Implemented better lesson description, hints and feedback

2019-01-14 19:00:44 +01:00 · 2019-01-14 19:00:44 +01:00 · d27577c1c4
commit d27577c1c4
parent cec60447c4
7 changed files with 51 additions and 35 deletions
--- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/advanced/SqlInjectionLesson6a.java
+++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/advanced/SqlInjectionLesson6a.java
@ -46,7 +46,8 @@ import java.sql.*;
 * @created October 28, 2003
 */
@AssignmentPath("/SqlInjection/attack6a")
-@AssignmentHints(value = {"SqlStringInjectionHint-advanced-6a-1", "SqlStringInjectionHint-advanced-6a-2", "SqlStringInjectionHint-advanced-6a-3"})
+@AssignmentHints(value = {"SqlStringInjectionHint-advanced-6a-1", "SqlStringInjectionHint-advanced-6a-2", "SqlStringInjectionHint-advanced-6a-3",
+"SqlStringInjectionHint-advanced-6a-4", "SqlStringInjectionHint-advanced-6a-5"})
 public class SqlInjectionLesson6a extends AssignmentEndpoint {

    @RequestMapping(method = RequestMethod.POST)
@ -58,10 +59,11 @@ public class SqlInjectionLesson6a extends AssignmentEndpoint {
    }

    protected AttackResult injectableQuery(String accountName) {
+        String query = "";
        try {
            boolean usedUnion = true;
            Connection connection = DatabaseUtilities.getConnection(getWebSession());
-            String query = "SELECT * FROM user_data WHERE last_name = '" + accountName + "'";
+            query = "SELECT * FROM user_data WHERE last_name = '" + accountName + "'";
            //Check if Union is used
            if(!accountName.matches("(?i)(^[^-/*;)]*)(\\s*)UNION(.*$)")) {
                usedUnion = false;
@ -77,27 +79,26 @@ public class SqlInjectionLesson6a extends AssignmentEndpoint {

                    output.append(SqlInjectionLesson5a.writeTable(results, resultsMetaData));
                    if(! usedUnion)
-                        output.append("To succesfully complete this Assignement you have to use a UNION");
+                        output.append("To successfully complete this Assignment you have to use a UNION");
                    results.last();

                    // If they get back more than one user they succeeded
                    if (results.getRow() >= 5 && usedUnion) {
-                        return trackProgress(success().feedback("sql-injection.advanced.6a.success").feedbackArgs(output.toString()).build());
+                        return trackProgress(success().feedback("sql-injection.advanced.6a.success").feedbackArgs(output.toString()).output(" Your query was: " + query).build());
                    } else if((output.toString().contains("dave") && output.toString().contains("passW0rD")) && !usedUnion) {
-                        return trackProgress(failed().output("To succesfully complete this Assignement you have to use a UNION").build());
+                        return trackProgress(failed().output("To successfully complete this Assignment you have to use a UNION" + "<br> Your query was: " + query).build());
                    } else {
-                        return trackProgress(failed().output(output.toString()).build());
+                        return trackProgress(failed().output(output.toString() + "<br> Your query was: " + query).build());
                    }
                } else {
-                    return trackProgress(failed().feedback("sql-injection.advanced.6a.no.results").build());
-
+                    return trackProgress(failed().feedback("sql-injection.advanced.6a.no.results").output(" Your query was: " + query).build());
                }
            } catch (SQLException sqle) {
-                return trackProgress(failed().output(sqle.getMessage()).build());
+                return trackProgress(failed().output(sqle.getMessage() + "<br> Your query was: " + query).build());
            }
        } catch (Exception e) {
            e.printStackTrace();
-            return trackProgress(failed().output(this.getClass().getName() + " : " + e.getMessage()).build());
+            return trackProgress(failed().output(this.getClass().getName() + " : " + e.getMessage() + "<br> Your query was: " + query).build());
        }
    }
 }
--- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson5a.java
+++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson5a.java
@ -55,10 +55,11 @@ public class SqlInjectionLesson5a extends AssignmentEndpoint {
  }

  protected AttackResult injectableQuery(String accountName) {
+    String query = "";
    try {
      Connection connection = DatabaseUtilities.getConnection(getWebSession());
      System.out.println(accountName);
-      String query = "SELECT * FROM user_data WHERE first_name = 'John' and last_name = '" + accountName + "'";
+      query = "SELECT * FROM user_data WHERE first_name = 'John' and last_name = '" + accountName + "'";
      try {
        Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,
                ResultSet.CONCUR_READ_ONLY);
@ -73,20 +74,20 @@ public class SqlInjectionLesson5a extends AssignmentEndpoint {

          // If they get back more than one user they succeeded
          if (results.getRow() >= 6) {
-            return trackProgress(success().feedback("sql-injection.5a.success").feedbackArgs(output.toString()).build());
+            return trackProgress(success().feedback("sql-injection.5a.success").output("Your query was: " + query).feedbackArgs(output.toString()).build());
          } else {
-            return trackProgress(failed().output(output.toString()).build());
+            return trackProgress(failed().output(output.toString() + "<br> Your query was: " + query).build());
          }
        } else {
-          return trackProgress(failed().feedback("sql-injection.5a.no.results").build());
+          return trackProgress(failed().feedback("sql-injection.5a.no.results").output("Your query was: " + query).build());

        }
      } catch (SQLException sqle) {

-        return trackProgress(failed().output(sqle.getMessage()).build());
+        return trackProgress(failed().output(sqle.getMessage() + "<br> Your query was: " + query).build());
      }
    } catch (Exception e) {
-      return trackProgress(failed().output(this.getClass().getName() + " : " + e.getMessage()).build());
+      return trackProgress(failed().output(this.getClass().getName() + " : " + e.getMessage() + "<br> Your query was: " + query).build());
    }
  }

--- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson5b.java
+++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson5b.java
@ -57,22 +57,24 @@ public class SqlInjectionLesson5b extends AssignmentEndpoint {
    return injectableQuery(login_count, userid);
  }

+
  protected AttackResult injectableQuery(String login_count, String accountName) {
+    String queryString = "SELECT * From user_data WHERE Login_Count = ? and userid= " + accountName;
    try {
      Connection connection = DatabaseUtilities.getConnection(getWebSession());
-      PreparedStatement query = connection.prepareStatement("SELECT * From user_data WHERE Login_Count = ? and userid= " + accountName, ResultSet.TYPE_SCROLL_INSENSITIVE,
+      PreparedStatement query = connection.prepareStatement(queryString, ResultSet.TYPE_SCROLL_INSENSITIVE,
              ResultSet.CONCUR_READ_ONLY);

      int count = 0;
      try {
        count = Integer.parseInt(login_count);
      } catch(Exception e) {
-        return trackProgress(failed().output(this.getClass().getName() + " : " + e.getMessage()).build());
+        return trackProgress(failed().output("Could not parse: " + login_count + " to a number" +
+                "<br> Your query was: " + queryString.replace("?", login_count)).build());
      }

      query.setInt(1, count);
      //String query = "SELECT * FROM user_data WHERE Login_Count = " + login_count + " and userid = " + accountName, ;
-      System.err.println("Querry: " + query);
      try {
        Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,
                ResultSet.CONCUR_READ_ONLY);
@ -87,23 +89,22 @@ public class SqlInjectionLesson5b extends AssignmentEndpoint {

          // If they get back more than one user they succeeded
          if (results.getRow() >= 6) {
-            return trackProgress(success().feedback("sql-injection.5b.success").feedbackArgs(output.toString()).build());
+            return trackProgress(success().feedback("sql-injection.5b.success").output("Your query was: " + queryString.replace("?", login_count)).feedbackArgs(output.toString()).build());
          } else {
-            return trackProgress(failed().output(output.toString()).build());
+            return trackProgress(failed().output(output.toString() + "<br> Your query was: " + queryString.replace("?", login_count)).build());
          }

        } else {
-          return trackProgress(failed().feedback("sql-injection.5b.no.results").build());
+          return trackProgress(failed().feedback("sql-injection.5b.no.results").output("Your query was: " + queryString.replace("?", login_count)).build());

 //                    output.append(getLabelManager().get("NoResultsMatched"));
        }
      } catch (SQLException sqle) {

-        return trackProgress(failed().output(sqle.getMessage()).build());
+        return trackProgress(failed().output(sqle.getMessage() + "<br> Your query was: " + queryString.replace("?", login_count)).build());
      }
    } catch (Exception e) {
-      e.printStackTrace();
-      return trackProgress(failed().output(this.getClass().getName() + " : " + e.getMessage()).build());
+      return trackProgress(failed().output(this.getClass().getName() + " : " + e.getMessage() + "<br> Your query was: " + queryString.replace("?", login_count)).build());
    }
  }
 }
--- a/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjection.html
+++ b/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjection.html
@ -196,11 +196,11 @@
            <table>
                <tr>
                    <td>Login_Count:</td>
-                    <td><input name="login_count" value="" type="text"/></td>
+                    <td><input name="login_count" type="text" required="true"/></td>
                </tr>
                <tr>
                    <td>User_Id:</td>
-                    <td><input name="userid" value="" type="TEXT"/></td>
+                    <td><input name="userid" type="TEXT" required="true"/></td>
                </tr>
                <tr>
                    <td></td>
--- a/webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties
+++ b/webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties
@ -30,7 +30,7 @@ sql-injection.5b.success=<span class='feedback-positive'>You have succeed: {0}</
 sql-injection.5b.no.results=<span class='feedback-negative'>No results matched. Try Again.</span>

 SqlStringInjectionHint5b1=Try to check which of the input fields is susceptible to an injection attack.
-SqlStringInjectionHint5b2=Insert 0 or 1 = 1 into the first input field. The Output should tell you if this field is injectable.
+SqlStringInjectionHint5b2=Insert: <span style="font-style: italic">0 or 1 = 1</span> into the first input field. The Output should tell you if this field is injectable.
 SqlStringInjectionHint5b3=The first Input field is not susceptible to sql injection.
 SqlStringInjectionHint5b4=You don't need to insert any quotations into your injection-string.

@ -39,9 +39,11 @@ sql-injection.6a.no.results=<span class='feedback-negative'>No results matched.

 sql-injection.advanced.6a.success=<span class='feedback-positive'>You have succeed: {0}</span>
 sql-injection.advanced.6a.no.results=<span class='feedback-negative'>No results matched. Try Again.</span>
-SqlStringInjectionHint-advanced-6a-1=Try Appending a new SQL Statement to the Query.
-SqlStringInjectionHint-advanced-6a-2=The new SQL Statement can be really simple like: SELECT ... FROM ...
-SqlStringInjectionHint-advanced-6a-3=Your new SQL Query should start, with a " ; " and end with " -- "
+SqlStringInjectionHint-advanced-6a-1=Remember, that when using a Union, Each SELECT statement within UNION must have the same number of columns.
+SqlStringInjectionHint-advanced-6a-2=The Datatype of a column in the first SELECT statement must have a similar datatype to that in the second SELECT statement.
+SqlStringInjectionHint-advanced-6a-3=Your new SQL Query must end with a comment. eg: --
+SqlStringInjectionHint-advanced-6a-4=If a column needs a String you could substitute something like <span style="font-style: italic">'a String'</span> for it. For an integer you could substitute a <span style="font-style: italic">1</span>.
+SqlStringInjectionHint-advanced-6a-5=Try something like: <span style="font-style: italic">Smith' UNION SELECT userid,user_name, password, 'a', 'b', 'c', 1 from user_system_data --</span> 

 sql-injection.6b.success=<span class='feedback-positive'>You have succeed: {0}</span>
 sql-injection.6b.no.results=<span class='feedback-negative'>No results matched. Try Again.</span>
--- a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content6a.adoc
+++ b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content6a.adoc
@ -1,8 +1,21 @@
 == Try It! Pulling data from other tables

-Lets try to exploit the fact that you can use a union to get the contents of another table.
+The input field below is used to get data from a user by their last name. +
+The table is called 'user_data':

-One of the tables in the WebGoat database is:
+-------------------------------------------------------
+CREATE TABLE user_data (userid int not null,
+                        first_name varchar(20),
+                        last_name varchar(20),
+                        cc_number varchar(30),
+                        cc_type varchar(10),
+                        cookie varchar(20),
+                        login_count int);
+-------------------------------------------------------
+
+Through experimentation you found that this field is susceptible to SQL Injection.
+Now you want to use that knowledge to get the contents of another table. +
+The table you want to pull data from is:

 -------------------------------------------------------
 CREATE TABLE user_system_data (userid int not null primary key,
--- a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_order_by.adoc
+++ b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_order_by.adoc
@ -2,6 +2,4 @@ In this assignment try to perform an SQL injection through the ORDER BY field.
 Try to find the ip address of the `webgoat-prd` server, guessing the complete
 ip address might take too long so we give you the last part: `xxx.130.219.202`

-Tip: To complete this assignment a tool such as OWASP ZAP is required.
-
 Note: The submit field of this assignment is *NOT* vulnerable for an SQL injection.