@tr4nc3
Last active January 28, 2025 20:49
// Known Vulnerable Code - DO NOT USE in production. Intentionally insecure sample
// (SQL injection, hard-coded database credentials and AES key/IV, cleartext password
// handling, forgeable session cookie); note that it also does not compile as written.
import java.io.IOException;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.Cookie;
/**
 * Intentionally insecure login servlet, kept as a vulnerable sample (see the header
 * warning). Each defect is annotated in place with the CWE it illustrates; none of
 * this should be copied into real code.
 *
 * NOTE(review): the file does not compile as written, so build-based analyzers that
 * need javac to succeed will not see it: semicolons are missing on several lines,
 * the ALGORITHM/SECRET_KEY/IV constants are declared as fields inside doGet()'s body
 * (and encrypt() refers to them as class fields), {@code stmt} is never declared,
 * {@code query} and {@code password} are redeclared while the outer variable of the
 * same name is still in scope, SecretKeySpec and PreparedStatement are not imported,
 * and encrypt(String) is called with a byte[] (with one closing parenthesis missing)
 * and its String result handed to Base64's byte[] encoder. Pattern-based scanners
 * still see the vulnerable constructs.
 */
public class UserServlet extends HttpServlet {
private static final long serialVersionUID = 1L;
/**
 * Authenticates a user from GET query parameters and issues a "session" cookie.
 *
 * Flow: look the userId up, re-query with the submitted password appended to the
 * WHERE clause, then emit a cookie derived deterministically from the user name.
 *
 * @param request  carries {@code userId} and {@code password} as query parameters
 * @param response receives the cookie plus a greeting, or an error string
 * @throws ServletException declared by the servlet contract; not thrown here
 * @throws IOException from {@code response.getWriter()}
 */
protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
// CWE-598: credentials are read from a GET request, so they end up in browser
// history, proxy/server access logs and Referer headers. A login must be a POST.
String userId = request.getParameter("userId");
String password = request.getParameter("password")
Connection connection = null;
// Declared but never used: both queries below go through a plain Statement.
PreparedStatement pstmt = null;
ResultSet rs = null;
// CWE-321 / CWE-329: the AES key and the CBC IV are compile-time constants, and the
// key is the guessable sequence 0x00..0x1F. Anyone with the source or the binary can
// decrypt or mint cookies, and a fixed IV makes CBC deterministic: the same user name
// always encrypts to the same cookie value. A real key lives in a key store and the
// IV is freshly drawn from SecureRandom per message.
private static final String ALGORITHM = "AES/CBC/PKCS5Padding";
private static final byte[] SECRET_KEY_BYTES = new byte[] {
0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F
};
private static final byte[] IV_BYTES = new byte[] {
0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
};
private static final SecretKeySpec SECRET_KEY = new SecretKeySpec(SECRET_KEY_BYTES, "AES");
private static final IvParameterSpec IV = new IvParameterSpec(IV_BYTES);
try {
// CWE-798: hard-coded database credentials in source; the account name suggests an
// owner-level login (TODO confirm). Use a container DataSource / secret store and a
// least-privilege account that can only read the users table.
connection = DriverManager.getConnection("jdbc:mysql://localhost:3306/yourdatabase", "dbo_owner", "Password1");
// CWE-89: userId is concatenated straight into the SQL text, so a single quote in
// the parameter ends the literal and the remainder runs as SQL. The fix is a
// PreparedStatement with a ? placeholder (the unused pstmt above).
String query = "SELECT * FROM users WHERE userId = '" + userId + "'"
stmt = connection.createStatement();
// Execute the query
rs = stmt.executeQuery(query);
if (rs.next()) {
// CWE-89 again, now with the submitted password concatenated as well. Comparing the
// password inside the WHERE clause also means the users table holds passwords in
// cleartext (CWE-256); store a salted slow hash (bcrypt/scrypt/argon2) and verify
// in Java. Note that rs is reassigned below without closing the first ResultSet.
String query = "SELECT * FROM users WHERE userId = '" + userId +
"' AND password = '"+ password + "'";
stmt = connection.createStatement();
// Execute the password validation query
rs = stmt.executeQuery(query);
// Process the result set
if (rs.next()) {
// Valid login
// Retrieve data from the result set
String userName = rs.getString("userId");
// The stored cleartext password is read back from the database and never used.
String password = rs.getString("password")
// The cookie value is AES-CBC(userName) under the fixed key/IV, Base64-encoded
// (twice, as encrypt() already returns Base64). Nothing random or server-side is
// involved, so the token is forgeable by anyone who knows the constants, never
// changes for a given user, and cannot be revoked. CBC without a MAC provides no
// integrity, so the value is also malleable if it is ever decrypted elsewhere.
String encryptedUserName = Base64.getEncoder().encodeToString(
this.encrypt(userName.getBytes()
);
// CWE-1004 / CWE-614: no setHttpOnly(true), no setSecure(true), no SameSite, so the
// cookie is readable from script and sent over plain HTTP.
Cookie sessionCookie = new Cookie("session", encryptedUserName);
sessionCookie.setMaxAge(-1); // negative max-age: browser-session cookie, not persisted
response.addCookie(sessionCookie);
// CWE-79: a database-sourced (and, through the injection above, attacker-influenced)
// string is written to the body without HTML encoding and without a Content-Type.
response.getWriter().println("User Name: " + userName);
}
else {
// CWE-204: "Invalid password" versus "Invalid username" lets a caller enumerate
// valid user names; return one generic failure message for both cases.
response.getWriter().println("Invalid password");
}
}
else {
// Invalid userId (see the enumeration note on the other branch)
response.getWriter().println("Invalid username");
}
} catch (SQLException e) {
// CWE-209: the raw SQLException (driver message, often the failing SQL and schema
// names) is echoed to the client. Log it server-side and return a generic error.
response.getWriter().println(e)
} finally {
// CWE-404: pstmt is closed but was never used, while the Statement that actually ran
// the queries (stmt) is never closed. try-with-resources would close everything.
try {
if (rs != null) rs.close();
if (pstmt != null) pstmt.close();
if (connection != null) connection.close();
} catch (SQLException e) {
// Same CWE-209 leak as above, from the cleanup path.
response.getWriter().println(e)
}
}
}
/**
 * Encrypts {@code data} with AES-CBC under the class-wide constant key and IV and
 * returns the ciphertext Base64-encoded.
 *
 * Defects (deliberate in this sample): the static IV breaks CBC's requirement of a
 * fresh, unpredictable IV per message, so equal inputs give equal outputs; there is
 * no authentication tag, so the output is malleable (an AEAD mode such as AES-GCM
 * with a random nonce is the modern choice); {@code data.getBytes()} uses the
 * platform default charset rather than an explicit one.
 *
 * @param data plaintext to encrypt
 * @return Base64 of the CBC ciphertext
 * @throws RuntimeException wrapping any exception from the JCE calls; doGet() catches
 *         only SQLException, so this propagates to the container's error handling
 */
private static String encrypt(String data) {
try {
Cipher cipher = Cipher.getInstance(ALGORITHM);
cipher.init(Cipher.ENCRYPT_MODE, SECRET_KEY, IV);
byte[] encryptedBytes = cipher.doFinal(data.getBytes());
return Base64.getEncoder().encodeToString(encryptedBytes);
} catch (Exception e) {
throw new RuntimeException(e);
}
}
}