Convert lesson into using DB instead of using regular expression to check the solution

2021-03-14 11:09:07 +01:00
parent c798e4be32
commit d4da2d0efa
5 changed files with 83 additions and 21 deletions
--- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5.java
+++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5.java
@ -30,11 +30,36 @@ import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;

+import javax.annotation.PostConstruct;
+import javax.sql.DataSource;
+import java.sql.Connection;
+import java.sql.ResultSet;
+import java.sql.SQLException;
+import java.sql.Statement;
+

@RestController
@AssignmentHints(value = {"SqlStringInjectionHint5-a"})
 public class SqlInjectionLesson5 extends AssignmentEndpoint {

+    private final DataSource dataSource;
+
+    public SqlInjectionLesson5(DataSource dataSource) {
+        this.dataSource = dataSource;
+    }
+
+    @PostConstruct
+    public void createUser() {
+        // HSQLDB does not support CREATE USER with IF NOT EXISTS so we need to do it in code (DROP first will throw error if user does not exists)
+        try (Connection connection = dataSource.getConnection()) {
+            try (var statement = connection.prepareStatement("CREATE USER unauthorized_user PASSWORD test")) {
+                statement.execute();
+            }
+        } catch (Exception e) {
+            //user already exists continue
+        }
+    }
+
    @PostMapping("/SqlInjection/attack5")
    @ResponseBody
    public AttackResult completed(String query) {
@ -42,19 +67,29 @@ public class SqlInjectionLesson5 extends AssignmentEndpoint {
    }

    protected AttackResult injectableQuery(String query) {
-        try {
-            String regex = "(?i)^(grant alter table to [']?unauthorizedUser[']?)(?:[;]?)$";
-            StringBuffer output = new StringBuffer();
-
-            // user completes lesson if the query is correct
-            if (query.matches(regex)) {
-                output.append("<span class='feedback-positive'>" + query + "</span>");
-                return success(this).output(output.toString()).build();
-            } else {
-                return failed(this).output(output.toString()).build();
+        try (Connection connection = dataSource.getConnection()) {
+            try (Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_UPDATABLE)) {
+                statement.executeQuery(query);
+                if (checkSolution(connection)) {
+                    return success(this).build();
+                }
+                return failed(this).output("Your query was: " + query).build();
            }
        } catch (Exception e) {
-            return failed(this).output(this.getClass().getName() + " : " + e.getMessage()).build();
+            return failed(this).output(this.getClass().getName() + " : " + e.getMessage() + "<br> Your query was: " + query).build();
        }
    }
+
+    private boolean checkSolution(Connection connection) {
+        try {
+            var stmt = connection.prepareStatement("SELECT * FROM INFORMATION_SCHEMA.TABLE_PRIVILEGES WHERE TABLE_NAME = ? AND GRANTEE = ?");
+            stmt.setString(1, "GRANT_RIGHTS");
+            stmt.setString(2, "UNAUTHORIZED_USER");
+            var resultSet = stmt.executeQuery();
+            return resultSet.next();
+        } catch (SQLException throwables) {
+            return false;
+        }
+
+    }
 }
--- a/webgoat-lessons/sql-injection/src/main/resources/db/migration/V2021_03_13_8__grant.sql
+++ b/webgoat-lessons/sql-injection/src/main/resources/db/migration/V2021_03_13_8__grant.sql
@ -0,0 +1,14 @@
+CREATE TABLE grant_rights(
+  userid varchar(6) not null primary key,
+  first_name varchar(20),
+  last_name varchar(20),
+  department varchar(20),
+  salary int
+);
+
+INSERT INTO grant_rights VALUES ('32147','Paulina',  'Travers', 'Accounting',  46000);
+INSERT INTO grant_rights VALUES ('89762','Tobi',     'Barnett', 'Development', 77000);
+INSERT INTO grant_rights VALUES ('96134','Bob',      'Franco',  'Marketing',   83700);
+INSERT INTO grant_rights VALUES ('34477','Abraham ', 'Holman',  'Development', 50000);
+INSERT INTO grant_rights VALUES ('37648','John',     'Smith',   'Marketing',   64350);
+
--- a/webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties
+++ b/webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties
@ -25,7 +25,8 @@ SqlStringInjectionHint4-1=ALTER TABLE alters the structure of an existing databa
 SqlStringInjectionHint4-2=Do not forget the data type of the new column (e.g. varchar(size) or int(size))
 SqlStringInjectionHint4-3=ALTER TABLE table name ADD column name data type(size);

-SqlStringInjectionHint5-a=Look at the example. There is everything you will need.
+SqlStringInjectionHint5-1=Take a look at how to use a grant statement.
+SqlStringInjectionHint5-2=You are using 'tom' trying to grant access to tom 

 sql-injection.5a.success=<span class='feedback-positive'>You have succeeded: {0}</span>
 sql-injection.5a.no.results=<span class='feedback-negative'>No results matched. Try Again.</span>