Modified and improved explanations for SQL Injections (basics)

webgoat-lessons/sql-injection/src/main/resources/html/SqlInjection.html

@@ -23,7 +23,24 @@
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:SqlInjection_content5.adoc"></div>
+    <div class="adoc-content" th:replace="doc:SqlInjection_content5_before.adoc"></div>
+    <div>
+        <label for="username-preview">Username:</label>
+        <input id="preview-input" type="text" name="username" val=""/>
+        <div class="listingblock">
+            <div class="content">
+                <pre>"SELECT * FROM users WHERE name = '<span id="input-preview" style="font-weight: bold;"></span>'";</pre>
+            </div>
+        </div>
+        <script>
+            $(document).ready( () => {
+                $("#preview-input").on("keyup", (e) => {
+                    $("#input-preview").text(e.target.value);
+                });
+            });
+        </script>
+    </div>
+    <div class="adoc-content" th:replace="doc:SqlInjection_content5_after.adoc"></div>
 </div>
 
 <div class="lesson-page-wrapper">

webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content1.adoc

@@ -1,17 +1,63 @@
 == What is SQL
 
-SQL is a way to interact with databases and is interpreted by the database.
+SQL is a standardized (ANSI in 1986, ISO in 1987) programming language which is used for managing relational databases and performing various operations on the data in them.
 
-=== SQL - Structured Query Language 
+A database is a collection of data. Data is organized into rows, columns and tables, and it is indexed to make it easier to find relevant information.
-* Not “Standard Query Language”
+
-* Multiple versions of SQL. Most databases have some custom functions
+Example SQL table with employees:
-* Most vendors have a proprietary extension
+
+Employees Table
+|===
+|IdNum |LName |FName |JobCode |Salary |Phone |
+
+|1876 |CHIN |JACK |TA1 |42400 |212/558-5634 |
+
+|1114 |GREENWALD |JANICE |ME3 |38000 |212/558-1092 |
+
+|1556 |PENNINGTION|MICHAEL |ME1 |29860 |718/383-5681 |
+
+|1354 |PARKER |MARY |FA3 |65800 |914/455-2337 |
+
+|1130 |WOOD |DEBORAH |PT2 |36514 |212/587-0013 |
+|===
+
+Each employee has an index (IdNum), lastname, firstname, job title (JobCode), salary and a phone number. All his data from this table is represented in a single row.
+
+By using SQL queries you can modify a database table and its index structures, add, update and delete rows of data.
+
+There are three types of SQL commands in the SQL database language:
 
 === Data Manipulation Language (DML)
+* DML commands are used for storing, retrieving, modifying, and deleting data.
 * SELECT, INSERT, UPDATE, DELETE, …
+* Example:
+** Retrieve data:
+** SELECT Phone  +
+   FROM Employees +
+   WHERE IdNum = 1354;
+** This statement delivers the phone number of the employee with the number 1354.
 
 === Data Definition Language (DDL)
+* DDL commands are used for creating, modifying, and dropping the structure of database objects.
 * CREATE, ALTER, DROP,TRUNCATE,…
+* Example:
+** CREATE TABLE Customers( +
+       IdNum INT NOT NULL, +
+       LName VARCHAR (20) NOT NULL, +
+       FName VARCHAR (20) NOT NULL, +
+       JobCode VARCHAR (3) NOT NULL, +
+       Salary DECIMAL (18, 2), +
+       Phone VARCHAR (20), +
+       PRIMARY KEY (IdNum) +
+);
+** This statement creates the employees example table given above.
 
 === Data Control Language (DCL)
+* DCL commands are used for providing security to database objects.
 * GRANT, REVOKE, …
+* Example:
+** GRANT CREATE TABLE +
+   TO operator;
+** This statement gives all users of the operator-role the privilege to create new tables in the database.
+
+If you are still struggling with SQL and need more information or practice you can visit http://www.sqlcourse.com/ for an interactive and free online training.

webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content2.adoc

@@ -1,13 +1,7 @@
 == What is SQL Injection?
 
-==== A SQL injection attack consists of insertion or "injection" of an malicious data via the SQL query input from the client to the application
+SQL Injections are the most common web hacking techniques. *A SQL injection attack consists of insertion or "injection" of malicious code via the SQL query input from the client to the application.* If not dealt with correctly, such an injection of code into the application can have an serious impact on e.g. data integrity and security.
 
-=== A successful SQL injection exploit can:
+SQL Injections can occur, when unfiltered data from the client, e.g. the input of a search field, gets into the SQL-Interpreter of the application itself. If the input from the client does not get checked for containing SQL Commands, hackers can easily manipulate the underlying SQL-Statement to their advantages. +
-* Read and modify sensitive data from the database
+Per example if the input is not filtered for SQL metacharacters like *--* (comments out the rest of the line) or *;* (ends a SQL-query and that way can be used to chain them)
-* Execute administration operations on the database
-** Shutdown auditing or the DBMS
-** Truncate tables and logs
-** Add users
-* Recover the content of a given file present on the DBMS file system 
-* Issue commands to the operating system 
 

webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content3.adoc

@@ -1,14 +1,18 @@
 == Consequences of SQL Injection
 
+=== A successful SQL injection exploit can:
+* Read and modify sensitive data from the database
+* Execute administration operations on the database
+** Shutdown auditing or the DBMS
+** Truncate tables and logs
+** Add users
+* Recover the content of a given file present on the DBMS file system
+* Issue commands to the operating system
+
 === SQL injection attacks allow attackers to 
 * Spoof identity
 * Tamper with existing data
 * Cause repudiation issues such as voiding transactions or changing balances
 * Allow the complete disclosure of all data on the system
 * Destroy the data or make it otherwise unavailable
-* Become administrator of the database server 
+* Become administrator of the database server
-
-=== SQL Injection is more common in PHP, Classic ASP, Cold Fusion and older languages
-* Languages that do not provide parameterized query support
-* Parameterized queries have been added to newer versions
-* Early adopters of web technology (i.e. Old Code)

webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content4.adoc

@@ -12,6 +12,11 @@
 * MySQL Connector/J and C
 * Oracle
 
+=== SQL Injection is more common in PHP, Classic ASP, Cold Fusion and older languages
+* Languages that do not provide parameterized query support
+* Parameterized queries have been added to newer versions
+* Early adopters of web technology (i.e. Old Code)
+
 === Not all databases are equal (SQL Server)
 * Command shell: `master.dbo.xp_cmdshell 'cmd.exe dir c:'` 
 * Reqistry commands: `xp_regread`, `xp_regdeletekey`, …

webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content5.adoc

@@ -1,27 +0,0 @@
-== Example of SQL Injection
-
-=== Dynamic query in application
-
-==== Potential String Injection
--------------------------------------------------------
-"select * from users where name = '" + userName + "'";
--------------------------------------------------------
-
-==== Potential Numeric Injection
--------------------------------------------------------
-
-"select * from users where employee_id = "  + userID;
--------------------------------------------------------
-
-=== Attacker supplies unexpected text
-* userName = [red]*Smith' or '1'='1*
-* userName =[red]*' or 1=1 --*
-* userID = [red]*1234567 or 1=1*
-* UserName = [red]*Smith’;drop table users; truncate audit_log;--*
-
-=== Application executes query
-* select * from users where name = [red]*'Smith' or '1' = '1'*
-** select * from users where name = [red]*'Smith' or TRUE*
-* select * from users where employee_id = 1234567 or 1=1
-
-*All records are returned from database*

webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content5_after.adoc

@@ -0,0 +1,11 @@
+{nbsp} +
+{nbsp} +
+
+==== Here are some examples of what a hacker could supply to the input field to perform actions on the database that go further than just reading the data of a single user:
+
+* `+Smith’ OR ‘1’ = ‘1+` +
+results in `+"SELECT * FROM users WHERE name = 'Smith' OR TRUE;+` and that way will return all entries from the users table
+* `+Smith’ OR 1 = 1; --+` +
+results in `+"SELECT * FROM users WHERE name = 'Smith' OR TRUE;--';+` and that way will return all entries from the users table
+* `+Smith’; DROP TABLE USERS; truncate audit_log; --+` +
+chains multiple SQL-Commands and deletes the USERS table as well as entries from the audit_log

webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content5_before.adoc

@@ -0,0 +1,23 @@
+== Example of SQL Injection
+
+Think of a web application, that allows to display user information, by typing a username into an input field.
+
+The input will then be sent to the server and gets inserted into a SQL-query which then is processed by an SQL-Interpreter.
+
+The SQL-query to retrieve the user information from the database looks like that: +
+-------------------------------------------------------
+"SELECT * FROM users WHERE name = '" + userName + "'";
+-------------------------------------------------------
+
+The variable *userName* holds the input from the client and “injects” it into the query. +
+If the Input would be Smith the query then looks like that +
+-------------------------------------------------------
+"SELECT * FROM users WHERE name = 'Smith'";
+-------------------------------------------------------
+and would retrieve all data for the user with the name Smith.
+
+But if an attacker supplies an unexpected input which could be part of a SQL-query, the query itself can be modified and that way be used to perform other (malicious) actions on the database.
+{nbsp} +
+{nbsp} +
+
+Here is an input field. Try typing some SQL in here to better understand how the query changes.