feat: Introduce Playwright for UI testing
Instead of using Robot Framework which does not run during a `mvn install`. Playwright seems to be the better approach. We can now write them as normal JUnit test and they are executed during a build. Additionally this PR solves some interesting bugs found during writing Playwright tests: - A reset of a lesson removes all assignments as a result another user wouldn't see any assignments - If someone solves an assignment the assignment automatically got solved for a new user since the assignment included the `solved` flag which immediately got copied to new lesson progress. - Introduction of assignment progress linking a assignment not directly to all users.
This commit is contained in:
Nanne Baars
GitHub
@ -0,0 +1,85 @@
|
||||
package org.owasp.webgoat.integration;
|
||||
|
||||
import static org.hamcrest.CoreMatchers.containsString;
|
||||
|
||||
import io.restassured.RestAssured;
|
||||
import io.restassured.http.ContentType;
|
||||
import java.util.HashMap;
|
||||
import java.util.Map;
|
||||
import org.junit.jupiter.api.Test;
|
||||
|
||||
public class SqlInjectionMitigationIntegrationTest extends IntegrationTest {
|
||||
|
||||
@Test
|
||||
public void runTests() {
|
||||
startLesson("SqlInjectionMitigations");
|
||||
|
||||
Map<String, Object> params = new HashMap<>();
|
||||
params.clear();
|
||||
params.put("field1", "getConnection");
|
||||
params.put("field2", "PreparedStatement prep");
|
||||
params.put("field3", "prepareStatement");
|
||||
params.put("field4", "?");
|
||||
params.put("field5", "?");
|
||||
params.put("field6", "prep.setString(1,\"\")");
|
||||
params.put("field7", "prep.setString(2,\\\"\\\")");
|
||||
checkAssignment(url("SqlInjectionMitigations/attack10a"), params, true);
|
||||
|
||||
params.put(
|
||||
"editor",
|
||||
"try {\r\n"
|
||||
+ " Connection conn = DriverManager.getConnection(DBURL,DBUSER,DBPW);\r\n"
|
||||
+ " PreparedStatement prep = conn.prepareStatement(\"select id from users where name"
|
||||
+ " = ?\");\r\n"
|
||||
+ " prep.setString(1,\"me\");\r\n"
|
||||
+ " prep.execute();\r\n"
|
||||
+ " System.out.println(conn); //should output 'null'\r\n"
|
||||
+ "} catch (Exception e) {\r\n"
|
||||
+ " System.out.println(\"Oops. Something went wrong!\");\r\n"
|
||||
+ "}");
|
||||
checkAssignment(url("SqlInjectionMitigations/attack10b"), params, true);
|
||||
|
||||
params.clear();
|
||||
params.put(
|
||||
"userid_sql_only_input_validation", "Smith';SELECT/**/*/**/from/**/user_system_data;--");
|
||||
checkAssignment(url("SqlOnlyInputValidation/attack"), params, true);
|
||||
|
||||
params.clear();
|
||||
params.put(
|
||||
"userid_sql_only_input_validation_on_keywords",
|
||||
"Smith';SESELECTLECT/**/*/**/FRFROMOM/**/user_system_data;--");
|
||||
checkAssignment(url("SqlOnlyInputValidationOnKeywords/attack"), params, true);
|
||||
|
||||
RestAssured.given()
|
||||
.when()
|
||||
.relaxedHTTPSValidation()
|
||||
.cookie("JSESSIONID", getWebGoatCookie())
|
||||
.contentType(ContentType.JSON)
|
||||
.get(
|
||||
url(
|
||||
"SqlInjectionMitigations/servers?column=(case when (true) then hostname"
|
||||
+ " else id end)"))
|
||||
.then()
|
||||
.statusCode(200);
|
||||
|
||||
RestAssured.given()
|
||||
.when()
|
||||
.relaxedHTTPSValidation()
|
||||
.cookie("JSESSIONID", getWebGoatCookie())
|
||||
.contentType(ContentType.JSON)
|
||||
.get(url("SqlInjectionMitigations/servers?column=unknown"))
|
||||
.then()
|
||||
.statusCode(500)
|
||||
.body(
|
||||
"trace",
|
||||
containsString(
|
||||
"select id, hostname, ip, mac, status, description from SERVERS where status <>"
|
||||
+ " 'out of order' order by"));
|
||||
|
||||
params.clear();
|
||||
params.put("ip", "104.130.219.202");
|
||||
checkAssignment(url("SqlInjectionMitigations/attack12a"), params, true);
|
||||
|
||||
checkResults("SqlInjectionMitigations");
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user