dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Added 3 new lessons. Some strings are in the properties files, but not all. Modified CreateDB.java in order to create a new salaries table used by the new SQL injection lessons.

Browse Source 
git-svn-id: http://webgoat.googlecode.com/svn/trunk/webgoat@390 4033779f-a91e-0410-96ef-6bf7bf53c507
This commit is contained in:
chuck@securityfoundry.com 2009-10-30 04:53:19 +00:00
parent 1dc6c799a7
commit 1c02094545
5 changed files with 837 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
main/project/JavaSource/WebGoatLabels_english.properties
View File

@ -56,7 +56,7 @@ Refresh=Refresh
WeakAuthenticationCookieHints1=The server authenticates the user using a cookie, if you send the right cookie.
WeakAuthenticationCookieHints2=Is the AuthCookie value guessable knowing the username and password?
WeakAuthenticationCookieHints3=Add 'AuthCookie=********;' to the Cookie: header using <A href=\"http://www.owasp.org/development/webscarab\">WebScarab</A>.
WeakAuthenticationCookieHints3=Add 'AuthCookie=********;' to the Cookie: header using <A href=\"http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project\">WebScarab</A>.
WeakAuthenticationCookieHints4=After logging in as webgoat a cookie is added. 65432ubphcfx<br/>After logging in as aspect a cookie is added. 65432udfqtb<br/>Is there anything similar about the cookies and the login names?
#RemoteAdminFlaw.java
@ -213,15 +213,28 @@ ThisAmountCharged=This amount will be charged to your credit card immediately.
HiddenFieldTamperingHint1=This application is using hidden fields to transmit price information to the server.
HiddenFieldTamperingHint2=Use a program to intercept and change the value in the hidden field.
HiddenFieldTamperingHint3=Use <A href=\"http://www.owasp.org/development/webscarab\">WebScarab</A> to change the price of the TV from "
HiddenFieldTamperingHint3=Use <A href=\"http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project\">WebScarab</A> to change the price of the TV from "
HiddenFieldTamperingHint32= to
# Modify data with SQL Injection
EnterUserid=Enter your userid:
SqlModifyDataHint1=You can use SQL Injection to execute more than one SQL statement.
SqlModifyDataHint2=Use a semicolon (;) to separate SQL statements.
SqlModifyDataHint3=Modify data using a SQL UPDATE Statement.
SqlModifyDataHint4=For details and examples for SQL UPDATE statements, see <A href=\"http://www.w3schools.com/SQl/sql_update.asp\">http://www.w3schools.com/SQl/sql_update.asp</A>
SqlModifyDataHint5=SOLUTION:<br/>foo'; UPDATE salaries SET salary=9999999 WHERE userid='jsmith
# Modify data with SQL Injection
SqlAddDataHint1=You can use SQL Injection to execute more than one SQL statement.
SqlAddDataHint2=Use a semicolon (;) to separate SQL statements. You will also need to comment out some characters that come after the injection with a double hyphen (--).
SqlAddDataHint3=Modify data using a SQL INSERT Statement.
SqlAddDataHint4=For details and examples for SQL INSERT statements, see <A href=\"http://www.w3schools.com/SQl/sql_insert.asp\">http://www.w3schools.com/SQl/sql_insert.asp</A>
SqlAddDataHint5=SOLUTION:<br/>bar'; INSERT INTO salaries VALUES ('cwillis', 999999); --
# Bypass Html Field Restrictions
BypassHtmlFieldRestrictionsHint1=You must re-enable the disabled form field or manually add its parameter name to your request.
BypassHtmlFieldRestrictionsHint2=You can use <A href=\"http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project\">WebScarab</A> to intercept requests and make changes.
BypassHtmlFieldRestrictionsHint3=Rather than using <A href=\"http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project\">WebScarab</A>, you could instead use the <A href=\"http://chrispederick.com/work/web-developer/\">Web Developer</a> and/or <A href=\"http://devels-playground.blogspot.com/\">Hackbar</a> Firefox extensions to complete this lesson.

256
main/project/JavaSource/org/owasp/webgoat/lessons/BypassHtmlFieldRestrictions.java Normal file
View File

@ -0,0 +1,256 @@
package org.owasp.webgoat.lessons;
import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.ResultSetMetaData;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;
import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer;
import org.apache.ecs.StringElement;
import org.apache.ecs.html.A;
import org.apache.ecs.html.BR;
import org.apache.ecs.html.Div;
import org.apache.ecs.html.IMG;
import org.apache.ecs.html.Input;
import org.apache.ecs.html.P;
import org.apache.ecs.html.PRE;
import org.owasp.webgoat.session.DatabaseUtilities;
import org.owasp.webgoat.session.ECSFactory;
import org.owasp.webgoat.session.ParameterNotFoundException;
import org.owasp.webgoat.session.WebSession;
import org.owasp.webgoat.util.WebGoatI18N;
/***************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
*
* Copyright (c) 2002 - 2007 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at code.google.com, a repository for free software
* projects.
*
* For details, please see http://code.google.com/p/webgoat/
*
* @author Chuck Willis <a href="http://www.securityfoundry.com">Chuck's web
* site</a>
* @created October 29, 2009
*/
public class BypassHtmlFieldRestrictions extends SequentialLessonAdapter
{
public final static A MANDIANT_LOGO = new A().setHref("http://www.mandiant.com").addElement(new IMG("images/logos/mandiant.png").setAlt("MANDIANT").setBorder(0).setHspace(0).setVspace(0));
private final static String USERID = "userid";
private String userid;
/**
* Description of the Method
*
* @param s
* Description of the Parameter
* @return Description of the Return Value
*/
protected Element createContent(WebSession s)
{
ElementContainer ec = new ElementContainer();
try {
boolean failed = false;
// select element
ec.addElement(new Div().addElement(new StringElement("Select field with two possible values:")));
String[] allowedSelect = {"foo", "bar"};
ec.addElement(new org.apache.ecs.html.Select("select", allowedSelect));
// radio button element
ec.addElement(new P());
ec.addElement(new Div().addElement(new StringElement("Radio button with two possible values:")));
Input radiofoo = new Input("radio", "radio", "foo");
radiofoo.setChecked(true);
ec.addElement(radiofoo);
ec.addElement(new StringElement("foo"));
ec.addElement(new BR());
ec.addElement(new Input("radio", "radio", "bar"));
ec.addElement(new StringElement("bar"));
// checkbox
ec.addElement(new P());
ec.addElement(new Div().addElement(new StringElement("Checkbox:")));
Input checkbox = new Input("checkbox", "checkbox");
checkbox.setChecked(true);
ec.addElement(checkbox);
ec.addElement(new StringElement("checkbox"));
// create shortinput
ec.addElement(new P());
ec.addElement(new Div().addElement(new StringElement("Input field restricted to 5 characters:")));
Input shortinput = new Input(Input.TEXT, "shortinput", "12345");
shortinput.setMaxlength(5);
ec.addElement(shortinput);
ec.addElement(new P());
ec.addElement(new Div().addElement(new StringElement("Disabled input field:")));
String defaultdisabledinputtext = "disabled";
Input disabledinput = new Input(Input.TEXT, "disabledinput", defaultdisabledinputtext);
disabledinput.setDisabled(true);
ec.addElement(disabledinput);
ec.addElement(new BR());
// Submit Button
ec.addElement(new P());
ec.addElement(new Div().addElement(new StringElement("Submit button:")));
String submittext = "Submit";
Element b = ECSFactory.makeButton(submittext);
ec.addElement(b);
// Now check inputs that were submitted (if any)
// check select field
String submittedselect = s.getParser().getRawParameter("select");
if(submittedselect.equals("foo")) failed = true;
if(submittedselect.equals("bar")) failed = true;
// check radio buttons
String submittedradio = s.getParser().getRawParameter("radio");
if(submittedselect.equals("foo")) failed = true;
if(submittedselect.equals("bar")) failed = true;
// check checkbox (note - if the box is not checked, this will throw an exception, but that
// is okay)
if(s.getParser().getRawParameter("checkbox").equals("on")) failed = true;
// check shortinput
if(s.getParser().getRawParameter("shortinput").length() < 6) failed = true;
// check disabledinput (note - if the field was not re-enabled, this will throw an exception, but that
// is okay)
if(s.getParser().getRawParameter("disabledinput").equals(defaultdisabledinputtext)) failed = true;
// check submitbutton
if(s.getParser().getRawParameter("SUBMIT").equals(submittext)) failed = true;
// if we didn't fail, we succeeded!
if(failed != true) {
makeSuccess(s);
}
} catch(ParameterNotFoundException e) {
//s.setMessage("Error, required parameter not found");
e.printStackTrace();
}
return (ec);
}
/**
* Gets the category attribute of the object
*
* @return The category value
*/
protected Category getDefaultCategory()
{
return Category.PARAMETER_TAMPERING;
}
/**
* Gets the credits attribute of the AbstractLesson object
*
* @return The credits value
*/
public Element getCredits()
{
return super.getCustomCredits("Created by Chuck Willis&nbsp;", MANDIANT_LOGO);
}
/**
* Gets the hints attribute of the DatabaseFieldScreen object
*
* @return The hints value
*/
protected List<String> getHints(WebSession s)
{
List<String> hints = new ArrayList<String>();
hints.add(WebGoatI18N.get("BypassHtmlFieldRestrictionsHint1"));
hints.add(WebGoatI18N.get("BypassHtmlFieldRestrictionsHint2"));
hints.add(WebGoatI18N.get("BypassHtmlFieldRestrictionsHint3"));
return hints;
}
private final static Integer DEFAULT_RANKING = new Integer(10);
protected Integer getDefaultRanking()
{
return DEFAULT_RANKING;
}
/**
* Gets the title attribute of the DatabaseFieldScreen object
*
* @return The title value
*/
public String getTitle()
{
return ("Bypass HTML Field Restrictions");
}
/**
* Gets the instructions attribute of the SqlInjection object
*
* @return The instructions value
*/
public String getInstructions(WebSession s)
{
String instructions = "The form below uses HTML form field restrictions. " +
" In order to pass this lesson, submit the form with each field containing an unallowed value. "
+ "<b>You must submit invalid values for all six fields in one form submission.</b>";
return (instructions);
}
/**
* Constructor for the DatabaseFieldScreen object
*
* @param s
* Description of the Parameter
*/
public void handleRequest(WebSession s)
{
try
{
super.handleRequest(s);
} catch (Exception e)
{
// System.out.println("Exception caught: " + e);
e.printStackTrace(System.out);
}
}
}

247
main/project/JavaSource/org/owasp/webgoat/lessons/SqlAddData.java Normal file
View File

@ -0,0 +1,247 @@
package org.owasp.webgoat.lessons;
import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.ResultSetMetaData;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;
import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer;
import org.apache.ecs.html.A;
import org.apache.ecs.html.BR;
import org.apache.ecs.html.IMG;
import org.apache.ecs.html.Input;
import org.apache.ecs.html.P;
import org.apache.ecs.html.PRE;
import org.owasp.webgoat.session.DatabaseUtilities;
import org.owasp.webgoat.session.ECSFactory;
import org.owasp.webgoat.session.WebSession;
import org.owasp.webgoat.util.WebGoatI18N;
/***************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
*
* Copyright (c) 2002 - 2007 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at code.google.com, a repository for free software
* projects.
*
* For details, please see http://code.google.com/p/webgoat/
*
* @author Chuck Willis <a href="http://www.securityfoundry.com">Chuck's web
* site</a> (this lesson is based on the String SQL Injection lesson)
* @created October 29, 2009
*/
public class SqlAddData extends SequentialLessonAdapter
{
public final static A MANDIANT_LOGO = new A().setHref("http://www.mandiant.com").addElement(new IMG("images/logos/mandiant.png").setAlt("MANDIANT").setBorder(0).setHspace(0).setVspace(0));
private final static String USERID = "userid";
private String userid;
/**
* Description of the Method
*
* @param s
* Description of the Parameter
* @return Description of the Return Value
*/
protected Element createContent(WebSession s)
{
ElementContainer ec = new ElementContainer();
try
{
Connection connection = DatabaseUtilities.getConnection(s);
ec.addElement(makeAccountLine(s));
String query = "SELECT * FROM salaries WHERE userid = '" + userid + "'";
//ec.addElement(new PRE(query));
try
{
// get number of rows in table before executing injectable query
Statement target_statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,
ResultSet.CONCUR_READ_ONLY);
ResultSet target_results = target_statement.executeQuery("SELECT * from salaries");
target_results.last();
int number_of_results_before = target_results.getRow();
System.out.println("Before running query, table salaries has "
+ number_of_results_before + " records.");
// execute query
Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,
ResultSet.CONCUR_READ_ONLY);
statement.execute(query);
ResultSet results = statement.getResultSet();
if ((results != null) && (results.first() == true))
{
ResultSetMetaData resultsMetaData = results.getMetaData();
ec.addElement(DatabaseUtilities.writeTable(results, resultsMetaData));
results.last();
}
else
{
ec.addElement(WebGoatI18N.get("NoResultsMatched"));
}
// see if the number of rows in the table has changed
target_results = target_statement.executeQuery("SELECT * from salaries");
target_results.last();
int number_of_results_after = target_results.getRow();
System.out.println("After running query, table salaries has "
+ number_of_results_after + " records.");
if(number_of_results_after != number_of_results_before) {
makeSuccess(s);
}
} catch (SQLException sqle)
{
ec.addElement(new P().addElement(sqle.getMessage()));
sqle.printStackTrace();
}
} catch (Exception e)
{
s.setMessage(WebGoatI18N.get("ErrorGenerating") + this.getClass().getName());
e.printStackTrace();
}
return (ec);
}
protected Element makeAccountLine(WebSession s)
{
ElementContainer ec = new ElementContainer();
ec.addElement(new P().addElement(WebGoatI18N.get("EnterUserid")));
userid = s.getParser().getRawParameter(USERID, "jsmith");
Input input = new Input(Input.TEXT, USERID, userid.toString());
ec.addElement(input);
Element b = ECSFactory.makeButton(WebGoatI18N.get("Go!"));
ec.addElement(b);
return ec;
}
/**
* Gets the category attribute of the SqNumericInjection object
*
* @return The category value
*/
protected Category getDefaultCategory()
{
return Category.INJECTION;
}
/**
* Gets the credits attribute of the AbstractLesson object
*
* @return The credits value
*/
public Element getCredits()
{
return super.getCustomCredits("Created by Chuck Willis&nbsp;", MANDIANT_LOGO);
}
/**
* Gets the hints attribute of the DatabaseFieldScreen object
*
* @return The hints value
*/
protected List<String> getHints(WebSession s)
{
List<String> hints = new ArrayList<String>();
hints.add(WebGoatI18N.get("SqlAddDataHint1"));
hints.add(WebGoatI18N.get("SqlAddDataHint2"));
hints.add(WebGoatI18N.get("SqlAddDataHint3"));
hints.add(WebGoatI18N.get("SqlAddDataHint4"));
hints.add(WebGoatI18N.get("SqlAddDataHint5"));
return hints;
}
private final static Integer DEFAULT_RANKING = new Integer(78);
protected Integer getDefaultRanking()
{
return DEFAULT_RANKING;
}
/**
* Gets the title attribute of the DatabaseFieldScreen object
*
* @return The title value
*/
public String getTitle()
{
return ("Add Data with SQL Injection");
}
/**
* Gets the instructions attribute of the SqlInjection object
*
* @return The instructions value
*/
public String getInstructions(WebSession s)
{
String instructions = "The form below allows a user to view salaries associated with a userid "
+ "(from the table named <b>salaries</b>). This form"
+ " is vulnerable to String SQL Injection. In order to pass this lesson, use SQL Injection to "
+ "add a record to the table.";
return (instructions);
}
/**
* Constructor for the DatabaseFieldScreen object
*
* @param s
* Description of the Parameter
*/
public void handleRequest(WebSession s)
{
try
{
super.handleRequest(s);
} catch (Exception e)
{
// System.out.println("Exception caught: " + e);
e.printStackTrace(System.out);
}
}
}

266
main/project/JavaSource/org/owasp/webgoat/lessons/SqlModifyData.java Normal file
View File

@ -0,0 +1,266 @@
package org.owasp.webgoat.lessons;
import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.ResultSetMetaData;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;
import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer;
import org.apache.ecs.html.A;
import org.apache.ecs.html.BR;
import org.apache.ecs.html.IMG;
import org.apache.ecs.html.Input;
import org.apache.ecs.html.P;
import org.apache.ecs.html.PRE;
import org.owasp.webgoat.session.DatabaseUtilities;
import org.owasp.webgoat.session.ECSFactory;
import org.owasp.webgoat.session.WebSession;
import org.owasp.webgoat.util.WebGoatI18N;
/***************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
*
* Copyright (c) 2002 - 2007 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at code.google.com, a repository for free software
* projects.
*
* For details, please see http://code.google.com/p/webgoat/
*
* @author Chuck Willis <a href="http://www.securityfoundry.com">Chuck's web
* site</a> (this lesson is based on the String SQL Injection lesson)
* @created October 29, 2009
*/
public class SqlModifyData extends SequentialLessonAdapter
{
public final static A MANDIANT_LOGO = new A().setHref("http://www.mandiant.com").addElement(new IMG("images/logos/mandiant.png").setAlt("MANDIANT").setBorder(0).setHspace(0).setVspace(0));
private final static String USERID = "userid";
private final static String TARGET_USERID = "jsmith";
private final static String NONTARGET_USERID = "lsmith";
private String userid;
/**
* Description of the Method
*
* @param s
* Description of the Parameter
* @return Description of the Return Value
*/
protected Element createContent(WebSession s)
{
ElementContainer ec = new ElementContainer();
try
{
Connection connection = DatabaseUtilities.getConnection(s);
ec.addElement(makeAccountLine(s));
String query = "SELECT * FROM salaries WHERE userid = '" + userid + "'";
//ec.addElement(new PRE(query));
try
{
// check target data
Statement target_statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,
ResultSet.CONCUR_READ_ONLY);
ResultSet target_results = target_statement.executeQuery("SELECT salary from salaries where userid='"+TARGET_USERID+"'");
target_results.first();
String before_salary_target_salary = target_results.getString(1);
System.out.println("Before running query, salary for target userid " + TARGET_USERID + " = " + before_salary_target_salary );
target_results = target_statement.executeQuery("SELECT salary from salaries where userid='"+NONTARGET_USERID+"'");
target_results.first();
String before_salary_nontarget_salary = target_results.getString(1);
System.out.println("Before running query, salary for nontarget userid " + NONTARGET_USERID + " = " + before_salary_nontarget_salary );
// execute query
Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,
ResultSet.CONCUR_READ_ONLY);
//
statement.execute(query);
ResultSet results = statement.getResultSet();
if ((results != null) && (results.first() == true))
{
ResultSetMetaData resultsMetaData = results.getMetaData();
ec.addElement(DatabaseUtilities.writeTable(results, resultsMetaData));
results.last();
}
else
{
ec.addElement(WebGoatI18N.get("NoResultsMatched"));
}
// see if target data was modified
target_results = target_statement.executeQuery("SELECT salary from salaries where userid='"+TARGET_USERID+"'");
target_results.first();
String after_salary_target_salary = target_results.getString(1);
System.out.println("After running query, salary for target userid " + TARGET_USERID + " = " + before_salary_target_salary );
target_results = target_statement.executeQuery("SELECT salary from salaries where userid='"+NONTARGET_USERID+"'");
target_results.first();
String after_salary_nontarget_salary = target_results.getString(1);
System.out.println("After running query, salary for nontarget userid " + NONTARGET_USERID + " = " + before_salary_nontarget_salary );
if(!after_salary_nontarget_salary.equals(before_salary_nontarget_salary)) {
s.setMessage("You modified the salary for another userid, in order to succeed you must modify the salary of only userid "
+ TARGET_USERID + ".");
} else {
if(!after_salary_target_salary.equals(before_salary_target_salary)) {
makeSuccess(s);
}
}
} catch (SQLException sqle)
{
ec.addElement(new P().addElement(sqle.getMessage()));
sqle.printStackTrace();
}
} catch (Exception e)
{
s.setMessage(WebGoatI18N.get("ErrorGenerating") + this.getClass().getName());
e.printStackTrace();
}
return (ec);
}
protected Element makeAccountLine(WebSession s)
{
ElementContainer ec = new ElementContainer();
ec.addElement(new P().addElement(WebGoatI18N.get("EnterUserid")));
userid = s.getParser().getRawParameter(USERID, "jsmith");
Input input = new Input(Input.TEXT, USERID, userid.toString());
ec.addElement(input);
Element b = ECSFactory.makeButton(WebGoatI18N.get("Go!"));
ec.addElement(b);
return ec;
}
/**
* Gets the category attribute of the SqNumericInjection object
*
* @return The category value
*/
protected Category getDefaultCategory()
{
return Category.INJECTION;
}
/**
* Gets the credits attribute of the AbstractLesson object
*
* @return The credits value
*/
public Element getCredits()
{
return super.getCustomCredits("Created by Chuck Willis&nbsp;", MANDIANT_LOGO);
}
/**
* Gets the hints attribute of the DatabaseFieldScreen object
*
* @return The hints value
*/
protected List<String> getHints(WebSession s)
{
List<String> hints = new ArrayList<String>();
hints.add(WebGoatI18N.get("SqlModifyDataHint1"));
hints.add(WebGoatI18N.get("SqlModifyDataHint2"));
hints.add(WebGoatI18N.get("SqlModifyDataHint3"));
hints.add(WebGoatI18N.get("SqlModifyDataHint4"));
hints.add(WebGoatI18N.get("SqlModifyDataHint5"));
return hints;
}
private final static Integer DEFAULT_RANKING = new Integer(77);
protected Integer getDefaultRanking()
{
return DEFAULT_RANKING;
}
/**
* Gets the title attribute of the DatabaseFieldScreen object
*
* @return The title value
*/
public String getTitle()
{
return ("Modify Data with SQL Injection");
}
/**
* Gets the instructions attribute of the SqlInjection object
*
* @return The instructions value
*/
public String getInstructions(WebSession s)
{
String instructions = "The form below allows a user to view salaries associated with a userid "
+ "(from the table named <b>salaries</b>). This form"
+ " is vulnerable to String SQL Injection. In order to pass this lesson, use SQL Injection to "
+ "modify the salary for userid <b>"
+ TARGET_USERID + "</b>.";
return (instructions);
}
/**
* Constructor for the DatabaseFieldScreen object
*
* @param s
* Description of the Parameter
*/
public void handleRequest(WebSession s)
{
try
{
super.handleRequest(s);
} catch (Exception e)
{
// System.out.println("Exception caught: " + e);
e.printStackTrace(System.out);
}
}
}

48
main/project/JavaSource/org/owasp/webgoat/session/CreateDB.java
View File

@ -351,6 +351,53 @@ public class CreateDB
statement.executeUpdate(insertData4);
statement.executeUpdate(insertData5);
}
// creates the table salaries which is used in the lessons
// which add or modify data using sql injection
private void createModifyWithSQLLessonTable(Connection connection) throws SQLException
{
Statement statement = connection.createStatement();
// Delete table if there is one
try
{
String dropTable = "DROP TABLE salaries";
statement.executeUpdate(dropTable);
}
catch (SQLException e)
{
System.out.println("Error dropping salaries table");
}
// Create the new table
try
{
String createTableStatement = "CREATE TABLE salaries ("
+ "userid varchar(50),"
+ "salary int"
+ ")";
statement.executeUpdate(createTableStatement);
}
catch (SQLException e)
{
System.out.println("Error creating salaries table");
e.printStackTrace();
}
// Populate it
String insertData1 = "INSERT INTO salaries VALUES ('jsmith', 20000)";
String insertData2 = "INSERT INTO salaries VALUES ('lsmith', 45000)";
String insertData3 = "INSERT INTO salaries VALUES ('wgoat', 100000)";
String insertData4 = "INSERT INTO salaries VALUES ('rjones', 777777)";
String insertData5 = "INSERT INTO salaries VALUES ('manderson', 65000)";
statement.executeUpdate(insertData1);
statement.executeUpdate(insertData2);
statement.executeUpdate(insertData3);
statement.executeUpdate(insertData4);
statement.executeUpdate(insertData5);
}
/**
@ -996,6 +1043,7 @@ public class CreateDB
createTanUserDataTable(connection);
createTanTable(connection);
createMFEImagesTable(connection);
createModifyWithSQLLessonTable(connection);
System.out.println("Success: creating tables.");
}
}