style sheet and advanced sql

Rene Zubcevic 2019-07-19 16:49:30 +02:00
parent 99435a1073
commit 656fa40182
11 changed files with 38 additions and 26 deletions


@ -1,3 +1,7 @@
spring.mandatory-file-encoding=UTF-8
spring.http.encoding.charset=UTF-8
spring.http.encoding.enabled=true
server.error.include-stacktrace=always server.error.include-stacktrace=always
server.error.path=/error.html server.error.path=/error.html
server.session.timeout=600 server.session.timeout=600
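Review bot: The added `spring.mandatory-file-encoding=UTF-8` makes Spring Boot abort startup when the JVM's `file.encoding` system property is not UTF-8, and nothing visible in this commit sets that property for the launch. Either document the requirement beside the line, e.g. `# startup fails unless the JVM runs with -Dfile.encoding=UTF-8`, or make sure the start scripts and container image pass the flag. The same three lines are added to the second properties file at the end of this commit, so the same applies there. The new lines also sit directly above the unchanged `server.error.include-stacktrace=always`, which is presumably deliberate for this training application; a one-line comment saying so would keep the setting from being copied into a real deployment.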


@ -1001,9 +1001,15 @@ cookie-container {
margin: 3px; margin: 3px;
} }
@keyframes blink {
50% { border-color: white; }
}
.cur-page { .cur-page {
border-bottom: 2px solid #000; animation: blink 1.5s 2 forwards;
border: 3px solid blue;
color:#aaa; color:#aaa;
background-color: lightsalmon;
} }
span.show-next-page, span.show-prev-page { span.show-next-page, span.show-prev-page {


@ -20,7 +20,7 @@ import java.sql.*;
* @author nbaars * @author nbaars
* @since 4/8/17. * @since 4/8/17.
*/ */
@AssignmentPath("SqlInjection/challenge") @AssignmentPath("/SqlInjectionAdvanced/challenge")
@AssignmentHints(value = {"SqlInjectionChallenge1", "SqlInjectionChallenge2", "SqlInjectionChallenge3"}) @AssignmentHints(value = {"SqlInjectionChallenge1", "SqlInjectionChallenge2", "SqlInjectionChallenge3"})
@Slf4j @Slf4j
public class SqlInjectionChallenge extends AssignmentEndpoint { public class SqlInjectionChallenge extends AssignmentEndpoint {


@ -17,7 +17,7 @@ import java.sql.*;
import static org.springframework.web.bind.annotation.RequestMethod.POST; import static org.springframework.web.bind.annotation.RequestMethod.POST;
@AssignmentPath("SqlInjection/challenge_Login") @AssignmentPath("/SqlInjectionAdvanced/challenge_Login")
@Slf4j @Slf4j
@AssignmentHints(value ={"SqlInjectionChallengeHint1", "SqlInjectionChallengeHint2", "SqlInjectionChallengeHint3", "SqlInjectionChallengeHint4"}) @AssignmentHints(value ={"SqlInjectionChallengeHint1", "SqlInjectionChallengeHint2", "SqlInjectionChallengeHint3", "SqlInjectionChallengeHint4"})
public class SqlInjectionChallengeLogin extends AssignmentEndpoint { public class SqlInjectionChallengeLogin extends AssignmentEndpoint {


@ -42,7 +42,7 @@ import java.sql.*;
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a> * @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @created October 28, 2003 * @created October 28, 2003
*/ */
@AssignmentPath("/SqlInjection/attack6a") @AssignmentPath("/SqlInjectionAdvanced/attack6a")
@AssignmentHints(value = {"SqlStringInjectionHint-advanced-6a-1", "SqlStringInjectionHint-advanced-6a-2", "SqlStringInjectionHint-advanced-6a-3", @AssignmentHints(value = {"SqlStringInjectionHint-advanced-6a-1", "SqlStringInjectionHint-advanced-6a-2", "SqlStringInjectionHint-advanced-6a-3",
"SqlStringInjectionHint-advanced-6a-4"}) "SqlStringInjectionHint-advanced-6a-4"})
public class SqlInjectionLesson6a extends AssignmentEndpoint { public class SqlInjectionLesson6a extends AssignmentEndpoint {


@ -47,7 +47,7 @@ import java.sql.Statement;
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a> * @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @created October 28, 2003 * @created October 28, 2003
*/ */
@AssignmentPath("/SqlInjection/attack6b") @AssignmentPath("/SqlInjectionAdvanced/attack6b")
public class SqlInjectionLesson6b extends AssignmentEndpoint { public class SqlInjectionLesson6b extends AssignmentEndpoint {
@RequestMapping(method = RequestMethod.POST) @RequestMapping(method = RequestMethod.POST)


@ -21,7 +21,7 @@ import java.sql.Statement;
* 3. add Request param with name of question to method head * 3. add Request param with name of question to method head
* For a more detailed description how to implement the quiz go to the quiz.js file in webgoat-container -> js * For a more detailed description how to implement the quiz go to the quiz.js file in webgoat-container -> js
*/ */
@AssignmentPath("/SqlInjection/quiz") @AssignmentPath("/SqlInjectionAdvanced/quiz")
public class SqlInjectionQuiz extends AssignmentEndpoint { public class SqlInjectionQuiz extends AssignmentEndpoint {
String[] solutions = {"Solution 4", "Solution 3", "Solution 2", "Solution 3", "Solution 4"}; String[] solutions = {"Solution 4", "Solution 3", "Solution 2", "Solution 3", "Solution 4"};


@ -3,22 +3,24 @@
<html xmlns:th="http://www.thymeleaf.org"> <html xmlns:th="http://www.thymeleaf.org">
<link rel="stylesheet" type="text/css" th:href="@{/lesson_css/assignments.css}"/> <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/assignments.css}"/>
<!-- 1 -->
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:SqlInjectionAdvanced_plan.adoc"></div> <div class="adoc-content" th:replace="doc:SqlInjectionAdvanced_plan.adoc"></div>
</div> </div>
<!-- 2 -->
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:SqlInjection_content6.adoc"></div> <div class="adoc-content" th:replace="doc:SqlInjection_content6.adoc"></div>
</div> </div>
<!-- 3 -->
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:SqlInjection_content6a.adoc"></div> <div class="adoc-content" th:replace="doc:SqlInjection_content6a.adoc"></div>
<div class="attack-container"> <div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div> <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<form class="attack-form" accept-charset="UNKNOWN" <form class="attack-form" accept-charset="UNKNOWN"
method="POST" name="form" method="POST" name="form"
action="/WebGoat/SqlInjection/attack6a" action="/WebGoat/SqlInjectionAdvanced/attack6a"
enctype="application/json;charset=UTF-8"> enctype="application/json;charset=UTF-8">
<table> <table>
<tr> <tr>
@ -30,14 +32,9 @@
</tr> </tr>
</table> </table>
</form> </form>
<div class="attack-feedback"></div>
<div class="attack-output"></div>
</div>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<form class="attack-form" accept-charset="UNKNOWN" <form class="attack-form" accept-charset="UNKNOWN"
method="POST" name="form" method="POST" name="form"
action="/WebGoat/SqlInjection/attack6b" action="/WebGoat/SqlInjectionAdvanced/attack6b"
enctype="application/json;charset=UTF-8"> enctype="application/json;charset=UTF-8">
<table> <table>
<tr> <tr>
@ -54,6 +51,7 @@
</div> </div>
</div> </div>
<!-- 4 -->
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:SqlInjection_content6c.adoc"></div> <div class="adoc-content" th:replace="doc:SqlInjection_content6c.adoc"></div>
</div> </div>
@ -83,7 +81,7 @@
<div class="col-lg-12"> <div class="col-lg-12">
<form id="login-form" class="attack-form" accept-charset="UNKNOWN" <form id="login-form" class="attack-form" accept-charset="UNKNOWN"
method="POST" name="form" method="POST" name="form"
action="SqlInjection/challenge_Login" action="SqlInjectionAdvanced/challenge_Login"
enctype="application/json;charset=UTF-8" role="form"> enctype="application/json;charset=UTF-8" role="form">
<div class="form-group"> <div class="form-group">
<input type="text" name="username_login" id="username4" tabindex="1" <input type="text" name="username_login" id="username4" tabindex="1"
@ -119,7 +117,7 @@
</form> </form>
<form id="register-form" class="attack-form" accept-charset="UNKNOWN" <form id="register-form" class="attack-form" accept-charset="UNKNOWN"
method="PUT" name="form" method="PUT" name="form"
action="SqlInjection/challenge" action="SqlInjectionAdvanced/challenge"
enctype="application/json;charset=UTF-8" style="display: none;" role="form"> enctype="application/json;charset=UTF-8" style="display: none;" role="form">
<div class="form-group"> <div class="form-group">
<input type="text" name="username_reg" id="username" tabindex="1" <input type="text" name="username_reg" id="username" tabindex="1"
@ -172,7 +170,7 @@
<div class="container-fluid"> <div class="container-fluid">
<form id="quiz-form" class="attack-form" accept-charset="UNKNOWN" <form id="quiz-form" class="attack-form" accept-charset="UNKNOWN"
method="POST" name="form" method="POST" name="form"
action="SqlInjection/quiz" action="/WebGoat/SqlInjectionAdvanced/quiz"
enctype="application/json;charset=UTF-8" role="form"> enctype="application/json;charset=UTF-8" role="form">
<div id="q_container"></div> <div id="q_container"></div>
<br /> <br />
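Review bot: The form actions in this template now mix two conventions: `action="/WebGoat/SqlInjectionAdvanced/attack6a"`, the matching `attack6b` action and the quiz action hard-code the `/WebGoat` context path, while `action="SqlInjectionAdvanced/challenge_Login"` and `action="SqlInjectionAdvanced/challenge"` stay relative. The quiz form was relative before this commit and is now absolute, so it stops resolving if the application is served under a different context path. The template already uses a Thymeleaf URL expression in `th:href="@{/lesson_css/assignments.css}"`, so consider `th:action="@{/SqlInjectionAdvanced/quiz}"` and the equivalent for the other four forms. That assumes the lesson's submit script reads the rendered `action` attribute, which is not visible here.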


@ -30,7 +30,7 @@ public class SqlInjectionLesson6aTest extends LessonTest {
@Test @Test
public void wrongSolution() throws Exception { public void wrongSolution() throws Exception {
mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/attack6a") mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjectionAdvanced/attack6a")
.param("userid_6a", "John")) .param("userid_6a", "John"))
.andExpect(status().isOk()) .andExpect(status().isOk())
@ -39,7 +39,7 @@ public class SqlInjectionLesson6aTest extends LessonTest {
@Test @Test
public void wrongNumberOfColumns() throws Exception { public void wrongNumberOfColumns() throws Exception {
mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/attack6a") mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjectionAdvanced/attack6a")
.param("userid_6a", "Smith' union select userid,user_name, password,cookie from user_system_data --")) .param("userid_6a", "Smith' union select userid,user_name, password,cookie from user_system_data --"))
.andExpect(status().isOk()) .andExpect(status().isOk())
@ -49,7 +49,7 @@ public class SqlInjectionLesson6aTest extends LessonTest {
@Test @Test
public void wrongDataTypeOfColumns() throws Exception { public void wrongDataTypeOfColumns() throws Exception {
mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/attack6a") mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjectionAdvanced/attack6a")
.param("userid_6a", "Smith' union select 1,password, 1,'2','3', '4',1 from user_system_data --")) .param("userid_6a", "Smith' union select 1,password, 1,'2','3', '4',1 from user_system_data --"))
.andExpect(status().isOk()) .andExpect(status().isOk())
@ -59,7 +59,7 @@ public class SqlInjectionLesson6aTest extends LessonTest {
@Test @Test
public void correctSolution() throws Exception { public void correctSolution() throws Exception {
mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/attack6a") mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjectionAdvanced/attack6a")
.param("userid_6a", "Smith'; SELECT * from user_system_data; --")) .param("userid_6a", "Smith'; SELECT * from user_system_data; --"))
.andExpect(status().isOk()) .andExpect(status().isOk())
.andExpect(jsonPath("$.lessonCompleted", is(false))) .andExpect(jsonPath("$.lessonCompleted", is(false)))
@ -68,7 +68,7 @@ public class SqlInjectionLesson6aTest extends LessonTest {
@Test @Test
public void noResultsReturned() throws Exception { public void noResultsReturned() throws Exception {
mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/attack6a") mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjectionAdvanced/attack6a")
.param("userid_6a", "Smith' and 1 = 2 --")) .param("userid_6a", "Smith' and 1 = 2 --"))
.andExpect(status().isOk()) .andExpect(status().isOk())
@ -78,7 +78,7 @@ public class SqlInjectionLesson6aTest extends LessonTest {
@Test @Test
public void noUnionUsed() throws Exception { public void noUnionUsed() throws Exception {
mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/attack6a") mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjectionAdvanced/attack6a")
.param("userid_6a", "S'; Select * from user_system_data; --")) .param("userid_6a", "S'; Select * from user_system_data; --"))
.andExpect(status().isOk()) .andExpect(status().isOk())


@ -29,7 +29,7 @@ public class SqlInjectionLesson6bTest extends LessonTest {
@Test @Test
public void submitCorrectPassword() throws Exception { public void submitCorrectPassword() throws Exception {
mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/attack6b") mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjectionAdvanced/attack6b")
.param("userid_6b", "passW0rD")) .param("userid_6b", "passW0rD"))
.andExpect(status().isOk()).andExpect(jsonPath("$.lessonCompleted", is(true))); .andExpect(status().isOk()).andExpect(jsonPath("$.lessonCompleted", is(true)));
@ -37,7 +37,7 @@ public class SqlInjectionLesson6bTest extends LessonTest {
@Test @Test
public void submitWrongPassword() throws Exception { public void submitWrongPassword() throws Exception {
mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/attack6b") mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjectionAdvanced/attack6b")
.param("userid_6b", "John")) .param("userid_6b", "John"))
.andExpect(status().isOk()).andExpect(jsonPath("$.lessonCompleted", is(false))); .andExpect(status().isOk()).andExpect(jsonPath("$.lessonCompleted", is(false)));


@ -1,3 +1,7 @@
spring.mandatory-file-encoding=UTF-8
spring.http.encoding.charset=UTF-8
spring.http.encoding.enabled=true
server.error.include-stacktrace=always server.error.include-stacktrace=always
server.error.path=/error.html server.error.path=/error.html
server.session.timeout=6000 server.session.timeout=6000