Merge branch 'release/v8.0.0.M22'

2019-01-18 08:38:10 +01:00
parent 6699456ee1 9be4361afc
commit 7b8e3cdb52
65 changed files with 791 additions and 332 deletions
--- a/webgoat-lessons/sql-injection/pom.xml
+++ b/webgoat-lessons/sql-injection/pom.xml
@ -6,6 +6,6 @@
    <parent>
        <groupId>org.owasp.webgoat.lesson</groupId>
        <artifactId>webgoat-lessons-parent</artifactId>
-        <version>v8.0.0.M20</version>
+        <version>v8.0.0.M22</version>
    </parent>
 </project>
--- a/webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties
+++ b/webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties
@ -20,14 +20,14 @@ SqlStringInjectionHint9=Intercept the request and try to specify a different ord
 SqlStringInjectionHint10=Use for example "(case when (true) then hostname else id end)" in the order by and see what happens
 SqlStringInjectionHint11=Use for example "(case when (true) then hostname else id end)" in the order by and see what happens

-sql-injection.5a.success=You have succeed: {0}
+sql-injection.5a.success=You have succeeded: {0}
 sql-injection.5a.no.results=No results matched. Try Again.

-sql-injection.5b.success=You have succeed: {0}
+sql-injection.5b.success=You have succeeded: {0}
 sql-injection.5b.no.results=No results matched. Try Again.

-sql-injection.6a.success=You have succeed: {0}
+sql-injection.6a.success=You have succeeded: {0}
 sql-injection.6a.no.results=No results matched. Try Again.

-sql-injection.6b.success=You have succeed: {0}
+sql-injection.6b.success=You have succeeded: {0}
 sql-injection.6b.no.results=No results matched. Try Again.
--- a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_order_by.adoc
+++ b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_order_by.adoc
@ -1,4 +1,5 @@
 In this assignment try to perform an SQL injection through the ORDER BY field.
-Try to find the ip address of the `webgoat-prd` server.
+Try to find the ip address of the `webgoat-prd` server, guessing the complete
+ip address might take too long so we give you the last part: `xxx.130.219.202`

 Note: The submit field of this assignment is *NOT* vulnerable for an SQL injection.
--- a/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson5aTest.java
+++ b/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson5aTest.java
@ -63,7 +63,7 @@ public class SqlInjectionLesson5aTest extends LessonTest {

                .andExpect(status().isOk())
                .andExpect(jsonPath("lessonCompleted", is(true)))
-                .andExpect(jsonPath("$.feedback", containsString("You have succeed")))
+                .andExpect(jsonPath("$.feedback", containsString("You have succeeded")))
                .andExpect(jsonPath("$.output").doesNotExist());
    }

@ -77,4 +77,4 @@ public class SqlInjectionLesson5aTest extends LessonTest {
                .andExpect(jsonPath("$.feedback", containsString(messages.getMessage("assignment.not.solved"))))
                .andExpect(jsonPath("$.output", is("malformed string: '1''")));
    }
-}
+}
--- a/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson12aTest.java
+++ b/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson12aTest.java
@ -28,7 +28,7 @@ public class SqlInjectionLesson12aTest extends LessonTest {
    private WebgoatContext context;

    @Before
-    public void setup() throws Exception {
+    public void setup()  {
        SqlInjection sql = new SqlInjection();

        when(webSession.getCurrentLesson()).thenReturn(sql);
@ -44,6 +44,40 @@ public class SqlInjectionLesson12aTest extends LessonTest {
                .andExpect(status().isOk());
    }

+    @Test
+    public void addressCorrectShouldOrderByHostname() throws Exception {
+        mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjection/servers")
+                .param("column", "CASE WHEN (SELECT ip FROM servers WHERE hostname='webgoat-prd') LIKE '104.%' THEN hostname ELSE id END"))
+
+                .andExpect(status().isOk()).andExpect(jsonPath("$[0].hostname", is("webgoat-acc")));
+    }
+
+    @Test
+    public void addressCorrectShouldOrderByHostnameUsingSubstr() throws Exception {
+        mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjection/servers")
+                .param("column", "case when (select ip from servers where hostname='webgoat-prd' and substr(ip,1,1) = '1') IS NOT NULL then hostname else id end"))
+
+                .andExpect(status().isOk()).andExpect(jsonPath("$[0].hostname", is("webgoat-acc")));
+
+        mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjection/servers")
+                .param("column", "case when (select ip from servers where hostname='webgoat-prd' and substr(ip,2,1) = '0') IS NOT NULL then hostname else id end"))
+
+                .andExpect(status().isOk()).andExpect(jsonPath("$[0].hostname", is("webgoat-acc")));
+
+        mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjection/servers")
+                .param("column", "case when (select ip from servers where hostname='webgoat-prd' and substr(ip,3,1) = '4') IS NOT NULL then hostname else id end"))
+
+                .andExpect(status().isOk()).andExpect(jsonPath("$[0].hostname", is("webgoat-acc")));
+    }
+
+    @Test
+    public void addressIncorrectShouldOrderByIdUsingSubstr() throws Exception {
+        mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjection/servers")
+                .param("column", "case when (select ip from servers where hostname='webgoat-prd' and substr(ip,1,1) = '9') IS NOT NULL then hostname else id end"))
+
+                .andExpect(status().isOk()).andExpect(jsonPath("$[0].hostname", is("webgoat-dev")));
+    }
+
    @Test
    public void trueShouldSortByHostname() throws Exception {
        mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjection/servers")
@ -63,21 +97,13 @@ public class SqlInjectionLesson12aTest extends LessonTest {
    }

    @Test
-    public void passwordIncorrectShouldOrderByHostname() throws Exception {
+    public void addressIncorrectShouldOrderByHostname() throws Exception {
        mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjection/servers")
                .param("column", "CASE WHEN (SELECT ip FROM servers WHERE hostname='webgoat-prd') LIKE '192.%' THEN hostname ELSE id END"))

                .andExpect(status().isOk()).andExpect(jsonPath("$[0].hostname", is("webgoat-dev")));
    }

-    @Test
-    public void passwordCorrectShouldOrderByHostname() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjection/servers")
-                .param("column", "CASE WHEN (SELECT ip FROM servers WHERE hostname='webgoat-prd') LIKE '104.%' THEN hostname ELSE id END"))
-
-                .andExpect(status().isOk()).andExpect(jsonPath("$[0].hostname", is("webgoat-acc")));
-    }
-
    @Test
    public void postingCorrectAnswerShouldPassTheLesson() throws Exception {
        mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/attack12a")