Added testcase for SQL lesson 6b

2017-06-16 00:33:02 +02:00 · 2017-06-16 00:33:02 +02:00 · bf210de013
commit bf210de013
parent e808abd504
3 changed files with 84 additions and 45 deletions
--- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson6b.java
+++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson6b.java
@ -10,7 +10,6 @@ import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;

-import javax.servlet.http.HttpServletRequest;
 import java.io.IOException;
 import java.sql.Connection;
 import java.sql.ResultSet;
@ -18,7 +17,6 @@ import java.sql.SQLException;
 import java.sql.Statement;


-
 /***************************************************************************************************
 *
 *
@ -53,7 +51,8 @@ import java.sql.Statement;
 public class SqlInjectionLesson6b extends AssignmentEndpoint {

    @RequestMapping(method = RequestMethod.POST)
-	public @ResponseBody AttackResult completed(@RequestParam String userid_6b, HttpServletRequest request) throws IOException {
+    @ResponseBody
+    public AttackResult completed(@RequestParam String userid_6b) throws IOException {
        if (userid_6b.toString().equals(getPassword())) {
            return trackProgress(success().build());
        } else {
@ -61,32 +60,26 @@ public class SqlInjectionLesson6b extends AssignmentEndpoint {
        }
    }

-    protected String getPassword()
-    {
+    protected String getPassword() {

-    	String password="dave";
-        try
-        {
+        String password = "dave";
+        try {
            Connection connection = DatabaseUtilities.getConnection(getWebSession());
            String query = "SELECT password FROM user_system_data WHERE user_name = 'dave'";

-            try
-            {
+            try {
                Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,
                        ResultSet.CONCUR_READ_ONLY);
                ResultSet results = statement.executeQuery(query);

-                if ((results != null) && (results.first() == true))
-                {
+                if ((results != null) && (results.first() == true)) {
                    password = results.getString("password");
                }
-            } catch (SQLException sqle)
-            {
+            } catch (SQLException sqle) {
                sqle.printStackTrace();
                // do nothing
            }
-        } catch (Exception e)
-        {
+        } catch (Exception e) {
            e.printStackTrace();
            // do nothing
        }
--- a/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson6aTest.java
+++ b/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson6aTest.java
@ -34,7 +34,7 @@ public class SqlInjectionLesson6aTest extends LessonTest {
                .param("userid_6a", "John"))
                .andDo(MockMvcResultHandlers.print())
                .andExpect(status().isOk())
-                .andExpect(status().isOk()).andExpect(jsonPath("$.lessonCompleted", is(false)));
+                .andExpect(jsonPath("$.lessonCompleted", is(false)));
    }

    @Test
@ -43,7 +43,7 @@ public class SqlInjectionLesson6aTest extends LessonTest {
                .param("userid_6a", "Smith' union select userid,user_name, password,cookie from user_system_data --"))
                .andDo(MockMvcResultHandlers.print())
                .andExpect(status().isOk())
-                .andExpect(status().isOk()).andExpect(jsonPath("$.lessonCompleted", is(false)))
+                .andExpect(jsonPath("$.lessonCompleted", is(false)))
                .andExpect(jsonPath("$.output", is("column number mismatch detected in rows of UNION, INTERSECT, EXCEPT, or VALUES operation")));
    }

@ -53,7 +53,7 @@ public class SqlInjectionLesson6aTest extends LessonTest {
                .param("userid_6a", "Smith' union select 1,password, 1,'2','3', '4',1 from user_system_data --"))
                .andDo(MockMvcResultHandlers.print())
                .andExpect(status().isOk())
-                .andExpect(status().isOk()).andExpect(jsonPath("$.lessonCompleted", is(false)))
+                .andExpect(jsonPath("$.lessonCompleted", is(false)))
                .andExpect(jsonPath("$.output", containsString("incompatible data types in combination")));
    }

@ -63,7 +63,7 @@ public class SqlInjectionLesson6aTest extends LessonTest {
                .param("userid_6a", "Smith' union select 1,password, '1','2','3', '4',1 from user_system_data --"))
                .andDo(MockMvcResultHandlers.print())
                .andExpect(status().isOk())
-                .andExpect(status().isOk()).andExpect(jsonPath("$.lessonCompleted", is(true)))
+                .andExpect(jsonPath("$.lessonCompleted", is(true)))
                .andExpect(jsonPath("$.feedback", containsString("dave")));
    }

@ -73,7 +73,7 @@ public class SqlInjectionLesson6aTest extends LessonTest {
                .param("userid_6a", "Smith' and 1 = 2 --"))
                .andDo(MockMvcResultHandlers.print())
                .andExpect(status().isOk())
-                .andExpect(status().isOk()).andExpect(jsonPath("$.lessonCompleted", is(false)))
+                .andExpect(jsonPath("$.lessonCompleted", is(false)))
                .andExpect(jsonPath("$.feedback", is(messages.getMessage("sql-injection.6a.no.results"))));
    }

--- a/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson6bTest.java
+++ b/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson6bTest.java
@ -0,0 +1,46 @@
+package org.owasp.webgoat.plugin.introduction;
+
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.owasp.webgoat.plugins.LessonTest;
+import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
+import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
+import org.springframework.test.web.servlet.result.MockMvcResultHandlers;
+import org.springframework.test.web.servlet.setup.MockMvcBuilders;
+
+import static org.hamcrest.Matchers.is;
+import static org.mockito.Mockito.when;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+
+/**a
+ * @author nbaars
+ * @since 6/16/17.
+ */
+@RunWith(SpringJUnit4ClassRunner.class)
+public class SqlInjectionLesson6bTest extends LessonTest {
+
+    @Before
+    public void setup() throws Exception {
+        when(webSession.getCurrentLesson()).thenReturn(new SqlInjection());
+        this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
+    }
+
+    @Test
+    public void submitCorrectPassword() throws Exception {
+        mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/attack6b")
+                .param("userid_6b", "dave"))
+                .andDo(MockMvcResultHandlers.print())
+                .andExpect(status().isOk()).andExpect(jsonPath("$.lessonCompleted", is(true)));
+    }
+
+    @Test
+    public void submitWrongPassword() throws Exception {
+        mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/attack6b")
+                .param("userid_6b", "John"))
+                .andDo(MockMvcResultHandlers.print())
+                .andExpect(status().isOk()).andExpect(jsonPath("$.lessonCompleted", is(false)));
+    }
+
+}