diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson2.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson2.java
index 9e8a05b92..790f1298f 100644
--- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson2.java
+++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson2.java
@@ -71,15 +71,15 @@ public class SqlInjectionLesson2 extends AssignmentEndpoint {
 output.append(results);
 // user completes lesson if department is "Marketing"
 if (results.getString("department").equals("Marketing")) {
- output.append(SqlInjectionLesson8.generateTable(results, results.getMetaData()));
- return trackProgress(success().feedbackArgs(output.toString()).build());
+ output.append(SqlInjectionLesson8.generateTable(results));
+ return trackProgress(success().feedback("sql-injection.2.success").output(output.toString()).build());
 } else {
- return trackProgress(failed().output(output.toString()).build());
+ return trackProgress(failed().feedback("sql-injection.2.failed").output(output.toString()).build());
 }
 } catch (SQLException sqle) {
- return trackProgress(failed().output(sqle.getMessage()).build());
+ return trackProgress(failed().feedback("sql-injection.2.failed").output(sqle.getMessage()).build());
 }
 } catch (Exception e) {
 return trackProgress(failed().output(this.getClass().getName() + " : " + e.getMessage()).build());
diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson3.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson3.java
index 5d9f835fa..283ad1060 100644
--- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson3.java
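Review bot: The new `catch (SQLException sqle)` branch reuses the `sql-injection.2.failed` message ("You got no results, check your SQL Statement and the table above"), which is misleading when the database rejected the statement rather than returning an empty result, and the raw driver message in `.output(sqle.getMessage())` is still returned to the client. In WebGoat surfacing verbose SQL errors is presumably deliberate for the lesson, so I would keep the output but give the branch its own key, e.g. `return trackProgress(failed().feedback("sql-injection.2.error").output(sqle.getMessage()).build());` with a matching property such as `sql-injection.2.error=The database rejected your statement, see the error below`. The outer `catch (Exception e)` at the end of the hunk still has no feedback key, so its response stays inconsistent with the two branches this hunk changed. The enclosing method starts before the hunk and its closing braces are outside it.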
+++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson3.java @@ -75,7 +75,7 @@ public class SqlInjectionLesson3 extends AssignmentEndpoint { output.append(_results); // user completes lesson if the department of Tobi Barnett now is 'Sales' if (_results.getString("department").equals("Sales")) { - output.append(SqlInjectionLesson8.generateTable(_results, _results.getMetaData())); + output.append(SqlInjectionLesson8.generateTable(_results)); return trackProgress(success().feedbackArgs(output.toString()).build()); } else { return trackProgress(failed().output(output.toString()).build()); diff --git a/webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties b/webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties index 059447558..47063a525 100644 --- a/webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties +++ b/webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties @@ -11,6 +11,9 @@ SqlInjectionChallenge2=The vulnerability is on the register form SqlInjectionChallenge3=Use tooling to automate this attack sql-injection.error=Sorry, this solution is not correct. Try again! +sql-injection.2.success=You have succeded! +sql-injection.2.failed=Something went wrong! You got no results, check your SQL Statement and the table above + NoResultsMatched=No results matched. Try Again. SqlInjectionChallengeHint1=The Table Name is randomized at each start of Webgoat, try to figure out the name first. diff --git a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content1.adoc b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content1.adoc index 7a1ef424a..ed1ef042a 100644 --- a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content1.adoc 
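Review bot: SqlInjectionLesson3 keeps `success().feedbackArgs(output.toString())` on the line after the one this hunk changes, while the same commit moves SqlInjectionLesson2 to `success().feedback(key).output(...)`, so the two introduction assignments now build their responses differently. Passing the generated HTML table as a feedback argument presumably runs it through message formatting, where braces or single quotes in the markup could be mangled; confirm against the feedback builder. I would align it with Lesson2: `return trackProgress(success().feedback("sql-injection.3.success").output(output.toString()).build());` and `return trackProgress(failed().feedback("sql-injection.3.failed").output(output.toString()).build());`, adding the two keys to WebGoatLabels.properties. The enclosing method starts and ends outside the hunk.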
+++ b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content1.adoc 
@@ -8,23 +8,32 @@ Example SQL table with employees: Employees Table |=== -|IdNum |LName |FName |JobCode |Salary |Phone | +|userid |first_name |last_name |department |salary |auth_tan | -|1876 |CHIN |JACK |TA1 |42400 |212/558-5634 | +|32147|Paulina|Travers|Accounting|$46.000|P45JSI| +|89762|Tobi|Barnett|Development|$77.000|TA9LL1| +|96134|Bob|Franco|Marketing|$83.700|LO9S2V| +|34477|Abraham|Holman|Development|$50.000|UU2ALK| +|37648|John|Smith|Marketing|$64.350|3SL99A| -|1114 |GREENWALD |JANICE |ME3 |38000 |212/558-1092 | - -|1556 |PENNINGTION|MICHAEL |ME1 |29860 |718/383-5681 | - -|1354 |PARKER |MARY |FA3 |65800 |914/455-2337 | - -|1130 |WOOD |DEBORAH |PT2 |36514 |212/587-0013 | |=== -Each employee has an index (IdNum), lastname, firstname, job title (JobCode), salary and a phone number. All his data from this table is represented in a single row. +A company saves the following information of an employee in their databases: +a unique employee number, the lastnname, the firstname, the department of the employee, the salary and an auth_tan. + +One row represents one employee of the company. By using SQL queries you can modify a database table and its index structures, add, update and delete rows of data. There are three types of SQL commands in the SQL database language: +Each type of command carries the danger of violating different protection goals if an intruder attacks your database system. + +The 3 main protection goals in information security are confidentiality, integrity, and availability are considered the three most crucial components of information security. +Go ahead to the next pages to get some details on the different types of commands and protections goals. If you are still struggling with SQL and need more information or practice you can visit http://www.sqlcourse.com/ for an interactive and free online training. + +=== It's your turn! +Look at the example table. +Try to retrieve the department of the employee Bob Franco. 
+Note that you have been granted full administrator privileges in this assignment and can access all data without authentication. \ No newline at end of file diff --git a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content2.adoc b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content2.adoc index e65e237a0..9ded8dfb1 100644 --- a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content2.adoc +++ b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content2.adoc @@ -1,6 +1,15 @@ === Data Manipulation Language (DML) + +As the name says data manipulation language deals with the manipulation of data and includes the most common SQL statements such as SELECT, INSERT, UPDATE, DELETE, etc., and it is used for requesting a result set of records from database tables (select), adding (insert), deleting and modifying (update) data in a database. + +If an attacker uses a SQL injection of the DML type to manipulate your database, he will violate the following of the three protection goals in information security: confidentiality (…) & integrity (update) (Only people authorized to read the data can do so). + + * DML commands are used for storing, retrieving, modifying, and deleting data. -* SELECT, INSERT, UPDATE, DELETE, … +* SELECT - retrieve data from a database +* INSERT - insert data into a table +* UPDATE - updates existing data within a table +* DELETE - Delete all records from a database table * Example: ** Retrieve data: ** SELECT Phone + @@ -8,3 +17,9 @@ WHERE IdNum = 1354; ** This statement delivers the phone number of the employee with the number 1354. +=== It's your turn! +Try to change the department of Tobi Barnett to 'Sales'. +Note that you have been granted full administrator privileges in this assignment and can access all data without authentication. + + + 
diff --git a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content3.adoc b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content3.adoc index e44df7b88..08dd4cc37 100644 --- a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content3.adoc +++ b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content3.adoc @@ -1,8 +1,16 @@ === Data Definition Language (DDL) + +Data definition language includes commands for defining data structures, especially database schemas which tell how the data should reside in the database. + +If an attacker uses a SQL injection of the DDL type to manipulate your database, he will violate the following of the three protection goals in information security: integrity (alter) & availability (drop). (Only people authorized to change/delete the data can do so.) + + * DDL commands are used for creating, modifying, and dropping the structure of database objects. -* CREATE, ALTER, DROP,TRUNCATE,… +* CREATE - to create a database and its objects like (table, views, …) +* ALTER - alters the structure of the existing database +* DROP - delete objects from the database * Example: -** CREATE TABLE Customers( + +** CREATE TABLE Employees( +     IdNum INT NOT NULL, +     LName VARCHAR (20) NOT NULL, +     FName VARCHAR (20) NOT NULL, + @@ -11,4 +19,7 @@     Phone VARCHAR (20), +     PRIMARY KEY (IdNum) + ); -** This statement creates the employees example table given above. \ No newline at end of file +** This statement creates the employees example table given on page 2. + +Now try to modify the schneme by removing the column "Phone" from the table "Employees": + 
diff --git a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content4.adoc b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content4.adoc index dd59992fa..5271d942a 100644 --- a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content4.adoc +++ b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content4.adoc @@ -1,7 +1,18 @@ === Data Control Language (DCL) + +Data control language is used to create privileges to allow users to access and manipulate the database. + +If an attacker uses a SQL injection of the DCL type to manipulate your database, he will violate the following of the three protection goals in information security: confidentiality (grant) & availability (revoke) (Unwanted people could grand themselves admin privileges or revoke the admin rights from an administrator) + + * DCL commands are used for providing security to database objects. -* GRANT, REVOKE, … +* GRANT - allow users access privileges to the database +* REVOKE - withdraw users access privileges given by using the GRANT command * Example: ** GRANT CREATE TABLE + TO operator; ** This statement gives all users of the operator-role the privilege to create new tables in the database. + + +Try to grant the usergroup "UnauthorizedUser" the right to alter tables: +