-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy pathBenchmark00684.java
More file actions
150 lines (137 loc) · 6.93 KB
/
Benchmark00684.java
File metadata and controls
150 lines (137 loc) · 6.93 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
/**
* OWASP Benchmark Project v1.2
*
* <p>This file is part of the Open Web Application Security Project (OWASP) Benchmark Project. For
* details, please see <a
* href="https://owasp.org/www-project-benchmark/">https://owasp.org/www-project-benchmark/</a>.
*
* <p>The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms
* of the GNU General Public License as published by the Free Software Foundation, version 2.
*
* <p>The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY
* WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
* PURPOSE. See the GNU General Public License for more details.
*
* @author Nick Sanidas
* @created 2015
*/
package org.owasp.benchmark.testcode;
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
@WebServlet(value = "/crypto-00/Benchmark00684")
public class Benchmark00684 extends HttpServlet {
private static final long serialVersionUID = 1L;
@Override
public void doGet(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
doPost(request, response);
}
@Override
public void doPost(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
response.setContentType("text/html;charset=UTF-8");
String[] values = request.getParameterValues("Benchmark00684");
String param;
if (values != null && values.length > 0) param = values[0];
else param = "";
String bar = org.owasp.esapi.ESAPI.encoder().encodeForHTML(param);
// Code based on example from:
// http://examples.javacodegeeks.com/core-java/crypto/encrypt-decrypt-file-stream-with-des/
// 8-byte initialization vector
// byte[] iv = {
// (byte)0xB2, (byte)0x12, (byte)0xD5, (byte)0xB2,
// (byte)0x44, (byte)0x21, (byte)0xC3, (byte)0xC3033
// };
java.security.SecureRandom random = new java.security.SecureRandom();
byte[] iv = random.generateSeed(16); // AES uses a 16-byte (128-bit) block size
try {
javax.crypto.Cipher c =
javax.crypto.Cipher.getInstance(
"AES/CBC/PKCS5PADDING", java.security.Security.getProvider("SunJCE"));
// Prepare the cipher to encrypt
javax.crypto.SecretKey key = javax.crypto.KeyGenerator.getInstance("AES").generateKey();
java.security.spec.AlgorithmParameterSpec paramSpec =
new javax.crypto.spec.IvParameterSpec(iv);
c.init(javax.crypto.Cipher.ENCRYPT_MODE, key, paramSpec);
// encrypt and store the results
byte[] input = {(byte) '?'};
Object inputParam = bar;
if (inputParam instanceof String) input = ((String) inputParam).getBytes();
if (inputParam instanceof java.io.InputStream) {
byte[] strInput = new byte[1000];
int i = ((java.io.InputStream) inputParam).read(strInput);
if (i == -1) {
response.getWriter()
.println(
"This input source requires a POST, not a GET. Incompatible UI for the InputStream source.");
return;
}
input = java.util.Arrays.copyOf(strInput, i);
}
byte[] result = c.doFinal(input);
java.io.File fileTarget =
new java.io.File(
new java.io.File(org.owasp.benchmark.helpers.Utils.TESTFILES_DIR),
"passwordFile.txt");
java.io.FileWriter fw =
new java.io.FileWriter(fileTarget, true); // the true will append the new data
fw.write(
"secret_value="
+ org.owasp.esapi.ESAPI.encoder().encodeForBase64(result, true)
+ "\n");
fw.close();
response.getWriter()
.println(
"Sensitive value: '"
+ org.owasp
.esapi
.ESAPI
.encoder()
.encodeForHTML(new String(input))
+ "' encrypted and stored<br/>");
} catch (java.security.NoSuchAlgorithmException e) {
response.getWriter()
.println(
"Problem executing crypto - javax.crypto.Cipher.getInstance(java.lang.String,java.security.Provider) Case");
e.printStackTrace(response.getWriter());
throw new ServletException(e);
} catch (javax.crypto.NoSuchPaddingException e) {
response.getWriter()
.println(
"Problem executing crypto - javax.crypto.Cipher.getInstance(java.lang.String,java.security.Provider) Case");
e.printStackTrace(response.getWriter());
throw new ServletException(e);
} catch (javax.crypto.IllegalBlockSizeException e) {
response.getWriter()
.println(
"Problem executing crypto - javax.crypto.Cipher.getInstance(java.lang.String,java.security.Provider) Case");
e.printStackTrace(response.getWriter());
throw new ServletException(e);
} catch (javax.crypto.BadPaddingException e) {
response.getWriter()
.println(
"Problem executing crypto - javax.crypto.Cipher.getInstance(java.lang.String,java.security.Provider) Case");
e.printStackTrace(response.getWriter());
throw new ServletException(e);
} catch (java.security.InvalidKeyException e) {
response.getWriter()
.println(
"Problem executing crypto - javax.crypto.Cipher.getInstance(java.lang.String,java.security.Provider) Case");
e.printStackTrace(response.getWriter());
throw new ServletException(e);
} catch (java.security.InvalidAlgorithmParameterException e) {
response.getWriter()
.println(
"Problem executing crypto - javax.crypto.Cipher.getInstance(java.lang.String,java.security.Provider) Case");
e.printStackTrace(response.getWriter());
throw new ServletException(e);
}
response.getWriter()
.println(
"Crypto javax.crypto.Cipher.getInstance(java.lang.String,java.security.Provider) executed");
}
}