Add two more assignments for SQL injection where only filtering is applied.

2020-04-13 15:17:43 +02:00
parent 122cc323f2
commit 407e19638f
16 changed files with 341 additions and 75 deletions
--- a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/IntegrationTest.java
+++ b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/IntegrationTest.java
@ -227,14 +227,9 @@ public abstract class IntegrationTest {
                        .extract().path("lessonCompleted"), CoreMatchers.is(expectedResult));
    }

+    //TODO is prefix useful? not every lesson endpoint needs to start with a certain prefix (they are only required to be in the same package)
    public void checkResults(String prefix) {
-        Assert.assertThat(RestAssured.given()
-                .when()
-                .relaxedHTTPSValidation()
-                .cookie("JSESSIONID", getWebGoatCookie())
-                .get(url("service/lessonoverview.mvc"))
-                .then()
-                .statusCode(200).extract().jsonPath().getList("solved"), CoreMatchers.everyItem(CoreMatchers.is(true)));
+        checkResults();

        Assert.assertThat(RestAssured.given()
                .when()
@ -246,6 +241,16 @@ public abstract class IntegrationTest {

    }

+    public void checkResults() {
+        Assert.assertThat(RestAssured.given()
+                .when()
+                .relaxedHTTPSValidation()
+                .cookie("JSESSIONID", getWebGoatCookie())
+                .get(url("service/lessonoverview.mvc"))
+                .then()
+                .statusCode(200).extract().jsonPath().getList("solved"), CoreMatchers.everyItem(CoreMatchers.is(true)));
+    }
+
    public void checkAssignment(String url, ContentType contentType, String body, boolean expectedResult) {
        Assert.assertThat(
                RestAssured.given()
--- a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/SqlInjectionMitigationTest.java
+++ b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/SqlInjectionMitigationTest.java
@ -38,6 +38,14 @@ public class SqlInjectionMitigationTest extends IntegrationTest {
                "}");
        checkAssignment(url("/WebGoat/SqlInjectionMitigations/attack10b"), params, true);

+        params.clear();
+        params.put("userid_sql_only_input_validation", "Smith';SELECT/**/*/**/from/**/user_system_data;--");
+        checkAssignment(url("/WebGoat/SqlOnlyInputValidation/attack"), params, true);
+
+        params.clear();
+        params.put("userid_sql_only_input_validation_on_keywords", "Smith';SESELECTLECT/**/*/**/FRFROMOM/**/user_system_data;--");
+        checkAssignment(url("/WebGoat/SqlOnlyInputValidationOnKeywords/attack"), params, true);
+
        RestAssured.given()
                .when().relaxedHTTPSValidation().cookie("JSESSIONID", getWebGoatCookie())
                .contentType(ContentType.JSON)
@ -57,7 +65,6 @@ public class SqlInjectionMitigationTest extends IntegrationTest {
        params.put("ip", "104.130.219.202");
        checkAssignment(url("/WebGoat/SqlInjectionMitigations/attack12a"), params, true);

-        checkResults("/SqlInjectionMitigations/");
-
+        checkResults();
    }
 }