Merge pull request SasanLabs#254 from SasanLabs/spotless

Immediate release for testing

src/main/java/org/sasanlabs/controller/VulnerableAppRestController.java

@@ -1,14 +1,14 @@
 package org.sasanlabs.controller;
 
 import com.fasterxml.jackson.core.JsonProcessingException;
-import java.net.InetAddress;
 import java.net.UnknownHostException;
 import java.util.Arrays;
 import java.util.List;
 import org.sasanlabs.beans.AllEndPointsResponseBean;
 import org.sasanlabs.beans.ScannerMetaResponseBean;
 import org.sasanlabs.beans.ScannerResponseBean;
 import org.sasanlabs.internal.utility.FrameworkConstants;
+import org.sasanlabs.internal.utility.GenericUtils;
 import org.sasanlabs.internal.utility.JSONSerializationUtils;
 import org.sasanlabs.internal.utility.annotations.RequestParameterLocation;
 import org.sasanlabs.service.IEndPointsInformationProvider;
@@ -111,7 +111,6 @@ public String sitemapForPassiveScanners() throws JsonProcessingException, Unknow
                 new StringBuilder(
                         FrameworkConstants.GENERAL_XML_HEADER
                                 + FrameworkConstants.SITEMAP_URLSET_TAG_START);
-        String ipAddress = InetAddress.getLocalHost().getHostAddress();
         for (AllEndPointsResponseBean endPoint : allEndPoints) {
             endPoint.getLevelDescriptionSet()
                     .forEach(
@@ -122,7 +121,7 @@ public String sitemapForPassiveScanners() throws JsonProcessingException, Unknow
                                         .append(FrameworkConstants.SITEMAP_LOC_TAG_START)
                                         .append(FrameworkConstants.NEXT_LINE)
                                         .append(FrameworkConstants.HTTP)
-                                        .append(ipAddress)
+                                        .append(GenericUtils.LOCALHOST)
                                         .append(FrameworkConstants.COLON)
                                         .append(port)
                                         .append(FrameworkConstants.SLASH)

src/main/java/org/sasanlabs/internal/utility/GenericUtils.java

@@ -7,6 +7,8 @@
  */
 public class GenericUtils {
 
+    public static final String LOCALHOST = "127.0.0.1";
+
     /**
      * @deprecated
      * @param payload

src/main/java/org/sasanlabs/service/impl/EndPointsInformationProvider.java

@@ -2,7 +2,6 @@
 
 import com.fasterxml.jackson.core.JsonProcessingException;
 import java.lang.reflect.Method;
-import java.net.InetAddress;
 import java.net.UnknownHostException;
 import java.util.ArrayList;
 import java.util.Arrays;
@@ -15,6 +14,7 @@
 import org.sasanlabs.configuration.VulnerableAppProperties;
 import org.sasanlabs.internal.utility.EnvUtils;
 import org.sasanlabs.internal.utility.FrameworkConstants;
+import org.sasanlabs.internal.utility.GenericUtils;
 import org.sasanlabs.internal.utility.MessageBundle;
 import org.sasanlabs.internal.utility.annotations.AttackVector;
 import org.sasanlabs.internal.utility.annotations.VulnerableAppRequestMapping;
@@ -111,7 +111,6 @@ public List<ScannerResponseBean> getScannerRelatedEndPointInformation()
             throws JsonProcessingException, UnknownHostException {
         List<AllEndPointsResponseBean> allEndPointsResponseBeans = this.getSupportedEndPoints();
         List<ScannerResponseBean> scannerResponseBeans = new ArrayList<>();
-        String ipAddress = InetAddress.getLocalHost().getHostAddress();
         for (AllEndPointsResponseBean allEndPointsResponseBean : allEndPointsResponseBeans) {
             for (LevelResponseBean levelResponseBean :
                     allEndPointsResponseBean.getLevelDescriptionSet()) {
@@ -121,7 +120,7 @@ public List<ScannerResponseBean> getScannerRelatedEndPointInformation()
                             new ScannerResponseBean(
                                     new StringBuilder()
                                             .append(FrameworkConstants.HTTP)
-                                            .append(ipAddress)
+                                            .append(GenericUtils.LOCALHOST)
                                             .append(FrameworkConstants.COLON)
                                             .append(port)
                                             .append(FrameworkConstants.SLASH)

src/main/java/org/sasanlabs/service/vulnerability/openRedirect/ClientSideInjection.java

@@ -0,0 +1,3 @@
+package org.sasanlabs.service.vulnerability.openRedirect;
+
+public class ClientSideInjection {}

src/main/java/org/sasanlabs/service/vulnerability/urlRedirection/Http3xxStatusCodeBasedInjection.java → src/main/java/org/sasanlabs/service/vulnerability/openRedirect/Http3xxStatusCodeBasedInjection.java

@@ -1,4 +1,4 @@
-package org.sasanlabs.service.vulnerability.urlRedirection;
+package org.sasanlabs.service.vulnerability.openRedirect;
 
 import static org.sasanlabs.vulnerability.utils.Constants.NULL_BYTE_CHARACTER;
 

src/main/java/org/sasanlabs/service/vulnerability/openRedirect/MetaTagBasedInjection.java

@@ -0,0 +1,68 @@
+package org.sasanlabs.service.vulnerability.openRedirect;
+
+/**
+ * This class contains the vulnerabilities related to Open Redirects. Redirects implemented by this
+ * class are based on {@code Meta Tag}. <br>
+ * Important Links: <br>
+ * 1. <a href= "http://projects.webappsec.org/w/page/13246981/URL%20Redirector%20Abuse">WASC-38</a>
+ * <br>
+ * 2. <a href="https://cwe.mitre.org/data/definitions/601.html">CWE-601</a><br>
+ * 3. <a href= "https://portswigger.net/kb/issues/00500100_open-redirection-reflected">Port
+ * Swigger's vulnerability documentation</a><br>
+ * 4. <a href="https://en.wikipedia.org/wiki/URL_redirection">Wiki link for describing the purpose
+ * of URL Redirection</a><br>
+ * 5. <a href="https://github.com/payloadbox/open-redirect-payload-list">Payloads for Open
+ * Redirect</a><br>
+ * 6. <a href="https://www.seroundtable.com/google-meta-refresh-redirects-work-25335.html">Meta tag
+ * based Redirects vs 3XX redirects</a><br>
+ * <br>
+ * Some myths: <a href=
+ * "https://security.stackexchange.com/questions/59517/are-url-shorteners-vulnerable-due-to-open-redirects">Are
+ * URL shorteners “vulnerable” due to open redirects? </a><br>
+ * <br>
+ * Note: as we have implemented entire architecture around the Ajax calls hence there is no direct
+ * way to provide the User Interface for URL Redirect Vulnerability hence these will be exposed as
+ * an API and user can follow instructions suggested in UI for exploiting this Vulnerability.
+ *
+ * @author [email protected] KSASAN
+ */
+// @VulnerableAppRestController(
+//        descriptionLabel = "OPEN_REDIRECTION_VULNERABILITY_META_TAG_BASED",
+//        value = "MetaTagBasedInjection",
+//        type = {VulnerabilityType.OPEN_REDIRECT})
+public class MetaTagBasedInjection {
+
+    //    private static final String META_TAG_PAYLOAD =
+    //            "<html><head><meta http-equiv=\"refresh\" content=\"10;%s\" /></head><body>
+    // VulnerableApp Job is Running %s </body></html>";
+    //
+    //    private static final String STATUS = "status";
+    //
+    //    @VulnerableAppRequestMapping(
+    //            value = LevelConstants.LEVEL_1,
+    //            descriptionLabel = "URL_REDIRECTION_URL_PARAMETER_INJECTION_INTO_META_TAG")
+    //    public ResponseEntity<String> getVulnerablePayloadLevel1(
+    //            @RequestParam(value = STATUS, required = false) String statusUrl) {
+    //        return new ResponseEntity<>(
+    //                String.format(
+    //                        META_TAG_PAYLOAD, statusUrl == null ? "" : "url=" + statusUrl, new
+    // Date()),
+    //                HttpStatus.OK);
+    //    }
+    //
+    //    @VulnerableAppRequestMapping(
+    //            value = LevelConstants.LEVEL_2,
+    //            descriptionLabel = "URL_REDIRECTION_URL_PARAMETER_INJECTION_INTO_META_TAG")
+    //    public ResponseEntity<String> getVulnerablePayloadLevel(
+    //            @RequestParam Map<String, String> queryParams) {
+    //        Iterator<Entry<String, String>> iterator = queryParams.entrySet().iterator();
+    //        String metaTag = "";
+    //        if (iterator.hasNext()) {
+    //            Entry<String, String> entry = iterator.next();
+    //            metaTag = String.format(META_TAG_PAYLOAD, entry.getValue());
+    //        }
+    //        return new ResponseEntity<>(
+    //                GenericUtils.wrapPayloadInGenericVulnerableAppTemplate(metaTag),
+    // HttpStatus.OK);
+    //    }
+}

src/main/java/org/sasanlabs/service/vulnerability/openRedirect/RefreshHeaderBasedInjection.java

@@ -0,0 +1,3 @@
+package org.sasanlabs.service.vulnerability.openRedirect;
+
+public class RefreshHeaderBasedInjection {}

src/main/resources/i18n/messages.properties

@@ -94,6 +94,26 @@ OPEN_REDIRECT_QUERY_PARAM_DIRECTLY_ADDED_TO_LOCATION_HEADER_BY_ADDING_DOMAIN_AS_
 
 
 ## Meta Tag based URL Redirection
+OPEN_REDIRECTION_VULNERABILITY_META_TAG_BASED=Open redirection vulnerabilities arise when an application incorporates user-controllable \
+data into the target of a redirection in an unsafe way.<br/> An attacker can construct a URL within the application that \
+causes a redirection to an arbitrary external domain. This behavior can be leveraged to facilitate phishing attacks against users of the application.<br/> \
+The ability to use an authentic application URL, targeting the correct domain and with a valid SSL certificate (if SSL is used), lends credibility to \
+the phishing attack because many users, even if they verify these features, will not notice the subsequent redirection to a different domain. \
+<br/><br/> An HTML meta element which specifies the time in seconds before the browser is to refresh the page. \
+Providing an alternate URI allows the element to be used as a timed URL redirector. \
+For example, in the following example the browser will redirect to example.com after 5 seconds: <br/> \
+          &lt;meta http-equiv=&quot;refresh&quot; content=&quot;5;url=http://example.com&quot;&gt; <br/><br/>\
+ Important Links:<ol>\
+ <li><a href="http://projects.webappsec.org/w/page/13246981/URL%20Redirector%20Abuse">WASC-38</a><br/></li>\
+ <li><a href="https://cwe.mitre.org/data/definitions/601.html">CWE-601</a><br/></li>\
+ <li><a href="https://portswigger.net/kb/issues/00500100_open-redirection-reflected">Port Swigger's vulnerability documentation</a><br/></li>\
+ <li><a href="https://en.wikipedia.org/wiki/URL_redirection">Wiki link for describing the purpose of URL Redirection</a></li>\
+ <li><a href="https://github.com/payloadbox/open-redirect-payload-list">Open Redirection payload list</a></li>\
+ <li><a href="https://appsec-labs.com/portal/case-study-open-redirect/">Adding domain as prefix case study</a></li>\
+ </ol>\
+ Some myths: <a href="https://security.stackexchange.com/questions/59517/are-url-shorteners-vulnerable-due-to-open-redirects">Are URL shorteners \u201Cvulnerable\u201D due to open redirects?</a><br/>
+
+
 URL_REDIRECTION_META_TAG_BASED_INJECTION=Meta Tag based Url Redirection.
 URL_REDIRECTION_URL_PARAMETER_INJECTION_INTO_META_TAG=Url Parameter is directly added to Meta Tag.
 

src/main/resources/i18n/messages_en_US.properties

@@ -94,6 +94,26 @@ OPEN_REDIRECT_QUERY_PARAM_DIRECTLY_ADDED_TO_LOCATION_HEADER_BY_ADDING_DOMAIN_AS_
 
 
 ## Meta Tag based URL Redirection
+OPEN_REDIRECTION_VULNERABILITY_META_TAG_BASED=Open redirection vulnerabilities arise when an application incorporates user-controllable \
+data into the target of a redirection in an unsafe way.<br/> An attacker can construct a URL within the application that \
+causes a redirection to an arbitrary external domain. This behavior can be leveraged to facilitate phishing attacks against users of the application.<br/> \
+The ability to use an authentic application URL, targeting the correct domain and with a valid SSL certificate (if SSL is used), lends credibility to \
+the phishing attack because many users, even if they verify these features, will not notice the subsequent redirection to a different domain. \
+<br/><br/> An HTML meta element which specifies the time in seconds before the browser is to refresh the page. \
+Providing an alternate URI allows the element to be used as a timed URL redirector. \
+For example, in the following example the browser will redirect to example.com after 5 seconds: <br/> \
+          &lt;meta http-equiv=&quot;refresh&quot; content=&quot;5;url=http://example.com&quot;&gt; <br/><br/>\
+ Important Links:<ol>\
+ <li><a href="http://projects.webappsec.org/w/page/13246981/URL%20Redirector%20Abuse">WASC-38</a><br/></li>\
+ <li><a href="https://cwe.mitre.org/data/definitions/601.html">CWE-601</a><br/></li>\
+ <li><a href="https://portswigger.net/kb/issues/00500100_open-redirection-reflected">Port Swigger's vulnerability documentation</a><br/></li>\
+ <li><a href="https://en.wikipedia.org/wiki/URL_redirection">Wiki link for describing the purpose of URL Redirection</a></li>\
+ <li><a href="https://github.com/payloadbox/open-redirect-payload-list">Open Redirection payload list</a></li>\
+ <li><a href="https://appsec-labs.com/portal/case-study-open-redirect/">Adding domain as prefix case study</a></li>\
+ </ol>\
+ Some myths: <a href="https://security.stackexchange.com/questions/59517/are-url-shorteners-vulnerable-due-to-open-redirects">Are URL shorteners \u201Cvulnerable\u201D due to open redirects?</a><br/>
+
+
 URL_REDIRECTION_META_TAG_BASED_INJECTION=Meta Tag based Url Redirection.
 URL_REDIRECTION_URL_PARAMETER_INJECTION_INTO_META_TAG=Url Parameter is directly added to Meta Tag.
 

src/main/resources/static/templates/Http3xxStatusCodeBasedInjection/LEVEL_1/Http3xxStatusCodeBasedInjection.html

@@ -8,9 +8,9 @@
 		For Vulnerability scanning tools this might not be an issue as
 		scanning tools can work on Api calls but to illustrate this attack to
 		students/security enthusiasts we have provided a way to do the same.
-		Please Visit URL: <a id="placeholder"></a>
+		Please Visit URL: <a id="placeholder" target="_blank"></a>
 		<br /><br />  To think on why
-		redirection is required or in other words usecase of the attack,
+		redirection is required or in other words usecase of the redirection functionality,
 		consider a website which is having a login page and say you are logged
 		in into the website but now due to 10 minutes of inactivity, website
 		has forced logout and sent you to login page. Now when you login

src/main/resources/static/templates/MetaTagBasedInjection/LEVEL_1/MetaTagBasedInjection.css

@@ -0,0 +1,9 @@
+#MetaTagBasedInjection {
+    color: black;
+    text-align: left;
+    font-size: 18px;
+    font-weight: normal;
+}
+#mindset {
+    font-weight: bold;
+}

src/main/resources/static/templates/MetaTagBasedInjection/LEVEL_1/MetaTagBasedInjection.html

@@ -0,0 +1,21 @@
+<div id="MetaTagBasedInjection">
+	<div>
+		Interaction between frontend and backend is done using Ajax calls and
+		this generic structure applies everywhere across Owasp VulnerableApp.
+		Because of that all the http status code or header based redirects
+		doesn't work out of the box and hence we had not implemented it. 
+		<br /> <br />
+		For Vulnerability scanning tools this might not be an issue as
+		scanning tools can work on Api calls but to illustrate this attack to
+		students/security enthusiasts we have provided a way to do the same.
+		Please Visit URL: <a id="placeholder"></a>
+		<br /><br /> To think on why redirection using meta tag is required or in other words the usecase 
+		of url redirection functionality, consider a website which is having a functionality to show the 
+		progress/status of any background job and to achieve this website is refreshing the web page 
+		every 5 seconds.
+		<br />
+		<div id="mindset">
+		Now the URL given above can be considered as a url of the web page which is depicting the progress/status of the background job.
+		</div>
+	</div>
+</div>

src/main/resources/static/templates/MetaTagBasedInjection/LEVEL_1/MetaTagBasedInjection.js

@@ -0,0 +1,7 @@
+function updatePlaceholderDiv() {
+  let placeholderAnchorElement = document.getElementById("placeholder");
+  placeholderAnchorElement.href = getUrlForVulnerabilityLevel() + "?returnTo=/";
+  placeholderAnchorElement.innerText = "Click here";
+}
+
+updatePlaceholderDiv();

src/main/resources/static/vulnerableApp.js

@@ -11,10 +11,6 @@ let currentKey;
 
 function _loadDynamicJSAndCSS(urlToFetchHtmlTemplate) {
   let dynamicScriptsElement = document.getElementById("dynamicScripts");
-  let jsElement = document.createElement("script");
-  jsElement.type = "module";
-  jsElement.src = urlToFetchHtmlTemplate + ".js?p=" + new Date().getTime();
-  dynamicScriptsElement.appendChild(jsElement);
   let cssElement = document.createElement("link");
   cssElement.href = urlToFetchHtmlTemplate + ".css";
   cssElement.type = "text/css";
@@ -26,6 +22,10 @@ function _loadDynamicJSAndCSS(urlToFetchHtmlTemplate) {
   } else {
     document.getElementById("hideHelp").style.display = "inline-block";
     document.getElementById("showHelp").style.display = "inline-block";
+    let jsElement = document.createElement("script");
+    jsElement.type = "module";
+    jsElement.src = urlToFetchHtmlTemplate + ".js?p=" + new Date().getTime();
+    dynamicScriptsElement.appendChild(jsElement);
   }
 }