Improved the description of the new SQL injection mitigation assignments
		| @ -3,6 +3,7 @@ package org.owasp.webgoat.plugin.mitigation; | |||||||
| import lombok.SneakyThrows; | import lombok.SneakyThrows; | ||||||
| import lombok.extern.slf4j.Slf4j; | import lombok.extern.slf4j.Slf4j; | ||||||
| import org.owasp.webgoat.assignments.AssignmentEndpoint; | import org.owasp.webgoat.assignments.AssignmentEndpoint; | ||||||
|  | import org.owasp.webgoat.assignments.AssignmentHints; | ||||||
| import org.owasp.webgoat.assignments.AssignmentPath; | import org.owasp.webgoat.assignments.AssignmentPath; | ||||||
| import org.owasp.webgoat.assignments.AttackResult; | import org.owasp.webgoat.assignments.AttackResult; | ||||||
| import org.owasp.webgoat.session.WebSession; | import org.owasp.webgoat.session.WebSession; | ||||||
| @ -14,6 +15,7 @@ import org.springframework.web.bind.annotation.ResponseBody; | |||||||
|  |  | ||||||
| @AssignmentPath("SqlInjection/attack10a") | @AssignmentPath("SqlInjection/attack10a") | ||||||
| @Slf4j | @Slf4j | ||||||
|  | @AssignmentHints(value = {"SqlStringInjectionHint10a1", "SqlStringInjectionHint10a2"}) | ||||||
| public class SqlInjectionLesson10a extends AssignmentEndpoint { | public class SqlInjectionLesson10a extends AssignmentEndpoint { | ||||||
|  |  | ||||||
|     @Autowired |     @Autowired | ||||||
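Review bot: The keys handed to the new `@AssignmentHints` annotation are plain string literals that presumably are resolved against the lesson's properties bundle at runtime, so a mismatch with the keys added in that bundle would not fail compilation and would only show up as a missing hint when the lesson runs. The same applies to the three keys on the SqlInjectionLesson10b annotation in the next file section. A one-line comment above the annotation, `// keys must match the SqlStringInjectionHint10a* entries in the lesson's hint properties`, would point the next maintainer at the place both sides have to be kept in step. The class body continues outside the hunk.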
| @ -2,6 +2,7 @@ package org.owasp.webgoat.plugin.mitigation; | |||||||
|  |  | ||||||
| import lombok.SneakyThrows; | import lombok.SneakyThrows; | ||||||
| import org.owasp.webgoat.assignments.AssignmentEndpoint; | import org.owasp.webgoat.assignments.AssignmentEndpoint; | ||||||
|  | import org.owasp.webgoat.assignments.AssignmentHints; | ||||||
| import org.owasp.webgoat.assignments.AssignmentPath; | import org.owasp.webgoat.assignments.AssignmentPath; | ||||||
| import org.owasp.webgoat.assignments.AttackResult; | import org.owasp.webgoat.assignments.AttackResult; | ||||||
| import org.springframework.web.bind.annotation.RequestMapping; | import org.springframework.web.bind.annotation.RequestMapping; | ||||||
| @ -18,6 +19,7 @@ import java.util.regex.Matcher; | |||||||
| import java.util.regex.Pattern; | import java.util.regex.Pattern; | ||||||
|  |  | ||||||
| @AssignmentPath("SqlInjection/attack10b") | @AssignmentPath("SqlInjection/attack10b") | ||||||
|  | @AssignmentHints(value = {"SqlStringInjectionHint10b1", "SqlStringInjectionHint10b2", "SqlStringInjectionHint10b3"}) | ||||||
| public class SqlInjectionLesson10b extends AssignmentEndpoint { | public class SqlInjectionLesson10b extends AssignmentEndpoint { | ||||||
|  |  | ||||||
|     @RequestMapping(method = RequestMethod.POST) |     @RequestMapping(method = RequestMethod.POST) | ||||||
| @ -25,6 +25,11 @@ SqlStringInjectionHint7=The new SQL Statement can be really simple like: SELECT | |||||||
| SqlStringInjectionHint8=Your new SQL Query should start, with a " ; " and end with " -- " | SqlStringInjectionHint8=Your new SQL Query should start, with a " ; " and end with " -- " | ||||||
| SqlStringInjectionHint9=Try sorting and look at the request | SqlStringInjectionHint9=Try sorting and look at the request | ||||||
| SqlStringInjectionHint10=Intercept the request and try to specify a different order by | SqlStringInjectionHint10=Intercept the request and try to specify a different order by | ||||||
|  | SqlStringInjectionHint10a1=First establish a connection, after that you can create a statement. | ||||||
|  | SqlStringInjectionHint10a2=For every datatype there is a method to insert values into a wildcard symbol in a statement. | ||||||
|  | SqlStringInjectionHint10b1=A database connection has to be surrounded by a try-catch block to handle the very common case of an error while establishing the connection! | ||||||
|  | SqlStringInjectionHint10b2=Remember to use the right kind of statement, so your code is no longer vulnerable for SQL-Injections! | ||||||
|  | SqlStringInjectionHint10b3=The wildcard-symbol '?' in a prepared statement can be filled with the right kind of method. There exists one for every datatype! | ||||||
| SqlStringInjectionHint11=Use for example "(case when (true) then hostname else id end)" in the order by and see what happens | SqlStringInjectionHint11=Use for example "(case when (true) then hostname else id end)" in the order by and see what happens | ||||||
| SqlStringInjectionHint12=Use for example "(case when (true) then hostname else id end)" in the order by and see what happens | SqlStringInjectionHint12=Use for example "(case when (true) then hostname else id end)" in the order by and see what happens | ||||||
|  |  | ||||||
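Review bot: SqlStringInjectionHint10b1 presents a try-catch block as the thing to get right, but for the mitigation lesson releasing the connection and statement matters as much as catching the connect failure, which the hint does not mention; wording such as `SqlStringInjectionHint10b1=Open the connection and the statement in a try-with-resources block so they are always closed, and catch the SQLException that connecting can throw.` would cover both. SqlStringInjectionHint10a2 and SqlStringInjectionHint10b3 call '?' a wildcard symbol, which is easy to confuse with the LIKE wildcards; in JDBC it is a parameter marker bound with a typed setter, e.g. `SqlStringInjectionHint10b3=The placeholder '?' in a prepared statement is filled with the setter for the right datatype, such as setString or setInt.` These are wording changes only and keep the keys as added.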
| @ -1,43 +1,17 @@ | |||||||
| == Try it! Writing safe code | == Try it! Writing safe code | ||||||
|  |  | ||||||
| Now it's time to write your own code! | Now it's time to write your own code! Use JDBC to connect to a database and use a statement to request data from the database (the content of the statement doesn't matter, but make sure, that the SQL is valid). The SQL Statement should at least contain one string parameter. The content of the parameter is stored in the variable 'String content'. | ||||||
|  |  | ||||||
| All code you write down below gets inserted into a main method of a java class with the name "TestClass". This class also imports java.sql.*. Use your knowledge and write the right code from scratch! | All code you write down below gets inserted into a main method of a java class with the name "TestClass". This class also imports java.sql.*. Use your knowledge and write the right code from scratch! | ||||||
|  |  | ||||||
|  | For example; following coding would compile without any error. | ||||||
|  |  | ||||||
| [source,java] | [source,java] | ||||||
| ------------------------------------------------------- | ------------------------------------------------------- | ||||||
|  | try { | ||||||
|     Connection conn = null; |     Connection conn = null; | ||||||
|  PreparedStatement stmt = null; |     System.out.println(conn);   //should output 'null' | ||||||
|  try{ |  | ||||||
|     //STEP 1: Open a connection |  | ||||||
|     conn = DriverManager.getConnection("DBURL","DBUSER","DBPW"); |  | ||||||
|  |  | ||||||
|     //STEP 2: Use the PreparedStatement |  | ||||||
|     stmt = conn.prepareStatement("SELECT id, first, last, age FROM Employees WHERE id=?"); |  | ||||||
|     stmt.setString(1, "Hallo"); |  | ||||||
|  |  | ||||||
|     //STEP 3: Clean-up environment |  | ||||||
|     stmt.close(); |  | ||||||
|     conn.close(); |  | ||||||
|     //STEP 4: catch Exceptions |  | ||||||
|  }catch(SQLException se){ |  | ||||||
|     //Handle errors for JDBC |  | ||||||
|     se.printStackTrace(); |  | ||||||
| } catch (Exception e) { | } catch (Exception e) { | ||||||
|     //Handle errors for Class.forName |     System.out.println("Oops. Something went wrong!"); | ||||||
|     e.printStackTrace(); | } | ||||||
|  }finally{ |  | ||||||
|     //finally block used to close resources |  | ||||||
|     try{ |  | ||||||
|        if(stmt!=null) |  | ||||||
|           stmt.close(); |  | ||||||
|     }catch(SQLException se2){ |  | ||||||
|     }// nothing we can do |  | ||||||
|     try{ |  | ||||||
|        if(conn!=null) |  | ||||||
|           conn.close(); |  | ||||||
|     }catch(SQLException se){ |  | ||||||
|        se.printStackTrace(); |  | ||||||
|     }//end finally try |  | ||||||
|  }//end try |  | ||||||
| ------------------------------------------------------- | ------------------------------------------------------- | ||||||