Restructured SQL Injection introduction lesson and created new required lesson-pages.

webgoat-lessons/sql-injection/src/main/resources/html/SqlInjection.html

@@ -3,27 +3,27 @@
 <html xmlns:th="http://www.thymeleaf.org">
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:SqlInjection_plan.adoc"></div>
+    <div class="adoc-content" th:replace="doc:SqlInjection_introduction_plan.adoc"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:SqlInjection_content1.adoc"></div>
+    <div class="adoc-content" th:replace="doc:SqlInjection_introduction_content1.adoc"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:SqlInjection_content2.adoc"></div>
+    <div class="adoc-content" th:replace="doc:SqlInjection_introduction_content2.adoc"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:SqlInjection_content3.adoc"></div>
+    <div class="adoc-content" th:replace="doc:SqlInjection_introduction_content3.adoc"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:SqlInjection_content4.adoc"></div>
+    <div class="adoc-content" th:replace="doc:SqlInjection_introduction_content4.adoc"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:SqlInjection_content5_before.adoc"></div>
+    <div class="adoc-content" th:replace="doc:SqlInjection_introduction_content5_before.adoc"></div>
     <div>
         <label for="username-preview">Username:</label>
         <input id="preview-input" type="text" name="username" val=""/>
@@ -40,11 +40,19 @@
             });
         </script>
     </div>
-    <div class="adoc-content" th:replace="doc:SqlInjection_content5_after.adoc"></div>
+    <div class="adoc-content" th:replace="doc:SqlInjection_introduction_content5_after.adoc"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:SqlInjection_content5a.adoc"></div>
+    <div class="adoc-content" th:replace="doc:SqlInjection_introduction_content6.adoc"></div>
+</div>
+
+<div class="lesson-page-wrapper">
+    <div class="adoc-content" th:replace="doc:SqlInjection_introduction_content7.adoc"></div>
+</div>
+
+<div class="lesson-page-wrapper">
+    <div class="adoc-content" th:replace="doc:SqlInjection_introduction_content8.adoc"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <form class="attack-form" accept-charset="UNKNOWN"
@@ -66,7 +74,7 @@
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:SqlInjection_content5b.adoc"></div>
+    <div class="adoc-content" th:replace="doc:SqlInjection_introduction_content9.adoc"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <form class="attack-form" accept-charset="UNKNOWN"
@@ -94,4 +102,8 @@
     </div>
 </div>
 
+<div class="lesson-page-wrapper">
+    <div class="adoc-content" th:replace="doc:SqlInjection_introduction_content10.adoc"></div>
+</div>
+
 </html>

webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content1.adoc

@@ -1,63 +0,0 @@
-== What is SQL
-
-SQL is a standardized (ANSI in 1986, ISO in 1987) programming language which is used for managing relational databases and performing various operations on the data in them.
-
-A database is a collection of data. Data is organized into rows, columns and tables, and it is indexed to make it easier to find relevant information.
-
-Example SQL table with employees:
-
-Employees Table
-|===
-|IdNum |LName |FName |JobCode |Salary |Phone |
-
-|1876 |CHIN |JACK |TA1 |42400 |212/558-5634 |
-
-|1114 |GREENWALD |JANICE |ME3 |38000 |212/558-1092 |
-
-|1556 |PENNINGTION|MICHAEL |ME1 |29860 |718/383-5681 |
-
-|1354 |PARKER |MARY |FA3 |65800 |914/455-2337 |
-
-|1130 |WOOD |DEBORAH |PT2 |36514 |212/587-0013 |
-|===
-
-Each employee has an index (IdNum), lastname, firstname, job title (JobCode), salary and a phone number. All his data from this table is represented in a single row.
-
-By using SQL queries you can modify a database table and its index structures, add, update and delete rows of data.
-
-There are three types of SQL commands in the SQL database language:
-
-=== Data Manipulation Language (DML)
-* DML commands are used for storing, retrieving, modifying, and deleting data.
-* SELECT, INSERT, UPDATE, DELETE, …
-* Example:
-** Retrieve data:
-** SELECT Phone  +
-   FROM Employees +
-   WHERE IdNum = 1354;
-** This statement delivers the phone number of the employee with the number 1354.
-
-=== Data Definition Language (DDL)
-* DDL commands are used for creating, modifying, and dropping the structure of database objects.
-* CREATE, ALTER, DROP,TRUNCATE,…
-* Example:
-** CREATE TABLE Customers( +
-       IdNum INT NOT NULL, +
-       LName VARCHAR (20) NOT NULL, +
-       FName VARCHAR (20) NOT NULL, +
-       JobCode VARCHAR (3) NOT NULL, +
-       Salary DECIMAL (18, 2), +
-       Phone VARCHAR (20), +
-       PRIMARY KEY (IdNum) +
-);
-** This statement creates the employees example table given above.
-
-=== Data Control Language (DCL)
-* DCL commands are used for providing security to database objects.
-* GRANT, REVOKE, …
-* Example:
-** GRANT CREATE TABLE +
-   TO operator;
-** This statement gives all users of the operator-role the privilege to create new tables in the database.
-
-If you are still struggling with SQL and need more information or practice you can visit http://www.sqlcourse.com/ for an interactive and free online training.

webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content2.adoc

@@ -1,7 +0,0 @@
-== What is SQL Injection?
-
-SQL Injections are the most common web hacking techniques. *A SQL injection attack consists of insertion or "injection" of malicious code via the SQL query input from the client to the application.* If not dealt with correctly, such an injection of code into the application can have an serious impact on e.g. data integrity and security.
-
-SQL Injections can occur, when unfiltered data from the client, e.g. the input of a search field, gets into the SQL-Interpreter of the application itself. If the input from the client does not get checked for containing SQL Commands, hackers can easily manipulate the underlying SQL-Statement to their advantages. +
-Per example if the input is not filtered for SQL metacharacters like *--* (comments out the rest of the line) or *;* (ends a SQL-query and that way can be used to chain them)
-

webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content1.adoc

@@ -0,0 +1,30 @@
+== What is SQL
+
+SQL is a standardized (ANSI in 1986, ISO in 1987) programming language which is used for managing relational databases and performing various operations on the data in them.
+
+A database is a collection of data. Data is organized into rows, columns and tables, and it is indexed to make it easier to find relevant information.
+
+Example SQL table with employees:
+
+Employees Table
+|===
+|IdNum |LName |FName |JobCode |Salary |Phone |
+
+|1876 |CHIN |JACK |TA1 |42400 |212/558-5634 |
+
+|1114 |GREENWALD |JANICE |ME3 |38000 |212/558-1092 |
+
+|1556 |PENNINGTION|MICHAEL |ME1 |29860 |718/383-5681 |
+
+|1354 |PARKER |MARY |FA3 |65800 |914/455-2337 |
+
+|1130 |WOOD |DEBORAH |PT2 |36514 |212/587-0013 |
+|===
+
+Each employee has an index (IdNum), lastname, firstname, job title (JobCode), salary and a phone number. All his data from this table is represented in a single row.
+
+By using SQL queries you can modify a database table and its index structures, add, update and delete rows of data.
+
+There are three types of SQL commands in the SQL database language:
+
+If you are still struggling with SQL and need more information or practice you can visit http://www.sqlcourse.com/ for an interactive and free online training.

webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content10.adoc

@@ -0,0 +1 @@
+Availiability

webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content2.adoc

@@ -0,0 +1,10 @@
+=== Data Manipulation Language (DML)
+* DML commands are used for storing, retrieving, modifying, and deleting data.
+* SELECT, INSERT, UPDATE, DELETE, …
+* Example:
+** Retrieve data:
+** SELECT Phone  +
+   FROM Employees +
+   WHERE IdNum = 1354;
+** This statement delivers the phone number of the employee with the number 1354.
+

webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content3.adoc

@@ -0,0 +1,14 @@
+=== Data Definition Language (DDL)
+* DDL commands are used for creating, modifying, and dropping the structure of database objects.
+* CREATE, ALTER, DROP,TRUNCATE,…
+* Example:
+** CREATE TABLE Customers( +
+       IdNum INT NOT NULL, +
+       LName VARCHAR (20) NOT NULL, +
+       FName VARCHAR (20) NOT NULL, +
+       JobCode VARCHAR (3) NOT NULL, +
+       Salary DECIMAL (18, 2), +
+       Phone VARCHAR (20), +
+       PRIMARY KEY (IdNum) +
+);
+** This statement creates the employees example table given above.

webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content4.adoc

@@ -0,0 +1,7 @@
+=== Data Control Language (DCL)
+* DCL commands are used for providing security to database objects.
+* GRANT, REVOKE, …
+* Example:
+** GRANT CREATE TABLE +
+   TO operator;
+** This statement gives all users of the operator-role the privilege to create new tables in the database.

webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content5_before.adoc

@@ -1,3 +1,11 @@
+== What is SQL Injection?
+
+SQL Injections are the most common web hacking techniques. *A SQL injection attack consists of insertion or "injection" of malicious code via the SQL query input from the client to the application.* If not dealt with correctly, such an injection of code into the application can have an serious impact on e.g. data integrity and security.
+
+SQL Injections can occur, when unfiltered data from the client, e.g. the input of a search field, gets into the SQL-Interpreter of the application itself. If the input from the client does not get checked for containing SQL Commands, hackers can easily manipulate the underlying SQL-Statement to their advantages. +
+Per example if the input is not filtered for SQL metacharacters like *--* (comments out the rest of the line) or *;* (ends a SQL-query and that way can be used to chain them)
+
+
 == Example of SQL Injection
 
 Think of a web application, that allows to display user information, by typing a username into an input field.

webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content8.adoc

@@ -1,3 +1,5 @@
+Confidentiality
+
 == Try It!   String SQL Injection
 
 The query in the code builds a dynamic query as seen in the previous example.  The query in the code builds a dynamic query by concatenating strings making it susceptible to String SQL injection: 

webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content9.adoc

@@ -1,3 +1,5 @@
+Integrity
+
 == Try It!   Numeric SQL Injection
 
 The query in the code builds a dynamic query as seen in the previous example.  The query in the code builds a dynamic query by concatenating a number making it susceptible to Numeric SQL injection: