From 083eb1b567cf0259127c8e09a8a4d9ca46207906 Mon Sep 17 00:00:00 2001
From: Max Geldner
Date: Sat, 3 Nov 2018 16:35:52 +0100
Subject: [PATCH] improved the description of the new sql injection mitigation assignments
---
 .../mitigation/SqlInjectionLesson10a.java | 2 +
 .../mitigation/SqlInjectionLesson10b.java | 2 +
 .../resources/i18n/WebGoatLabels.properties | 5 +++
 .../en/SqlInjection_jdbc_newcode.adoc | 44 ++++---------------
 4 files changed, 18 insertions(+), 35 deletions(-)
diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson10a.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson10a.java
index d2cfd9f85..512eb30d5 100644
--- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson10a.java
+++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson10a.java
@@ -3,6 +3,7 @@ package org.owasp.webgoat.plugin.mitigation;
 import lombok.SneakyThrows;
 import lombok.extern.slf4j.Slf4j;
 import org.owasp.webgoat.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.assignments.AssignmentHints;
 import org.owasp.webgoat.assignments.AssignmentPath;
 import org.owasp.webgoat.assignments.AttackResult;
 import org.owasp.webgoat.session.WebSession;
@@ -14,6 +15,7 @@ import org.springframework.web.bind.annotation.ResponseBody;
 
 @AssignmentPath("SqlInjection/attack10a")
 @Slf4j
+@AssignmentHints(value = {"SqlStringInjectionHint10a1", "SqlStringInjectionHint10a2"})
 public class SqlInjectionLesson10a extends AssignmentEndpoint {
 
 @Autowired
diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson10b.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson10b.java
index acd69175b..3467ba6ad 100644
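Review bot: The `value =` in the new `@AssignmentHints(value = {...})` line is redundant, because a lone `value` element can be given positionally; the same applies to the annotation added to SqlInjectionLesson10b in the next file. Suggest `@AssignmentHints({"SqlStringInjectionHint10a1", "SqlStringInjectionHint10a2"})`. The key strings presumably have to match the entries this commit adds to WebGoatLabels.properties, which they do, but nothing visible here checks that at compile time, so a typo on either side would likely surface only as a missing hint at runtime.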
--- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson10b.java
+++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson10b.java
@@ -2,6 +2,7 @@ package org.owasp.webgoat.plugin.mitigation;
 
 import lombok.SneakyThrows;
 import org.owasp.webgoat.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.assignments.AssignmentHints;
 import org.owasp.webgoat.assignments.AssignmentPath;
 import org.owasp.webgoat.assignments.AttackResult;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -18,6 +19,7 @@ import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
 @AssignmentPath("SqlInjection/attack10b")
+@AssignmentHints(value = {"SqlStringInjectionHint10b1", "SqlStringInjectionHint10b2", "SqlStringInjectionHint10b3"})
 public class SqlInjectionLesson10b extends AssignmentEndpoint {
 
 @RequestMapping(method = RequestMethod.POST)
diff --git a/webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties b/webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties
index 50c5d725a..6b8dc9f1f 100644
--- a/webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties
+++ b/webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties
@@ -25,6 +25,11 @@ SqlStringInjectionHint7=The new SQL Statement can be really simple like: SELECT
 SqlStringInjectionHint8=Your new SQL Query should start, with a " ; " and end with " -- "
 SqlStringInjectionHint9=Try sorting and look at the request
 SqlStringInjectionHint10=Intercept the request and try to specify a different order by
+SqlStringInjectionHint10a1=First establish a connection, after that you can create a statement.
+SqlStringInjectionHint10a2=For every datatype there is a method to insert values into a wildcard symbol in a statement.
+SqlStringInjectionHint10b1=A database connection has to be surrounded by a try-catch block to handle the very common case of an error while establishing the connection!
+SqlStringInjectionHint10b2=Remember to use the right kind of statement, so your code is no longer vulnerable for SQL-Injections!
+SqlStringInjectionHint10b3=The wildcard-symbol '?' in a prepared statement can be filled with the right kind of method. There exists one for every datatype!
 SqlStringInjectionHint11=Use for example "(case when (true) then hostname else id end)" in the order by and see what happens
 SqlStringInjectionHint12=Use for example "(case when (true) then hostname else id end)" in the order by and see what happens
diff --git a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_jdbc_newcode.adoc b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_jdbc_newcode.adoc
index 0530541ed..c1eab868c 100644
--- a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_jdbc_newcode.adoc
+++ b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_jdbc_newcode.adoc
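Review bot: SqlStringInjectionHint10a2 and SqlStringInjectionHint10b3 call the `?` a "wildcard symbol", but in JDBC it is a parameter marker (bind parameter); "wildcard" is the term for `%` and `_` in LIKE patterns, and the difference is the whole point of the lesson, since a bound value is sent as data and never interpreted as SQL text. Suggest `SqlStringInjectionHint10a2=For every datatype there is a setter method (setString, setInt, ...) that binds a value to a ? parameter marker in a prepared statement.` and `SqlStringInjectionHint10b3=The ? parameter marker in a prepared statement is filled with the setter method for the right datatype. There is one for every datatype!`. SqlStringInjectionHint10b1 presents the try-catch as the thing to get right, while the connection and statement also need to be closed; since the lesson code in the .adoc now omits the old finally block, a hint that names try-with-resources would keep that part of the earlier sample from being lost.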
@@ -1,43 +1,17 @@
 == Try it! Writing safe code
 
-Now it's time to write your own code!
+Now it's time to write your own code! Use JDBC to connect to a database and use a statement to request data from the database (the content of the statement doesn't matter, but make sure, that the SQL is valid). The SQL Statement should at least contain one string parameter. The content of the parameter is stored in the variable 'String content'. All code you write down below gets inserted into a main method of a java class with the name "TestClass". This class also imports java.sql.*. Use your knowledge and write the right code from scratch!
+For example; following coding would compile without any error.
+
 
 [source,java]
 -------------------------------------------------------
- Connection conn = null;
- PreparedStatement stmt = null;
- try{
- //STEP 1: Open a connection
- conn = DriverManager.getConnection("DBURL","DBUSER","DBPW");
-
- //STEP 2: Use the PreparedStatement
- stmt = conn.prepareStatement("SELECT id, first, last, age FROM Employees WHERE id=?");
- stmt.setString(1, "Hallo");
-
- //STEP 3: Clean-up environment
- stmt.close();
- conn.close();
- //STEP 4: catch Exceptions
- }catch(SQLException se){
- //Handle errors for JDBC
- se.printStackTrace();
- }catch(Exception e){
- //Handle errors for Class.forName
- e.printStackTrace();
- }finally{
- //finally block used to close resources
- try{
- if(stmt!=null)
- stmt.close();
- }catch(SQLException se2){
- }// nothing we can do
- try{
- if(conn!=null)
- conn.close();
- }catch(SQLException se){
- se.printStackTrace();
- }//end finally try
- }//end try
+try {
+ Connection conn = null;
+ System.out.println(conn); //should output 'null'
+} catch (Exception e) {
+ System.out.println("Oops. Something went wrong!");
+}
 -------------------------------------------------------