Exemplo n.º 1
0
        public void Similarity()
        {
            string text1 = "asldbcv3o9322lif;owq4o-u-4hf3fn4ofwh094f4qq43fqldadsa2GSUACUVAoo32g3f";
            string text2 = "xsbadkvivuvsd;ojve;rieorqro8@O*ho848oq34floowahoOAGAGAODOWWOoq38aqo3af";

            LettersDiffer differ = new LettersDiffer();

            differ.AddTask(text1, 0);
            differ.AddTask(text2, 0);
            double diffSimilarity = differ.DoDiff();
            double aseSimilarity  = ASESimilarityAlgorithm.CalculateSimilarity(text1, text2);

            Assert.AreEqual(aseSimilarity, diffSimilarity, 0.05, "Incorrect similarity factor");
        }
Exemplo n.º 2
0
        public bool ValueMatches(IDiffObject diffObject)
        {
            BaseTextDiffObject otherObject = diffObject as BaseTextDiffObject;
            bool equals = false;

            if (otherObject != null)
            {
                equals = this.ValueHash == otherObject.ValueHash;

                if (!equals && SimilarityFactor < 1)
                {
                    equals = ASESimilarityAlgorithm.CalculateSimilarity(this.Value, otherObject.Value) >= this.SimilarityFactor;
                }
            }
            return(equals);
        }
Exemplo n.º 3
0
        /// <summary>
        /// Checks is the value is equal. If not where applicable a collection of granular differences is outputed
        /// </summary>
        /// <param name="diffObject"></param>
        /// <param name="diffsForSelf"></param>
        /// <param name="diffsForArgument"></param>
        /// <param name="commonElements"></param>
        /// <returns></returns>
        public bool ValueMatches(IDiffObject diffObject, out IDiffObjectsCollection diffsForSelf, out IDiffObjectsCollection diffsForArgument, out IDiffObjectsCollection commonElements)
        {
            BaseTextDiffObject otherObject = diffObject as BaseTextDiffObject;

            diffsForSelf     = null;
            diffsForArgument = null;
            commonElements   = null;
            bool matches = false;

            if (otherObject != null)
            {
                matches = this.ValueHash == otherObject.ValueHash;

                if (!matches)
                {
                    double simFactor = ASESimilarityAlgorithm.CalculateSimilarity(this.Value, otherObject.Value);

                    LettersDiffer granularDiffer = InitGranularDiffer();

                    if (simFactor > 0 && granularDiffer != null)
                    {
                        //calculate granular differences
                        granularDiffer.AddTask(Value, Position);                         //imports the current word into a letters collection starting from the position of the current element
                        granularDiffer.AddTask(otherObject.Value, otherObject.Position);

                        double diffRatio = granularDiffer.DoDiff(0, 1);

                        diffsForSelf     = granularDiffer.GetResultingDifferences(0);
                        diffsForArgument = granularDiffer.GetResultingDifferences(1);
                        commonElements   = granularDiffer.GetResultingCommonElements(0);

                        matches = diffRatio >= this.SimilarityFactor;
                    }
                }
            }

            return(matches);
        }
Exemplo n.º 4
0
        /// <summary>
        /// Calculates if the current response is different than the original response
        /// </summary>
        /// <param name="responseInfo"></param>
        /// <returns></returns>
        private bool IsDifferentThanOriginalResponse(HttpResponseInfo responseInfo)
        {
            bool isDifferent;

            if (!_trackingReqInfo.ResponseStatus.Equals(responseInfo.Status.ToString()))
            {
                isDifferent = true;
            }
            else if (ResponseLengthIsSignificantlyDifferent(responseInfo, _trackingReqInfo))
            {
                isDifferent = true;
            }
            else             //calculate response similarity
            {
                byte[] oldRespBytes  = _dataStore.LoadResponseData(_trackingReqInfo.Id);
                string oldRespString = Constants.DefaultEncoding.GetString(oldRespBytes);

                double similarity = ASESimilarityAlgorithm.CalculateSimilarity(oldRespString, responseInfo.ToString());

                isDifferent = similarity < 0.98;
            }
            return(isDifferent);
        }
Exemplo n.º 5
0
        /// <summary>
        /// Diffs the response bodies
        /// </summary>
        /// <param name="result"></param>
        /// <param name="firstResponse"></param>
        /// <param name="secondResponse"></param>
        /// <param name="firstRespBasePos"></param>
        /// <param name="secondRespBasePos"></param>
        /// <returns></returns>
        private RequestsDifferResult DiffResponseBody(RequestsDifferResult result, string firstResponse, string secondResponse, int firstRespBasePos, int secondRespBasePos)
        {
            int firstResponseBodyStart  = FindResponseBodyStart(firstResponse);
            int secondResponseBodyStart = FindResponseBodyStart(secondResponse);

            string firstResponseBody  = firstResponse.Substring(firstResponseBodyStart);
            string secondResponseBody = secondResponse.Substring(secondResponseBodyStart);

            LinesDiffer linesDiffer = new LinesDiffer();             //this differ first compares the lines then the words then the letters

            linesDiffer.Properties.Sorted = false;

            linesDiffer.AddTask(firstResponseBody, firstRespBasePos + firstResponseBodyStart);
            linesDiffer.AddTask(secondResponseBody, secondRespBasePos + secondResponseBodyStart);

            result.BodyDiffSimilarity = linesDiffer.DoDiff();

            //calculate aproximate similarity as generated by appscan algorithm
            result.BodyAproximateSimilarity = ASESimilarityAlgorithm.CalculateSimilarity(firstResponseBody, secondResponseBody);

            result = AppendDiffs(result, linesDiffer);

            return(result);
        }
Exemplo n.º 6
0
        /// <summary>
        /// Validates a response and inserts a vulnerability
        /// </summary>
        /// <param name="rawRequest"></param>
        /// <param name="rawResponse"></param>
        /// <param name="requestUri"></param>
        /// <param name="parameterName"></param>
        /// <param name="entityId"></param>
        /// <param name="testDef"></param>
        /// <param name="payload"></param>
        /// <param name="mutatedRequestList"></param>
        /// <param name="testResponseList"></param>
        public bool ValidateTest(string rawRequest, string rawResponse, Uri requestUri,
                                 string parameterName, string entityId, CustomTestDef testDef, List <string> mutatedRequestList, List <string> testResponseList)
        {
            string validation = testDef.Validation.Trim();

            if (String.IsNullOrWhiteSpace(validation))
            {
                return(false);                                       //this is a callback test
            }
            bool found = false;

            bool isMultiValidationRule = IsMultiValidationRule(validation);

            if (!isMultiValidationRule)
            {
                for (int idx = 0; idx < mutatedRequestList.Count; idx++)
                {
                    string mutatedRequest = mutatedRequestList[idx];
                    string testResponse   = testResponseList[idx];
                    found |= ValidateSingleTest(rawRequest, rawResponse, requestUri, parameterName, entityId, testDef, mutatedRequest, testResponse);
                }
            }
            else
            {
                if (validation.StartsWith(JAVASCRIPT_FUNCTION_TAG))
                {
                    found = RunJavaScriptValidation(validation, testResponseList);
                }
                else if (validation.StartsWith(TAUTOLOGY_VERIFICATION_FUNC))
                {
                    if (testResponseList != null && testResponseList.Count % 3 == 0)
                    {
                        int encodingsCount = testResponseList.Count / 3;
                        for (int i = 0; i < encodingsCount && !found; i++)
                        {
                            int    first  = i;
                            int    second = i + encodingsCount;
                            int    third  = i + 2 * encodingsCount;
                            double firstAndThirdSimilarity  = ASESimilarityAlgorithm.CalculateSimilarity(testResponseList[first], testResponseList[third]);
                            double firstAndSecondSimilarity = ASESimilarityAlgorithm.CalculateSimilarity(testResponseList[first], testResponseList[second]);
                            found = firstAndThirdSimilarity - firstAndSecondSimilarity > 0.2; //first and third are more similar than first and second
                            if (found)
                            {
                                var newMutatedRequestList = new List <string>();
                                var newTestResponseList   = new List <string>();

                                newMutatedRequestList.Add(mutatedRequestList[first]);
                                newMutatedRequestList.Add(mutatedRequestList[second]);
                                newMutatedRequestList.Add(mutatedRequestList[third]);
                                newTestResponseList.Add(testResponseList[first]);
                                newTestResponseList.Add(testResponseList[second]);
                                newTestResponseList.Add(testResponseList[third]);

                                mutatedRequestList = newMutatedRequestList;
                                testResponseList   = newTestResponseList;
                            }
                        }
                    }
                    else
                    {
                        _testController.Log("INCORRECT NUMBER OF PAYLOADS FOR TAUTOLOGY VERIFICATION (MUST BE DIVISIBLE WITH 3)");
                    }
                }


                if (found)
                {
                    for (int i = 0; i < mutatedRequestList.Count; i++)
                    {
                        _testController.Log("MULTI-VALIDATION rule match on entity '{0}', test '{1}'", parameterName, testDef.Name);
                    }
                    _testController.HandleIssueFound(rawRequest, rawResponse, requestUri, testDef.Type, parameterName, mutatedRequestList, testResponseList, validation, "");
                }
            }

            return(found);
        }