From 924a53c22ae1e0762e1bc6b19bb83682e486b15c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ren=C3=A9=20Zubcevic?=
Date: Thu, 22 Aug 2019 13:48:48 +0200
Subject: [PATCH] fixed sql adv 5 progress and added prove in integration test
---
 .../advanced/SqlInjectionChallenge.java | 6 ++++-
 .../advanced/SqlInjectionChallengeLogin.java | 8 ++-----
 .../SqlInjectionAdvanced_TestHelper.java | 14 ++++++++++-
 .../java/org/owasp/webgoat/TestHelper.java | 23 +++++++++++++++++++
 4 files changed, 43 insertions(+), 8 deletions(-)
diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/advanced/SqlInjectionChallenge.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/advanced/SqlInjectionChallenge.java
index 3f13d819f..88368f96c 100644
--- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/advanced/SqlInjectionChallenge.java
+++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/advanced/SqlInjectionChallenge.java
@@ -51,7 +51,11 @@ public class SqlInjectionChallenge extends AssignmentEndpoint {
 ResultSet resultSet = statement.executeQuery(checkUserQuery);
 if (resultSet.next()) {
- attackResult = failed().feedback("user.exists").feedbackArgs(username_reg).build();
+ if (username_reg.contains("tom'")) {
+ attackResult = trackProgress(success().feedback("user.exists").build());
+ } else {
+ attackResult = failed().feedback("user.exists").feedbackArgs(username_reg).build();
+ }
 } else {
 PreparedStatement preparedStatement = connection.prepareStatement("INSERT INTO " + USERS_TABLE_NAME + " VALUES (?, ?, ?)");
 preparedStatement.setString(1, username_reg);
diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/advanced/SqlInjectionChallengeLogin.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/advanced/SqlInjectionChallengeLogin.java
index 4ca99b883..29095667b 100644
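Review bot: The new success condition `username_reg.contains("tom'")` is satisfied by the very first probe that returns a row, so a registration such as `tom'--` marks the assignment solved before a single password character has been inferred, and because it is a substring test the marker can sit anywhere in the input (`x' OR userid='tom'`). If that leniency is intended because the extracted password is proven by the separate login assignment, a comment should say so at the check, e.g. `// Lenient on purpose: any tom'-based injection that yields a row solves this step; the recovered password is checked by challenge_Login.` Otherwise consider also requiring the probe to reference the password column before calling `trackProgress`. Note as well that this branch returns `success()` with the same `user.exists` feedback key as the failure branch, which presumably doubles as the boolean oracle the solver relies on and deserves a one-line comment. The enclosing method begins and ends outside the hunk.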
--- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/advanced/SqlInjectionChallengeLogin.java
+++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/advanced/SqlInjectionChallengeLogin.java
@@ -1,7 +1,5 @@
 package org.owasp.webgoat.plugin.advanced;
-import lombok.extern.slf4j.Slf4j;
-import org.apache.commons.lang3.RandomStringUtils;
 import org.owasp.webgoat.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.assignments.AssignmentHints;
 import org.owasp.webgoat.assignments.AssignmentPath;
@@ -18,7 +16,6 @@ import java.sql.*;
 import static org.springframework.web.bind.annotation.RequestMethod.POST;
 @AssignmentPath("/SqlInjectionAdvanced/challenge_Login")
-@Slf4j
 @AssignmentHints(value ={"SqlInjectionChallengeHint1", "SqlInjectionChallengeHint2", "SqlInjectionChallengeHint3", "SqlInjectionChallengeHint4"})
 public class SqlInjectionChallengeLogin extends AssignmentEndpoint {
@@ -29,7 +26,6 @@ public class SqlInjectionChallengeLogin extends AssignmentEndpoint {
 @RequestMapping(method = POST)
 @ResponseBody
 public AttackResult login(@RequestParam String username_login, @RequestParam String password_login) throws Exception {
- System.out.println("right Method");
 Connection connection = DatabaseUtilities.getConnection(webSession);
 SqlInjectionChallenge.checkDatabase(connection);
@@ -39,8 +35,8 @@ public class SqlInjectionChallengeLogin extends AssignmentEndpoint {
 ResultSet resultSet = statement.executeQuery();
 if (resultSet.next()) {
- return ("tom".equals(username_login)) ? success().build() : success().feedback("ResultsButNotTom").build();
+ return ("tom".equals(username_login)) ? trackProgress(success().build()) : success().feedback("ResultsButNotTom").build();
 } else {
 return failed().feedback("NoResultsMatched").build();
 }
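Review bot: In the rewritten return the non-tom branch still yields `success().feedback("ResultsButNotTom").build()`, so a login that matches a row for any other user is shown as a success in the UI while, unlike the tom case, it never calls `trackProgress`, which reads as an inconsistency rather than deliberate partial credit. If partial credit is the intent, a comment such as `// A matching row for a user other than tom: report the injection as successful but do not mark the assignment solved` would make that explicit; otherwise `failed().feedback("ResultsButNotTom").build()` is the honest result. The `ResultSet` opened on the first context line of the last hunk is not closed anywhere in the visible lines, and the `Connection` obtained in the previous hunk does not appear to be either; try-with-resources is the usual fix, assuming the statement is created between the two hunks. The `login` method starts before and ends after these hunks.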
diff --git a/webgoat-server/src/test/java/org/owasp/webgoat/SqlInjectionAdvanced_TestHelper.java b/webgoat-server/src/test/java/org/owasp/webgoat/SqlInjectionAdvanced_TestHelper.java
index 13673a352..7328475f2 100644
--- a/webgoat-server/src/test/java/org/owasp/webgoat/SqlInjectionAdvanced_TestHelper.java
+++ b/webgoat-server/src/test/java/org/owasp/webgoat/SqlInjectionAdvanced_TestHelper.java
@@ -10,6 +10,18 @@ public class SqlInjectionAdvanced_TestHelper extends TestHelper {
 startLesson(cookie, webgoatURL, "SqlInjectionAdvanced");
 Map params = new HashMap<>();
+ params.clear();
+ params.put("username_reg", "tom' AND substring(password,1,1)='t");
+ params.put("password_reg", "password");
+ params.put("email_reg", "someone@microsoft.com");
+ params.put("confirm_password", "password");
+ checkAssignmentWithPUT(cookie, webgoatURL+"/WebGoat/SqlInjectionAdvanced/challenge", params, true);
+
+ params.clear();
+ params.put("username_login", "tom");
+ params.put("password_login", "thisisasecretfortomonly");
+ checkAssignment(cookie, webgoatURL+"/WebGoat/SqlInjectionAdvanced/challenge_Login", params, true);
+
 params.clear();
 params.put("userid_6a", "'; SELECT * FROM user_system_data;--");
 checkAssignment(cookie, webgoatURL+"/WebGoat/SqlInjectionAdvanced/attack6a", params, true);
@@ -30,7 +42,7 @@ public class SqlInjectionAdvanced_TestHelper extends TestHelper {
 params.put("question_4_solution", "Solution 4: The database registers 'Robert' ); DROP TABLE Students;--'.");
 checkAssignment(cookie, webgoatURL+"/WebGoat/SqlInjectionAdvanced/quiz", params, true);
- //checkResults(cookie, webgoatURL, "/SqlInjectionAdvanced/");
+ checkResults(cookie, webgoatURL, "/SqlInjectionAdvanced/");
 }
 }
diff --git a/webgoat-server/src/test/java/org/owasp/webgoat/TestHelper.java b/webgoat-server/src/test/java/org/owasp/webgoat/TestHelper.java
index dfad6d538..fd2b67141 100644
--- a/webgoat-server/src/test/java/org/owasp/webgoat/TestHelper.java
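Review bot: The added fixture uses `someone@microsoft.com` as the registration e-mail; test data should use a reserved domain so that no real organisation's address space appears in the suite, e.g. `params.put("email_reg", "someone@example.com");`. The sequence also only exercises the positive path: it sends one probe whose predicate is true and then logs in with the known password, so a regression that made the `/challenge` endpoint report `lessonCompleted` for any `tom'`-prefixed username would still pass. A second PUT with a false predicate, for instance `substring(password,1,1)='x'`, asserted with `false` would pin the boolean oracle, provided that registering the probe as a new user does not itself count as completion, which the visible code does not show. The class and method surrounding this hunk are outside it.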
+++ b/webgoat-server/src/test/java/org/owasp/webgoat/TestHelper.java
@@ -64,6 +64,29 @@ public class TestHelper {
 .extract().path("lessonCompleted"), is(expectedResult));
 }
+ /**
+ * Helper method for most common type of test.
+ * PUT with parameters.
+ * Checks for 200 and lessonCompleted as indicated by expectedResult
+ * @param webgoatCookie
+ * @param url
+ * @param params
+ * @param expectedResult
+ */
+ public void checkAssignmentWithPUT(String webgoatCookie, String url, Map params, boolean expectedResult) {
+ assertThat(
+ given()
+ .when()
+ .config(restConfig)
+ .cookie("JSESSIONID", webgoatCookie)
+ .formParams(params)
+ .put(url)
+ .then()
+ //.log().all()
+ .statusCode(200)
+ .extract().path("lessonCompleted"), is(expectedResult));
+ }
+
 /**
 * Helper method at the end of a lesson.
 * Check if all path paramters are correct for the progress.
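Review bot: `checkAssignmentWithPUT` appears to be a copy of the existing `checkAssignment` with only the HTTP verb changed (`.put(url)` in place of, presumably, `.post(url)`), and it carries along the same commented-out `//.log().all()` debug line; both would be better served by one private helper parameterised on the verb, with the two public methods delegating to it, and the dead debug line dropped. Its Javadoc has four empty `@param` tags; fill them in, describing `webgoatCookie` as the JSESSIONID of a logged-in WebGoat session, `url` as the absolute assignment URL, `params` as the form fields sent in the PUT body, and `expectedResult` as the expected `lessonCompleted` value in the JSON response. `Map params` is a raw type; `Map<String, ?> params` matches what `formParams` accepts and keeps existing callers compiling. The `TestHelper` class continues on both sides of this hunk.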