Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Unit tests for Http3 xx status code based injection vulnerability#374

Merged
preetkaran20 merged 9 commits into
SasanLabs:masterfrom
ehizman:Http3_xx_status_code_based_injection_vulnerability_fix
Jul 18, 2022
Merged

Unit tests for Http3 xx status code based injection vulnerability#374
preetkaran20 merged 9 commits into
SasanLabs:masterfrom
ehizman:Http3_xx_status_code_based_injection_vulnerability_fix

Conversation

@ehizman

@ehizman ehizman commented Jul 16, 2022

Copy link
Copy Markdown
Contributor

No description provided.

vulnerabilityExposed = {VulnerabilityType.OPEN_REDIRECT_3XX_STATUS_CODE},
description =
"OPEN_REDIRECT_QUERY_PARAM_DIRECTLY_ADD_TO_LOCATION_HEADER_IF_NOT_HTTP_HTTPS_OR_DOMAIN_IS_SAME")
"OPEN_REDIRECT_QUERY_PARAM_DIRECTLY_ADD_TO_LOCATION_HEADER_IF_NOT_HTTP_HTTPS_WWW_OR_DOMAIN_IS_SAME")

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ehis, we need to update in:

  1. https://github.com/SasanLabs/VulnerableApp/blob/master/src/main/resources/i18n/messages.properties
  2. https://github.com/SasanLabs/VulnerableApp/blob/master/src/main/resources/i18n/messages_en_US.properties
    as well. Actually these strings are locale specific strings so if we don't update them then we will not be able to run the project. I would suggest to please build and run the project after the change to see if everything is running as expected.

@preetkaran20 preetkaran20 left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please add the strings to message.properties files as well.

verify(http3xxStatusCodeBasedInjection, times(1))
.getVulnerablePayloadLevel6(requestEntity, "somedomain.com");
} catch (URISyntaxException | MalformedURLException exception) {
exception.printStackTrace();

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it is better to throw error.

assertThat(responseEntity.getStatusCode()).isEqualTo(HttpStatus.OK);
assertThat(responseEntity.getHeaders().get(LOCATION_HEADER_KEY)).isEqualTo(null);
verify(http3xxStatusCodeBasedInjection, times(1))
.getVulnerablePayloadLevel5(requestEntity, (char) 0 + "//www.somedomain.com");

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Try using null character present in Constants file.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Okay. Noted

"Level 2- test that the returnTo query parameter's value is not added to the Location header when it starts with http")
void
test_That_ReturnToQueryParameterValue_IsNotAddedToLocationHeader_WhenItStartsWith_Http_Level2() {
try {

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No need to add try/catch

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Okay. Noted

import org.mockito.Mockito;
import org.springframework.http.*;

class Http3xxStatusCodeBasedInjectionTest {

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great test coverage @ehizman.

requestEntity, redirectUrl);
assertThat(responseEntity.getStatusCode()).isEqualTo(HttpStatus.FOUND);
assertThat(responseEntity.getHeaders().get(LOCATION_HEADER_KEY)).contains("/");
verify(http3xxStatusCodeBasedInjection, times(1))

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

as we have called this method at line 651 so this should be giving 1 time invocation. we can ignore this check.

requestEntity, redirectUrl);
assertThat(responseEntity.getStatusCode()).isEqualTo(HttpStatus.OK);
assertThat(responseEntity.getHeaders().get(LOCATION_HEADER_KEY)).isEqualTo(null);
verify(http3xxStatusCodeBasedInjection, times(1))

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

same we have called this method

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @preetkaran20 ,
I need some clarity, should I remove the verify checks?

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes as you have called the method from test case only so checking the verify doesn't give any benefit.

@preetkaran20 preetkaran20 left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

overall looks good. only one cosmetic change.

- added vulnerability description to messages.properties
- removed verify assertions
@preetkaran20 preetkaran20 merged commit 4104fbb into SasanLabs:master Jul 18, 2022
@preetkaran20

Copy link
Copy Markdown
Member

Thank you !!!

@ehizman

ehizman commented Jul 18, 2022 via email

Copy link
Copy Markdown
Contributor Author

@ehizman ehizman deleted the Http3_xx_status_code_based_injection_vulnerability_fix branch August 6, 2022 11:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants