From b65644edee7f1120a698e60ea111ed4be68ff8ba Mon Sep 17 00:00:00 2001
From: Rene Zubcevic
Date: Mon, 22 Jul 2019 12:16:18 +0200
Subject: [PATCH] progress fix for SqlInjectionMitigations

---
 .../webgoat/plugin/mitigation/Servers.java | 2 +-
 .../mitigation/SqlInjectionLesson10a.java | 2 +-
 .../mitigation/SqlInjectionLesson10b.java | 2 +-
 .../mitigation/SqlInjectionLesson12a.java | 2 +-
 .../html/SqlInjectionMitigations.html | 6 ++---
 .../mitigation/SqlInjectionLesson12aTest.java | 22 +++++++++----------
 6 files changed, 18 insertions(+), 18 deletions(-)

diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/Servers.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/Servers.java
index cb7ee35c0..cef07f2c4 100644
--- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/Servers.java
+++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/Servers.java
@@ -20,7 +20,7 @@ import java.util.List;
  * @since 6/13/17.
  */
 @RestController
-@RequestMapping("SqlInjection/servers")
+@RequestMapping("SqlInjectionMitigations/servers")
 public class Servers {
 
     @AllArgsConstructor
diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson10a.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson10a.java
index 57add71e3..1c531e2df 100644
--- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson10a.java
+++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson10a.java
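Review bot: The `@RequestMapping` rename to `SqlInjectionMitigations/servers` has no visible counterpart on the client side — the diffstat touches only three lines of `SqlInjectionMitigations.html` for four renamed server paths, so whatever script populates the servers table presumably lives in a file outside this patch and may still request `SqlInjection/servers`. A stale caller would surface as a runtime 404 in the lesson page rather than a build or test failure, because `SqlInjectionLesson12aTest` only exercises the new path directly. The mapping also carries no note on why the endpoint sits under this lesson; a one-liner such as `// mapped under the SqlInjectionMitigations lesson so assignment progress is attributed to it` would document the intent of this commit in the code. The rest of `Servers` lies outside the hunk.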
@@ -13,7 +13,7 @@ import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
 
-@AssignmentPath("SqlInjection/attack10a")
+@AssignmentPath("SqlInjectionMitigations/attack10a")
 @Slf4j
 @AssignmentHints(value = {"SqlStringInjectionHint-mitigation-10a-1", "SqlStringInjectionHint-mitigation-10a-10a2"})
 public class SqlInjectionLesson10a extends AssignmentEndpoint {
diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson10b.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson10b.java
index 3b358c99a..b47c7580c 100644
--- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson10b.java
+++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson10b.java
@@ -18,7 +18,7 @@ import java.util.List;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
-@AssignmentPath("SqlInjection/attack10b")
+@AssignmentPath("SqlInjectionMitigations/attack10b")
 @AssignmentHints(value = {"SqlStringInjectionHint-mitigation-10b-1", "SqlStringInjectionHint-mitigation-10b-2", "SqlStringInjectionHint-mitigation-10b-3", "SqlStringInjectionHint-mitigation-10b-4", "SqlStringInjectionHint-mitigation-10b-5"})
 public class SqlInjectionLesson10b extends AssignmentEndpoint {
 
diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson12a.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson12a.java
index 8d1820cdd..d99be9505 100644
--- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson12a.java
+++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson12a.java
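Review bot: The second hint key in the `@AssignmentHints` context line of the `SqlInjectionLesson10a` hunk, `SqlStringInjectionHint-mitigation-10a-10a2`, breaks the `-<lesson>-<n>` pattern every other key in this patch follows (`-10b-1` … `-10b-5`, `-12a-1` … `-12a-4`) and reads like a typo for `SqlStringInjectionHint-mitigation-10a-2`. It is pre-existing, but since the commit already touches this annotation block it is worth confirming the key exists in the lesson's message bundle; an unknown key does not fail the build, the hint just never resolves for the learner. The class body continues outside the hunk.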
@@ -20,7 +20,7 @@ import java.sql.*;
  * @author nbaars
  * @since 6/13/17.
  */
-@AssignmentPath("SqlInjection/attack12a")
+@AssignmentPath("SqlInjectionMitigations/attack12a")
 @AssignmentHints(value = {"SqlStringInjectionHint-mitigation-12a-1", "SqlStringInjectionHint-mitigation-12a-2", "SqlStringInjectionHint-mitigation-12a-3", "SqlStringInjectionHint-mitigation-12a-4"})
 @Slf4j
 public class SqlInjectionLesson12a extends AssignmentEndpoint {
diff --git a/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjectionMitigations.html b/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjectionMitigations.html
index 6f17f56ea..92cc1eca7 100644
--- a/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjectionMitigations.html
+++ b/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjectionMitigations.html
@@ -23,7 +23,7 @@
-
+

Connection conn = DriverManager.(DBURL, DBUSER, DBPW);

= conn.("SELECT status FROM users WHERE name= AND mail=");

@@ -42,7 +42,7 @@
- +
@@ -78,7 +78,7 @@
diff --git a/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson12aTest.java b/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson12aTest.java
index cee8e8c13..974d48b7f 100644
--- a/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson12aTest.java
+++ b/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson12aTest.java
@@ -38,7 +38,7 @@ public class SqlInjectionLesson12aTest extends LessonTest {
 
     @Test
     public void knownAccountShouldDisplayData() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjection/servers")
+        mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjectionMitigations/servers")
                 .param("column", "id"))
                 .andExpect(status().isOk());
 
@@ -46,7 +46,7 @@ public class SqlInjectionLesson12aTest extends LessonTest {
 
     @Test
     public void addressCorrectShouldOrderByHostname() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjection/servers")
+        mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjectionMitigations/servers")
                 .param("column", "CASE WHEN (SELECT ip FROM servers WHERE hostname='webgoat-prd') LIKE '104.%' THEN hostname ELSE id END"))
                 .andExpect(status().isOk()).andExpect(jsonPath("$[0].hostname", is("webgoat-acc")));
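Review bot: The literal `"/SqlInjectionMitigations/servers"` is now repeated in every test method of this file (the two hunks here plus those at @@ -54, -72, -80, -89 and -98 below), and `"/SqlInjectionMitigations/attack12a"` twice more at @@ -106 and -114; this commit is itself the cost of that duplication, since one route change became an eleven-line edit. Define the paths once, `private static final String SERVERS_URL = "/SqlInjectionMitigations/servers";` and `private static final String ATTACK_URL = "/SqlInjectionMitigations/attack12a";`, and call `MockMvcRequestBuilders.get(SERVERS_URL)` / `post(ATTACK_URL)` so the next rename touches two lines. The test class starts above the hunk.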
@@ -54,17 +54,17 @@ public class SqlInjectionLesson12aTest extends LessonTest {
 
     @Test
     public void addressCorrectShouldOrderByHostnameUsingSubstr() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjection/servers")
+        mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjectionMitigations/servers")
                 .param("column", "case when (select ip from servers where hostname='webgoat-prd' and substr(ip,1,1) = '1') IS NOT NULL then hostname else id end"))
                 .andExpect(status().isOk()).andExpect(jsonPath("$[0].hostname", is("webgoat-acc")));
 
-        mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjection/servers")
+        mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjectionMitigations/servers")
                 .param("column", "case when (select ip from servers where hostname='webgoat-prd' and substr(ip,2,1) = '0') IS NOT NULL then hostname else id end"))
                 .andExpect(status().isOk()).andExpect(jsonPath("$[0].hostname", is("webgoat-acc")));
 
-        mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjection/servers")
+        mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjectionMitigations/servers")
                 .param("column", "case when (select ip from servers where hostname='webgoat-prd' and substr(ip,3,1) = '4') IS NOT NULL then hostname else id end"))
                 .andExpect(status().isOk()).andExpect(jsonPath("$[0].hostname", is("webgoat-acc")));
@@ -72,7 +72,7 @@ public class SqlInjectionLesson12aTest extends LessonTest {
 
     @Test
     public void addressIncorrectShouldOrderByIdUsingSubstr() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjection/servers")
+        mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjectionMitigations/servers")
                 .param("column", "case when (select ip from servers where hostname='webgoat-prd' and substr(ip,1,1) = '9') IS NOT NULL then hostname else id end"))
                 .andExpect(status().isOk()).andExpect(jsonPath("$[0].hostname", is("webgoat-dev")));
@@ -80,7 +80,7 @@ public class SqlInjectionLesson12aTest extends LessonTest {
 
     @Test
     public void trueShouldSortByHostname() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjection/servers")
+        mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjectionMitigations/servers")
                 .param("column", "(case when (true) then hostname else id end)"))
                 .andExpect(status().isOk())
@@ -89,7 +89,7 @@ public class SqlInjectionLesson12aTest extends LessonTest {
 
     @Test
     public void falseShouldSortById() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjection/servers")
+        mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjectionMitigations/servers")
                 .param("column", "(case when (true) then hostname else id end)"))
                 .andExpect(status().isOk())
@@ -98,7 +98,7 @@ public class SqlInjectionLesson12aTest extends LessonTest {
 
     @Test
     public void addressIncorrectShouldOrderByHostname() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjection/servers")
+        mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjectionMitigations/servers")
                 .param("column", "CASE WHEN (SELECT ip FROM servers WHERE hostname='webgoat-prd') LIKE '192.%' THEN hostname ELSE id END"))
                 .andExpect(status().isOk()).andExpect(jsonPath("$[0].hostname", is("webgoat-dev")));
@@ -106,7 +106,7 @@ public class SqlInjectionLesson12aTest extends LessonTest {
 
     @Test
     public void postingCorrectAnswerShouldPassTheLesson() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/attack12a")
+        mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjectionMitigations/attack12a")
                 .param("ip", "104.130.219.202"))
                 .andExpect(status().isOk()).andExpect(jsonPath("$.lessonCompleted", is(true)));
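Review bot: In the @@ -89 hunk, `falseShouldSortById` sends `(case when (true) then hostname else id end)` — byte-for-byte the same expression `trueShouldSortByHostname` sends in the hunk above it — so unless the assertion that follows below the hunk differs, this test does not exercise the `false` branch its name promises and would pass for the wrong reason. The intended parameter is presumably `.param("column", "(case when (false) then hostname else id end)")` with an expectation on `webgoat-dev` (the id-ordered first row the other tests in this file use). This is pre-existing rather than introduced by the rename, but the commit is the natural place to catch it; both method bodies end outside their hunks.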
@@ -114,7 +114,7 @@ public class SqlInjectionLesson12aTest extends LessonTest {
 
     @Test
     public void postingWrongAnswerShouldNotPassTheLesson() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/attack12a")
+        mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjectionMitigations/attack12a")
                 .param("ip", "192.168.219.202"))
                 .andExpect(status().isOk()).andExpect(jsonPath("$.lessonCompleted", is(false)));