Add sql lesson (#1370)

This commit is contained in:
Nanne Baars 2023-01-04 07:42:29 +01:00 committed by GitHub
parent 614235d913
commit 32468ff90b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 33 additions and 5 deletions

.gitignore vendored

@ -55,3 +55,5 @@ webgoat.script
TestClass.class TestClass.class
**/*.flattened-pom.xml **/*.flattened-pom.xml
/.gitconfig /.gitconfig
webgoat.gitconfig


@ -1,6 +1,6 @@
We now explained the basic steps involved in an SQL injection. In this assignment you will need to combine all We now explained the basic steps involved in an SQL injection. In this assignment you will need to combine all
the things we explained in the SQL lessons. the things we explained in the SQL lessons.
Goal: Can you login as Tom? Goal: Can you log in as Tom?
Have fun! Have fun!


@ -1,4 +1,5 @@
== Parameterized Queries - Java Snippet == Parameterized Queries - Java Snippet
[source,java] [source,java]
---- ----
public static bool isUsernameValid(string username) { public static bool isUsernameValid(string username) {
@ -12,14 +13,39 @@ RecordSet rs = null;
try { try {
pUserName = request.getParameter("UserName"); pUserName = request.getParameter("UserName");
if ( isUsernameValid (pUsername) ) { if ( isUsernameValid (pUsername) ) {
ps = conn.prepareStatement("SELECT * FROM user_table ps = conn.prepareStatement("SELECT * FROM user_table WHERE username = ? ");
WHERE username = ? ");
ps.setString(1, pUsername); ps.setString(1, pUsername);
rs = ps.execute(); rs = ps.execute();
if ( rs.next() ) { if ( rs.next() ) {
// do the work of making the user record active in some way // do the work of making the user record active in some way
} }
} else { // handle invalid input } } else {
// handle invalid input
}
} }
catch (...) { // handle all exceptions ... } catch (...) { // handle all exceptions ... }
---- ----
== Important
Use the prepared statement correctly; parameters should be set with `ps.set..()` and DO NOT use the following statement:
[source,java]
----
String insertStatement = "INSERT INTO USERS (id, name, email) VALUES (%s, %s, %s)".format("1", "webgoat", "webgoat@owasp.org");
PreparedStatement statement = conn.prepareStatement(insertStatement);
statement.executeUpdate();
----
(For the sake of the example, we assume that the passed values are based on user input).
The example above is not the correct way to use a prepared statement, use:
[source,java]
----
PreparedStatement statement = conn.prepareStatement("INSERT INTO USERS (id, name, email) VALUES (?, ?, ?)");
statement.setString(1, "1");
statement.setString(2, "webgoat");
statement.setString(3, "webgoat@owasp.org");
statement.executeUpdate();
----
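Review bot: The "do not do this" example under `== Important` does not actually produce the interpolated SQL it is meant to demonstrate: `format` is a static method of `String`, so `"INSERT ... VALUES (%s, %s, %s)".format("1", "webgoat", "webgoat@owasp.org")` ignores the receiver and formats the string `"1"` with two unused arguments, leaving `insertStatement` equal to `"1"`. For the anti-pattern to read as intended, use `String insertStatement = String.format("INSERT INTO USERS (id, name, email) VALUES (%s, %s, %s)", "1", "webgoat", "webgoat@owasp.org");` (or `"...".formatted(...)` on Java 15+). It is also worth stating in the surrounding sentence that the problem is building the statement text from user input before `prepareStatement` is called, which is why the `?` placeholders plus `setString` in the correct example are the fix. A short note that `prepareStatement` on an already-interpolated string gives no protection would make the contrast explicit for readers.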