From 38f1d52bf38d4f075a6830c025c1d2cf54e608c8 Mon Sep 17 00:00:00 2001 From: unknown Date: Sat, 10 Apr 2021 11:42:38 -0400 Subject: [PATCH] Corrected typos and poor grammar found in the SQL Injection lessons. --- .../resources/lessonPlans/en/SqlInjection_content12a.adoc | 4 ++-- .../resources/lessonPlans/en/SqlInjection_content13.adoc | 4 ++-- .../lessonPlans/en/SqlInjection_jdbc_completion.adoc | 2 +- .../resources/lessonPlans/en/SqlInjection_jdbc_newcode.adoc | 6 +++--- .../resources/lessonPlans/en/SqlInjection_order_by.adoc | 2 +- 5 files changed, 9 insertions(+), 9 deletions(-) diff --git a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content12a.adoc b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content12a.adoc index 7c06661d1..e7fb9721b 100644 --- a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content12a.adoc +++ b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content12a.adoc @@ -1,7 +1,7 @@ == Input validation alone is not enough!! -You need to do both use parametrized queries and validate the input received from the user. On StackOverflow you will -see alot of answers stating that input validation is enough. *However* it only takes you so far before you know it +You need to do both, use parametrized queries and validate the input received from the user. On StackOverflow you will +see a lot of answers stating that input validation is enough. *However* it only takes you so far before you know the validation is broken, and you have an SQL injection in your application. A nice read why it is not enough can be found https://twitter.com/marcan42/status/1238004834806067200?s=21 diff --git a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content13.adoc b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content13.adoc index 22e79ab66..749459d10 100644 
--- a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content13.adoc +++ b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content13.adoc @@ -38,10 +38,10 @@ SELECT * FROM users ORDER BY (CASE WHEN (TRUE) THEN lastname ELSE firstname) ---- So we can substitute any kind of boolean operation in the `when(....)` part. The statement will just work because -it is a valid query whether you use a prepared statement or not an order by clause can by definition contain a +it is a valid query whether you use a prepared statement or not. An order by clause can by definition contain an expression. === Mitigation If you need to provide a sorting column in your web application you should implement a whitelist to validate the value -of the `order by` statement it should always be limited to something like 'first name' or 'last name'. +of the `order by` statement. It should always be limited to something like 'first name' or 'last name'. diff --git a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_jdbc_completion.adoc b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_jdbc_completion.adoc index dbf7ce2f8..1a65e1288 100644 --- a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_jdbc_completion.adoc +++ b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_jdbc_completion.adoc 
@@ -1,5 +1,5 @@ == Try it! Writing safe code -You can see some code down below, but the code is incomplete. Complete the code, so that is no longer vulnerable for an SQL injection! Use the classes and methods you have learned before. +You can see some code down below, but the code is incomplete. Complete the code, so that it's no longer vulnerable to a SQL injection! Use the classes and methods you have learned before. The code has to retrieve the status of the user based on the name and the mail address of the user. Both the name and the mail are in the string format. diff --git a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_jdbc_newcode.adoc b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_jdbc_newcode.adoc index 94ba8e436..1aa707560 100644 --- a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_jdbc_newcode.adoc +++ b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_jdbc_newcode.adoc 
@@ -12,11 +12,11 @@ Your task is to use JDBC to connect to a database and request data from it. *Some tips before you start:* + For connecting to the database, you can simply assume the constants *DBURL*, *DBUSER* and *DBPW* as given. + The content of your query does not matter, as long as the SQL is valid and meets the requirements. + -All the code you write gets inserted into the main method of a java class with the name "TestClass" that already imports *java.sql.** for your. +All the code you write gets inserted into the main method of a Java class with the name "TestClass" that already imports *java.sql.** for you. -Not creative enough to think of your own query? How about you try to retrieve the data for a user with a specific name from a fictional database table called *users*. +Not creative enough to think of your own query? How about you try to retrieve the data of a user with a specific name from a fictional database table called *users*. -For example; following coding would compile without any error (but of course does not meet the requirements to complete this lesson). +For example; the following code would compile without any error (but of course does not meet the requirements to complete this lesson). [source,java] ------------------------------------------------------- diff --git a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_order_by.adoc b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_order_by.adoc index 6e8ff54e0..e654687f0 100644 --- a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_order_by.adoc +++ b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_order_by.adoc 
@@ -2,4 +2,4 @@ In this assignment try to perform an SQL injection through the ORDER BY field. Try to find the ip address of the `webgoat-prd` server, guessing the complete ip address might take too long so we give you the last part: `xxx.130.219.202` -Note: The submit field of this assignment is *NOT* vulnerable for an SQL injection. \ No newline at end of file +Note: The submit field of this assignment is *NOT* vulnerable to an SQL injection. \ No newline at end of file
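Review bot: the rewritten first line of SqlInjection_content12a.adoc still reads as a comma splice: "You need to do both, use parametrized queries and validate the input received from the user." A colon makes the two-part instruction unambiguous: "You need to do both: use parameterized queries and validate the input received from the user." While this paragraph is being touched, the unchanged line "A nice read why it is not enough can be found https://twitter.com/..." is missing a word; "can be found at https://..." fixes it.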
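Review bot: the SqlInjection_content13.adoc hunk fixes the run-on correctly, but the hunk header's context line shows the CASE expression without its closing END: `ORDER BY (CASE WHEN (TRUE) THEN lastname ELSE firstname)`. That line is outside this hunk, yet the lesson tells the reader the statement "will just work", so the displayed SQL should itself be valid; consider `CASE WHEN (TRUE) THEN lastname ELSE firstname END` in a follow-up. In the mitigation line, "whitelist" could become "allow list" to match the wording now commonly used for this control.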
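Review bot: the SqlInjection_jdbc_completion.adoc hunk changes "vulnerable for an SQL injection" to "vulnerable to a SQL injection", while the SqlInjection_order_by.adoc hunk in the same patch keeps "an SQL injection" and the content12a hunk keeps "you have an SQL injection". Either article is defensible (it depends on whether SQL is read as "sequel" or spelled out), but the lesson set should use one form consistently; pick one and apply it across all five files. The unchanged context "Both the name and the mail are in the string format" would read better as "Both the name and the mail address are strings."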
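Review bot: in the SqlInjection_jdbc_newcode.adoc hunk, "For example; the following code would compile without any error" keeps the semicolon after "For example", which should be a comma: "For example, the following code would compile without any error". The "for your" → "for you", "java" → "Java" and "data for a user" → "data of a user" corrections are fine as written.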
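Review bot: the SqlInjection_order_by.adoc hunk leaves "\ No newline at end of file" on both the removed and the added line; since the last line is being rewritten anyway, add the trailing newline so later diffs of this file stay clean. The unchanged line above it is a comma splice with lowercase "ip" ("Try to find the ip address of the `webgoat-prd` server, guessing the complete ip address might take too long so we give you the last part"); splitting it after "server." and writing "IP address" would match the rest of the corrections in this patch.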