diff --git a/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/DangerousEval.java b/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/DangerousEval.java
index 02ea116d0..c45e92d2b 100644
--- a/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/DangerousEval.java
+++ b/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/DangerousEval.java
@@ -107,10 +107,7 @@ public class DangerousEval extends LessonAdapter
 tr = new TR();
 tr.addElement(new TD().addElement("Studio RTA - Laptop/Reading Cart with Tilting Surface - Cherry "));
 tr.addElement(new TD().addElement("69.99").setAlign("right"));
- tr.addElement(new TD().addElement(
- new Input(Input.TEXT, "QTY1", s.getParser().getStringParameter("QTY1",
- "1")))
- .setAlign("right"));
+ tr.addElement(new TD().addElement(new Input(Input.TEXT, "QTY1", s.getParser().getStringParameter("QTY1", "1"))).setAlign("right"));
 quantity = s.getParser().getFloatParameter("QTY1", 0.0f);
 total = quantity * 69.99f;
 runningTotal += total;
@@ -119,10 +116,7 @@ public class DangerousEval extends LessonAdapter
 tr = new TR();
 tr.addElement(new TD().addElement("Dynex - Traditional Notebook Case"));
 tr.addElement(new TD().addElement("27.99").setAlign("right"));
- tr.addElement(new TD().addElement(
- new Input(Input.TEXT, "QTY2", s.getParser().getStringParameter("QTY2",
- "1")))
- .setAlign("right"));
+ tr.addElement(new TD().addElement(new Input(Input.TEXT, "QTY2", s.getParser().getStringParameter("QTY2", "1"))).setAlign("right"));
 quantity = s.getParser().getFloatParameter("QTY2", 0.0f);
 total = quantity * 27.99f;
 runningTotal += total;
@@ -131,10 +125,7 @@ public class DangerousEval extends LessonAdapter
 tr = new TR();
 tr.addElement(new TD().addElement("Hewlett-Packard - Pavilion Notebook with Intel® Centrino™"));
 tr.addElement(new TD().addElement("1599.99").setAlign("right"));
- tr.addElement(new TD().addElement(
- new Input(Input.TEXT, "QTY3", s.getParser().getStringParameter("QTY3",
- "1")))
- .setAlign("right"));
+ tr.addElement(new TD().addElement(new Input(Input.TEXT, "QTY3", s.getParser().getStringParameter("QTY3", "1"))).setAlign("right"));
 quantity = s.getParser().getFloatParameter("QTY3", 0.0f);
 total = quantity * 1599.99f;
 runningTotal += total;
@@ -144,10 +135,7 @@ public class DangerousEval extends LessonAdapter
 tr.addElement(new TD().addElement("3 - Year Performance Service Plan $1000 and Over "));
 tr.addElement(new TD().addElement("299.99").setAlign("right"));
- tr.addElement(new TD().addElement(
- new Input(Input.TEXT, "QTY4", s.getParser().getStringParameter("QTY4",
- "1")))
- .setAlign("right"));
+ tr.addElement(new TD().addElement(new Input(Input.TEXT, "QTY4", s.getParser().getStringParameter("QTY4", "1"))).setAlign("right"));
 quantity = s.getParser().getFloatParameter("QTY4", 0.0f);
 total = quantity * 299.99f;
 runningTotal += total;
@@ -232,16 +220,15 @@ public class DangerousEval extends LessonAdapter
 hints.add("The lesson is similar to the standard reflected cross-site scripting lesson.");
 hints.add("The access code parameter is vulnerable to a reflected cross-site scripting problem.");
 hints.add("The usual <SCRIPT>alert(document.cookie);</SCRIPT> will not work in this lesson. Why?");
- hints
- .add("User-supplied data is landing in the Javascript eval() function. Your attack will not require the < and > characters.");
+ hints.add("User-supplied data is landing in the Javascript eval() function. Your attack will not require the < and > characters.");
 hints.add("In order to pass this lesson, you must 'alert' the document.cookie.");
 hints.add("Try 123');alert(document.cookie);('");
 return hints;
 }
- //
 /**
 * Gets the instructions attribute of the WeakAccessControl object
diff --git a/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/LessonAdapter.java b/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/LessonAdapter.java
index 97d98284a..8284e5376 100644
--- a/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/LessonAdapter.java
+++ b/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/LessonAdapter.java
@@ -31,6 +31,7 @@ import org.owasp.webgoat.session.WebSession;
 * License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License along with this program; if
diff --git a/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/RoleBasedAccessControl.java b/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/RoleBasedAccessControl.java
index 3b9247512..dc0d23294 100644
--- a/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/RoleBasedAccessControl.java
+++ b/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/RoleBasedAccessControl.java
@@ -345,8 +345,7 @@ public class RoleBasedAccessControl extends GoatHillsFinancial
 if (action != null)
 {
 // System.out.println("RoleBasedAccessControl.handleRequest() dispatching to: "
- // +
- // action.getActionName());
+ // + action.getActionName());
 if (!action.requiresAuthentication())
 {
 // Access to Login does not require authentication.
diff --git a/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/SqlStringInjection.java b/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/SqlStringInjection.java
index 85f2beba5..b5ab7b2d9 100644
--- a/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/SqlStringInjection.java
+++ b/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/SqlStringInjection.java
@@ -114,7 +114,7 @@ public class SqlStringInjection extends SequentialLessonAdapter
 StringBuffer msg = new StringBuffer();
 msg.append("Bet you can't do it again! ");
- msg.append("This lesson has detected your successfull attack ");
+ msg.append("This lesson has detected your successful attack ");
 msg.append("and has now switched to a defensive mode. ");
 msg.append("Try again to attack a parameterized query.");
diff --git a/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/TraceXSS.java b/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/TraceXSS.java
index 9640d8b3e..39390e655 100644
--- a/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/TraceXSS.java
+++ b/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/TraceXSS.java
@@ -234,8 +234,7 @@ public class TraceXSS extends LessonAdapter
} // private final static Integer DEFAULT_RANKING = new Integer(130);
diff --git a/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/admin/ReportCardScreen.java b/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/admin/ReportCardScreen.java
index 14397ff65..e93c0b524 100644
--- a/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/admin/ReportCardScreen.java
+++ b/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/admin/ReportCardScreen.java
@@ -268,9 +268,8 @@ public class ReportCardScreen extends LessonAdapter
 {
 H2 h2 = new H2();
 // FIXME: The session is the current session, not the session of the user we are reporting.
- // String type = s.isAdmin() ? " [Administrative User]" : s.isHackedAdmin() ? " [Normal User
- // - Hacked Admin
- // Access]" : " [Normal User]";
+ // String type = s.isAdmin() ? " [Administrative User]" : s.isHackedAdmin() ?
+ // " [Normal User - Hacked Admin Access]" : " [Normal User]";
 String type = "";
 h2.addElement(new StringElement("Results for: " + user + type));
 return h2;
diff --git a/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/CrossSiteScripting/FindProfile_i.java b/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/CrossSiteScripting/FindProfile_i.java
index 7954053c7..1ba80d482 100644
--- a/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/CrossSiteScripting/FindProfile_i.java
+++ b/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/CrossSiteScripting/FindProfile_i.java
@@ -1,4 +1,3 @@
-
 package org.owasp.webgoat.lessons.instructor.CrossSiteScripting;
 import java.util.regex.Pattern;
@@ -10,15 +9,25 @@ import org.owasp.webgoat.session.ValidationException; import org.owasp.webgoat.session.WebSession; -/* - * STAGE 5 FIXES Solution Summary: Edit FindProfile.java and change getRequestParameter(). Modify - * getRequestParameter() with lines denoted by // STAGE 5 - FIX. Solution Steps: 1. Talk about the - * different parser methods. We could have used the parser method that takes a regular expression. - * 2. Call validate on the request parameter. return validate(s.getParser().getRawParameter(name), - * (Pattern) patterns.get(name)); Note: patterns.get(name) is used to fetch the XSS validation - * pattern that is defined in FindProfile.Java protected static Map patterns = new HashMap(); static - * { patterns.put(CrossSiteScripting.SEARCHNAME, Pattern.compile("[a-zA-Z ]{0,20}")); } - */ +// STAGE 5 FIXES +// Solution Summary: Edit FindProfile.java and change getRequestParameter(). +// Modify getRequestParameter() with lines denoted by // STAGE 5 - FIX. +// Solution Steps: +// 1. Talk about the different parser methods. We could have used the parser method that takes a +// regular expression. +// 2. Call validate on the request parameter. +// return validate(s.getParser().getRawParameter(name), (Pattern) patterns.get(name)); +// +// Note: patterns.get(name) is used to fetch the XSS validation pattern that is defined +// in FindProfile.Java +// +// protected static Map patterns = new HashMap(); +// static +// { +// patterns.put(CrossSiteScripting.SEARCHNAME, Pattern.compile("[a-zA-Z ]{0,20}")); +// } + + public class FindProfile_i extends FindProfile { diff --git a/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/CrossSiteScripting/UpdateProfile_i.java b/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/CrossSiteScripting/UpdateProfile_i.java index 93138c018..ff103298d 100644 --- a/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/CrossSiteScripting/UpdateProfile_i.java 
+++ b/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/CrossSiteScripting/UpdateProfile_i.java 
@@ -14,19 +14,31 @@ import org.owasp.webgoat.session.ValidationException; import org.owasp.webgoat.session.WebSession; -/* - * STAGE 2 FIXES Solution Summary: Edit UpdateProfile.java and change parseEmployeeProfile(). Modify - * parseEmployeeProfile() with lines denoted by // STAGE 2 - FIX. Solution Steps: 1. Talk about the - * different parser methods. a. parseEmployeeProfile(subjectId, s.getRequest()) - uses the request - * object directly. - calling validate() on the appropriate parameter b. - * parseEmployeeProfile(subjectId, s.getParser()) - uses the parser object to pull request data - * (centralized mechanism) 2. Fix the request object version of the call // STAGE 2 - FIX Replace - * the call to: String address1 = request.getParameter(CrossSiteScripting.ADDRESS1); With: final - * Pattern PATTERN_ADDRESS1 = Pattern.compile("[a-zA-Z0-9,\\.\\- ]{0,80}"); // STAGE 2 - FIX String - * address1 = validate(request.getParameter(CrossSiteScripting.ADDRESS1), PATTERN_ADDRESS1); // - * STAGE 2 - FIX 3. Fix the parser version of the call. // STAGE 2 - ALTERNATE FIX Change all calls - * in parseEmployeeProfile(subjectId, s.getParser()) to use the appropriate parser.method() call - */ +// STAGE 2 FIXES +// Solution Summary: Edit UpdateProfile.java and change parseEmployeeProfile(). +// Modify parseEmployeeProfile() with lines denoted by // STAGE 2 - FIX. +// Solution Steps: +// 1. Talk about the different parser methods. +// a. parseEmployeeProfile(subjectId, s.getRequest()) +// - uses the request object directly. +// - calling validate() on the appropriate parameter +// b. parseEmployeeProfile(subjectId, s.getParser()) +// - uses the parser object to pull request data (centralized mechanism) +// +// 2. 
Fix the request object version of the call // STAGE 2 - FIX +// Replace the call to: +// String address1 = request.getParameter(CrossSiteScripting.ADDRESS1); +// +// With: +// final Pattern PATTERN_ADDRESS1 = Pattern.compile("[a-zA-Z0-9,\\.\\- ]{0,80}"); // STAGE 2 - FIX +// String address1 = validate(request.getParameter(CrossSiteScripting.ADDRESS1), PATTERN_ADDRESS1); +// // STAGE 2 - FIX +// +// +// 3. Fix the parser version of the call. // STAGE 2 - ALTERNATE FIX +// Change all calls in parseEmployeeProfile(subjectId, s.getParser()) to use +// the appropriate parser.method() call +// public class UpdateProfile_i extends UpdateProfile { @@ -47,13 +59,12 @@ public class UpdateProfile_i extends UpdateProfile // Validate this parameter against a regular expression pattern designed for street // addresses. - final Pattern PATTERN_ADDRESS1 = Pattern.compile("[a-zA-Z0-9,\\.\\- ]{0,80}"); // STAGE 2 - - // FIX - String address1 = validate(request.getParameter(CrossSiteScripting.ADDRESS1), PATTERN_ADDRESS1); // STAGE - // 2 - // - - // FIX + // STAGE 2 - FIX + final Pattern PATTERN_ADDRESS1 = Pattern.compile("[a-zA-Z0-9,\\.\\- ]{0,80}"); + String address1 = validate(request.getParameter(CrossSiteScripting.ADDRESS1), PATTERN_ADDRESS1); + + String address2 = request.getParameter(CrossSiteScripting.ADDRESS2); int manager = Integer.parseInt(request.getParameter(CrossSiteScripting.MANAGER)); String startDate = request.getParameter(CrossSiteScripting.START_DATE); diff --git a/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/CrossSiteScripting/ViewProfile_i.java b/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/CrossSiteScripting/ViewProfile_i.java index b76aa04cf..95dbb74e6 100644 --- a/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/CrossSiteScripting/ViewProfile_i.java +++ b/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/CrossSiteScripting/ViewProfile_i.java 
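Review bot: In the second hunk (`@@ -47,13 +59,12 @@`) `PATTERN_ADDRESS1` is still built with `Pattern.compile(...)` as a local inside the method, so the regex is recompiled on every request; hoist it to a class-level `private static final Pattern PATTERN_ADDRESS1 = Pattern.compile("[a-zA-Z0-9,\\.\\- ]{0,80}");` and keep only the `validate(...)` call at this point. Whether `validate` requires a full match (`matches()`) or only a `find()` cannot be seen from the hunk; with a `{0,80}` quantifier a `find()`-based check accepts any input through the empty match, so a comment on the field such as `// validate() must use a full match: {0,80} matches the empty string under find()` would pin down the assumption the fix depends on. The enclosing method begins before the hunk.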
@@ -5,10 +5,13 @@ import org.owasp.webgoat.lessons.CrossSiteScripting.ViewProfile; import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial; -/* - * STAGE 4 FIXES Solution Summary: Look in the WebContent/lesson/CrossSiteScripting/ViewProfile.jsp - * Look for the <-- STAGE 4 - FIX in the ViewProfile.jsp - */ +// STAGE 4 FIXES +// +//Solution Summary: Look in the WebContent/lesson/CrossSiteScripting/ViewProfile.jsp +// +//Look for the <-- STAGE 4 - FIX in the ViewProfile.jsp +// +// public class ViewProfile_i extends ViewProfile { diff --git a/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/DBCrossSiteScripting/UpdateProfile_i.java b/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/DBCrossSiteScripting/UpdateProfile_i.java index 75696b50e..bbdd854b0 100755 --- a/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/DBCrossSiteScripting/UpdateProfile_i.java +++ b/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/DBCrossSiteScripting/UpdateProfile_i.java 
@@ -5,55 +5,128 @@ import org.owasp.webgoat.lessons.GoatHillsFinancial.LessonAction; import org.owasp.webgoat.lessons.CrossSiteScripting.UpdateProfile; import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial; +/* STAGE 2 FIXES +Solution Summary (1. or 2.) + 1. Modify the UPDATE_EMPLOYEE stored procedure in the database and add + a validation step. Oracle 10G now supports regular expressions. + 2. Apply a column constraint can also work IFF the existing data is clean -/* - * STAGE 2 FIXES Solution Summary (1. or 2.) 1. Modify the UPDATE_EMPLOYEE stored procedure in the - * database and add a validation step. Oracle 10G now supports regular expressions. 2. Apply a - * column constraint can also work IFF the existing data is clean Solution Steps: 1. Talk about the - * different database approaches. a. Apply validation in the UPDATE stored proc - Possible to bypass - * by not using that stored proc b. Apply a table column constraint - Cannot be bypassed. The DB - * enforces the constraint under all conditions 2. Fix the stored proc Define the pattern. Validate - * the field against the pattern. Raise an exception if invalid. CREATE OR REPLACE PROCEDURE - * UPDATE_EMPLOYEE( v_userid IN employee.userid%type, v_first_name IN employee.first_name%type, - * v_last_name IN employee.last_name%type, v_ssn IN employee.ssn%type, v_title IN - * employee.title%type, v_phone IN employee.phone%type, v_address1 IN employee.address1%type, - * v_address2 IN employee.address2%type, v_manager IN employee.manager%type, v_start_date IN - * employee.start_date%type, v_salary IN employee.salary%type, v_ccn IN employee.ccn%type, - * v_ccn_limit IN employee.ccn_limit%type, v_disciplined_date IN employee.disciplined_date%type, - * v_disciplined_notes IN employee.disciplined_notes%type, v_personal_description IN - * employee.personal_description%type ) AS P_ADDRESS1 VARCHAR2(100) := '^[a-zA-Z0-9,\. 
]{0,80}$'; - * BEGIN IF NOT REGEXP_LIKE(v_address1, P_ADDRESS1) THEN RAISE VALUE_ERROR; END IF; UPDATE EMPLOYEE - * SET first_name = v_first_name, last_name = v_last_name, ssn = v_ssn, title = v_title, phone = - * v_phone, address1 = v_address1, address2 = v_address2, manager = v_manager, start_date = - * v_Start_date, salary = v_salary, ccn = v_ccn, ccn_limit = v_ccn_limit, disciplined_date = - * v_disciplined_date, disciplined_notes = v_disciplined_notes, personal_description = - * v_personal_description WHERE userid = v_userid; END; / 3. Apply a table column constraint ALTER - * TABLE EMPLOYEE ADD CONSTRAINT address1_ck CHECK (REGEXP_LIKE(address1, '^[a-zA-Z0-9,\. - * ]{0,80}$')); FOR SQL SERVER, the following is required: DROP PROCEDURE - * webgoat_guest.UPDATE_EMPLOYEE GO CREATE PROCEDURE webgoat_guest.UPDATE_EMPLOYEE - * @v_userid INT, - * @v_first_name VARCHAR(20), - * @v_last_name VARCHAR(20), - * @v_ssn VARCHAR(12), - * @v_title VARCHAR(20), - * @v_phone VARCHAR(13), - * @v_address1 VARCHAR(80), - * @v_address2 VARCHAR(80), - * @v_manager INT, - * @v_start_date CHAR(8), - * @v_salary INT, - * @v_ccn VARCHAR(30), - * @v_ccn_limit INT, - * @v_disciplined_date CHAR(8), - * @v_disciplined_notes VARCHAR(60), - * @v_personal_description VARCHAR(60) AS IF [webgoat_guest].RegexMatch(@v_address1, - * N'^[a-zA-Z0-9,\. ]{0,80}$') = 0 BEGIN RAISERROR('Illegal characters in address1', 11, 1) RETURN - * END UPDATE EMPLOYEE SET first_name = @v_first_name, last_name = @v_last_name, ssn = @v_ssn, title - * = @v_title, phone = @v_phone, address1 = @v_address1, address2 = @v_address2, manager = - * @v_manager, start_date = @v_Start_date, salary = @v_salary, ccn = @v_ccn, ccn_limit = - * @v_ccn_limit, disciplined_date = @v_disciplined_date, disciplined_notes = @v_disciplined_notes, - * personal_description = @v_personal_description WHERE userid = @v_userid; GO - */ +Solution Steps: +1. Talk about the different database approaches. + a. 
Apply validation in the UPDATE stored proc + - Possible to bypass by not using that stored proc + + b. Apply a table column constraint + - Cannot be bypassed. The DB enforces the constraint under all conditions + +2. Fix the stored proc + +Define the pattern. +Validate the field against the pattern. +Raise an exception if invalid. + +CREATE OR REPLACE PROCEDURE UPDATE_EMPLOYEE( + v_userid IN employee.userid%type, + v_first_name IN employee.first_name%type, + v_last_name IN employee.last_name%type, + v_ssn IN employee.ssn%type, + v_title IN employee.title%type, + v_phone IN employee.phone%type, + v_address1 IN employee.address1%type, + v_address2 IN employee.address2%type, + v_manager IN employee.manager%type, + v_start_date IN employee.start_date%type, + v_salary IN employee.salary%type, + v_ccn IN employee.ccn%type, + v_ccn_limit IN employee.ccn_limit%type, + v_disciplined_date IN employee.disciplined_date%type, + v_disciplined_notes IN employee.disciplined_notes%type, + v_personal_description IN employee.personal_description%type +) +AS + P_ADDRESS1 VARCHAR2(100) := '^[a-zA-Z0-9,\. ]{0,80}$'; +BEGIN + IF NOT REGEXP_LIKE(v_address1, P_ADDRESS1) THEN + RAISE VALUE_ERROR; + END IF; + UPDATE EMPLOYEE + SET + first_name = v_first_name, + last_name = v_last_name, + ssn = v_ssn, + title = v_title, + phone = v_phone, + address1 = v_address1, + address2 = v_address2, + manager = v_manager, + start_date = v_Start_date, + salary = v_salary, + ccn = v_ccn, + ccn_limit = v_ccn_limit, + disciplined_date = v_disciplined_date, + disciplined_notes = v_disciplined_notes, + personal_description = v_personal_description + WHERE + userid = v_userid; +END; +/ + +3. Apply a table column constraint + ALTER TABLE EMPLOYEE + ADD CONSTRAINT address1_ck CHECK (REGEXP_LIKE(address1, '^[a-zA-Z0-9,\. 
]{0,80}$')); + + +FOR SQL SERVER, the following is required: + + +DROP PROCEDURE webgoat_guest.UPDATE_EMPLOYEE +GO + +CREATE PROCEDURE webgoat_guest.UPDATE_EMPLOYEE + @v_userid INT, + @v_first_name VARCHAR(20), + @v_last_name VARCHAR(20), + @v_ssn VARCHAR(12), + @v_title VARCHAR(20), + @v_phone VARCHAR(13), + @v_address1 VARCHAR(80), + @v_address2 VARCHAR(80), + @v_manager INT, + @v_start_date CHAR(8), + @v_salary INT, + @v_ccn VARCHAR(30), + @v_ccn_limit INT, + @v_disciplined_date CHAR(8), + @v_disciplined_notes VARCHAR(60), + @v_personal_description VARCHAR(60) +AS + IF [webgoat_guest].RegexMatch(@v_address1, N'^[a-zA-Z0-9,\. ]{0,80}$') = 0 + BEGIN + RAISERROR('Illegal characters in address1', 11, 1) + RETURN + END + UPDATE EMPLOYEE + SET + first_name = @v_first_name, + last_name = @v_last_name, + ssn = @v_ssn, + title = @v_title, + phone = @v_phone, + address1 = @v_address1, + address2 = @v_address2, + manager = @v_manager, + start_date = @v_Start_date, + salary = @v_salary, + ccn = @v_ccn, + ccn_limit = @v_ccn_limit, + disciplined_date = @v_disciplined_date, + disciplined_notes = @v_disciplined_notes, + personal_description = @v_personal_description + WHERE + userid = @v_userid; +GO + +*/ public class UpdateProfile_i extends UpdateProfile { diff --git a/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/DBSQLInjection/Login_i.java b/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/DBSQLInjection/Login_i.java index 4fe6b9078..bb1e4baee 100755 --- a/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/DBSQLInjection/Login_i.java +++ b/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/DBSQLInjection/Login_i.java 
@@ -2,16 +2,44 @@ package org.owasp.webgoat.lessons.instructor.DBSQLInjection; /* - * The solution is to choose Neville's userid, and enter a password like: ' OR '1'='1 Modify the - * Stored function LOGIN_EMPLOYEE to use fixed statements or bind variables For ORACLE: CREATE OR - * REPLACE FUNCTION WEBGOAT_guest.EMPLOYEE_LOGIN(v_id NUMBER, v_password VARCHAR) RETURN NUMBER AS - * cnt NUMBER; BEGIN SELECT COUNT() INTO cnt FROM EMPLOYEE WHERE USERID = v_id AND PASSWORD = - * v_password; RETURN cnt; END; / OR CREATE OR REPLACE FUNCTION WEBGOAT_guest.EMPLOYEE_LOGIN(v_id - * NUMBER, v_password VARCHAR) RETURN NUMBER AS stmt VARCHAR(32767); cnt NUMBER; BEGIN stmt := - * 'SELECT COUNT () FROM EMPLOYEE WHERE USERID = :1 AND PASSWORD = :2'; EXECUTE IMMEDIATE stmt INTO - * cnt USING v_id, v_password; RETURN cnt; END; / For SQL SERVER CREATE FUNCTION - * webgoat_guest.EMPLOYEE_LOGIN ( - * @v_id INT, - * @v_password VARCHAR(100) ) RETURNS INTEGER AS BEGIN DECLARE @count int SELECT @count = COUNT() - * FROM EMPLOYEE WHERE USERID = @v_id AND PASSWORD = @v_password; return @count END - */ + * The solution is to choose Neville's userid, and enter a password like: + * ' OR '1'='1 + * Modify the Stored function LOGIN_EMPLOYEE to use fixed statements or bind variables + * + * + * For ORACLE: +CREATE OR REPLACE FUNCTION WEBGOAT_guest.EMPLOYEE_LOGIN(v_id NUMBER, v_password VARCHAR) RETURN NUMBER AS + cnt NUMBER; +BEGIN + SELECT COUNT(*) INTO cnt FROM EMPLOYEE + WHERE USERID = v_id + AND PASSWORD = v_password; + RETURN cnt; +END; +/ + +* OR + +CREATE OR REPLACE FUNCTION WEBGOAT_guest.EMPLOYEE_LOGIN(v_id NUMBER, v_password VARCHAR) RETURN NUMBER AS + stmt VARCHAR(32767); cnt NUMBER; +BEGIN + stmt := 'SELECT COUNT (*) FROM EMPLOYEE WHERE USERID = :1 AND PASSWORD = :2'; + EXECUTE IMMEDIATE stmt INTO cnt USING v_id, v_password; + RETURN cnt; +END; +/ + + * For SQL SERVER + +CREATE FUNCTION webgoat_guest.EMPLOYEE_LOGIN ( + @v_id INT, + @v_password VARCHAR(100) +) RETURNS INTEGER +AS + BEGIN 
+ DECLARE @count int + SELECT @count = COUNT(*) FROM EMPLOYEE WHERE USERID = @v_id AND PASSWORD = @v_password; + return @count + END + +*/ diff --git a/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/RoleBasedAccessControl/EditProfile_i.java b/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/RoleBasedAccessControl/EditProfile_i.java index 8c98d8ed7..729f0e35a 100644 --- a/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/RoleBasedAccessControl/EditProfile_i.java +++ b/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/RoleBasedAccessControl/EditProfile_i.java 
@@ -57,15 +57,23 @@ public class EditProfile_i extends EditProfile if (answer_results.next()) { // Note: Do NOT get the password field. - profile = new Employee(answer_results.getInt("userid"), answer_results.getString("first_name"), - answer_results.getString("last_name"), answer_results.getString("ssn"), answer_results - .getString("title"), answer_results.getString("phone"), answer_results - .getString("address1"), answer_results.getString("address2"), answer_results - .getInt("manager"), answer_results.getString("start_date"), answer_results - .getInt("salary"), answer_results.getString("ccn"), answer_results - .getInt("ccn_limit"), answer_results.getString("disciplined_date"), - answer_results.getString("disciplined_notes"), answer_results - .getString("personal_description")); + profile = new Employee( + answer_results.getInt("userid"), + answer_results.getString("first_name"), + answer_results.getString("last_name"), + answer_results.getString("ssn"), + answer_results.getString("title"), + answer_results.getString("phone"), + answer_results.getString("address1"), + answer_results.getString("address2"), + answer_results.getInt("manager"), + answer_results.getString("start_date"), + answer_results.getInt("salary"), + answer_results.getString("ccn"), + answer_results.getInt("ccn_limit"), + answer_results.getString("disciplined_date"), + answer_results.getString("disciplined_notes"), + answer_results.getString("personal_description")); /* * System.out.println("Retrieved employee from db: " + * profile.getFirstName() + " " + profile.getLastName() + " (" + diff --git a/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/RoleBasedAccessControl/RoleBasedAccessControl_i.java b/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/RoleBasedAccessControl/RoleBasedAccessControl_i.java index b13e65516..b1fa98e6e 100644 
--- a/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/RoleBasedAccessControl/RoleBasedAccessControl_i.java +++ b/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/RoleBasedAccessControl/RoleBasedAccessControl_i.java 
@@ -21,25 +21,34 @@ import org.owasp.webgoat.session.WebSession; * */ -/* - * STAGE 2 FIXES Solution Summary: Edit RoleBasedAccessControl.java and change handleRequest(). - * Modify handleRequest() with lines denoted by // STAGE 2 - FIX. Solution Steps: 1. This solution - * adds an access control check in the controller. Point out that their architecture may require the - * check to occur in the business function. 2. Look at the RoleBasedAccessControl class identify - * where execution happens of an action. a. action.handleRequest(s); is not protected by an access - * control check. b. look at handleRequest(s) to determine where access control check should occur. - * c. add protection by a programmatic authorization check before dispatching to the action: 1. Add - * an isAuthorized() call before dispatching to the action, and throw an unauthorized exception. - * Tell student this exception exists. Use eclipse command completion to find the isAuthorized() - * call on the action. From command completion - determine calling arguments of isAuthorized() int - * userId = action.getUserId(s); if (action.isAuthorized(s, userId, action.getActionName())) { - * action.handleRequest(s); } else throw new UnauthorizedException(); Repeat stage 1 and note that - * the function fails with a "Not authorized" message. Tom will be in the list again, because the DB - * is reset when lesson restarts. Adding the access check in the - * RoleBasedAccessControl:handleRequest() is putting the check in the “Controller” The access check - * can also be added to DeleteProfile.deleteEmployeeProfile(), which is putting the check in the - * “Business Function” - */ +/* STAGE 2 FIXES +Solution Summary: Edit RoleBasedAccessControl.java and change handleRequest(). + Modify handleRequest() with lines denoted by // STAGE 2 - FIX. +Solution Steps: +1. This solution adds an access control check in the controller. + Point out that their architecture may require the check to occur in the business function. 
+2. Look at the RoleBasedAccessControl class identify where execution happens of an action. + a. action.handleRequest(s); is not protected by an access control check. + b. look at handleRequest(s) to determine where access control check should occur. + c. add protection by a programmatic authorization check before dispatching to the action: + 1. Add an isAuthorized() call before dispatching to the action, + and throw an unauthorized exception. Tell student this exception exists. + Use eclipse command completion to find the isAuthorized() call on the action. + From command completion - determine calling arguments of isAuthorized() + + int userId = action.getUserId(s); + if (action.isAuthorized(s, userId, action.getActionName())) + { + action.handleRequest(s); + } + else + throw new UnauthorizedException(); + +Repeat stage 1 and note that the function fails with a "Not authorized" message. + Tom will be in the list again, because the DB is reset when lesson restarts. + Adding the access check in the RoleBasedAccessControl:handleRequest() is putting the check in the “Controller” + The access check can also be added to DeleteProfile.deleteEmployeeProfile(), which is putting the check in the “Business Function” +*/ public class RoleBasedAccessControl_i extends RoleBasedAccessControl { diff --git a/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/RoleBasedAccessControl/ViewProfile_i.java b/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/RoleBasedAccessControl/ViewProfile_i.java index e2da0d538..719352e96 100644 --- a/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/RoleBasedAccessControl/ViewProfile_i.java +++ b/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/RoleBasedAccessControl/ViewProfile_i.java 
@@ -10,32 +10,40 @@ import org.owasp.webgoat.session.Employee; import org.owasp.webgoat.session.UnauthorizedException; import org.owasp.webgoat.session.WebSession; - -/* - * STAGE 4 FIXES 1. Find the code location where this flaw of directly retrieving the profile - * without data-level access control checking exists: public void handleRequest( WebSession s ) { … - * Employee employee = getEmployeeProfile(s, userId, employeeId); … } public Employee - * getEmployeeProfile(WebSession s, int employeeId, int subjectUserId) throws UnauthorizedException - * { … return getEmployeeProfile(s, employeeId, subjectUserId); … } 2. The solution requires a - * data-level access control check to ensure the user has the rights to access the data they are - * requesting. a. There is a common method you can take advantage of: isAuthorizedForEmployee(s, - * userId, subjectUserId) Either tell the student this exists or have them look in - * DefaultLessonAction. Note that this is not required to implement data access control but is for - * detection of violations. b. Uncomment the modified query retrieving the user data to have data - * access control String query = - * "SELECT * FROM employee,ownership WHERE employee.userid = ownership.employee_id and " + - * "ownership.employer_id = " + userId + " and ownership.employee_id = " + subjectUserId; 3. Bundle - * the entire logic with this call and throw an unauthorized exception if - * (isAuthorizedForEmployee(s, userId, subjectUserId)) { ... //String query = - * "SELECT * FROM employee WHERE userid = " + subjectUserId; String query = - * "SELECT * FROM employee,ownership WHERE employee.userid = ownership.employee_id and " + - * "ownership.employer_id = " + userId + " and ownership.employee_id = " + subjectUserId; // STAGE 4 - * - FIX ... } else { throw new UnauthorizedException(); } 4. Repeat stage 3 and note that the - * function fails with a "Not authorized" message. 
Adding the access check in the query is providing - * data-level access control. The access check from isAuthorizedForEmployee is used to detect a - * violation. The same logic could've been applied after the query but isAuthorizedForEmployee - * provides a nice centralized abstraction of that logic. - */ +/* STAGE 4 FIXES +1. Find the code location where this flaw of directly retrieving the profile without data-level access control checking exists: + public void handleRequest( WebSession s ) + { … + Employee employee = getEmployeeProfile(s, userId, employeeId); + … } + public Employee getEmployeeProfile(WebSession s, int employeeId, int subjectUserId) throws UnauthorizedException { … + return getEmployeeProfile(s, employeeId, subjectUserId); + … } +2. The solution requires a data-level access control check to ensure the user has the rights to access the data they are requesting. + a. There is a common method you can take advantage of: + isAuthorizedForEmployee(s, userId, subjectUserId) + Either tell the student this exists or have them look in DefaultLessonAction. + Note that this is not required to implement data access control but is for detection of violations. + b. Uncomment the modified query retrieving the user data to have data access control + String query = "SELECT * FROM employee,ownership WHERE employee.userid = ownership.employee_id and " + + "ownership.employer_id = " + userId + " and ownership.employee_id = " + subjectUserId; +3. Bundle the entire logic with this call and throw an unauthorized exception + if (isAuthorizedForEmployee(s, userId, subjectUserId)) + { ... + //String query = "SELECT * FROM employee WHERE userid = " + subjectUserId; + String query = "SELECT * FROM employee,ownership WHERE employee.userid = ownership.employee_id and " + + "ownership.employer_id = " + userId + " and ownership.employee_id = " + subjectUserId; // STAGE 4 - FIX + ... + } + else + { + throw new UnauthorizedException(); + } +4. 
Repeat stage 3 and note that the function fails with a "Not authorized" message. +Adding the access check in the query is providing data-level access control. +The access check from isAuthorizedForEmployee is used to detect a violation. +The same logic could've been applied after the query but isAuthorizedForEmployee provides a nice centralized abstraction of that logic. +*/ public class ViewProfile_i extends ViewProfile { @@ -58,8 +66,10 @@ public class ViewProfile_i extends ViewProfile // Query the database for the profile data of the given employee try { - // String query = "SELECT * FROM employee WHERE userid = " + subjectUserId; // STAGE - // 4 - FIX + + // STAGE 4 - FIX + // String query = "SELECT * FROM employee WHERE userid = " + subjectUserId; + // Switch to this query to add Data Access Control // @@ -67,11 +77,9 @@ public class ViewProfile_i extends ViewProfile // - qualify on ownership.employer_id to see only the current userId records // - qualify on ownership.employee_id to see the current selected employee profile + // STAGE 4 - FIX String query = "SELECT * FROM employee,ownership WHERE employee.userid = ownership.employee_id and " - + "ownership.employer_id = " + userId + " and ownership.employee_id = " + subjectUserId; // STAGE - // 4 - // - - // FIX + + "ownership.employer_id = " + userId + " and ownership.employee_id = " + subjectUserId; try { 
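Review bot: The new `// STAGE 4 - FIX` marker placed above the rebuilt query says nothing about why `userId` and `subjectUserId` are still concatenated straight into the SQL string, which is the one thing a reader will wonder about after seeing the PreparedStatement version in SQLInjection/ViewProfile_i.java in this same commit. The header comment added earlier in this file shows `getEmployeeProfile(WebSession s, int employeeId, int subjectUserId)`, so if both concatenated values really are `int` the concatenation cannot change the query's structure, but that reasoning is not stated at the point of use. Suggest `// STAGE 4 - FIX: userId and subjectUserId are ints here, so concatenation cannot alter the query; see the SQLInjection lesson's ViewProfile_i for the PreparedStatement form`. The enclosing method starts before this hunk, so the declared parameter types are not visible here.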
@@ -81,21 +89,29 @@ public class ViewProfile_i extends ViewProfile if (answer_results.next()) { // Note: Do NOT get the password field. - profile = new Employee(answer_results.getInt("userid"), answer_results.getString("first_name"), - answer_results.getString("last_name"), answer_results.getString("ssn"), answer_results - .getString("title"), answer_results.getString("phone"), answer_results - .getString("address1"), answer_results.getString("address2"), answer_results - .getInt("manager"), answer_results.getString("start_date"), answer_results - .getInt("salary"), answer_results.getString("ccn"), answer_results - .getInt("ccn_limit"), answer_results.getString("disciplined_date"), - answer_results.getString("disciplined_notes"), answer_results - .getString("personal_description")); - /* - * System.out.println("Retrieved employee from db: " + - * profile.getFirstName() + " " + profile.getLastName() + " (" + - * profile.getId() + ")"); - */} - } catch (SQLException sqle) + profile = new Employee( + answer_results.getInt("userid"), + answer_results.getString("first_name"), + answer_results.getString("last_name"), + answer_results.getString("ssn"), + answer_results.getString("title"), + answer_results.getString("phone"), + answer_results.getString("address1"), + answer_results.getString("address2"), + answer_results.getInt("manager"), + answer_results.getString("start_date"), + answer_results.getInt("salary"), + answer_results.getString("ccn"), + answer_results.getInt("ccn_limit"), + answer_results.getString("disciplined_date"), + answer_results.getString("disciplined_notes"), + answer_results.getString("personal_description")); +/* System.out.println("Retrieved employee from db: " + + profile.getFirstName() + " " + profile.getLastName() + + " (" + profile.getId() + ")"); +*/ } + } + catch ( SQLException sqle ) { s.setMessage("Error getting employee profile"); sqle.printStackTrace(); 
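Review bot: The re-flowed `/* System.out.println(...) */` block now sits at column 0 inside the `if (answer_results.next())` body and is still commented-out debug code; delete it rather than reformat it, and do the same for the identical block in the SQLInjection/ViewProfile_i.java hunk further down this diff. If it were ever re-enabled it would print the employee's name and id to stdout, which sits oddly next to the `// Note: Do NOT get the password field.` comment just above it. The `catch ( SQLException sqle )` arm also keeps `sqle.printStackTrace()` beside `s.setMessage(...)`; routing the failure through whatever logger the project uses would be preferable, though the enclosing method and any logger field are outside the hunk.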
diff --git a/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/SQLInjection/Login_i.java b/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/SQLInjection/Login_i.java
index b05d45814..7cf0be67f 100644
--- a/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/SQLInjection/Login_i.java
+++ b/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/SQLInjection/Login_i.java
@@ -10,19 +10,25 @@ import org.owasp.webgoat.lessons.SQLInjection.Login;
 import org.owasp.webgoat.lessons.SQLInjection.SQLInjection;
 import org.owasp.webgoat.session.WebSession;
-
 /*
- * Solution Summary: Edit Login.java and change login(). Modify login() with lines denoted by //
- * STAGE 2 - FIX. Solution Steps: 1. Change dynamic query to parameterized query. a. Replace the
- * dynamic varaibles with the "?" String query =
- * "SELECT * FROM employee WHERE userid = ? and password = ?" b. Create a preparedStatement using
- * the new query PreparedStatement answer_statement =
- * SQLInjection.getConnection(s).prepareStatement( query, ResultSet.TYPE_SCROLL_INSENSITIVE,
- * ResultSet.CONCUR_READ_ONLY ); c. Set the values of the parameterized query
- * answer_statement.setString(1, userId); // STAGE 2 - FIX answer_statement.setString(2, password);
- * // STAGE 2 - FIX d. Execute the preparedStatement ResultSet answer_results =
- * answer_statement.executeQuery();
- */
+Solution Summary: Edit Login.java and change login().
+ Modify login() with lines denoted by // STAGE 2 - FIX.
+Solution Steps:
+1. Change dynamic query to parameterized query.
+ a. Replace the dynamic varaibles with the "?"
+ String query = "SELECT * FROM employee WHERE userid = ? and password = ?"
+
+ b. Create a preparedStatement using the new query
+ PreparedStatement answer_statement = SQLInjection.getConnection(s).prepareStatement(
+ query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY );
+
+ c. Set the values of the parameterized query
+ answer_statement.setString(1, userId); // STAGE 2 - FIX
+ answer_statement.setString(2, password); // STAGE 2 - FIX
+
+ d. Execute the preparedStatement
+ ResultSet answer_results = answer_statement.executeQuery();
+*/
 public class Login_i extends Login
 {
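Review bot: The rewritten solution comment in this hunk tells the student to build the statement with `SQLInjection.getConnection(s).prepareStatement(`, but the code in the next hunk of this file calls `WebSession.getConnection(s)`, so the new text describes a solution that differs from the one shipped; the new header comment in SQLInjection/ViewProfile_i.java has the same mismatch against its own code hunk. Since this text is introduced by the commit, change it to `PreparedStatement answer_statement = WebSession.getConnection(s).prepareStatement(` in both files. The rewritten line `a. Replace the dynamic varaibles with the "?"` also carries the `varaibles` typo over from the removed comment.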
@@ -38,16 +44,15 @@ public class Login_i extends Login
 try
 {
- String query = "SELECT * FROM employee WHERE userid = ? and password = ?"; // STAGE 2 -
- // FIX
+ // STAGE 2 - FIX
+ String query = "SELECT * FROM employee WHERE userid = ? and password = ?";
 try
 {
+
+ // STAGE 2 - FIX
 PreparedStatement answer_statement = WebSession.getConnection(s)
- .prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY); // STAGE
- // 2
- // -
- // FIX
+ .prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
 answer_statement.setString(1, userId); // STAGE 2 - FIX
 answer_statement.setString(2, password); // STAGE 2 - FIX
 ResultSet answer_results = answer_statement.executeQuery(); // STAGE 2 - FIX
diff --git a/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/SQLInjection/ViewProfile_i.java b/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/SQLInjection/ViewProfile_i.java
index 27175da8a..40d76d73d 100644
--- a/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/SQLInjection/ViewProfile_i.java
+++ b/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/SQLInjection/ViewProfile_i.java
@@ -11,24 +11,32 @@ import org.owasp.webgoat.session.UnauthorizedException; import org.owasp.webgoat.session.WebSession; import org.owasp.webgoat.util.HtmlEncoder; - /* - * Solution Summary: Edit ViewProfile.java and change getEmployeeProfile(). Modify - * getEmployeeProfile() with lines denoted by // STAGE 4 - FIX. Solution Steps: 1. Change dynamic - * query to parameterized query. a. Replace the dynamic variables with the "?" Old: String query = - * "SELECT employee.* " + - * "FROM employee,ownership WHERE employee.userid = ownership.employee_id and " + - * "ownership.employer_id = " + userId + " and ownership.employee_id = " + subjectUserId; New: - * String query = "SELECT employee.* " + - * "FROM employee,ownership WHERE employee.userid = ownership.employee_id and " + - * "ownership.employer_id = ? and ownership.employee_id = ?"; b. Create a preparedStatement using - * the new query PreparedStatement answer_statement = - * SQLInjection.getConnection(s).prepareStatement( query, ResultSet.TYPE_SCROLL_INSENSITIVE, - * ResultSet.CONCUR_READ_ONLY ); c. Set the values of the parameterized query - * answer_statement.setInt(1, Integer.parseInt(userId)); // STAGE 4 - FIX answer_statement.setInt(2, - * Integer.parseInt(subjectUserId)); // STAGE 4 - FIX d. Execute the preparedStatement ResultSet - * answer_results = answer_statement.executeQuery(); - */ +Solution Summary: Edit ViewProfile.java and change getEmployeeProfile(). + Modify getEmployeeProfile() with lines denoted by // STAGE 4 - FIX. + +Solution Steps: +1. Change dynamic query to parameterized query. + a. Replace the dynamic variables with the "?" 
+ Old: String query = "SELECT employee.* " + + "FROM employee,ownership WHERE employee.userid = ownership.employee_id and " + + "ownership.employer_id = " + userId + " and ownership.employee_id = " + subjectUserId; + + New: String query = "SELECT employee.* " + + "FROM employee,ownership WHERE employee.userid = ownership.employee_id and " + + "ownership.employer_id = ? and ownership.employee_id = ?"; + + b. Create a preparedStatement using the new query + PreparedStatement answer_statement = SQLInjection.getConnection(s).prepareStatement( + query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY ); + + c. Set the values of the parameterized query + answer_statement.setInt(1, Integer.parseInt(userId)); // STAGE 4 - FIX + answer_statement.setInt(2, Integer.parseInt(subjectUserId)); // STAGE 4 - FIX + + d. Execute the preparedStatement + ResultSet answer_results = answer_statement.executeQuery(); +*/ public class ViewProfile_i extends ViewProfile { 
@@ -53,30 +61,38 @@ public class ViewProfile_i extends ViewProfile try { - PreparedStatement answer_statement = WebSession.getConnection(s) - .prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY); // STAGE - // 4 - // - - // FIX + // STAGE 4 - FIX + PreparedStatement answer_statement = WebSession.getConnection(s).prepareStatement( query, + ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY ); answer_statement.setInt(1, Integer.parseInt(userId)); // STAGE 4 - FIX answer_statement.setInt(2, Integer.parseInt(subjectUserId)); // STAGE 4 - FIX ResultSet answer_results = answer_statement.executeQuery(); // STAGE 4 - FIX if (answer_results.next()) { // Note: Do NOT get the password field. - profile = new Employee(answer_results.getInt("userid"), answer_results.getString("first_name"), - answer_results.getString("last_name"), answer_results.getString("ssn"), answer_results - .getString("title"), answer_results.getString("phone"), answer_results - .getString("address1"), answer_results.getString("address2"), answer_results - .getInt("manager"), answer_results.getString("start_date"), answer_results - .getInt("salary"), answer_results.getString("ccn"), answer_results - .getInt("ccn_limit"), answer_results.getString("disciplined_date"), answer_results - .getString("disciplined_notes"), answer_results.getString("personal_description")); - /* - * System.out.println("Retrieved employee from db: " + profile.getFirstName() + - * " " + profile.getLastName() + " (" + profile.getId() + ")"); - */} - } catch (SQLException sqle) + profile = new Employee( + answer_results.getInt("userid"), + answer_results.getString("first_name"), + answer_results.getString("last_name"), + answer_results.getString("ssn"), + answer_results.getString("title"), + answer_results.getString("phone"), + answer_results.getString("address1"), + answer_results.getString("address2"), + answer_results.getInt("manager"), + answer_results.getString("start_date"), + 
answer_results.getInt("salary"), + answer_results.getString("ccn"), + answer_results.getInt("ccn_limit"), + answer_results.getString("disciplined_date"), + answer_results.getString("disciplined_notes"), + answer_results.getString("personal_description")); +/* System.out.println("Retrieved employee from db: " + + profile.getFirstName() + " " + profile.getLastName() + + " (" + profile.getId() + ")"); +*/ } + } + catch ( SQLException sqle ) { s.setMessage("Error getting employee profile"); sqle.printStackTrace(); diff --git a/webgoat/main/project/JavaSource/org/owasp/webgoat/session/Course.java b/webgoat/main/project/JavaSource/org/owasp/webgoat/session/Course.java index 14a5e62ce..ffadf10aa 100644 --- a/webgoat/main/project/JavaSource/org/owasp/webgoat/session/Course.java +++ b/webgoat/main/project/JavaSource/org/owasp/webgoat/session/Course.java @@ -129,7 +129,8 @@ public class Course fileName = fileName.trim(); /** - * We do not handle directories. We do not handle files with different extensions + * We do not handle directories. + * We do not handle files with different extensions */ if (fileName.endsWith("/") || !fileName.endsWith(ext)) { return null; } diff --git a/webgoat/main/project/JavaSource/org/owasp/webgoat/session/UserTracker.java b/webgoat/main/project/JavaSource/org/owasp/webgoat/session/UserTracker.java index fd2b35ab0..58bfdbeaf 100644 --- a/webgoat/main/project/JavaSource/org/owasp/webgoat/session/UserTracker.java +++ b/webgoat/main/project/JavaSource/org/owasp/webgoat/session/UserTracker.java @@ -184,8 +184,7 @@ public class UserTracker usermap.put(screen.getTitle(), tracker); } // System.out.println( "User: [" + userName + "] UserTracker:getLessonTracker() LTH " + - // tracker.hashCode() + " - // for " + screen ); + // tracker.hashCode() + " for " + screen ); return tracker; } 
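Review bot: `Integer.parseInt(userId)` and `Integer.parseInt(subjectUserId)` on the two `setInt` lines throw `NumberFormatException`, which the `catch ( SQLException sqle )` arm in this hunk does not cover, so a non-numeric id never reaches the `s.setMessage("Error getting employee profile")` path; whether an outer handler exists is outside the hunk, as getEmployeeProfile begins before it. Binding the ids as integers is the right fix for the injection, and it is worth completing with an explicit `catch (NumberFormatException nfe)` arm beside the SQLException one that sets a message and leaves `profile` unassigned, if the ids do come from request parameters as their names suggest. The `// STAGE 4 - FIX` marker is also put on its own line above the PreparedStatement here but left inline on the next three lines; pick one placement.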
@@ -261,9 +260,8 @@ public class UserTracker
 LessonTracker tracker = getLessonTracker(s, screen);
- // System.out.println( "User [" + s.getUserName() + "] TRACKER: updating " + screen + " LTH
- // " +
- // tracker.hashCode() );
+ // System.out.println( "User [" + s.getUserName() + "] TRACKER: updating " + screen +
+ // " LTH " + tracker.hashCode() );
 tracker.store(s, screen);
 HashMap usermap = getUserMap(s.getUserName());
diff --git a/webgoat/main/project/WebContent/lesson_plans/SqlNumericInjection.html b/webgoat/main/project/WebContent/lesson_plans/SqlNumericInjection.html
index 17a789ba9..a081c1a29 100644
--- a/webgoat/main/project/WebContent/lesson_plans/SqlNumericInjection.html
+++ b/webgoat/main/project/WebContent/lesson_plans/SqlNumericInjection.html
@@ -8,7 +8,7 @@ SQL injection attacks represent a serious threat to any database-driven site. Th

Not only is it a threat easily instigated, it is also a threat that, with a little common-sense and forethought, can easily be prevented.

-It is always good practice to sanitize all input data, especially data that will used in OS command, scripts, and database queiries, even if the threat of SQL injection has been prevented in some other manner.
+It is always good practice to sanitize all input data, especially data that will used in OS command, scripts, and database queries, even if the threat of SQL injection has been prevented in some other manner.

General Goal(s):

The form below allows a user to view weather data. Try to inject an SQL string that results in all the weather data being displayed.
\ No newline at end of file
diff --git a/webgoat/main/project/WebContent/lesson_plans/SqlStringInjection.html b/webgoat/main/project/WebContent/lesson_plans/SqlStringInjection.html
index 32f6d4bac..2dc84b697 100644
--- a/webgoat/main/project/WebContent/lesson_plans/SqlStringInjection.html
+++ b/webgoat/main/project/WebContent/lesson_plans/SqlStringInjection.html
@@ -8,7 +8,7 @@ SQL injection attacks represent a serious threat to any database-driven site. Th

Not only is it a threat easily instigated, it is also a threat that, with a little common-sense and forethought, can easily be prevented.

-It is always good practice to sanitize all input data, especially data that will used in OS command, scripts, and database queiries, even if the threat of SQL injection has been prevented in some other manner.
+It is always good practice to sanitize all input data, especially data that will used in OS command, scripts, and database queries, even if the threat of SQL injection has been prevented in some other manner.

General Goal(s):

The form below allows a user to view their credit card numbers. Try to inject an SQL string that results in all the credit card numbers being displayed. Try the user name of 'Smith'.
\ No newline at end of file
diff --git a/webgoat/main/project/WebContent/lesson_solutions/SqlNumericInjection.html b/webgoat/main/project/WebContent/lesson_solutions/SqlNumericInjection.html
index 6a8fe7e2c..2d61caad5 100644
--- a/webgoat/main/project/WebContent/lesson_solutions/SqlNumericInjection.html
+++ b/webgoat/main/project/WebContent/lesson_solutions/SqlNumericInjection.html
@@ -599,7 +599,7 @@ SQL injection attacks represent a serious threat to any database-driven site. Th
 Not only is it a threat easily instigated, it is also a threat that, with a little common-sense and forethought, can easily be prevented.
-It is always good practice to sanitize all input data, especially data that will used in OS command, scripts, and database queiries, even if the threat of SQL injection has been prevented in some other manner.

+It is always good practice to sanitize all input data, especially data that will used in OS command, scripts, and database queries, even if the threat of SQL injection has been prevented in some other manner.

 

General Goal(s):

diff --git a/webgoat/main/project/WebContent/lesson_solutions/SqlStringInjection.html b/webgoat/main/project/WebContent/lesson_solutions/SqlStringInjection.html index 3b57def06..df6f06d29 100644 --- a/webgoat/main/project/WebContent/lesson_solutions/SqlStringInjection.html +++ b/webgoat/main/project/WebContent/lesson_solutions/SqlStringInjection.html @@ -602,7 +602,7 @@ Not only is it a threat easily instigated, it is also a threat that, with a little common-sense and forethought, can easily be prevented.

It is always good practice to sanitize all input data, especially data that
-will used in OS command, scripts, and database queiries, even if the threat of
+will used in OS command, scripts, and database queries, even if the threat of
 SQL injection has been prevented in some other manner.