/**
* OWASP Benchmark Project v1.2
*
* <p>This file is part of the Open Web Application Security Project (OWASP) Benchmark Project. For
* details, please see <a
* href="https://owasp.org/www-project-benchmark/">https://owasp.org/www-project-benchmark/</a>.
*
* <p>The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms
* of the GNU General Public License as published by the Free Software Foundation, version 2.
*
* <p>The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY
* WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
* PURPOSE. See the GNU General Public License for more details.
*
* @author Dave Wichers
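 * @created 2015
 */
package org.owasp.benchmark.testcode;

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Benchmark test case for the "crypto-01" category.
 *
 * <p>GET drops a cookie named {@code BenchmarkTest00943} and serves the static test page. POST reads
 * that cookie back, routes it through {@link Test#doSomething}, encrypts it with the cipher returned
 * by {@code org.owasp.benchmark.helpers.Utils.getCipher()} and appends the Base64-encoded ciphertext
 * to {@code passwordFile.txt} under {@code Utils.TESTFILES_DIR}.
 *
 * <p>NOTE(review): the cipher algorithm, mode and key are chosen inside {@code Utils.getCipher()},
 * outside this file. The "crypto-01" category name suggests that choice is the property this test
 * case exercises; confirm against the helper before treating the {@code doFinal} call as safe.
 */
@WebServlet(value = "/crypto-01/BenchmarkTest00943")
public class BenchmarkTest00943 extends HttpServlet {

    private static final long serialVersionUID = 1L;

    /** Name of the cookie written by GET and read back by POST. */
    private static final String COOKIE_NAME = "BenchmarkTest00943";

    /** Value used by POST when the request carries no {@value #COOKIE_NAME} cookie. */
    private static final String NO_COOKIE_VALUE = "noCookieValueSupplied";

    /**
     * Sets the test cookie and includes the static test page.
     *
     * <p>The cookie is scoped to this request's URI and host and expires after three minutes. It is
     * written without the {@code Secure} or {@code HttpOnly} attributes, so it travels over plain
     * HTTP and is readable from script; acceptable for a benchmark fixture, not for a real secret.
     *
     * @throws IOException if the request URL cannot be parsed or the include fails
     * @throws ServletException if the included page fails
     */
    @Override
    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        response.setContentType("text/html;charset=UTF-8");

        javax.servlet.http.Cookie userCookie =
                new javax.servlet.http.Cookie(COOKIE_NAME, "someSecret");
        userCookie.setMaxAge(60 * 3); // Store cookie for 3 minutes
        userCookie.setPath(request.getRequestURI());
        userCookie.setDomain(new java.net.URL(request.getRequestURL().toString()).getHost());
        response.addCookie(userCookie);

        javax.servlet.RequestDispatcher rd =
                request.getRequestDispatcher("/crypto-01/BenchmarkTest00943.html");
        rd.include(request, response);
    }

    /**
     * Reads the test cookie, encrypts its value and appends the ciphertext to the password file.
     *
     * <p>The cookie value is untrusted client input. It is reflected into the response only after
     * {@code ESAPI.encoder().encodeForHTML(...)}, and it reaches the file only as Base64 ciphertext.
     *
     * @throws ServletException wrapping {@code IllegalBlockSizeException} / {@code BadPaddingException}
     *     from the cipher
     * @throws IOException on cookie decoding or file/response I/O failure
     */
    @Override
    public void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        response.setContentType("text/html;charset=UTF-8");

        String param = readTestCookie(request);
        String bar = new Test().doSomething(request, param);

        // Code based on example from:
        // http://examples.javacodegeeks.com/core-java/crypto/encrypt-decrypt-file-stream-with-des/
        try {
            javax.crypto.Cipher c = org.owasp.benchmark.helpers.Utils.getCipher();

            // encrypt and store the results. 'bar' is a String here, so the generator's
            // InputStream branch was unreachable and has been dropped; the '?' fallback is kept
            // for the (currently impossible) null case. Charset is explicit rather than the
            // platform default so the stored bytes do not vary by host configuration.
            byte[] input = bar == null
                    ? new byte[] {(byte) '?'}
                    : bar.getBytes(java.nio.charset.StandardCharsets.UTF_8);
            byte[] result = c.doFinal(input);

            java.io.File fileTarget = new java.io.File(
                    new java.io.File(org.owasp.benchmark.helpers.Utils.TESTFILES_DIR),
                    "passwordFile.txt");
            // try-with-resources closes the writer even when write() throws; the original only
            // closed it on the success path. The 'true' opens the file in append mode.
            try (java.io.FileWriter fw = new java.io.FileWriter(fileTarget, true)) {
                fw.write("secret_value="
                        + org.owasp.esapi.ESAPI.encoder().encodeForBase64(result, true) + "\n");
            }

            response.getWriter().println("Sensitive value: '"
                    + org.owasp.esapi.ESAPI.encoder().encodeForHTML(
                            new String(input, java.nio.charset.StandardCharsets.UTF_8))
                    + "' encrypted and stored<br/>");
        } catch (javax.crypto.IllegalBlockSizeException | javax.crypto.BadPaddingException e) {
            // Both exception types were handled identically; merged into one multi-catch.
            response.getWriter().println("Problem executing crypto - javax.crypto.Cipher.getInstance(java.lang.String,java.security.Provider) Test Case");
            // NOTE(review): the stack trace is written into the HTTP response. That is tolerable
            // for a benchmark fixture but discloses internals to the client in a real service.
            e.printStackTrace(response.getWriter());
            throw new ServletException(e);
        }
        response.getWriter().println("Crypto Test javax.crypto.Cipher.getInstance(java.lang.String,java.lang.String) executed");
    } // end doPost

    /**
     * Returns the URL-decoded value of the {@value #COOKIE_NAME} cookie, or
     * {@value #NO_COOKIE_VALUE} when the request carries no cookies or none with that name.
     *
     * @throws IOException if the UTF-8 decoder is unavailable (UnsupportedEncodingException)
     */
    private static String readTestCookie(HttpServletRequest request) throws IOException {
        javax.servlet.http.Cookie[] theCookies = request.getCookies();
        if (theCookies != null) {
            for (javax.servlet.http.Cookie theCookie : theCookies) {
                if (COOKIE_NAME.equals(theCookie.getName())) {
                    return java.net.URLDecoder.decode(theCookie.getValue(), "UTF-8");
                }
            }
        }
        return NO_COOKIE_VALUE;
    }

    /**
     * Dataflow helper that passes the tainted value through a List before it reaches the sink.
     * Kept as a non-static inner class on purpose: the trailing comment names this test's pattern
     * "DataflowThruInnerClass", and the inner-class hop is the thing being exercised.
     */
    private class Test {

        /**
         * Returns {@code param} unchanged after routing it through an ArrayList (add "safe", add
         * param, add "moresafe", remove index 0, read index 0), or {@code ""} when param is null.
         * The request argument is not used; it is kept to match the generated signature.
         */
        public String doSomething(HttpServletRequest request, String param)
                throws ServletException, IOException {
            String bar = "";
            if (param != null) {
                java.util.List<String> valuesList = new java.util.ArrayList<String>();
                valuesList.add("safe");
                valuesList.add(param);
                valuesList.add("moresafe");
                valuesList.remove(0); // remove the 1st safe value
                bar = valuesList.get(0); // get the param value
            }
            return bar;
        }
    } // end innerclass Test
} // end DataflowThruInnerClass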
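/**
 * Fragment: a second top-level class that is not part of the benchmark test case above.
 *
 * <p>It references {@code response}, {@code request} and {@code userCookie}, none of which are
 * declared here, so it cannot compile on its own; it reads like a rule-documentation
 * "noncompliant" example pasted onto this page. The only code change made is the semicolon that
 * was missing after {@code rd.include(...)}.
 */
class NotCompliant {

    /**
     * Adds a cookie named {@code field} with value {@code value} that expires after three minutes,
     * then includes a static page.
     *
     * <p>The cookie is created without {@code setSecure(true)} or {@code setHttpOnly(true)}, so it
     * is sent over plain HTTP and is readable from script. That is presumably the non-compliance
     * the class name refers to; confirm against the originating rule before relying on it.
     */
    public void setCookie(String field, String value) {
        javax.servlet.http.Cookie cookie = new javax.servlet.http.Cookie(field, value);
        cookie.setMaxAge(60 * 3); // Store cookie for 3 minutes
        response.addCookie(cookie); // 'response' is not declared in this fragment
        response.addCookie(userCookie); // 'userCookie' is not declared in this fragment
        javax.servlet.RequestDispatcher rd =
                request.getRequestDispatcher("/weakrand-00/BenchmarkTest00078.html"); // 'request' undeclared
        rd.include(request, response);
    }
}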