assignment 5: display query string to user after success, improved regex to allow missing semicolon after query

2019-02-04 14:45:40 +01:00 · 2019-02-04 14:45:40 +01:00 · 5c2d9cd8e9
commit 5c2d9cd8e9
parent e976dbe10f
1 changed files with 3 additions and 2 deletions
--- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson5.java
+++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson5.java
@ -59,13 +59,14 @@ public class SqlInjectionLesson5 extends AssignmentEndpoint {
    protected AttackResult injectableQuery(String _query) {
        try {
            String query = _query;
-            String regex = "(?i)^grant alter table to unauthorizedUser;$";
+            String regex = "(?i)^(grant alter table to unauthorizedUser)(?:[;]?)$";
            Boolean isCorrect = false;
            StringBuffer output = new StringBuffer();

            // user completes lesson if the query is correct
            if (_query.matches(regex)) {
-                return trackProgress(success().feedbackArgs(output.toString()).build());
+                output.append("<span class='feedback-positive'>" + _query + "</span>");
+                return trackProgress(success().output(output.toString()).build());
            } else {
                return trackProgress(failed().output(output.toString()).build());
            }