adding comments

omursahin · omursahin · commit 1decb605286c · 2025-05-13T13:50:06.000+02:00
diff --git a/core/src/main/kotlin/org/evomaster/core/problem/rest/oracle/RestSecurityOracle.kt b/core/src/main/kotlin/org/evomaster/core/problem/rest/oracle/RestSecurityOracle.kt
@@ -77,11 +77,21 @@ object RestSecurityOracle {
             }
         }
 
+        /**
+         * Check if there is any protected resource (i.e., one that returns 403 or 401 when accessed without proper authorization),
+         * but the same resource is also accessible without any authentication.
+         */
+
         val a403 = actionsWithResults.filter {
             (actionResults.find { r -> r.sourceLocalId == it.getLocalId() } as RestCallResult)
                 .getStatusCode() == 403
         }
 
+        val a401 = actionsWithResults.filter {
+            (actionResults.find { r -> r.sourceLocalId == it.getLocalId() } as RestCallResult)
+                .getStatusCode() == 401
+        }
+
         val a200 = actionsWithResults.filter {
             (actionResults.find { r -> r.sourceLocalId == it.getLocalId() } as RestCallResult)
                 .getStatusCode() == 200
@@ -90,7 +100,7 @@ object RestSecurityOracle {
             it.auth is NoAuth
         }
 
-        return a403.isNotEmpty() && a200.isNotEmpty()
+        return (a403.isNotEmpty() || a401.isNotEmpty()) && a200.isNotEmpty()
     }
 
     fun hasExistenceLeakage(
diff --git a/core/src/main/kotlin/org/evomaster/core/problem/rest/service/SecurityRest.kt b/core/src/main/kotlin/org/evomaster/core/problem/rest/service/SecurityRest.kt
@@ -604,7 +604,16 @@ class SecurityRest {
 
 
     /**
-     * Check if there is a test case with a 403 and another one with a 200 without authentication
+     * Check if there is a test case with a 403 and another one with a 200 without authentication.
+     * To check this, a resource must first be created (PUT or POST). While the user who created this
+     * resource can access it (200), the other user cannot (403). However, if a 200 status code is
+     * returned when attempting to access the same resource without sending the authorization header,
+     * it indicates that the authorization has been forgotten.
+     * Example:
+     * POST /resources/ AUTH1 -> 201 (location header: /resources/42/)
+     * GET /resources/42/ AUTH1 -> 200
+     * GET /resources/42/ AUTH2 -> 403
+     * GET /resources/42/ AUTH1 -> 200
      */
     private fun handleForbiddenAuthentication(){
         actionDefinitions.forEach { op ->
@@ -623,7 +632,6 @@ class SecurityRest {
                 it.individual.copy()
             }.forEach { ind ->
 
-                //add get request without any auth
                 val copyLast = ind.seeMainExecutableActions().last().copy() as RestCallAction
 
                 if(copyLast.verb != HttpVerb.GET)
diff --git a/wfc/src/main/java/com/webfuzzing/commons/faults/FaultCategory.java b/wfc/src/main/java/com/webfuzzing/commons/faults/FaultCategory.java
@@ -48,7 +48,7 @@ public enum FaultCategory {
     SECURITY_FORBIDDEN_PUT(803, "Forbidden Replacement But Allowed Modifications", "forbidsReplacementButAllowsModifications"),
     SECURITY_FORBIDDEN_PATCH(804, "Forbidden Updates But Allowed Modifications", "forbidsUpdatesButAllowsModifications"),
     SECURITY_ALLOW_MODIFICATION_BY_ALL(805, "Resource Created By An User Can Be Modified By All Other Users", "createdResourceCanBeModifiedByEveryone"),
-    SECURITY_FORGOTTEN_AUTHENTICATION(806, "Forgotten Authentication", "forgottenAuthentication")
+    SECURITY_FORGOTTEN_AUTHENTICATION(806, "A Protected Resource Is Accessible Without Providing Any Authentication", "forgottenAuthentication")
 
     //9xx: undefined
     ;

Original file line number	Diff line number	Diff line change
`@@ -77,11 +77,21 @@ object RestSecurityOracle {`
`77`	`77`	`}`
`78`	`78`	`}`
`79`	`79`
	`80`	`+ /**`
	`81`	`+ * Check if there is any protected resource (i.e., one that returns 403 or 401 when accessed without proper authorization),`
	`82`	`+ * but the same resource is also accessible without any authentication.`
	`83`	`+ */`
	`84`	`+`
`80`	`85`	`val a403 = actionsWithResults.filter {`
`81`	`86`	`(actionResults.find { r -> r.sourceLocalId == it.getLocalId() } as RestCallResult)`
`82`	`87`	`.getStatusCode() == 403`
`83`	`88`	`}`
`84`	`89`
	`90`	`+ val a401 = actionsWithResults.filter {`
	`91`	`+ (actionResults.find { r -> r.sourceLocalId == it.getLocalId() } as RestCallResult)`
	`92`	`+ .getStatusCode() == 401`
	`93`	`+ }`
	`94`	`+`
`85`	`95`	`val a200 = actionsWithResults.filter {`
`86`	`96`	`(actionResults.find { r -> r.sourceLocalId == it.getLocalId() } as RestCallResult)`
`87`	`97`	`.getStatusCode() == 200`
`@@ -90,7 +100,7 @@ object RestSecurityOracle {`
`90`	`100`	`it.auth is NoAuth`
`91`	`101`	`}`
`92`	`102`
`93`		`- return a403.isNotEmpty() && a200.isNotEmpty()`
	`103`	`+ return (a403.isNotEmpty() \|\| a401.isNotEmpty()) && a200.isNotEmpty()`
`94`	`104`	`}`
`95`	`105`
`96`	`106`	`fun hasExistenceLeakage(`
Original file line number	Diff line number	Diff line change
`@@ -48,7 +48,7 @@ public enum FaultCategory {`
`48`	`48`	`SECURITY_FORBIDDEN_PUT(803, "Forbidden Replacement But Allowed Modifications", "forbidsReplacementButAllowsModifications"),`
`49`	`49`	`SECURITY_FORBIDDEN_PATCH(804, "Forbidden Updates But Allowed Modifications", "forbidsUpdatesButAllowsModifications"),`
`50`	`50`	`SECURITY_ALLOW_MODIFICATION_BY_ALL(805, "Resource Created By An User Can Be Modified By All Other Users", "createdResourceCanBeModifiedByEveryone"),`
`51`		`- SECURITY_FORGOTTEN_AUTHENTICATION(806, "Forgotten Authentication", "forgottenAuthentication")`
	`51`	`+ SECURITY_FORGOTTEN_AUTHENTICATION(806, "A Protected Resource Is Accessible Without Providing Any Authentication", "forgottenAuthentication")`
`52`	`52`
`53`	`53`	`//9xx: undefined`
`54`	`54`	`;`