Add new test cases for server-based sanitization against reflected XSS

src/main/java/org/owasp/benchmark/testcode/BenchmarkTest02741.java

@@ -0,0 +1,54 @@
+/**
+ * OWASP Benchmark Project v1.2
+ *
+ * <p>This file is part of the Open Web Application Security Project (OWASP) Benchmark Project. For
+ * details, please see <a
+ * href="https://owasp.org/www-project-benchmark/">https://owasp.org/www-project-benchmark/</a>.
+ *
+ * <p>The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms
+ * of the GNU General Public License as published by the Free Software Foundation, version 2.
+ *
+ * <p>The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+ * PURPOSE. See the GNU General Public License for more details.
+ *
+ * @author Nick Sanidas
+ * @created 2015
+ */
+package org.owasp.benchmark.testcode;
+
+
+import java.io.IOException;
+import javax.servlet.ServletException;
+import javax.servlet.annotation.WebServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+@WebServlet(value = "/xss-00/BenchmarkTest02741")
+public class BenchmarkTest02741 extends SanitizingHttpServlet {
+
+    private static final long serialVersionUID = 1L;
+
+    @Override
+    public void doPost(HttpServletRequest request, HttpServletResponse response)
+            throws ServletException, IOException {
+        response.setContentType("text/html;charset=UTF-8");
+        response.setHeader("X-XSS-Protection", "0");
+
+        String param = request.getParameter("email");
+        if (param == null) param = "";
+        String sanitizeParam = sanitizeAttribute(param);
+
+        String htmlResponse = "<html>";
+        htmlResponse +=
+                "<head></head><body><div class=\"col-sm-4\">\n"
+                        + " <input type=\"password\" class=\"form-control\" id=\"password\" placeholder=\"Password\""
+                        + " name='password' th:value='"
+                        + sanitizeParam
+                        + "'/>"
+                        + " </div></body>";
+        htmlResponse += "</html>";
+
+        response.getWriter().println(htmlResponse);
+    }
+}

src/main/java/org/owasp/benchmark/testcode/BenchmarkTest02741.xml

@@ -0,0 +1,7 @@
+<test-metadata>
+    <benchmark-version>1.2</benchmark-version>
+    <category>xss</category>
+    <test-number>02741</test-number>
+    <vulnerability>false</vulnerability>
+    <cwe>79</cwe>
+</test-metadata>

src/main/java/org/owasp/benchmark/testcode/BenchmarkTest02742.java

@@ -0,0 +1,53 @@
+/**
+ * OWASP Benchmark Project v1.2
+ *
+ * <p>This file is part of the Open Web Application Security Project (OWASP) Benchmark Project. For
+ * details, please see <a
+ * href="https://owasp.org/www-project-benchmark/">https://owasp.org/www-project-benchmark/</a>.
+ *
+ * <p>The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms
+ * of the GNU General Public License as published by the Free Software Foundation, version 2.
+ *
+ * <p>The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+ * PURPOSE. See the GNU General Public License for more details.
+ *
+ * @author Nick Sanidas
+ * @created 2015
+ */
+package org.owasp.benchmark.testcode;
+
+import java.io.IOException;
+import javax.servlet.ServletException;
+import javax.servlet.annotation.WebServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+@WebServlet(value = "/xss-00/BenchmarkTest02742")
+public class BenchmarkTest02742 extends SanitizingHttpServlet {
+
+    private static final long serialVersionUID = 1L;
+
+    @Override
+    public void doPost(HttpServletRequest request, HttpServletResponse response)
+            throws ServletException, IOException {
+        response.setContentType("text/html;charset=UTF-8");
+        response.setHeader("X-XSS-Protection", "0");
+
+        String param = request.getParameter("email");
+        if (param == null) param = "";
+        String sanitizeParam = sanitizeTag(param);
+
+        String htmlResponse = "<html>";
+        htmlResponse +=
+                "<head></head><body><div class=\"col-sm-4\">\n"
+                        + " <input type=\"password\" class=\"form-control\" id=\"password\" placeholder=\"Password\""
+                        + " name='password' th:value='"
+                        + sanitizeParam
+                        + "'/>"
+                        + " </div></body>";
+        htmlResponse += "</html>";
+
+        response.getWriter().println(htmlResponse);
+    }
+}

src/main/java/org/owasp/benchmark/testcode/BenchmarkTest02742.xml

@@ -0,0 +1,7 @@
+<test-metadata>
+    <benchmark-version>1.2</benchmark-version>
+    <category>xss</category>
+    <test-number>02742</test-number>
+    <vulnerability>true</vulnerability>
+    <cwe>79</cwe>
+</test-metadata>

src/main/java/org/owasp/benchmark/testcode/BenchmarkTest02743.java

@@ -0,0 +1,40 @@
+package org.owasp.benchmark.testcode;
+
+import java.io.IOException;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+import javax.servlet.ServletException;
+import javax.servlet.annotation.WebServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+@WebServlet(value = "/xss-00/BenchmarkTest02743")
+public class BenchmarkTest02743 extends SanitizingHttpServlet {
+    private static final long serialVersionUID = 1L;
+
+    @Override
+    public void doPost(HttpServletRequest request, HttpServletResponse response)
+            throws ServletException, IOException {
+        response.setContentType("text/html;charset=UTF-8");
+        response.setHeader("X-XSS-Protection", "0");
+
+        String param = request.getParameter("email");
+        if (param == null) param = "";
+        Pattern p =
+                Pattern.compile(
+                        "^[A-Z0-9._%+-]+@[A-Z0-9.-]+\\.[A-Z]{2,6}$", Pattern.CASE_INSENSITIVE);
+        Matcher m = p.matcher(param);
+        boolean b = m.find();
+        String sanitizeParam = newSanitizedValue(param);
+
+        String htmlRespone = "<html><head></head><body><script>";
+        if (param != null && param.trim().length() != 0 && b) {
+
+            htmlRespone += "alert(\"Our reply will be sent to your email: " + sanitizeParam + "\")";
+        } else {
+            htmlRespone += "alert(\"the provided email is not correct: " + sanitizeParam + "\")";
+        }
+        htmlRespone += "</script></body></html>";
+        response.getWriter().println(htmlRespone);
+    }
+}

src/main/java/org/owasp/benchmark/testcode/BenchmarkTest02743.xml

@@ -0,0 +1,7 @@
+<test-metadata>
+    <benchmark-version>1.2</benchmark-version>
+    <category>xss</category>
+    <test-number>02743</test-number>
+    <vulnerability>true</vulnerability>
+    <cwe>79</cwe>
+</test-metadata>

src/main/java/org/owasp/benchmark/testcode/BenchmarkTest02744.java

@@ -0,0 +1,38 @@
+package org.owasp.benchmark.testcode;
+
+import java.io.IOException;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+import javax.servlet.ServletException;
+import javax.servlet.annotation.WebServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+@WebServlet(value = "/xss-00/BenchmarkTest02744")
+public class BenchmarkTest02744 extends SanitizingHttpServlet {
+    private static final long serialVersionUID = 1L;
+
+    @Override
+    public void doPost(HttpServletRequest request, HttpServletResponse response)
+            throws ServletException, IOException {
+        response.setContentType("text/html;charset=UTF-8");
+        response.setHeader("X-XSS-Protection", "0");
+        String param = request.getParameter("email");
+        if (param == null) param = "";
+        Pattern p =
+                Pattern.compile(
+                        "^[A-Z0-9._%+-]+@[A-Z0-9.-]+\\.[A-Z]{2,6}$", Pattern.CASE_INSENSITIVE);
+        Matcher m = p.matcher(param);
+        boolean b = m.find();
+        String sanitizeParam = newSanitizedValue(param);
+
+        String htmlRespone = "<html><head></head><body><p>";
+        if (param != null && param.trim().length() != 0 && b) {
+            htmlRespone += "Our reply will be sent to your email: " + sanitizeParam;
+        } else {
+            htmlRespone += "the provided email is not correct: " + sanitizeParam;
+        }
+        htmlRespone += "</p></body></html>";
+        response.getWriter().println(htmlRespone);
+    }
+}

src/main/java/org/owasp/benchmark/testcode/BenchmarkTest02744.xml

@@ -0,0 +1,7 @@
+<test-metadata>
+    <benchmark-version>1.2</benchmark-version>
+    <category>xss</category>
+    <test-number>02744</test-number>
+    <vulnerability>false</vulnerability>
+    <cwe>79</cwe>
+</test-metadata>

src/main/java/org/owasp/benchmark/testcode/BenchmarkTest02745.java

@@ -0,0 +1,47 @@
+/**
+ * OWASP Benchmark Project v1.2
+ *
+ * <p>This file is part of the Open Web Application Security Project (OWASP) Benchmark Project. For
+ * details, please see <a
+ * href="https://owasp.org/www-project-benchmark/">https://owasp.org/www-project-benchmark/</a>.
+ *
+ * <p>The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms
+ * of the GNU General Public License as published by the Free Software Foundation, version 2.
+ *
+ * <p>The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+ * PURPOSE. See the GNU General Public License for more details.
+ *
+ * @author Nick Sanidas
+ * @created 2015
+ */
+package org.owasp.benchmark.testcode;
+
+import java.io.IOException;
+import javax.servlet.ServletException;
+import javax.servlet.annotation.WebServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+@WebServlet(value = "/xss-00/BenchmarkTest02745")
+public class BenchmarkTest02745 extends SanitizingHttpServlet {
+
+    private static final long serialVersionUID = 1L;
+
+    @Override
+    public void doPost(HttpServletRequest request, HttpServletResponse response)
+            throws ServletException, IOException {
+        response.setContentType("text/html;charset=UTF-8");
+        response.setHeader("X-XSS-Protection", "0");
+
+        String param = request.getParameter("email");
+        if (param == null) param = "";
+        String sanitizeParam = sanitizeAttribute(param);
+
+        String htmlResponse = "<html>";
+        htmlResponse += "<head></head><body>" + sanitizeParam + "</body>";
+        htmlResponse += "</html>";
+
+        response.getWriter().println(htmlResponse);
+    }
+}

src/main/java/org/owasp/benchmark/testcode/BenchmarkTest02745.xml

@@ -0,0 +1,7 @@
+<test-metadata>
+    <benchmark-version>1.2</benchmark-version>
+    <category>xss</category>
+    <test-number>02745</test-number>
+    <vulnerability>true</vulnerability>
+    <cwe>79</cwe>
+</test-metadata>

src/main/java/org/owasp/benchmark/testcode/BenchmarkTest02746.java

@@ -0,0 +1,47 @@
+/**
+ * OWASP Benchmark Project v1.2
+ *
+ * <p>This file is part of the Open Web Application Security Project (OWASP) Benchmark Project. For
+ * details, please see <a
+ * href="https://owasp.org/www-project-benchmark/">https://owasp.org/www-project-benchmark/</a>.
+ *
+ * <p>The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms
+ * of the GNU General Public License as published by the Free Software Foundation, version 2.
+ *
+ * <p>The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+ * PURPOSE. See the GNU General Public License for more details.
+ *
+ * @author Nick Sanidas
+ * @created 2015
+ */
+package org.owasp.benchmark.testcode;
+
+import java.io.IOException;
+import javax.servlet.ServletException;
+import javax.servlet.annotation.WebServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+@WebServlet(value = "/xss-00/BenchmarkTest02746")
+public class BenchmarkTest02746 extends SanitizingHttpServlet {
+
+    private static final long serialVersionUID = 1L;
+
+    @Override
+    public void doPost(HttpServletRequest request, HttpServletResponse response)
+            throws ServletException, IOException {
+        response.setContentType("text/html;charset=UTF-8");
+        response.setHeader("X-XSS-Protection", "0");
+
+        String param = request.getParameter("email");
+        if (param == null) param = "";
+        String sanitizeParam = sanitizeTag(param);
+
+        String htmlResponse = "<html>";
+        htmlResponse += "<head></head><body>" + sanitizeParam + "</body>";
+        htmlResponse += "</html>";
+
+        response.getWriter().println(htmlResponse);
+    }
+}

src/main/java/org/owasp/benchmark/testcode/BenchmarkTest02746.xml

@@ -0,0 +1,7 @@
+<test-metadata>
+    <benchmark-version>1.2</benchmark-version>
+    <category>xss</category>
+    <test-number>02746</test-number>
+    <vulnerability>false</vulnerability>
+    <cwe>79</cwe>
+</test-metadata>

src/main/java/org/owasp/benchmark/testcode/Intermediate.java

@@ -0,0 +1,56 @@
+/**
+ * OWASP Benchmark Project v1.2
+ *
+ * <p>This file is part of the Open Web Application Security Project (OWASP) Benchmark Project. For
+ * details, please see <a
+ * href="https://owasp.org/www-project-benchmark/">https://owasp.org/www-project-benchmark/</a>.
+ *
+ * <p>The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms
+ * of the GNU General Public License as published by the Free Software Foundation, version 2.
+ *
+ * <p>The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+ * PURPOSE. See the GNU General Public License for more details.
+ *
+ * @author Nick Sanidas
+ * @created 2015
+ */
+package org.owasp.benchmark.testcode;
+
+import java.io.IOException;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+public class Intermediate extends HttpServlet {
+
+    @Override
+    public void doGet(HttpServletRequest request, HttpServletResponse response)
+            throws ServletException, IOException {
+        doPost(request, response);
+    }
+
+    protected String sanitizeAttribute(String parameter) {
+        String parameter1 = parameter;
+        parameter1 = parameter1.replaceAll("'", "&#39;");
+        parameter1 = parameter1.replaceAll("\"", "&quot;");
+        parameter1 = parameter1.replaceAll("&", "&amp;");
+        return parameter1;
+    }
+
+    protected String sanitizeTag(String parameter) {
+        String parameter1 = parameter;
+        parameter1 = parameter1.replaceAll("&", "&amp;");
+        parameter1 = parameter1.replaceAll("<", "\\u003C");
+        parameter1 = parameter1.replaceAll(">", "\\u003E");
+        return parameter1;
+    }
+
+    protected String newSanitizedValue(String parameter) {
+        parameter = parameter.replaceAll("&", "&amp;");
+        parameter = parameter.replaceAll("<", "&lt;");
+        parameter = parameter.replaceAll(">", "&gt;");
+        return parameter;
+    }
+}