diff --git a/pom.xml b/pom.xml
index 92f26f2ae..2c9880848 100644
--- a/pom.xml
+++ b/pom.xml
@@ -134,7 +134,7 @@
4.0.0
18.0
1.4.190
- 1.8.0.10
+ 2.3.2
1.3.1
2.6.3
2.6.3
diff --git a/webgoat-container/pom.xml b/webgoat-container/pom.xml
index 095d2fcfc..c67c21a8c 100644
--- a/webgoat-container/pom.xml
+++ b/webgoat-container/pom.xml
@@ -162,7 +162,7 @@
${h2.version}
- hsqldb
+ org.hsqldb
hsqldb
${hsqldb.version}
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/session/DatabaseUtilities.java b/webgoat-container/src/main/java/org/owasp/webgoat/session/DatabaseUtilities.java
index da57ca356..1d015ff3d 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/session/DatabaseUtilities.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/session/DatabaseUtilities.java
@@ -38,6 +38,7 @@ import java.util.Map;
* @version $Id: $Id
*/
//TODO: class we need to refactor to new structure, we can put the connection in the current session of the user
+ // start using jdbc template
public class DatabaseUtilities
{
diff --git a/webgoat-container/src/main/resources/db/changelog/db.changelog-master.xml b/webgoat-container/src/main/resources/db/changelog/db.changelog-master.xml
index f3b67826b..e2f25133e 100644
--- a/webgoat-container/src/main/resources/db/changelog/db.changelog-master.xml
+++ b/webgoat-container/src/main/resources/db/changelog/db.changelog-master.xml
@@ -6,9 +6,7 @@
-
-
-
+
diff --git a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/SolutionConstants.java b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/SolutionConstants.java
index 44a9a8012..a6a3418b7 100644
--- a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/SolutionConstants.java
+++ b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/SolutionConstants.java
@@ -8,6 +8,7 @@ package org.owasp.webgoat.plugin;
*/
public interface SolutionConstants {
+ //TODO should be random generated when starting the server
String PASSWORD = "!!webgoat_admin_1234!!";
String SUPER_COUPON_CODE = "get_it_for_free";
String PASSWORD_TOM = "thisisasecretfortomonly";
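Review bot: The new TODO covers only PASSWORD, yet the two constants that follow it are the same kind of hardcoded secret and a reader will assume they are meant to stay as they are. It also understates the change involved: a `String` field initialised from a literal in an interface is a compile-time constant, so the value is inlined into every class that references it and cannot simply be swapped for a value generated at server start without changing how callers obtain it. Suggest `//TODO generate PASSWORD, SUPER_COUPON_CODE and PASSWORD_TOM at server start; a literal here is a compile-time constant and is inlined into every referencing class, so this needs to become a runtime lookup rather than an interface constant`. The rest of SolutionConstants is outside the hunk.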
diff --git a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge4/Assignment4.java b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge4/Assignment4.java
index 4c3447aa8..5d11bb839 100644
--- a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge4/Assignment4.java
+++ b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge4/Assignment4.java
@@ -28,7 +28,8 @@ import static org.springframework.web.bind.annotation.RequestMethod.POST;
@Slf4j
public class Assignment4 extends AssignmentEndpoint {
- private static final String USERS_TABLE_NAME = "challenge_users_" + RandomStringUtils.randomAlphabetic(6);
+ //Make it more random at runtime (good luck guessing)
+ private static final String USERS_TABLE_NAME = "challenge_users_" + RandomStringUtils.randomAlphabetic(16);
@Autowired
private WebSession webSession;
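Review bot: The comment on the new USERS_TABLE_NAME line promises an unguessable name, but the convenience methods of commons-lang's RandomStringUtils draw from a shared java.util.Random instance rather than SecureRandom, so going from 6 to 16 characters enlarges the search space without making the suffix unpredictable. If unpredictability is the goal, pass a secure source through the overload that accepts one, `RandomStringUtils.random(16, 0, 0, true, false, null, new SecureRandom())`; if the suffix only needs to differ between restarts, reword the comment to say that instead of "good luck guessing". Assignment4 continues beyond this hunk.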
@@ -64,7 +65,7 @@ public class Assignment4 extends AssignmentEndpoint {
if (StringUtils.isEmpty(username_reg) || StringUtils.isEmpty(email_reg) || StringUtils.isEmpty(password_reg)) {
return failed().feedback("input.invalid").build();
}
- if (username_reg.length() > 30 || email_reg.length() > 30 || password_reg.length() > 30) {
+ if (username_reg.length() > 250 || email_reg.length() > 30 || password_reg.length() > 30) {
return failed().feedback("input.invalid").build();
}
return null;
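Review bot: The new 250 limit on username_reg is the same number as the `userid varchar(250)` column created in the checkDatabase hunk further down, but nothing ties the two together; if one is changed without the other, a registration that passes this check presumably fails at insert time. Name it once next to USERS_TABLE_NAME, `private static final int USERNAME_MAX_LENGTH = 250;`, then use `if (username_reg.length() > USERNAME_MAX_LENGTH || email_reg.length() > 30 || password_reg.length() > 30) {` here and `"userid varchar(" + USERNAME_MAX_LENGTH + "),"` in the DDL. The validating method starts before this hunk.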
@@ -76,17 +77,16 @@ public class Assignment4 extends AssignmentEndpoint {
Connection connection = DatabaseUtilities.getConnection(webSession);
checkDatabase(connection);
- if ("tom".equals(username_login)) {
- PreparedStatement statement = connection.prepareStatement("select password from " + USERS_TABLE_NAME + " where userid = ? and password = ?");
- statement.setString(1, username_login);
- statement.setString(2, password_login);
- ResultSet resultSet = statement.executeQuery();
+ PreparedStatement statement = connection.prepareStatement("select password from " + USERS_TABLE_NAME + " where userid = ? and password = ?");
+ statement.setString(1, username_login);
+ statement.setString(2, password_login);
+ ResultSet resultSet = statement.executeQuery();
- if (resultSet.next()) {
- return success().feedback("challenge.solved").feedbackArgs(Flag.FLAGS.get(4)).build();
- }
+ if (resultSet.next() && "tom".equals(username_login)) {
+ return success().feedback("challenge.solved").feedbackArgs(Flag.FLAGS.get(4)).build();
+ } else {
+ return failed().feedback("challenge.close").build();
}
- return failed().build();
}
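Review bot: The PreparedStatement and ResultSet created on the new lines are never closed on any return path, and because the query now runs for every login attempt rather than only for "tom", the leak is hit on every request instead of the rare one; wrapping both in try-with-resources fixes that without changing the outcome. The `challenge.close` feedback is also returned for a valid login of any other user, where its wording ("not the correct password for tom") does not apply, so either the message or the branch condition should be adjusted. The enclosing method starts before this hunk and its Connection is obtained outside the shown lines, so its lifetime is not addressed here.

```java
try (PreparedStatement statement = connection.prepareStatement("select password from " + USERS_TABLE_NAME + " where userid = ? and password = ?")) {
    statement.setString(1, username_login);
    statement.setString(2, password_login);
    try (ResultSet resultSet = statement.executeQuery()) {
        if (resultSet.next() && "tom".equals(username_login)) {
            return success().feedback("challenge.solved").feedbackArgs(Flag.FLAGS.get(4)).build();
        }
        return failed().feedback("challenge.close").build();
    }
}
```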
private void checkDatabase(Connection connection) throws SQLException {
@@ -107,10 +107,10 @@ public class Assignment4 extends AssignmentEndpoint {
} catch (SQLException e) {
log.info("Delete failed, this does not point to an error table might not have been present...");
}
-
+ log.debug("Challenge 4 - Creating tables for users {}", USERS_TABLE_NAME);
try {
String createTableStatement = "CREATE TABLE " + USERS_TABLE_NAME
- + " (" + "userid varchar(30),"
+ + " (" + "userid varchar(250),"
+ "email varchar(30),"
+ "password varchar(30)"
+ ")";
diff --git a/webgoat-lessons/challenge/src/main/resources/i18n/WebGoatLabels.properties b/webgoat-lessons/challenge/src/main/resources/i18n/WebGoatLabels.properties
index 0ff47dacb..0c9d885c8 100644
--- a/webgoat-lessons/challenge/src/main/resources/i18n/WebGoatLabels.properties
+++ b/webgoat-lessons/challenge/src/main/resources/i18n/WebGoatLabels.properties
@@ -4,6 +4,7 @@ challenge2.title=Get it for free
challenge3.title=Photo comments
challenge4.title=Creating a new account
challenge.solved=Congratulations, you solved the challenge. Here is your flag: {0}
+challenge.close=This is not the correct password for tom, please try again.
user.exists=User {0} already exists please try to register with a different username.
user.created=User {0} created, please proceed to the login page.