WebFuzzing
diff --git a/‎core/src/main/kotlin/org/evomaster/core/problem/enterprise/ExperimentalFaultCategory.kt‎
Lines changed: 3 additions & 0 deletions b/‎core/src/main/kotlin/org/evomaster/core/problem/enterprise/ExperimentalFaultCategory.kt‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎core/src/main/kotlin/org/evomaster/core/problem/rest/service/SecurityRest.kt‎
Lines changed: 70 additions & 0 deletions b/‎core/src/main/kotlin/org/evomaster/core/problem/rest/service/SecurityRest.kt‎
Lines changed: 70 additions & 0 deletions
diff --git a/‎core/src/main/kotlin/org/evomaster/core/problem/rest/service/fitness/AbstractRestFitness.kt‎
Lines changed: 47 additions & 0 deletions b/‎core/src/main/kotlin/org/evomaster/core/problem/rest/service/fitness/AbstractRestFitness.kt‎
Lines changed: 47 additions & 0 deletions
@@ -54,6 +54,9 @@ enum class ExperimentalFaultCategory(
     SECURITY_FORGOTTEN_AUTHENTICATION(980, "A Protected Resource Is Accessible Without Providing Any Authentication",
         "forgottenAuthentication",
         "TODO"),
+    SECURITY_STACK_TRACE(981, "Stack Trace",
+        "stackTrace",
+        "TODO"),
     ;
 
     override fun getCode(): Int {
 
@@ -6,6 +6,7 @@ import org.evomaster.core.EMConfig
 import javax.annotation.PostConstruct
 
 import org.evomaster.core.logging.LoggingUtil
+import org.evomaster.core.problem.enterprise.DetectedFault
 import org.evomaster.core.problem.enterprise.ExperimentalFaultCategory
 import org.evomaster.core.problem.enterprise.SampleType
 import org.evomaster.core.problem.enterprise.auth.AuthSettings
@@ -22,10 +23,12 @@ import org.evomaster.core.problem.rest.resource.RestResourceCalls
 import org.evomaster.core.problem.rest.service.sampler.AbstractRestSampler
 
 import org.evomaster.core.search.*
+import org.evomaster.core.search.action.ActionResult
 import org.evomaster.core.search.service.Archive
 import org.evomaster.core.search.service.FitnessFunction
 import org.evomaster.core.search.service.IdMapper
 import org.evomaster.core.search.service.Randomness
+import org.evomaster.core.utils.StackTraceUtils
 import org.slf4j.Logger
 import org.slf4j.LoggerFactory
 
@@ -282,10 +285,77 @@ class SecurityRest {
             handleForgottenAuthentication()
         }
 
+        if (!config.isEnabledFaultCategory(ExperimentalFaultCategory.SECURITY_STACK_TRACE)) {
+            LoggingUtil.uniqueUserInfo("Skipping experimental security test for stack traces as disabled in configuration")
+        } else {
+            handleStackTraceCheck()
+        }
+
         //TODO other rules. See FaultCategory
         //etc.
     }
 
+    /**
+     * Checks whether any response body contains a stack trace, which would constitute a security issue.
+     * Stack traces expose internal implementation details that can aid attackers in exploiting vulnerabilities.
+     *
+     * Note: This is a best-effort oracle that may produce false positives, as some applications might
+     * legitimately return stack traces as part of their business logic.
+     *
+     * This check is performed only at the end of the search, not during each fitness evaluation,
+     * to avoid performance overhead during the main search phase.
+     */
+    private fun handleStackTraceCheck(){
+
+        mainloop@ for(action in actionDefinitions){
+
+            val suspicious = RestIndividualSelectorUtils.findIndividuals(
+                individualsInSolution,
+                action.verb,
+                action.path,
+                status = 500,
+            )
+
+            if(suspicious.isEmpty()){
+                continue
+            }
+
+            for(target in suspicious) {
+                var isFaultFound = false
+
+                val copyTarget = target.copy()
+                //  we need BOTH the check here and in the fitness function.
+                //  here: because we need to make sure 500 from archive are re-executed and added back with SECURITY tag if fault found
+                //  in ff: to avoid losing info if test is re-evaluated
+
+                isFaultFound = copyTarget.evaluatedMainActions()
+                    .asSequence()
+                    .filter { (it.action as RestCallAction).verb == action.verb && it.action.path == action.path }
+                    .mapNotNull { it.result as? RestCallResult }
+                    .any { r ->
+                        val body = r.getBody()
+                        r.getStatusCode() == 500 &&
+                                body != null &&
+                                StackTraceUtils.looksLikeStackTrace(body)
+                    }
+
+                if(isFaultFound){
+                    copyTarget.individual.modifySampleType(SampleType.SECURITY)
+                    copyTarget.individual.ensureFlattenedStructure()
+                    val evaluatedIndividual = fitness.computeWholeAchievedCoverageForPostProcessing(copyTarget.individual)
+
+                    if (evaluatedIndividual == null) {
+                        log.warn("Failed to evaluate constructed individual in handleStackTraceCheck")
+                        continue@mainloop
+                    }
+
+                    val added = archive.addIfNeeded(evaluatedIndividual)
+                    assert(added)
+                    continue@mainloop
+                }
+            }
+        }
+    }
 
     /**
      * Authenticated user A accesses endpoint X, but get 401 (instead of 403).
 
@@ -59,6 +59,7 @@ import org.evomaster.core.search.gene.string.StringGene
 import org.evomaster.core.search.gene.utils.GeneUtils
 import org.evomaster.core.search.service.DataPool
 import org.evomaster.core.taint.TaintAnalysis
+import org.evomaster.core.utils.StackTraceUtils
 import org.slf4j.Logger
 import org.slf4j.LoggerFactory
 import java.net.URL
@@ -1212,13 +1213,18 @@ abstract class AbstractRestFitness : HttpWsFitness<RestIndividual>() {
         handleExistenceLeakage(individual,actionResults,fv)
         handleNotRecognizedAuthenticated(individual, actionResults, fv)
         handleForgottenAuthentication(individual, actionResults, fv)
+        handleStackTraceCheck(individual, actionResults, fv)
     }
 
     private fun handleSsrfFaults(
         individual: RestIndividual,
         actionResults: List<ActionResult>,
         fv: FitnessValue
     ) {
+        if (!config.isEnabledFaultCategory(DefinedFaultCategory.SSRF)) {
+            return
+        }
+
         individual.seeMainExecutableActions().forEach {
             val ar = (actionResults.find { r -> r.sourceLocalId == it.getLocalId() } as RestCallResult?)
             if (ar != null) {
@@ -1240,6 +1246,9 @@ abstract class AbstractRestFitness : HttpWsFitness<RestIndividual>() {
         actionResults: List<ActionResult>,
         fv: FitnessValue
     ) {
+        if (!config.isEnabledFaultCategory(DefinedFaultCategory.SECURITY_NOT_RECOGNIZED_AUTHENTICATED)) {
+            return
+        }
 
         val notRecognized = individual.seeMainExecutableActions()
             .filter {
@@ -1277,6 +1286,10 @@ abstract class AbstractRestFitness : HttpWsFitness<RestIndividual>() {
         actionResults: List<ActionResult>,
         fv: FitnessValue
     ) {
+        if (!config.isEnabledFaultCategory(DefinedFaultCategory.SECURITY_EXISTENCE_LEAKAGE)) {
+            return
+        }
+
         val getPaths = individual.seeMainExecutableActions()
             .filter { it.verb == HttpVerb.GET }
             .map { it.path }
@@ -1301,11 +1314,40 @@ abstract class AbstractRestFitness : HttpWsFitness<RestIndividual>() {
         }
     }
 
+
+    private fun handleStackTraceCheck(
+        individual: RestIndividual,
+        actionResults: List<ActionResult>,
+        fv: FitnessValue
+    ) {
+        if (!config.isEnabledFaultCategory(ExperimentalFaultCategory.SECURITY_STACK_TRACE)) {
+            return
+        }
+
+        for(index in individual.seeMainExecutableActions().indices){
+            val a = individual.seeMainExecutableActions()[index]
+            val r = actionResults.find { it.sourceLocalId == a.getLocalId() } as RestCallResult
+
+            if(r.getStatusCode() == 500 && r.getBody() != null && StackTraceUtils.looksLikeStackTrace(r.getBody()!!)){
+                val scenarioId = idMapper.handleLocalTarget(
+                    idMapper.getFaultDescriptiveId(ExperimentalFaultCategory.SECURITY_STACK_TRACE, a.getName())
+                )
+                fv.updateTarget(scenarioId, 1.0, index)
+                r.addFault(DetectedFault(ExperimentalFaultCategory.SECURITY_STACK_TRACE, a.getName(), null))
+            }
+        }
+    }
+
     private fun handleForgottenAuthentication(
         individual: RestIndividual,
         actionResults: List<ActionResult>,
         fv: FitnessValue
     ) {
+
+        if (!config.isEnabledFaultCategory(ExperimentalFaultCategory.SECURITY_FORGOTTEN_AUTHENTICATION)) {
+            return
+        }
+
         val endpoints = individual.seeMainExecutableActions()
             .map { it.getName() }
             .toSet()
@@ -1337,6 +1379,11 @@ abstract class AbstractRestFitness : HttpWsFitness<RestIndividual>() {
         actionResults: List<ActionResult>,
         fv: FitnessValue
     ) {
+
+        if (!config.isEnabledFaultCategory(DefinedFaultCategory.SECURITY_WRONG_AUTHORIZATION)) {
+            return
+        }
+
         if (RestSecurityOracle.hasForbiddenOperation(verb, individual, actionResults)) {
            val actionIndex = individual.size() - 1
             val action = individual.seeMainExecutableActions()[actionIndex]
Original file line number	Diff line number	Diff line change
`@@ -54,6 +54,9 @@ enum class ExperimentalFaultCategory(`
`54`	`54`	`SECURITY_FORGOTTEN_AUTHENTICATION(980, "A Protected Resource Is Accessible Without Providing Any Authentication",`
`55`	`55`	`"forgottenAuthentication",`
`56`	`56`	`"TODO"),`
	`57`	`+ SECURITY_STACK_TRACE(981, "Stack Trace",`
	`58`	`+ "stackTrace",`
	`59`	`+ "TODO"),`
`57`	`60`	`;`
`58`	`61`
`59`	`62`	`override fun getCode(): Int {`