dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

assignment 5: display query string to user after success, improved regex to allow missing semicolon after query

Browse Source
This commit is contained in:
PhilippeSteinbach 2019-02-04 14:45:40 +01:00 committed by Nanne Baars
parent e976dbe10f
commit 5c2d9cd8e9
1 changed files with 3 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson5.java
View File

@ -59,13 +59,14 @@ public class SqlInjectionLesson5 extends AssignmentEndpoint {
protected AttackResult injectableQuery(String _query) { protected AttackResult injectableQuery(String _query) {
try { try {
String query = _query; String query = _query;
String regex = "(?i)^grant alter table to unauthorizedUser;$"; String regex = "(?i)^(grant alter table to unauthorizedUser)(?:[;]?)$";
Boolean isCorrect = false; Boolean isCorrect = false;
StringBuffer output = new StringBuffer(); StringBuffer output = new StringBuffer();
// user completes lesson if the query is correct // user completes lesson if the query is correct
if (_query.matches(regex)) { if (_query.matches(regex)) {
return trackProgress(success().feedbackArgs(output.toString()).build()); output.append("<span class='feedback-positive'>" + _query + "</span>");
return trackProgress(success().output(output.toString()).build());
} else { } else {
return trackProgress(failed().output(output.toString()).build()); return trackProgress(failed().output(output.toString()).build());
} }