Corrected typos and poor grammar found in the SQL Injection lessons.

This commit is contained in:
unknown 2021-04-10 11:42:38 -04:00 committed by Nanne Baars
parent e49f5d610f
commit 38f1d52bf3
5 changed files with 9 additions and 9 deletions

View File

@ -1,7 +1,7 @@
== Input validation alone is not enough!! == Input validation alone is not enough!!
You need to do both use parametrized queries and validate the input received from the user. On StackOverflow you will You need to do both, use parametrized queries and validate the input received from the user. On StackOverflow you will
see alot of answers stating that input validation is enough. *However* it only takes you so far before you know it see a lot of answers stating that input validation is enough. *However* it only takes you so far before you know
the validation is broken, and you have an SQL injection in your application. the validation is broken, and you have an SQL injection in your application.
A nice read why it is not enough can be found https://twitter.com/marcan42/status/1238004834806067200?s=21 A nice read why it is not enough can be found https://twitter.com/marcan42/status/1238004834806067200?s=21
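Review bot: The comma inserted in "You need to do both, use parametrized queries and validate the input" still leaves a comma splice; a colon reads correctly here: "You need to do both: use parameterized queries and validate the input received from the user." Note also that this hunk keeps "an SQL injection" while the third file in this commit changes "an SQL injection" to "a SQL injection"; pick one form ("a SQL injection" if it is read as "sequel", "an SQL injection" if read letter by letter) and apply it across all five files so the lessons are consistent.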

View File

@ -38,10 +38,10 @@ SELECT * FROM users ORDER BY (CASE WHEN (TRUE) THEN lastname ELSE firstname)
---- ----
So we can substitute any kind of boolean operation in the `when(....)` part. The statement will just work because So we can substitute any kind of boolean operation in the `when(....)` part. The statement will just work because
it is a valid query whether you use a prepared statement or not an order by clause can by definition contain a it is a valid query whether you use a prepared statement or not. An order by clause can by definition contain an
expression. expression.
=== Mitigation === Mitigation
If you need to provide a sorting column in your web application you should implement a whitelist to validate the value If you need to provide a sorting column in your web application you should implement a whitelist to validate the value
of the `order by` statement it should always be limited to something like 'first name' or 'last name'. of the `order by` statement. It should always be limited to something like 'first name' or 'last name'.

View File

@ -1,5 +1,5 @@
== Try it! Writing safe code == Try it! Writing safe code
You can see some code down below, but the code is incomplete. Complete the code, so that is no longer vulnerable for an SQL injection! Use the classes and methods you have learned before. You can see some code down below, but the code is incomplete. Complete the code, so that it's no longer vulnerable to a SQL injection! Use the classes and methods you have learned before.
The code has to retrieve the status of the user based on the name and the mail address of the user. Both the name and the mail are in the string format. The code has to retrieve the status of the user based on the name and the mail address of the user. Both the name and the mail are in the string format.
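Review bot: The second line of this hunk is left untouched but still reads awkwardly: "the mail address of the user" and "Both the name and the mail are in the string format" should become "the email address of the user" and "Both the name and the email address are strings." While "a SQL injection" is fine, this is the only file in the commit that uses it; the other four keep "an SQL injection", so the article should be made consistent across the lessons.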

View File

@ -12,11 +12,11 @@ Your task is to use JDBC to connect to a database and request data from it.
*Some tips before you start:* + *Some tips before you start:* +
For connecting to the database, you can simply assume the constants *DBURL*, *DBUSER* and *DBPW* as given. + For connecting to the database, you can simply assume the constants *DBURL*, *DBUSER* and *DBPW* as given. +
The content of your query does not matter, as long as the SQL is valid and meets the requirements. + The content of your query does not matter, as long as the SQL is valid and meets the requirements. +
All the code you write gets inserted into the main method of a java class with the name "TestClass" that already imports *java.sql.** for your. All the code you write gets inserted into the main method of a Java class with the name "TestClass" that already imports *java.sql.** for you.
Not creative enough to think of your own query? How about you try to retrieve the data for a user with a specific name from a fictional database table called *users*. Not creative enough to think of your own query? How about you try to retrieve the data of a user with a specific name from a fictional database table called *users*.
For example; following coding would compile without any error (but of course does not meet the requirements to complete this lesson). For example; the following code would compile without any error (but of course does not meet the requirements to complete this lesson).
[source,java] [source,java]
------------------------------------------------------- -------------------------------------------------------
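Review bot: "For example; the following code" still uses a semicolon where a comma is needed: "For example, the following code would compile without any error". Separately, the markup `*java.sql.**` mixes AsciiDoc bold delimiters with the literal `*` of the wildcard import; please check the rendered output, and if the trailing asterisk renders incorrectly, escape the wildcard or wrap the import in backticks (`java.sql.*`) instead of bold.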

View File

@ -2,4 +2,4 @@ In this assignment try to perform an SQL injection through the ORDER BY field.
Try to find the ip address of the `webgoat-prd` server, guessing the complete Try to find the ip address of the `webgoat-prd` server, guessing the complete
ip address might take too long so we give you the last part: `xxx.130.219.202` ip address might take too long so we give you the last part: `xxx.130.219.202`
Note: The submit field of this assignment is *NOT* vulnerable for an SQL injection. Note: The submit field of this assignment is *NOT* vulnerable to an SQL injection.
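Review bot: The first two lines of this hunk are unchanged but carry the same kind of issues the commit sets out to fix: "ip address" should be "IP address" (twice), and "guessing the complete ip address might take too long so we give you the last part" needs a comma before "so" (or a full stop after "server"). The changed line uses "an SQL injection", matching the first file but not the third; see the earlier note on choosing one article throughout.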