Script for installing and analysing WebGoat

Includes some fixes to the readme for WebGoat. The script must be run
with the SECURITY_SCANNER_HOME environment variable set to the path of
the cmake directory that should be used, e.g. the path to
cmake-build-relDebugWithInfo .

Author: Owen Jones

benchmarks/GENUINE/README.txt

@@ -34,14 +34,10 @@ Install guide for Ubuntu:
 
   1. git clone [email protected]:WebGoat/WebGoat.git
   2. cd WebGoat
-  3. git checkout develop
-  4. Add handling of exception 'SQLException' to the method 'completed' in file:
-        /webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson12a.java
-     So, the updated should be line 34 and it should look like this:
-        public AttackResult completed(@RequestParam String ip) throws SQLException {
-  5. mvn clean install -DskipTests
-  6. Create the following files representing the entry point to WebGoat:
-        ./WebGoat/__MAIN__/src/main/java/Main.java:
+  3. git checkout a922c00
+  4. mvn clean install -DskipTests
+  5. Create the following files representing the entry point to WebGoat:
+        ./__MAIN__/src/main/java/Main.java:
                 /*
                 Lessons considered in this file:
                     [Sql Injection] Assignment6, registerNewUser
@@ -281,7 +277,7 @@ Install guide for Ubuntu:
 
         Uncomment one of the blocks (depending on what lesson you want to analyse).
 
-        ./WebGoat/__MAIN__/pom.xml:
+        ./__MAIN__/pom.xml:
                 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                          xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
                     <modelVersion>4.0.0</modelVersion>
@@ -348,7 +344,7 @@ Install guide for Ubuntu:
                     </dependencies>
                 </project>
 
-        ./WebGoat/__MAIN__/build.py:
+        ./__MAIN__/build.py:
                 import os
                 import shutil
 
@@ -359,12 +355,13 @@ Install guide for Ubuntu:
                     shutil.rmtree("./target/classes/org")
                 if os.path.isfile("./target/__MAIN__-8.0.0.M3.jar"):
                     os.remove("./target/__MAIN__-8.0.0.M3.jar")
-        
-  6. cd __MAIN__
-  7. python3 ./build.py
-  8. cd ..
+
+  6. copy ../../LIBRARIES/models/model/src/main/java/org to ./__MAIN__/src/main/java/
+  7. cd __MAIN__
+  8. python3 ./build.py
   9. cd ..
- 10. rm -rf ./webgoat-container
+ 10. cd ..
+ 11. rm -rf ./webgoat-container
 
 The WebGoat does not seem to have a deployment step. Fortunately, the whole
 app is relatively small, so we can load everything for each lesson. It means

benchmarks/GENUINE/WebGoat.sh

@@ -0,0 +1,80 @@
+#!/usr/bin/env bash
+
+if [ -z "$SECURITY_SCANNER_HOME" ]; then
+    echo "Need to set SECURITY_SCANNER_HOME to cmake directory"
+    exit 1
+fi
+
+set -u
+set -x
+
+# 1. git clone [email protected]:WebGoat/WebGoat.git
+git clone [email protected]:WebGoat/WebGoat.git
+
+#  2. cd WebGoat
+cd WebGoat
+
+#  3. git checkout develop
+git checkout a922c00
+
+#  4. mvn clean install -DskipTests
+mvn clean install -DskipTests
+
+#  5. Create the following files representing the entry point to WebGoat:
+mkdir -p __MAIN__/src/main/java
+cp ../WebGoat_sh_files/Main.java __MAIN__/src/main/java/Main.java
+cp ../WebGoat_sh_files/pom.xml __MAIN__/pom.xml
+
+#  6. copy ../../LIBRARIES/models/model/src/main/java/org to ./__MAIN__/src/main/java/
+cp -r ../../LIBRARIES/models/model/src/main/java/org __MAIN__/src/main/java/
+
+#  7. cd __MAIN__
+cd __MAIN__
+
+#  8. python3 ./build.py
+if [ -d "./target" ]; then
+    rm -rf ./target
+fi
+mvn clean package
+if [ -d "./target/classes/org" ]; then
+    rm -rf ./target/classes/org
+fi
+if [ -e "./target/__MAIN__-8.0.0.M3.jar" ]; then
+    rm ./target/__MAIN__-8.0.0.M3.jar
+fi
+
+#  9. cd ..
+# 10. cd ..
+# 11. rm -rf ./webgoat-container
+rm -rf ../../webgoat-container
+
+# Build and install security-analyser
+cd ../../../../
+
+(cd $SECURITY_SCANNER_HOME && make install)
+
+# Run security-analyser on each lesson separately
+cd dist
+
+# [Sql Injection]
+python3 ../driver/run.py -C ../benchmarks/GENUINE/WebGoatRules.json -I ../benchmarks/GENUINE/WebGoat -L ../benchmarks/GENUINE/WebGoat -R GENUINE/WebGoat/SqlInjectionLesson5a/RESULTS -T GENUINE/WebGoat/TEMP --name WebGoat --verbosity 9 --use-models-library --do-not-use-precise-access-paths --rebuild --timeout 10000000 --entry-point Main.SqlInjectionLesson5a
+python3 ../driver/run.py -C ../benchmarks/GENUINE/WebGoatRules.json -I ../benchmarks/GENUINE/WebGoat -L ../benchmarks/GENUINE/WebGoat -R GENUINE/WebGoat/SqlInjectionLesson5b/RESULTS -T GENUINE/WebGoat/TEMP --name WebGoat --verbosity 9 --use-models-library --do-not-use-precise-access-paths --rebuild --timeout 10000000 --entry-point Main.SqlInjectionLesson5b
+python3 ../driver/run.py -C ../benchmarks/GENUINE/WebGoatRules.json -I ../benchmarks/GENUINE/WebGoat -L ../benchmarks/GENUINE/WebGoat -R GENUINE/WebGoat/SqlInjectionLesson6a/RESULTS -T GENUINE/WebGoat/TEMP --name WebGoat --verbosity 9 --use-models-library --do-not-use-precise-access-paths --rebuild --timeout 10000000 --entry-point Main.SqlInjectionLesson6a
+python3 ../driver/run.py -C ../benchmarks/GENUINE/WebGoatRules.json -I ../benchmarks/GENUINE/WebGoat -L ../benchmarks/GENUINE/WebGoat -R GENUINE/WebGoat/SqlInjectionLesson12a/RESULTS -T GENUINE/WebGoat/TEMP --name WebGoat --verbosity 9 --use-models-library --do-not-use-precise-access-paths --rebuild --timeout 10000000 --entry-point Main.SqlInjectionLesson12a
+python3 ../driver/run.py -C ../benchmarks/GENUINE/WebGoatRules.json -I ../benchmarks/GENUINE/WebGoat -L ../benchmarks/GENUINE/WebGoat -R GENUINE/WebGoat/SqlInjectionChallenge/RESULTS -T GENUINE/WebGoat/TEMP --name WebGoat --verbosity 9 --use-models-library --do-not-use-precise-access-paths --rebuild --timeout 10000000 --entry-point Main.SqlInjectionChallenge
+python3 ../driver/run.py -C ../benchmarks/GENUINE/WebGoatRules.json -I ../benchmarks/GENUINE/WebGoat -L ../benchmarks/GENUINE/WebGoat -R GENUINE/WebGoat/Assignment5/RESULTS -T GENUINE/WebGoat/TEMP --name WebGoat --verbosity 9 --use-models-library --do-not-use-precise-access-paths --rebuild --timeout 10000000 --entry-point Main.Assignment5
+python3 ../driver/run.py -C ../benchmarks/GENUINE/WebGoatRules.json -I ../benchmarks/GENUINE/WebGoat -L ../benchmarks/GENUINE/WebGoat -R GENUINE/WebGoat/Assignment6/RESULTS -T GENUINE/WebGoat/TEMP --name WebGoat --verbosity 9 --use-models-library --do-not-use-precise-access-paths --rebuild --timeout 10000000 --entry-point Main.Assignment6
+
+# [XSS]
+# python3 ../driver/run.py -C ../benchmarks/GENUINE/WebGoatRules.json -I ../benchmarks/GENUINE/WebGoat -L ../benchmarks/GENUINE/WebGoat -R GENUINE/WebGoat/CrossSiteScriptingLesson5a/RESULTS -T GENUINE/WebGoat/TEMP --name WebGoat --verbosity 9 --use-models-library --do-not-use-precise-access-paths --rebuild --timeout 10000000 --entry-point Main.CrossSiteScriptingLesson5a
+
+# [XXE]
+# python3 ../driver/run.py -C ../benchmarks/GENUINE/WebGoatRules.json -I ../benchmarks/GENUINE/WebGoat -L ../benchmarks/GENUINE/WebGoat -R GENUINE/WebGoat/Assignment3/RESULTS -T GENUINE/WebGoat/TEMP --name WebGoat --verbosity 9 --use-models-library --do-not-use-precise-access-paths --rebuild --timeout 10000000 --entry-point Main.Assignment3
+python3 ../driver/run.py -C ../benchmarks/GENUINE/WebGoatRules.json -I ../benchmarks/GENUINE/WebGoat -L ../benchmarks/GENUINE/WebGoat -R GENUINE/WebGoat/SimpleXXE/RESULTS -T GENUINE/WebGoat/TEMP --name WebGoat --verbosity 9 --use-models-library --do-not-use-precise-access-paths --rebuild --timeout 10000000 --entry-point Main.SimpleXXE
+# python3 ../driver/run.py -C ../benchmarks/GENUINE/WebGoatRules.json -I ../benchmarks/GENUINE/WebGoat -L ../benchmarks/GENUINE/WebGoat -R GENUINE/WebGoat/ContentTypeAssignment/RESULTS -T GENUINE/WebGoat/TEMP --name WebGoat --verbosity 9 --use-models-library --do-not-use-precise-access-paths --rebuild --timeout 10000000 --entry-point Main.ContentTypeAssignment
+python3 ../driver/run.py -C ../benchmarks/GENUINE/WebGoatRules.json -I ../benchmarks/GENUINE/WebGoat -L ../benchmarks/GENUINE/WebGoat -R GENUINE/WebGoat/BlindSendFileAssignment/RESULTS -T GENUINE/WebGoat/TEMP --name WebGoat --verbosity 9 --use-models-library --do-not-use-precise-access-paths --rebuild --timeout 10000000 --entry-point Main.BlindSendFileAssignment
+
+# [Remaining]
+
+# python3 ../driver/run.py -C ../benchmarks/GENUINE/WebGoatRules.json -I ../benchmarks/GENUINE/WebGoat -L ../benchmarks/GENUINE/WebGoat -R GENUINE/WebGoat/VulnerableComponentsLesson/RESULTS -T GENUINE/WebGoat/TEMP --name WebGoat --verbosity 9 --use-models-library --do-not-use-precise-access-paths --rebuild --timeout 10000000 --entry-point Main.VulnerableComponentsLesson
+# python3 ../driver/run.py -C ../benchmarks/GENUINE/WebGoatRules.json -I ../benchmarks/GENUINE/WebGoat -L ../benchmarks/GENUINE/WebGoat -R GENUINE/WebGoat/MissingFunctionACUsers/RESULTS -T GENUINE/WebGoat/TEMP --name WebGoat --verbosity 9 --use-models-library --do-not-use-precise-access-paths --rebuild --timeout 10000000 --entry-point Main.MissingFunctionACUsers

benchmarks/GENUINE/WebGoat_sh_files/Main.java

@@ -0,0 +1,234 @@
+/*
+Lessons considered in this file:
+    [Sql Injection] Assignment6, registerNewUser
+    [Sql Injection] Assignment5, login
+    [Sql Injection] SqlInjectionLesson12a, completed
+    [Sql Injection] SqlInjectionLesson5a, completed
+    [Sql Injection] SqlInjectionLesson5b, completed
+    [Sql Injection] SqlInjectionLesson6a, completed
+    [Sql Injection] SqlInjectionChallenge, registerNewUser
+
+    [XXE] Assignment3, createNewComment
+    [XXE] SimpleXXE, createNewComment
+    [XXE] ContentTypeAssignment, createNewUser
+    [XXE] BlindSendFileAssignment, addComment
+
+    [XSS] CrossSiteScriptingLesson5a, completed
+
+    [Insecure Deserialization] VulnerableComponentsLesson, completed
+
+    [Sensitive Data Exposure] MissingFunctionACUsers, usersService
+
+    [Email Redirection] Assignment7, sendPasswordResetLink
+    [Email Redirection] Assignment9, sendPasswordResetLink
+*/
+
+import javax.servlet.http.HttpServletRequest;
+import org.owasp.webgoat.plugin.introduction.SqlInjectionLesson5a;
+import org.owasp.webgoat.plugin.introduction.SqlInjectionLesson5b;
+import org.owasp.webgoat.plugin.introduction.SqlInjectionLesson6a;
+import org.owasp.webgoat.plugin.mitigation.SqlInjectionLesson12a;
+import org.owasp.webgoat.plugin.advanced.SqlInjectionChallenge;
+import org.owasp.webgoat.plugin.challenge5.challenge6.Assignment5;
+import org.owasp.webgoat.plugin.challenge6.Assignment6;
+import org.owasp.webgoat.plugin.CrossSiteScriptingLesson5a;
+import org.owasp.webgoat.plugin.challenge3.Assignment3;
+import org.owasp.webgoat.plugin.SimpleXXE;
+import org.owasp.webgoat.plugin.ContentTypeAssignment;
+import org.owasp.webgoat.plugin.BlindSendFileAssignment;
+import org.owasp.webgoat.plugin.VulnerableComponentsLesson;
+import org.owasp.webgoat.plugin.MissingFunctionACUsers;
+import org.cprover.CProver;
+
+public class Main {
+
+    static String makeTainted(String accountName) {
+        return accountName;
+    }
+
+    public static void main(String[] args) {
+        // [Sql Injection]
+
+        SqlInjectionLesson5a(args);
+        SqlInjectionLesson5b(args);
+        SqlInjectionLesson6a(args);
+        SqlInjectionLesson12a(args);
+        SqlInjectionChallenge(args);
+        Assignment5(args);
+        Assignment6(args);
+
+        // [XSS]
+
+        // CrossSiteScriptingLesson5a(args);
+
+        // [XXE]
+
+        // Assignment3(args);
+        SimpleXXE(args);
+        // ContentTypeAssignment(args);
+        BlindSendFileAssignment(args);
+
+        // [Remaining]
+
+        // VulnerableComponentsLesson(args);
+        // MissingFunctionACUsers(args);
+    }
+
+    public static void SqlInjectionLesson5a(String[] args) {
+        // WebGoat/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson5a.java
+        String test = makeTainted("dave");
+        SqlInjectionLesson5a obj = CProver.nondetWithNull();
+        obj.completed(test);
+    }
+
+    public static void SqlInjectionLesson5b(String[] args) {
+        // WebGoat/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson5b.java
+        String test = makeTainted("dave");
+        SqlInjectionLesson5b obj = CProver.nondetWithNull();
+        try {
+            obj.completed(test, null);
+        }
+        catch(java.io.IOException e) {
+        }
+    }
+
+    public static void SqlInjectionLesson6a(String[] args) {
+        // WebGoat/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson6a.java
+        String test = makeTainted(args[0]);
+        SqlInjectionLesson6a obj = CProver.nondetWithNull();
+        try {
+            obj.completed(test);
+        }
+        catch(java.io.IOException e) {
+        }
+    }
+
+    public static void SqlInjectionLesson12a(String[] args) {
+        // WebGoat/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson12a.java
+        String arg0 = makeTainted(args[0]);
+        SqlInjectionLesson12a obj = CProver.nondetWithNull();
+        try {
+            obj.completed(arg0);
+        }
+        catch(Exception e) {
+        }
+    }
+
+    public static void SqlInjectionChallenge(String[] args) {
+        // WebGoat/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/advanced/SqlInjectionChallenge.java
+        String arg0 = makeTainted(args[0]);
+        String arg1 = makeTainted(args[1]);
+        String arg2 = makeTainted(args[2]);
+        SqlInjectionChallenge obj = CProver.nondetWithNull();
+        try {
+            obj.registerNewUser(arg0, arg1, arg2);
+        }
+        catch(Exception e) {
+        }
+    }
+
+    public static void Assignment5(String[] args) {
+        // WebGoat/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge5/challenge6/Assignment5.java
+        String arg0 = makeTainted(args[0]);
+        String arg1 = makeTainted(args[1]);
+        Assignment5 obj = CProver.nondetWithNull();
+        try {
+            obj.login(arg0, arg1);
+        }
+        catch(Exception e) {
+        }
+    }
+
+    public static void Assignment6(String[] args) {
+        // WebGoat/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge6/Assignment6.java
+        String arg0 = makeTainted(args[0]);
+        String arg1 = makeTainted(args[1]);
+        String arg2 = makeTainted(args[2]);
+        Assignment6 obj = CProver.nondetWithNull();
+        try {
+            obj.registerNewUser(arg0, arg1, arg2);
+        }
+        catch(Exception e) {
+        }
+    }
+
+    public static void CrossSiteScriptingLesson5a(String[] args) {
+        // WebGoat/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson5a.java
+        String arg0 = makeTainted(args[0]);
+        CrossSiteScriptingLesson5a obj = CProver.nondetWithNull();
+        try {
+            obj.completed(1, 2, 3, 4, arg0, 5, null);
+        }
+        catch(Exception e) {
+        }
+    }
+
+    public static void Assignment3(String[] args) {
+        // WebGoat/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge3/Assignment3.java
+        String arg0 = makeTainted(args[0]);
+        String arg1 = makeTainted(args[1]);
+        Assignment3 obj = CProver.nondetWithNull();
+        try {
+            obj.createNewComment(arg0, arg1);
+        }
+        catch(Exception e) {
+        }
+    }
+
+    public static void SimpleXXE(String[] args) {
+        // WebGoat/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/SimpleXXE.java
+        String arg0 = makeTainted(args[0]);
+        SimpleXXE obj = CProver.nondetWithNull();
+        try {
+            obj.createNewComment(arg0);
+        }
+        catch(Exception e) {
+        }
+    }
+
+    public static void ContentTypeAssignment(String[] args) {
+        // WebGoat/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/ContentTypeAssignment.java
+        String arg0 = makeTainted(args[0]);
+        String arg1 = args[1];
+        ContentTypeAssignment obj = CProver.nondetWithNull();
+        try {
+            obj.createNewUser(arg0, arg1);
+        }
+        catch(Exception e) {
+        }
+    }
+
+    public static void BlindSendFileAssignment(String[] args) {
+        // WebGoat/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/BlindSendFileAssignment.java
+        String arg0 = makeTainted(args[0]);
+        BlindSendFileAssignment obj = CProver.nondetWithNull();
+        try {
+            obj.addComment(arg0);
+        }
+        catch(Exception e) {
+        }
+    }
+
+    public static void VulnerableComponentsLesson(String[] args) {
+        // WebGoat/webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/plugin/VulnerableComponentsLesson.java
+        String arg0 = makeTainted(args[0]);
+        VulnerableComponentsLesson obj = CProver.nondetWithNull();
+        try {
+            obj.completed(arg0);
+        }
+        catch(Exception e) {
+        }
+    }
+
+    public static void MissingFunctionACUsers(String[] args) {
+        // WebGoat/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/plugin/MissingFunctionACUsers.java
+        HttpServletRequest arg0 = CProver.nondetWithNull();
+        MissingFunctionACUsers obj = CProver.nondetWithNull();
+        try {
+            obj.usersService(arg0);
+        }
+        catch(Exception e) {
+        }
+    }
+
+}

benchmarks/GENUINE/WebGoat_sh_files/build.py

@@ -0,0 +1,10 @@
+import os
+import shutil
+
+if os.path.isdir("./target"):
+    shutil.rmtree("./target")
+os.system("mvn clean package")
+if os.path.isdir("./target/classes/org"):
+    shutil.rmtree("./target/classes/org")
+if os.path.isfile("./target/__MAIN__-8.0.0.M3.jar"):
+    os.remove("./target/__MAIN__-8.0.0.M3.jar")