Add support for MS SQL Server in the DB Labs
git-svn-id: http://webgoat.googlecode.com/svn/trunk@240 4033779f-a91e-0410-96ef-6bf7bf53c507
This commit is contained in:
rogan.dawes
@ -143,8 +143,10 @@ public class DBCrossSiteScripting extends GoatHillsFinancial
|
||||
else if (STAGE2.equals(stage))
|
||||
{
|
||||
instructions = "Stage 2: Block Stored XSS using Input Validation.<br>"
|
||||
+ "Implement a fix in the stored procedure to prevent the stored XSS from being written to the database. "
|
||||
+ "A sample regluar expression pattern: ^[a-zA-Z0-9,\\. ]{0,80}$ "
|
||||
+ "Implement a fix in the stored procedure to prevent the stored XSS from being written to the database. ";
|
||||
if (getWebgoatContext().getDatabaseDriver().contains("jtds"))
|
||||
instructions += "Use the provided user-defined function RegexMatch to test the data against a pattern. ";
|
||||
instructions += "A sample regular expression pattern: ^[a-zA-Z0-9,\\. ]{0,80}$ "
|
||||
+ "Repeat stage 1 as 'Eric' with 'David' as the manager. Verify that 'David' is not affected by the attack.";
|
||||
}
|
||||
}
|
||||
|
||||
@ -125,7 +125,8 @@ public class UpdateProfile extends DefaultLessonAction
|
||||
{
|
||||
s.setMessage("Error updating employee profile");
|
||||
e.printStackTrace();
|
||||
if (DBCrossSiteScripting.STAGE2.equals(getStage(s)) && e.getMessage().contains("ORA-06512") &&
|
||||
if (DBCrossSiteScripting.STAGE2.equals(getStage(s)) &&
|
||||
(e.getMessage().contains("ORA-06512") || e.getMessage().contains("Illegal characters")) &&
|
||||
!employee.getAddress1().matches("^[a-zA-Z0-9,\\. ]{0,80}$"))
|
||||
{
|
||||
setStageComplete(s, DBCrossSiteScripting.STAGE2);
|
||||
|
||||
@ -0,0 +1,17 @@
|
||||
using System.Data.SqlTypes;
|
||||
using System.Text.RegularExpressions;
|
||||
using Microsoft.SqlServer.Server;
|
||||
|
||||
public static partial class UserDefinedFunctions
|
||||
{
|
||||
public static readonly RegexOptions Options =
|
||||
RegexOptions.IgnorePatternWhitespace |
|
||||
RegexOptions.Compiled | RegexOptions.Singleline;
|
||||
|
||||
[SqlFunction]
|
||||
public static SqlBoolean RegexMatch( SqlChars input, SqlString pattern )
|
||||
{
|
||||
Regex regex = new Regex( pattern.Value, Options );
|
||||
return regex.IsMatch( new string( input.Value ) );
|
||||
}
|
||||
}
|
||||
Binary file not shown.
@ -73,6 +73,19 @@ END;
|
||||
3. Apply a table column constraint
|
||||
ALTER TABLE EMPLOYEE
|
||||
ADD CONSTRAINT address1_ck CHECK (REGEXP_LIKE(address1, '^[a-zA-Z0-9,\. ]{0,80}$'));
|
||||
|
||||
|
||||
FOR SQL SERVER, the following process is required:
|
||||
|
||||
Compile the C# RegexMatch user defined class routine to a DLL:
|
||||
|
||||
C:> c:\windows\Microsoft.NET\Framework\v2.0.50727\csc.exe /t:library RegexMatch.cs
|
||||
C:> copy RegexMatch.dll C:\TEMP\
|
||||
|
||||
execute the following script as the SA user, using SQuirreL SQL client:
|
||||
|
||||
sqlserver.sql
|
||||
|
||||
*/
|
||||
|
||||
public class UpdateProfile_i extends UpdateProfile
|
||||
|
||||
@ -0,0 +1,58 @@
|
||||
|
||||
|
||||
IF EXISTS
|
||||
(
|
||||
SELECT 1
|
||||
FROM INFORMATION_SCHEMA.ROUTINES
|
||||
WHERE ROUTINE_NAME = 'UPDATE_EMPLOYEE'
|
||||
AND ROUTINE_SCHEMA = 'webgoat_guest'
|
||||
AND ROUTINE_TYPE = 'PROCEDURE'
|
||||
)
|
||||
BEGIN
|
||||
DROP PROCEDURE webgoat_guest.UPDATE_EMPLOYEE
|
||||
END
|
||||
GO
|
||||
|
||||
CREATE PROCEDURE webgoat_guest.UPDATE_EMPLOYEE
|
||||
@v_userid INT,
|
||||
@v_first_name VARCHAR(20),
|
||||
@v_last_name VARCHAR(20),
|
||||
@v_ssn VARCHAR(12),
|
||||
@v_title VARCHAR(20),
|
||||
@v_phone VARCHAR(13),
|
||||
@v_address1 VARCHAR(80),
|
||||
@v_address2 VARCHAR(80),
|
||||
@v_manager INT,
|
||||
@v_start_date CHAR(8),
|
||||
@v_salary INT,
|
||||
@v_ccn VARCHAR(30),
|
||||
@v_ccn_limit INT,
|
||||
@v_disciplined_date CHAR(8),
|
||||
@v_disciplined_notes VARCHAR(60),
|
||||
@v_personal_description VARCHAR(60)
|
||||
AS
|
||||
IF [webgoat_guest].RegexMatch(@v_address1, N'^[a-zA-Z0-9,\. ]{0,80}$') = 0
|
||||
BEGIN
|
||||
RAISERROR('Illegal characters in address1', 11, 1)
|
||||
RETURN
|
||||
END
|
||||
UPDATE EMPLOYEE
|
||||
SET
|
||||
first_name = @v_first_name,
|
||||
last_name = @v_last_name,
|
||||
ssn = @v_ssn,
|
||||
title = @v_title,
|
||||
phone = @v_phone,
|
||||
address1 = @v_address1,
|
||||
address2 = @v_address2,
|
||||
manager = @v_manager,
|
||||
start_date = @v_Start_date,
|
||||
salary = @v_salary,
|
||||
ccn = @v_ccn,
|
||||
ccn_limit = @v_ccn_limit,
|
||||
disciplined_date = @v_disciplined_date,
|
||||
disciplined_notes = @v_disciplined_notes,
|
||||
personal_description = @v_personal_description
|
||||
WHERE
|
||||
userid = @v_userid;
|
||||
GO
|
||||
@ -3,9 +3,10 @@ package org.owasp.webgoat.lessons.instructor.DBSQLInjection;
|
||||
/*
|
||||
* The solution is to choose Neville's userid, and enter a password like:
|
||||
* ' OR '1'='1
|
||||
* Modify the Stored procedure LOGIN_EMPLOYEE to use fixed statements or bind variables
|
||||
* Modify the Stored function LOGIN_EMPLOYEE to use fixed statements or bind variables
|
||||
*
|
||||
*
|
||||
* For ORACLE:
|
||||
CREATE OR REPLACE FUNCTION WEBGOAT_guest.EMPLOYEE_LOGIN(v_id NUMBER, v_password VARCHAR) RETURN NUMBER AS
|
||||
cnt NUMBER;
|
||||
BEGIN
|
||||
@ -27,4 +28,17 @@ BEGIN
|
||||
END;
|
||||
/
|
||||
|
||||
* For SQL SERVER
|
||||
|
||||
CREATE FUNCTION webgoat_guest.EMPLOYEE_LOGIN (
|
||||
@v_id INT,
|
||||
@v_password VARCHAR(100)
|
||||
) RETURNS INTEGER
|
||||
AS
|
||||
BEGIN
|
||||
DECLARE @count int
|
||||
SELECT @count = COUNT(*) FROM EMPLOYEE WHERE USERID = @v_id AND PASSWORD = @v_password;
|
||||
return @count
|
||||
END
|
||||
|
||||
*/
|
||||
|
||||
Reference in New Issue
Block a user