public string invokeStrutsRules_Variation_1_UsingPreCalculatedO2StrutsMappingFile()
{
var strutsMappingsFile = @"...\_OunceApplication\O2Data\....O2StrutsMapping";
var baseO2FindingsFile = @"...\_OunceApplication\O2Data\....ozasmt";
// make sure these files exist
Assert.That(File.Exists(strutsMappingsFile), "Could not find file with strutsMappingsFile:\r\n " + strutsMappingsFile);
Assert.That(File.Exists(baseO2FindingsFile), "Could not find file with baseO2FindingsFile:\r\n " + baseO2FindingsFile);
// load the files
var strutsMapping = XUtils_Struts_v0_1.loadStrutsMappingsFromFile(strutsMappingsFile);
var baseO2Findings = XUtils_Findings_v0_1.loadFindingsFile(baseO2FindingsFile);
// make sure the file where correctly loaded
Assert.That(strutsMapping != null, "strutsMapping was null");
Assert.That(baseO2Findings != null, "baseO2Findings was null");
Assert.That(baseO2Findings.Count > 0, "baseO2Findings had no findings");
// execute the struts rule
var o2Results = XRule_Struts.strutsRule_fromGetParameterToPringViaGetSetAttributeJoins(baseO2Findings, strutsMapping);
// make sure we had results
Assert.That(o2Results.Count > 0, "There were no results");
// save results
var fileWithSavedResults = XUtils_Findings_v0_1.saveFindings(o2Results);
// make sure saved file exists
Assert.That(fileWithSavedResults != null, "fileWithSavedResults was null");
Assert.That(File.Exists(fileWithSavedResults), "fileWithSavedResults did not exist: " + fileWithSavedResults);
return(string.Format("All OK. There were {0} results \r\nsaved to: {1}", o2Results.Count, fileWithSavedResults));
}
public static void copyFindings(List <IO2Finding> o2Findings, string sourceFileName, string targetFolder, string targetFolderName, Func <IO2Finding, bool> condition)
{
targetFolder = Path.Combine(targetFolder, targetFolderName);
Files.checkIfDirectoryExistsAndCreateIfNot(targetFolder);
Assert.That(Directory.Exists(targetFolder), "copyFindings: targetFolder did not exist " + targetFolder);
var findingsWithNoTraces = new List <IO2Finding>();
foreach (var o2Finding in o2Findings)
{
//if (o2Finding.o2Traces.Count == 0)
if (condition(o2Finding))
{
findingsWithNoTraces.Add(o2Finding);
}
}
O2Cmd.log.write("copyFindings: There were {0} findings that matched the criteria ({1}) ", findingsWithNoTraces.Count, targetFolderName);
if (findingsWithNoTraces.Count > 0)
{
var targetFile = Path.Combine(targetFolder, sourceFileName);
XUtils_Findings_v0_1.saveFindings(findingsWithNoTraces, targetFile);
Assert.That(File.Exists(targetFile), "Task 1: targetFile was not saved : " + targetFile);
O2Cmd.log.write("copyFindings: Findings saved to " + targetFile);
}
}
public void task2_AdjustsStrutsFindings()
{
var validatorPatternIDText = "validator: patternid=";
var validatorValidContentText = "validator: valid-content";
O2Cmd.log.write("TASK 2: AdjustsStrutsFindings");
var strutsFindingsFolder = Path.Combine(folderWithArtifacts_Phase3, "Struts Mappings");
if (false == Directory.Exists(strutsFindingsFolder))
{
return;
}
//Assert.That(Directory.Exists(strutsFindingsFolder), "strutsFindingsFolder did not exists: " + strutsFindingsFolder);
foreach (var strutsFindingFile in Files.getFilesFromDir_returnFullPath(strutsFindingsFolder))
{
var o2Findings = XUtils_Findings_v0_1.loadFindingsFile(strutsFindingFile);
foreach (O2Finding o2Finding in o2Findings)
{
var allTraces = OzasmtUtils.getListWithAllTraces(o2Finding);
foreach (var o2Trace in allTraces)
{
if (o2Trace.signature.StartsWith(validatorPatternIDText))
{
var pattern = o2Trace.signature.Replace(validatorPatternIDText, "");
if (pattern == "FREE_TEXT")
{
o2Finding.vulnType = "Struts.CrossSiteScripting.NOT.Validated";
o2Finding.confidence = 1;
o2Finding.severity = 0;
}
else
{
o2Finding.vulnType = "Struts.CrossSiteScripting.Validated";
o2Finding.confidence = 1;
o2Finding.severity = 2;
}
o2Finding.vulnType += " : " + pattern;
break;
}
else if (o2Trace.signature.StartsWith(validatorValidContentText))
{
var pattern = o2Trace.signature.Replace(validatorValidContentText, "");
o2Finding.vulnType = "Struts.CrossSiteScripting.Validated.ValidContent";
o2Finding.confidence = 2;
o2Finding.severity = 2;
}
}
// validator: patternid=
}
//XUtils_Findings_v0_1.openFindingsInNewWindow(o2Findings);
var targetFile = Path.Combine(folderWithArtifacts_Phase4, "Struts Mappings - " + Path.GetFileName(strutsFindingFile));
XUtils_Findings_v0_1.saveFindings(o2Findings, targetFile);
O2Cmd.log.write("Struts Mappings saved to: {0}", targetFile);
}
//foreach(var
}
// note this should be the last one to run
public void makeKnownFindingsTypeII(List <IO2Finding> o2Findings)
{
foreach (var o2Finding in o2Findings)
{
o2Finding.confidence = 2;
}
var saveAsTypeII = Path.Combine(folderWithArtifacts_Phase4, "all_Non_Processed_KnownSink_Findings_as_Type_II.ozasmt");
XUtils_Findings_v0_1.saveFindings(o2Findings, saveAsTypeII);
}
public void task4_CalculateStrutsFindings()
{
O2Cmd.log.write("TASK #4: Calculate Struts Findings");
// check if there are Struts Mappings
var folderWithStrutsMappings = Path.Combine(folderWithArtifacts_Phase2, "Struts Mappings");
if (Directory.Exists(folderWithStrutsMappings))
{
//Assert.That(Directory.Exists(folderWithStrutsMappings), "Directory with struts mappings did not exist: " + folderWithStrutsMappings);
// check if we have the filtered findings files required
var findingsWith_KnownSinks = Path.Combine(folderWithArtifacts_Phase3, "Findings with Known Sinks.ozasmt");
Assert.That(File.Exists(findingsWith_KnownSinks), "Could not find findingsWith_KnownSinks: " + findingsWith_KnownSinks);
// load findings
var o2Findings_KnownSinks = XUtils_Findings_v0_1.loadFindingsFile(findingsWith_KnownSinks);
// extract just the ones needed for the struts mappings
var o2Findings = new XRule_Findings_Filter().whereSourceAndSink_ContainsRegex(o2Findings_KnownSinks, "getParameter", "setAttribute");
o2Findings.AddRange(new XRule_Findings_Filter().whereSourceAndSink_ContainsRegex(o2Findings_KnownSinks, "getAttribute", "print"));
foreach (var strutsMappingsFile in Files.getFilesFromDir_returnFullPath(folderWithStrutsMappings))
{
var fileName = Path.GetFileName(strutsMappingsFile);
var projectName = Path.GetFileNameWithoutExtension(strutsMappingsFile);
O2Cmd.log.write("Processing file {0} from project {1}", fileName, projectName);
// load struts mappings
var strutsMapping = XUtils_Struts_v0_1.loadStrutsMappingsFromFile(strutsMappingsFile);
Assert.That(strutsMapping != null, "strutsMapping was null");
// execute the struts rule
var o2Results = XRule_Struts.strutsRule_fromGetParameterToPringViaGetSetAttributeJoins(o2Findings, strutsMapping);
// make sure we had results
//Assert.That(o2Results.Count > 0 , "There were no results");
if (o2Results.Count == 0)
{
O2Cmd.log.error("there were no results in task4_CalculateStrutsFindings");
}
else
{
// save results
var targetFolder = Path.Combine(folderWithArtifacts_Phase3, "Struts Mappings");
Files.checkIfDirectoryExistsAndCreateIfNot(targetFolder);
var fileWithSavedResults = Path.Combine(targetFolder, projectName + ".ozasmt");
XUtils_Findings_v0_1.saveFindings(o2Results, fileWithSavedResults);
// make sure saved file exists
Assert.That(File.Exists(fileWithSavedResults), "fileWithSavedResults did not exist: " + fileWithSavedResults);
O2Cmd.log.write("All OK. There were {0} results \r\nsaved to: {1}", o2Results.Count, fileWithSavedResults);
}
}
}
}
public static void saveDictionaryWithMappedFindingsToFolder(Dictionary <string, List <IO2Finding> > mappedFindings, string targetFolder)
{
Files.checkIfDirectoryExistsAndCreateIfNot(targetFolder);
Assert.That(Directory.Exists(targetFolder), "Directory targetFolder did not exist: " + targetFolder);
foreach (var mappedEntry in mappedFindings)
{
var findingsToSave = mappedEntry.Value;
//var fileName = string.Format("{0} ({1} Findings).ozasmt", mappedEntry.Key , findingsToSave.Count); // can't do this if we wanto to easily consume these findings from the next phase
var fileName = string.Format("{0}.ozasmt", mappedEntry.Key);
O2Cmd.log.write("Creating file {0} with {0} findings", fileName, findingsToSave.Count);
var targetFile = Path.Combine(targetFolder, fileName);
XUtils_Findings_v0_1.saveFindings(findingsToSave, targetFile);
}
}
// run sequence of filters on findings (note that (if 4th param == true) saveQuery will remove the matched
// findings from tracesToFilter
public void task2_filterFindings(KAnalysisArtifacts analysisArtifacts, List <IO2Finding> tracesToFilter, string targetFolder, string fileName)
{
foreach (var sourceSink in analysisArtifacts.phase_3.task2_sourceSink)
{
XUtils_Analysis.saveQuery(tracesToFilter, targetFolder, fileName, sourceSink.Source, sourceSink.Sink, sourceSink.RemoveMatches);
}
// save what was left (i.e. findings that didn't match the above filters) in a separate file
if (tracesToFilter.Count > 0)
{
O2Cmd.log.write("After task2 filters there were {0} findings that matched no filter", tracesToFilter.Count);
var targetFile = Path.Combine(targetFolder, "__NO FILTER__" + " - " + fileName + ".ozasmt");
XUtils_Findings_v0_1.saveFindings(tracesToFilter, targetFile);
}
}
// PHASE 5 : TASKS
public void task1_createFinalAssessmentFile()
{
var o2Findings = XUtils_Findings_v0_1.loadMultipleOzasmtFiles(folderWithArtifacts_Phase4);
O2Cmd.log.write("There are {0} findings for final assessment file", o2Findings.Count);
// make them compatible with OSA
OzasmtCompatibility.makeCompatibleWithOunceV6(o2Findings);
finalAssessmentFile = Path.Combine(folderWithArtifacts_Phase5, "Final Set of Findings.ozasmt");
XUtils_Findings_v0_1.saveFindings(o2Findings, finalAssessmentFile);
O2Cmd.log.write("Final assessment file created: {0}", finalAssessmentFile);
copyFinalAssessmentFileToWorkflowFolder();
}
// PHASE 3 : TASKS
// since there are lot a lot of known sinks move them all into one file
public void task1_handleKnownSinks()
{
// for now save these findings in the root of folderWithArtifacts_Phase3
var folderWithAssessmentFiles = Path.Combine(folderWithArtifacts_Phase2, "FindingsWith_Traces_KnownSinks");
Assert.That(Directory.Exists(folderWithAssessmentFiles), "Directory folderWithAssessmentFiles does not exist: " + folderWithAssessmentFiles);
var o2Findings_WithKnownSinks = XUtils_Findings_v0_1.loadMultipleOzasmtFiles(folderWithAssessmentFiles);
// save as 1 ozasmt file with all findings
var targetFile = Path.Combine(folderWithArtifacts_Phase3, "Findings with Known Sinks.ozasmt");
XUtils_Findings_v0_1.saveFindings(o2Findings_WithKnownSinks, targetFile);
// save as 1 ozasmt file per VulnType
var targetFolder = Path.Combine(folderWithArtifacts_Phase3, "Findings with KnownSinks (by VulnType)");
var mappedFindings = XUtils_Analysis.getDictionaryWithFindingsMappedBy_VulType(o2Findings_WithKnownSinks);
XUtils_Analysis.saveDictionaryWithMappedFindingsToFolder(mappedFindings, targetFolder);
}
public static List <IO2Finding> saveQuery(List <IO2Finding> o2FindingsInFile, string targetFolder, string fileName, string sourceRegEx, string sinkRegex, string fileNamePrefix, string fileNamePostfix, bool removeFindingsFromSourceList)
{
O2Cmd.log.write("Executing query: Source = {0} Sink = {1}", sourceRegEx, sinkRegex);
var results = new XRule_Findings_Filter().whereSourceAndSink_ContainsRegex(o2FindingsInFile, sourceRegEx, sinkRegex);
O2Cmd.log.write(" Query returned {0} results", results.Count);
var targetFile = Path.Combine(targetFolder, fileNamePrefix + fileName + " - " + fileNamePostfix);
if (false == targetFile.EndsWith(".ozasmt"))
{
targetFile += ".ozasmt";
}
if (results.Count > 0)
{
XUtils_Findings_v0_1.saveFindings(results, targetFile);
if (removeFindingsFromSourceList)
{
removeFindingsFromList(o2FindingsInFile, results);
}
}
return(results);
}
public void analyzeFindingsOfVulnType_SqlInjection(List <IO2Finding> o2Findings, bool removeFindingsFromSourceList)
{
// extract the Sql Injection ones
var sqlInjectionFindings = XUtils_Analysis.getFindingsWithVulnType(o2Findings, "Vulnerability.Injection.SQL", removeFindingsFromSourceList);
if (sqlInjectionFindings.Count == 0)
{
return;
}
// var fileWithSqlInjections = Path.Combine(folderWithArtifacts_Phase4, "Findings_with_SQL_Injection");
//XUtils_Findings_v0_1.saveFindings(sqlInjectionFindings, fileWithSqlInjections);
//Assert.That(File.Exists(fileWithSqlInjections), "fileWithSqlInjections was not created");
var sqlInjectionValidators = new List <string> {
"java.lang.Integer.<init>(int):void",
"java.lang.Integer.valueOf(int):java.lang.Integer",
"java.lang.String.valueOf(int):java.lang.String",
":java.util.DateTime"
};
var nonExploitable = new List <IO2Finding>();
var maybeExploitable = new List <IO2Finding>();
foreach (O2Finding o2Finding in sqlInjectionFindings)
{
var validatorFound = "";
foreach (var validator in sqlInjectionValidators)
{
if (XUtils_Analysis.doesFindingHasTraceSignature(o2Finding, validator))
{
validatorFound = validator;
break;
}
}
// modify finding
if (validatorFound != "")
{
o2Finding.context = string.Format("found validator: {0} , {1}", validatorFound, o2Finding.context);
nonExploitable.Add(o2Finding);
o2Finding.vulnType += ".NotExploitable";
o2Finding.severity = 3;
o2Finding.confidence = 1;
}
else
{
maybeExploitable.Add(o2Finding);
o2Finding.vulnType += ".MaybeExploitable.InternalMethod";
o2Finding.severity = 0;
o2Finding.confidence = 2;
}
}
var fileWith_NonExploitable = Path.Combine(folderWithArtifacts_Phase4, "NonExploitable_Findings_with_SQL_Injection.ozasmt");
XUtils_Findings_v0_1.saveFindings(nonExploitable, fileWith_NonExploitable);
var fileWith_MaybeExploitable = Path.Combine(folderWithArtifacts_Phase4, "MaybeExploitable_Findings_with_SQL_Injection.ozasmt");
XUtils_Findings_v0_1.saveFindings(maybeExploitable, fileWith_MaybeExploitable);
//XUtils_Findings_v0_1.openFindingsInNewWindow(nonExploitable).Join();
//XUtils_Findings_v0_1.openFindingsInNewWindow(maybeExploitable).Join();
}
