Fix two things:

1) URL Decode all getHeader() values since it doesn't do that by default, unlike getParameter() and all the other common sources.
2) Change the XSS test cases using headers to use the referer header, rather than a custom header. We feel an attacker could only affect
the referer header. An attacker would have to use an existing XSS vuln to affect a custom header.
These introduce minor changes in many different test cases.

Author: davewichers

runBenchmark_wContrast.bat

@@ -1,22 +1,22 @@
-@ECHO OFF
-IF EXIST tools\Contrast\contrast.jar (
-  IF EXIST tools\Contrast\working (
-        DEL /F /Q tools\Contrast\contrast.log
+@ECHO OFF
+IF EXIST tools\Contrast\contrast.jar (
+  IF EXIST tools\Contrast\working (
+        DEL \F \Q tools\Contrast\contrast.log
 
-        RMDIR /S /Q tools\Contrast\cache
+        RMDIR \S tools\Contrast\cache
 
-        ECHO ""
+        ECHO ""
 
-        ECHO "Previous Contrast results have been removed"
+        ECHO Previous Contrast results have been removed
 
-        ECHO ""
-    )
-    CALL mvn clean package cargo:run -Pdeploywcontrast
+        ECHO ""
+    )
+    CALL mvn clean package cargo:run -Pdeploywcontrast
 
-    ECHO "Copying Contrast reports to results directory"
+    ECHO Copying Contrast reports to results directory
 
     COPY tools\Contrast\working\contrast.log results\Benchmark_1.2beta-Contrast.log
-
-) ELSE (
-    ECHO "Contrast is a commercial product, so you need a licensed version of Contrast in order to run it on the Benchmark. If you have access to Contrast, download the Contrast Agent for Java (contrast.jar) from the Team Server and put it into the /tools/Contrast folder, and then rerun this script."
-)
+
+) ELSE (
+    ECHO Contrast is a commercial product, so you need a licensed version of Contrast in order to run it on the Benchmark. If you have access to Contrast, download the Contrast Agent for Java (contrast.jar) from the Team Server and put it into the /tools/Contrast folder, and then rerun this script.
+)

runBenchmark_wContrast.sh

@@ -20,6 +20,6 @@ if [ -f tools/Contrast/contrast.jar ]; then
 
 else 
 
-  echo "Given that Contrast is a commercial product, you have to have a licensed version of Contrast in order to run it on the Benchmark. If you have access to Contrast, download the Contrast Agent (contrast.jar) from the Team Server and put it into the /tools/Contrast folder, and then rerun this script."
+  echo "Contrast is a commercial product, so you need a licensed version of Contrast in order to run it on the Benchmark. If you have access to Contrast, download the Contrast Agent for Java (contrast.jar) from the Team Server and put it into the /tools/Contrast folder, and then rerun this script."
 
 fi

src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00005.java

@@ -44,7 +44,7 @@ public void doPost(HttpServletRequest request, HttpServletResponse response) thr
 
 		String param = request.getHeader("vector");
 		if (param == null) param = "";
-
+        param = java.net.URLDecoder.decode(param, "UTF-8");
 
 		// Code based on example from:
 		// http://examples.javacodegeeks.com/core-java/crypto/encrypt-decrypt-file-stream-with-des/

src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00006.java

@@ -44,7 +44,7 @@ public void doPost(HttpServletRequest request, HttpServletResponse response) thr
 
 		String param = request.getHeader("vector");
 		if (param == null) param = "";
-
+        param = java.net.URLDecoder.decode(param, "UTF-8");
 
 		java.util.List<String> argList = new java.util.ArrayList<String>();
 

src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00007.java

@@ -44,6 +44,7 @@ public void doPost(HttpServletRequest request, HttpServletResponse response) thr
 
 		String param = request.getHeader("vector");
 		if (param == null) param = "";
+        param = java.net.URLDecoder.decode(param, "UTF-8");
 
 
 		String cmd = org.owasp.benchmark.helpers.Utils.getInsecureOSCommandString(this.getClass().getClassLoader());

src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00008.java

@@ -44,7 +44,7 @@ public void doPost(HttpServletRequest request, HttpServletResponse response) thr
 
 		String param = request.getHeader("vector");
 		if (param == null) param = "";
-
+        param = java.net.URLDecoder.decode(param, "UTF-8");
 
 		String sql = "{call " + param + "}";
 

src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00011.java

@@ -47,6 +47,7 @@ public void doPost(HttpServletRequest request, HttpServletResponse response) thr
 		if (headers.hasMoreElements()) {
 			param = headers.nextElement(); // just grab first element
 		}
+        param = java.net.URLDecoder.decode(param, "UTF-8");
 
 
 		java.io.File fileTarget = new java.io.File(param, "/Test.txt");

src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00012.java

@@ -47,6 +47,7 @@ public void doPost(HttpServletRequest request, HttpServletResponse response) thr
 		if (headers.hasMoreElements()) {
 			param = headers.nextElement(); // just grab first element
 		}
+        param = java.net.URLDecoder.decode(param, "UTF-8");
 
 
 	org.owasp.benchmark.helpers.LDAPManager ads = new org.owasp.benchmark.helpers.LDAPManager();

src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00013.java

@@ -43,11 +43,11 @@ public void doPost(HttpServletRequest request, HttpServletResponse response) thr
 
 
 		String param = "";
-		java.util.Enumeration<String> headers = request.getHeaders("vector");
+		java.util.Enumeration<String> headers = request.getHeaders("referer");
 		if (headers.hasMoreElements()) {
 			param = headers.nextElement(); // just grab first element
 		}
-
+        param = java.net.URLDecoder.decode(param, "UTF-8");
 
 		Object[] obj = { "a", "b" };
 		response.getWriter().format(java.util.Locale.US,param,obj);

src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00014.java

@@ -43,11 +43,11 @@ public void doPost(HttpServletRequest request, HttpServletResponse response) thr
 
 
 		String param = "";
-		java.util.Enumeration<String> headers = request.getHeaders("vector");
+		java.util.Enumeration<String> headers = request.getHeaders("referer");
 		if (headers.hasMoreElements()) {
 			param = headers.nextElement(); // just grab first element
 		}
-
+        param = java.net.URLDecoder.decode(param, "UTF-8");
 
 		Object[] obj = { "a", "b" };
 		response.getWriter().format(param,obj);