Adding extra lesson for order by clauses
This commit is contained in:
		| @ -1,4 +1,4 @@ | ||||
| package org.owasp.webgoat.plugin; | ||||
| package org.owasp.webgoat.plugin.advanced; | ||||
| 
 | ||||
| import org.owasp.webgoat.lessons.Category; | ||||
| import org.owasp.webgoat.lessons.NewLesson; | ||||
| @ -1,4 +1,4 @@ | ||||
| package org.owasp.webgoat.plugin; | ||||
| package org.owasp.webgoat.plugin.advanced; | ||||
| 
 | ||||
| import lombok.extern.slf4j.Slf4j; | ||||
| import org.apache.commons.lang3.RandomStringUtils; | ||||
| @ -1,4 +1,4 @@ | ||||
| package org.owasp.webgoat.plugin; | ||||
| package org.owasp.webgoat.plugin.introduction; | ||||
| 
 | ||||
| import java.util.ArrayList; | ||||
| import java.util.List; | ||||
| @ -1,5 +1,5 @@ | ||||
| 
 | ||||
| package org.owasp.webgoat.plugin; | ||||
| package org.owasp.webgoat.plugin.introduction; | ||||
| 
 | ||||
| import org.owasp.webgoat.assignments.AssignmentEndpoint; | ||||
| import org.owasp.webgoat.assignments.AssignmentHints; | ||||
| @ -1,4 +1,4 @@ | ||||
| package org.owasp.webgoat.plugin; | ||||
| package org.owasp.webgoat.plugin.introduction; | ||||
| 
 | ||||
| 
 | ||||
| import org.owasp.webgoat.assignments.AssignmentEndpoint; | ||||
| @ -1,5 +1,5 @@ | ||||
| 
 | ||||
| package org.owasp.webgoat.plugin; | ||||
| package org.owasp.webgoat.plugin.introduction; | ||||
| 
 | ||||
| import org.owasp.webgoat.assignments.AssignmentEndpoint; | ||||
| import org.owasp.webgoat.assignments.AssignmentHints; | ||||
| @ -14,8 +14,6 @@ import org.springframework.web.bind.annotation.ResponseBody; | ||||
| import java.io.IOException; | ||||
| import java.sql.*; | ||||
| 
 | ||||
| import static org.owasp.webgoat.plugin.SqlInjectionLesson5a.writeTable; | ||||
| 
 | ||||
| 
 | ||||
| /*************************************************************************************************** | ||||
|  * | ||||
| @ -74,7 +72,7 @@ public class SqlInjectionLesson6a extends AssignmentEndpoint { | ||||
|                     ResultSetMetaData resultsMetaData = results.getMetaData(); | ||||
|                     StringBuffer output = new StringBuffer(); | ||||
| 
 | ||||
|                     output.append(writeTable(results, resultsMetaData)); | ||||
|                     output.append(SqlInjectionLesson5a.writeTable(results, resultsMetaData)); | ||||
|                     results.last(); | ||||
| 
 | ||||
|                     // If they get back more than one user they succeeded | ||||
| @ -1,5 +1,5 @@ | ||||
| 
 | ||||
| package org.owasp.webgoat.plugin; | ||||
| package org.owasp.webgoat.plugin.introduction; | ||||
| 
 | ||||
| import org.owasp.webgoat.assignments.AssignmentEndpoint; | ||||
| import org.owasp.webgoat.assignments.AssignmentPath; | ||||
| @ -0,0 +1,56 @@ | ||||
| package org.owasp.webgoat.plugin.mitigation; | ||||
|  | ||||
| import com.google.common.collect.Lists; | ||||
| import lombok.AllArgsConstructor; | ||||
| import lombok.Getter; | ||||
| import lombok.SneakyThrows; | ||||
| import org.owasp.webgoat.session.DatabaseUtilities; | ||||
| import org.owasp.webgoat.session.WebSession; | ||||
| import org.springframework.beans.factory.annotation.Autowired; | ||||
| import org.springframework.http.MediaType; | ||||
| import org.springframework.web.bind.annotation.*; | ||||
|  | ||||
| import java.sql.Connection; | ||||
| import java.sql.PreparedStatement; | ||||
| import java.sql.ResultSet; | ||||
| import java.util.List; | ||||
|  | ||||
| /** | ||||
|  * @author nbaars | ||||
|  * @since 6/13/17. | ||||
|  */ | ||||
| @RestController | ||||
| @RequestMapping("SqlInjection/servers") | ||||
| public class Servers { | ||||
|  | ||||
|     @AllArgsConstructor | ||||
|     @Getter | ||||
|     private class Server { | ||||
|  | ||||
|         private String id; | ||||
|         private String hostname; | ||||
|         private String ip; | ||||
|         private String mac; | ||||
|         private String status; | ||||
|         private String description; | ||||
|     } | ||||
|  | ||||
|     @Autowired | ||||
|     private WebSession webSession; | ||||
|  | ||||
|     @GetMapping(produces = MediaType.APPLICATION_JSON_VALUE) | ||||
|     @SneakyThrows | ||||
|     @ResponseBody | ||||
|     public List<Server> sort(@RequestParam String column) { | ||||
|         Connection connection = DatabaseUtilities.getConnection(webSession); | ||||
|         PreparedStatement preparedStatement = connection.prepareStatement("select id, hostname, ip, mac, status, description from servers  where status <> 'out of order' order by " + column); | ||||
|         ResultSet rs = preparedStatement.executeQuery(); | ||||
|         List<Server> servers = Lists.newArrayList(); | ||||
|         while (rs.next()) { | ||||
|             Server server = new Server(rs.getString(1), rs.getString(2), rs.getString(3), rs.getString(4), rs.getString(5), rs.getString(6)); | ||||
|             servers.add(server); | ||||
|         } | ||||
|         return servers; | ||||
|     } | ||||
|  | ||||
| } | ||||
| @ -0,0 +1,46 @@ | ||||
| package org.owasp.webgoat.plugin.mitigation; | ||||
|  | ||||
| import lombok.SneakyThrows; | ||||
| import lombok.extern.slf4j.Slf4j; | ||||
| import org.owasp.webgoat.assignments.AssignmentEndpoint; | ||||
| import org.owasp.webgoat.assignments.AssignmentHints; | ||||
| import org.owasp.webgoat.assignments.AssignmentPath; | ||||
| import org.owasp.webgoat.assignments.AttackResult; | ||||
| import org.owasp.webgoat.session.DatabaseUtilities; | ||||
| import org.owasp.webgoat.session.WebSession; | ||||
| import org.springframework.beans.factory.annotation.Autowired; | ||||
| import org.springframework.web.bind.annotation.RequestMapping; | ||||
| import org.springframework.web.bind.annotation.RequestMethod; | ||||
| import org.springframework.web.bind.annotation.RequestParam; | ||||
| import org.springframework.web.bind.annotation.ResponseBody; | ||||
|  | ||||
| import java.sql.*; | ||||
|  | ||||
| /** | ||||
|  * @author nbaars | ||||
|  * @since 6/13/17. | ||||
|  */ | ||||
| @AssignmentPath("SqlInjection/attack12a") | ||||
| @AssignmentHints(value = {"SqlStringInjectionHint8", "SqlStringInjectionHint9", "SqlStringInjectionHint10", "SqlStringInjectionHint11"}) | ||||
| @Slf4j | ||||
| public class SqlInjectionLesson12a extends AssignmentEndpoint { | ||||
|  | ||||
|     @Autowired | ||||
|     private WebSession webSession; | ||||
|  | ||||
|     @RequestMapping(method = RequestMethod.POST) | ||||
|     @ResponseBody | ||||
|     @SneakyThrows | ||||
|     public AttackResult completed(@RequestParam String ip) { | ||||
|         Connection connection = DatabaseUtilities.getConnection(webSession); | ||||
|         PreparedStatement preparedStatement = connection.prepareStatement("select ip from servers where ip = ?"); | ||||
|         preparedStatement.setString(1, ip); | ||||
|         ResultSet resultSet = preparedStatement.executeQuery(); | ||||
|         if (resultSet.next()) { | ||||
|             return trackProgress(success().build()); | ||||
|         } | ||||
|         return trackProgress(failed().build()); | ||||
|     } | ||||
| } | ||||
|  | ||||
|  | ||||
| @ -1,4 +1,4 @@ | ||||
| package org.owasp.webgoat.plugin; | ||||
| package org.owasp.webgoat.plugin.mitigation; | ||||
| 
 | ||||
| import org.owasp.webgoat.lessons.Category; | ||||
| import org.owasp.webgoat.lessons.NewLesson; | ||||
| @ -27,6 +27,84 @@ | ||||
|     <div class="adoc-content" th:replace="doc:SqlInjection_content12.adoc"></div> | ||||
| </div> | ||||
|  | ||||
| <div class="lesson-page-wrapper"> | ||||
|     <div class="adoc-content" th:replace="doc:SqlInjection_content12a.adoc"></div> | ||||
| </div> | ||||
|  | ||||
| <div class="lesson-page-wrapper"> | ||||
|     <div class="adoc-content" th:replace="doc:SqlInjection_order_by.adoc"></div> | ||||
|     <script th:src="@{/lesson_js/assignment12.js}" language="JavaScript"></script> | ||||
|     <div class="attack-container"> | ||||
|         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div> | ||||
|         <form class="attack-form" accept-charset="UNKNOWN" | ||||
|               method="POST" name="form" | ||||
|               action="/WebGoat/SqlInjection/attack12a" | ||||
|               enctype="application/json;charset=UTF-8"> | ||||
|             <div class="container-fluid"> | ||||
|                 <div class="row"> | ||||
|                     <div class="panel panel-primary"> | ||||
|                         <div class="panel-heading"> | ||||
|                             <h3>List of servers | ||||
|                                 <div class="pull-right"> | ||||
|                                     <button id="btn-admin" class="btn btn-default"><span | ||||
|                                             class="glyphicon glyphicon-pencil"></span> Edit | ||||
|                                     </button> | ||||
|                                 </div> | ||||
|                             </h3> | ||||
|                         </div> | ||||
|                         <div id="toolbar-admin" class="panel-body"> | ||||
|                             <div class="btn-toolbar" role="toolbar" aria-label="admin"> | ||||
|                                 <div class="btn-group pull-right" role="group"> | ||||
|                                     <button id="btn-online" type="button" class="btn btn-success">Online</button> | ||||
|                                     <button id="btn-offline" type="button" class="btn btn-warning">Offline</button> | ||||
|                                     <button id="btn-out-of-order" type="button" class="btn btn-danger">Out Of Order | ||||
|                                     </button> | ||||
|                                 </div> | ||||
|                             </div> | ||||
|                         </div> | ||||
|                         <table class="table table-striped table-hover"> | ||||
|                             <thead> | ||||
|                             <tr> | ||||
|                                 <th class="col-check"></th> | ||||
|                                 <th></th> | ||||
|                                 <th>Hostname <span onclick="getServers('hostname')"><i | ||||
|                                         class="fa fa-fw fa-sort"></i></span> | ||||
|                                 </th> | ||||
|                                 <th>IP <span onclick="getServers('ip')"><i class="fa fa-fw fa-sort"></i></span></th> | ||||
|                                 <th>MAC <span onclick="getServers('mac')"><i class="fa fa-fw fa-sort"></i></span></th> | ||||
|                                 <th>Status <span onclick="getServers('status')"><i class="fa fa-fw fa-sort"></i></span> | ||||
|                                 </th> | ||||
|                                 <th>Description <span onclick="getServers('description')"><i | ||||
|                                         class="fa fa-fw fa-sort"></i></span> | ||||
|                                 </th> | ||||
|                             </tr> | ||||
|                             </thead> | ||||
|                             <tbody id="servers"> | ||||
|                             </tbody> | ||||
|                         </table> | ||||
|                     </div> | ||||
|                 </div> | ||||
|                 <br/> | ||||
|                 <br/> | ||||
|             </div> | ||||
|         </form> | ||||
|         <form class="attack-form" method="POST" name="form" action="SqlInjection/attack12a"> | ||||
|             <div class="form-group"> | ||||
|                 <div class="input-group"> | ||||
|                     <div class="input-group-addon">IP address webgoat-prd server:</div> | ||||
|                     <input type="text" class="form-control" id="ip" name="ip" | ||||
|                            placeholder="192.1.0.12"/> | ||||
|                 </div> | ||||
|                 <div class="input-group" style="margin-top: 10px"> | ||||
|                     <button type="submit" class="btn btn-primary">Submit</button> | ||||
|                 </div> | ||||
|             </div> | ||||
|         </form> | ||||
|         <div class="attack-feedback"></div> | ||||
|         <div class="attack-output"></div> | ||||
|     </div> | ||||
| </div> | ||||
|  | ||||
| <div class="lesson-page-wrapper"> | ||||
|     <div class="adoc-content" th:replace="doc:SqlInjection_content13.adoc"></div> | ||||
| </div> | ||||
|  | ||||
| @ -9,6 +9,10 @@ SqlStringInjectionHint4=Try entering [ smith' OR '1' = '1 ]. | ||||
| SqlStringInjectionHint5=First try to find out the number of columns by adding a group by 1,2,3 etc to the query. | ||||
| SqlStringInjectionHint6=Try adding a union to the query, the number of columns should match. | ||||
| SqlStringInjectionHint7=Try entering [ Smith' union select userid,user_name, password,cookie,cookie, cookie,userid from user_system_data -- ]. | ||||
| SqlStringInjectionHint8=Try sorting and look at the request | ||||
| SqlStringInjectionHint9=Intercept the request and try to specify a different order by | ||||
| SqlStringInjectionHint10=Use for example "(case when (true) then hostname else id end)" in the order by and see what happens | ||||
| SqlStringInjectionHint11=Use for example "(case when (true) then hostname else id end)" in the order by and see what happens | ||||
|  | ||||
| sql-injection.5a.success=You have succeed: {0} | ||||
| sql-injection.5a.no.results=No results matched. Try Again. | ||||
|  | ||||
| @ -0,0 +1,61 @@ | ||||
| $(function () { | ||||
|     $('.col-check').hide(); | ||||
|     $('#btn-admin').on('click', function () { | ||||
|         if ($("#toolbar-admin").is(":visible")) { | ||||
|             $("#toolbar-admin").hide(); | ||||
|             $(".col-check").hide(); | ||||
|         } | ||||
|         else { | ||||
|             $("#toolbar-admin").show(); | ||||
|             $(".col-check").show(); | ||||
|         } | ||||
|     }); | ||||
|  | ||||
|     $('#btn-online').on('click', function () { | ||||
|         $('table tr').filter(':has(:checkbox:checked)').find('td').parent().removeClass().addClass('success'); | ||||
|         $('table tr').filter(':has(:checkbox:checked)').find('td.status').text('online'); | ||||
|     }); | ||||
|     $('#btn-offline').on('click', function () { | ||||
|         $('table tr').filter(':has(:checkbox:checked)').find('td').parent().removeClass().addClass('warning'); | ||||
|         $('table tr').filter(':has(:checkbox:checked)').find('td.status').text('offline'); | ||||
|     }); | ||||
|     $('#btn-out-of-order').on('click', function () { | ||||
|         $('table tr').filter(':has(:checkbox:checked)').find('td').parent().removeClass().addClass('danger'); | ||||
|         $('table tr').filter(':has(:checkbox:checked)').find('td.status').text('out of order'); | ||||
|     }); | ||||
|  | ||||
| }); | ||||
|  | ||||
| $(document).ready(function () { | ||||
|     getServers('id'); | ||||
| }); | ||||
|  | ||||
| var html = '<tr class="STATUS">' + | ||||
|     '<td class="col-check"><input type="checkbox" class="form-check-input"/></td>' + | ||||
|     '<td>HOSTNAME</td>' + | ||||
|     '<td>IP</td>' + | ||||
|     '<td>MAC</td>' + | ||||
|     '<td class="status">ONLINE</td>' + | ||||
|     '<td>DESCRIPTION</td>' + | ||||
|     '</tr>'; | ||||
|  | ||||
| function getServers(column) { | ||||
|     $.get("SqlInjection/servers?column=" + column, function (result, status) { | ||||
|         $("#servers").empty(); | ||||
|         for (var i = 0; i < result.length; i++) { | ||||
|             var server = html.replace('ID', result[i].id); | ||||
|             var status = "success"; | ||||
|             if (result[i].status === 'offline') { | ||||
|                 status = "danger"; | ||||
|             } | ||||
|             server = server.replace('ONLINE', status); | ||||
|             server = server.replace('STATUS', status); | ||||
|             server = server.replace('HOSTNAME', result[i].hostname); | ||||
|             server = server.replace('IP', result[i].ip); | ||||
|             server = server.replace('MAC', result[i].mac); | ||||
|             server = server.replace('DESCRIPTION', result[i].description); | ||||
|             $("#servers").append(server); | ||||
|         } | ||||
|  | ||||
|     }); | ||||
| } | ||||
| @ -0,0 +1,48 @@ | ||||
| == Order by clause | ||||
|  | ||||
| Question: Does a preparared statement always prevent against an SQL injection? | ||||
| Answer: No it does not | ||||
|  | ||||
| Let's take a look at the following statement: | ||||
|  | ||||
| ---- | ||||
| select * from users order by lastname; | ||||
| ---- | ||||
|  | ||||
| If we look at the specification of the SQL grammar the definition is as follows: | ||||
|  | ||||
| ---- | ||||
| SELECT ... | ||||
| FROM tableList | ||||
| [WHERE Expression] | ||||
| [ORDER BY orderExpression [, ...]] | ||||
|  | ||||
| orderExpression: | ||||
| { columnNr | columnAlias | selectExpression } | ||||
|     [ASC | DESC] | ||||
|  | ||||
| selectExpression: | ||||
| { Expression | COUNT(*) | { | ||||
|     COUNT | MIN | MAX | SUM | AVG | SOME | EVERY | | ||||
|     VAR_POP | VAR_SAMP | STDDEV_POP | STDDEV_SAMP | ||||
| } ([ALL | DISTINCT][2]] Expression) } [[AS] label] | ||||
|  | ||||
| Based on HSQLDB | ||||
| ---- | ||||
|  | ||||
| This means an `orderExpression` van be a `selectExpression` which can be a function as well, so for example with | ||||
| a `case` statement we might be able to ask the database some questions, like: | ||||
|  | ||||
| ---- | ||||
| select * from users order by | ||||
|     (select case when (true) then lastname else firstname) | ||||
| ---- | ||||
|  | ||||
| So we can substitute any kind of boolean operation in the `when(....)` part. The statement will just work because | ||||
| it is a valid query whether you use a prepared statement or not an order by clause can by definition contain a | ||||
| expression. | ||||
|  | ||||
| === Mitigation | ||||
|  | ||||
| If you need to provide a sorting column in your web application you should implement a whitelist to validate the value | ||||
| of the `order by` statement it should always be limited to something like 'firstname' or 'lastname'. | ||||
| @ -1,11 +1,11 @@ | ||||
| === Blind SQL Injection | ||||
| == Blind SQL Injection | ||||
|  | ||||
| Blind SQL injection is a type of SQL injection attack that asks the database true or false | ||||
| questions and determines the answer based on the applications response. This attack is often used when the web | ||||
| application is configured to show generic error messages, but has not mitigated the code that is vulnerable to SQL | ||||
| injection. | ||||
|  | ||||
| ==== Difference | ||||
| === Difference | ||||
|  | ||||
| Let's first start with the difference between a normal SQL injection and a blind SQL injection. In a normal | ||||
| SQL injection the error messages from the database are displayed and gives enough information to find out how | ||||
| @ -16,7 +16,7 @@ based on a true or false statement. That's why a blind SQL injection is much mor | ||||
| There are several different types of blind SQL injections: content based and time based SQL injections. | ||||
|  | ||||
|  | ||||
| ==== Example | ||||
| === Example | ||||
|  | ||||
| In this case we are trying to ask the database a boolean question based on for example a unique id, for example | ||||
| suppose we have the following url: `https://my-shop.com?article=4` | ||||
|  | ||||
| @ -0,0 +1,4 @@ | ||||
| In this assignment try to perform an SQL injection through the ORDER BY field. | ||||
| Try to find the ip address of the `webgoat-prd` server. | ||||
|  | ||||
| Note: The submit field of this assignment is *NOT* vulnerable for an SQL injection. | ||||
| @ -0,0 +1,80 @@ | ||||
| package org.owasp.webgoat.plugin; | ||||
|  | ||||
| import org.junit.Before; | ||||
| import org.junit.Test; | ||||
| import org.junit.runner.RunWith; | ||||
| import org.owasp.webgoat.plugin.introduction.SqlInjection; | ||||
| import org.owasp.webgoat.plugins.LessonTest; | ||||
| import org.owasp.webgoat.session.WebgoatContext; | ||||
| import org.springframework.beans.factory.annotation.Autowired; | ||||
| import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; | ||||
| import org.springframework.test.web.servlet.request.MockMvcRequestBuilders; | ||||
| import org.springframework.test.web.servlet.result.MockMvcResultHandlers; | ||||
| import org.springframework.test.web.servlet.setup.MockMvcBuilders; | ||||
|  | ||||
| import static org.hamcrest.Matchers.is; | ||||
| import static org.mockito.Mockito.when; | ||||
| import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath; | ||||
| import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status; | ||||
|  | ||||
| /** | ||||
|  * @author nbaars | ||||
|  * @since 5/21/17. | ||||
|  */ | ||||
| @RunWith(SpringJUnit4ClassRunner.class) | ||||
| public class SqlInjectionLesson12aTest extends LessonTest { | ||||
|  | ||||
|     @Autowired | ||||
|     private WebgoatContext context; | ||||
|  | ||||
|     @Before | ||||
|     public void setup() throws Exception { | ||||
|         SqlInjection sql = new SqlInjection(); | ||||
|  | ||||
|         when(webSession.getCurrentLesson()).thenReturn(sql); | ||||
|         when(webSession.getWebgoatContext()).thenReturn(context); | ||||
|         this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build(); | ||||
|     } | ||||
|  | ||||
|     @Test | ||||
|     public void knownAccountShouldDisplayData() throws Exception { | ||||
|         mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjection/servers") | ||||
|                 .param("column", "id")) | ||||
|                 .andDo(MockMvcResultHandlers.print()) | ||||
|                 .andExpect(status().isOk()); | ||||
|     } | ||||
|  | ||||
|     @Test | ||||
|     public void trueShouldSortByHostname() throws Exception { | ||||
|         mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjection/servers") | ||||
|                 .param("column", "(case when (true) then hostname else id end)")) | ||||
|                 .andDo(MockMvcResultHandlers.print()) | ||||
|                 .andExpect(status().isOk()) | ||||
|                 .andExpect(status().isOk()).andExpect(jsonPath("$[0].hostname", is("webgoat-acc"))); | ||||
|     } | ||||
|  | ||||
|     @Test | ||||
|     public void falseShouldSortById() throws Exception { | ||||
|         mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjection/servers") | ||||
|                 .param("column", "(case when (true) then hostname else id end)")) | ||||
|                 .andDo(MockMvcResultHandlers.print()) | ||||
|                 .andExpect(status().isOk()) | ||||
|                 .andExpect(status().isOk()).andExpect(jsonPath("$[0].hostname", is("webgoat-acc"))); | ||||
|     } | ||||
|  | ||||
|     @Test | ||||
|     public void passwordIncorrectShouldOrderByHostname() throws Exception { | ||||
|         mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjection/servers") | ||||
|                 .param("column", "CASE WHEN (SELECT ip FROM servers WHERE hostname='webgoat-prd') LIKE '192.%' THEN hostname ELSE id END")) | ||||
|                 .andDo(MockMvcResultHandlers.print()) | ||||
|                 .andExpect(status().isOk()).andExpect(jsonPath("$[0].hostname", is("webgoat-dev"))); | ||||
|     } | ||||
|  | ||||
|     @Test | ||||
|     public void passwordCorrectShouldOrderByHostname() throws Exception { | ||||
|         mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjection/servers") | ||||
|                 .param("column", "CASE WHEN (SELECT ip FROM servers WHERE hostname='webgoat-prd') LIKE '104.%' THEN hostname ELSE id END")) | ||||
|                 .andDo(MockMvcResultHandlers.print()) | ||||
|                 .andExpect(status().isOk()).andExpect(jsonPath("$[0].hostname", is("webgoat-acc"))); | ||||
|     } | ||||
| } | ||||
| @ -3,6 +3,7 @@ package org.owasp.webgoat.plugin; | ||||
| import org.junit.Before; | ||||
| import org.junit.Test; | ||||
| import org.junit.runner.RunWith; | ||||
| import org.owasp.webgoat.plugin.introduction.SqlInjection; | ||||
| import org.owasp.webgoat.plugins.LessonTest; | ||||
| import org.owasp.webgoat.session.WebgoatContext; | ||||
| import org.springframework.beans.factory.annotation.Autowired; | ||||
|  | ||||
		Reference in New Issue
	
	Block a user