dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'upstream/develop' into develop

Browse Source
This commit is contained in:
Jason White 2017-08-02 19:12:29 -04:00
commit 06bf690a3a
4 changed files with 24 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
README.MD
View File

@ -90,6 +90,10 @@ mvn -pl webgoat-server spring-boot:run
``` ```
... you should be running webgoat on localhost:8080/WebGoat momentarily ... you should be running webgoat on localhost:8080/WebGoat momentarily
To change IP addresss add the following variable to WebGoat/webgoat-container/src/main/resources/application.properties file
```server.address=x.x.x.x
```
# Vagrant # Vagrant

10
webgoat-container/pom.xml
View File

@ -37,6 +37,16 @@
</profiles> </profiles>
<dependencyManagement>
<dependencies>
<dependency>
<groupId>de.flapdoodle.embed</groupId>
<artifactId>de.flapdoodle.embed.mongo</artifactId>
<version>2.0.0</version>
</dependency>
</dependencies>
</dependencyManagement>
<build> <build>
<resources> <resources>
<resource> <resource>

7
webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content12a.adoc
View File

@ -1,6 +1,6 @@
== Order by clause == Order by clause
Question: Does a preparared statement always prevent against an SQL injection? Question: Does a prepared statement always prevent against an SQL injection?
Answer: No it does not Answer: No it does not
Let's take a look at the following statement: Let's take a look at the following statement:
@ -30,12 +30,11 @@ selectExpression:
Based on HSQLDB Based on HSQLDB
---- ----
This means an `orderExpression` van be a `selectExpression` which can be a function as well, so for example with This means an `orderExpression` can be a `selectExpression` which can be a function as well, so for example with
a `case` statement we might be able to ask the database some questions, like: a `case` statement we might be able to ask the database some questions, like:
---- ----
select * from users order by select * from users order by (case when (true) then lastname else firstname)
(select case when (true) then lastname else firstname)
---- ----
So we can substitute any kind of boolean operation in the `when(....)` part. The statement will just work because So we can substitute any kind of boolean operation in the `when(....)` part. The statement will just work because

12
webgoat-server/src/main/docker/Dockerfile
View File

@ -1,6 +1,8 @@
FROM openjdk:8-jre FROM openjdk:8-jre
VOLUME /tmp
RUN cd /root; mkdir -p .webgoat RUN useradd --home-dir /home/webgoat --create-home -U webgoat
ADD webgoat-server-8.0-SNAPSHOT.jar webgoat.jar
RUN sh -c 'touch /webgoat.jar' USER webgoat
ENTRYPOINT ["java","-Djava.security.egd=file:/dev/./urandom","-jar","/webgoat.jar"] RUN cd /home/webgoat/; mkdir -p .webgoat
COPY webgoat-server-8.0-SNAPSHOT.jar /home/webgoat/webgoat.jar
ENTRYPOINT ["java","-Djava.security.egd=file:/dev/./urandom","-jar","/home/webgoat/webgoat.jar"]