Implemented better lesson description, hints and feedback

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/advanced/SqlInjectionLesson6a.java

@@ -46,7 +46,8 @@ import java.sql.*;
  * @created October 28, 2003
  */
 @AssignmentPath("/SqlInjection/attack6a")
-@AssignmentHints(value = {"SqlStringInjectionHint-advanced-6a-1", "SqlStringInjectionHint-advanced-6a-2", "SqlStringInjectionHint-advanced-6a-3"})
+@AssignmentHints(value = {"SqlStringInjectionHint-advanced-6a-1", "SqlStringInjectionHint-advanced-6a-2", "SqlStringInjectionHint-advanced-6a-3",
+"SqlStringInjectionHint-advanced-6a-4", "SqlStringInjectionHint-advanced-6a-5"})
 public class SqlInjectionLesson6a extends AssignmentEndpoint {
 
     @RequestMapping(method = RequestMethod.POST)
@@ -58,10 +59,11 @@ public class SqlInjectionLesson6a extends AssignmentEndpoint {
     }
 
     protected AttackResult injectableQuery(String accountName) {
+        String query = "";
         try {
             boolean usedUnion = true;
             Connection connection = DatabaseUtilities.getConnection(getWebSession());
-            String query = "SELECT * FROM user_data WHERE last_name = '" + accountName + "'";
+            query = "SELECT * FROM user_data WHERE last_name = '" + accountName + "'";
             //Check if Union is used
             if(!accountName.matches("(?i)(^[^-/*;)]*)(\\s*)UNION(.*$)")) {
                 usedUnion = false;
@@ -77,27 +79,26 @@ public class SqlInjectionLesson6a extends AssignmentEndpoint {
 
                     output.append(SqlInjectionLesson5a.writeTable(results, resultsMetaData));
                     if(! usedUnion)
-                        output.append("To succesfully complete this Assignement you have to use a UNION");
+                        output.append("To successfully complete this Assignment you have to use a UNION");
                     results.last();
 
                     // If they get back more than one user they succeeded
                     if (results.getRow() >= 5 && usedUnion) {
-                        return trackProgress(success().feedback("sql-injection.advanced.6a.success").feedbackArgs(output.toString()).build());
+                        return trackProgress(success().feedback("sql-injection.advanced.6a.success").feedbackArgs(output.toString()).output(" Your query was: " + query).build());
                     } else if((output.toString().contains("dave") && output.toString().contains("passW0rD")) && !usedUnion) {
-                        return trackProgress(failed().output("To succesfully complete this Assignement you have to use a UNION").build());
+                        return trackProgress(failed().output("To successfully complete this Assignment you have to use a UNION" + "<br> Your query was: " + query).build());
                     } else {
-                        return trackProgress(failed().output(output.toString()).build());
+                        return trackProgress(failed().output(output.toString() + "<br> Your query was: " + query).build());
                     }
                 } else {
-                    return trackProgress(failed().feedback("sql-injection.advanced.6a.no.results").build());
+                    return trackProgress(failed().feedback("sql-injection.advanced.6a.no.results").output(" Your query was: " + query).build());
-
                 }
             } catch (SQLException sqle) {
-                return trackProgress(failed().output(sqle.getMessage()).build());
+                return trackProgress(failed().output(sqle.getMessage() + "<br> Your query was: " + query).build());
             }
         } catch (Exception e) {
             e.printStackTrace();
-            return trackProgress(failed().output(this.getClass().getName() + " : " + e.getMessage()).build());
+            return trackProgress(failed().output(this.getClass().getName() + " : " + e.getMessage() + "<br> Your query was: " + query).build());
         }
     }
 }

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson5a.java

@@ -55,10 +55,11 @@ public class SqlInjectionLesson5a extends AssignmentEndpoint {
   }
 
   protected AttackResult injectableQuery(String accountName) {
+    String query = "";
     try {
       Connection connection = DatabaseUtilities.getConnection(getWebSession());
       System.out.println(accountName);
-      String query = "SELECT * FROM user_data WHERE first_name = 'John' and last_name = '" + accountName + "'";
+      query = "SELECT * FROM user_data WHERE first_name = 'John' and last_name = '" + accountName + "'";
       try {
         Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,
                 ResultSet.CONCUR_READ_ONLY);
@@ -73,20 +74,20 @@ public class SqlInjectionLesson5a extends AssignmentEndpoint {
 
           // If they get back more than one user they succeeded
           if (results.getRow() >= 6) {
-            return trackProgress(success().feedback("sql-injection.5a.success").feedbackArgs(output.toString()).build());
+            return trackProgress(success().feedback("sql-injection.5a.success").output("Your query was: " + query).feedbackArgs(output.toString()).build());
           } else {
-            return trackProgress(failed().output(output.toString()).build());
+            return trackProgress(failed().output(output.toString() + "<br> Your query was: " + query).build());
           }
         } else {
-          return trackProgress(failed().feedback("sql-injection.5a.no.results").build());
+          return trackProgress(failed().feedback("sql-injection.5a.no.results").output("Your query was: " + query).build());
 
         }
       } catch (SQLException sqle) {
 
-        return trackProgress(failed().output(sqle.getMessage()).build());
+        return trackProgress(failed().output(sqle.getMessage() + "<br> Your query was: " + query).build());
       }
     } catch (Exception e) {
-      return trackProgress(failed().output(this.getClass().getName() + " : " + e.getMessage()).build());
+      return trackProgress(failed().output(this.getClass().getName() + " : " + e.getMessage() + "<br> Your query was: " + query).build());
     }
   }
 

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson5b.java

@@ -57,22 +57,24 @@ public class SqlInjectionLesson5b extends AssignmentEndpoint {
     return injectableQuery(login_count, userid);
   }
 
+
   protected AttackResult injectableQuery(String login_count, String accountName) {
+    String queryString = "SELECT * From user_data WHERE Login_Count = ? and userid= " + accountName;
     try {
       Connection connection = DatabaseUtilities.getConnection(getWebSession());
-      PreparedStatement query = connection.prepareStatement("SELECT * From user_data WHERE Login_Count = ? and userid= " + accountName, ResultSet.TYPE_SCROLL_INSENSITIVE,
+      PreparedStatement query = connection.prepareStatement(queryString, ResultSet.TYPE_SCROLL_INSENSITIVE,
               ResultSet.CONCUR_READ_ONLY);
 
       int count = 0;
       try {
         count = Integer.parseInt(login_count);
       } catch(Exception e) {
-        return trackProgress(failed().output(this.getClass().getName() + " : " + e.getMessage()).build());
+        return trackProgress(failed().output("Could not parse: " + login_count + " to a number" +
+                "<br> Your query was: " + queryString.replace("?", login_count)).build());
       }
 
       query.setInt(1, count);
       //String query = "SELECT * FROM user_data WHERE Login_Count = " + login_count + " and userid = " + accountName, ;
-      System.err.println("Querry: " + query);
       try {
         Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,
                 ResultSet.CONCUR_READ_ONLY);
@@ -87,23 +89,22 @@ public class SqlInjectionLesson5b extends AssignmentEndpoint {
 
           // If they get back more than one user they succeeded
           if (results.getRow() >= 6) {
-            return trackProgress(success().feedback("sql-injection.5b.success").feedbackArgs(output.toString()).build());
+            return trackProgress(success().feedback("sql-injection.5b.success").output("Your query was: " + queryString.replace("?", login_count)).feedbackArgs(output.toString()).build());
           } else {
-            return trackProgress(failed().output(output.toString()).build());
+            return trackProgress(failed().output(output.toString() + "<br> Your query was: " + queryString.replace("?", login_count)).build());
           }
 
         } else {
-          return trackProgress(failed().feedback("sql-injection.5b.no.results").build());
+          return trackProgress(failed().feedback("sql-injection.5b.no.results").output("Your query was: " + queryString.replace("?", login_count)).build());
 
 //                    output.append(getLabelManager().get("NoResultsMatched"));
         }
       } catch (SQLException sqle) {
 
-        return trackProgress(failed().output(sqle.getMessage()).build());
+        return trackProgress(failed().output(sqle.getMessage() + "<br> Your query was: " + queryString.replace("?", login_count)).build());
       }
     } catch (Exception e) {
-      e.printStackTrace();
+      return trackProgress(failed().output(this.getClass().getName() + " : " + e.getMessage() + "<br> Your query was: " + queryString.replace("?", login_count)).build());
-      return trackProgress(failed().output(this.getClass().getName() + " : " + e.getMessage()).build());
     }
   }
 }

webgoat-lessons/sql-injection/src/main/resources/html/SqlInjection.html

@@ -196,11 +196,11 @@
             <table>
                 <tr>
                     <td>Login_Count:</td>
-                    <td><input name="login_count" value="" type="text"/></td>
+                    <td><input name="login_count" type="text" required="true"/></td>
                 </tr>
                 <tr>
                     <td>User_Id:</td>
-                    <td><input name="userid" value="" type="TEXT"/></td>
+                    <td><input name="userid" type="TEXT" required="true"/></td>
                 </tr>
                 <tr>
                     <td></td>

webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties

@@ -30,7 +30,7 @@ sql-injection.5b.success=<span class='feedback-positive'>You have succeed: {0}</
 sql-injection.5b.no.results=<span class='feedback-negative'>No results matched. Try Again.</span>
 
 SqlStringInjectionHint5b1=Try to check which of the input fields is susceptible to an injection attack.
-SqlStringInjectionHint5b2=Insert 0 or 1 = 1 into the first input field. The Output should tell you if this field is injectable.
+SqlStringInjectionHint5b2=Insert: <span style="font-style: italic">0 or 1 = 1</span> into the first input field. The Output should tell you if this field is injectable.
 SqlStringInjectionHint5b3=The first Input field is not susceptible to sql injection.
 SqlStringInjectionHint5b4=You don't need to insert any quotations into your injection-string.
 
@@ -39,9 +39,11 @@ sql-injection.6a.no.results=<span class='feedback-negative'>No results matched.
 
 sql-injection.advanced.6a.success=<span class='feedback-positive'>You have succeed: {0}</span>
 sql-injection.advanced.6a.no.results=<span class='feedback-negative'>No results matched. Try Again.</span>
-SqlStringInjectionHint-advanced-6a-1=Try Appending a new SQL Statement to the Query.
+SqlStringInjectionHint-advanced-6a-1=Remember, that when using a Union, Each SELECT statement within UNION must have the same number of columns.
-SqlStringInjectionHint-advanced-6a-2=The new SQL Statement can be really simple like: SELECT ... FROM ...
+SqlStringInjectionHint-advanced-6a-2=The Datatype of a column in the first SELECT statement must have a similar datatype to that in the second SELECT statement.
-SqlStringInjectionHint-advanced-6a-3=Your new SQL Query should start, with a " ; " and end with " -- "
+SqlStringInjectionHint-advanced-6a-3=Your new SQL Query must end with a comment. eg: --
+SqlStringInjectionHint-advanced-6a-4=If a column needs a String you could substitute something like <span style="font-style: italic">'a String'</span> for it. For an integer you could substitute a <span style="font-style: italic">1</span>.
+SqlStringInjectionHint-advanced-6a-5=Try something like: <span style="font-style: italic">Smith' UNION SELECT userid,user_name, password, 'a', 'b', 'c', 1 from user_system_data --</span> 
 
 sql-injection.6b.success=<span class='feedback-positive'>You have succeed: {0}</span>
 sql-injection.6b.no.results=<span class='feedback-negative'>No results matched. Try Again.</span>

webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content6a.adoc

@@ -1,8 +1,21 @@
 == Try It! Pulling data from other tables
 
-Lets try to exploit the fact that you can use a union to get the contents of another table.
+The input field below is used to get data from a user by their last name. +
+The table is called 'user_data':
 
-One of the tables in the WebGoat database is:
+-------------------------------------------------------
+CREATE TABLE user_data (userid int not null,
+                        first_name varchar(20),
+                        last_name varchar(20),
+                        cc_number varchar(30),
+                        cc_type varchar(10),
+                        cookie varchar(20),
+                        login_count int);
+-------------------------------------------------------
+
+Through experimentation you found that this field is susceptible to SQL Injection.
+Now you want to use that knowledge to get the contents of another table. +
+The table you want to pull data from is:
 
 -------------------------------------------------------
 CREATE TABLE user_system_data (userid int not null primary key,

webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_order_by.adoc

@@ -2,6 +2,4 @@ In this assignment try to perform an SQL injection through the ORDER BY field.
 Try to find the ip address of the `webgoat-prd` server, guessing the complete
 ip address might take too long so we give you the last part: `xxx.130.219.202`
 
-Tip: To complete this assignment a tool such as OWASP ZAP is required.
-
 Note: The submit field of this assignment is *NOT* vulnerable for an SQL injection.