# benchmark1.2
**Repository Path**: zhang_ziqiang/benchmark1.2
## Basic Information
- **Project Name**: benchmark1.2
- **Description**: OWASP Benchmark 1.2 for test verification purposes. For the original OWASP Benchmark source code, see: https://github.com/OWASP-Benchmark/BenchmarkJava
- **Primary Language**: Java
- **License**: Apache-2.0
- **Default Branch**: master
- **Homepage**: None
- **GVP Project**: No
## Statistics
- **Stars**: 0
- **Forks**: 4
- **Created**: 2024-03-15
- **Last Updated**: 2024-07-11
## Categories & Tags
**Categories**: Uncategorized
**Tags**: None
## README
OWASP Benchmark 1.2 test suite
# Code processing
## Replace Base64
```
new String( new sun.misc.BASE64Decoder().decodeBuffer(
new sun.misc.BASE64Encoder().encode(
```
with
```
new String(java.util.Base64.getDecoder().decode(java.util.Base64.getEncoder().encodeToString(
```
## Group test cases by CWE and bad/good
Use: `sdong_testcase\src\test\java\sdong\testcase\benchmark\SplitBenchmarkByCweTest.java`.
# Test case summary
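issueType|Description|goodcase|badcase
-|-|-:|-:
CWE-22|Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)|135|133
CWE-327|Use of a Broken or Risky Cryptographic Algorithm|116|130
CWE-328|Reversible One-Way Hash|107|129
CWE-330|Use of Insufficiently Random Values|275|218
CWE-501|Trust Boundary Violation|43|83
CWE-614|Sensitive Cookie in HTTPS Session Without 'Secure' Attribute|31|36
CWE-643|Improper Neutralization of Data within XPath Expressions (XPath Injection)|20|15
CWE-78|Improper Neutralization of Special Elements used in an OS Command (OS Command Injection)|125|126
CWE-79|Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)|209|246
CWE-89|Improper Neutralization of Special Elements used in an SQL Command (SQL Injection)|232|272
CWE-90|Improper Neutralization of Special Elements used in an LDAP Query (LDAP Injection)|32|27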
```sql
-- benchmark summary
select a.issueType, b.nameCn description, a.goodcase, a.badcase
from (
    select t.issueType,
           sum(case when isflaw = 0 then 1 else 0 end) goodcase,
           sum(case when isflaw = 1 then 1 else 0 end) badcase
    from test_case_flaws f, test_case_flaw_type t
    where t.testCaseFlawsId = f.testCaseFlawsId
    group by t.issueType
) a, cwe b
where a.issueType = b.cweid
```