dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fixed Double Hints in SqlInjection Advanced Challenge

Browse Source
This commit is contained in:
Tobias_Melzer 2018-12-03 21:39:10 +01:00 committed by Nanne Baars
parent 5fa11a1b4b
commit 43504b9a7b
4 changed files with 73 additions and 43 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

35
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/advanced/SqlInjectionChallenge.java
View File

@ -3,7 +3,6 @@ package org.owasp.webgoat.plugin.advanced;
import lombok.extern.slf4j.Slf4j;
import org.apache.commons.lang3.RandomStringUtils;
import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AssignmentHints;
import org.owasp.webgoat.assignments.AssignmentPath;
import org.owasp.webgoat.assignments.AttackResult;
import org.owasp.webgoat.session.DatabaseUtilities;
@ -11,14 +10,11 @@ import org.owasp.webgoat.session.WebSession;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.util.StringUtils;
import org.springframework.web.bind.annotation.PutMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
import java.sql.*;
import static org.springframework.web.bind.annotation.RequestMethod.POST;
/**
* @author nbaars
* @since 4/8/17.
@ -26,12 +22,11 @@ import static org.springframework.web.bind.annotation.RequestMethod.POST;
@AssignmentPath("SqlInjection/challenge")
@AssignmentHints(value = {"SqlInjectionChallenge1", "SqlInjectionChallenge2", "SqlInjectionChallenge3"})
@Slf4j
@AssignmentHints(value ={"SqlInjectionChallengeHint1", "SqlInjectionChallengeHint2", "SqlInjectionChallengeHint3", "SqlInjectionChallengeHint4"})
public class SqlInjectionChallenge extends AssignmentEndpoint {
private static final String PASSWORD_TOM = "thisisasecretfortomonly";
//Make it more random at runtime (good luck guessing)
private static final String USERS_TABLE_NAME = "challenge_users_6" + RandomStringUtils.randomAlphabetic(16);
static final String USERS_TABLE_NAME = "challenge_users_6" + RandomStringUtils.randomAlphabetic(16);
@Autowired
private WebSession webSession;
@ -49,6 +44,7 @@ public class SqlInjectionChallenge extends AssignmentEndpoint {
Connection connection = DatabaseUtilities.getConnection(webSession);
checkDatabase(connection);
try {
String checkUserQuery = "select userid from " + USERS_TABLE_NAME + " where userid = '" + username_reg + "'";
Statement statement = connection.createStatement();
ResultSet resultSet = statement.executeQuery(checkUserQuery);
@ -63,6 +59,9 @@ public class SqlInjectionChallenge extends AssignmentEndpoint {
preparedStatement.execute();
attackResult = success().feedback("user.created").feedbackArgs(username_reg).build();
}
} catch(SQLException e) {
attackResult = failed().output("Something went wrong").build();
}
}
return attackResult;
}
@ -77,34 +76,17 @@ public class SqlInjectionChallenge extends AssignmentEndpoint {
return null;
}
@RequestMapping(method = POST)
@ResponseBody
public AttackResult login(@RequestParam String username_login, @RequestParam String password_login) throws Exception {
Connection connection = DatabaseUtilities.getConnection(webSession);
checkDatabase(connection);
PreparedStatement statement = connection.prepareStatement("select password from " + USERS_TABLE_NAME + " where userid = ? and password = ?");
statement.setString(1, username_login);
statement.setString(2, password_login);
ResultSet resultSet = statement.executeQuery();
if (resultSet.next() && "tom".equals(username_login)) {
return success().build();
} else {
return failed().feedback("NoResultsMatched").build();
}
}
private void checkDatabase(Connection connection) throws SQLException {
static void checkDatabase(Connection connection) throws SQLException {
try {
Statement statement = connection.createStatement();
System.out.println(USERS_TABLE_NAME);
statement.execute("select 1 from " + USERS_TABLE_NAME);
} catch (SQLException e) {
createChallengeTable(connection);
}
}
private void createChallengeTable(Connection connection) {
static void createChallengeTable(Connection connection) {
Statement statement = null;
try {
statement = connection.createStatement();
@ -134,6 +116,5 @@ public class SqlInjectionChallenge extends AssignmentEndpoint {
log.error("Unable create table", e);
}
}
}

48
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/advanced/SqlInjectionChallengeLogin.java Normal file
View File

@ -0,0 +1,48 @@
package org.owasp.webgoat.plugin.advanced;
import lombok.extern.slf4j.Slf4j;
import org.apache.commons.lang3.RandomStringUtils;
import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AssignmentHints;
import org.owasp.webgoat.assignments.AssignmentPath;
import org.owasp.webgoat.assignments.AttackResult;
import org.owasp.webgoat.session.DatabaseUtilities;
import org.owasp.webgoat.session.WebSession;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
import java.sql.*;
import static org.springframework.web.bind.annotation.RequestMethod.POST;
@AssignmentPath("SqlInjection/challenge_Login")
@Slf4j
@AssignmentHints(value ={"SqlInjectionChallengeHint1", "SqlInjectionChallengeHint2", "SqlInjectionChallengeHint3", "SqlInjectionChallengeHint4"})
public class SqlInjectionChallengeLogin extends AssignmentEndpoint {
@Autowired
private WebSession webSession;
@RequestMapping(method = POST)
@ResponseBody
public AttackResult login(@RequestParam String username_login, @RequestParam String password_login) throws Exception {
System.out.println("right Method");
Connection connection = DatabaseUtilities.getConnection(webSession);
SqlInjectionChallenge.checkDatabase(connection);
PreparedStatement statement = connection.prepareStatement("select password from " + SqlInjectionChallenge.USERS_TABLE_NAME + " where userid = ? and password = ?");
statement.setString(1, username_login);
statement.setString(2, password_login);
ResultSet resultSet = statement.executeQuery();
if (resultSet.next()) {
return ("tom".equals(username_login)) ? success().build()
: success().feedback("ResultsButNotTom").build();
} else {
return failed().feedback("NoResultsMatched").build();
}
}
}

4
webgoat-lessons/sql-injection/src/main/resources/html/SqlInjectionAdvanced.html
View File

@ -83,7 +83,7 @@
<div class="col-lg-12">
<form id="login-form" class="attack-form" accept-charset="UNKNOWN"
method="POST" name="form"
action="SqlInjection/challenge"
action="SqlInjection/challenge_Login"
enctype="application/json;charset=UTF-8" role="form">
<div class="form-group">
<input type="text" name="username_login" id="username4" tabindex="1"
@ -162,7 +162,7 @@
</div>
<div class="lesson-page-wrapper">
<span id="quiz_id" data-quiz_id="sql_injection"></span>
<span id="quiz_id" data-quiz_id="sql_incjection"></span>
<script th:src="@{/js/quiz.js}" language="JavaScript"></script>
<link rel="import" type="application/json" th:href="@{/lesson_js/questions.json}"/>
<div class="adoc-content" th:replace="doc:SqlInjection_quiz.adoc"></div>

1
webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties
View File

@ -8,6 +8,7 @@ SqlInjectionChallenge2=The vulnerability is on the register form
SqlInjectionChallenge3=Use tooling to automate this attack
sql-injection.error=<span class='feedback-negative'>Sorry, this solution is not correct. Try again!</span>
NoResultsMatched=<span class='feedback-negative'>No results matched. Try Again.</span>
ResultsButNotTom=<span class='feedback-negative'>Try To login as Tom!</span>
sql-injection.2.success=<span class='feedback-positive'>You have succeeded!</span>
sql-injection.2.failed=<span class='feedback-negative'>Something went wrong! You got no results, check your SQL Statement and the table above.</span>