dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

* Hints added

Browse Source 
* Solutions added
* Bugfixes
* Introduction added (including how to start with webgoat and useful tools)
* New lesson: Password strength
* New lessons: Multi Level Login
* Not yet working new lesson: Session fixation (inital release)

git-svn-id: http://webgoat.googlecode.com/svn/trunk/webgoat@301 4033779f-a91e-0410-96ef-6bf7bf53c507
This commit is contained in:
wirth.marcel
2008-04-07 14:28:38 +00:00
parent 84f01ba70a
commit 5d930ec235
137 changed files with 4230 additions and 479 deletions
Download Patch File Download Diff File Expand all files Collapse all files

41
main/project/WebContent/lesson_solutions/Lab SQL Injection/Lab Numeric SQL Injection.html Normal file
View File

@ -0,0 +1,41 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Solution Lab SQL Injection Stage3</title>
<link rel="stylesheet" type="text/css"
href="/WebGoat/lesson_solutions/formate.css">
</head>
<body>
<p><b>Lesson Plan Title:</b> How to Perform a SQLInjection</p>
<p><b>Concept / Topic To Teach:</b><br />
SQL injection attacks represent a serious threat to any database-driven
site. The methods behind an attack are easy to learn and the damage
caused can range from considerable to complete system compromise.
Despite these risks, an incredible number of systems on the internet are
susceptible to this form of attack.</p>
<p>Not only is it a threat easily instigated, it is also a threat
that, with a little common-sense and forethought, can easily be
prevented.</p>
<p>It is always good practice to sanitize all input data, especially
data that will used in OS command, scripts, and database queiries, even
if the threat of SQL injection has been prevented in some other manner.
</p>
<p><b>General Goal(s):</b><br />
For this exercise, you will perform SQLInjection attacks. You will also
implement code changes in the web application to defeat these attacks.</p>
<p><b>Solution:</b><br />
Choose Larry to log in with password larry. Select yourself from the list
and make sure that WebScarab will intercept the next request. Replace the id 101 with following:
<br/>
101 OR 1=1 ORDER BY salary desc <br/>
<p>With '101 OR 1=1' we have a SQL Statement which is always true. It will
get all the employees from the db but only return one of them. That is why we have to ensure we get
the "Big Fish" which is the employee earning most. With 'ORDER BY SALARY DESC' we guarantee exactly this.
</body>
</html>

87
main/project/WebContent/lesson_solutions/Lab SQL Injection/Lab Parameterized Query #1.html Normal file
View File

@ -0,0 +1,87 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Solution Lab SQL Injection Stage2</title>
<link rel="stylesheet" type="text/css"
href="/WebGoat/lesson_solutions/formate.css">
</head>
<body>
<p><b>Lesson Plan Title:</b> How to Perform a SQLInjection</p>
<p><b>Concept / Topic To Teach:</b><br />
SQL injection attacks represent a serious threat to any database-driven
site. The methods behind an attack are easy to learn and the damage
caused can range from considerable to complete system compromise.
Despite these risks, an incredible number of systems on the internet are
susceptible to this form of attack.</p>
<p>Not only is it a threat easily instigated, it is also a threat
that, with a little common-sense and forethought, can easily be
prevented.</p>
<p>It is always good practice to sanitize all input data, especially
data that will used in OS command, scripts, and database queiries, even
if the threat of SQL injection has been prevented in some other manner.
</p>
<p><b>General Goal(s):</b><br />
For this exercise, you will perform SQLInjection attacks. You will also
implement code changes in the web application to defeat these attacks.</p>
<b>Solution:</b><br />
To prevent a SQLInjection you can use "Parametreized Queries". This kind of
query makes it possible to use every input of an user as a parameter.
In this lesson you have to change org.owasp.webgoat.lessons.SQLInjection.Login.java
The query execution in the method login looks like this:<pre><code>
String query = "SELECT * FROM employee WHERE userid = " + userId + " and password = '" + password + "'";
// System.out.println("Query:" + query);
try
{
Statement answer_statement = WebSession.getConnection(s)
.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
ResultSet answer_results = answer_statement.executeQuery(query);
etc...
</code></pre>
<p>
To paramerize the Query you have to replace the userinput with questionmarks:<br/>
<code>String query = "SELECT * FROM employee WHERE userid = ? and password = ?";</code><br/>
</p>
<p>
Now follows the try block with the getConnection method:<br/>
<code>
try <br/>
{<br/>
&nbsp;&nbsp;Connection connection = WebSession.getConnections(s);
</code></p>
<p>
The next step is to do a so called "PrepareStatement":<br/>
<code>PreparedStatement statement = connection.prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
</code><br/></p>
<p>
Now that the query is prepared we have to add the parameters to the query:<br/>
<code>
statement.setString(1, userId);<br/>
statement.setString(2, password);<br>
</code>
</p>
<p>
We are ready to execute the query!<br/>
<code>
ResultSet answer_results = statement.executeQuery();</code>
</p>
<p>Putting everything together results in:<br/>
<pre><code>
String query = "SELECT * FROM employee WHERE userid = ? and password = ?";
try
{
Connection connection = WebSession.getConnections(s);
PreparedStatement statement = connection.prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
statement.setString(1, userId);
statement.setString(2, password);
ResultSet answer_results = statement.executeQuery();
etc...
</code></pre>
</body>
</html>

51
main/project/WebContent/lesson_solutions/Lab SQL Injection/Lab Parameterized Query #2.html Normal file
View File

@ -0,0 +1,51 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Solution Lab SQL Injection Stage4</title>
<link rel="stylesheet" type="text/css"
href="/WebGoat/lesson_solutions/formate.css">
</head>
<body>
<p><b>Lesson Plan Title:</b> How to Perform a SQLInjection</p>
<p><b>Concept / Topic To Teach:</b><br />
SQL injection attacks represent a serious threat to any database-driven
site. The methods behind an attack are easy to learn and the damage
caused can range from considerable to complete system compromise.
Despite these risks, an incredible number of systems on the internet are
susceptible to this form of attack.</p>
<p>Not only is it a threat easily instigated, it is also a threat
that, with a little common-sense and forethought, can easily be
prevented.</p>
<p>It is always good practice to sanitize all input data, especially
data that will used in OS command, scripts, and database queiries, even
if the threat of SQL injection has been prevented in some other manner.
</p>
<p><b>General Goal(s):</b><br />
For this exercise, you will perform SQLInjection attacks. You will also
implement code changes in the web application to defeat these attacks.</p>
<b>Solution:</b><br />
The solution is simular to Stage2. That is why here is only a short solution.<br/>
You have to alter the class org.owasp.webgoat.lessons.SQLInjection.ViewProfile.java<br/>
Alter the method getEmployeeProfile to something like this:
<pre><code>
String query = "SELECT employee.* "
+ "FROM employee,ownership WHERE employee.userid = ownership.employee_id and "
+ "ownership.employer_id = ? and ownership.employee_id = ?";
try
{
Connection connection = WebSession.getConnections(s);
PreparedStatement statement = connection.prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
statement.setString(1, userId);
statement.setString(2, subjectUserId);
ResultSet answer_results = statement.executeQuery();
etc...
</code></pre>
</body>
</html>

39
main/project/WebContent/lesson_solutions/Lab SQL Injection/Lab String SQL Injection.html Normal file
View File

@ -0,0 +1,39 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Solution Lab SQL Injection Stage1</title>
<link rel="stylesheet" type="text/css"
href="/WebGoat/lesson_solutions/formate.css">
</head>
<body>
<p><b>Lesson Plan Title:</b> How to Perform a SQLInjection</p>
<p><b>Concept / Topic To Teach:</b><br />
SQL injection attacks represent a serious threat to any database-driven
site. The methods behind an attack are easy to learn and the damage
caused can range from considerable to complete system compromise.
Despite these risks, an incredible number of systems on the internet are
susceptible to this form of attack.</p>
<p>Not only is it a threat easily instigated, it is also a threat
that, with a little common-sense and forethought, can easily be
prevented.</p>
<p>It is always good practice to sanitize all input data, especially
data that will used in OS command, scripts, and database queiries, even
if the threat of SQL injection has been prevented in some other manner.
</p>
<p><b>General Goal(s):</b><br />
For this exercise, you will perform SQLInjection attacks. You will also
implement code changes in the web application to defeat these attacks.</p>
<p><b>Solution:</b><br />
Select Neville as user to log in. Make sure WebScarab will intercept the next request.
Hit the Login Button and Change the password parameter in WebScarab to smith' OR '1' = '1.
Et voila you are logged in as Neville without knowing the password as the query
will lookup if the password is smith and if not it controls if 1=1 what
return true.</p>
</body>
</html>