if (php_sapi_name() === 'cli') {
    exit('ERROR: This script must be run from the browser.' . PHP_EOL);
}

// Bootstrap ESAPI from the test configuration, then buffer all output until the
// page has been assembled. The session must exist before the checklist below
// can be read from or stored into it.
$ESAPI = new ESAPI(__DIR__ . '/testresources/ESAPI.xml');
ob_start();
session_start();

$view = '';

// The test checklist is kept in the session *by reference*: results appended to
// $tests later in this script (e.g. " - DONE") are therefore written straight
// back into $_SESSION['tests'] and survive into the next request.
if (isset($_SESSION['tests'])) {
    $tests =& $_SESSION['tests'];
} else {
    $tests = [
        'csi'    => 'changeSessionIdentifier',
        'token'  => 'verifyCSRFToken',
        'cookie' => 'killAllCookies (incl. killCookie)',
        'log'    => 'logHTTPRequest',
        'logo'   => 'logHTTPRequestObfuscate',
    ];
    $_SESSION['tests'] =& $tests;
}

$util = ESAPI::getHTTPUtilities();
$req = new SafeRequest();
// The request URI is reflected into the page later, so it is HTML-encoded once
// here rather than at every use site.
$uri = ESAPI::getEncoder()->encodeForHTML($req->getRequestURI());
if ($req->getParameter('req') == 'test1') {
    try {
        $util->verifyCSRFToken($req);
        $view .= '<p>Your Request contained the CSRF token we have in your session. Good!</p>';
    } catch (IntrusionException $e) {
        $view .= '<p>Your Request did NOT contain the CSRF token we have in your session. Did you tamper??</p>';
    }
    $tests['token'] .= ' - DONE';
    $oldSessID = session_id();
    $sr = $util->changeSessionIdentifier();
    if ($sr === true) {
        $view .= '<p>Your session was regenerated. ID went from: ';
        $view .= ESAPI::getEncoder()->encodeForHTML($oldSessID);
        $view .= ' to: ';
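 /**
  * Format the source IP address, HTTP method, URL, URL parameters and all form
  * parameters into a single line suitable for the audit log, and write it at
  * INFO level to the Auditor::SECURITY event type.
  *
  * Parameters whose names appear in $paramsToObfuscate are logged as
  * "name=********" so that credentials, tokens and similar secrets never reach
  * the log. A NULL or empty list means every parameter is logged in the clear.
  * If HTTP request logging is done in a central place, $paramsToObfuscate could
  * be made a configuration parameter; it is a method argument here so that
  * different parts of the application can obfuscate different parameters.
  *
  * Caveats a caller should be aware of:
  *  - Every cookie except the session cookie (session_name()) is appended to the
  *    line in the clear; $paramsToObfuscate is NOT applied to cookie values.
  *  - Parameter and cookie values are copied into the line as received. Any
  *    neutralisation of line breaks / control characters is left to the Auditor
  *    implementation; confirm that before pointing this at a plain-text sink.
  *
  * @param SafeRequest $request           Current Request object.
  * @param Auditor     $auditor           The auditor to write the request to.
  * @param array|NULL  $paramsToObfuscate Names of the sensitive parameters.
  *
  * @return void
  *
  * @throws InvalidArgumentException if $request is not a SafeRequest, $auditor
  *                                  is not an Auditor, or $paramsToObfuscate is
  *                                  neither an array nor NULL.
  */
 public function logHTTPRequestObfuscate($request, $auditor, $paramsToObfuscate)
 {
     if (!($request instanceof SafeRequest)) {
         throw new InvalidArgumentException('logHTTPRequestObfuscate expects an instance of SafeRequest.');
     }
     if (!($auditor instanceof Auditor)) {
         throw new InvalidArgumentException('logHTTPRequestObfuscate expects an instance of Auditor.');
     }
     if ($paramsToObfuscate === null) {
         $paramsToObfuscate = [];
     } elseif (!is_array($paramsToObfuscate)) {
         throw new InvalidArgumentException('logHTTPRequestObfuscate expects an array $paramsToObfuscate or null.');
     }

     // Line prefix is "<remote addr> <method> <path>"; a separator is only added
     // when something precedes it, so empty components do not leave stray spaces.
     $msg = '';
     $msg .= $request->getRemoteAddr();
     if ($msg !== '') {
         $msg .= ' ';
     }
     $msg .= $request->getMethod();
     if ($msg !== '') {
         $msg .= ' ';
     }
     $path = $request->getRequestURI() . $request->getPathInfo();
     $msg .= $path;

     $params = $request->getParameterMap();
     if ($path !== '' && count($params) > 0) {
         $msg .= '?';
     } elseif ($msg !== '') {
         $msg .= ' ';
     }

     $paramBuilder = [];
     foreach ($params as $pName => $pValues) {
         // PHP converts numeric-string array keys to ints. Cast back to string so
         // the strict in_array() still matches a name such as "1234" listed in
         // $paramsToObfuscate; otherwise that parameter would be logged in the clear.
         $name = (string) $pName;
         $obfuscate = in_array($name, $paramsToObfuscate, true);
         foreach ($pValues as $pval) {
             // Strict check: a literal "0" is a real value and must be logged,
             // which a loose == '' comparison does not guarantee.
             if ($pval === null || $pval === '') {
                 $paramBuilder[] = $name;
             } elseif ($obfuscate) {
                 $paramBuilder[] = "{$name}=********";
             } else {
                 $paramBuilder[] = "{$name}={$pval}";
             }
         }
     }
     $msg .= implode('&', $paramBuilder);

     // Cookies are appended as "+name=value". The session cookie is skipped so
     // the session identifier itself never lands in the log.
     $sessName = session_name();
     foreach ($request->getCookies() as $cName => $cValue) {
         if ($cName !== $sessName) {
             $msg .= "+{$cName}={$cValue}";
         }
     }

     $auditor->info(Auditor::SECURITY, true, $msg);
 }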
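 /**
  * Test of SafeRequest::getServerGlobal() with valid input.
  *
  * A percent-encoded PHP_SELF ('/foo%2fbar') supplied through the 'env' array
  * must come back from getServerGlobal() as the decoded string '/foo/bar'.
  *
  * @return void
  */
 public function testGetServerGlobalInputValid()
 {
     $req = new SafeRequest(['env' => ['PHP_SELF' => '/foo%2fbar']]);
     $result = $req->getServerGlobal('PHP_SELF');
     $this->assertInternalType('string', $result);
     $this->assertEquals('/foo/bar', $result);
 }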