Fix SQL injection mitigation answer (fixes #505)

You need to submit the IP of the webgoat-prd server, not just any of the IPs.
This commit is contained in:
Omniscimus 2018-10-03 09:30:30 +02:00 committed by Nanne Baars
parent 3536fd0b6d
commit 5921a06747


@ -33,7 +33,7 @@ public class SqlInjectionLesson12a extends AssignmentEndpoint {
@SneakyThrows @SneakyThrows
public AttackResult completed(@RequestParam String ip) { public AttackResult completed(@RequestParam String ip) {
Connection connection = DatabaseUtilities.getConnection(webSession); Connection connection = DatabaseUtilities.getConnection(webSession);
PreparedStatement preparedStatement = connection.prepareStatement("select ip from servers where ip = ?"); PreparedStatement preparedStatement = connection.prepareStatement("select ip from servers where hostname = 'webgoat-prd' and ip = ?");
preparedStatement.setString(1, ip); preparedStatement.setString(1, ip);
ResultSet resultSet = preparedStatement.executeQuery(); ResultSet resultSet = preparedStatement.executeQuery();
if (resultSet.next()) { if (resultSet.next()) {
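Review bot: The PreparedStatement created on the changed line and the ResultSet from executeQuery are not opened in try-with-resources, so if executeQuery throws (and @SneakyThrows lets the SQLException propagate unchecked) both stay open along with whatever DatabaseUtilities.getConnection handed out. The body of `completed` continues past the hunk, so they may be closed further down, but wrapping them would make that certain regardless of the exit path: `try (PreparedStatement preparedStatement = connection.prepareStatement("select ip from servers where hostname = 'webgoat-prd' and ip = ?")) {` with the setString/executeQuery/if block moved inside, and likewise for the ResultSet. The injection side of the new query is sound as written: `hostname` is bound to a fixed literal and the user-supplied `ip` still goes through the `?` placeholder, so nothing from the request reaches the SQL text.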