streichsbaer / Custom-Portlet.java
Created December 14, 2015 06:07
Ajax CSRF protection workaround for Liferay
public void serveResource(ResourceRequest resourceRequest, ResourceResponse resourceResponse) throws IOException, PortletException {
HttpServletRequest request = PortalUtil.getOriginalServletRequest(PortalUtil.getHttpServletRequest(resourceRequest));
try {
HttpServletRequestWrapper wrapper = new HttpServletRequestWrapper(PortalUtil.getHttpServletRequest(resourceRequest)){
@Override
public String getParameter(String name) {
if (name.equals("p_auth")) {
return PortalUtil.getOriginalServletRequest((HttpServletRequest) super.getRequest()).getParameter(name);
}
streichsbaer / download_and_execute_Ropeytasks.sh
Last active July 6, 2016 02:39
Download and execute the vulnerable RopeyTasks Application
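# Fail fast: a failed download or clone must not let the later steps run
# against a missing jar or inside the wrong directory.
set -eu

# Fetch the deliberately vulnerable RopeyTasks target application.
# The URL is quoted because '?' is a shell glob character.
wget 'https://raw.githubusercontent.com/continuumsecurity/RopeyTasks/master/ropeytasks.jar?raw=true' -O ropeytasks.jar
# NOTE(review): this presumably runs the application server in the foreground,
# so the commands below only execute after it exits -- run them from a second
# shell (or background the server) while the app is up.
java -jar ropeytasks.jar

# Fetch the bdd-security framework and run only the @authentication scenarios
# (skipping those tagged @skip) against the running application.
git clone https://github.com/continuumsecurity/bdd-security.git
cd bdd-security
./gradlew -Dcucumber.options="--tags @authentication --tags ~@skip" test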
[...]
net.continuumsecurity.junit.SecurityTest > Scenario: Transmit authentication credentials over HTTPS.Then the protocol should be HTTPS FAILED
java.lang.AssertionError
[...]
Report available on: /Users/.../bdd-security/build/reports/cucumber/pretty/feature-overview.html
[...]
BUILD FAILED
@authentication
Feature: Authentication
Verify that the authentication system is robust
[...]
@cwe-319-auth
Scenario: Transmit authentication credentials over HTTPS
Given a new browser or client instance
And the client/browser is configured to use an intercepting proxy
And the proxy logs are cleared
When the default user logs in
public class WebApplicationSteps {
[...]
/**
 * No-arg constructor. Nothing is set up here; the application under test is
 * created by the step methods (see {@link #createAppForAnyClient()}).
 */
public WebApplicationSteps() {
}
[..]
/**
 * Step binding for "Given a new browser or client instance".
 * Delegates to {@code createApp()} and does nothing else.
 */
@Given("^a new browser or client instance$")
public void createAppForAnyClient() {
    this.createApp();
}
<?xml version="1.0" encoding="ISO-8859-1" ?>
<web-app>
<baseUrl>http://localhost:8080/</baseUrl>
<!-- A Java class holding the Selenium steps used to test the application in depth. Optional; required only for in-depth authn/z and session management testing. -->
<class>net.continuumsecurity.examples.ropeytasks.RopeyTasksApplication</class>
<!-- Optional names of the session ID cookies for session management testing. -->
<sessionIds>
<name>JSESSIONID</name>
</sessionIds>
<!-- the default user to use when logging in to the app -->
[..]
public class RopeyTasksApplication extends WebApplication implements ILogin,
ILogout,INavigable {
[..]
/**
 * Opens the application's login page: navigates the driver to
 * {@code <baseUrl>user/login} and then waits for the "username" element
 * via {@code findAndWaitForElement}.
 */
@Override
public void openLoginPage() {
    String loginUrl = Config.getInstance().getBaseUrl() + "user/login";
    driver.get(loginUrl);
    findAndWaitForElement(By.id("username"));
}
[..]
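# Abort if the download fails so java does not start a missing or stale jar.
set -eu

# Fetch the self-contained WebGoat 7.0.1 build and start it.
wget 'https://s3.amazonaws.com/webgoat-war/webgoat-container-7.0.1-war-exec.jar'
java -jar webgoat-container-7.0.1-war-exec.jar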
<?xml version="1.0" encoding="ISO-8859-1" ?>
<web-app>
[...]
<baseUrl>http://localhost:8080/WebGoat/</baseUrl>
<class>net.continuumsecurity.WebGoatApplication</class>
<defaultUsername>guest</defaultUsername>
<defaultPassword>guest</defaultPassword>
[...]
</web-app>