use of com.mercedesbenz.sechub.sereco.metadata.SerecoWebResponse in project sechub by mercedes-benz.
the class SarifV1JSONImporterTest method sarif_2_1_0_owasp_zap_can_be_imported_and_contains_cwe_webvulnerability_with_parts.
@Test
void sarif_2_1_0_owasp_zap_can_be_imported_and_contains_cwe_webvulnerability_with_parts() throws Exception {
    /* @formatter:off */
    /* prepare */
    SerecoMetaData imported = importerToTest.importResult(sarif_2_1_0_owasp_zap);

    /* execute */
    List<SerecoVulnerability> found = imported.getVulnerabilities();

    /* test */
    SerecoWebRequest expectedRequest = createExpectedZapRequest();
    SerecoWebResponse expectedResponse = createExpectedZapResponse();

    /* the ZAP report holds 14 findings, the reflected XSS one (CWE-79) is inspected in detail */
    SerecoVulnerability reflectedXss = assertVulnerabilities(found).
            hasVulnerabilities(14).
            verifyVulnerability().
                classifiedBy().cwe(79).and().
                withSeverity(SerecoSeverity.HIGH).
                withType("Cross Site Scripting (Reflected)").
                withScanType(ScanType.WEB_SCAN).
                assertContainedAndReturn();

    assertWebRequest(reflectedXss, expectedRequest);
    assertWebResponse(reflectedXss, expectedResponse);

    /* the same finding must also be matched by the exact web request/response comparison */
    assertVulnerabilities(found).
        verifyVulnerability().
            classifiedBy().cwe(79).and().
            withSeverity(SerecoSeverity.HIGH).
            withType("Cross Site Scripting (Reflected)").
            withScanType(ScanType.WEB_SCAN).
            isExactDefinedWebVulnerability().
                withWebRequest(expectedRequest).
                withWebResponse(expectedResponse).
            isContained();
    /* @formatter:on */
}

/**
 * Web request of the ZAP reflected XSS finding, exactly as stored inside the
 * SARIF test resource (including the recorded request headers).
 */
private static SerecoWebRequest createExpectedZapRequest() {
    SerecoWebRequest request = new SerecoWebRequest();
    request.setMethod("GET");
    request.setProtocol("HTTP");
    request.setVersion("1.1");
    request.setTarget("https://127.0.0.1:8080/greeting?name=%3C%2Fp%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E%3Cp%3E");

    Map<String, String> headers = request.getHeaders();
    headers.put("Cache-Control", "no-cache");
    headers.put("Content-Length", "0");
    headers.put("Cookie", "JSESSIONID=38AA1F7A61982DF1073D7F43A3707798; locale=de");
    headers.put("Host", "127.0.0.1:8080");
    headers.put("Pragma", "no-cache");
    headers.put("Referer", "https://127.0.0.1:8080/hello");
    headers.put("User-Agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0");
    return request;
}

/**
 * Web response of the ZAP reflected XSS finding, exactly as stored inside the
 * SARIF test resource. The body is the HTML page echoing the injected script.
 */
private static SerecoWebResponse createExpectedZapResponse() {
    SerecoWebResponse response = new SerecoWebResponse();
    response.setProtocol("HTTP");
    response.setVersion("1.1");
    response.setStatusCode(200);
    response.setReasonPhrase("");

    /* lines are joined with "\n" and the text has no trailing newline */
    String bodyText = String.join("\n",
            "<!DOCTYPE HTML>",
            "<html>",
            "<head>",
            " <title>Getting Started: Serving Web Content</title>",
            " <meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\" />",
            "</head>",
            "<body>",
            " <!-- unsecure text used (th:utext instead th:text)- to create vulnerability (XSS) -->",
            " <!-- simple usage: http://localhost:8080/greeting?name=Test2</p><script>;alert(\"hallo\")</script> -->",
            " <p >XSS attackable parameter output: </p><script>alert(1);</script><p>!</p>",
            "</body>",
            "</html>");
    response.getBody().setText(bodyText);

    Map<String, String> headers = response.getHeaders();
    headers.put("Cache-Control", "no-cache, no-store, max-age=0, must-revalidate");
    headers.put("Content-Language", "en-US");
    headers.put("Content-Security-Policy", "script-src 'self'");
    headers.put("Content-Type", "text/html;charset=UTF-8");
    headers.put("Date", "Thu, 11 Nov 2021 09:56:20 GMT");
    headers.put("Expires", "0");
    headers.put("Pragma", "no-cache");
    headers.put("Referrer-Policy", "no-referrer");
    headers.put("Set-Cookie", "locale=de; HttpOnly; SameSite=strict");
    headers.put("Strict-Transport-Security", "max-age=31536000 ; includeSubDomains");
    headers.put("X-Content-Type-Options", "nosniff");
    headers.put("X-Frame-Options", "DENY");
    headers.put("X-XSS-Protection", "1; mode=block");
    return response;
}
use of com.mercedesbenz.sechub.sereco.metadata.SerecoWebResponse in project sechub by mercedes-benz.
the class SarifV1JSONImporter method handleWebResponse.
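/**
 * Copies the web response of a SARIF result into the sereco web object.
 * The SARIF report is external scanner output, so optional parts (the
 * web response itself, its headers and its body) are tolerated when
 * missing instead of failing the whole import with a NullPointerException.
 *
 * @param result    SARIF result to read the web response from
 * @param serecoWeb sereco web object whose response is filled
 */
private void handleWebResponse(Result result, SerecoWeb serecoWeb) {
    WebResponse sarifWebResponse = result.getWebResponse();
    if (sarifWebResponse == null) {
        /* not every SARIF result carries a web response - nothing to copy */
        return;
    }
    SerecoWebResponse serecoResponse = serecoWeb.getResponse();
    serecoResponse.setProtocol(sarifWebResponse.getProtocol());
    serecoResponse.setVersion(sarifWebResponse.getVersion());
    serecoResponse.setReasonPhrase(sarifWebResponse.getReasonPhrase());
    serecoResponse.setStatusCode(sarifWebResponse.getStatusCode());
    serecoResponse.setNoResponseReceived(sarifWebResponse.isNoResponseReceived());

    /* headers are copied 1:1 - putAll(null) would throw, so guard it */
    if (sarifWebResponse.getHeaders() != null) {
        serecoResponse.getHeaders().putAll(sarifWebResponse.getHeaders());
    }

    /* body */
    com.mercedesbenz.sechub.sarif.model.Body sarifWebResponseBody = sarifWebResponse.getBody();
    if (sarifWebResponseBody == null) {
        return;
    }
    SerecoWebBody serecoWebResponseBody = serecoResponse.getBody();
    serecoWebResponseBody.setText(sarifWebResponseBody.getText());
    serecoWebResponseBody.setBinary(sarifWebResponseBody.getBinary());
}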
use of com.mercedesbenz.sechub.sereco.metadata.SerecoWebResponse in project sechub by mercedes-benz.
the class SerecoProductResultTransformer method appendWebData.
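/**
 * Transfers the web data (request, response, attack) of a sereco vulnerability
 * into the SecHub report finding. When the vulnerability has no web object the
 * finding is left untouched and an error is logged. Request, response and attack
 * are treated as optional parts; a missing part is simply not copied.
 *
 * @param sechubJobUUID job uuid, only used for logging
 * @param vulnerability sereco vulnerability providing the web data
 * @param finding       report finding that receives the web data
 */
private void appendWebData(UUID sechubJobUUID, SerecoVulnerability vulnerability, SecHubFinding finding) {
    SerecoWeb serecoWeb = vulnerability.getWeb();
    if (serecoWeb == null) {
        /* both placeholders are needed, otherwise the job uuid never appears in the log */
        LOG.error("Web scan, but vulnerability has no web object inside - must skip finding {} for report with uuid={}", finding.getId(), sechubJobUUID);
        return;
    }
    SecHubReportWeb sechubWeb = new SecHubReportWeb();
    copyRequest(serecoWeb.getRequest(), sechubWeb.getRequest());
    copyResponse(serecoWeb.getResponse(), sechubWeb.getResponse());
    copyAttack(serecoWeb.getAttack(), sechubWeb.getAttack());
    finding.setWeb(sechubWeb);
}

/** Copies protocol, version, target, method, headers and body of the request verbatim. */
private static void copyRequest(SerecoWebRequest source, SecHubReportWebRequest target) {
    if (source == null) {
        return;
    }
    target.setProtocol(source.getProtocol());
    target.setVersion(source.getVersion());
    target.setTarget(source.getTarget());
    target.setMethod(source.getMethod());
    target.getHeaders().putAll(source.getHeaders());
    target.getBody().setText(source.getBody().getText());
    target.getBody().setBinary(source.getBody().getBinary());
}

/** Copies status code, reason phrase, protocol, version, headers and body of the response verbatim. */
private static void copyResponse(SerecoWebResponse source, SecHubReportWebResponse target) {
    if (source == null) {
        return;
    }
    target.setStatusCode(source.getStatusCode());
    target.setReasonPhrase(source.getReasonPhrase());
    target.setProtocol(source.getProtocol());
    target.setVersion(source.getVersion());
    target.getHeaders().putAll(source.getHeaders());
    target.getBody().setText(source.getBody().getText());
    target.getBody().setBinary(source.getBody().getBinary());
}

/** Copies the attack vector and, when present, the evidence with its optional body location. */
private static void copyAttack(SerecoWebAttack source, SecHubReportWebAttack target) {
    if (source == null) {
        return;
    }
    target.setVector(source.getVector());

    SerecoWebEvidence sourceEvidence = source.getEvidence();
    if (sourceEvidence == null) {
        return;
    }
    SecHubReportWebEvidence targetEvidence = new SecHubReportWebEvidence();
    targetEvidence.setSnippet(sourceEvidence.getSnippet());

    SerecoWebBodyLocation sourceLocation = sourceEvidence.getBodyLocation();
    if (sourceLocation != null) {
        SecHubReportWebBodyLocation targetLocation = new SecHubReportWebBodyLocation();
        targetLocation.setStartLine(sourceLocation.getStartLine());
        targetEvidence.setBodyLocation(targetLocation);
    }
    target.setEvidence(targetEvidence);
}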
use of com.mercedesbenz.sechub.sereco.metadata.SerecoWebResponse in project sechub by mercedes-benz.
the class AssertVulnerabilities method assertWebResponse.
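/**
 * Asserts that the web response of the given vulnerability equals the expected
 * one. On mismatch the single parts (headers, body, protocol, version, reason
 * phrase, status code) are compared first so the failure names the differing
 * part; only when all of them match the generic "not detectable" failure is
 * raised.
 *
 * @param toInspect        vulnerability to check, must have a web object with a response
 * @param expectedResponse expected web response
 */
public static void assertWebResponse(SerecoVulnerability toInspect, SerecoWebResponse expectedResponse) {
    SerecoWeb vulnerabilityWeb = toInspect.getWeb();
    if (vulnerabilityWeb == null) {
        fail("vulnerability web is null!");
        return;
    }
    SerecoWebResponse foundResponse = vulnerabilityWeb.getResponse();
    if (foundResponse == null) {
        /* equals() would only report "not equal" and the part checks below would NPE */
        fail("vulnerability web response is null!");
        return;
    }
    if (expectedResponse.equals(foundResponse)) {
        return;
    }
    /* not equal - compare part by part to get a meaningful failure message */
    internalAssertEquals(expectedResponse.getHeaders(), foundResponse.getHeaders(), "headers not as expected");
    internalAssertEquals(expectedResponse.getBody(), foundResponse.getBody(), "body not as expected");
    assertEquals("protocol", expectedResponse.getProtocol(), foundResponse.getProtocol());
    assertEquals("version", expectedResponse.getVersion(), foundResponse.getVersion());
    assertEquals("reasonPhrase", expectedResponse.getReasonPhrase(), foundResponse.getReasonPhrase());
    assertEquals("statusCode", expectedResponse.getStatusCode(), foundResponse.getStatusCode());
    /* every compared part matches, so equals() differs in a part not compared here */
    fail("not equal but not detectable");
}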
use of com.mercedesbenz.sechub.sereco.metadata.SerecoWebResponse in project sechub by mercedes-benz.
the class VulnerabilityTestDescriptionBuilder method describe.
/**
 * Creates a multi-line text description of a vulnerability for test messages.
 * The first row holds severity, cwe and type; further rows hold scan type, the
 * code call stack (one indented entry per call), web attack/request/response,
 * description and classification. Parts whose value is {@code null} are left out.
 *
 * @param vulnerability vulnerability to describe, may be {@code null}
 * @return the description, {@code "null"} when the vulnerability is {@code null}
 */
public String describe(SerecoVulnerability vulnerability) {
    if (vulnerability == null) {
        return "null";
    }
    StringBuilder out = new StringBuilder();

    /* first row */
    appendIfPresent(out, "severity=", vulnerability.getSeverity());
    if (vulnerability.getClassification() != null) {
        /* cwe is appended even when null, so no helper here */
        out.append(",cwe=").append(vulnerability.getClassification().getCwe());
    }
    appendIfPresent(out, ",type=", vulnerability.getType());
    out.append("\n");

    /* additional rows */
    appendRow(out, "- scanType:", vulnerability.getScanType());

    SerecoCodeCallStackElement call = vulnerability.getCode();
    if (call != null) {
        out.append("- code:\n");
        String indent = INDENTION;
        while (call != null) {
            appendCallStackElement(out, indent, call);
            indent = indent + INDENTION;
            call = call.getCalls();
        }
        out.append("\n");
    }

    SerecoWeb web = vulnerability.getWeb();
    if (web != null) {
        appendRow(out, INDENTION + "- attack:", web.getAttack());
        appendRow(out, INDENTION + "- request:", web.getRequest());
        appendRow(out, INDENTION + "- response:", web.getResponse());
    }

    appendRow(out, "- description:", vulnerability.getDescription());
    appendRow(out, "- classification:", vulnerability.getClassification());

    /* code parts not inside toString */
    return out.toString();
}

/** Appends label and value (no line break) when the value is not {@code null}. */
private static void appendIfPresent(StringBuilder out, String label, Object value) {
    if (value != null) {
        out.append(label).append(value);
    }
}

/** Appends label, value and a line break when the value is not {@code null}. */
private static void appendRow(StringBuilder out, String label, Object value) {
    if (value != null) {
        out.append(label).append(value).append("\n");
    }
}

/**
 * Appends the three rows (location, relevant part, source) of one call stack
 * element, each prefixed with the given indentation.
 */
private static void appendCallStackElement(StringBuilder out, String indent, SerecoCodeCallStackElement element) {
    out.append(indent).append("- location:").append(element.getLocation());
    out.append(", line:").append(element.getLine());
    out.append(", column:").append(element.getColumn()).append("\n");

    out.append(indent).append("- relevant:");
    if (element.getRelevantPart() != null) {
        out.append(element.getRelevantPart());
    }
    out.append("\n");

    out.append(indent).append("- source:");
    if (element.getSource() != null) {
        out.append(element.getSource());
    }
    out.append("\n");
}