Convert lesson into using DB instead of using regular expression to check the solution

2021-03-14 11:09:07 +01:00 · 2021-03-14 11:09:07 +01:00 · d4da2d0efa
commit d4da2d0efa
parent c798e4be32
5 changed files with 83 additions and 21 deletions
--- a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/SqlInjectionLessonTest.java
+++ b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/SqlInjectionLessonTest.java
@ -11,7 +11,7 @@ public class SqlInjectionLessonTest extends IntegrationTest {
    public static final String sql_3 = "update employees set department='Sales' where last_name='Barnett'";
    public static final String sql_4_drop = "alter table employees drop column phone";
    public static final String sql_4_add = "alter table employees add column phone varchar(20)";
-    public static final String sql_5 = "grant alter table to UnauthorizedUser";
+    public static final String sql_5 = "grant select on grant_rights to unauthorized_user";
    public static final String sql_9_account = " ' ";
    public static final String sql_9_operator = "or";
    public static final String sql_9_injection = "'1'='1";
--- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5.java
+++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5.java
@ -30,11 +30,36 @@ import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
 import javax.annotation.PostConstruct;
 import javax.sql.DataSource;
 import java.sql.Connection;
 import java.sql.ResultSet;
 import java.sql.SQLException;
 import java.sql.Statement;
@RestController
@AssignmentHints(value = {"SqlStringInjectionHint5-a"})
 public class SqlInjectionLesson5 extends AssignmentEndpoint {
    private final DataSource dataSource;
    public SqlInjectionLesson5(DataSource dataSource) {
        this.dataSource = dataSource;
    }
    @PostConstruct
    public void createUser() {
        // HSQLDB does not support CREATE USER with IF NOT EXISTS so we need to do it in code (DROP first will throw error if user does not exists)
        try (Connection connection = dataSource.getConnection()) {
            try (var statement = connection.prepareStatement("CREATE USER unauthorized_user PASSWORD test")) {
                statement.execute();
            }
        } catch (Exception e) {
            //user already exists continue
        }
    }
    @PostMapping("/SqlInjection/attack5")
    @ResponseBody
    public AttackResult completed(String query) {
@ -42,19 +67,29 @@ public class SqlInjectionLesson5 extends AssignmentEndpoint {
    }
    protected AttackResult injectableQuery(String query) {
-        try {
+        try (Connection connection = dataSource.getConnection()) {
-            String regex = "(?i)^(grant alter table to [']?unauthorizedUser[']?)(?:[;]?)$";
+            try (Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_UPDATABLE)) {
-            StringBuffer output = new StringBuffer();
+                statement.executeQuery(query);
-
+                if (checkSolution(connection)) {
-            // user completes lesson if the query is correct
+                    return success(this).build();
-            if (query.matches(regex)) {
+                }
-                output.append("<span class='feedback-positive'>" + query + "</span>");
+                return failed(this).output("Your query was: " + query).build();
                return success(this).output(output.toString()).build();
            } else {
                return failed(this).output(output.toString()).build();
            }
        } catch (Exception e) {
-            return failed(this).output(this.getClass().getName() + " : " + e.getMessage()).build();
+            return failed(this).output(this.getClass().getName() + " : " + e.getMessage() + "<br> Your query was: " + query).build();
        }
    }
    private boolean checkSolution(Connection connection) {
        try {
            var stmt = connection.prepareStatement("SELECT * FROM INFORMATION_SCHEMA.TABLE_PRIVILEGES WHERE TABLE_NAME = ? AND GRANTEE = ?");
            stmt.setString(1, "GRANT_RIGHTS");
            stmt.setString(2, "UNAUTHORIZED_USER");
            var resultSet = stmt.executeQuery();
            return resultSet.next();
        } catch (SQLException throwables) {
            return false;
        }
    }
 }
--- a/webgoat-lessons/sql-injection/src/main/resources/db/migration/V2021_03_13_8__grant.sql
+++ b/webgoat-lessons/sql-injection/src/main/resources/db/migration/V2021_03_13_8__grant.sql
@ -0,0 +1,14 @@
 CREATE TABLE grant_rights(
  userid varchar(6) not null primary key,
  first_name varchar(20),
  last_name varchar(20),
  department varchar(20),
  salary int
 );
 INSERT INTO grant_rights VALUES ('32147','Paulina',  'Travers', 'Accounting',  46000);
 INSERT INTO grant_rights VALUES ('89762','Tobi',     'Barnett', 'Development', 77000);
 INSERT INTO grant_rights VALUES ('96134','Bob',      'Franco',  'Marketing',   83700);
 INSERT INTO grant_rights VALUES ('34477','Abraham ', 'Holman',  'Development', 50000);
 INSERT INTO grant_rights VALUES ('37648','John',     'Smith',   'Marketing',   64350);
--- a/webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties
+++ b/webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties
@ -25,7 +25,8 @@ SqlStringInjectionHint4-1=ALTER TABLE alters the structure of an existing databa
 SqlStringInjectionHint4-2=Do not forget the data type of the new column (e.g. varchar(size) or int(size))
 SqlStringInjectionHint4-3=ALTER TABLE table name ADD column name data type(size);
-SqlStringInjectionHint5-a=Look at the example. There is everything you will need.
+SqlStringInjectionHint5-1=Take a look at how to use a grant statement.
 SqlStringInjectionHint5-2=You are using 'tom' trying to grant access to tom 
 sql-injection.5a.success=<span class='feedback-positive'>You have succeeded: {0}</span>
 sql-injection.5a.no.results=<span class='feedback-negative'>No results matched. Try Again.</span>
--- a/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5Test.java
+++ b/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5Test.java
@ -23,16 +23,22 @@
 package org.owasp.webgoat.sql_injection.introduction;
 import org.hamcrest.CoreMatchers;
 import org.junit.After;
 import org.junit.Before;
 import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.mockito.junit.MockitoJUnitRunner;
 import org.owasp.webgoat.assignments.AssignmentEndpointTest;
 import org.owasp.webgoat.sql_injection.SqlLessonTest;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
 import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
 import javax.sql.DataSource;
 import java.sql.SQLException;
 import static org.mockito.Mockito.when;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
@ -41,28 +47,34 @@ import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standal
@RunWith(SpringJUnit4ClassRunner.class)
 public class SqlInjectionLesson5Test extends SqlLessonTest {
    @Autowired
    private DataSource dataSource;
    @After
    public void removeGrant() throws SQLException {
        dataSource.getConnection().prepareStatement("revoke select on grant_rights from unauthorized_user cascade").execute();
    }
    @Test
    public void grantSolution() throws Exception {
        mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/attack5")
-                .param("query","grant alter table to unauthorizedUser"))
+                .param("query", "grant select on grant_rights to unauthorized_user"))
                .andExpect(status().isOk())
                .andExpect(jsonPath("$.output", CoreMatchers.containsString("grant")))
                .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(true)));
    }
    @Test
-    public void grantSolutionWithSingleQuotes() throws Exception {
+    public void differentTableShouldNotSolveIt() throws Exception {
        mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/attack5")
-                .param("query","grant alter table to 'unauthorizedUser';"))
+                .param("query", "grant select on users to unauthorized_user"))
                .andExpect(status().isOk())
-                .andExpect(jsonPath("$.output", CoreMatchers.containsString("grant")))
+                .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
                .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(true)));
    }
    @Test
-    public void grantSolutionWrong() throws Exception {
+    public void noGrantShouldNotSolveIt() throws Exception {
        mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/attack5")
-                .param("query","grant alter table to me"))
+                .param("query", "select * from grant_rights"))
                .andExpect(status().isOk())
                .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
    }