lesson: sql-injection-mitigation

Added a new assignment for JDBC code completion.
This commit is contained in:
Max Geldner 2018-10-27 14:56:45 +02:00 committed by Nanne Baars
parent 6e36cc1ea4
commit bca50e8ca5
3 changed files with 68 additions and 0 deletions


@ -0,0 +1,45 @@
package org.owasp.webgoat.plugin.mitigation;
import lombok.SneakyThrows;
import lombok.extern.slf4j.Slf4j;
import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AssignmentPath;
import org.owasp.webgoat.assignments.AttackResult;
import org.owasp.webgoat.session.WebSession;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
@AssignmentPath("SqlInjection/attack10a")
@Slf4j
public class SqlInjectionLesson10a extends AssignmentEndpoint {
@Autowired
private WebSession webSession;
// @TODO: Maybe provide regex instead of "hard coded" strings
private String[] results = {"getConnection", "PreparedStatement", "prepareStatement", "?", "?", "setString", "setString"};
// @TODO Method head too big, better solution?
@RequestMapping(method = RequestMethod.POST)
@ResponseBody
@SneakyThrows
public AttackResult completed(@RequestParam String field1, @RequestParam String field2, @RequestParam String field3, @RequestParam String field4, @RequestParam String field5, @RequestParam String field6, @RequestParam String field7) {
String[] userInput = {field1, field2, field3, field4, field5, field6, field7};
int position = 0;
boolean completed = false;
for(String input : userInput) {
if(input.toLowerCase().contains(this.results[position].toLowerCase())) {
completed = true;
} else {
return trackProgress(failed().build());
}
position++;
}
if(completed) {
return trackProgress(success().build());
}
return trackProgress(failed().build());
}
}
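Review bot: The grading at L41 is a case-insensitive substring test, so an answer that still concatenates user input passes as long as each field contains the expected token — field4 and field5 only need a `?` somewhere in the text, and field6/field7 only need the word `setString`, so swapped, repeated or missing bind indexes are accepted as a correct mitigation. Because this assignment exists to certify that the student removed the injection, each field should be checked against an anchored pattern (the `@TODO` on L30 already points at regex), e.g. `\s*\?\s*` for the two placeholder fields and `\w+\.setString\(\s*1\s*,\s*\w+\s*\)` / `...\(\s*2\s*,...` for the two bind calls, which needs `import java.util.regex.Pattern;`. The `completed` flag is dead code: the `else` branch returns on the first mismatch, so reaching the end of the loop already means every field matched; `@SneakyThrows` is likewise unnecessary as nothing in the body throws a checked exception. The patterns below are case-sensitive because Java identifiers are; add `Pattern.CASE_INSENSITIVE` if the original leniency is wanted.
```java
    // Anchored per-field patterns: the placeholder fields must be exactly "?" and the
    // bind calls must use indexes 1 and 2, so an answer that concatenates cannot pass.
    private final Pattern[] results = {
            Pattern.compile("\\s*getConnection\\s*"),
            Pattern.compile("\\s*PreparedStatement\\s+\\w+\\s*"),
            Pattern.compile("\\s*prepareStatement\\s*"),
            Pattern.compile("\\s*\\?\\s*"),
            Pattern.compile("\\s*\\?\\s*"),
            Pattern.compile("\\s*\\w+\\.setString\\(\\s*1\\s*,\\s*\\w+\\s*\\)\\s*"),
            Pattern.compile("\\s*\\w+\\.setString\\(\\s*2\\s*,\\s*\\w+\\s*\\)\\s*")
    };
    // … unchanged: @RequestMapping/@ResponseBody annotations and the completed(...) signature …
        String[] userInput = {field1, field2, field3, field4, field5, field6, field7};
        for (int i = 0; i < userInput.length; i++) {
            // matches() requires the whole field to fit the pattern, not just a substring
            if (!results[i].matcher(userInput[i]).matches()) {
                return trackProgress(failed().build());
            }
        }
        return trackProgress(success().build());
```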


@ -19,6 +19,24 @@
<div class="adoc-content" th:replace="doc:SqlInjection_content10.adoc"></div> <div class="adoc-content" th:replace="doc:SqlInjection_content10.adoc"></div>
</div> </div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:SqlInjection_jdbc_completion.adoc"></div>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<form class="attack-form" accept-charset="UNKNOWN" method="POST" name="form" action="/WebGoat/SqlInjection/attack10a" enctype="application/json;charset=UTF-8">
<div>
<p>Connection conn = DriverManager.<input type="text" name="field1" id="field1" />(DBURL, DBUSER, DBPW);</p>
<p><input type="text" name="field2" id="field2" /> = conn.<input type="text" name="field3" id="field3" />("SELECT status FROM users WHERE name=<input type="text" name="field4" id="field4" /> AND mail=<input type="text" name="field5" id="field5" />");</p>
<p><input type="text" name="field6" id="field6" />;</p>
<p><input type="text" name="field7" id="field7" />;</p>
</div>
<div class="input-group" style="margin-top: 10px">
<button type="submit" class="btn btn-primary">Submit</button>
</div>
</form>
</div>
</div>
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:SqlInjection_content11.adoc"></div> <div class="adoc-content" th:replace="doc:SqlInjection_content11.adoc"></div>
</div> </div>
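Review bot: The form at L64 declares `accept-charset="UNKNOWN"` and `enctype="application/json;charset=UTF-8"`, neither of which is a value a browser honours: an unrecognised enctype falls back to `application/x-www-form-urlencoded` (which is what the `@RequestParam` endpoint behind `/WebGoat/SqlInjection/attack10a` actually needs), and an unrecognised accept-charset falls back to the document encoding. The attributes look copied from a sibling lesson form rather than chosen for this one, so the request format the server relies on is hidden behind a misleading declaration; either drop both or state the intent explicitly with `accept-charset="UTF-8"` and no `enctype`. The added `lesson-page-wrapper` div is complete within the hunk, but the enclosing lesson markup starts and ends outside it.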


@ -0,0 +1,5 @@
== Try it! Writing safe code
You can see some code down below, but the Code is incomplete. Complete the code, so that is no longer vulnerable for an SQL Injection! Use the classes and methods you have learned before.
The code has to retrieve the status of the user based on the name and the mail address of the user. Both the name and the mail are in the string format.