Merge pull request diffblue#478 from diffblue/owen-jones-diffblue/webgoat-script-extra-lesson

Add CrossSiteScriptingLesson5a to WebGoat script

Author: owen-jones-diffblue

benchmarks/GENUINE/WebGoat.sh

@@ -5,8 +5,10 @@ if [ -z "$SECURITY_SCANNER_HOME" ]; then
     exit 1
 fi
 
-LESSONS_WHICH_WORK='SqlInjectionLesson5a SqlInjectionLesson5b SqlInjectionLesson6a SqlInjectionLesson12a SqlInjectionChallenge Assignment5 Assignment6 CrossSiteScriptingLesson5a SimpleXXE BlindSendFileAssignment'
-LESSONS_WHICH_DO_NOT_WORK='CrossSiteScriptingLesson5a Assignment3 ContentTypeAssignment VulnerableComponentsLesson MissingFunctionACUsers'
+# Two sets of lessons which work depending on which rules file to use
+LESSONS_WHICH_WORK_SQL='SqlInjectionLesson5a SqlInjectionLesson5b SqlInjectionLesson6a SqlInjectionLesson12a SqlInjectionChallenge Assignment5 Assignment6 SimpleXXE BlindSendFileAssignment'
+LESSONS_WHICH_WORK_XSS='CrossSiteScriptingLesson5a'
+LESSONS_WHICH_DO_NOT_WORK='Assignment3 ContentTypeAssignment VulnerableComponentsLesson MissingFunctionACUsers'
 
 # Stop script if a command does not succeed
 set -e
@@ -50,10 +52,25 @@ fi
 # Run security-analyser on each lesson which works separately
 cd $SECURITY_SCANNER_HOME
 
-for LESSON in $LESSONS_WHICH_WORK
+for LESSON in $LESSONS_WHICH_WORK_SQL
 do
 	python3 $SCRIPT_DIR/../../driver/run.py \
-	-C $SCRIPT_DIR/WebGoatRules.json \
+	-C $SCRIPT_DIR/WebGoatRulesSQL.json \
+	-I $DEPLOY_DIR \
+	-L $DEPLOY_DIR \
+	-R $OUTPUT_DIR/WebGoat/results/$LESSON \
+	-T $OUTPUT_DIR/WebGoat/temp \
+	--name WebGoat \
+	--use-models-library \
+	--timeout 10000000  --verbosity 9 --rebuild \
+	--do-not-use-precise-access-paths \
+	--entry-point Main.$LESSON
+done
+
+for LESSON in $LESSONS_WHICH_WORK_XSS
+do
+	python3 $SCRIPT_DIR/../../driver/run.py \
+	-C $SCRIPT_DIR/WebGoatRulesXSS.json \
 	-I $DEPLOY_DIR \
 	-L $DEPLOY_DIR \
 	-R $OUTPUT_DIR/WebGoat/results/$LESSON \

benchmarks/GENUINE/WebGoatRulesSQL.json

@@ -0,0 +1,198 @@
+{
+  "namespace": "com.diffblue.security",
+  "rules":
+    [
+      {
+        "comment": "Incoming accountName is potentially dangerous.",
+        "class": "Main",
+        "method": "makeTainted:(Ljava/lang/String;)Ljava/lang/String;",
+        "result": {
+          "location": "returns",
+          "taint": "Tainted string"
+        }
+      },
+      {
+        "comment": "Appending a potentially tainted string into the StringBuilder instance. Making the builder tainted.",
+        "class": "java.lang.StringBuilder",
+        "method": "append:(Ljava/lang/String;)Ljava/lang/StringBuilder;",
+        "input": {
+          "location": "arg1",
+          "taint": "Tainted string"
+        },
+        "result": {
+          "location": "this",
+          "taint": "Tainted string builder"
+        }
+      },
+      {
+        "comment": "Conversion of potentially tainted data in the StringBuilder to a potentially tainted string.",
+        "class": "java.lang.StringBuilder",
+        "method": "toString:()Ljava/lang/String;",
+        "input": {
+          "location": "this",
+          "taint": "Tainted string builder"
+        },
+        "result": {
+          "location": "return_value",
+          "taint": "Tainted string"
+        }
+      },
+      {
+        "comment": "Appends StringBuilder-built tainted string into the StringBuffer for returning.",
+        "class": "java.lang.StringBuffer",
+        "method": "append:(Ljava/lang/String;)Ljava/lang/StringBuffer;",
+        "input": {
+          "location": "arg1",
+          "taint": "Tainted string"
+        },
+        "result": {
+          "location": "this",
+          "taint": "Tainted string buffer"
+        }
+      },
+      {
+        "comment": "A string obtained from a tainted StringBuffer is tainted.",
+        "class": "java.lang.StringBuffer",
+        "method": "toString:()Ljava/lang/String;",
+        "input": {
+          "location": "this",
+          "taint": "Tainted string buffer"
+        },
+        "result": {
+          "location": "return_value",
+          "taint": "Tainted string"
+        }
+      },
+      {
+        "comment": "An SQL statement is tainted by a tainted string.",
+        "class": "java.sql.Connection",
+        "method": "prepareStatement:(Ljava/lang/String;)Ljava/sql/PreparedStatement;",
+        "input": {
+          "location": "arg1",
+          "taint": "Tainted string"
+        },
+        "result": {
+          "location": "return_value",
+          "taint": "Tainted SQL statement"
+        }
+      },
+      {
+        "comment": "An SQL statement is tainted by a tainted string.",
+        "class": "java.sql.PreparedStatement",
+        "method": "setString:(ILjava/lang/String;)V",
+        "input": {
+          "location": "arg2",
+          "taint": "Tainted string"
+        },
+        "result": {
+          "location": "this",
+          "taint": "Tainted SQL statement"
+        }
+      },
+      
+      
+      {
+        "comment": "A StringReader instance becomes tainted by initialisation on a tainted string.",
+        "class": "java.io.StringReader",
+        "method": "<init>:(Ljava/lang/String;)V",
+        "input": {
+          "location": "arg1",
+          "taint": "Tainted string"
+        },
+        "result": {
+          "location": "this",
+          "taint": "Tainted string reader"
+        }
+      },
+      {
+        "comment": "A StringReader instance becomes wrapped by HierarchicalStreamReader.",
+        "class": "com.thoughtworks.xstream.io.HierarchicalStreamDriver",
+        "method": "createReader:(Ljava/io/StringReader;)Lcom/thoughtworks/xstream/io/HierarchicalStreamReader;",
+        "input": {
+          "location": "arg1",
+          "taint": "Tainted string reader"
+        },
+        "result": {
+          "location": "return_value",
+          "taint": "Tainted string reader"
+        }
+      },
+      {
+        "comment": "A string reader is 'unmarshaled' into a tainted object.",
+        "class": "com.thoughtworks.xstream.MarshallingStrategy",
+        "method": "unmarshal:(Ljava/lang/Object;Lcom/thoughtworks/xstream/io/HierarchicalStreamReader;Lcom/thoughtworks/xstream/converters/DataHolder;Lcom/thoughtworks/xstream/converters/ConverterLookup;Lcom/thoughtworks/xstream/mapper/Mapper;)Ljava/lang/Object;",
+        "input": {
+          "location": "arg2",
+          "taint": "Tainted string reader"
+        },
+        "result": {
+          "location": "return_value",
+          "taint": "Tainted object"
+        }
+      },
+      {
+        "comment": "A tainted XML string is parsed into a tainted object.",
+        "class": "com.thoughtworks.xstream.XStream",
+        "method": "fromXML:(Ljava/lang/String;)Ljava/lang/Object;",
+        "input": {
+          "location": "arg1",
+          "taint": "Tainted string"
+        },
+        "result": {
+          "location": "return_value",
+          "taint": "Tainted object"
+        }
+      },
+      {
+        "comment": "Calling 'toString' on a tainted object is a tainted string.",
+        "class": "java.lang.Object",
+        "method": "toString:()Ljava/lang/String;",
+        "input": {
+          "location": "this",
+          "taint": "Tainted object"
+        },
+        "result": {
+          "location": "return_value",
+          "taint": "Tainted string"
+        }
+      },
+      {
+        "comment": "Result builder becomes tainted by a tainted string.",
+        "class": "javax.xml.stream.XMLInputFactory",
+        "method": "createXMLStreamReader:(Ljava/io/Reader;)Ljavax/xml/stream/XMLStreamReader;",
+        "sinkTarget": {
+          "location": "arg1",
+          "taint": "Tainted string reader"
+        }
+      },
+      {
+        "comment": "Executing a tainted query is a sink.",
+        "class": "java.sql.PreparedStatement",
+        "method": "executeQuery:()Ljava/sql/ResultSet;",
+        "sinkTarget": {
+          "location": "this",
+          "taint": "Tainted SQL statement"
+        }
+      },
+      {
+        "comment": "Executing a tainted query is a sink.",
+        "class": "java.sql.Statement",
+        "method": "executeQuery:(Ljava/lang/String;)Ljava/sql/ResultSet;",
+        "sinkTarget": {
+          "location": "arg1",
+          "taint": "Tainted string"
+        }
+      },
+ 
+ 
+      {
+        "comment": "ARTIFICIAL sink (for debug purposes; not used directly in Webgoat).",
+        "class": "org.owasp.webgoat.plugin.challenge3.Assignment3",
+        "method": "sink:(Ljava/lang/String;)V",
+        "sinkTarget": {
+          "location": "arg0",
+          "taint": "Tainted string"
+        }
+      }
+    ]
+}

benchmarks/GENUINE/WebGoatRules.json renamed to benchmarks/GENUINE/WebGoatRulesXSS.json

@@ -168,7 +168,7 @@
       {
         "comment": "Result builder becomes tainted by a tainted string.",
         "class": "org.owasp.webgoat.assignments.AttackResult$AttackResultBuilder",
-        "method": "output_XXXXXX:(Ljava/lang/String;)Lorg/owasp/webgoat/assignments/AttackResult$AttackResultBuilder;",
+        "method": "output:(Ljava/lang/String;)Lorg/owasp/webgoat/assignments/AttackResult$AttackResultBuilder;",
         "sinkTarget": {
           "location": "arg1",
           "taint": "Tainted string"
@@ -177,7 +177,7 @@
       {
         "comment": "Result builder becomes tainted by a tainted string.",
         "class": "org.owasp.webgoat.assignments.AttackResult$AttackResultBuilder",
-        "method": "feedbackArgs_XXXXXX:([Ljava/lang/Object;)Lorg/owasp/webgoat/assignments/AttackResult$AttackResultBuilder;",
+        "method": "feedbackArgs:([Ljava/lang/Object;)Lorg/owasp/webgoat/assignments/AttackResult$AttackResultBuilder;",
         "sinkTarget": {
           "location": "arg1",
           "taint": "Tainted array"