dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

display query string to user after success, added hints

Browse Source
This commit is contained in:
PhilippeSteinbach 2019-02-04 14:09:40 +01:00 committed by Nanne Baars
parent 2be2de8ce1
commit 7c32232faa
2 changed files with 5 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson2.java
View File

@ -46,7 +46,7 @@ import java.sql.*;
* @created October 28, 2003
*/
@AssignmentPath("/SqlInjection/attack2")
@AssignmentHints(value = {"SqlStringInjectionHint2-1", "SqlStringInjectionHint2-2"})
@AssignmentHints(value = {"SqlStringInjectionHint2-1", "SqlStringInjectionHint2-2", "SqlStringInjectionHint2-3", "SqlStringInjectionHint2-4"})
public class SqlInjectionLesson2 extends AssignmentEndpoint {
@RequestMapping(method = RequestMethod.POST)
@ -68,9 +68,9 @@ public class SqlInjectionLesson2 extends AssignmentEndpoint {
StringBuffer output = new StringBuffer();
results.first();
// user completes lesson if department is "Marketing"
// what if other employee with same dept is result?
if (results.getString("department").equals("Marketing")) {
output.append("<span class='feedback-positive'>" + _query + "</span>");
output.append(SqlInjectionLesson8.generateTable(results));
return trackProgress(success().feedback("sql-injection.2.success").output(output.toString()).build());
} else {

2
webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties
View File

@ -14,6 +14,8 @@ sql-injection.2.success=<span class='feedback-positive'>You have succeeded!</spa
sql-injection.2.failed=<span class='feedback-negative'>Something went wrong! You got no results, check your SQL Statement and the table above.</span>
SqlStringInjectionHint2-1=You want the data from the column with the name department. You know the database name (employees) and you know the first- and lastname of the employee (first_name, last_name).
SqlStringInjectionHint2-2=SELECT column FROM tablename WHERE condition;
SqlStringInjectionHint2-3=Use ' instead of " when comparing two strings.
SqlStringInjectionHint2-4=Pay attention to case sensitivity when comparing two strings.
SqlStringInjectionHint3-1=Try the UPDATE statement
SqlStringInjectionHint3-2=UPDATE tablename SET columnname=value WHERE condition;