From 8a2499c56a505e4fdc9edc70903ce623b5ddb513 Mon Sep 17 00:00:00 2001
From: Paul Moreno
Date: Wed, 19 Jul 2017 15:55:10 +0200
Subject: [PATCH 1/4] Update to README.MD (#372)
Providing instructions on how to change listening IP address.
---
 README.MD | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/README.MD b/README.MD
index 3a5d469b3..cb8d34ee8 100644
--- a/README.MD
+++ b/README.MD
@@ -90,6 +90,10 @@ mvn -pl webgoat-server spring-boot:run
 ```
 ... you should be running webgoat on localhost:8080/WebGoat momentarily
+To change IP addresss add the following variable to WebGoat/webgoat-container/src/main/resources/application.properties file
+
+```server.address=x.x.x.x
+```
 # Vagrant
From b06fb72a743dbd6a5272aadb7047a98be4db9b5a Mon Sep 17 00:00:00 2001
From: Nanne Baars
Date: Tue, 25 Jul 2017 17:40:55 +0200
Subject: [PATCH 2/4] Fixed typo
---
 .../resources/lessonPlans/en/SqlInjection_content12a.adoc | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content12a.adoc b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content12a.adoc
index 88d1a4f4c..e34480675 100644
--- a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content12a.adoc
+++ b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content12a.adoc
@@ -1,6 +1,6 @@
 == Order by clause
-Question: Does a preparared statement always prevent against an SQL injection?
+Question: Does a prepared statement always prevent against an SQL injection?
 Answer: No it does not
 Let's take a look at the following statement:
@@ -30,12 +30,11 @@ selectExpression:
 Based on HSQLDB
 ----
-This means an `orderExpression` van be a `selectExpression` which can be a function as well, so for example with
+This means an `orderExpression` can be a `selectExpression` which can be a function as well, so for example with
 a `case` statement we might be able to ask the database some questions, like:
 ----
-select * from users order by
- (select case when (true) then lastname else firstname)
+select * from users order by (case when (true) then lastname else firstname)
 ----
 So we can substitute any kind of boolean operation in the `when(....)` part. The statement will just work because
From 0b92a57f77cf9d95303182131d9dbcda861f7d08 Mon Sep 17 00:00:00 2001
From: Nanne Baars
Date: Wed, 26 Jul 2017 05:06:40 +0200
Subject: [PATCH 3/4] WebGoat no longer runs as root in the Docker container.
---
 webgoat-server/src/main/docker/Dockerfile | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/webgoat-server/src/main/docker/Dockerfile b/webgoat-server/src/main/docker/Dockerfile
index 255e71064..debc223cb 100644
--- a/webgoat-server/src/main/docker/Dockerfile
+++ b/webgoat-server/src/main/docker/Dockerfile
@@ -1,6 +1,8 @@
 FROM openjdk:8-jre
-VOLUME /tmp
-RUN cd /root; mkdir -p .webgoat
-ADD webgoat-server-8.0-SNAPSHOT.jar webgoat.jar
-RUN sh -c 'touch /webgoat.jar'
-ENTRYPOINT ["java","-Djava.security.egd=file:/dev/./urandom","-jar","/webgoat.jar"]
\ No newline at end of file
+
+RUN useradd --home-dir /home/webgoat --create-home -U webgoat
+
+USER webgoat
+RUN cd /home/webgoat/; mkdir -p .webgoat
+COPY webgoat-server-8.0-SNAPSHOT.jar /home/webgoat/webgoat.jar
+ENTRYPOINT ["java","-Djava.security.egd=file:/dev/./urandom","-jar","/home/webgoat/webgoat.jar"]
\ No newline at end of file
From 49621c637fb328d07032250ceb06f79a7aa93085 Mon Sep 17 00:00:00 2001
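Review bot: The new `RUN useradd --home-dir /home/webgoat --create-home -U webgoat` line leaves the service account with the base image's default login shell and whatever UID is free at build time, so the UID is not stable across base-image updates and the account stays usable for an interactive login; pinning both completes the non-root change, e.g. `RUN useradd --uid <UID-chosen-by-maintainers> --home-dir /home/webgoat --create-home --shell /usr/sbin/nologin -U webgoat` (the nologin path assumes the Debian-based `openjdk:8-jre` image). Note also that `COPY` executes as root regardless of the preceding `USER webgoat`, so `/home/webgoat/webgoat.jar` should end up root-owned and read-only for the runtime user, which is the desirable outcome here but worth stating in a comment above the `COPY` line so it is not later "fixed" with a chown. Switching from `ADD` to `COPY` is a good change in its own right, since `ADD` carries extra behaviours (remote URLs, auto-extraction of local tar archives) that a plain jar never needs.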
From: Nanne Baars
Date: Wed, 26 Jul 2017 05:07:15 +0200
Subject: [PATCH 4/4] Upgraded to latest in memory MongoDB (due to download link no longer working)
---
 webgoat-container/pom.xml | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/webgoat-container/pom.xml b/webgoat-container/pom.xml
index d2f86a151..50950734a 100644
--- a/webgoat-container/pom.xml
+++ b/webgoat-container/pom.xml
@@ -37,6 +37,16 @@
+ + + + de.flapdoodle.embed + de.flapdoodle.embed.mongo + 2.0.0 + + + +