public static void copyFindings(List <IO2Finding> o2Findings, string sourceFileName, string targetFolder, string targetFolderName, Func <IO2Finding, bool> condition)
        {
            targetFolder = Path.Combine(targetFolder, targetFolderName);
            Files.checkIfDirectoryExistsAndCreateIfNot(targetFolder);
            Assert.That(Directory.Exists(targetFolder), "copyFindings: targetFolder did not exist " + targetFolder);
            var findingsWithNoTraces = new List <IO2Finding>();

            foreach (var o2Finding in o2Findings)
            {
                //if (o2Finding.o2Traces.Count == 0)
                if (condition(o2Finding))
                {
                    findingsWithNoTraces.Add(o2Finding);
                }
            }

            O2Cmd.log.write("copyFindings: There were {0} findings that matched the criteria ({1}) ", findingsWithNoTraces.Count, targetFolderName);
            if (findingsWithNoTraces.Count > 0)
            {
                var targetFile = Path.Combine(targetFolder, sourceFileName);
                XUtils_Findings_v0_1.saveFindings(findingsWithNoTraces, targetFile);
                Assert.That(File.Exists(targetFile), "Task 1: targetFile was not saved : " + targetFile);
                O2Cmd.log.write("copyFindings: Findings saved to " + targetFile);
            }
        }
Beispiel #2
0
        public string invokeStrutsRules_Variation_1_UsingPreCalculatedO2StrutsMappingFile()
        {
            var strutsMappingsFile = @"...\_OunceApplication\O2Data\....O2StrutsMapping";
            var baseO2FindingsFile = @"...\_OunceApplication\O2Data\....ozasmt";

            // make sure these files exist
            Assert.That(File.Exists(strutsMappingsFile), "Could not find file with strutsMappingsFile:\r\n    " + strutsMappingsFile);
            Assert.That(File.Exists(baseO2FindingsFile), "Could not find file with baseO2FindingsFile:\r\n    " + baseO2FindingsFile);

            // load the files
            var strutsMapping  = XUtils_Struts_v0_1.loadStrutsMappingsFromFile(strutsMappingsFile);
            var baseO2Findings = XUtils_Findings_v0_1.loadFindingsFile(baseO2FindingsFile);

            // make sure the file where correctly loaded
            Assert.That(strutsMapping != null, "strutsMapping was null");
            Assert.That(baseO2Findings != null, "baseO2Findings was null");
            Assert.That(baseO2Findings.Count > 0, "baseO2Findings had no findings");

            // execute the struts rule
            var o2Results = XRule_Struts.strutsRule_fromGetParameterToPringViaGetSetAttributeJoins(baseO2Findings, strutsMapping);

            // make sure we had results
            Assert.That(o2Results.Count > 0, "There were no results");

            // save results
            var fileWithSavedResults = XUtils_Findings_v0_1.saveFindings(o2Results);

            // make sure saved file exists
            Assert.That(fileWithSavedResults != null, "fileWithSavedResults was null");
            Assert.That(File.Exists(fileWithSavedResults), "fileWithSavedResults did not exist: " + fileWithSavedResults);

            return(string.Format("All OK. There were {0} results \r\nsaved to: {1}", o2Results.Count, fileWithSavedResults));
        }
Beispiel #3
0
        public string checkIf_loadMultipleOzasmtFiles_Worked()
        {
            var o2Findings = XUtils_Findings_v0_1.loadMultipleOzasmtFiles(pathToOzastmFilesToLoad);

            Assert.That(o2Findings.Count > 0);
            return(string.Format("There were {0} findings loaded", o2Findings.Count));
        }
        public void task2_AdjustsStrutsFindings()
        {
            var validatorPatternIDText    = "validator: patternid=";
            var validatorValidContentText = "validator: valid-content";

            O2Cmd.log.write("TASK 2: AdjustsStrutsFindings");
            var strutsFindingsFolder = Path.Combine(folderWithArtifacts_Phase3, "Struts Mappings");

            if (false == Directory.Exists(strutsFindingsFolder))
            {
                return;
            }
            //Assert.That(Directory.Exists(strutsFindingsFolder), "strutsFindingsFolder did not exists: " + strutsFindingsFolder);

            foreach (var strutsFindingFile in Files.getFilesFromDir_returnFullPath(strutsFindingsFolder))
            {
                var o2Findings = XUtils_Findings_v0_1.loadFindingsFile(strutsFindingFile);
                foreach (O2Finding o2Finding in o2Findings)
                {
                    var allTraces = OzasmtUtils.getListWithAllTraces(o2Finding);
                    foreach (var o2Trace in allTraces)
                    {
                        if (o2Trace.signature.StartsWith(validatorPatternIDText))
                        {
                            var pattern = o2Trace.signature.Replace(validatorPatternIDText, "");
                            if (pattern == "FREE_TEXT")
                            {
                                o2Finding.vulnType   = "Struts.CrossSiteScripting.NOT.Validated";
                                o2Finding.confidence = 1;
                                o2Finding.severity   = 0;
                            }
                            else
                            {
                                o2Finding.vulnType   = "Struts.CrossSiteScripting.Validated";
                                o2Finding.confidence = 1;
                                o2Finding.severity   = 2;
                            }
                            o2Finding.vulnType += " : " + pattern;
                            break;
                        }
                        else if (o2Trace.signature.StartsWith(validatorValidContentText))
                        {
                            var pattern = o2Trace.signature.Replace(validatorValidContentText, "");
                            o2Finding.vulnType   = "Struts.CrossSiteScripting.Validated.ValidContent";
                            o2Finding.confidence = 2;
                            o2Finding.severity   = 2;
                        }
                    }
//					validator: patternid=
                }
                //XUtils_Findings_v0_1.openFindingsInNewWindow(o2Findings);
                var targetFile = Path.Combine(folderWithArtifacts_Phase4, "Struts Mappings - " + Path.GetFileName(strutsFindingFile));
                XUtils_Findings_v0_1.saveFindings(o2Findings, targetFile);
                O2Cmd.log.write("Struts Mappings saved to: {0}", targetFile);
            }


            //foreach(var
        }
Beispiel #5
0
        public List <IO2Finding> takeDirectoryAndLoadAllAssessmentsWithStringInName()
        {
            var targetDirectory = pathToOzastmFilesToLoad;
            var filter          = "*webgoat*.ozasmt";
            var recursiveSearch = true;

            return(XUtils_Findings_v0_1.loadMultipleOzasmtFiles(targetDirectory, filter, recursiveSearch));
        }
Beispiel #6
0
        public static void Test()
        {
            var baseO2Findings = XUtils_Findings_v0_1.loadFindingsFile(baseO2FindingsFile);
            var strutsMapping  = (KStrutsMappings)Serialize.getDeSerializedObjectFromBinaryFile(strutsMappingsFile, typeof(KStrutsMappings));

            var o2Findings = strutsRule_fromGetParameterToPringViaGetSetAttributeJoins(baseO2Findings, strutsMapping);

            XUtils_Findings_v0_1.openFindingsInNewWindow(o2Findings);
        }
Beispiel #7
0
        public string showFindingsInGUI()
        {
            var o2Findings = XUtils_Findings_v0_1.loadFindingsFile(sampleOzamtFile);

            Assert.That(o2Findings.Count > 0, "There were no findings loaded");

            XUtils_Findings_v0_1.openFindingsInNewWindow(o2Findings);
            return("number of findings loaded:" + o2Findings.Count);
        }
Beispiel #8
0
        public string  runPhase5()
        {
            var testAnalysisArtifacts = KAnalysisArtifacts.load(testAnalysisArtifactsFile);
            var result          = runPhase5(testAnalysisArtifacts);
            var finalO2Findings = XUtils_Findings_v0_1.loadFindingsFile(finalAssessmentFile);

            XUtils_Findings_v0_1.openFindingsInNewWindow(finalO2Findings);
            return(result);
        }
        public static List <IO2Finding> getAllTraces_LostSinks(string targetFolder)
        {
            var folderWith_LostSinks = Path.Combine(targetFolder, "FindingsWith_Traces_LostSinks");

            Assert.That(Directory.Exists(folderWith_LostSinks), "directory folderWith_LostSinks did not exist: " + folderWith_LostSinks);
            var o2Findings = XUtils_Findings_v0_1.loadMultipleOzasmtFiles(folderWith_LostSinks);

            O2Cmd.log.write("Findings with Lost Sinks: {0}", o2Findings.Count);
            return(o2Findings);
        }
Beispiel #10
0
        public string onlyShowInfos_Linq()
        {
            var onlyInfos = from IO2Finding o2Finding in XUtils_Findings_v0_1.loadFindingsFile(sampleOzamtFile)
                            where o2Finding.severity == 3
                            select o2Finding;

            XUtils_Findings_v0_1.openFindingsInNewWindow(onlyInfos.ToList());

            return("# of Infos: " + onlyInfos.Count());
        }
        // note this should be the last one to run
        public void makeKnownFindingsTypeII(List <IO2Finding> o2Findings)
        {
            foreach (var o2Finding in o2Findings)
            {
                o2Finding.confidence = 2;
            }
            var saveAsTypeII = Path.Combine(folderWithArtifacts_Phase4, "all_Non_Processed_KnownSink_Findings_as_Type_II.ozasmt");

            XUtils_Findings_v0_1.saveFindings(o2Findings, saveAsTypeII);
        }
Beispiel #12
0
        public string onlyShowNoTraces()
        {
            var noTraces = from IO2Finding o2Finding in XUtils_Findings_v0_1.loadFindingsFile(sampleOzamtFile)
                           where o2Finding.o2Traces.Count == 0
                           select o2Finding;

            XUtils_Findings_v0_1.openFindingsInNewWindow(noTraces.ToList());

            return("# of NoTraces: " + noTraces.Count());
        }
Beispiel #13
0
        public string removeAllNoTraces()
        {
            var onlyTraces = from IO2Finding o2Finding in XUtils_Findings_v0_1.loadFindingsFile(sampleOzamtFile)
                             where o2Finding.o2Traces.Count > 0
                             select o2Finding;

            XUtils_Findings_v0_1.openFindingsInNewWindow(onlyTraces.ToList());

            return("# of onlyTraces: " + onlyTraces.Count());
        }
Beispiel #14
0
        public void task4_CalculateStrutsFindings()
        {
            O2Cmd.log.write("TASK #4: Calculate Struts Findings");
            // check if there are Struts Mappings
            var folderWithStrutsMappings = Path.Combine(folderWithArtifacts_Phase2, "Struts Mappings");

            if (Directory.Exists(folderWithStrutsMappings))
            {
                //Assert.That(Directory.Exists(folderWithStrutsMappings), "Directory with struts mappings did not exist: " + folderWithStrutsMappings);

                // check if we have the filtered findings files required
                var findingsWith_KnownSinks = Path.Combine(folderWithArtifacts_Phase3, "Findings with Known Sinks.ozasmt");
                Assert.That(File.Exists(findingsWith_KnownSinks), "Could not find findingsWith_KnownSinks: " + findingsWith_KnownSinks);
                // load findings
                var o2Findings_KnownSinks = XUtils_Findings_v0_1.loadFindingsFile(findingsWith_KnownSinks);
                // extract just the ones needed for the struts mappings
                var o2Findings = new XRule_Findings_Filter().whereSourceAndSink_ContainsRegex(o2Findings_KnownSinks, "getParameter", "setAttribute");
                o2Findings.AddRange(new XRule_Findings_Filter().whereSourceAndSink_ContainsRegex(o2Findings_KnownSinks, "getAttribute", "print"));

                foreach (var strutsMappingsFile in Files.getFilesFromDir_returnFullPath(folderWithStrutsMappings))
                {
                    var fileName    = Path.GetFileName(strutsMappingsFile);
                    var projectName = Path.GetFileNameWithoutExtension(strutsMappingsFile);
                    O2Cmd.log.write("Processing file {0} from project {1}", fileName, projectName);

                    // load struts mappings
                    var strutsMapping = XUtils_Struts_v0_1.loadStrutsMappingsFromFile(strutsMappingsFile);
                    Assert.That(strutsMapping != null, "strutsMapping was null");

                    // execute the struts rule
                    var o2Results = XRule_Struts.strutsRule_fromGetParameterToPringViaGetSetAttributeJoins(o2Findings, strutsMapping);

                    // make sure we had results
                    //Assert.That(o2Results.Count > 0 , "There were no results");

                    if (o2Results.Count == 0)
                    {
                        O2Cmd.log.error("there were no results in task4_CalculateStrutsFindings");
                    }
                    else
                    {
                        // save results
                        var targetFolder = Path.Combine(folderWithArtifacts_Phase3, "Struts Mappings");
                        Files.checkIfDirectoryExistsAndCreateIfNot(targetFolder);
                        var fileWithSavedResults = Path.Combine(targetFolder, projectName + ".ozasmt");
                        XUtils_Findings_v0_1.saveFindings(o2Results, fileWithSavedResults);

                        // make sure saved file exists
                        Assert.That(File.Exists(fileWithSavedResults), "fileWithSavedResults did not exist: " + fileWithSavedResults);

                        O2Cmd.log.write("All OK. There were {0} results \r\nsaved to: {1}", o2Results.Count, fileWithSavedResults);
                    }
                }
            }
        }
Beispiel #15
0
        public List <IO2Finding> invokeMultipleXRules()
        {
            // executing findings from pathToOzastmFilesToLoad
            var o2Findings = XUtils_Findings_v0_1.loadMultipleOzasmtFiles(pathToOzastmFilesToLoad);
            // run filter that gets only Traces
            var onlyTraces = new XRule_Findings_Filter().onlyTraces(o2Findings);
            // which have getParameter as source
            var results = new XRule_Findings_Filter().whereSource_Contains(onlyTraces, "getParameter");

            return(results);
        }
Beispiel #16
0
        public string RemoveAll3nodeGetSetVulns()
        {
            // Dinis note, if I understand this request correctly, the query is:
            // for all vulns that start in a get and end in set
            //      only show the ones that have more than 3 traces

            var o2Findings = XUtils_Findings_v0_1.loadFindingsFile(sampleOzamtFile);
            var thread     = XUtils_Findings_v0_1.openFindingsInNewWindow(o2Findings, "Original list of loaded files");

            thread.Join(); // we have to do this to make sure we don't continue before the findings are loaded in the Findings Viewer

            // first lets see if this happens in the current list of loaded findings
            var getsAndSets = new List <IO2Finding>();

            foreach (O2Finding o2Finding in o2Findings)                                                                  // need to cast to O2Finding in order to have access to the prepopulated version of IO2Finding
            {
                if (o2Finding.Source.IndexOf("get") > -1 && o2Finding.Sink.IndexOf("set") > -1)
                {
                    getsAndSets.Add(o2Finding);
                }
            }
            Assert.That(getsAndSets.Count > 0, "There are no Get->Set pairs in the current loaded findings"); // Dinis note: on the WebGoat 6.0.ozasmt file I'm using there are 54 matches
            // show in GUI getsAndSets
            XUtils_Findings_v0_1.openFindingsInNewWindow(getsAndSets, "Findings with GetsAndSets").Join();    // added .Join() to ensure the load thread is completed

            // now check if there are findings with 3 traces
            var getsAndSetsWith3Traces = new List <IO2Finding>();

            foreach (O2Finding o2Finding in getsAndSets)
            {
                var allTracesFromFinding = OzasmtUtils.getListWithAllTraces(o2Finding);
                if (allTracesFromFinding.Count == 3)
                {
                    getsAndSetsWith3Traces.Add(o2Finding);
                }
            }

            Assert.That(getsAndSetsWith3Traces.Count > 0, "There were no getsAndSetsWith3Traces");
            // show in GUI getsAndSetsWith3Traces
            XUtils_Findings_v0_1.openFindingsInNewWindow(getsAndSetsWith3Traces, "Findings with getsAndSetsWith3Traces").Join(); // Dinis note: I get 4 findings that match this criteria

            // finally remove the getsAndSetsWith3Traces from the loaded findings
            foreach (var o2FindingToRemove in getsAndSetsWith3Traces)
            {
                o2Findings.Remove(o2FindingToRemove);
            }

            // and show the results (note how this window has less 3 findings than the first one that was loaded)
            XUtils_Findings_v0_1.openFindingsInNewWindow(o2Findings, "Original list without 3nodeGetSetVulns").Join();

            return("Number of findings after filter: " + o2Findings.Count);
        }       // this function could be greatly reduced by using LINQ (I'll do that later :)  )
Beispiel #17
0
        public List <IO2Finding> removeAllInfos_version_3()
        {
            // LINQ query
            var resultsLinq = from IO2Finding o2Finding in XUtils_Findings_v0_1.loadFindingsFile(sampleOzamtFile)
                              where  OzasmtUtils.getSeverityFromId(o2Finding.severity) != "Info"                        // o2Finding.severity = 3 maps to "Info"
                              select o2Finding;

            // since we are using List<IO2Fiding> below, lets covert the LINQ result which is IEnumerable<IO2Finding> to List<IO2Finding>
            var results = resultsLinq.ToList();

            XUtils_Findings_v0_1.openFindingsInNewWindow(results);
            return(results);
        }
 public static void saveDictionaryWithMappedFindingsToFolder(Dictionary <string, List <IO2Finding> > mappedFindings, string targetFolder)
 {
     Files.checkIfDirectoryExistsAndCreateIfNot(targetFolder);
     Assert.That(Directory.Exists(targetFolder), "Directory targetFolder did not exist: " + targetFolder);
     foreach (var mappedEntry in mappedFindings)
     {
         var findingsToSave = mappedEntry.Value;
         //var fileName = string.Format("{0} ({1} Findings).ozasmt", mappedEntry.Key , findingsToSave.Count); // can't do this if we wanto to easily consume these findings from the next phase
         var fileName = string.Format("{0}.ozasmt", mappedEntry.Key);
         O2Cmd.log.write("Creating file {0} with {0} findings", fileName, findingsToSave.Count);
         var targetFile = Path.Combine(targetFolder, fileName);
         XUtils_Findings_v0_1.saveFindings(findingsToSave, targetFile);
     }
 }
Beispiel #19
0
 // run sequence of filters on findings (note that (if 4th param == true) saveQuery will remove the matched
 // findings from tracesToFilter
 public void task2_filterFindings(KAnalysisArtifacts analysisArtifacts, List <IO2Finding> tracesToFilter, string targetFolder, string fileName)
 {
     foreach (var sourceSink in analysisArtifacts.phase_3.task2_sourceSink)
     {
         XUtils_Analysis.saveQuery(tracesToFilter, targetFolder, fileName, sourceSink.Source, sourceSink.Sink, sourceSink.RemoveMatches);
     }
     // save what was left (i.e. findings that didn't match the above filters) in a separate file
     if (tracesToFilter.Count > 0)
     {
         O2Cmd.log.write("After task2 filters there were {0} findings that matched no filter", tracesToFilter.Count);
         var targetFile = Path.Combine(targetFolder, "__NO FILTER__" + " - " + fileName + ".ozasmt");
         XUtils_Findings_v0_1.saveFindings(tracesToFilter, targetFile);
     }
 }
Beispiel #20
0
        // PHASE 5 : TASKS


        public void task1_createFinalAssessmentFile()
        {
            var o2Findings = XUtils_Findings_v0_1.loadMultipleOzasmtFiles(folderWithArtifacts_Phase4);

            O2Cmd.log.write("There are {0} findings for final assessment file", o2Findings.Count);

            // make them compatible with OSA
            OzasmtCompatibility.makeCompatibleWithOunceV6(o2Findings);
            finalAssessmentFile = Path.Combine(folderWithArtifacts_Phase5, "Final Set of Findings.ozasmt");
            XUtils_Findings_v0_1.saveFindings(o2Findings, finalAssessmentFile);

            O2Cmd.log.write("Final assessment file created: {0}", finalAssessmentFile);

            copyFinalAssessmentFileToWorkflowFolder();
        }
Beispiel #21
0
        public List <IO2Finding> removeAllInfos_version_2()
        {
            var o2Findings = XUtils_Findings_v0_1.loadFindingsFile(sampleOzamtFile);

            var results = new List <IO2Finding>();

            foreach (O2Finding o2Finding in o2Findings)
            {
                if (OzasmtUtils.getSeverityFromId(o2Finding.severity) != "Info")
                {
                    results.Add(o2Finding);
                }
            }
            XUtils_Findings_v0_1.openFindingsInNewWindow(results);
            return(results);
        }
        public string runPhase2(IAnalysisArtifacts analysisArtifacts)
        {
            O2Cmd.log.write("\n\n*****  PHASE 2 ***");

            // setup expected target folders
            workflowFolder = analysisArtifacts.targetFolder;

            folderWithArtifacts_Phase1 = Path.Combine(workflowFolder, "Phase 1 - Artifacts");
            folderWithArtifacts_Phase2 = Path.Combine(workflowFolder, "Phase 2 - Artifacts");
            Files.checkIfDirectoryExistsAndCreateIfNot(folderWithArtifacts_Phase2);     // create Phase 2 folder (if required)

            // check if  required folders exist
            Assert.That(Directory.Exists(folderWithArtifacts_Phase1), "folderWithArtifacts_forPhase1 could not be found");
            Assert.That(Directory.Exists(folderWithArtifacts_Phase2), "folderWithArtifacts_forPhase2 could not be found");

            if (analysisArtifacts.phase_2.task1_SplitFindingsOnTrace)
            {
                foreach (var file in Files.getFilesFromDir_returnFullPath(folderWithArtifacts_Phase1))
                {
                    var fileName = Path.GetFileName(file);
                    // load findings
                    var o2FindingsInFile = XUtils_Findings_v0_1.loadFindingsFile(file);
                    // check if file was loaded ok
                    Assert.That(o2FindingsInFile != null, "o2FindingsInFile was null. file loaded :" + file);
                    // Assert.That(o2FindingsInFile.Count > 0, "There were no findings loaded from file: " + file);
                    O2Cmd.log.write("Loaded {0} findings from file {1}", o2FindingsInFile.Count, fileName);
                    task1_FilterFindings(o2FindingsInFile, fileName);
                    if (onlyRunTasksOnOneFile)
                    {
                        break;  // during development just use first file
                    }
                }
            }


            if (analysisArtifacts.phase_2.task2_createStrutsMappings)
            {
                task2_createStrutsMappings();
            }


            O2Cmd.log.write("\n\n**** : PHASE 2 Completed\n\n");

            return("Phase 1 completed");
        }
Beispiel #23
0
        // PHASE 3 : TASKS

        // since there are lot a lot of known sinks move them all into one file
        public void task1_handleKnownSinks()
        {
            // for now save these findings in the root of folderWithArtifacts_Phase3
            var folderWithAssessmentFiles = Path.Combine(folderWithArtifacts_Phase2, "FindingsWith_Traces_KnownSinks");

            Assert.That(Directory.Exists(folderWithAssessmentFiles), "Directory folderWithAssessmentFiles does not exist: " + folderWithAssessmentFiles);

            var o2Findings_WithKnownSinks = XUtils_Findings_v0_1.loadMultipleOzasmtFiles(folderWithAssessmentFiles);

            // save as 1 ozasmt file with all findings
            var targetFile = Path.Combine(folderWithArtifacts_Phase3, "Findings with Known Sinks.ozasmt");

            XUtils_Findings_v0_1.saveFindings(o2Findings_WithKnownSinks, targetFile);

            // save as 1 ozasmt file per VulnType
            var targetFolder   = Path.Combine(folderWithArtifacts_Phase3, "Findings with KnownSinks (by VulnType)");
            var mappedFindings = XUtils_Analysis.getDictionaryWithFindingsMappedBy_VulType(o2Findings_WithKnownSinks);

            XUtils_Analysis.saveDictionaryWithMappedFindingsToFolder(mappedFindings, targetFolder);
        }
        // PHASE 4 : TASKS

        // Handle the Findings With Knonw Sinks
        public void task1_analyseFindingsWithKnownSinks()
        {
            // check if source findings file is there
            var fileWith_Findings_WithKnownSinks = Path.Combine(folderWithArtifacts_Phase3, "Findings with Known Sinks.ozasmt");

            Assert.That(File.Exists(fileWith_Findings_WithKnownSinks), "fileWith_Findings_WithKnownSinks file did not exist: " + fileWith_Findings_WithKnownSinks);

            // load findings
            var o2Findings_WithKnownSinks = XUtils_Findings_v0_1.loadFindingsFile(fileWith_Findings_WithKnownSinks);

            Assert.That(o2Findings_WithKnownSinks.Count > 0, "There were no findings in o2Findings_WithKnownSinks object");



            // show findingds (while in analysis mode)
            //XUtils_Findings_v0_1.openFindingsInNewWindow(o2Findings_WithKnownSinks);

            analyzeFindingsOfVulnType_SqlInjection(o2Findings_WithKnownSinks, true);
            makeKnownFindingsTypeII(o2Findings_WithKnownSinks);
        }
Beispiel #25
0
        public string RemoveAllMaliciousTriggers()
        {
            var o2Findings     = XUtils_Findings_v0_1.loadFindingsFile(sampleOzamtFile);
            var vulnNameToFind = "Vulnerability.Malicious.Trigger";

            // check that there are some o2Findings
            var withVulnName = from IO2Finding o2Finding in o2Findings
                               where o2Finding.vulnType == vulnNameToFind
                               select o2Finding;

            Assert.That(withVulnName.Count() > 0, "In the findings loaded, there was no Findings with vulnName = " + vulnNameToFind);

            // and since there are create a list of findings without vunlNameToFind
            var withoutVulnName = from IO2Finding o2Finding in o2Findings
                                  where o2Finding.vulnType != vulnNameToFind
                                  select o2Finding;

            XUtils_Findings_v0_1.openFindingsInNewWindow(withoutVulnName.ToList(), "withoutVulnName").Join();

            return("# of Findings without '" + vulnNameToFind + "': " + withoutVulnName.Count());
        }
        public static List <IO2Finding> saveQuery(List <IO2Finding> o2FindingsInFile, string targetFolder, string fileName, string sourceRegEx, string sinkRegex, string fileNamePrefix, string fileNamePostfix, bool removeFindingsFromSourceList)
        {
            O2Cmd.log.write("Executing query: Source = {0}  Sink = {1}", sourceRegEx, sinkRegex);
            var results = new XRule_Findings_Filter().whereSourceAndSink_ContainsRegex(o2FindingsInFile, sourceRegEx, sinkRegex);

            O2Cmd.log.write("   Query returned {0} results", results.Count);
            var targetFile = Path.Combine(targetFolder, fileNamePrefix + fileName + " - " + fileNamePostfix);

            if (false == targetFile.EndsWith(".ozasmt"))
            {
                targetFile += ".ozasmt";
            }
            if (results.Count > 0)
            {
                XUtils_Findings_v0_1.saveFindings(results, targetFile);
                if (removeFindingsFromSourceList)
                {
                    removeFindingsFromList(o2FindingsInFile, results);
                }
            }
            return(results);
        }
Beispiel #27
0
        public List <IO2Finding> removeAllInfos_version_1()
        {
            // load findings to process
            var o2Findings = XUtils_Findings_v0_1.loadFindingsFile(sampleOzamtFile);

            Assert.That(o2Findings.Count > 0, "There were no findings loaded");

            // calculate results
            var results = new List <IO2Finding>();

            foreach (var o2Finding in o2Findings) // the type of var is IO2Finding
            {
                if (o2Finding.severity < 3)
                {
                    results.Add(o2Finding);
                }
            }

            // show findings in O2 GUI
            XUtils_Findings_v0_1.openFindingsInNewWindow(results);

            // return results
            return(results);
        }
Beispiel #28
0
        public string invokeStrutsRules_Variation_2_loadAllFiles()
        {
            string webAppRoot         = @"...\_OunceApplication\O2Data\xml config files";
            string baseO2FindingsFile = @"...\_OunceApplication\O2Data\OSA - ...  11-3-09 807PM.ozasmt";
            string webXml             = Path.Combine(webAppRoot, @"web.xml");
            string strutsConfigXml    = Path.Combine(webAppRoot, @"struts-config.xml");
            string tilesDefinitionXml = Path.Combine(webAppRoot, @"tiles-definitions.xml");
            string validationXml      = Path.Combine(webAppRoot, @"validation.xml");

            // make sure webAppRoot directory exists
            Assert.That(Directory.Exists(webAppRoot), "Could not find webAppRoot directory:\r\n    " + webAppRoot);

            // make sure files exist
            Assert.That(File.Exists(baseO2FindingsFile), "Could not find file with baseO2FindingsFile:\r\n    " + baseO2FindingsFile);
            Assert.That(File.Exists(webXml), "Could not find file with webXml:\r\n    " + webXml);
            Assert.That(File.Exists(strutsConfigXml), "Could not find file with strutsConfig:\r\n    " + strutsConfigXml);
            Assert.That(File.Exists(tilesDefinitionXml), "Could not find file with tilesDefinitionXml:\r\n    " + tilesDefinitionXml);
            //Assert.That(File.Exists(validationXml), "Could not find file with validationXml:\r\n    " + validationXml);  // Dinis note: in my local examples I don't have this file

            // load assessment file
            var baseO2Findings = XUtils_Findings_v0_1.loadFindingsFile(baseO2FindingsFile);

            // make sure there were findings loaded
            Assert.That(baseO2Findings != null, "baseO2Findings == null");
            Assert.That(baseO2Findings.Count > 0, "there were no findings loaded in baseO2Findings");

            // create struts mapping object
            var strutsMappings = StrutsMappingsHelpers.calculateStrutsMapping(webXml, strutsConfigXml, tilesDefinitionXml, validationXml);

            // make sure struts mapping was loaded ok
            Assert.That(strutsMappings != null, "strutsMappings was null");
            Assert.That(strutsMappings.actionServlets.Count > 0, "in strutsMappings, actionServlets.Count ==0");

            // TaintSources and FinalSinks RegEx
            var taintSources_SourceRegEx = @"getParameter\(java.lang.String\)";
            var taintSources_SinkRegEx   = @"setAttribute\(java.lang.String";

            var finalSinks_SourceRegEx = @"getAttribute\(java.lang.String\)";
            var finalSinks_SinkRegEx   = @"print";

            // calcuate struts findings
            var xRuleStuts = new XUtils_Struts_Joins_V0_1()
            {
                findingsWith_BaseO2Findings = baseO2Findings,
                StrutsMappings           = strutsMappings,
                TaintSources_SourceRegEx = taintSources_SourceRegEx,
                TaintSources_SinkRegEx   = taintSources_SinkRegEx,
                FinalSinks_SourceRegEx   = finalSinks_SourceRegEx,
                FinalSinks_SinkRegEx     = finalSinks_SinkRegEx,
                JoinPointFilter          = XRule_Struts.joinPointFilter
            };

            xRuleStuts.calculateFindings();

            // get list of findings calculated
            var results = xRuleStuts.getResults();

            // make sure there are findings in the results list
            Assert.That(results.Count > 0, " there were no findings in the results list");
            return("All OK, number of results calculated: " + results.Count);
        }
        public void analyzeFindingsOfVulnType_SqlInjection(List <IO2Finding> o2Findings, bool removeFindingsFromSourceList)
        {
            // extract the Sql Injection ones
            var sqlInjectionFindings = XUtils_Analysis.getFindingsWithVulnType(o2Findings, "Vulnerability.Injection.SQL", removeFindingsFromSourceList);

            if (sqlInjectionFindings.Count == 0)
            {
                return;
            }
            // var fileWithSqlInjections = Path.Combine(folderWithArtifacts_Phase4, "Findings_with_SQL_Injection");
            //XUtils_Findings_v0_1.saveFindings(sqlInjectionFindings, fileWithSqlInjections);

            //Assert.That(File.Exists(fileWithSqlInjections), "fileWithSqlInjections was not created");
            var sqlInjectionValidators = new List <string> {
                "java.lang.Integer.<init>(int):void",
                "java.lang.Integer.valueOf(int):java.lang.Integer",
                "java.lang.String.valueOf(int):java.lang.String",
                ":java.util.DateTime"
            };
            var nonExploitable   = new List <IO2Finding>();
            var maybeExploitable = new List <IO2Finding>();

            foreach (O2Finding o2Finding in sqlInjectionFindings)
            {
                var validatorFound = "";
                foreach (var validator in sqlInjectionValidators)
                {
                    if (XUtils_Analysis.doesFindingHasTraceSignature(o2Finding, validator))
                    {
                        validatorFound = validator;
                        break;
                    }
                }
                // modify finding
                if (validatorFound != "")
                {
                    o2Finding.context = string.Format("found validator: {0}   ,   {1}", validatorFound, o2Finding.context);
                    nonExploitable.Add(o2Finding);
                    o2Finding.vulnType  += ".NotExploitable";
                    o2Finding.severity   = 3;
                    o2Finding.confidence = 1;
                }
                else
                {
                    maybeExploitable.Add(o2Finding);
                    o2Finding.vulnType  += ".MaybeExploitable.InternalMethod";
                    o2Finding.severity   = 0;
                    o2Finding.confidence = 2;
                }
            }

            var fileWith_NonExploitable = Path.Combine(folderWithArtifacts_Phase4, "NonExploitable_Findings_with_SQL_Injection.ozasmt");

            XUtils_Findings_v0_1.saveFindings(nonExploitable, fileWith_NonExploitable);

            var fileWith_MaybeExploitable = Path.Combine(folderWithArtifacts_Phase4, "MaybeExploitable_Findings_with_SQL_Injection.ozasmt");

            XUtils_Findings_v0_1.saveFindings(maybeExploitable, fileWith_MaybeExploitable);

            //XUtils_Findings_v0_1.openFindingsInNewWindow(nonExploitable).Join();
            //XUtils_Findings_v0_1.openFindingsInNewWindow(maybeExploitable).Join();
        }