screenshots, dyn. adopt verification, dns-change & refactorings

Refactored Bidi Network request capturing
Dynamically adopt Verification Strategy
change dns resolution via config
Take Screenshots & Improved Error Handling

Author: denniskniep

CHANGELOG.md

@@ -9,6 +9,19 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Added
 
+## [1.0.3] - 2026-03-14
+
+### Added
+
+- Take Screenshots
+- Dynamically adopt Verification Strategy
+- change dns resolution via config
+
+### Changed
+
+- Improved Error Handling
+- Refactored Bidi Network request capturing
+
 ## [1.0.1] - 2026-03-10
 
 ### Added

Dockerfile

@@ -8,13 +8,15 @@ RUN mvn dependency:go-offline
 COPY src ./src
 RUN mvn clean package -DskipTests
 
-FROM eclipse-temurin:21-jre-jammy
+FROM debian:sid-slim
 # Source: https://github.com/SeleniumHQ/docker-selenium/tree/trunk/NodeChromium
 
 USER root
 
 ENV DEBIAN_FRONTEND=noninteractive
 
+RUN apt-get update -qqy && apt-get -qqy install wget curl default-jdk
+
 COPY docker/install-chromium.sh ./install-chromium.sh
 RUN ./install-chromium.sh
 
@@ -31,8 +33,6 @@ RUN /opt/bin/wrap_chromium_binary && chromium --version
 COPY ./docker/chrome-cleanup.sh /opt/bin/chrome-cleanup.sh
 COPY ./docker/chrome-cleanup.conf /etc/supervisor/conf.d/chrome-cleanup.conf
 
-USER ${SEL_UID}
-
 #============================================
 # Dumping Browser information for config
 #============================================
@@ -54,4 +54,4 @@ RUN useradd -m -u 1000 appuser && \
 
 USER appuser
 
-ENTRYPOINT ["sh", "-c", "java", "-jar", "app.jar"]
+ENTRYPOINT ["java", "-jar", "app.jar"]

docker/install-chromium.sh

@@ -1,6 +1,9 @@
 #!/usr/bin/env bash
 set -e
 
+apt-get update -qqy
+apt-get -qqy install libnss3-tools
+
 # Install Chromium
 export CHROMIUM_VERSION="145.0.7632.159"
 export CHROMIUM_DEB_SITE="http://deb.debian.org/debian"
@@ -25,12 +28,6 @@ wget "$URL2" -O /tmp/chromium/chromium.deb
 wget "$URL3" -O /tmp/chromium/chromium-l10n.deb
 wget "$URL4" -O /tmp/chromium/chromium-driver.deb
 
-echo "deb ${CHROMIUM_DEB_SITE}/ sid main" >/etc/apt/sources.list.d/debian.list
-wget -qO- https://ftp-master.debian.org/keys/archive-key-12.asc | gpg --dearmor > /etc/apt/trusted.gpg.d/debian-archive-keyring.gpg
-wget -qO- https://ftp-master.debian.org/keys/archive-key-12-security.asc | gpg --dearmor > /etc/apt/trusted.gpg.d/debian-archive-security-keyring.gpg
-apt-get update -qqy
-apt-get -qqy install libnss3-tools
-
-apt-get -qqyf install /tmp/chromium/chromium-common.deb /tmp/chromium/chromium.deb /tmp/chromium/chromium-l10n.deb /tmp/chromium/chromium-driver.deb
+apt-get -yf install /tmp/chromium/chromium-common.deb /tmp/chromium/chromium.deb /tmp/chromium/chromium-l10n.deb /tmp/chromium/chromium-driver.deb
 
 rm -rf /tmp/chromium;

pom.xml

@@ -51,7 +51,7 @@
 		<dependency>
 			<groupId>org.seleniumhq.selenium</groupId>
 			<artifactId>selenium-java</artifactId>
-			<version>4.40.0</version>
+			<version>4.41.0</version>
 		</dependency>
 
 		<dependency>

src/main/java/de/denniskniep/safed/SafedCli.java

@@ -92,12 +92,16 @@ public void run(String... args) throws MalformedURLException {
                 var report = new Report();
                 report.setStatus(ScanResultStatus.FAILED);
                 report.setErrors(List.of("Provided ClientId  '" + clientId + "' not found!"));
+                reports.add(report);
             }
         }
 
-        LOG.info(Serialization.AsPrettyJson(reports));
+        LOG.debug(Serialization.AsPrettyJson(reports));
+        if(!LOG.isDebugEnabled()) {
+            LOG.info(Serialization.AsJsonString(reports));
+        }
+
         webhookService.sendReports(reports);
-        LOG.info("Finished assessment");
         SpringApplication.exit(applicationContext, () -> 0);
     }
 

src/main/java/de/denniskniep/safed/common/assessment/Assessment.java

@@ -26,8 +26,8 @@ public abstract class Assessment<T extends Scanner, C extends AppConfig> {
 
     private ScanResult firstScanSuccess;
     private ScanResult secondScanSuccess;
-    private ScanResult thirdScanSuccess;
-    private ScanResult fourthScanFailure;
+    private ScanResult isVulnerableScan;
+    private ScanResult isOkScan;
 
     public Assessment(T successScanner, T failureScanner) {
         this.successScanner = successScanner;
@@ -54,93 +54,143 @@ public Report run(String clientId, C scannerConfig) {
         var start = Instant.now();
         validate(scannerConfig);
 
+        try {
+            return runInternal(clientId, scannerConfig);
+        }catch (Exception e){
+            LOG.error("Unexpected error:", e);
+            var duration = Duration.between(start, Instant.now());
+            ReportBuilder reportBuilder = new ReportBuilder(clientId, duration.toMillis() , firstScanSuccess, secondScanSuccess, isVulnerableScan, isOkScan, new HashMap<>(), List.of(e.getMessage()));
+            return reportBuilder.Build();
+        }
+    }
+
+    private Report runInternal(String clientId, C scannerConfig) {
+        var start = Instant.now();
+
         List<String> errors = new ArrayList<>();
-        LOG.info("Start initial tests");
+        LOG.info("Start first baseline scan");
         // First scan with successful login
         firstScanSuccess = runScan(scannerConfig, successScanner);
+
+        LOG.info("Start second baseline scan");
         // Second scan with successful login, but maybe changes in the page content from login to login
         secondScanSuccess = runScan(scannerConfig, successScanner);
-        // Third scan with successful login - means VULNERABLE
-        thirdScanSuccess = runScan(scannerConfig, successScanner);
-        // Fourth scan with failed login - means OK
-        fourthScanFailure = runScan(scannerConfig, failureScanner);
 
+        LOG.info("Start test scan - proof ok");
+        // scan with failure - means OK (not vulnerable)
+        isOkScan = runScan(scannerConfig, failureScanner);
+
+        // Dynamically adopt Verification Strategy
+        List<String> okVerifications = isOkScan.getVerificationStrategies(ScanResultStatus.OK);
+        List<String> vulnVerifications = isOkScan.getVerificationStrategies(ScanResultStatus.VULNERABLE);
+        if(!vulnVerifications.isEmpty() && !okVerifications.isEmpty()){
+            // a significant drift in the response is expected, therefore verifications should report OK
+            // if not we remove all verifications that are not reporting OK!
+            scannerConfig = (C)scannerConfig.deepCopy();
+            scannerConfig.setVerificationStrategies(okVerifications);
+            LOG.info("Restart test scan - proof ok (Adopted Verification Strategy)");
+            isOkScan = runScan(scannerConfig, failureScanner);
+        }
+
+        LOG.info("Start test scan - proof vulnerable");
+        // Scan with success - means VULNERABLE
+        isVulnerableScan = runScan(scannerConfig, successScanner);
 
-        // For a manipulated OIDCResponse we expect a significant drift in the response
-        // The third scan with a successful login does not have that drift on purpose!
+        // For a malicious scan, we expect a significant drift in the response
+        // The successScanner does not have that drift on purpose!
         // As no error occur and the user is normally logged in, we expect that to be classified as VULNERABLE
-        if (thirdScanSuccess.getStatus() == ScanResultStatus.OK) {
-            errors.add("Third scan must always be classified as VULNERABLE!");
+        if (isVulnerableScan.getStatus() == ScanResultStatus.OK) {
+            var msg = "Fourth scan must always be classified as VULNERABLE!";
+            LOG.warn(msg);
+            errors.add(msg);
         }
 
-        // The fourth scan with a failing login should have a significant drift in the response
+        // For a malicious scan, we expect a significant drift in the response
+        // The failureScanner should have a significant drift in the response
         // Because an error occur and the user is not logged in, we expect that to be classified as OK
-        if (fourthScanFailure.getStatus() == ScanResultStatus.VULNERABLE) {
-            // For a manipulated OIDCResponse we expect a significant drift in the response
-            // The third scan with positive login does not have that on purpose!
-            errors.add("Fourth scan must always be classified as OK!");
+        if (isOkScan.getStatus() == ScanResultStatus.VULNERABLE) {
+            var msg = "Third scan must always be classified as OK!";
+            LOG.warn(msg);
+            errors.add(msg);
         }
 
+        LOG.info("Finished baseline and test scans");
 
-        LOG.info("End initial tests");
         var scanResults = new HashMap<String, ScanResult>();
         for (var scanner : scanners) {
             if (scannerConfig.getScanners() != null && !scannerConfig.getScanners().contains(scanner.getClass().getSimpleName())) {
                 LOG.info("Skip scanning with {}", scanner.getClass().getSimpleName());
                 continue;
             }
 
-            LOG.info("Start scanning with {}", scanner.getClass().getSimpleName());
-            var scanResult = runScan(scannerConfig, scanner);
-            scanResults.put(scanner.getClass().getSimpleName(), scanResult);
-            LOG.trace("Scanner {} finished with status: {}.\nFollowing evidences collected:\n{}", scanner.getClass().getSimpleName(), scanResult.getStatus(), String.join("\n", scanResult.getEvidences()));
+            LOG.debug("Start scanning with {}", scanner.getClass().getSimpleName());
+            try{
+                var scanResult = runScan(scannerConfig, scanner);
+                scanResults.put(scanner.getClass().getSimpleName(), scanResult);
+                LOG.info("ClientId: {}; Status: {}; Scanner: {};", clientId, scanResult.getStatus(), scanner.getClass().getSimpleName());
+            }catch(Exception e){
+                var scanResult = ScanResult.failed(List.of(e.getMessage()));
+                LOG.error("ClientId: {}; Status: {}; Scanner: {};", clientId, scanResult.getStatus(), scanner.getClass().getSimpleName());
+                scanResults.put(scanner.getClass().getSimpleName(), scanResult);
+            }
         }
-
-        var duration =  Duration.between(start, Instant.now());
-        ReportBuilder reportBuilder = new ReportBuilder(clientId, duration.toMillis() , firstScanSuccess, secondScanSuccess, thirdScanSuccess, fourthScanFailure, scanResults, errors);
-        return reportBuilder.Build();
+        var duration = Duration.between(start, Instant.now());
+        ReportBuilder reportBuilder = new ReportBuilder(clientId, duration.toMillis() , firstScanSuccess, secondScanSuccess, isVulnerableScan, isOkScan, scanResults, errors);
+        var report = reportBuilder.Build();
+        LOG.info("ClientId: {}; Status: {}; Finished Assessment ", report.getClientId(), report.getStatus());
+        return report;
     }
 
     private ScanResult runScan(C inputScannerConfig, T scanner) {
-        scanner.init(firstScanSuccess, secondScanSuccess, thirdScanSuccess, fourthScanFailure);
+        scanner.init(firstScanSuccess, secondScanSuccess, isVulnerableScan, isOkScan);
 
         C scannerConfig = (C)scanner.getScannerConfig(inputScannerConfig.deepCopy());
 
         AuthResult authResult = scan(scannerConfig, scanner);
 
         // All VerificationStrategies are used to gather infos
         var allVerificationStrategies = createVerificationStrategy(scanResultVerificationStrategies.keySet());
-        List<String> infos = allVerificationStrategies.extractInfos(authResult);
+        var infos = extractInfos(allVerificationStrategies, authResult);
 
         if (firstScanSuccess == null || secondScanSuccess == null) {
-            return new ScanResult(authResult, ScanResultStatus.OK, infos);
+            return ScanResult.ok(authResult, infos);
         }
 
         var selectedVerificationStrategies = createVerificationStrategy(scannerConfig.getVerificationStrategies());
-        var scanResult = selectedVerificationStrategies.evaluateScanResult(firstScanSuccess.getAuthResult(), secondScanSuccess.getAuthResult(), authResult);
-        var infosAndEvidences = new ArrayList<>(infos);
-        infosAndEvidences.addAll(scanResult.getEvidences());
-        return new ScanResult(scanResult.getAuthResult(), scanResult.getStatus(), infosAndEvidences);
+        var verifications = evaluate(selectedVerificationStrategies, firstScanSuccess.getAuthResult(), secondScanSuccess.getAuthResult(), authResult);
+        return new ScanResult(authResult, verifications, infos);
+    }
+
+    private Map<String, List<String>> extractInfos(List<ScanResultVerificationStrategy> verifications, AuthResult scanAuthResult) {
+        var infos = new HashMap<String, List<String>>();
+        for(var verificationStrategy : verifications){
+            infos.put(verificationStrategy.getClass().getSimpleName(), verificationStrategy.extractInfos(scanAuthResult));
+        }
+        return infos;
+    }
+
+    public  Map<String, VerificationResult> evaluate(List<ScanResultVerificationStrategy> verifications, AuthResult firstPositiveAuthResult, AuthResult secondPositiveAuthResult, AuthResult authResult) {
+        var results = new HashMap<String, VerificationResult>();
+        for(var verificationStrategy : verifications){
+            var result = verificationStrategy.evaluateScanResult(firstPositiveAuthResult, secondPositiveAuthResult, authResult);
+            results.put(verificationStrategy.getClass().getSimpleName(), result);
+        }
+        return results;
     }
 
     protected abstract AuthResult scan(C scannerConfig, T scanner);
 
-    private ScanResultVerificationStrategy createVerificationStrategy(Collection<String> verificationStrategyNames) {
+    private List<ScanResultVerificationStrategy> createVerificationStrategy(Collection<String> verificationStrategyNames) {
         if (verificationStrategyNames == null || verificationStrategyNames.isEmpty()) {
-            verificationStrategyNames = List.of(
-                    DiffVerification.class.getSimpleName(),
-                    UrlAndStatusCodeVerification.class.getSimpleName(),
-                    CookieVerification.class.getSimpleName()
-            );
+            verificationStrategyNames = scanResultVerificationStrategies.keySet();
         }
 
        List<ScanResultVerificationStrategy> verificationStrategies = new ArrayList<>();
        for (var name : verificationStrategyNames) {
            verificationStrategies.add(findVerificationStrategyByName(name));
        }
 
-       return new AnyMatchVerification(verificationStrategies);
-
+       return verificationStrategies;
     }
 
     private ScanResultVerificationStrategy findVerificationStrategyByName(String name) {

src/main/java/de/denniskniep/safed/common/auth/browser/AuthenticationLog.java

@@ -1,10 +1,12 @@
 package de.denniskniep.safed.common.auth.browser;
 
+import de.denniskniep.safed.common.auth.browser.bidi.ResponseDataDetails;
 import org.apache.commons.lang3.StringUtils;
-import org.openqa.selenium.bidi.network.ResponseDetails;
 
 import java.util.ArrayList;
 import java.util.List;
+import java.util.Optional;
+import java.util.function.Predicate;
 
 public class AuthenticationLog {
 
@@ -14,19 +16,19 @@ public List<RequestResponse> getTraffic() {
         return traffic;
     }
 
-    public RequestResponse add(ResponseDetails responseDetails){
-       return add("",  responseDetails);
+    public RequestResponse add(ResponseDataDetails responseDataDetails){
+       return add("", responseDataDetails);
     }
 
     public void addAll(String context, List<RequestResponse> requestResponses){
         for (RequestResponse r : requestResponses) {
-            RequestResponse requestResponse = new RequestResponse(r.created(), context, r.responseDetails());
+            RequestResponse requestResponse = new RequestResponse(r.created(), context, r.responseDataDetails());
             traffic.add(requestResponse);
         }
     }
 
-    public RequestResponse add(String context, ResponseDetails responseDetails){
-        RequestResponse requestResponse = new RequestResponse(context, responseDetails);
+    public RequestResponse add(String context, ResponseDataDetails responseDataDetails){
+        RequestResponse requestResponse = new RequestResponse(context, responseDataDetails);
         traffic.add(requestResponse);
         return requestResponse;
     }
@@ -45,8 +47,30 @@ public void clearTrafficAfter(String requestId) {
         }
     }
 
+    public Optional<RequestResponse> find(Predicate<RequestResponse> findCondition){
+        return findInternal(Optional.empty(), findCondition);
+    }
+
+    public Optional<RequestResponse> findStartingAt(String startAtRequestId, Predicate<RequestResponse> findCondition){
+        return findInternal(Optional.of(startAtRequestId), findCondition);
+    }
+
+    private Optional<RequestResponse> findInternal(Optional<String> startAtRequestId, Predicate<RequestResponse> findCondition){
+        var execFind = false;
+        for (RequestResponse t : List.copyOf(traffic)) {
+            if (startAtRequestId.isEmpty() || StringUtils.equals(t.getRequest().getRequestId(), startAtRequestId.get())){
+                execFind = true;
+            }
+
+            if(execFind && findCondition.test(t)){
+                return Optional.of(t);
+            }
+        }
+        return Optional.empty();
+    }
+
     public String asShortLogList(){
-        return  String.join("\n",getTraffic().stream().map(RequestResponse::asShortLog).toList());
+        return String.join("\n",getTraffic().stream().map(RequestResponse::asShortLog).toList());
     }
 }