public string invokeStrutsRules_Variation_1_UsingPreCalculatedO2StrutsMappingFile()
{
var strutsMappingsFile = @"...\_OunceApplication\O2Data\....O2StrutsMapping";
var baseO2FindingsFile = @"...\_OunceApplication\O2Data\....ozasmt";
// make sure these files exist
Assert.That(File.Exists(strutsMappingsFile), "Could not find file with strutsMappingsFile:\r\n " + strutsMappingsFile);
Assert.That(File.Exists(baseO2FindingsFile), "Could not find file with baseO2FindingsFile:\r\n " + baseO2FindingsFile);
// load the files
var strutsMapping = XUtils_Struts_v0_1.loadStrutsMappingsFromFile(strutsMappingsFile);
var baseO2Findings = XUtils_Findings_v0_1.loadFindingsFile(baseO2FindingsFile);
// make sure the file where correctly loaded
Assert.That(strutsMapping != null, "strutsMapping was null");
Assert.That(baseO2Findings != null, "baseO2Findings was null");
Assert.That(baseO2Findings.Count > 0, "baseO2Findings had no findings");
// execute the struts rule
var o2Results = XRule_Struts.strutsRule_fromGetParameterToPringViaGetSetAttributeJoins(baseO2Findings, strutsMapping);
// make sure we had results
Assert.That(o2Results.Count > 0, "There were no results");
// save results
var fileWithSavedResults = XUtils_Findings_v0_1.saveFindings(o2Results);
// make sure saved file exists
Assert.That(fileWithSavedResults != null, "fileWithSavedResults was null");
Assert.That(File.Exists(fileWithSavedResults), "fileWithSavedResults did not exist: " + fileWithSavedResults);
return(string.Format("All OK. There were {0} results \r\nsaved to: {1}", o2Results.Count, fileWithSavedResults));
}
public void task2_AdjustsStrutsFindings()
{
var validatorPatternIDText = "validator: patternid=";
var validatorValidContentText = "validator: valid-content";
O2Cmd.log.write("TASK 2: AdjustsStrutsFindings");
var strutsFindingsFolder = Path.Combine(folderWithArtifacts_Phase3, "Struts Mappings");
if (false == Directory.Exists(strutsFindingsFolder))
{
return;
}
//Assert.That(Directory.Exists(strutsFindingsFolder), "strutsFindingsFolder did not exists: " + strutsFindingsFolder);
foreach (var strutsFindingFile in Files.getFilesFromDir_returnFullPath(strutsFindingsFolder))
{
var o2Findings = XUtils_Findings_v0_1.loadFindingsFile(strutsFindingFile);
foreach (O2Finding o2Finding in o2Findings)
{
var allTraces = OzasmtUtils.getListWithAllTraces(o2Finding);
foreach (var o2Trace in allTraces)
{
if (o2Trace.signature.StartsWith(validatorPatternIDText))
{
var pattern = o2Trace.signature.Replace(validatorPatternIDText, "");
if (pattern == "FREE_TEXT")
{
o2Finding.vulnType = "Struts.CrossSiteScripting.NOT.Validated";
o2Finding.confidence = 1;
o2Finding.severity = 0;
}
else
{
o2Finding.vulnType = "Struts.CrossSiteScripting.Validated";
o2Finding.confidence = 1;
o2Finding.severity = 2;
}
o2Finding.vulnType += " : " + pattern;
break;
}
else if (o2Trace.signature.StartsWith(validatorValidContentText))
{
var pattern = o2Trace.signature.Replace(validatorValidContentText, "");
o2Finding.vulnType = "Struts.CrossSiteScripting.Validated.ValidContent";
o2Finding.confidence = 2;
o2Finding.severity = 2;
}
}
// validator: patternid=
}
//XUtils_Findings_v0_1.openFindingsInNewWindow(o2Findings);
var targetFile = Path.Combine(folderWithArtifacts_Phase4, "Struts Mappings - " + Path.GetFileName(strutsFindingFile));
XUtils_Findings_v0_1.saveFindings(o2Findings, targetFile);
O2Cmd.log.write("Struts Mappings saved to: {0}", targetFile);
}
//foreach(var
}
public string showFindingsInGUI()
{
var o2Findings = XUtils_Findings_v0_1.loadFindingsFile(sampleOzamtFile);
Assert.That(o2Findings.Count > 0, "There were no findings loaded");
XUtils_Findings_v0_1.openFindingsInNewWindow(o2Findings);
return("number of findings loaded:" + o2Findings.Count);
}
public string runPhase5()
{
var testAnalysisArtifacts = KAnalysisArtifacts.load(testAnalysisArtifactsFile);
var result = runPhase5(testAnalysisArtifacts);
var finalO2Findings = XUtils_Findings_v0_1.loadFindingsFile(finalAssessmentFile);
XUtils_Findings_v0_1.openFindingsInNewWindow(finalO2Findings);
return(result);
}
public static void Test()
{
var baseO2Findings = XUtils_Findings_v0_1.loadFindingsFile(baseO2FindingsFile);
var strutsMapping = (KStrutsMappings)Serialize.getDeSerializedObjectFromBinaryFile(strutsMappingsFile, typeof(KStrutsMappings));
var o2Findings = strutsRule_fromGetParameterToPringViaGetSetAttributeJoins(baseO2Findings, strutsMapping);
XUtils_Findings_v0_1.openFindingsInNewWindow(o2Findings);
}
public string onlyShowNoTraces()
{
var noTraces = from IO2Finding o2Finding in XUtils_Findings_v0_1.loadFindingsFile(sampleOzamtFile)
where o2Finding.o2Traces.Count == 0
select o2Finding;
XUtils_Findings_v0_1.openFindingsInNewWindow(noTraces.ToList());
return("# of NoTraces: " + noTraces.Count());
}
public string removeAllNoTraces()
{
var onlyTraces = from IO2Finding o2Finding in XUtils_Findings_v0_1.loadFindingsFile(sampleOzamtFile)
where o2Finding.o2Traces.Count > 0
select o2Finding;
XUtils_Findings_v0_1.openFindingsInNewWindow(onlyTraces.ToList());
return("# of onlyTraces: " + onlyTraces.Count());
}
public string onlyShowInfos_Linq()
{
var onlyInfos = from IO2Finding o2Finding in XUtils_Findings_v0_1.loadFindingsFile(sampleOzamtFile)
where o2Finding.severity == 3
select o2Finding;
XUtils_Findings_v0_1.openFindingsInNewWindow(onlyInfos.ToList());
return("# of Infos: " + onlyInfos.Count());
}
public void task4_CalculateStrutsFindings()
{
O2Cmd.log.write("TASK #4: Calculate Struts Findings");
// check if there are Struts Mappings
var folderWithStrutsMappings = Path.Combine(folderWithArtifacts_Phase2, "Struts Mappings");
if (Directory.Exists(folderWithStrutsMappings))
{
//Assert.That(Directory.Exists(folderWithStrutsMappings), "Directory with struts mappings did not exist: " + folderWithStrutsMappings);
// check if we have the filtered findings files required
var findingsWith_KnownSinks = Path.Combine(folderWithArtifacts_Phase3, "Findings with Known Sinks.ozasmt");
Assert.That(File.Exists(findingsWith_KnownSinks), "Could not find findingsWith_KnownSinks: " + findingsWith_KnownSinks);
// load findings
var o2Findings_KnownSinks = XUtils_Findings_v0_1.loadFindingsFile(findingsWith_KnownSinks);
// extract just the ones needed for the struts mappings
var o2Findings = new XRule_Findings_Filter().whereSourceAndSink_ContainsRegex(o2Findings_KnownSinks, "getParameter", "setAttribute");
o2Findings.AddRange(new XRule_Findings_Filter().whereSourceAndSink_ContainsRegex(o2Findings_KnownSinks, "getAttribute", "print"));
foreach (var strutsMappingsFile in Files.getFilesFromDir_returnFullPath(folderWithStrutsMappings))
{
var fileName = Path.GetFileName(strutsMappingsFile);
var projectName = Path.GetFileNameWithoutExtension(strutsMappingsFile);
O2Cmd.log.write("Processing file {0} from project {1}", fileName, projectName);
// load struts mappings
var strutsMapping = XUtils_Struts_v0_1.loadStrutsMappingsFromFile(strutsMappingsFile);
Assert.That(strutsMapping != null, "strutsMapping was null");
// execute the struts rule
var o2Results = XRule_Struts.strutsRule_fromGetParameterToPringViaGetSetAttributeJoins(o2Findings, strutsMapping);
// make sure we had results
//Assert.That(o2Results.Count > 0 , "There were no results");
if (o2Results.Count == 0)
{
O2Cmd.log.error("there were no results in task4_CalculateStrutsFindings");
}
else
{
// save results
var targetFolder = Path.Combine(folderWithArtifacts_Phase3, "Struts Mappings");
Files.checkIfDirectoryExistsAndCreateIfNot(targetFolder);
var fileWithSavedResults = Path.Combine(targetFolder, projectName + ".ozasmt");
XUtils_Findings_v0_1.saveFindings(o2Results, fileWithSavedResults);
// make sure saved file exists
Assert.That(File.Exists(fileWithSavedResults), "fileWithSavedResults did not exist: " + fileWithSavedResults);
O2Cmd.log.write("All OK. There were {0} results \r\nsaved to: {1}", o2Results.Count, fileWithSavedResults);
}
}
}
}
public string RemoveAll3nodeGetSetVulns()
{
// Dinis note, if I understand this request correctly, the query is:
// for all vulns that start in a get and end in set
// only show the ones that have more than 3 traces
var o2Findings = XUtils_Findings_v0_1.loadFindingsFile(sampleOzamtFile);
var thread = XUtils_Findings_v0_1.openFindingsInNewWindow(o2Findings, "Original list of loaded files");
thread.Join(); // we have to do this to make sure we don't continue before the findings are loaded in the Findings Viewer
// first lets see if this happens in the current list of loaded findings
var getsAndSets = new List <IO2Finding>();
foreach (O2Finding o2Finding in o2Findings) // need to cast to O2Finding in order to have access to the prepopulated version of IO2Finding
{
if (o2Finding.Source.IndexOf("get") > -1 && o2Finding.Sink.IndexOf("set") > -1)
{
getsAndSets.Add(o2Finding);
}
}
Assert.That(getsAndSets.Count > 0, "There are no Get->Set pairs in the current loaded findings"); // Dinis note: on the WebGoat 6.0.ozasmt file I'm using there are 54 matches
// show in GUI getsAndSets
XUtils_Findings_v0_1.openFindingsInNewWindow(getsAndSets, "Findings with GetsAndSets").Join(); // added .Join() to ensure the load thread is completed
// now check if there are findings with 3 traces
var getsAndSetsWith3Traces = new List <IO2Finding>();
foreach (O2Finding o2Finding in getsAndSets)
{
var allTracesFromFinding = OzasmtUtils.getListWithAllTraces(o2Finding);
if (allTracesFromFinding.Count == 3)
{
getsAndSetsWith3Traces.Add(o2Finding);
}
}
Assert.That(getsAndSetsWith3Traces.Count > 0, "There were no getsAndSetsWith3Traces");
// show in GUI getsAndSetsWith3Traces
XUtils_Findings_v0_1.openFindingsInNewWindow(getsAndSetsWith3Traces, "Findings with getsAndSetsWith3Traces").Join(); // Dinis note: I get 4 findings that match this criteria
// finally remove the getsAndSetsWith3Traces from the loaded findings
foreach (var o2FindingToRemove in getsAndSetsWith3Traces)
{
o2Findings.Remove(o2FindingToRemove);
}
// and show the results (note how this window has less 3 findings than the first one that was loaded)
XUtils_Findings_v0_1.openFindingsInNewWindow(o2Findings, "Original list without 3nodeGetSetVulns").Join();
return("Number of findings after filter: " + o2Findings.Count);
} // this function could be greatly reduced by using LINQ (I'll do that later :) )
public List <IO2Finding> removeAllInfos_version_3()
{
// LINQ query
var resultsLinq = from IO2Finding o2Finding in XUtils_Findings_v0_1.loadFindingsFile(sampleOzamtFile)
where OzasmtUtils.getSeverityFromId(o2Finding.severity) != "Info" // o2Finding.severity = 3 maps to "Info"
select o2Finding;
// since we are using List<IO2Fiding> below, lets covert the LINQ result which is IEnumerable<IO2Finding> to List<IO2Finding>
var results = resultsLinq.ToList();
XUtils_Findings_v0_1.openFindingsInNewWindow(results);
return(results);
}
public List <IO2Finding> removeAllInfos_version_2()
{
var o2Findings = XUtils_Findings_v0_1.loadFindingsFile(sampleOzamtFile);
var results = new List <IO2Finding>();
foreach (O2Finding o2Finding in o2Findings)
{
if (OzasmtUtils.getSeverityFromId(o2Finding.severity) != "Info")
{
results.Add(o2Finding);
}
}
XUtils_Findings_v0_1.openFindingsInNewWindow(results);
return(results);
}
public string runPhase2(IAnalysisArtifacts analysisArtifacts)
{
O2Cmd.log.write("\n\n***** PHASE 2 ***");
// setup expected target folders
workflowFolder = analysisArtifacts.targetFolder;
folderWithArtifacts_Phase1 = Path.Combine(workflowFolder, "Phase 1 - Artifacts");
folderWithArtifacts_Phase2 = Path.Combine(workflowFolder, "Phase 2 - Artifacts");
Files.checkIfDirectoryExistsAndCreateIfNot(folderWithArtifacts_Phase2); // create Phase 2 folder (if required)
// check if required folders exist
Assert.That(Directory.Exists(folderWithArtifacts_Phase1), "folderWithArtifacts_forPhase1 could not be found");
Assert.That(Directory.Exists(folderWithArtifacts_Phase2), "folderWithArtifacts_forPhase2 could not be found");
if (analysisArtifacts.phase_2.task1_SplitFindingsOnTrace)
{
foreach (var file in Files.getFilesFromDir_returnFullPath(folderWithArtifacts_Phase1))
{
var fileName = Path.GetFileName(file);
// load findings
var o2FindingsInFile = XUtils_Findings_v0_1.loadFindingsFile(file);
// check if file was loaded ok
Assert.That(o2FindingsInFile != null, "o2FindingsInFile was null. file loaded :" + file);
// Assert.That(o2FindingsInFile.Count > 0, "There were no findings loaded from file: " + file);
O2Cmd.log.write("Loaded {0} findings from file {1}", o2FindingsInFile.Count, fileName);
task1_FilterFindings(o2FindingsInFile, fileName);
if (onlyRunTasksOnOneFile)
{
break; // during development just use first file
}
}
}
if (analysisArtifacts.phase_2.task2_createStrutsMappings)
{
task2_createStrutsMappings();
}
O2Cmd.log.write("\n\n**** : PHASE 2 Completed\n\n");
return("Phase 1 completed");
}
// PHASE 4 : TASKS
// Handle the Findings With Knonw Sinks
public void task1_analyseFindingsWithKnownSinks()
{
// check if source findings file is there
var fileWith_Findings_WithKnownSinks = Path.Combine(folderWithArtifacts_Phase3, "Findings with Known Sinks.ozasmt");
Assert.That(File.Exists(fileWith_Findings_WithKnownSinks), "fileWith_Findings_WithKnownSinks file did not exist: " + fileWith_Findings_WithKnownSinks);
// load findings
var o2Findings_WithKnownSinks = XUtils_Findings_v0_1.loadFindingsFile(fileWith_Findings_WithKnownSinks);
Assert.That(o2Findings_WithKnownSinks.Count > 0, "There were no findings in o2Findings_WithKnownSinks object");
// show findingds (while in analysis mode)
//XUtils_Findings_v0_1.openFindingsInNewWindow(o2Findings_WithKnownSinks);
analyzeFindingsOfVulnType_SqlInjection(o2Findings_WithKnownSinks, true);
makeKnownFindingsTypeII(o2Findings_WithKnownSinks);
}
public string RemoveAllMaliciousTriggers()
{
var o2Findings = XUtils_Findings_v0_1.loadFindingsFile(sampleOzamtFile);
var vulnNameToFind = "Vulnerability.Malicious.Trigger";
// check that there are some o2Findings
var withVulnName = from IO2Finding o2Finding in o2Findings
where o2Finding.vulnType == vulnNameToFind
select o2Finding;
Assert.That(withVulnName.Count() > 0, "In the findings loaded, there was no Findings with vulnName = " + vulnNameToFind);
// and since there are create a list of findings without vunlNameToFind
var withoutVulnName = from IO2Finding o2Finding in o2Findings
where o2Finding.vulnType != vulnNameToFind
select o2Finding;
XUtils_Findings_v0_1.openFindingsInNewWindow(withoutVulnName.ToList(), "withoutVulnName").Join();
return("# of Findings without '" + vulnNameToFind + "': " + withoutVulnName.Count());
}
public List <IO2Finding> removeAllInfos_version_1()
{
// load findings to process
var o2Findings = XUtils_Findings_v0_1.loadFindingsFile(sampleOzamtFile);
Assert.That(o2Findings.Count > 0, "There were no findings loaded");
// calculate results
var results = new List <IO2Finding>();
foreach (var o2Finding in o2Findings) // the type of var is IO2Finding
{
if (o2Finding.severity < 3)
{
results.Add(o2Finding);
}
}
// show findings in O2 GUI
XUtils_Findings_v0_1.openFindingsInNewWindow(results);
// return results
return(results);
}
public string invokeStrutsRules_Variation_2_loadAllFiles()
{
string webAppRoot = @"...\_OunceApplication\O2Data\xml config files";
string baseO2FindingsFile = @"...\_OunceApplication\O2Data\OSA - ... 11-3-09 807PM.ozasmt";
string webXml = Path.Combine(webAppRoot, @"web.xml");
string strutsConfigXml = Path.Combine(webAppRoot, @"struts-config.xml");
string tilesDefinitionXml = Path.Combine(webAppRoot, @"tiles-definitions.xml");
string validationXml = Path.Combine(webAppRoot, @"validation.xml");
// make sure webAppRoot directory exists
Assert.That(Directory.Exists(webAppRoot), "Could not find webAppRoot directory:\r\n " + webAppRoot);
// make sure files exist
Assert.That(File.Exists(baseO2FindingsFile), "Could not find file with baseO2FindingsFile:\r\n " + baseO2FindingsFile);
Assert.That(File.Exists(webXml), "Could not find file with webXml:\r\n " + webXml);
Assert.That(File.Exists(strutsConfigXml), "Could not find file with strutsConfig:\r\n " + strutsConfigXml);
Assert.That(File.Exists(tilesDefinitionXml), "Could not find file with tilesDefinitionXml:\r\n " + tilesDefinitionXml);
//Assert.That(File.Exists(validationXml), "Could not find file with validationXml:\r\n " + validationXml); // Dinis note: in my local examples I don't have this file
// load assessment file
var baseO2Findings = XUtils_Findings_v0_1.loadFindingsFile(baseO2FindingsFile);
// make sure there were findings loaded
Assert.That(baseO2Findings != null, "baseO2Findings == null");
Assert.That(baseO2Findings.Count > 0, "there were no findings loaded in baseO2Findings");
// create struts mapping object
var strutsMappings = StrutsMappingsHelpers.calculateStrutsMapping(webXml, strutsConfigXml, tilesDefinitionXml, validationXml);
// make sure struts mapping was loaded ok
Assert.That(strutsMappings != null, "strutsMappings was null");
Assert.That(strutsMappings.actionServlets.Count > 0, "in strutsMappings, actionServlets.Count ==0");
// TaintSources and FinalSinks RegEx
var taintSources_SourceRegEx = @"getParameter\(java.lang.String\)";
var taintSources_SinkRegEx = @"setAttribute\(java.lang.String";
var finalSinks_SourceRegEx = @"getAttribute\(java.lang.String\)";
var finalSinks_SinkRegEx = @"print";
// calcuate struts findings
var xRuleStuts = new XUtils_Struts_Joins_V0_1()
{
findingsWith_BaseO2Findings = baseO2Findings,
StrutsMappings = strutsMappings,
TaintSources_SourceRegEx = taintSources_SourceRegEx,
TaintSources_SinkRegEx = taintSources_SinkRegEx,
FinalSinks_SourceRegEx = finalSinks_SourceRegEx,
FinalSinks_SinkRegEx = finalSinks_SinkRegEx,
JoinPointFilter = XRule_Struts.joinPointFilter
};
xRuleStuts.calculateFindings();
// get list of findings calculated
var results = xRuleStuts.getResults();
// make sure there are findings in the results list
Assert.That(results.Count > 0, " there were no findings in the results list");
return("All OK, number of results calculated: " + results.Count);
}