dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Renamed hints

Browse Source
This commit is contained in:
Benedikt - Desktop
2018-11-07 11:46:38 +01:00
committed by Nanne Baars
parent 3b0c09add7
commit 46e71a8bcd
4 changed files with 19 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson10.java
View File

@ -14,7 +14,7 @@ import org.springframework.web.bind.annotation.ResponseBody;
import java.sql.*;
@AssignmentPath("/SqlInjection/attack10")
@AssignmentHints(value = {"SqlStringInjectionHint10-1", "SqlStringInjectionHint10-2", "SqlStringInjectionHint10-3", "SqlStringInjectionHint10-4", "SqlStringInjectionHint10-5", "SqlStringInjectionHint10-6"})
@AssignmentHints(value = {"SqlStringInjectionHint.10.1", "SqlStringInjectionHint.10.2", "SqlStringInjectionHint.10.3", "SqlStringInjectionHint.10.4", "SqlStringInjectionHint.10.5", "SqlStringInjectionHint.10.6"})
public class SqlInjectionLesson10 extends AssignmentEndpoint {
@RequestMapping(method = RequestMethod.POST)

2
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson8.java
View File

@ -16,7 +16,7 @@ import java.text.SimpleDateFormat;
import java.sql.*;
@AssignmentPath("/SqlInjection/attack8")
@AssignmentHints(value = {"SqlStringInjectionHint8-1", "SqlStringInjectionHint8-2", "SqlStringInjectionHint8-3", "SqlStringInjectionHint8-4", "SqlStringInjectionHint8-5"})
@AssignmentHints(value = {"SqlStringInjectionHint.8.1", "SqlStringInjectionHint.8.2", "SqlStringInjectionHint.8.3", "SqlStringInjectionHint.8.4", "SqlStringInjectionHint.8.5"})
public class SqlInjectionLesson8 extends AssignmentEndpoint {
@RequestMapping(method = RequestMethod.POST)

2
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson9.java
View File

@ -14,7 +14,7 @@ import org.springframework.web.bind.annotation.ResponseBody;
import java.sql.*;
@AssignmentPath("/SqlInjection/attack9")
@AssignmentHints(value = {"SqlStringInjectionHint9-1", "SqlStringInjectionHint9-2", "SqlStringInjectionHint9-3", "SqlStringInjectionHint9-4", "SqlStringInjectionHint9-5"})
@AssignmentHints(value = {"SqlStringInjectionHint.9.1", "SqlStringInjectionHint.9.2", "SqlStringInjectionHint.9.3", "SqlStringInjectionHint.9.4", "SqlStringInjectionHint.9.5"})
public class SqlInjectionLesson9 extends AssignmentEndpoint {
@RequestMapping(method = RequestMethod.POST)

32
webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties
View File

@ -42,29 +42,29 @@ sql-injection.8.success=<span class='feedback-positive'>You have succeeded! You
sql-injection.8.no.results=<span class='feedback-negative'>No employee found with matching lastname. Or maybe your authentication TAN is incorrect?</span>
sql-injection.8.one=<span class='feedback-negative'>That's only one account. You want them all! Try again.</span>
SqlStringInjectionHint8-1=The application is taking your input and inserting the values into the variables 'name' and 'auth_tan' of the pre-formed SQL command.
SqlStringInjectionHint8-2=Compound SQL statements can be made by expanding the WHERE clause of the statement with keywords like AND and OR.
SqlStringInjectionHint8-3=Try appending a SQL statement that always resolves to true.
SqlStringInjectionHint8-4=Make sure all quotes (" ' ") are opened and closed properly so the resulting SQL query is syntactically correct.
SqlStringInjectionHint8-5=Try extending the WHERE clause of the statement by adding something like: ' OR '1' = '1.
SqlStringInjectionHint.8.1=The application is taking your input and inserting the values into the variables 'name' and 'auth_tan' of the pre-formed SQL command.
SqlStringInjectionHint.8.2=Compound SQL statements can be made by expanding the WHERE clause of the statement with keywords like AND and OR.
SqlStringInjectionHint.8.3=Try appending a SQL statement that always resolves to true.
SqlStringInjectionHint.8.4=Make sure all quotes (" ' ") are opened and closed properly so the resulting SQL query is syntactically correct.
SqlStringInjectionHint.8.5=Try extending the WHERE clause of the statement by adding something like: ' OR '1' = '1.
sql-injection.9.success=<span class='feedback-positive'>Well done! Now you're earning the most money. And at the same time you successfully compromised the integrity of data by changing the salary!</span>
sql-injection.9.one=<span class='feedback-negative'>Still not earning enough! Better try again and change that.</span>
SqlStringInjectionHint9-1=Try to find a way, to chain another query to the end of the existing one.
SqlStringInjectionHint9-2=Use the ; metacharacter to do so.
SqlStringInjectionHint9-3=Make use of DML to change your salary.
SqlStringInjectionHint9-4=Make sure that the resulting query is syntactically correct.
SqlStringInjectionHint9-5=How about something like '; UPDATE employees....
SqlStringInjectionHint.9.1=Try to find a way, to chain another query to the end of the existing one.
SqlStringInjectionHint.9.2=Use the ; metacharacter to do so.
SqlStringInjectionHint.9.3=Make use of DML to change your salary.
SqlStringInjectionHint.9.4=Make sure that the resulting query is syntactically correct.
SqlStringInjectionHint.9.5=How about something like '; UPDATE employees....
sql-injection.10.success=<span class='feedback-positive'>Success! You successfully deleted the access_log table and that way compromised the availability of the data.</span>
sql-injection.10.entries=<span class='feedback-negative'>There's still evidence of what you did. Better remove the whole table.</span>
SqlStringInjectionHint10-1=Use the techniques that you have learned before.
SqlStringInjectionHint10-2=The application takes your input and filters for entries that are LIKE it.
SqlStringInjectionHint10-3=Try query chaining to reach the goal.
SqlStringInjectionHint10-4=The DDL allows you to delete (DROP) database tables.
SqlStringInjectionHint10-5=The underlying sql query looks like that: "SELECT * FROM access_log WHERE action LIKE '%" + action + "%'".
SqlStringInjectionHint10-6=Remember that you can use the -- metacharacter to comment out the rest of the line.
SqlStringInjectionHint.10.1=Use the techniques that you have learned before.
SqlStringInjectionHint.10.2=The application takes your input and filters for entries that are LIKE it.
SqlStringInjectionHint.10.3=Try query chaining to reach the goal.
SqlStringInjectionHint.10.4=The DDL allows you to delete (DROP) database tables.
SqlStringInjectionHint.10.5=The underlying sql query looks like that: "SELECT * FROM access_log WHERE action LIKE '%" + action + "%'".
SqlStringInjectionHint.10.6=Remember that you can use the -- metacharacter to comment out the rest of the line.