Add two more assignments for SQL injection where only filtering is applied.
@ -15,7 +15,7 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.
* @since 5/21/17.
*/
@RunWith(SpringJUnit4ClassRunner.class)
public class SqlInjectionLesson12aTest extends SqlLessonTest {
public class SqlInjectionLesson13Test extends SqlLessonTest {
@Test
public void knownAccountShouldDisplayData() throws Exception {
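--- /dev/null
+++ b/PATH-NOT-ON-PAGE/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywordsTest.java
@@ -0,0 +1,34 @@
+package org.owasp.webgoat.sql_injection.mitigation;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.owasp.webgoat.sql_injection.SqlLessonTest;
+import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
+import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
+
+import static org.hamcrest.Matchers.containsString;
+import static org.hamcrest.Matchers.is;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+
+@RunWith(SpringJUnit4ClassRunner.class)
+public class SqlOnlyInputValidationOnKeywordsTest extends SqlLessonTest {
+
+    @Test
+    public void solve() throws Exception {
+        mockMvc.perform(MockMvcRequestBuilders.post("/SqlOnlyInputValidationOnKeywords/attack")
+                .param("userid_sql_only_input_validation_on_keywords", "Smith';SESELECTLECT/**/*/**/FRFROMOM/**/user_system_data;--"))
+                .andExpect(status().isOk())
+                .andExpect(jsonPath("$.lessonCompleted", is(true)))
+                .andExpect(jsonPath("$.feedback", containsString("passW0rD")));
+    }
+
+    @Test
+    public void containsForbiddenSqlKeyword() throws Exception {
+        mockMvc.perform(MockMvcRequestBuilders.post("/SqlOnlyInputValidationOnKeywords/attack")
+                .param("userid_sql_only_input_validation_on_keywords", "Smith';SELECT/**/*/**/from/**/user_system_data;--"))
+                .andExpect(status().isOk())
+                .andExpect(jsonPath("$.lessonCompleted", is(false)))
+                .andExpect(jsonPath("$.output", containsString("unexpected token: *<br> Your query was: SELECT * FROM user_data WHERE last_name = 'SMITH';\\\\\\/**\\\\\\/*\\\\\\/**\\\\\\/\\\\\\/**\\\\\\/USER_SYSTEM_DATA;--'")));
+    }
+}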
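Review bot: The `$.output` assertion in containsForbiddenSqlKeyword pins the exact database error text together with the echoed, escape-mangled query (`\\\\\\/**...`), so any change in the database engine, the keyword filter's rewriting, or the HTML escaping of the output breaks the test without indicating a regression in the mitigation. What the test must prove is that the filtered payload did not extract the credential, which `$.lessonCompleted` already covers on the preceding line; replacing the last matcher with `.andExpect(jsonPath("$.output", not(containsString("passW0rD"))))` (with `not` added to the `org.hamcrest.Matchers` static imports), optionally alongside `containsString("unexpected token")`, keeps the intent and drops the brittle string. Neither this class nor SqlOnlyInputValidationTest pins the normal lookup path with a benign value such as `Smith`, so a change that breaks legitimate queries while still letting the bypass payload through would go unnoticed by both suites; one positive-control test per class would close that gap.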
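--- /dev/null
+++ b/PATH-NOT-ON-PAGE/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationTest.java
@@ -0,0 +1,34 @@
+package org.owasp.webgoat.sql_injection.mitigation;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.owasp.webgoat.sql_injection.SqlLessonTest;
+import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
+import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
+
+import static org.hamcrest.Matchers.containsString;
+import static org.hamcrest.Matchers.is;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+
+@RunWith(SpringJUnit4ClassRunner.class)
+public class SqlOnlyInputValidationTest extends SqlLessonTest {
+
+    @Test
+    public void solve() throws Exception {
+        mockMvc.perform(MockMvcRequestBuilders.post("/SqlOnlyInputValidation/attack")
+                .param("userid_sql_only_input_validation", "Smith';SELECT/**/*/**/from/**/user_system_data;--"))
+                .andExpect(status().isOk())
+                .andExpect(jsonPath("$.lessonCompleted", is(true)))
+                .andExpect(jsonPath("$.feedback", containsString("passW0rD")));
+    }
+
+    @Test
+    public void containsSpace() throws Exception {
+        mockMvc.perform(MockMvcRequestBuilders.post("/SqlOnlyInputValidation/attack")
+                .param("userid_sql_only_input_validation", "Smith' ;SELECT from user_system_data;--"))
+                .andExpect(status().isOk())
+                .andExpect(jsonPath("$.lessonCompleted", is(false)))
+                .andExpect(jsonPath("$.feedback", containsString("Using spaces is not allowed!")));
+    }
+}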
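Review bot: The endpoint path `/SqlOnlyInputValidation/attack` and the parameter name `userid_sql_only_input_validation` are repeated as literals in both solve and containsSpace, so a rename of the assignment has to be tracked in every test method; SqlOnlyInputValidationOnKeywordsTest duplicates its own pair the same way. Hoisting them to `private static final String ATTACK_URL = "/SqlOnlyInputValidation/attack";` and `private static final String USERID_PARAM = "userid_sql_only_input_validation";` leaves each test reading as a single statement about its input and the expected verdict. A one-line Javadoc on the class naming the mitigation under test would also help readers; from containsSpace it appears to be a space-rejecting input check, but the lesson class is not part of this commit, so that wording should be confirmed against it.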