From 1c020945453f399273ff86e702cbf210c76acda6 Mon Sep 17 00:00:00 2001 From: "chuck@securityfoundry.com" Date: Fri, 30 Oct 2009 04:53:19 +0000 Subject: [PATCH] Added 3 new lessons. Some strings are in the properties files, but not all. Modified CreateDB.java in order to create a new salaries table used by the new SQL injection lessons. git-svn-id: http://webgoat.googlecode.com/svn/trunk/webgoat@390 4033779f-a91e-0410-96ef-6bf7bf53c507 --- .../WebGoatLabels_english.properties | 27 +- .../lessons/BypassHtmlFieldRestrictions.java | 256 +++++++++++++++++ .../org/owasp/webgoat/lessons/SqlAddData.java | 247 ++++++++++++++++ .../owasp/webgoat/lessons/SqlModifyData.java | 266 ++++++++++++++++++ .../org/owasp/webgoat/session/CreateDB.java | 48 ++++ 5 files changed, 837 insertions(+), 7 deletions(-) create mode 100644 main/project/JavaSource/org/owasp/webgoat/lessons/BypassHtmlFieldRestrictions.java create mode 100644 main/project/JavaSource/org/owasp/webgoat/lessons/SqlAddData.java create mode 100644 main/project/JavaSource/org/owasp/webgoat/lessons/SqlModifyData.java diff --git a/main/project/JavaSource/WebGoatLabels_english.properties b/main/project/JavaSource/WebGoatLabels_english.properties index 4939dc531..ed804f909 100644 --- a/main/project/JavaSource/WebGoatLabels_english.properties +++ b/main/project/JavaSource/WebGoatLabels_english.properties @@ -56,7 +56,7 @@ Refresh=Refresh WeakAuthenticationCookieHints1=The server authenticates the user using a cookie, if you send the right cookie. WeakAuthenticationCookieHints2=Is the AuthCookie value guessable knowing the username and password? -WeakAuthenticationCookieHints3=Add 'AuthCookie=********;' to the Cookie: header using WebScarab. +WeakAuthenticationCookieHints3=Add 'AuthCookie=********;' to the Cookie: header using WebScarab. WeakAuthenticationCookieHints4=After logging in as webgoat a cookie is added. 65432ubphcfx
After logging in as aspect a cookie is added. 65432udfqtb
Is there anything similar about the cookies and the login names? #RemoteAdminFlaw.java @@ -213,15 +213,28 @@ ThisAmountCharged=This amount will be charged to your credit card immediately. HiddenFieldTamperingHint1=This application is using hidden fields to transmit price information to the server. HiddenFieldTamperingHint2=Use a program to intercept and change the value in the hidden field. -HiddenFieldTamperingHint3=Use WebScarab to change the price of the TV from " +HiddenFieldTamperingHint3=Use WebScarab to change the price of the TV from " HiddenFieldTamperingHint32= to +# Modify data with SQL Injection +EnterUserid=Enter your userid: +SqlModifyDataHint1=You can use SQL Injection to execute more than one SQL statement. +SqlModifyDataHint2=Use a semicolon (;) to separate SQL statements. +SqlModifyDataHint3=Modify data using a SQL UPDATE Statement. +SqlModifyDataHint4=For details and examples for SQL UPDATE statements, see http://www.w3schools.com/SQl/sql_update.asp +SqlModifyDataHint5=SOLUTION:
foo'; UPDATE salaries SET salary=9999999 WHERE userid='jsmith - - - - - +# Modify data with SQL Injection +SqlAddDataHint1=You can use SQL Injection to execute more than one SQL statement. +SqlAddDataHint2=Use a semicolon (;) to separate SQL statements. You will also need to comment out some characters that come after the injection with a double hyphen (--). +SqlAddDataHint3=Modify data using a SQL INSERT Statement. +SqlAddDataHint4=For details and examples for SQL INSERT statements, see http://www.w3schools.com/SQl/sql_insert.asp +SqlAddDataHint5=SOLUTION:
bar'; INSERT INTO salaries VALUES ('cwillis', 999999); -- + +# Bypass Html Field Restrictions +BypassHtmlFieldRestrictionsHint1=You must re-enable the disabled form field or manually add its parameter name to your request. +BypassHtmlFieldRestrictionsHint2=You can use WebScarab to intercept requests and make changes. +BypassHtmlFieldRestrictionsHint3=Rather than using WebScarab, you could instead use the Web Developer and/or Hackbar Firefox extensions to complete this lesson. diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/BypassHtmlFieldRestrictions.java b/main/project/JavaSource/org/owasp/webgoat/lessons/BypassHtmlFieldRestrictions.java new file mode 100644 index 000000000..06a2cae69 --- /dev/null +++ b/main/project/JavaSource/org/owasp/webgoat/lessons/BypassHtmlFieldRestrictions.java 
@@ -0,0 +1,256 @@ + +package org.owasp.webgoat.lessons; + +import java.sql.Connection; +import java.sql.ResultSet; +import java.sql.ResultSetMetaData; +import java.sql.SQLException; +import java.sql.Statement; +import java.util.ArrayList; +import java.util.List; +import org.apache.ecs.Element; +import org.apache.ecs.ElementContainer; +import org.apache.ecs.StringElement; +import org.apache.ecs.html.A; +import org.apache.ecs.html.BR; +import org.apache.ecs.html.Div; +import org.apache.ecs.html.IMG; +import org.apache.ecs.html.Input; +import org.apache.ecs.html.P; +import org.apache.ecs.html.PRE; +import org.owasp.webgoat.session.DatabaseUtilities; +import org.owasp.webgoat.session.ECSFactory; +import org.owasp.webgoat.session.ParameterNotFoundException; +import org.owasp.webgoat.session.WebSession; +import org.owasp.webgoat.util.WebGoatI18N; + + +/*************************************************************************************************** + * + * + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ + * + * Copyright (c) 2002 - 2007 Bruce Mayhew + * + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. 
+ * + * Getting Source ============== + * + * Source for this application is maintained at code.google.com, a repository for free software + * projects. + * + * For details, please see http://code.google.com/p/webgoat/ + * + * @author Chuck Willis Chuck's web + * site + * @created October 29, 2009 + */ +public class BypassHtmlFieldRestrictions extends SequentialLessonAdapter +{ + public final static A MANDIANT_LOGO = new A().setHref("http://www.mandiant.com").addElement(new IMG("images/logos/mandiant.png").setAlt("MANDIANT").setBorder(0).setHspace(0).setVspace(0)); + + private final static String USERID = "userid"; + + private String userid; + + /** + * Description of the Method + * + * @param s + * Description of the Parameter + * @return Description of the Return Value + */ + protected Element createContent(WebSession s) + { + ElementContainer ec = new ElementContainer(); + + try { + boolean failed = false; + + // select element + ec.addElement(new Div().addElement(new StringElement("Select field with two possible values:"))); + + String[] allowedSelect = {"foo", "bar"}; + + ec.addElement(new org.apache.ecs.html.Select("select", allowedSelect)); + + // radio button element + ec.addElement(new P()); + ec.addElement(new Div().addElement(new StringElement("Radio button with two possible values:"))); + + + Input radiofoo = new Input("radio", "radio", "foo"); + radiofoo.setChecked(true); + ec.addElement(radiofoo); + ec.addElement(new StringElement("foo")); + ec.addElement(new BR()); + ec.addElement(new Input("radio", "radio", "bar")); + ec.addElement(new StringElement("bar")); + + // checkbox + ec.addElement(new P()); + ec.addElement(new Div().addElement(new StringElement("Checkbox:"))); + Input checkbox = new Input("checkbox", "checkbox"); + checkbox.setChecked(true); + ec.addElement(checkbox); + ec.addElement(new StringElement("checkbox")); + + // create shortinput + ec.addElement(new P()); + ec.addElement(new Div().addElement(new StringElement("Input field 
restricted to 5 characters:"))); + Input shortinput = new Input(Input.TEXT, "shortinput", "12345"); + shortinput.setMaxlength(5); + ec.addElement(shortinput); + + ec.addElement(new P()); + ec.addElement(new Div().addElement(new StringElement("Disabled input field:"))); + String defaultdisabledinputtext = "disabled"; + Input disabledinput = new Input(Input.TEXT, "disabledinput", defaultdisabledinputtext); + disabledinput.setDisabled(true); + ec.addElement(disabledinput); + ec.addElement(new BR()); + + // Submit Button + ec.addElement(new P()); + ec.addElement(new Div().addElement(new StringElement("Submit button:"))); + String submittext = "Submit"; + Element b = ECSFactory.makeButton(submittext); + ec.addElement(b); + + // Now check inputs that were submitted (if any) + + // check select field + String submittedselect = s.getParser().getRawParameter("select"); + if(submittedselect.equals("foo")) failed = true; + if(submittedselect.equals("bar")) failed = true; + + // check radio buttons + String submittedradio = s.getParser().getRawParameter("radio"); + if(submittedselect.equals("foo")) failed = true; + if(submittedselect.equals("bar")) failed = true; + + // check checkbox (note - if the box is not checked, this will throw an exception, but that + // is okay) + if(s.getParser().getRawParameter("checkbox").equals("on")) failed = true; + + // check shortinput + if(s.getParser().getRawParameter("shortinput").length() < 6) failed = true; + + // check disabledinput (note - if the field was not re-enabled, this will throw an exception, but that + // is okay) + if(s.getParser().getRawParameter("disabledinput").equals(defaultdisabledinputtext)) failed = true; + + // check submitbutton + if(s.getParser().getRawParameter("SUBMIT").equals(submittext)) failed = true; + + + // if we didn't fail, we succeeded! 
+ if(failed != true) { + makeSuccess(s); + } + + } catch(ParameterNotFoundException e) { + //s.setMessage("Error, required parameter not found"); + e.printStackTrace(); + } + + return (ec); + } + + /** + * Gets the category attribute of the object + * + * @return The category value + */ + protected Category getDefaultCategory() + { + return Category.PARAMETER_TAMPERING; + } + + /** + * Gets the credits attribute of the AbstractLesson object + * + * @return The credits value + */ + public Element getCredits() + { + return super.getCustomCredits("Created by Chuck Willis ", MANDIANT_LOGO); + } + + /** + * Gets the hints attribute of the DatabaseFieldScreen object + * + * @return The hints value + */ + protected List getHints(WebSession s) + { + List hints = new ArrayList(); + + hints.add(WebGoatI18N.get("BypassHtmlFieldRestrictionsHint1")); + hints.add(WebGoatI18N.get("BypassHtmlFieldRestrictionsHint2")); + hints.add(WebGoatI18N.get("BypassHtmlFieldRestrictionsHint3")); + + return hints; + } + + private final static Integer DEFAULT_RANKING = new Integer(10); + + protected Integer getDefaultRanking() + { + return DEFAULT_RANKING; + } + + /** + * Gets the title attribute of the DatabaseFieldScreen object + * + * @return The title value + */ + public String getTitle() + { + return ("Bypass HTML Field Restrictions"); + } + + /** + * Gets the instructions attribute of the SqlInjection object + * + * @return The instructions value + */ + public String getInstructions(WebSession s) + { + String instructions = "The form below uses HTML form field restrictions. " + + " In order to pass this lesson, submit the form with each field containing an unallowed value. 
" + + "You must submit invalid values for all six fields in one form submission."; + + return (instructions); + } + + /** + * Constructor for the DatabaseFieldScreen object + * + * @param s + * Description of the Parameter + */ + public void handleRequest(WebSession s) + { + try + { + super.handleRequest(s); + } catch (Exception e) + { + // System.out.println("Exception caught: " + e); + e.printStackTrace(System.out); + } + } + +} diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/SqlAddData.java b/main/project/JavaSource/org/owasp/webgoat/lessons/SqlAddData.java new file mode 100644 index 000000000..aefbf6332 --- /dev/null +++ b/main/project/JavaSource/org/owasp/webgoat/lessons/SqlAddData.java 
@@ -0,0 +1,247 @@ + +package org.owasp.webgoat.lessons; + +import java.sql.Connection; +import java.sql.ResultSet; +import java.sql.ResultSetMetaData; +import java.sql.SQLException; +import java.sql.Statement; +import java.util.ArrayList; +import java.util.List; +import org.apache.ecs.Element; +import org.apache.ecs.ElementContainer; +import org.apache.ecs.html.A; +import org.apache.ecs.html.BR; +import org.apache.ecs.html.IMG; +import org.apache.ecs.html.Input; +import org.apache.ecs.html.P; +import org.apache.ecs.html.PRE; +import org.owasp.webgoat.session.DatabaseUtilities; +import org.owasp.webgoat.session.ECSFactory; +import org.owasp.webgoat.session.WebSession; +import org.owasp.webgoat.util.WebGoatI18N; + + +/*************************************************************************************************** + * + * + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ + * + * Copyright (c) 2002 - 2007 Bruce Mayhew + * + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. + * + * Getting Source ============== + * + * Source for this application is maintained at code.google.com, a repository for free software + * projects. 
+ * + * For details, please see http://code.google.com/p/webgoat/ + * + * @author Chuck Willis Chuck's web + * site (this lesson is based on the String SQL Injection lesson) + * @created October 29, 2009 + */ +public class SqlAddData extends SequentialLessonAdapter +{ + public final static A MANDIANT_LOGO = new A().setHref("http://www.mandiant.com").addElement(new IMG("images/logos/mandiant.png").setAlt("MANDIANT").setBorder(0).setHspace(0).setVspace(0)); + + private final static String USERID = "userid"; + + private String userid; + + /** + * Description of the Method + * + * @param s + * Description of the Parameter + * @return Description of the Return Value + */ + protected Element createContent(WebSession s) + { + ElementContainer ec = new ElementContainer(); + + try + { + Connection connection = DatabaseUtilities.getConnection(s); + + ec.addElement(makeAccountLine(s)); + + String query = "SELECT * FROM salaries WHERE userid = '" + userid + "'"; + //ec.addElement(new PRE(query)); + + try + { + // get number of rows in table before executing injectable query + Statement target_statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, + ResultSet.CONCUR_READ_ONLY); + ResultSet target_results = target_statement.executeQuery("SELECT * from salaries"); + target_results.last(); + int number_of_results_before = target_results.getRow(); + + System.out.println("Before running query, table salaries has " + + number_of_results_before + " records."); + + // execute query + Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, + ResultSet.CONCUR_READ_ONLY); + + statement.execute(query); + + ResultSet results = statement.getResultSet(); + + if ((results != null) && (results.first() == true)) + { + ResultSetMetaData resultsMetaData = results.getMetaData(); + ec.addElement(DatabaseUtilities.writeTable(results, resultsMetaData)); + results.last(); + } + else + { + ec.addElement(WebGoatI18N.get("NoResultsMatched")); + } + + // see 
if the number of rows in the table has changed + target_results = target_statement.executeQuery("SELECT * from salaries"); + target_results.last(); + int number_of_results_after = target_results.getRow(); + + System.out.println("After running query, table salaries has " + + number_of_results_after + " records."); + + if(number_of_results_after != number_of_results_before) { + makeSuccess(s); + } + + } catch (SQLException sqle) + { + ec.addElement(new P().addElement(sqle.getMessage())); + sqle.printStackTrace(); + } + } catch (Exception e) + { + s.setMessage(WebGoatI18N.get("ErrorGenerating") + this.getClass().getName()); + e.printStackTrace(); + } + + return (ec); + } + + + + protected Element makeAccountLine(WebSession s) + { + ElementContainer ec = new ElementContainer(); + ec.addElement(new P().addElement(WebGoatI18N.get("EnterUserid"))); + + userid = s.getParser().getRawParameter(USERID, "jsmith"); + Input input = new Input(Input.TEXT, USERID, userid.toString()); + ec.addElement(input); + + Element b = ECSFactory.makeButton(WebGoatI18N.get("Go!")); + ec.addElement(b); + + return ec; + + } + + /** + * Gets the category attribute of the SqNumericInjection object + * + * @return The category value + */ + protected Category getDefaultCategory() + { + return Category.INJECTION; + } + + /** + * Gets the credits attribute of the AbstractLesson object + * + * @return The credits value + */ + public Element getCredits() + { + return super.getCustomCredits("Created by Chuck Willis ", MANDIANT_LOGO); + } + + /** + * Gets the hints attribute of the DatabaseFieldScreen object + * + * @return The hints value + */ + protected List getHints(WebSession s) + { + List hints = new ArrayList(); + + hints.add(WebGoatI18N.get("SqlAddDataHint1")); + hints.add(WebGoatI18N.get("SqlAddDataHint2")); + hints.add(WebGoatI18N.get("SqlAddDataHint3")); + hints.add(WebGoatI18N.get("SqlAddDataHint4")); + hints.add(WebGoatI18N.get("SqlAddDataHint5")); + + return hints; + } + + private final 
static Integer DEFAULT_RANKING = new Integer(78); + + protected Integer getDefaultRanking() + { + return DEFAULT_RANKING; + } + + /** + * Gets the title attribute of the DatabaseFieldScreen object + * + * @return The title value + */ + public String getTitle() + { + return ("Add Data with SQL Injection"); + } + + /** + * Gets the instructions attribute of the SqlInjection object + * + * @return The instructions value + */ + public String getInstructions(WebSession s) + { + String instructions = "The form below allows a user to view salaries associated with a userid " + + "(from the table named salaries). This form" + + " is vulnerable to String SQL Injection. In order to pass this lesson, use SQL Injection to " + + "add a record to the table."; + + return (instructions); + } + + /** + * Constructor for the DatabaseFieldScreen object + * + * @param s + * Description of the Parameter + */ + public void handleRequest(WebSession s) + { + try + { + super.handleRequest(s); + } catch (Exception e) + { + // System.out.println("Exception caught: " + e); + e.printStackTrace(System.out); + } + } + +} diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/SqlModifyData.java b/main/project/JavaSource/org/owasp/webgoat/lessons/SqlModifyData.java new file mode 100644 index 000000000..722418b66 --- /dev/null +++ b/main/project/JavaSource/org/owasp/webgoat/lessons/SqlModifyData.java 
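Review bot: The success condition in createContent, `number_of_results_after != number_of_results_before`, marks the lesson solved on any change in row count, so an injected statement that removes rows from `salaries` is credited as "adding data"; since the title and instructions ask for a record to be added, the comparison should be `if(number_of_results_after > number_of_results_before) {`. Neither `target_statement`, `statement` nor their result sets are closed on any path, so every render leaks JDBC statements on the connection returned by `DatabaseUtilities.getConnection(s)`; closing them in a `finally` block would bound that. The string-built `query` is the lesson's deliberate injection point, but the two `System.out.println` row-count traces look like leftover debugging and belong either removed or behind a debug flag. `userid.toString()` in makeAccountLine is a no-op on a `String`, and the `BR` and `PRE` imports are unused.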
@@ -0,0 +1,266 @@ + +package org.owasp.webgoat.lessons; + +import java.sql.Connection; +import java.sql.ResultSet; +import java.sql.ResultSetMetaData; +import java.sql.SQLException; +import java.sql.Statement; +import java.util.ArrayList; +import java.util.List; +import org.apache.ecs.Element; +import org.apache.ecs.ElementContainer; +import org.apache.ecs.html.A; +import org.apache.ecs.html.BR; +import org.apache.ecs.html.IMG; +import org.apache.ecs.html.Input; +import org.apache.ecs.html.P; +import org.apache.ecs.html.PRE; +import org.owasp.webgoat.session.DatabaseUtilities; +import org.owasp.webgoat.session.ECSFactory; +import org.owasp.webgoat.session.WebSession; +import org.owasp.webgoat.util.WebGoatI18N; + + +/*************************************************************************************************** + * + * + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ + * + * Copyright (c) 2002 - 2007 Bruce Mayhew + * + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. + * + * Getting Source ============== + * + * Source for this application is maintained at code.google.com, a repository for free software + * projects. 
+ * + * For details, please see http://code.google.com/p/webgoat/ + * + * @author Chuck Willis Chuck's web + * site (this lesson is based on the String SQL Injection lesson) + * @created October 29, 2009 + */ +public class SqlModifyData extends SequentialLessonAdapter +{ + public final static A MANDIANT_LOGO = new A().setHref("http://www.mandiant.com").addElement(new IMG("images/logos/mandiant.png").setAlt("MANDIANT").setBorder(0).setHspace(0).setVspace(0)); + + private final static String USERID = "userid"; + + private final static String TARGET_USERID = "jsmith"; + private final static String NONTARGET_USERID = "lsmith"; + + private String userid; + + /** + * Description of the Method + * + * @param s + * Description of the Parameter + * @return Description of the Return Value + */ + protected Element createContent(WebSession s) + { + ElementContainer ec = new ElementContainer(); + + try + { + Connection connection = DatabaseUtilities.getConnection(s); + + ec.addElement(makeAccountLine(s)); + + String query = "SELECT * FROM salaries WHERE userid = '" + userid + "'"; + //ec.addElement(new PRE(query)); + + try + { + // check target data + Statement target_statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, + ResultSet.CONCUR_READ_ONLY); + ResultSet target_results = target_statement.executeQuery("SELECT salary from salaries where userid='"+TARGET_USERID+"'"); + target_results.first(); + String before_salary_target_salary = target_results.getString(1); + + System.out.println("Before running query, salary for target userid " + TARGET_USERID + " = " + before_salary_target_salary ); + + target_results = target_statement.executeQuery("SELECT salary from salaries where userid='"+NONTARGET_USERID+"'"); + target_results.first(); + String before_salary_nontarget_salary = target_results.getString(1); + + System.out.println("Before running query, salary for nontarget userid " + NONTARGET_USERID + " = " + before_salary_nontarget_salary ); + + // execute 
query + Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, + ResultSet.CONCUR_READ_ONLY); + // + statement.execute(query); + + ResultSet results = statement.getResultSet(); + + if ((results != null) && (results.first() == true)) + { + ResultSetMetaData resultsMetaData = results.getMetaData(); + ec.addElement(DatabaseUtilities.writeTable(results, resultsMetaData)); + results.last(); + } + else + { + ec.addElement(WebGoatI18N.get("NoResultsMatched")); + } + + // see if target data was modified + target_results = target_statement.executeQuery("SELECT salary from salaries where userid='"+TARGET_USERID+"'"); + target_results.first(); + String after_salary_target_salary = target_results.getString(1); + + System.out.println("After running query, salary for target userid " + TARGET_USERID + " = " + before_salary_target_salary ); + + target_results = target_statement.executeQuery("SELECT salary from salaries where userid='"+NONTARGET_USERID+"'"); + target_results.first(); + String after_salary_nontarget_salary = target_results.getString(1); + + System.out.println("After running query, salary for nontarget userid " + NONTARGET_USERID + " = " + before_salary_nontarget_salary ); + + if(!after_salary_nontarget_salary.equals(before_salary_nontarget_salary)) { + s.setMessage("You modified the salary for another userid, in order to succeed you must modify the salary of only userid " + + TARGET_USERID + "."); + } else { + if(!after_salary_target_salary.equals(before_salary_target_salary)) { + makeSuccess(s); + } + } + + } catch (SQLException sqle) + { + ec.addElement(new P().addElement(sqle.getMessage())); + sqle.printStackTrace(); + } + } catch (Exception e) + { + s.setMessage(WebGoatI18N.get("ErrorGenerating") + this.getClass().getName()); + e.printStackTrace(); + } + + return (ec); + } + + + + protected Element makeAccountLine(WebSession s) + { + ElementContainer ec = new ElementContainer(); + ec.addElement(new 
P().addElement(WebGoatI18N.get("EnterUserid"))); + + userid = s.getParser().getRawParameter(USERID, "jsmith"); + Input input = new Input(Input.TEXT, USERID, userid.toString()); + ec.addElement(input); + + Element b = ECSFactory.makeButton(WebGoatI18N.get("Go!")); + ec.addElement(b); + + return ec; + + } + + /** + * Gets the category attribute of the SqNumericInjection object + * + * @return The category value + */ + protected Category getDefaultCategory() + { + return Category.INJECTION; + } + + /** + * Gets the credits attribute of the AbstractLesson object + * + * @return The credits value + */ + public Element getCredits() + { + return super.getCustomCredits("Created by Chuck Willis ", MANDIANT_LOGO); + } + + /** + * Gets the hints attribute of the DatabaseFieldScreen object + * + * @return The hints value + */ + protected List getHints(WebSession s) + { + List hints = new ArrayList(); + + hints.add(WebGoatI18N.get("SqlModifyDataHint1")); + hints.add(WebGoatI18N.get("SqlModifyDataHint2")); + hints.add(WebGoatI18N.get("SqlModifyDataHint3")); + hints.add(WebGoatI18N.get("SqlModifyDataHint4")); + hints.add(WebGoatI18N.get("SqlModifyDataHint5")); + + return hints; + } + + private final static Integer DEFAULT_RANKING = new Integer(77); + + protected Integer getDefaultRanking() + { + return DEFAULT_RANKING; + } + + /** + * Gets the title attribute of the DatabaseFieldScreen object + * + * @return The title value + */ + public String getTitle() + { + return ("Modify Data with SQL Injection"); + } + + /** + * Gets the instructions attribute of the SqlInjection object + * + * @return The instructions value + */ + public String getInstructions(WebSession s) + { + String instructions = "The form below allows a user to view salaries associated with a userid " + + "(from the table named salaries). This form" + + " is vulnerable to String SQL Injection. 
In order to pass this lesson, use SQL Injection to " + + "modify the salary for userid " + + TARGET_USERID + "."; + + return (instructions); + } + + /** + * Constructor for the DatabaseFieldScreen object + * + * @param s + * Description of the Parameter + */ + public void handleRequest(WebSession s) + { + try + { + super.handleRequest(s); + } catch (Exception e) + { + // System.out.println("Exception caught: " + e); + e.printStackTrace(System.out); + } + } + +} diff --git a/main/project/JavaSource/org/owasp/webgoat/session/CreateDB.java b/main/project/JavaSource/org/owasp/webgoat/session/CreateDB.java index cef4f69ae..23d725fc5 100644 --- a/main/project/JavaSource/org/owasp/webgoat/session/CreateDB.java +++ b/main/project/JavaSource/org/owasp/webgoat/session/CreateDB.java 
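Review bot: Both "After running query" traces in createContent print the `before_*` values instead of `after_salary_target_salary` and `after_salary_nontarget_salary`, so the debug output never shows the post-query salaries it claims to; the two lines should end `+ " = " + after_salary_target_salary );` and `+ " = " + after_salary_nontarget_salary );`. The before/after lookups call `target_results.first()` without testing its return value, so if the injected statement deletes the `jsmith` or `lsmith` row the following `getString(1)` fails with a driver `SQLException` whose raw message is what the catch block renders to the page, rather than a lesson-level explanation; checking `first()` and calling `s.setMessage(...)` would make that failure mode clear. As in SqlAddData, `target_statement`, `statement` and their result sets are never closed, and the `BR` and `PRE` imports are unused.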
@@ -351,6 +351,53 @@ public class CreateDB statement.executeUpdate(insertData4); statement.executeUpdate(insertData5); + } + + // creates the table salaries which is used in the lessons + // which add or modify data using sql injection + private void createModifyWithSQLLessonTable(Connection connection) throws SQLException + { + Statement statement = connection.createStatement(); + + // Delete table if there is one + try + { + String dropTable = "DROP TABLE salaries"; + statement.executeUpdate(dropTable); + } + catch (SQLException e) + { + System.out.println("Error dropping salaries table"); + } + + // Create the new table + try + { + String createTableStatement = "CREATE TABLE salaries (" + + "userid varchar(50)," + + "salary int" + + ")"; + statement.executeUpdate(createTableStatement); + } + catch (SQLException e) + { + System.out.println("Error creating salaries table"); + e.printStackTrace(); + } + + // Populate it + String insertData1 = "INSERT INTO salaries VALUES ('jsmith', 20000)"; + String insertData2 = "INSERT INTO salaries VALUES ('lsmith', 45000)"; + String insertData3 = "INSERT INTO salaries VALUES ('wgoat', 100000)"; + String insertData4 = "INSERT INTO salaries VALUES ('rjones', 777777)"; + String insertData5 = "INSERT INTO salaries VALUES ('manderson', 65000)"; + + statement.executeUpdate(insertData1); + statement.executeUpdate(insertData2); + statement.executeUpdate(insertData3); + statement.executeUpdate(insertData4); + statement.executeUpdate(insertData5); + } /** @@ -996,6 +1043,7 @@ public class CreateDB createTanUserDataTable(connection); createTanTable(connection); createMFEImagesTable(connection); + createModifyWithSQLLessonTable(connection); System.out.println("Success: creating tables."); } }
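Review bot: In createModifyWithSQLLessonTable, when the CREATE TABLE fails the catch prints the stack trace and then falls through to the five INSERTs, which will throw a second, less informative `SQLException` against the missing table; rethrowing after logging, `throw e;`, or letting the create failure propagate keeps the original cause. The `Statement` is never closed, which matches the tail of the preceding method shown in the context lines but still leaks one statement per table during setup; `statement.close()` in a `finally` would fix it here. The DROP failure is expected on a fresh database and is printed without the exception detail, so the catch deserves a comment such as `// expected on first start: the table does not exist yet` so the console message is not mistaken for a real error. The second hunk only registers the new method in the table-creation sequence.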