Bug fixes due to changed fuction, Updated text

2018-11-10 19:41:35 +01:00 · 2018-11-10 19:41:35 +01:00 · 7733ea0c85
commit 7733ea0c85
parent 295b5a4772
7 changed files with 69 additions and 20 deletions
--- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson2.java
+++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson2.java
@ -71,15 +71,15 @@ public class SqlInjectionLesson2 extends AssignmentEndpoint {
                output.append(results);
                // user completes lesson if department is "Marketing"
                if (results.getString("department").equals("Marketing")) {
-                    output.append(SqlInjectionLesson8.generateTable(results, results.getMetaData()));
-                    return trackProgress(success().feedbackArgs(output.toString()).build());
+                    output.append(SqlInjectionLesson8.generateTable(results));
+                    return trackProgress(success().feedback("sql-injection.2.success").output(output.toString()).build());
                } else {
-                    return trackProgress(failed().output(output.toString()).build());
+                    return trackProgress(failed().feedback("sql-injection.2.failed").output(output.toString()).build());
                }

            } catch (SQLException sqle) {

-                return trackProgress(failed().output(sqle.getMessage()).build());
+                return trackProgress(failed().feedback("sql-injection.2.failed").output(sqle.getMessage()).build());
            }
        } catch (Exception e) {
            return trackProgress(failed().output(this.getClass().getName() + " : " + e.getMessage()).build());
--- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson3.java
+++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson3.java
@ -75,7 +75,7 @@ public class SqlInjectionLesson3 extends AssignmentEndpoint {
                output.append(_results);
                // user completes lesson if the department of Tobi Barnett now is 'Sales'
                if (_results.getString("department").equals("Sales")) {
-                    output.append(SqlInjectionLesson8.generateTable(_results, _results.getMetaData()));
+                    output.append(SqlInjectionLesson8.generateTable(_results));
                    return trackProgress(success().feedbackArgs(output.toString()).build());
                } else {
                    return trackProgress(failed().output(output.toString()).build());
--- a/webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties
+++ b/webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties
@ -11,6 +11,9 @@ SqlInjectionChallenge2=The vulnerability is on the register form
 SqlInjectionChallenge3=Use tooling to automate this attack
 sql-injection.error=<span class='feedback-negative'>Sorry, this solution is not correct. Try again!</span>

+sql-injection.2.success=You have succeded!
+sql-injection.2.failed=Something went wrong! You got no results, check your SQL Statement and the table above
+
 NoResultsMatched=No results matched. Try Again.

 SqlInjectionChallengeHint1=The Table Name is randomized at each start of Webgoat, try to figure out the name first.
--- a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content1.adoc
+++ b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content1.adoc
@ -8,23 +8,32 @@ Example SQL table with employees:

 Employees Table
 |===
-|IdNum |LName |FName |JobCode |Salary |Phone |
+|userid |first_name |last_name |department |salary |auth_tan |

-|1876 |CHIN |JACK |TA1 |42400 |212/558-5634 |
+|32147|Paulina|Travers|Accounting|$46.000|P45JSI|
+|89762|Tobi|Barnett|Development|$77.000|TA9LL1|
+|96134|Bob|Franco|Marketing|$83.700|LO9S2V|
+|34477|Abraham|Holman|Development|$50.000|UU2ALK|
+|37648|John|Smith|Marketing|$64.350|3SL99A|

-|1114 |GREENWALD |JANICE |ME3 |38000 |212/558-1092 |
-
-|1556 |PENNINGTION|MICHAEL |ME1 |29860 |718/383-5681 |
-
-|1354 |PARKER |MARY |FA3 |65800 |914/455-2337 |
-
-|1130 |WOOD |DEBORAH |PT2 |36514 |212/587-0013 |
 |===

-Each employee has an index (IdNum), lastname, firstname, job title (JobCode), salary and a phone number. All his data from this table is represented in a single row.
+A company saves the following information of an employee in their databases:
+a unique employee number, the lastnname, the firstname, the department of the employee, the salary and an auth_tan.
+
+One row represents one employee of the company.

 By using SQL queries you can modify a database table and its index structures, add, update and delete rows of data.

 There are three types of SQL commands in the SQL database language:
+Each type of command carries the danger of violating different protection goals if an intruder attacks your database system.
+
+The 3 main protection goals in information security are confidentiality, integrity, and availability are considered the three most crucial components of information security.
+Go ahead to the next pages to get some details on the different types of commands and protections goals.

 If you are still struggling with SQL and need more information or practice you can visit http://www.sqlcourse.com/ for an interactive and free online training.
+
+=== It's your turn!
+Look at the example table.
+Try to retrieve the department of the employee Bob Franco.
+Note that you have been granted full administrator privileges in this assignment and can access all data without authentication.
--- a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content2.adoc
+++ b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content2.adoc
@ -1,6 +1,15 @@
 === Data Manipulation Language (DML)
+
+As the name says data manipulation language deals with the manipulation of data and includes the most common SQL statements such as SELECT, INSERT, UPDATE, DELETE, etc., and it is used for requesting a result set of records from database tables (select), adding (insert), deleting and modifying (update) data in a database.
+
+If an attacker uses a SQL injection of the DML type to manipulate your database, he will violate the following of the three protection goals in information security: confidentiality (…) & integrity (update) (Only people authorized to read the data can do so).
+
+
 * DML commands are used for storing, retrieving, modifying, and deleting data.
-* SELECT, INSERT, UPDATE, DELETE, …
+* SELECT - retrieve data from a database
+* INSERT - insert data into a table
+* UPDATE - updates existing data within a table
+* DELETE - Delete all records from a database table
 * Example:
 ** Retrieve data:
 ** SELECT Phone  +
@ -8,3 +17,9 @@
   WHERE IdNum = 1354;
 ** This statement delivers the phone number of the employee with the number 1354.

+=== It's your turn!
+Try to change the department of Tobi Barnett to 'Sales'.
+Note that you have been granted full administrator privileges in this assignment and can access all data without authentication.
+
+
+
--- a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content3.adoc
+++ b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content3.adoc
@ -1,8 +1,16 @@
 === Data Definition Language (DDL)
+
+Data definition language includes commands for defining data structures, especially database schemas which tell how the data should reside in the database.
+
+If an attacker uses a SQL injection of the DDL type to manipulate your database, he will violate the following of the three protection goals in information security: integrity (alter) & availability (drop). (Only people authorized to change/delete the data can do so.)
+
+
 * DDL commands are used for creating, modifying, and dropping the structure of database objects.
-* CREATE, ALTER, DROP,TRUNCATE,…
+* CREATE - to create a database and its objects like (table, views, …)
+* ALTER - alters the structure of the existing database
+* DROP - delete objects from the database
 * Example:
-** CREATE TABLE Customers( +
+** CREATE TABLE Employees( +
   &nbsp;&nbsp;&nbsp;&nbsp;IdNum INT NOT NULL, +
   &nbsp;&nbsp;&nbsp;&nbsp;LName VARCHAR (20) NOT NULL, +
   &nbsp;&nbsp;&nbsp;&nbsp;FName VARCHAR (20) NOT NULL, +
@ -11,4 +19,7 @@
   &nbsp;&nbsp;&nbsp;&nbsp;Phone VARCHAR (20), +
   &nbsp;&nbsp;&nbsp;&nbsp;PRIMARY KEY (IdNum) +
 );
-** This statement creates the employees example table given above.
+** This statement creates the employees example table given on page 2.
+
+Now try to modify the schneme by removing the column "Phone" from the table "Employees":
+
--- a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content4.adoc
+++ b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content4.adoc
@ -1,7 +1,18 @@
 === Data Control Language (DCL)
+
+Data control language is used to create privileges to allow users to access and manipulate the database.
+
+If an attacker uses a SQL injection of the DCL type to manipulate your database, he will violate the following of the three protection goals in information security: confidentiality (grant) & availability (revoke) (Unwanted people could grand themselves admin privileges or revoke the admin rights from an administrator)
+
+
 * DCL commands are used for providing security to database objects.
-* GRANT, REVOKE, …
+* GRANT - allow users access privileges to the database
+* REVOKE - withdraw users access privileges given by using the GRANT command
 * Example:
 ** GRANT CREATE TABLE +
   TO operator;
 ** This statement gives all users of the operator-role the privilege to create new tables in the database.
+
+
+Try to grant the usergroup "UnauthorizedUser" the right to alter tables:
+