Add two more assignments for SQL injection where only filtering is applied.

This commit is contained in:
Nanne Baars
2020-04-13 15:17:43 +02:00
committed by Nanne Baars
parent 122cc323f2
commit 407e19638f
16 changed files with 341 additions and 75 deletions


@ -15,7 +15,7 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.
* @since 5/21/17.
*/
@RunWith(SpringJUnit4ClassRunner.class)
public class SqlInjectionLesson12aTest extends SqlLessonTest {
public class SqlInjectionLesson13Test extends SqlLessonTest {
@Test
public void knownAccountShouldDisplayData() throws Exception {


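--- /dev/null
+++ b/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywordsTest.java
@@ -0,0 +1,34 @@
+package org.owasp.webgoat.sql_injection.mitigation;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.owasp.webgoat.sql_injection.SqlLessonTest;
+import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
+import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
+import static org.hamcrest.Matchers.containsString;
+import static org.hamcrest.Matchers.is;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+@RunWith(SpringJUnit4ClassRunner.class)
+public class SqlOnlyInputValidationOnKeywordsTest extends SqlLessonTest {
+@Test
+public void solve() throws Exception {
+mockMvc.perform(MockMvcRequestBuilders.post("/SqlOnlyInputValidationOnKeywords/attack")
+.param("userid_sql_only_input_validation_on_keywords", "Smith';SESELECTLECT/**/*/**/FRFROMOM/**/user_system_data;--"))
+.andExpect(status().isOk())
+.andExpect(jsonPath("$.lessonCompleted", is(true)))
+.andExpect(jsonPath("$.feedback", containsString("passW0rD")));
+}
+@Test
+public void containsForbiddenSqlKeyword() throws Exception {
+mockMvc.perform(MockMvcRequestBuilders.post("/SqlOnlyInputValidationOnKeywords/attack")
+.param("userid_sql_only_input_validation_on_keywords", "Smith';SELECT/**/*/**/from/**/user_system_data;--"))
+.andExpect(status().isOk())
+.andExpect(jsonPath("$.lessonCompleted", is(false)))
+.andExpect(jsonPath("$.output", containsString("unexpected token: *<br> Your query was: SELECT * FROM user_data WHERE last_name = 'SMITH';\\\\\\/**\\\\\\/*\\\\\\/**\\\\\\/\\\\\\/**\\\\\\/USER_SYSTEM_DATA;--'")));
+}
+}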
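Review bot: The `$.output` assertion in `containsForbiddenSqlKeyword` pins the exact HSQLDB error text and a heavily escaped rendering of the rewritten query, so any change to the database's message format or to the response's escaping breaks a test whose real point is that the keyword filter stopped the extraction. The property worth pinning is that the stripped query did not leak the credential: keep the `$.lessonCompleted` false check and add `.andExpect(jsonPath("$.output", not(containsString("passW0rD"))))` (with `import static org.hamcrest.Matchers.not;`), reducing the message check to at most `containsString("unexpected token")`. The `solve` payload also deserves a why-comment above its `.param` call, because `SESELECTLECT` and `FRFROMOM` look like typos: `// Filter removes keywords once: stripping SELECT from SESELECTLECT leaves SELECT behind, so the stacked query still runs.` That the filter is single-pass is inferred from the payload completing the lesson; confirm against the lesson implementation, which is outside this diff.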


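--- /dev/null
+++ b/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationTest.java
@@ -0,0 +1,34 @@
+package org.owasp.webgoat.sql_injection.mitigation;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.owasp.webgoat.sql_injection.SqlLessonTest;
+import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
+import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
+import static org.hamcrest.Matchers.containsString;
+import static org.hamcrest.Matchers.is;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+@RunWith(SpringJUnit4ClassRunner.class)
+public class SqlOnlyInputValidationTest extends SqlLessonTest {
+@Test
+public void solve() throws Exception {
+mockMvc.perform(MockMvcRequestBuilders.post("/SqlOnlyInputValidation/attack")
+.param("userid_sql_only_input_validation", "Smith';SELECT/**/*/**/from/**/user_system_data;--"))
+.andExpect(status().isOk())
+.andExpect(jsonPath("$.lessonCompleted", is(true)))
+.andExpect(jsonPath("$.feedback", containsString("passW0rD")));
+}
+@Test
+public void containsSpace() throws Exception {
+mockMvc.perform(MockMvcRequestBuilders.post("/SqlOnlyInputValidation/attack")
+.param("userid_sql_only_input_validation", "Smith' ;SELECT from user_system_data;--"))
+.andExpect(status().isOk())
+.andExpect(jsonPath("$.lessonCompleted", is(false)))
+.andExpect(jsonPath("$.feedback", containsString("Using spaces is not allowed!")));
+}
+}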
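Review bot: `solve` replaces every space in the payload with `/**/`, but nothing says that this substitution is the point of the test, so the bypass reads as noise next to `containsSpace`; add above its `.param` call: `// Inline comments (/**/) serve as token separators, so a filter that only rejects literal spaces still lets the stacked query through.` The two cases also leave the filter's scope unverified: only a literal space is shown to be rejected, and whether a tab or newline in the same position is rejected or passes through is not tested, so a case sending `"Smith';SELECT\t*\tfrom\tuser_system_data;--"` would document which whitespace the lesson intends to block — the expected outcome depends on the filter implementation, which is outside this diff. Both new test classes repeat the same four-line MockMvc scaffold; a private helper `perform(String payload)` returning the `ResultActions` would shorten the tests without changing what they assert.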