diff --git a/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson5aTest.java b/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson5aTest.java
new file mode 100644
index 000000000..277be746d
--- /dev/null
+++ b/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson5aTest.java
@@ -0,0 +1,99 @@
+package org.owasp.webgoat.plugin.introduction;
+
+import org.hsqldb.lib.MultiValueHashMap;
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.owasp.webgoat.plugins.LessonTest;
+import org.owasp.webgoat.session.WebgoatContext;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
+import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
+import org.springframework.test.web.servlet.setup.MockMvcBuilders;
+import org.springframework.util.LinkedMultiValueMap;
+import org.springframework.util.MultiValueMap;
+
+import static org.hamcrest.CoreMatchers.containsString;
+import static org.hamcrest.CoreMatchers.is;
+import static org.mockito.Mockito.when;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+
+/**
+ * @author nbaars
+ * @since 5/21/17.
+ */
+@RunWith(SpringJUnit4ClassRunner.class)
+public class SqlInjectionLesson5aTest extends LessonTest {
+
+ @Autowired
+ private WebgoatContext context;
+
+ @Before
+ public void setup() throws Exception {
+ SqlInjection sql = new SqlInjection();
+ when(webSession.getCurrentLesson()).thenReturn(sql);
+ when(webSession.getWebgoatContext()).thenReturn(context);
+ this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
+ }
+
+ @Test
+ public void knownAccountShouldDisplayData() throws Exception {
+ LinkedMultiValueMap map = new LinkedMultiValueMap<>();
+ map.add("account", "Smith");
+ map.add("operator", "");
+ map.add("injection", "");
+ mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/attack5a")
+ .params(map))
+
+ .andExpect(status().isOk())
+ .andExpect(jsonPath("lessonCompleted", is(false)))
+ .andExpect(jsonPath("$.feedback", is(messages.getMessage("assignment.not.solved"))))
+ .andExpect(jsonPath("$.output", containsString("

USERID, FIRST_NAME")));
+ }
+
+ @Test
+ public void unknownAccount() throws Exception {
+ LinkedMultiValueMap map = new LinkedMultiValueMap<>();
+ map.add("account", "Smithh");
+ map.add("operator", "");
+ map.add("injection", "");
+ mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/attack5a")
+ .params(map))
+
+ .andExpect(status().isOk())
+ .andExpect(jsonPath("lessonCompleted", is(false)))
+ .andExpect(jsonPath("$.feedback", is(messages.getMessage("NoResultsMatched"))))
+ .andExpect(jsonPath("$.output").doesNotExist());
+ }
+
+ @Test
+ public void sqlInjection() throws Exception {
+ LinkedMultiValueMap map = new LinkedMultiValueMap<>();
+ map.add("account", "Smith'");
+ map.add("operator", "OR");
+ map.add("injection", "'1' = '1");
+ mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/attack5a")
+ .params(map))
+
+ .andExpect(status().isOk())
+ .andExpect(jsonPath("lessonCompleted", is(true)))
+ .andExpect(jsonPath("$.feedback", containsString("You have succeed")))
+ .andExpect(jsonPath("$.output").doesNotExist());
+ }
+
+ @Test
+ public void sqlInjectionWrongShouldDisplayError() throws Exception {
+ LinkedMultiValueMap map = new LinkedMultiValueMap<>();
+ map.add("account", "Smith'");
+ map.add("operator", "OR");
+ map.add("injection", "'1' = '1'");
+ mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/attack5a")
+ .params(map))
+
+ .andExpect(status().isOk())
+ .andExpect(jsonPath("lessonCompleted", is(false)))
+ .andExpect(jsonPath("$.feedback", containsString(messages.getMessage("assignment.not.solved"))))
+ .andExpect(jsonPath("$.output", is("malformed string: '1''")));
+ }
+}
\ No newline at end of file
diff --git a/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson6aTest.java b/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson6aTest.java
index 344db1dbe..2eb75edf4 100644
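Review bot: `LinkedMultiValueMap map = new LinkedMultiValueMap<>();` in each of the four test methods declares the variable with a raw type, which makes every `map.add(...)` unchecked and leaves the imported `MultiValueMap` (and `org.hsqldb.lib.MultiValueHashMap`) unused; declaring it as `MultiValueMap<String, String> map = new LinkedMultiValueMap<>();` and dropping the hsqldb import fixes both. The four methods also repeat the same three `map.add` calls and the same `post("/SqlInjection/attack5a")` request, so a private helper that builds and performs the request would leave each test with only its expectations (see below). `sqlInjectionWrongShouldDisplayError` pins the exact database error text with `is("malformed string: '1''")`, so any change in the database's message wording fails the test; `containsString("malformed string")` still checks that an error rather than data is surfaced without that brittleness. The class Javadoc carries only `@author`/`@since`; a one-line summary such as `Tests the /SqlInjection/attack5a endpoint with a known account, an unknown account, a solving injection and a malformed one.` would orient readers, and `jsonPath("lessonCompleted", ...)` could use the `$.`-prefixed form the `$.feedback` and `$.output` expectations on the same chains already use.
```java
private ResultActions attack5a(String account, String operator, String injection) throws Exception {
    MultiValueMap<String, String> map = new LinkedMultiValueMap<>();
    map.add("account", account);
    map.add("operator", operator);
    map.add("injection", injection);
    return mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/attack5a").params(map));
}

@Test
public void knownAccountShouldDisplayData() throws Exception {
    attack5a("Smith", "", "")
            .andExpect(status().isOk())
            // … unchanged: remaining expectations …
}
```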
--- a/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson6aTest.java
+++ b/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson6aTest.java
@@ -77,5 +77,13 @@ public class SqlInjectionLesson6aTest extends LessonTest {
 .andExpect(jsonPath("$.feedback", is(messages.getMessage("sql-injection.6a.no.results"))));
 }
+ @Test
+ public void noUnionUsed() throws Exception {
+ mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/attack6a")
+ .param("userid_6a", "S'; Select * from user_system_data; --"))
+ .andExpect(status().isOk())
+ .andExpect(jsonPath("$.lessonCompleted", is(false)))
+ .andExpect(jsonPath("$.output", containsString("To succesfully complete this Assignement you have to use a UNION")));
+ }
 }
\ No newline at end of file
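Review bot: The new `noUnionUsed` test pins the user-facing sentence `To succesfully complete this Assignement you have to use a UNION` verbatim in its `$.output` expectation, while the context line just above it resolves its expected text through `messages.getMessage("sql-injection.6a.no.results")`; hard-coding the string (including the spellings `succesfully` and `Assignement`) means correcting the message later breaks this test. If that sentence comes from the lesson's message bundle, look it up by its key the way the sibling test does; the key is not visible in this hunk, so it has to be confirmed in the lesson sources. The test also checks only `$.lessonCompleted` and `$.output`; adding an `.andExpect(jsonPath("$.feedback", ...))` would match the shape of the other tests in this class. The method is complete within the hunk; the enclosing class begins outside it.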