Added a new lessons for sql injections on "Compromising confidentiality with String SQL Injection"

2018-11-05 15:47:09 +01:00
parent 083eb1b567
commit 75b1895122
5 changed files with 195 additions and 14 deletions
--- a/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjection.html
+++ b/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjection.html
@ -57,14 +57,20 @@
        <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
        <form class="attack-form" accept-charset="UNKNOWN"
              method="POST" name="form"
-              action="/WebGoat/SqlInjection/attack5a"
-              enctype="application/json;charset=UTF-8">
+              action="/WebGoat/SqlInjection/attack8"
+              enctype="application/json;charset=UTF-8"
+              autocomplete="off">
            <table>
                <tr>
-                    <td>Account Name:</td>
-                    <td><input name="account" value="" type="TEXT"/></td>
-                    <td><input
-                            name="Get Account Info" value="Get Account Info" type="SUBMIT"/></td>
+                    <td><label for="name">Employee Name:</label></td>
+                    <td><input id="name" name="name" value="" type="TEXT" placeholder="Lastname"/></td>
+                </tr>
+                <tr>
+                    <td><label for="auth_tan">Authentication TAN:</label></td>
+                    <td><input id="auth_tan" name="auth_tan" value="" type="TEXT" placeholder="TAN"/></td>
+                </tr>
+                <tr>
+                    <td><button type="SUBMIT">Get department</button></td>
                </tr>
            </table>
        </form>
@ -104,6 +110,26 @@

 <div class="lesson-page-wrapper">
    <div class="adoc-content" th:replace="doc:SqlInjection_introduction_content10.adoc"></div>
+
+    <div class="adoc-content" th:replace="doc:SqlInjection_introduction_content8.adoc"></div>
+    <div class="attack-container">
+        <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
+        <form class="attack-form" accept-charset="UNKNOWN"
+              method="POST" name="form"
+              action="/WebGoat/SqlInjection/attack5a"
+              enctype="application/json;charset=UTF-8">
+            <table>
+                <tr>
+                    <td>Account Name:</td>
+                    <td><input name="account" value="" type="TEXT"/></td>
+                    <td><input
+                            name="Get Account Info" value="Get Account Info" type="SUBMIT"/></td>
+                </tr>
+            </table>
+        </form>
+        <div class="attack-feedback"></div>
+        <div class="attack-output"></div>
+    </div>
 </div>

 </html>