From 25dae3a4a824e918e5294d3268cea18ba917620c Mon Sep 17 00:00:00 2001 
From: Nanne Baars Date: Sat, 19 Oct 2019 17:17:54 +0200 Subject: [PATCH] Fix merge request --- webgoat-container/pom.xml | 10 + .../owasp/webgoat/DatabaseInitialization.java | 46 + .../main/java/org/owasp/webgoat/WebGoat.java | 9 +- .../webgoat/service/RestartLessonService.java | 18 +- .../org/owasp/webgoat/session/CreateDB.java | 1073 ----------------- .../webgoat/session/DatabaseUtilities.java | 129 -- .../org/owasp/webgoat/session/WebSession.java | 38 +- .../owasp/webgoat/session/WebgoatContext.java | 187 --- .../resources/application-webgoat.properties | 5 +- .../main/resources/db/container/V1__init.sql | 64 + .../org/owasp/webgoat/TestApplication.java | 27 + .../org/owasp/webgoat/plugins/LessonTest.java | 5 +- .../webgoat/users/UserRepositoryTest.java | 4 +- .../users/UserTrackerRepositoryTest.java | 3 +- .../resources/application-test.properties | 3 +- .../org/owasp/webgoat/IntegrationTest.java | 33 +- .../owasp/webgoat/SqlInjectionLessonTest.java | 8 +- .../test/java/org/owasp/webgoat/XXETest.java | 67 +- .../challenges/challenge5/Assignment5.java | 86 +- .../challenges/challenge6/Assignment6.java | 132 -- .../challenges/challenge6/Challenge6.java | 28 - .../db/migration/V2018_09_26_1__users.sql | 11 + .../chrome_dev_tools/ChromeDevToolsTest.java | 2 - .../java/org/owasp/webgoat/cia/CIAQuiz.java | 8 - .../org/owasp/webgoat/cia/CIAQuizTest.java | 1 - .../ShopEndpointTest.java | 6 +- .../owasp/webgoat/jwt/JWTFinalEndpoint.java | 17 +- .../db/migration/V2019_09_25_1__jwt.sql | 7 + .../org/owasp/webgoat/missing_ac/Users.java | 71 +- .../MissingFunctionYourHashTest.java | 7 +- .../advanced/SqlInjectionChallenge.java | 86 +- .../advanced/SqlInjectionChallengeLogin.java | 54 +- .../advanced/SqlInjectionLesson6a.java | 26 +- .../advanced/SqlInjectionLesson6b.java | 23 +- .../advanced/SqlInjectionQuiz.java | 6 - .../introduction/SqlInjectionLesson10.java | 30 +- .../introduction/SqlInjectionLesson2.java | 58 +- .../introduction/SqlInjectionLesson3.java | 35 +- 
.../introduction/SqlInjectionLesson4.java | 32 +- .../introduction/SqlInjectionLesson5.java | 4 +- .../introduction/SqlInjectionLesson5a.java | 147 +-- .../introduction/SqlInjectionLesson5b.java | 97 +- .../introduction/SqlInjectionLesson8.java | 29 +- .../introduction/SqlInjectionLesson9.java | 43 +- .../sql_injection/mitigation/Servers.java | 13 +- .../mitigation/SqlInjectionLesson10a.java | 17 +- .../mitigation/SqlInjectionLesson12a.java | 32 +- .../db/migration/V2019_09_26_1__servers.sql | 13 + .../db/migration/V2019_09_26_2__users.sql | 24 + .../db/migration/V2019_09_26_3__salaries.sql | 10 + .../db/migration/V2019_09_26_4__tan.sql | 14 + .../V2019_09_26_5__challenge_assignment.sql | 10 + .../V2019_09_26_6__user_system_data.sql | 12 + .../db/migration/V2019_09_26_7__employees.sql | 20 + .../src/main/resources/html/SqlInjection.html | 4 +- .../en/SqlInjection_content10.adoc | 2 +- .../en/SqlInjection_content11.adoc | 2 +- .../en/SqlInjection_content12a.adoc | 4 +- .../lessonPlans/en/SqlInjection_content6.adoc | 10 +- .../en/SqlInjection_content6c.adoc | 4 +- .../lessonPlans/en/SqlInjection_content7.adoc | 6 +- .../lessonPlans/en/SqlInjection_content8.adoc | 10 +- .../lessonPlans/en/SqlInjection_content9.adoc | 4 +- .../SqlInjection_introduction_content11.adoc | 2 +- .../SqlInjection_introduction_content12.adoc | 2 +- .../SqlInjection_introduction_content2.adoc | 6 +- ...Injection_introduction_content5_after.adoc | 6 +- .../webgoat/sql_injection/SqlLessonTest.java | 1 - .../SqlInjectionLesson10Test.java | 6 - .../introduction/SqlInjectionLesson2Test.java | 45 + .../introduction/SqlInjectionLesson5Test.java | 32 +- .../SqlInjectionLesson5aTest.java | 49 +- .../introduction/SqlInjectionLesson8Test.java | 7 - .../introduction/SqlInjectionLesson9Test.java | 6 - .../mitigation/SqlInjectionLesson12aTest.java | 7 - .../owasp/webgoat/HSQLDBDatabaseConfig.java | 16 +- .../org/owasp/webwolf/MvcConfiguration.java | 13 + .../org/owasp/webwolf/requests/Requests.java | 1 - 
.../resources/application-webwolf.properties | 1 + 79 files changed, 900 insertions(+), 2286 deletions(-) create mode 100644 webgoat-container/src/main/java/org/owasp/webgoat/DatabaseInitialization.java delete mode 100644 webgoat-container/src/main/java/org/owasp/webgoat/session/CreateDB.java delete mode 100644 webgoat-container/src/main/java/org/owasp/webgoat/session/DatabaseUtilities.java delete mode 100644 webgoat-container/src/main/java/org/owasp/webgoat/session/WebgoatContext.java create mode 100644 webgoat-container/src/main/resources/db/container/V1__init.sql create mode 100644 webgoat-container/src/test/java/org/owasp/webgoat/TestApplication.java delete mode 100644 webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge6/Assignment6.java delete mode 100644 webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge6/Challenge6.java create mode 100644 webgoat-lessons/challenge/src/main/resources/db/migration/V2018_09_26_1__users.sql create mode 100644 webgoat-lessons/jwt/src/main/resources/db/migration/V2019_09_25_1__jwt.sql create mode 100644 webgoat-lessons/sql-injection/src/main/resources/db/migration/V2019_09_26_1__servers.sql create mode 100644 webgoat-lessons/sql-injection/src/main/resources/db/migration/V2019_09_26_2__users.sql create mode 100644 webgoat-lessons/sql-injection/src/main/resources/db/migration/V2019_09_26_3__salaries.sql create mode 100644 webgoat-lessons/sql-injection/src/main/resources/db/migration/V2019_09_26_4__tan.sql create mode 100644 webgoat-lessons/sql-injection/src/main/resources/db/migration/V2019_09_26_5__challenge_assignment.sql create mode 100644 webgoat-lessons/sql-injection/src/main/resources/db/migration/V2019_09_26_6__user_system_data.sql create mode 100644 webgoat-lessons/sql-injection/src/main/resources/db/migration/V2019_09_26_7__employees.sql create mode 100644 
webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson2Test.java diff --git a/webgoat-container/pom.xml b/webgoat-container/pom.xml index a2d55e70b..7588b1bd2 100644 --- a/webgoat-container/pom.xml +++ b/webgoat-container/pom.xml @@ -92,6 +92,10 @@ org.springframework.boot spring-boot-starter-actuator + + org.flywaydb + flyway-core + org.asciidoctor asciidoctorj @@ -100,6 +104,12 @@ org.springframework.boot spring-boot-starter-data-jpa + + + HikariCP + com.zaxxer + + org.apache.commons diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/DatabaseInitialization.java b/webgoat-container/src/main/java/org/owasp/webgoat/DatabaseInitialization.java new file mode 100644 index 000000000..17e8087a2 --- /dev/null +++ b/webgoat-container/src/main/java/org/owasp/webgoat/DatabaseInitialization.java 
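Review bot: The new exclusion of `HikariCP` (`com.zaxxer`) from `spring-boot-starter-data-jpa` drops Boot's default connection pool, and nothing in this hunk says what replaces it; whether Boot then falls back to another pool on the classpath or to an unpooled embedded HSQLDB DataSource depends on the datasource properties, which are outside this view. A one-line XML comment beside the exclusion stating the intent (for example `<!-- HikariCP excluded: WebGoat runs on embedded HSQLDB, no pool wanted -->`, or whatever the real reason is) would keep the next maintainer from re-adding it. `flyway-core` is added without a version, which is fine only if the Spring Boot parent/BOM manages it — that is also not visible here, so worth confirming.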
@@ -0,0 +1,46 @@
+package org.owasp.webgoat;
+
+import org.flywaydb.core.Flyway;
+import org.owasp.webgoat.service.RestartLessonService;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.DependsOn;
+
+import javax.sql.DataSource;
+import java.util.Map;
+
+/**
+ * Define 2 Flyway instances, 1 for WebGoat itself which it uses for internal storage like users and 1 for lesson
+ * specific tables we use. This way we clean the data in the lesson database quite easily see {@link RestartLessonService#restartLesson()}
+ * for how we clean the lesson related tables.
+ */
+@Configuration
+public class DatabaseInitialization {
+
+ private final DataSource dataSource;
+
+ public DatabaseInitialization(DataSource dataSource) {
+ this.dataSource = dataSource;
+ }
+
+ @Bean(initMethod = "migrate")
+ public Flyway flyWayContainer() {
+ return Flyway
+ .configure().configuration(
+ Map.of("driver", "org.hsqldb.jdbc.JDBCDriver"))
+ .dataSource(dataSource)
+ .schemas("container")
+ .locations("db/container")
+ .load();
+ }
+
+ @Bean(initMethod = "migrate")
+ @DependsOn("flyWayContainer")
+ public Flyway flywayLessons() {
+ return Flyway
+ .configure().configuration(
+ Map.of("driver", "org.hsqldb.jdbc.JDBCDriver"))
+ .dataSource(dataSource)
+ .load();
+ }
+}
\ No newline at end of file
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/WebGoat.java b/webgoat-container/src/main/java/org/owasp/webgoat/WebGoat.java
index dc0f8bb69..30ade6d34 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/WebGoat.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/WebGoat.java
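Review bot: Both beans pass `Map.of("driver", "org.hsqldb.jdbc.JDBCDriver")` to `configuration(Map)`, but as far as I can tell that method expects Flyway property names (`flyway.driver`), so the bare `driver` key is most likely ignored — and it is redundant in any case, because `.dataSource(dataSource)` hands Flyway an already-built DataSource whose driver is fixed. Dropping the `.configuration(...)` call from both builders, or spelling the key `flyway.driver` if it really is needed, removes a setting that silently does nothing. Separately, `flywayLessons` sets neither `schemas(...)` nor `locations(...)`, so it runs the default `db/migration` scripts against the connection's default schema, and `RestartLessonService` calls `clean()` on it; the bean deserves a comment making that contract explicit, e.g. `// No schemas(): clean() in RestartLessonService wipes the connection's default schema, so WebGoat's own tables must stay in "container"`.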
@@ -32,17 +32,16 @@ package org.owasp.webgoat; import org.owasp.webgoat.session.UserSessionData; import org.owasp.webgoat.session.WebSession; -import org.owasp.webgoat.session.WebgoatContext; import org.springframework.beans.factory.annotation.Value; -import org.springframework.boot.autoconfigure.SpringBootApplication; import org.springframework.context.annotation.Bean; +import org.springframework.context.annotation.Configuration; import org.springframework.context.annotation.Scope; import org.springframework.context.annotation.ScopedProxyMode; import org.springframework.web.client.RestTemplate; import java.io.File; -@SpringBootApplication +@Configuration public class WebGoat { @Bean(name = "pluginTargetDirectory") @@ -52,8 +51,8 @@ public class WebGoat { @Bean @Scope(value = "session", proxyMode = ScopedProxyMode.TARGET_CLASS) - public WebSession webSession(WebgoatContext webgoatContext) { - return new WebSession(webgoatContext); + public WebSession webSession() { + return new WebSession(); } @Bean diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/service/RestartLessonService.java b/webgoat-container/src/main/java/org/owasp/webgoat/service/RestartLessonService.java index b2f503f48..e44780778 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/service/RestartLessonService.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/service/RestartLessonService.java @@ -25,6 +25,7 @@ package org.owasp.webgoat.service; import lombok.AllArgsConstructor; import lombok.extern.slf4j.Slf4j; +import org.flywaydb.core.Flyway; import org.owasp.webgoat.lessons.Lesson; import org.owasp.webgoat.session.WebSession; import org.owasp.webgoat.users.UserTracker; @@ -34,25 +35,15 @@ import org.springframework.stereotype.Controller; import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.ResponseStatus; -/** - *

RestartLessonService class.

- * - * @author rlawson - * @version $Id: $Id - */ @Controller @AllArgsConstructor @Slf4j public class RestartLessonService { private final WebSession webSession; - private UserTrackerRepository userTrackerRepository; + private final UserTrackerRepository userTrackerRepository; + private final Flyway flywayLessons; - /** - * Returns current lesson - * - * @return a {@link java.lang.String} object. - */ @RequestMapping(path = "/service/restartlesson.mvc", produces = "text/text") @ResponseStatus(value = HttpStatus.OK) public void restartLesson() { @@ -62,5 +53,8 @@ public class RestartLessonService { UserTracker userTracker = userTrackerRepository.findByUser(webSession.getUserName()); userTracker.reset(al); userTrackerRepository.save(userTracker); + + flywayLessons.clean(); + flywayLessons.migrate(); } } diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/session/CreateDB.java b/webgoat-container/src/main/java/org/owasp/webgoat/session/CreateDB.java deleted file mode 100644 index a34e734db..000000000 --- a/webgoat-container/src/main/java/org/owasp/webgoat/session/CreateDB.java +++ /dev/null @@ -1,1073 +0,0 @@ - -package org.owasp.webgoat.session; - -import java.sql.Connection; -import java.sql.SQLException; -import java.sql.Statement; - - -/** - * ************************************************************************************************ - *
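Review bot: `private final Flyway flywayLessons;` is injected by type while the context now defines two `Flyway` beans (`flyWayContainer` and `flywayLessons` in DatabaseInitialization), and the Lombok `@AllArgsConstructor` leaves disambiguation to the constructor parameter name, which only works if parameter names survive compilation. If the wrong bean were ever picked, `clean()` would drop the `container` schema that holds the user accounts, so the field should be qualified explicitly: `@Qualifier("flywayLessons") private final Flyway flywayLessons;` (Lombok copies `@Qualifier` onto the generated constructor parameter only when `lombok.copyableAnnotations` lists it; otherwise write the constructor by hand). Also, `flywayLessons.clean(); flywayLessons.migrate();` run against a database shared by every session, so one user hitting `/service/restartlesson.mvc` resets the lesson tables for all logged-in users rather than just the caller's tracker — presumably acceptable for a training app, but it deserves a comment above the two calls, e.g. `// NOTE: wipes and re-seeds the shared lesson schema for ALL users, not only the caller`. `restartLesson()` begins in the preceding hunk.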

- *

- * This file is part of WebGoat, an Open Web Application Security Project utility. For details, - * please see http://www.owasp.org/ - *

- * Copyright (c) 2002 - 20014 Bruce Mayhew - *

- * This program is free software; you can redistribute it and/or modify it under the terms of the - * GNU General Public License as published by the Free Software Foundation; either version 2 of the - * License, or (at your option) any later version. - *

- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without - * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - * General Public License for more details. - *

- * You should have received a copy of the GNU General Public License along with this program; if - * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA - * 02111-1307, USA. - *

- * Getting Source ============== - *

- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software - * projects. - * - * @author Jeff Williams Aspect Security - * @version $Id: $Id - */ -public class CreateDB { - - /** - * Description of the Method - * - * @param connection Description of the Parameter - * @throws SQLException Description of the Exception - */ - private void createServersTable(Connection connection) throws SQLException { - Statement statement = connection.createStatement(); - - // Drop servers table - try { - String dropTable = "DROP TABLE servers"; - statement.executeUpdate(dropTable); - } catch (SQLException e) { - System.out.println("Info - Could not drop servers table"); - } - - // Create the new table - try { - String createTableStatement = "CREATE TABLE servers" - + " (" + "id varchar(10)," - + "hostname varchar(20)," - + "ip varchar(20)," - + "mac varchar(20)," - + "status varchar(20)," - + "description varchar(40)" - + ")"; - statement.executeUpdate(createTableStatement); - - String insertData1 = "INSERT INTO servers VALUES ('1', 'webgoat-dev', '192.168.4.0', 'AA:BB:11:22:CC:DD', 'online', 'Development server')"; - String insertData2 = "INSERT INTO servers VALUES ('2', 'webgoat-tst', '192.168.2.1', 'EE:FF:33:44:AB:CD', 'online', 'Test server')"; - String insertData3 = "INSERT INTO servers VALUES ('3', 'webgoat-acc', '192.168.3.3', 'EF:12:FE:34:AA:CC', 'offline', 'Acceptance server')"; - String insertData4 = "INSERT INTO servers VALUES ('4', 'webgoat-pre-prod', '192.168.6.4', 'EF:12:FE:34:AA:CC', 'offline', 'Pre-production server')"; - String insertData5 = "INSERT INTO servers VALUES ('4', 'webgoat-prd', '104.130.219.202', 'FA:91:EB:82:DC:73', 'out of order', 'Production server')"; - statement.executeUpdate(insertData1); - statement.executeUpdate(insertData2); - statement.executeUpdate(insertData3); - statement.executeUpdate(insertData4); - statement.executeUpdate(insertData5); - } catch (SQLException e) { - 
System.out.println("Error creating product table " + e.getLocalizedMessage()); - } - } - - /** - * Description of the Method - * - * @param connection Description of the Parameter - * @throws SQLException Description of the Exception - */ - private void createJWTKeys(Connection connection) throws SQLException { - Statement statement = connection.createStatement(); - - // Drop servers table - try { - String dropTable = "DROP TABLE jwt_keys"; - statement.executeUpdate(dropTable); - } catch (SQLException e) { - System.out.println("Info - Could not drop jwtkeys table"); - } - - // Create the new table - try { - String createTableStatement = "CREATE TABLE jwt_keys" - + " (" + "id varchar(20)," - + "key varchar(20))"; - statement.executeUpdate(createTableStatement); - - String insertData1 = "INSERT INTO jwt_keys VALUES ('webgoat_key', 'qwertyqwerty1234')"; - String insertData2 = "INSERT INTO jwt_keys VALUES ('webwolf_key', 'doesnotreallymatter')"; - statement.executeUpdate(insertData1); - statement.executeUpdate(insertData2); - } catch (SQLException e) { - System.out.println("Error creating product table " + e.getLocalizedMessage()); - } - } - - - /** - * Description of the Method - * - * @param connection Description of the Parameter - * @throws SQLException Description of the Exception - */ - private void createMessageTable(Connection connection) throws SQLException { - Statement statement = connection.createStatement(); - - // Drop admin user table - try { - String dropTable = "DROP TABLE messages"; - statement.executeUpdate(dropTable); - } catch (SQLException e) { - System.out.println("Info - Could not drop message database"); - } - - // Create the new table - try { - String createTableStatement = "CREATE TABLE messages (" + "num int not null," + "title varchar(50)," - + "message varchar(200)," + "user_name varchar(50) not null, " + "lesson_type varchar(50) not null" - + ")"; - statement.executeUpdate(createTableStatement); - } catch (SQLException e) { - 
System.out.println("Error creating message database " + e.getLocalizedMessage()); - } - } - - /** - * Description of the Method - * - * @param connection Description of the Parameter - * @throws SQLException Description of the Exception - */ - private void createMFEImagesTable(Connection connection) throws SQLException { - Statement statement = connection.createStatement(); - - // Drop mfe_images table - try { - String dropTable = "DROP TABLE mfe_images"; - statement.executeUpdate(dropTable); - } catch (SQLException e) { - System.out.println("Info - Could not drop mfe_images table from database"); - } - - // Create the new mfe_images table - try { - String createTableStatement = "CREATE TABLE mfe_images (" - + "user_name varchar(50) not null, " - + "image_relative_url varchar(50) not null" - + ")"; - statement.executeUpdate(createTableStatement); - } catch (SQLException e) { - System.out.println("Error creating mfe_images table in database " + e.getLocalizedMessage()); - } - - } - - /** - * Description of the Method - * - * @param connection Description of the Parameter - * @throws SQLException Description of the Exception - */ - private void createProductTable(Connection connection) throws SQLException { - Statement statement = connection.createStatement(); - - // Drop admin user table - try { - String dropTable = "DROP TABLE product_system_data"; - statement.executeUpdate(dropTable); - } catch (SQLException e) { - System.out.println("Info - Could not drop product table"); - } - - // Create the new table - try { - String createTableStatement = "CREATE TABLE product_system_data (" - + "productid varchar(6) not null primary key," + "product_name varchar(20)," + "price varchar(10)" - + ")"; - statement.executeUpdate(createTableStatement); - } catch (SQLException e) { - System.out.println("Error creating product table " + e.getLocalizedMessage()); - } - - // Populate - String insertData1 = "INSERT INTO product_system_data VALUES ('32226','Dog Bone','$1.99')"; - String 
insertData2 = "INSERT INTO product_system_data VALUES ('35632','DVD Player','$214.99')"; - String insertData3 = "INSERT INTO product_system_data VALUES ('24569','60 GB Hard Drive','$149.99')"; - String insertData4 = "INSERT INTO product_system_data VALUES ('56970','80 GB Hard Drive','$179.99')"; - String insertData5 = "INSERT INTO product_system_data VALUES ('14365','56 inch HDTV','$6999.99')"; - statement.executeUpdate(insertData1); - statement.executeUpdate(insertData2); - statement.executeUpdate(insertData3); - statement.executeUpdate(insertData4); - statement.executeUpdate(insertData5); - } - - /** - * Description of the Method - * - * @param connection Description of the Parameter - * @throws SQLException Description of the Exception - */ - private void createUserAdminTable(Connection connection) throws SQLException { - Statement statement = connection.createStatement(); - - // Drop admin user table - try { - String dropTable = "DROP TABLE user_system_data"; - statement.executeUpdate(dropTable); - } catch (SQLException e) { - System.out.println("Info - Could not drop user admin table"); - } - - // Create the new table - try { - String createTableStatement = "CREATE TABLE user_system_data (" + "userid int not null primary key," - + "user_name varchar(12)," + "password varchar(10)," + "cookie varchar(30)" + ")"; - statement.executeUpdate(createTableStatement); - } catch (SQLException e) { - System.out.println("Error creating user admin table " + e.getLocalizedMessage()); - } - - // Populate - String insertData1 = "INSERT INTO user_system_data VALUES (101,'jsnow','passwd1', '')"; - String insertData2 = "INSERT INTO user_system_data VALUES (102,'jdoe','passwd2', '')"; - String insertData3 = "INSERT INTO user_system_data VALUES (103,'jplane','passwd3', '')"; - String insertData4 = "INSERT INTO user_system_data VALUES (104,'jeff','jeff', '')"; - String insertData5 = "INSERT INTO user_system_data VALUES (105,'dave','passW0rD', '')"; - 
statement.executeUpdate(insertData1); - statement.executeUpdate(insertData2); - statement.executeUpdate(insertData3); - statement.executeUpdate(insertData4); - statement.executeUpdate(insertData5); - } - - /** - * Description of the Method - * - * @param connection Description of the Parameter - * @throws SQLException Description of the Exception - */ - private void createUserDataTable(Connection connection) throws SQLException { - Statement statement = connection.createStatement(); - - // Delete table if there is one - try { - String dropTable = "DROP TABLE user_data"; - statement.executeUpdate(dropTable); - } catch (SQLException e) { - System.out.println("Info - Could not drop user table"); - } - - // Create the new table - try { - String createTableStatement = "CREATE TABLE user_data (" + "userid int not null," - + "first_name varchar(20)," + "last_name varchar(20)," + "cc_number varchar(30)," - + "cc_type varchar(10)," + "cookie varchar(20)," + "login_count int" + ")"; - statement.executeUpdate(createTableStatement); - } catch (SQLException e) { - System.out.println("Error creating user table " + e.getLocalizedMessage()); - } - - // Populate it - String insertData1 = "INSERT INTO user_data VALUES (101,'Joe','Snow','987654321','VISA',' ',0)"; - String insertData2 = "INSERT INTO user_data VALUES (101,'Joe','Snow','2234200065411','MC',' ',0)"; - String insertData3 = "INSERT INTO user_data VALUES (102,'John','Smith','2435600002222','MC',' ',0)"; - String insertData4 = "INSERT INTO user_data VALUES (102,'John','Smith','4352209902222','AMEX',' ',0)"; - String insertData5 = "INSERT INTO user_data VALUES (103,'Jane','Plane','123456789','MC',' ',0)"; - String insertData6 = "INSERT INTO user_data VALUES (103,'Jane','Plane','333498703333','AMEX',' ',0)"; - String insertData7 = "INSERT INTO user_data VALUES (10312,'Jolly','Hershey','176896789','MC',' ',0)"; - String insertData8 = "INSERT INTO user_data VALUES (10312,'Jolly','Hershey','333300003333','AMEX',' ',0)"; - String 
insertData9 = "INSERT INTO user_data VALUES (10323,'Grumpy','youaretheweakestlink','673834489','MC',' ',0)"; - String insertData10 = "INSERT INTO user_data VALUES (10323,'Grumpy','youaretheweakestlink','33413003333','AMEX',' ',0)"; - String insertData11 = "INSERT INTO user_data VALUES (15603,'Peter','Sand','123609789','MC',' ',0)"; - String insertData12 = "INSERT INTO user_data VALUES (15603,'Peter','Sand','338893453333','AMEX',' ',0)"; - String insertData13 = "INSERT INTO user_data VALUES (15613,'Joesph','Something','33843453533','AMEX',' ',0)"; - String insertData14 = "INSERT INTO user_data VALUES (15837,'Chaos','Monkey','32849386533','CM',' ',0)"; - String insertData15 = "INSERT INTO user_data VALUES (19204,'Mr','Goat','33812953533','VISA',' ',0)"; - statement.executeUpdate(insertData1); - statement.executeUpdate(insertData2); - statement.executeUpdate(insertData3); - statement.executeUpdate(insertData4); - statement.executeUpdate(insertData5); - statement.executeUpdate(insertData6); - statement.executeUpdate(insertData7); - statement.executeUpdate(insertData8); - statement.executeUpdate(insertData9); - statement.executeUpdate(insertData10); - statement.executeUpdate(insertData11); - statement.executeUpdate(insertData12); - statement.executeUpdate(insertData13); - statement.executeUpdate(insertData14); - statement.executeUpdate(insertData15); - - } - - private void createLoginTable(Connection connection) throws SQLException { - Statement statement = connection.createStatement(); - - // Delete table if there is one - try { - String dropTable = "DROP TABLE user_login"; - statement.executeUpdate(dropTable); - } catch (SQLException e) { - System.out.println("Info - Could not drop user_login table"); - } - - // Create the new table - try { - String createTableStatement = "CREATE TABLE user_login (" + "userid varchar(5)," - + "webgoat_user varchar(20)" + ")"; - statement.executeUpdate(createTableStatement); - } catch (SQLException e) { - System.out.println("Error 
creating user_login table " + e.getLocalizedMessage()); - } - - } - - // creates the table pins which is used in the blind sql injection lesson - private void createBlindSQLLessonTable(Connection connection) throws SQLException { - Statement statement = connection.createStatement(); - - // Delete table if there is one - try { - String dropTable = "DROP TABLE pins"; - statement.executeUpdate(dropTable); - } catch (SQLException e) { - System.out.println("Info - Could not drop pins table"); - } - - // Create the new table - try { - String createTableStatement = "CREATE TABLE pins (" - + "cc_number varchar(30)," - + "pin int," - + "name varchar(20)" - + ")"; - statement.executeUpdate(createTableStatement); - } catch (SQLException e) { - System.out.println("Error creating pins table " + e.getLocalizedMessage()); - } - - // Populate it - String insertData1 = "INSERT INTO pins VALUES ('987654321098765', 1234, 'Joe')"; - String insertData2 = "INSERT INTO pins VALUES ('1234567890123456', 4567, 'Jack')"; - String insertData3 = "INSERT INTO pins VALUES ('4321432143214321', 4321, 'Jill')"; - String insertData4 = "INSERT INTO pins VALUES ('1111111111111111', 7777, 'Jim')"; - String insertData5 = "INSERT INTO pins VALUES ('1111222233334444', 2364, 'John')"; - - statement.executeUpdate(insertData1); - statement.executeUpdate(insertData2); - statement.executeUpdate(insertData3); - statement.executeUpdate(insertData4); - statement.executeUpdate(insertData5); - - } - - // creates the table salaries which is used in the lessons - // which add or modify data using sql injection - private void createModifyWithSQLLessonTable(Connection connection) throws SQLException { - Statement statement = connection.createStatement(); - - // Delete table if there is one - try { - String dropTable = "DROP TABLE salaries"; - statement.executeUpdate(dropTable); - } catch (SQLException e) { - System.out.println("Info - Could not drop salaries table"); - } - - // Create the new table - try { - String 
createTableStatement = "CREATE TABLE salaries (" - + "userid varchar(50)," - + "salary int" - + ")"; - statement.executeUpdate(createTableStatement); - } catch (SQLException e) { - System.out.println("Error creating salaries table " + e.getLocalizedMessage()); - } - - // Populate it - String insertData1 = "INSERT INTO salaries VALUES ('jsmith', 20000)"; - String insertData2 = "INSERT INTO salaries VALUES ('lsmith', 45000)"; - String insertData3 = "INSERT INTO salaries VALUES ('wgoat', 100000)"; - String insertData4 = "INSERT INTO salaries VALUES ('rjones', 777777)"; - String insertData5 = "INSERT INTO salaries VALUES ('manderson', 65000)"; - - statement.executeUpdate(insertData1); - statement.executeUpdate(insertData2); - statement.executeUpdate(insertData3); - statement.executeUpdate(insertData4); - statement.executeUpdate(insertData5); - - } - - /** - * Description of the Method - * - * @param connection Description of the Parameter - * @throws SQLException Description of the Exception - */ - private void createWeatherDataTable(Connection connection) throws SQLException { - Statement statement = connection.createStatement(); - - // Delete table if there is one - try { - String dropTable = "DROP TABLE weather_data"; - statement.executeUpdate(dropTable); - } catch (SQLException e) { - System.out.println("Info - Could not drop weather table"); - } - - // Create the new table - try { - String createTableStatement = "CREATE TABLE weather_data (" + "station int not null," - + "name varchar(20) not null," + "state char(2) not null," + "min_temp int not null," - + "max_temp int not null" + ")"; - statement.executeUpdate(createTableStatement); - } catch (SQLException e) { - System.out.println("Error creating weather table " + e.getLocalizedMessage()); - } - - // Populate it - String insertData1 = "INSERT INTO weather_data VALUES (101,'Columbia','MD',-10,102)"; - String insertData2 = "INSERT INTO weather_data VALUES (102,'Seattle','WA',-15,90)"; - String insertData3 = 
"INSERT INTO weather_data VALUES (103,'New York','NY',-10,110)"; - String insertData4 = "INSERT INTO weather_data VALUES (104,'Houston','TX',20,120)"; - String insertData5 = "INSERT INTO weather_data VALUES (10001,'Camp David','MD',-10,100)"; - String insertData6 = "INSERT INTO weather_data VALUES (11001,'Ice Station Zebra','NA',-60,30)"; - statement.executeUpdate(insertData1); - statement.executeUpdate(insertData2); - statement.executeUpdate(insertData3); - statement.executeUpdate(insertData4); - statement.executeUpdate(insertData5); - statement.executeUpdate(insertData6); - } - - /** - * Create users with tans - * - * @param connection - * @throws SQLException - */ - private void createTanUserDataTable(Connection connection) throws SQLException { - Statement statement = connection.createStatement(); - - // Delete table if there is one - try { - String dropTable = "DROP TABLE user_data_tan"; - statement.executeUpdate(dropTable); - } catch (SQLException e) { - System.out.println("Info - Could not drop user_data_tan table"); - } - - // Create the new table - try { - String createTableStatement = "CREATE TABLE user_data_tan (" + "userid int not null," - + "first_name varchar(20)," + "last_name varchar(20)," + "cc_number varchar(30)," - + "cc_type varchar(10)," + "cookie varchar(20)," + "login_count int," + "password varchar(20)" - + ")"; - statement.executeUpdate(createTableStatement); - } catch (SQLException e) { - System.out.println("Error creating user_data_tan table " + e.getLocalizedMessage()); - } - - // Populate it - String insertData1 = "INSERT INTO user_data_tan VALUES (101,'Joe','Snow','987654321','VISA',' ',0, 'banana')"; - String insertData2 = "INSERT INTO user_data_tan VALUES (102,'Jane','Plane','74589864','MC',' ',0, 'tarzan')"; - String insertData3 = "INSERT INTO user_data_tan VALUES (103,'Jack','Sparrow','68659365','MC',' ',0, 'sniffy')"; - - statement.executeUpdate(insertData1); - statement.executeUpdate(insertData2); - 
statement.executeUpdate(insertData3); - } - - /** - * Create the Table for the tans - * - * @param connection - * @throws SQLException - */ - private void createTanTable(Connection connection) throws SQLException { - Statement statement = connection.createStatement(); - - // Delete table if there is one - try { - String dropTable = "DROP TABLE tan"; - statement.executeUpdate(dropTable); - } catch (SQLException e) { - System.out.println("Info - Could not drop tan table"); - } - - // Create the new table - try { - String createTableStatement = "CREATE TABLE tan (" + "userid int not null," + "tanNr int," + "tanValue int" - + ")"; - statement.executeUpdate(createTableStatement); - } catch (SQLException e) { - System.out.println("Error creating tan table " + e.getLocalizedMessage()); - } - - // Populate it - String insertData1 = "INSERT INTO tan VALUES (101,1,15161)"; - String insertData2 = "INSERT INTO tan VALUES (101,2,4894)"; - String insertData3 = "INSERT INTO tan VALUES (101,3,18794)"; - String insertData4 = "INSERT INTO tan VALUES (101,4,1564)"; - String insertData5 = "INSERT INTO tan VALUES (101,5,45751)"; - - String insertData6 = "INSERT INTO tan VALUES (102,1,15648)"; - String insertData7 = "INSERT INTO tan VALUES (102,2,92156)"; - String insertData8 = "INSERT INTO tan VALUES (102,3,4879)"; - String insertData9 = "INSERT INTO tan VALUES (102,4,9458)"; - String insertData10 = "INSERT INTO tan VALUES (102,5,4879)"; - - statement.executeUpdate(insertData1); - statement.executeUpdate(insertData2); - statement.executeUpdate(insertData3); - statement.executeUpdate(insertData4); - statement.executeUpdate(insertData5); - statement.executeUpdate(insertData6); - statement.executeUpdate(insertData7); - statement.executeUpdate(insertData8); - statement.executeUpdate(insertData9); - statement.executeUpdate(insertData10); - - } - - // -------------------------------------------------------------------------- - // 
-------------------------------------------------------------------------- - // - // The tables below are for WebGoat Financials - // - // DO NOT MODIFY THESE TABLES - unless you change the org chart - // and access control matrix documents - // - // -------------------------------------------------------------------------- - // -------------------------------------------------------------------------- - - private void createEmployeeTable(Connection connection) throws SQLException { - Statement statement = connection.createStatement(); - - try { - String dropTable = "DROP TABLE employee"; - statement.executeUpdate(dropTable); - } catch (SQLException e) { - System.out.println("Info - Could not drop employee table"); - } - - // Create Table - try { - String createTable = "CREATE TABLE employee (" - // + "userid INT GENERATED ALWAYS AS IDENTITY PRIMARY KEY," - + "userid INT NOT NULL PRIMARY KEY," + "first_name VARCHAR(20)," + "last_name VARCHAR(20)," - + "ssn VARCHAR(12)," + "password VARCHAR(10)," + "title VARCHAR(20)," + "phone VARCHAR(13)," - + "address1 VARCHAR(80)," + "address2 VARCHAR(80)," + "manager INT," + "start_date CHAR(8)," - + "salary INT," + "ccn VARCHAR(30)," + "ccn_limit INT," + "email VARCHAR(30)," // reason - // for the recent write-up - + "disciplined_date CHAR(8)," // date of write up, NA otherwise - + "disciplined_notes VARCHAR(60)," // reason for the recent write-up - + "personal_description VARCHAR(60)" // We can be rude here - // + ",CONSTRAINT fl UNIQUE NONCLUSTERED (first_name, last_name)" - + ")"; - - statement.executeUpdate(createTable); - } catch (SQLException e) { - System.out.println("Error: unable to create employee table " + e.getLocalizedMessage()); - } - - String insertData1 = "INSERT INTO employee VALUES (101, 'Larry', 'Stooge', '386-09-5451', 'larry'," - + "'Technician','443-689-0192','9175 Guilford Rd','New York, NY', 102, 01012000,55000,'2578546969853547'," - + "5000,'larry@stooges.com',010106,'Constantly harassing 
coworkers','Does not work well with others')"; - - String insertData2 = "INSERT INTO employee VALUES (102, 'Moe', 'Stooge', '936-18-4524','moe'," - + "'CSO','443-938-5301', '3013 AMD Ave', 'New York, NY', 112, 03082003, 140000, 'NA', 0, 'moe@stooges.com', 0101013, " - + "'Hit Curly over head', 'Very dominating over Larry and Curly')"; - - String insertData3 = "INSERT INTO employee VALUES (103, 'Curly', 'Stooge', '961-08-0047','curly'," - + "'Technician','410-667-6654', '1112 Crusoe Lane', 'New York, NY', 102, 02122001, 50000, 'NA', 0, 'curly@stooges.com', 0101014, " - + "'Hit Moe back', 'Owes three-thousand to company for fradulent purchases')"; - - String insertData4 = "INSERT INTO employee VALUES (104, 'Eric', 'Walker', '445-66-5565','eric'," - + "'Engineer','410-887-1193', '1160 Prescott Rd', 'New York, NY', 107, 12152005, 13000, 'NA', 0, 'eric@modelsrus.com',0101013, " - + "'Bothering Larry about webgoat problems', 'Late. Always needs help. Too intern-ish.')"; - - String insertData5 = "INSERT INTO employee VALUES (105, 'Tom', 'Cat', '792-14-6364','tom'," - + "'Engineer','443-599-0762', '2211 HyperThread Rd.', 'New York, NY', 106, 01011999, 80000, '5481360857968521', 30000, 'tom@wb.com', 0, " - + "'NA', 'Co-Owner.')"; - - String insertData6 = "INSERT INTO employee VALUES (106, 'Jerry', 'Mouse', '858-55-4452','jerry'," - + "'Human Resources','443-699-3366', '3011 Unix Drive', 'New York, NY', 102, 01011999, 70000, '6981754825013564', 20000, 'jerry@wb.com', 0, " - + "'NA', 'Co-Owner.')"; - - String insertData7 = "INSERT INTO employee VALUES (107, 'David', 'Giambi', '439-20-9405','david'," - + "'Human Resources','610-521-8413', '5132 DIMM Avenue', 'New York, NY', 102, 05011999, 100000, '6981754825018101', 10000, 'david@modelsrus.com', 061402, " - + "'Hacked into accounting server. Modified personal pay.', 'Strong work habbit. 
Questionable ethics.')"; - - String insertData8 = "INSERT INTO employee VALUES (108, 'Bruce', 'McGuirre', '707-95-9482','bruce'," - + "'Engineer','610-282-1103', '8899 FreeBSD Drive ', 'New York, NY', 107, 03012000, 110000, '6981754825854136', 30000, 'bruce@modelsrus.com', 061502, " - + "'Tortuous Boot Camp workout at 5am. Employees felt sick.', 'Enjoys watching others struggle in exercises.')"; - - String insertData9 = "INSERT INTO employee VALUES (109, 'Sean', 'Livingston', '136-55-1046','sean'," - + "'Engineer','610-878-9549', '6422 dFlyBSD Road', 'New York, NY', 107, 06012003, 130000, '6981754825014510', 5000, 'sean@modelsrus.com', 072804, " - + "'Late to work 30 days in row due to excessive Halo 2', 'Has some fascination with Steelers. Go Ravens.')"; - - String insertData10 = "INSERT INTO employee VALUES (110, 'Joanne', 'McDougal', '789-54-2413','joanne'," - + "'Human Resources','610-213-6341', '5567 Broadband Lane', 'New York, NY', 106, 01012001, 90000, '6981754825081054', 300, 'joanne@modelsrus.com', 112005, " - + "'Used company cc to purchase new car. 
Limit adjusted.', 'Finds it necessary to leave early every day.')"; - - String insertData11 = "INSERT INTO employee VALUES (111, 'John', 'Wayne', '129-69-4572', 'john'," - + "'CTO','610-213-1134', '129 Third St', 'New York, NY', 112, 01012001, 200000, '4437334565679921', 300, 'john@guns.com', 112005, " - + "'', '')"; - String insertData12 = "INSERT INTO employee VALUES (112, 'Neville', 'Bartholomew', '111-111-1111', 'socks'," - + "'CEO','408-587-0024', '1 Corporate Headquarters', 'San Jose, CA', 112, 03012000, 450000, '4803389267684109', 300000, 'neville@modelsrus.com', 112005, " - + "'', '')"; - - statement.executeUpdate(insertData1); - statement.executeUpdate(insertData2); - statement.executeUpdate(insertData3); - statement.executeUpdate(insertData4); - statement.executeUpdate(insertData5); - statement.executeUpdate(insertData6); - statement.executeUpdate(insertData7); - statement.executeUpdate(insertData8); - statement.executeUpdate(insertData9); - statement.executeUpdate(insertData10); - statement.executeUpdate(insertData11); - statement.executeUpdate(insertData12); - - } - - private void createRolesTable(Connection connection) throws SQLException { - Statement statement = connection.createStatement(); - - try { - String dropTable = "DROP TABLE roles"; - statement.executeUpdate(dropTable); - } catch (SQLException e) { - System.out.println("Info - Could not drop roles table"); - } - - try { - String createTable = "CREATE TABLE roles (" + "userid INT NOT NULL," + "role VARCHAR(10) NOT NULL," - + "PRIMARY KEY (userid, role)" + ")"; - - statement.executeUpdate(createTable); - } catch (SQLException e) { - System.out.println("Error: Unable to create role table: " + e.getLocalizedMessage()); - } - - String insertData1 = "INSERT INTO roles VALUES (101, 'employee')"; - String insertData2 = "INSERT INTO roles VALUES (102, 'manager')"; - String insertData3 = "INSERT INTO roles VALUES (103, 'employee')"; - String insertData4 = "INSERT INTO roles VALUES (104, 'employee')"; 
- String insertData5 = "INSERT INTO roles VALUES (105, 'employee')"; - String insertData6 = "INSERT INTO roles VALUES (106, 'hr')"; - String insertData7 = "INSERT INTO roles VALUES (107, 'manager')"; - String insertData8 = "INSERT INTO roles VALUES (108, 'employee')"; - String insertData9 = "INSERT INTO roles VALUES (109, 'employee')"; - String insertData10 = "INSERT INTO roles VALUES (110, 'hr')"; - String insertData11 = "INSERT INTO roles VALUES (111, 'admin')"; - String insertData12 = "INSERT INTO roles VALUES (112, 'admin')"; - - statement.executeUpdate(insertData1); - statement.executeUpdate(insertData2); - statement.executeUpdate(insertData3); - statement.executeUpdate(insertData4); - statement.executeUpdate(insertData5); - statement.executeUpdate(insertData6); - statement.executeUpdate(insertData7); - statement.executeUpdate(insertData8); - statement.executeUpdate(insertData9); - statement.executeUpdate(insertData10); - statement.executeUpdate(insertData11); - statement.executeUpdate(insertData12); - } - - private void createAuthTable(Connection connection) throws SQLException { - Statement statement = connection.createStatement(); - - try { - String dropTable = "DROP TABLE auth"; - statement.executeUpdate(dropTable); - } catch (SQLException e) { - System.out.println("Info - Could not drop auth table"); - } - - try { - String createTable = "CREATE TABLE auth (" + "role VARCHAR(10) NOT NULL," - + "functionid VARCHAR(20) NOT NULL," + "PRIMARY KEY (role, functionid)" + ")"; - - statement.executeUpdate(createTable); - } catch (SQLException e) { - System.out.println("Error: unable to create auth table: " + e.getLocalizedMessage()); - } - - String insertData1 = "INSERT INTO auth VALUES('employee', 'Logout')"; - String insertData2 = "INSERT INTO auth VALUES('employee', 'ListStaff')"; - String insertData3 = "INSERT INTO auth VALUES('employee', 'ViewProfile')"; - String insertData4 = "INSERT INTO auth VALUES('employee', 'EditProfile')"; - String insertData4_1 = 
"INSERT INTO auth VALUES('employee', 'SearchStaff')"; - String insertData4_2 = "INSERT INTO auth VALUES('employee', 'FindProfile')"; - String insertData5 = "INSERT INTO auth VALUES('manager', 'Logout')"; - String insertData6 = "INSERT INTO auth VALUES('manager', 'ListStaff')"; - String insertData7 = "INSERT INTO auth VALUES('manager', 'ViewProfile')"; - String insertData7_1 = "INSERT INTO auth VALUES('manager', 'SearchStaff')"; - String insertData7_2 = "INSERT INTO auth VALUES('manager', 'FindProfile')"; - // String insertData8 = "INSERT INTO auth VALUES('manager', 'EditProfile')"; - // String insertData9 = "INSERT INTO auth VALUES('manager', 'CreateProfile')"; - // String insertData10 = "INSERT INTO auth VALUES('manager', 'DeleteProfile')"; - // String insertData11 = "INSERT INTO auth VALUES('manager', 'UpdateProfile')"; - String insertData12 = "INSERT INTO auth VALUES('hr', 'Logout')"; - String insertData13 = "INSERT INTO auth VALUES('hr', 'ListStaff')"; - String insertData14 = "INSERT INTO auth VALUES('hr', 'ViewProfile')"; - String insertData15 = "INSERT INTO auth VALUES('hr', 'EditProfile')"; - String insertData16 = "INSERT INTO auth VALUES('hr', 'CreateProfile')"; - String insertData17 = "INSERT INTO auth VALUES('hr', 'DeleteProfile')"; - String insertData18 = "INSERT INTO auth VALUES('hr', 'UpdateProfile')"; - String insertData18_1 = "INSERT INTO auth VALUES('hr', 'SearchStaff')"; - String insertData18_2 = "INSERT INTO auth VALUES('hr', 'FindProfile')"; - String insertData19 = "INSERT INTO auth VALUES('admin', 'Logout')"; - String insertData20 = "INSERT INTO auth VALUES('admin', 'ListStaff')"; - String insertData21 = "INSERT INTO auth VALUES('admin', 'ViewProfile')"; - String insertData22 = "INSERT INTO auth VALUES('admin', 'EditProfile')"; - String insertData23 = "INSERT INTO auth VALUES('admin', 'CreateProfile')"; - String insertData24 = "INSERT INTO auth VALUES('admin', 'DeleteProfile')"; - String insertData25 = "INSERT INTO auth VALUES('admin', 
'UpdateProfile')"; - String insertData25_1 = "INSERT INTO auth VALUES('admin', 'SearchStaff')"; - String insertData25_2 = "INSERT INTO auth VALUES('admin', 'FindProfile')"; - -// // Add a permission for the webgoat role to see the source. -// // The challenge(s) will change the default role to "challenge" -// String insertData26 = "INSERT INTO auth VALUES('" + AbstractLesson.USER_ROLE + "','" + WebSession.SHOWSOURCE -// + "')"; -// String insertData27 = "INSERT INTO auth VALUES('" + AbstractLesson.USER_ROLE + "','" + WebSession.SHOWHINTS -// + "')"; - // Add a permission for the webgoat role to see the solution. - // The challenge(s) will change the default role to "challenge" -// String insertData28 = "INSERT INTO auth VALUES('" + AbstractLesson.USER_ROLE + "','" + WebSession.SHOWSOLUTION -// + "')"; - - statement.executeUpdate(insertData1); - statement.executeUpdate(insertData2); - statement.executeUpdate(insertData3); - statement.executeUpdate(insertData4); - statement.executeUpdate(insertData4_1); - statement.executeUpdate(insertData4_2); - statement.executeUpdate(insertData5); - statement.executeUpdate(insertData6); - statement.executeUpdate(insertData7); - statement.executeUpdate(insertData7_1); - statement.executeUpdate(insertData7_2); - // statement.executeUpdate(insertData8); - // statement.executeUpdate(insertData9); - // statement.executeUpdate(insertData10); - // statement.executeUpdate(insertData11); - statement.executeUpdate(insertData12); - statement.executeUpdate(insertData13); - statement.executeUpdate(insertData14); - statement.executeUpdate(insertData15); - statement.executeUpdate(insertData16); - statement.executeUpdate(insertData17); - statement.executeUpdate(insertData18); - statement.executeUpdate(insertData18_1); - statement.executeUpdate(insertData18_2); - statement.executeUpdate(insertData19); - statement.executeUpdate(insertData20); - statement.executeUpdate(insertData21); - statement.executeUpdate(insertData22); - 
statement.executeUpdate(insertData23); - statement.executeUpdate(insertData24); - statement.executeUpdate(insertData25); - statement.executeUpdate(insertData25_1); - statement.executeUpdate(insertData25_2); - //statement.executeUpdate(insertData26); - //statement.executeUpdate(insertData27); - //statement.executeUpdate(insertData28); - } - - private void createOwnershipTable(Connection connection) throws SQLException { - Statement statement = connection.createStatement(); - - try { - String dropTable = "DROP TABLE ownership"; - statement.executeUpdate(dropTable); - } catch (SQLException e) { - System.out.println("Info - Could not drop ownership table"); - } - - try { - String createTable = "CREATE TABLE ownership (" + "employer_id INT NOT NULL," + "employee_id INT NOT NULL," - + "PRIMARY KEY (employee_id, employer_id)" + ")"; - - statement.executeUpdate(createTable); - } catch (SQLException e) { - System.out.println("Error: unable to create ownership table: " + e.getLocalizedMessage()); - } - - String inputData = "INSERT INTO ownership VALUES (112, 101)"; - statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (112, 102)"; - statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (112, 103)"; - statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (112, 104)"; - statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (112, 105)"; - statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (112, 106)"; - statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (112, 107)"; - statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (112, 108)"; - statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (112, 109)"; - statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (112, 110)"; - statement.executeUpdate(inputData); - inputData = "INSERT INTO 
ownership VALUES (112, 111)"; - statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (112, 112)"; - statement.executeUpdate(inputData); - - inputData = "INSERT INTO ownership VALUES (102, 101)"; - statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (102, 102)"; - statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (102, 103)"; - statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (102, 104)"; - statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (102, 105)"; - statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (102, 106)"; - statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (102, 107)"; - statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (102, 108)"; - statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (102, 109)"; - statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (102, 110)"; - statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (102, 111)"; - statement.executeUpdate(inputData); - - inputData = "INSERT INTO ownership VALUES (111, 101)"; - statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (111, 102)"; - statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (111, 103)"; - statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (111, 104)"; - statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (111, 105)"; - statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (111, 106)"; - statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (111, 107)"; - statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (111, 108)"; - statement.executeUpdate(inputData); - inputData = "INSERT INTO 
ownership VALUES (111, 109)"; - statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (111, 110)"; - statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (111, 111)"; - statement.executeUpdate(inputData); - - inputData = "INSERT INTO ownership VALUES (106, 105)"; - statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (106, 106)"; - statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (106, 110)"; - statement.executeUpdate(inputData); - - inputData = "INSERT INTO ownership VALUES (101, 101)"; - statement.executeUpdate(inputData); - - inputData = "INSERT INTO ownership VALUES (103, 103)"; - statement.executeUpdate(inputData); - - inputData = "INSERT INTO ownership VALUES (107, 104)"; - statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (107, 108)"; - statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (107, 109)"; - statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (107, 107)"; - statement.executeUpdate(inputData); - - inputData = "INSERT INTO ownership VALUES (105, 105)"; - statement.executeUpdate(inputData); - - inputData = "INSERT INTO ownership VALUES (110, 110)"; - statement.executeUpdate(inputData); - - inputData = "INSERT INTO ownership VALUES (104, 104)"; - statement.executeUpdate(inputData); - - inputData = "INSERT INTO ownership VALUES (108, 108)"; - statement.executeUpdate(inputData); - - inputData = "INSERT INTO ownership VALUES (109, 109)"; - statement.executeUpdate(inputData); - - } - - // -------------------------------------------------------------------------- - // - // End of WebGoat Financials - // - // -------------------------------------------------------------------------- - - /** - * Start creation of data for WebServices labs - */ - - private void createTransactionTable(Connection connection) throws SQLException { - Statement statement = 
connection.createStatement(); - - try { - String dropTable = "DROP TABLE transactions"; - statement.executeUpdate(dropTable); - } catch (SQLException e) { - System.out.println("Info - Could not drop transactions table"); - } - - try { - String createTable = "CREATE TABLE Transactions (" + "userName VARCHAR(16) NOT NULL, " - + "sequence INTEGER NOT NULL, " + "from_account VARCHAR(16) NOT NULL, " - + "to_account VARCHAR(16) NOT NULL, " + "transactionDate TIMESTAMP NOT NULL, " - + "description VARCHAR(255) NOT NULL, " + "amount INTEGER NOT NULL" + ")"; - - statement.executeUpdate(createTable); - } catch (SQLException e) { - System.out.println("Error: unable to create transactions table: " + e.getLocalizedMessage()); - throw e; - } - - String[] data = new String[]{ - "'dave', 0, '238-4723-4024', '324-7635-9867', '2008-02-06 21:40:00', 'Mortgage', '150'", - "'dave', 1, '238-4723-4024', '324-7635-9867', '2008-02-12 21:41:00', 'Car', '150'", - "'dave', 2, '238-4723-4024', '324-7635-9867', '2008-02-20 21:42:00', 'School fees', '150'", - "'CEO', 3, '348-6324-9872', '345-3490-8345', '2008-02-15 21:40:00', 'Rolls Royce', '-150000'", - "'CEO', 4, '348-6324-9872', '342-5893-4503', '2008-02-25 21:41:00', 'Mansion', '-150000'", - "'CEO', 5, '348-6324-9872', '980-2344-5492', '2008-02-27 21:42:00', 'Vacation', '-150000'", - "'jeff', 6, '934-2002-3485', '783-2409-8234', '2008-02-01 21:40:00', 'Vet', '250'", - "'jeff', 7, '934-2002-3485', '634-5879-0345', '2008-02-19 21:41:00', 'Doctor', '800'", - "'jeff', 8, '934-2002-3485', '435-4325-3358', '2008-02-20 21:42:00', 'X-rays', '200'",}; - try { - for (int i = 0; i < data.length; i++) { - statement.executeUpdate("INSERT INTO Transactions VALUES (" + data[i] + ");"); - } - } catch (SQLException sqle) { - System.out.println("Error: Unable to insert transactions: " + sqle.getLocalizedMessage()); - int errorCode = sqle.getErrorCode(); - System.out.println("Error Code: " + errorCode); - // ignore exceptions for Oracle and SQL Server - if 
(errorCode != 911 && errorCode != 273) { - throw sqle; - } - } - } - - /** - * Creates the table used in SQL-Injections (introduction) - */ - private void createEmployeesTable(Connection connection) throws SQLException { - Statement statement = connection.createStatement(); - - // Drop employees and access_log tables - try { - statement.executeUpdate("DROP TABLE employees"); - } catch (SQLException e) { - System.out.println("Info - Could not drop employees table"); - } - try { - statement.executeUpdate("DROP TABLE access_log"); - } catch (SQLException e) { - System.out.println("Info - Could not drop access_log table"); - } - - // Create the employees table - try { - String createTableStatement = "CREATE TABLE employees (" - + "userid varchar(6) not null primary key," - + "first_name varchar(20)," - + "last_name varchar(20)," - + "department varchar(20)," - + "salary int," - + "auth_tan varchar(6)" - + ")"; - statement.executeUpdate(createTableStatement); - } catch (SQLException e) { - System.out.println("Error creating employees table " + e.getLocalizedMessage()); - } - - // Populate - String insertData1 = "INSERT INTO employees VALUES ('32147','Paulina', 'Travers', 'Accounting', 46000, 'P45JSI')"; - String insertData2 = "INSERT INTO employees VALUES ('89762','Tobi', 'Barnett', 'Development', 77000, 'TA9LL1')"; - String insertData3 = "INSERT INTO employees VALUES ('96134','Bob', 'Franco', 'Marketing', 83700, 'LO9S2V')"; - String insertData4 = "INSERT INTO employees VALUES ('34477','Abraham ', 'Holman', 'Development', 50000, 'UU2ALK')"; - String insertData5 = "INSERT INTO employees VALUES ('37648','John', 'Smith', 'Marketing', 64350, '3SL99A')"; - statement.executeUpdate(insertData1); - statement.executeUpdate(insertData2); - statement.executeUpdate(insertData3); - statement.executeUpdate(insertData4); - statement.executeUpdate(insertData5); - - // Create the logging table - try { - String createTableStatement = "CREATE TABLE access_log (" - + "id int not null 
primary key identity," - + "time varchar(50)," - + "action varchar(200)" - + ")"; - statement.executeUpdate(createTableStatement); - } catch (SQLException e) { - System.out.println("Error creating access_log table " + e.getLocalizedMessage()); - } - } - - /** - * Description of the Method - * - * @param connection Description of the Parameter - * @throws SQLException Description of the Exception - * @throws java.sql.SQLException if any. - */ - public void makeDB(Connection connection) throws SQLException { - System.out.println("Successful connection to database"); - createServersTable(connection); - createUserDataTable(connection); - createLoginTable(connection); - createBlindSQLLessonTable(connection); - createUserAdminTable(connection); - createProductTable(connection); - createMessageTable(connection); - createEmployeeTable(connection); - createRolesTable(connection); - createAuthTable(connection); - createOwnershipTable(connection); - createWeatherDataTable(connection); - createTransactionTable(connection); - createTanUserDataTable(connection); - createTanTable(connection); - createMFEImagesTable(connection); - createModifyWithSQLLessonTable(connection); - createJWTKeys(connection); - createEmployeesTable(connection); - System.out.println("Success: creating tables."); - } -} diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/session/DatabaseUtilities.java b/webgoat-container/src/main/java/org/owasp/webgoat/session/DatabaseUtilities.java deleted file mode 100644 index 1d015ff3d..000000000 --- a/webgoat-container/src/main/java/org/owasp/webgoat/session/DatabaseUtilities.java +++ /dev/null 
@@ -1,129 +0,0 @@ - -package org.owasp.webgoat.session; - -import java.sql.Connection; -import java.sql.DriverManager; -import java.sql.SQLException; -import java.util.HashMap; -import java.util.Map; - - -/** - ************************************************************************************************* - * - * - * This file is part of WebGoat, an Open Web Application Security Project utility. For details, - * please see http://www.owasp.org/ - * - * Copyright (c) 2002 - 20014 Bruce Mayhew - * - * This program is free software; you can redistribute it and/or modify it under the terms of the - * GNU General Public License as published by the Free Software Foundation; either version 2 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without - * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - * General Public License for more details. - * - * You should have received a copy of the GNU General Public License along with this program; if - * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA - * 02111-1307, USA. - * - * Getting Source ============== - * - * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software - * projects. - * - * @author Jeff Williams Aspect Security - * @version $Id: $Id - */ -//TODO: class we need to refactor to new structure, we can put the connection in the current session of the user - // start using jdbc template -public class DatabaseUtilities -{ - - private static Map connections = new HashMap(); - private static Map dbBuilt = new HashMap(); - - /** - *

getConnection.

- * - * @param s a {@link org.owasp.webgoat.session.WebSession} object. - * @return a {@link java.sql.Connection} object. - * @throws java.sql.SQLException if any. - */ - public static Connection getConnection(WebSession s) throws SQLException - { - return getConnection(s.getUserName(), s.getWebgoatContext()); - } - - /** - *

getConnection.

- * - * @param user a {@link java.lang.String} object. - * @param context a {@link org.owasp.webgoat.session.WebgoatContext} object. - * @return a {@link java.sql.Connection} object. - * @throws java.sql.SQLException if any. - */ - public static synchronized Connection getConnection(String user, WebgoatContext context) throws SQLException - { - Connection conn = connections.get(user); - if (conn != null && !conn.isClosed()) return conn; - conn = makeConnection(user, context); - connections.put(user, conn); - - if (dbBuilt.get(user) == null) - { - new CreateDB().makeDB(conn); - dbBuilt.put(user, Boolean.TRUE); - } - - return conn; - } - - /** - *

returnConnection.

- * - * @param user a {@link java.lang.String} object. - */ - public static synchronized void returnConnection(String user) - { - try - { - Connection connection = connections.get(user); - if (connection == null || connection.isClosed()) return; - - if (connection.getMetaData().getDatabaseProductName().toLowerCase().contains("oracle")) connection.close(); - } catch (SQLException sqle) - { - sqle.printStackTrace(); - } - } - - private static Connection makeConnection(String user, WebgoatContext context) throws SQLException - { - try - { - Class.forName(context.getDatabaseDriver()); - - if (context.getDatabaseConnectionString().contains("hsqldb")) return getHsqldbConnection(user, context); - - String userPrefix = context.getDatabaseUser(); - String password = context.getDatabasePassword(); - String url = context.getDatabaseConnectionString(); - return DriverManager.getConnection(url, userPrefix + "_" + user, password); - } catch (ClassNotFoundException cnfe) - { - cnfe.printStackTrace(); - throw new SQLException("Couldn't load the database driver: " + cnfe.getLocalizedMessage()); - } - } - - private static Connection getHsqldbConnection(String user, WebgoatContext context) throws ClassNotFoundException, - SQLException - { - String url = context.getDatabaseConnectionString().replace("{USER}", user); - return DriverManager.getConnection(url, "sa", ""); - } - -} diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/session/WebSession.java b/webgoat-container/src/main/java/org/owasp/webgoat/session/WebSession.java index 667dee5ce..f59bdbaf5 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/session/WebSession.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/session/WebSession.java 
@@ -41,39 +41,12 @@ public class WebSession implements Serializable { private static final long serialVersionUID = -4270066103101711560L; private final WebGoatUser currentUser; - private final WebgoatContext webgoatContext; private Lesson currentLesson; - /** - * Constructor for the WebSession object - * - * @param webgoatContext a {@link org.owasp.webgoat.session.WebgoatContext} object. - */ - public WebSession(WebgoatContext webgoatContext) { - this.webgoatContext = webgoatContext; + public WebSession() { this.currentUser = (WebGoatUser) SecurityContextHolder.getContext().getAuthentication().getPrincipal(); } - /** - *

getConnection.

- * - * @param s a {@link org.owasp.webgoat.session.WebSession} object. - * @return a {@link java.sql.Connection} object. - * @throws java.sql.SQLException if any. - */ - public static synchronized Connection getConnection(WebSession s) throws SQLException { - return DatabaseUtilities.getConnection(s); - } - - /** - *

returnConnection.

- * - * @param s a {@link org.owasp.webgoat.session.WebSession} object. - */ - public static void returnConnection(WebSession s) { - DatabaseUtilities.returnConnection(s.getUserName()); - } - /** *

Setter for the field currentScreen.

* @@ -100,13 +73,4 @@ public class WebSession implements Serializable { public String getUserName() { return currentUser.getUsername(); } - - /** - *
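Review bot: The new no-arg constructor `public WebSession()` still dereferences `SecurityContextHolder.getContext().getAuthentication()` unconditionally in the unchanged body line, so a WebSession built outside an authenticated request now fails with a NullPointerException instead of a clear error; consider `Authentication auth = SecurityContextHolder.getContext().getAuthentication();` followed by `if (auth == null) throw new IllegalStateException("WebSession requires an authenticated user");` and `this.currentUser = (WebGoatUser) auth.getPrincipal();`. The constructor this replaces carried Javadoc and the new one has none; a one-line `/** Builds a session bound to the principal held in the current SecurityContext. */` would keep the class's documentation style. The class body continues past this hunk.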

Getter for the field webgoatContext.

- * - * @return a {@link org.owasp.webgoat.session.WebgoatContext} object. - */ - public WebgoatContext getWebgoatContext() { - return webgoatContext; - } } diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/session/WebgoatContext.java b/webgoat-container/src/main/java/org/owasp/webgoat/session/WebgoatContext.java deleted file mode 100644 index c2e0c7e12..000000000 --- a/webgoat-container/src/main/java/org/owasp/webgoat/session/WebgoatContext.java +++ /dev/null @@ -1,187 +0,0 @@ -package org.owasp.webgoat.session; - -import org.springframework.beans.factory.annotation.Value; -import org.springframework.context.annotation.Configuration; - -/** - *

WebgoatContext class.

- * - * @version $Id: $Id - * @author dm - */ -@Configuration -public class WebgoatContext { - - @Value("${webgoat.database.connection.string}") - private String databaseConnectionString; - - private String realConnectionString = null; - - @Value("${webgoat.database.driver}") - private String databaseDriver; - - private String databaseUser; - - private String databasePassword; - - private boolean showCookies = false; - - private boolean showParams = false; - - private boolean showRequest = false; - - private boolean showSource = false; - - private boolean showSolution = false; - - private boolean enterprise = false; - - private boolean codingExercises = false; - - @Value("${webgoat.feedback.address}") - private String feedbackAddress; - - @Value("${webgoat.feedback.address.html}") - private String feedbackAddressHTML = ""; - - private boolean isDebug = false; - - @Value("${webgoat.default.language}") - private String defaultLanguage; - - /** - * returns the connection string with the real path to the database - * directory inserted at the word PATH - * - * @return The databaseConnectionString value - */ - public String getDatabaseConnectionString() { - return this.databaseConnectionString; - } - - /** - * Gets the databaseDriver attribute of the WebSession object - * - * @return The databaseDriver value - */ - public String getDatabaseDriver() { - return (databaseDriver); - } - - /** - * Gets the databaseUser attribute of the WebSession object - * - * @return The databaseUser value - */ - public String getDatabaseUser() { - return (databaseUser); - } - - /** - * Gets the databasePassword attribute of the WebSession object - * - * @return The databasePassword value - */ - public String getDatabasePassword() { - return (databasePassword); - } - - /** - *

isEnterprise.

- * - * @return a boolean. - */ - public boolean isEnterprise() { - return enterprise; - } - - /** - *

isCodingExercises.

- * - * @return a boolean. - */ - public boolean isCodingExercises() { - return codingExercises; - } - - /** - *

Getter for the field feedbackAddress.

- * - * @return a {@link java.lang.String} object. - */ - public String getFeedbackAddress() { - return feedbackAddress; - } - - /** - *

Getter for the field feedbackAddressHTML.

- * - * @return a {@link java.lang.String} object. - */ - public String getFeedbackAddressHTML() { - return feedbackAddressHTML; - } - - /** - *

isDebug.

- * - * @return a boolean. - */ - public boolean isDebug() { - return isDebug; - } - - /** - *

isShowCookies.

- * - * @return a boolean. - */ - public boolean isShowCookies() { - return showCookies; - } - - /** - *

isShowParams.

- * - * @return a boolean. - */ - public boolean isShowParams() { - return showParams; - } - - /** - *

isShowRequest.

- * - * @return a boolean. - */ - public boolean isShowRequest() { - return showRequest; - } - - /** - *

isShowSource.

- * - * @return a boolean. - */ - public boolean isShowSource() { - return showSource; - } - - /** - *

isShowSolution.

- * - * @return a boolean. - */ - public boolean isShowSolution() { - return showSolution; - } - - /** - *

Getter for the field defaultLanguage.

- * - * @return a {@link java.lang.String} object. - */ - public String getDefaultLanguage() { - return defaultLanguage; - } -} diff --git a/webgoat-container/src/main/resources/application-webgoat.properties b/webgoat-container/src/main/resources/application-webgoat.properties index 7fb0ab26d..4e68521e3 100644 --- a/webgoat-container/src/main/resources/application-webgoat.properties +++ b/webgoat-container/src/main/resources/application-webgoat.properties @@ -1,6 +1,5 @@ server.error.include-stacktrace=always server.error.path=/error.html -server.session.timeout=600 server.servlet.context-path=/WebGoat server.port=${WEBGOAT_PORT:8080} server.address=${WEBGOAT_HOST:127.0.0.1} @@ -10,13 +9,12 @@ server.ssl.key-store=${WEBGOAT_KEYSTORE:classpath:goatkeystore.pkcs12} server.ssl.key-store-password=${WEBGOAT_KEYSTORE_PASSWORD:password} server.ssl.key-alias=${WEBGOAT_KEY_ALIAS:goat} server.ssl.enabled=${WEBGOAT_SSLENABLED:false} -security.require-ssl=${WEBGOAT_SSLENABLED:false} hsqldb.port=${WEBGOAT_HSQLPORT:9001} spring.datasource.url=jdbc:hsqldb:hsql://${server.address}:${hsqldb.port}/webgoat -spring.jpa.hibernate.ddl-auto=update spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.HSQLDialect spring.datasource.driver-class-name=org.hsqldb.jdbc.JDBCDriver +spring.jpa.properties.hibernate.default_schema=CONTAINER logging.level.org.thymeleaf=INFO logging.level.org.thymeleaf.TemplateEngine.CONFIG=INFO @@ -38,7 +36,6 @@ webgoat.email=webgoat@owasp.org webgoat.emaillist=owasp-webgoat@lists.owasp.org webgoat.feedback.address=webgoat@owasp.org webgoat.feedback.address.html=webgoat@owasp.org -webgoat.database.driver=org.hsqldb.jdbcDriver webgoat.database.connection.string=jdbc:hsqldb:mem:{USER} webgoat.default.language=en diff --git a/webgoat-container/src/main/resources/db/container/V1__init.sql b/webgoat-container/src/main/resources/db/container/V1__init.sql new file mode 100644 index 000000000..176eef387 --- /dev/null 
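Review bot: `webgoat.database.connection.string=jdbc:hsqldb:mem:{USER}` survives the third hunk although its only visible reader, the `@Value("${webgoat.database.connection.string}")` field of WebgoatContext, is deleted by this same commit; unless another consumer exists outside this diff it is now dead configuration and should be removed together with `webgoat.database.driver`, which this hunk already drops. In the second hunk, removing `spring.jpa.hibernate.ddl-auto=update` hands schema ownership to the Flyway script under `db/container`, which is the right direction, but nothing now checks that the entity mappings and the hand-written `CONTAINER` DDL agree. Adding `spring.jpa.hibernate.ddl-auto=validate` next to `spring.jpa.properties.hibernate.default_schema=CONTAINER` makes Hibernate fail at startup on the first drift instead of at the first query.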
+++ b/webgoat-container/src/main/resources/db/container/V1__init.sql 
@@ -0,0 +1,64 @@
+CREATE SCHEMA CONTAINER;
+
+CREATE SEQUENCE CONTAINER.HIBERNATE_SEQUENCE AS INTEGER START WITH 1;
+
+CREATE TABLE CONTAINER.ASSIGNMENT (
+ ID BIGINT NOT NULL PRIMARY KEY,
+ NAME VARCHAR(255),
+ PATH VARCHAR(255)
+);
+
+CREATE TABLE CONTAINER.LESSON_TRACKER(
+ ID BIGINT NOT NULL PRIMARY KEY,
+ LESSON_NAME VARCHAR(255),
+ NUMBER_OF_ATTEMPTS INTEGER NOT NULL
+);
+
+CREATE TABLE CONTAINER.LESSON_TRACKER_ALL_ASSIGNMENTS(
+ LESSON_TRACKER_ID BIGINT NOT NULL,
+ ALL_ASSIGNMENTS_ID BIGINT NOT NULL,
+ PRIMARY KEY(LESSON_TRACKER_ID,ALL_ASSIGNMENTS_ID),
+ CONSTRAINT FKNHIDKE27BCJHI8C7WJ9QW6Y3Q FOREIGN KEY(ALL_ASSIGNMENTS_ID) REFERENCES CONTAINER.ASSIGNMENT(ID),
+ CONSTRAINT FKBM51QSDJ7N17O2DNATGAMW7D FOREIGN KEY(LESSON_TRACKER_ID) REFERENCES CONTAINER.LESSON_TRACKER(ID),
+ CONSTRAINT UK_SYGJY2S8O8DDGA2K5YHBMUVEA UNIQUE(ALL_ASSIGNMENTS_ID)
+);
+
+CREATE TABLE CONTAINER.LESSON_TRACKER_SOLVED_ASSIGNMENTS(
+ LESSON_TRACKER_ID BIGINT NOT NULL,
+ SOLVED_ASSIGNMENTS_ID BIGINT NOT NULL,
+ PRIMARY KEY(LESSON_TRACKER_ID,SOLVED_ASSIGNMENTS_ID),
+ CONSTRAINT FKPP850U1MG09YKKL2EQGM0TRJK FOREIGN KEY(SOLVED_ASSIGNMENTS_ID) REFERENCES CONTAINER.ASSIGNMENT(ID),
+ CONSTRAINT FKNKRWGA1UHLOQ6732SQXHXXSCR FOREIGN KEY(LESSON_TRACKER_ID) REFERENCES CONTAINER.LESSON_TRACKER(ID),
+ CONSTRAINT UK_9WFYDUY3TVE1XD05LWOUEG0C1 UNIQUE(SOLVED_ASSIGNMENTS_ID)
+);
+
+CREATE TABLE CONTAINER.USER_TRACKER(
+ ID BIGINT NOT NULL PRIMARY KEY,
+ USERNAME VARCHAR(255)
+);
+
+CREATE TABLE CONTAINER.USER_TRACKER_LESSON_TRACKERS(
+ USER_TRACKER_ID BIGINT NOT NULL,
+ LESSON_TRACKERS_ID BIGINT NOT NULL,
+ PRIMARY KEY(USER_TRACKER_ID,LESSON_TRACKERS_ID),
+ CONSTRAINT FKQJSTCA3YND3OHP35D50PNUH3H FOREIGN KEY(LESSON_TRACKERS_ID) REFERENCES CONTAINER.LESSON_TRACKER(ID),
+ CONSTRAINT FKC9GX8INK7LRC79XC77O2MN9KE FOREIGN KEY(USER_TRACKER_ID) REFERENCES CONTAINER.USER_TRACKER(ID),
+ CONSTRAINT UK_5D8N5I3IC26CVF7DF7N95DOJB UNIQUE(LESSON_TRACKERS_ID)
+);
+
+CREATE TABLE CONTAINER.WEB_GOAT_USER(
+ USERNAME VARCHAR(255) NOT NULL PRIMARY KEY,
+ PASSWORD VARCHAR(255),
+ ROLE VARCHAR(255)
+);
+
+CREATE TABLE CONTAINER.EMAIL(
+ ID BIGINT GENERATED BY DEFAULT AS IDENTITY(START WITH 1) NOT NULL PRIMARY KEY,
+ CONTENTS VARCHAR(1024),
+ RECIPIENT VARCHAR(255),
+ SENDER VARCHAR(255),
+ TIME TIMESTAMP,
+ TITLE VARCHAR(255)
+);
+
+ALTER TABLE CONTAINER.EMAIL ALTER COLUMN ID RESTART WITH 2;
\ No newline at end of file
diff --git a/webgoat-container/src/test/java/org/owasp/webgoat/TestApplication.java b/webgoat-container/src/test/java/org/owasp/webgoat/TestApplication.java
new file mode 100644
index 000000000..79ce22a41
--- /dev/null
+++ b/webgoat-container/src/test/java/org/owasp/webgoat/TestApplication.java
@@ -0,0 +1,27 @@
+package org.owasp.webgoat;
+
+import org.hsqldb.jdbc.JDBCDriver;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
+import org.springframework.context.annotation.Bean;
+import org.springframework.jdbc.datasource.DriverManagerDataSource;
+
+import javax.sql.DataSource;
+import java.sql.DriverManager;
+import java.sql.SQLException;
+
+@SpringBootApplication
+public class TestApplication {
+
+ /**
+ * We define our own datasource, otherwise we end up with Hikari one which for some lessons will
+ * throw an error (feature not supported)
+ */
+ @Bean
+ @ConditionalOnProperty(prefix = "webgoat.start", name = "hsqldb", havingValue = "false")
+ public DataSource dataSource(@Value("${spring.datasource.url}") String url) throws SQLException {
+ DriverManager.registerDriver(new JDBCDriver());
+ return new DriverManagerDataSource(url);
+ }
+}
diff --git a/webgoat-container/src/test/java/org/owasp/webgoat/plugins/LessonTest.java b/webgoat-container/src/test/java/org/owasp/webgoat/plugins/LessonTest.java
index a296f1c74..7716f4806 100644
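Review bot: `CONTAINER.WEB_GOAT_USER` leaves `PASSWORD` and `ROLE` nullable, so the schema accepts an account with no credential and no role; unless an entity-level constraint is deliberately relied on instead, declare both `NOT NULL` and pin the role set with a named check such as `ROLE VARCHAR(255) NOT NULL CONSTRAINT WEB_GOAT_USER_ROLE_CHECK CHECK (ROLE IN (<allowed roles from the user entity>))`. Nothing in the DDL records whether `PASSWORD` holds a hash or the raw value; a one-line comment on the column naming the encoder the application applies would stop the next reader from guessing. In `CONTAINER.EMAIL`, `TIME TIMESTAMP` uses a reserved word as a column name, which HSQLDB appears to accept here but is awkward to port and to quote; if the entity mapping can be adjusted, `SENT_AT` follows the `_at` convention. The script also ends without a trailing newline.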
--- a/webgoat-container/src/test/java/org/owasp/webgoat/plugins/LessonTest.java +++ b/webgoat-container/src/test/java/org/owasp/webgoat/plugins/LessonTest.java @@ -4,7 +4,6 @@ import org.junit.Before; import org.owasp.webgoat.i18n.Language; import org.owasp.webgoat.i18n.PluginMessages; import org.owasp.webgoat.session.WebSession; -import org.owasp.webgoat.session.WebgoatContext; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.boot.test.context.SpringBootTest; import org.springframework.boot.test.mock.mockito.MockBean; @@ -34,8 +33,7 @@ public abstract class LessonTest { protected PluginMessages messages; @MockBean protected WebSession webSession; - @Autowired - private WebgoatContext context; + @MockBean private Language language; @@ -43,7 +41,6 @@ public abstract class LessonTest { public void init() { when(webSession.getUserName()).thenReturn("unit-test"); when(language.getLocale()).thenReturn(Locale.getDefault()); - when(webSession.getWebgoatContext()).thenReturn(context); } } diff --git a/webgoat-container/src/test/java/org/owasp/webgoat/users/UserRepositoryTest.java b/webgoat-container/src/test/java/org/owasp/webgoat/users/UserRepositoryTest.java index 67b4d9bcf..e23594d20 100644 --- a/webgoat-container/src/test/java/org/owasp/webgoat/users/UserRepositoryTest.java +++ b/webgoat-container/src/test/java/org/owasp/webgoat/users/UserRepositoryTest.java @@ -5,10 +5,12 @@ import org.junit.Test; import org.junit.runner.RunWith; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.boot.test.autoconfigure.orm.jpa.DataJpaTest; +import org.springframework.test.context.ActiveProfiles; import org.springframework.test.context.junit4.SpringRunner; @DataJpaTest @RunWith(SpringRunner.class) +@ActiveProfiles({"test", "webgoat"}) public class UserRepositoryTest { @Autowired 
@@ -24,6 +26,4 @@ public class UserRepositoryTest { Assertions.assertThat(user.getUsername()).isEqualTo("test"); Assertions.assertThat(user.getPassword()).isEqualTo("password"); } - - } \ No newline at end of file diff --git a/webgoat-container/src/test/java/org/owasp/webgoat/users/UserTrackerRepositoryTest.java b/webgoat-container/src/test/java/org/owasp/webgoat/users/UserTrackerRepositoryTest.java index 2ebcb61ae..c1d0d36ef 100644 --- a/webgoat-container/src/test/java/org/owasp/webgoat/users/UserTrackerRepositoryTest.java +++ b/webgoat-container/src/test/java/org/owasp/webgoat/users/UserTrackerRepositoryTest.java @@ -9,12 +9,14 @@ import org.owasp.webgoat.lessons.Category; import org.owasp.webgoat.lessons.Lesson; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.boot.test.autoconfigure.orm.jpa.DataJpaTest; +import org.springframework.test.context.ActiveProfiles; import org.springframework.test.context.junit4.SpringRunner; import java.util.List; @DataJpaTest @RunWith(SpringRunner.class) +@ActiveProfiles({"test", "webgoat"}) public class UserTrackerRepositoryTest { private class TestLesson extends Lesson { @@ -44,7 +46,6 @@ public class UserTrackerRepositoryTest { @Autowired private UserTrackerRepository userTrackerRepository; - @Test public void saveUserTracker() { UserTracker userTracker = new UserTracker("test"); diff --git a/webgoat-container/src/test/resources/application-test.properties b/webgoat-container/src/test/resources/application-test.properties index a4e152215..c3f2faec0 100644 --- a/webgoat-container/src/test/resources/application-test.properties +++ b/webgoat-container/src/test/resources/application-test.properties @@ -1,4 +1,5 @@ webgoat.user.directory=${java.io.tmpdir} spring.datasource.url=jdbc:hsqldb:mem:test -spring.jpa.hibernate.ddl-auto=create-drop \ No newline at end of file +webgoat.start.hsqldb=false +spring.flyway.locations=classpath:/db/container 
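Review bot: `spring.flyway.locations=classpath:/db/container` limits the test profile to the container migrations, so a lesson that ships its own script under `db/migration` (this commit adds `V2018_09_26_1__users.sql` for challenge 5 there) will not find its tables when run under this profile unless the lesson test overrides the location. If that is intentional, a comment above the line saying so would save the next maintainer a debugging round; if not, list both, `spring.flyway.locations=classpath:/db/container,classpath:/db/migration`.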
diff --git a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/IntegrationTest.java b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/IntegrationTest.java index 7771e86ec..8807b21ce 100644 --- a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/IntegrationTest.java +++ b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/IntegrationTest.java @@ -25,7 +25,7 @@ public abstract class IntegrationTest { private static String WEBGOAT_URL = "http://127.0.0.1:" + WG_PORT + "/WebGoat/"; private static String WEBWOLF_URL = "http://127.0.0.1:" + WW_PORT + "/"; private static boolean WG_SSL = false;//enable this if you want to run the test on ssl - + @Getter private String webGoatCookie; @Getter @@ -37,18 +37,16 @@ public abstract class IntegrationTest { @BeforeClass public static void beforeAll() { - - if (WG_SSL) { +if (WG_SSL) { WEBGOAT_URL = WEBGOAT_URL.replace("http:","https:"); } - - if (!started) { + if (!started) { started = true; if (!isAlreadyRunning(WG_PORT)) { SpringApplicationBuilder wgs = new SpringApplicationBuilder(StartWebGoat.class) .properties(Map.of("spring.config.name", "application-webgoat,application-inttest", "WEBGOAT_SSLENABLED", WG_SSL, "WEBGOAT_PORT", WG_PORT)); wgs.run(); - + } if (!isAlreadyRunning(WW_PORT)) { SpringApplicationBuilder wws = new SpringApplicationBuilder(WebWolf.class) @@ -80,13 +78,13 @@ public abstract class IntegrationTest { @Before public void login() { - + String location = given() .when() .relaxedHTTPSValidation() .formParam("username", webgoatUser) .formParam("password", "password") - .post(url("login")).then() + .post(url("login")).then() .cookie("JSESSIONID") .statusCode(302) .extract().header("Location"); 
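Review bot: `+if (WG_SSL) {` in the `beforeAll` hunk sits at column 0 while the surrounding method body keeps its indent, and the `@@ -238` hunk on the following line does the same with `+public void checkAssignmentWithGet(String url, Map params, boolean expectedResult) {`. Both look like an artifact of the whitespace cleanup rather than an intended layout and should be re-indented to match their neighbours. Since the rest of this file's change is whitespace-only, running the project formatter over the whole file would make the result consistent in one pass.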
@@ -212,7 +210,7 @@ public abstract class IntegrationTest { .relaxedHTTPSValidation() .cookie("JSESSIONID", getWebGoatCookie()) .get(url("service/lessonoverview.mvc")) - .then() + .then() .statusCode(200).extract().jsonPath().getList("solved"), CoreMatchers.everyItem(CoreMatchers.is(true))); Assert.assertThat(RestAssured.given() @@ -238,22 +236,21 @@ public abstract class IntegrationTest { .statusCode(200) .extract().path("lessonCompleted"), CoreMatchers.is(expectedResult)); } - - public void checkAssignmentWithGet(String url, Map params, boolean expectedResult) { +public void checkAssignmentWithGet(String url, Map params, boolean expectedResult) { Assert.assertThat( RestAssured.given() .when() .relaxedHTTPSValidation() - .cookie("JSESSIONID", getWebGoatCookie()) + .cookie("JSESSIONID", getWebGoatCookie()) .queryParams(params) - .get(url) + .get(url) .then() .statusCode(200) .extract().path("lessonCompleted"), CoreMatchers.is(expectedResult)); } - + public String getWebGoatServerPath() throws IOException { - + //read path from server String result = RestAssured.given() .when() @@ -265,9 +262,9 @@ public abstract class IntegrationTest { result = result.replace("%20", " "); return result; } - + public String getWebWolfServerPath() throws IOException { - + //read path from server String result = RestAssured.given() .when() @@ -279,6 +276,6 @@ public abstract class IntegrationTest { result = result.replace("%20", " "); return result; } - + } diff --git a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/SqlInjectionLessonTest.java b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/SqlInjectionLessonTest.java index 941b088e6..b47254b6a 100644 --- a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/SqlInjectionLessonTest.java +++ b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/SqlInjectionLessonTest.java 
@@ -39,14 +39,14 @@ public class SqlInjectionLessonTest extends IntegrationTest { params.put("query", sql_3); checkAssignment(url("/WebGoat/SqlInjection/attack3"), params, true); - params.clear(); - params.put("query", sql_4_drop); - checkAssignment(url("/WebGoat/SqlInjection/attack4"), params, false); - params.clear(); params.put("query", sql_4_add); checkAssignment(url("/WebGoat/SqlInjection/attack4"), params, true); + params.clear(); + params.put("query", sql_4_drop); + checkAssignment(url("/WebGoat/SqlInjection/attack4"), params, false); + params.clear(); params.put("query", sql_5); checkAssignment(url("/WebGoat/SqlInjection/attack5"), params, true); diff --git a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/XXETest.java b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/XXETest.java index 4c7070de1..db919a1d4 100644 --- a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/XXETest.java +++ b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/XXETest.java 
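Review bot: The swap of the `sql_4_add` and `sql_4_drop` blocks changes the order in which `attack4` is exercised without saying why; presumably, now that lesson tables are created once by Flyway rather than rebuilt per session, the drop attempt has to run after the add so that a failed drop can no longer interfere with the table the add depends on. A one-line comment above the first `params.clear()` of the moved block, `// order matters: run the add before the drop attempt against the same table`, would keep the next tidy-up from reverting it.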
@@ -16,70 +16,59 @@ public class XXETest extends IntegrationTest { private static final String xxe4 = "]>&xxe;test"; private static final String dtd7 = "\">%all;"; private static final String xxe7 = "%remote;]>test&send;"; - + private String webGoatHomeDirectory; private String webwolfFileDir; - - + @Test public void runTests() throws IOException { startLesson("XXE"); - webGoatHomeDirectory = getWebGoatServerPath(); webwolfFileDir = getWebWolfServerPath(); - - checkAssignment(url("/WebGoat/xxe/simple"),ContentType.XML,xxe3,true); - - checkAssignment(url("/WebGoat/xxe/content-type"),ContentType.XML,xxe4,true); - - - - checkAssignment(url("/WebGoat/xxe/blind"),ContentType.XML,""+getSecret()+"",true ); - + checkAssignment(url("/WebGoat/xxe/simple"), ContentType.XML, xxe3, true); + checkAssignment(url("/WebGoat/xxe/content-type"), ContentType.XML, xxe4, true); + checkAssignment(url("/WebGoat/xxe/blind"), ContentType.XML, "" + getSecret() + "", true); checkResults("xxe/"); - } - + /** * This performs the steps of the exercise before the secret can be committed in the final step. 
+ * * @return * @throws IOException */ private String getSecret() throws IOException { - - //remove any left over DTD - Path webWolfFilePath = Paths.get(webwolfFileDir); - if (webWolfFilePath.resolve(Paths.get(getWebgoatUser(),"blind.dtd")).toFile().exists()) { - Files.delete(webWolfFilePath.resolve(Paths.get(getWebgoatUser(),"blind.dtd"))); + //remove any left over DTD + Path webWolfFilePath = Paths.get(webwolfFileDir); + if (webWolfFilePath.resolve(Paths.get(getWebgoatUser(), "blind.dtd")).toFile().exists()) { + Files.delete(webWolfFilePath.resolve(Paths.get(getWebgoatUser(), "blind.dtd"))); } String secretFile = webGoatHomeDirectory.concat("/XXE/secret.txt"); String dtd7String = dtd7.replace("WEBWOLFURL", webWolfUrl("/landing")).replace("SECRET", secretFile); - + //upload DTD RestAssured.given() - .when() - .relaxedHTTPSValidation() - .cookie("WEBWOLFSESSION", getWebWolfCookie()) - .multiPart("file", "blind.dtd", dtd7String.getBytes()) - .post(webWolfUrl("/WebWolf/fileupload")) - .then() - .extract().response().getBody().asString(); - + .when() + .relaxedHTTPSValidation() + .cookie("WEBWOLFSESSION", getWebWolfCookie()) + .multiPart("file", "blind.dtd", dtd7String.getBytes()) + .post(webWolfUrl("/WebWolf/fileupload")) + .then() + .extract().response().getBody().asString(); //upload attack String xxe7String = xxe7.replace("WEBWOLFURL", webWolfUrl("/files")).replace("USERNAME", getWebgoatUser()); - checkAssignment(url("/WebGoat/xxe/blind?send=test"),ContentType.XML,xxe7String,false ); - + checkAssignment(url("/WebGoat/xxe/blind?send=test"), ContentType.XML, xxe7String, false); + //read results from WebWolf String result = RestAssured.given() - .when() - .relaxedHTTPSValidation() - .cookie("WEBWOLFSESSION", getWebWolfCookie()) - .get(webWolfUrl("/WebWolf/requests")) - .then() - .extract().response().getBody().asString(); + .when() + .relaxedHTTPSValidation() + .cookie("WEBWOLFSESSION", getWebWolfCookie()) + .get(webWolfUrl("/WebWolf/requests")) + .then() + 
.extract().response().getBody().asString(); result = result.replace("%20", " "); - result = result.substring(result.lastIndexOf("WebGoat 8.0 rocks... ("),result.lastIndexOf("WebGoat 8.0 rocks... (")+33); + result = result.substring(result.lastIndexOf("WebGoat 8.0 rocks... ("), result.lastIndexOf("WebGoat 8.0 rocks... (") + 33); return result; } - } diff --git a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge5/Assignment5.java b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge5/Assignment5.java index fe6e97c1e..f6f3ca953 100644 --- a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge5/Assignment5.java +++ b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge5/Assignment5.java 
@@ -23,96 +23,48 @@ package org.owasp.webgoat.challenges.challenge5; import lombok.extern.slf4j.Slf4j; -import org.apache.commons.lang3.RandomStringUtils; import org.owasp.webgoat.assignments.AssignmentEndpoint; import org.owasp.webgoat.assignments.AttackResult; import org.owasp.webgoat.challenges.Flag; -import org.owasp.webgoat.session.DatabaseUtilities; -import org.owasp.webgoat.session.WebSession; -import org.springframework.beans.factory.annotation.Autowired; import org.springframework.util.StringUtils; -import org.springframework.web.bind.annotation.*; +import org.springframework.web.bind.annotation.PostMapping; +import org.springframework.web.bind.annotation.RequestParam; +import org.springframework.web.bind.annotation.ResponseBody; +import org.springframework.web.bind.annotation.RestController; -import java.sql.*; +import javax.sql.DataSource; +import java.sql.PreparedStatement; +import java.sql.ResultSet; -import static org.owasp.webgoat.challenges.SolutionConstants.PASSWORD_TOM; - -/** - * @author nbaars - * @since 4/8/17. 
- */ @RestController @Slf4j public class Assignment5 extends AssignmentEndpoint { - //Make it more random at runtime (good luck guessing) - private static final String USERS_TABLE_NAME = "challenge_users_" + RandomStringUtils.randomAlphabetic(16); + private final DataSource dataSource; - @Autowired - private WebSession webSession; + public Assignment5(DataSource dataSource) { + this.dataSource = dataSource; + } @PostMapping("/challenge/5") @ResponseBody public AttackResult login(@RequestParam String username_login, @RequestParam String password_login) throws Exception { - Connection connection = DatabaseUtilities.getConnection(webSession); - checkDatabase(connection); - if (!StringUtils.hasText(username_login) || !StringUtils.hasText(password_login)) { return failed().feedback("required4").build(); } if (!"Larry".equals(username_login)) { return failed().feedback("user.not.larry").feedbackArgs(username_login).build(); } + try (var connection = dataSource.getConnection()) { + PreparedStatement statement = connection.prepareStatement("select password from challenge_users where userid = '" + username_login + "' and password = '" + password_login + "'"); + ResultSet resultSet = statement.executeQuery(); - PreparedStatement statement = connection.prepareStatement("select password from " + USERS_TABLE_NAME + " where userid = '" + username_login + "' and password = '" + password_login + "'"); - ResultSet resultSet = statement.executeQuery(); - - if (resultSet.next()) { - return success().feedback("challenge.solved").feedbackArgs(Flag.FLAGS.get(5)).build(); - } else { - return failed().feedback("challenge.close").build(); + if (resultSet.next()) { + return success().feedback("challenge.solved").feedbackArgs(Flag.FLAGS.get(5)).build(); + } else { + return failed().feedback("challenge.close").build(); + } } } - - private void checkDatabase(Connection connection) throws SQLException { - try { - Statement statement = connection.createStatement(); - statement.execute("select 1 
from " + USERS_TABLE_NAME); - } catch (SQLException e) { - createChallengeTable(connection); - } - } - - private void createChallengeTable(Connection connection) { - Statement statement = null; - try { - statement = connection.createStatement(); - String dropTable = "DROP TABLE " + USERS_TABLE_NAME; - statement.executeUpdate(dropTable); - } catch (SQLException e) { - log.info("Delete failed, this does not point to an error table might not have been present..."); - } - log.debug("Challenge 5 - Creating tables for users {}", USERS_TABLE_NAME); - try { - String createTableStatement = "CREATE TABLE " + USERS_TABLE_NAME - + " (" + "userid varchar(250)," - + "email varchar(30)," - + "password varchar(30)" - + ")"; - statement.executeUpdate(createTableStatement); - - String insertData1 = "INSERT INTO " + USERS_TABLE_NAME + " VALUES ('larry', 'larry@webgoat.org', 'larryknows')"; - String insertData2 = "INSERT INTO " + USERS_TABLE_NAME + " VALUES ('tom', 'tom@webgoat.org', '" + PASSWORD_TOM + "')"; - String insertData3 = "INSERT INTO " + USERS_TABLE_NAME + " VALUES ('alice', 'alice@webgoat.org', 'rt*(KJ()LP())$#**')"; - String insertData4 = "INSERT INTO " + USERS_TABLE_NAME + " VALUES ('eve', 'eve@webgoat.org', '**********')"; - statement.executeUpdate(insertData1); - statement.executeUpdate(insertData2); - statement.executeUpdate(insertData3); - statement.executeUpdate(insertData4); - } catch (SQLException e) { - log.error("Unable create table", e); - } - } - } diff --git a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge6/Assignment6.java b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge6/Assignment6.java deleted file mode 100644 index 93e5195d8..000000000 --- a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge6/Assignment6.java +++ /dev/null 
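Review bot: In the new `try (var connection = dataSource.getConnection())` only the connection is a managed resource; `statement` and `resultSet` are ordinary locals, so they are released only if the driver or pool cascades close from the connection, and under a pooled DataSource the cursor can outlive the request. Declaring them in the same resource list, `try (var connection = dataSource.getConnection(); var statement = connection.prepareStatement(<query>); var resultSet = statement.executeQuery())`, fixes that with the body left unchanged. The concatenated query looks like the deliberate weakness of this challenge (the removed code even randomised `USERS_TABLE_NAME` "good luck guessing"), so mark it with `// intentionally vulnerable: this is the challenge, do not parameterize` to keep a routine cleanup from removing the exercise, and confirm that fixing the table name to `challenge_users` is an intended change in the challenge's difficulty.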
@@ -1,132 +0,0 @@ -package org.owasp.webgoat.challenges.challenge6; - -import lombok.extern.slf4j.Slf4j; -import org.apache.commons.lang3.RandomStringUtils; -import org.owasp.webgoat.assignments.AssignmentEndpoint; -import org.owasp.webgoat.assignments.AttackResult; -import org.owasp.webgoat.challenges.Flag; -import org.owasp.webgoat.session.DatabaseUtilities; -import org.owasp.webgoat.session.WebSession; -import org.springframework.beans.factory.annotation.Autowired; -import org.springframework.util.StringUtils; -import org.springframework.web.bind.annotation.*; - -import java.sql.*; - -import static org.owasp.webgoat.challenges.SolutionConstants.PASSWORD_TOM; - -/** - * @author nbaars - * @since 4/8/17. - */ -@RestController -@Slf4j -public class Assignment6 extends AssignmentEndpoint { - - //Make it more random at runtime (good luck guessing) - private static final String USERS_TABLE_NAME = "challenge_users_6" + RandomStringUtils.randomAlphabetic(16); - - @Autowired - private WebSession webSession; - - public Assignment6() { - log.info("Challenge 6 tablename is: {}", USERS_TABLE_NAME); - } - - @PutMapping("/challenge/6") //assignment path is bounded to class so we use different http method :-) - @ResponseBody - public AttackResult registerNewUser(@RequestParam String username_reg, @RequestParam String email_reg, @RequestParam String password_reg) throws Exception { - AttackResult attackResult = checkArguments(username_reg, email_reg, password_reg); - - if (attackResult == null) { - Connection connection = DatabaseUtilities.getConnection(webSession); - checkDatabase(connection); - - String checkUserQuery = "select userid from " + USERS_TABLE_NAME + " where userid = '" + username_reg + "'"; - Statement statement = connection.createStatement(); - ResultSet resultSet = statement.executeQuery(checkUserQuery); - - if (resultSet.next()) { - attackResult = failed().feedback("user.exists").feedbackArgs(username_reg).build(); - } else { - PreparedStatement 
preparedStatement = connection.prepareStatement("INSERT INTO " + USERS_TABLE_NAME + " VALUES (?, ?, ?)"); - preparedStatement.setString(1, username_reg); - preparedStatement.setString(2, email_reg); - preparedStatement.setString(3, password_reg); - preparedStatement.execute(); - attackResult = success().feedback("user.created").feedbackArgs(username_reg).build(); - } - } - return attackResult; - } - - private AttackResult checkArguments(String username_reg, String email_reg, String password_reg) { - if (StringUtils.isEmpty(username_reg) || StringUtils.isEmpty(email_reg) || StringUtils.isEmpty(password_reg)) { - return failed().feedback("input.invalid").build(); - } - if (username_reg.length() > 250 || email_reg.length() > 30 || password_reg.length() > 30) { - return failed().feedback("input.invalid").build(); - } - return null; - } - - @PostMapping("/challenge/6") - @ResponseBody - public AttackResult login(@RequestParam String username_login, @RequestParam String password_login) throws Exception { - Connection connection = DatabaseUtilities.getConnection(webSession); - checkDatabase(connection); - - PreparedStatement statement = connection.prepareStatement("select password from " + USERS_TABLE_NAME + " where userid = ? 
and password = ?"); - statement.setString(1, username_login); - statement.setString(2, password_login); - ResultSet resultSet = statement.executeQuery(); - - if (resultSet.next() && "tom".equals(username_login)) { - return success().feedback("challenge.solved").feedbackArgs(Flag.FLAGS.get(6)).build(); - } else { - return failed().feedback("challenge.close").build(); - } - } - - private void checkDatabase(Connection connection) throws SQLException { - try { - Statement statement = connection.createStatement(); - statement.execute("select 1 from " + USERS_TABLE_NAME); - } catch (SQLException e) { - createChallengeTable(connection); - } - } - - private void createChallengeTable(Connection connection) { - Statement statement = null; - try { - statement = connection.createStatement(); - String dropTable = "DROP TABLE " + USERS_TABLE_NAME; - statement.executeUpdate(dropTable); - } catch (SQLException e) { - log.info("Delete failed, this does not point to an error table might not have been present..."); - } - log.debug("Challenge 6 - Creating tables for users {}", USERS_TABLE_NAME); - try { - String createTableStatement = "CREATE TABLE " + USERS_TABLE_NAME - + " (" + "userid varchar(250)," - + "email varchar(30)," - + "password varchar(30)" - + ")"; - statement.executeUpdate(createTableStatement); - - String insertData1 = "INSERT INTO " + USERS_TABLE_NAME + " VALUES ('larry', 'larry@webgoat.org', 'larryknows')"; - String insertData2 = "INSERT INTO " + USERS_TABLE_NAME + " VALUES ('tom', 'tom@webgoat.org', '" + PASSWORD_TOM + "')"; - String insertData3 = "INSERT INTO " + USERS_TABLE_NAME + " VALUES ('alice', 'alice@webgoat.org', 'rt*(KJ()LP())$#**')"; - String insertData4 = "INSERT INTO " + USERS_TABLE_NAME + " VALUES ('eve', 'eve@webgoat.org', '**********')"; - statement.executeUpdate(insertData1); - statement.executeUpdate(insertData2); - statement.executeUpdate(insertData3); - statement.executeUpdate(insertData4); - } catch (SQLException e) { - log.error("Unable create 
table", e);
- }
- }
-
-}
-
diff --git a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge6/Challenge6.java b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge6/Challenge6.java
deleted file mode 100644
index 1dc3544b3..000000000
--- a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge6/Challenge6.java
+++ /dev/null
@@ -1,28 +0,0 @@
-package org.owasp.webgoat.challenges.challenge6;
-
-import org.owasp.webgoat.lessons.Category;
-import org.owasp.webgoat.lessons.Lesson;
-import org.springframework.stereotype.Component;
-
-/**
- * @author nbaars
- * @since 3/21/17.
- */
-@Component
-public class Challenge6 extends Lesson {
-
- @Override
- public Category getDefaultCategory() {
- return Category.CHALLENGE;
- }
-
- @Override
- public String getTitle() {
- return "challenge6.title";
- }
-
- @Override
- public String getId() {
- return "Challenge6";
- }
-}
diff --git a/webgoat-lessons/challenge/src/main/resources/db/migration/V2018_09_26_1__users.sql b/webgoat-lessons/challenge/src/main/resources/db/migration/V2018_09_26_1__users.sql
new file mode 100644
index 000000000..a04639ac4
--- /dev/null
+++ b/webgoat-lessons/challenge/src/main/resources/db/migration/V2018_09_26_1__users.sql
@@ -0,0 +1,11 @@
+--Challenge 5 - Creating tables for users
+CREATE TABLE challenge_users(
+ userid varchar(250),
+ email varchar(30),
+ password varchar(30)
+);
+
+INSERT INTO challenge_users VALUES ('larry', 'larry@webgoat.org', 'larryknows');
+INSERT INTO challenge_users VALUES ('tom', 'tom@webgoat.org', 'thisisasecretfortomonly');
+INSERT INTO challenge_users VALUES ('alice', 'alice@webgoat.org', 'rt*(KJ()LP())$#**');
+INSERT INTO challenge_users VALUES ('eve', 'eve@webgoat.org', '**********');
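Review bot: The four `INSERT INTO challenge_users VALUES (...)` statements rely on column position; writing `INSERT INTO challenge_users (userid, email, password) VALUES (...)` keeps the seed data correct if a column is ever added or reordered. The literal `'thisisasecretfortomonly'` replaces the `PASSWORD_TOM` constant that the deleted Java code imported from `SolutionConstants`; if that constant still exists and still drives the flag check, the value is now maintained by hand in two places and a change to either silently breaks the challenge, so at least a comment on the tom row pointing at the constant is warranted. `challenge_users` has no primary key or unique constraint on `userid`, so nothing at the schema level prevents duplicate users; if that is intentional for the exercise, say so in the header comment.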
diff --git a/webgoat-lessons/chrome-dev-tools/src/test/java/org/owasp/webgoat/chrome_dev_tools/ChromeDevToolsTest.java b/webgoat-lessons/chrome-dev-tools/src/test/java/org/owasp/webgoat/chrome_dev_tools/ChromeDevToolsTest.java index 677976e49..ecbe7ba1b 100644 --- a/webgoat-lessons/chrome-dev-tools/src/test/java/org/owasp/webgoat/chrome_dev_tools/ChromeDevToolsTest.java +++ b/webgoat-lessons/chrome-dev-tools/src/test/java/org/owasp/webgoat/chrome_dev_tools/ChromeDevToolsTest.java @@ -5,10 +5,8 @@ import org.junit.Before; import org.junit.Test; import org.junit.runner.RunWith; import org.owasp.webgoat.plugins.LessonTest; -import org.owasp.webgoat.session.WebgoatContext; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; -import org.springframework.test.web.servlet.MvcResult; import org.springframework.test.web.servlet.request.MockMvcRequestBuilders; import org.springframework.test.web.servlet.setup.MockMvcBuilders; diff --git a/webgoat-lessons/cia/src/main/java/org/owasp/webgoat/cia/CIAQuiz.java b/webgoat-lessons/cia/src/main/java/org/owasp/webgoat/cia/CIAQuiz.java index 7c67a8935..84a162841 100644 --- a/webgoat-lessons/cia/src/main/java/org/owasp/webgoat/cia/CIAQuiz.java +++ b/webgoat-lessons/cia/src/main/java/org/owasp/webgoat/cia/CIAQuiz.java @@ -1,17 +1,9 @@ package org.owasp.webgoat.cia; import org.owasp.webgoat.assignments.AssignmentEndpoint; -import org.owasp.webgoat.assignments.AssignmentPath; import org.owasp.webgoat.assignments.AttackResult; -import org.owasp.webgoat.session.DatabaseUtilities; import org.springframework.web.bind.annotation.*; -import java.io.IOException; -import java.sql.Connection; -import java.sql.ResultSet; -import java.sql.SQLException; -import java.sql.Statement; - @RestController public class CIAQuiz extends AssignmentEndpoint { 
diff --git a/webgoat-lessons/cia/src/test/java/org/owasp/webgoat/cia/CIAQuizTest.java b/webgoat-lessons/cia/src/test/java/org/owasp/webgoat/cia/CIAQuizTest.java index 6618a349e..bebb202ca 100644 --- a/webgoat-lessons/cia/src/test/java/org/owasp/webgoat/cia/CIAQuizTest.java +++ b/webgoat-lessons/cia/src/test/java/org/owasp/webgoat/cia/CIAQuizTest.java @@ -4,7 +4,6 @@ import org.junit.Before; import org.junit.Test; import org.junit.runner.RunWith; import org.owasp.webgoat.plugins.LessonTest; -import org.owasp.webgoat.session.WebgoatContext; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; import org.springframework.test.web.servlet.MvcResult; diff --git a/webgoat-lessons/client-side-filtering/src/test/java/org/owasp/webgoat/client_side_filtering/ShopEndpointTest.java b/webgoat-lessons/client-side-filtering/src/test/java/org/owasp/webgoat/client_side_filtering/ShopEndpointTest.java index 2d3b6cd91..56e3f66f5 100644 --- a/webgoat-lessons/client-side-filtering/src/test/java/org/owasp/webgoat/client_side_filtering/ShopEndpointTest.java +++ b/webgoat-lessons/client-side-filtering/src/test/java/org/owasp/webgoat/client_side_filtering/ShopEndpointTest.java @@ -27,6 +27,8 @@ import org.junit.Before; import org.junit.Test; import org.junit.runner.RunWith; import org.mockito.junit.MockitoJUnitRunner; +import org.owasp.webgoat.plugins.LessonTest; +import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; import org.springframework.test.web.servlet.MockMvc; import org.springframework.test.web.servlet.request.MockMvcRequestBuilders; @@ -40,8 +42,8 @@ import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standal * @author nbaars * @since 5/2/17. */ -@RunWith(MockitoJUnitRunner.class) -public class ShopEndpointTest { +@RunWith(SpringJUnit4ClassRunner.class) +public class ShopEndpointTest extends LessonTest { private MockMvc mockMvc; 
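Review bot: `import org.mockito.junit.MockitoJUnitRunner;` in the first ShopEndpointTest hunk is left in place although the second hunk replaces `@RunWith(MockitoJUnitRunner.class)` with `@RunWith(SpringJUnit4ClassRunner.class)`, so the import is now unused. Drop it together with the runner change. The test class body continues outside the hunk.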
diff --git a/webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTFinalEndpoint.java b/webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTFinalEndpoint.java index e1bf87bd2..68819b6a7 100644 --- a/webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTFinalEndpoint.java +++ b/webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTFinalEndpoint.java @@ -22,20 +22,15 @@ package org.owasp.webgoat.jwt; -import com.google.common.base.Charsets; import io.jsonwebtoken.*; import io.jsonwebtoken.impl.TextCodec; import org.apache.commons.lang3.StringUtils; import org.owasp.webgoat.assignments.AssignmentEndpoint; import org.owasp.webgoat.assignments.AssignmentHints; -import org.owasp.webgoat.assignments.AssignmentPath; import org.owasp.webgoat.assignments.AttackResult; -import org.owasp.webgoat.session.DatabaseUtilities; -import org.owasp.webgoat.session.WebSession; -import org.springframework.beans.factory.annotation.Autowired; import org.springframework.web.bind.annotation.*; -import java.sql.Connection; +import javax.sql.DataSource; import java.sql.ResultSet; import java.sql.SQLException; @@ -67,8 +62,11 @@ import java.sql.SQLException; @AssignmentHints({"jwt-final-hint1", "jwt-final-hint2", "jwt-final-hint3", "jwt-final-hint4", "jwt-final-hint5", "jwt-final-hint6"}) public class JWTFinalEndpoint extends AssignmentEndpoint { - @Autowired - private WebSession webSession; + private final DataSource dataSource; + + private JWTFinalEndpoint(DataSource dataSource) { + this.dataSource = dataSource; + } @PostMapping("/JWT/final/follow/{user}") public @ResponseBody 
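Review bot: The added constructor `private JWTFinalEndpoint(DataSource dataSource)` is private, while every other endpoint converted in this commit (SqlInjectionChallenge, SqlInjectionChallengeLogin, SqlInjectionLesson6a, 6b, 10 and 2) declares its DataSource constructor public. Spring can generally instantiate through a non-public constructor, but the inconsistency reads as an oversight and prevents direct construction in unit tests; suggest `public JWTFinalEndpoint(DataSource dataSource) {`. The class body continues outside the hunk.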
@@ -92,8 +90,7 @@ public class JWTFinalEndpoint extends AssignmentEndpoint { @Override public byte[] resolveSigningKeyBytes(JwsHeader header, Claims claims) { final String kid = (String) header.get("kid"); - try { - Connection connection = DatabaseUtilities.getConnection(webSession); + try (var connection = dataSource.getConnection()) { ResultSet rs = connection.createStatement().executeQuery("SELECT key FROM jwt_keys WHERE id = '" + kid + "'"); while (rs.next()) { return TextCodec.BASE64.decode(rs.getString(1)); diff --git a/webgoat-lessons/jwt/src/main/resources/db/migration/V2019_09_25_1__jwt.sql b/webgoat-lessons/jwt/src/main/resources/db/migration/V2019_09_25_1__jwt.sql new file mode 100644 index 000000000..975574373 --- /dev/null +++ b/webgoat-lessons/jwt/src/main/resources/db/migration/V2019_09_25_1__jwt.sql @@ -0,0 +1,7 @@ +CREATE TABLE jwt_keys( + id varchar(20), + key varchar(20) +); + +INSERT INTO jwt_keys VALUES ('webgoat_key', 'qwertyqwerty1234'); +INSERT INTO jwt_keys VALUES ('webwolf_key', 'doesnotreallymatter'); diff --git a/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/Users.java b/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/Users.java index 69bc8ce78..21898432f 100644 --- a/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/Users.java +++ b/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/Users.java 
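Review bot: The query in `resolveSigningKeyBytes` still builds SQL by concatenating the `kid` header value, and the new try-with-resources does not change that; in this lesson it is presumably the deliberate weakness, but nothing in the code says so. A one-line comment such as `// intentionally injectable: the kid header is the weakness this lesson teaches` would keep a later cleanup from silently removing the exercise or a reader from treating it as a pattern. `var connection` is used here while the other converted endpoints spell out `Connection`; worth aligning. The method continues outside the hunk.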
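Review bot: `jwt_keys` is created without a primary key on `id`, and the lookup in JWTFinalEndpoint (`SELECT key FROM jwt_keys WHERE id = ...`) returns whatever row comes first, so a duplicate `id` would silently select an arbitrary key; `id varchar(20) PRIMARY KEY,` pins that down. `key` is a reserved word in some dialects (MySQL, for one); it evidently works on the engine this migration targets, but a less ambiguous name such as `key_value` would be safer if the file is reused, with the matching change in the Java query. The two values are short, human-readable strings, so a comment such as `-- lesson fixture: deliberately weak demonstration keys` would make clear they are not a pattern to copy.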
@@ -22,77 +22,73 @@ package org.owasp.webgoat.missing_ac; -import org.owasp.webgoat.session.DatabaseUtilities; import org.owasp.webgoat.session.UserSessionData; -import org.owasp.webgoat.session.WebSession; -import org.springframework.beans.factory.annotation.Autowired; import org.springframework.web.bind.annotation.GetMapping; -import org.springframework.web.bind.annotation.RequestMapping; -import org.springframework.web.bind.annotation.RequestMethod; import org.springframework.web.bind.annotation.ResponseBody; -import javax.servlet.http.HttpServletRequest; -import java.sql.*; +import javax.sql.DataSource; +import java.sql.Connection; +import java.sql.ResultSet; +import java.sql.SQLException; +import java.sql.Statement; import java.util.HashMap; public class Users { - @Autowired - private WebSession webSession; + private UserSessionData userSessionData; + private DataSource dataSource; - @Autowired - UserSessionData userSessionData; + public Users(UserSessionData userSessionData, DataSource dataSource) { + this.userSessionData = userSessionData; + this.dataSource = dataSource; + } @GetMapping(produces = {"application/json"}) @ResponseBody protected HashMap getUsers() { - try { - Connection connection = DatabaseUtilities.getConnection(getWebSession()); + try (Connection connection = dataSource.getConnection()) { String query = "SELECT * FROM user_data"; try { Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY); ResultSet results = statement.executeQuery(query); - HashMap allUsersMap = new HashMap(); + HashMap allUsersMap = new HashMap(); if ((results != null) && (results.first() == true)) { - ResultSetMetaData resultsMetaData = results.getMetaData(); - StringBuffer output = new StringBuffer(); - while (results.next()) { int id = results.getInt(0); - HashMap userMap = new HashMap<>(); + HashMap userMap = new HashMap<>(); userMap.put("first", results.getString(1)); userMap.put("last", results.getString(2)); 
userMap.put("cc", results.getString(3)); userMap.put("ccType", results.getString(4)); userMap.put("cookie", results.getString(5)); - userMap.put("loginCount",Integer.toString(results.getInt(6))); - allUsersMap.put(id,userMap); + userMap.put("loginCount", Integer.toString(results.getInt(6))); + allUsersMap.put(id, userMap); } - userSessionData.setValue("allUsers",allUsersMap); + userSessionData.setValue("allUsers", allUsersMap); return allUsersMap; } } catch (SQLException sqle) { sqle.printStackTrace(); - HashMap errMap = new HashMap() {{ - put("err",sqle.getErrorCode() + "::" + sqle.getMessage()); + HashMap errMap = new HashMap() {{ + put("err", sqle.getErrorCode() + "::" + sqle.getMessage()); }}; - return new HashMap() {{ - put(0,errMap); + return new HashMap() {{ + put(0, errMap); }}; } catch (Exception e) { e.printStackTrace(); - HashMap errMap = new HashMap() {{ - put("err",e.getMessage() + "::" + e.getCause()); + HashMap errMap = new HashMap() {{ + put("err", e.getMessage() + "::" + e.getCause()); }}; e.printStackTrace(); - return new HashMap() {{ - put(0,errMap); + return new HashMap() {{ + put(0, errMap); }}; @@ -108,24 +104,15 @@ public class Users { } catch (Exception e) { e.printStackTrace(); - HashMap errMap = new HashMap() {{ - put("err",e.getMessage() + "::" + e.getCause()); + HashMap errMap = new HashMap() {{ + put("err", e.getMessage() + "::" + e.getCause()); }}; e.printStackTrace(); - return new HashMap() {{ - put(0,errMap); + return new HashMap<>() {{ + put(0, errMap); }}; } return null; } - - protected WebSession getWebSession() { - return webSession; - } - -// @Override -// public String getPath() { -// return "/access-control/list-users"; -// } } diff --git a/webgoat-lessons/missing-function-ac/src/test/java/org/owasp/webgoat/missing_ac/MissingFunctionYourHashTest.java b/webgoat-lessons/missing-function-ac/src/test/java/org/owasp/webgoat/missing_ac/MissingFunctionYourHashTest.java index def9adfa1..86c7d59c2 100644 
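Review bot: `int id = results.getInt(0);` inside the loop in `getUsers()` uses column index 0, but JDBC column indices start at 1, so this throws on every row and the method always lands in the `SQLException` branch; the reads should be `getInt(1)`, `getString(2)`, and so on (or by column name). In the same block `results.first()` positions the cursor on the first row and the following `while (results.next())` then skips it, so even with the index fixed the first user would be missing; a `do { ... } while (results.next())` after `first()` avoids that. Both lines are unchanged context, but the commit re-touches this method and it is the right moment to correct them.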
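Review bot: The `catch (Exception e)` block in the second Users.java hunk calls `e.printStackTrace()` twice and returns `e.getMessage() + "::" + e.getCause()` to the caller in the JSON body, and the first hunk's two catch blocks do the same with `sqle.getErrorCode()` and the message. Exception text and driver error codes are internal details; log them once server-side and return a fixed value such as `put("err", "internal error");`. The class is closed at the end of this hunk.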
--- a/webgoat-lessons/missing-function-ac/src/test/java/org/owasp/webgoat/missing_ac/MissingFunctionYourHashTest.java +++ b/webgoat-lessons/missing-function-ac/src/test/java/org/owasp/webgoat/missing_ac/MissingFunctionYourHashTest.java @@ -54,10 +54,9 @@ public class MissingFunctionYourHashTest extends AssignmentEndpointTest { MissingFunctionACYourHash yourHashTest = new MissingFunctionACYourHash(); init(yourHashTest); this.mockMvc = standaloneSetup(yourHashTest).build(); - this.mockDisplayUser = new DisplayUser(new WebGoatUser("user","userPass")); - ReflectionTestUtils.setField(yourHashTest,"userService",userService); - when(mockDisplayUser.getUserHash()).thenReturn("2340928sadfajsdalsNfwrBla="); - when(userService.loadUserByUsername(any())).thenReturn(new WebGoatUser("user","userPass")); + this.mockDisplayUser = new DisplayUser(new WebGoatUser("user", "userPass")); + ReflectionTestUtils.setField(yourHashTest, "userService", userService); + when(userService.loadUserByUsername(any())).thenReturn(new WebGoatUser("user", "userPass")); when(webSession.getCurrentLesson()).thenReturn(new MissingFunctionAC()); } diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java index c34372fdb..9260a553c 100644 --- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java +++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java 
@@ -23,20 +23,16 @@ package org.owasp.webgoat.sql_injection.advanced; import lombok.extern.slf4j.Slf4j; -import org.apache.commons.lang3.RandomStringUtils; import org.owasp.webgoat.assignments.AssignmentEndpoint; import org.owasp.webgoat.assignments.AssignmentHints; -import org.owasp.webgoat.assignments.AssignmentPath; import org.owasp.webgoat.assignments.AttackResult; -import org.owasp.webgoat.session.DatabaseUtilities; -import org.owasp.webgoat.session.WebSession; -import org.springframework.beans.factory.annotation.Autowired; import org.springframework.util.StringUtils; import org.springframework.web.bind.annotation.PutMapping; import org.springframework.web.bind.annotation.RequestParam; import org.springframework.web.bind.annotation.ResponseBody; import org.springframework.web.bind.annotation.RestController; +import javax.sql.DataSource; import java.sql.*; /** 
@@ -48,50 +44,45 @@ import java.sql.*; @Slf4j public class SqlInjectionChallenge extends AssignmentEndpoint { - private static final String PASSWORD_TOM = "thisisasecretfortomonly"; - //Make it more random at runtime (good luck guessing) - static final String USERS_TABLE_NAME = "challenge_users_6" + RandomStringUtils.randomAlphabetic(16); + private final DataSource dataSource; - @Autowired - private WebSession webSession; - - public SqlInjectionChallenge() { - log.info("Challenge 6 tablename is: {}", USERS_TABLE_NAME); + public SqlInjectionChallenge(DataSource dataSource) { + this.dataSource = dataSource; } - @PutMapping("/SqlInjectionAdvanced/challenge") //assignment path is bounded to class so we use different http method :-) + @PutMapping("/SqlInjectionAdvanced/challenge") + //assignment path is bounded to class so we use different http method :-) @ResponseBody public AttackResult registerNewUser(@RequestParam String username_reg, @RequestParam String email_reg, @RequestParam String password_reg) throws Exception { AttackResult attackResult = checkArguments(username_reg, email_reg, password_reg); if (attackResult == null) { - Connection connection = DatabaseUtilities.getConnection(webSession); - checkDatabase(connection); - try { - String checkUserQuery = "select userid from " + USERS_TABLE_NAME + " where userid = '" + username_reg + "'"; + + try (Connection connection = dataSource.getConnection()) { + String checkUserQuery = "select userid from sql_challenge_users where userid = '" + username_reg + "'"; Statement statement = connection.createStatement(); ResultSet resultSet = statement.executeQuery(checkUserQuery); if (resultSet.next()) { - if (username_reg.contains("tom'")) { - attackResult = trackProgress(success().feedback("user.exists").build()); - } else { - attackResult = failed().feedback("user.exists").feedbackArgs(username_reg).build(); - } + if (username_reg.contains("tom'")) { + attackResult = trackProgress(success().feedback("user.exists").build()); 
+ } else { + attackResult = failed().feedback("user.exists").feedbackArgs(username_reg).build(); + } } else { - PreparedStatement preparedStatement = connection.prepareStatement("INSERT INTO " + USERS_TABLE_NAME + " VALUES (?, ?, ?)"); + PreparedStatement preparedStatement = connection.prepareStatement("INSERT INTO sql_challenge_users VALUES (?, ?, ?)"); preparedStatement.setString(1, username_reg); preparedStatement.setString(2, email_reg); preparedStatement.setString(3, password_reg); preparedStatement.execute(); attackResult = success().feedback("user.created").feedbackArgs(username_reg).build(); } - } catch(SQLException e) { + } catch (SQLException e) { attackResult = failed().output("Something went wrong").build(); } - } - return attackResult; + } + return attackResult; } private AttackResult checkArguments(String username_reg, String email_reg, String password_reg) { 
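Review bot: `registerNewUser` now reads from and inserts into `sql_challenge_users`, but the only migration in this diff creates `challenge_users` (V2018_09_26_1__users.sql in the challenge module); unless a separate migration for `sql_challenge_users` is part of this change, the first request fails with a table-not-found `SQLException` that the catch block turns into the bare `Something went wrong`. SqlInjectionChallengeLogin selects from the same `sql_challenge_users` name and would fail the same way. The `catch (SQLException e)` discards the exception although the class carries `@Slf4j`; `log.warn("registration failed", e);` before returning keeps the diagnosis possible. The `checkUserQuery` concatenation is the intended injection point of this challenge and deserves a comment saying so, e.g. `// intentionally injectable: this is the challenge`.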
@@ -103,46 +94,5 @@ public class SqlInjectionChallenge extends AssignmentEndpoint { } return null; } - - static void checkDatabase(Connection connection) throws SQLException { - try { - Statement statement = connection.createStatement(); - System.out.println(USERS_TABLE_NAME); - statement.execute("select 1 from " + USERS_TABLE_NAME); - } catch (SQLException e) { - createChallengeTable(connection); - } - } - - static void createChallengeTable(Connection connection) { - Statement statement = null; - try { - statement = connection.createStatement(); - String dropTable = "DROP TABLE " + USERS_TABLE_NAME; - statement.executeUpdate(dropTable); - } catch (SQLException e) { - log.info("Delete failed, this does not point to an error table might not have been present..."); - } - log.debug("Challenge 6 - Creating tables for users {}", USERS_TABLE_NAME); - try { - String createTableStatement = "CREATE TABLE " + USERS_TABLE_NAME - + " (" + "userid varchar(250)," - + "email varchar(30)," - + "password varchar(30)" - + ")"; - statement.executeUpdate(createTableStatement); - - String insertData1 = "INSERT INTO " + USERS_TABLE_NAME + " VALUES ('larry', 'larry@webgoat.org', 'larryknows')"; - String insertData2 = "INSERT INTO " + USERS_TABLE_NAME + " VALUES ('tom', 'tom@webgoat.org', '" + PASSWORD_TOM + "')"; - String insertData3 = "INSERT INTO " + USERS_TABLE_NAME + " VALUES ('alice', 'alice@webgoat.org', 'rt*(KJ()LP())$#**')"; - String insertData4 = "INSERT INTO " + USERS_TABLE_NAME + " VALUES ('eve', 'eve@webgoat.org', '**********')"; - statement.executeUpdate(insertData1); - statement.executeUpdate(insertData2); - statement.executeUpdate(insertData3); - statement.executeUpdate(insertData4); - } catch (SQLException e) { - log.error("Unable create table", e); - } - } } 
diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallengeLogin.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallengeLogin.java index 25a3b7821..b24ffef8c 100644 --- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallengeLogin.java +++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallengeLogin.java 
@@ -25,36 +25,40 @@ package org.owasp.webgoat.sql_injection.advanced; import org.owasp.webgoat.assignments.AssignmentEndpoint; import org.owasp.webgoat.assignments.AssignmentHints; import org.owasp.webgoat.assignments.AttackResult; -import org.owasp.webgoat.session.DatabaseUtilities; -import org.owasp.webgoat.session.WebSession; -import org.springframework.beans.factory.annotation.Autowired; -import org.springframework.web.bind.annotation.*; +import org.springframework.web.bind.annotation.PostMapping; +import org.springframework.web.bind.annotation.RequestParam; +import org.springframework.web.bind.annotation.ResponseBody; +import org.springframework.web.bind.annotation.RestController; -import java.sql.*; +import javax.sql.DataSource; +import java.sql.PreparedStatement; +import java.sql.ResultSet; @RestController -@AssignmentHints(value ={"SqlInjectionChallengeHint1", "SqlInjectionChallengeHint2", "SqlInjectionChallengeHint3", "SqlInjectionChallengeHint4"}) +@AssignmentHints(value = {"SqlInjectionChallengeHint1", "SqlInjectionChallengeHint2", "SqlInjectionChallengeHint3", "SqlInjectionChallengeHint4"}) public class SqlInjectionChallengeLogin extends AssignmentEndpoint { - @Autowired - private WebSession webSession; + private final DataSource dataSource; - @PostMapping("/SqlInjectionAdvanced/challenge_Login") - @ResponseBody - public AttackResult login(@RequestParam String username_login, @RequestParam String password_login) throws Exception { - Connection connection = DatabaseUtilities.getConnection(webSession); - SqlInjectionChallenge.checkDatabase(connection); - - PreparedStatement statement = connection.prepareStatement("select password from " + SqlInjectionChallenge.USERS_TABLE_NAME + " where userid = ? and password = ?"); - statement.setString(1, username_login); - statement.setString(2, password_login); - ResultSet resultSet = statement.executeQuery(); - - if (resultSet.next()) { - return ("tom".equals(username_login)) ? 
trackProgress(success().build()) - : success().feedback("ResultsButNotTom").build(); - } else { - return failed().feedback("NoResultsMatched").build(); + public SqlInjectionChallengeLogin(DataSource dataSource) { + this.dataSource = dataSource; + } + + @PostMapping("/SqlInjectionAdvanced/challenge_Login") + @ResponseBody + public AttackResult login(@RequestParam String username_login, @RequestParam String password_login) throws Exception { + try (var connection = dataSource.getConnection()) { + PreparedStatement statement = connection.prepareStatement("select password from sql_challenge_users where userid = ? and password = ?"); + statement.setString(1, username_login); + statement.setString(2, password_login); + ResultSet resultSet = statement.executeQuery(); + + if (resultSet.next()) { + return ("tom".equals(username_login)) ? trackProgress(success().build()) + : success().feedback("ResultsButNotTom").build(); + } else { + return failed().feedback("NoResultsMatched").build(); + } + } } - } } diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java index 88a8e47df..14dcc1fa6 100644 --- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java +++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java 
@@ -26,35 +26,43 @@ import org.owasp.webgoat.assignments.AssignmentEndpoint; import org.owasp.webgoat.assignments.AssignmentHints; import org.owasp.webgoat.assignments.AttackResult; import org.owasp.webgoat.sql_injection.introduction.SqlInjectionLesson5a; -import org.owasp.webgoat.session.DatabaseUtilities; -import org.springframework.web.bind.annotation.*; +import org.springframework.web.bind.annotation.PostMapping; +import org.springframework.web.bind.annotation.RequestParam; +import org.springframework.web.bind.annotation.ResponseBody; +import org.springframework.web.bind.annotation.RestController; -import java.io.IOException; +import javax.sql.DataSource; import java.sql.*; @RestController @AssignmentHints(value = {"SqlStringInjectionHint-advanced-6a-1", "SqlStringInjectionHint-advanced-6a-2", "SqlStringInjectionHint-advanced-6a-3", -"SqlStringInjectionHint-advanced-6a-4"}) + "SqlStringInjectionHint-advanced-6a-4"}) public class SqlInjectionLesson6a extends AssignmentEndpoint { + private final DataSource dataSource; + + public SqlInjectionLesson6a(DataSource dataSource) { + this.dataSource = dataSource; + } + @PostMapping("/SqlInjectionAdvanced/attack6a") @ResponseBody - public AttackResult completed(@RequestParam String userid_6a) throws IOException { + public AttackResult completed(@RequestParam String userid_6a) { return injectableQuery(userid_6a); // The answer: Smith' union select userid,user_name, password,cookie,cookie, cookie,userid from user_system_data -- } protected AttackResult injectableQuery(String accountName) { String query = ""; - try(Connection connection = DatabaseUtilities.getConnection(getWebSession())) { + try (Connection connection = dataSource.getConnection()) { boolean usedUnion = true; query = "SELECT * FROM user_data WHERE last_name = '" + accountName + "'"; //Check if Union is used - if(!accountName.matches("(?i)(^[^-/*;)]*)(\\s*)UNION(.*$)")) { + if (!accountName.matches("(?i)(^[^-/*;)]*)(\\s*)UNION(.*$)")) { usedUnion = false; } - 
try(Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, + try (Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY)) { ResultSet results = statement.executeQuery(query); @@ -65,7 +73,7 @@ public class SqlInjectionLesson6a extends AssignmentEndpoint { output.append(SqlInjectionLesson5a.writeTable(results, resultsMetaData)); String appendingWhenSucceded; - if(usedUnion) + if (usedUnion) appendingWhenSucceded = "Well done! Can you also figure out a solution, by appending a new Sql Statement?"; else appendingWhenSucceded = "Well done! Can you also figure out a solution, by using a UNION?"; diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6b.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6b.java index 6d63efc7a..542a37013 100644 --- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6b.java +++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6b.java @@ -24,11 +24,13 @@ package org.owasp.webgoat.sql_injection.advanced; import org.owasp.webgoat.assignments.AssignmentEndpoint; -import org.owasp.webgoat.assignments.AssignmentPath; import org.owasp.webgoat.assignments.AttackResult; -import org.owasp.webgoat.session.DatabaseUtilities; -import org.springframework.web.bind.annotation.*; +import org.springframework.web.bind.annotation.PostMapping; +import org.springframework.web.bind.annotation.RequestParam; +import org.springframework.web.bind.annotation.ResponseBody; +import org.springframework.web.bind.annotation.RestController; +import javax.sql.DataSource; import java.io.IOException; import java.sql.Connection; import java.sql.ResultSet; 
@@ -39,10 +41,16 @@ import java.sql.Statement; @RestController public class SqlInjectionLesson6b extends AssignmentEndpoint { + private final DataSource dataSource; + + public SqlInjectionLesson6b(DataSource dataSource) { + this.dataSource = dataSource; + } + @PostMapping("/SqlInjectionAdvanced/attack6b") @ResponseBody public AttackResult completed(@RequestParam String userid_6b) throws IOException { - if (userid_6b.toString().equals(getPassword())) { + if (userid_6b.equals(getPassword())) { return trackProgress(success().build()); } else { return trackProgress(failed().build()); @@ -50,18 +58,15 @@ public class SqlInjectionLesson6b extends AssignmentEndpoint { } protected String getPassword() { - String password = "dave"; - try { - Connection connection = DatabaseUtilities.getConnection(getWebSession()); + try (Connection connection = dataSource.getConnection()) { String query = "SELECT password FROM user_system_data WHERE user_name = 'dave'"; - try { Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY); ResultSet results = statement.executeQuery(query); - if ((results != null) && (results.first() == true)) { + if (results != null && results.first()) { password = results.getString("password"); } } catch (SQLException sqle) { diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionQuiz.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionQuiz.java index 744139f6e..b72c355ca 100644 --- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionQuiz.java +++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionQuiz.java 
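Review bot: The new side of `getPassword()` removes the declaration `String password = "dave";` but keeps `password = results.getString("password");` a few lines later, so unless `password` is declared as a field elsewhere in the file the method no longer compiles; keep the declaration inside the method, e.g. `String password = "dave";` immediately before the try-with-resources. Dropping the default also changes what is returned when the lookup yields no row. `getPassword()` continues outside the hunk, so the remaining catch structure could not be checked here.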
@@ -23,16 +23,10 @@ package org.owasp.webgoat.sql_injection.advanced; import org.owasp.webgoat.assignments.AssignmentEndpoint; -import org.owasp.webgoat.assignments.AssignmentPath; import org.owasp.webgoat.assignments.AttackResult; -import org.owasp.webgoat.session.DatabaseUtilities; import org.springframework.web.bind.annotation.*; import java.io.IOException; -import java.sql.Connection; -import java.sql.ResultSet; -import java.sql.SQLException; -import java.sql.Statement; /** * add a question: 1. Append new question to JSON string diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10.java index cef4136c5..c6e662f99 100644 --- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10.java +++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10.java 
@@ -26,15 +26,27 @@ package org.owasp.webgoat.sql_injection.introduction; import org.owasp.webgoat.assignments.AssignmentEndpoint; import org.owasp.webgoat.assignments.AssignmentHints; import org.owasp.webgoat.assignments.AttackResult; -import org.owasp.webgoat.session.DatabaseUtilities; -import org.springframework.web.bind.annotation.*; +import org.springframework.web.bind.annotation.PostMapping; +import org.springframework.web.bind.annotation.RequestParam; +import org.springframework.web.bind.annotation.ResponseBody; +import org.springframework.web.bind.annotation.RestController; -import java.sql.*; +import javax.sql.DataSource; +import java.sql.Connection; +import java.sql.ResultSet; +import java.sql.SQLException; +import java.sql.Statement; @RestController @AssignmentHints(value = {"SqlStringInjectionHint.10.1", "SqlStringInjectionHint.10.2", "SqlStringInjectionHint.10.3", "SqlStringInjectionHint.10.4", "SqlStringInjectionHint.10.5", "SqlStringInjectionHint.10.6"}) public class SqlInjectionLesson10 extends AssignmentEndpoint { + private final DataSource dataSource; + + public SqlInjectionLesson10(DataSource dataSource) { + this.dataSource = dataSource; + } + @PostMapping("/SqlInjection/attack10") @ResponseBody public AttackResult completed(@RequestParam String action_string) { @@ -45,9 +57,7 @@ public class SqlInjectionLesson10 extends AssignmentEndpoint { StringBuffer output = new StringBuffer(); String query = "SELECT * FROM access_log WHERE action LIKE '%" + action + "%'"; - try { - Connection connection = DatabaseUtilities.getConnection(getWebSession()); - + try (Connection connection = dataSource.getConnection()) { try { Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY); ResultSet results = statement.executeQuery(query); 
@@ -59,16 +69,14 @@ public class SqlInjectionLesson10 extends AssignmentEndpoint { } else { if (tableExists(connection)) { return trackProgress(failed().feedback("sql-injection.10.entries").output(output.toString()).build()); - } - else { + } else { return trackProgress(success().feedback("sql-injection.10.success").build()); } } } catch (SQLException e) { if (tableExists(connection)) { return trackProgress(failed().feedback("sql-injection.error").output("
" + output.toString()).build()); - } - else { + } else { return trackProgress(success().feedback("sql-injection.10.success").build()); } } @@ -80,7 +88,7 @@ public class SqlInjectionLesson10 extends AssignmentEndpoint { private boolean tableExists(Connection connection) { try { - Statement stmt = connection.createStatement(); + Statement stmt = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY); ResultSet results = stmt.executeQuery("SELECT * FROM access_log"); int cols = results.getMetaData().getColumnCount(); return (cols > 0); diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson2.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson2.java index a0b096e9c..19dc15a92 100644 --- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson2.java +++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson2.java 
@@ -26,49 +26,53 @@ package org.owasp.webgoat.sql_injection.introduction; import org.owasp.webgoat.assignments.AssignmentEndpoint; import org.owasp.webgoat.assignments.AssignmentHints; import org.owasp.webgoat.assignments.AttackResult; -import org.owasp.webgoat.session.DatabaseUtilities; -import org.springframework.web.bind.annotation.*; +import org.springframework.web.bind.annotation.PostMapping; +import org.springframework.web.bind.annotation.RequestParam; +import org.springframework.web.bind.annotation.ResponseBody; +import org.springframework.web.bind.annotation.RestController; -import java.sql.*; +import javax.sql.DataSource; +import java.sql.ResultSet; +import java.sql.SQLException; +import java.sql.Statement; + +import static java.sql.ResultSet.CONCUR_READ_ONLY; +import static java.sql.ResultSet.TYPE_SCROLL_INSENSITIVE; @RestController @AssignmentHints(value = {"SqlStringInjectionHint2-1", "SqlStringInjectionHint2-2", "SqlStringInjectionHint2-3", "SqlStringInjectionHint2-4"}) public class SqlInjectionLesson2 extends AssignmentEndpoint { + private final DataSource dataSource; + + public SqlInjectionLesson2(DataSource dataSource) { + this.dataSource = dataSource; + } + @PostMapping("/SqlInjection/attack2") @ResponseBody public AttackResult completed(@RequestParam String query) { return injectableQuery(query); } - protected AttackResult injectableQuery(String _query) { - try { - Connection connection = DatabaseUtilities.getConnection(getWebSession()); - String query = _query; + protected AttackResult injectableQuery(String query) { + try (var connection = dataSource.getConnection()) { + Statement statement = connection.createStatement(TYPE_SCROLL_INSENSITIVE, CONCUR_READ_ONLY); + ResultSet results = statement.executeQuery(query); + StringBuffer output = new StringBuffer(); - try { - Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, - ResultSet.CONCUR_READ_ONLY); - ResultSet results = statement.executeQuery(_query); - 
StringBuffer output = new StringBuffer(); + results.first(); - results.first(); - - if (results.getString("department").equals("Marketing")) { - output.append(""); - output.append(SqlInjectionLesson8.generateTable(results)); - return trackProgress(success().feedback("sql-injection.2.success").output(output.toString()).build()); - } else { - return trackProgress(failed().feedback("sql-injection.2.failed").output(output.toString()).build()); - } - - } catch (SQLException sqle) { - - return trackProgress(failed().feedback("sql-injection.2.failed").output(sqle.getMessage()).build()); + if (results.getString("department").equals("Marketing")) { + output.append(""); + output.append(SqlInjectionLesson8.generateTable(results)); + return trackProgress(success().feedback("sql-injection.2.success").output(output.toString()).build()); + } else { + return trackProgress(failed().feedback("sql-injection.2.failed").output(output.toString()).build()); } - } catch (Exception e) { - return trackProgress(failed().output(this.getClass().getName() + " : " + e.getMessage()).build()); + } catch (SQLException sqle) { + return trackProgress(failed().feedback("sql-injection.2.failed").output(sqle.getMessage()).build()); } } } diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson3.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson3.java index a16abd63a..7541c2065 100644 --- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson3.java +++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson3.java 
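Review bot: Dropping the outer `catch (Exception e)` from `injectableQuery` means anything other than a `SQLException` now escapes the endpoint: the return value of `results.first()` is ignored and `results.getString("department").equals("Marketing")` throws `NullPointerException` when the column is null, turning a failed attempt into a 500 instead of the `sql-injection.2.failed` feedback the old code returned. Guard the cursor and flip the comparison: `if (results.first() && "Marketing".equals(results.getString("department"))) {`. The `Statement` is also created outside the resource list and never closed; `try (var connection = dataSource.getConnection(); Statement statement = connection.createStatement(TYPE_SCROLL_INSENSITIVE, CONCUR_READ_ONLY)) {` closes both. Executing the raw `query` is the assignment's intended injection sink and should stay.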
@@ -26,16 +26,31 @@ package org.owasp.webgoat.sql_injection.introduction; import org.owasp.webgoat.assignments.AssignmentEndpoint; import org.owasp.webgoat.assignments.AssignmentHints; import org.owasp.webgoat.assignments.AttackResult; -import org.owasp.webgoat.session.DatabaseUtilities; -import org.springframework.web.bind.annotation.*; +import org.springframework.web.bind.annotation.PostMapping; +import org.springframework.web.bind.annotation.RequestParam; +import org.springframework.web.bind.annotation.ResponseBody; +import org.springframework.web.bind.annotation.RestController; -import java.sql.*; +import javax.sql.DataSource; +import java.sql.Connection; +import java.sql.ResultSet; +import java.sql.SQLException; +import java.sql.Statement; + +import static java.sql.ResultSet.CONCUR_READ_ONLY; +import static java.sql.ResultSet.TYPE_SCROLL_INSENSITIVE; @RestController @AssignmentHints(value = {"SqlStringInjectionHint3-1", "SqlStringInjectionHint3-2"}) public class SqlInjectionLesson3 extends AssignmentEndpoint { + private final DataSource dataSource; + + public SqlInjectionLesson3(DataSource dataSource) { + this.dataSource = dataSource; + } + @PostMapping("/SqlInjection/attack3") @ResponseBody public AttackResult completed(@RequestParam String query) { 
@@ -43,15 +58,10 @@ public class SqlInjectionLesson3 extends AssignmentEndpoint { } protected AttackResult injectableQuery(String _query) { - try { - Connection connection = DatabaseUtilities.getConnection(getWebSession()); - String query = _query; - - try { - Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, - ResultSet.CONCUR_READ_ONLY); - Statement check_statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, - ResultSet.CONCUR_READ_ONLY); + try (Connection connection = dataSource.getConnection()) { + try (Statement statement = connection.createStatement(TYPE_SCROLL_INSENSITIVE, CONCUR_READ_ONLY)) { + Statement check_statement = connection.createStatement(TYPE_SCROLL_INSENSITIVE, + CONCUR_READ_ONLY); statement.executeUpdate(_query); ResultSet _results = check_statement.executeQuery("SELECT * FROM employees WHERE last_name='Barnett';"); StringBuffer output = new StringBuffer(); @@ -66,7 +76,6 @@ public class SqlInjectionLesson3 extends AssignmentEndpoint { } } catch (SQLException sqle) { - return trackProgress(failed().output(sqle.getMessage()).build()); } } catch (Exception e) { diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson4.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson4.java index 703e99719..9bbe9e831 100644 --- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson4.java +++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson4.java 
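Review bot: In `injectableQuery` only `statement` is placed in try-with-resources; `check_statement` is still created with a plain assignment inside the block and is never closed, so the second statement and its `ResultSet` keep leaking. Declare both in the same resource list: `try (Statement statement = connection.createStatement(TYPE_SCROLL_INSENSITIVE, CONCUR_READ_ONLY); Statement check_statement = connection.createStatement(TYPE_SCROLL_INSENSITIVE, CONCUR_READ_ONLY)) {`. Note also that the sibling Lesson4 rewrite in this patch adds `connection.commit()` after its `executeUpdate` while this one does not; if the pool hands out connections with auto-commit off, the student's UPDATE here would be rolled back when the connection is returned, so the two lessons should agree on one approach. The rest of the method and its `catch (Exception e)` run past this hunk.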
@@ -25,19 +25,28 @@ package org.owasp.webgoat.sql_injection.introduction; import org.owasp.webgoat.assignments.AssignmentEndpoint; import org.owasp.webgoat.assignments.AssignmentHints; -import org.owasp.webgoat.assignments.AssignmentPath; import org.owasp.webgoat.assignments.AttackResult; -import org.owasp.webgoat.session.DatabaseUtilities; -import org.springframework.web.bind.annotation.*; +import org.springframework.web.bind.annotation.PostMapping; +import org.springframework.web.bind.annotation.RequestParam; +import org.springframework.web.bind.annotation.ResponseBody; +import org.springframework.web.bind.annotation.RestController; -import java.io.IOException; +import javax.sql.DataSource; import java.sql.*; +import static java.sql.ResultSet.*; + @RestController @AssignmentHints(value = {"SqlStringInjectionHint4-1", "SqlStringInjectionHint4-2", "SqlStringInjectionHint4-3"}) public class SqlInjectionLesson4 extends AssignmentEndpoint { + private final DataSource dataSource; + + public SqlInjectionLesson4(DataSource dataSource) { + this.dataSource = dataSource; + } + @PostMapping("/SqlInjection/attack4") @ResponseBody public AttackResult completed(@RequestParam String query) { 
@@ -45,16 +54,11 @@ public class SqlInjectionLesson4 extends AssignmentEndpoint { } protected AttackResult injectableQuery(String _query) { - try { - Connection connection = DatabaseUtilities.getConnection(getWebSession()); - try { - Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, - ResultSet.CONCUR_READ_ONLY); - Statement check_statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, - ResultSet.CONCUR_READ_ONLY); + try (Connection connection = dataSource.getConnection()) { + try (Statement statement = connection.createStatement(TYPE_SCROLL_INSENSITIVE, CONCUR_READ_ONLY)) { statement.executeUpdate(_query); - ResultSet _results = check_statement.executeQuery("SELECT phone from employees;"); - ResultSetMetaData _resultMetaData = _results.getMetaData(); + connection.commit(); + ResultSet _results = statement.executeQuery("SELECT phone from employees;"); StringBuffer output = new StringBuffer(); // user completes lesson if column phone exists if (_results.first()) { @@ -63,9 +67,7 @@ public class SqlInjectionLesson4 extends AssignmentEndpoint { } else { return trackProgress(failed().output(output.toString()).build()); } - } catch (SQLException sqle) { - return trackProgress(failed().output(sqle.getMessage()).build()); } } catch (Exception e) { diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5.java index 8e1b587ed..bc2f0d062 100644 --- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5.java +++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5.java 
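Review bot: The added `connection.commit()` after `statement.executeUpdate(_query)` is unconditional; per the JDBC contract, `commit()` on a connection in auto-commit mode should raise a `SQLException` (driver behaviour varies), and because the inner `catch (SQLException sqle)` was removed in the same change such an error would surface through the outer `catch (Exception e)` as a class-name-prefixed failure rather than the student's result. Guard it, `if (!connection.getAutoCommit()) { connection.commit(); }`, or set the mode explicitly on the connection before the update and document why. `_query` executed verbatim is the assignment's intentional injection sink. The method's `catch (Exception e)` lies outside the hunk.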
@@ -38,13 +38,13 @@ public class SqlInjectionLesson5 extends AssignmentEndpoint { @PostMapping("/SqlInjection/attack5") @ResponseBody - public AttackResult completed(@RequestParam("_query") String query) { + public AttackResult completed(String query) { return injectableQuery(query); } protected AttackResult injectableQuery(String query) { try { - String regex = "(?i)^(grant alter table to [\"']?unauthorizedUser[\"']?)(?:[;]?)$"; + String regex = "(?i)^(grant alter table to [']?unauthorizedUser[']?)(?:[;]?)$"; StringBuffer output = new StringBuffer(); // user completes lesson if the query is correct diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java index 714ab0c06..380d4b69e 100644 --- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java +++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java @@ -24,12 +24,13 @@ package org.owasp.webgoat.sql_injection.introduction; import org.owasp.webgoat.assignments.AssignmentEndpoint; import org.owasp.webgoat.assignments.AssignmentHints; -import org.owasp.webgoat.assignments.AssignmentPath; import org.owasp.webgoat.assignments.AttackResult; -import org.owasp.webgoat.session.DatabaseUtilities; -import org.springframework.web.bind.annotation.*; +import org.springframework.web.bind.annotation.PostMapping; +import org.springframework.web.bind.annotation.RequestParam; +import org.springframework.web.bind.annotation.ResponseBody; +import org.springframework.web.bind.annotation.RestController; -import java.io.IOException; +import javax.sql.DataSource; import java.sql.*; 
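Review bot: Removing `@RequestParam("_query")` from `completed` silently changes the endpoint's contract in two ways: the form field is now bound by the Java parameter name `query` instead of `_query`, and a missing field no longer yields a 400 but binds `null`, which then reaches the regex match in `injectableQuery`. If the rename is intended, keep the binding explicit, `public AttackResult completed(@RequestParam String query) {`, so absence is still rejected; otherwise restore `@RequestParam("_query")`. The regex change also stops accepting `"` around `unauthorizedUser`; that is consistent with double quotes denoting identifiers in SQL, but a one-line comment would explain why the old pattern's `["']?` was narrowed.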
@@ -37,83 +38,83 @@ import java.sql.*; @AssignmentHints(value = {"SqlStringInjectionHint5a1"}) public class SqlInjectionLesson5a extends AssignmentEndpoint { - private static final String EXPLANATION = "
Explanation: This injection works, because or '1' = '1' " - + "always evaluates to true (The string ending literal for '1 is closed by the query itself, so you should not inject it). " - + "So the injected query basically looks like this: SELECT * FROM user_data WHERE first_name = 'John' and last_name = '' or TRUE, " - + "which will always evaluate to true, no matter what came before it."; + private static final String EXPLANATION = "
Explanation: This injection works, because or '1' = '1' " + + "always evaluates to true (The string ending literal for '1 is closed by the query itself, so you should not inject it). " + + "So the injected query basically looks like this: SELECT * FROM user_data WHERE first_name = 'John' and last_name = '' or TRUE, " + + "which will always evaluate to true, no matter what came before it."; + private final DataSource dataSource; - @PostMapping("/SqlInjection/assignment5a") - @ResponseBody - public AttackResult completed(@RequestParam String account, @RequestParam String operator, @RequestParam String injection) { - return injectableQuery(account + " " + operator + " " + injection); - } + public SqlInjectionLesson5a(DataSource dataSource) { + this.dataSource = dataSource; + } - protected AttackResult injectableQuery(String accountName) { - String query = ""; - try { - Connection connection = DatabaseUtilities.getConnection(getWebSession()); - query = "SELECT * FROM user_data WHERE first_name = 'John' and last_name = '" + accountName + "'"; - try(Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, - ResultSet.CONCUR_READ_ONLY)) { + @PostMapping("/SqlInjection/assignment5a") + @ResponseBody + public AttackResult completed(@RequestParam String account, @RequestParam String operator, @RequestParam String injection) { + return injectableQuery(account + " " + operator + " " + injection); + } - ResultSet results = statement.executeQuery(query); + protected AttackResult injectableQuery(String accountName) { + String query = ""; + try (Connection connection = dataSource.getConnection()) { + query = "SELECT * FROM user_data WHERE first_name = 'John' and last_name = '" + accountName + "'"; + try (Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_UPDATABLE)) { + ResultSet results = statement.executeQuery(query); - if ((results != null) && (results.first())) { - ResultSetMetaData resultsMetaData = 
results.getMetaData(); - StringBuilder output = new StringBuilder(); + if ((results != null) && (results.first())) { + ResultSetMetaData resultsMetaData = results.getMetaData(); + StringBuilder output = new StringBuilder(); - output.append(writeTable(results, resultsMetaData)); - results.last(); + output.append(writeTable(results, resultsMetaData)); + results.last(); + + // If they get back more than one user they succeeded + if (results.getRow() >= 6) { + return trackProgress(success().feedback("sql-injection.5a.success").output("Your query was: " + query + EXPLANATION).feedbackArgs(output.toString()).build()); + } else { + return trackProgress(failed().output(output.toString() + "
Your query was: " + query).build()); + } + } else { + return trackProgress(failed().feedback("sql-injection.5a.no.results").output("Your query was: " + query).build()); + } + } catch (SQLException sqle) { + return trackProgress(failed().output(sqle.getMessage() + "
Your query was: " + query).build()); + } + } catch (Exception e) { + return trackProgress(failed().output(this.getClass().getName() + " : " + e.getMessage() + "
Your query was: " + query).build()); + } + } + + public static String writeTable(ResultSet results, ResultSetMetaData resultsMetaData) throws SQLException { + int numColumns = resultsMetaData.getColumnCount(); + results.beforeFirst(); + StringBuilder t = new StringBuilder(); + t.append("

"); + + if (results.next()) { + for (int i = 1; i < (numColumns + 1); i++) { + t.append(resultsMetaData.getColumnName(i)); + t.append(", "); + } + + t.append("
"); + results.beforeFirst(); + + while (results.next()) { + + for (int i = 1; i < (numColumns + 1); i++) { + t.append(results.getString(i)); + t.append(", "); + } + + t.append("
"); + } - // If they get back more than one user they succeeded - if (results.getRow() >= 6) { - return trackProgress(success().feedback("sql-injection.5a.success").output("Your query was: " + query + EXPLANATION).feedbackArgs(output.toString()).build()); - } else { - return trackProgress(failed().output(output.toString() + "
Your query was: " + query).build()); - } } else { - return trackProgress(failed().feedback("sql-injection.5a.no.results").output("Your query was: " + query).build()); - - } - } catch (SQLException sqle) { - - return trackProgress(failed().output(sqle.getMessage() + "
Your query was: " + query).build()); - } - } catch (Exception e) { - return trackProgress(failed().output(this.getClass().getName() + " : " + e.getMessage() + "
Your query was: " + query).build()); - } - } - - public static String writeTable(ResultSet results, ResultSetMetaData resultsMetaData) throws SQLException { - int numColumns = resultsMetaData.getColumnCount(); - results.beforeFirst(); - StringBuilder t = new StringBuilder(); - t.append("

"); - - if (results.next()) { - for (int i = 1; i < (numColumns + 1); i++) { - t.append(resultsMetaData.getColumnName(i)); - t.append(", "); - } - - t.append("
"); - results.beforeFirst(); - - while (results.next()) { - - for (int i = 1; i < (numColumns + 1); i++) { - t.append(results.getString(i)); - t.append(", "); + t.append("Query Successful; however no data was returned from this query."); } - t.append("
"); - } - - } else { - t.append("Query Successful; however no data was returned from this query."); + t.append("

"); + return (t.toString()); } - - t.append("

"); - return (t.toString()); - } } \ No newline at end of file diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java index 1638ff143..00e4c0560 100644 --- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java +++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java @@ -26,10 +26,13 @@ package org.owasp.webgoat.sql_injection.introduction; import org.owasp.webgoat.assignments.AssignmentEndpoint; import org.owasp.webgoat.assignments.AssignmentHints; import org.owasp.webgoat.assignments.AttackResult; -import org.owasp.webgoat.session.DatabaseUtilities; -import org.springframework.web.bind.annotation.*; +import org.springframework.web.bind.annotation.PostMapping; +import org.springframework.web.bind.annotation.RequestParam; +import org.springframework.web.bind.annotation.ResponseBody; +import org.springframework.web.bind.annotation.RestController; import javax.servlet.http.HttpServletRequest; +import javax.sql.DataSource; import java.io.IOException; import java.sql.*; 
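Review bot: `injectableQuery` switches its statement from `ResultSet.CONCUR_READ_ONLY` to `ResultSet.CONCUR_UPDATABLE` for a SELECT that is only read and scrolled; nothing in the method updates rows, and a read-only result set is the least-privilege choice for a query assembled from user input. Unless the HSQLDB driver needed this to return a scrollable cursor (in which case say so in a comment), revert to `try (Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY)) {`. The `results.getRow() >= 6` threshold is a magic number tied to the seeded `user_data` rows; a named constant such as `private static final int MIN_ROWS_FOR_SUCCESS = 6;` with a comment on its origin would keep it maintainable. `writeTable` appends raw column values to what appears to be markup output; if that is rendered as HTML, a comment should state that the lack of escaping is deliberate for this lesson.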
@@ -38,59 +41,61 @@ import java.sql.*; @AssignmentHints(value = {"SqlStringInjectionHint5b1", "SqlStringInjectionHint5b2", "SqlStringInjectionHint5b3", "SqlStringInjectionHint5b4"}) public class SqlInjectionLesson5b extends AssignmentEndpoint { - @PostMapping("/SqlInjection/assignment5b") - @ResponseBody - public AttackResult completed(@RequestParam String userid, @RequestParam String login_count, HttpServletRequest request) throws IOException { - return injectableQuery(login_count, userid); - } + private final DataSource dataSource; - protected AttackResult injectableQuery(String login_count, String accountName) { - String queryString = "SELECT * From user_data WHERE Login_Count = ? and userid= " + accountName; - try { - Connection connection = DatabaseUtilities.getConnection(getWebSession()); - PreparedStatement query = connection.prepareStatement(queryString, ResultSet.TYPE_SCROLL_INSENSITIVE, - ResultSet.CONCUR_READ_ONLY); + public SqlInjectionLesson5b(DataSource dataSource) { + this.dataSource = dataSource; + } - int count = 0; - try { - count = Integer.parseInt(login_count); - } catch(Exception e) { - return trackProgress(failed().output("Could not parse: " + login_count + " to a number" + - "
Your query was: " + queryString.replace("?", login_count)).build()); - } + @PostMapping("/SqlInjection/assignment5b") + @ResponseBody + public AttackResult completed(@RequestParam String userid, @RequestParam String login_count, HttpServletRequest request) throws IOException { + return injectableQuery(login_count, userid); + } - query.setInt(1, count); - //String query = "SELECT * FROM user_data WHERE Login_Count = " + login_count + " and userid = " + accountName, ; - try { - Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, - ResultSet.CONCUR_READ_ONLY); - ResultSet results = query.executeQuery(); + protected AttackResult injectableQuery(String login_count, String accountName) { + String queryString = "SELECT * From user_data WHERE Login_Count = ? and userid= " + accountName; + try (Connection connection = dataSource.getConnection()) { + PreparedStatement query = connection.prepareStatement(queryString, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY); - if ((results != null) && (results.first() == true)) { - ResultSetMetaData resultsMetaData = results.getMetaData(); - StringBuffer output = new StringBuffer(); + int count = 0; + try { + count = Integer.parseInt(login_count); + } catch (Exception e) { + return trackProgress(failed().output("Could not parse: " + login_count + " to a number" + + "
Your query was: " + queryString.replace("?", login_count)).build()); + } - output.append(SqlInjectionLesson5a.writeTable(results, resultsMetaData)); - results.last(); + query.setInt(1, count); + //String query = "SELECT * FROM user_data WHERE Login_Count = " + login_count + " and userid = " + accountName, ; + try { + ResultSet results = query.executeQuery(); - // If they get back more than one user they succeeded - if (results.getRow() >= 6) { - return trackProgress(success().feedback("sql-injection.5b.success").output("Your query was: " + queryString.replace("?", login_count)).feedbackArgs(output.toString()).build()); - } else { - return trackProgress(failed().output(output.toString() + "
Your query was: " + queryString.replace("?", login_count)).build()); - } + if ((results != null) && (results.first() == true)) { + ResultSetMetaData resultsMetaData = results.getMetaData(); + StringBuffer output = new StringBuffer(); - } else { - return trackProgress(failed().feedback("sql-injection.5b.no.results").output("Your query was: " + queryString.replace("?", login_count)).build()); + output.append(SqlInjectionLesson5a.writeTable(results, resultsMetaData)); + results.last(); + + // If they get back more than one user they succeeded + if (results.getRow() >= 6) { + return trackProgress(success().feedback("sql-injection.5b.success").output("Your query was: " + queryString.replace("?", login_count)).feedbackArgs(output.toString()).build()); + } else { + return trackProgress(failed().output(output.toString() + "
Your query was: " + queryString.replace("?", login_count)).build()); + } + + } else { + return trackProgress(failed().feedback("sql-injection.5b.no.results").output("Your query was: " + queryString.replace("?", login_count)).build()); // output.append(getLabelManager().get("NoResultsMatched")); - } - } catch (SQLException sqle) { + } + } catch (SQLException sqle) { - return trackProgress(failed().output(sqle.getMessage() + "
Your query was: " + queryString.replace("?", login_count)).build()); - } - } catch (Exception e) { - return trackProgress(failed().output(this.getClass().getName() + " : " + e.getMessage() + "
Your query was: " + queryString.replace("?", login_count)).build()); + return trackProgress(failed().output(sqle.getMessage() + "
Your query was: " + queryString.replace("?", login_count)).build()); + } + } catch (Exception e) { + return trackProgress(failed().output(this.getClass().getName() + " : " + e.getMessage() + "
Your query was: " + queryString.replace("?", login_count)).build()); + } } - } } \ No newline at end of file diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java index 744d08eab..88dc0c0dd 100644 --- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java +++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 
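Review bot: `injectableQuery` prepares the statement before it validates `login_count`, so a non-numeric value returns early with a `PreparedStatement` already opened and never closed; the statement is not closed on the success path either, only the connection is. Run the `Integer.parseInt` block first, then open the statement in the resource list: `try (Connection connection = dataSource.getConnection(); PreparedStatement query = connection.prepareStatement(queryString, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY)) {`. The concatenated `accountName` in `queryString` is the assignment's intended injection point while `Login_Count` is bound, which deserves a comment because a half-parameterized query reads like an oversight. The unused `HttpServletRequest request` parameter on `completed` can be dropped.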
@@ -25,20 +25,29 @@ package org.owasp.webgoat.sql_injection.introduction; import org.owasp.webgoat.assignments.AssignmentEndpoint; import org.owasp.webgoat.assignments.AssignmentHints; -import org.owasp.webgoat.assignments.AssignmentPath; import org.owasp.webgoat.assignments.AttackResult; -import org.owasp.webgoat.session.DatabaseUtilities; -import org.springframework.web.bind.annotation.*; - -import java.util.Calendar; -import java.text.SimpleDateFormat; +import org.springframework.web.bind.annotation.PostMapping; +import org.springframework.web.bind.annotation.RequestParam; +import org.springframework.web.bind.annotation.ResponseBody; +import org.springframework.web.bind.annotation.RestController; +import javax.sql.DataSource; import java.sql.*; +import java.text.SimpleDateFormat; +import java.util.Calendar; + +import static java.sql.ResultSet.*; @RestController @AssignmentHints(value = {"SqlStringInjectionHint.8.1", "SqlStringInjectionHint.8.2", "SqlStringInjectionHint.8.3", "SqlStringInjectionHint.8.4", "SqlStringInjectionHint.8.5"}) public class SqlInjectionLesson8 extends AssignmentEndpoint { + private final DataSource dataSource; + + public SqlInjectionLesson8(DataSource dataSource) { + this.dataSource = dataSource; + } + @PostMapping("/SqlInjection/attack8") @ResponseBody public AttackResult completed(@RequestParam String name, @RequestParam String auth_tan) { 
@@ -49,11 +58,9 @@ public class SqlInjectionLesson8 extends AssignmentEndpoint { StringBuffer output = new StringBuffer(); String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'"; - try { - Connection connection = DatabaseUtilities.getConnection(getWebSession()); - + try (Connection connection = dataSource.getConnection()) { try { - Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY); + Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_UPDATABLE); log(connection, query); ResultSet results = statement.executeQuery(query); @@ -126,7 +133,7 @@ public class SqlInjectionLesson8 extends AssignmentEndpoint { String log_query = "INSERT INTO access_log (time, action) VALUES ('" + time + "', '" + action + "')"; try { - Statement statement = connection.createStatement(); + Statement statement = connection.createStatement(TYPE_SCROLL_SENSITIVE, CONCUR_UPDATABLE); statement.executeUpdate(log_query); } catch (SQLException e) { System.err.println(e.getMessage()); diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java index ecd422b16..32e325ae1 100644 --- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java +++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java 
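Review bot: In `log`, the new `connection.createStatement(TYPE_SCROLL_SENSITIVE, CONCUR_UPDATABLE)` buys nothing for an `executeUpdate` of an INSERT — result-set type and concurrency only affect cursors returned by a query — and the statement is still never closed. `try (Statement statement = connection.createStatement()) { statement.executeUpdate(log_query); }` is both correct and simpler. The first hunk likewise moves a read-only SELECT to `ResultSet.CONCUR_UPDATABLE` with no visible reason; keep `CONCUR_READ_ONLY` unless the driver requires otherwise, and say so. The concatenated `action` in `log_query` carries the student's raw input into a second statement; if that second-order injection is deliberate for the access_log assignment, mark it with a comment, otherwise bind it through a `PreparedStatement`.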
@@ -26,21 +26,30 @@ package org.owasp.webgoat.sql_injection.introduction; import org.owasp.webgoat.assignments.AssignmentEndpoint; import org.owasp.webgoat.assignments.AssignmentHints; import org.owasp.webgoat.assignments.AttackResult; -import org.owasp.webgoat.session.DatabaseUtilities; import org.springframework.web.bind.annotation.PostMapping; import org.springframework.web.bind.annotation.RequestParam; import org.springframework.web.bind.annotation.ResponseBody; import org.springframework.web.bind.annotation.RestController; +import javax.sql.DataSource; import java.sql.Connection; import java.sql.ResultSet; import java.sql.SQLException; import java.sql.Statement; +import static java.sql.ResultSet.CONCUR_READ_ONLY; +import static org.hsqldb.jdbc.JDBCResultSet.*; + @RestController @AssignmentHints(value = {"SqlStringInjectionHint.9.1", "SqlStringInjectionHint.9.2", "SqlStringInjectionHint.9.3", "SqlStringInjectionHint.9.4", "SqlStringInjectionHint.9.5"}) public class SqlInjectionLesson9 extends AssignmentEndpoint { + private final DataSource dataSource; + + public SqlInjectionLesson9(DataSource dataSource) { + this.dataSource = dataSource; + } + @PostMapping("/SqlInjection/attack9") @ResponseBody public AttackResult completed(@RequestParam String name, @RequestParam String auth_tan) { 
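Review bot: The new `import static org.hsqldb.jdbc.JDBCResultSet.*;` pulls the `TYPE_SCROLL_SENSITIVE`/`CONCUR_UPDATABLE` constants from the HSQLDB driver class, while `CONCUR_READ_ONLY` on the line above comes from `java.sql.ResultSet`; that couples lesson code to the driver implementation and, through the wildcard, to every other static member of that class. Replace both lines with `import static java.sql.ResultSet.CONCUR_UPDATABLE;` and `import static java.sql.ResultSet.TYPE_SCROLL_SENSITIVE;`, which also matches how Lesson2 and Lesson3 import them in this patch. `CONCUR_READ_ONLY` appears unused in the hunks shown once the statements below were switched to updatable, so it can be dropped when that is settled.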
@@ -50,15 +59,12 @@ public class SqlInjectionLesson9 extends AssignmentEndpoint { protected AttackResult injectableQueryIntegrity(String name, String auth_tan) { StringBuffer output = new StringBuffer(); String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'"; - - try { - Connection connection = DatabaseUtilities.getConnection(getWebSession()); - + try (Connection connection = dataSource.getConnection()) { try { - Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY); + Statement statement = connection.createStatement(TYPE_SCROLL_SENSITIVE, CONCUR_UPDATABLE); SqlInjectionLesson8.log(connection, query); ResultSet results = statement.executeQuery(query); - + var test = results.getRow() != 0; if (results.getStatement() != null) { if (results.first()) { output.append(SqlInjectionLesson8.generateTable(results)); @@ -66,7 +72,6 @@ public class SqlInjectionLesson9 extends AssignmentEndpoint { // no results return trackProgress(failed().feedback("sql-injection.8.no.results").build()); } - } } catch (SQLException e) { System.err.println(e.getMessage()); 
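Review bot: `var test = results.getRow() != 0;` in `injectableQueryIntegrity` is dead code — `test` is never read, and `getRow()` returns 0 before the cursor is positioned — so it looks like debugging residue and should be removed. The statement was also switched from `TYPE_SCROLL_INSENSITIVE, CONCUR_READ_ONLY` to `TYPE_SCROLL_SENSITIVE, CONCUR_UPDATABLE` for a query this method only reads; keep the read-only form unless the driver needs otherwise, and close the `Statement` with try-with-resources as `checkSalaryRanking` now does. The method continues past this hunk.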
@@ -84,20 +89,20 @@ public class SqlInjectionLesson9 extends AssignmentEndpoint { private AttackResult checkSalaryRanking(Connection connection, StringBuffer output) { try { String query = "SELECT * FROM employees ORDER BY salary DESC"; - Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY); - ResultSet results = statement.executeQuery(query); + try (Statement statement = connection.createStatement(TYPE_SCROLL_SENSITIVE, CONCUR_UPDATABLE); + ) { + ResultSet results = statement.executeQuery(query); - results.first(); - // user completes lesson if John Smith is the first in the list - if ((results.getString(2).equals("John")) && (results.getString(3).equals("Smith"))) { - output.append(SqlInjectionLesson8.generateTable(results)); - return trackProgress(success().feedback("sql-injection.9.success").output(output.toString()).build()); - } else { - return trackProgress(failed().feedback("sql-injection.9.one").output(output.toString()).build()); + results.first(); + // user completes lesson if John Smith is the first in the list + if ((results.getString(2).equals("John")) && (results.getString(3).equals("Smith"))) { + output.append(SqlInjectionLesson8.generateTable(results)); + return trackProgress(success().feedback("sql-injection.9.success").output(output.toString()).build()); + } else { + return trackProgress(failed().feedback("sql-injection.9.one").output(output.toString()).build()); + } } - } catch (SQLException e) { - System.err.println(e.getMessage()); return trackProgress(failed().feedback("sql-injection.error").output("
").build()); } } diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/Servers.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/Servers.java index cf32533d1..19400c1a2 100644 --- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/Servers.java +++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/Servers.java @@ -26,12 +26,10 @@ import com.google.common.collect.Lists; import lombok.AllArgsConstructor; import lombok.Getter; import lombok.SneakyThrows; -import org.owasp.webgoat.session.DatabaseUtilities; -import org.owasp.webgoat.session.WebSession; -import org.springframework.beans.factory.annotation.Autowired; import org.springframework.http.MediaType; import org.springframework.web.bind.annotation.*; +import javax.sql.DataSource; import java.sql.Connection; import java.sql.PreparedStatement; import java.sql.ResultSet; @@ -45,6 +43,8 @@ import java.util.List; @RequestMapping("SqlInjectionMitigations/servers") public class Servers { + private final DataSource dataSource; + @AllArgsConstructor @Getter private class Server { @@ -57,14 +57,15 @@ public class Servers { private String description; } - @Autowired - private WebSession webSession; + public Servers(DataSource dataSource) { + this.dataSource = dataSource; + } @GetMapping(produces = MediaType.APPLICATION_JSON_VALUE) @SneakyThrows @ResponseBody public List sort(@RequestParam String column) { - Connection connection = DatabaseUtilities.getConnection(webSession); + Connection connection = dataSource.getConnection(); PreparedStatement preparedStatement = connection.prepareStatement("select id, hostname, ip, mac, status, description from servers where status <> 'out of order' order by " + column); ResultSet rs = preparedStatement.executeQuery(); List servers = Lists.newArrayList(); 
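Review bot: `checkSalaryRanking` now swallows the `SQLException` entirely — the `System.err.println(e.getMessage())` was removed and the catch returns a generic `sql-injection.error` with empty output — so a broken `employees` table after an injection fails without any trace. Keep at least the previous stderr line (no logger is visible on this class) in the catch. `results.first()` is still unchecked before `results.getString(2)`, which throws on an empty table and lands in this same silent catch; `if (results.first() && "John".equals(results.getString(2)) && "Smith".equals(results.getString(3))) {` separates "no rows" from "wrong order" and avoids the NPE on null columns.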
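Review bot: `sort` takes a `Connection` from the pool and never closes it; with `@SneakyThrows` and no try-with-resources, every request to `SqlInjectionMitigations/servers` leaks one pooled connection, whereas the previous session-bound connection was presumably managed elsewhere. Wrap it, `try (Connection connection = dataSource.getConnection(); PreparedStatement preparedStatement = connection.prepareStatement(...)) {`, around the rest of the method. The `order by " + column` concatenation is the vulnerability this mitigation lesson is built around, so keep it but label it `// deliberately injectable ORDER BY: the lesson's target`. The remainder of `sort` runs past the hunk.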
diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlInjectionLesson10a.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlInjectionLesson10a.java index 3d885a002..c50ef2d05 100644 --- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlInjectionLesson10a.java +++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlInjectionLesson10a.java @@ -22,23 +22,20 @@ package org.owasp.webgoat.sql_injection.mitigation; -import lombok.SneakyThrows; import lombok.extern.slf4j.Slf4j; import org.owasp.webgoat.assignments.AssignmentEndpoint; import org.owasp.webgoat.assignments.AssignmentHints; -import org.owasp.webgoat.assignments.AssignmentPath; import org.owasp.webgoat.assignments.AttackResult; -import org.owasp.webgoat.session.WebSession; -import org.springframework.beans.factory.annotation.Autowired; -import org.springframework.web.bind.annotation.*; +import org.springframework.web.bind.annotation.PostMapping; +import org.springframework.web.bind.annotation.RequestParam; +import org.springframework.web.bind.annotation.ResponseBody; +import org.springframework.web.bind.annotation.RestController; @RestController @Slf4j @AssignmentHints(value = {"SqlStringInjectionHint-mitigation-10a-1", "SqlStringInjectionHint-mitigation-10a-10a2"}) public class SqlInjectionLesson10a extends AssignmentEndpoint { - @Autowired - private WebSession webSession; private String[] results = {"getConnection", "PreparedStatement", "prepareStatement", "?", "?", "setString", "setString"}; @PostMapping("/SqlInjectionMitigations/attack10a") 
@@ -47,15 +44,15 @@ public class SqlInjectionLesson10a extends AssignmentEndpoint { String[] userInput = {field1, field2, field3, field4, field5, field6, field7}; int position = 0; boolean completed = false; - for(String input : userInput) { - if(input.toLowerCase().contains(this.results[position].toLowerCase())) { + for (String input : userInput) { + if (input.toLowerCase().contains(this.results[position].toLowerCase())) { completed = true; } else { return trackProgress(failed().build()); } position++; } - if(completed) { + if (completed) { return trackProgress(success().build()); } return trackProgress(failed().build()); diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlInjectionLesson12a.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlInjectionLesson12a.java index 84d09a919..5bef46772 100644 --- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlInjectionLesson12a.java +++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlInjectionLesson12a.java 
@@ -27,42 +27,40 @@ import lombok.extern.slf4j.Slf4j; import org.owasp.webgoat.assignments.AssignmentEndpoint; import org.owasp.webgoat.assignments.AssignmentHints; import org.owasp.webgoat.assignments.AttackResult; -import org.owasp.webgoat.session.DatabaseUtilities; -import org.owasp.webgoat.session.WebSession; -import org.springframework.beans.factory.annotation.Autowired; import org.springframework.web.bind.annotation.PostMapping; import org.springframework.web.bind.annotation.RequestParam; import org.springframework.web.bind.annotation.ResponseBody; import org.springframework.web.bind.annotation.RestController; +import javax.sql.DataSource; import java.sql.Connection; import java.sql.PreparedStatement; import java.sql.ResultSet; -/** - * @author nbaars - * @since 6/13/17. - */ @RestController @AssignmentHints(value = {"SqlStringInjectionHint-mitigation-12a-1", "SqlStringInjectionHint-mitigation-12a-2", "SqlStringInjectionHint-mitigation-12a-3", "SqlStringInjectionHint-mitigation-12a-4"}) @Slf4j public class SqlInjectionLesson12a extends AssignmentEndpoint { - @Autowired - private WebSession webSession; + private final DataSource dataSource; + + public SqlInjectionLesson12a(DataSource dataSource) { + this.dataSource = dataSource; + } @PostMapping("/SqlInjectionMitigations/attack12a") @ResponseBody @SneakyThrows public AttackResult completed(@RequestParam String ip) { - Connection connection = DatabaseUtilities.getConnection(webSession); - PreparedStatement preparedStatement = connection.prepareStatement("select ip from servers where ip = ? and hostname = ?"); - preparedStatement.setString(1, ip); - preparedStatement.setString(2, "webgoat-prd"); - ResultSet resultSet = preparedStatement.executeQuery(); - if (resultSet.next()) { - return trackProgress(success().build()); + try (Connection connection = dataSource.getConnection()) { + PreparedStatement preparedStatement = connection.prepareStatement("select ip from servers where ip = ? 
and hostname = ?");
+ preparedStatement.setString(1, ip);
+ preparedStatement.setString(2, "webgoat-prd");
+ ResultSet resultSet = preparedStatement.executeQuery();
+ if (resultSet.next()) {
+ return trackProgress(success().build());
+ }
+ return trackProgress(failed().build());
 }
- return trackProgress(failed().build());
 }
 }
\ No newline at end of file
diff --git a/webgoat-lessons/sql-injection/src/main/resources/db/migration/V2019_09_26_1__servers.sql b/webgoat-lessons/sql-injection/src/main/resources/db/migration/V2019_09_26_1__servers.sql
new file mode 100644
index 000000000..6dbdb7762
--- /dev/null
+++ b/webgoat-lessons/sql-injection/src/main/resources/db/migration/V2019_09_26_1__servers.sql
@@ -0,0 +1,13 @@
+CREATE TABLE servers(
+ id varchar(10),
+ hostname varchar(20),
+ ip varchar(20),
+ mac varchar(20),
+ status varchar(20),
+ description varchar(40)
+);
+INSERT INTO servers VALUES ('1', 'webgoat-dev', '192.168.4.0', 'AA:BB:11:22:CC:DD', 'online', 'Development server');
+INSERT INTO servers VALUES ('2', 'webgoat-tst', '192.168.2.1', 'EE:FF:33:44:AB:CD', 'online', 'Test server');
+INSERT INTO servers VALUES ('3', 'webgoat-acc', '192.168.3.3', 'EF:12:FE:34:AA:CC', 'offline', 'Acceptance server');
+INSERT INTO servers VALUES ('4', 'webgoat-pre-prod', '192.168.6.4', 'EF:12:FE:34:AA:CC', 'offline', 'Pre-production server');
+INSERT INTO servers VALUES ('4', 'webgoat-prd', '104.130.219.202', 'FA:91:EB:82:DC:73', 'out of order', 'Production server');
diff --git a/webgoat-lessons/sql-injection/src/main/resources/db/migration/V2019_09_26_2__users.sql b/webgoat-lessons/sql-injection/src/main/resources/db/migration/V2019_09_26_2__users.sql
new file mode 100644
index 000000000..355feaf55
--- /dev/null
+++ b/webgoat-lessons/sql-injection/src/main/resources/db/migration/V2019_09_26_2__users.sql
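Review bot: In `completed`, only the `Connection` is a try-with-resources resource; `preparedStatement` and `resultSet` are left to whatever the connection's `close()` does with open statements, which for a pooled connection depends on the pool's proxy implementation rather than on this code. Add them to the resource list: `try (Connection connection = dataSource.getConnection(); PreparedStatement preparedStatement = connection.prepareStatement("select ip from servers where ip = ? and hostname = ?")) {` followed by `try (ResultSet resultSet = preparedStatement.executeQuery()) { return trackProgress(resultSet.next() ? success().build() : failed().build()); }`. Binding `ip` via `setString` is correct here; the injection this assignment grades presumably happens through the `Servers` sort endpoint, not through this query, so a one-line comment saying where the learner is expected to inject would help the next reader.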
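Review bot: Two rows are inserted with id `'4'` (`webgoat-pre-prod` and `webgoat-prd`), and nothing in the DDL catches it because `id` has no key; the production row should presumably be `'5'`, and `id varchar(10) not null primary key` would have failed the migration instead of silently seeding a duplicate. Since the sort endpoint orders by a request-supplied column, duplicate ids also leave the `order by id` output order undefined for the lesson. The acceptance and pre-production rows share the MAC `EF:12:FE:34:AA:CC`, which may be deliberate but reads like a copy-paste. `104.130.219.202` is a routable public address; fixture data is safer in an RFC 5737 documentation range, e.g. `203.0.113.10`. Prefer an explicit column list as well: `INSERT INTO servers (id, hostname, ip, mac, status, description) VALUES ('5', 'webgoat-prd', '203.0.113.10', 'FA:91:EB:82:DC:73', 'out of order', 'Production server');`.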
@@ -0,0 +1,24 @@
+CREATE TABLE user_data(
+ userid int not null,
+ first_name varchar(20),
+ last_name varchar(20),
+ cc_number varchar(30),
+ cc_type varchar(10),
+ cookie varchar(20),
+ login_count int
+);
+INSERT INTO user_data VALUES (101,'Joe','Snow','987654321','VISA',' ',0);
+INSERT INTO user_data VALUES (101,'Joe','Snow','2234200065411','MC',' ',0);
+INSERT INTO user_data VALUES (102,'John','Smith','2435600002222','MC',' ',0);
+INSERT INTO user_data VALUES (102,'John','Smith','4352209902222','AMEX',' ',0);
+INSERT INTO user_data VALUES (103,'Jane','Plane','123456789','MC',' ',0);
+INSERT INTO user_data VALUES (103,'Jane','Plane','333498703333','AMEX',' ',0);
+INSERT INTO user_data VALUES (10312,'Jolly','Hershey','176896789','MC',' ',0);
+INSERT INTO user_data VALUES (10312,'Jolly','Hershey','333300003333','AMEX',' ',0);
+INSERT INTO user_data VALUES (10323,'Grumpy','youaretheweakestlink','673834489','MC',' ',0);
+INSERT INTO user_data VALUES (10323,'Grumpy','youaretheweakestlink','33413003333','AMEX',' ',0);
+INSERT INTO user_data VALUES (15603,'Peter','Sand','123609789','MC',' ',0);
+INSERT INTO user_data VALUES (15603,'Peter','Sand','338893453333','AMEX',' ',0);
+INSERT INTO user_data VALUES (15613,'Joesph','Something','33843453533','AMEX',' ',0);
+INSERT INTO user_data VALUES (15837,'Chaos','Monkey','32849386533','CM',' ',0);
+INSERT INTO user_data VALUES (19204,'Mr','Goat','33812953533','VISA',' ',0);
diff --git a/webgoat-lessons/sql-injection/src/main/resources/db/migration/V2019_09_26_3__salaries.sql b/webgoat-lessons/sql-injection/src/main/resources/db/migration/V2019_09_26_3__salaries.sql
new file mode 100644
index 000000000..12961e2f8
--- /dev/null
+++ b/webgoat-lessons/sql-injection/src/main/resources/db/migration/V2019_09_26_3__salaries.sql
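Review bot: The `V2019_09_26_n__` naming suggests these are Flyway versioned migrations, which run once per database rather than once per learner session; if that is the case, `user_data` becomes shared mutable state for every SQL injection exercise that runs learner-supplied SQL against it, and a single successful `'; DROP TABLE user_data --` or stray `UPDATE` breaks the lesson for every other user until the schema is rebuilt. Worth confirming how the lesson-reset path restores these tables, or seeding per-user copies, before this replaces the old per-session setup. Separately, the `INSERT`s carry no column list, so a later column addition would silently shift values; `INSERT INTO user_data (userid, first_name, last_name, cc_number, cc_type, cookie, login_count) VALUES (...)` is the safer form. The repeated `userid` values (two cards per person) look intentional, so no key is expected on that column.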
@@ -0,0 +1,10 @@
+CREATE TABLE salaries(
+ userid varchar(50),
+ salary int
+);
+
+INSERT INTO salaries VALUES ('jsmith', 20000);
+INSERT INTO salaries VALUES ('lsmith', 45000);
+INSERT INTO salaries VALUES ('wgoat', 100000);
+INSERT INTO salaries VALUES ('rjones', 777777);
+INSERT INTO salaries VALUES ('manderson', 65000);
diff --git a/webgoat-lessons/sql-injection/src/main/resources/db/migration/V2019_09_26_4__tan.sql b/webgoat-lessons/sql-injection/src/main/resources/db/migration/V2019_09_26_4__tan.sql
new file mode 100644
index 000000000..5029282f0
--- /dev/null
+++ b/webgoat-lessons/sql-injection/src/main/resources/db/migration/V2019_09_26_4__tan.sql
@@ -0,0 +1,14 @@
+CREATE TABLE user_data_tan (
+ userid int not null,
+ first_name varchar(20),
+ last_name varchar(20),
+ cc_number varchar(30),
+ cc_type varchar(10),
+ cookie varchar(20),
+ login_count int,
+ password varchar(20)
+);
+
+INSERT INTO user_data_tan VALUES (101,'Joe','Snow','987654321','VISA',' ',0, 'banana');
+INSERT INTO user_data_tan VALUES (102,'Jane','Plane','74589864','MC',' ',0, 'tarzan');
+INSERT INTO user_data_tan VALUES (103,'Jack','Sparrow','68659365','MC',' ',0, 'sniffy');
\ No newline at end of file
diff --git a/webgoat-lessons/sql-injection/src/main/resources/db/migration/V2019_09_26_5__challenge_assignment.sql b/webgoat-lessons/sql-injection/src/main/resources/db/migration/V2019_09_26_5__challenge_assignment.sql
new file mode 100644
index 000000000..46a5c5357
--- /dev/null
+++ b/webgoat-lessons/sql-injection/src/main/resources/db/migration/V2019_09_26_5__challenge_assignment.sql
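Review bot: `salaries.userid` is declared `varchar(50)` and seeded with login names (`'jsmith'`, `'wgoat'`), while `user_data.userid` in this same patch is an `int` and `employees.userid` is a six-character digit string; a column named `userid` that holds three different kinds of key is confusing for learners who are being taught to read the schema. If lesson queries elsewhere already reference `salaries.userid`, renaming it is not free, so at minimum document the mismatch in the migration: `-- userid here is the login name, not the numeric user_data.userid`. An explicit column list, `INSERT INTO salaries (userid, salary) VALUES ('jsmith', 20000);`, would also make the intent visible.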
@@ -0,0 +1,10 @@
+CREATE TABLE sql_challenge_users(
+ userid varchar(250),
+ email varchar(30),
+ password varchar(30)
+);
+
+INSERT INTO sql_challenge_users VALUES ('larry', 'larry@webgoat.org', 'larryknows');
+INSERT INTO sql_challenge_users VALUES ('tom', 'tom@webgoat.org', 'thisisasecretfortomonly');
+INSERT INTO sql_challenge_users VALUES ('alice', 'alice@webgoat.org', 'rt*(KJ()LP())$#**');
+INSERT INTO sql_challenge_users VALUES ('eve', 'eve@webgoat.org', '**********');
diff --git a/webgoat-lessons/sql-injection/src/main/resources/db/migration/V2019_09_26_6__user_system_data.sql b/webgoat-lessons/sql-injection/src/main/resources/db/migration/V2019_09_26_6__user_system_data.sql
new file mode 100644
index 000000000..cce0eed62
--- /dev/null
+++ b/webgoat-lessons/sql-injection/src/main/resources/db/migration/V2019_09_26_6__user_system_data.sql
@@ -0,0 +1,12 @@
+CREATE TABLE user_system_data(
+ userid int not null primary key,
+ user_name varchar(12),
+ password varchar(10),
+ cookie varchar(30)
+);
+
+INSERT INTO user_system_data VALUES (101,'jsnow','passwd1', '');
+INSERT INTO user_system_data VALUES (102,'jdoe','passwd2', '');
+INSERT INTO user_system_data VALUES (103,'jplane','passwd3', '');
+INSERT INTO user_system_data VALUES (104,'jeff','jeff', '');
+INSERT INTO user_system_data VALUES (105,'dave','passW0rD', '');
\ No newline at end of file
diff --git a/webgoat-lessons/sql-injection/src/main/resources/db/migration/V2019_09_26_7__employees.sql b/webgoat-lessons/sql-injection/src/main/resources/db/migration/V2019_09_26_7__employees.sql
new file mode 100644
index 000000000..2ea974f4d
--- /dev/null
+++ b/webgoat-lessons/sql-injection/src/main/resources/db/migration/V2019_09_26_7__employees.sql
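Review bot: `sql_challenge_users.userid` has no primary key or unique constraint, so the only thing preventing a second `'tom'` row is whatever existence check the challenge's registration code performs — and in a lesson about SQL injection that check is presumably itself the injectable query. Unless the challenge deliberately needs duplicate rows, add `CONSTRAINT sql_challenge_users_userid_pk PRIMARY KEY (userid)` so the database enforces uniqueness regardless of what the query layer does. `email varchar(30)` is tight if the challenge inserts learner-supplied addresses; most engines reject an overlong value rather than truncate it, which may be acceptable but should be a conscious choice. The seeded passwords are plaintext, which is fine for a deliberately weak training fixture but deserves a `-- plaintext on purpose: training data, never copy this pattern` comment so it is not mistaken for a model to follow.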
@@ -0,0 +1,20 @@
+CREATE TABLE employees(
+ userid varchar(6) not null primary key,
+ first_name varchar(20),
+ last_name varchar(20),
+ department varchar(20),
+ salary int,
+ auth_tan varchar(6)
+);
+
+INSERT INTO employees VALUES ('32147','Paulina', 'Travers', 'Accounting', 46000, 'P45JSI');
+INSERT INTO employees VALUES ('89762','Tobi', 'Barnett', 'Development', 77000, 'TA9LL1');
+INSERT INTO employees VALUES ('96134','Bob', 'Franco', 'Marketing', 83700, 'LO9S2V');
+INSERT INTO employees VALUES ('34477','Abraham ', 'Holman', 'Development', 50000, 'UU2ALK');
+INSERT INTO employees VALUES ('37648','John', 'Smith', 'Marketing', 64350, '3SL99A');
+
+CREATE TABLE access_log (
+ id int not null primary key identity,
+ time varchar(50),
+ action varchar(200)
+);
diff --git a/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjection.html b/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjection.html
index 110ef126d..acbdc939d 100644
--- a/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjection.html
+++ b/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjection.html
@@ -116,7 +116,7 @@
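Review bot: The fourth `employees` row seeds `first_name` as `'Abraham '` with a trailing space, so any exact comparison on first_name or any displayed value will carry the stray whitespace; it should read `'Abraham'`. `access_log` uses `id int not null primary key identity`, which is HSQLDB/SQL Server syntax rather than the ANSI `GENERATED BY DEFAULT AS IDENTITY`; that is fine if HSQLDB is the only target, but the other migrations in this patch are dialect-neutral, so a `-- HSQLDB-specific identity column` comment would flag the dependency. `auth_tan` and `salary` are stored in clear text, presumably on purpose as the lesson's target data, which is worth saying in a comment for the same reason.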
-
"SELECT * FROM USERS WHERE NAME = ''";
+
"SELECT * FROM users WHERE name = ''";