Fix crawler to issue GETs when it should, instead of all POSTs.

davewichers · davewichers · commit ef7ec5f317c6 · 2021-02-19T13:20:00.000-05:00
diff --git a/src/main/java/org/owasp/benchmark/tools/BenchmarkCrawler.java b/src/main/java/org/owasp/benchmark/tools/BenchmarkCrawler.java
@@ -21,18 +21,28 @@
 import java.io.FileInputStream;
 import java.io.IOException;
 import java.io.InputStream;
+import java.security.KeyManagementException;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
 import java.text.DateFormat;
 import java.text.SimpleDateFormat;
 import java.util.Date;
 import java.util.List;
 
+import javax.net.ssl.HostnameVerifier;
+import javax.net.ssl.SSLContext;
+
 import org.apache.commons.lang.time.StopWatch;
 import org.apache.http.HttpEntity;
 import org.apache.http.client.methods.CloseableHttpResponse;
 import org.apache.http.client.methods.HttpPost;
 import org.apache.http.client.methods.HttpRequestBase;
+import org.apache.http.conn.ssl.NoopHostnameVerifier;
+import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
+import org.apache.http.conn.ssl.TrustSelfSignedStrategy;
 import org.apache.http.impl.client.CloseableHttpClient;
 import org.apache.http.impl.client.HttpClients;
+import org.apache.http.ssl.SSLContextBuilder;
 import org.apache.http.util.EntityUtils;
 
 import org.owasp.benchmark.helpers.Utils;
@@ -53,7 +63,7 @@ protected void init() {
 	}
 
 	protected void crawl(InputStream http) throws Exception {
-		CloseableHttpClient httpclient = HttpClients.custom().setSSLSocketFactory(Utils.getSSLFactory()).build();
+		CloseableHttpClient httpclient = createAcceptSelfSignedCertificateClient();
 		long start = System.currentTimeMillis();
 
 		List<AbstractTestCaseRequest> requests = Utils.parseHttpFile(http);
@@ -76,16 +86,37 @@ protected void crawl(InputStream http) throws Exception {
 				+ " v" + testSuiteVersion + " took " + seconds + " seconds");
 	}
 
+	// This method taken directly from: https://memorynotfound.com/ignore-certificate-errors-apache-httpclient/
+	static CloseableHttpClient createAcceptSelfSignedCertificateClient()
+			throws KeyManagementException, NoSuchAlgorithmException, KeyStoreException {
+
+		// use the TrustSelfSignedStrategy to allow Self Signed Certificates
+		SSLContext sslContext = SSLContextBuilder
+				.create()
+				.loadTrustMaterial(new TrustSelfSignedStrategy())
+				.build();
+
+		// we can optionally disable hostname verification.
+		// if you don't want to further weaken the security, you don't have to include this.
+		HostnameVerifier allowAllHosts = new NoopHostnameVerifier();
+
+		// create an SSL Socket Factory to use the SSLContext with the trust self signed certificate strategy
+		// and allow all hosts verifier.
+		SSLConnectionSocketFactory connectionFactory = new SSLConnectionSocketFactory(sslContext, allowAllHosts);
+
+		// finally create the HttpClient using HttpClient factory methods and assign the ssl socket factory
+		return HttpClients
+				.custom()
+				.setSSLSocketFactory(connectionFactory)
+				.build();
+	}
+
 	/**
-	 * Issue the requested request, measure the time required to execute, then
-	 * output both to stdout and the global
-	 * variable timeString the URL tested, the time required to execute and the
-	 * response code.
+	 * Issue the requested request, measure the time required to execute, then output both to stdout and the
+	 * global variable timeString the URL tested, the time required to execute and the response code.
 	 * 
-	 * @param httpclient
-	 *            - The HTTP client to use to make the request
-	 * @param request
-	 *            - THe HTTP request to issue
+	 * @param httpclient - The HTTP client to use to make the request
+	 * @param request - THe HTTP request to issue
 	 * @throws IOException
 	 */
 	protected ResponseInfo sendRequest(CloseableHttpClient httpclient, AbstractTestCaseRequest requestTC) {
diff --git a/src/main/java/org/owasp/benchmark/tools/ServletTestCaseRequest.java b/src/main/java/org/owasp/benchmark/tools/ServletTestCaseRequest.java
@@ -26,6 +26,7 @@
 import org.apache.http.NameValuePair;
 import org.apache.http.client.entity.UrlEncodedFormEntity;
 import org.apache.http.client.methods.HttpEntityEnclosingRequestBase;
+import org.apache.http.client.methods.HttpGet;
 import org.apache.http.client.methods.HttpPost;
 import org.apache.http.client.methods.HttpRequestBase;
 import org.apache.http.message.BasicNameValuePair;
@@ -59,8 +60,9 @@ void buildQueryString() {
 
 	@Override
 	HttpRequestBase createRequestInstance(String URL) {
-		HttpPost httpPost = new HttpPost(URL);
-		return httpPost;
+		// If there are query parameters, this must be a GET, otherwise a POST.
+		if (getQuery().length() == 0) return new HttpPost(URL);
+		  else return new HttpGet(URL);
 	}
 
 	@Override
@@ -79,6 +81,10 @@ void buildCookies(HttpRequestBase request) {
 		for (Node cookie : getCookies()) {
 			String name = XMLCrawler.getAttributeValue("name", cookie);
 			String value = XMLCrawler.getAttributeValue("value", cookie);
+			// Note: URL encoding of a space becomes a +, which is OK for URL params, but
+			// not in a cookie, as the + doesn't get decoded properly. So have to replace
+			// all spaces with %20 instead (at least for NodeJS). Will this break Java?
+			value = value.replaceAll(" ", "%20");
 			request.addHeader("Cookie", name + "=" + URLEncoder.encode(value));
 		}
 	}
@@ -93,12 +99,14 @@ void buildBodyParameters(HttpRequestBase request) {
 			NameValuePair nvp = new BasicNameValuePair(name, value);
 			fields.add(nvp);
 		}
-		try {
-			((HttpEntityEnclosingRequestBase) request).setEntity(new UrlEncodedFormEntity(fields));
-		} catch (UnsupportedEncodingException e) {
-			System.out.println("Error encoding URL." + e.getMessage());
+		// Add the body parameters to the request if there were any
+		if (fields.size() > 0) {
+			try {
+				((HttpEntityEnclosingRequestBase) request).setEntity(new UrlEncodedFormEntity(fields));
+			} catch (UnsupportedEncodingException e) {
+				System.out.println("Error encoding URL." + e.getMessage());
+			}
 		}
-
 	}
 
 }
