dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Reworked and polished assignment 8 and 9 (C and I)

Browse Source
This commit is contained in:
Benedikt - Desktop
2018-11-06 17:44:26 +01:00
committed by Nanne Baars
parent cd3f7ea924
commit 1bcddaf710
6 changed files with 73 additions and 59 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
webgoat-lessons/sql-injection/src/main/resources/css/assignments.css
View File

@ -1,7 +1,7 @@
.attack-feedback {
.feedback-positive {
color: green;
}
.attack-feedback table {
color: black;
.feedback-negative {
color: red;
}

19
webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties
View File

@ -5,10 +5,11 @@ EnterLastName=Enter your last name:
sql.injection.title=SQL Injection (introduction)
sql.mitigation.title=SQL Injection (mitigation)
sql.advanced.title=SQL Injection (advanced)
SqlInjectionChallenge1=Look at the different response you receive from the server
SqlInjectionChallenge2=The vulnerability is on the register form
SqlInjectionChallenge3=Use tooling to automate this attack
sql-injection.error=<span class='feedback-negative'>Sorry, this solution is not correct. Try again!</span>
NoResultsMatched=No results matched. Try Again.
SqlStringInjectionHint6=Try Appending a new SQL Statement to the Query.
@ -36,10 +37,10 @@ sql-injection.6a.no.results=No results matched. Try Again.
sql-injection.6b.success=You have succeeded: {0}
sql-injection.6b.no.results=No results matched. Try Again.
sql-injection.8.success=You have succeeded! You successfully compromised the confidentiality of data by viewing internal information that you should not have access to. Well done! {0}
sql-injection.8.no.results=No employee found with matching lastname. Or maybe your authentication TAN is incorrect?
sql-injection.9.success=Well done! Now you're earning the most money. And at the same time you successfully compromised the integrity of data by changing the salary! {0}
sql-injection.10.success=Success! You successfully deleted the access_log table and that way compromised the availability of the data.
sql-injection.8.success=<span class='feedback-positive'>You have succeeded! You successfully compromised the confidentiality of data by viewing internal information that you should not have access to. Well done!</span>
sql-injection.8.no.results=<span class='feedback-negative'>No employee found with matching lastname. Or maybe your authentication TAN is incorrect?</span>
sql-injection.8.one=<span class='feedback-negative'>That's only one account. You want them all! Try again.</span>
SqlStringInjectionHint8-1=The application is taking your input and inserting the values into the variables 'name' and 'auth_tan' of the pre-formed SQL command.
SqlStringInjectionHint8-2=Compound SQL statements can be made by expanding the WHERE clause of the statement with keywords like AND and OR.
@ -47,12 +48,20 @@ SqlStringInjectionHint8-3=Try appending a SQL statement that always resolves to
SqlStringInjectionHint8-4=Make sure all quotes (" ' ") are opened and closed properly so the resulting SQL query is syntactically correct.
SqlStringInjectionHint8-5=Try extending the WHERE clause of the statement by adding something like: ' OR '1' = '1.
sql-injection.9.success=<span class='feedback-positive'>Well done! Now you're earning the most money. And at the same time you successfully compromised the integrity of data by changing the salary!</span>
sql-injection.9.one=<span class='feedback-negative'>Still not earning enough! Better try again and change that.</span>
SqlStringInjectionHint9-1=Try to find a way, to chain another query to the end of the existing one.
SqlStringInjectionHint9-2=Use the ; metacharacter to do so.
SqlStringInjectionHint9-3=Make use of DML to change your salary.
SqlStringInjectionHint9-4=Make sure that the resulting query is syntactically correct.
SqlStringInjectionHint9-5=How about something like '; UPDATE employees....
sql-injection.10.success=<span class='feedback-positive'>Success! You successfully deleted the access_log table and that way compromised the availability of the data.</span>
sql-injection.10.entries=<span class='feedback-negative'>There's still evidence of what you did. Better remove the whole table.</span>
SqlStringInjectionHint10-1=Use the techniques that you have learned before.
SqlStringInjectionHint10-2=The application takes your input and filters for entries that are LIKE it.
SqlStringInjectionHint10-3=Try query chaining to reach the goal.