added hints to sql injection assignment 4 & 5, minor text changes to be consistent to other assignments

2018-11-12 11:19:55 +01:00 · 2018-11-12 11:19:55 +01:00 · 90da672be2
commit 90da672be2
parent 0098f07d00
5 changed files with 11 additions and 7 deletions
--- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson4.java
+++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson4.java
@ -46,7 +46,7 @@ import java.sql.*;
 * @created October 28, 2003
 */
@AssignmentPath("/SqlInjection/attack4")
-@AssignmentHints(value = {"SqlStringInjectionHint4a1", "SqlStringInjectionHint4a2"})
+@AssignmentHints(value = {"SqlStringInjectionHint4a1", "SqlStringInjectionHint4a2", "SqlStringInjectionHint4a3"})
 public class SqlInjectionLesson4 extends AssignmentEndpoint {

    @RequestMapping(method = RequestMethod.POST)
--- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson5.java
+++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson5.java
@ -46,7 +46,7 @@ import java.sql.*;
 * @created October 28, 2003
 */
@AssignmentPath("/SqlInjection/attack5")
-@AssignmentHints(value = {"SqlStringInjectionHint5a1", "SqlStringInjectionHint5a2"})
+@AssignmentHints(value = {"SqlStringInjectionHint5a1"})
 public class SqlInjectionLesson5 extends AssignmentEndpoint {

    @RequestMapping(method = RequestMethod.POST)
--- a/webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties
+++ b/webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties
@ -33,6 +33,10 @@ SqlStringInjectionHint2a1=You want the data from the column with the name depart
 SqlStringInjectionHint2a2=SELECT column FROM tablename WHERE condition;
 SqlStringInjectionHint3a1=Try the UPDATE statement
 SqlStringInjectionHint3a2=UPDATE tablename SET columnname=value WHERE condition;
+SqlStringInjectionHint4a1=ALTER TABLE alters the structure of an existing database
+SqlStringInjectionHint4a2=Don't forget the data type of the new column (e.g. varchar(size) or int(size))
+SqlStringInjectionHint4a3=ALTER TABLE tablename ADD columnname data type(size);
+SqlStringInjectionHint5a1=Look at the example. There's everything you'll need.
 SqlStringInjectionHint6=Try Appending a new SQL Statement to the Query.
 SqlStringInjectionHint7=The new SQL Statement can be really simple like: SELECT ... FROM ...
 SqlStringInjectionHint8=Your new SQL Query should start, with a " ; " and end with " -- "
--- a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content2.adoc
+++ b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content2.adoc
@ -12,10 +12,10 @@ If an attacker uses a SQL injection of the DML type to manipulate your database,
 * DELETE - Delete all records from a database table
 * Example:
 ** Retrieve data:
-** SELECT Phone  +
-   FROM Employees +
-   WHERE IdNum = 1354;
-** This statement delivers the phone number of the employee with the number 1354.
+** SELECT phone  +
+   FROM employees +
+   WHERE userid = 96134;
+** This statement delivers the phone number of the employee with the userid 96134.

 === It's your turn!
 Try to change the department of Tobi Barnett to 'Sales'.
--- a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content3.adoc
+++ b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content3.adoc
@ -10,7 +10,7 @@ If an attacker uses a SQL injection of the DDL type to manipulate your database,
 * ALTER - alters the structure of the existing database
 * DROP - delete objects from the database
 * Example:
-** CREATE TABLE Employees( +
+** CREATE TABLE employees( +
   &nbsp;&nbsp;&nbsp;&nbsp;userid varchar(6) not null primary key, +
   &nbsp;&nbsp;&nbsp;&nbsp;first_name varchar(20), +
   &nbsp;&nbsp;&nbsp;&nbsp;last_name varchar(20), +