From f181dabeeca9b459b114732886e5ce138a669d05 Mon Sep 17 00:00:00 2001
From: Benjamin Duso
Date: Thu, 17 Mar 2022 15:59:06 -0400
Subject: [PATCH 1/6] This is a bulk commit with all of the text changes
---
 README.md | 3 +++
 .../verademo/commands/IgnoreCommand.java | 4 ++--
 .../verademo/commands/ListenCommand.java | 4 ++--
 .../commands/RemoveAccountCommand.java | 4 ++--
 .../verademo/controller/BlabController.java | 8 ++++----
 .../verademo/controller/ToolsController.java | 8 ++++----
 .../verademo/controller/UserController.java | 20 +++++++++----------
 .../veracode/verademo/utils/Constants.java | 4 ++--
 .../veracode/verademo/utils/UserFactory.java | 4 ++--
 9 files changed, 31 insertions(+), 28 deletions(-)
diff --git a/README.md b/README.md
index dbf9232d..c1465ba3 100644
--- a/README.md
+++ b/README.md
@@ -1,3 +1,6 @@
+Notice
+This project is intentionally vulnerable! It contains known vulnerabilities and security errors in its code and is meant as an example project for software security scanning tools such as Veracode. Please do not report vulnerabilities in this project; the odds are they’re there on purpose :) .
+
 # VeraDemo - Blab-a-Gag
 ## About
diff --git a/app/src/main/java/com/veracode/verademo/commands/IgnoreCommand.java b/app/src/main/java/com/veracode/verademo/commands/IgnoreCommand.java
index 55a153ab..e477b431 100644
--- a/app/src/main/java/com/veracode/verademo/commands/IgnoreCommand.java
+++ b/app/src/main/java/com/veracode/verademo/commands/IgnoreCommand.java
@@ -40,12 +40,12 @@ public void execute(String blabberUsername) {
 ResultSet result = sqlStatement.executeQuery(sqlQuery);
 result.next();
- /* START BAD CODE */
+ /* START EXAMPLE VULNERABILITY */
 String event = username + " is now ignoring " + blabberUsername + " (" + result.getString(1) + ")";
 sqlQuery = "INSERT INTO users_history (blabber, event) VALUES (\"" + username + "\", \"" + event + "\")";
 logger.info(sqlQuery);
 sqlStatement.execute(sqlQuery);
- /* END BAD CODE */
+ /* END EXAMPLE VULNERABILITY */
 } catch (SQLException e) {
 // TODO Auto-generated catch block
 e.printStackTrace();
diff --git a/app/src/main/java/com/veracode/verademo/commands/ListenCommand.java b/app/src/main/java/com/veracode/verademo/commands/ListenCommand.java
index 25b6e688..eeac893a 100644
--- a/app/src/main/java/com/veracode/verademo/commands/ListenCommand.java
+++ b/app/src/main/java/com/veracode/verademo/commands/ListenCommand.java
@@ -40,12 +40,12 @@ public void execute(String blabberUsername) {
 ResultSet result = sqlStatement.executeQuery(sqlQuery);
 result.next();
- /* START BAD CODE */
+ /* START EXAMPLE VULNERABILITY */
 String event = username + " started listening to " + blabberUsername + " (" + result.getString(1) + ")";
 sqlQuery = "INSERT INTO users_history (blabber, event) VALUES (\"" + username + "\", \"" + event + "\")";
 logger.info(sqlQuery);
 sqlStatement.execute(sqlQuery);
- /* END BAD CODE */
+ /* END EXAMPLE VULNERABILITY */
 } catch (SQLException e) {
 // TODO Auto-generated catch block
 e.printStackTrace();
diff --git a/app/src/main/java/com/veracode/verademo/commands/RemoveAccountCommand.java b/app/src/main/java/com/veracode/verademo/commands/RemoveAccountCommand.java
index 63a65a57..4ea339e3 100644
--- a/app/src/main/java/com/veracode/verademo/commands/RemoveAccountCommand.java
+++ b/app/src/main/java/com/veracode/verademo/commands/RemoveAccountCommand.java
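Review bot: The renamed marker `/* START EXAMPLE VULNERABILITY */` still does not say which weakness the bracketed lines demonstrate, so a reader of this intentionally vulnerable project has to rediscover that `event` (built from `blabberUsername` and a query result) and `username` are concatenated straight into the `INSERT` executed on the following lines. Naming the class in the marker keeps the teaching value and makes scanner findings easy to map back, e.g. `/* START EXAMPLE VULNERABILITY: SQL injection — user-controlled text concatenated into the INSERT; a PreparedStatement with bound parameters is the safe form */`. The same opaque marker is introduced in the ListenCommand, RemoveAccountCommand, BlabController, ToolsController, UserController, Constants and UserFactory hunks of this patch, and each could carry its own one-line label (string-built SQL, reflective class loading from a request value, shell command built from a request value, hard-coded JDBC password, deserialization of request data). execute()'s body begins and ends outside this hunk.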
@@ -42,7 +42,7 @@ public void execute(String blabberUsername) {
 ResultSet result = sqlStatement.executeQuery(sqlQuery);
 result.next();
- /* START BAD CODE */
+ /* START EXAMPLE VULNERABILITY */
 String event = "Removed account for blabber " + result.getString(1);
 sqlQuery = "INSERT INTO users_history (blabber, event) VALUES ('" + blabberUsername + "', '" + event + "')";
 logger.info(sqlQuery);
@@ -51,7 +51,7 @@ public void execute(String blabberUsername) {
 sqlQuery = "DELETE FROM users WHERE username = '" + blabberUsername + "'";
 logger.info(sqlQuery);
 sqlStatement.execute(sqlQuery);
- /* END BAD CODE */
+ /* END EXAMPLE VULNERABILITY */
 } catch (SQLException e) {
 e.printStackTrace();
diff --git a/app/src/main/java/com/veracode/verademo/controller/BlabController.java b/app/src/main/java/com/veracode/verademo/controller/BlabController.java
index 759405db..5f01e327 100644
--- a/app/src/main/java/com/veracode/verademo/controller/BlabController.java
+++ b/app/src/main/java/com/veracode/verademo/controller/BlabController.java
@@ -446,7 +446,7 @@ public String showBlabbers(
 Connection connect = null;
 PreparedStatement blabberQuery = null;
- /* START BAD CODE */
+ /* START EXAMPLE VULNERABILITY */
 String blabbersSql = "SELECT users.username," + " users.blab_name," + " users.created_at," + " SUM(if(listeners.listener=?, 1, 0)) as listeners," + " SUM(if(listeners.status='Active',1,0)) as listening"
@@ -465,7 +465,7 @@ public String showBlabbers(
 blabberQuery.setString(1, username);
 blabberQuery.setString(2, username);
 ResultSet blabbersResults = blabberQuery.executeQuery();
- /* END BAD CODE */
+ /* END EXAMPLE VULNERABILITY */
 List blabbers = new ArrayList();
 while (blabbersResults.next()) {
@@ -539,12 +539,12 @@ public String processBlabbers(
 Class.forName("com.mysql.jdbc.Driver");
 connect = DriverManager.getConnection(Constants.create().getJdbcConnectionString());
- /* START BAD CODE */
+ /* START EXAMPLE VULNERABILITY */
 Class cmdClass = Class.forName("com.veracode.verademo.commands." + ucfirst(command) + "Command");
 BlabberCommand cmdObj = (BlabberCommand) cmdClass.getDeclaredConstructor(Connection.class, String.class)
 .newInstance(connect, username);
 cmdObj.execute(blabberUsername);
- /* END BAD CODE */
+ /* END EXAMPLE VULNERABILITY */
 nextView = Utils.redirect("blabbers");
diff --git a/app/src/main/java/com/veracode/verademo/controller/ToolsController.java b/app/src/main/java/com/veracode/verademo/controller/ToolsController.java
index b47715da..055c35b4 100644
--- a/app/src/main/java/com/veracode/verademo/controller/ToolsController.java
+++ b/app/src/main/java/com/veracode/verademo/controller/ToolsController.java
@@ -49,9 +49,9 @@ private String ping(String host) {
 logger.info("Pinging: " + host);
 try {
- /* START BAD CODE */
+ /* START EXAMPLE VULNERABILITY */
 proc = Runtime.getRuntime().exec(new String[] { "bash", "-c", "ping -c1 " + host });
- /* END BAD CODE */
+ /* END EXAMPLE VULNERABILITY */
 proc.waitFor(5, TimeUnit.SECONDS);
 InputStreamReader isr = new InputStreamReader(proc.getInputStream());
@@ -79,9 +79,9 @@ private String fortune(String fortuneFile) {
 String output = "";
 Process proc;
 try {
- /* START BAD CODE */
+ /* START EXAMPLE VULNERABILITY */
 proc = Runtime.getRuntime().exec(new String[] { "bash", "-c", cmd });
- /* END BAD CODE */
+ /* END EXAMPLE VULNERABILITY */
 proc.waitFor(5, TimeUnit.SECONDS);
 InputStreamReader isr = new InputStreamReader(proc.getInputStream());
diff --git a/app/src/main/java/com/veracode/verademo/controller/UserController.java b/app/src/main/java/com/veracode/verademo/controller/UserController.java
index 257a5165..bf389b7a 100644
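Review bot: In the ToolsController ping() hunk the boolean returned by `proc.waitFor(5, TimeUnit.SECONDS)` on the context line after the marker is discarded, so when the limit expires the child process keeps running and the `InputStreamReader` built on the next line reads from a pipe that never reaches EOF, which can hold the request thread indefinitely. Checking the result and tearing the process down, `if (!proc.waitFor(5, TimeUnit.SECONDS)) { proc.destroyForcibly(); }`, bounds the handler's time without touching the example vulnerability the marker labels. The fortune() hunk immediately below has the same discarded result. Both ping() and fortune() continue outside their hunks, so the stream handling after the read is not visible here.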
--- a/app/src/main/java/com/veracode/verademo/controller/UserController.java
+++ b/app/src/main/java/com/veracode/verademo/controller/UserController.java
@@ -155,7 +155,7 @@ public String processLogin(
 Class.forName("com.mysql.jdbc.Driver");
 connect = DriverManager.getConnection(Constants.create().getJdbcConnectionString());
- /* START BAD CODE */
+ /* START EXAMPLE VULNERABILITY */
 // Execute the query
 logger.info("Creating the Statement");
 String sqlQuery = "select username, password, password_hint, created_at, last_login, real_name, blab_name from users where username='"
@@ -163,7 +163,7 @@ public String processLogin(
 sqlStatement = connect.createStatement();
 logger.info("Execute the Statement");
 ResultSet result = sqlStatement.executeQuery(sqlQuery);
- /* END BAD CODE */
+ /* END EXAMPLE VULNERABILITY */
 // Did we find exactly 1 user that matched?
 if (result.first()) {
@@ -357,7 +357,7 @@ public String processRegisterFinish(
 Class.forName("com.mysql.jdbc.Driver");
 connect = DriverManager.getConnection(Constants.create().getJdbcConnectionString());
- /* START BAD CODE */
+ /* START EXAMPLE VULNERABILITY */
 // Execute the query
 String mysqlCurrentDateTime = (new SimpleDateFormat("yyyy-MM-dd HH:mm:ss"))
 .format(Calendar.getInstance().getTime());
@@ -373,7 +373,7 @@ public String processRegisterFinish(
 sqlStatement = connect.createStatement();
 sqlStatement.execute(query.toString());
 logger.info(query.toString());
- /* END BAD CODE */
+ /* END EXAMPLE VULNERABILITY */
 emailUser(username);
 } catch (SQLException | ClassNotFoundException ex) {
@@ -415,9 +415,9 @@ private void emailUser(String username) {
 message.setFrom(new InternetAddress(from));
 message.addRecipient(Message.RecipientType.TO, new InternetAddress(to));
- /* START BAD CODE */
+ /* START EXAMPLE VULNERABILITY */
 message.setSubject(env.getProperty("mail.subject.new_user") + " " + username);
- /* END BAD CODE */
+ /* END EXAMPLE VULNERABILITY */
 message.setText("A new VeraDemo user registered: " + username);
@@ -471,13 +471,13 @@ public String showProfile(
 // Get the audit trail for this user
 ArrayList events = new ArrayList();
- /* START BAD CODE */
+ /* START EXAMPLE VULNERABILITY */
 String sqlMyEvents = "select event from users_history where blabber=\"" + username + "\" ORDER BY eventid DESC; ";
 logger.info(sqlMyEvents);
 Statement sqlStatement = connect.createStatement();
 ResultSet userHistoryResult = sqlStatement.executeQuery(sqlMyEvents);
- /* END BAD CODE */
+ /* END EXAMPLE VULNERABILITY */
 while (userHistoryResult.next()) {
 events.add(userHistoryResult.getString(1));
@@ -888,9 +888,9 @@ public void emailExceptionsToAdmin(Throwable t) {
 message.setFrom(new InternetAddress(from));
 message.addRecipient(Message.RecipientType.TO, new InternetAddress(to));
- /* START BAD CODE */
+ /* START EXAMPLE VULNERABILITY */
 message.setSubject("Error detected: " + t.getMessage());
- /* END BAD CODE */
+ /* END EXAMPLE VULNERABILITY */
 message.setText(t.getMessage() + "
" + properties.getProperty("test") + displayErrorForWeb(t)); diff --git a/app/src/main/java/com/veracode/verademo/utils/Constants.java b/app/src/main/java/com/veracode/verademo/utils/Constants.java index d40b1a45..57837bbd 100644 --- a/app/src/main/java/com/veracode/verademo/utils/Constants.java +++ b/app/src/main/java/com/veracode/verademo/utils/Constants.java @@ -9,9 +9,9 @@ public class Constants { private final String JDBC_PORT = "3306"; private final String JDBC_DATABASE = "blab"; private final String JDBC_USER = "blab"; - /* START BAD CODE */ + /* START EXAMPLE VULNERABILITY */ private final String JDBC_PASSWORD = "z2^E6J4$;u;d"; - /* END BAD CODE */ + /* END EXAMPLE VULNERABILITY */ private String hostname; private String port; diff --git a/app/src/main/java/com/veracode/verademo/utils/UserFactory.java b/app/src/main/java/com/veracode/verademo/utils/UserFactory.java index 36c7d6dd..ce078ee4 100644 --- a/app/src/main/java/com/veracode/verademo/utils/UserFactory.java +++ b/app/src/main/java/com/veracode/verademo/utils/UserFactory.java @@ -38,11 +38,11 @@ public static User createFromRequest(HttpServletRequest req) { InputStream decodedstream = Base64.getDecoder().wrap(stream); ObjectInputStream in; try { - /* START BAD CODE */ + /* START EXAMPLE VULNERABILITY */ in = new ObjectInputStream(decodedstream); User user = (User) in.readObject(); in.close(); - /* END BAD CODE */ + /* END EXAMPLE VULNERABILITY */ return user; From 9dc8da5dc8b1b18581a9a34abbf4ce817e71f49f Mon Sep 17 00:00:00 2001 From: Benjamin Duso Date: Fri, 18 Mar 2022 13:32:50 -0400 Subject: [PATCH 2/6] second commit (3/18/22) to update formatting --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index c1465ba3..d7c852b6 100644 --- a/README.md +++ b/README.md 
@@ -1,8 +1,8 @@
-Notice
-This project is intentionally vulnerable! It contains known vulnerabilities and security errors in its code and is meant as an example project for software security scanning tools such as Veracode. Please do not report vulnerabilities in this project; the odds are they’re there on purpose :) .
-
 # VeraDemo - Blab-a-Gag
+:information_source: Notice
+This project is intentionally vulnerable! It contains known vulnerabilities and security errors in its code and is meant as an example project for software security scanning tools such as Veracode. Please do not report vulnerabilities in this project; the odds are they’re there on purpose :) .
+
 ## About
 Blab-a-Gag is a fairly simple forum type application which allows:
From fcc0738b7db083891568ca018579f0bfe125ac01 Mon Sep 17 00:00:00 2001
From: Benjamin Duso
Date: Fri, 18 Mar 2022 13:34:43 -0400
Subject: [PATCH 3/6] formatting commit #2
---
 README.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/README.md b/README.md
index d7c852b6..eba0f2b1 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,7 @@
 # VeraDemo - Blab-a-Gag
 :information_source: Notice
+
 This project is intentionally vulnerable! It contains known vulnerabilities and security errors in its code and is meant as an example project for software security scanning tools such as Veracode. Please do not report vulnerabilities in this project; the odds are they’re there on purpose :) .
 ## About
From e2f1aff994683f889791b6833400897f2d341525 Mon Sep 17 00:00:00 2001
From: Benjamin Duso
Date: Fri, 18 Mar 2022 13:35:48 -0400
Subject: [PATCH 4/6] formatting commit #3
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index eba0f2b1..2360c42b 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,6 @@
 # VeraDemo - Blab-a-Gag
-:information_source: Notice
+:information_source: ### Notice
 This project is intentionally vulnerable! It contains known vulnerabilities and security errors in its code and is meant as an example project for software security scanning tools such as Veracode. Please do not report vulnerabilities in this project; the odds are they’re there on purpose :) .
From 1efd903abaab18ed1af6528e2b28b49c8504b6d5 Mon Sep 17 00:00:00 2001
From: Benjamin Duso
Date: Fri, 18 Mar 2022 13:36:37 -0400
Subject: [PATCH 5/6] formatting commit #4
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 2360c42b..eba0f2b1 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,6 @@
 # VeraDemo - Blab-a-Gag
-:information_source: ### Notice
+:information_source: Notice
 This project is intentionally vulnerable! It contains known vulnerabilities and security errors in its code and is meant as an example project for software security scanning tools such as Veracode. Please do not report vulnerabilities in this project; the odds are they’re there on purpose :) .
From 0b7ee1e7a058f03b612d3f37f58525090de5d968 Mon Sep 17 00:00:00 2001
From: Benjamin Duso
Date: Fri, 18 Mar 2022 13:37:18 -0400
Subject: [PATCH 6/6] formatting commit #5
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index eba0f2b1..4f028927 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,6 @@
 # VeraDemo - Blab-a-Gag
-:information_source: Notice
+### :information_source: Notice
 This project is intentionally vulnerable! It contains known vulnerabilities and security errors in its code and is meant as an example project for software security scanning tools such as Veracode. Please do not report vulnerabilities in this project; the odds are they’re there on purpose :) .