SQL injection add hints #470

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/advanced/SqlInjectionChallenge.java

@@ -3,6 +3,7 @@ package org.owasp.webgoat.plugin.advanced;
 import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.lang3.RandomStringUtils;
 import org.owasp.webgoat.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.assignments.AssignmentHints;
 import org.owasp.webgoat.assignments.AssignmentPath;
 import org.owasp.webgoat.assignments.AttackResult;
 import org.owasp.webgoat.session.DatabaseUtilities;
@@ -23,6 +24,7 @@ import static org.springframework.web.bind.annotation.RequestMethod.POST;
  * @since 4/8/17.
  */
 @AssignmentPath("SqlInjection/challenge")
+@AssignmentHints(value = {"SqlInjectionChallenge1", "SqlInjectionChallenge2", "SqlInjectionChallenge3"})
 @Slf4j
 public class SqlInjectionChallenge extends AssignmentEndpoint {
 

webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties

@@ -6,6 +6,9 @@ sql.injection.title=SQL Injection
 sql.mitigation.title=SQL Injection (mitigation)
 sql.advanced.title=SQL Injection (advanced)
 
+SqlInjectionChallenge1=Look at the different response you receive from the server
+SqlInjectionChallenge2=The vulnerability is on the register form
+SqlInjectionChallenge3=Use tooling to automate this attack
 
 NoResultsMatched=No results matched. Try Again.
 SqlStringInjectionHint1=The application is taking your input and inserting it at the end of a pre-formed SQL command.