lessons: sql_injection

added another assignment
2018-10-30 11:49:21 +01:00 · 2018-10-30 11:49:21 +01:00 · 2334b3c02d
commit 2334b3c02d
parent 8667a85865
3 changed files with 147 additions and 0 deletions
--- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson10b.java
+++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson10b.java
@ -0,0 +1,85 @@
+package org.owasp.webgoat.plugin.mitigation;
+
+import lombok.SneakyThrows;
+import org.owasp.webgoat.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.assignments.AssignmentPath;
+import org.owasp.webgoat.assignments.AttackResult;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.bind.annotation.ResponseBody;
+
+import javax.tools.*;
+import java.io.IOException;
+import java.net.URI;
+import java.util.Arrays;
+import java.util.List;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+@AssignmentPath("SqlInjection/attack10b")
+public class SqlInjectionLesson10b extends AssignmentEndpoint {
+
+    @RequestMapping(method = RequestMethod.POST)
+    @ResponseBody
+    public AttackResult completed(@RequestParam String code) {
+        String regex1 = "(?=.*PreparedStatement.*)(?=.*setString.*)(?=.*\\=\\?.*|.*\\=\\s\\?.*)";
+        boolean hasImportant = this.check_text(regex1, code.replace("\n", "").replace("\r", ""));
+        List<Diagnostic> hasCompiled = this.compileFromString(code);
+        String errors = "";
+        if(hasImportant && hasCompiled.size() < 2) {
+            return trackProgress(success().build());
+        } else if(hasCompiled.size() > 1) {
+            for(Diagnostic d : hasCompiled) {
+                errors += d.getMessage(null) + "\n";
+            }
+        }
+        return trackProgress(failed().output(errors).build());
+    }
+
+    private List<Diagnostic> compileFromString(String s) {
+        JavaCompiler compiler = ToolProvider.getSystemJavaCompiler();
+        DiagnosticCollector diagnosticsCollector = new DiagnosticCollector();
+        StandardJavaFileManager fileManager  = compiler.getStandardFileManager(diagnosticsCollector, null, null);
+        JavaFileObject javaObjectFromString = getJavaFileContentsAsString(s);
+        Iterable fileObjects = Arrays.asList(javaObjectFromString);
+        JavaCompiler.CompilationTask task = compiler.getTask(null, fileManager, diagnosticsCollector, null, null, fileObjects);
+        Boolean result = task.call();
+        List<Diagnostic> diagnostics = diagnosticsCollector.getDiagnostics();
+        if(result == true){
+            return null;
+        } else {
+            return diagnostics;
+        }
+    }
+
+    private SimpleJavaFileObject getJavaFileContentsAsString(String s){
+        StringBuilder javaFileContents = new StringBuilder("import java.sql.*; public class TestClass { public static void main(String[] args) {" + s + "}}");
+        JavaObjectFromString javaFileObject = null;
+        try{
+            javaFileObject = new JavaObjectFromString("TestClass.java", javaFileContents.toString());
+        }catch(Exception exception){
+            exception.printStackTrace();
+        }
+        return javaFileObject;
+    }
+
+    class JavaObjectFromString extends SimpleJavaFileObject {
+        private String contents = null;
+        public JavaObjectFromString(String className, String contents) throws Exception{
+            super(new URI(className), Kind.SOURCE);
+            this.contents = contents;
+        }
+        public CharSequence getCharContent(boolean ignoreEncodingErrors) throws IOException {
+            return contents;
+        }
+    }
+
+    private boolean check_text(String regex, String text) {
+        Pattern p = Pattern.compile(regex, Pattern.CASE_INSENSITIVE);
+        Matcher m = p.matcher(text);
+        if(m.find())
+            return true;
+        else return false;
+    }
+}
--- a/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjectionMitigations.html
+++ b/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjectionMitigations.html
@ -35,6 +35,25 @@
            </div>
        </form>
    </div>
+    <div class="attack-feedback"></div>
+    <div class="attack-output"></div>
+</div>
+
+<div class="lesson-page-wrapper">
+    <div class="adoc-content" th:replace="doc:SqlInjection_jdbc_newcode.adoc"></div>
+    <div class="attack-container">
+        <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
+        <form class="attack-form" accept-charset="UNKNOWN" method="POST" name="form" action="/WebGoat/SqlInjection/attack10b" enctype="application/json;charset=UTF-8">
+            <div>
+                <textarea rows="10" cols="75" name="code" id="code"></textarea>
+            </div>
+            <div class="input-group" style="margin-top: 10px">
+                <button type="submit" class="btn btn-primary">Submit</button>
+            </div>
+        </form>
+    </div>
+    <div class="attack-feedback"></div>
+    <div class="attack-output"></div>
 </div>

 <div class="lesson-page-wrapper">
--- a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_jdbc_newcode.adoc
+++ b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_jdbc_newcode.adoc
@ -0,0 +1,43 @@
+== Try it! Writing safe code
+
+Now it's time to write your own code!
+
+All code you write down below gets inserted into a main method of a java class with the name "TestClass". This class also imports java.sql.*. Use your knowledge and write the right code from scratch!
+
+[source,java]
+-------------------------------------------------------
+ Connection conn = null;
+ PreparedStatement stmt = null;
+ try{
+    //STEP 1: Open a connection
+    conn = DriverManager.getConnection("DBURL","DBUSER","DBPW");
+
+    //STEP 2: Use the PreparedStatement
+    stmt = conn.prepareStatement("SELECT id, first, last, age FROM Employees WHERE id=?");
+    stmt.setString(1, "Hallo");
+
+    //STEP 3: Clean-up environment
+    stmt.close();
+    conn.close();
+    //STEP 4: catch Exceptions
+ }catch(SQLException se){
+    //Handle errors for JDBC
+    se.printStackTrace();
+ }catch(Exception e){
+    //Handle errors for Class.forName
+    e.printStackTrace();
+ }finally{
+    //finally block used to close resources
+    try{
+       if(stmt!=null)
+          stmt.close();
+    }catch(SQLException se2){
+    }// nothing we can do
+    try{
+       if(conn!=null)
+          conn.close();
+    }catch(SQLException se){
+       se.printStackTrace();
+    }//end finally try
+ }//end try
+-------------------------------------------------------