lessons: sql_injection

added another assignment
2018-10-30 11:49:21 +01:00
parent 8667a85865
commit 2334b3c02d
3 changed files with 147 additions and 0 deletions
--- a/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjectionMitigations.html
+++ b/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjectionMitigations.html
@ -35,6 +35,25 @@
            </div>
        </form>
    </div>
+    <div class="attack-feedback"></div>
+    <div class="attack-output"></div>
+</div>
+
+<div class="lesson-page-wrapper">
+    <div class="adoc-content" th:replace="doc:SqlInjection_jdbc_newcode.adoc"></div>
+    <div class="attack-container">
+        <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
+        <form class="attack-form" accept-charset="UNKNOWN" method="POST" name="form" action="/WebGoat/SqlInjection/attack10b" enctype="application/json;charset=UTF-8">
+            <div>
+                <textarea rows="10" cols="75" name="code" id="code"></textarea>
+            </div>
+            <div class="input-group" style="margin-top: 10px">
+                <button type="submit" class="btn btn-primary">Submit</button>
+            </div>
+        </form>
+    </div>
+    <div class="attack-feedback"></div>
+    <div class="attack-output"></div>
 </div>

 <div class="lesson-page-wrapper">
--- a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_jdbc_newcode.adoc
+++ b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_jdbc_newcode.adoc
@ -0,0 +1,43 @@
+== Try it! Writing safe code
+
+Now it's time to write your own code!
+
+All code you write down below gets inserted into a main method of a java class with the name "TestClass". This class also imports java.sql.*. Use your knowledge and write the right code from scratch!
+
+[source,java]
+-------------------------------------------------------
+ Connection conn = null;
+ PreparedStatement stmt = null;
+ try{
+    //STEP 1: Open a connection
+    conn = DriverManager.getConnection("DBURL","DBUSER","DBPW");
+
+    //STEP 2: Use the PreparedStatement
+    stmt = conn.prepareStatement("SELECT id, first, last, age FROM Employees WHERE id=?");
+    stmt.setString(1, "Hallo");
+
+    //STEP 3: Clean-up environment
+    stmt.close();
+    conn.close();
+    //STEP 4: catch Exceptions
+ }catch(SQLException se){
+    //Handle errors for JDBC
+    se.printStackTrace();
+ }catch(Exception e){
+    //Handle errors for Class.forName
+    e.printStackTrace();
+ }finally{
+    //finally block used to close resources
+    try{
+       if(stmt!=null)
+          stmt.close();
+    }catch(SQLException se2){
+    }// nothing we can do
+    try{
+       if(conn!=null)
+          conn.close();
+    }catch(SQLException se){
+       se.printStackTrace();
+    }//end finally try
+ }//end try
+-------------------------------------------------------