diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson10.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson10.java index e1dcc4add..aeb62efa5 100644 --- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson10.java +++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson10.java @@ -14,6 +14,7 @@ import org.springframework.web.bind.annotation.ResponseBody; import java.sql.*; @AssignmentPath("/SqlInjection/attack10") +@AssignmentHints(value = {"SqlStringInjectionHint10-1", "SqlStringInjectionHint10-2", "SqlStringInjectionHint10-3", "SqlStringInjectionHint10-4", "SqlStringInjectionHint10-5", "SqlStringInjectionHint10-6"}) public class SqlInjectionLesson10 extends AssignmentEndpoint { @RequestMapping(method = RequestMethod.POST) diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson8.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson8.java index f7144f893..b12c392af 100644 --- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson8.java +++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson8.java @@ -78,6 +78,7 @@ public class SqlInjectionLesson8 extends AssignmentEndpoint { while (results.next()) { t.append(""); for (int i = 1; i < (numColumns + 1); i++) { + System.out.println(results.getString(i)); t.append("" + results.getString(i) + ""); } t.append(""); diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson9.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson9.java index 36da98a24..97b8c0b22 100644 --- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson9.java +++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson9.java @@ -48,7 +48,7 @@ public class SqlInjectionLesson9 extends AssignmentEndpoint { } catch (Exception e) { System.err.println(e.getMessage()); - return trackProgress(failed().output(this.getClass().getName() + " : " + e.getMessage()).build()); + return trackProgress(failed().output("
" + this.getClass().getName() + " : " + e.getMessage() + "").build()); } } @@ -59,11 +59,10 @@ public class SqlInjectionLesson9 extends AssignmentEndpoint { ResultSet results = statement.executeQuery(query); results.first(); - System.out.println(results.getString(2)); - System.out.println(results.getString(3)); // user completes lesson if John Smith is the first in the list if ((results.getString(2).equals("John")) && (results.getString(3).equals("Smith"))) { + output.append(SqlInjectionLesson8.generateTable(results, results.getMetaData())); return trackProgress(success().feedback("sql-injection.9.success").feedbackArgs(output.toString()).build()); } else { return trackProgress(failed().output(output.toString()).build()); @@ -71,7 +70,7 @@ public class SqlInjectionLesson9 extends AssignmentEndpoint { } catch (SQLException e) { System.err.println(e.getMessage()); - return trackProgress(failed().output(e.getMessage()).build()); + return trackProgress(failed().output("
" + e.getMessage() + "").build()); } } diff --git a/webgoat-lessons/sql-injection/src/main/resources/css/assignments.css b/webgoat-lessons/sql-injection/src/main/resources/css/assignments.css new file mode 100644 index 000000000..dc1e3cdd4 --- /dev/null +++ b/webgoat-lessons/sql-injection/src/main/resources/css/assignments.css @@ -0,0 +1,7 @@ +.attack-feedback { + color: green; +} + +.attack-feedback table { + color: black; +} \ No newline at end of file diff --git a/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjection.html b/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjection.html index f99ea51f3..39f8594e4 100644 --- a/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjection.html +++ b/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjection.html @@ -1,6 +1,7 @@ +
@@ -25,7 +26,7 @@
- +
diff --git a/webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties b/webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties index 7c0e27cf2..83568052b 100644 --- a/webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties +++ b/webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties @@ -53,4 +53,11 @@ SqlStringInjectionHint9-3=Make use of DML to change your salary. SqlStringInjectionHint9-4=Make sure that the resulting query is syntactically correct. SqlStringInjectionHint9-5=How about something like '; UPDATE employees.... -sql-injection.10.success=Success! You successfully deleted the access_log table and that way compromised the availability of the data. \ No newline at end of file +sql-injection.10.success=Success! You successfully deleted the access_log table and that way compromised the availability of the data. + +SqlStringInjectionHint10-1=Use the techniques that you have learned before. +SqlStringInjectionHint10-2=The application takes your input and filters for entries that are LIKE it. +SqlStringInjectionHint10-3=Try query chaining to reach the goal. +SqlStringInjectionHint10-4=The DDL allows you to delete (DROP) database tables. +SqlStringInjectionHint10-5=The underlying sql query looks like that: "SELECT * FROM access_log WHERE action LIKE '%" + action + "%'". +SqlStringInjectionHint10-6=Remember that you can use the -- metacharacter to comment out the rest of the line. \ No newline at end of file diff --git a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content9.adoc b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content9.adoc index 6b769bea7..86c71e85e 100644 --- a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content9.adoc +++ b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content9.adoc @@ -1,7 +1,7 @@ == Compromising Integrity with Query Chaining After compromising the confidentiality of data in the previous lesson, this time we are gonna compromise the integrity of data by using a SQL query chaining. -== What is SQL query chaining? +=== What is SQL query chaining? Query chaining is exactly what it sounds like. When query chaining, you try to append one or more queries to the end of the actual query. You can do this by using the *;* metacharacter which marks the end of a query and that way allows to start another one right after it within the same line. diff --git a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_plan.adoc b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_plan.adoc index bf014fa3c..23aa4d64a 100644 --- a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_plan.adoc +++ b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_plan.adoc @@ -2,7 +2,7 @@ This lesson describes what is Structured Query Language (SQL) and how it can be manipulated to perform tasks that were not the original intent of the developer. -== Goals +=== Goals * The user will have a basic understanding of how SQL works and what it is used for * The user will have a basic understanding of what SQL-Injections are and how they work