diff --git a/.github/workflows/endor_pr_scan.yml b/.github/workflows/endor_pr_scan.yml new file mode 100644 index 0000000..f6e5fd8 --- /dev/null +++ b/.github/workflows/endor_pr_scan.yml @@ -0,0 +1,34 @@ +name: Endor Labs PR Check for Vulns and Secrets +on: + pull_request: + branches: [ new_main] + workflow_dispatch: +jobs: + scan: + permissions: + security-events: write + contents: read + id-token: write + issues: write # Required to automatically comment on PRs for new policy violations + pull-requests: write # Required to automatically comment on PRs for new policy violations + actions: read + runs-on: ubuntu-latest + steps: + - name: Checkout Repository + uses: actions/checkout@v3 + - name: Setup Java + uses: actions/setup-java@v3 + with: + distribution: 'microsoft' + java-version: '17' + - name: Build Package + run: mvn clean install + - name: Endor Labs Scan Pull Request + uses: endorlabs/github-action@v1.1.2 + with: + namespace: 'nate-learn' + scan_dependencies: true + scan_secrets: true + pr: true + enable_pr_comments: true + github_token: ${{ secrets.GITHUB_TOKEN }} # Required for PR comments on new policy violations diff --git a/.github/workflows/endor_push_scan.yml b/.github/workflows/endor_push_scan.yml new file mode 100644 index 0000000..2f2c6cc --- /dev/null +++ b/.github/workflows/endor_push_scan.yml @@ -0,0 +1,38 @@ +name: Endor Labs Main Branch Check for Secrets and Vulns +on: + push: + branches: [ new_main ] + workflow_dispatch: +jobs: + scan: + permissions: + security-events: write + contents: read + actions: read + id-token: write + issues: write + runs-on: ubuntu-latest + steps: + - name: Checkout Repository + uses: actions/checkout@v3 + - name: Setup Java + uses: actions/setup-java@v3 + with: + distribution: 'microsoft' + java-version: '17' + - name: Build Package + run: mvn clean install + - name: Endor Labs Scan Main + uses: endorlabs/github-action@v1.1.4 + with: + namespace: 'nate-learn' + scan_dependencies: true + scan_secrets: true + pr: false + scan_summary_output_type: 'table' + sarif_file: 'findings.sarif' + additional_args: '--bypass-host-check' + - name: Upload findings to github + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: 'findings.sarif' diff --git a/.github/workflows/scan-with-endorlabs.yml b/.github/workflows/scan-with-endorlabs.yml new file mode 100644 index 0000000..cc91066 --- /dev/null +++ b/.github/workflows/scan-with-endorlabs.yml @@ -0,0 +1,207 @@ +# this workflow is a reusable flow to scan a repo using autobuild as a sidecar job +# _REQUIRES a LINUX runner on an amd64-compatible arch, with bash >= 4.0 available and curl installed +name: Scan Repo with Endor Labs @ v0 +on: + workflow_call: + inputs: + git-url: + description: git URL for repository to scan + required: true + type: string + namespace: + description: Endor Labs namespace (tenant name) for authentication/findings + required: true + type: string + is-pr: + description: Do not monitor this version; set true when you're scanning a Pull request + type: boolean + default: false + git-branch: + description: the branch of the target repo we wish to scan; if empty, scan the default branch + required: false + type: string + upload-logs: + description: "upload logs as artifacts (default: false)" + type: boolean + default: true + upload-json: + description: "upload json results as artifact (default: false)" + type: boolean + default: true + upload-sarif: + description: "upload SARIF results to GitHub for consumption in Security Tab (requires public repo or GHAS license); use only when sidecar-scanning within a repo!" + type: boolean + default: true + endorlabs-api-url: + description: "URL to use for Endor Labs root API (default = 'https://api.endorlabs.com')" + required: false + type: string + default: "https://api.endorlabs.com" + env-file: + description: Path to file that contains endor environment configuration + required: false + type: string + default: ".endorlabs/environment" + runner: + description: "Runner to use (default: 'ubuntu-22.04')" + required: false + type: string + default: "ubuntu-22.04" + + secrets: + endorlabs-api-auth: + description: "API auth data in the form KEY:SECRET -- if present, disables GitHub Action OIDC auth" + required: false + github-access-token: + description: "github access token to use instead of default Actions token; may be required to clone private repos" + required: false + +jobs: + endorlabs-auto-scan: + runs-on: ${{ inputs.runner }} + permissions: + id-token: write # allows authentication to Endor Labs using Actions OIDC JWT Token + contents: read # allows this job to clone org repos + security-events: write + env: + ENDOR_API: ${{ inputs.endorlabs-api-url }} + ENDOR_NAMESPACE: ${{ inputs.namespace }} + ENDOR_HOME: ".endorlabs-workflow" + ENDOR_OS: linux + ENDOR_ARCH: amd64 + ENDOR_GITHUB_ACTION_TOKEN_ENABLE: "true" + ENDOR_SCAN_SUMMARY_OUTPUT_TYPE: "json" + ENDOR_SCAN_PR: ${{ inputs.is-pr }} + GH_TOKEN: ${{ secrets.github-access-token || github.token }} + steps: + - id: safety-check + name: Check safety of inputs + shell: bash + run: | + shopt -s nocasematch + if ! [[ "$ENDOR_NAMESPACE" =~ ^[a-z0-9_-]+([.][a-z0-9_-]+)*$ ]]; then + echo "::error::namespace input does not conform to namespace format" + exit 1 + fi + shopt -u nocasematch + if ! [[ "$ENDOR_API" =~ ^https://[^/]+\.endorlabs.com$ ]]; then + echo "::error::endor API URL input does not use a *.endorlabs.com host, or does not start with https://" + exit 2 + fi + + - id: endorlabs-clone + name: clone ${{ inputs.git-url }} + shell: bash + env: + CLONE_URL: "${{ inputs.git-url }}" + run: | + if (git clone "${CLONE_URL}" "project"); then + >&2 echo "Cloned '${CLONE_URL}' successfully using bare git" + else + >&2 echo "Failed to clone '${CLONE_URL}' with bare git, trying gh" + if ! (gh repo clone "${CLONE_URL}" "project"); then + echo "::error::unable to clone '${CLONE_URL}' with any supported method" + exit 1 + fi + fi + + - id: endorlabs-setup + name: install endorlabs client + shell: bash + env: + ENDORLABS_API_AUTH: ${{ secrets.endorlabs-api-auth }} + ENDORLABS_ENV_FILE: ${{ inputs.env-file }} + run: | + if [[ -f "${ENDORLABS_ENV_FILE}" ]]; then + grep -E '^ENDOR_' "${ENDORLABS_ENV_FILE}" >> $GITHUB_ENV + echo "::group::added repo environment hints from ${ENDORLABS_ENV_FILE}'" + grep -E '^ENDOR_' "${ENDORLABS_ENV_FILE}" + echo "::endgroup::" + fi + mkdir -p "${ENDOR_HOME}" + curl -o "${ENDOR_HOME}/endorctl" ${ENDOR_API}/download/latest/endorctl_${ENDOR_OS}_${ENDOR_ARCH} + echo "$(curl -s https://api.endorlabs.com/sha/latest/endorctl_${ENDOR_OS}_${ENDOR_ARCH}) ${ENDOR_HOME}/endorctl" | sha256sum -c || exit 1 + chmod +x "${ENDOR_HOME}/endorctl" + if [[ -n "$ENDORLABS_API_AUTH" ]]; then + echo "::notice::Disabling GitHub Actions OIDC auth for Endor Labs, using API key auth instead" + echo "ENDOR_API_CREDENTIALS_KEY=$(cut -d: -f1 <<< ${ENDORLABS_API_AUTH})" >> $GITHUB_ENV + echo "ENDOR_API_CREDENTIALS_SECRET=$(cut -d: -f2 <<< ${ENDORLABS_API_AUTH})" >> $GITHUB_ENV + echo "ENDOR_GITHUB_ACTION_TOKEN_ENABLE=false" >> $GITHUB_ENV + fi + + - id: endorlabs-host-check + name: perform host check + shell: bash + run: | + LANGUAGES="" + "${ENDOR_HOME}/endorctl" host-check --path=project --droid-gpt 2> >(tee "${ENDOR_HOME}/host-check.log" >&2) + for lang in $(sed -nr 's/^.*Checking ([a-z_-]+) toolset.*$/\1/p' "${ENDOR_HOME}/host-check.log"); do LANGUAGES="${lang},$LANGUAGES"; done + if [[ -n "$LANGUAGES" ]]; then + if [[ -z "$ENDOR_SCAN_LANGUAGES" ]]; then + # only do this if the repo env hasn't manually set languages + # echo "ENDOR_SCAN_LANGUAGES=${LANGUAGES::-1}" >> $GITHUB_ENV ## TODO: decide if we really want to do this + >&2 echo "::notice::Detected languages: ${LANGUAGES::-1}" + fi + fi + + - id: endorlabs-scan-ref + name: scan branch of ${{ inputs.git-url }} + shell: bash + env: + SCAN_BRANCH: ${{ inputs.git-branch }} + CLONE_URL: "${{ inputs.git-url }}" + MAKE_SARIF: ${{ inputs.upload-sarif }} + run: | + if [[ -z "$ENDOR_SCAN_LANGUAGES" ]]; then + echo "::warning::No supported languages were detected to scan; check prior step for details. Scanning without language constraint list" + fi + if [[ -n "$SCAN_BRANCH" ]]; then + echo "::notice::Scanning requested ref '${SCAN_BRANCH}'" + git checkout "${SCAN_BRANCH}" + else + echo "::notice::Scanning default branch" + fi + if [[ "$MAKE_SARIF" == "true" ]] + then + echo "::notice::SARIF output requested for submission to GitHub" + ENDOR_SCAN_SUMMARY_SARIF_FILE="${PWD}/scan-results.sarif" + fi + "${ENDOR_HOME}/endorctl" scan --path ./project --bypass-host-check --build --verbose 2> >(tee "${ENDOR_HOME}/default-scan.log" >&2) > "${ENDOR_HOME}/scan-results-${GITHUB_RUN_ID}.json" + echo "results-json=${ENDOR_HOME}/scan-results-${GITHUB_RUN_ID}.json" >> $GITHUB_OUTPUT + echo "results-sarif=$ENDOR_SCAN_SUMMARY_SARIF_FILE" >> $GITHUB_OUTPUT + echo "github-run-id=$(echo $CLONE_URL|sed -r 's/[^a-z0-9_-]+/_/g')-${GITHUB_RUN_ID}" >> $GITHUB_OUTPUT + ls -r + + - id: endorlabs-upload-json-results + name: upload scan results as artifacts + if: inputs.upload-json + uses: actions/upload-artifact@v4 + continue-on-error: true + with: + name: endorlabs-scan-results-${{ steps.endorlabs-scan-ref.outputs.github-run-id }} + path: ${{ steps.endorlabs-scan-ref.outputs.results-json }} + if-no-files-found: warn + + - id: endorlabs-upload-scan-logs + name: upload scan logs as artifacts + if: inputs.upload-logs == true + uses: actions/upload-artifact@v4 + continue-on-error: true + with: + name: endorlabs-scan-logs-${{ steps.endorlabs-scan-ref.outputs.github-run-id }} + path: ${{ env.ENDOR_HOME }}/*.log + if-no-files-found: warn + + - id: endorlabs-submit-sarif + name: submit SARIF output to GitHub + # env: + # GH_TOKEN: ${{ secrets.write_pat }} + if: inputs.upload-sarif == true + uses: github/codeql-action/upload-sarif@v3 + continue-on-error: true + with: + # token: ${{ secrets.write_pat }} + sarif_file: ${{ steps.endorlabs-scan-ref.outputs.results-sarif }} + checkout_path: "${{ github.workspace }}/project" + wait-for-processing: false + diff --git a/.github/workflows/supervisory-scan.yml b/.github/workflows/supervisory-scan.yml new file mode 100644 index 0000000..1e14f7d --- /dev/null +++ b/.github/workflows/supervisory-scan.yml @@ -0,0 +1,44 @@ +name: Scan Specified Projects +on: + workflow_dispatch: + # uncomment below and adjust to frequency to automatically run + # schedule: + # - cron: 1 */2 * * * + +jobs: + # generate_matrix: + # runs-on: ubuntu-latest + # outputs: + # matrix: ${{ steps.set-matrix.outputs.matrix }} + # steps: + # - name: Checkout code + # uses: actions/checkout@v4 + # with: + # sparse-checkout: | + # repos.csv + # sparse-checkout-cone-mode: false + + # - name: Read repos and namespaces from CSV + # id: set-matrix + # run: | + # OUTPUT="$(awk -F',' '{print "{\"repo\":\"" $1 "\", \"namespace\":\"" $2 "\"}"}' repos.csv | jq -s '.' | tr '\n' ' ')" + # echo "matrix=$OUTPUT" >> $GITHUB_OUTPUT + + scan-matrix: + # needs: generate_matrix + # strategy: + # # fail-fast should be set false so that one scan failure doesn't stop the whole matrix + # fail-fast: false + # max-parallel: 5 + # matrix: + # projects: ${{ fromJSON(needs.generate_matrix.outputs.matrix) }} + uses: nmichalov/app-java-demo/.github/workflows/scan-with-endorlabs.yml@new_main + permissions: + id-token: write # allows authentication to Endor Labs using Actions OIDC JWT Token + pull-requests: write # allows scanner to leave a pull request comment, if enabled + issues: write # allows scanner to leave a PR comment, if enabled + contents: read # allows this job to clone org repos + security-events: write + with: + git-url: "https://github.com/nmichalov/app-java-demo.git" + namespace: nate-learn.testb #${{ matrix.projects.namespace }} diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml new file mode 100644 index 0000000..7a1a9aa --- /dev/null +++ b/.github/workflows/test.yml @@ -0,0 +1,21 @@ +on: [push, workflow_dispatch] +name: build +jobs: + use-endorctl: + name: Usage of Endorctl + runs-on: ubuntu-latest + permissions: + id-token: write + packages: write + contents: read + steps: + - name: Setup with Endor Labs + # uses: endorlabs/github-action@1.1.4 + uses: endorlabs/github-action@v1.1.4 + with: + namespace: "nate-learn" + enable_github_action_token: true + + - name: Use Endorctl + run: | + endorctl api list -r Project diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..1de5659 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +target \ No newline at end of file diff --git a/Dockerfile b/Dockerfile index 8670fb3..8adbc90 100644 --- a/Dockerfile +++ b/Dockerfile @@ -18,7 +18,6 @@ WORKDIR /app # Copy the built artifact from the build stage COPY --from=build /app/target/endor-java-webapp-demo.jar . -COPY --from=build /app/target/endor-java-webapp-demo-jar-with-dependencies.jar . # Expose any necessary ports EXPOSE 443 diff --git a/META-INF/MANIFEST.MF b/META-INF/MANIFEST.MF new file mode 100644 index 0000000..b901074 --- /dev/null +++ b/META-INF/MANIFEST.MF @@ -0,0 +1,4 @@ +Manifest-Version: 1.0 +Created-By: Maven JAR Plugin 3.4.1 +Build-Jdk-Spec: 23 + diff --git a/pom.xml b/pom.xml index a783d8a..1c22ee1 100644 --- a/pom.xml +++ b/pom.xml @@ -1,210 +1,215 @@ - 4.0.0 - com.endor.webapp - endor-java-webapp-demo - 4.0-SNAPSHOT - jar - endor-webapp Maven Webapp - - http://www.example.com - - UTF-8 - 1.8 - 1.8 - - - - javax.servlet - javax.servlet-api - 3.1.0 - - - org.apache.commons - commons-text - 1.9 - - - mysql - mysql-connector-java - 5.1.42 - - - com.mchange - c3p0 - 0.9.5.2 - - - org.jboss.weld - weld-core - 1.1.33.Final - - - javax.enterprise - cdi-api - - - javax.annotation - jsr250-api - - - org.jboss.spec.javax.interceptor - jboss-interceptors-api_1.1_spec - - - org.slf4j - slf4j-api - - - org.javassist - javassist - - - - - org.apache.logging.log4j - log4j-core - 2.3 - true - test - - - com.nqzero - permit-reflect - 0.3 - - - org.jboss.arquillian.config - arquillian-config-spi - 1.7.0.Alpha12 - - - org.jboss.arquillian.container - arquillian-container-impl-base - 1.7.0.Alpha12 - - - org.jboss.shrinkwrap.descriptors - shrinkwrap-descriptors-api-base - 2.0.0 - - - org.jboss.shrinkwrap - shrinkwrap-impl-base - 1.2.6 - - - org.mockito - mockito-core - 2.28.2 - - - com.google.errorprone - error_prone_annotations - 2.7.1 - - - org.webjars.bowergithub.webcomponents - webcomponentsjs - 2.0.0-beta.3 - - - org.webjars.bowergithub.webcomponents - shadycss - 1.9.1 - - - org.semver - api - 0.9.33 - - - com.google.code.findbugs - jsr305 - - - commons-lang - commons-lang - - - de.tototec - de.tototec.cmdoption - - - org.ow2.asm - asm - - - - + xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"> + 4.0.0 + + org.springframework.boot + spring-boot-starter-parent + 3.1.5 + + + com.endor.webapp + endor-java-AppServlet + 4.0-SNAPSHOT + jar + endor-webapp Maven Webapp + + http://www.example.com - - endor-java-webapp-demo - - - - maven-clean-plugin - 3.1.0 - - - - maven-resources-plugin - 3.0.2 - - - maven-compiler-plugin - 3.8.0 - - - maven-surefire-plugin - 2.22.1 - - - maven-war-plugin - 3.2.2 - - - maven-install-plugin - 2.5.2 - - - maven-deploy-plugin - 2.8.2 - - - - - - org.apache.maven.plugins - maven-compiler-plugin - - 8 - 8 - - - - org.apache.maven.plugins - maven-assembly-plugin - 3.1.1 + + UTF-8 + 17 + 17 + - - - jar-with-dependencies - - + + + + org.apache.commons + commons-text + 1.9 + + + mysql + mysql-connector-java + 5.1.42 + + + org.springframework.boot + spring-boot-starter-web + + + com.mchange + c3p0 + 0.9.5.2 + + + jakarta.servlet + jakarta.servlet-api + 5.0.0 + provided + + + org.jboss.weld + weld-core + 1.1.33.Final + + + javax.enterprise + cdi-api + + + javax.annotation + jsr250-api + + + org.jboss.spec.javax.interceptor + jboss-interceptors-api_1.1_spec + + + org.slf4j + slf4j-api + + + org.javassist + javassist + + + + + org.apache.logging.log4j + log4j-core + 2.3 + true + test + + + com.nqzero + permit-reflect + 0.3 + + + org.jboss.arquillian.config + arquillian-config-spi + 1.7.0.Alpha12 + + + org.jboss.arquillian.container + arquillian-container-impl-base + 1.7.0.Alpha12 + + + org.jboss.shrinkwrap.descriptors + shrinkwrap-descriptors-api-base + 2.0.0 + + + org.jboss.shrinkwrap + shrinkwrap-impl-base + 1.2.6 + + + org.mockito + mockito-core + 2.28.2 + + + com.google.errorprone + error_prone_annotations + 2.7.1 + + + org.webjars.bowergithub.webcomponents + webcomponentsjs + 2.0.0-beta.3 + + + org.webjars.bowergithub.webcomponents + shadycss + 1.9.1 + + + org.semver + api + 0.9.33 + + + com.google.code.findbugs + jsr305 + + + commons-lang + commons-lang + + + de.tototec + de.tototec.cmdoption + + + org.ow2.asm + asm + + + + - - - make-assembly - package - - single - - - - - - - \ No newline at end of file + + endor-java-webapp-demo + + + + org.apache.maven.plugins + maven-compiler-plugin + 3.10.1 + + 17 + 17 + + + + + + org.apache.maven.plugins + maven-jar-plugin + 3.3.0 + + + + com.endor.App + + + + + + + + + org.springframework.boot + spring-boot-maven-plugin + + + + diff --git a/secrets.json b/secrets.json new file mode 100644 index 0000000..d757813 --- /dev/null +++ b/secrets.json @@ -0,0 +1,19 @@ +{ +production: true, +router: { + useHash: true, + enableTracing: false +}, +apollo: { + uri: 'https://newfactory-api-spa.grupomeiko.io/graphql', + xApiKey: 'secret-inserted-here' +}, +apollo_cloud: { + uri: 'https://newfactory-api-spa-cloud.grupomeiko.io/graphql', + xApiKey: 'secret-inserted-here' +}, +apollo_geo: { + uri: 'https://newfactory-api-spa-geo.grupomeiko.io/graphql', + xApiKey: 'secret-inserted-here' +} +} \ No newline at end of file diff --git a/src/main/java/com/endor/App.java b/src/main/java/com/endor/App.java new file mode 100644 index 0000000..f096c39 --- /dev/null +++ b/src/main/java/com/endor/App.java @@ -0,0 +1,13 @@ +package com.endor; + +import org.springframework.boot.SpringApplication; +import org.springframework.boot.autoconfigure.SpringBootApplication; +import org.springframework.boot.web.servlet.ServletComponentScan; + +@SpringBootApplication +@ServletComponentScan +public class App { + public static void main(String[] args) { + SpringApplication.run(App.class, args); + } +} diff --git a/src/main/java/com/endor/AppServlet.java b/src/main/java/com/endor/AppServlet.java index 40d1164..811d582 100644 --- a/src/main/java/com/endor/AppServlet.java +++ b/src/main/java/com/endor/AppServlet.java @@ -1,173 +1,118 @@ package com.endor; -import java.io.BufferedReader; -import java.io.BufferedWriter; -import java.io.FileReader; -import java.io.IOException; -import java.io.InputStreamReader; -import java.io.OutputStreamWriter; -import java.io.PrintWriter; -import java.net.URL; +import jakarta.servlet.annotation.WebServlet; +import jakarta.servlet.http.HttpServlet; +import jakarta.servlet.http.HttpServletRequest; +import jakarta.servlet.http.HttpServletResponse; +import java.io.*; +import java.net.URL; import javax.net.ssl.SSLSocket; import javax.net.ssl.SSLSocketFactory; -@javax.servlet.annotation.WebServlet(name = "AppServlet", urlPatterns = "/AppServlet") -public class AppServlet extends javax.servlet.http.HttpServlet { - protected void doPost(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) throws javax.servlet.ServletException, IOException { +@WebServlet(name = "AppServlet", urlPatterns = "/AppServlet") +public class AppServlet extends HttpServlet { + + @Override + protected void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException { doGet(request, response); } - protected void doGet(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) throws javax.servlet.ServletException, IOException { - //response.getWriter().println("Hello world"); - PrintWriter out = null; - try { - out = response.getWriter(); - } catch (Exception e) { - e.printStackTrace(); - } - HtmlUtil.printHtmlHeader(response); - HtmlUtil.startBody(response); - HtmlUtil.printMenu(response); - HtmlUtil.printCurrentTitle("SSRF", response); + @Override + protected void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException { + PrintWriter out = response.getWriter(); + response.setContentType("text/html"); - String form = "
" + - "URL: -- (If ssrf=file then inputs will be parsed from the file /opt/ssrfinput.txt)

" + + // Print HTML Form + out.println("SSRF Test"); + out.println("

SSRF Testing Application

"); + out.println("" + + "URL: -- (If ssrf=file, inputs will be parsed from the file /opt/ssrfinput.txt)

" + "Https URL:

" + - "" + "
"; - out.println(form); + "" + + ""); - - String loopback = request.getParameter("isloopback"); + // Get parameters from the form String ssrfUrl = request.getParameter("ssrf"); - String httpsssrfUrl = request.getParameter("httpsssrf"); - - System.out.printf("loopback : %s\n",loopback); - System.out.printf("ssrfUrl : %s\n",ssrfUrl); - System.out.printf("httpsssrfUrl : %s\n",httpsssrfUrl); - - if (loopback == null && ssrfUrl.equalsIgnoreCase("file")) { - BufferedReader reader = null; - try { - reader = new BufferedReader(new FileReader("/opt/ssrfinput.txt")); - System.out.println("ssrfinput.txt file opened successfully"); - } - catch (IOException e) { - System.out.println("Failed to open Input file"); - e.printStackTrace(); - } - try { - String line = reader.readLine(); - while (null != line) { - System.out.println("SSRF being called with :" + line); - UseUrlOpenConnection(request, response, line); - line = reader.readLine(); - Thread.sleep(2000); - } - reader.close(); - } - catch (Exception ex){ - ex.getStackTrace(); - } - } else if(loopback == null && ssrfUrl !=null && ssrfUrl.length() > 0) { - UseUrlOpenConnection(request, response, ssrfUrl); -// String countStr = request.getParameter("loop"); -// int count = Integer.parseInt(countStr); -// for (int i =0; i< count;i++) { -// restCall(request, response, i); -// } - } else if (loopback == null && 0 == httpsssrfUrl.toUpperCase().indexOf("HTTPS://")) { - System.out.println("Inside https://, calling UseUrlOpenConnectionhttps()"); - UseUrlOpenConnectionhttps(request, response, httpsssrfUrl); - + String httpsSsrfUrl = request.getParameter("httpsssrf"); + + if (ssrfUrl != null && ssrfUrl.equalsIgnoreCase("file")) { + processFile(request, response); + } else if (ssrfUrl != null && !ssrfUrl.isEmpty()) { + useUrlOpenConnection(request, response, ssrfUrl); + } else if (httpsSsrfUrl != null && httpsSsrfUrl.toLowerCase().startsWith("https://")) { + useUrlOpenConnectionHttps(request, response, httpsSsrfUrl); } - - System.out.println("Executed URLOpen"); + out.println(""); } - public void UseUrlOpenConnection(javax.servlet.http.HttpServletRequest request, - javax.servlet.http.HttpServletResponse response, String ssrfURL) throws javax.servlet.ServletException, IOException { - try { - response.getWriter().println("Inside Url.openStream"); - String url = "https://www.oracle.com/"; - if (ssrfURL != null && ssrfURL.length() > 0) { - url = ssrfURL; - } - URL oracle = new URL(url); + private void processFile(HttpServletRequest request, HttpServletResponse response) throws IOException { + PrintWriter out = response.getWriter(); + File file = new File("/opt/ssrfinput.txt"); - BufferedReader in = new BufferedReader( - new InputStreamReader(oracle.openStream())); + if (!file.exists()) { + out.println("

Error: File '/opt/ssrfinput.txt' not found!

"); + return; + } - String inputLine; - while ((inputLine = in.readLine()) != null){ - System.out.println(inputLine); - response.getWriter().print(inputLine);} - in.close(); + try (BufferedReader reader = new BufferedReader(new FileReader(file))) { + String line; + while ((line = reader.readLine()) != null) { + out.println("

Processing URL: " + line + "

"); + useUrlOpenConnection(request, response, line); + Thread.sleep(2000); // Simulate delay + } } catch (Exception e) { - response.getWriter().println("Exception!!"); - response.getWriter().print(e.getMessage()); - + out.println("

Error while reading the file: " + e.getMessage() + "

"); } } - public void UseUrlOpenConnectionhttps(javax.servlet.http.HttpServletRequest request, - javax.servlet.http.HttpServletResponse response, String ssrfURL) throws javax.servlet.ServletException, IOException { - - String hostname = "www.verisign.com"; - - - String hostname2 = "time.nist.gov"; - - String UrlToOpen = ssrfURL.replaceFirst("HTTPS://", ""); - UrlToOpen = UrlToOpen.replaceFirst("https://", ""); - + private void useUrlOpenConnection(HttpServletRequest request, HttpServletResponse response, String url) throws IOException { + PrintWriter out = response.getWriter(); + out.println("

Using URL.openConnection for: " + url + "

"); + try { - System.out.printf("Opening SSL socket for host : %s\n", UrlToOpen); - SSLSocketFactory factory = - (SSLSocketFactory)SSLSocketFactory.getDefault(); - SSLSocket socket = - (SSLSocket)factory.createSocket(UrlToOpen, 443); - - /* - * send http request - - */ - socket.startHandshake(); - - PrintWriter out = new PrintWriter(new BufferedWriter(new OutputStreamWriter(socket.getOutputStream()))); - - out.println("GET / HTTP/1.0"); - out.println(); - out.flush(); - - /* - * Make sure there were no surprises - */ - if (out.checkError()) - System.out.println( - "SSLSocketClient: java.io.PrintWriter error"); - - /* read response */ - BufferedReader in = new BufferedReader( - new InputStreamReader( - socket.getInputStream())); - - String inputLine; - while ((inputLine = in.readLine()) != null) { - System.out.println(inputLine); - response.getWriter().print(inputLine); + URL targetUrl = new URL(url); + try (BufferedReader in = new BufferedReader(new InputStreamReader(targetUrl.openStream()))) { + String inputLine; + while ((inputLine = in.readLine()) != null) { + out.println("

" + inputLine + "

"); + } } - in.close(); - out.close(); - socket.close(); - } catch (Exception e) { - e.printStackTrace(); + out.println("

Error during URL.openConnection: " + e.getMessage() + "

"); } + } + + private void useUrlOpenConnectionHttps(HttpServletRequest request, HttpServletResponse response, String url) throws IOException { + PrintWriter out = response.getWriter(); + out.println("

Using HTTPS Connection for: " + url + "

"); + String hostname = url.replaceFirst("https://", ""); + + try { + SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault(); + try (SSLSocket socket = (SSLSocket) factory.createSocket(hostname, 443)) { + socket.startHandshake(); + PrintWriter socketOut = new PrintWriter(new BufferedWriter(new OutputStreamWriter(socket.getOutputStream()))); + socketOut.println("GET / HTTP/1.0"); + socketOut.println(); + socketOut.flush(); + + if (socketOut.checkError()) { + out.println("

Error during HTTPS socket communication.

"); + } + + try (BufferedReader socketIn = new BufferedReader(new InputStreamReader(socket.getInputStream()))) { + String inputLine; + while ((inputLine = socketIn.readLine()) != null) { + out.println("

" + inputLine + "

"); + } + } + } + } catch (Exception e) { + out.println("

Error during HTTPS Connection: " + e.getMessage() + "

"); + } } - public static void main(String... args) { - System.out.println("Welocome to the java app"); - } } diff --git a/src/main/java/com/endor/AppServlet.java.bak b/src/main/java/com/endor/AppServlet.java.bak new file mode 100644 index 0000000..01e14cd --- /dev/null +++ b/src/main/java/com/endor/AppServlet.java.bak @@ -0,0 +1,178 @@ +package com.endor; + +import java.io.BufferedReader; +import java.io.BufferedWriter; +import java.io.FileReader; +import java.io.IOException; +import java.io.InputStreamReader; +import java.io.OutputStreamWriter; +import java.io.PrintWriter; +import java.net.URL; + +// import org.springframework.mock.web.MockHttpServletRequest; + +import javax.net.ssl.SSLSocket; +import javax.net.ssl.SSLSocketFactory; + +// create a diff + +@javax.servlet.annotation.WebServlet(name = "AppServlet", urlPatterns = "/AppServlet") +public class AppServlet extends javax.servlet.http.HttpServlet { + protected void doPost(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) throws javax.servlet.ServletException, IOException { + doGet(request, response); + } + + protected void doGet(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) throws javax.servlet.ServletException, IOException { + //response.getWriter().println("Hello world"); + PrintWriter out = null; + try { + out = response.getWriter(); + } catch (Exception e) { + e.printStackTrace(); + } + HtmlUtil.printHtmlHeader(response); + HtmlUtil.startBody(response); + HtmlUtil.printMenu(response); + HtmlUtil.printCurrentTitle("SSRF", response); + + String form = "
" + + "URL: -- (If ssrf=file then inputs will be parsed from the file /opt/ssrfinput.txt)

" + + "Https URL:

" + + "" + "
"; + out.println(form); + + + String loopback = request.getParameter("isloopback"); + String ssrfUrl = request.getParameter("ssrf"); + String httpsssrfUrl = request.getParameter("httpsssrf"); + + System.out.printf("loopback : %s\n",loopback); + System.out.printf("ssrfUrl : %s\n",ssrfUrl); + System.out.printf("httpsssrfUrl : %s\n",httpsssrfUrl); + + if (loopback == null && ssrfUrl.equalsIgnoreCase("file")) { + BufferedReader reader = null; + try { + reader = new BufferedReader(new FileReader("/opt/ssrfinput.txt")); + System.out.println("ssrfinput.txt file opened successfully"); + } + catch (IOException e) { + System.out.println("Failed to open Input file"); + e.printStackTrace(); + } + try { + String line = reader.readLine(); + while (null != line) { + System.out.println("SSRF being called with :" + line); + UseUrlOpenConnection(request, response, line); + line = reader.readLine(); + Thread.sleep(2000); + } + reader.close(); + } + catch (Exception ex){ + ex.getStackTrace(); + } + } else if(loopback == null && ssrfUrl !=null && ssrfUrl.length() > 0) { + UseUrlOpenConnection(request, response, ssrfUrl); +// String countStr = request.getParameter("loop"); +// int count = Integer.parseInt(countStr); +// for (int i =0; i< count;i++) { +// restCall(request, response, i); +// } + } else if (loopback == null && 0 == httpsssrfUrl.toUpperCase().indexOf("HTTPS://")) { + System.out.println("Inside https://, calling UseUrlOpenConnectionhttps()"); + UseUrlOpenConnectionhttps(request, response, httpsssrfUrl); + + } + + System.out.println("Executed URLOpen"); + + } + + public void UseUrlOpenConnection(javax.servlet.http.HttpServletRequest request, + javax.servlet.http.HttpServletResponse response, String ssrfURL) throws javax.servlet.ServletException, IOException { + try { + response.getWriter().println("Inside Url.openStream"); + String url = "https://www.oracle.com/"; + if (ssrfURL != null && ssrfURL.length() > 0) { + url = ssrfURL; + } + URL oracle = new URL(url); + + BufferedReader in = new BufferedReader( + new InputStreamReader(oracle.openStream())); + + String inputLine; + while ((inputLine = in.readLine()) != null){ + System.out.println(inputLine); + response.getWriter().print(inputLine);} + in.close(); + } catch (Exception e) { + response.getWriter().println("Exception!!"); + response.getWriter().print(e.getMessage()); + + } + } + + public void UseUrlOpenConnectionhttps(javax.servlet.http.HttpServletRequest request, + javax.servlet.http.HttpServletResponse response, String ssrfURL) throws javax.servlet.ServletException, IOException { + + String hostname = "www.verisign.com"; + + + String hostname2 = "time.nist.gov"; + + String UrlToOpen = ssrfURL.replaceFirst("HTTPS://", ""); + UrlToOpen = UrlToOpen.replaceFirst("https://", ""); + + try { + System.out.printf("Opening SSL socket for host : %s\n", UrlToOpen); + SSLSocketFactory factory = + (SSLSocketFactory)SSLSocketFactory.getDefault(); + SSLSocket socket = + (SSLSocket)factory.createSocket(UrlToOpen, 443); + + /* + * send http request + + */ + socket.startHandshake(); + + PrintWriter out = new PrintWriter(new BufferedWriter(new OutputStreamWriter(socket.getOutputStream()))); + + out.println("GET / HTTP/1.0"); + out.println(); + out.flush(); + + /* + * Make sure there were no surprises + */ + if (out.checkError()) + System.out.println( + "SSLSocketClient: java.io.PrintWriter error"); + + /* read response */ + BufferedReader in = new BufferedReader( + new InputStreamReader( + socket.getInputStream())); + + String inputLine; + while ((inputLine = in.readLine()) != null) { + System.out.println(inputLine); + response.getWriter().print(inputLine); + } + in.close(); + out.close(); + socket.close(); + + } catch (Exception e) { + e.printStackTrace(); + } + + } + public static void main(String... args) { + System.out.println("Welocome to the java app"); + + } +} diff --git a/src/main/java/com/endor/AsyncEchoUpgradeServlet.java b/src/main/java/com/endor/AsyncEchoUpgradeServlet.java index c679803..a5b4b4f 100644 --- a/src/main/java/com/endor/AsyncEchoUpgradeServlet.java +++ b/src/main/java/com/endor/AsyncEchoUpgradeServlet.java @@ -1,11 +1,11 @@ package com.endor; -import javax.servlet.AsyncContext; -import javax.servlet.ReadListener; -import javax.servlet.ServletException; -import javax.servlet.WriteListener; -import javax.servlet.annotation.WebServlet; -import javax.servlet.http.*; +import jakarta.servlet.AsyncContext; +import jakarta.servlet.ReadListener; +import jakarta.servlet.ServletException; +import jakarta.servlet.WriteListener; +import jakarta.servlet.annotation.WebServlet; +import jakarta.servlet.http.*; import java.io.IOException; import java.util.ArrayDeque; import java.util.Queue; diff --git a/src/main/java/com/endor/AsyncServlet.java b/src/main/java/com/endor/AsyncServlet.java index 789dc6a..c33318b 100644 --- a/src/main/java/com/endor/AsyncServlet.java +++ b/src/main/java/com/endor/AsyncServlet.java @@ -1,11 +1,11 @@ package com.endor; -import javax.servlet.AsyncContext; -import javax.servlet.ServletException; -import javax.servlet.annotation.WebServlet; -import javax.servlet.http.HttpServlet; -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; +import jakarta.servlet.AsyncContext; +import jakarta.servlet.ServletException; +import jakarta.servlet.annotation.WebServlet; +import jakarta.servlet.http.HttpServlet; +import jakarta.servlet.http.HttpServletRequest; +import jakarta.servlet.http.HttpServletResponse; import java.io.IOException; import java.io.PrintWriter; import java.sql.*; @@ -15,7 +15,7 @@ public class AsyncServlet extends HttpServlet { /* ... Same variables and init method as in SyncServlet ... */ - protected void doPost(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) throws javax.servlet.ServletException, IOException { + protected void doPost(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response) throws jakarta.servlet.ServletException, IOException { doGet(request, response); } diff --git a/src/main/java/com/endor/BooksServlet.java b/src/main/java/com/endor/BooksServlet.java index 73168c4..5a26a08 100644 --- a/src/main/java/com/endor/BooksServlet.java +++ b/src/main/java/com/endor/BooksServlet.java @@ -1,11 +1,11 @@ package com.endor; -import javax.servlet.RequestDispatcher; -import javax.servlet.ServletException; -import javax.servlet.annotation.WebServlet; -import javax.servlet.http.HttpServlet; -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; +import jakarta.servlet.RequestDispatcher; +import jakarta.servlet.ServletException; +import jakarta.servlet.annotation.WebServlet; +import jakarta.servlet.http.HttpServlet; +import jakarta.servlet.http.HttpServletRequest; +import jakarta.servlet.http.HttpServletResponse; import java.io.IOException; import java.io.PrintWriter; import java.security.InvalidParameterException; @@ -642,7 +642,7 @@ public boolean executeSQLHelper(String methodName, String name, String pass) { StringBuffer sbuf = new StringBuffer(); String query = new String(); - query = "select FIRST, LAST from CUSTOMERS WHERE LAST=\'" + name + "\' AND PASSWORD= \'" + pass + "\'"; + query = "select FIRST, LAST from CUSTOMERS WHERE LAST=name AND PASSWORD=password"; if (methodName.equalsIgnoreCase("executeQuerySQL")) { @@ -1543,7 +1543,7 @@ public boolean StoredProcDirectParaAsync(String name, String pass) { //PreparedStatement stmt = null; CallableStatement c = null; try { - String Proc_query = "{CALL sql_login('" + name +"',"+ pass + "')}"; + String Proc_query = "{CALL sql_login('name and pass')}"; System.out.println("Created Procedure query string : " + Proc_query); c = conn.prepareCall(Proc_query); } catch (SQLException e) { diff --git a/src/main/java/com/endor/BotTest.java b/src/main/java/com/endor/BotTest.java index 370eb6d..5379b71 100644 --- a/src/main/java/com/endor/BotTest.java +++ b/src/main/java/com/endor/BotTest.java @@ -1,12 +1,12 @@ package com.endor; -import javax.servlet.AsyncContext; -import javax.servlet.ServletException; -import javax.servlet.annotation.WebServlet; -import javax.servlet.http.HttpServlet; -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; +import jakarta.servlet.AsyncContext; +import jakarta.servlet.ServletException; +import jakarta.servlet.annotation.WebServlet; +import jakarta.servlet.http.HttpServlet; +import jakarta.servlet.http.HttpServletRequest; +import jakarta.servlet.http.HttpServletResponse; import java.io.IOException; import java.io.PrintWriter; import java.sql.*; @@ -17,7 +17,7 @@ public class BotTest extends HttpServlet { /* ... Same variables and init method as in SyncServlet ... */ boolean isPost = false; - protected void doPost(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) throws javax.servlet.ServletException, IOException { + protected void doPost(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response) throws jakarta.servlet.ServletException, IOException { isPost = true; System.out.println("In Post request method"); doGet(request, response); diff --git a/src/main/java/com/endor/CSPFilter.java b/src/main/java/com/endor/CSPFilter.java index 348f168..1e1d2d4 100644 --- a/src/main/java/com/endor/CSPFilter.java +++ b/src/main/java/com/endor/CSPFilter.java @@ -3,14 +3,14 @@ import java.io.IOException; import java.io.PrintWriter; -import javax.servlet.Filter; -import javax.servlet.FilterChain; -import javax.servlet.FilterConfig; -import javax.servlet.ServletException; -import javax.servlet.ServletRequest; -import javax.servlet.ServletResponse; -import javax.servlet.annotation.WebFilter; -import javax.servlet.http.HttpServletResponse; +import jakarta.servlet.Filter; +import jakarta.servlet.FilterChain; +import jakarta.servlet.FilterConfig; +import jakarta.servlet.ServletException; +import jakarta.servlet.ServletRequest; +import jakarta.servlet.ServletResponse; +import jakarta.servlet.annotation.WebFilter; +import jakarta.servlet.http.HttpServletResponse; /** * Servlet Filter implementation class CSPFilter diff --git a/src/main/java/com/endor/CookieTest.java b/src/main/java/com/endor/CookieTest.java index 7e372f7..d117e3e 100644 --- a/src/main/java/com/endor/CookieTest.java +++ b/src/main/java/com/endor/CookieTest.java @@ -1,11 +1,11 @@ package com.endor; -import javax.servlet.ServletException; -import javax.servlet.annotation.WebServlet; -import javax.servlet.http.Cookie; -import javax.servlet.http.HttpServlet; -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; +import jakarta.servlet.ServletException; +import jakarta.servlet.annotation.WebServlet; +import jakarta.servlet.http.Cookie; +import jakarta.servlet.http.HttpServlet; +import jakarta.servlet.http.HttpServletRequest; +import jakarta.servlet.http.HttpServletResponse; import java.io.IOException; import java.io.PrintWriter; diff --git a/src/main/java/com/endor/Deserialize1.java b/src/main/java/com/endor/Deserialize1.java index 21e5d41..0db072b 100644 --- a/src/main/java/com/endor/Deserialize1.java +++ b/src/main/java/com/endor/Deserialize1.java @@ -1,11 +1,11 @@ package com.endor; -import javax.servlet.ServletException; -import javax.servlet.annotation.MultipartConfig; -import javax.servlet.annotation.WebServlet; -import javax.servlet.http.HttpServlet; -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; +import jakarta.servlet.ServletException; +import jakarta.servlet.annotation.MultipartConfig; +import jakarta.servlet.annotation.WebServlet; +import jakarta.servlet.http.HttpServlet; +import jakarta.servlet.http.HttpServletRequest; +import jakarta.servlet.http.HttpServletResponse; import java.io.BufferedReader; import java.io.ByteArrayInputStream; diff --git a/src/main/java/com/endor/ElExpression.java b/src/main/java/com/endor/ElExpression.java index 077d8a0..86b967b 100644 --- a/src/main/java/com/endor/ElExpression.java +++ b/src/main/java/com/endor/ElExpression.java @@ -2,14 +2,14 @@ import java.io.IOException; -import javax.servlet.RequestDispatcher; -import javax.servlet.ServletException; -import javax.servlet.annotation.WebServlet; -import javax.servlet.http.Cookie; -import javax.servlet.http.HttpServlet; -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; -import javax.servlet.http.HttpSession; +import jakarta.servlet.RequestDispatcher; +import jakarta.servlet.ServletException; +import jakarta.servlet.annotation.WebServlet; +import jakarta.servlet.http.Cookie; +import jakarta.servlet.http.HttpServlet; +import jakarta.servlet.http.HttpServletRequest; +import jakarta.servlet.http.HttpServletResponse; +import jakarta.servlet.http.HttpSession; import java.io.PrintWriter; @WebServlet("/elExpression") diff --git a/src/main/java/com/endor/EncryptionServlet.java b/src/main/java/com/endor/EncryptionServlet.java index 4cf4585..428d207 100644 --- a/src/main/java/com/endor/EncryptionServlet.java +++ b/src/main/java/com/endor/EncryptionServlet.java @@ -1,11 +1,11 @@ package com.endor; import javax.crypto.*; -import javax.servlet.ServletException; -import javax.servlet.annotation.WebServlet; -import javax.servlet.http.HttpServlet; -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; +import jakarta.servlet.ServletException; +import jakarta.servlet.annotation.WebServlet; +import jakarta.servlet.http.HttpServlet; +import jakarta.servlet.http.HttpServletRequest; +import jakarta.servlet.http.HttpServletResponse; import java.io.IOException; import java.io.PrintWriter; import java.security.*; diff --git a/src/main/java/com/endor/ExecuteServlet.java b/src/main/java/com/endor/ExecuteServlet.java index e5ebf86..ff58e3d 100644 --- a/src/main/java/com/endor/ExecuteServlet.java +++ b/src/main/java/com/endor/ExecuteServlet.java @@ -1,10 +1,10 @@ package com.endor; -import javax.servlet.ServletException; -import javax.servlet.annotation.WebServlet; -import javax.servlet.http.HttpServlet; -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; +import jakarta.servlet.ServletException; +import jakarta.servlet.annotation.WebServlet; +import jakarta.servlet.http.HttpServlet; +import jakarta.servlet.http.HttpServletRequest; +import jakarta.servlet.http.HttpServletResponse; import java.io.IOException; import java.io.PrintWriter; diff --git a/src/main/java/com/endor/ExtraServlet.java b/src/main/java/com/endor/ExtraServlet.java index 977a32f..0dc6dcb 100644 --- a/src/main/java/com/endor/ExtraServlet.java +++ b/src/main/java/com/endor/ExtraServlet.java @@ -11,12 +11,12 @@ import java.sql.Statement; import java.sql.Types; -import javax.servlet.ServletException; -import javax.servlet.ServletInputStream; -import javax.servlet.annotation.WebServlet; -import javax.servlet.http.HttpServlet; -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; +import jakarta.servlet.ServletException; +import jakarta.servlet.ServletInputStream; +import jakarta.servlet.annotation.WebServlet; +import jakarta.servlet.http.HttpServlet; +import jakarta.servlet.http.HttpServletRequest; +import jakarta.servlet.http.HttpServletResponse; /** diff --git a/src/main/java/com/endor/FileUploadServlet.java b/src/main/java/com/endor/FileUploadServlet.java index 9d6eda9..bcc5034 100644 --- a/src/main/java/com/endor/FileUploadServlet.java +++ b/src/main/java/com/endor/FileUploadServlet.java @@ -1,12 +1,12 @@ package com.endor; -import javax.servlet.ServletException; -import javax.servlet.annotation.MultipartConfig; -import javax.servlet.annotation.WebServlet; -import javax.servlet.http.HttpServlet; -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; -import javax.servlet.http.Part; +import jakarta.servlet.ServletException; +import jakarta.servlet.annotation.MultipartConfig; +import jakarta.servlet.annotation.WebServlet; +import jakarta.servlet.http.HttpServlet; +import jakarta.servlet.http.HttpServletRequest; +import jakarta.servlet.http.HttpServletResponse; +import jakarta.servlet.http.Part; import java.io.*; import java.util.logging.Level; import java.util.logging.Logger; diff --git a/src/main/java/com/endor/GetInputStreamInnerTest.java b/src/main/java/com/endor/GetInputStreamInnerTest.java index bb5c2a6..88c9b12 100644 --- a/src/main/java/com/endor/GetInputStreamInnerTest.java +++ b/src/main/java/com/endor/GetInputStreamInnerTest.java @@ -1,12 +1,12 @@ package com.endor; -import javax.servlet.ServletException; -import javax.servlet.ServletInputStream; -import javax.servlet.annotation.WebServlet; -import javax.servlet.http.HttpServlet; -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; +import jakarta.servlet.ServletException; +import jakarta.servlet.ServletInputStream; +import jakarta.servlet.annotation.WebServlet; +import jakarta.servlet.http.HttpServlet; +import jakarta.servlet.http.HttpServletRequest; +import jakarta.servlet.http.HttpServletResponse; import java.io.IOException; import java.io.PrintWriter; import java.sql.*; @@ -123,7 +123,7 @@ public boolean executeSQLHelper(String name, String pass) { try { StringBuffer sbuf = new StringBuffer(); String query = new String(); - query = "select FIRST, LAST from CUSTOMERS WHERE LAST=\'" + name + "\' AND PASSWORD= \'" + pass + "\'"; + query = "select FIRST, LAST from CUSTOMERS WHERE LAST=name AND PASSWORD=pass"; System.out.println("Multileg PreparedStatementQUERY:" + query); PreparedStatement stmt = conn.prepareStatement(query); ResultSet rs = stmt.executeQuery(); @@ -170,8 +170,8 @@ public boolean getCustomersStoredProc(String name, String pass) { query = "{call verifyuser(?,?,?)}"; c = conn.prepareCall(query); - c.setString(1, name); - c.setString(2, pass); + c.setString(1, "test"); + c.setString(2, "test"); c.registerOutParameter(3, Types.INTEGER); System.out.println("Multihub DB stored Proc being called"); System.out.println(query); diff --git a/src/main/java/com/endor/GetInputStreamTest.java b/src/main/java/com/endor/GetInputStreamTest.java index 2dfc795..be13f9b 100644 --- a/src/main/java/com/endor/GetInputStreamTest.java +++ b/src/main/java/com/endor/GetInputStreamTest.java @@ -1,11 +1,11 @@ package com.endor; -import javax.servlet.ServletException; -import javax.servlet.ServletInputStream; -import javax.servlet.annotation.WebServlet; -import javax.servlet.http.HttpServlet; -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; +import jakarta.servlet.ServletException; +import jakarta.servlet.ServletInputStream; +import jakarta.servlet.annotation.WebServlet; +import jakarta.servlet.http.HttpServlet; +import jakarta.servlet.http.HttpServletRequest; +import jakarta.servlet.http.HttpServletResponse; import java.io.IOException; import java.io.PrintWriter; diff --git a/src/main/java/com/endor/HelloController.java b/src/main/java/com/endor/HelloController.java new file mode 100644 index 0000000..9f26cda --- /dev/null +++ b/src/main/java/com/endor/HelloController.java @@ -0,0 +1,14 @@ +// package com.example.springboot; + +// import org.springframework.web.bind.annotation.GetMapping; +// import org.springframework.web.bind.annotation.RestController; + +// @RestController +// public class HelloController { + +// @GetMapping("/") +// public String index() { +// return "Greetings from Spring Boot!"; +// } + +// } \ No newline at end of file diff --git a/src/main/java/com/endor/HtmlUtil.java b/src/main/java/com/endor/HtmlUtil.java index 0004ee7..193a0fb 100644 --- a/src/main/java/com/endor/HtmlUtil.java +++ b/src/main/java/com/endor/HtmlUtil.java @@ -1,6 +1,6 @@ package com.endor; -import javax.servlet.http.HttpServletResponse; +import jakarta.servlet.http.HttpServletResponse; import java.io.PrintWriter; public class HtmlUtil { diff --git a/src/main/java/com/endor/HttpTrace.java b/src/main/java/com/endor/HttpTrace.java index 5f66184..7a626fe 100644 --- a/src/main/java/com/endor/HttpTrace.java +++ b/src/main/java/com/endor/HttpTrace.java @@ -3,12 +3,12 @@ import java.io.IOException; import java.io.PrintWriter; -import javax.servlet.ServletException; -import javax.servlet.annotation.WebServlet; -import javax.servlet.http.HttpServlet; -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; -import javax.servlet.http.HttpSession; +import jakarta.servlet.ServletException; +import jakarta.servlet.annotation.WebServlet; +import jakarta.servlet.http.HttpServlet; +import jakarta.servlet.http.HttpServletRequest; +import jakarta.servlet.http.HttpServletResponse; +import jakarta.servlet.http.HttpSession; /** * Servlet implementation class HttpTrace diff --git a/src/main/java/com/endor/Login.java b/src/main/java/com/endor/Login.java index 307ff32..84895c0 100644 --- a/src/main/java/com/endor/Login.java +++ b/src/main/java/com/endor/Login.java @@ -4,13 +4,13 @@ import java.io.PrintWriter; import java.util.HashMap; -import javax.servlet.ServletException; -import javax.servlet.annotation.WebServlet; -import javax.servlet.http.Cookie; -import javax.servlet.http.HttpServlet; -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; -import javax.servlet.http.HttpSession; +import jakarta.servlet.ServletException; +import jakarta.servlet.annotation.WebServlet; +import jakarta.servlet.http.Cookie; +import jakarta.servlet.http.HttpServlet; +import jakarta.servlet.http.HttpServletRequest; +import jakarta.servlet.http.HttpServletResponse; +import jakarta.servlet.http.HttpSession; @WebServlet("/clothing-shop/login") public class Login extends HttpServlet { diff --git a/src/main/java/com/endor/LoginSuccess.java b/src/main/java/com/endor/LoginSuccess.java index 9865b38..eb7d236 100644 --- a/src/main/java/com/endor/LoginSuccess.java +++ b/src/main/java/com/endor/LoginSuccess.java @@ -3,12 +3,12 @@ import java.io.IOException; import java.io.PrintWriter; -import javax.servlet.ServletException; -import javax.servlet.annotation.WebServlet; -import javax.servlet.http.Cookie; -import javax.servlet.http.HttpServlet; -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; +import jakarta.servlet.ServletException; +import jakarta.servlet.annotation.WebServlet; +import jakarta.servlet.http.Cookie; +import jakarta.servlet.http.HttpServlet; +import jakarta.servlet.http.HttpServletRequest; +import jakarta.servlet.http.HttpServletResponse; @WebServlet("/clothing-shop/LoginSuccess") public class LoginSuccess extends HttpServlet { diff --git a/src/main/java/com/endor/Logout.java b/src/main/java/com/endor/Logout.java index c50bb94..088e87b 100644 --- a/src/main/java/com/endor/Logout.java +++ b/src/main/java/com/endor/Logout.java @@ -1,11 +1,11 @@ package com.endor; -import javax.servlet.ServletException; -import javax.servlet.annotation.WebServlet; -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; -import javax.servlet.http.HttpSession; -import javax.servlet.http.HttpServlet; +import jakarta.servlet.ServletException; +import jakarta.servlet.annotation.WebServlet; +import jakarta.servlet.http.HttpServletRequest; +import jakarta.servlet.http.HttpServletResponse; +import jakarta.servlet.http.HttpSession; +import jakarta.servlet.http.HttpServlet; import java.io.IOException; @WebServlet("/clothing-shop/logout") diff --git a/src/main/java/com/endor/NewSQLExitServlet.java b/src/main/java/com/endor/NewSQLExitServlet.java index a8025db..ec0ad40 100644 --- a/src/main/java/com/endor/NewSQLExitServlet.java +++ b/src/main/java/com/endor/NewSQLExitServlet.java @@ -1,11 +1,11 @@ package com.endor; -import javax.servlet.ServletException; -import javax.servlet.annotation.WebServlet; -import javax.servlet.http.HttpServlet; -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; +import jakarta.servlet.ServletException; +import jakarta.servlet.annotation.WebServlet; +import jakarta.servlet.http.HttpServlet; +import jakarta.servlet.http.HttpServletRequest; +import jakarta.servlet.http.HttpServletResponse; import java.io.IOException; import java.io.PrintWriter; import java.sql.Connection; diff --git a/src/main/java/com/endor/OSCommandServlet.java b/src/main/java/com/endor/OSCommandServlet.java index 2339661..bb8d5f6 100644 --- a/src/main/java/com/endor/OSCommandServlet.java +++ b/src/main/java/com/endor/OSCommandServlet.java @@ -1,14 +1,14 @@ package com.endor; -import javax.servlet.ServletException; -import javax.servlet.annotation.WebServlet; -import javax.servlet.http.HttpServlet; -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; +import jakarta.servlet.ServletException; +import jakarta.servlet.annotation.WebServlet; +import jakarta.servlet.http.HttpServlet; +import jakarta.servlet.http.HttpServletRequest; +import jakarta.servlet.http.HttpServletResponse; import java.io.IOException; import java.io.PrintWriter; -@WebServlet(name = "ExecuteServlet") +@WebServlet(name = "ExecuteServletAlt") public class OSCommandServlet extends HttpServlet { protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { doGet(request, response); diff --git a/src/main/java/com/endor/RecordServlet.java b/src/main/java/com/endor/RecordServlet.java index 2d192aa..ec2459c 100644 --- a/src/main/java/com/endor/RecordServlet.java +++ b/src/main/java/com/endor/RecordServlet.java @@ -11,13 +11,13 @@ import java.sql.SQLException; import java.sql.Types; -import javax.servlet.ServletException; -import javax.servlet.annotation.WebServlet; -import javax.servlet.http.Cookie; -import javax.servlet.http.HttpServlet; -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; -import javax.servlet.http.HttpSession; +import jakarta.servlet.ServletException; +import jakarta.servlet.annotation.WebServlet; +import jakarta.servlet.http.Cookie; +import jakarta.servlet.http.HttpServlet; +import jakarta.servlet.http.HttpServletRequest; +import jakarta.servlet.http.HttpServletResponse; +import jakarta.servlet.http.HttpSession; @WebServlet("/clothing-shop/RecordServlet") diff --git a/src/main/java/com/endor/SecurePage.java b/src/main/java/com/endor/SecurePage.java index fb34bbb..92c88fa 100644 --- a/src/main/java/com/endor/SecurePage.java +++ b/src/main/java/com/endor/SecurePage.java @@ -1,10 +1,10 @@ package com.endor; -import javax.servlet.ServletException; -import javax.servlet.annotation.WebServlet; -import javax.servlet.http.HttpServlet; -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; +import jakarta.servlet.ServletException; +import jakarta.servlet.annotation.WebServlet; +import jakarta.servlet.http.HttpServlet; +import jakarta.servlet.http.HttpServletRequest; +import jakarta.servlet.http.HttpServletResponse; import java.io.IOException; import java.io.PrintWriter; diff --git a/src/main/java/com/endor/TypeSniff.java b/src/main/java/com/endor/TypeSniff.java index c97480a..c4f1a22 100644 --- a/src/main/java/com/endor/TypeSniff.java +++ b/src/main/java/com/endor/TypeSniff.java @@ -3,16 +3,16 @@ import java.io.IOException; import java.io.PrintWriter; -import javax.servlet.Filter; -import javax.servlet.FilterChain; -import javax.servlet.FilterConfig; -import javax.servlet.ServletException; -import javax.servlet.ServletRequest; -import javax.servlet.ServletResponse; -import javax.servlet.annotation.WebServlet; -import javax.servlet.http.HttpServlet; -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; +import jakarta.servlet.Filter; +import jakarta.servlet.FilterChain; +import jakarta.servlet.FilterConfig; +import jakarta.servlet.ServletException; +import jakarta.servlet.ServletRequest; +import jakarta.servlet.ServletResponse; +import jakarta.servlet.annotation.WebServlet; +import jakarta.servlet.http.HttpServlet; +import jakarta.servlet.http.HttpServletRequest; +import jakarta.servlet.http.HttpServletResponse; /** * Servlet implementation class TypeSniff diff --git a/src/main/java/com/endor/XmlXXE.java b/src/main/java/com/endor/XmlXXE.java index 4b98f90..a971589 100644 --- a/src/main/java/com/endor/XmlXXE.java +++ b/src/main/java/com/endor/XmlXXE.java @@ -1,11 +1,11 @@ package com.endor; -import javax.servlet.ServletException; -import javax.servlet.annotation.MultipartConfig; -import javax.servlet.annotation.WebServlet; -import javax.servlet.http.HttpServlet; -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; +import jakarta.servlet.ServletException; +import jakarta.servlet.annotation.MultipartConfig; +import jakarta.servlet.annotation.WebServlet; +import jakarta.servlet.http.HttpServlet; +import jakarta.servlet.http.HttpServletRequest; +import jakarta.servlet.http.HttpServletResponse; import java.io.BufferedReader; import java.io.ByteArrayInputStream; diff --git a/src/main/java/com/endor/stringsub.java b/src/main/java/com/endor/stringsub.java index 3e510b1..116313c 100644 --- a/src/main/java/com/endor/stringsub.java +++ b/src/main/java/com/endor/stringsub.java @@ -4,7 +4,8 @@ public class stringsub { public static void main(String... args) { final StringSubstitutor interpolator = StringSubstitutor.createInterpolator(); - String out = interpolator.replace("${script:javascript:java.lang.Runtime.getRuntime().exec('touch ./foo')}"); + // String out = interpolator.replace("${script:javascript:java.lang.Runtime.getRuntime().exec('touch ./foo')}"); + String out = "bababooy"; System.out.println(out); } } diff --git a/src/main/java/com/endor/wrapper/RequestWrapper1.java b/src/main/java/com/endor/wrapper/RequestWrapper1.java index 7f58d9b..f528b6f 100644 --- a/src/main/java/com/endor/wrapper/RequestWrapper1.java +++ b/src/main/java/com/endor/wrapper/RequestWrapper1.java @@ -1,7 +1,7 @@ package com.endor.wrapper; -import javax.servlet.ServletRequest; -import javax.servlet.ServletRequestWrapper; +import jakarta.servlet.ServletRequest; +import jakarta.servlet.ServletRequestWrapper; public class RequestWrapper1 extends ServletRequestWrapper { diff --git a/src/main/java/com/endor/wrapper/WrapperFilter.java b/src/main/java/com/endor/wrapper/WrapperFilter.java index 385905a..66c8153 100644 --- a/src/main/java/com/endor/wrapper/WrapperFilter.java +++ b/src/main/java/com/endor/wrapper/WrapperFilter.java @@ -1,6 +1,6 @@ package com.endor.wrapper; -import javax.servlet.*; +import jakarta.servlet.*; import java.io.IOException; import java.io.PrintWriter; diff --git a/src/main/java/com/endor/wrapper/WrapperServlet.java b/src/main/java/com/endor/wrapper/WrapperServlet.java index f92dfcd..f3f5b69 100644 --- a/src/main/java/com/endor/wrapper/WrapperServlet.java +++ b/src/main/java/com/endor/wrapper/WrapperServlet.java @@ -1,9 +1,9 @@ package com.endor.wrapper; -import javax.servlet.GenericServlet; -import javax.servlet.ServletException; -import javax.servlet.ServletRequest; -import javax.servlet.ServletResponse; +import jakarta.servlet.GenericServlet; +import jakarta.servlet.ServletException; +import jakarta.servlet.ServletRequest; +import jakarta.servlet.ServletResponse; import java.io.IOException; import java.io.PrintWriter;