Example 1 with SerecoWebResponse

Use of com.mercedesbenz.sechub.sereco.metadata.SerecoWebResponse in project sechub by mercedes-benz.

Class SarifV1JSONImporterTest, method sarif_2_1_0_owasp_zap_can_be_imported_and_contains_cwe_webvulnerability_with_parts.

@Test
void sarif_2_1_0_owasp_zap_can_be_imported_and_contains_cwe_webvulnerability_with_parts() throws Exception {
    /* @formatter:off */
    /* prepare */
    SerecoMetaData result = importerToTest.importResult(sarif_2_1_0_owasp_zap);
    /* execute */
    List<SerecoVulnerability> vulnerabilities = result.getVulnerabilities();
    /* test */
    SerecoWebRequest expectedRequest = new SerecoWebRequest();
    expectedRequest.setMethod("GET");
    expectedRequest.setProtocol("HTTP");
    expectedRequest.setVersion("1.1");
    expectedRequest.setTarget("https://127.0.0.1:8080/greeting?name=%3C%2Fp%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E%3Cp%3E");
    Map<String, String> requestHeaders = expectedRequest.getHeaders();
    requestHeaders.put("Cache-Control", "no-cache");
    requestHeaders.put("Content-Length", "0");
    requestHeaders.put("Cookie", "JSESSIONID=38AA1F7A61982DF1073D7F43A3707798; locale=de");
    requestHeaders.put("Host", "127.0.0.1:8080");
    requestHeaders.put("Pragma", "no-cache");
    requestHeaders.put("Referer", "https://127.0.0.1:8080/hello");
    requestHeaders.put("User-Agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0");
    SerecoWebResponse expectedResponse = new SerecoWebResponse();
    expectedResponse.setStatusCode(200);
    expectedResponse.getBody().setText("<!DOCTYPE HTML>\n"
            + "<html>\n"
            + "<head>\n"
            + "    <title>Getting Started: Serving Web Content</title>\n"
            + "    <meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\" />\n"
            + "</head>\n"
            + "<body>\n"
            + "    <!-- unsecure text used (th:utext instead th:text)- to create vulnerability (XSS) -->\n"
            + "    <!-- simple usage: http://localhost:8080/greeting?name=Test2</p><script>;alert(\"hallo\")</script> -->\n"
            + "    <p >XSS attackable parameter output: </p><script>alert(1);</script><p>!</p>\n"
            + "</body>\n"
            + "</html>");
    Map<String, String> responseHeaders = expectedResponse.getHeaders();
    responseHeaders.put("Cache-Control", "no-cache, no-store, max-age=0, must-revalidate");
    responseHeaders.put("Content-Language", "en-US");
    responseHeaders.put("Content-Security-Policy", "script-src 'self'");
    responseHeaders.put("Content-Type", "text/html;charset=UTF-8");
    responseHeaders.put("Date", "Thu, 11 Nov 2021 09:56:20 GMT");
    responseHeaders.put("Expires", "0");
    responseHeaders.put("Pragma", "no-cache");
    responseHeaders.put("Referrer-Policy", "no-referrer");
    responseHeaders.put("Set-Cookie", "locale=de; HttpOnly; SameSite=strict");
    responseHeaders.put("Strict-Transport-Security", "max-age=31536000 ; includeSubDomains");
    responseHeaders.put("X-Content-Type-Options", "nosniff");
    responseHeaders.put("X-Frame-Options", "DENY");
    responseHeaders.put("X-XSS-Protection", "1; mode=block");
    expectedResponse.setProtocol("HTTP");
    expectedResponse.setVersion("1.1");
    expectedResponse.setStatusCode(200);
    expectedResponse.setReasonPhrase("");
    SerecoVulnerability firstCSSvulnerability = assertVulnerabilities(vulnerabilities).hasVulnerabilities(14).verifyVulnerability().classifiedBy().cwe(79).and().withSeverity(SerecoSeverity.HIGH).withType("Cross Site Scripting (Reflected)").withScanType(ScanType.WEB_SCAN).assertContainedAndReturn();
    assertWebRequest(firstCSSvulnerability, expectedRequest);
    assertWebResponse(firstCSSvulnerability, expectedResponse);
    assertVulnerabilities(vulnerabilities).verifyVulnerability().classifiedBy().cwe(79).and().withSeverity(SerecoSeverity.HIGH).withType("Cross Site Scripting (Reflected)").withScanType(ScanType.WEB_SCAN).isExactDefinedWebVulnerability().withWebRequest(expectedRequest).withWebResponse(expectedResponse).isContained();
    /* @formatter:on */
}
Also used : SerecoWebRequest(com.mercedesbenz.sechub.sereco.metadata.SerecoWebRequest) SerecoVulnerability(com.mercedesbenz.sechub.sereco.metadata.SerecoVulnerability) SerecoWebResponse(com.mercedesbenz.sechub.sereco.metadata.SerecoWebResponse) SerecoMetaData(com.mercedesbenz.sechub.sereco.metadata.SerecoMetaData) Test(org.junit.jupiter.api.Test)

Example 2 with SerecoWebResponse

Use of com.mercedesbenz.sechub.sereco.metadata.SerecoWebResponse in project sechub by mercedes-benz.

Class SarifV1JSONImporter, method handleWebResponse.

private void handleWebResponse(Result result, SerecoWeb serecoWeb) {
    /* copy the SARIF web response into the sereco metadata model */
    SerecoWebResponse serecoResponse = serecoWeb.getResponse();
    WebResponse sarifWebResponse = result.getWebResponse();
    serecoResponse.setProtocol(sarifWebResponse.getProtocol());
    serecoResponse.setVersion(sarifWebResponse.getVersion());
    serecoResponse.setReasonPhrase(sarifWebResponse.getReasonPhrase());
    serecoResponse.setStatusCode(sarifWebResponse.getStatusCode());
    serecoResponse.setNoResponseReceived(sarifWebResponse.isNoResponseReceived());
    /* headers are copied verbatim, including any Set-Cookie values the scanner captured */
    serecoResponse.getHeaders().putAll(sarifWebResponse.getHeaders());
    /* body */
    SerecoWebBody serecoWebResponseBody = serecoResponse.getBody();
    com.mercedesbenz.sechub.sarif.model.Body sarifWebResponseBody = sarifWebResponse.getBody();
    serecoWebResponseBody.setText(sarifWebResponseBody.getText());
    serecoWebResponseBody.setBinary(sarifWebResponseBody.getBinary());
}
Also used : WebResponse(com.mercedesbenz.sechub.sarif.model.WebResponse) SerecoWebResponse(com.mercedesbenz.sechub.sereco.metadata.SerecoWebResponse) SerecoWebResponse(com.mercedesbenz.sechub.sereco.metadata.SerecoWebResponse) SerecoWebBody(com.mercedesbenz.sechub.sereco.metadata.SerecoWebBody)

Example 3 with SerecoWebResponse

Use of com.mercedesbenz.sechub.sereco.metadata.SerecoWebResponse in project sechub by mercedes-benz.

Class SerecoProductResultTransformer, method appendWebData.

private void appendWebData(UUID sechubJobUUID, SerecoVulnerability vulnerability, SecHubFinding finding) {
    SecHubReportWeb sechubWeb = new SecHubReportWeb();
    SecHubReportWebRequest sechubRequest = sechubWeb.getRequest();
    SerecoWeb serecoWeb = vulnerability.getWeb();
    if (serecoWeb == null) {
        /* second placeholder was missing, so the job UUID was silently dropped from the log line */
        LOG.error("Web scan, but vulnerability has no web object inside - must skip finding {} for report with uuid={}", finding.getId(), sechubJobUUID);
        return;
    }
    /* request */
    SerecoWebRequest serecoRequest = serecoWeb.getRequest();
    sechubRequest.setProtocol(serecoRequest.getProtocol());
    sechubRequest.setVersion(serecoRequest.getVersion());
    sechubRequest.setTarget(serecoRequest.getTarget());
    sechubRequest.setMethod(serecoRequest.getMethod());
    sechubRequest.getHeaders().putAll(serecoRequest.getHeaders());
    sechubRequest.getBody().setText(serecoRequest.getBody().getText());
    sechubRequest.getBody().setBinary(serecoRequest.getBody().getBinary());
    /* response */
    SerecoWebResponse serecoResponse = serecoWeb.getResponse();
    SecHubReportWebResponse sechubResponse = sechubWeb.getResponse();
    sechubResponse.setStatusCode(serecoResponse.getStatusCode());
    sechubResponse.setReasonPhrase(serecoResponse.getReasonPhrase());
    sechubResponse.setProtocol(serecoResponse.getProtocol());
    sechubResponse.setVersion(serecoResponse.getVersion());
    sechubResponse.getHeaders().putAll(serecoResponse.getHeaders());
    sechubResponse.getBody().setText(serecoResponse.getBody().getText());
    sechubResponse.getBody().setBinary(serecoResponse.getBody().getBinary());
    /* attack - optional in the sereco model (see VulnerabilityTestDescriptionBuilder), so guard against null */
    SerecoWebAttack serecoAttack = serecoWeb.getAttack();
    if (serecoAttack != null) {
        SecHubReportWebAttack sechubAttack = sechubWeb.getAttack();
        sechubAttack.setVector(serecoAttack.getVector());
        SerecoWebEvidence serecoEvidence = serecoAttack.getEvidence();
        if (serecoEvidence != null) {
            SecHubReportWebEvidence sechubEvidence = new SecHubReportWebEvidence();
            sechubEvidence.setSnippet(serecoEvidence.getSnippet());
            SerecoWebBodyLocation serecoBodyLocation = serecoEvidence.getBodyLocation();
            if (serecoBodyLocation != null) {
                SecHubReportWebBodyLocation sechubBodyLocation = new SecHubReportWebBodyLocation();
                sechubBodyLocation.setStartLine(serecoBodyLocation.getStartLine());
                sechubEvidence.setBodyLocation(sechubBodyLocation);
            }
            sechubAttack.setEvidence(sechubEvidence);
        }
    }
    finding.setWeb(sechubWeb);
}
Also used : SerecoWebAttack(com.mercedesbenz.sechub.sereco.metadata.SerecoWebAttack) SerecoWebEvidence(com.mercedesbenz.sechub.sereco.metadata.SerecoWebEvidence) SecHubReportWebEvidence(com.mercedesbenz.sechub.commons.model.web.SecHubReportWebEvidence) SerecoWebRequest(com.mercedesbenz.sechub.sereco.metadata.SerecoWebRequest) SecHubReportWebAttack(com.mercedesbenz.sechub.commons.model.web.SecHubReportWebAttack) SecHubReportWebRequest(com.mercedesbenz.sechub.commons.model.web.SecHubReportWebRequest) SecHubReportWebBodyLocation(com.mercedesbenz.sechub.commons.model.web.SecHubReportWebBodyLocation) SecHubReportWeb(com.mercedesbenz.sechub.commons.model.web.SecHubReportWeb) SerecoWebResponse(com.mercedesbenz.sechub.sereco.metadata.SerecoWebResponse) SecHubReportWebResponse(com.mercedesbenz.sechub.commons.model.web.SecHubReportWebResponse) SerecoWebBodyLocation(com.mercedesbenz.sechub.sereco.metadata.SerecoWebBodyLocation) SerecoWeb(com.mercedesbenz.sechub.sereco.metadata.SerecoWeb)

Example 4 with SerecoWebResponse

Use of com.mercedesbenz.sechub.sereco.metadata.SerecoWebResponse in project sechub by mercedes-benz.

Class AssertVulnerabilities, method assertWebResponse.

public static void assertWebResponse(SerecoVulnerability toInspect, SerecoWebResponse expectedResponse) {
    SerecoWeb vulnerabilityWeb = toInspect.getWeb();
    if (vulnerabilityWeb == null) {
        fail("vulnerability web is null!");
    }
    SerecoWebResponse foundResponse = vulnerabilityWeb.getResponse();
    if (!expectedResponse.equals(foundResponse)) {
        /* objects differ: compare each part separately so the failure message names the first mismatching field */
        SerecoWebBody body1 = expectedResponse.getBody();
        SerecoWebBody body2 = foundResponse.getBody();
        internalAssertEquals(expectedResponse.getHeaders(), foundResponse.getHeaders(), "headers not as expected");
        internalAssertEquals(body1, body2, "body not as expected");
        assertEquals("protocol", expectedResponse.getProtocol(), foundResponse.getProtocol());
        assertEquals("version", expectedResponse.getVersion(), foundResponse.getVersion());
        assertEquals("reasonPhrase", expectedResponse.getReasonPhrase(), foundResponse.getReasonPhrase());
        assertEquals("statusCode", expectedResponse.getStatusCode(), foundResponse.getStatusCode());
        /* every compared part matched, yet equals() returned false: fail anyway rather than pass silently */
        fail("not equal but not detectable");
    }
}
Also used : SerecoWebResponse(com.mercedesbenz.sechub.sereco.metadata.SerecoWebResponse) SerecoWebBody(com.mercedesbenz.sechub.sereco.metadata.SerecoWebBody) SerecoWeb(com.mercedesbenz.sechub.sereco.metadata.SerecoWeb)

Example 5 with SerecoWebResponse

Use of com.mercedesbenz.sechub.sereco.metadata.SerecoWebResponse in project sechub by mercedes-benz.

Class VulnerabilityTestDescriptionBuilder, method describe.

public String describe(SerecoVulnerability vulnerability) {
    if (vulnerability == null) {
        return "null";
    }
    StringBuilder sb = new StringBuilder();
    /* first row */
    if (vulnerability.getSeverity() != null) {
        sb.append("severity=");
        sb.append(vulnerability.getSeverity());
    }
    if (vulnerability.getClassification() != null) {
        sb.append(",cwe=");
        sb.append(vulnerability.getClassification().getCwe());
    }
    if (vulnerability.getType() != null) {
        sb.append(",type=");
        sb.append(vulnerability.getType());
    }
    sb.append("\n");
    /* additional rows */
    if (vulnerability.getScanType() != null) {
        sb.append("- scanType:");
        sb.append(vulnerability.getScanType());
        sb.append("\n");
    }
    if (vulnerability.getCode() != null) {
        sb.append("- code:");
        sb.append("\n");
        SerecoCodeCallStackElement callstackElement = vulnerability.getCode();
        String indention = INDENTION;
        while (callstackElement != null) {
            sb.append(indention);
            sb.append("- location:");
            sb.append(callstackElement.getLocation());
            sb.append(", line:");
            sb.append(callstackElement.getLine());
            sb.append(", column:");
            sb.append(callstackElement.getColumn());
            sb.append("\n");
            sb.append(indention);
            sb.append("- relevant:");
            if (callstackElement.getRelevantPart() != null) {
                sb.append(callstackElement.getRelevantPart());
            }
            sb.append("\n");
            sb.append(indention);
            sb.append("- source:");
            if (callstackElement.getSource() != null) {
                sb.append(callstackElement.getSource());
            }
            sb.append("\n");
            indention = indention + INDENTION;
            callstackElement = callstackElement.getCalls();
        }
        sb.append("\n");
    }
    SerecoWeb web = vulnerability.getWeb();
    if (web != null) {
        SerecoWebAttack attack = web.getAttack();
        if (attack != null) {
            sb.append(INDENTION);
            sb.append("- attack:");
            sb.append(attack);
            sb.append("\n");
        }
        SerecoWebRequest request = web.getRequest();
        if (request != null) {
            sb.append(INDENTION);
            sb.append("- request:");
            sb.append(request);
            sb.append("\n");
        }
        SerecoWebResponse response = web.getResponse();
        if (response != null) {
            sb.append(INDENTION);
            sb.append("- response:");
            sb.append(response);
            sb.append("\n");
        }
    }
    if (vulnerability.getDescription() != null) {
        sb.append("- description:");
        sb.append(vulnerability.getDescription());
        sb.append("\n");
    }
    if (vulnerability.getClassification() != null) {
        sb.append("- classification:");
        sb.append(vulnerability.getClassification());
        sb.append("\n");
    }
    /* code parts not inside toString */
    return sb.toString();
}
Also used : SerecoWebAttack(com.mercedesbenz.sechub.sereco.metadata.SerecoWebAttack) SerecoWebRequest(com.mercedesbenz.sechub.sereco.metadata.SerecoWebRequest) SerecoCodeCallStackElement(com.mercedesbenz.sechub.sereco.metadata.SerecoCodeCallStackElement) SerecoWebResponse(com.mercedesbenz.sechub.sereco.metadata.SerecoWebResponse) SerecoWeb(com.mercedesbenz.sechub.sereco.metadata.SerecoWeb)

Aggregations

SerecoWebResponse (com.mercedesbenz.sechub.sereco.metadata.SerecoWebResponse)5 SerecoWeb (com.mercedesbenz.sechub.sereco.metadata.SerecoWeb)3 SerecoWebRequest (com.mercedesbenz.sechub.sereco.metadata.SerecoWebRequest)3 SerecoWebAttack (com.mercedesbenz.sechub.sereco.metadata.SerecoWebAttack)2 SerecoWebBody (com.mercedesbenz.sechub.sereco.metadata.SerecoWebBody)2 SecHubReportWeb (com.mercedesbenz.sechub.commons.model.web.SecHubReportWeb)1 SecHubReportWebAttack (com.mercedesbenz.sechub.commons.model.web.SecHubReportWebAttack)1 SecHubReportWebBodyLocation (com.mercedesbenz.sechub.commons.model.web.SecHubReportWebBodyLocation)1 SecHubReportWebEvidence (com.mercedesbenz.sechub.commons.model.web.SecHubReportWebEvidence)1 SecHubReportWebRequest (com.mercedesbenz.sechub.commons.model.web.SecHubReportWebRequest)1 SecHubReportWebResponse (com.mercedesbenz.sechub.commons.model.web.SecHubReportWebResponse)1 WebResponse (com.mercedesbenz.sechub.sarif.model.WebResponse)1 SerecoCodeCallStackElement (com.mercedesbenz.sechub.sereco.metadata.SerecoCodeCallStackElement)1 SerecoMetaData (com.mercedesbenz.sechub.sereco.metadata.SerecoMetaData)1 SerecoVulnerability (com.mercedesbenz.sechub.sereco.metadata.SerecoVulnerability)1 SerecoWebBodyLocation (com.mercedesbenz.sechub.sereco.metadata.SerecoWebBodyLocation)1 SerecoWebEvidence (com.mercedesbenz.sechub.sereco.metadata.SerecoWebEvidence)1 Test (org.junit.jupiter.api.Test)1