From bf210de0132ddb844cb17dfedc58962d52c8854a Mon Sep 17 00:00:00 2001 From: Nanne Baars Date: Fri, 16 Jun 2017 00:33:02 +0200 Subject: [PATCH] Added testcase for SQL lesson 6b --- .../introduction/SqlInjectionLesson6b.java | 73 +++++++++---------- .../SqlInjectionLesson6aTest.java | 10 +-- .../SqlInjectionLesson6bTest.java | 46 ++++++++++++ 3 files changed, 84 insertions(+), 45 deletions(-) create mode 100644 webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson6bTest.java diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson6b.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson6b.java index df3f490e7..77bd7b66e 100644 --- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson6b.java +++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson6b.java @@ -10,7 +10,6 @@ import org.springframework.web.bind.annotation.RequestMethod; import org.springframework.web.bind.annotation.RequestParam; import org.springframework.web.bind.annotation.ResponseBody; -import javax.servlet.http.HttpServletRequest; import java.io.IOException; import java.sql.Connection; import java.sql.ResultSet; @@ -18,77 +17,71 @@ import java.sql.SQLException; import java.sql.Statement; - /*************************************************************************************************** - * - * + * + * * This file is part of WebGoat, an Open Web Application Security Project utility. For details, * please see http://www.owasp.org/ - * + * * Copyright (c) 2002 - 20014 Bruce Mayhew - * + * * This program is free software; you can redistribute it and/or modify it under the terms of the * GNU General Public License as published by the Free Software Foundation; either version 2 of the * License, or (at your option) any later version. - * + * * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * General Public License for more details. - * + * * You should have received a copy of the GNU General Public License along with this program; if * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA * 02111-1307, USA. - * + * * Getting Source ============== - * + * * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software * projects. - * + * * For details, please see http://webgoat.github.io - * + * * @author Bruce Mayhew WebGoat * @created October 28, 2003 */ @AssignmentPath("/SqlInjection/attack6b") public class SqlInjectionLesson6b extends AssignmentEndpoint { - @RequestMapping(method = RequestMethod.POST) - public @ResponseBody AttackResult completed(@RequestParam String userid_6b, HttpServletRequest request) throws IOException { - if (userid_6b.toString().equals(getPassword())) { - return trackProgress(success().build()); - } else { - return trackProgress(failed().build()); - } - } + @RequestMapping(method = RequestMethod.POST) + @ResponseBody + public AttackResult completed(@RequestParam String userid_6b) throws IOException { + if (userid_6b.toString().equals(getPassword())) { + return trackProgress(success().build()); + } else { + return trackProgress(failed().build()); + } + } - protected String getPassword() - { - - String password="dave"; - try - { + protected String getPassword() { + + String password = "dave"; + try { Connection connection = DatabaseUtilities.getConnection(getWebSession()); String query = "SELECT password FROM user_system_data WHERE user_name = 'dave'"; - - try - { + + try { Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, - ResultSet.CONCUR_READ_ONLY); + ResultSet.CONCUR_READ_ONLY); ResultSet results = statement.executeQuery(query); - if ((results != null) && (results.first() == true)) - { + if ((results != null) && (results.first() == true)) { password = results.getString("password"); } - } catch (SQLException sqle) - { - sqle.printStackTrace(); - // do nothing + } catch (SQLException sqle) { + sqle.printStackTrace(); + // do nothing } - } catch (Exception e) - { - e.printStackTrace(); - // do nothing + } catch (Exception e) { + e.printStackTrace(); + // do nothing } return (password); } diff --git a/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson6aTest.java b/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson6aTest.java index 83f5b7777..be735f9c0 100644 --- a/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson6aTest.java +++ b/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson6aTest.java @@ -34,7 +34,7 @@ public class SqlInjectionLesson6aTest extends LessonTest { .param("userid_6a", "John")) .andDo(MockMvcResultHandlers.print()) .andExpect(status().isOk()) - .andExpect(status().isOk()).andExpect(jsonPath("$.lessonCompleted", is(false))); + .andExpect(jsonPath("$.lessonCompleted", is(false))); } @Test @@ -43,7 +43,7 @@ public class SqlInjectionLesson6aTest extends LessonTest { .param("userid_6a", "Smith' union select userid,user_name, password,cookie from user_system_data --")) .andDo(MockMvcResultHandlers.print()) .andExpect(status().isOk()) - .andExpect(status().isOk()).andExpect(jsonPath("$.lessonCompleted", is(false))) + .andExpect(jsonPath("$.lessonCompleted", is(false))) .andExpect(jsonPath("$.output", is("column number mismatch detected in rows of UNION, INTERSECT, EXCEPT, or VALUES operation"))); } @@ -53,7 +53,7 @@ public class SqlInjectionLesson6aTest extends LessonTest { .param("userid_6a", "Smith' union select 1,password, 1,'2','3', '4',1 from user_system_data --")) .andDo(MockMvcResultHandlers.print()) .andExpect(status().isOk()) - .andExpect(status().isOk()).andExpect(jsonPath("$.lessonCompleted", is(false))) + .andExpect(jsonPath("$.lessonCompleted", is(false))) .andExpect(jsonPath("$.output", containsString("incompatible data types in combination"))); } @@ -63,7 +63,7 @@ public class SqlInjectionLesson6aTest extends LessonTest { .param("userid_6a", "Smith' union select 1,password, '1','2','3', '4',1 from user_system_data --")) .andDo(MockMvcResultHandlers.print()) .andExpect(status().isOk()) - .andExpect(status().isOk()).andExpect(jsonPath("$.lessonCompleted", is(true))) + .andExpect(jsonPath("$.lessonCompleted", is(true))) .andExpect(jsonPath("$.feedback", containsString("dave"))); } @@ -73,7 +73,7 @@ public class SqlInjectionLesson6aTest extends LessonTest { .param("userid_6a", "Smith' and 1 = 2 --")) .andDo(MockMvcResultHandlers.print()) .andExpect(status().isOk()) - .andExpect(status().isOk()).andExpect(jsonPath("$.lessonCompleted", is(false))) + .andExpect(jsonPath("$.lessonCompleted", is(false))) .andExpect(jsonPath("$.feedback", is(messages.getMessage("sql-injection.6a.no.results")))); } diff --git a/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson6bTest.java b/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson6bTest.java new file mode 100644 index 000000000..394d5baa9 --- /dev/null +++ b/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson6bTest.java @@ -0,0 +1,46 @@ +package org.owasp.webgoat.plugin.introduction; + +import org.junit.Before; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.owasp.webgoat.plugins.LessonTest; +import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; +import org.springframework.test.web.servlet.request.MockMvcRequestBuilders; +import org.springframework.test.web.servlet.result.MockMvcResultHandlers; +import org.springframework.test.web.servlet.setup.MockMvcBuilders; + +import static org.hamcrest.Matchers.is; +import static org.mockito.Mockito.when; +import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath; +import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status; + +/**a + * @author nbaars + * @since 6/16/17. + */ +@RunWith(SpringJUnit4ClassRunner.class) +public class SqlInjectionLesson6bTest extends LessonTest { + + @Before + public void setup() throws Exception { + when(webSession.getCurrentLesson()).thenReturn(new SqlInjection()); + this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build(); + } + + @Test + public void submitCorrectPassword() throws Exception { + mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/attack6b") + .param("userid_6b", "dave")) + .andDo(MockMvcResultHandlers.print()) + .andExpect(status().isOk()).andExpect(jsonPath("$.lessonCompleted", is(true))); + } + + @Test + public void submitWrongPassword() throws Exception { + mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/attack6b") + .param("userid_6b", "John")) + .andDo(MockMvcResultHandlers.print()) + .andExpect(status().isOk()).andExpect(jsonPath("$.lessonCompleted", is(false))); + } + +} \ No newline at end of file