Adding extra lesson for order by clauses

webgoat-container/src/main/java/org/owasp/webgoat/CleanupLocalProgressFiles.java

@@ -4,6 +4,7 @@ import lombok.extern.slf4j.Slf4j;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnExpression;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.util.FileSystemUtils;
 
 import javax.annotation.PostConstruct;
 import java.io.File;
@@ -23,14 +24,6 @@ public class CleanupLocalProgressFiles {
     @PostConstruct
     public void clean() {
         File dir = new File(webgoatHome);
-        if (dir.exists()) {
+        FileSystemUtils.deleteRecursively(dir);
-            File[] progressFiles = dir.listFiles(f -> f.getName().endsWith(".progress"));
-            if (progressFiles != null) {
-                log.info("Removing stored user preferences...");
-                for (File f : progressFiles) {
-                    f.delete();
-                }
-            }
-        }
     }
 }

webgoat-container/src/main/java/org/owasp/webgoat/session/CreateDB.java

@@ -8,68 +8,104 @@ import java.sql.Statement;
 
 /**
  * ************************************************************************************************
- *
+ * <p>
- *
+ * <p>
  * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
  * please see http://www.owasp.org/
- *
+ * <p>
  * Copyright (c) 2002 - 20014 Bruce Mayhew
- *
+ * <p>
  * This program is free software; you can redistribute it and/or modify it under the terms of the
  * GNU General Public License as published by the Free Software Foundation; either version 2 of the
  * License, or (at your option) any later version.
- *
+ * <p>
  * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
  * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  * General Public License for more details.
- *
+ * <p>
  * You should have received a copy of the GNU General Public License along with this program; if
  * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
  * 02111-1307, USA.
- *
+ * <p>
  * Getting Source ==============
- *
+ * <p>
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
  * projects.
  *
  * @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
  * @version $Id: $Id
  */
-public class CreateDB
+public class CreateDB {
-{
 
     /**
      * Description of the Method
      *
-	 * @param connection
+     * @param connection Description of the Parameter
-	 *            Description of the Parameter
+     * @throws SQLException Description of the Exception
-	 * 
-	 * @exception SQLException
-	 *                Description of the Exception
      */
-	private void createMessageTable(Connection connection) throws SQLException
+    private void createServersTable(Connection connection) throws SQLException {
-	{
+        Statement statement = connection.createStatement();
+
+        // Drop servers table
+        try {
+            String dropTable = "DROP TABLE servers";
+            statement.executeUpdate(dropTable);
+        } catch (SQLException e) {
+            System.out.println("Info - Could not drop servers table");
+        }
+
+        // Create the new table
+        try {
+            String createTableStatement = "CREATE TABLE servers"
+                    + " (" + "id varchar(10),"
+                    + "hostname varchar(20),"
+                    + "ip varchar(20),"
+                    + "mac varchar(20),"
+                    + "status varchar(20),"
+                    + "description varchar(40)"
+                    + ")";
+            statement.executeUpdate(createTableStatement);
+
+            String insertData1 = "INSERT INTO servers VALUES ('1', 'webgoat-dev', '192.168.4.0', 'AA:BB:11:22:CC:DD', 'online', 'Development server')";
+            String insertData2 = "INSERT INTO servers VALUES ('2', 'webgoat-tst', '192.168.2.1', 'EE:FF:33:44:AB:CD', 'online', 'Test server')";
+            String insertData3 = "INSERT INTO servers VALUES ('3', 'webgoat-acc', '192.168.3.3', 'EF:12:FE:34:AA:CC', 'offline', 'Acceptance server')";
+            String insertData4 = "INSERT INTO servers VALUES ('4', 'webgoat-pre-prod', '192.168.6.4', 'EF:12:FE:34:AA:CC', 'offline', 'Pre-production server')";
+            String insertData5 = "INSERT INTO servers VALUES ('4', 'webgoat-prd', '104.130.219.202', 'FA:91:EB:82:DC:73', 'out of order', 'Production server')";
+            statement.executeUpdate(insertData1);
+            statement.executeUpdate(insertData2);
+            statement.executeUpdate(insertData3);
+            statement.executeUpdate(insertData4);
+            statement.executeUpdate(insertData5);
+        } catch (SQLException e) {
+            System.out.println("Error creating product table " + e.getLocalizedMessage());
+        }
+    }
+
+
+    /**
+     * Description of the Method
+     *
+     * @param connection Description of the Parameter
+     * @throws SQLException Description of the Exception
+     */
+    private void createMessageTable(Connection connection) throws SQLException {
         Statement statement = connection.createStatement();
 
         // Drop admin user table
-		try
+        try {
-		{
             String dropTable = "DROP TABLE messages";
             statement.executeUpdate(dropTable);
-		} catch (SQLException e)
+        } catch (SQLException e) {
-		{
             System.out.println("Info - Could not drop message database");
         }
 
         // Create the new table
-		try
+        try {
-		{
             String createTableStatement = "CREATE TABLE messages (" + "num int not null," + "title varchar(50),"
                     + "message varchar(200)," + "user_name varchar(50) not null, " + "lesson_type varchar(50) not null"
                     + ")";
             statement.executeUpdate(createTableStatement);
-		} catch (SQLException e)
+        } catch (SQLException e) {
-		{
             System.out.println("Error creating message database " + e.getLocalizedMessage());
         }
     }
@@ -78,35 +114,27 @@ public class CreateDB
      * Description of the Method
      *
      * @param connection Description of the Parameter
-     *
+     * @throws SQLException Description of the Exception
-     * @exception SQLException Description of the Exception
      */
-    private void createMFEImagesTable(Connection connection) throws SQLException
+    private void createMFEImagesTable(Connection connection) throws SQLException {
-    {
         Statement statement = connection.createStatement();
 
         // Drop mfe_images table
-		try
+        try {
-		{
             String dropTable = "DROP TABLE mfe_images";
             statement.executeUpdate(dropTable);
-		}
+        } catch (SQLException e) {
-		catch (SQLException e)
-		{
             System.out.println("Info - Could not drop mfe_images table from database");
         }
 
         // Create the new mfe_images table
-		try
+        try {
-		{
             String createTableStatement = "CREATE TABLE mfe_images ("
                     + "user_name varchar(50) not null, "
                     + "image_relative_url varchar(50) not null"
                     + ")";
             statement.executeUpdate(createTableStatement);
-		}
+        } catch (SQLException e) {
-		catch (SQLException e)
-		{
             System.out.println("Error creating mfe_images table in database " + e.getLocalizedMessage());
         }
 
@@ -115,35 +143,27 @@ public class CreateDB
     /**
      * Description of the Method
      *
-	 * @param connection
+     * @param connection Description of the Parameter
-	 *            Description of the Parameter
+     * @throws SQLException Description of the Exception
-	 * 
-	 * @exception SQLException
-	 *                Description of the Exception
      */
-	private void createProductTable(Connection connection) throws SQLException
+    private void createProductTable(Connection connection) throws SQLException {
-	{
         Statement statement = connection.createStatement();
 
         // Drop admin user table
-		try
+        try {
-		{
             String dropTable = "DROP TABLE product_system_data";
             statement.executeUpdate(dropTable);
-		} catch (SQLException e)
+        } catch (SQLException e) {
-		{
             System.out.println("Info - Could not drop product table");
         }
 
         // Create the new table
-		try
+        try {
-		{
             String createTableStatement = "CREATE TABLE product_system_data ("
                     + "productid varchar(6) not null primary key," + "product_name varchar(20)," + "price varchar(10)"
                     + ")";
             statement.executeUpdate(createTableStatement);
-		} catch (SQLException e)
+        } catch (SQLException e) {
-		{
             System.out.println("Error creating product table " + e.getLocalizedMessage());
         }
 
@@ -163,34 +183,26 @@ public class CreateDB
     /**
      * Description of the Method
      *
-	 * @param connection
+     * @param connection Description of the Parameter
-	 *            Description of the Parameter
+     * @throws SQLException Description of the Exception
-	 * 
-	 * @exception SQLException
-	 *                Description of the Exception
      */
-	private void createUserAdminTable(Connection connection) throws SQLException
+    private void createUserAdminTable(Connection connection) throws SQLException {
-	{
         Statement statement = connection.createStatement();
 
         // Drop admin user table
-		try
+        try {
-		{
             String dropTable = "DROP TABLE user_system_data";
             statement.executeUpdate(dropTable);
-		} catch (SQLException e)
+        } catch (SQLException e) {
-		{
             System.out.println("Info - Could not drop user admin table");
         }
 
         // Create the new table
-		try
+        try {
-		{
             String createTableStatement = "CREATE TABLE user_system_data (" + "userid varchar(5) not null primary key,"
                     + "user_name varchar(12)," + "password varchar(10)," + "cookie varchar(30)" + ")";
             statement.executeUpdate(createTableStatement);
-		} catch (SQLException e)
+        } catch (SQLException e) {
-		{
             System.out.println("Error creating user admin table " + e.getLocalizedMessage());
         }
 
@@ -210,35 +222,27 @@ public class CreateDB
     /**
      * Description of the Method
      *
-	 * @param connection
+     * @param connection Description of the Parameter
-	 *            Description of the Parameter
+     * @throws SQLException Description of the Exception
-	 * 
-	 * @exception SQLException
-	 *                Description of the Exception
      */
-	private void createUserDataTable(Connection connection) throws SQLException
+    private void createUserDataTable(Connection connection) throws SQLException {
-	{
         Statement statement = connection.createStatement();
 
         // Delete table if there is one
-		try
+        try {
-		{
             String dropTable = "DROP TABLE user_data";
             statement.executeUpdate(dropTable);
-		} catch (SQLException e)
+        } catch (SQLException e) {
-		{
             System.out.println("Info - Could not drop user table");
         }
 
         // Create the new table
-		try
+        try {
-		{
             String createTableStatement = "CREATE TABLE user_data (" + "userid int not null,"
                     + "first_name varchar(20)," + "last_name varchar(20)," + "cc_number varchar(30),"
                     + "cc_type varchar(10)," + "cookie varchar(20)," + "login_count int" + ")";
             statement.executeUpdate(createTableStatement);
-		} catch (SQLException e)
+        } catch (SQLException e) {
-		{
             System.out.println("Error creating user table " + e.getLocalizedMessage());
         }
 
@@ -272,61 +276,49 @@ public class CreateDB
 
     }
 
-	private void createLoginTable(Connection connection) throws SQLException
+    private void createLoginTable(Connection connection) throws SQLException {
-	{
         Statement statement = connection.createStatement();
 
         // Delete table if there is one
-		try
+        try {
-		{
             String dropTable = "DROP TABLE user_login";
             statement.executeUpdate(dropTable);
-		} catch (SQLException e)
+        } catch (SQLException e) {
-		{
             System.out.println("Info - Could not drop user_login table");
         }
 
         // Create the new table
-		try
+        try {
-		{
             String createTableStatement = "CREATE TABLE user_login (" + "userid varchar(5),"
                     + "webgoat_user varchar(20)" + ")";
             statement.executeUpdate(createTableStatement);
-		} catch (SQLException e)
+        } catch (SQLException e) {
-		{
             System.out.println("Error creating user_login table " + e.getLocalizedMessage());
         }
 
     }
 
     // creates the table pins which is used in the blind sql injection lesson
-	private void createBlindSQLLessonTable(Connection connection) throws SQLException
+    private void createBlindSQLLessonTable(Connection connection) throws SQLException {
-    {
         Statement statement = connection.createStatement();
 
         // Delete table if there is one
-		try
+        try {
-		{
             String dropTable = "DROP TABLE pins";
             statement.executeUpdate(dropTable);
-		}
+        } catch (SQLException e) {
-		catch (SQLException e)
-		{
             System.out.println("Info - Could not drop pins table");
         }
 
         // Create the new table
-		try
+        try {
-		{
             String createTableStatement = "CREATE TABLE pins ("
                     + "cc_number varchar(30),"
                     + "pin int,"
                     + "name varchar(20)"
                     + ")";
             statement.executeUpdate(createTableStatement);
-		}
+        } catch (SQLException e) {
-		catch (SQLException e)
-		{
             System.out.println("Error creating pins table " + e.getLocalizedMessage());
         }
 
@@ -347,32 +339,25 @@ public class CreateDB
 
     // creates the table salaries which is used in the lessons
     // which add or modify data using sql injection
-	private void createModifyWithSQLLessonTable(Connection connection) throws SQLException
+    private void createModifyWithSQLLessonTable(Connection connection) throws SQLException {
-    {
         Statement statement = connection.createStatement();
 
         // Delete table if there is one
-		try
+        try {
-		{
             String dropTable = "DROP TABLE salaries";
             statement.executeUpdate(dropTable);
-		}
+        } catch (SQLException e) {
-		catch (SQLException e)
-		{
             System.out.println("Info - Could not drop salaries table");
         }
 
         // Create the new table
-		try
+        try {
-		{
             String createTableStatement = "CREATE TABLE salaries ("
                     + "userid varchar(50),"
                     + "salary int"
                     + ")";
             statement.executeUpdate(createTableStatement);
-		}
+        } catch (SQLException e) {
-		catch (SQLException e)
-		{
             System.out.println("Error creating salaries table " + e.getLocalizedMessage());
         }
 
@@ -394,35 +379,27 @@ public class CreateDB
     /**
      * Description of the Method
      *
-	 * @param connection
+     * @param connection Description of the Parameter
-	 *            Description of the Parameter
+     * @throws SQLException Description of the Exception
-	 * 
-	 * @exception SQLException
-	 *                Description of the Exception
      */
-	private void createWeatherDataTable(Connection connection) throws SQLException
+    private void createWeatherDataTable(Connection connection) throws SQLException {
-	{
         Statement statement = connection.createStatement();
 
         // Delete table if there is one
-		try
+        try {
-		{
             String dropTable = "DROP TABLE weather_data";
             statement.executeUpdate(dropTable);
-		} catch (SQLException e)
+        } catch (SQLException e) {
-		{
             System.out.println("Info - Could not drop weather table");
         }
 
         // Create the new table
-		try
+        try {
-		{
             String createTableStatement = "CREATE TABLE weather_data (" + "station int not null,"
                     + "name varchar(20) not null," + "state char(2) not null," + "min_temp int not null,"
                     + "max_temp int not null" + ")";
             statement.executeUpdate(createTableStatement);
-		} catch (SQLException e)
+        } catch (SQLException e) {
-		{
             System.out.println("Error creating weather table " + e.getLocalizedMessage());
         }
 
@@ -447,30 +424,25 @@ public class CreateDB
      * @param connection
      * @throws SQLException
      */
-	private void createTanUserDataTable(Connection connection) throws SQLException
+    private void createTanUserDataTable(Connection connection) throws SQLException {
-	{
         Statement statement = connection.createStatement();
 
         // Delete table if there is one
-		try
+        try {
-		{
             String dropTable = "DROP TABLE user_data_tan";
             statement.executeUpdate(dropTable);
-		} catch (SQLException e)
+        } catch (SQLException e) {
-		{
             System.out.println("Info - Could not drop user_data_tan table");
         }
 
         // Create the new table
-		try
+        try {
-		{
             String createTableStatement = "CREATE TABLE user_data_tan (" + "userid int not null,"
                     + "first_name varchar(20)," + "last_name varchar(20)," + "cc_number varchar(30),"
                     + "cc_type varchar(10)," + "cookie varchar(20)," + "login_count int," + "password varchar(20)"
                     + ")";
             statement.executeUpdate(createTableStatement);
-		} catch (SQLException e)
+        } catch (SQLException e) {
-		{
             System.out.println("Error creating user_data_tan table " + e.getLocalizedMessage());
         }
 
@@ -490,28 +462,23 @@ public class CreateDB
      * @param connection
      * @throws SQLException
      */
-	private void createTanTable(Connection connection) throws SQLException
+    private void createTanTable(Connection connection) throws SQLException {
-	{
         Statement statement = connection.createStatement();
 
         // Delete table if there is one
-		try
+        try {
-		{
             String dropTable = "DROP TABLE tan";
             statement.executeUpdate(dropTable);
-		} catch (SQLException e)
+        } catch (SQLException e) {
-		{
             System.out.println("Info - Could not drop tan table");
         }
 
         // Create the new table
-		try
+        try {
-		{
             String createTableStatement = "CREATE TABLE tan (" + "userid int not null," + "tanNr int," + "tanValue int"
                     + ")";
             statement.executeUpdate(createTableStatement);
-		} catch (SQLException e)
+        } catch (SQLException e) {
-		{
             System.out.println("Error creating tan table " + e.getLocalizedMessage());
         }
 
@@ -552,22 +519,18 @@ public class CreateDB
     // --------------------------------------------------------------------------
     // --------------------------------------------------------------------------
 
-	private void createEmployeeTable(Connection connection) throws SQLException
+    private void createEmployeeTable(Connection connection) throws SQLException {
-	{
         Statement statement = connection.createStatement();
 
-		try
+        try {
-		{
             String dropTable = "DROP TABLE employee";
             statement.executeUpdate(dropTable);
-		} catch (SQLException e)
+        } catch (SQLException e) {
-		{
             System.out.println("Info - Could not drop employee table");
         }
 
         // Create Table
-		try
+        try {
-		{
             String createTable = "CREATE TABLE employee ("
                     // + "userid INT GENERATED ALWAYS AS IDENTITY PRIMARY KEY,"
                     + "userid INT NOT NULL PRIMARY KEY," + "first_name VARCHAR(20)," + "last_name VARCHAR(20),"
@@ -582,8 +545,7 @@ public class CreateDB
                     + ")";
 
             statement.executeUpdate(createTable);
-		} catch (SQLException e)
+        } catch (SQLException e) {
-		{
             System.out.println("Error: unable to create employee table " + e.getLocalizedMessage());
         }
 
@@ -649,27 +611,22 @@ public class CreateDB
 
     }
 
-	private void createRolesTable(Connection connection) throws SQLException
+    private void createRolesTable(Connection connection) throws SQLException {
-	{
         Statement statement = connection.createStatement();
 
-		try
+        try {
-		{
             String dropTable = "DROP TABLE roles";
             statement.executeUpdate(dropTable);
-		} catch (SQLException e)
+        } catch (SQLException e) {
-		{
             System.out.println("Info - Could not drop roles table");
         }
 
-		try
+        try {
-		{
             String createTable = "CREATE TABLE roles (" + "userid INT NOT NULL," + "role VARCHAR(10) NOT NULL,"
                     + "PRIMARY KEY (userid, role)" + ")";
 
             statement.executeUpdate(createTable);
-		} catch (SQLException e)
+        } catch (SQLException e) {
-		{
             System.out.println("Error: Unable to create role table: " + e.getLocalizedMessage());
         }
 
@@ -700,27 +657,22 @@ public class CreateDB
         statement.executeUpdate(insertData12);
     }
 
-	private void createAuthTable(Connection connection) throws SQLException
+    private void createAuthTable(Connection connection) throws SQLException {
-	{
         Statement statement = connection.createStatement();
 
-		try
+        try {
-		{
             String dropTable = "DROP TABLE auth";
             statement.executeUpdate(dropTable);
-		} catch (SQLException e)
+        } catch (SQLException e) {
-		{
             System.out.println("Info - Could not drop auth table");
         }
 
-		try
+        try {
-		{
             String createTable = "CREATE TABLE auth (" + "role VARCHAR(10) NOT NULL,"
                     + "functionid VARCHAR(20) NOT NULL," + "PRIMARY KEY (role, functionid)" + ")";
 
             statement.executeUpdate(createTable);
-		} catch (SQLException e)
+        } catch (SQLException e) {
-		{
             System.out.println("Error: unable to create auth table: " + e.getLocalizedMessage());
         }
 
@@ -807,27 +759,22 @@ public class CreateDB
         //statement.executeUpdate(insertData28);
     }
 
-	private void createOwnershipTable(Connection connection) throws SQLException
+    private void createOwnershipTable(Connection connection) throws SQLException {
-	{
         Statement statement = connection.createStatement();
 
-		try
+        try {
-		{
             String dropTable = "DROP TABLE ownership";
             statement.executeUpdate(dropTable);
-		} catch (SQLException e)
+        } catch (SQLException e) {
-		{
             System.out.println("Info - Could not drop ownership table");
         }
 
-		try
+        try {
-		{
             String createTable = "CREATE TABLE ownership (" + "employer_id INT NOT NULL," + "employee_id INT NOT NULL,"
                     + "PRIMARY KEY (employee_id, employer_id)" + ")";
 
             statement.executeUpdate(createTable);
-		} catch (SQLException e)
+        } catch (SQLException e) {
-		{
             System.out.println("Error: unable to create ownership table: " + e.getLocalizedMessage());
         }
 
@@ -951,29 +898,24 @@ public class CreateDB
      * Start creation of data for WebServices labs
      */
 
-	private void createTransactionTable(Connection connection) throws SQLException
+    private void createTransactionTable(Connection connection) throws SQLException {
-	{
         Statement statement = connection.createStatement();
 
-		try
+        try {
-		{
             String dropTable = "DROP TABLE transactions";
             statement.executeUpdate(dropTable);
-		} catch (SQLException e)
+        } catch (SQLException e) {
-		{
             System.out.println("Info - Could not drop transactions table");
         }
 
-		try
+        try {
-		{
             String createTable = "CREATE TABLE Transactions (" + "userName VARCHAR(16) NOT NULL, "
                     + "sequence INTEGER NOT NULL, " + "from_account VARCHAR(16) NOT NULL, "
                     + "to_account VARCHAR(16) NOT NULL, " + "transactionDate TIMESTAMP NOT NULL, "
                     + "description VARCHAR(255) NOT NULL, " + "amount INTEGER NOT NULL" + ")";
 
             statement.executeUpdate(createTable);
-		} catch (SQLException e)
+        } catch (SQLException e) {
-		{
             System.out.println("Error: unable to create transactions table: " + e.getLocalizedMessage());
             throw e;
         }
@@ -988,34 +930,31 @@ public class CreateDB
                 "'jeff', 6, '934-2002-3485', '783-2409-8234', '2008-02-01 21:40:00', 'Vet', '250'",
                 "'jeff', 7, '934-2002-3485', '634-5879-0345', '2008-02-19 21:41:00', 'Doctor', '800'",
                 "'jeff', 8, '934-2002-3485', '435-4325-3358', '2008-02-20 21:42:00', 'X-rays', '200'",};
-		try
+        try {
-		{
+            for (int i = 0; i < data.length; i++) {
-			for (int i = 0; i < data.length; i++)
-			{
                 statement.executeUpdate("INSERT INTO Transactions VALUES (" + data[i] + ");");
             }
-		} catch (SQLException sqle)
+        } catch (SQLException sqle) {
-		{
             System.out.println("Error: Unable to insert transactions:  " + sqle.getLocalizedMessage());
             int errorCode = sqle.getErrorCode();
             System.out.println("Error Code: " + errorCode);
             // ignore exceptions for Oracle and SQL Server
-			if (errorCode != 911 && errorCode != 273) { throw sqle; }
+            if (errorCode != 911 && errorCode != 273) {
+                throw sqle;
+            }
         }
     }
 
     /**
      * Description of the Method
      *
-	 * @param connection
+     * @param connection Description of the Parameter
-	 *            Description of the Parameter
+     * @throws SQLException          Description of the Exception
-	 * @exception SQLException
-	 *                Description of the Exception
      * @throws java.sql.SQLException if any.
      */
-	public void makeDB(Connection connection) throws SQLException
+    public void makeDB(Connection connection) throws SQLException {
-	{
         System.out.println("Successful connection to database");
+        createServersTable(connection);
         createUserDataTable(connection);
         createLoginTable(connection);
         createBlindSQLLessonTable(connection);

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/advanced/SqlInjectionAdvanced.java

@@ -1,4 +1,4 @@
-package org.owasp.webgoat.plugin;
+package org.owasp.webgoat.plugin.advanced;
 
 import org.owasp.webgoat.lessons.Category;
 import org.owasp.webgoat.lessons.NewLesson;

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/advanced/SqlInjectionChallenge.java

@@ -1,4 +1,4 @@
-package org.owasp.webgoat.plugin;
+package org.owasp.webgoat.plugin.advanced;
 
 import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.lang3.RandomStringUtils;

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjection.java

@@ -1,4 +1,4 @@
-package org.owasp.webgoat.plugin;
+package org.owasp.webgoat.plugin.introduction;
 
 import java.util.ArrayList;
 import java.util.List;

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson5a.java

@@ -1,5 +1,5 @@
 
-package org.owasp.webgoat.plugin;
+package org.owasp.webgoat.plugin.introduction;
 
 import org.owasp.webgoat.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.assignments.AssignmentHints;

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson5b.java

@@ -1,4 +1,4 @@
-package org.owasp.webgoat.plugin;
+package org.owasp.webgoat.plugin.introduction;
 
 
 import org.owasp.webgoat.assignments.AssignmentEndpoint;

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson6a.java

@@ -1,5 +1,5 @@
 
-package org.owasp.webgoat.plugin;
+package org.owasp.webgoat.plugin.introduction;
 
 import org.owasp.webgoat.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.assignments.AssignmentHints;
@@ -14,8 +14,6 @@ import org.springframework.web.bind.annotation.ResponseBody;
 import java.io.IOException;
 import java.sql.*;
 
-import static org.owasp.webgoat.plugin.SqlInjectionLesson5a.writeTable;
-
 
 /***************************************************************************************************
  *
@@ -74,7 +72,7 @@ public class SqlInjectionLesson6a extends AssignmentEndpoint {
                     ResultSetMetaData resultsMetaData = results.getMetaData();
                     StringBuffer output = new StringBuffer();
 
-                    output.append(writeTable(results, resultsMetaData));
+                    output.append(SqlInjectionLesson5a.writeTable(results, resultsMetaData));
                     results.last();
 
                     // If they get back more than one user they succeeded

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson6b.java

@@ -1,5 +1,5 @@
 
-package org.owasp.webgoat.plugin;
+package org.owasp.webgoat.plugin.introduction;
 
 import org.owasp.webgoat.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.assignments.AssignmentPath;

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/Servers.java

@@ -0,0 +1,56 @@
+package org.owasp.webgoat.plugin.mitigation;
+
+import com.google.common.collect.Lists;
+import lombok.AllArgsConstructor;
+import lombok.Getter;
+import lombok.SneakyThrows;
+import org.owasp.webgoat.session.DatabaseUtilities;
+import org.owasp.webgoat.session.WebSession;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.http.MediaType;
+import org.springframework.web.bind.annotation.*;
+
+import java.sql.Connection;
+import java.sql.PreparedStatement;
+import java.sql.ResultSet;
+import java.util.List;
+
+/**
+ * @author nbaars
+ * @since 6/13/17.
+ */
+@RestController
+@RequestMapping("SqlInjection/servers")
+public class Servers {
+
+    @AllArgsConstructor
+    @Getter
+    private class Server {
+
+        private String id;
+        private String hostname;
+        private String ip;
+        private String mac;
+        private String status;
+        private String description;
+    }
+
+    @Autowired
+    private WebSession webSession;
+
+    @GetMapping(produces = MediaType.APPLICATION_JSON_VALUE)
+    @SneakyThrows
+    @ResponseBody
+    public List<Server> sort(@RequestParam String column) {
+        Connection connection = DatabaseUtilities.getConnection(webSession);
+        PreparedStatement preparedStatement = connection.prepareStatement("select id, hostname, ip, mac, status, description from servers  where status <> 'out of order' order by " + column);
+        ResultSet rs = preparedStatement.executeQuery();
+        List<Server> servers = Lists.newArrayList();
+        while (rs.next()) {
+            Server server = new Server(rs.getString(1), rs.getString(2), rs.getString(3), rs.getString(4), rs.getString(5), rs.getString(6));
+            servers.add(server);
+        }
+        return servers;
+    }
+
+}

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson12a.java

@@ -0,0 +1,46 @@
+package org.owasp.webgoat.plugin.mitigation;
+
+import lombok.SneakyThrows;
+import lombok.extern.slf4j.Slf4j;
+import org.owasp.webgoat.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.assignments.AssignmentHints;
+import org.owasp.webgoat.assignments.AssignmentPath;
+import org.owasp.webgoat.assignments.AttackResult;
+import org.owasp.webgoat.session.DatabaseUtilities;
+import org.owasp.webgoat.session.WebSession;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.bind.annotation.ResponseBody;
+
+import java.sql.*;
+
+/**
+ * @author nbaars
+ * @since 6/13/17.
+ */
+@AssignmentPath("SqlInjection/attack12a")
+@AssignmentHints(value = {"SqlStringInjectionHint8", "SqlStringInjectionHint9", "SqlStringInjectionHint10", "SqlStringInjectionHint11"})
+@Slf4j
+public class SqlInjectionLesson12a extends AssignmentEndpoint {
+
+    @Autowired
+    private WebSession webSession;
+
+    @RequestMapping(method = RequestMethod.POST)
+    @ResponseBody
+    @SneakyThrows
+    public AttackResult completed(@RequestParam String ip) {
+        Connection connection = DatabaseUtilities.getConnection(webSession);
+        PreparedStatement preparedStatement = connection.prepareStatement("select ip from servers where ip = ?");
+        preparedStatement.setString(1, ip);
+        ResultSet resultSet = preparedStatement.executeQuery();
+        if (resultSet.next()) {
+            return trackProgress(success().build());
+        }
+        return trackProgress(failed().build());
+    }
+}
+
+

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionMitigations.java

@@ -1,4 +1,4 @@
-package org.owasp.webgoat.plugin;
+package org.owasp.webgoat.plugin.mitigation;
 
 import org.owasp.webgoat.lessons.Category;
 import org.owasp.webgoat.lessons.NewLesson;

webgoat-lessons/sql-injection/src/main/resources/html/SqlInjectionMitigations.html

@@ -27,6 +27,84 @@
     <div class="adoc-content" th:replace="doc:SqlInjection_content12.adoc"></div>
 </div>
 
+<div class="lesson-page-wrapper">
+    <div class="adoc-content" th:replace="doc:SqlInjection_content12a.adoc"></div>
+</div>
+
+<div class="lesson-page-wrapper">
+    <div class="adoc-content" th:replace="doc:SqlInjection_order_by.adoc"></div>
+    <script th:src="@{/lesson_js/assignment12.js}" language="JavaScript"></script>
+    <div class="attack-container">
+        <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
+        <form class="attack-form" accept-charset="UNKNOWN"
+              method="POST" name="form"
+              action="/WebGoat/SqlInjection/attack12a"
+              enctype="application/json;charset=UTF-8">
+            <div class="container-fluid">
+                <div class="row">
+                    <div class="panel panel-primary">
+                        <div class="panel-heading">
+                            <h3>List of servers
+                                <div class="pull-right">
+                                    <button id="btn-admin" class="btn btn-default"><span
+                                            class="glyphicon glyphicon-pencil"></span> Edit
+                                    </button>
+                                </div>
+                            </h3>
+                        </div>
+                        <div id="toolbar-admin" class="panel-body">
+                            <div class="btn-toolbar" role="toolbar" aria-label="admin">
+                                <div class="btn-group pull-right" role="group">
+                                    <button id="btn-online" type="button" class="btn btn-success">Online</button>
+                                    <button id="btn-offline" type="button" class="btn btn-warning">Offline</button>
+                                    <button id="btn-out-of-order" type="button" class="btn btn-danger">Out Of Order
+                                    </button>
+                                </div>
+                            </div>
+                        </div>
+                        <table class="table table-striped table-hover">
+                            <thead>
+                            <tr>
+                                <th class="col-check"></th>
+                                <th></th>
+                                <th>Hostname <span onclick="getServers('hostname')"><i
+                                        class="fa fa-fw fa-sort"></i></span>
+                                </th>
+                                <th>IP <span onclick="getServers('ip')"><i class="fa fa-fw fa-sort"></i></span></th>
+                                <th>MAC <span onclick="getServers('mac')"><i class="fa fa-fw fa-sort"></i></span></th>
+                                <th>Status <span onclick="getServers('status')"><i class="fa fa-fw fa-sort"></i></span>
+                                </th>
+                                <th>Description <span onclick="getServers('description')"><i
+                                        class="fa fa-fw fa-sort"></i></span>
+                                </th>
+                            </tr>
+                            </thead>
+                            <tbody id="servers">
+                            </tbody>
+                        </table>
+                    </div>
+                </div>
+                <br/>
+                <br/>
+            </div>
+        </form>
+        <form class="attack-form" method="POST" name="form" action="SqlInjection/attack12a">
+            <div class="form-group">
+                <div class="input-group">
+                    <div class="input-group-addon">IP address webgoat-prd server:</div>
+                    <input type="text" class="form-control" id="ip" name="ip"
+                           placeholder="192.1.0.12"/>
+                </div>
+                <div class="input-group" style="margin-top: 10px">
+                    <button type="submit" class="btn btn-primary">Submit</button>
+                </div>
+            </div>
+        </form>
+        <div class="attack-feedback"></div>
+        <div class="attack-output"></div>
+    </div>
+</div>
+
 <div class="lesson-page-wrapper">
     <div class="adoc-content" th:replace="doc:SqlInjection_content13.adoc"></div>
 </div>

webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties

@@ -9,6 +9,10 @@ SqlStringInjectionHint4=Try entering [ smith' OR '1' = '1 ].
 SqlStringInjectionHint5=First try to find out the number of columns by adding a group by 1,2,3 etc to the query.
 SqlStringInjectionHint6=Try adding a union to the query, the number of columns should match.
 SqlStringInjectionHint7=Try entering [ Smith' union select userid,user_name, password,cookie,cookie, cookie,userid from user_system_data -- ].
+SqlStringInjectionHint8=Try sorting and look at the request
+SqlStringInjectionHint9=Intercept the request and try to specify a different order by
+SqlStringInjectionHint10=Use for example "(case when (true) then hostname else id end)" in the order by and see what happens
+SqlStringInjectionHint11=Use for example "(case when (true) then hostname else id end)" in the order by and see what happens
 
 sql-injection.5a.success=You have succeed: {0}
 sql-injection.5a.no.results=No results matched. Try Again.

webgoat-lessons/sql-injection/src/main/resources/js/assignment12.js

@@ -0,0 +1,61 @@
+$(function () {
+    $('.col-check').hide();
+    $('#btn-admin').on('click', function () {
+        if ($("#toolbar-admin").is(":visible")) {
+            $("#toolbar-admin").hide();
+            $(".col-check").hide();
+        }
+        else {
+            $("#toolbar-admin").show();
+            $(".col-check").show();
+        }
+    });
+
+    $('#btn-online').on('click', function () {
+        $('table tr').filter(':has(:checkbox:checked)').find('td').parent().removeClass().addClass('success');
+        $('table tr').filter(':has(:checkbox:checked)').find('td.status').text('online');
+    });
+    $('#btn-offline').on('click', function () {
+        $('table tr').filter(':has(:checkbox:checked)').find('td').parent().removeClass().addClass('warning');
+        $('table tr').filter(':has(:checkbox:checked)').find('td.status').text('offline');
+    });
+    $('#btn-out-of-order').on('click', function () {
+        $('table tr').filter(':has(:checkbox:checked)').find('td').parent().removeClass().addClass('danger');
+        $('table tr').filter(':has(:checkbox:checked)').find('td.status').text('out of order');
+    });
+
+});
+
+$(document).ready(function () {
+    getServers('id');
+});
+
+var html = '<tr class="STATUS">' +
+    '<td class="col-check"><input type="checkbox" class="form-check-input"/></td>' +
+    '<td>HOSTNAME</td>' +
+    '<td>IP</td>' +
+    '<td>MAC</td>' +
+    '<td class="status">ONLINE</td>' +
+    '<td>DESCRIPTION</td>' +
+    '</tr>';
+
+function getServers(column) {
+    $.get("SqlInjection/servers?column=" + column, function (result, status) {
+        $("#servers").empty();
+        for (var i = 0; i < result.length; i++) {
+            var server = html.replace('ID', result[i].id);
+            var status = "success";
+            if (result[i].status === 'offline') {
+                status = "danger";
+            }
+            server = server.replace('ONLINE', status);
+            server = server.replace('STATUS', status);
+            server = server.replace('HOSTNAME', result[i].hostname);
+            server = server.replace('IP', result[i].ip);
+            server = server.replace('MAC', result[i].mac);
+            server = server.replace('DESCRIPTION', result[i].description);
+            $("#servers").append(server);
+        }
+
+    });
+}

webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content12a.adoc

@@ -0,0 +1,48 @@
+== Order by clause
+
+Question: Does a preparared statement always prevent against an SQL injection?
+Answer: No it does not
+
+Let's take a look at the following statement:
+
+----
+select * from users order by lastname;
+----
+
+If we look at the specification of the SQL grammar the definition is as follows:
+
+----
+SELECT ...
+FROM tableList
+[WHERE Expression]
+[ORDER BY orderExpression [, ...]]
+
+orderExpression:
+{ columnNr | columnAlias | selectExpression }
+    [ASC | DESC]
+
+selectExpression:
+{ Expression | COUNT(*) | {
+    COUNT | MIN | MAX | SUM | AVG | SOME | EVERY |
+    VAR_POP | VAR_SAMP | STDDEV_POP | STDDEV_SAMP
+} ([ALL | DISTINCT][2]] Expression) } [[AS] label]
+
+Based on HSQLDB
+----
+
+This means an `orderExpression` van be a `selectExpression` which can be a function as well, so for example with
+a `case` statement we might be able to ask the database some questions, like:
+
+----
+select * from users order by
+    (select case when (true) then lastname else firstname)
+----
+
+So we can substitute any kind of boolean operation in the `when(....)` part. The statement will just work because
+it is a valid query whether you use a prepared statement or not an order by clause can by definition contain a
+expression.
+
+=== Mitigation
+
+If you need to provide a sorting column in your web application you should implement a whitelist to validate the value
+of the `order by` statement it should always be limited to something like 'firstname' or 'lastname'.

webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content6c.adoc

@@ -1,11 +1,11 @@
-=== Blind SQL Injection
+== Blind SQL Injection
 
 Blind SQL injection is a type of SQL injection attack that asks the database true or false
 questions and determines the answer based on the applications response. This attack is often used when the web
 application is configured to show generic error messages, but has not mitigated the code that is vulnerable to SQL
 injection.
 
-==== Difference
+=== Difference
 
 Let's first start with the difference between a normal SQL injection and a blind SQL injection. In a normal
 SQL injection the error messages from the database are displayed and gives enough information to find out how
@@ -16,7 +16,7 @@ based on a true or false statement. That's why a blind SQL injection is much mor
 There are several different types of blind SQL injections: content based and time based SQL injections.
 
 
-==== Example
+=== Example
 
 In this case we are trying to ask the database a boolean question based on for example a unique id, for example
 suppose we have the following url: `https://my-shop.com?article=4`

webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_order_by.adoc

@@ -0,0 +1,4 @@
+In this assignment try to perform an SQL injection through the ORDER BY field.
+Try to find the ip address of the `webgoat-prd` server.
+
+Note: The submit field of this assignment is *NOT* vulnerable for an SQL injection.

webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/plugin/SqlInjectionLesson12aTest.java

@@ -0,0 +1,80 @@
+package org.owasp.webgoat.plugin;
+
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.owasp.webgoat.plugin.introduction.SqlInjection;
+import org.owasp.webgoat.plugins.LessonTest;
+import org.owasp.webgoat.session.WebgoatContext;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
+import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
+import org.springframework.test.web.servlet.result.MockMvcResultHandlers;
+import org.springframework.test.web.servlet.setup.MockMvcBuilders;
+
+import static org.hamcrest.Matchers.is;
+import static org.mockito.Mockito.when;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+
+/**
+ * @author nbaars
+ * @since 5/21/17.
+ */
+@RunWith(SpringJUnit4ClassRunner.class)
+public class SqlInjectionLesson12aTest extends LessonTest {
+
+    @Autowired
+    private WebgoatContext context;
+
+    @Before
+    public void setup() throws Exception {
+        SqlInjection sql = new SqlInjection();
+
+        when(webSession.getCurrentLesson()).thenReturn(sql);
+        when(webSession.getWebgoatContext()).thenReturn(context);
+        this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
+    }
+
+    @Test
+    public void knownAccountShouldDisplayData() throws Exception {
+        mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjection/servers")
+                .param("column", "id"))
+                .andDo(MockMvcResultHandlers.print())
+                .andExpect(status().isOk());
+    }
+
+    @Test
+    public void trueShouldSortByHostname() throws Exception {
+        mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjection/servers")
+                .param("column", "(case when (true) then hostname else id end)"))
+                .andDo(MockMvcResultHandlers.print())
+                .andExpect(status().isOk())
+                .andExpect(status().isOk()).andExpect(jsonPath("$[0].hostname", is("webgoat-acc")));
+    }
+
+    @Test
+    public void falseShouldSortById() throws Exception {
+        mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjection/servers")
+                .param("column", "(case when (true) then hostname else id end)"))
+                .andDo(MockMvcResultHandlers.print())
+                .andExpect(status().isOk())
+                .andExpect(status().isOk()).andExpect(jsonPath("$[0].hostname", is("webgoat-acc")));
+    }
+
+    @Test
+    public void passwordIncorrectShouldOrderByHostname() throws Exception {
+        mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjection/servers")
+                .param("column", "CASE WHEN (SELECT ip FROM servers WHERE hostname='webgoat-prd') LIKE '192.%' THEN hostname ELSE id END"))
+                .andDo(MockMvcResultHandlers.print())
+                .andExpect(status().isOk()).andExpect(jsonPath("$[0].hostname", is("webgoat-dev")));
+    }
+
+    @Test
+    public void passwordCorrectShouldOrderByHostname() throws Exception {
+        mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjection/servers")
+                .param("column", "CASE WHEN (SELECT ip FROM servers WHERE hostname='webgoat-prd') LIKE '104.%' THEN hostname ELSE id END"))
+                .andDo(MockMvcResultHandlers.print())
+                .andExpect(status().isOk()).andExpect(jsonPath("$[0].hostname", is("webgoat-acc")));
+    }
+}

webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/plugin/SqlInjectionLesson5aTest.java

@@ -3,6 +3,7 @@ package org.owasp.webgoat.plugin;
 import org.junit.Before;
 import org.junit.Test;
 import org.junit.runner.RunWith;
+import org.owasp.webgoat.plugin.introduction.SqlInjection;
 import org.owasp.webgoat.plugins.LessonTest;
 import org.owasp.webgoat.session.WebgoatContext;
 import org.springframework.beans.factory.annotation.Autowired;