From 8129d2cb7e1632cf14a7c9be6ca912c3ce9c35f4 Mon Sep 17 00:00:00 2001
From: Ken Dyck
Date: Fri, 29 Oct 2021 14:00:35 -0400
Subject: [PATCH 1/2] Add new test.
---
 .../testcode/BenchmarkTest02741.java | 76 +++++++++++++++++++
 1 file changed, 76 insertions(+)
 create mode 100644 src/main/java/org/owasp/benchmark/testcode/BenchmarkTest02741.java
diff --git a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest02741.java b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest02741.java
new file mode 100644
index 0000000000..7647a1cd77
--- /dev/null
+++ b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest02741.java
@@ -0,0 +1,76 @@
+/**
+ * OWASP Benchmark Project v1.2
+ *
+ *

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project. For
+ * details, please see https://owasp.org/www-project-benchmark/.
+ *
+ *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms
+ * of the GNU General Public License as published by the Free Software Foundation, version 2.
+ *
+ *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+ * PURPOSE. See the GNU General Public License for more details.
+ *
+ * @author Ken Dyck
+ * @created 2021
+ */
+package org.owasp.benchmark.testcode;
+
+import java.io.IOException;
+import javax.servlet.ServletException;
+import javax.servlet.annotation.WebServlet;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+@WebServlet(value = "/sqli-06/BenchmarkTest02741")
+public class BenchmarkTest02741 extends HttpServlet {
+
+ private static final long serialVersionUID = 1L;
+
+ @Override
+ public void doGet(HttpServletRequest request, HttpServletResponse response)
+ throws ServletException, IOException {
+ doPost(request, response);
+ }
+
+ @Override
+ public void doPost(HttpServletRequest request, HttpServletResponse response)
+ throws ServletException, IOException {
+ response.setContentType("text/html;charset=UTF-8");
+
+ org.owasp.benchmark.helpers.SeparateClassRequest scr =
+ new org.owasp.benchmark.helpers.SeparateClassRequest(request);
+ String param = scr.getTheValue("BenchmarkTest02741");
+
+ String bar = doSomething(request, param);
+
+ String sql = "INSERT INTO users (username, password) VALUES ('foo','" + bar + "')";
+
+ try {
+ java.sql.Statement statement =
+ org.owasp.benchmark.helpers.DatabaseHelper.getSqlStatement();
+ int count = statement.executeUpdate(sql);
+ org.owasp.benchmark.helpers.DatabaseHelper.outputUpdateComplete(sql, response);
+ } catch (java.sql.SQLException e) {
+ if (org.owasp.benchmark.helpers.DatabaseHelper.hideSQLErrors) {
+ response.getWriter().println("Error processing request.");
+ return;
+ } else throw new ServletException(e);
+ }
+ } // end doPost
+
+ private static String doSomething(HttpServletRequest request, String param)
+ throws ServletException, 
IOException {
+
+ String bar;
+
+ // Simple if statement that assigns param to bar on true condition
+ int num = 196;
+ if ((500 / 42) + num > 200) bar = param;
+ else bar = "This should never happen";
+
+ return bar;
+ }
+}
From 15f73b43d9f4bf57c428b430a623c7e99d8c52ad Mon Sep 17 00:00:00 2001
From: Ken Dyck
Date: Mon, 6 Dec 2021 13:14:55 -0500
Subject: [PATCH 2/2] Add test XML file for 2741
---
 .../org/owasp/benchmark/testcode/BenchmarkTest02741.xml | 7 +++++++
 1 file changed, 7 insertions(+)
 create mode 100644 src/main/java/org/owasp/benchmark/testcode/BenchmarkTest02741.xml
diff --git a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest02741.xml b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest02741.xml
new file mode 100644
index 0000000000..760e65f6e0
--- /dev/null
+++ b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest02741.xml
@@ -0,0 +1,7 @@
+
+ 1.2
+ sqli
+ 02741
+ false
+ 89
+
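Review bot: In doPost, the result of `statement.executeUpdate(sql)` is stored in `count` and never read, and the `java.sql.Statement` obtained from `DatabaseHelper.getSqlStatement()` is closed on neither the success path nor the SQLException path. Unless DatabaseHelper owns the statement's lifetime (not visible here), `try (java.sql.Statement statement = org.owasp.benchmark.helpers.DatabaseHelper.getSqlStatement()) {` with a bare `statement.executeUpdate(sql);` would address both. The `else` before `throw new ServletException(e)` is redundant as well, since the `if` branch returns. The companion XML in PATCH 2/2 marks this case as not vulnerable, which presumably relies on `SeparateClassRequest.getTheValue` not returning request-derived data; a one-line comment at that call site saying so would spare readers of the servlet from having to look that up. If these test cases are generated from a template, the change belongs in the template rather than in this file.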