diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson10.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson10.java
index 2ea38957d..ca59512bd 100644
--- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson10.java
+++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson10.java
@@ -14,7 +14,7 @@ import org.springframework.web.bind.annotation.ResponseBody;
 import java.sql.*;
 @AssignmentPath("/SqlInjection/attack10")
-@AssignmentHints(value = {"SqlStringInjectionHint10-1", "SqlStringInjectionHint10-2", "SqlStringInjectionHint10-3", "SqlStringInjectionHint10-4", "SqlStringInjectionHint10-5", "SqlStringInjectionHint10-6"})
+@AssignmentHints(value = {"SqlStringInjectionHint.10.1", "SqlStringInjectionHint.10.2", "SqlStringInjectionHint.10.3", "SqlStringInjectionHint.10.4", "SqlStringInjectionHint.10.5", "SqlStringInjectionHint.10.6"})
 public class SqlInjectionLesson10 extends AssignmentEndpoint {
 @RequestMapping(method = RequestMethod.POST)
diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson8.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson8.java
index f03b19c6c..45a86560a 100644
--- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson8.java
+++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson8.java
@@ -16,7 +16,7 @@ import java.text.SimpleDateFormat;
 import java.sql.*;
 @AssignmentPath("/SqlInjection/attack8")
-@AssignmentHints(value = {"SqlStringInjectionHint8-1", "SqlStringInjectionHint8-2", "SqlStringInjectionHint8-3", "SqlStringInjectionHint8-4", "SqlStringInjectionHint8-5"})
+@AssignmentHints(value = {"SqlStringInjectionHint.8.1", "SqlStringInjectionHint.8.2", "SqlStringInjectionHint.8.3", "SqlStringInjectionHint.8.4", "SqlStringInjectionHint.8.5"})
 public class SqlInjectionLesson8 extends AssignmentEndpoint {
 @RequestMapping(method = RequestMethod.POST)
diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson9.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson9.java
index 4ef63c4e3..e4c2b1cc1 100644
--- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson9.java
+++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson9.java
@@ -14,7 +14,7 @@ import org.springframework.web.bind.annotation.ResponseBody;
 import java.sql.*;
 @AssignmentPath("/SqlInjection/attack9")
-@AssignmentHints(value = {"SqlStringInjectionHint9-1", "SqlStringInjectionHint9-2", "SqlStringInjectionHint9-3", "SqlStringInjectionHint9-4", "SqlStringInjectionHint9-5"})
+@AssignmentHints(value = {"SqlStringInjectionHint.9.1", "SqlStringInjectionHint.9.2", "SqlStringInjectionHint.9.3", "SqlStringInjectionHint.9.4", "SqlStringInjectionHint.9.5"})
 public class SqlInjectionLesson9 extends AssignmentEndpoint {
 @RequestMapping(method = RequestMethod.POST)
diff --git a/webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties b/webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties
index 4b10380ab..3472a053d 100644
--- a/webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties
+++ b/webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties 
@@ -42,29 +42,29 @@ sql-injection.8.success=You have succeeded! You
 sql-injection.8.no.results=No employee found with matching lastname. Or maybe your authentication TAN is incorrect?
 sql-injection.8.one=That's only one account. You want them all! Try again.
-SqlStringInjectionHint8-1=The application is taking your input and inserting the values into the variables 'name' and 'auth_tan' of the pre-formed SQL command.
-SqlStringInjectionHint8-2=Compound SQL statements can be made by expanding the WHERE clause of the statement with keywords like AND and OR.
-SqlStringInjectionHint8-3=Try appending a SQL statement that always resolves to true.
-SqlStringInjectionHint8-4=Make sure all quotes (" ' ") are opened and closed properly so the resulting SQL query is syntactically correct.
-SqlStringInjectionHint8-5=Try extending the WHERE clause of the statement by adding something like: ' OR '1' = '1.
+SqlStringInjectionHint.8.1=The application is taking your input and inserting the values into the variables 'name' and 'auth_tan' of the pre-formed SQL command.
+SqlStringInjectionHint.8.2=Compound SQL statements can be made by expanding the WHERE clause of the statement with keywords like AND and OR.
+SqlStringInjectionHint.8.3=Try appending a SQL statement that always resolves to true.
+SqlStringInjectionHint.8.4=Make sure all quotes (" ' ") are opened and closed properly so the resulting SQL query is syntactically correct.
+SqlStringInjectionHint.8.5=Try extending the WHERE clause of the statement by adding something like: ' OR '1' = '1.
 sql-injection.9.success=Well done! Now you're earning the most money. And at the same time you successfully compromised the integrity of data by changing the salary!
 sql-injection.9.one=Still not earning enough! Better try again and change that.
-SqlStringInjectionHint9-1=Try to find a way, to chain another query to the end of the existing one.
-SqlStringInjectionHint9-2=Use the ; metacharacter to do so.
-SqlStringInjectionHint9-3=Make use of DML to change your salary.
-SqlStringInjectionHint9-4=Make sure that the resulting query is syntactically correct.
-SqlStringInjectionHint9-5=How about something like '; UPDATE employees....
+SqlStringInjectionHint.9.1=Try to find a way, to chain another query to the end of the existing one.
+SqlStringInjectionHint.9.2=Use the ; metacharacter to do so.
+SqlStringInjectionHint.9.3=Make use of DML to change your salary.
+SqlStringInjectionHint.9.4=Make sure that the resulting query is syntactically correct.
+SqlStringInjectionHint.9.5=How about something like '; UPDATE employees....
 sql-injection.10.success=Success! You successfully deleted the access_log table and that way compromised the availability of the data.
 sql-injection.10.entries=There's still evidence of what you did. Better remove the whole table.
-SqlStringInjectionHint10-1=Use the techniques that you have learned before.
-SqlStringInjectionHint10-2=The application takes your input and filters for entries that are LIKE it.
-SqlStringInjectionHint10-3=Try query chaining to reach the goal.
-SqlStringInjectionHint10-4=The DDL allows you to delete (DROP) database tables.
-SqlStringInjectionHint10-5=The underlying sql query looks like that: "SELECT * FROM access_log WHERE action LIKE '%" + action + "%'".
-SqlStringInjectionHint10-6=Remember that you can use the -- metacharacter to comment out the rest of the line.
\ No newline at end of file
+SqlStringInjectionHint.10.1=Use the techniques that you have learned before.
+SqlStringInjectionHint.10.2=The application takes your input and filters for entries that are LIKE it.
+SqlStringInjectionHint.10.3=Try query chaining to reach the goal.
+SqlStringInjectionHint.10.4=The DDL allows you to delete (DROP) database tables.
+SqlStringInjectionHint.10.5=The underlying sql query looks like that: "SELECT * FROM access_log WHERE action LIKE '%" + action + "%'".
+SqlStringInjectionHint.10.6=Remember that you can use the -- metacharacter to comment out the rest of the line.
\ No newline at end of file