diff --git a/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson12aTest.java b/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson12aTest.java
index 6e089f236..cee8e8c13 100644
--- a/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson12aTest.java
+++ b/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson12aTest.java
@@ -28,7 +28,7 @@ public class SqlInjectionLesson12aTest extends LessonTest {
 private WebgoatContext context;
 @Before
- public void setup() throws Exception {
+ public void setup() {
 SqlInjection sql = new SqlInjection();
 when(webSession.getCurrentLesson()).thenReturn(sql);
@@ -44,6 +44,40 @@ public class SqlInjectionLesson12aTest extends LessonTest {
 .andExpect(status().isOk());
 }
+ @Test
+ public void addressCorrectShouldOrderByHostname() throws Exception {
+ mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjection/servers")
+ .param("column", "CASE WHEN (SELECT ip FROM servers WHERE hostname='webgoat-prd') LIKE '104.%' THEN hostname ELSE id END"))
+
+ .andExpect(status().isOk()).andExpect(jsonPath("$[0].hostname", is("webgoat-acc")));
+ }
+
+ @Test
+ public void addressCorrectShouldOrderByHostnameUsingSubstr() throws Exception {
+ mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjection/servers")
+ .param("column", "case when (select ip from servers where hostname='webgoat-prd' and substr(ip,1,1) = '1') IS NOT NULL then hostname else id end"))
+
+ .andExpect(status().isOk()).andExpect(jsonPath("$[0].hostname", is("webgoat-acc")));
+
+ mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjection/servers")
+ .param("column", "case when (select ip from servers where hostname='webgoat-prd' and substr(ip,2,1) = '0') IS NOT NULL then hostname else id end"))
+
+ .andExpect(status().isOk()).andExpect(jsonPath("$[0].hostname", is("webgoat-acc")));
+
+ mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjection/servers")
+ .param("column", "case when (select ip from servers where hostname='webgoat-prd' and substr(ip,3,1) = '4') IS NOT NULL then hostname else id end"))
+
+ .andExpect(status().isOk()).andExpect(jsonPath("$[0].hostname", is("webgoat-acc")));
+ }
+
+ @Test
+ public void addressIncorrectShouldOrderByIdUsingSubstr() throws Exception {
+ mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjection/servers")
+ .param("column", "case when (select ip from servers where hostname='webgoat-prd' and substr(ip,1,1) = '9') IS NOT NULL then hostname else id end"))
+
+ .andExpect(status().isOk()).andExpect(jsonPath("$[0].hostname", is("webgoat-dev")));
+ }
+
 @Test
 public void trueShouldSortByHostname() throws Exception {
 mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjection/servers")
@@ -63,21 +97,13 @@ public class SqlInjectionLesson12aTest extends LessonTest {
 }
 @Test
- public void passwordIncorrectShouldOrderByHostname() throws Exception {
+ public void addressIncorrectShouldOrderByHostname() throws Exception {
 mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjection/servers")
 .param("column", "CASE WHEN (SELECT ip FROM servers WHERE hostname='webgoat-prd') LIKE '192.%' THEN hostname ELSE id END"))
 .andExpect(status().isOk()).andExpect(jsonPath("$[0].hostname", is("webgoat-dev")));
 }
- @Test
- public void passwordCorrectShouldOrderByHostname() throws Exception {
- mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjection/servers")
- .param("column", "CASE WHEN (SELECT ip FROM servers WHERE hostname='webgoat-prd') LIKE '104.%' THEN hostname ELSE id END"))
-
- .andExpect(status().isOk()).andExpect(jsonPath("$[0].hostname", is("webgoat-acc")));
- }
-
 @Test
 public void postingCorrectAnswerShouldPassTheLesson() throws Exception {
 mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/attack12a")
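Review bot: The three `mockMvc.perform` calls in `addressCorrectShouldOrderByHostnameUsingSubstr` and the single-request bodies of the other two new tests repeat the same request-and-assert skeleton, differing only in the `column` string and the expected hostname, so a private helper would turn each test into one call per request and also remove the stray blank line that currently sits inside every `.param(...)`/`.andExpect(...)` chain. A short Javadoc on the class or on the new tests would help as well, since nothing in the hunk states that `/SqlInjection/servers` is the lesson's intentionally injectable endpoint and that the `104.` prefix and the `webgoat-acc`/`webgoat-dev` ordering are fixture values the assertions depend on; something like `/** The servers endpoint is deliberately vulnerable to ORDER BY injection for this lesson; these tests pin the behaviour the lesson expects students to observe. */`. Where those fixture rows are seeded (LessonTest or elsewhere) is not visible in the hunk.
```java
/** Requests the lesson's server list ordered by {@code column} and checks the first hostname returned. */
private void assertFirstHostnameForColumn(String column, String expectedHostname) throws Exception {
    mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjection/servers").param("column", column))
            .andExpect(status().isOk())
            .andExpect(jsonPath("$[0].hostname", is(expectedHostname)));
}

@Test
public void addressIncorrectShouldOrderByIdUsingSubstr() throws Exception {
    assertFirstHostnameForColumn(
            "case when (select ip from servers where hostname='webgoat-prd' and substr(ip,1,1) = '9') IS NOT NULL then hostname else id end",
            "webgoat-dev");
}
// … unchanged: the other new tests become one assertFirstHostnameForColumn(...) call per request …
```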