Reworked and polished assignment 8 and 9 (C and I)
					committed by
					
						 Nanne Baars
						Nanne Baars
					
				
			
			
				
	
			
			
			
						parent
						
							cd3f7ea924
						
					
				
				
					commit
					1bcddaf710
				
			| @ -1007,7 +1007,7 @@ public class CreateDB { | |||||||
|                     + "first_name varchar(20)," |                     + "first_name varchar(20)," | ||||||
|                     + "last_name varchar(20)," |                     + "last_name varchar(20)," | ||||||
|                     + "department varchar(20)," |                     + "department varchar(20)," | ||||||
|                     + "salary varchar(10)," |                     + "salary int," | ||||||
|                     + "auth_tan varchar(6)" |                     + "auth_tan varchar(6)" | ||||||
|                     + ")"; |                     + ")"; | ||||||
|             statement.executeUpdate(createTableStatement); |             statement.executeUpdate(createTableStatement); | ||||||
| @ -1016,11 +1016,11 @@ public class CreateDB { | |||||||
|         } |         } | ||||||
|  |  | ||||||
|         // Populate |         // Populate | ||||||
|         String insertData1 = "INSERT INTO employees VALUES ('32147','Paulina',  'Travers', 'Accounting',  '$46.000', 'P45JSI')"; |         String insertData1 = "INSERT INTO employees VALUES ('32147','Paulina',  'Travers', 'Accounting',  46000, 'P45JSI')"; | ||||||
|         String insertData2 = "INSERT INTO employees VALUES ('89762','Tobi',     'Barnett', 'Development', '$77.000', 'TA9LL1')"; |         String insertData2 = "INSERT INTO employees VALUES ('89762','Tobi',     'Barnett', 'Development', 77000, 'TA9LL1')"; | ||||||
|         String insertData3 = "INSERT INTO employees VALUES ('96134','Bob',      'Franco',  'Marketing',   '$83.700', 'LO9S2V')"; |         String insertData3 = "INSERT INTO employees VALUES ('96134','Bob',      'Franco',  'Marketing',   83700, 'LO9S2V')"; | ||||||
|         String insertData4 = "INSERT INTO employees VALUES ('34477','Abraham ', 'Holman',  'Development', '$50.000', 'UU2ALK')"; |         String insertData4 = "INSERT INTO employees VALUES ('34477','Abraham ', 'Holman',  'Development', 50000, 'UU2ALK')"; | ||||||
|         String insertData5 = "INSERT INTO employees VALUES ('37648','John',     'Smith',   'Marketing',   '$64.350', '3SL99A')"; |         String insertData5 = "INSERT INTO employees VALUES ('37648','John',     'Smith',   'Marketing',   64350, '3SL99A')"; | ||||||
|         statement.executeUpdate(insertData1); |         statement.executeUpdate(insertData1); | ||||||
|         statement.executeUpdate(insertData2); |         statement.executeUpdate(insertData2); | ||||||
|         statement.executeUpdate(insertData3); |         statement.executeUpdate(insertData3); | ||||||
|  | |||||||
| @ -25,23 +25,20 @@ public class SqlInjectionLesson10 extends AssignmentEndpoint { | |||||||
|     } |     } | ||||||
|  |  | ||||||
|     protected AttackResult injectableQueryAvailability(String action) { |     protected AttackResult injectableQueryAvailability(String action) { | ||||||
|         try { |         StringBuffer output = new StringBuffer(); | ||||||
|             Connection connection = DatabaseUtilities.getConnection(getWebSession()); |  | ||||||
|         String query = "SELECT * FROM access_log WHERE action LIKE '%" + action + "%'"; |         String query = "SELECT * FROM access_log WHERE action LIKE '%" + action + "%'"; | ||||||
|  |  | ||||||
|             StringBuffer output = new StringBuffer(); |         try { | ||||||
|  |             Connection connection = DatabaseUtilities.getConnection(getWebSession()); | ||||||
|  |  | ||||||
|             try { |             try { | ||||||
|                 Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY); |                 Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY); | ||||||
|                 ResultSet results = statement.executeQuery(query); |                 ResultSet results = statement.executeQuery(query); | ||||||
|  |  | ||||||
|                 if ((results != null) && (results.first())) { |                 if (results.getStatement() != null && results.first()) { | ||||||
|                     ResultSetMetaData resultsMetaData = results.getMetaData(); |                     output.append(SqlInjectionLesson8.generateTable(results)); | ||||||
|  |  | ||||||
|                     output.append(SqlInjectionLesson8.generateTable(results, resultsMetaData)); |  | ||||||
|                     results.last(); |                     results.last(); | ||||||
|  |                     return trackProgress(failed().feedback("sql-injection.10.entries").output(output.toString()).build()); | ||||||
|                     return trackProgress(failed().output(output.toString()).build()); |  | ||||||
|                 } else { |                 } else { | ||||||
|                     if (tableExists(connection)) { |                     if (tableExists(connection)) { | ||||||
|                         return trackProgress(failed().output(output.toString()).build()); |                         return trackProgress(failed().output(output.toString()).build()); | ||||||
| @ -52,7 +49,7 @@ public class SqlInjectionLesson10 extends AssignmentEndpoint { | |||||||
|                 } |                 } | ||||||
|             } catch (SQLException e) { |             } catch (SQLException e) { | ||||||
|                 if (tableExists(connection)) { |                 if (tableExists(connection)) { | ||||||
|                     return trackProgress(failed().output(output.toString()).build()); |                     return trackProgress(failed().output("<span class='feedback-negative'>" + e.getMessage() + "</span><br>" + output.toString()).build()); | ||||||
|                 } |                 } | ||||||
|                 else { |                 else { | ||||||
|                     return trackProgress(success().feedback("sql-injection.10.success").build()); |                     return trackProgress(success().feedback("sql-injection.10.success").build()); | ||||||
| @ -60,7 +57,7 @@ public class SqlInjectionLesson10 extends AssignmentEndpoint { | |||||||
|             } |             } | ||||||
|  |  | ||||||
|         } catch (Exception e) { |         } catch (Exception e) { | ||||||
|             return trackProgress(failed().output(this.getClass().getName() + " : " + e.getMessage()).build()); |             return trackProgress(failed().output("<span class='feedback-negative'>" + e.getMessage() + "</span>").build()); | ||||||
|         } |         } | ||||||
|     } |     } | ||||||
|  |  | ||||||
|  | |||||||
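Review bot: The new handlers at `catch (SQLException e)` and `catch (Exception e)` in `injectableQueryAvailability` splice `e.getMessage()` straight into HTML; for a query built from the `action` parameter the driver's message typically echoes the offending SQL fragment, so whatever the user typed is reflected unescaped into the lesson output. Escape the message before wrapping it, e.g. `"<span class='feedback-negative'>" + HtmlUtils.htmlEscape(e.getMessage()) + "</span>"` (Spring's HtmlUtils if this module already has it on the classpath, otherwise whichever HTML escaper is in scope). The same concatenation is introduced in the SQLException and Exception handlers of SqlInjectionLesson8 and SqlInjectionLesson9 in this commit. Separately, the Statement and ResultSet created at `connection.createStatement(...)` are never closed on any return path; `try (Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY); ResultSet results = statement.executeQuery(query)) {` would release them.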
| @ -27,68 +27,75 @@ public class SqlInjectionLesson8 extends AssignmentEndpoint { | |||||||
|     } |     } | ||||||
|  |  | ||||||
|     protected AttackResult injectableQueryConfidentiality(String name, String auth_tan) { |     protected AttackResult injectableQueryConfidentiality(String name, String auth_tan) { | ||||||
|  |         StringBuffer output = new StringBuffer(); | ||||||
|  |         String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'"; | ||||||
|  |  | ||||||
|         try { |         try { | ||||||
|             Connection connection = DatabaseUtilities.getConnection(getWebSession()); |             Connection connection = DatabaseUtilities.getConnection(getWebSession()); | ||||||
|             String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'"; |  | ||||||
|  |  | ||||||
|             try { |             try { | ||||||
|                 Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY); |                 Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY); | ||||||
|                 log(connection, query); |                 log(connection, query); | ||||||
|                 ResultSet results = statement.executeQuery(query); |                 ResultSet results = statement.executeQuery(query); | ||||||
|  |  | ||||||
|                 if ((results != null) && (results.first())) { |                 if (results.getStatement() != null) { | ||||||
|                     ResultSetMetaData resultsMetaData = results.getMetaData(); |                     if (results.first()) { | ||||||
|                     StringBuffer output = new StringBuffer(); |                         output.append(generateTable(results)); | ||||||
|  |  | ||||||
|                     output.append(generateTable(results, resultsMetaData)); |  | ||||||
|                         results.last(); |                         results.last(); | ||||||
|  |  | ||||||
|                     // If they get back more than one user they succeeded |  | ||||||
|                         if (results.getRow() > 1) { |                         if (results.getRow() > 1) { | ||||||
|                         return trackProgress(success().feedback("sql-injection.8.success").feedbackArgs(output.toString()).build()); |                             // more than one record, the user succeeded | ||||||
|  |                             return trackProgress(success().feedback("sql-injection.8.success").output(output.toString()).build()); | ||||||
|                         } else { |                         } else { | ||||||
|                         return trackProgress(failed().output(output.toString()).build()); |                             // only one record | ||||||
|  |                             return trackProgress(failed().feedback("sql-injection.8.one").output(output.toString()).build()); | ||||||
|                         } |                         } | ||||||
|  |  | ||||||
|                     } else { |                     } else { | ||||||
|  |                         // no results | ||||||
|                         return trackProgress(failed().feedback("sql-injection.8.no.results").build()); |                         return trackProgress(failed().feedback("sql-injection.8.no.results").build()); | ||||||
|                     } |                     } | ||||||
|  |                 } else { | ||||||
|  |                     return trackProgress(failed().feedback("sql-injection.error").build()); | ||||||
|  |                 } | ||||||
|             } catch (SQLException e) { |             } catch (SQLException e) { | ||||||
|                 return trackProgress(failed().output(e.getMessage()).build()); |                 return trackProgress(failed().feedback("sql-injection.error").output("<br><span class='feedback-negative'>" + e.getMessage() + "</span>").build()); | ||||||
|             } |             } | ||||||
|  |  | ||||||
|         } catch (Exception e) { |         } catch (Exception e) { | ||||||
|             return trackProgress(failed().output(this.getClass().getName() + " : " + e.getMessage()).build()); |             return trackProgress(failed().feedback("sql-injection.error").output("<br><span class='feedback-negative'>" + e.getMessage() + "</span>").build()); | ||||||
|         } |         } | ||||||
|     } |     } | ||||||
|  |  | ||||||
|     public static String generateTable(ResultSet results, ResultSetMetaData resultsMetaData) throws SQLException { |     public static String generateTable(ResultSet results) throws SQLException { | ||||||
|  |         ResultSetMetaData resultsMetaData = results.getMetaData(); | ||||||
|         int numColumns = resultsMetaData.getColumnCount(); |         int numColumns = resultsMetaData.getColumnCount(); | ||||||
|         results.beforeFirst(); |         results.beforeFirst(); | ||||||
|         StringBuffer t = new StringBuffer(); |         StringBuffer table = new StringBuffer(); | ||||||
|         t.append("<table>"); |         table.append("<table>"); | ||||||
|  |  | ||||||
|         if (results.next()) { |         if (results.next()) { | ||||||
|             t.append("<tr>"); |             table.append("<tr>"); | ||||||
|             for (int i = 1; i < (numColumns + 1); i++) { |             for (int i = 1; i < (numColumns + 1); i++) { | ||||||
|                 t.append("<th>" + resultsMetaData.getColumnName(i) + "</th>"); |                 table.append("<th>" + resultsMetaData.getColumnName(i) + "</th>"); | ||||||
|             } |             } | ||||||
|             t.append("</tr>"); |             table.append("</tr>"); | ||||||
|  |  | ||||||
|             results.beforeFirst(); |             results.beforeFirst(); | ||||||
|             while (results.next()) { |             while (results.next()) { | ||||||
|                 t.append("<tr>"); |                 table.append("<tr>"); | ||||||
|                 for (int i = 1; i < (numColumns + 1); i++) { |                 for (int i = 1; i < (numColumns + 1); i++) { | ||||||
|                     t.append("<td>" + results.getString(i) + "</td>"); |                     table.append("<td>" + results.getString(i) + "</td>"); | ||||||
|                 } |                 } | ||||||
|                 t.append("</tr>"); |                 table.append("</tr>"); | ||||||
|             } |             } | ||||||
|  |  | ||||||
|         } else { |         } else { | ||||||
|             t.append("Query Successful; however no data was returned from this query."); |             table.append("Query Successful; however no data was returned from this query."); | ||||||
|         } |         } | ||||||
|  |  | ||||||
|         t.append("</table>"); |         table.append("</table>"); | ||||||
|         return (t.toString()); |         return (table.toString()); | ||||||
|     } |     } | ||||||
|  |  | ||||||
|     public static void log(Connection connection, String action) { |     public static void log(Connection connection, String action) { | ||||||
|  | |||||||
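Review bot: `generateTable` still writes `resultsMetaData.getColumnName(i)` and `results.getString(i)` into `<th>`/`<td>` cells without HTML escaping, and this commit makes it the shared renderer for lessons 8, 9 and 10; because lesson 9 lets the user UPDATE the employees table through the injection, any markup stored there is rendered back verbatim. Escape each cell, e.g. `table.append("<td>" + HtmlUtils.htmlEscape(results.getString(i)) + "</td>");` (Spring's HtmlUtils if it is on this module's classpath), and likewise for the header row. The outer `if (results.getStatement() != null)` in `injectableQueryConfidentiality` looks redundant: `executeQuery` never returns null under the JDBC contract, so the `sql-injection.error` branch it guards is probably unreachable and `if (results.first())` alone reads clearer. `StringBuffer` could be `StringBuilder` in both methods, since neither buffer is shared across threads.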
| @ -26,28 +26,29 @@ public class SqlInjectionLesson9 extends AssignmentEndpoint { | |||||||
|  |  | ||||||
|     protected AttackResult injectableQueryIntegrity(String name, String auth_tan) { |     protected AttackResult injectableQueryIntegrity(String name, String auth_tan) { | ||||||
|         StringBuffer output = new StringBuffer(); |         StringBuffer output = new StringBuffer(); | ||||||
|  |         String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'"; | ||||||
|  |  | ||||||
|         try { |         try { | ||||||
|             Connection connection = DatabaseUtilities.getConnection(getWebSession()); |             Connection connection = DatabaseUtilities.getConnection(getWebSession()); | ||||||
|  |  | ||||||
|             try { |             try { | ||||||
|                 String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'"; |  | ||||||
|                 Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY); |                 Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY); | ||||||
|                 SqlInjectionLesson8.log(connection, query); |                 SqlInjectionLesson8.log(connection, query); | ||||||
|                 ResultSet results = statement.executeQuery(query); |                 ResultSet results = statement.executeQuery(query); | ||||||
|  |  | ||||||
|                 if (results != null && results.first()) { |                 if (results.getStatement() != null && results.first()) { | ||||||
|                     output.append(SqlInjectionLesson8.generateTable(results, results.getMetaData())); |                     output.append(SqlInjectionLesson8.generateTable(results)); | ||||||
|                 } |                 } | ||||||
|             } catch (SQLException e) { |             } catch (SQLException e) { | ||||||
|                 System.err.println(e.getMessage()); |                 System.err.println(e.getMessage()); | ||||||
|                 return checkSalaryRanking(connection, output); |                 return trackProgress(failed().feedback("sql-injection.error").output("<br><span class='feedback-negative'>" + e.getMessage() + "</span>").build()); | ||||||
|             } |             } | ||||||
|  |  | ||||||
|             return checkSalaryRanking(connection, output); |             return checkSalaryRanking(connection, output); | ||||||
|  |  | ||||||
|         } catch (Exception e) { |         } catch (Exception e) { | ||||||
|             System.err.println(e.getMessage()); |             System.err.println(e.getMessage()); | ||||||
|             return trackProgress(failed().output("<br><span style='color: red;'>" + this.getClass().getName() + " : " + e.getMessage() + "</span>").build()); |             return trackProgress(failed().feedback("sql-injection.error").output("<br><span class='feedback-negative'>" + e.getMessage() + "</span>").build()); | ||||||
|         } |         } | ||||||
|     } |     } | ||||||
|  |  | ||||||
| @ -60,15 +61,15 @@ public class SqlInjectionLesson9 extends AssignmentEndpoint { | |||||||
|             results.first(); |             results.first(); | ||||||
|             // user completes lesson if John Smith is the first in the list |             // user completes lesson if John Smith is the first in the list | ||||||
|             if ((results.getString(2).equals("John")) && (results.getString(3).equals("Smith"))) { |             if ((results.getString(2).equals("John")) && (results.getString(3).equals("Smith"))) { | ||||||
|                 output.append(SqlInjectionLesson8.generateTable(results, results.getMetaData())); |                 output.append(SqlInjectionLesson8.generateTable(results)); | ||||||
|                 return trackProgress(success().feedback("sql-injection.8.success").feedbackArgs(output.toString()).build()); |                 return trackProgress(success().feedback("sql-injection.9.success").output(output.toString()).build()); | ||||||
|             } else { |             } else { | ||||||
|                 return trackProgress(failed().output(output.toString()).build()); |                 return trackProgress(failed().feedback("sql-injection.9.one").output(output.toString()).build()); | ||||||
|             } |             } | ||||||
|  |  | ||||||
|         } catch (SQLException e) { |         } catch (SQLException e) { | ||||||
|             System.err.println(e.getMessage()); |             System.err.println(e.getMessage()); | ||||||
|             return trackProgress(failed().output("<br><span style='color: red;'>" + e.getMessage() + "</span>").build()); |             return trackProgress(failed().feedback("sql-injection.error").output("<br><span class='feedback-negative'>" + e.getMessage() + "</span>").build()); | ||||||
|         } |         } | ||||||
|     } |     } | ||||||
|  |  | ||||||
|  | |||||||
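Review bot: The rewritten `catch (SQLException e)` in `injectableQueryIntegrity` now returns `sql-injection.error` instead of falling through to `checkSalaryRanking(connection, output)` as the old code did; if the driver raises after executing a chained `'; UPDATE employees ...` statement (the path the lesson hints describe), the salary has already changed but the user is told the attempt failed. Consider keeping the fall-through for that handler, or at least confirming on this driver that `executeQuery` completes without throwing for the hinted payload. `System.err.println(e.getMessage())` in both handlers should go through the class logger rather than stderr. The second hunk's enclosing method, `checkSalaryRanking`, begins before the hunk.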
| @ -1,7 +1,7 @@ | |||||||
| .attack-feedback { | .feedback-positive { | ||||||
|     color: green; |     color: green; | ||||||
| } | } | ||||||
|  |  | ||||||
| .attack-feedback table { | .feedback-negative { | ||||||
|     color: black; |     color: red; | ||||||
| } | } | ||||||
| @ -9,6 +9,7 @@ sql.advanced.title=SQL Injection (advanced) | |||||||
| SqlInjectionChallenge1=Look at the different response you receive from the server | SqlInjectionChallenge1=Look at the different response you receive from the server | ||||||
| SqlInjectionChallenge2=The vulnerability is on the register form | SqlInjectionChallenge2=The vulnerability is on the register form | ||||||
| SqlInjectionChallenge3=Use tooling to automate this attack | SqlInjectionChallenge3=Use tooling to automate this attack | ||||||
|  | sql-injection.error=<span class='feedback-negative'>Sorry, this solution is not correct. Try again!</span> | ||||||
|  |  | ||||||
| NoResultsMatched=No results matched. Try Again. | NoResultsMatched=No results matched. Try Again. | ||||||
| SqlStringInjectionHint6=Try Appending a new SQL Statement to the Query. | SqlStringInjectionHint6=Try Appending a new SQL Statement to the Query. | ||||||
| @ -36,10 +37,10 @@ sql-injection.6a.no.results=No results matched. Try Again. | |||||||
| sql-injection.6b.success=You have succeeded: {0} | sql-injection.6b.success=You have succeeded: {0} | ||||||
| sql-injection.6b.no.results=No results matched. Try Again. | sql-injection.6b.no.results=No results matched. Try Again. | ||||||
|  |  | ||||||
| sql-injection.8.success=You have succeeded! You successfully compromised the confidentiality of data by viewing internal information that you should not have access to. Well done! {0} |  | ||||||
| sql-injection.8.no.results=No employee found with matching lastname. Or maybe your authentication TAN is incorrect? | sql-injection.8.success=<span class='feedback-positive'>You have succeeded! You successfully compromised the confidentiality of data by viewing internal information that you should not have access to. Well done!</span> | ||||||
| sql-injection.9.success=Well done! Now you're earning the most money. And at the same time you successfully compromised the integrity of data by changing the salary! {0} | sql-injection.8.no.results=<span class='feedback-negative'>No employee found with matching lastname. Or maybe your authentication TAN is incorrect?</span> | ||||||
| sql-injection.10.success=Success! You successfully deleted the access_log table and that way compromised the availability of the data. | sql-injection.8.one=<span class='feedback-negative'>That's only one account. You want them all! Try again.</span> | ||||||
|  |  | ||||||
| SqlStringInjectionHint8-1=The application is taking your input and inserting the values into the variables 'name' and 'auth_tan' of the pre-formed SQL command. | SqlStringInjectionHint8-1=The application is taking your input and inserting the values into the variables 'name' and 'auth_tan' of the pre-formed SQL command. | ||||||
| SqlStringInjectionHint8-2=Compound SQL statements can be made by expanding the WHERE clause of the statement with keywords like AND and OR. | SqlStringInjectionHint8-2=Compound SQL statements can be made by expanding the WHERE clause of the statement with keywords like AND and OR. | ||||||
| @ -47,12 +48,20 @@ SqlStringInjectionHint8-3=Try appending a SQL statement that always resolves to | |||||||
| SqlStringInjectionHint8-4=Make sure all quotes (" ' ") are opened and closed properly so the resulting SQL query is syntactically correct. | SqlStringInjectionHint8-4=Make sure all quotes (" ' ") are opened and closed properly so the resulting SQL query is syntactically correct. | ||||||
| SqlStringInjectionHint8-5=Try extending the WHERE clause of the statement by adding something like: ' OR '1' = '1. | SqlStringInjectionHint8-5=Try extending the WHERE clause of the statement by adding something like: ' OR '1' = '1. | ||||||
|  |  | ||||||
|  |  | ||||||
|  | sql-injection.9.success=<span class='feedback-positive'>Well done! Now you're earning the most money. And at the same time you successfully compromised the integrity of data by changing the salary!</span> | ||||||
|  | sql-injection.9.one=<span class='feedback-negative'>Still not earning enough! Better try again and change that.</span> | ||||||
|  |  | ||||||
| SqlStringInjectionHint9-1=Try to find a way, to chain another query to the end of the existing one. | SqlStringInjectionHint9-1=Try to find a way, to chain another query to the end of the existing one. | ||||||
| SqlStringInjectionHint9-2=Use the ; metacharacter to do so. | SqlStringInjectionHint9-2=Use the ; metacharacter to do so. | ||||||
| SqlStringInjectionHint9-3=Make use of DML to change your salary. | SqlStringInjectionHint9-3=Make use of DML to change your salary. | ||||||
| SqlStringInjectionHint9-4=Make sure that the resulting query is syntactically correct. | SqlStringInjectionHint9-4=Make sure that the resulting query is syntactically correct. | ||||||
| SqlStringInjectionHint9-5=How about something like '; UPDATE employees.... | SqlStringInjectionHint9-5=How about something like '; UPDATE employees.... | ||||||
|  |  | ||||||
|  |  | ||||||
|  | sql-injection.10.success=<span class='feedback-positive'>Success! You successfully deleted the access_log table and that way compromised the availability of the data.</span> | ||||||
|  | sql-injection.10.entries=<span class='feedback-negative'>There's still evidence of what you did. Better remove the whole table.</span> | ||||||
|  |  | ||||||
| SqlStringInjectionHint10-1=Use the techniques that you have learned before. | SqlStringInjectionHint10-1=Use the techniques that you have learned before. | ||||||
| SqlStringInjectionHint10-2=The application takes your input and filters for entries that are LIKE it. | SqlStringInjectionHint10-2=The application takes your input and filters for entries that are LIKE it. | ||||||
| SqlStringInjectionHint10-3=Try query chaining to reach the goal. | SqlStringInjectionHint10-3=Try query chaining to reach the goal. | ||||||
|  | |||||||
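Review bot: The new `sql-injection.*` keys embed `<span class='feedback-positive'>` / `feedback-negative` markup directly in the message bundle, which ties presentation to i18n text, means these messages must be emitted unescaped wherever they are shown, and obliges translators to reproduce the markup. Wrapping the message in the span on the rendering side (the lesson classes already do this for exception output) would keep the bundle plain text. `sql-injection.8.success` and `sql-injection.9.success` also dropped the `{0}` argument to match the code moving the table from `feedbackArgs` to `output`; a one-line comment above those keys, `# table output is sent via output(), not as a {0} argument`, would stop someone re-adding it.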