public void Similarity()
{
string text1 = "asldbcv3o9322lif;owq4o-u-4hf3fn4ofwh094f4qq43fqldadsa2GSUACUVAoo32g3f";
string text2 = "xsbadkvivuvsd;ojve;rieorqro8@O*ho848oq34floowahoOAGAGAODOWWOoq38aqo3af";
LettersDiffer differ = new LettersDiffer();
differ.AddTask(text1, 0);
differ.AddTask(text2, 0);
double diffSimilarity = differ.DoDiff();
double aseSimilarity = ASESimilarityAlgorithm.CalculateSimilarity(text1, text2);
Assert.AreEqual(aseSimilarity, diffSimilarity, 0.05, "Incorrect similarity factor");
}
public bool ValueMatches(IDiffObject diffObject)
{
BaseTextDiffObject otherObject = diffObject as BaseTextDiffObject;
bool equals = false;
if (otherObject != null)
{
equals = this.ValueHash == otherObject.ValueHash;
if (!equals && SimilarityFactor < 1)
{
equals = ASESimilarityAlgorithm.CalculateSimilarity(this.Value, otherObject.Value) >= this.SimilarityFactor;
}
}
return(equals);
}
/// <summary>
/// Checks is the value is equal. If not where applicable a collection of granular differences is outputed
/// </summary>
/// <param name="diffObject"></param>
/// <param name="diffsForSelf"></param>
/// <param name="diffsForArgument"></param>
/// <param name="commonElements"></param>
/// <returns></returns>
public bool ValueMatches(IDiffObject diffObject, out IDiffObjectsCollection diffsForSelf, out IDiffObjectsCollection diffsForArgument, out IDiffObjectsCollection commonElements)
{
BaseTextDiffObject otherObject = diffObject as BaseTextDiffObject;
diffsForSelf = null;
diffsForArgument = null;
commonElements = null;
bool matches = false;
if (otherObject != null)
{
matches = this.ValueHash == otherObject.ValueHash;
if (!matches)
{
double simFactor = ASESimilarityAlgorithm.CalculateSimilarity(this.Value, otherObject.Value);
LettersDiffer granularDiffer = InitGranularDiffer();
if (simFactor > 0 && granularDiffer != null)
{
//calculate granular differences
granularDiffer.AddTask(Value, Position); //imports the current word into a letters collection starting from the position of the current element
granularDiffer.AddTask(otherObject.Value, otherObject.Position);
double diffRatio = granularDiffer.DoDiff(0, 1);
diffsForSelf = granularDiffer.GetResultingDifferences(0);
diffsForArgument = granularDiffer.GetResultingDifferences(1);
commonElements = granularDiffer.GetResultingCommonElements(0);
matches = diffRatio >= this.SimilarityFactor;
}
}
}
return(matches);
}
/// <summary>
/// Calculates if the current response is different than the original response
/// </summary>
/// <param name="responseInfo"></param>
/// <returns></returns>
private bool IsDifferentThanOriginalResponse(HttpResponseInfo responseInfo)
{
bool isDifferent;
if (!_trackingReqInfo.ResponseStatus.Equals(responseInfo.Status.ToString()))
{
isDifferent = true;
}
else if (ResponseLengthIsSignificantlyDifferent(responseInfo, _trackingReqInfo))
{
isDifferent = true;
}
else //calculate response similarity
{
byte[] oldRespBytes = _dataStore.LoadResponseData(_trackingReqInfo.Id);
string oldRespString = Constants.DefaultEncoding.GetString(oldRespBytes);
double similarity = ASESimilarityAlgorithm.CalculateSimilarity(oldRespString, responseInfo.ToString());
isDifferent = similarity < 0.98;
}
return(isDifferent);
}
/// <summary>
/// Diffs the response bodies
/// </summary>
/// <param name="result"></param>
/// <param name="firstResponse"></param>
/// <param name="secondResponse"></param>
/// <param name="firstRespBasePos"></param>
/// <param name="secondRespBasePos"></param>
/// <returns></returns>
private RequestsDifferResult DiffResponseBody(RequestsDifferResult result, string firstResponse, string secondResponse, int firstRespBasePos, int secondRespBasePos)
{
int firstResponseBodyStart = FindResponseBodyStart(firstResponse);
int secondResponseBodyStart = FindResponseBodyStart(secondResponse);
string firstResponseBody = firstResponse.Substring(firstResponseBodyStart);
string secondResponseBody = secondResponse.Substring(secondResponseBodyStart);
LinesDiffer linesDiffer = new LinesDiffer(); //this differ first compares the lines then the words then the letters
linesDiffer.Properties.Sorted = false;
linesDiffer.AddTask(firstResponseBody, firstRespBasePos + firstResponseBodyStart);
linesDiffer.AddTask(secondResponseBody, secondRespBasePos + secondResponseBodyStart);
result.BodyDiffSimilarity = linesDiffer.DoDiff();
//calculate aproximate similarity as generated by appscan algorithm
result.BodyAproximateSimilarity = ASESimilarityAlgorithm.CalculateSimilarity(firstResponseBody, secondResponseBody);
result = AppendDiffs(result, linesDiffer);
return(result);
}
/// <summary>
/// Validates a response and inserts a vulnerability
/// </summary>
/// <param name="rawRequest"></param>
/// <param name="rawResponse"></param>
/// <param name="requestUri"></param>
/// <param name="parameterName"></param>
/// <param name="entityId"></param>
/// <param name="testDef"></param>
/// <param name="payload"></param>
/// <param name="mutatedRequestList"></param>
/// <param name="testResponseList"></param>
public bool ValidateTest(string rawRequest, string rawResponse, Uri requestUri,
string parameterName, string entityId, CustomTestDef testDef, List <string> mutatedRequestList, List <string> testResponseList)
{
string validation = testDef.Validation.Trim();
if (String.IsNullOrWhiteSpace(validation))
{
return(false); //this is a callback test
}
bool found = false;
bool isMultiValidationRule = IsMultiValidationRule(validation);
if (!isMultiValidationRule)
{
for (int idx = 0; idx < mutatedRequestList.Count; idx++)
{
string mutatedRequest = mutatedRequestList[idx];
string testResponse = testResponseList[idx];
found |= ValidateSingleTest(rawRequest, rawResponse, requestUri, parameterName, entityId, testDef, mutatedRequest, testResponse);
}
}
else
{
if (validation.StartsWith(JAVASCRIPT_FUNCTION_TAG))
{
found = RunJavaScriptValidation(validation, testResponseList);
}
else if (validation.StartsWith(TAUTOLOGY_VERIFICATION_FUNC))
{
if (testResponseList != null && testResponseList.Count % 3 == 0)
{
int encodingsCount = testResponseList.Count / 3;
for (int i = 0; i < encodingsCount && !found; i++)
{
int first = i;
int second = i + encodingsCount;
int third = i + 2 * encodingsCount;
double firstAndThirdSimilarity = ASESimilarityAlgorithm.CalculateSimilarity(testResponseList[first], testResponseList[third]);
double firstAndSecondSimilarity = ASESimilarityAlgorithm.CalculateSimilarity(testResponseList[first], testResponseList[second]);
found = firstAndThirdSimilarity - firstAndSecondSimilarity > 0.2; //first and third are more similar than first and second
if (found)
{
var newMutatedRequestList = new List <string>();
var newTestResponseList = new List <string>();
newMutatedRequestList.Add(mutatedRequestList[first]);
newMutatedRequestList.Add(mutatedRequestList[second]);
newMutatedRequestList.Add(mutatedRequestList[third]);
newTestResponseList.Add(testResponseList[first]);
newTestResponseList.Add(testResponseList[second]);
newTestResponseList.Add(testResponseList[third]);
mutatedRequestList = newMutatedRequestList;
testResponseList = newTestResponseList;
}
}
}
else
{
_testController.Log("INCORRECT NUMBER OF PAYLOADS FOR TAUTOLOGY VERIFICATION (MUST BE DIVISIBLE WITH 3)");
}
}
if (found)
{
for (int i = 0; i < mutatedRequestList.Count; i++)
{
_testController.Log("MULTI-VALIDATION rule match on entity '{0}', test '{1}'", parameterName, testDef.Name);
}
_testController.HandleIssueFound(rawRequest, rawResponse, requestUri, testDef.Type, parameterName, mutatedRequestList, testResponseList, validation, "");
}
}
return(found);
}
