diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/SqlInjectionAdvanced.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/SqlInjectionAdvanced.java
new file mode 100644
index 000000000..5a8a28c25
--- /dev/null
+++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/SqlInjectionAdvanced.java
@@ -0,0 +1,63 @@
+package org.owasp.webgoat.plugin;
+
+import org.owasp.webgoat.lessons.Category;
+import org.owasp.webgoat.lessons.NewLesson;
+
+import java.util.ArrayList;
+import java.util.List;
+
+/**
+ * ************************************************************************************************
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ * please see http://www.owasp.org/
+ *

+ * Copyright (c) 2002 - 20014 Bruce Mayhew
+ *

+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *

+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *

+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *

+ * Getting Source ==============
+ *

+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
+ * projects.
+ *

+ *
+ * @author WebGoat
+ * @version $Id: $Id
+ * @since October 12, 2016
+ */
+public class SqlInjectionAdvanced extends NewLesson {
+ @Override
+ public Category getDefaultCategory() {
+ return Category.INJECTION;
+ }
+
+ @Override
+ public List getHints() {
+ return new ArrayList<>();
+ }
+
+ @Override
+ public Integer getDefaultRanking() {
+ return 1;
+ }
+
+ @Override
+ public String getTitle() {
+ return "SQL Injection (advanced)";
+ }
+
+ @Override
+ public String getId() {
+ return "SqlInjectionAdvanced";
+ }
+}
diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/SqlInjectionLesson6a.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/SqlInjectionLesson6a.java
index 90774c0e3..701e9a0e4 100644
--- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/SqlInjectionLesson6a.java
+++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/SqlInjectionLesson6a.java
@@ -48,7 +48,7 @@ import static org.owasp.webgoat.plugin.SqlInjectionLesson5a.writeTable;
 * @created October 28, 2003
 */
 @AssignmentPath("/SqlInjection/attack6a")
-@AssignmentHints(value = {"SqlStringInjectionHint5", "SqlStringInjectionHint6"})
+@AssignmentHints(value = {"SqlStringInjectionHint5", "SqlStringInjectionHint6", "SqlStringInjectionHint7"})
 public class SqlInjectionLesson6a extends AssignmentEndpoint {
 @RequestMapping(method = RequestMethod.POST)
diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/SqlInjectionMitigations.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/SqlInjectionMitigations.java
new file mode 100644
index 000000000..291d9c98f
--- /dev/null
+++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/SqlInjectionMitigations.java
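Review bot: `getHints()` is declared with the raw type `List`, so the compiler cannot check what this lesson returns and every caller gets an unchecked conversion at the use site; the same raw signature appears in SqlInjectionMitigations.java later in this commit. Unless `NewLesson` itself declares the method raw, which is not visible here, the override should be `public List<String> getHints() { return new ArrayList<>(); }`. The new header also carries the typo `Copyright (c) 2002 - 20014`, and both new lessons return `1` from `getDefaultRanking()`, which may leave their relative order undefined if the ranking is what the menu sorts on.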
@@ -0,0 +1,63 @@
+package org.owasp.webgoat.plugin;
+
+import org.owasp.webgoat.lessons.Category;
+import org.owasp.webgoat.lessons.NewLesson;
+
+import java.util.ArrayList;
+import java.util.List;
+
+/**
+ * ************************************************************************************************
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ * please see http://www.owasp.org/
+ *

+ * Copyright (c) 2002 - 20014 Bruce Mayhew
+ *

+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *

+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *

+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *

+ * Getting Source ==============
+ *

+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
+ * projects.
+ *

+ *
+ * @author WebGoat
+ * @version $Id: $Id
+ * @since October 12, 2016
+ */
+public class SqlInjectionMitigations extends NewLesson {
+ @Override
+ public Category getDefaultCategory() {
+ return Category.INJECTION;
+ }
+
+ @Override
+ public List getHints() {
+ return new ArrayList<>();
+ }
+
+ @Override
+ public Integer getDefaultRanking() {
+ return 1;
+ }
+
+ @Override
+ public String getTitle() {
+ return "SQL Injection (mitigations)";
+ }
+
+ @Override
+ public String getId() {
+ return "SqlInjectionMitigations";
+ }
+}
diff --git a/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjection.html b/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjection.html
index 0cdcc1d49..bdbe8095e 100644
--- a/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjection.html
+++ b/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjection.html
@@ -71,78 +71,4 @@
-
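Review bot: `getId()` returns `"SqlInjectionMitigations"`, but the page this commit adds is `html/SqlInjectionMitigation.html` (singular), and no `SqlInjectionMitigations_plan.adoc` is added although the other new lesson gets a matching `SqlInjectionAdvanced_plan.adoc`. If the lesson framework resolves the page and plan from the id, as the Advanced lesson's matching file names suggest, this lesson will not find its content. The new HTML file also has the same blob id `3c4a1d6ec` as `SqlInjectionAdvanced.html`, so it is a byte-for-byte copy of the advanced lesson page rather than mitigation material; rename it to `SqlInjectionMitigations.html` and give it its own content before the lesson is registered.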

-
-
- -
-
-
-
-
- - - - - - - -
Name:
-
-
-
-
-
-
-
- - - - - - - -
Password:
-
-
-
-
- -
-
-
-
- -
-
-
- -
-
-
- -
-
-
- -
-
-
- -
-
-
- -
-
-
- diff --git a/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjectionAdvanced.html b/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjectionAdvanced.html new file mode 100644 index 000000000..3c4a1d6ec --- /dev/null +++ b/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjectionAdvanced.html @@ -0,0 +1,85 @@ + + + + + +
+
+
+ + +
+
+
+ +
+
+
+
+
+ + + + + + + +
Name:
+
+
+
+
+
+
+
+ + + + + + + +
Password:
+
+
+
+
+ +
+
+
+
+ +
+
+
+ +
+
+
+ +
+
+
+ +
+
+
+ +
+
+
+ +
+
+
+ + diff --git a/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjectionMitigation.html b/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjectionMitigation.html new file mode 100644 index 000000000..3c4a1d6ec --- /dev/null +++ b/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjectionMitigation.html @@ -0,0 +1,85 @@ + + + + + +
+
+
+ + +
+
+
+ +
+
+
+
+
+ + + + + + + +
Name:
+
+
+
+
+
+
+
+ + + + + + + +
Password:
+
+
+
+
+ +
+
+
+
+ +
+
+
+ +
+
+
+ +
+
+
+ +
+
+
+ +
+
+
+ +
+
+
+ + diff --git a/webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties b/webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties index e63a9fb5c..52cc02fe2 100644 --- a/webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties +++ b/webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties @@ -6,8 +6,9 @@ SqlStringInjectionHint1=The application is taking your input and inserting it at SqlStringInjectionHint2=This is the code for the query being built and issued by WebGoat:

"SELECT * FROM user_data WHERE last_name = "accountName" SqlStringInjectionHint3=Compound SQL statements can be made by joining multiple tests with keywords like AND and OR. Try appending a SQL statement that always resolves to true SqlStringInjectionHint4=Try entering [ smith' OR '1' = '1 ]. -SqlStringInjectionHint5=Try adding a union to the query, the number of columns should match. -SqlStringInjectionHint6=Try entering [ Smith' union select userid,user_name, password,cookie,cookie, cookie,userid from user_system_data -- ]. +SqlStringInjectionHint5=First try to find out the number of columns by adding a group by 1,2,3 etc to the query. +SqlStringInjectionHint6=Try adding a union to the query, the number of columns should match. +SqlStringInjectionHint7=Try entering [ Smith' union select userid,user_name, password,cookie,cookie, cookie,userid from user_system_data -- ]. sql-injection.5a.success=You have succeed: {0} sql-injection.5a.no.results=No results matched. Try Again. diff --git a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjectionAdvanced_plan.adoc b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjectionAdvanced_plan.adoc new file mode 100644 index 000000000..c9a75b8a6 --- /dev/null +++ b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjectionAdvanced_plan.adoc @@ -0,0 +1,8 @@ +== Concept + +This lesson describes the more advanced topics for an SQL injection. + +== Goals + +** Combining SQL Injection Techniques +** Blind SQL injection diff --git a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content10.adoc b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content10.adoc index c0ad3d455..2e4a775d1 100644 --- a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content10.adoc +++ b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content10.adoc 
@@ -1,35 +1,28 @@ == Parameterized Queries – Java Example +[source,java] ------------------------------------------------------- -// Parser returns only valid string data -String accountID = getParser().getStringParameter(ACCT_ID, ""); -String data = null; -try -{ - // Read only database connection - Statement connection = DatabaseUtilities.getConnection(READ_ONLY); - - // Build a fully qualified query - String query = "SELECT first_name, last_name, acct_id, balance - FROM user_data WHERE acct_id = ?"; - PreparedStatement statement = connection.prepareStatement(query); - statement.setString(1, accountID); - ResultSet results = statement.executeQuery(); - if ((results != null) && (results.first() == true)) - { - // Only one record should be returned for this query - Results.last(); - if (results.getRow() <= 2) - { - data = processAccount(results); - } - else { // Handle the error – Database integrity issue } - } - else { // Handle the error – no records found } +public static String loadAccount() { + // Parser returns only valid string data + String accountID = getParser().getStringParameter(ACCT_ID, ""); + String data = null; + String query = "SELECT first_name, last_name, acct_id, balance FROM user_data WHERE acct_id = ?"; + try (Connection connection = null; + PreparedStatement statement = connection.prepareStatement(query)) { + statement.setString(1, accountID); + ResultSet results = statement.executeQuery(); + if (results != null && results.first()) { + results.last(); // Only one record should be returned for this query + if (results.getRow() <= 2) { + data = processAccount(results); + } else { + // Handle the error – Database integrity issue + } + } else { + // Handle the error – no records found } + } + } catch (SQLException sqle) { + // Log and handle the SQL Exception } + } + return data; } -catch (SQLException sqle) { // Log and handle the SQL Exception } -catch (Exception e) { // Log and handle the Exception } -finally { // Always close connection in 
finally block - DatabaseUtilities.closeConnection(); -} -return data; ------------------------------------------------------- diff --git a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_plan.adoc b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_plan.adoc index 2865b3d81..6fd7064aa 100644 --- a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_plan.adoc +++ b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_plan.adoc @@ -9,5 +9,4 @@ This lesson describes what is Structured Query Language (SQL) and how it can be * The user will demonstrate knowledge on: ** String SQL Injection ** Numeric SQL Injection -** Combining SQL Injection Techniques