improved the description of the new sql injection mitigation assignments

2018-11-03 16:35:52 +01:00 · 2018-11-03 16:35:52 +01:00 · 083eb1b567
commit 083eb1b567
parent d2a2716a9a
4 changed files with 18 additions and 35 deletions
--- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson10a.java
+++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson10a.java
@ -3,6 +3,7 @@ package org.owasp.webgoat.plugin.mitigation;
 import lombok.SneakyThrows;
 import lombok.extern.slf4j.Slf4j;
 import org.owasp.webgoat.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.assignments.AssignmentHints;
 import org.owasp.webgoat.assignments.AssignmentPath;
 import org.owasp.webgoat.assignments.AttackResult;
 import org.owasp.webgoat.session.WebSession;
@ -14,6 +15,7 @@ import org.springframework.web.bind.annotation.ResponseBody;

@AssignmentPath("SqlInjection/attack10a")
@Slf4j
+@AssignmentHints(value = {"SqlStringInjectionHint10a1", "SqlStringInjectionHint10a2"})
 public class SqlInjectionLesson10a extends AssignmentEndpoint {

    @Autowired
--- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson10b.java
+++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson10b.java
@ -2,6 +2,7 @@ package org.owasp.webgoat.plugin.mitigation;

 import lombok.SneakyThrows;
 import org.owasp.webgoat.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.assignments.AssignmentHints;
 import org.owasp.webgoat.assignments.AssignmentPath;
 import org.owasp.webgoat.assignments.AttackResult;
 import org.springframework.web.bind.annotation.RequestMapping;
@ -18,6 +19,7 @@ import java.util.regex.Matcher;
 import java.util.regex.Pattern;

@AssignmentPath("SqlInjection/attack10b")
+@AssignmentHints(value = {"SqlStringInjectionHint10b1", "SqlStringInjectionHint10b2", "SqlStringInjectionHint10b3"})
 public class SqlInjectionLesson10b extends AssignmentEndpoint {

    @RequestMapping(method = RequestMethod.POST)
--- a/webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties
+++ b/webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties
@ -25,6 +25,11 @@ SqlStringInjectionHint7=The new SQL Statement can be really simple like: SELECT
 SqlStringInjectionHint8=Your new SQL Query should start, with a " ; " and end with " -- "
 SqlStringInjectionHint9=Try sorting and look at the request
 SqlStringInjectionHint10=Intercept the request and try to specify a different order by
+SqlStringInjectionHint10a1=First establish a connection, after that you can create a statement.
+SqlStringInjectionHint10a2=For every datatype there is a method to insert values into a wildcard symbol in a statement.
+SqlStringInjectionHint10b1=A database connection has to be surrounded by a try-catch block to handle the very common case of an error while establishing the connection!
+SqlStringInjectionHint10b2=Remember to use the right kind of statement, so your code is no longer vulnerable for SQL-Injections!
+SqlStringInjectionHint10b3=The wildcard-symbol '?' in a prepared statement can be filled with the right kind of method. There exists one for every datatype!
 SqlStringInjectionHint11=Use for example "(case when (true) then hostname else id end)" in the order by and see what happens
 SqlStringInjectionHint12=Use for example "(case when (true) then hostname else id end)" in the order by and see what happens

--- a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_jdbc_newcode.adoc
+++ b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_jdbc_newcode.adoc
@ -1,43 +1,17 @@
 == Try it! Writing safe code

-Now it's time to write your own code!
+Now it's time to write your own code! Use JDBC to connect to a database and use a statement to request data from the database (the content of the statement doesn't matter, but make sure, that the SQL is valid). The SQL Statement should at least contain one string parameter. The content of the parameter is stored in the variable 'String content'.

 All code you write down below gets inserted into a main method of a java class with the name "TestClass". This class also imports java.sql.*. Use your knowledge and write the right code from scratch!

+For example; following coding would compile without any error.
+
 [source,java]
 -------------------------------------------------------
+try {
    Connection conn = null;
- PreparedStatement stmt = null;
- try{
-    //STEP 1: Open a connection
-    conn = DriverManager.getConnection("DBURL","DBUSER","DBPW");
-
-    //STEP 2: Use the PreparedStatement
-    stmt = conn.prepareStatement("SELECT id, first, last, age FROM Employees WHERE id=?");
-    stmt.setString(1, "Hallo");
-
-    //STEP 3: Clean-up environment
-    stmt.close();
-    conn.close();
-    //STEP 4: catch Exceptions
- }catch(SQLException se){
-    //Handle errors for JDBC
-    se.printStackTrace();
+    System.out.println(conn);   //should output 'null'
 } catch (Exception e) {
-    //Handle errors for Class.forName
-    e.printStackTrace();
- }finally{
-    //finally block used to close resources
-    try{
-       if(stmt!=null)
-          stmt.close();
-    }catch(SQLException se2){
-    }// nothing we can do
-    try{
-       if(conn!=null)
-          conn.close();
-    }catch(SQLException se){
-       se.printStackTrace();
-    }//end finally try
- }//end try
+    System.out.println("Oops. Something went wrong!");
+}
 -------------------------------------------------------