Added an assignment for compromising integrity by query chaining to the sql injections (introduction)

2018-11-05 17:31:56 +01:00
parent 75b1895122
commit 4e6c721545
5 changed files with 131 additions and 31 deletions
--- a/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjection.html
+++ b/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjection.html
@ -62,12 +62,12 @@
              autocomplete="off">
            <table>
                <tr>
-                    <td><label for="name">Employee Name:</label></td>
-                    <td><input id="name" name="name" value="" type="TEXT" placeholder="Lastname"/></td>
+                    <td><label>Employee Name:</label></td>
+                    <td><input name="name" value="" type="TEXT" placeholder="Lastname"/></td>
                </tr>
                <tr>
-                    <td><label for="auth_tan">Authentication TAN:</label></td>
-                    <td><input id="auth_tan" name="auth_tan" value="" type="TEXT" placeholder="TAN"/></td>
+                    <td><label>Authentication TAN:</label></td>
+                    <td><input name="auth_tan" value="" type="TEXT" placeholder="TAN"/></td>
                </tr>
                <tr>
                    <td><button type="SUBMIT">Get department</button></td>
@ -85,21 +85,19 @@
        <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
        <form class="attack-form" accept-charset="UNKNOWN"
              method="POST" name="form"
-              action="/WebGoat/SqlInjection/attack5b"
+              action="/WebGoat/SqlInjection/attack9"
              enctype="application/json;charset=UTF-8">
            <table>
                <tr>
-                    <td>Login_Count:</td>
-                    <td><input name="login_count" value="" type="text"/></td>
+                    <td><label>Employee Name:</label></td>
+                    <td><input name="name" value="" type="TEXT" placeholder="Lastname"/></td>
                </tr>
                <tr>
-                    <td>Name:</td>
-                    <td><input name="userid" value="" type="TEXT"/></td>
+                    <td><label>Authentication TAN:</label></td>
+                    <td><input name="auth_tan" value="" type="TEXT" placeholder="TAN"/></td>
                </tr>
                <tr>
-                    <td></td>
-                    <td><input
-                            name="Get Account Info" value="Get Account Info" type="SUBMIT"/></td>
+                    <td><button type="SUBMIT">Get department</button></td>
                </tr>
            </table>
        </form>
--- a/webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties
+++ b/webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties
@ -11,15 +11,6 @@ SqlInjectionChallenge2=The vulnerability is on the register form
 SqlInjectionChallenge3=Use tooling to automate this attack

 NoResultsMatched=No results matched. Try Again.
-SqlStringInjectionHint5a1=The application is taking your input and inserting it at the end of a pre-formed SQL command.
-SqlStringInjectionHint5a2=This is the code for the query being built and issued by WebGoat:<br><br> "SELECT * FROM user_data WHERE last_name = "accountName"
-SqlStringInjectionHint5a3=Compound SQL statements can be made by joining multiple tests with keywords like AND and OR. Try appending a SQL statement that always resolves to true
-SqlStringInjectionHint5a4=Make sure all quotes (" ' ") are opened and closed properly.
-SqlStringInjectionHint5a5=Try appending the Statement with something like: OR 1 = 1.
-SqlStringInjectionHint5b1=This is the code for the query being built and issued by WebGoat:<br><br> "SELECT * FROM user_data WHERE Login_Count = "Login_Count" and User_Id = "Name"
-SqlStringInjectionHint5b2=Note that you don't need to insert any quotations.
-SqlStringInjectionHint5b3=Remember how you solved the previous assignment.
-SqlStringInjectionHint5b4=It does not matter where you insert a statement that always resolves to true.
 SqlStringInjectionHint6=Try Appending a new SQL Statement to the Query.
 SqlStringInjectionHint7=The new SQL Statement can be really simple like: SELECT ... FROM ...
 SqlStringInjectionHint8=Your new SQL Query should start, with a " ; " and end with " -- "
@ -45,7 +36,7 @@ sql-injection.6a.no.results=No results matched. Try Again.
 sql-injection.6b.success=You have succeeded: {0}
 sql-injection.6b.no.results=No results matched. Try Again.

-sql-injection.8.success=You have succeed: {0}
+sql-injection.8.success=You have succeeded! You successfully compromised the confidentiality of data by viewing internal information that you should not have access to. Well done! {0}
 sql-injection.8.no.results=No employee found with matching lastname. Or maybe your authentication TAN is incorrect?

 SqlStringInjectionHint8-1=The application is taking your input and inserting the values into the variables 'name' and 'auth_tan' of the pre-formed SQL command.
@ -53,3 +44,11 @@ SqlStringInjectionHint8-2=Compound SQL statements can be made by expanding the W
 SqlStringInjectionHint8-3=Try appending a SQL statement that always resolves to true.
 SqlStringInjectionHint8-4=Make sure all quotes (" ' ") are opened and closed properly so the resulting SQL query is syntactically correct.
 SqlStringInjectionHint8-5=Try extending the WHERE clause of the statement by adding something like: ' OR '1' = '1.
+
+sql-injection.9.success=Well done! Now you're earning the most money. And at the same time you successfully compromised the integrity of data by changing the salary. {0}
+
+SqlStringInjectionHint9-1=Try to find a way, to chain another query to the end of the existing one.
+SqlStringInjectionHint9-2=Use the ; metacharacter to do so.
+SqlStringInjectionHint9-3=Make use of DML to change your salary.
+SqlStringInjectionHint9-4=Make sure that the resulting query is syntactically correct.
+SqlStringInjectionHint9-5=How about something like '; UPDATE employees....
--- a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content9.adoc
+++ b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content9.adoc
@ -1,11 +1,11 @@
-Integrity
+== Compromising Integrity with Query Chaining
+After compromising the confidentiality of data in the previous lesson, this time we are gonna compromise the integrity of data by using a SQL query chaining.

-== Try It!   Numeric SQL Injection
+== What is SQL query chaining?
+Query chaining is exactly what it sounds like. When query chaining, you try to append one or more queries to the end of the actual query.
+You can do this by using the *;* metacharacter which marks the end of a query and that way allows to start another one right after it within the same line.

-The query in the code builds a dynamic query as seen in the previous example.  The query in the code builds a dynamic query by concatenating a number making it susceptible to Numeric SQL injection: 
-
--------------------------------------------------
-"select * from users where Login_Count = " + Login_Count + " and USERID = "  + userID;
--------------------------------------------------
-
-Using the form below try to retrieve all the users from the users table. You shouldn't need to know any specific user name or Login_Count to get the complete list.
+=== It's your turn!
+You just found out that Tobi and Bob both seem to earn more money than you!
+Of course you cannot leave it at that. +
+Better go and change your salary so you're at the earner.