diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/CleanupLocalProgressFiles.java b/webgoat-container/src/main/java/org/owasp/webgoat/CleanupLocalProgressFiles.java index 9200a8a5a..6e9e89985 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/CleanupLocalProgressFiles.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/CleanupLocalProgressFiles.java @@ -4,6 +4,7 @@ import lombok.extern.slf4j.Slf4j; import org.springframework.beans.factory.annotation.Value; import org.springframework.boot.autoconfigure.condition.ConditionalOnExpression; import org.springframework.context.annotation.Configuration; +import org.springframework.util.FileSystemUtils; import javax.annotation.PostConstruct; import java.io.File; @@ -23,14 +24,6 @@ public class CleanupLocalProgressFiles { @PostConstruct public void clean() { File dir = new File(webgoatHome); - if (dir.exists()) { - File[] progressFiles = dir.listFiles(f -> f.getName().endsWith(".progress")); - if (progressFiles != null) { - log.info("Removing stored user preferences..."); - for (File f : progressFiles) { - f.delete(); - } - } - } + FileSystemUtils.deleteRecursively(dir); } } diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/session/CreateDB.java b/webgoat-container/src/main/java/org/owasp/webgoat/session/CreateDB.java index 4031e0c82..725507cac 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/session/CreateDB.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/session/CreateDB.java @@ -7,756 +7,708 @@ import java.sql.Statement; /** - ************************************************************************************************* - * - * + * ************************************************************************************************ + *

+ *

* This file is part of WebGoat, an Open Web Application Security Project utility. For details, * please see http://www.owasp.org/ - * + *

* Copyright (c) 2002 - 20014 Bruce Mayhew - * + *

* This program is free software; you can redistribute it and/or modify it under the terms of the * GNU General Public License as published by the Free Software Foundation; either version 2 of the * License, or (at your option) any later version. - * + *

* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * General Public License for more details. - * + *

* You should have received a copy of the GNU General Public License along with this program; if * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA * 02111-1307, USA. - * + *

* Getting Source ============== - * + *

* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software * projects. * * @author Jeff Williams Aspect Security * @version $Id: $Id */ -public class CreateDB -{ - - /** - * Description of the Method - * - * @param connection - * Description of the Parameter - * - * @exception SQLException - * Description of the Exception - */ - private void createMessageTable(Connection connection) throws SQLException - { - Statement statement = connection.createStatement(); - - // Drop admin user table - try - { - String dropTable = "DROP TABLE messages"; - statement.executeUpdate(dropTable); - } catch (SQLException e) - { - System.out.println("Info - Could not drop message database"); - } - - // Create the new table - try - { - String createTableStatement = "CREATE TABLE messages (" + "num int not null," + "title varchar(50)," - + "message varchar(200)," + "user_name varchar(50) not null, " + "lesson_type varchar(50) not null" - + ")"; - statement.executeUpdate(createTableStatement); - } catch (SQLException e) - { - System.out.println("Error creating message database " + e.getLocalizedMessage()); - } - } +public class CreateDB { /** * Description of the Method * * @param connection Description of the Parameter - * - * @exception SQLException Description of the Exception + * @throws SQLException Description of the Exception */ - private void createMFEImagesTable(Connection connection) throws SQLException - { - Statement statement = connection.createStatement(); - - // Drop mfe_images table - try - { - String dropTable = "DROP TABLE mfe_images"; - statement.executeUpdate(dropTable); - } - catch (SQLException e) - { - System.out.println("Info - Could not drop mfe_images table from database"); - } - - // Create the new mfe_images table - try - { - String createTableStatement = "CREATE TABLE mfe_images (" - + "user_name varchar(50) not null, " - + "image_relative_url varchar(50) not null" - + ")"; - statement.executeUpdate(createTableStatement); - } - catch (SQLException e) - { - System.out.println("Error creating mfe_images table in database " + e.getLocalizedMessage()); - } + private void createServersTable(Connection connection) throws SQLException { + Statement statement = connection.createStatement(); + + // Drop servers table + try { + String dropTable = "DROP TABLE servers"; + statement.executeUpdate(dropTable); + } catch (SQLException e) { + System.out.println("Info - Could not drop servers table"); + } + + // Create the new table + try { + String createTableStatement = "CREATE TABLE servers" + + " (" + "id varchar(10)," + + "hostname varchar(20)," + + "ip varchar(20)," + + "mac varchar(20)," + + "status varchar(20)," + + "description varchar(40)" + + ")"; + statement.executeUpdate(createTableStatement); + + String insertData1 = "INSERT INTO servers VALUES ('1', 'webgoat-dev', '192.168.4.0', 'AA:BB:11:22:CC:DD', 'online', 'Development server')"; + String insertData2 = "INSERT INTO servers VALUES ('2', 'webgoat-tst', '192.168.2.1', 'EE:FF:33:44:AB:CD', 'online', 'Test server')"; + String insertData3 = "INSERT INTO servers VALUES ('3', 'webgoat-acc', '192.168.3.3', 'EF:12:FE:34:AA:CC', 'offline', 'Acceptance server')"; + String insertData4 = "INSERT INTO servers VALUES ('4', 'webgoat-pre-prod', '192.168.6.4', 'EF:12:FE:34:AA:CC', 'offline', 'Pre-production server')"; + String insertData5 = "INSERT INTO servers VALUES ('4', 'webgoat-prd', '104.130.219.202', 'FA:91:EB:82:DC:73', 'out of order', 'Production server')"; + statement.executeUpdate(insertData1); + statement.executeUpdate(insertData2); + statement.executeUpdate(insertData3); + statement.executeUpdate(insertData4); + statement.executeUpdate(insertData5); + } catch (SQLException e) { + System.out.println("Error creating product table " + e.getLocalizedMessage()); + } + } + + + /** + * Description of the Method + * + * @param connection Description of the Parameter + * @throws SQLException Description of the Exception + */ + private void createMessageTable(Connection connection) throws SQLException { + Statement statement = connection.createStatement(); + + // Drop admin user table + try { + String dropTable = "DROP TABLE messages"; + statement.executeUpdate(dropTable); + } catch (SQLException e) { + System.out.println("Info - Could not drop message database"); + } + + // Create the new table + try { + String createTableStatement = "CREATE TABLE messages (" + "num int not null," + "title varchar(50)," + + "message varchar(200)," + "user_name varchar(50) not null, " + "lesson_type varchar(50) not null" + + ")"; + statement.executeUpdate(createTableStatement); + } catch (SQLException e) { + System.out.println("Error creating message database " + e.getLocalizedMessage()); + } + } + + /** + * Description of the Method + * + * @param connection Description of the Parameter + * @throws SQLException Description of the Exception + */ + private void createMFEImagesTable(Connection connection) throws SQLException { + Statement statement = connection.createStatement(); + + // Drop mfe_images table + try { + String dropTable = "DROP TABLE mfe_images"; + statement.executeUpdate(dropTable); + } catch (SQLException e) { + System.out.println("Info - Could not drop mfe_images table from database"); + } + + // Create the new mfe_images table + try { + String createTableStatement = "CREATE TABLE mfe_images (" + + "user_name varchar(50) not null, " + + "image_relative_url varchar(50) not null" + + ")"; + statement.executeUpdate(createTableStatement); + } catch (SQLException e) { + System.out.println("Error creating mfe_images table in database " + e.getLocalizedMessage()); + } } - - /** - * Description of the Method - * - * @param connection - * Description of the Parameter - * - * @exception SQLException - * Description of the Exception - */ - private void createProductTable(Connection connection) throws SQLException - { - Statement statement = connection.createStatement(); - // Drop admin user table - try - { - String dropTable = "DROP TABLE product_system_data"; - statement.executeUpdate(dropTable); - } catch (SQLException e) - { - System.out.println("Info - Could not drop product table"); - } + /** + * Description of the Method + * + * @param connection Description of the Parameter + * @throws SQLException Description of the Exception + */ + private void createProductTable(Connection connection) throws SQLException { + Statement statement = connection.createStatement(); - // Create the new table - try - { - String createTableStatement = "CREATE TABLE product_system_data (" - + "productid varchar(6) not null primary key," + "product_name varchar(20)," + "price varchar(10)" - + ")"; - statement.executeUpdate(createTableStatement); - } catch (SQLException e) - { - System.out.println("Error creating product table " + e.getLocalizedMessage()); - } + // Drop admin user table + try { + String dropTable = "DROP TABLE product_system_data"; + statement.executeUpdate(dropTable); + } catch (SQLException e) { + System.out.println("Info - Could not drop product table"); + } - // Populate - String insertData1 = "INSERT INTO product_system_data VALUES ('32226','Dog Bone','$1.99')"; - String insertData2 = "INSERT INTO product_system_data VALUES ('35632','DVD Player','$214.99')"; - String insertData3 = "INSERT INTO product_system_data VALUES ('24569','60 GB Hard Drive','$149.99')"; - String insertData4 = "INSERT INTO product_system_data VALUES ('56970','80 GB Hard Drive','$179.99')"; - String insertData5 = "INSERT INTO product_system_data VALUES ('14365','56 inch HDTV','$6999.99')"; - statement.executeUpdate(insertData1); - statement.executeUpdate(insertData2); - statement.executeUpdate(insertData3); - statement.executeUpdate(insertData4); - statement.executeUpdate(insertData5); - } + // Create the new table + try { + String createTableStatement = "CREATE TABLE product_system_data (" + + "productid varchar(6) not null primary key," + "product_name varchar(20)," + "price varchar(10)" + + ")"; + statement.executeUpdate(createTableStatement); + } catch (SQLException e) { + System.out.println("Error creating product table " + e.getLocalizedMessage()); + } - /** - * Description of the Method - * - * @param connection - * Description of the Parameter - * - * @exception SQLException - * Description of the Exception - */ - private void createUserAdminTable(Connection connection) throws SQLException - { - Statement statement = connection.createStatement(); - - // Drop admin user table - try - { - String dropTable = "DROP TABLE user_system_data"; - statement.executeUpdate(dropTable); - } catch (SQLException e) - { - System.out.println("Info - Could not drop user admin table"); - } - - // Create the new table - try - { - String createTableStatement = "CREATE TABLE user_system_data (" + "userid varchar(5) not null primary key," - + "user_name varchar(12)," + "password varchar(10)," + "cookie varchar(30)" + ")"; - statement.executeUpdate(createTableStatement); - } catch (SQLException e) - { - System.out.println("Error creating user admin table " + e.getLocalizedMessage()); - } - - // Populate - String insertData1 = "INSERT INTO user_system_data VALUES ('101','jsnow','passwd1', '')"; - String insertData2 = "INSERT INTO user_system_data VALUES ('102','jdoe','passwd2', '')"; - String insertData3 = "INSERT INTO user_system_data VALUES ('103','jplane','passwd3', '')"; - String insertData4 = "INSERT INTO user_system_data VALUES ('104','jeff','jeff', '')"; - String insertData5 = "INSERT INTO user_system_data VALUES ('105','dave','dave', '')"; - statement.executeUpdate(insertData1); - statement.executeUpdate(insertData2); - statement.executeUpdate(insertData3); - statement.executeUpdate(insertData4); - statement.executeUpdate(insertData5); - } - - /** - * Description of the Method - * - * @param connection - * Description of the Parameter - * - * @exception SQLException - * Description of the Exception - */ - private void createUserDataTable(Connection connection) throws SQLException - { - Statement statement = connection.createStatement(); - - // Delete table if there is one - try - { - String dropTable = "DROP TABLE user_data"; - statement.executeUpdate(dropTable); - } catch (SQLException e) - { - System.out.println("Info - Could not drop user table"); - } - - // Create the new table - try - { - String createTableStatement = "CREATE TABLE user_data (" + "userid int not null," - + "first_name varchar(20)," + "last_name varchar(20)," + "cc_number varchar(30)," - + "cc_type varchar(10)," + "cookie varchar(20)," + "login_count int" + ")"; - statement.executeUpdate(createTableStatement); - } catch (SQLException e) - { - System.out.println("Error creating user table " + e.getLocalizedMessage()); - } - - // Populate it - String insertData1 = "INSERT INTO user_data VALUES (101,'Joe','Snow','987654321','VISA',' ',0)"; - String insertData2 = "INSERT INTO user_data VALUES (101,'Joe','Snow','2234200065411','MC',' ',0)"; - String insertData3 = "INSERT INTO user_data VALUES (102,'John','Smith','2435600002222','MC',' ',0)"; - String insertData4 = "INSERT INTO user_data VALUES (102,'John','Smith','4352209902222','AMEX',' ',0)"; - String insertData5 = "INSERT INTO user_data VALUES (103,'Jane','Plane','123456789','MC',' ',0)"; - String insertData6 = "INSERT INTO user_data VALUES (103,'Jane','Plane','333498703333','AMEX',' ',0)"; - String insertData7 = "INSERT INTO user_data VALUES (10312,'Jolly','Hershey','176896789','MC',' ',0)"; - String insertData8 = "INSERT INTO user_data VALUES (10312,'Jolly','Hershey','333300003333','AMEX',' ',0)"; - String insertData9 = "INSERT INTO user_data VALUES (10323,'Grumpy','youaretheweakestlink','673834489','MC',' ',0)"; - String insertData10 = "INSERT INTO user_data VALUES (10323,'Grumpy','youaretheweakestlink','33413003333','AMEX',' ',0)"; - String insertData11 = "INSERT INTO user_data VALUES (15603,'Peter','Sand','123609789','MC',' ',0)"; - String insertData12 = "INSERT INTO user_data VALUES (15603,'Peter','Sand','338893453333','AMEX',' ',0)"; - String insertData13 = "INSERT INTO user_data VALUES (15613,'Joesph','Something','33843453533','AMEX',' ',0)"; - statement.executeUpdate(insertData1); - statement.executeUpdate(insertData2); - statement.executeUpdate(insertData3); - statement.executeUpdate(insertData4); - statement.executeUpdate(insertData5); - statement.executeUpdate(insertData6); - statement.executeUpdate(insertData7); - statement.executeUpdate(insertData8); - statement.executeUpdate(insertData9); - statement.executeUpdate(insertData10); - statement.executeUpdate(insertData11); - statement.executeUpdate(insertData12); - statement.executeUpdate(insertData13); - - } - - private void createLoginTable(Connection connection) throws SQLException - { - Statement statement = connection.createStatement(); - - // Delete table if there is one - try - { - String dropTable = "DROP TABLE user_login"; - statement.executeUpdate(dropTable); - } catch (SQLException e) - { - System.out.println("Info - Could not drop user_login table"); - } - - // Create the new table - try - { - String createTableStatement = "CREATE TABLE user_login (" + "userid varchar(5)," - + "webgoat_user varchar(20)" + ")"; - statement.executeUpdate(createTableStatement); - } catch (SQLException e) - { - System.out.println("Error creating user_login table " + e.getLocalizedMessage()); - } - - } - - // creates the table pins which is used in the blind sql injection lesson - private void createBlindSQLLessonTable(Connection connection) throws SQLException - { - Statement statement = connection.createStatement(); - - // Delete table if there is one - try - { - String dropTable = "DROP TABLE pins"; - statement.executeUpdate(dropTable); - } - catch (SQLException e) - { - System.out.println("Info - Could not drop pins table"); - } - - // Create the new table - try - { - String createTableStatement = "CREATE TABLE pins (" - + "cc_number varchar(30)," - + "pin int," - + "name varchar(20)" - + ")"; - statement.executeUpdate(createTableStatement); - } - catch (SQLException e) - { - System.out.println("Error creating pins table " + e.getLocalizedMessage()); - } - - // Populate it - String insertData1 = "INSERT INTO pins VALUES ('987654321098765', 1234, 'Joe')"; - String insertData2 = "INSERT INTO pins VALUES ('1234567890123456', 4567, 'Jack')"; - String insertData3 = "INSERT INTO pins VALUES ('4321432143214321', 4321, 'Jill')"; - String insertData4 = "INSERT INTO pins VALUES ('1111111111111111', 7777, 'Jim')"; - String insertData5 = "INSERT INTO pins VALUES ('1111222233334444', 2364, 'John')"; - - statement.executeUpdate(insertData1); - statement.executeUpdate(insertData2); - statement.executeUpdate(insertData3); - statement.executeUpdate(insertData4); - statement.executeUpdate(insertData5); - + // Populate + String insertData1 = "INSERT INTO product_system_data VALUES ('32226','Dog Bone','$1.99')"; + String insertData2 = "INSERT INTO product_system_data VALUES ('35632','DVD Player','$214.99')"; + String insertData3 = "INSERT INTO product_system_data VALUES ('24569','60 GB Hard Drive','$149.99')"; + String insertData4 = "INSERT INTO product_system_data VALUES ('56970','80 GB Hard Drive','$179.99')"; + String insertData5 = "INSERT INTO product_system_data VALUES ('14365','56 inch HDTV','$6999.99')"; + statement.executeUpdate(insertData1); + statement.executeUpdate(insertData2); + statement.executeUpdate(insertData3); + statement.executeUpdate(insertData4); + statement.executeUpdate(insertData5); } - - // creates the table salaries which is used in the lessons - // which add or modify data using sql injection - private void createModifyWithSQLLessonTable(Connection connection) throws SQLException - { - Statement statement = connection.createStatement(); - - // Delete table if there is one - try - { - String dropTable = "DROP TABLE salaries"; - statement.executeUpdate(dropTable); - } - catch (SQLException e) - { - System.out.println("Info - Could not drop salaries table"); - } - - // Create the new table - try - { - String createTableStatement = "CREATE TABLE salaries (" - + "userid varchar(50)," - + "salary int" - + ")"; - statement.executeUpdate(createTableStatement); - } - catch (SQLException e) - { - System.out.println("Error creating salaries table " + e.getLocalizedMessage()); - } - - // Populate it - String insertData1 = "INSERT INTO salaries VALUES ('jsmith', 20000)"; - String insertData2 = "INSERT INTO salaries VALUES ('lsmith', 45000)"; - String insertData3 = "INSERT INTO salaries VALUES ('wgoat', 100000)"; - String insertData4 = "INSERT INTO salaries VALUES ('rjones', 777777)"; - String insertData5 = "INSERT INTO salaries VALUES ('manderson', 65000)"; - - statement.executeUpdate(insertData1); - statement.executeUpdate(insertData2); - statement.executeUpdate(insertData3); - statement.executeUpdate(insertData4); - statement.executeUpdate(insertData5); - + + /** + * Description of the Method + * + * @param connection Description of the Parameter + * @throws SQLException Description of the Exception + */ + private void createUserAdminTable(Connection connection) throws SQLException { + Statement statement = connection.createStatement(); + + // Drop admin user table + try { + String dropTable = "DROP TABLE user_system_data"; + statement.executeUpdate(dropTable); + } catch (SQLException e) { + System.out.println("Info - Could not drop user admin table"); + } + + // Create the new table + try { + String createTableStatement = "CREATE TABLE user_system_data (" + "userid varchar(5) not null primary key," + + "user_name varchar(12)," + "password varchar(10)," + "cookie varchar(30)" + ")"; + statement.executeUpdate(createTableStatement); + } catch (SQLException e) { + System.out.println("Error creating user admin table " + e.getLocalizedMessage()); + } + + // Populate + String insertData1 = "INSERT INTO user_system_data VALUES ('101','jsnow','passwd1', '')"; + String insertData2 = "INSERT INTO user_system_data VALUES ('102','jdoe','passwd2', '')"; + String insertData3 = "INSERT INTO user_system_data VALUES ('103','jplane','passwd3', '')"; + String insertData4 = "INSERT INTO user_system_data VALUES ('104','jeff','jeff', '')"; + String insertData5 = "INSERT INTO user_system_data VALUES ('105','dave','dave', '')"; + statement.executeUpdate(insertData1); + statement.executeUpdate(insertData2); + statement.executeUpdate(insertData3); + statement.executeUpdate(insertData4); + statement.executeUpdate(insertData5); } - - /** - * Description of the Method - * - * @param connection - * Description of the Parameter - * - * @exception SQLException - * Description of the Exception - */ - private void createWeatherDataTable(Connection connection) throws SQLException - { - Statement statement = connection.createStatement(); - // Delete table if there is one - try - { - String dropTable = "DROP TABLE weather_data"; - statement.executeUpdate(dropTable); - } catch (SQLException e) - { - System.out.println("Info - Could not drop weather table"); - } + /** + * Description of the Method + * + * @param connection Description of the Parameter + * @throws SQLException Description of the Exception + */ + private void createUserDataTable(Connection connection) throws SQLException { + Statement statement = connection.createStatement(); - // Create the new table - try - { - String createTableStatement = "CREATE TABLE weather_data (" + "station int not null," - + "name varchar(20) not null," + "state char(2) not null," + "min_temp int not null," - + "max_temp int not null" + ")"; - statement.executeUpdate(createTableStatement); - } catch (SQLException e) - { - System.out.println("Error creating weather table " + e.getLocalizedMessage()); - } + // Delete table if there is one + try { + String dropTable = "DROP TABLE user_data"; + statement.executeUpdate(dropTable); + } catch (SQLException e) { + System.out.println("Info - Could not drop user table"); + } - // Populate it - String insertData1 = "INSERT INTO weather_data VALUES (101,'Columbia','MD',-10,102)"; - String insertData2 = "INSERT INTO weather_data VALUES (102,'Seattle','WA',-15,90)"; - String insertData3 = "INSERT INTO weather_data VALUES (103,'New York','NY',-10,110)"; - String insertData4 = "INSERT INTO weather_data VALUES (104,'Houston','TX',20,120)"; - String insertData5 = "INSERT INTO weather_data VALUES (10001,'Camp David','MD',-10,100)"; - String insertData6 = "INSERT INTO weather_data VALUES (11001,'Ice Station Zebra','NA',-60,30)"; - statement.executeUpdate(insertData1); - statement.executeUpdate(insertData2); - statement.executeUpdate(insertData3); - statement.executeUpdate(insertData4); - statement.executeUpdate(insertData5); - statement.executeUpdate(insertData6); - } + // Create the new table + try { + String createTableStatement = "CREATE TABLE user_data (" + "userid int not null," + + "first_name varchar(20)," + "last_name varchar(20)," + "cc_number varchar(30)," + + "cc_type varchar(10)," + "cookie varchar(20)," + "login_count int" + ")"; + statement.executeUpdate(createTableStatement); + } catch (SQLException e) { + System.out.println("Error creating user table " + e.getLocalizedMessage()); + } - /** - * Create users with tans - * - * @param connection - * @throws SQLException - */ - private void createTanUserDataTable(Connection connection) throws SQLException - { - Statement statement = connection.createStatement(); + // Populate it + String insertData1 = "INSERT INTO user_data VALUES (101,'Joe','Snow','987654321','VISA',' ',0)"; + String insertData2 = "INSERT INTO user_data VALUES (101,'Joe','Snow','2234200065411','MC',' ',0)"; + String insertData3 = "INSERT INTO user_data VALUES (102,'John','Smith','2435600002222','MC',' ',0)"; + String insertData4 = "INSERT INTO user_data VALUES (102,'John','Smith','4352209902222','AMEX',' ',0)"; + String insertData5 = "INSERT INTO user_data VALUES (103,'Jane','Plane','123456789','MC',' ',0)"; + String insertData6 = "INSERT INTO user_data VALUES (103,'Jane','Plane','333498703333','AMEX',' ',0)"; + String insertData7 = "INSERT INTO user_data VALUES (10312,'Jolly','Hershey','176896789','MC',' ',0)"; + String insertData8 = "INSERT INTO user_data VALUES (10312,'Jolly','Hershey','333300003333','AMEX',' ',0)"; + String insertData9 = "INSERT INTO user_data VALUES (10323,'Grumpy','youaretheweakestlink','673834489','MC',' ',0)"; + String insertData10 = "INSERT INTO user_data VALUES (10323,'Grumpy','youaretheweakestlink','33413003333','AMEX',' ',0)"; + String insertData11 = "INSERT INTO user_data VALUES (15603,'Peter','Sand','123609789','MC',' ',0)"; + String insertData12 = "INSERT INTO user_data VALUES (15603,'Peter','Sand','338893453333','AMEX',' ',0)"; + String insertData13 = "INSERT INTO user_data VALUES (15613,'Joesph','Something','33843453533','AMEX',' ',0)"; + statement.executeUpdate(insertData1); + statement.executeUpdate(insertData2); + statement.executeUpdate(insertData3); + statement.executeUpdate(insertData4); + statement.executeUpdate(insertData5); + statement.executeUpdate(insertData6); + statement.executeUpdate(insertData7); + statement.executeUpdate(insertData8); + statement.executeUpdate(insertData9); + statement.executeUpdate(insertData10); + statement.executeUpdate(insertData11); + statement.executeUpdate(insertData12); + statement.executeUpdate(insertData13); - // Delete table if there is one - try - { - String dropTable = "DROP TABLE user_data_tan"; - statement.executeUpdate(dropTable); - } catch (SQLException e) - { - System.out.println("Info - Could not drop user_data_tan table"); - } + } - // Create the new table - try - { - String createTableStatement = "CREATE TABLE user_data_tan (" + "userid int not null," - + "first_name varchar(20)," + "last_name varchar(20)," + "cc_number varchar(30)," - + "cc_type varchar(10)," + "cookie varchar(20)," + "login_count int," + "password varchar(20)" - + ")"; - statement.executeUpdate(createTableStatement); - } catch (SQLException e) - { - System.out.println("Error creating user_data_tan table " + e.getLocalizedMessage()); - } + private void createLoginTable(Connection connection) throws SQLException { + Statement statement = connection.createStatement(); - // Populate it - String insertData1 = "INSERT INTO user_data_tan VALUES (101,'Joe','Snow','987654321','VISA',' ',0, 'banana')"; - String insertData2 = "INSERT INTO user_data_tan VALUES (102,'Jane','Plane','74589864','MC',' ',0, 'tarzan')"; - String insertData3 = "INSERT INTO user_data_tan VALUES (103,'Jack','Sparrow','68659365','MC',' ',0, 'sniffy')"; + // Delete table if there is one + try { + String dropTable = "DROP TABLE user_login"; + statement.executeUpdate(dropTable); + } catch (SQLException e) { + System.out.println("Info - Could not drop user_login table"); + } - statement.executeUpdate(insertData1); - statement.executeUpdate(insertData2); - statement.executeUpdate(insertData3); - } + // Create the new table + try { + String createTableStatement = "CREATE TABLE user_login (" + "userid varchar(5)," + + "webgoat_user varchar(20)" + ")"; + statement.executeUpdate(createTableStatement); + } catch (SQLException e) { + System.out.println("Error creating user_login table " + e.getLocalizedMessage()); + } - /** - * Create the Table for the tans - * - * @param connection - * @throws SQLException - */ - private void createTanTable(Connection connection) throws SQLException - { - Statement statement = connection.createStatement(); + } - // Delete table if there is one - try - { - String dropTable = "DROP TABLE tan"; - statement.executeUpdate(dropTable); - } catch (SQLException e) - { - System.out.println("Info - Could not drop tan table"); - } + // creates the table pins which is used in the blind sql injection lesson + private void createBlindSQLLessonTable(Connection connection) throws SQLException { + Statement statement = connection.createStatement(); - // Create the new table - try - { - String createTableStatement = "CREATE TABLE tan (" + "userid int not null," + "tanNr int," + "tanValue int" - + ")"; - statement.executeUpdate(createTableStatement); - } catch (SQLException e) - { - System.out.println("Error creating tan table " + e.getLocalizedMessage()); - } + // Delete table if there is one + try { + String dropTable = "DROP TABLE pins"; + statement.executeUpdate(dropTable); + } catch (SQLException e) { + System.out.println("Info - Could not drop pins table"); + } - // Populate it - String insertData1 = "INSERT INTO tan VALUES (101,1,15161)"; - String insertData2 = "INSERT INTO tan VALUES (101,2,4894)"; - String insertData3 = "INSERT INTO tan VALUES (101,3,18794)"; - String insertData4 = "INSERT INTO tan VALUES (101,4,1564)"; - String insertData5 = "INSERT INTO tan VALUES (101,5,45751)"; + // Create the new table + try { + String createTableStatement = "CREATE TABLE pins (" + + "cc_number varchar(30)," + + "pin int," + + "name varchar(20)" + + ")"; + statement.executeUpdate(createTableStatement); + } catch (SQLException e) { + System.out.println("Error creating pins table " + e.getLocalizedMessage()); + } - String insertData6 = "INSERT INTO tan VALUES (102,1,15648)"; - String insertData7 = "INSERT INTO tan VALUES (102,2,92156)"; - String insertData8 = "INSERT INTO tan VALUES (102,3,4879)"; - String insertData9 = "INSERT INTO tan VALUES (102,4,9458)"; - String insertData10 = "INSERT INTO tan VALUES (102,5,4879)"; + // Populate it + String insertData1 = "INSERT INTO pins VALUES ('987654321098765', 1234, 'Joe')"; + String insertData2 = "INSERT INTO pins VALUES ('1234567890123456', 4567, 'Jack')"; + String insertData3 = "INSERT INTO pins VALUES ('4321432143214321', 4321, 'Jill')"; + String insertData4 = "INSERT INTO pins VALUES ('1111111111111111', 7777, 'Jim')"; + String insertData5 = "INSERT INTO pins VALUES ('1111222233334444', 2364, 'John')"; - statement.executeUpdate(insertData1); - statement.executeUpdate(insertData2); - statement.executeUpdate(insertData3); - statement.executeUpdate(insertData4); - statement.executeUpdate(insertData5); - statement.executeUpdate(insertData6); - statement.executeUpdate(insertData7); - statement.executeUpdate(insertData8); - statement.executeUpdate(insertData9); - statement.executeUpdate(insertData10); + statement.executeUpdate(insertData1); + statement.executeUpdate(insertData2); + statement.executeUpdate(insertData3); + statement.executeUpdate(insertData4); + statement.executeUpdate(insertData5); - } + } - // -------------------------------------------------------------------------- - // -------------------------------------------------------------------------- - // - // The tables below are for WebGoat Financials - // - // DO NOT MODIFY THESE TABLES - unless you change the org chart - // and access control matrix documents - // - // -------------------------------------------------------------------------- - // -------------------------------------------------------------------------- + // creates the table salaries which is used in the lessons + // which add or modify data using sql injection + private void createModifyWithSQLLessonTable(Connection connection) throws SQLException { + Statement statement = connection.createStatement(); - private void createEmployeeTable(Connection connection) throws SQLException - { - Statement statement = connection.createStatement(); + // Delete table if there is one + try { + String dropTable = "DROP TABLE salaries"; + statement.executeUpdate(dropTable); + } catch (SQLException e) { + System.out.println("Info - Could not drop salaries table"); + } - try - { - String dropTable = "DROP TABLE employee"; - statement.executeUpdate(dropTable); - } catch (SQLException e) - { - System.out.println("Info - Could not drop employee table"); - } + // Create the new table + try { + String createTableStatement = "CREATE TABLE salaries (" + + "userid varchar(50)," + + "salary int" + + ")"; + statement.executeUpdate(createTableStatement); + } catch (SQLException e) { + System.out.println("Error creating salaries table " + e.getLocalizedMessage()); + } - // Create Table - try - { - String createTable = "CREATE TABLE employee (" - // + "userid INT GENERATED ALWAYS AS IDENTITY PRIMARY KEY," - + "userid INT NOT NULL PRIMARY KEY," + "first_name VARCHAR(20)," + "last_name VARCHAR(20)," - + "ssn VARCHAR(12)," + "password VARCHAR(10)," + "title VARCHAR(20)," + "phone VARCHAR(13)," - + "address1 VARCHAR(80)," + "address2 VARCHAR(80)," + "manager INT," + "start_date CHAR(8)," - + "salary INT," + "ccn VARCHAR(30)," + "ccn_limit INT," + "email VARCHAR(30)," // reason - // for the recent write-up - + "disciplined_date CHAR(8)," // date of write up, NA otherwise - + "disciplined_notes VARCHAR(60)," // reason for the recent write-up - + "personal_description VARCHAR(60)" // We can be rude here - // + ",CONSTRAINT fl UNIQUE NONCLUSTERED (first_name, last_name)" - + ")"; + // Populate it + String insertData1 = "INSERT INTO salaries VALUES ('jsmith', 20000)"; + String insertData2 = "INSERT INTO salaries VALUES ('lsmith', 45000)"; + String insertData3 = "INSERT INTO salaries VALUES ('wgoat', 100000)"; + String insertData4 = "INSERT INTO salaries VALUES ('rjones', 777777)"; + String insertData5 = "INSERT INTO salaries VALUES ('manderson', 65000)"; - statement.executeUpdate(createTable); - } catch (SQLException e) - { - System.out.println("Error: unable to create employee table " + e.getLocalizedMessage()); - } + statement.executeUpdate(insertData1); + statement.executeUpdate(insertData2); + statement.executeUpdate(insertData3); + statement.executeUpdate(insertData4); + statement.executeUpdate(insertData5); - String insertData1 = "INSERT INTO employee VALUES (101, 'Larry', 'Stooge', '386-09-5451', 'larry'," - + "'Technician','443-689-0192','9175 Guilford Rd','New York, NY', 102, 01012000,55000,'2578546969853547'," - + "5000,'larry@stooges.com',010106,'Constantly harassing coworkers','Does not work well with others')"; + } - String insertData2 = "INSERT INTO employee VALUES (102, 'Moe', 'Stooge', '936-18-4524','moe'," - + "'CSO','443-938-5301', '3013 AMD Ave', 'New York, NY', 112, 03082003, 140000, 'NA', 0, 'moe@stooges.com', 0101013, " - + "'Hit Curly over head', 'Very dominating over Larry and Curly')"; + /** + * Description of the Method + * + * @param connection Description of the Parameter + * @throws SQLException Description of the Exception + */ + private void createWeatherDataTable(Connection connection) throws SQLException { + Statement statement = connection.createStatement(); - String insertData3 = "INSERT INTO employee VALUES (103, 'Curly', 'Stooge', '961-08-0047','curly'," - + "'Technician','410-667-6654', '1112 Crusoe Lane', 'New York, NY', 102, 02122001, 50000, 'NA', 0, 'curly@stooges.com', 0101014, " - + "'Hit Moe back', 'Owes three-thousand to company for fradulent purchases')"; + // Delete table if there is one + try { + String dropTable = "DROP TABLE weather_data"; + statement.executeUpdate(dropTable); + } catch (SQLException e) { + System.out.println("Info - Could not drop weather table"); + } - String insertData4 = "INSERT INTO employee VALUES (104, 'Eric', 'Walker', '445-66-5565','eric'," - + "'Engineer','410-887-1193', '1160 Prescott Rd', 'New York, NY', 107, 12152005, 13000, 'NA', 0, 'eric@modelsrus.com',0101013, " - + "'Bothering Larry about webgoat problems', 'Late. Always needs help. Too intern-ish.')"; + // Create the new table + try { + String createTableStatement = "CREATE TABLE weather_data (" + "station int not null," + + "name varchar(20) not null," + "state char(2) not null," + "min_temp int not null," + + "max_temp int not null" + ")"; + statement.executeUpdate(createTableStatement); + } catch (SQLException e) { + System.out.println("Error creating weather table " + e.getLocalizedMessage()); + } - String insertData5 = "INSERT INTO employee VALUES (105, 'Tom', 'Cat', '792-14-6364','tom'," - + "'Engineer','443-599-0762', '2211 HyperThread Rd.', 'New York, NY', 106, 01011999, 80000, '5481360857968521', 30000, 'tom@wb.com', 0, " - + "'NA', 'Co-Owner.')"; + // Populate it + String insertData1 = "INSERT INTO weather_data VALUES (101,'Columbia','MD',-10,102)"; + String insertData2 = "INSERT INTO weather_data VALUES (102,'Seattle','WA',-15,90)"; + String insertData3 = "INSERT INTO weather_data VALUES (103,'New York','NY',-10,110)"; + String insertData4 = "INSERT INTO weather_data VALUES (104,'Houston','TX',20,120)"; + String insertData5 = "INSERT INTO weather_data VALUES (10001,'Camp David','MD',-10,100)"; + String insertData6 = "INSERT INTO weather_data VALUES (11001,'Ice Station Zebra','NA',-60,30)"; + statement.executeUpdate(insertData1); + statement.executeUpdate(insertData2); + statement.executeUpdate(insertData3); + statement.executeUpdate(insertData4); + statement.executeUpdate(insertData5); + statement.executeUpdate(insertData6); + } - String insertData6 = "INSERT INTO employee VALUES (106, 'Jerry', 'Mouse', '858-55-4452','jerry'," - + "'Human Resources','443-699-3366', '3011 Unix Drive', 'New York, NY', 102, 01011999, 70000, '6981754825013564', 20000, 'jerry@wb.com', 0, " - + "'NA', 'Co-Owner.')"; + /** + * Create users with tans + * + * @param connection + * @throws SQLException + */ + private void createTanUserDataTable(Connection connection) throws SQLException { + Statement statement = connection.createStatement(); - String insertData7 = "INSERT INTO employee VALUES (107, 'David', 'Giambi', '439-20-9405','david'," - + "'Human Resources','610-521-8413', '5132 DIMM Avenue', 'New York, NY', 102, 05011999, 100000, '6981754825018101', 10000, 'david@modelsrus.com', 061402, " - + "'Hacked into accounting server. Modified personal pay.', 'Strong work habbit. Questionable ethics.')"; + // Delete table if there is one + try { + String dropTable = "DROP TABLE user_data_tan"; + statement.executeUpdate(dropTable); + } catch (SQLException e) { + System.out.println("Info - Could not drop user_data_tan table"); + } - String insertData8 = "INSERT INTO employee VALUES (108, 'Bruce', 'McGuirre', '707-95-9482','bruce'," - + "'Engineer','610-282-1103', '8899 FreeBSD Drive ', 'New York, NY', 107, 03012000, 110000, '6981754825854136', 30000, 'bruce@modelsrus.com', 061502, " - + "'Tortuous Boot Camp workout at 5am. Employees felt sick.', 'Enjoys watching others struggle in exercises.')"; + // Create the new table + try { + String createTableStatement = "CREATE TABLE user_data_tan (" + "userid int not null," + + "first_name varchar(20)," + "last_name varchar(20)," + "cc_number varchar(30)," + + "cc_type varchar(10)," + "cookie varchar(20)," + "login_count int," + "password varchar(20)" + + ")"; + statement.executeUpdate(createTableStatement); + } catch (SQLException e) { + System.out.println("Error creating user_data_tan table " + e.getLocalizedMessage()); + } - String insertData9 = "INSERT INTO employee VALUES (109, 'Sean', 'Livingston', '136-55-1046','sean'," - + "'Engineer','610-878-9549', '6422 dFlyBSD Road', 'New York, NY', 107, 06012003, 130000, '6981754825014510', 5000, 'sean@modelsrus.com', 072804, " - + "'Late to work 30 days in row due to excessive Halo 2', 'Has some fascination with Steelers. Go Ravens.')"; + // Populate it + String insertData1 = "INSERT INTO user_data_tan VALUES (101,'Joe','Snow','987654321','VISA',' ',0, 'banana')"; + String insertData2 = "INSERT INTO user_data_tan VALUES (102,'Jane','Plane','74589864','MC',' ',0, 'tarzan')"; + String insertData3 = "INSERT INTO user_data_tan VALUES (103,'Jack','Sparrow','68659365','MC',' ',0, 'sniffy')"; - String insertData10 = "INSERT INTO employee VALUES (110, 'Joanne', 'McDougal', '789-54-2413','joanne'," - + "'Human Resources','610-213-6341', '5567 Broadband Lane', 'New York, NY', 106, 01012001, 90000, '6981754825081054', 300, 'joanne@modelsrus.com', 112005, " - + "'Used company cc to purchase new car. Limit adjusted.', 'Finds it necessary to leave early every day.')"; + statement.executeUpdate(insertData1); + statement.executeUpdate(insertData2); + statement.executeUpdate(insertData3); + } - String insertData11 = "INSERT INTO employee VALUES (111, 'John', 'Wayne', '129-69-4572', 'john'," - + "'CTO','610-213-1134', '129 Third St', 'New York, NY', 112, 01012001, 200000, '4437334565679921', 300, 'john@guns.com', 112005, " - + "'', '')"; - String insertData12 = "INSERT INTO employee VALUES (112, 'Neville', 'Bartholomew', '111-111-1111', 'socks'," - + "'CEO','408-587-0024', '1 Corporate Headquarters', 'San Jose, CA', 112, 03012000, 450000, '4803389267684109', 300000, 'neville@modelsrus.com', 112005, " - + "'', '')"; + /** + * Create the Table for the tans + * + * @param connection + * @throws SQLException + */ + private void createTanTable(Connection connection) throws SQLException { + Statement statement = connection.createStatement(); - statement.executeUpdate(insertData1); - statement.executeUpdate(insertData2); - statement.executeUpdate(insertData3); - statement.executeUpdate(insertData4); - statement.executeUpdate(insertData5); - statement.executeUpdate(insertData6); - statement.executeUpdate(insertData7); - statement.executeUpdate(insertData8); - statement.executeUpdate(insertData9); - statement.executeUpdate(insertData10); - statement.executeUpdate(insertData11); - statement.executeUpdate(insertData12); + // Delete table if there is one + try { + String dropTable = "DROP TABLE tan"; + statement.executeUpdate(dropTable); + } catch (SQLException e) { + System.out.println("Info - Could not drop tan table"); + } - } + // Create the new table + try { + String createTableStatement = "CREATE TABLE tan (" + "userid int not null," + "tanNr int," + "tanValue int" + + ")"; + statement.executeUpdate(createTableStatement); + } catch (SQLException e) { + System.out.println("Error creating tan table " + e.getLocalizedMessage()); + } - private void createRolesTable(Connection connection) throws SQLException - { - Statement statement = connection.createStatement(); + // Populate it + String insertData1 = "INSERT INTO tan VALUES (101,1,15161)"; + String insertData2 = "INSERT INTO tan VALUES (101,2,4894)"; + String insertData3 = "INSERT INTO tan VALUES (101,3,18794)"; + String insertData4 = "INSERT INTO tan VALUES (101,4,1564)"; + String insertData5 = "INSERT INTO tan VALUES (101,5,45751)"; - try - { - String dropTable = "DROP TABLE roles"; - statement.executeUpdate(dropTable); - } catch (SQLException e) - { - System.out.println("Info - Could not drop roles table"); - } + String insertData6 = "INSERT INTO tan VALUES (102,1,15648)"; + String insertData7 = "INSERT INTO tan VALUES (102,2,92156)"; + String insertData8 = "INSERT INTO tan VALUES (102,3,4879)"; + String insertData9 = "INSERT INTO tan VALUES (102,4,9458)"; + String insertData10 = "INSERT INTO tan VALUES (102,5,4879)"; - try - { - String createTable = "CREATE TABLE roles (" + "userid INT NOT NULL," + "role VARCHAR(10) NOT NULL," - + "PRIMARY KEY (userid, role)" + ")"; + statement.executeUpdate(insertData1); + statement.executeUpdate(insertData2); + statement.executeUpdate(insertData3); + statement.executeUpdate(insertData4); + statement.executeUpdate(insertData5); + statement.executeUpdate(insertData6); + statement.executeUpdate(insertData7); + statement.executeUpdate(insertData8); + statement.executeUpdate(insertData9); + statement.executeUpdate(insertData10); - statement.executeUpdate(createTable); - } catch (SQLException e) - { - System.out.println("Error: Unable to create role table: " + e.getLocalizedMessage()); - } + } - String insertData1 = "INSERT INTO roles VALUES (101, 'employee')"; - String insertData2 = "INSERT INTO roles VALUES (102, 'manager')"; - String insertData3 = "INSERT INTO roles VALUES (103, 'employee')"; - String insertData4 = "INSERT INTO roles VALUES (104, 'employee')"; - String insertData5 = "INSERT INTO roles VALUES (105, 'employee')"; - String insertData6 = "INSERT INTO roles VALUES (106, 'hr')"; - String insertData7 = "INSERT INTO roles VALUES (107, 'manager')"; - String insertData8 = "INSERT INTO roles VALUES (108, 'employee')"; - String insertData9 = "INSERT INTO roles VALUES (109, 'employee')"; - String insertData10 = "INSERT INTO roles VALUES (110, 'hr')"; - String insertData11 = "INSERT INTO roles VALUES (111, 'admin')"; - String insertData12 = "INSERT INTO roles VALUES (112, 'admin')"; + // -------------------------------------------------------------------------- + // -------------------------------------------------------------------------- + // + // The tables below are for WebGoat Financials + // + // DO NOT MODIFY THESE TABLES - unless you change the org chart + // and access control matrix documents + // + // -------------------------------------------------------------------------- + // -------------------------------------------------------------------------- - statement.executeUpdate(insertData1); - statement.executeUpdate(insertData2); - statement.executeUpdate(insertData3); - statement.executeUpdate(insertData4); - statement.executeUpdate(insertData5); - statement.executeUpdate(insertData6); - statement.executeUpdate(insertData7); - statement.executeUpdate(insertData8); - statement.executeUpdate(insertData9); - statement.executeUpdate(insertData10); - statement.executeUpdate(insertData11); - statement.executeUpdate(insertData12); - } + private void createEmployeeTable(Connection connection) throws SQLException { + Statement statement = connection.createStatement(); - private void createAuthTable(Connection connection) throws SQLException - { - Statement statement = connection.createStatement(); + try { + String dropTable = "DROP TABLE employee"; + statement.executeUpdate(dropTable); + } catch (SQLException e) { + System.out.println("Info - Could not drop employee table"); + } - try - { - String dropTable = "DROP TABLE auth"; - statement.executeUpdate(dropTable); - } catch (SQLException e) - { - System.out.println("Info - Could not drop auth table"); - } + // Create Table + try { + String createTable = "CREATE TABLE employee (" + // + "userid INT GENERATED ALWAYS AS IDENTITY PRIMARY KEY," + + "userid INT NOT NULL PRIMARY KEY," + "first_name VARCHAR(20)," + "last_name VARCHAR(20)," + + "ssn VARCHAR(12)," + "password VARCHAR(10)," + "title VARCHAR(20)," + "phone VARCHAR(13)," + + "address1 VARCHAR(80)," + "address2 VARCHAR(80)," + "manager INT," + "start_date CHAR(8)," + + "salary INT," + "ccn VARCHAR(30)," + "ccn_limit INT," + "email VARCHAR(30)," // reason + // for the recent write-up + + "disciplined_date CHAR(8)," // date of write up, NA otherwise + + "disciplined_notes VARCHAR(60)," // reason for the recent write-up + + "personal_description VARCHAR(60)" // We can be rude here + // + ",CONSTRAINT fl UNIQUE NONCLUSTERED (first_name, last_name)" + + ")"; - try - { - String createTable = "CREATE TABLE auth (" + "role VARCHAR(10) NOT NULL," - + "functionid VARCHAR(20) NOT NULL," + "PRIMARY KEY (role, functionid)" + ")"; + statement.executeUpdate(createTable); + } catch (SQLException e) { + System.out.println("Error: unable to create employee table " + e.getLocalizedMessage()); + } - statement.executeUpdate(createTable); - } catch (SQLException e) - { - System.out.println("Error: unable to create auth table: " + e.getLocalizedMessage()); - } + String insertData1 = "INSERT INTO employee VALUES (101, 'Larry', 'Stooge', '386-09-5451', 'larry'," + + "'Technician','443-689-0192','9175 Guilford Rd','New York, NY', 102, 01012000,55000,'2578546969853547'," + + "5000,'larry@stooges.com',010106,'Constantly harassing coworkers','Does not work well with others')"; - String insertData1 = "INSERT INTO auth VALUES('employee', 'Logout')"; - String insertData2 = "INSERT INTO auth VALUES('employee', 'ListStaff')"; - String insertData3 = "INSERT INTO auth VALUES('employee', 'ViewProfile')"; - String insertData4 = "INSERT INTO auth VALUES('employee', 'EditProfile')"; - String insertData4_1 = "INSERT INTO auth VALUES('employee', 'SearchStaff')"; - String insertData4_2 = "INSERT INTO auth VALUES('employee', 'FindProfile')"; - String insertData5 = "INSERT INTO auth VALUES('manager', 'Logout')"; - String insertData6 = "INSERT INTO auth VALUES('manager', 'ListStaff')"; - String insertData7 = "INSERT INTO auth VALUES('manager', 'ViewProfile')"; - String insertData7_1 = "INSERT INTO auth VALUES('manager', 'SearchStaff')"; - String insertData7_2 = "INSERT INTO auth VALUES('manager', 'FindProfile')"; - // String insertData8 = "INSERT INTO auth VALUES('manager', 'EditProfile')"; - // String insertData9 = "INSERT INTO auth VALUES('manager', 'CreateProfile')"; - // String insertData10 = "INSERT INTO auth VALUES('manager', 'DeleteProfile')"; - // String insertData11 = "INSERT INTO auth VALUES('manager', 'UpdateProfile')"; - String insertData12 = "INSERT INTO auth VALUES('hr', 'Logout')"; - String insertData13 = "INSERT INTO auth VALUES('hr', 'ListStaff')"; - String insertData14 = "INSERT INTO auth VALUES('hr', 'ViewProfile')"; - String insertData15 = "INSERT INTO auth VALUES('hr', 'EditProfile')"; - String insertData16 = "INSERT INTO auth VALUES('hr', 'CreateProfile')"; - String insertData17 = "INSERT INTO auth VALUES('hr', 'DeleteProfile')"; - String insertData18 = "INSERT INTO auth VALUES('hr', 'UpdateProfile')"; - String insertData18_1 = "INSERT INTO auth VALUES('hr', 'SearchStaff')"; - String insertData18_2 = "INSERT INTO auth VALUES('hr', 'FindProfile')"; - String insertData19 = "INSERT INTO auth VALUES('admin', 'Logout')"; - String insertData20 = "INSERT INTO auth VALUES('admin', 'ListStaff')"; - String insertData21 = "INSERT INTO auth VALUES('admin', 'ViewProfile')"; - String insertData22 = "INSERT INTO auth VALUES('admin', 'EditProfile')"; - String insertData23 = "INSERT INTO auth VALUES('admin', 'CreateProfile')"; - String insertData24 = "INSERT INTO auth VALUES('admin', 'DeleteProfile')"; - String insertData25 = "INSERT INTO auth VALUES('admin', 'UpdateProfile')"; - String insertData25_1 = "INSERT INTO auth VALUES('admin', 'SearchStaff')"; - String insertData25_2 = "INSERT INTO auth VALUES('admin', 'FindProfile')"; + String insertData2 = "INSERT INTO employee VALUES (102, 'Moe', 'Stooge', '936-18-4524','moe'," + + "'CSO','443-938-5301', '3013 AMD Ave', 'New York, NY', 112, 03082003, 140000, 'NA', 0, 'moe@stooges.com', 0101013, " + + "'Hit Curly over head', 'Very dominating over Larry and Curly')"; + + String insertData3 = "INSERT INTO employee VALUES (103, 'Curly', 'Stooge', '961-08-0047','curly'," + + "'Technician','410-667-6654', '1112 Crusoe Lane', 'New York, NY', 102, 02122001, 50000, 'NA', 0, 'curly@stooges.com', 0101014, " + + "'Hit Moe back', 'Owes three-thousand to company for fradulent purchases')"; + + String insertData4 = "INSERT INTO employee VALUES (104, 'Eric', 'Walker', '445-66-5565','eric'," + + "'Engineer','410-887-1193', '1160 Prescott Rd', 'New York, NY', 107, 12152005, 13000, 'NA', 0, 'eric@modelsrus.com',0101013, " + + "'Bothering Larry about webgoat problems', 'Late. Always needs help. Too intern-ish.')"; + + String insertData5 = "INSERT INTO employee VALUES (105, 'Tom', 'Cat', '792-14-6364','tom'," + + "'Engineer','443-599-0762', '2211 HyperThread Rd.', 'New York, NY', 106, 01011999, 80000, '5481360857968521', 30000, 'tom@wb.com', 0, " + + "'NA', 'Co-Owner.')"; + + String insertData6 = "INSERT INTO employee VALUES (106, 'Jerry', 'Mouse', '858-55-4452','jerry'," + + "'Human Resources','443-699-3366', '3011 Unix Drive', 'New York, NY', 102, 01011999, 70000, '6981754825013564', 20000, 'jerry@wb.com', 0, " + + "'NA', 'Co-Owner.')"; + + String insertData7 = "INSERT INTO employee VALUES (107, 'David', 'Giambi', '439-20-9405','david'," + + "'Human Resources','610-521-8413', '5132 DIMM Avenue', 'New York, NY', 102, 05011999, 100000, '6981754825018101', 10000, 'david@modelsrus.com', 061402, " + + "'Hacked into accounting server. Modified personal pay.', 'Strong work habbit. Questionable ethics.')"; + + String insertData8 = "INSERT INTO employee VALUES (108, 'Bruce', 'McGuirre', '707-95-9482','bruce'," + + "'Engineer','610-282-1103', '8899 FreeBSD Drive ', 'New York, NY', 107, 03012000, 110000, '6981754825854136', 30000, 'bruce@modelsrus.com', 061502, " + + "'Tortuous Boot Camp workout at 5am. Employees felt sick.', 'Enjoys watching others struggle in exercises.')"; + + String insertData9 = "INSERT INTO employee VALUES (109, 'Sean', 'Livingston', '136-55-1046','sean'," + + "'Engineer','610-878-9549', '6422 dFlyBSD Road', 'New York, NY', 107, 06012003, 130000, '6981754825014510', 5000, 'sean@modelsrus.com', 072804, " + + "'Late to work 30 days in row due to excessive Halo 2', 'Has some fascination with Steelers. Go Ravens.')"; + + String insertData10 = "INSERT INTO employee VALUES (110, 'Joanne', 'McDougal', '789-54-2413','joanne'," + + "'Human Resources','610-213-6341', '5567 Broadband Lane', 'New York, NY', 106, 01012001, 90000, '6981754825081054', 300, 'joanne@modelsrus.com', 112005, " + + "'Used company cc to purchase new car. Limit adjusted.', 'Finds it necessary to leave early every day.')"; + + String insertData11 = "INSERT INTO employee VALUES (111, 'John', 'Wayne', '129-69-4572', 'john'," + + "'CTO','610-213-1134', '129 Third St', 'New York, NY', 112, 01012001, 200000, '4437334565679921', 300, 'john@guns.com', 112005, " + + "'', '')"; + String insertData12 = "INSERT INTO employee VALUES (112, 'Neville', 'Bartholomew', '111-111-1111', 'socks'," + + "'CEO','408-587-0024', '1 Corporate Headquarters', 'San Jose, CA', 112, 03012000, 450000, '4803389267684109', 300000, 'neville@modelsrus.com', 112005, " + + "'', '')"; + + statement.executeUpdate(insertData1); + statement.executeUpdate(insertData2); + statement.executeUpdate(insertData3); + statement.executeUpdate(insertData4); + statement.executeUpdate(insertData5); + statement.executeUpdate(insertData6); + statement.executeUpdate(insertData7); + statement.executeUpdate(insertData8); + statement.executeUpdate(insertData9); + statement.executeUpdate(insertData10); + statement.executeUpdate(insertData11); + statement.executeUpdate(insertData12); + + } + + private void createRolesTable(Connection connection) throws SQLException { + Statement statement = connection.createStatement(); + + try { + String dropTable = "DROP TABLE roles"; + statement.executeUpdate(dropTable); + } catch (SQLException e) { + System.out.println("Info - Could not drop roles table"); + } + + try { + String createTable = "CREATE TABLE roles (" + "userid INT NOT NULL," + "role VARCHAR(10) NOT NULL," + + "PRIMARY KEY (userid, role)" + ")"; + + statement.executeUpdate(createTable); + } catch (SQLException e) { + System.out.println("Error: Unable to create role table: " + e.getLocalizedMessage()); + } + + String insertData1 = "INSERT INTO roles VALUES (101, 'employee')"; + String insertData2 = "INSERT INTO roles VALUES (102, 'manager')"; + String insertData3 = "INSERT INTO roles VALUES (103, 'employee')"; + String insertData4 = "INSERT INTO roles VALUES (104, 'employee')"; + String insertData5 = "INSERT INTO roles VALUES (105, 'employee')"; + String insertData6 = "INSERT INTO roles VALUES (106, 'hr')"; + String insertData7 = "INSERT INTO roles VALUES (107, 'manager')"; + String insertData8 = "INSERT INTO roles VALUES (108, 'employee')"; + String insertData9 = "INSERT INTO roles VALUES (109, 'employee')"; + String insertData10 = "INSERT INTO roles VALUES (110, 'hr')"; + String insertData11 = "INSERT INTO roles VALUES (111, 'admin')"; + String insertData12 = "INSERT INTO roles VALUES (112, 'admin')"; + + statement.executeUpdate(insertData1); + statement.executeUpdate(insertData2); + statement.executeUpdate(insertData3); + statement.executeUpdate(insertData4); + statement.executeUpdate(insertData5); + statement.executeUpdate(insertData6); + statement.executeUpdate(insertData7); + statement.executeUpdate(insertData8); + statement.executeUpdate(insertData9); + statement.executeUpdate(insertData10); + statement.executeUpdate(insertData11); + statement.executeUpdate(insertData12); + } + + private void createAuthTable(Connection connection) throws SQLException { + Statement statement = connection.createStatement(); + + try { + String dropTable = "DROP TABLE auth"; + statement.executeUpdate(dropTable); + } catch (SQLException e) { + System.out.println("Info - Could not drop auth table"); + } + + try { + String createTable = "CREATE TABLE auth (" + "role VARCHAR(10) NOT NULL," + + "functionid VARCHAR(20) NOT NULL," + "PRIMARY KEY (role, functionid)" + ")"; + + statement.executeUpdate(createTable); + } catch (SQLException e) { + System.out.println("Error: unable to create auth table: " + e.getLocalizedMessage()); + } + + String insertData1 = "INSERT INTO auth VALUES('employee', 'Logout')"; + String insertData2 = "INSERT INTO auth VALUES('employee', 'ListStaff')"; + String insertData3 = "INSERT INTO auth VALUES('employee', 'ViewProfile')"; + String insertData4 = "INSERT INTO auth VALUES('employee', 'EditProfile')"; + String insertData4_1 = "INSERT INTO auth VALUES('employee', 'SearchStaff')"; + String insertData4_2 = "INSERT INTO auth VALUES('employee', 'FindProfile')"; + String insertData5 = "INSERT INTO auth VALUES('manager', 'Logout')"; + String insertData6 = "INSERT INTO auth VALUES('manager', 'ListStaff')"; + String insertData7 = "INSERT INTO auth VALUES('manager', 'ViewProfile')"; + String insertData7_1 = "INSERT INTO auth VALUES('manager', 'SearchStaff')"; + String insertData7_2 = "INSERT INTO auth VALUES('manager', 'FindProfile')"; + // String insertData8 = "INSERT INTO auth VALUES('manager', 'EditProfile')"; + // String insertData9 = "INSERT INTO auth VALUES('manager', 'CreateProfile')"; + // String insertData10 = "INSERT INTO auth VALUES('manager', 'DeleteProfile')"; + // String insertData11 = "INSERT INTO auth VALUES('manager', 'UpdateProfile')"; + String insertData12 = "INSERT INTO auth VALUES('hr', 'Logout')"; + String insertData13 = "INSERT INTO auth VALUES('hr', 'ListStaff')"; + String insertData14 = "INSERT INTO auth VALUES('hr', 'ViewProfile')"; + String insertData15 = "INSERT INTO auth VALUES('hr', 'EditProfile')"; + String insertData16 = "INSERT INTO auth VALUES('hr', 'CreateProfile')"; + String insertData17 = "INSERT INTO auth VALUES('hr', 'DeleteProfile')"; + String insertData18 = "INSERT INTO auth VALUES('hr', 'UpdateProfile')"; + String insertData18_1 = "INSERT INTO auth VALUES('hr', 'SearchStaff')"; + String insertData18_2 = "INSERT INTO auth VALUES('hr', 'FindProfile')"; + String insertData19 = "INSERT INTO auth VALUES('admin', 'Logout')"; + String insertData20 = "INSERT INTO auth VALUES('admin', 'ListStaff')"; + String insertData21 = "INSERT INTO auth VALUES('admin', 'ViewProfile')"; + String insertData22 = "INSERT INTO auth VALUES('admin', 'EditProfile')"; + String insertData23 = "INSERT INTO auth VALUES('admin', 'CreateProfile')"; + String insertData24 = "INSERT INTO auth VALUES('admin', 'DeleteProfile')"; + String insertData25 = "INSERT INTO auth VALUES('admin', 'UpdateProfile')"; + String insertData25_1 = "INSERT INTO auth VALUES('admin', 'SearchStaff')"; + String insertData25_2 = "INSERT INTO auth VALUES('admin', 'FindProfile')"; // // Add a permission for the webgoat role to see the source. // // The challenge(s) will change the default role to "challenge" @@ -764,274 +716,261 @@ public class CreateDB // + "')"; // String insertData27 = "INSERT INTO auth VALUES('" + AbstractLesson.USER_ROLE + "','" + WebSession.SHOWHINTS // + "')"; - // Add a permission for the webgoat role to see the solution. - // The challenge(s) will change the default role to "challenge" + // Add a permission for the webgoat role to see the solution. + // The challenge(s) will change the default role to "challenge" // String insertData28 = "INSERT INTO auth VALUES('" + AbstractLesson.USER_ROLE + "','" + WebSession.SHOWSOLUTION // + "')"; - statement.executeUpdate(insertData1); - statement.executeUpdate(insertData2); - statement.executeUpdate(insertData3); - statement.executeUpdate(insertData4); - statement.executeUpdate(insertData4_1); - statement.executeUpdate(insertData4_2); - statement.executeUpdate(insertData5); - statement.executeUpdate(insertData6); - statement.executeUpdate(insertData7); - statement.executeUpdate(insertData7_1); - statement.executeUpdate(insertData7_2); - // statement.executeUpdate(insertData8); - // statement.executeUpdate(insertData9); - // statement.executeUpdate(insertData10); - // statement.executeUpdate(insertData11); - statement.executeUpdate(insertData12); - statement.executeUpdate(insertData13); - statement.executeUpdate(insertData14); - statement.executeUpdate(insertData15); - statement.executeUpdate(insertData16); - statement.executeUpdate(insertData17); - statement.executeUpdate(insertData18); - statement.executeUpdate(insertData18_1); - statement.executeUpdate(insertData18_2); - statement.executeUpdate(insertData19); - statement.executeUpdate(insertData20); - statement.executeUpdate(insertData21); - statement.executeUpdate(insertData22); - statement.executeUpdate(insertData23); - statement.executeUpdate(insertData24); - statement.executeUpdate(insertData25); - statement.executeUpdate(insertData25_1); - statement.executeUpdate(insertData25_2); - //statement.executeUpdate(insertData26); - //statement.executeUpdate(insertData27); - //statement.executeUpdate(insertData28); - } + statement.executeUpdate(insertData1); + statement.executeUpdate(insertData2); + statement.executeUpdate(insertData3); + statement.executeUpdate(insertData4); + statement.executeUpdate(insertData4_1); + statement.executeUpdate(insertData4_2); + statement.executeUpdate(insertData5); + statement.executeUpdate(insertData6); + statement.executeUpdate(insertData7); + statement.executeUpdate(insertData7_1); + statement.executeUpdate(insertData7_2); + // statement.executeUpdate(insertData8); + // statement.executeUpdate(insertData9); + // statement.executeUpdate(insertData10); + // statement.executeUpdate(insertData11); + statement.executeUpdate(insertData12); + statement.executeUpdate(insertData13); + statement.executeUpdate(insertData14); + statement.executeUpdate(insertData15); + statement.executeUpdate(insertData16); + statement.executeUpdate(insertData17); + statement.executeUpdate(insertData18); + statement.executeUpdate(insertData18_1); + statement.executeUpdate(insertData18_2); + statement.executeUpdate(insertData19); + statement.executeUpdate(insertData20); + statement.executeUpdate(insertData21); + statement.executeUpdate(insertData22); + statement.executeUpdate(insertData23); + statement.executeUpdate(insertData24); + statement.executeUpdate(insertData25); + statement.executeUpdate(insertData25_1); + statement.executeUpdate(insertData25_2); + //statement.executeUpdate(insertData26); + //statement.executeUpdate(insertData27); + //statement.executeUpdate(insertData28); + } - private void createOwnershipTable(Connection connection) throws SQLException - { - Statement statement = connection.createStatement(); + private void createOwnershipTable(Connection connection) throws SQLException { + Statement statement = connection.createStatement(); - try - { - String dropTable = "DROP TABLE ownership"; - statement.executeUpdate(dropTable); - } catch (SQLException e) - { - System.out.println("Info - Could not drop ownership table"); - } + try { + String dropTable = "DROP TABLE ownership"; + statement.executeUpdate(dropTable); + } catch (SQLException e) { + System.out.println("Info - Could not drop ownership table"); + } - try - { - String createTable = "CREATE TABLE ownership (" + "employer_id INT NOT NULL," + "employee_id INT NOT NULL," - + "PRIMARY KEY (employee_id, employer_id)" + ")"; + try { + String createTable = "CREATE TABLE ownership (" + "employer_id INT NOT NULL," + "employee_id INT NOT NULL," + + "PRIMARY KEY (employee_id, employer_id)" + ")"; - statement.executeUpdate(createTable); - } catch (SQLException e) - { - System.out.println("Error: unable to create ownership table: " + e.getLocalizedMessage()); - } + statement.executeUpdate(createTable); + } catch (SQLException e) { + System.out.println("Error: unable to create ownership table: " + e.getLocalizedMessage()); + } - String inputData = "INSERT INTO ownership VALUES (112, 101)"; - statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (112, 102)"; - statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (112, 103)"; - statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (112, 104)"; - statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (112, 105)"; - statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (112, 106)"; - statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (112, 107)"; - statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (112, 108)"; - statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (112, 109)"; - statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (112, 110)"; - statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (112, 111)"; - statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (112, 112)"; - statement.executeUpdate(inputData); + String inputData = "INSERT INTO ownership VALUES (112, 101)"; + statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (112, 102)"; + statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (112, 103)"; + statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (112, 104)"; + statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (112, 105)"; + statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (112, 106)"; + statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (112, 107)"; + statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (112, 108)"; + statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (112, 109)"; + statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (112, 110)"; + statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (112, 111)"; + statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (112, 112)"; + statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (102, 101)"; - statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (102, 102)"; - statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (102, 103)"; - statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (102, 104)"; - statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (102, 105)"; - statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (102, 106)"; - statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (102, 107)"; - statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (102, 108)"; - statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (102, 109)"; - statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (102, 110)"; - statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (102, 111)"; - statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (102, 101)"; + statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (102, 102)"; + statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (102, 103)"; + statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (102, 104)"; + statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (102, 105)"; + statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (102, 106)"; + statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (102, 107)"; + statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (102, 108)"; + statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (102, 109)"; + statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (102, 110)"; + statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (102, 111)"; + statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (111, 101)"; - statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (111, 102)"; - statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (111, 103)"; - statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (111, 104)"; - statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (111, 105)"; - statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (111, 106)"; - statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (111, 107)"; - statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (111, 108)"; - statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (111, 109)"; - statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (111, 110)"; - statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (111, 111)"; - statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (111, 101)"; + statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (111, 102)"; + statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (111, 103)"; + statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (111, 104)"; + statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (111, 105)"; + statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (111, 106)"; + statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (111, 107)"; + statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (111, 108)"; + statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (111, 109)"; + statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (111, 110)"; + statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (111, 111)"; + statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (106, 105)"; - statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (106, 106)"; - statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (106, 110)"; - statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (106, 105)"; + statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (106, 106)"; + statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (106, 110)"; + statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (101, 101)"; - statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (101, 101)"; + statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (103, 103)"; - statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (103, 103)"; + statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (107, 104)"; - statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (107, 108)"; - statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (107, 109)"; - statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (107, 107)"; - statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (107, 104)"; + statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (107, 108)"; + statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (107, 109)"; + statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (107, 107)"; + statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (105, 105)"; - statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (105, 105)"; + statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (110, 110)"; - statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (110, 110)"; + statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (104, 104)"; - statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (104, 104)"; + statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (108, 108)"; - statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (108, 108)"; + statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (109, 109)"; - statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (109, 109)"; + statement.executeUpdate(inputData); - } + } - // -------------------------------------------------------------------------- - // - // End of WebGoat Financials - // - // -------------------------------------------------------------------------- + // -------------------------------------------------------------------------- + // + // End of WebGoat Financials + // + // -------------------------------------------------------------------------- - /** - * Start creation of data for WebServices labs - */ + /** + * Start creation of data for WebServices labs + */ - private void createTransactionTable(Connection connection) throws SQLException - { - Statement statement = connection.createStatement(); + private void createTransactionTable(Connection connection) throws SQLException { + Statement statement = connection.createStatement(); - try - { - String dropTable = "DROP TABLE transactions"; - statement.executeUpdate(dropTable); - } catch (SQLException e) - { - System.out.println("Info - Could not drop transactions table"); - } + try { + String dropTable = "DROP TABLE transactions"; + statement.executeUpdate(dropTable); + } catch (SQLException e) { + System.out.println("Info - Could not drop transactions table"); + } - try - { - String createTable = "CREATE TABLE Transactions (" + "userName VARCHAR(16) NOT NULL, " - + "sequence INTEGER NOT NULL, " + "from_account VARCHAR(16) NOT NULL, " - + "to_account VARCHAR(16) NOT NULL, " + "transactionDate TIMESTAMP NOT NULL, " - + "description VARCHAR(255) NOT NULL, " + "amount INTEGER NOT NULL" + ")"; + try { + String createTable = "CREATE TABLE Transactions (" + "userName VARCHAR(16) NOT NULL, " + + "sequence INTEGER NOT NULL, " + "from_account VARCHAR(16) NOT NULL, " + + "to_account VARCHAR(16) NOT NULL, " + "transactionDate TIMESTAMP NOT NULL, " + + "description VARCHAR(255) NOT NULL, " + "amount INTEGER NOT NULL" + ")"; - statement.executeUpdate(createTable); - } catch (SQLException e) - { - System.out.println("Error: unable to create transactions table: " + e.getLocalizedMessage()); - throw e; - } + statement.executeUpdate(createTable); + } catch (SQLException e) { + System.out.println("Error: unable to create transactions table: " + e.getLocalizedMessage()); + throw e; + } - String[] data = new String[] { - "'dave', 0, '238-4723-4024', '324-7635-9867', '2008-02-06 21:40:00', 'Mortgage', '150'", - "'dave', 1, '238-4723-4024', '324-7635-9867', '2008-02-12 21:41:00', 'Car', '150'", - "'dave', 2, '238-4723-4024', '324-7635-9867', '2008-02-20 21:42:00', 'School fees', '150'", - "'CEO', 3, '348-6324-9872', '345-3490-8345', '2008-02-15 21:40:00', 'Rolls Royce', '-150000'", - "'CEO', 4, '348-6324-9872', '342-5893-4503', '2008-02-25 21:41:00', 'Mansion', '-150000'", - "'CEO', 5, '348-6324-9872', '980-2344-5492', '2008-02-27 21:42:00', 'Vacation', '-150000'", - "'jeff', 6, '934-2002-3485', '783-2409-8234', '2008-02-01 21:40:00', 'Vet', '250'", - "'jeff', 7, '934-2002-3485', '634-5879-0345', '2008-02-19 21:41:00', 'Doctor', '800'", - "'jeff', 8, '934-2002-3485', '435-4325-3358', '2008-02-20 21:42:00', 'X-rays', '200'", }; - try - { - for (int i = 0; i < data.length; i++) - { - statement.executeUpdate("INSERT INTO Transactions VALUES (" + data[i] + ");"); - } - } catch (SQLException sqle) - { - System.out.println("Error: Unable to insert transactions: " + sqle.getLocalizedMessage()); - int errorCode = sqle.getErrorCode(); - System.out.println("Error Code: " + errorCode); - // ignore exceptions for Oracle and SQL Server - if (errorCode != 911 && errorCode != 273) { throw sqle; } - } - } + String[] data = new String[]{ + "'dave', 0, '238-4723-4024', '324-7635-9867', '2008-02-06 21:40:00', 'Mortgage', '150'", + "'dave', 1, '238-4723-4024', '324-7635-9867', '2008-02-12 21:41:00', 'Car', '150'", + "'dave', 2, '238-4723-4024', '324-7635-9867', '2008-02-20 21:42:00', 'School fees', '150'", + "'CEO', 3, '348-6324-9872', '345-3490-8345', '2008-02-15 21:40:00', 'Rolls Royce', '-150000'", + "'CEO', 4, '348-6324-9872', '342-5893-4503', '2008-02-25 21:41:00', 'Mansion', '-150000'", + "'CEO', 5, '348-6324-9872', '980-2344-5492', '2008-02-27 21:42:00', 'Vacation', '-150000'", + "'jeff', 6, '934-2002-3485', '783-2409-8234', '2008-02-01 21:40:00', 'Vet', '250'", + "'jeff', 7, '934-2002-3485', '634-5879-0345', '2008-02-19 21:41:00', 'Doctor', '800'", + "'jeff', 8, '934-2002-3485', '435-4325-3358', '2008-02-20 21:42:00', 'X-rays', '200'",}; + try { + for (int i = 0; i < data.length; i++) { + statement.executeUpdate("INSERT INTO Transactions VALUES (" + data[i] + ");"); + } + } catch (SQLException sqle) { + System.out.println("Error: Unable to insert transactions: " + sqle.getLocalizedMessage()); + int errorCode = sqle.getErrorCode(); + System.out.println("Error Code: " + errorCode); + // ignore exceptions for Oracle and SQL Server + if (errorCode != 911 && errorCode != 273) { + throw sqle; + } + } + } - /** - * Description of the Method - * - * @param connection - * Description of the Parameter - * @exception SQLException - * Description of the Exception - * @throws java.sql.SQLException if any. - */ - public void makeDB(Connection connection) throws SQLException - { - System.out.println("Successful connection to database"); - createUserDataTable(connection); - createLoginTable(connection); - createBlindSQLLessonTable(connection); - createUserAdminTable(connection); - createProductTable(connection); - createMessageTable(connection); - createEmployeeTable(connection); - createRolesTable(connection); - createAuthTable(connection); - createOwnershipTable(connection); - createWeatherDataTable(connection); - createTransactionTable(connection); - createTanUserDataTable(connection); - createTanTable(connection); - createMFEImagesTable(connection); - createModifyWithSQLLessonTable(connection); - System.out.println("Success: creating tables."); - } + /** + * Description of the Method + * + * @param connection Description of the Parameter + * @throws SQLException Description of the Exception + * @throws java.sql.SQLException if any. + */ + public void makeDB(Connection connection) throws SQLException { + System.out.println("Successful connection to database"); + createServersTable(connection); + createUserDataTable(connection); + createLoginTable(connection); + createBlindSQLLessonTable(connection); + createUserAdminTable(connection); + createProductTable(connection); + createMessageTable(connection); + createEmployeeTable(connection); + createRolesTable(connection); + createAuthTable(connection); + createOwnershipTable(connection); + createWeatherDataTable(connection); + createTransactionTable(connection); + createTanUserDataTable(connection); + createTanTable(connection); + createMFEImagesTable(connection); + createModifyWithSQLLessonTable(connection); + System.out.println("Success: creating tables."); + } } diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/SqlInjectionAdvanced.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/advanced/SqlInjectionAdvanced.java similarity index 97% rename from webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/SqlInjectionAdvanced.java rename to webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/advanced/SqlInjectionAdvanced.java index 5a8a28c25..3df685705 100644 --- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/SqlInjectionAdvanced.java +++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/advanced/SqlInjectionAdvanced.java @@ -1,4 +1,4 @@ -package org.owasp.webgoat.plugin; +package org.owasp.webgoat.plugin.advanced; import org.owasp.webgoat.lessons.Category; import org.owasp.webgoat.lessons.NewLesson; diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/SqlInjectionChallenge.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/advanced/SqlInjectionChallenge.java similarity index 99% rename from webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/SqlInjectionChallenge.java rename to webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/advanced/SqlInjectionChallenge.java index f47076500..a81fa8299 100644 --- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/SqlInjectionChallenge.java +++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/advanced/SqlInjectionChallenge.java @@ -1,4 +1,4 @@ -package org.owasp.webgoat.plugin; +package org.owasp.webgoat.plugin.advanced; import lombok.extern.slf4j.Slf4j; import org.apache.commons.lang3.RandomStringUtils; diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/SqlInjection.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjection.java similarity index 97% rename from webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/SqlInjection.java rename to webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjection.java index 2ac3acc10..d5df3c88a 100644 --- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/SqlInjection.java +++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjection.java @@ -1,4 +1,4 @@ -package org.owasp.webgoat.plugin; +package org.owasp.webgoat.plugin.introduction; import java.util.ArrayList; import java.util.List; diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/SqlInjectionLesson5a.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson5a.java similarity index 99% rename from webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/SqlInjectionLesson5a.java rename to webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson5a.java index 9eea9b173..87a776d2f 100644 --- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/SqlInjectionLesson5a.java +++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson5a.java @@ -1,5 +1,5 @@ -package org.owasp.webgoat.plugin; +package org.owasp.webgoat.plugin.introduction; import org.owasp.webgoat.assignments.AssignmentEndpoint; import org.owasp.webgoat.assignments.AssignmentHints; diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/SqlInjectionLesson5b.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson5b.java similarity index 98% rename from webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/SqlInjectionLesson5b.java rename to webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson5b.java index 595bb490d..deeaa7666 100644 --- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/SqlInjectionLesson5b.java +++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson5b.java @@ -1,4 +1,4 @@ -package org.owasp.webgoat.plugin; +package org.owasp.webgoat.plugin.introduction; import org.owasp.webgoat.assignments.AssignmentEndpoint; diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/SqlInjectionLesson6a.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson6a.java similarity index 95% rename from webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/SqlInjectionLesson6a.java rename to webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson6a.java index 701e9a0e4..136723f8d 100644 --- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/SqlInjectionLesson6a.java +++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson6a.java @@ -1,5 +1,5 @@ -package org.owasp.webgoat.plugin; +package org.owasp.webgoat.plugin.introduction; import org.owasp.webgoat.assignments.AssignmentEndpoint; import org.owasp.webgoat.assignments.AssignmentHints; @@ -14,8 +14,6 @@ import org.springframework.web.bind.annotation.ResponseBody; import java.io.IOException; import java.sql.*; -import static org.owasp.webgoat.plugin.SqlInjectionLesson5a.writeTable; - /*************************************************************************************************** * @@ -74,7 +72,7 @@ public class SqlInjectionLesson6a extends AssignmentEndpoint { ResultSetMetaData resultsMetaData = results.getMetaData(); StringBuffer output = new StringBuffer(); - output.append(writeTable(results, resultsMetaData)); + output.append(SqlInjectionLesson5a.writeTable(results, resultsMetaData)); results.last(); // If they get back more than one user they succeeded diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/SqlInjectionLesson6b.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson6b.java similarity index 98% rename from webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/SqlInjectionLesson6b.java rename to webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson6b.java index 2bf828c90..df3f490e7 100644 --- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/SqlInjectionLesson6b.java +++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson6b.java @@ -1,5 +1,5 @@ -package org.owasp.webgoat.plugin; +package org.owasp.webgoat.plugin.introduction; import org.owasp.webgoat.assignments.AssignmentEndpoint; import org.owasp.webgoat.assignments.AssignmentPath; diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/Servers.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/Servers.java new file mode 100644 index 000000000..cb7ee35c0 --- /dev/null +++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/Servers.java @@ -0,0 +1,56 @@ +package org.owasp.webgoat.plugin.mitigation; + +import com.google.common.collect.Lists; +import lombok.AllArgsConstructor; +import lombok.Getter; +import lombok.SneakyThrows; +import org.owasp.webgoat.session.DatabaseUtilities; +import org.owasp.webgoat.session.WebSession; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.http.MediaType; +import org.springframework.web.bind.annotation.*; + +import java.sql.Connection; +import java.sql.PreparedStatement; +import java.sql.ResultSet; +import java.util.List; + +/** + * @author nbaars + * @since 6/13/17. + */ +@RestController +@RequestMapping("SqlInjection/servers") +public class Servers { + + @AllArgsConstructor + @Getter + private class Server { + + private String id; + private String hostname; + private String ip; + private String mac; + private String status; + private String description; + } + + @Autowired + private WebSession webSession; + + @GetMapping(produces = MediaType.APPLICATION_JSON_VALUE) + @SneakyThrows + @ResponseBody + public List sort(@RequestParam String column) { + Connection connection = DatabaseUtilities.getConnection(webSession); + PreparedStatement preparedStatement = connection.prepareStatement("select id, hostname, ip, mac, status, description from servers where status <> 'out of order' order by " + column); + ResultSet rs = preparedStatement.executeQuery(); + List servers = Lists.newArrayList(); + while (rs.next()) { + Server server = new Server(rs.getString(1), rs.getString(2), rs.getString(3), rs.getString(4), rs.getString(5), rs.getString(6)); + servers.add(server); + } + return servers; + } + +} diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson12a.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson12a.java new file mode 100644 index 000000000..b8237b8df --- /dev/null +++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson12a.java @@ -0,0 +1,46 @@ +package org.owasp.webgoat.plugin.mitigation; + +import lombok.SneakyThrows; +import lombok.extern.slf4j.Slf4j; +import org.owasp.webgoat.assignments.AssignmentEndpoint; +import org.owasp.webgoat.assignments.AssignmentHints; +import org.owasp.webgoat.assignments.AssignmentPath; +import org.owasp.webgoat.assignments.AttackResult; +import org.owasp.webgoat.session.DatabaseUtilities; +import org.owasp.webgoat.session.WebSession; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.web.bind.annotation.RequestMapping; +import org.springframework.web.bind.annotation.RequestMethod; +import org.springframework.web.bind.annotation.RequestParam; +import org.springframework.web.bind.annotation.ResponseBody; + +import java.sql.*; + +/** + * @author nbaars + * @since 6/13/17. + */ +@AssignmentPath("SqlInjection/attack12a") +@AssignmentHints(value = {"SqlStringInjectionHint8", "SqlStringInjectionHint9", "SqlStringInjectionHint10", "SqlStringInjectionHint11"}) +@Slf4j +public class SqlInjectionLesson12a extends AssignmentEndpoint { + + @Autowired + private WebSession webSession; + + @RequestMapping(method = RequestMethod.POST) + @ResponseBody + @SneakyThrows + public AttackResult completed(@RequestParam String ip) { + Connection connection = DatabaseUtilities.getConnection(webSession); + PreparedStatement preparedStatement = connection.prepareStatement("select ip from servers where ip = ?"); + preparedStatement.setString(1, ip); + ResultSet resultSet = preparedStatement.executeQuery(); + if (resultSet.next()) { + return trackProgress(success().build()); + } + return trackProgress(failed().build()); + } +} + + diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/SqlInjectionMitigations.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionMitigations.java similarity index 97% rename from webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/SqlInjectionMitigations.java rename to webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionMitigations.java index 291d9c98f..463c4dfdc 100644 --- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/SqlInjectionMitigations.java +++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionMitigations.java @@ -1,4 +1,4 @@ -package org.owasp.webgoat.plugin; +package org.owasp.webgoat.plugin.mitigation; import org.owasp.webgoat.lessons.Category; import org.owasp.webgoat.lessons.NewLesson; diff --git a/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjectionMitigations.html b/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjectionMitigations.html index 6bb7187f3..f34037088 100644 --- a/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjectionMitigations.html +++ b/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjectionMitigations.html @@ -27,6 +27,84 @@

+
+
+
+ +
+
+ +
+
+
+
+
+
+
+

List of servers +
+ +
+

+
+
+ +
+ + + + + + + + + + + + + + +
Hostname + IP MAC Status + Description +
+
+
+
+
+
+
+
+
+
+
IP address webgoat-prd server:
+ +
+
+ +
+
+
+
+
+
+
+
diff --git a/webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties b/webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties index 52cc02fe2..8f4c69431 100644 --- a/webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties +++ b/webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties @@ -9,6 +9,10 @@ SqlStringInjectionHint4=Try entering [ smith' OR '1' = '1 ]. SqlStringInjectionHint5=First try to find out the number of columns by adding a group by 1,2,3 etc to the query. SqlStringInjectionHint6=Try adding a union to the query, the number of columns should match. SqlStringInjectionHint7=Try entering [ Smith' union select userid,user_name, password,cookie,cookie, cookie,userid from user_system_data -- ]. +SqlStringInjectionHint8=Try sorting and look at the request +SqlStringInjectionHint9=Intercept the request and try to specify a different order by +SqlStringInjectionHint10=Use for example "(case when (true) then hostname else id end)" in the order by and see what happens +SqlStringInjectionHint11=Use for example "(case when (true) then hostname else id end)" in the order by and see what happens sql-injection.5a.success=You have succeed: {0} sql-injection.5a.no.results=No results matched. Try Again. diff --git a/webgoat-lessons/sql-injection/src/main/resources/js/assignment12.js b/webgoat-lessons/sql-injection/src/main/resources/js/assignment12.js new file mode 100644 index 000000000..b001e4572 --- /dev/null +++ b/webgoat-lessons/sql-injection/src/main/resources/js/assignment12.js @@ -0,0 +1,61 @@ +$(function () { + $('.col-check').hide(); + $('#btn-admin').on('click', function () { + if ($("#toolbar-admin").is(":visible")) { + $("#toolbar-admin").hide(); + $(".col-check").hide(); + } + else { + $("#toolbar-admin").show(); + $(".col-check").show(); + } + }); + + $('#btn-online').on('click', function () { + $('table tr').filter(':has(:checkbox:checked)').find('td').parent().removeClass().addClass('success'); + $('table tr').filter(':has(:checkbox:checked)').find('td.status').text('online'); + }); + $('#btn-offline').on('click', function () { + $('table tr').filter(':has(:checkbox:checked)').find('td').parent().removeClass().addClass('warning'); + $('table tr').filter(':has(:checkbox:checked)').find('td.status').text('offline'); + }); + $('#btn-out-of-order').on('click', function () { + $('table tr').filter(':has(:checkbox:checked)').find('td').parent().removeClass().addClass('danger'); + $('table tr').filter(':has(:checkbox:checked)').find('td.status').text('out of order'); + }); + +}); + +$(document).ready(function () { + getServers('id'); +}); + +var html = '' + + '' + + 'HOSTNAME' + + 'IP' + + 'MAC' + + 'ONLINE' + + 'DESCRIPTION' + + ''; + +function getServers(column) { + $.get("SqlInjection/servers?column=" + column, function (result, status) { + $("#servers").empty(); + for (var i = 0; i < result.length; i++) { + var server = html.replace('ID', result[i].id); + var status = "success"; + if (result[i].status === 'offline') { + status = "danger"; + } + server = server.replace('ONLINE', status); + server = server.replace('STATUS', status); + server = server.replace('HOSTNAME', result[i].hostname); + server = server.replace('IP', result[i].ip); + server = server.replace('MAC', result[i].mac); + server = server.replace('DESCRIPTION', result[i].description); + $("#servers").append(server); + } + + }); +} \ No newline at end of file diff --git a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content12a.adoc b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content12a.adoc new file mode 100644 index 000000000..88d1a4f4c --- /dev/null +++ b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content12a.adoc @@ -0,0 +1,48 @@ +== Order by clause + +Question: Does a preparared statement always prevent against an SQL injection? +Answer: No it does not + +Let's take a look at the following statement: + +---- +select * from users order by lastname; +---- + +If we look at the specification of the SQL grammar the definition is as follows: + +---- +SELECT ... +FROM tableList +[WHERE Expression] +[ORDER BY orderExpression [, ...]] + +orderExpression: +{ columnNr | columnAlias | selectExpression } + [ASC | DESC] + +selectExpression: +{ Expression | COUNT(*) | { + COUNT | MIN | MAX | SUM | AVG | SOME | EVERY | + VAR_POP | VAR_SAMP | STDDEV_POP | STDDEV_SAMP +} ([ALL | DISTINCT][2]] Expression) } [[AS] label] + +Based on HSQLDB +---- + +This means an `orderExpression` van be a `selectExpression` which can be a function as well, so for example with +a `case` statement we might be able to ask the database some questions, like: + +---- +select * from users order by + (select case when (true) then lastname else firstname) +---- + +So we can substitute any kind of boolean operation in the `when(....)` part. The statement will just work because +it is a valid query whether you use a prepared statement or not an order by clause can by definition contain a +expression. + +=== Mitigation + +If you need to provide a sorting column in your web application you should implement a whitelist to validate the value +of the `order by` statement it should always be limited to something like 'firstname' or 'lastname'. diff --git a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content6c.adoc b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content6c.adoc index d81a9d1c9..53fc5e140 100644 --- a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content6c.adoc +++ b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content6c.adoc @@ -1,11 +1,11 @@ -=== Blind SQL Injection +== Blind SQL Injection Blind SQL injection is a type of SQL injection attack that asks the database true or false questions and determines the answer based on the applications response. This attack is often used when the web application is configured to show generic error messages, but has not mitigated the code that is vulnerable to SQL injection. -==== Difference +=== Difference Let's first start with the difference between a normal SQL injection and a blind SQL injection. In a normal SQL injection the error messages from the database are displayed and gives enough information to find out how @@ -16,7 +16,7 @@ based on a true or false statement. That's why a blind SQL injection is much mor There are several different types of blind SQL injections: content based and time based SQL injections. -==== Example +=== Example In this case we are trying to ask the database a boolean question based on for example a unique id, for example suppose we have the following url: `https://my-shop.com?article=4` diff --git a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_order_by.adoc b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_order_by.adoc new file mode 100644 index 000000000..6adb9156b --- /dev/null +++ b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_order_by.adoc @@ -0,0 +1,4 @@ +In this assignment try to perform an SQL injection through the ORDER BY field. +Try to find the ip address of the `webgoat-prd` server. + +Note: The submit field of this assignment is *NOT* vulnerable for an SQL injection. \ No newline at end of file diff --git a/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/plugin/SqlInjectionLesson12aTest.java b/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/plugin/SqlInjectionLesson12aTest.java new file mode 100644 index 000000000..b71e93191 --- /dev/null +++ b/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/plugin/SqlInjectionLesson12aTest.java @@ -0,0 +1,80 @@ +package org.owasp.webgoat.plugin; + +import org.junit.Before; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.owasp.webgoat.plugin.introduction.SqlInjection; +import org.owasp.webgoat.plugins.LessonTest; +import org.owasp.webgoat.session.WebgoatContext; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; +import org.springframework.test.web.servlet.request.MockMvcRequestBuilders; +import org.springframework.test.web.servlet.result.MockMvcResultHandlers; +import org.springframework.test.web.servlet.setup.MockMvcBuilders; + +import static org.hamcrest.Matchers.is; +import static org.mockito.Mockito.when; +import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath; +import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status; + +/** + * @author nbaars + * @since 5/21/17. + */ +@RunWith(SpringJUnit4ClassRunner.class) +public class SqlInjectionLesson12aTest extends LessonTest { + + @Autowired + private WebgoatContext context; + + @Before + public void setup() throws Exception { + SqlInjection sql = new SqlInjection(); + + when(webSession.getCurrentLesson()).thenReturn(sql); + when(webSession.getWebgoatContext()).thenReturn(context); + this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build(); + } + + @Test + public void knownAccountShouldDisplayData() throws Exception { + mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjection/servers") + .param("column", "id")) + .andDo(MockMvcResultHandlers.print()) + .andExpect(status().isOk()); + } + + @Test + public void trueShouldSortByHostname() throws Exception { + mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjection/servers") + .param("column", "(case when (true) then hostname else id end)")) + .andDo(MockMvcResultHandlers.print()) + .andExpect(status().isOk()) + .andExpect(status().isOk()).andExpect(jsonPath("$[0].hostname", is("webgoat-acc"))); + } + + @Test + public void falseShouldSortById() throws Exception { + mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjection/servers") + .param("column", "(case when (true) then hostname else id end)")) + .andDo(MockMvcResultHandlers.print()) + .andExpect(status().isOk()) + .andExpect(status().isOk()).andExpect(jsonPath("$[0].hostname", is("webgoat-acc"))); + } + + @Test + public void passwordIncorrectShouldOrderByHostname() throws Exception { + mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjection/servers") + .param("column", "CASE WHEN (SELECT ip FROM servers WHERE hostname='webgoat-prd') LIKE '192.%' THEN hostname ELSE id END")) + .andDo(MockMvcResultHandlers.print()) + .andExpect(status().isOk()).andExpect(jsonPath("$[0].hostname", is("webgoat-dev"))); + } + + @Test + public void passwordCorrectShouldOrderByHostname() throws Exception { + mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjection/servers") + .param("column", "CASE WHEN (SELECT ip FROM servers WHERE hostname='webgoat-prd') LIKE '104.%' THEN hostname ELSE id END")) + .andDo(MockMvcResultHandlers.print()) + .andExpect(status().isOk()).andExpect(jsonPath("$[0].hostname", is("webgoat-acc"))); + } +} \ No newline at end of file diff --git a/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/plugin/SqlInjectionLesson5aTest.java b/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/plugin/SqlInjectionLesson5aTest.java index 54c99b481..b829546a6 100644 --- a/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/plugin/SqlInjectionLesson5aTest.java +++ b/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/plugin/SqlInjectionLesson5aTest.java @@ -3,6 +3,7 @@ package org.owasp.webgoat.plugin; import org.junit.Before; import org.junit.Test; import org.junit.runner.RunWith; +import org.owasp.webgoat.plugin.introduction.SqlInjection; import org.owasp.webgoat.plugins.LessonTest; import org.owasp.webgoat.session.WebgoatContext; import org.springframework.beans.factory.annotation.Autowired;