dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Deleted old assignments (introduction) and added tests for the new ones

Browse Source
This commit is contained in:
Benedikt - Desktop 2018-11-07 13:31:29 +01:00 committed by Nanne Baars
parent 46e71a8bcd
commit 41998a0143
7 changed files with 313 additions and 259 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/advanced/SqlInjectionLesson6a.java
View File

@ -5,7 +5,7 @@ import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AssignmentHints; import org.owasp.webgoat.assignments.AssignmentHints;
import org.owasp.webgoat.assignments.AssignmentPath; import org.owasp.webgoat.assignments.AssignmentPath;
import org.owasp.webgoat.assignments.AttackResult; import org.owasp.webgoat.assignments.AttackResult;
import org.owasp.webgoat.plugin.introduction.SqlInjectionLesson5a; import org.owasp.webgoat.plugin.introduction.SqlInjectionLesson8;
import org.owasp.webgoat.session.DatabaseUtilities; import org.owasp.webgoat.session.DatabaseUtilities;
import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod; import org.springframework.web.bind.annotation.RequestMethod;
@ -72,7 +72,7 @@ public class SqlInjectionLesson6a extends AssignmentEndpoint {
ResultSetMetaData resultsMetaData = results.getMetaData(); ResultSetMetaData resultsMetaData = results.getMetaData();
StringBuffer output = new StringBuffer(); StringBuffer output = new StringBuffer();
output.append(SqlInjectionLesson5a.writeTable(results, resultsMetaData)); output.append(SqlInjectionLesson8.generateTable(results));
if(! (query.toLowerCase().contains("union") || query.toLowerCase().contains("join")) ) if(! (query.toLowerCase().contains("union") || query.toLowerCase().contains("join")) )
output.append("There is also a way to retrieve the Data by using a UNION or JOIN. Can you figure out, how this is done?"); output.append("There is also a way to retrieve the Data by using a UNION or JOIN. Can you figure out, how this is done?");
results.last(); results.last();

128
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson5a.java
View File

@ -1,128 +0,0 @@
package org.owasp.webgoat.plugin.introduction;
import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AssignmentHints;
import org.owasp.webgoat.assignments.AssignmentPath;
import org.owasp.webgoat.assignments.AttackResult;
import org.owasp.webgoat.session.DatabaseUtilities;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
import java.io.IOException;
import java.sql.*;
/***************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
*
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* projects.
*
* For details, please see http://webgoat.github.io
*
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @created October 28, 2003
*/
@AssignmentPath("/SqlInjection/attack5a")
@AssignmentHints(value = {"SqlStringInjectionHint5a1", "SqlStringInjectionHint5a2", "SqlStringInjectionHint5a3", "SqlStringInjectionHint5a4", "SqlStringInjectionHint5a5"})
public class SqlInjectionLesson5a extends AssignmentEndpoint {
@RequestMapping(method = RequestMethod.POST)
public
@ResponseBody
AttackResult completed(@RequestParam String account) {
return injectableQuery(account);
}
protected AttackResult injectableQuery(String accountName) {
try {
Connection connection = DatabaseUtilities.getConnection(getWebSession());
String query = "SELECT userid, first_name, last_name, CC_Number, CC_Type, Cookie, Login_Count FROM user_data WHERE last_name = '" + accountName + "'";
try {
Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,
ResultSet.CONCUR_READ_ONLY);
ResultSet results = statement.executeQuery(query);
if ((results != null) && (results.first())) {
ResultSetMetaData resultsMetaData = results.getMetaData();
StringBuffer output = new StringBuffer();
output.append(writeTable(results, resultsMetaData));
results.last();
// If they get back more than one user they succeeded
if (results.getRow() >= 6) {
return trackProgress(success().feedback("sql-injection.5a.success").feedbackArgs(output.toString()).build());
} else {
return trackProgress(failed().output(output.toString()).build());
}
} else {
return trackProgress(failed().feedback("sql-injection.5a.no.results").build());
}
} catch (SQLException sqle) {
return trackProgress(failed().output(sqle.getMessage()).build());
}
} catch (Exception e) {
return trackProgress(failed().output(this.getClass().getName() + " : " + e.getMessage()).build());
}
}
public static String writeTable(ResultSet results, ResultSetMetaData resultsMetaData) throws IOException,
SQLException {
int numColumns = resultsMetaData.getColumnCount();
results.beforeFirst();
StringBuffer t = new StringBuffer();
t.append("<p>");
if (results.next()) {
for (int i = 1; i < (numColumns + 1); i++) {
t.append(resultsMetaData.getColumnName(i));
t.append(", ");
}
t.append("<br />");
results.beforeFirst();
while (results.next()) {
for (int i = 1; i < (numColumns + 1); i++) {
t.append(results.getString(i));
t.append(", ");
}
t.append("<br />");
}
} else {
t.append("Query Successful; however no data was returned from this query.");
}
t.append("</p>");
return (t.toString());
}
}

98
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson5b.java
View File

@ -1,98 +0,0 @@
package org.owasp.webgoat.plugin.introduction;
import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AssignmentHints;
import org.owasp.webgoat.assignments.AssignmentPath;
import org.owasp.webgoat.assignments.AttackResult;
import org.owasp.webgoat.session.DatabaseUtilities;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;
import java.sql.*;
/***************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
*
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* projects.
*
* For details, please see http://webgoat.github.io
*
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @created October 28, 2003
*/
@AssignmentPath("/SqlInjection/attack5b")
@AssignmentHints(value = {"SqlStringInjectionHint5b1", "SqlStringInjectionHint5b2", "SqlStringInjectionHint5b3", "SqlStringInjectionHint5b4"})
public class SqlInjectionLesson5b extends AssignmentEndpoint {
@RequestMapping(method = RequestMethod.POST)
public
@ResponseBody
AttackResult completed(@RequestParam String userid, @RequestParam String login_count, HttpServletRequest request) throws IOException {
return injectableQuery(login_count, userid);
}
protected AttackResult injectableQuery(String login_count, String accountName) {
try {
Connection connection = DatabaseUtilities.getConnection(getWebSession());
String query = "SELECT * FROM user_data WHERE Login_Count = " + login_count + " and userid = " + accountName;
System.err.println("Querry: " + query);
try {
Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,
ResultSet.CONCUR_READ_ONLY);
ResultSet results = statement.executeQuery(query);
if ((results != null) && (results.first() == true)) {
ResultSetMetaData resultsMetaData = results.getMetaData();
StringBuffer output = new StringBuffer();
output.append(SqlInjectionLesson5a.writeTable(results, resultsMetaData));
results.last();
// If they get back more than one user they succeeded
if (results.getRow() >= 6) {
return trackProgress(success().feedback("sql-injection.5b.success").feedbackArgs(output.toString()).build());
} else {
return trackProgress(failed().output(output.toString()).build());
}
} else {
return trackProgress(failed().feedback("sql-injection.5b.no.results").build());
// output.append(getLabelManager().get("NoResultsMatched"));
}
} catch (SQLException sqle) {
return trackProgress(failed().output(sqle.getMessage()).build());
}
} catch (Exception e) {
e.printStackTrace();
return trackProgress(failed().output(this.getClass().getName() + " : " + e.getMessage()).build());
}
}
}

8
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson9.java
View File

@ -36,8 +36,14 @@ public class SqlInjectionLesson9 extends AssignmentEndpoint {
SqlInjectionLesson8.log(connection, query); SqlInjectionLesson8.log(connection, query);
ResultSet results = statement.executeQuery(query); ResultSet results = statement.executeQuery(query);
if (results.getStatement() != null && results.first()) { if (results.getStatement() != null) {
if (results.first()) {
output.append(SqlInjectionLesson8.generateTable(results)); output.append(SqlInjectionLesson8.generateTable(results));
} else {
// no results
return trackProgress(failed().feedback("sql-injection.8.no.results").build());
}
} }
} catch (SQLException e) { } catch (SQLException e) {
System.err.println(e.getMessage()); System.err.println(e.getMessage());

75
webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson10Test.java Normal file
View File

@ -0,0 +1,75 @@
package org.owasp.webgoat.plugin.introduction;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.owasp.webgoat.plugins.LessonTest;
import org.owasp.webgoat.session.WebgoatContext;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
import java.sql.SQLException;
import static org.hamcrest.CoreMatchers.containsString;
import static org.hamcrest.CoreMatchers.is;
import static org.mockito.Mockito.when;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
/**
* @author Benedikt Stuhrmann
* @since 11/07/18.
*/
@RunWith(SpringJUnit4ClassRunner.class)
public class SqlInjectionLesson10Test extends LessonTest {
@Autowired
private WebgoatContext context;
private String completedError = "JSON path \"lessonCompleted\"";
@Before
public void setup() {
SqlInjection sql = new SqlInjection();
when(webSession.getCurrentLesson()).thenReturn(sql);
when(webSession.getWebgoatContext()).thenReturn(context);
this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
}
@Test
public void tableExistsIsFailure() throws Exception {
try {
mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/attack10")
.param("action", ""))
.andExpect(status().isOk())
.andExpect(jsonPath("lessonCompleted", is(false)))
.andExpect(jsonPath("$.feedback", is(this.modifySpan(messages.getMessage("sql-injection.10.entries")))));
} catch (AssertionError e) {
if (!e.getMessage().contains(completedError)) throw e;
mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/attack10")
.param("action", ""))
.andExpect(status().isOk())
.andExpect(jsonPath("lessonCompleted", is(true)))
.andExpect(jsonPath("$.feedback", is(this.modifySpan(messages.getMessage("sql-injection.10.success")))));
}
}
@Test
public void tableMissingIsSuccess() throws Exception {
mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/attack10")
.param("action", "%'; DROP TABLE access_log;--"))
.andExpect(status().isOk())
.andExpect(jsonPath("lessonCompleted", is(true)))
.andExpect(jsonPath("$.feedback", is(this.modifySpan(messages.getMessage("sql-injection.10.success")))));
}
private String modifySpan(String message) {
return message.replace("</span>", "<\\/span>");
}
}

78
webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson5aTest.java → webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson8Test.java
View File

@ -17,17 +17,17 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status; import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
/** /**
* @author nbaars * @author Benedikt Stuhrmann
* @since 5/21/17. * @since 11/07/18.
*/ */
@RunWith(SpringJUnit4ClassRunner.class) @RunWith(SpringJUnit4ClassRunner.class)
public class SqlInjectionLesson5aTest extends LessonTest { public class SqlInjectionLesson8Test extends LessonTest {
@Autowired @Autowired
private WebgoatContext context; private WebgoatContext context;
@Before @Before
public void setup() throws Exception { public void setup() {
SqlInjection sql = new SqlInjection(); SqlInjection sql = new SqlInjection();
when(webSession.getCurrentLesson()).thenReturn(sql); when(webSession.getCurrentLesson()).thenReturn(sql);
when(webSession.getWebgoatContext()).thenReturn(context); when(webSession.getWebgoatContext()).thenReturn(context);
@ -35,46 +35,66 @@ public class SqlInjectionLesson5aTest extends LessonTest {
} }
@Test @Test
public void knownAccountShouldDisplayData() throws Exception { public void oneAccount() throws Exception {
mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/attack5a") mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/attack8")
.param("account", "Smith")) .param("name", "Smith")
.param("auth_tan", "3SL99A"))
.andExpect(status().isOk()) .andExpect(status().isOk())
.andExpect(jsonPath("lessonCompleted", is(false))) .andExpect(jsonPath("lessonCompleted", is(false)))
.andExpect(jsonPath("$.feedback", is(messages.getMessage("assignment.not.solved")))) .andExpect(jsonPath("$.feedback", is(this.modifySpan(messages.getMessage("sql-injection.8.one")))))
.andExpect(jsonPath("$.output", containsString("<p>USERID, FIRST_NAME"))); .andExpect(jsonPath("$.output", containsString("<table><tr><th>")));
} }
@Test @Test
public void unknownAccount() throws Exception { public void multipleAccounts() throws Exception {
mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/attack5a") mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/attack8")
.param("account", "Smithh")) .param("name", "Smith")
.param("auth_tan", "3SL99A' OR '1' = '1"))
.andExpect(status().isOk())
.andExpect(jsonPath("lessonCompleted", is(false)))
.andExpect(jsonPath("$.feedback", is(messages.getMessage("NoResultsMatched"))))
.andExpect(jsonPath("$.output").doesNotExist());
}
@Test
public void sqlInjection() throws Exception {
mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/attack5a")
.param("account", "smith' OR '1' = '1"))
.andExpect(status().isOk()) .andExpect(status().isOk())
.andExpect(jsonPath("lessonCompleted", is(true))) .andExpect(jsonPath("lessonCompleted", is(true)))
.andExpect(jsonPath("$.feedback", containsString("You have succeeded"))) .andExpect(jsonPath("$.feedback", is(this.modifySpan(messages.getMessage("sql-injection.8.success")))))
.andExpect(jsonPath("$.output", containsString("<tr><td>96134<\\/td><td>Bob<\\/td><td>Franco<\\/td><td>Marketing<\\/td><td>83700<\\/td><td>LO9S2V<\\/td><\\/tr>")));
}
@Test
public void wrongNameReturnsNoAccounts() throws Exception {
mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/attack8")
.param("name", "Smithh")
.param("auth_tan", "3SL99A"))
.andExpect(status().isOk())
.andExpect(jsonPath("lessonCompleted", is(false)))
.andExpect(jsonPath("$.feedback", is(this.modifySpan(messages.getMessage("sql-injection.8.no.results")))))
.andExpect(jsonPath("$.output").doesNotExist()); .andExpect(jsonPath("$.output").doesNotExist());
} }
@Test @Test
public void sqlInjectionWrongShouldDisplayError() throws Exception { public void wrongTANReturnsNoAccounts() throws Exception {
mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/attack5a") mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/attack8")
.param("account", "smith' OR '1' = '1'")) .param("name", "Smithh")
.param("auth_tan", ""))
.andExpect(status().isOk()) .andExpect(status().isOk())
.andExpect(jsonPath("lessonCompleted", is(false))) .andExpect(jsonPath("lessonCompleted", is(false)))
.andExpect(jsonPath("$.feedback", containsString(messages.getMessage("assignment.not.solved")))) .andExpect(jsonPath("$.feedback", is(this.modifySpan(messages.getMessage("sql-injection.8.no.results")))))
.andExpect(jsonPath("$.output", is("malformed string: '1''"))); .andExpect(jsonPath("$.output").doesNotExist());
}
@Test
public void malformedQueryReturnsError() throws Exception {
mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/attack8")
.param("name", "Smith")
.param("auth_tan", "3SL99A' OR '1' = '1'"))
.andExpect(status().isOk())
.andExpect(jsonPath("lessonCompleted", is(false)))
.andExpect(jsonPath("$.feedback", is(this.modifySpan(messages.getMessage("sql-injection.error")))))
.andExpect(jsonPath("$.output", containsString("feedback-negative")));
}
private String modifySpan(String message) {
return message.replace("</span>", "<\\/span>");
} }
} }

179
webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson9Test.java Normal file
View File

@ -0,0 +1,179 @@
package org.owasp.webgoat.plugin.introduction;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.owasp.webgoat.plugins.LessonTest;
import org.owasp.webgoat.session.WebgoatContext;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
import static org.hamcrest.CoreMatchers.containsString;
import static org.hamcrest.CoreMatchers.is;
import static org.mockito.Mockito.when;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
/**
* @author Benedikt Stuhrmann
* @since 11/07/18.
*/
@RunWith(SpringJUnit4ClassRunner.class)
public class SqlInjectionLesson9Test extends LessonTest {
@Autowired
private WebgoatContext context;
private String completedError = "JSON path \"lessonCompleted\"";
@Before
public void setup() {
SqlInjection sql = new SqlInjection();
when(webSession.getCurrentLesson()).thenReturn(sql);
when(webSession.getWebgoatContext()).thenReturn(context);
this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
}
@Test
public void oneAccount() throws Exception {
try {
mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/attack9")
.param("name", "Smith")
.param("auth_tan", "3SL99A"))
.andExpect(status().isOk())
.andExpect(jsonPath("lessonCompleted", is(false)))
.andExpect(jsonPath("$.feedback", is(this.modifySpan(messages.getMessage("sql-injection.9.one")))))
.andExpect(jsonPath("$.output", containsString("<table><tr><th>")));
} catch (AssertionError e) {
if (!e.getMessage().contains(completedError)) throw e;
mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/attack9")
.param("name", "Smith")
.param("auth_tan", "3SL99A"))
.andExpect(status().isOk())
.andExpect(jsonPath("lessonCompleted", is(true)))
.andExpect(jsonPath("$.feedback", is(this.modifySpan(messages.getMessage("sql-injection.9.success")))))
.andExpect(jsonPath("$.output", containsString("<table><tr><th>")));
}
}
@Test
public void multipleAccounts() throws Exception {
try {
mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/attack9")
.param("name", "Smith")
.param("auth_tan", "3SL99A' OR '1' = '1"))
.andExpect(status().isOk())
.andExpect(jsonPath("lessonCompleted", is(false)))
.andExpect(jsonPath("$.feedback", is(this.modifySpan(messages.getMessage("sql-injection.9.one")))))
.andExpect(jsonPath("$.output", containsString("<tr><td>96134<\\/td><td>Bob<\\/td><td>Franco<\\/td><td>Marketing<\\/td><td>83700<\\/td><td>LO9S2V<\\/td><\\/tr>")));
} catch (AssertionError e) {
if (!e.getMessage().contains(completedError)) throw e;
mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/attack9")
.param("name", "Smith")
.param("auth_tan", "3SL99A' OR '1' = '1"))
.andExpect(status().isOk())
.andExpect(jsonPath("lessonCompleted", is(true)))
.andExpect(jsonPath("$.feedback", is(this.modifySpan(messages.getMessage("sql-injection.9.success")))))
.andExpect(jsonPath("$.output", containsString("<tr><td>96134<\\/td><td>Bob<\\/td><td>Franco<\\/td><td>Marketing<\\/td><td>83700<\\/td><td>LO9S2V<\\/td><\\/tr>")));
}
}
@Test
public void wrongNameReturnsNoAccounts() throws Exception {
try {
mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/attack9")
.param("name", "Smithh")
.param("auth_tan", "3SL99A"))
.andExpect(status().isOk())
.andExpect(jsonPath("lessonCompleted", is(false)))
.andExpect(jsonPath("$.feedback", is(this.modifySpan(messages.getMessage("sql-injection.8.no.results")))))
.andExpect(jsonPath("$.output").doesNotExist());
} catch (AssertionError e) {
if (!e.getMessage().contains(completedError)) throw e;
mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/attack9")
.param("name", "Smithh")
.param("auth_tan", "3SL99A"))
.andExpect(status().isOk())
.andExpect(jsonPath("lessonCompleted", is(true)))
.andExpect(jsonPath("$.feedback", is(this.modifySpan(messages.getMessage("sql-injection.8.no.success")))))
.andExpect(jsonPath("$.output").doesNotExist());
}
}
@Test
public void wrongTANReturnsNoAccounts() throws Exception {
try {
mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/attack9")
.param("name", "Smithh")
.param("auth_tan", ""))
.andExpect(status().isOk())
.andExpect(jsonPath("lessonCompleted", is(false)))
.andExpect(jsonPath("$.feedback", is(this.modifySpan(messages.getMessage("sql-injection.8.no.results")))))
.andExpect(jsonPath("$.output").doesNotExist());
} catch (AssertionError e) {
if (!e.getMessage().contains(completedError)) throw e;
mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/attack9")
.param("name", "Smithh")
.param("auth_tan", ""))
.andExpect(status().isOk())
.andExpect(jsonPath("lessonCompleted", is(true)))
.andExpect(jsonPath("$.feedback", is(this.modifySpan(messages.getMessage("sql-injection.9.success")))))
.andExpect(jsonPath("$.output").doesNotExist());
}
}
@Test
public void malformedQueryReturnsError() throws Exception {
try {
mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/attack9")
.param("name", "Smith")
.param("auth_tan", "3SL99A' OR '1' = '1'"))
.andExpect(status().isOk())
.andExpect(jsonPath("lessonCompleted", is(false)))
.andExpect(jsonPath("$.feedback", is(this.modifySpan(messages.getMessage("sql-injection.error")))))
.andExpect(jsonPath("$.output", containsString("feedback-negative")));
} catch (AssertionError e) {
if (!e.getMessage().contains(completedError)) throw e;
mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/attack9")
.param("name", "Smith")
.param("auth_tan", "3SL99A' OR '1' = '1'"))
.andExpect(status().isOk())
.andExpect(jsonPath("lessonCompleted", is(true)))
.andExpect(jsonPath("$.feedback", is(this.modifySpan(messages.getMessage("sql-injection.9.success")))))
.andExpect(jsonPath("$.output", containsString("feedback-negative")));
}
}
@Test
public void SmithIsMostEarningCompletesAssignment() throws Exception {
mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/attack9")
.param("name", "Smith")
.param("auth_tan", "3SL99A'; UPDATE employees SET salary = '300000' WHERE last_name = 'Smith"))
.andExpect(status().isOk())
.andExpect(jsonPath("lessonCompleted", is(true)))
.andExpect(jsonPath("$.feedback", is(this.modifySpan(messages.getMessage("sql-injection.9.success")))))
.andExpect(jsonPath("$.output", containsString("300000")));
}
private String modifySpan(String message) {
return message.replace("</span>", "<\\/span>");
}
}