From 0740c4ba9506ca4ccd99c5ebbaee4da142a76383 Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Sun, 11 Jun 2017 22:12:53 +0200
Subject: [PATCH] Split large SQL lesson

---
 .../webgoat/plugin/SqlInjectionAdvanced.java  | 63 ++++++++++++++
 .../webgoat/plugin/SqlInjectionLesson6a.java  |  2 +-
 .../plugin/SqlInjectionMitigations.java       | 63 ++++++++++++++
 .../src/main/resources/html/SqlInjection.html | 74 ----------------
 .../resources/html/SqlInjectionAdvanced.html  | 85 +++++++++++++++++++
 .../html/SqlInjectionMitigation.html          | 85 +++++++++++++++++++
 .../resources/i18n/WebGoatLabels.properties   |  5 +-
 .../en/SqlInjectionAdvanced_plan.adoc         |  8 ++
 .../en/SqlInjection_content10.adoc            | 55 ++++++------
 .../lessonPlans/en/SqlInjection_plan.adoc     |  1 -
 10 files changed, 332 insertions(+), 109 deletions(-)
 create mode 100644 webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/SqlInjectionAdvanced.java
 create mode 100644 webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/SqlInjectionMitigations.java
 create mode 100644 webgoat-lessons/sql-injection/src/main/resources/html/SqlInjectionAdvanced.html
 create mode 100644 webgoat-lessons/sql-injection/src/main/resources/html/SqlInjectionMitigation.html
 create mode 100644 webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjectionAdvanced_plan.adoc

diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/SqlInjectionAdvanced.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/SqlInjectionAdvanced.java
new file mode 100644
index 000000000..5a8a28c25
--- /dev/null
+++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/SqlInjectionAdvanced.java
@@ -0,0 +1,63 @@
+package org.owasp.webgoat.plugin;
+
+import org.owasp.webgoat.lessons.Category;
+import org.owasp.webgoat.lessons.NewLesson;
+
+import java.util.ArrayList;
+import java.util.List;
+
+/**
+ * ************************************************************************************************
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ * please see http://www.owasp.org/
+ * <p>
+ * Copyright (c) 2002 - 20014 Bruce Mayhew
+ * <p>
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ * <p>
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ * <p>
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ * <p>
+ * Getting Source ==============
+ * <p>
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
+ * projects.
+ * <p>
+ *
+ * @author WebGoat
+ * @version $Id: $Id
+ * @since October 12, 2016
+ */
+public class SqlInjectionAdvanced extends NewLesson {
+    @Override
+    public Category getDefaultCategory() {
+        return Category.INJECTION;
+    }
+
+    @Override
+    public List<String> getHints() {
+        return new ArrayList<>();
+    }
+
+    @Override
+    public Integer getDefaultRanking() {
+        return 1;
+    }
+
+    @Override
+    public String getTitle() {
+        return "SQL Injection (advanced)";
+    }
+
+    @Override
+    public String getId() {
+        return "SqlInjectionAdvanced";
+    }
+}
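Review bot: `getDefaultRanking()` returns 1 here and in the new SqlInjectionMitigations lesson, so if the ranking is what orders lessons inside Category.INJECTION, the intro, advanced and mitigation SQL lessons will have no defined order in the menu; distinct values such as `return 2;` here and `return 3;` for the mitigations lesson would fix that (the original SqlInjection lesson's ranking is not visible in this patch). The class Javadoc was copied verbatim, including `Copyright (c) 2002 - 20014` and `@since October 12, 2016`, neither of which describes this file. `getHints()` could return `Collections.emptyList()` instead of a fresh mutable `ArrayList`, since the assignments carry their hints through `@AssignmentHints`.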
diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/SqlInjectionLesson6a.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/SqlInjectionLesson6a.java
index 90774c0e3..701e9a0e4 100644
--- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/SqlInjectionLesson6a.java
+++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/SqlInjectionLesson6a.java
@@ -48,7 +48,7 @@ import static org.owasp.webgoat.plugin.SqlInjectionLesson5a.writeTable;
  * @created October 28, 2003
  */
 @AssignmentPath("/SqlInjection/attack6a")
-@AssignmentHints(value = {"SqlStringInjectionHint5", "SqlStringInjectionHint6"})
+@AssignmentHints(value = {"SqlStringInjectionHint5", "SqlStringInjectionHint6", "SqlStringInjectionHint7"})
 public class SqlInjectionLesson6a extends AssignmentEndpoint {
 
     @RequestMapping(method = RequestMethod.POST)
diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/SqlInjectionMitigations.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/SqlInjectionMitigations.java
new file mode 100644
index 000000000..291d9c98f
--- /dev/null
+++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/SqlInjectionMitigations.java
@@ -0,0 +1,63 @@
+package org.owasp.webgoat.plugin;
+
+import org.owasp.webgoat.lessons.Category;
+import org.owasp.webgoat.lessons.NewLesson;
+
+import java.util.ArrayList;
+import java.util.List;
+
+/**
+ * ************************************************************************************************
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ * please see http://www.owasp.org/
+ * <p>
+ * Copyright (c) 2002 - 20014 Bruce Mayhew
+ * <p>
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ * <p>
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ * <p>
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ * <p>
+ * Getting Source ==============
+ * <p>
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
+ * projects.
+ * <p>
+ *
+ * @author WebGoat
+ * @version $Id: $Id
+ * @since October 12, 2016
+ */
+public class SqlInjectionMitigations extends NewLesson {
+    @Override
+    public Category getDefaultCategory() {
+        return Category.INJECTION;
+    }
+
+    @Override
+    public List<String> getHints() {
+        return new ArrayList<>();
+    }
+
+    @Override
+    public Integer getDefaultRanking() {
+        return 1;
+    }
+
+    @Override
+    public String getTitle() {
+        return "SQL Injection (mitigations)";
+    }
+
+    @Override
+    public String getId() {
+        return "SqlInjectionMitigations";
+    }
+}
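Review bot: `getId()` returns `"SqlInjectionMitigations"` while the template added by this patch is `html/SqlInjectionMitigation.html` (no trailing s); if the lesson page is resolved from the id, as the matching names of the other lessons suggest, this lesson will not find its HTML. Either rename the file to `SqlInjectionMitigations.html` or return `"SqlInjectionMitigation"` here so the two agree. The Javadoc header is copied unchanged, including `Copyright (c) 2002 - 20014` and `@since October 12, 2016`.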
diff --git a/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjection.html b/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjection.html
index 0cdcc1d49..bdbe8095e 100644
--- a/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjection.html
+++ b/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjection.html
@@ -71,78 +71,4 @@
     </div>
 </div>
 
-<div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:SqlInjection_content6.adoc"></div>
-</div>
-
-<div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:SqlInjection_content6a.adoc"></div>
-    <div class="attack-container">
-        <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
-        <form class="attack-form" accept-charset="UNKNOWN"
-              method="POST" name="form"
-              action="/WebGoat/SqlInjection/attack6a"
-              enctype="application/json;charset=UTF-8">
-            <table>
-                <tr>
-                    <td>Name:</td>
-                    <td><input name="userid_6a" value="" type="TEXT"/></td>
-                    <td><input
-                            name="Get Account Info" value="Get Account Info" type="SUBMIT"/></td>
-                    <td></td>
-                </tr>
-            </table>
-        </form>
-        <div class="attack-feedback"></div>
-        <div class="attack-output"></div>
-    </div>
-    <div class="attack-container">
-        <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
-        <form class="attack-form" accept-charset="UNKNOWN"
-              method="POST" name="form"
-              action="/WebGoat/SqlInjection/attack6b"
-              enctype="application/json;charset=UTF-8">
-            <table>
-                <tr>
-                    <td>Password:</td>
-                    <td><input name="userid_6b" value="" type="TEXT"/></td>
-                    <td><input
-                            name="Check Dave's Password:" value="Check Password" type="SUBMIT"/></td>
-                    <td></td>
-                </tr>
-            </table>
-        </form>
-        <div class="attack-feedback"></div>
-        <div class="attack-output"></div>
-    </div>
-
-</div>
-<div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:SqlInjection_content7.adoc"></div>
-</div>
-
-<div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:SqlInjection_content8.adoc"></div>
-</div>
-
-<div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:SqlInjection_content9.adoc"></div>
-</div>
-
-<div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:SqlInjection_content10.adoc"></div>
-</div>
-
-<div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:SqlInjection_content11.adoc"></div>
-</div>
-
-<div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:SqlInjection_content12.adoc"></div>
-</div>
-
-<div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:SqlInjection_content13.adoc"></div>
-</div>
-
 </html>
diff --git a/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjectionAdvanced.html b/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjectionAdvanced.html
new file mode 100644
index 000000000..3c4a1d6ec
--- /dev/null
+++ b/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjectionAdvanced.html
@@ -0,0 +1,85 @@
+<!DOCTYPE html>
+
+<html xmlns:th="http://www.thymeleaf.org">
+
+
+<div class="lesson-page-wrapper">
+    <div class="adoc-content" th:replace="doc:SqlInjectionAdvanced_plan.adoc"></div>
+</div>
+
+
+<div class="lesson-page-wrapper">
+    <div class="adoc-content" th:replace="doc:SqlInjection_content6.adoc"></div>
+</div>
+
+<div class="lesson-page-wrapper">
+    <div class="adoc-content" th:replace="doc:SqlInjection_content6a.adoc"></div>
+    <div class="attack-container">
+        <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
+        <form class="attack-form" accept-charset="UNKNOWN"
+              method="POST" name="form"
+              action="/WebGoat/SqlInjection/attack6a"
+              enctype="application/json;charset=UTF-8">
+            <table>
+                <tr>
+                    <td>Name:</td>
+                    <td><input name="userid_6a" value="" type="TEXT"/></td>
+                    <td><input
+                            name="Get Account Info" value="Get Account Info" type="SUBMIT"/></td>
+                    <td></td>
+                </tr>
+            </table>
+        </form>
+        <div class="attack-feedback"></div>
+        <div class="attack-output"></div>
+    </div>
+    <div class="attack-container">
+        <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
+        <form class="attack-form" accept-charset="UNKNOWN"
+              method="POST" name="form"
+              action="/WebGoat/SqlInjection/attack6b"
+              enctype="application/json;charset=UTF-8">
+            <table>
+                <tr>
+                    <td>Password:</td>
+                    <td><input name="userid_6b" value="" type="TEXT"/></td>
+                    <td><input
+                            name="Check Dave's Password:" value="Check Password" type="SUBMIT"/></td>
+                    <td></td>
+                </tr>
+            </table>
+        </form>
+        <div class="attack-feedback"></div>
+        <div class="attack-output"></div>
+    </div>
+
+</div>
+<div class="lesson-page-wrapper">
+    <div class="adoc-content" th:replace="doc:SqlInjection_content7.adoc"></div>
+</div>
+
+<div class="lesson-page-wrapper">
+    <div class="adoc-content" th:replace="doc:SqlInjection_content8.adoc"></div>
+</div>
+
+<div class="lesson-page-wrapper">
+    <div class="adoc-content" th:replace="doc:SqlInjection_content9.adoc"></div>
+</div>
+
+<div class="lesson-page-wrapper">
+    <div class="adoc-content" th:replace="doc:SqlInjection_content10.adoc"></div>
+</div>
+
+<div class="lesson-page-wrapper">
+    <div class="adoc-content" th:replace="doc:SqlInjection_content11.adoc"></div>
+</div>
+
+<div class="lesson-page-wrapper">
+    <div class="adoc-content" th:replace="doc:SqlInjection_content12.adoc"></div>
+</div>
+
+<div class="lesson-page-wrapper">
+    <div class="adoc-content" th:replace="doc:SqlInjection_content13.adoc"></div>
+</div>
+
+</html>
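Review bot: The trailing wrappers for `SqlInjection_content10.adoc` through `SqlInjection_content13.adoc` are mitigation material — content10 is the "Parameterized Queries – Java Example" shown later in this patch — so they presumably belong to the new mitigations lesson rather than to the advanced one; if so, the four last `lesson-page-wrapper` blocks should be dropped from this file. The two attack forms still carry `accept-charset="UNKNOWN"`, copied from the original page; it is not a valid charset value and the `enctype` already pins UTF-8, so the attribute can simply be removed.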
diff --git a/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjectionMitigation.html b/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjectionMitigation.html
new file mode 100644
index 000000000..3c4a1d6ec
--- /dev/null
+++ b/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjectionMitigation.html
@@ -0,0 +1,85 @@
+<!DOCTYPE html>
+
+<html xmlns:th="http://www.thymeleaf.org">
+
+
+<div class="lesson-page-wrapper">
+    <div class="adoc-content" th:replace="doc:SqlInjectionAdvanced_plan.adoc"></div>
+</div>
+
+
+<div class="lesson-page-wrapper">
+    <div class="adoc-content" th:replace="doc:SqlInjection_content6.adoc"></div>
+</div>
+
+<div class="lesson-page-wrapper">
+    <div class="adoc-content" th:replace="doc:SqlInjection_content6a.adoc"></div>
+    <div class="attack-container">
+        <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
+        <form class="attack-form" accept-charset="UNKNOWN"
+              method="POST" name="form"
+              action="/WebGoat/SqlInjection/attack6a"
+              enctype="application/json;charset=UTF-8">
+            <table>
+                <tr>
+                    <td>Name:</td>
+                    <td><input name="userid_6a" value="" type="TEXT"/></td>
+                    <td><input
+                            name="Get Account Info" value="Get Account Info" type="SUBMIT"/></td>
+                    <td></td>
+                </tr>
+            </table>
+        </form>
+        <div class="attack-feedback"></div>
+        <div class="attack-output"></div>
+    </div>
+    <div class="attack-container">
+        <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
+        <form class="attack-form" accept-charset="UNKNOWN"
+              method="POST" name="form"
+              action="/WebGoat/SqlInjection/attack6b"
+              enctype="application/json;charset=UTF-8">
+            <table>
+                <tr>
+                    <td>Password:</td>
+                    <td><input name="userid_6b" value="" type="TEXT"/></td>
+                    <td><input
+                            name="Check Dave's Password:" value="Check Password" type="SUBMIT"/></td>
+                    <td></td>
+                </tr>
+            </table>
+        </form>
+        <div class="attack-feedback"></div>
+        <div class="attack-output"></div>
+    </div>
+
+</div>
+<div class="lesson-page-wrapper">
+    <div class="adoc-content" th:replace="doc:SqlInjection_content7.adoc"></div>
+</div>
+
+<div class="lesson-page-wrapper">
+    <div class="adoc-content" th:replace="doc:SqlInjection_content8.adoc"></div>
+</div>
+
+<div class="lesson-page-wrapper">
+    <div class="adoc-content" th:replace="doc:SqlInjection_content9.adoc"></div>
+</div>
+
+<div class="lesson-page-wrapper">
+    <div class="adoc-content" th:replace="doc:SqlInjection_content10.adoc"></div>
+</div>
+
+<div class="lesson-page-wrapper">
+    <div class="adoc-content" th:replace="doc:SqlInjection_content11.adoc"></div>
+</div>
+
+<div class="lesson-page-wrapper">
+    <div class="adoc-content" th:replace="doc:SqlInjection_content12.adoc"></div>
+</div>
+
+<div class="lesson-page-wrapper">
+    <div class="adoc-content" th:replace="doc:SqlInjection_content13.adoc"></div>
+</div>
+
+</html>
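Review bot: This file is byte-identical to SqlInjectionAdvanced.html (both carry blob index 3c4a1d6ec): it pulls in `SqlInjectionAdvanced_plan.adoc`, `SqlInjection_content6.adoc` to `content9.adoc` and the two attack forms posting to `/WebGoat/SqlInjection/attack6a` and `attack6b`, so the mitigations lesson presents the union-injection assignments a second time and the same assignment becomes solvable from two lessons. A mitigations page should carry its own plan page (this patch adds none for it) and only the mitigation content pages, content10 to content13, with no attack containers; the first `th:replace` would then read `doc:SqlInjectionMitigations_plan.adoc` once that file exists.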
diff --git a/webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties b/webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties
index e63a9fb5c..52cc02fe2 100644
--- a/webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties
+++ b/webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties
@@ -6,8 +6,9 @@ SqlStringInjectionHint1=The application is taking your input and inserting it at
 SqlStringInjectionHint2=This is the code for the query being built and issued by WebGoat:<br><br> "SELECT * FROM user_data WHERE last_name = "accountName"
 SqlStringInjectionHint3=Compound SQL statements can be made by joining multiple tests with keywords like AND and OR. Try appending a SQL statement that always resolves to true
 SqlStringInjectionHint4=Try entering [ smith' OR '1' = '1 ].
-SqlStringInjectionHint5=Try adding a union to the query, the number of columns should match.
-SqlStringInjectionHint6=Try entering [ Smith' union select userid,user_name, password,cookie,cookie, cookie,userid from user_system_data -- ].
+SqlStringInjectionHint5=First try to find out the number of columns by adding a group by 1,2,3 etc to the query.
+SqlStringInjectionHint6=Try adding a union to the query, the number of columns should match.
+SqlStringInjectionHint7=Try entering [ Smith' union select userid,user_name, password,cookie,cookie, cookie,userid from user_system_data -- ].
 
 sql-injection.5a.success=You have succeed: {0}
 sql-injection.5a.no.results=No results matched. Try Again.
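Review bot: The new Hint5 tells the learner to count columns with `group by 1,2,3`, which only works where the database accepts ordinal positions in GROUP BY; that is engine-specific, and the lesson's backing database is not visible in this patch. Probing with `ORDER BY 1`, `ORDER BY 2`, … until the query errors is the portable technique and matches the union payload in Hint7 (7 columns), so consider `SqlStringInjectionHint5=First try to find out the number of columns by appending ORDER BY 1, ORDER BY 2, ... until the query fails.` Hint7 also capitalises `Smith` while Hint4 uses `smith`; harmless if the comparison is case-insensitive, but worth aligning.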
diff --git a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjectionAdvanced_plan.adoc b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjectionAdvanced_plan.adoc
new file mode 100644
index 000000000..c9a75b8a6
--- /dev/null
+++ b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjectionAdvanced_plan.adoc
@@ -0,0 +1,8 @@
+== Concept 
+
+This lesson describes the more advanced topics for an SQL injection.
+
+== Goals
+
+** Combining SQL Injection Techniques
+** Blind SQL injection
diff --git a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content10.adoc b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content10.adoc
index c0ad3d455..2e4a775d1 100644
--- a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content10.adoc
+++ b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content10.adoc
@@ -1,35 +1,28 @@
 == Parameterized Queries – Java Example
+[source,java]
 -------------------------------------------------------
-// Parser returns only valid string data
-String accountID = getParser().getStringParameter(ACCT_ID, "");
-String data = null;
-try
-{
-    // Read only database connection
-    Statement connection = DatabaseUtilities.getConnection(READ_ONLY);
-     
-    // Build a fully qualified query
-    String query = "SELECT first_name, last_name, acct_id, balance
-                    FROM user_data WHERE acct_id = ?";
-    PreparedStatement statement = connection.prepareStatement(query);
-    statement.setString(1, accountID);
-    ResultSet results = statement.executeQuery();
-    if ((results != null) && (results.first() == true))
-    {
-        // Only one record should be returned for this query
-        Results.last();
-        if (results.getRow() <= 2)
-        {
-            data = processAccount(results);
-        }
-        else { // Handle the error – Database integrity issue }
-    }
-    else { // Handle the error – no records found }
+public static String loadAccount() {
+  // Parser returns only valid string data
+  String accountID = getParser().getStringParameter(ACCT_ID, "");
+  String data = null;
+  String query = "SELECT first_name, last_name, acct_id, balance FROM user_data WHERE acct_id = ?";
+  try (Connection connection = null;
+       PreparedStatement statement = connection.prepareStatement(query)) {
+     statement.setString(1, accountID);
+     ResultSet results = statement.executeQuery();
+     if (results != null && results.first()) {
+       results.last(); // Only one record should be returned for this query
+       if (results.getRow() <= 2) {
+         data = processAccount(results);
+       } else {
+         // Handle the error – Database integrity issue
+       }
+     } else {
+       // Handle the error – no records found }
+     }
+  } catch (SQLException sqle) {
+    // Log and handle the SQL Exception }
+  }
+  return data;
 }
-catch (SQLException sqle) { // Log and handle the SQL Exception }
-catch (Exception e) { // Log and handle the Exception }
-finally { // Always close connection in finally block
-    DatabaseUtilities.closeConnection();
-}
-return data;	
 -------------------------------------------------------
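Review bot: The rewritten example opens its try-with-resources with `Connection connection = null;`, so `connection.prepareStatement(query)` on the next line throws a NullPointerException — as the parameterized-query mitigation sample it cannot run as shown; the previous version obtained the connection via `DatabaseUtilities.getConnection(READ_ONLY)`, and restoring that, e.g. `try (Connection connection = DatabaseUtilities.getConnection(READ_ONLY);`, also keeps the read-only intent the comment used to state. The comments on the `no records found` and `SQLException` branches end with a stray `}` left over from the old one-line form; the real closing braces follow on the next lines, so the extra ones only confuse readers counting braces.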
diff --git a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_plan.adoc b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_plan.adoc
index 2865b3d81..6fd7064aa 100644
--- a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_plan.adoc
+++ b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_plan.adoc
@@ -9,5 +9,4 @@ This lesson describes what is Structured Query Language (SQL) and how it can be
 * The user will demonstrate knowledge on:
 ** String SQL Injection
 ** Numeric SQL Injection
-** Combining SQL Injection Techniques