From dd8b067a5571a0ed0456146e471b784390499fff Mon Sep 17 00:00:00 2001
From: Benedikt - Desktop
Date: Sun, 18 Nov 2018 14:41:37 +0100
Subject: [PATCH] Changed names of hints and messages fro SQL-Injection assignments for better readability in properties file.
---
 .../plugin/advanced/SqlInjectionLesson6a.java | 6 +-
 .../introduction/SqlInjectionLesson2.java | 2 +-
 .../introduction/SqlInjectionLesson3.java | 2 +-
 .../introduction/SqlInjectionLesson4.java | 2 +-
 .../introduction/SqlInjectionLesson5.java | 2 +-
 .../mitigation/SqlInjectionLesson10a.java | 2 +-
 .../mitigation/SqlInjectionLesson10b.java | 2 +-
 .../mitigation/SqlInjectionLesson12a.java | 2 +-
 .../resources/i18n/WebGoatLabels.properties | 86 +++++++++----------
 9 files changed, 52 insertions(+), 54 deletions(-)
diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/advanced/SqlInjectionLesson6a.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/advanced/SqlInjectionLesson6a.java
index 8ed18fa7d..3650ef760 100644
--- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/advanced/SqlInjectionLesson6a.java
+++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/advanced/SqlInjectionLesson6a.java
@@ -46,7 +46,7 @@ import java.sql.*;
 * @created October 28, 2003
 */
 @AssignmentPath("/SqlInjection/attack6a")
-@AssignmentHints(value = {"SqlStringInjectionHint6a1", "SqlStringInjectionHint6a2", "SqlStringInjectionHint6a3", "SqlStringInjectionHint6a4"})
+@AssignmentHints(value = {"SqlStringInjectionHint-advanced-6a-1", "SqlStringInjectionHint-advanced-6a-2", "SqlStringInjectionHint-advanced-6a-3"})
 public class SqlInjectionLesson6a extends AssignmentEndpoint {
 @RequestMapping(method = RequestMethod.POST)
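Review bot: The three hints now attached to attack6a (`SqlStringInjectionHint-advanced-6a-1` to `-3`) carry, in the properties hunk, the old Hint6/Hint7/Hint8 texts about appending a second statement to the query, while the endpoint's success branch in the next hunk only accepts a result when `usedUnion` is true and otherwise tells the user a UNION is required; the removed 6a1–6a4 hints about matching column counts were the ones that described this assignment. Unless the assignment's intent changed (not visible here), the texts under the new keys should be the UNION guidance, e.g. `SqlStringInjectionHint-advanced-6a-2=When using a UNION the number of columns, from both tables should match.`. The annotation also shrinks from four hints to three, so the fourth (column list) hint is lost entirely rather than renamed. The class body continues outside the hunk.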
@@ -82,14 +82,14 @@ public class SqlInjectionLesson6a extends AssignmentEndpoint {
 // If they get back more than one user they succeeded
 if (results.getRow() >= 5 && usedUnion) {
- return trackProgress(success().feedback("sql-injection.6a.success").feedbackArgs(output.toString()).build());
+ return trackProgress(success().feedback("sql-injection.advanced.6a.success").feedbackArgs(output.toString()).build());
 } else if((output.toString().contains("dave") && output.toString().contains("passW0rD")) && !usedUnion) {
 return trackProgress(failed().output("To succesfully complete this Assignement you have to use a UNION").build());
 } else {
 return trackProgress(failed().output(output.toString()).build());
 }
 } else {
- return trackProgress(failed().feedback("sql-injection.6a.no.results").build());
+ return trackProgress(failed().feedback("sql-injection.advanced.6a.no.results").build());
 }
 } catch (SQLException sqle) {
diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson2.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson2.java
index c5921ce11..6c1d48ce4 100644
--- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson2.java
+++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson2.java
@@ -46,7 +46,7 @@ import java.sql.*;
 * @created October 28, 2003
 */
 @AssignmentPath("/SqlInjection/attack2")
-@AssignmentHints(value = {"SqlStringInjectionHint2a1", "SqlStringInjectionHint2a2"})
+@AssignmentHints(value = {"SqlStringInjectionHint2-1", "SqlStringInjectionHint2-2"})
 public class SqlInjectionLesson2 extends AssignmentEndpoint {
 @RequestMapping(method = RequestMethod.POST)
diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson3.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson3.java
index b34bca509..b1f4a21a0 100644
--- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson3.java
+++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson3.java
@@ -46,7 +46,7 @@ import java.sql.*;
 * @created October 28, 2003
 */
 @AssignmentPath("/SqlInjection/attack3")
-@AssignmentHints(value = {"SqlStringInjectionHint3a1", "SqlStringInjectionHint3a2"})
+@AssignmentHints(value = {"SqlStringInjectionHint3-1", "SqlStringInjectionHint3-2"})
 public class SqlInjectionLesson3 extends AssignmentEndpoint {
 @RequestMapping(method = RequestMethod.POST)
diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson4.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson4.java
index bdcf9a864..efd64626a 100644
--- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson4.java
+++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson4.java
@@ -46,7 +46,7 @@ import java.sql.*;
 * @created October 28, 2003
 */
 @AssignmentPath("/SqlInjection/attack4")
-@AssignmentHints(value = {"SqlStringInjectionHint4a1", "SqlStringInjectionHint4a2", "SqlStringInjectionHint4a3"})
+@AssignmentHints(value = {"SqlStringInjectionHint4-1", "SqlStringInjectionHint4-2", "SqlStringInjectionHint4-3"})
 public class SqlInjectionLesson4 extends AssignmentEndpoint {
 @RequestMapping(method = RequestMethod.POST)
diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson5.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson5.java
index 5934a854d..6adbd7f4a 100644
--- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson5.java
+++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson5.java
@@ -46,7 +46,7 @@ import java.sql.*;
 * @created October 28, 2003
 */
 @AssignmentPath("/SqlInjection/attack5")
-@AssignmentHints(value = {"SqlStringInjectionHint5a1"})
+@AssignmentHints(value = {"SqlStringInjectionHint5-1"})
 public class SqlInjectionLesson5 extends AssignmentEndpoint {
 @RequestMapping(method = RequestMethod.POST)
diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson10a.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson10a.java
index 512eb30d5..57add71e3 100644
--- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson10a.java
+++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson10a.java
@@ -15,7 +15,7 @@ import org.springframework.web.bind.annotation.ResponseBody;
 @AssignmentPath("SqlInjection/attack10a")
 @Slf4j
-@AssignmentHints(value = {"SqlStringInjectionHint10a1", "SqlStringInjectionHint10a2"})
+@AssignmentHints(value = {"SqlStringInjectionHint-mitigation-10a-1", "SqlStringInjectionHint-mitigation-10a-10a2"})
 public class SqlInjectionLesson10a extends AssignmentEndpoint {
 @Autowired
diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson10b.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson10b.java
index 05bfc8ebd..1ff872a10 100644
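Review bot: The second hint key in the new `@AssignmentHints` of SqlInjectionLesson10a is `SqlStringInjectionHint-mitigation-10a-10a2`, but the properties hunk in this same commit defines `SqlStringInjectionHint-mitigation-10a-2`; the lookup will miss and the learner gets a raw key or no second hint at all. The annotation should read `@AssignmentHints(value = {"SqlStringInjectionHint-mitigation-10a-1", "SqlStringInjectionHint-mitigation-10a-2"})`. Nothing checks these keys at compile time, so a unit test that resolves every `@AssignmentHints` value against WebGoatLabels.properties would catch this class of drift on future renames. The class body continues outside the hunk.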
--- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson10b.java
+++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson10b.java
@@ -18,7 +18,7 @@ import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 @AssignmentPath("SqlInjection/attack10b")
-@AssignmentHints(value = {"SqlStringInjectionHint10b1", "SqlStringInjectionHint10b2", "SqlStringInjectionHint10b3"})
+@AssignmentHints(value = {"SqlStringInjectionHint-mitigation-10b-1", "SqlStringInjectionHint-mitigation-10b-2", "SqlStringInjectionHint-mitigation-10b-3"})
 public class SqlInjectionLesson10b extends AssignmentEndpoint {
 @RequestMapping(method = RequestMethod.POST)
diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson12a.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson12a.java
index 1394cfd53..8d1820cdd 100644
--- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson12a.java
+++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson12a.java
@@ -21,7 +21,7 @@ import java.sql.*;
 * @since 6/13/17.
 */
 @AssignmentPath("SqlInjection/attack12a")
-@AssignmentHints(value = {"SqlStringInjectionHint9", "SqlStringInjectionHint10", "SqlStringInjectionHint11", "SqlStringInjectionHint12"})
+@AssignmentHints(value = {"SqlStringInjectionHint-mitigation-12a-1", "SqlStringInjectionHint-mitigation-12a-2", "SqlStringInjectionHint-mitigation-12a-3", "SqlStringInjectionHint-mitigation-12a-4"})
 @Slf4j
 public class SqlInjectionLesson12a extends AssignmentEndpoint {
diff --git a/webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties b/webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties
index 4f0d9f649..3a19a9cbd 100644
--- a/webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties
+++ b/webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties
@@ -1,7 +1,4 @@
 #StringSqlInjection.java
-StringSqlInjectionSecondStage=Now that you have successfully performed an SQL injection, try the same type of attack on a parameterized query. Restart the lesson if you wish to return to the injectable query.
-EnterLastName=Enter your last name:
-
 sql.injection.title=SQL Injection (introduction)
 sql.mitigation.title=SQL Injection (mitigation)
 sql.advanced.title=SQL Injection (advanced)
@@ -11,47 +8,21 @@ SqlInjectionChallenge2=The vulnerability is on the register form
 SqlInjectionChallenge3=Use tooling to automate this attack
 sql-injection.error=Sorry, this solution is not correct. Try again!
-sql-injection.2.success=You have succeded!
-sql-injection.2.failed=Something went wrong! You got no results, check your SQL Statement and the table above
-
-sql-injection.error=Sorry, this solution is not correct. Try again!
-
 NoResultsMatched=No results matched. Try Again.
-SqlInjectionChallengeHint1=The Table Name is randomized at each start of Webgoat, try to figure out the name first.
-SqlInjectionChallengeHint2=Find the Field which is vulnerable to SQL Injection use that to change the password.
-SqlInjectionChallengeHint3=Change the password through an Update Statement.
-SqlInjectionChallengeHint4=The Vulnerable Field is the Username Field of the Register form.
-SqlStringInjectionHint5b1=Try to check which of the input fields is susceptible to an injection attack.
-SqlStringInjectionHint5b2=Insert 0 or 1 = 1 into the first input field. Th Output should tell you if this field is injectable.
-SqlStringInjectionHint5b3=The first Input field is not susceptible to sql injection.
-SqlStringInjectionHint5b4=You don't need to insert any quotations into your injection-string.
-SqlStringInjectionHint6a1=Try Appending stuff like ",1" to your query, to figure out how many columns there are.
-SqlStringInjectionHint6a2=When using a UNION the number of columns, from both tables should match.
-SqlStringInjectionHint6a3=The UNION should contain 7 columns.
-SqlStringInjectionHint6a4=Try using these columns in your union: userid, user_name, password, cookie, cookie, cookie, userid.
+sql-injection.2.success=You have succeeded!
+sql-injection.2.failed=Something went wrong! You got no results, check your SQL Statement and the table above
+SqlStringInjectionHint2-1=You want the data from the column with the name department. You know the database name (employees) and you know the first- and lastname of the employee (first_name, last_name).
+SqlStringInjectionHint2-2=SELECT column FROM tablename WHERE condition;
-SqlStringInjectionHint2a1=You want the data from the column with the name department. You know the database name (employees) and you know the first- and lastname of the employee (first_name, last_name).
-SqlStringInjectionHint2a2=SELECT column FROM tablename WHERE condition;
-SqlStringInjectionHint3a1=Try the UPDATE statement
-SqlStringInjectionHint3a2=UPDATE tablename SET columnname=value WHERE condition;
-SqlStringInjectionHint4a1=ALTER TABLE alters the structure of an existing database
-SqlStringInjectionHint4a2=Don't forget the data type of the new column (e.g. varchar(size) or int(size))
-SqlStringInjectionHint4a3=ALTER TABLE tablename ADD columnname data type(size);
-SqlStringInjectionHint5a1=Look at the example. There's everything you'll need.
-SqlStringInjectionHint6=Try Appending a new SQL Statement to the Query.
-SqlStringInjectionHint7=The new SQL Statement can be really simple like: SELECT ... FROM ...
-SqlStringInjectionHint8=Your new SQL Query should start, with a " ; " and end with " -- "
+SqlStringInjectionHint3-1=Try the UPDATE statement
+SqlStringInjectionHint3-2=UPDATE tablename SET columnname=value WHERE condition;
-SqlStringInjectionHint9=Try sorting and look at the request
-SqlStringInjectionHint10=Intercept the request and try to specify a different order by
-SqlStringInjectionHint10a1=First establish a connection, after that you can create a statement.
-SqlStringInjectionHint10a2=For every datatype there is a method to insert values into a wildcard symbol in a statement.
-SqlStringInjectionHint10b1=A database connection has to be surrounded by a try-catch block to handle the very common case of an error while establishing the connection!
-SqlStringInjectionHint10b2=Remember to use the right kind of statement, so your code is no longer vulnerable for SQL-Injections!
-SqlStringInjectionHint10b3=The wildcard-symbol '?' in a prepared statement can be filled with the right kind of method. There exists one for every datatype!
-SqlStringInjectionHint11=Use for example "(case when (true) then hostname else id end)" in the order by and see what happens
-SqlStringInjectionHint12=Use for example "(case when (true) then hostname else id end)" in the order by and see what happens
+SqlStringInjectionHint4-1=ALTER TABLE alters the structure of an existing database
+SqlStringInjectionHint4-2=Don't forget the data type of the new column (e.g. varchar(size) or int(size))
+SqlStringInjectionHint4-3=ALTER TABLE tablename ADD columnname data type(size);
+
+SqlStringInjectionHint5-1=Look at the example. There's everything you'll need.
 sql-injection.5a.success=You have succeeded: {0}
 sql-injection.5a.no.results=No results matched. Try Again.
@@ -59,32 +30,59 @@ sql-injection.5a.no.results=No results matched. Try Again.
 sql-injection.5b.success=You have succeeded: {0}
 sql-injection.5b.no.results=No results matched. Try Again.
+SqlStringInjectionHint5b1=Try to check which of the input fields is susceptible to an injection attack.
+SqlStringInjectionHint5b2=Insert 0 or 1 = 1 into the first input field. Th Output should tell you if this field is injectable.
+SqlStringInjectionHint5b3=The first Input field is not susceptible to sql injection.
+SqlStringInjectionHint5b4=You don't need to insert any quotations into your injection-string.
+
 sql-injection.6a.success=You have succeeded: {0}
 sql-injection.6a.no.results=No results matched. Try Again.
+sql-injection.advanced.6a.success=You have succeed: {0}
+sql-injection.advanced.6a.no.results=No results matched. Try Again.
+SqlStringInjectionHint-advanced-6a-1=Try Appending a new SQL Statement to the Query.
+SqlStringInjectionHint-advanced-6a-2=The new SQL Statement can be really simple like: SELECT ... FROM ...
+SqlStringInjectionHint-advanced-6a-3=Your new SQL Query should start, with a " ; " and end with " -- "
+
 sql-injection.6b.success=You have succeeded: {0}
 sql-injection.6b.no.results=No results matched. Try Again.
 sql-injection.8.success=You have succeeded! You successfully compromised the confidentiality of data by viewing internal information that you should not have access to. Well done! {0}
 sql-injection.8.no.results=No employee found with matching lastname. Or maybe your authentication TAN is incorrect?
-sql-injection.9.success=Well done! Now you're earning the most money. And at the same time you successfully compromised the integrity of data by changing the salary! {0}
-sql-injection.10.success=Success! You successfully deleted the access_log table and that way compromised the availability of the data.
-
 SqlStringInjectionHint.8.1=The application is taking your input and inserting the values into the variables 'name' and 'auth_tan' of the pre-formed SQL command.
 SqlStringInjectionHint.8.2=Compound SQL statements can be made by expanding the WHERE clause of the statement with keywords like AND and OR.
 SqlStringInjectionHint.8.3=Try appending a SQL statement that always resolves to true.
 SqlStringInjectionHint.8.4=Make sure all quotes (" ' ") are opened and closed properly so the resulting SQL query is syntactically correct.
 SqlStringInjectionHint.8.5=Try extending the WHERE clause of the statement by adding something like: ' OR '1' = '1.
+sql-injection.9.success=Well done! Now you're earning the most money. And at the same time you successfully compromised the integrity of data by changing the salary! {0}
 SqlStringInjectionHint.9.1=Try to find a way, to chain another query to the end of the existing one.
 SqlStringInjectionHint.9.2=Use the ; metacharacter to do so.
 SqlStringInjectionHint.9.3=Make use of DML to change your salary.
 SqlStringInjectionHint.9.4=Make sure that the resulting query is syntactically correct.
 SqlStringInjectionHint.9.5=How about something like '; UPDATE employees....
+sql-injection.10.success=Success! You successfully deleted the access_log table and that way compromised the availability of the data.
 SqlStringInjectionHint.10.1=Use the techniques that you have learned before.
 SqlStringInjectionHint.10.2=The application takes your input and filters for entries that are LIKE it.
 SqlStringInjectionHint.10.3=Try query chaining to reach the goal.
 SqlStringInjectionHint.10.4=The DDL allows you to delete (DROP) database tables.
 SqlStringInjectionHint.10.5=The underlying sql query looks like that: "SELECT * FROM access_log WHERE action LIKE '%" + action + "%'".
-SqlStringInjectionHint.10.6=Remember that you can use the -- metacharacter to comment out the rest of the line.
\ No newline at end of file
+SqlStringInjectionHint.10.6=Remember that you can use the -- metacharacter to comment out the rest of the line.
+
+SqlStringInjectionHint-mitigation-10a-1=First establish a connection, after that you can create a statement.
+SqlStringInjectionHint-mitigation-10a-2=For every datatype there is a method to insert values into a wildcard symbol in a statement.
+
+SqlStringInjectionHint-mitigation-10b-1=A database connection has to be surrounded by a try-catch block to handle the very common case of an error while establishing the connection!
+SqlStringInjectionHint-mitigation-10b-2=Remember to use the right kind of statement, so your code is no longer vulnerable for SQL-Injections!
+SqlStringInjectionHint-mitigation-10b-3=The wildcard-symbol '?' in a prepared statement can be filled with the right kind of method. There exists one for every datatype!
+
+SqlStringInjectionHint-mitigation-12a-1=Try sorting and look at the request
+SqlStringInjectionHint-mitigation-12a-2=Intercept the request and try to specify a different order by
+SqlStringInjectionHint-mitigation-12a-3=Use for example "(case when (true) then hostname else id end)" in the order by and see what happens
+SqlStringInjectionHint-mitigation-12a-4=Use for example "(case when (true) then hostname else id end)" in the order by and see what happens
+
+SqlInjectionChallengeHint1=The Table Name is randomized at each start of Webgoat, try to figure out the name first.
+SqlInjectionChallengeHint2=Find the Field which is vulnerable to SQL Injection use that to change the password.
+SqlInjectionChallengeHint3=Change the password through an Update Statement.
+SqlInjectionChallengeHint4=The Vulnerable Field is the Username Field of the Register form.
\ No newline at end of file
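Review bot: The new `sql-injection.advanced.6a.success` message reads `You have succeed: {0}`; it should be `sql-injection.advanced.6a.success=You have succeeded: {0}` to match every other success message in this file. `SqlStringInjectionHint-mitigation-12a-3` and `-12a-4` carry identical text (inherited from the old Hint11/Hint12), so the fourth entry in the 12a annotation shows the learner nothing new; either give it distinct wording or drop it from the annotation. Since SqlInjectionLesson6a now resolves only the `advanced` keys, the kept `sql-injection.6a.success`/`sql-injection.6a.no.results` pair looks unreferenced after this commit, though I cannot see other callers from this diff. The moved `SqlStringInjectionHint5b2` still contains the typo `Th Output`.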