public static void copyFindings(List <IO2Finding> o2Findings, string sourceFileName, string targetFolder, string targetFolderName, Func <IO2Finding, bool> condition) { targetFolder = Path.Combine(targetFolder, targetFolderName); Files.checkIfDirectoryExistsAndCreateIfNot(targetFolder); Assert.That(Directory.Exists(targetFolder), "copyFindings: targetFolder did not exist " + targetFolder); var findingsWithNoTraces = new List <IO2Finding>(); foreach (var o2Finding in o2Findings) { //if (o2Finding.o2Traces.Count == 0) if (condition(o2Finding)) { findingsWithNoTraces.Add(o2Finding); } } O2Cmd.log.write("copyFindings: There were {0} findings that matched the criteria ({1}) ", findingsWithNoTraces.Count, targetFolderName); if (findingsWithNoTraces.Count > 0) { var targetFile = Path.Combine(targetFolder, sourceFileName); XUtils_Findings_v0_1.saveFindings(findingsWithNoTraces, targetFile); Assert.That(File.Exists(targetFile), "Task 1: targetFile was not saved : " + targetFile); O2Cmd.log.write("copyFindings: Findings saved to " + targetFile); } }
public string invokeStrutsRules_Variation_1_UsingPreCalculatedO2StrutsMappingFile() { var strutsMappingsFile = @"...\_OunceApplication\O2Data\....O2StrutsMapping"; var baseO2FindingsFile = @"...\_OunceApplication\O2Data\....ozasmt"; // make sure these files exist Assert.That(File.Exists(strutsMappingsFile), "Could not find file with strutsMappingsFile:\r\n " + strutsMappingsFile); Assert.That(File.Exists(baseO2FindingsFile), "Could not find file with baseO2FindingsFile:\r\n " + baseO2FindingsFile); // load the files var strutsMapping = XUtils_Struts_v0_1.loadStrutsMappingsFromFile(strutsMappingsFile); var baseO2Findings = XUtils_Findings_v0_1.loadFindingsFile(baseO2FindingsFile); // make sure the file where correctly loaded Assert.That(strutsMapping != null, "strutsMapping was null"); Assert.That(baseO2Findings != null, "baseO2Findings was null"); Assert.That(baseO2Findings.Count > 0, "baseO2Findings had no findings"); // execute the struts rule var o2Results = XRule_Struts.strutsRule_fromGetParameterToPringViaGetSetAttributeJoins(baseO2Findings, strutsMapping); // make sure we had results Assert.That(o2Results.Count > 0, "There were no results"); // save results var fileWithSavedResults = XUtils_Findings_v0_1.saveFindings(o2Results); // make sure saved file exists Assert.That(fileWithSavedResults != null, "fileWithSavedResults was null"); Assert.That(File.Exists(fileWithSavedResults), "fileWithSavedResults did not exist: " + fileWithSavedResults); return(string.Format("All OK. There were {0} results \r\nsaved to: {1}", o2Results.Count, fileWithSavedResults)); }
public string checkIf_loadMultipleOzasmtFiles_Worked() { var o2Findings = XUtils_Findings_v0_1.loadMultipleOzasmtFiles(pathToOzastmFilesToLoad); Assert.That(o2Findings.Count > 0); return(string.Format("There were {0} findings loaded", o2Findings.Count)); }
public void task2_AdjustsStrutsFindings() { var validatorPatternIDText = "validator: patternid="; var validatorValidContentText = "validator: valid-content"; O2Cmd.log.write("TASK 2: AdjustsStrutsFindings"); var strutsFindingsFolder = Path.Combine(folderWithArtifacts_Phase3, "Struts Mappings"); if (false == Directory.Exists(strutsFindingsFolder)) { return; } //Assert.That(Directory.Exists(strutsFindingsFolder), "strutsFindingsFolder did not exists: " + strutsFindingsFolder); foreach (var strutsFindingFile in Files.getFilesFromDir_returnFullPath(strutsFindingsFolder)) { var o2Findings = XUtils_Findings_v0_1.loadFindingsFile(strutsFindingFile); foreach (O2Finding o2Finding in o2Findings) { var allTraces = OzasmtUtils.getListWithAllTraces(o2Finding); foreach (var o2Trace in allTraces) { if (o2Trace.signature.StartsWith(validatorPatternIDText)) { var pattern = o2Trace.signature.Replace(validatorPatternIDText, ""); if (pattern == "FREE_TEXT") { o2Finding.vulnType = "Struts.CrossSiteScripting.NOT.Validated"; o2Finding.confidence = 1; o2Finding.severity = 0; } else { o2Finding.vulnType = "Struts.CrossSiteScripting.Validated"; o2Finding.confidence = 1; o2Finding.severity = 2; } o2Finding.vulnType += " : " + pattern; break; } else if (o2Trace.signature.StartsWith(validatorValidContentText)) { var pattern = o2Trace.signature.Replace(validatorValidContentText, ""); o2Finding.vulnType = "Struts.CrossSiteScripting.Validated.ValidContent"; o2Finding.confidence = 2; o2Finding.severity = 2; } } // validator: patternid= } //XUtils_Findings_v0_1.openFindingsInNewWindow(o2Findings); var targetFile = Path.Combine(folderWithArtifacts_Phase4, "Struts Mappings - " + Path.GetFileName(strutsFindingFile)); XUtils_Findings_v0_1.saveFindings(o2Findings, targetFile); O2Cmd.log.write("Struts Mappings saved to: {0}", targetFile); } //foreach(var }
public List <IO2Finding> takeDirectoryAndLoadAllAssessmentsWithStringInName() { var targetDirectory = pathToOzastmFilesToLoad; var filter = "*webgoat*.ozasmt"; var recursiveSearch = true; return(XUtils_Findings_v0_1.loadMultipleOzasmtFiles(targetDirectory, filter, recursiveSearch)); }
public static void Test() { var baseO2Findings = XUtils_Findings_v0_1.loadFindingsFile(baseO2FindingsFile); var strutsMapping = (KStrutsMappings)Serialize.getDeSerializedObjectFromBinaryFile(strutsMappingsFile, typeof(KStrutsMappings)); var o2Findings = strutsRule_fromGetParameterToPringViaGetSetAttributeJoins(baseO2Findings, strutsMapping); XUtils_Findings_v0_1.openFindingsInNewWindow(o2Findings); }
public string showFindingsInGUI() { var o2Findings = XUtils_Findings_v0_1.loadFindingsFile(sampleOzamtFile); Assert.That(o2Findings.Count > 0, "There were no findings loaded"); XUtils_Findings_v0_1.openFindingsInNewWindow(o2Findings); return("number of findings loaded:" + o2Findings.Count); }
public string runPhase5() { var testAnalysisArtifacts = KAnalysisArtifacts.load(testAnalysisArtifactsFile); var result = runPhase5(testAnalysisArtifacts); var finalO2Findings = XUtils_Findings_v0_1.loadFindingsFile(finalAssessmentFile); XUtils_Findings_v0_1.openFindingsInNewWindow(finalO2Findings); return(result); }
public static List <IO2Finding> getAllTraces_LostSinks(string targetFolder) { var folderWith_LostSinks = Path.Combine(targetFolder, "FindingsWith_Traces_LostSinks"); Assert.That(Directory.Exists(folderWith_LostSinks), "directory folderWith_LostSinks did not exist: " + folderWith_LostSinks); var o2Findings = XUtils_Findings_v0_1.loadMultipleOzasmtFiles(folderWith_LostSinks); O2Cmd.log.write("Findings with Lost Sinks: {0}", o2Findings.Count); return(o2Findings); }
public string onlyShowInfos_Linq() { var onlyInfos = from IO2Finding o2Finding in XUtils_Findings_v0_1.loadFindingsFile(sampleOzamtFile) where o2Finding.severity == 3 select o2Finding; XUtils_Findings_v0_1.openFindingsInNewWindow(onlyInfos.ToList()); return("# of Infos: " + onlyInfos.Count()); }
// note this should be the last one to run public void makeKnownFindingsTypeII(List <IO2Finding> o2Findings) { foreach (var o2Finding in o2Findings) { o2Finding.confidence = 2; } var saveAsTypeII = Path.Combine(folderWithArtifacts_Phase4, "all_Non_Processed_KnownSink_Findings_as_Type_II.ozasmt"); XUtils_Findings_v0_1.saveFindings(o2Findings, saveAsTypeII); }
public string onlyShowNoTraces() { var noTraces = from IO2Finding o2Finding in XUtils_Findings_v0_1.loadFindingsFile(sampleOzamtFile) where o2Finding.o2Traces.Count == 0 select o2Finding; XUtils_Findings_v0_1.openFindingsInNewWindow(noTraces.ToList()); return("# of NoTraces: " + noTraces.Count()); }
public string removeAllNoTraces() { var onlyTraces = from IO2Finding o2Finding in XUtils_Findings_v0_1.loadFindingsFile(sampleOzamtFile) where o2Finding.o2Traces.Count > 0 select o2Finding; XUtils_Findings_v0_1.openFindingsInNewWindow(onlyTraces.ToList()); return("# of onlyTraces: " + onlyTraces.Count()); }
public void task4_CalculateStrutsFindings() { O2Cmd.log.write("TASK #4: Calculate Struts Findings"); // check if there are Struts Mappings var folderWithStrutsMappings = Path.Combine(folderWithArtifacts_Phase2, "Struts Mappings"); if (Directory.Exists(folderWithStrutsMappings)) { //Assert.That(Directory.Exists(folderWithStrutsMappings), "Directory with struts mappings did not exist: " + folderWithStrutsMappings); // check if we have the filtered findings files required var findingsWith_KnownSinks = Path.Combine(folderWithArtifacts_Phase3, "Findings with Known Sinks.ozasmt"); Assert.That(File.Exists(findingsWith_KnownSinks), "Could not find findingsWith_KnownSinks: " + findingsWith_KnownSinks); // load findings var o2Findings_KnownSinks = XUtils_Findings_v0_1.loadFindingsFile(findingsWith_KnownSinks); // extract just the ones needed for the struts mappings var o2Findings = new XRule_Findings_Filter().whereSourceAndSink_ContainsRegex(o2Findings_KnownSinks, "getParameter", "setAttribute"); o2Findings.AddRange(new XRule_Findings_Filter().whereSourceAndSink_ContainsRegex(o2Findings_KnownSinks, "getAttribute", "print")); foreach (var strutsMappingsFile in Files.getFilesFromDir_returnFullPath(folderWithStrutsMappings)) { var fileName = Path.GetFileName(strutsMappingsFile); var projectName = Path.GetFileNameWithoutExtension(strutsMappingsFile); O2Cmd.log.write("Processing file {0} from project {1}", fileName, projectName); // load struts mappings var strutsMapping = XUtils_Struts_v0_1.loadStrutsMappingsFromFile(strutsMappingsFile); Assert.That(strutsMapping != null, "strutsMapping was null"); // execute the struts rule var o2Results = XRule_Struts.strutsRule_fromGetParameterToPringViaGetSetAttributeJoins(o2Findings, strutsMapping); // make sure we had results //Assert.That(o2Results.Count > 0 , "There were no results"); if (o2Results.Count == 0) { O2Cmd.log.error("there were no results in task4_CalculateStrutsFindings"); } else { // save results var targetFolder = Path.Combine(folderWithArtifacts_Phase3, "Struts Mappings"); Files.checkIfDirectoryExistsAndCreateIfNot(targetFolder); var fileWithSavedResults = Path.Combine(targetFolder, projectName + ".ozasmt"); XUtils_Findings_v0_1.saveFindings(o2Results, fileWithSavedResults); // make sure saved file exists Assert.That(File.Exists(fileWithSavedResults), "fileWithSavedResults did not exist: " + fileWithSavedResults); O2Cmd.log.write("All OK. There were {0} results \r\nsaved to: {1}", o2Results.Count, fileWithSavedResults); } } } }
public List <IO2Finding> invokeMultipleXRules() { // executing findings from pathToOzastmFilesToLoad var o2Findings = XUtils_Findings_v0_1.loadMultipleOzasmtFiles(pathToOzastmFilesToLoad); // run filter that gets only Traces var onlyTraces = new XRule_Findings_Filter().onlyTraces(o2Findings); // which have getParameter as source var results = new XRule_Findings_Filter().whereSource_Contains(onlyTraces, "getParameter"); return(results); }
public string RemoveAll3nodeGetSetVulns() { // Dinis note, if I understand this request correctly, the query is: // for all vulns that start in a get and end in set // only show the ones that have more than 3 traces var o2Findings = XUtils_Findings_v0_1.loadFindingsFile(sampleOzamtFile); var thread = XUtils_Findings_v0_1.openFindingsInNewWindow(o2Findings, "Original list of loaded files"); thread.Join(); // we have to do this to make sure we don't continue before the findings are loaded in the Findings Viewer // first lets see if this happens in the current list of loaded findings var getsAndSets = new List <IO2Finding>(); foreach (O2Finding o2Finding in o2Findings) // need to cast to O2Finding in order to have access to the prepopulated version of IO2Finding { if (o2Finding.Source.IndexOf("get") > -1 && o2Finding.Sink.IndexOf("set") > -1) { getsAndSets.Add(o2Finding); } } Assert.That(getsAndSets.Count > 0, "There are no Get->Set pairs in the current loaded findings"); // Dinis note: on the WebGoat 6.0.ozasmt file I'm using there are 54 matches // show in GUI getsAndSets XUtils_Findings_v0_1.openFindingsInNewWindow(getsAndSets, "Findings with GetsAndSets").Join(); // added .Join() to ensure the load thread is completed // now check if there are findings with 3 traces var getsAndSetsWith3Traces = new List <IO2Finding>(); foreach (O2Finding o2Finding in getsAndSets) { var allTracesFromFinding = OzasmtUtils.getListWithAllTraces(o2Finding); if (allTracesFromFinding.Count == 3) { getsAndSetsWith3Traces.Add(o2Finding); } } Assert.That(getsAndSetsWith3Traces.Count > 0, "There were no getsAndSetsWith3Traces"); // show in GUI getsAndSetsWith3Traces XUtils_Findings_v0_1.openFindingsInNewWindow(getsAndSetsWith3Traces, "Findings with getsAndSetsWith3Traces").Join(); // Dinis note: I get 4 findings that match this criteria // finally remove the getsAndSetsWith3Traces from the loaded findings foreach (var o2FindingToRemove in getsAndSetsWith3Traces) { o2Findings.Remove(o2FindingToRemove); } // and show the results (note how this window has less 3 findings than the first one that was loaded) XUtils_Findings_v0_1.openFindingsInNewWindow(o2Findings, "Original list without 3nodeGetSetVulns").Join(); return("Number of findings after filter: " + o2Findings.Count); } // this function could be greatly reduced by using LINQ (I'll do that later :) )
public List <IO2Finding> removeAllInfos_version_3() { // LINQ query var resultsLinq = from IO2Finding o2Finding in XUtils_Findings_v0_1.loadFindingsFile(sampleOzamtFile) where OzasmtUtils.getSeverityFromId(o2Finding.severity) != "Info" // o2Finding.severity = 3 maps to "Info" select o2Finding; // since we are using List<IO2Fiding> below, lets covert the LINQ result which is IEnumerable<IO2Finding> to List<IO2Finding> var results = resultsLinq.ToList(); XUtils_Findings_v0_1.openFindingsInNewWindow(results); return(results); }
public static void saveDictionaryWithMappedFindingsToFolder(Dictionary <string, List <IO2Finding> > mappedFindings, string targetFolder) { Files.checkIfDirectoryExistsAndCreateIfNot(targetFolder); Assert.That(Directory.Exists(targetFolder), "Directory targetFolder did not exist: " + targetFolder); foreach (var mappedEntry in mappedFindings) { var findingsToSave = mappedEntry.Value; //var fileName = string.Format("{0} ({1} Findings).ozasmt", mappedEntry.Key , findingsToSave.Count); // can't do this if we wanto to easily consume these findings from the next phase var fileName = string.Format("{0}.ozasmt", mappedEntry.Key); O2Cmd.log.write("Creating file {0} with {0} findings", fileName, findingsToSave.Count); var targetFile = Path.Combine(targetFolder, fileName); XUtils_Findings_v0_1.saveFindings(findingsToSave, targetFile); } }
// run sequence of filters on findings (note that (if 4th param == true) saveQuery will remove the matched // findings from tracesToFilter public void task2_filterFindings(KAnalysisArtifacts analysisArtifacts, List <IO2Finding> tracesToFilter, string targetFolder, string fileName) { foreach (var sourceSink in analysisArtifacts.phase_3.task2_sourceSink) { XUtils_Analysis.saveQuery(tracesToFilter, targetFolder, fileName, sourceSink.Source, sourceSink.Sink, sourceSink.RemoveMatches); } // save what was left (i.e. findings that didn't match the above filters) in a separate file if (tracesToFilter.Count > 0) { O2Cmd.log.write("After task2 filters there were {0} findings that matched no filter", tracesToFilter.Count); var targetFile = Path.Combine(targetFolder, "__NO FILTER__" + " - " + fileName + ".ozasmt"); XUtils_Findings_v0_1.saveFindings(tracesToFilter, targetFile); } }
// PHASE 5 : TASKS public void task1_createFinalAssessmentFile() { var o2Findings = XUtils_Findings_v0_1.loadMultipleOzasmtFiles(folderWithArtifacts_Phase4); O2Cmd.log.write("There are {0} findings for final assessment file", o2Findings.Count); // make them compatible with OSA OzasmtCompatibility.makeCompatibleWithOunceV6(o2Findings); finalAssessmentFile = Path.Combine(folderWithArtifacts_Phase5, "Final Set of Findings.ozasmt"); XUtils_Findings_v0_1.saveFindings(o2Findings, finalAssessmentFile); O2Cmd.log.write("Final assessment file created: {0}", finalAssessmentFile); copyFinalAssessmentFileToWorkflowFolder(); }
public List <IO2Finding> removeAllInfos_version_2() { var o2Findings = XUtils_Findings_v0_1.loadFindingsFile(sampleOzamtFile); var results = new List <IO2Finding>(); foreach (O2Finding o2Finding in o2Findings) { if (OzasmtUtils.getSeverityFromId(o2Finding.severity) != "Info") { results.Add(o2Finding); } } XUtils_Findings_v0_1.openFindingsInNewWindow(results); return(results); }
public string runPhase2(IAnalysisArtifacts analysisArtifacts) { O2Cmd.log.write("\n\n***** PHASE 2 ***"); // setup expected target folders workflowFolder = analysisArtifacts.targetFolder; folderWithArtifacts_Phase1 = Path.Combine(workflowFolder, "Phase 1 - Artifacts"); folderWithArtifacts_Phase2 = Path.Combine(workflowFolder, "Phase 2 - Artifacts"); Files.checkIfDirectoryExistsAndCreateIfNot(folderWithArtifacts_Phase2); // create Phase 2 folder (if required) // check if required folders exist Assert.That(Directory.Exists(folderWithArtifacts_Phase1), "folderWithArtifacts_forPhase1 could not be found"); Assert.That(Directory.Exists(folderWithArtifacts_Phase2), "folderWithArtifacts_forPhase2 could not be found"); if (analysisArtifacts.phase_2.task1_SplitFindingsOnTrace) { foreach (var file in Files.getFilesFromDir_returnFullPath(folderWithArtifacts_Phase1)) { var fileName = Path.GetFileName(file); // load findings var o2FindingsInFile = XUtils_Findings_v0_1.loadFindingsFile(file); // check if file was loaded ok Assert.That(o2FindingsInFile != null, "o2FindingsInFile was null. file loaded :" + file); // Assert.That(o2FindingsInFile.Count > 0, "There were no findings loaded from file: " + file); O2Cmd.log.write("Loaded {0} findings from file {1}", o2FindingsInFile.Count, fileName); task1_FilterFindings(o2FindingsInFile, fileName); if (onlyRunTasksOnOneFile) { break; // during development just use first file } } } if (analysisArtifacts.phase_2.task2_createStrutsMappings) { task2_createStrutsMappings(); } O2Cmd.log.write("\n\n**** : PHASE 2 Completed\n\n"); return("Phase 1 completed"); }
// PHASE 3 : TASKS // since there are lot a lot of known sinks move them all into one file public void task1_handleKnownSinks() { // for now save these findings in the root of folderWithArtifacts_Phase3 var folderWithAssessmentFiles = Path.Combine(folderWithArtifacts_Phase2, "FindingsWith_Traces_KnownSinks"); Assert.That(Directory.Exists(folderWithAssessmentFiles), "Directory folderWithAssessmentFiles does not exist: " + folderWithAssessmentFiles); var o2Findings_WithKnownSinks = XUtils_Findings_v0_1.loadMultipleOzasmtFiles(folderWithAssessmentFiles); // save as 1 ozasmt file with all findings var targetFile = Path.Combine(folderWithArtifacts_Phase3, "Findings with Known Sinks.ozasmt"); XUtils_Findings_v0_1.saveFindings(o2Findings_WithKnownSinks, targetFile); // save as 1 ozasmt file per VulnType var targetFolder = Path.Combine(folderWithArtifacts_Phase3, "Findings with KnownSinks (by VulnType)"); var mappedFindings = XUtils_Analysis.getDictionaryWithFindingsMappedBy_VulType(o2Findings_WithKnownSinks); XUtils_Analysis.saveDictionaryWithMappedFindingsToFolder(mappedFindings, targetFolder); }
// PHASE 4 : TASKS // Handle the Findings With Knonw Sinks public void task1_analyseFindingsWithKnownSinks() { // check if source findings file is there var fileWith_Findings_WithKnownSinks = Path.Combine(folderWithArtifacts_Phase3, "Findings with Known Sinks.ozasmt"); Assert.That(File.Exists(fileWith_Findings_WithKnownSinks), "fileWith_Findings_WithKnownSinks file did not exist: " + fileWith_Findings_WithKnownSinks); // load findings var o2Findings_WithKnownSinks = XUtils_Findings_v0_1.loadFindingsFile(fileWith_Findings_WithKnownSinks); Assert.That(o2Findings_WithKnownSinks.Count > 0, "There were no findings in o2Findings_WithKnownSinks object"); // show findingds (while in analysis mode) //XUtils_Findings_v0_1.openFindingsInNewWindow(o2Findings_WithKnownSinks); analyzeFindingsOfVulnType_SqlInjection(o2Findings_WithKnownSinks, true); makeKnownFindingsTypeII(o2Findings_WithKnownSinks); }
public string RemoveAllMaliciousTriggers() { var o2Findings = XUtils_Findings_v0_1.loadFindingsFile(sampleOzamtFile); var vulnNameToFind = "Vulnerability.Malicious.Trigger"; // check that there are some o2Findings var withVulnName = from IO2Finding o2Finding in o2Findings where o2Finding.vulnType == vulnNameToFind select o2Finding; Assert.That(withVulnName.Count() > 0, "In the findings loaded, there was no Findings with vulnName = " + vulnNameToFind); // and since there are create a list of findings without vunlNameToFind var withoutVulnName = from IO2Finding o2Finding in o2Findings where o2Finding.vulnType != vulnNameToFind select o2Finding; XUtils_Findings_v0_1.openFindingsInNewWindow(withoutVulnName.ToList(), "withoutVulnName").Join(); return("# of Findings without '" + vulnNameToFind + "': " + withoutVulnName.Count()); }
public static List <IO2Finding> saveQuery(List <IO2Finding> o2FindingsInFile, string targetFolder, string fileName, string sourceRegEx, string sinkRegex, string fileNamePrefix, string fileNamePostfix, bool removeFindingsFromSourceList) { O2Cmd.log.write("Executing query: Source = {0} Sink = {1}", sourceRegEx, sinkRegex); var results = new XRule_Findings_Filter().whereSourceAndSink_ContainsRegex(o2FindingsInFile, sourceRegEx, sinkRegex); O2Cmd.log.write(" Query returned {0} results", results.Count); var targetFile = Path.Combine(targetFolder, fileNamePrefix + fileName + " - " + fileNamePostfix); if (false == targetFile.EndsWith(".ozasmt")) { targetFile += ".ozasmt"; } if (results.Count > 0) { XUtils_Findings_v0_1.saveFindings(results, targetFile); if (removeFindingsFromSourceList) { removeFindingsFromList(o2FindingsInFile, results); } } return(results); }
public List <IO2Finding> removeAllInfos_version_1() { // load findings to process var o2Findings = XUtils_Findings_v0_1.loadFindingsFile(sampleOzamtFile); Assert.That(o2Findings.Count > 0, "There were no findings loaded"); // calculate results var results = new List <IO2Finding>(); foreach (var o2Finding in o2Findings) // the type of var is IO2Finding { if (o2Finding.severity < 3) { results.Add(o2Finding); } } // show findings in O2 GUI XUtils_Findings_v0_1.openFindingsInNewWindow(results); // return results return(results); }
public string invokeStrutsRules_Variation_2_loadAllFiles() { string webAppRoot = @"...\_OunceApplication\O2Data\xml config files"; string baseO2FindingsFile = @"...\_OunceApplication\O2Data\OSA - ... 11-3-09 807PM.ozasmt"; string webXml = Path.Combine(webAppRoot, @"web.xml"); string strutsConfigXml = Path.Combine(webAppRoot, @"struts-config.xml"); string tilesDefinitionXml = Path.Combine(webAppRoot, @"tiles-definitions.xml"); string validationXml = Path.Combine(webAppRoot, @"validation.xml"); // make sure webAppRoot directory exists Assert.That(Directory.Exists(webAppRoot), "Could not find webAppRoot directory:\r\n " + webAppRoot); // make sure files exist Assert.That(File.Exists(baseO2FindingsFile), "Could not find file with baseO2FindingsFile:\r\n " + baseO2FindingsFile); Assert.That(File.Exists(webXml), "Could not find file with webXml:\r\n " + webXml); Assert.That(File.Exists(strutsConfigXml), "Could not find file with strutsConfig:\r\n " + strutsConfigXml); Assert.That(File.Exists(tilesDefinitionXml), "Could not find file with tilesDefinitionXml:\r\n " + tilesDefinitionXml); //Assert.That(File.Exists(validationXml), "Could not find file with validationXml:\r\n " + validationXml); // Dinis note: in my local examples I don't have this file // load assessment file var baseO2Findings = XUtils_Findings_v0_1.loadFindingsFile(baseO2FindingsFile); // make sure there were findings loaded Assert.That(baseO2Findings != null, "baseO2Findings == null"); Assert.That(baseO2Findings.Count > 0, "there were no findings loaded in baseO2Findings"); // create struts mapping object var strutsMappings = StrutsMappingsHelpers.calculateStrutsMapping(webXml, strutsConfigXml, tilesDefinitionXml, validationXml); // make sure struts mapping was loaded ok Assert.That(strutsMappings != null, "strutsMappings was null"); Assert.That(strutsMappings.actionServlets.Count > 0, "in strutsMappings, actionServlets.Count ==0"); // TaintSources and FinalSinks RegEx var taintSources_SourceRegEx = @"getParameter\(java.lang.String\)"; var taintSources_SinkRegEx = @"setAttribute\(java.lang.String"; var finalSinks_SourceRegEx = @"getAttribute\(java.lang.String\)"; var finalSinks_SinkRegEx = @"print"; // calcuate struts findings var xRuleStuts = new XUtils_Struts_Joins_V0_1() { findingsWith_BaseO2Findings = baseO2Findings, StrutsMappings = strutsMappings, TaintSources_SourceRegEx = taintSources_SourceRegEx, TaintSources_SinkRegEx = taintSources_SinkRegEx, FinalSinks_SourceRegEx = finalSinks_SourceRegEx, FinalSinks_SinkRegEx = finalSinks_SinkRegEx, JoinPointFilter = XRule_Struts.joinPointFilter }; xRuleStuts.calculateFindings(); // get list of findings calculated var results = xRuleStuts.getResults(); // make sure there are findings in the results list Assert.That(results.Count > 0, " there were no findings in the results list"); return("All OK, number of results calculated: " + results.Count); }
public void analyzeFindingsOfVulnType_SqlInjection(List <IO2Finding> o2Findings, bool removeFindingsFromSourceList) { // extract the Sql Injection ones var sqlInjectionFindings = XUtils_Analysis.getFindingsWithVulnType(o2Findings, "Vulnerability.Injection.SQL", removeFindingsFromSourceList); if (sqlInjectionFindings.Count == 0) { return; } // var fileWithSqlInjections = Path.Combine(folderWithArtifacts_Phase4, "Findings_with_SQL_Injection"); //XUtils_Findings_v0_1.saveFindings(sqlInjectionFindings, fileWithSqlInjections); //Assert.That(File.Exists(fileWithSqlInjections), "fileWithSqlInjections was not created"); var sqlInjectionValidators = new List <string> { "java.lang.Integer.<init>(int):void", "java.lang.Integer.valueOf(int):java.lang.Integer", "java.lang.String.valueOf(int):java.lang.String", ":java.util.DateTime" }; var nonExploitable = new List <IO2Finding>(); var maybeExploitable = new List <IO2Finding>(); foreach (O2Finding o2Finding in sqlInjectionFindings) { var validatorFound = ""; foreach (var validator in sqlInjectionValidators) { if (XUtils_Analysis.doesFindingHasTraceSignature(o2Finding, validator)) { validatorFound = validator; break; } } // modify finding if (validatorFound != "") { o2Finding.context = string.Format("found validator: {0} , {1}", validatorFound, o2Finding.context); nonExploitable.Add(o2Finding); o2Finding.vulnType += ".NotExploitable"; o2Finding.severity = 3; o2Finding.confidence = 1; } else { maybeExploitable.Add(o2Finding); o2Finding.vulnType += ".MaybeExploitable.InternalMethod"; o2Finding.severity = 0; o2Finding.confidence = 2; } } var fileWith_NonExploitable = Path.Combine(folderWithArtifacts_Phase4, "NonExploitable_Findings_with_SQL_Injection.ozasmt"); XUtils_Findings_v0_1.saveFindings(nonExploitable, fileWith_NonExploitable); var fileWith_MaybeExploitable = Path.Combine(folderWithArtifacts_Phase4, "MaybeExploitable_Findings_with_SQL_Injection.ozasmt"); XUtils_Findings_v0_1.saveFindings(maybeExploitable, fileWith_MaybeExploitable); //XUtils_Findings_v0_1.openFindingsInNewWindow(nonExploitable).Join(); //XUtils_Findings_v0_1.openFindingsInNewWindow(maybeExploitable).Join(); }