diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5.java
index 557f510c1..970209122 100644
--- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5.java
+++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5.java
@@ -39,7 +39,7 @@ import java.sql.Statement;
 @RestController
-@AssignmentHints(value = {"SqlStringInjectionHint5-a"})
+@AssignmentHints(value = {"SqlStringInjectionHint5-1", "SqlStringInjectionHint5-2", "SqlStringInjectionHint5-3", "SqlStringInjectionHint5-4"})
 public class SqlInjectionLesson5 extends AssignmentEndpoint {
 private final LessonDataSource dataSource;
@@ -50,7 +50,7 @@ public class SqlInjectionLesson5 extends AssignmentEndpoint {
 @PostConstruct
 public void createUser() {
- // HSQLDB does not support CREATE USER with IF NOT EXISTS so we need to do it in code (DROP first will throw error if user does not exists)
+ // HSQLDB does not support CREATE USER with IF NOT EXISTS so we need to do it in code (using DROP first will throw error if user does not exists)
 try (Connection connection = dataSource.getConnection()) {
 try (var statement = connection.prepareStatement("CREATE USER unauthorized_user PASSWORD test")) {
 statement.execute();
diff --git a/webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties b/webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties
index 22ab599cf..103820d34 100644
--- a/webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties
+++ b/webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties
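Review bot: The reworded comment on the `+` line of the second hunk still does not state what the code relies on — that `CREATE USER unauthorized_user` is expected to fail on every start after the first, because the user then already exists, and that this failure is presumably tolerated further down — and it still reads "does not exists". Suggest `// HSQLDB has no CREATE USER ... IF NOT EXISTS, and DROP USER fails when the user is absent, so we always run CREATE USER and tolerate the "already exists" error below`. createUser's body continues past the hunk, so the catch that absorbs that error is not visible here; if it is a broad catch, narrowing it or logging the exception would keep a datasource failure at startup from being mistaken for the expected duplicate-user error. The literal `PASSWORD test` is a lesson fixture rather than a secret, but the comment could say so explicitly, since the hints in WebGoatLabels.properties now point learners at this account by name.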
@@ -24,8 +24,10 @@ SqlStringInjectionHint4-1=ALTER TABLE alters the structure of an existing databa
 SqlStringInjectionHint4-2=Do not forget the data type of the new column (e.g. varchar(size) or int(size))
 SqlStringInjectionHint4-3=ALTER TABLE table name ADD column name data type(size);
-SqlStringInjectionHint5-1=Take a look at how to use a grant statement.
-SqlStringInjectionHint5-2=You are using 'tom' trying to grant access to tom
+SqlStringInjectionHint5-1=Take a look at how to use a grant statement (WebGoat uses HSQLDB)
+SqlStringInjectionHint5-2=You can grant to a user or a role.
+SqlStringInjectionHint5-3=Try to grant 'select' privilege to 'unauthorized_user'.
+SqlStringInjectionHint5-4=Use 'grant select on <