Add a servlet that allows session fixation attaks

src/main/java/org/t246osslab/easybuggy/core/filters/AuthenticationFilter.java

@@ -63,7 +63,9 @@ public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                 session = request.getSession(true);
                 session.setAttribute("target", target);
                 if (loginType == null) {
-                    response.sendRedirect("/login" + queryString);
+                    response.sendRedirect(response.encodeRedirectURL("/login" + queryString));
+                } else if ("sessionfixation".equals(loginType)) {
+                    response.sendRedirect(response.encodeRedirectURL("/" + loginType + "/login" + queryString));
                 } else {
                     response.sendRedirect("/" + loginType + "/login" + queryString);
                 }

src/main/java/org/t246osslab/easybuggy/core/servlets/AdminsMainServlet.java

@@ -21,11 +21,14 @@ protected void doGet(HttpServletRequest req, HttpServletResponse res) throws Ser
         StringBuilder bodyHtml = new StringBuilder();
         bodyHtml.append(MessageUtils.getMsg("msg.admin.page.top", locale));
         bodyHtml.append("<br><br>");
-        bodyHtml.append("<a href=\"/uid/serverinfo.jsp\">" + MessageUtils.getMsg("section.server.info", locale) + "</a>");
+        bodyHtml.append("<a href=\"" + res.encodeURL("/uid/serverinfo.jsp") + "\">"
+                + MessageUtils.getMsg("section.server.info", locale) + "</a>");
         bodyHtml.append("<br><br>");
-        bodyHtml.append("<a href=\"/admins/csrf\">" + MessageUtils.getMsg("section.change.password", locale) + "</a>");
+        bodyHtml.append("<a href=\"" + res.encodeURL("/admins/csrf") + "\">"
+                + MessageUtils.getMsg("section.change.password", locale) + "</a>");
         bodyHtml.append("<br><br>");
-        bodyHtml.append("<a href=\"/admins/clickjacking\">" + MessageUtils.getMsg("section.change.mail", locale) + "</a>");
+        bodyHtml.append("<a href=\"" + res.encodeURL("/admins/clickjacking") + "\">"
+                + MessageUtils.getMsg("section.change.mail", locale) + "</a>");
         HTTPResponseCreator.createSimpleResponse(req, res, MessageUtils.getMsg("title.admins.main.page", locale),
                 bodyHtml.toString());
     }

src/main/java/org/t246osslab/easybuggy/vulnerabilities/SessionFixationServlet.java

@@ -0,0 +1,20 @@
+package org.t246osslab.easybuggy.vulnerabilities;
+
+import java.io.IOException;
+
+import javax.servlet.ServletException;
+import javax.servlet.annotation.WebServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.t246osslab.easybuggy.core.servlets.DefaultLoginServlet;
+
+@SuppressWarnings("serial")
+@WebServlet(urlPatterns = { "/sessionfixation/login" })
+public class SessionFixationServlet extends DefaultLoginServlet {
+
+    public void doGet(HttpServletRequest req, HttpServletResponse res) throws IOException, ServletException {
+        req.setAttribute("login.page.note", "msg.note.session.fixation");
+        super.doGet(req, res);
+    }
+}

src/main/resources/indexpage_en.properties

@@ -85,6 +85,8 @@ function.name.open.redirect=Login page that allows Open Redirect
 function.description.open.redirect=There is an open redirect vulnerability in this login page.
 function.name.brute.force=Login page that allows brute-force attacks
 function.description.brute.force=This login page is vulnerable for brute-force attack because it does not have an account lock mechanism.
+function.name.session.fixation=Login page that allows session fixation attacks
+function.description.session.fixation=This login page is vulnerable for session fixation attack.
 function.name.verbose.error.message=Verbose Authentication Error Messages
 function.description.verbose.error.message=It is easy to guess an account who can logs in because authentication error messages on this page are too detailed.
 function.name.dangerous.file.inclusion=Dangerous File Inclusion

src/main/resources/indexpage_ja.properties

@@ -85,6 +85,8 @@ function.name.open.redirect=\u30aa\u30fc\u30d7\u30f3\u30ea\u30c0\u30a4\u30ec\u30
 function.description.open.redirect=\u3053\u306e\u30ed\u30b0\u30a4\u30f3\u30da\u30fc\u30b8\u306b\u306f\u30aa\u30fc\u30d7\u30f3\u30ea\u30c0\u30a4\u30ec\u30af\u30c8\u306e\u8106\u5f31\u6027\u304c\u3042\u308a\u307e\u3059\u3002
 function.name.brute.force=\u30d6\u30eb\u30fc\u30c8\u30d5\u30a9\u30fc\u30b9\u653b\u6483\u53ef\u80fd\u306a\u30ed\u30b0\u30a4\u30f3\u753b\u9762
 function.description.brute.force=\u3053\u306e\u30ed\u30b0\u30a4\u30f3\u30da\u30fc\u30b8\u306b\u306f\u30a2\u30ab\u30a6\u30f3\u30c8\u30ed\u30c3\u30af\u304c\u7121\u3044\u305f\u3081\u3001\u30d6\u30eb\u30fc\u30c8\u30d5\u30a9\u30fc\u30b9\u653b\u6483\u306b\u5bfe\u3057\u3066\u306e\u8106\u5f31\u3067\u3059\u3002
+function.name.session.fixation=\u30bb\u30c3\u30b7\u30e7\u30f3\u56fa\u5b9a\u653b\u6483\u53ef\u80fd\u306a\u30ed\u30b0\u30a4\u30f3\u753b\u9762
+function.description.session.fixation=\u3053\u306e\u30ed\u30b0\u30a4\u30f3\u30da\u30fc\u30b8\u306b\u306f\u30bb\u30c3\u30b7\u30e7\u30f3\u56fa\u5b9a\u653b\u6483\u306e\u8106\u5f31\u6027\u304c\u3042\u308a\u307e\u3059\u3002
 function.name.verbose.error.message=\u89aa\u5207\u904e\u304e\u308b\u8a8d\u8a3c\u30a8\u30e9\u30fc\u30e1\u30c3\u30bb\u30fc\u30b8
 function.description.verbose.error.message=\u3053\u306e\u30ed\u30b0\u30a4\u30f3\u30da\u30fc\u30b8\u306e\u30a8\u30e9\u30fc\u30e1\u30c3\u30bb\u30fc\u30b8\u306f\u89aa\u5207\u904e\u304e\u308b\u305f\u3081\u3001ID\u3068\u30d1\u30b9\u30ef\u30fc\u30c9\u304c\u63a8\u6e2c\u3055\u308c\u308b\u53ef\u80fd\u6027\u304c\u9ad8\u3044\u3067\u3059\u3002
 function.name.dangerous.file.inclusion=\u5371\u967a\u306a\u30d5\u30a1\u30a4\u30eb\u30a4\u30f3\u30af\u30eb\u30fc\u30c9

src/main/resources/messages_en.properties

@@ -125,6 +125,8 @@ msg.note.enter.decimal.value=Loss of trailing digits occurs if you enter 0.00000
 msg.note.enter.runtime.exec=If you enter <code>@Runtime@getRuntime().exec('rm -fr /your-important-dir/')</code> , then your important directory is removed on your server.
 msg.note.not.use.ext.db=Database connection leak occurs if using an external RDBMS such as MySQL. Please edit application.properties if using an external RDBMS.
 msg.note.positive.number=Integer overflow occurs if you enter a number greater than or equal to 63.
+msg.note.session.fixation=You can login with <code>admin</code> and <code>password</code>. \
+The URL rewriting feature works on this page in order to support clients that cannot use cookie, so the session fixation attack is possible.
 msg.note.slow.regular.expression=If you enter string to <code>aaaaaaaaaaaaaaaaaaaaaaaaaaaaa\u3042</code>, parse processing will take several tens of seconds<br> \
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;If you enter string to <code>aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\u3042</code>, then ...
 msg.note.slow.string.plus.operation=If you enter a large number then the processing will take several tens of seconds because the string is created by "+" (plus) operator.

src/main/resources/messages_ja.properties

@@ -134,6 +134,8 @@ msg.note.ldap.injection=<code>admin</code> \u3068 <code>password</code>\u3092\u5
 msg.note.mail.header.injection=\u30d6\u30e9\u30a6\u30b6\u306e\u958b\u767a\u8005\u30e2\u30fc\u30c9\u3067\u4ef6\u540d\u306einput\u30bf\u30b0\u306etype\u5c5e\u6027\u3092textarea\u306b\u5909\u66f4\u3057\u3001\u300c[\u4efb\u610f\u4ef6\u540d][\u6539\u884c]Bcc: [\u4efb\u610f\u30e1\u30fc\u30eb\u30a2\u30c9\u30ec\u30b9]\u300d\u3092\u5165\u529b\u3057\u3066\u9001\u4fe1\u3059\u308b\u3068\u3001[\u4efb\u610f\u30e1\u30fc\u30eb\u30a2\u30c9\u30ec\u30b9]\u306b\u30e1\u30fc\u30eb\u3092\u9001\u4fe1\u3067\u304d\u307e\u3059\u3002
 msg.note.mojibake=\u6587\u5b57\u5217\u306b\u65e5\u672c\u8a9e\u3092\u5165\u529b\u3059\u308b\u3068\u3001\u6587\u5b57\u5316\u3051\u304c\u767a\u751f\u3057\u307e\u3059\u3002
 msg.note.null.byte.injection=\u30d0\u30fc\u30b8\u30e7\u30f31.7.0_40\u3088\u308a\u524d\u306eJava\u3092\u4f7f\u7528\u3057\u3066\u3044\u308b\u5834\u5408\u3001\u30af\u30a8\u30ea\u30b9\u30c8\u30ea\u30f3\u30b0\u306b <code>fileName=../WEB-INF/web.xml%00</code> \u3092\u4ed8\u52a0\u3059\u308b\u3068\u3001web.xml\u306e\u5185\u5bb9\u3092\u542b\u3080\u30d5\u30a1\u30a4\u30eb\u304c\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\u3067\u304d\u307e\u3059\u3002
+msg.note.session.fixation=<code>admin</code> \u3068 <code>password</code>\u3092\u5165\u529b\u3059\u308b\u3068\u3001\u30ed\u30b0\u30a4\u30f3\u3067\u304d\u307e\u3059\u3002\
+\u3053\u306e\u30da\u30fc\u30b8\u3067\u306fCookie\u3092\u6271\u3048\u306a\u3044\u30af\u30e9\u30a4\u30a2\u30f3\u30c8\u3092\u30b5\u30dd\u30fc\u30c8\u3059\u308b\u76ee\u7684\u3067URL\u30ea\u30e9\u30a4\u30c8\u304c\u6a5f\u80fd\u3057\u307e\u3059\u3002\u305d\u308c\u306b\u3088\u308a\u3001\u30bb\u30c3\u30b7\u30e7\u30f3\u56fa\u5b9a\u653b\u6483\u304c\u53ef\u80fd\u3068\u306a\u3063\u3066\u3044\u307e\u3059\u3002
 msg.note.slow.regular.expression=\u6587\u5b57\u5217\u306b <code>aaaaaaaaaaaaaaaaaaaaaaaaaaaaa\u3042</code> \u3092\u5165\u529b\u3059\u308b\u3068\u3001\u69cb\u6587\u89e3\u6790\u306b\u6570\u5341\u79d2\u304b\u308a\u307e\u3059\u3002<br> \
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;\u6587\u5b57\u5217\u306b <code>aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\u3042</code> \u3092\u5165\u529b\u3059\u308b\u3068...
 msg.note.slow.string.plus.operation=+(\u30d7\u30e9\u30b9)\u6f14\u7b97\u5b50\u3067\u6587\u5b57\u5217\u3092\u9023\u7d50\u3057\u3066\u3044\u308b\u305f\u3081\u3001\u5927\u304d\u306a\u6587\u5b57\u6570\u3092\u5165\u529b\u3059\u308b\u3068\u3001\u6587\u5b57\u5217\u751f\u6210\u306b\u6570\u5341\u79d2\u304b\u308a\u307e\u3059\u3002

src/main/webapp/index.jsp

@@ -183,6 +183,11 @@
 						key="function.name.brute.force" /></a>:
 				<fmt:message key="function.description.brute.force" />
 			</p></li>
+		<li><p>
+				<a href=<%=response.encodeURL("admins/main?logintype=sessionfixation")%>><fmt:message
+						key="function.name.session.fixation" /></a>:
+				<fmt:message key="function.description.session.fixation" />
+			</p></li>
 		<li><p>
 				<a href="admins/main?logintype=verbosemsg"><fmt:message
 						key="function.name.verbose.error.message" /></a>: