Add 2 weak random test cases to this branch.

Dave Wichers · Dave Wichers · commit 437bcf7170bc · 2026-02-05T14:42:40.000-05:00
diff --git a/src/main/java/org/owasp/benchmark/testcode/Benchmark00898.java b/src/main/java/org/owasp/benchmark/testcode/Benchmark00898.java
@@ -0,0 +1,105 @@
+/**
+ * OWASP Benchmark Project v1.2
+ *
+ * <p>This file is part of the Open Web Application Security Project (OWASP) Benchmark Project. For
+ * details, please see <a
+ * href="https://owasp.org/www-project-benchmark/">https://owasp.org/www-project-benchmark/</a>.
+ *
+ * <p>The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms
+ * of the GNU General Public License as published by the Free Software Foundation, version 2.
+ *
+ * <p>The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+ * PURPOSE. See the GNU General Public License for more details.
+ *
+ * @author Nick Sanidas
+ * @created 2015
+ */
+package org.owasp.benchmark.testcode;
+
+import java.io.IOException;
+import javax.servlet.ServletException;
+import javax.servlet.annotation.WebServlet;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+@WebServlet(value = "/weakrand-01/Benchmark00898")
+public class Benchmark00898 extends HttpServlet {
+
+    private static final long serialVersionUID = 1L;
+
+    @Override
+    public void doGet(HttpServletRequest request, HttpServletResponse response)
+            throws ServletException, IOException {
+        doPost(request, response);
+    }
+
+    @Override
+    public void doPost(HttpServletRequest request, HttpServletResponse response)
+            throws ServletException, IOException {
+        response.setContentType("text/html;charset=UTF-8");
+
+        org.owasp.benchmark.helpers.SeparateClassRequest scr =
+                new org.owasp.benchmark.helpers.SeparateClassRequest(request);
+        String param = scr.getTheValue("Benchmark00898");
+
+        String bar = "";
+        if (param != null) {
+            bar =
+                    new String(
+                            org.apache.commons.codec.binary.Base64.decodeBase64(
+                                    org.apache.commons.codec.binary.Base64.encodeBase64(
+                                            param.getBytes())));
+        }
+
+        byte[] bytes = new byte[10];
+        new java.util.Random().nextBytes(bytes);
+        String rememberMeKey = org.owasp.esapi.ESAPI.encoder().encodeForBase64(bytes, true);
+
+        String user = "Byron";
+        String fullClassName = this.getClass().getName();
+        String testCaseNumber =
+                fullClassName.substring(fullClassName.lastIndexOf('.') + 1 + "Benchmark".length());
+        user += testCaseNumber;
+
+        String cookieName = "rememberMe" + testCaseNumber;
+
+        boolean foundUser = false;
+        javax.servlet.http.Cookie[] cookies = request.getCookies();
+        if (cookies != null) {
+            for (int i = 0; !foundUser && i < cookies.length; i++) {
+                javax.servlet.http.Cookie cookie = cookies[i];
+                if (cookieName.equals(cookie.getName())) {
+                    if (cookie.getValue().equals(request.getSession().getAttribute(cookieName))) {
+                        foundUser = true;
+                    }
+                }
+            }
+        }
+
+        if (foundUser) {
+            response.getWriter().println("Welcome back: " + user + "<br/>");
+        } else {
+            javax.servlet.http.Cookie rememberMe =
+                    new javax.servlet.http.Cookie(cookieName, rememberMeKey);
+            rememberMe.setSecure(true);
+            rememberMe.setHttpOnly(true);
+            rememberMe.setDomain(new java.net.URL(request.getRequestURL().toString()).getHost());
+            rememberMe.setPath(request.getRequestURI()); // i.e., set path to JUST this servlet
+            // e.g., /benchmark/sql-01/Benchmark01001
+            request.getSession().setAttribute(cookieName, rememberMeKey);
+            response.addCookie(rememberMe);
+            response.getWriter()
+                    .println(
+                            user
+                                    + " has been remembered with cookie: "
+                                    + rememberMe.getName()
+                                    + " whose value is: "
+                                    + rememberMe.getValue()
+                                    + "<br/>");
+        }
+
+        response.getWriter().println("Randomness java.util.Random.nextBytes() executed");
+    }
+}
diff --git a/src/main/java/org/owasp/benchmark/testcode/Benchmark00899.java b/src/main/java/org/owasp/benchmark/testcode/Benchmark00899.java
@@ -0,0 +1,116 @@
+/**
+ * OWASP Benchmark Project v1.2
+ *
+ * <p>This file is part of the Open Web Application Security Project (OWASP) Benchmark Project. For
+ * details, please see <a
+ * href="https://owasp.org/www-project-benchmark/">https://owasp.org/www-project-benchmark/</a>.
+ *
+ * <p>The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms
+ * of the GNU General Public License as published by the Free Software Foundation, version 2.
+ *
+ * <p>The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+ * PURPOSE. See the GNU General Public License for more details.
+ *
+ * @author Nick Sanidas
+ * @created 2015
+ */
+package org.owasp.benchmark.testcode;
+
+import java.io.IOException;
+import javax.servlet.ServletException;
+import javax.servlet.annotation.WebServlet;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+@WebServlet(value = "/weakrand-01/Benchmark00899")
+public class Benchmark00899 extends HttpServlet {
+
+    private static final long serialVersionUID = 1L;
+
+    @Override
+    public void doGet(HttpServletRequest request, HttpServletResponse response)
+            throws ServletException, IOException {
+        doPost(request, response);
+    }
+
+    @Override
+    public void doPost(HttpServletRequest request, HttpServletResponse response)
+            throws ServletException, IOException {
+        response.setContentType("text/html;charset=UTF-8");
+
+        org.owasp.benchmark.helpers.SeparateClassRequest scr =
+                new org.owasp.benchmark.helpers.SeparateClassRequest(request);
+        String param = scr.getTheValue("Benchmark00899");
+
+        String bar;
+        String guess = "ABC";
+        char switchTarget = guess.charAt(1); // condition 'B', which is safe
+
+        // Simple case statement that assigns param to bar on conditions 'A', 'C', or 'D'
+        switch (switchTarget) {
+            case 'A':
+                bar = param;
+                break;
+            case 'B':
+                bar = "bob";
+                break;
+            case 'C':
+            case 'D':
+                bar = param;
+                break;
+            default:
+                bar = "bob's your uncle";
+                break;
+        }
+
+        double value = new java.util.Random().nextDouble();
+        String rememberMeKey = Double.toString(value).substring(2); // Trim off the 0. at the front.
+
+        String user = "Donna";
+        String fullClassName = this.getClass().getName();
+        String testCaseNumber =
+                fullClassName.substring(fullClassName.lastIndexOf('.') + 1 + "Benchmark".length());
+        user += testCaseNumber;
+
+        String cookieName = "rememberMe" + testCaseNumber;
+
+        boolean foundUser = false;
+        javax.servlet.http.Cookie[] cookies = request.getCookies();
+        if (cookies != null) {
+            for (int i = 0; !foundUser && i < cookies.length; i++) {
+                javax.servlet.http.Cookie cookie = cookies[i];
+                if (cookieName.equals(cookie.getName())) {
+                    if (cookie.getValue().equals(request.getSession().getAttribute(cookieName))) {
+                        foundUser = true;
+                    }
+                }
+            }
+        }
+
+        if (foundUser) {
+            response.getWriter().println("Welcome back: " + user + "<br/>");
+        } else {
+            javax.servlet.http.Cookie rememberMe =
+                    new javax.servlet.http.Cookie(cookieName, rememberMeKey);
+            rememberMe.setSecure(true);
+            rememberMe.setHttpOnly(true);
+            rememberMe.setDomain(new java.net.URL(request.getRequestURL().toString()).getHost());
+            rememberMe.setPath(request.getRequestURI()); // i.e., set path to JUST this servlet
+            // e.g., /benchmark/sql-01/Benchmark01001
+            request.getSession().setAttribute(cookieName, rememberMeKey);
+            response.addCookie(rememberMe);
+            response.getWriter()
+                    .println(
+                            user
+                                    + " has been remembered with cookie: "
+                                    + rememberMe.getName()
+                                    + " whose value is: "
+                                    + rememberMe.getValue()
+                                    + "<br/>");
+        }
+
+        response.getWriter().println("Randomness java.util.Random.nextDouble() executed");
+    }
+}
