dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add a new DBSQLInjection lesson

Browse Source 
git-svn-id: http://webgoat.googlecode.com/svn/trunk@171 4033779f-a91e-0410-96ef-6bf7bf53c507
This commit is contained in:
rogan.dawes
2007-07-11 12:55:23 +00:00
parent 17fe003f2f
commit bc2faede19
17 changed files with 966 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

253
webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/DBSQLInjection/DBSQLInjection.java Executable file
View File

@ -0,0 +1,253 @@
package org.owasp.webgoat.lessons.DBSQLInjection;
import java.util.ArrayList;
import java.util.List;
import org.apache.ecs.ElementContainer;
import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.lessons.GoatHillsFinancial.DeleteProfile;
import org.owasp.webgoat.lessons.GoatHillsFinancial.EditProfile;
import org.owasp.webgoat.lessons.GoatHillsFinancial.FindProfile;
import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial;
import org.owasp.webgoat.lessons.GoatHillsFinancial.LessonAction;
import org.owasp.webgoat.lessons.GoatHillsFinancial.ListStaff;
import org.owasp.webgoat.lessons.GoatHillsFinancial.Logout;
import org.owasp.webgoat.lessons.GoatHillsFinancial.SearchStaff;
import org.owasp.webgoat.lessons.GoatHillsFinancial.UpdateProfile;
import org.owasp.webgoat.lessons.GoatHillsFinancial.ViewProfile;
import org.owasp.webgoat.session.ParameterNotFoundException;
import org.owasp.webgoat.session.UnauthenticatedException;
import org.owasp.webgoat.session.UnauthorizedException;
import org.owasp.webgoat.session.ValidationException;
import org.owasp.webgoat.session.WebSession;
/*******************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
*
* Copyright (c) 2002 - 2007 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at code.google.com, a repository
* for free software projects.
*
* For details, please see http://code.google.com/p/webgoat/
*/
public class DBSQLInjection extends GoatHillsFinancial
{
private final static Integer DEFAULT_RANKING = new Integer(75);
public final static int PRIZE_EMPLOYEE_ID = 112;
public final static String PRIZE_EMPLOYEE_NAME = "Neville Bartholomew";
public final static String STAGE1 = "Stage 1";
public final static String STAGE2 = "Stage 2";
public void registerActions(String className)
{
registerAction(new ListStaff(this, className, LISTSTAFF_ACTION));
registerAction(new SearchStaff(this, className, SEARCHSTAFF_ACTION));
registerAction(new ViewProfile(this, className, VIEWPROFILE_ACTION));
registerAction(new EditProfile(this, className, EDITPROFILE_ACTION));
registerAction(new EditProfile(this, className, CREATEPROFILE_ACTION));
// These actions are special in that they chain to other actions.
registerAction(new Login(this, className, LOGIN_ACTION,
getAction(LISTSTAFF_ACTION)));
registerAction(new Logout(this, className, LOGOUT_ACTION,
getAction(LOGIN_ACTION)));
registerAction(new FindProfile(this, className, FINDPROFILE_ACTION,
getAction(VIEWPROFILE_ACTION)));
registerAction(new UpdateProfile(this, className,
UPDATEPROFILE_ACTION, getAction(VIEWPROFILE_ACTION)));
registerAction(new DeleteProfile(this, className,
DELETEPROFILE_ACTION, getAction(LISTSTAFF_ACTION)));
}
/**
* Gets the category attribute of the CrossSiteScripting object
*
* @return The category value
*/
public Category getDefaultCategory()
{
return Category.A6;
}
/**
* Gets the hints attribute of the DirectoryScreen object
*
* @return The hints value
*/
protected List<String> getHints(WebSession s)
{
List<String> hints = new ArrayList<String>();
hints
.add("The application is taking your input and inserting it at the end of a pre-formed SQL command.");
hints
.add("This is the code for the query being built and issued by WebGoat:<br><br> "
+ "stmt := 'SELECT USERID FROM EMPLOYEE WHERE USERID = ' || v_id || ' AND PASSWORD = ''' || v_password || '''';<br>"
+ "EXECUTE IMMEDIATE stmt INTO v_userid;");
hints
.add("Compound SQL statements can be made by joining multiple tests with keywords like AND and OR. "
+ "Remember: You need to end up with a SQL statement that only returns one row, since we are using an INTO clause");
// Stage 1
hints
.add("You may need to use WebScarab to remove a field length limit to fit your attack.");
hints.add("Try entering a password of [ ' OR userid=112 OR password=' ].");
// Stage 2
hints
.add("Change the Stored procedure to use bind variables.");
return hints;
}
@Override
public String[] getStages() {
return new String[] {STAGE1, STAGE2};
}
/**
* Gets the instructions attribute of the ParameterInjection object
*
* @return The instructions value
*/
public String getInstructions(WebSession s)
{
String instructions = "";
if (!getLessonTracker(s).getCompleted())
{
String stage = getStage(s);
if (STAGE1.equals(stage))
{
instructions = "Use String SQL Injection to bypass authentication. "
+ "The goal here is to login as the user "
+ PRIZE_EMPLOYEE_NAME
+ ", who is in the Admin group. "
+ "You do not have the password, but the form is SQL injectable.";
}
else if (STAGE2.equals(stage))
{
instructions = "Use bind variables.<br>"
+ "Update the stored procedure in the database to use bind variables, rather than string concatenation";
}
}
return instructions;
}
public void handleRequest(WebSession s)
{
if (s.getLessonSession(this) == null)
s.openLessonSession(this);
String requestedActionName = null;
try
{
requestedActionName = s.getParser().getStringParameter("action");
}
catch (ParameterNotFoundException pnfe)
{
// Let them eat login page.
requestedActionName = LOGIN_ACTION;
}
if (requestedActionName != null)
{
try
{
LessonAction action = getAction(requestedActionName);
if (action != null)
{
//System.out.println("CrossSiteScripting.handleRequest() dispatching to: " + action.getActionName());
if (!action.requiresAuthentication()
|| action.isAuthenticated(s))
{
action.handleRequest(s);
//setCurrentAction(s, action.getNextPage(s));
}
}
else
setCurrentAction(s, ERROR_ACTION);
}
catch (ParameterNotFoundException pnfe)
{
System.out.println("Missing parameter");
pnfe.printStackTrace();
setCurrentAction(s, ERROR_ACTION);
}
catch (ValidationException ve)
{
System.out.println("Validation failed");
ve.printStackTrace();
setCurrentAction(s, ERROR_ACTION);
}
catch (UnauthenticatedException ue)
{
s.setMessage("Login failed");
System.out.println("Authentication failure");
ue.printStackTrace();
}
catch (UnauthorizedException ue2)
{
s.setMessage("You are not authorized to perform this function");
System.out.println("Authorization failure");
ue2.printStackTrace();
}
catch (Exception e)
{
// All other errors send the user to the generic error page
System.out.println("handleRequest() error");
e.printStackTrace();
setCurrentAction(s, ERROR_ACTION);
}
}
// All this does for this lesson is ensure that a non-null content exists.
setContent(new ElementContainer());
}
protected Integer getDefaultRanking()
{
return DEFAULT_RANKING;
}
/**
* Gets the title attribute of the CrossSiteScripting object
*
* @return The title value
*/
public String getTitle()
{
return "LAB: DB SQL Injection";
}
@Override
protected boolean getDefaultHidden() {
return ! getWebgoatContext().getDatabaseDriver().contains("oracle");
}
}

240
webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/DBSQLInjection/Login.java Executable file
View File

@ -0,0 +1,240 @@
package org.owasp.webgoat.lessons.DBSQLInjection;
import java.sql.CallableStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.List;
import java.util.Vector;
import org.owasp.webgoat.lessons.GoatHillsFinancial.DefaultLessonAction;
import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial;
import org.owasp.webgoat.lessons.GoatHillsFinancial.LessonAction;
import org.owasp.webgoat.session.EmployeeStub;
import org.owasp.webgoat.session.ParameterNotFoundException;
import org.owasp.webgoat.session.UnauthenticatedException;
import org.owasp.webgoat.session.UnauthorizedException;
import org.owasp.webgoat.session.ValidationException;
import org.owasp.webgoat.session.WebSession;
/*******************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
*
* Copyright (c) 2002 - 2007 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at code.google.com, a repository
* for free software projects.
*
* For details, please see http://code.google.com/p/webgoat/
*/
public class Login extends DefaultLessonAction
{
private LessonAction chainedAction;
public Login(GoatHillsFinancial lesson, String lessonName, String actionName,
LessonAction chainedAction)
{
super(lesson, lessonName, actionName);
this.chainedAction = chainedAction;
}
public void handleRequest(WebSession s) throws ParameterNotFoundException,
ValidationException
{
//System.out.println("Login.handleRequest()");
getLesson().setCurrentAction(s, getActionName());
List employees = getAllEmployees(s);
setSessionAttribute(s, getLessonName() + "."
+ DBSQLInjection.STAFF_ATTRIBUTE_KEY, employees);
String employeeId = null;
try
{
employeeId = s.getParser().getStringParameter(
DBSQLInjection.EMPLOYEE_ID);
String password = s.getParser().getRawParameter(
DBSQLInjection.PASSWORD);
// Attempt authentication
boolean authenticated = login(s, employeeId, password);
if (authenticated)
{
// Execute the chained Action if authentication succeeded.
try
{
chainedAction.handleRequest(s);
}
catch (UnauthenticatedException ue1)
{
System.out.println("Internal server error");
ue1.printStackTrace();
}
catch (UnauthorizedException ue2)
{
System.out.println("Internal server error");
ue2.printStackTrace();
}
}
else
s.setMessage("Login failed");
}
catch (ParameterNotFoundException pnfe)
{
// No credentials offered, so we log them out
setSessionAttribute(s, getLessonName() + ".isAuthenticated",
Boolean.FALSE);
}
}
public String getNextPage(WebSession s)
{
String nextPage = DBSQLInjection.LOGIN_ACTION;
if (isAuthenticated(s))
nextPage = chainedAction.getNextPage(s);
return nextPage;
}
public boolean requiresAuthentication()
{
return false;
}
public boolean login(WebSession s, String userId, String password)
{
System.out.println("Using \"" + password + "\"");
boolean authenticated = false;
try
{
String call = "{ CALL EMPLOYEE_LOGIN(?,?) }";
try
{
CallableStatement statement = WebSession.getConnection(s)
.prepareCall(call, ResultSet.TYPE_SCROLL_INSENSITIVE,
ResultSet.CONCUR_READ_ONLY);
statement.setInt(1, Integer.parseInt(userId));
statement.setString(2, password);
// if this executes successfully, we are authenticated
statement.execute();
setSessionAttribute(s,
getLessonName() + ".isAuthenticated", Boolean.TRUE);
setSessionAttribute(s, getLessonName() + "."
+ DBSQLInjection.USER_ID, userId);
authenticated = true;
if (DBSQLInjection.STAGE1.equals(getStage(s)) &&
DBSQLInjection.PRIZE_EMPLOYEE_ID == Integer.parseInt(userId))
{
setStageComplete(s, DBSQLInjection.STAGE1);
s.setMessage("Congratulations, you have completed " + DBSQLInjection.STAGE1);
}
}
catch (SQLException sqle)
{
s.setMessage("Error logging in: " + sqle.getLocalizedMessage());
sqle.printStackTrace();
if (DBSQLInjection.STAGE2.equals(getStage(s)))
{
try
{
String call2 = "{ CALL EMPLOYEE_LOGIN_BACKUP(?,?) }";
CallableStatement statement = WebSession.getConnection(s)
.prepareCall(call2, ResultSet.TYPE_SCROLL_INSENSITIVE,
ResultSet.CONCUR_READ_ONLY);
statement.setInt(1, Integer.parseInt(userId));
statement.setString(2, password);
statement.execute();
setStageComplete(s, DBSQLInjection.STAGE2);
s.setMessage("Congratulations, you have completed " + DBSQLInjection.STAGE2);
}
catch (SQLException sqle2){}
}
}
}
catch (Exception e)
{
s.setMessage("Error logging in: " + e.getLocalizedMessage());
e.printStackTrace();
}
//System.out.println("Lesson login result: " + authenticated);
return authenticated;
}
public List getAllEmployees(WebSession s)
{
List<EmployeeStub> employees = new Vector<EmployeeStub>();
// Query the database for all roles the given employee belongs to
// Query the database for all employees "owned" by these roles
try
{
String query = "SELECT employee.userid,first_name,last_name,role FROM employee,roles "
+ "where employee.userid=roles.userid";
try
{
Statement answer_statement = WebSession.getConnection(s)
.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,
ResultSet.CONCUR_READ_ONLY);
ResultSet answer_results = answer_statement.executeQuery(query);
answer_results.beforeFirst();
while (answer_results.next())
{
int employeeId = answer_results.getInt("userid");
String firstName = answer_results.getString("first_name");
String lastName = answer_results.getString("last_name");
String role = answer_results.getString("role");
EmployeeStub stub = new EmployeeStub(employeeId, firstName,
lastName, role);
employees.add(stub);
}
}
catch (SQLException sqle)
{
s.setMessage("Error getting employees");
sqle.printStackTrace();
}
}
catch (Exception e)
{
s.setMessage("Error getting employees");
e.printStackTrace();
}
return employees;
}
}

29
webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/DBSQLInjection/Login_i.java Executable file
View File

@ -0,0 +1,29 @@
package org.owasp.webgoat.lessons.instructor.DBSQLInjection;
/*
* The solution is to choose Neville's userid, and enter a password like:
* ' OR userid=112 OR password='
* Modify the Stored procedure LOGIN_EMPLOYEE to use fixed statements or bind variables
*
*
CREATE OR REPLACE PROCEDURE EMPLOYEE_LOGIN(v_id NUMBER, v_password VARCHAR) AS
v_userid NUMBER;
BEGIN
SELECT USERID INTO v_userid FROM EMPLOYEE
WHERE USERID = v_id
AND PASSWORD = v_password;
END;
/
* OR
CREATE OR REPLACE PROCEDURE EMPLOYEE_LOGIN(v_id NUMBER, v_password VARCHAR) AS
stmt VARCHAR(32767);
v_userid NUMBER;
BEGIN
stmt := 'SELECT USERID FROM EMPLOYEE WHERE USERID = :1 AND PASSWORD = :2';
EXECUTE IMMEDIATE stmt INTO v_userid USING v_id, v_password;
END;
/
*/

BIN
webgoat/main/project/WebContent/WEB-INF/lib/ojdbc14.jar Executable file
View File

Binary file not shown.

14
webgoat/main/project/WebContent/lessons/DBSQLInjection/DBSQLInjection.css Executable file
View File

@ -0,0 +1,14 @@
#lesson_wrapper {height: 435px;width: 500px;}
#lesson_header {background-image: url(lessons/DBSQLInjection/images/lesson1_header.jpg);width: 490px;padding-right: 10px;padding-top: 60px;background-repeat: no-repeat;}
.lesson_workspace {background-image: url(lessons/DBSQLInjection/images/lesson1_workspace.jpg);width: 489px;height: 325px;padding-left: 10px;padding-top: 10px;background-repeat: no-repeat;}
.lesson_text {height: 240px;width: 460px;padding-top: 5px;}
#lesson_buttons_bottom {height: 20px;width: 460px;}
#lesson_b_b_left {width: 300px;float: left;}
#lesson_b_b_right input {width: 100px;float: right;}
.lesson_title_box {height: 20px;width: 420px;padding-left: 30px;}
.lesson_workspace { }
.lesson_txt_10 {font-family: Arial, Helvetica, sans-serif;font-size: 10px;}
.lesson_text_db {color: #0066FF}
#lesson_login {background-image: url(lessons/DBSQLInjection/images/lesson1_loginWindow.jpg);height: 124px;width: 311px;background-repeat: no-repeat;padding-top: 30px;margin-left: 80px;margin-top: 50px;text-align: center;}
#lesson_login_txt {font-family: Arial, Helvetica, sans-serif;font-size: 12px;text-align: center;}
#lesson_search {background-image: url(lessons/DBSQLInjection/images/lesson1_SearchWindow.jpg);height: 124px;width: 311px;background-repeat: no-repeat;padding-top: 30px;margin-left: 80px;margin-top: 50px;text-align: center;}

26
webgoat/main/project/WebContent/lessons/DBSQLInjection/DBSQLInjection.jsp Executable file
View File

@ -0,0 +1,26 @@
<%@ page contentType="text/html; charset=ISO-8859-1" language="java"
import="org.owasp.webgoat.session.*, org.owasp.webgoat.lessons.DBSQLInjection.DBSQLInjection"
errorPage="" %>
<style>
<jsp:include page="DBSQLInjection.css" />
</style>
<%
WebSession webSession = ((WebSession)session.getAttribute("websession"));
DBSQLInjection currentLesson = (DBSQLInjection) webSession.getCurrentLesson();
%>
<div id="lesson_wrapper">
<div id="lesson_header"></div>
<div class="lesson_workspace">
<%
String subViewPage = currentLesson.getPage(webSession);
if (subViewPage != null)
{
//System.out.println("Including sub view page: " + subViewPage);
%>
<jsp:include page="<%=subViewPage%>" />
<%
}
%>
</div>
</div>

133
webgoat/main/project/WebContent/lessons/DBSQLInjection/EditProfile.jsp Executable file
View File

@ -0,0 +1,133 @@
<%@ page contentType="text/html; charset=ISO-8859-1" language="java"
import="java.util.*, org.owasp.webgoat.session.*, org.owasp.webgoat.lessons.DBSQLInjection.DBSQLInjection"
errorPage="" %>
<%
WebSession webSession = ((WebSession)session.getAttribute("websession"));
Employee employee = (Employee) session.getAttribute("DBDBSQLInjection.Employee");
%>
<div class="lesson_title_box"><strong>Welcome Back </strong><span class="lesson_text_db"><%=webSession.getUserNameInLesson()%></span></div>
<div class="lesson_text">
<form id="form1" name="form1" method="post" action="attack?menu=<%=webSession.getCurrentMenu()%>">
<Table>
<TR><TD>
First Name:
</TD>
<TD>
<input class="lesson_text_db" name="<%=DBSQLInjection.FIRST_NAME%>" type="text" value="<%=employee.getFirstName()%>"/>
</TD>
<TD>
Last Name:
</TD>
<TD>
<input class="lesson_text_db" name="<%=DBSQLInjection.LAST_NAME%>" type="text" value="<%=employee.getLastName()%>"/>
</TD>
</TR>
<TR><TD>
Street:
</TD>
<TD>
<input class="lesson_text_db" name="<%=DBSQLInjection.ADDRESS1%>" type="text" value="<%=employee.getAddress1()%>"/>
</TD>
<TD>
City/State:
<TD>
<input class="lesson_text_db" name="<%=DBSQLInjection.ADDRESS2%>" type="text" value="<%=employee.getAddress2()%>"/>
</TD>
</TR>
<TR><TD>
Phone:
</TD>
<TD>
<input class="lesson_text_db" name="<%=DBSQLInjection.PHONE_NUMBER%>" type="text" value="<%=employee.getPhoneNumber()%>"/>
</TD>
<TD>
Start Date:
</TD>
<TD>
<input class="lesson_text_db" name="<%=DBSQLInjection.START_DATE%>" type="text" value="<%=employee.getStartDate()%>"/>
</TD>
</TR>
<TR><TD>
SSN:
</TD>
<TD>
<input class="lesson_text_db" name="<%=DBSQLInjection.SSN%>" type="text" value="<%=employee.getSsn()%>"/>
</TD>
<TD>
Salary:
</TD>
<TD>
<input class="lesson_text_db" name="<%=DBSQLInjection.SALARY%>" type="text" value="<%=employee.getSalary()%>"/>
</TD>
</TR>
<TR><TD>
Credit Card:
</TD>
<TD>
<input class="lesson_text_db" name="<%=DBSQLInjection.CCN%>" type="text" value="<%=employee.getCcn()%>"/>
</TD>
<TD>
Credit Card Limit:
</TD>
<TD>
<input class="lesson_text_db" name="<%=DBSQLInjection.CCN_LIMIT%>" type="text" value="<%=employee.getCcnLimit()%>"/>
</TD>
</TR>
<TR><TD>
Comments:
</TD>
<TD>
<input class="lesson_text_db" name="<%=DBSQLInjection.DESCRIPTION%>" type="text" value="<%=employee.getPersonalDescription()%>"/>
</TD>
<TD>
Manager:
</TD>
<TD>
<select class="lesson_text_db" name="<%=DBSQLInjection.MANAGER%>">
<%
List employees = (List) session.getAttribute("DBSQLInjection.Staff");
Iterator i = employees.iterator();
while (i.hasNext())
{
EmployeeStub stub = (EmployeeStub) i.next();
%>
<option value="<%=Integer.toString(stub.getId())%>"><%=stub.getFirstName() + " " + stub.getLastName()%></option>
<%}%>
</select>
</TD>
</TR>
<TR><TD>
Disciplinary Explanation:
</TD>
<TD>
<textarea name="<%=DBSQLInjection.DISCIPLINARY_NOTES%>" cols="16" rows="3" class="lesson_text_db" ><%=employee.getDisciplinaryActionNotes()%></textarea>
</TD>
<TD>
Disciplinary Action Dates:
</TD>
<TD>
<input class="lesson_text_db" name="<%=DBSQLInjection.DISCIPLINARY_DATE%>" type="text" value="<%=employee.getDisciplinaryActionDate()%>"/>
</TD>
</TR>
</Table>
<BR>
<div class="lesson_buttons_bottom">
<table width="460" height="20" border="0" cellpadding="0" cellspacing="0">
<tr>
<td width="57">
<input type="submit" name="action" value="<%=DBSQLInjection.VIEWPROFILE_ACTION%>"/>
</td>
<td width="81">
<input name="<%=DBSQLInjection.EMPLOYEE_ID%>" type="hidden" value="<%=employee.getId()%>">
<input name="<%=DBSQLInjection.TITLE%>" type="hidden" value="<%=employee.getTitle()%>">
<input type="submit" name="action" value="<%=DBSQLInjection.UPDATEPROFILE_ACTION%>"/>
</td>
<td width="211"></td>
<td width="83">
<input type="submit" name="action" value="<%=DBSQLInjection.LOGOUT_ACTION%>"/>
</td>
</tr>
</table>
</div></form>
</div>

55
webgoat/main/project/WebContent/lessons/DBSQLInjection/ListStaff.jsp Executable file
View File

@ -0,0 +1,55 @@
<%@ page contentType="text/html; charset=ISO-8859-1" language="java"
import="java.util.*, org.owasp.webgoat.session.*, org.owasp.webgoat.lessons.DBSQLInjection.DBSQLInjection"
errorPage="" %>
<%
WebSession webSession = ((WebSession)session.getAttribute("websession"));
int myUserId = webSession.getUserIdInLesson();
%>
<div class="lesson_title_box"><strong>Welcome Back </strong><span class="lesson_text_db"><%=webSession.getUserNameInLesson()%></span> - Staff Listing Page</div>
<br>
<br>
<br>
<p>Select from the list below </p>
<form id="form1" name="form1" method="post" action="attack?menu=<%=webSession.getCurrentMenu()%>">
<table width="60%" border="0" cellpadding="3">
<tr>
<td> <label>
<select name="<%=DBSQLInjection.EMPLOYEE_ID%>" size="11">
<%
List employees = (List) session.getAttribute("DBSQLInjection." + DBSQLInjection.STAFF_ATTRIBUTE_KEY);
Iterator i = employees.iterator();
while (i.hasNext())
{
EmployeeStub stub = (EmployeeStub) i.next();%>
<option value="<%=Integer.toString(stub.getId())%>"><%=stub.getFirstName() + " " + stub.getLastName()+ " (" + stub.getRole() + ")"%></option><%
}%>
</select>
</label></td>
<td>
<input type="submit" name="action" value="<%=DBSQLInjection.SEARCHSTAFF_ACTION%>"/><br>
<input type="submit" name="action" value="<%=DBSQLInjection.VIEWPROFILE_ACTION%>"/><br>
<%
if (webSession.isAuthorizedInLesson(myUserId, DBSQLInjection.CREATEPROFILE_ACTION))
{
%>
<input type="submit" name="action" value="<%=DBSQLInjection.CREATEPROFILE_ACTION%>"/><br>
<%
}
%>
<%
if (webSession.isAuthorizedInLesson(myUserId, DBSQLInjection.DELETEPROFILE_ACTION))
{
%>
<input type="submit" name="action" value="<%=DBSQLInjection.DELETEPROFILE_ACTION%>"/><br>
<%
}
%>
<br>
<input type="submit" name="action" value="<%=DBSQLInjection.LOGOUT_ACTION%>"/>
</td>
</tr>
</table>
</form>

37
webgoat/main/project/WebContent/lessons/DBSQLInjection/Login.jsp Executable file
View File

@ -0,0 +1,37 @@
<%@ page contentType="text/html; charset=ISO-8859-1" language="java"
import="java.util.*, org.owasp.webgoat.session.*, org.owasp.webgoat.lessons.DBSQLInjection.DBSQLInjection"
errorPage="" %>
<div id="lesson_login">
<div id="lesson_login_txt">
<%
WebSession webSession = ((WebSession)session.getAttribute("websession"));
%>
<form id="form1" name="form1" method="post" action="attack?menu=<%=webSession.getCurrentMenu()%>">
<label>
<select name="<%=DBSQLInjection.EMPLOYEE_ID%>">
<%
Vector attrs = new Vector();
Enumeration ee = session.getAttributeNames();
while (ee.hasMoreElements())
attrs.add(ee.nextElement());
//System.out.println("Login.jsp inspecting session attributes: " + attrs);
//System.out.println("Retrieving employees list");
List employees = (List) session.getAttribute("DBSQLInjection." + DBSQLInjection.STAFF_ATTRIBUTE_KEY);
Iterator i = employees.iterator();
while (i.hasNext())
{
EmployeeStub stub = (EmployeeStub) i.next();
%>
<option value="<%=Integer.toString(stub.getId())%>"><%=stub.getFirstName() + " " + stub.getLastName() + " (" + stub.getRole() + ")"%></option>
<%}%>
</select>
</label>
<br>
<label>Password
<input name="password" type="password" size="10" maxlength="8" />
</label>
<br>
<input type="submit" name="action" value="<%=DBSQLInjection.LOGIN_ACTION%>"/>
</form>
</div>
</div>

22
webgoat/main/project/WebContent/lessons/DBSQLInjection/SearchStaff.jsp Executable file
View File

@ -0,0 +1,22 @@
<%@ page contentType="text/html; charset=ISO-8859-1" language="java"
import="org.owasp.webgoat.session.*, org.owasp.webgoat.lessons.DBSQLInjection.DBSQLInjection"
errorPage="" %>
<div id="lesson_search">
<%
WebSession webSession = ((WebSession)session.getAttribute("websession"));
String searchedName = request.getParameter(DBSQLInjection.SEARCHNAME);
if (searchedName != null)
{
%>
Employee <%=searchedName%> not found.
<%
}
%>
<form id="form1" name="form1" method="post" action="attack?menu=<%=webSession.getCurrentMenu()%>">
<label>Name
<input class="lesson_text_db" type="text" name="<%=DBSQLInjection.SEARCHNAME%>"/>
</label>
<br>
<input type="submit" name="action" value="<%=DBSQLInjection.FINDPROFILE_ACTION%>"/>
</form>
</div>

154
webgoat/main/project/WebContent/lessons/DBSQLInjection/ViewProfile.jsp Executable file
View File

@ -0,0 +1,154 @@
<%@ page contentType="text/html; charset=ISO-8859-1" language="java"
import="org.owasp.webgoat.session.*, org.owasp.webgoat.lessons.DBSQLInjection.DBSQLInjection"
errorPage="" %>
<%
WebSession webSession = ((WebSession)session.getAttribute("websession"));
Employee employee = (Employee) session.getAttribute("DBSQLInjection." + DBSQLInjection.EMPLOYEE_ATTRIBUTE_KEY);
// int myUserId = getIntSessionAttribute(webSession, "DBSQLInjection." + DBSQLInjection.USER_ID);
%>
<div class="lesson_title_box"><strong>Welcome Back </strong><span class="lesson_text_db"><%=webSession.getUserNameInLesson()%></span></div>
<div class="lesson_text">
<Table>
<TR><TD>
First Name:
</TD>
<TD>
<%=employee.getFirstName()%>
</TD>
<TD>
Last Name:
</TD>
<TD>
<%=employee.getLastName()%>
</TD>
</TR>
<TR><TD>
Street:
</TD>
<TD>
<%=employee.getAddress1()%>
</TD>
<TD>
City/State:
<TD>
<%=employee.getAddress2()%>
</TD>
</TR>
<TR><TD>
Phone:
</TD>
<TD>
<%=employee.getPhoneNumber()%>
</TD>
<TD>
Start Date:
</TD>
<TD>
<%=employee.getStartDate()%>
</TD>
</TR>
<TR><TD>
SSN:
</TD>
<TD>
<%=employee.getSsn()%>
</TD>
<TD>
Salary:
</TD>
<TD>
<%=employee.getSalary()%>
</TD>
</TR>
<TR><TD>
Credit Card:
</TD>
<TD>
<%=employee.getCcn()%>
</TD>
<TD>
Credit Card Limit:
</TD>
<TD>
<%=employee.getCcnLimit()%>
</TD>
</TR>
<TR><TD>
Comments:
</TD>
<TD>
<%=employee.getPersonalDescription()%>
</TD>
<TD>
Manager:
</TD>
<TD>
<%=employee.getManager()%>
</TD>
</TR>
<TR><TD>
Disciplinary Explanation:
</TD>
<TD>
<%=employee.getDisciplinaryActionNotes()%>
</TD>
<TD>
Disciplinary Action Dates:
</TD>
<TD>
<%=employee.getDisciplinaryActionDate()%>
</TD>
</TR>
</Table>
</div>
<div class="lesson_buttons_bottom">
<table width="460" height="20" border="0" cellpadding="0" cellspacing="0">
<tr>
<td width="50">
<%
if (webSession.isAuthorizedInLesson(webSession.getUserIdInLesson(), DBSQLInjection.LISTSTAFF_ACTION))
{
%>
<form method="POST" action="attack?menu=<%=webSession.getCurrentMenu()%>">
<input type="hidden" name="<%=DBSQLInjection.EMPLOYEE_ID%>" value="<%=employee.getId()%>">
<input type="submit" name="action" value="<%=DBSQLInjection.LISTSTAFF_ACTION%>"/>
</form>
<%
}
%>
</td>
<td width="50">
<%
if (webSession.isAuthorizedInLesson(webSession.getUserIdInLesson(), DBSQLInjection.EDITPROFILE_ACTION))
{
%>
<form method="POST" action="attack?menu=<%=webSession.getCurrentMenu()%>">
<input type="hidden" name="<%=DBSQLInjection.EMPLOYEE_ID%>" value="<%=employee.getId()%>">
<input type="submit" name="action" value="<%=DBSQLInjection.EDITPROFILE_ACTION%>"/>
</form>
<%
}
%>
</td>
<td width="60">
<%
if (webSession.isAuthorizedInLesson(webSession.getUserIdInLesson(), DBSQLInjection.DELETEPROFILE_ACTION))
{
%>
<form method="POST" action="attack?menu=<%=webSession.getCurrentMenu()%>">
<input type="hidden" name="<%=DBSQLInjection.EMPLOYEE_ID%>" value="<%=employee.getId()%>">
<input type="submit" name="action" value="<%=DBSQLInjection.DELETEPROFILE_ACTION%>"/>
</form>
<%
}
%>
</td>
<td width="190">&nbsp;</td>
<td width="76">
<form method="POST">
<input type="submit" name="action" value="<%=DBSQLInjection.LOGOUT_ACTION%>"/>
</form>
</td>
</tr>
</table>
</div>

3
webgoat/main/project/WebContent/lessons/DBSQLInjection/error.jsp Executable file
View File

@ -0,0 +1,3 @@
<%@ page contentType="text/html; charset=ISO-8859-1" language="java"
errorPage="" %>
<br><br><br>An error has occurred.

BIN
webgoat/main/project/WebContent/lessons/DBSQLInjection/images/lesson1_SearchWindow.jpg Executable file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 34 KiB

BIN
webgoat/main/project/WebContent/lessons/DBSQLInjection/images/lesson1_header.jpg Executable file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 44 KiB

BIN
webgoat/main/project/WebContent/lessons/DBSQLInjection/images/lesson1_loginWindow.jpg Executable file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 9.7 KiB

BIN
webgoat/main/project/WebContent/lessons/DBSQLInjection/images/lesson1_menu.jpg Executable file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 5.5 KiB

BIN
webgoat/main/project/WebContent/lessons/DBSQLInjection/images/lesson1_workspace.jpg Executable file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 23 KiB