fixed sql adv 5 progress and added prove in integration test

2019-08-22 13:48:48 +02:00 · 2019-08-22 13:48:48 +02:00 · 924a53c22a
commit 924a53c22a
parent c93563da3f
4 changed files with 43 additions and 8 deletions
--- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/advanced/SqlInjectionChallenge.java
+++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/advanced/SqlInjectionChallenge.java
@ -51,7 +51,11 @@ public class SqlInjectionChallenge extends AssignmentEndpoint {
                ResultSet resultSet = statement.executeQuery(checkUserQuery);

                if (resultSet.next()) {
-                    attackResult = failed().feedback("user.exists").feedbackArgs(username_reg).build();
+                	if (username_reg.contains("tom'")) {
+                		attackResult = trackProgress(success().feedback("user.exists").build());
+                	} else {
+                		attackResult = failed().feedback("user.exists").feedbackArgs(username_reg).build();
+                	}
                } else {
                    PreparedStatement preparedStatement = connection.prepareStatement("INSERT INTO " + USERS_TABLE_NAME + " VALUES (?, ?, ?)");
                    preparedStatement.setString(1, username_reg);
--- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/advanced/SqlInjectionChallengeLogin.java
+++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/advanced/SqlInjectionChallengeLogin.java
@ -1,7 +1,5 @@
 package org.owasp.webgoat.plugin.advanced;

-import lombok.extern.slf4j.Slf4j;
-import org.apache.commons.lang3.RandomStringUtils;
 import org.owasp.webgoat.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.assignments.AssignmentHints;
 import org.owasp.webgoat.assignments.AssignmentPath;
@ -18,7 +16,6 @@ import java.sql.*;
 import static org.springframework.web.bind.annotation.RequestMethod.POST;

@AssignmentPath("/SqlInjectionAdvanced/challenge_Login")
-@Slf4j
@AssignmentHints(value ={"SqlInjectionChallengeHint1", "SqlInjectionChallengeHint2", "SqlInjectionChallengeHint3", "SqlInjectionChallengeHint4"})
 public class SqlInjectionChallengeLogin extends AssignmentEndpoint {

@ -29,7 +26,6 @@ public class SqlInjectionChallengeLogin extends AssignmentEndpoint {
  @RequestMapping(method = POST)
  @ResponseBody
  public AttackResult login(@RequestParam String username_login, @RequestParam String password_login) throws Exception {
-    System.out.println("right Method");
    Connection connection = DatabaseUtilities.getConnection(webSession);
    SqlInjectionChallenge.checkDatabase(connection);

@ -39,8 +35,8 @@ public class SqlInjectionChallengeLogin extends AssignmentEndpoint {
    ResultSet resultSet = statement.executeQuery();

    if (resultSet.next()) {
-        return ("tom".equals(username_login)) ? success().build()
-                : success().feedback("ResultsButNotTom").build();
+        return ("tom".equals(username_login)) ? trackProgress(success().build())
+        		: success().feedback("ResultsButNotTom").build();
    } else {
      return failed().feedback("NoResultsMatched").build();
    }
--- a/webgoat-server/src/test/java/org/owasp/webgoat/SqlInjectionAdvanced_TestHelper.java
+++ b/webgoat-server/src/test/java/org/owasp/webgoat/SqlInjectionAdvanced_TestHelper.java
@ -10,6 +10,18 @@ public class SqlInjectionAdvanced_TestHelper extends TestHelper {
 		startLesson(cookie, webgoatURL, "SqlInjectionAdvanced");
 		
 		Map<String, Object> params = new HashMap<>();
+		params.clear();
+		params.put("username_reg", "tom' AND substring(password,1,1)='t");	
+		params.put("password_reg", "password");	
+		params.put("email_reg", "someone@microsoft.com");	
+		params.put("confirm_password", "password");	
+		checkAssignmentWithPUT(cookie, webgoatURL+"/WebGoat/SqlInjectionAdvanced/challenge", params, true);
+		
+		params.clear();
+		params.put("username_login", "tom");	
+		params.put("password_login", "thisisasecretfortomonly");	
+		checkAssignment(cookie, webgoatURL+"/WebGoat/SqlInjectionAdvanced/challenge_Login", params, true);
+				
 		params.clear();
 		params.put("userid_6a", "'; SELECT * FROM user_system_data;--");		
 		checkAssignment(cookie, webgoatURL+"/WebGoat/SqlInjectionAdvanced/attack6a", params, true);
@ -30,7 +42,7 @@ public class SqlInjectionAdvanced_TestHelper extends TestHelper {
 		params.put("question_4_solution", "Solution 4: The database registers 'Robert' ); DROP TABLE Students;--'.");
 		checkAssignment(cookie, webgoatURL+"/WebGoat/SqlInjectionAdvanced/quiz", params, true);
 		
-		//checkResults(cookie, webgoatURL, "/SqlInjectionAdvanced/");
+		checkResults(cookie, webgoatURL, "/SqlInjectionAdvanced/");
 	
 	}
 }
--- a/webgoat-server/src/test/java/org/owasp/webgoat/TestHelper.java
+++ b/webgoat-server/src/test/java/org/owasp/webgoat/TestHelper.java
@ -64,6 +64,29 @@ public class TestHelper {
 					.extract().path("lessonCompleted"), is(expectedResult));
 	}
 	
+	/**
+	 * Helper method for most common type of test.
+	 * PUT with parameters.
+	 * Checks for 200 and lessonCompleted as indicated by expectedResult
+	 * @param webgoatCookie
+	 * @param url
+	 * @param params
+	 * @param expectedResult
+	 */
+	public void checkAssignmentWithPUT(String webgoatCookie, String url, Map<String, ?> params, boolean expectedResult) {
+		assertThat(
+			given()
+				.when()
+					.config(restConfig)
+					.cookie("JSESSIONID", webgoatCookie)
+					.formParams(params)
+				.put(url)
+				.then()
+					//.log().all()
+					.statusCode(200)
+					.extract().path("lessonCompleted"), is(expectedResult));
+	}
+	
 	/**
 	 * Helper method at the end of a lesson.
 	 * Check if all path paramters are correct for the progress.