From 2fdde982ebd7e17202038dff7a1295f133463144 Mon Sep 17 00:00:00 2001 
From: Benedikt - Desktop
Date: Fri, 2 Nov 2018 11:33:52 +0100
Subject: [PATCH] Restructured SQL Injection introduction lesson and created new required lesson-pages.
---
 .../src/main/resources/html/SqlInjection.html | 30 ++++++---
 .../lessonPlans/en/SqlInjection_content1.adoc | 63 -------------------
 .../lessonPlans/en/SqlInjection_content2.adoc | 7 ---
 .../SqlInjection_introduction_content1.adoc | 30 +++++++++
 .../SqlInjection_introduction_content10.adoc | 1 +
 .../SqlInjection_introduction_content2.adoc | 10 +++
 .../SqlInjection_introduction_content3.adoc | 14 +++++
 .../SqlInjection_introduction_content4.adoc | 7 +++
 ...njection_introduction_content5_after.adoc} | 0
 ...jection_introduction_content5_before.adoc} | 8 +++
 ...> SqlInjection_introduction_content6.adoc} | 2 +-
 ...> SqlInjection_introduction_content7.adoc} | 6 +-
 ...> SqlInjection_introduction_content8.adoc} | 2 +
 ...> SqlInjection_introduction_content9.adoc} | 2 +
 ...oc => SqlInjection_introduction_plan.adoc} | 0
 15 files changed, 99 insertions(+), 83 deletions(-)
 delete mode 100644 webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content1.adoc
 delete mode 100644 webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content2.adoc
 create mode 100644 webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content1.adoc
 create mode 100644 webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content10.adoc
 create mode 100644 webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content2.adoc
 create mode 100644 webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content3.adoc
 create mode 100644 webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content4.adoc
 rename webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/{SqlInjection_content5_after.adoc =>
SqlInjection_introduction_content5_after.adoc} (100%)
 rename webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/{SqlInjection_content5_before.adoc => SqlInjection_introduction_content5_before.adoc} (58%)
 rename webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/{SqlInjection_content3.adoc => SqlInjection_introduction_content6.adoc} (93%)
 rename webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/{SqlInjection_content4.adoc => SqlInjection_introduction_content7.adoc} (76%)
 rename webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/{SqlInjection_content5a.adoc => SqlInjection_introduction_content8.adoc} (97%)
 rename webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/{SqlInjection_content5b.adoc => SqlInjection_introduction_content9.adoc} (98%)
 rename webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/{SqlInjection_plan.adoc => SqlInjection_introduction_plan.adoc} (100%)
diff --git a/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjection.html b/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjection.html
index aa86be670..877dba24c 100644
--- a/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjection.html
+++ b/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjection.html
@@ -3,27 +3,27 @@
-
+
-
+
-
+
-
+
-
+
-
+
@@ -40,11 +40,19 @@ });
-
+
-
+
+
+ +
+
+
+ +
+
-
+
+
+
+
+
diff --git a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content1.adoc b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content1.adoc
deleted file mode 100644
index 76be22e6e..000000000
--- a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content1.adoc
+++ /dev/null
@@ -1,63 +0,0 @@
-== What is SQL
-
-SQL is a standardized (ANSI in 1986, ISO in 1987) programming language which is used for managing relational databases and performing various operations on the data in them.
-
-A database is a collection of data. Data is organized into rows, columns and tables, and it is indexed to make it easier to find relevant information.
-
-Example SQL table with employees:
-
-Employees Table
-|===
-|IdNum |LName |FName |JobCode |Salary |Phone |
-
-|1876 |CHIN |JACK |TA1 |42400 |212/558-5634 |
-
-|1114 |GREENWALD |JANICE |ME3 |38000 |212/558-1092 |
-
-|1556 |PENNINGTION|MICHAEL |ME1 |29860 |718/383-5681 |
-
-|1354 |PARKER |MARY |FA3 |65800 |914/455-2337 |
-
-|1130 |WOOD |DEBORAH |PT2 |36514 |212/587-0013 |
-|===
-
-Each employee has an index (IdNum), lastname, firstname, job title (JobCode), salary and a phone number. All his data from this table is represented in a single row.
-
-By using SQL queries you can modify a database table and its index structures, add, update and delete rows of data.
-
-There are three types of SQL commands in the SQL database language:
-
-=== Data Manipulation Language (DML)
-* DML commands are used for storing, retrieving, modifying, and deleting data.
-* SELECT, INSERT, UPDATE, DELETE, …
-* Example:
-** Retrieve data:
-** SELECT Phone +
- FROM Employees +
- WHERE IdNum = 1354;
-** This statement delivers the phone number of the employee with the number 1354.
-
-=== Data Definition Language (DDL)
-* DDL commands are used for creating, modifying, and dropping the structure of database objects.
-* CREATE, ALTER, DROP,TRUNCATE,…
-* Example:
-** CREATE TABLE Customers( +
-     IdNum INT NOT NULL, +
-     LName VARCHAR (20) NOT NULL, +
-     FName VARCHAR (20) NOT NULL, +
-     JobCode VARCHAR (3) NOT NULL, +
-     Salary DECIMAL (18, 2), +
-     Phone VARCHAR (20), +
-     PRIMARY KEY (IdNum) +
-);
-** This statement creates the employees example table given above.
-
-=== Data Control Language (DCL)
-* DCL commands are used for providing security to database objects.
-* GRANT, REVOKE, …
-* Example:
-** GRANT CREATE TABLE +
- TO operator;
-** This statement gives all users of the operator-role the privilege to create new tables in the database.
- 
-If you are still struggling with SQL and need more information or practice you can visit http://www.sqlcourse.com/ for an interactive and free online training.
diff --git a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content2.adoc b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content2.adoc
deleted file mode 100644
index d9456f9e3..000000000
--- a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content2.adoc
+++ /dev/null
@@ -1,7 +0,0 @@
-== What is SQL Injection?
-
-SQL Injections are the most common web hacking techniques. *A SQL injection attack consists of insertion or "injection" of malicious code via the SQL query input from the client to the application.* If not dealt with correctly, such an injection of code into the application can have an serious impact on e.g. data integrity and security.
-
-SQL Injections can occur, when unfiltered data from the client, e.g. the input of a search field, gets into the SQL-Interpreter of the application itself. If the input from the client does not get checked for containing SQL Commands, hackers can easily manipulate the underlying SQL-Statement to their advantages. +
-Per example if the input is not filtered for SQL metacharacters like *--* (comments out the rest of the line) or *;* (ends a SQL-query and that way can be used to chain them)
-
diff --git a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content1.adoc b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content1.adoc
new file mode 100644
index 000000000..7a1ef424a
--- /dev/null
+++ b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content1.adoc
@@ -0,0 +1,30 @@
+== What is SQL
+
+SQL is a standardized (ANSI in 1986, ISO in 1987) programming language which is used for managing relational databases and performing various operations on the data in them.
+
+A database is a collection of data. Data is organized into rows, columns and tables, and it is indexed to make it easier to find relevant information.
+
+Example SQL table with employees:
+
+Employees Table
+|===
+|IdNum |LName |FName |JobCode |Salary |Phone |
+
+|1876 |CHIN |JACK |TA1 |42400 |212/558-5634 |
+
+|1114 |GREENWALD |JANICE |ME3 |38000 |212/558-1092 |
+
+|1556 |PENNINGTION|MICHAEL |ME1 |29860 |718/383-5681 |
+
+|1354 |PARKER |MARY |FA3 |65800 |914/455-2337 |
+
+|1130 |WOOD |DEBORAH |PT2 |36514 |212/587-0013 |
+|===
+
+Each employee has an index (IdNum), lastname, firstname, job title (JobCode), salary and a phone number. All his data from this table is represented in a single row.
+
+By using SQL queries you can modify a database table and its index structures, add, update and delete rows of data.
+
+There are three types of SQL commands in the SQL database language:
+
+If you are still struggling with SQL and need more information or practice you can visit http://www.sqlcourse.com/ for an interactive and free online training.
diff --git a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content10.adoc b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content10.adoc
new file mode 100644
index 000000000..b3a12d370
--- /dev/null
+++ b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content10.adoc
@@ -0,0 +1 @@
+Availiability
\ No newline at end of file
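Review bot: The sentence `There are three types of SQL commands in the SQL database language:` is now the last lesson line before the sqlcourse.com paragraph, so on this page it introduces nothing; the DML/DDL/DCL subsections it announced were moved to SqlInjection_introduction_content2.adoc through content4.adoc. Either reword it to point forward, e.g. `There are three types of SQL commands in the SQL database language, described on the following pages:`, or move the sqlcourse.com paragraph to the end of content4.adoc so the list is not interrupted by the "still struggling" closer. The same split left content2.adoc with a trailing blank line and content3.adoc without a final newline; worth harmonising while the files are new.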
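Review bot: The only line of SqlInjection_introduction_content10.adoc is misspelled: `Availiability` should be `Availability`. It is also a bare paragraph rather than an AsciiDoc heading, as are the `Confidentiality` and `Integrity` lines prepended in SqlInjection_introduction_content8.adoc and content9.adoc, so each renders as loose text above the `== Try It!` title; if these are meant as CIA-triad section labels, mark them up consistently, e.g. `== Availability`, or turn each into a one-sentence lead that says which property the page's exercise demonstrates. content10.adoc carries nothing beyond the label, which looks like a placeholder — confirm it is intended to ship in this state.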
diff --git a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content2.adoc b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content2.adoc
new file mode 100644
index 000000000..e65e237a0
--- /dev/null
+++ b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content2.adoc
@@ -0,0 +1,10 @@
+=== Data Manipulation Language (DML)
+* DML commands are used for storing, retrieving, modifying, and deleting data.
+* SELECT, INSERT, UPDATE, DELETE, …
+* Example:
+** Retrieve data:
+** SELECT Phone +
+ FROM Employees +
+ WHERE IdNum = 1354;
+** This statement delivers the phone number of the employee with the number 1354.
+
diff --git a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content3.adoc b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content3.adoc
new file mode 100644
index 000000000..e44df7b88
--- /dev/null
+++ b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content3.adoc
@@ -0,0 +1,14 @@
+=== Data Definition Language (DDL)
+* DDL commands are used for creating, modifying, and dropping the structure of database objects.
+* CREATE, ALTER, DROP,TRUNCATE,…
+* Example:
+** CREATE TABLE Customers( +
+     IdNum INT NOT NULL, +
+     LName VARCHAR (20) NOT NULL, +
+     FName VARCHAR (20) NOT NULL, +
+     JobCode VARCHAR (3) NOT NULL, +
+     Salary DECIMAL (18, 2), +
+     Phone VARCHAR (20), +
+     PRIMARY KEY (IdNum) +
+);
+** This statement creates the employees example table given above.
\ No newline at end of file
diff --git a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content4.adoc b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content4.adoc
new file mode 100644
index 000000000..dd59992fa
--- /dev/null
+++ b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content4.adoc
@@ -0,0 +1,7 @@
+=== Data Control Language (DCL)
+* DCL commands are used for providing security to database objects.
+* GRANT, REVOKE, …
+* Example:
+** GRANT CREATE TABLE +
+ TO operator;
+** This statement gives all users of the operator-role the privilege to create new tables in the database.
diff --git a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content5_after.adoc b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content5_after.adoc
similarity index 100%
rename from webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content5_after.adoc
rename to webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content5_after.adoc
diff --git a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content5_before.adoc b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content5_before.adoc
similarity index 58%
rename from webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content5_before.adoc
rename to webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content5_before.adoc
index 942e166f2..bbe6358e2 100644
--- a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content5_before.adoc
+++ b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content5_before.adoc
@@ -1,3 +1,11 @@ +== What is SQL Injection? + +SQL Injections are the most common web hacking techniques. *A SQL injection attack consists of insertion or "injection" of malicious code via the SQL query input from the client to the application.* If not dealt with correctly, such an injection of code into the application can have an serious impact on e.g. data integrity and security. + +SQL Injections can occur, when unfiltered data from the client, e.g. the input of a search field, gets into the SQL-Interpreter of the application itself. If the input from the client does not get checked for containing SQL Commands, hackers can easily manipulate the underlying SQL-Statement to their advantages. + +Per example if the input is not filtered for SQL metacharacters like *--* (comments out the rest of the line) or *;* (ends a SQL-query and that way can be used to chain them) + + == Example of SQL Injection Think of a web application, that allows to display user information, by typing a username into an input field. diff --git a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content3.adoc b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content6.adoc similarity index 93% rename from webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content3.adoc rename to webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content6.adoc index 348aae4eb..d28969ee9 100644 --- a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content3.adoc +++ b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content6.adoc 
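Review bot: The paragraph moved to the top of SqlInjection_introduction_content5_before.adoc is still an unfinished sentence: `Per example if the input is not filtered for SQL metacharacters like *--* (...) or *;* (...)` has no main clause, so the page drops the thought mid-air. A complete version would be `For example, if the input is not filtered for SQL metacharacters like *--* (comments out the rest of the line) or *;* (ends a SQL query and can therefore be used to chain statements), an attacker can change the meaning of the statement the application executes.` Two smaller fixes in the same added lines: `an serious impact` → `a serious impact`, and `does not get checked for containing SQL Commands` reads as if filtering were the defence — a short clause naming parameterised queries / prepared statements as the actual remedy would keep learners from taking a blocklist mindset into the exercises that follow.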
@@ -9,7 +9,7 @@ * Recover the content of a given file present on the DBMS file system * Issue commands to the operating system -=== SQL injection attacks allow attackers to +=== SQL injection attacks allow attackers to * Spoof identity * Tamper with existing data * Cause repudiation issues such as voiding transactions or changing balances diff --git a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content4.adoc b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content7.adoc similarity index 76% rename from webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content4.adoc rename to webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content7.adoc index 3e1b224fe..567e3ef70 100644 --- a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content4.adoc +++ b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content7.adoc @@ -1,6 +1,6 @@ == Severity of SQL Injection -=== The severity of SQL Injection attacks is limited by +=== The severity of SQL Injection attacks is limited by * Attacker’s skill and imagination * Defense in depth countermeasures ** Input validation @@ -18,5 +18,5 @@ * Early adopters of web technology (i.e. Old Code) === Not all databases are equal (SQL Server) -* Command shell: `master.dbo.xp_cmdshell 'cmd.exe dir c:'` -* Reqistry commands: `xp_regread`, `xp_regdeletekey`, … +* Command shell: `master.dbo.xp_cmdshell 'cmd.exe dir c:'` +* Reqistry commands: `xp_regread`, `xp_regdeletekey`, … \ No newline at end of file 
diff --git a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content5a.adoc b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content8.adoc similarity index 97% rename from webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content5a.adoc rename to webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content8.adoc index 00f271d18..c3568a95d 100644 --- a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content5a.adoc +++ b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content8.adoc @@ -1,3 +1,5 @@ +Confidentiality + == Try It! String SQL Injection The query in the code builds a dynamic query as seen in the previous example. The query in the code builds a dynamic query by concatenating strings making it susceptible to String SQL injection: diff --git a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content5b.adoc b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content9.adoc similarity index 98% rename from webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content5b.adoc rename to webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content9.adoc index 3665882f5..2f2e70fd0 100644 --- a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content5b.adoc +++ b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content9.adoc @@ -1,3 +1,5 @@ +Integrity + == Try It! Numeric SQL Injection The query in the code builds a dynamic query as seen in the previous example. The query in the code builds a dynamic query by concatenating a number making it susceptible to Numeric SQL injection: 
diff --git a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_plan.adoc b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_plan.adoc
similarity index 100%
rename from webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_plan.adoc
rename to webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_plan.adoc