public string invokeStrutsRules_Variation_1_UsingPreCalculatedO2StrutsMappingFile() { var strutsMappingsFile = @"...\_OunceApplication\O2Data\....O2StrutsMapping"; var baseO2FindingsFile = @"...\_OunceApplication\O2Data\....ozasmt"; // make sure these files exist Assert.That(File.Exists(strutsMappingsFile), "Could not find file with strutsMappingsFile:\r\n " + strutsMappingsFile); Assert.That(File.Exists(baseO2FindingsFile), "Could not find file with baseO2FindingsFile:\r\n " + baseO2FindingsFile); // load the files var strutsMapping = XUtils_Struts_v0_1.loadStrutsMappingsFromFile(strutsMappingsFile); var baseO2Findings = XUtils_Findings_v0_1.loadFindingsFile(baseO2FindingsFile); // make sure the file where correctly loaded Assert.That(strutsMapping != null, "strutsMapping was null"); Assert.That(baseO2Findings != null, "baseO2Findings was null"); Assert.That(baseO2Findings.Count > 0, "baseO2Findings had no findings"); // execute the struts rule var o2Results = XRule_Struts.strutsRule_fromGetParameterToPringViaGetSetAttributeJoins(baseO2Findings, strutsMapping); // make sure we had results Assert.That(o2Results.Count > 0, "There were no results"); // save results var fileWithSavedResults = XUtils_Findings_v0_1.saveFindings(o2Results); // make sure saved file exists Assert.That(fileWithSavedResults != null, "fileWithSavedResults was null"); Assert.That(File.Exists(fileWithSavedResults), "fileWithSavedResults did not exist: " + fileWithSavedResults); return(string.Format("All OK. There were {0} results \r\nsaved to: {1}", o2Results.Count, fileWithSavedResults)); }
public static void copyFindings(List <IO2Finding> o2Findings, string sourceFileName, string targetFolder, string targetFolderName, Func <IO2Finding, bool> condition) { targetFolder = Path.Combine(targetFolder, targetFolderName); Files.checkIfDirectoryExistsAndCreateIfNot(targetFolder); Assert.That(Directory.Exists(targetFolder), "copyFindings: targetFolder did not exist " + targetFolder); var findingsWithNoTraces = new List <IO2Finding>(); foreach (var o2Finding in o2Findings) { //if (o2Finding.o2Traces.Count == 0) if (condition(o2Finding)) { findingsWithNoTraces.Add(o2Finding); } } O2Cmd.log.write("copyFindings: There were {0} findings that matched the criteria ({1}) ", findingsWithNoTraces.Count, targetFolderName); if (findingsWithNoTraces.Count > 0) { var targetFile = Path.Combine(targetFolder, sourceFileName); XUtils_Findings_v0_1.saveFindings(findingsWithNoTraces, targetFile); Assert.That(File.Exists(targetFile), "Task 1: targetFile was not saved : " + targetFile); O2Cmd.log.write("copyFindings: Findings saved to " + targetFile); } }
public void task2_AdjustsStrutsFindings() { var validatorPatternIDText = "validator: patternid="; var validatorValidContentText = "validator: valid-content"; O2Cmd.log.write("TASK 2: AdjustsStrutsFindings"); var strutsFindingsFolder = Path.Combine(folderWithArtifacts_Phase3, "Struts Mappings"); if (false == Directory.Exists(strutsFindingsFolder)) { return; } //Assert.That(Directory.Exists(strutsFindingsFolder), "strutsFindingsFolder did not exists: " + strutsFindingsFolder); foreach (var strutsFindingFile in Files.getFilesFromDir_returnFullPath(strutsFindingsFolder)) { var o2Findings = XUtils_Findings_v0_1.loadFindingsFile(strutsFindingFile); foreach (O2Finding o2Finding in o2Findings) { var allTraces = OzasmtUtils.getListWithAllTraces(o2Finding); foreach (var o2Trace in allTraces) { if (o2Trace.signature.StartsWith(validatorPatternIDText)) { var pattern = o2Trace.signature.Replace(validatorPatternIDText, ""); if (pattern == "FREE_TEXT") { o2Finding.vulnType = "Struts.CrossSiteScripting.NOT.Validated"; o2Finding.confidence = 1; o2Finding.severity = 0; } else { o2Finding.vulnType = "Struts.CrossSiteScripting.Validated"; o2Finding.confidence = 1; o2Finding.severity = 2; } o2Finding.vulnType += " : " + pattern; break; } else if (o2Trace.signature.StartsWith(validatorValidContentText)) { var pattern = o2Trace.signature.Replace(validatorValidContentText, ""); o2Finding.vulnType = "Struts.CrossSiteScripting.Validated.ValidContent"; o2Finding.confidence = 2; o2Finding.severity = 2; } } // validator: patternid= } //XUtils_Findings_v0_1.openFindingsInNewWindow(o2Findings); var targetFile = Path.Combine(folderWithArtifacts_Phase4, "Struts Mappings - " + Path.GetFileName(strutsFindingFile)); XUtils_Findings_v0_1.saveFindings(o2Findings, targetFile); O2Cmd.log.write("Struts Mappings saved to: {0}", targetFile); } //foreach(var }
// note this should be the last one to run public void makeKnownFindingsTypeII(List <IO2Finding> o2Findings) { foreach (var o2Finding in o2Findings) { o2Finding.confidence = 2; } var saveAsTypeII = Path.Combine(folderWithArtifacts_Phase4, "all_Non_Processed_KnownSink_Findings_as_Type_II.ozasmt"); XUtils_Findings_v0_1.saveFindings(o2Findings, saveAsTypeII); }
public void task4_CalculateStrutsFindings() { O2Cmd.log.write("TASK #4: Calculate Struts Findings"); // check if there are Struts Mappings var folderWithStrutsMappings = Path.Combine(folderWithArtifacts_Phase2, "Struts Mappings"); if (Directory.Exists(folderWithStrutsMappings)) { //Assert.That(Directory.Exists(folderWithStrutsMappings), "Directory with struts mappings did not exist: " + folderWithStrutsMappings); // check if we have the filtered findings files required var findingsWith_KnownSinks = Path.Combine(folderWithArtifacts_Phase3, "Findings with Known Sinks.ozasmt"); Assert.That(File.Exists(findingsWith_KnownSinks), "Could not find findingsWith_KnownSinks: " + findingsWith_KnownSinks); // load findings var o2Findings_KnownSinks = XUtils_Findings_v0_1.loadFindingsFile(findingsWith_KnownSinks); // extract just the ones needed for the struts mappings var o2Findings = new XRule_Findings_Filter().whereSourceAndSink_ContainsRegex(o2Findings_KnownSinks, "getParameter", "setAttribute"); o2Findings.AddRange(new XRule_Findings_Filter().whereSourceAndSink_ContainsRegex(o2Findings_KnownSinks, "getAttribute", "print")); foreach (var strutsMappingsFile in Files.getFilesFromDir_returnFullPath(folderWithStrutsMappings)) { var fileName = Path.GetFileName(strutsMappingsFile); var projectName = Path.GetFileNameWithoutExtension(strutsMappingsFile); O2Cmd.log.write("Processing file {0} from project {1}", fileName, projectName); // load struts mappings var strutsMapping = XUtils_Struts_v0_1.loadStrutsMappingsFromFile(strutsMappingsFile); Assert.That(strutsMapping != null, "strutsMapping was null"); // execute the struts rule var o2Results = XRule_Struts.strutsRule_fromGetParameterToPringViaGetSetAttributeJoins(o2Findings, strutsMapping); // make sure we had results //Assert.That(o2Results.Count > 0 , "There were no results"); if (o2Results.Count == 0) { O2Cmd.log.error("there were no results in task4_CalculateStrutsFindings"); } else { // save results var targetFolder = Path.Combine(folderWithArtifacts_Phase3, "Struts Mappings"); Files.checkIfDirectoryExistsAndCreateIfNot(targetFolder); var fileWithSavedResults = Path.Combine(targetFolder, projectName + ".ozasmt"); XUtils_Findings_v0_1.saveFindings(o2Results, fileWithSavedResults); // make sure saved file exists Assert.That(File.Exists(fileWithSavedResults), "fileWithSavedResults did not exist: " + fileWithSavedResults); O2Cmd.log.write("All OK. There were {0} results \r\nsaved to: {1}", o2Results.Count, fileWithSavedResults); } } } }
public static void saveDictionaryWithMappedFindingsToFolder(Dictionary <string, List <IO2Finding> > mappedFindings, string targetFolder) { Files.checkIfDirectoryExistsAndCreateIfNot(targetFolder); Assert.That(Directory.Exists(targetFolder), "Directory targetFolder did not exist: " + targetFolder); foreach (var mappedEntry in mappedFindings) { var findingsToSave = mappedEntry.Value; //var fileName = string.Format("{0} ({1} Findings).ozasmt", mappedEntry.Key , findingsToSave.Count); // can't do this if we wanto to easily consume these findings from the next phase var fileName = string.Format("{0}.ozasmt", mappedEntry.Key); O2Cmd.log.write("Creating file {0} with {0} findings", fileName, findingsToSave.Count); var targetFile = Path.Combine(targetFolder, fileName); XUtils_Findings_v0_1.saveFindings(findingsToSave, targetFile); } }
// run sequence of filters on findings (note that (if 4th param == true) saveQuery will remove the matched // findings from tracesToFilter public void task2_filterFindings(KAnalysisArtifacts analysisArtifacts, List <IO2Finding> tracesToFilter, string targetFolder, string fileName) { foreach (var sourceSink in analysisArtifacts.phase_3.task2_sourceSink) { XUtils_Analysis.saveQuery(tracesToFilter, targetFolder, fileName, sourceSink.Source, sourceSink.Sink, sourceSink.RemoveMatches); } // save what was left (i.e. findings that didn't match the above filters) in a separate file if (tracesToFilter.Count > 0) { O2Cmd.log.write("After task2 filters there were {0} findings that matched no filter", tracesToFilter.Count); var targetFile = Path.Combine(targetFolder, "__NO FILTER__" + " - " + fileName + ".ozasmt"); XUtils_Findings_v0_1.saveFindings(tracesToFilter, targetFile); } }
// PHASE 5 : TASKS public void task1_createFinalAssessmentFile() { var o2Findings = XUtils_Findings_v0_1.loadMultipleOzasmtFiles(folderWithArtifacts_Phase4); O2Cmd.log.write("There are {0} findings for final assessment file", o2Findings.Count); // make them compatible with OSA OzasmtCompatibility.makeCompatibleWithOunceV6(o2Findings); finalAssessmentFile = Path.Combine(folderWithArtifacts_Phase5, "Final Set of Findings.ozasmt"); XUtils_Findings_v0_1.saveFindings(o2Findings, finalAssessmentFile); O2Cmd.log.write("Final assessment file created: {0}", finalAssessmentFile); copyFinalAssessmentFileToWorkflowFolder(); }
// PHASE 3 : TASKS // since there are lot a lot of known sinks move them all into one file public void task1_handleKnownSinks() { // for now save these findings in the root of folderWithArtifacts_Phase3 var folderWithAssessmentFiles = Path.Combine(folderWithArtifacts_Phase2, "FindingsWith_Traces_KnownSinks"); Assert.That(Directory.Exists(folderWithAssessmentFiles), "Directory folderWithAssessmentFiles does not exist: " + folderWithAssessmentFiles); var o2Findings_WithKnownSinks = XUtils_Findings_v0_1.loadMultipleOzasmtFiles(folderWithAssessmentFiles); // save as 1 ozasmt file with all findings var targetFile = Path.Combine(folderWithArtifacts_Phase3, "Findings with Known Sinks.ozasmt"); XUtils_Findings_v0_1.saveFindings(o2Findings_WithKnownSinks, targetFile); // save as 1 ozasmt file per VulnType var targetFolder = Path.Combine(folderWithArtifacts_Phase3, "Findings with KnownSinks (by VulnType)"); var mappedFindings = XUtils_Analysis.getDictionaryWithFindingsMappedBy_VulType(o2Findings_WithKnownSinks); XUtils_Analysis.saveDictionaryWithMappedFindingsToFolder(mappedFindings, targetFolder); }
public static List <IO2Finding> saveQuery(List <IO2Finding> o2FindingsInFile, string targetFolder, string fileName, string sourceRegEx, string sinkRegex, string fileNamePrefix, string fileNamePostfix, bool removeFindingsFromSourceList) { O2Cmd.log.write("Executing query: Source = {0} Sink = {1}", sourceRegEx, sinkRegex); var results = new XRule_Findings_Filter().whereSourceAndSink_ContainsRegex(o2FindingsInFile, sourceRegEx, sinkRegex); O2Cmd.log.write(" Query returned {0} results", results.Count); var targetFile = Path.Combine(targetFolder, fileNamePrefix + fileName + " - " + fileNamePostfix); if (false == targetFile.EndsWith(".ozasmt")) { targetFile += ".ozasmt"; } if (results.Count > 0) { XUtils_Findings_v0_1.saveFindings(results, targetFile); if (removeFindingsFromSourceList) { removeFindingsFromList(o2FindingsInFile, results); } } return(results); }
public void analyzeFindingsOfVulnType_SqlInjection(List <IO2Finding> o2Findings, bool removeFindingsFromSourceList) { // extract the Sql Injection ones var sqlInjectionFindings = XUtils_Analysis.getFindingsWithVulnType(o2Findings, "Vulnerability.Injection.SQL", removeFindingsFromSourceList); if (sqlInjectionFindings.Count == 0) { return; } // var fileWithSqlInjections = Path.Combine(folderWithArtifacts_Phase4, "Findings_with_SQL_Injection"); //XUtils_Findings_v0_1.saveFindings(sqlInjectionFindings, fileWithSqlInjections); //Assert.That(File.Exists(fileWithSqlInjections), "fileWithSqlInjections was not created"); var sqlInjectionValidators = new List <string> { "java.lang.Integer.<init>(int):void", "java.lang.Integer.valueOf(int):java.lang.Integer", "java.lang.String.valueOf(int):java.lang.String", ":java.util.DateTime" }; var nonExploitable = new List <IO2Finding>(); var maybeExploitable = new List <IO2Finding>(); foreach (O2Finding o2Finding in sqlInjectionFindings) { var validatorFound = ""; foreach (var validator in sqlInjectionValidators) { if (XUtils_Analysis.doesFindingHasTraceSignature(o2Finding, validator)) { validatorFound = validator; break; } } // modify finding if (validatorFound != "") { o2Finding.context = string.Format("found validator: {0} , {1}", validatorFound, o2Finding.context); nonExploitable.Add(o2Finding); o2Finding.vulnType += ".NotExploitable"; o2Finding.severity = 3; o2Finding.confidence = 1; } else { maybeExploitable.Add(o2Finding); o2Finding.vulnType += ".MaybeExploitable.InternalMethod"; o2Finding.severity = 0; o2Finding.confidence = 2; } } var fileWith_NonExploitable = Path.Combine(folderWithArtifacts_Phase4, "NonExploitable_Findings_with_SQL_Injection.ozasmt"); XUtils_Findings_v0_1.saveFindings(nonExploitable, fileWith_NonExploitable); var fileWith_MaybeExploitable = Path.Combine(folderWithArtifacts_Phase4, "MaybeExploitable_Findings_with_SQL_Injection.ozasmt"); XUtils_Findings_v0_1.saveFindings(maybeExploitable, fileWith_MaybeExploitable); //XUtils_Findings_v0_1.openFindingsInNewWindow(nonExploitable).Join(); //XUtils_Findings_v0_1.openFindingsInNewWindow(maybeExploitable).Join(); }