64(randomBytes, true);
String user = "SafeByron";
String fullClassName = this.getClass().getName();
String testCaseNumber =
fullClassName.substring(
fullClassName.lastIndexOf('.') + 1 + "BenchmarkTest".length());
user += testCaseNumber;
String cookieName = "rememberMe" + testCaseNumber;
boolean foundUser = false;
javax.servlet.http.Cookie[] cookies = request.getCookies();
if (cookies != null) {
for (int i = 0; !foundUser && i < cookies.length; i++) {
javax.servlet.http.Cookie cookie = cookies[i];
if (cookieName.equals(cookie.getName())) {
if (cookie.getValue()
.equals(request.getSession().getAttribute(cookieName))) {
foundUser = true;
}
}
}
}
if (foundUser) {
response.getWriter().println("Welcome back: " + user + "<br/>");
} else {
javax.servlet.http.Cookie rememberMe =
new javax.servlet.http.Cookie(cookieName, rememberMeKey);
rememberMe.setSecure(true);
rememberMe.setHttpOnly(true);
rememberMe.setPath(request.getRequestURI()); // i.e., set path to JUST this servlet
// e.g., /benchmark/sql-01/BenchmarkTest01001
request.getSession().setAttribute(cookieName, rememberMeKey);
response.addCookie(rememberMe);
response.getWriter()
.println(
user
+ " has been remembered with cookie: "
+ rememberMe.getName()
+ " whose value is: "
+ rememberMe.getValue()
+ "<br/>");
}
} catch (java.security.NoSuchAlgorithmException e) {
System.out.println("Problem executing SecureRandom.nextBytes() - TestCase");
throw new ServletException(e);
} finally {
response.getWriter()
.println(
"Randomness Test java.security.SecureRandom.nextBytes(byte[]) executed");
}
} // end doPost
private static String doSomething(HttpServletRequest request, String param)
throws ServletException, IOException {
String bar = org.apache.commons.lang.StringEscapeUtils.escapeHtml(param);
return bar;
}
}