69 changes: 69 additions & 0 deletions javablcktest.vuln
@@ -0,0 +1,69 @@

package org.owasp.benchmark.testcode;

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet(value = "/cmdi-00/BenchmarkTest00006")
public class bad1 extends HttpServlet {

private static final long serialVersionUID = 1L;

@Override
public void doGet(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
doPost(request, response);
}

@Override
public void doPost(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
// some code
response.setContentType("text/html;charset=UTF-8");

String param = "";
if (request.getHeader("BenchmarkTest00006") != null) {
param = request.getHeader("BenchmarkTest00006");
}

// URL Decode the header value since req.getHeader() doesn't. Unlike req.getParameter().
param = java.net.URLDecoder.decode(param, "UTF-8");

ScriptEngineManager factory = new ScriptEngineManager();
ScriptEngine engine = factory.getEngineByName("JavaScript");

String script = createTaintedScript(param);

//ruleid: tainted-code-injection-from-http-request
engine.eval(script); //Bad things can happen here.
Comment on lines +39 to +42

P1: Stop evaluating request headers as JavaScript

Request header BenchmarkTest00006 is decoded and directly concatenated into script, which is then passed to engine.eval(...). A client can supply arbitrary JavaScript in that header to execute on the server, enabling remote code execution on every POST/GET request. Guarding the script creation with validation or avoiding eval on user input is needed to prevent this injection path.

Bug: User input directly evaluated as JavaScript code

User-controlled input from the HTTP header BenchmarkTest00006 flows through createTaintedScript() and is passed directly to engine.eval() without sanitization. This allows attackers to execute arbitrary JavaScript code on the server by crafting malicious header values, leading to remote code execution.

String script2 = "this is a hardcoded script";
// ok: tainted-code-injection-from-http-request
engine.eval(script2); //Bad things can happen here.

FacesContext context = FacesContext.getCurrentInstance();
ExpressionFactory expressionFactory = context.getApplication().getExpressionFactory();
ELContext elContext = context.getELContext();
//ruleid: tainted-code-injection-from-http-request
ValueExpression vex = expressionFactory.createValueExpression(elContext, "expression" + param, String.class);

Bug: User input evaluated in Expression Language injection

User-controlled input from the HTTP header is concatenated into JSF Expression Language strings and passed to createValueExpression() and evaluateExpression(). An attacker can inject malicious EL expressions that get evaluated, potentially leading to remote code execution, data access, or server compromise through EL injection attacks.

String result = evaluateExpression("expression" + param);
Comment on lines +50 to +54

P1: Avoid creating JSF expressions from untrusted headers

The same unvalidated header value is appended to an EL string and fed into ExpressionFactory.createValueExpression, with evaluateExpression executing the expression. An attacker can craft the header to run arbitrary server-side EL code whenever this servlet handles a request. Sanitize or reject user-supplied data before building EL expressions to avoid expression injection.


}

public String createTaintedScript(String param){
return "this is some script" + param;
}

public String evaluateExpression(String expression) {
FacesContext context = FacesContext.getCurrentInstance();
ExpressionFactory expressionFactory = context.getApplication().getExpressionFactory();
ELContext elContext = context.getELContext();
// proruleid: tainted-code-injection-from-http-request
ValueExpression vex = expressionFactory.createValueExpression(elContext, expression, String.class);
return (String) vex.getValue(elContext);
}
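Review bot: the fixture uses types it never imports: `ScriptEngineManager` and `ScriptEngine` (javax.script), `FacesContext` (javax.faces.context) and `ExpressionFactory`, `ELContext` and `ValueExpression` (javax.el) all appear with no import, so the file will not compile outside the rule test harness. If the `.vuln` file is only ever scanned, a short header comment saying it is not meant to compile would save the next reader a puzzle; otherwise add the imports next to the existing servlet ones. Two smaller points in the same hunk: the annotation on the `evaluateExpression` sink is written `// proruleid:` while the other markers use `//ruleid:` with no space, worth aligning to whichever form the rest of the rule's tests use; and the `ok:` case keeps the `//Bad things can happen here.` comment copied from the tainted call, which reads as if the hardcoded `script2` were also meant to be a finding.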
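The two review comments above both end with the same mitigation: do not build code from the header value. As an added example, not code from the benchmark fixture or from the Semgrep rule's test suite, the following class shows the two sinks from the diff rewritten so the request text is handled as data: for the script engine it is bound to a variable instead of being concatenated into script source, and for EL the request may only select a constant expression from an allow-list. The class name, the `FIXED_SCRIPT` text, the allow-list keys and the sample header value are all constructed for this example.

```java
package org.owasp.benchmark.testcode;

import java.util.Map;
import javax.script.ScriptEngine;
import javax.script.ScriptEngineManager;
import javax.script.ScriptException;

// Added example, not part of the benchmark fixture above. It shows the two
// sinks from the diff rewritten so that request-controlled text is treated as
// data: it is bound to a script variable (never spliced into script source),
// and for EL it can only select a fixed expression from an allow-list.
public class SafeEvalExample {

    // The only script that ever reaches eval(): a constant with no user text in it.
    private static final String FIXED_SCRIPT = "'this is some script ' + param";

    // Replacement for createTaintedScript() + engine.eval(script): the header value
    // is handed to the engine as the *value* of the variable `param`.
    public static String runScriptWithBoundParam(String param) throws ScriptException {
        ScriptEngineManager factory = new ScriptEngineManager();
        ScriptEngine engine = factory.getEngineByName("JavaScript");
        if (engine == null) {
            // JDK 15+ ships no JavaScript engine by default (Nashorn was removed);
            // fail closed rather than silently doing nothing.
            throw new IllegalStateException("no JavaScript engine available");
        }
        engine.put("param", param); // bound as data; the engine never parses it as code
        return String.valueOf(engine.eval(FIXED_SCRIPT));
    }

    // Hypothetical allow-list (constructed for this example): a request may name one
    // of these keys, and only the matching constant EL string is ever built.
    private static final Map<String, String> ALLOWED_EXPRESSIONS = Map.of(
            "user", "#{sessionScope.userName}",
            "locale", "#{facesContext.viewRoot.locale}");

    // Replacement for "expression" + param: returns a constant EL string or rejects.
    // The caller passes the returned constant to expressionFactory.createValueExpression(...)
    // exactly as evaluateExpression() does, but no header text is ever part of it.
    public static String selectExpression(String key) {
        String expr = ALLOWED_EXPRESSIONS.get(key);
        if (expr == null) {
            throw new IllegalArgumentException("unsupported expression key: " + key);
        }
        return expr;
    }

    public static void main(String[] args) throws ScriptException {
        // Constructed sample header value: it closes the string literal and adds a
        // statement if concatenated into script source, but is inert when bound.
        String header = "'; 1 + 1; '";
        System.out.println(runScriptWithBoundParam(header));

        System.out.println(selectExpression("user"));
        try {
            selectExpression("#{1+1}"); // not an allow-listed key, so it is rejected
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The design choice in both halves is the same one a taint rule such as `tainted-code-injection-from-http-request` encodes: the sink (`engine.eval`, `createValueExpression`) only ever receives a compile-time constant, so there is no dataflow from the request to the code string for the rule to report, and nothing for a client to inject into.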