diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
index e83f945f1..89ca589eb 100644
--- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
+++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
@@ -41,7 +41,7 @@ import java.sql.Statement;
@RestController
@AssignmentHints(value = {"SqlStringInjectionHint-advanced-6a-1", "SqlStringInjectionHint-advanced-6a-2", "SqlStringInjectionHint-advanced-6a-3",
- "SqlStringInjectionHint-advanced-6a-4"})
+ "SqlStringInjectionHint-advanced-6a-4", "SqlStringInjectionHint-advanced-6a-5"})
public class SqlInjectionLesson6a extends AssignmentEndpoint {
private final DataSource dataSource;
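Review bot: Nothing in this commit checks that the string keys listed in `@AssignmentHints` actually resolve to entries in `WebGoatLabels.properties`, which is presumably how hint 6a-5 went unregistered here and how the `10a-10a2` typo in `SqlInjectionLesson10a` went unnoticed. The new `SqlStringInjectionHint-advanced-6a-5` key is defined in the properties hunk of this commit, but the corrected `SqlStringInjectionHint-mitigation-10a-2` key is not visible in any hunk shown, so confirm it exists in the bundle. A small test would catch the next mismatch, for example looping over `SqlInjectionLesson6a.class.getAnnotation(AssignmentHints.class).value()` and asserting that `messages.getMessage(key)` resolves each key. This assumes the annotation is retained at runtime. The class body continues outside the hunk.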
diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlInjectionLesson10a.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlInjectionLesson10a.java
index a01acd6ee..d590e88f3 100644
--- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlInjectionLesson10a.java
+++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlInjectionLesson10a.java
@@ -33,7 +33,7 @@ import org.springframework.web.bind.annotation.RestController;
@RestController
@Slf4j
-@AssignmentHints(value = {"SqlStringInjectionHint-mitigation-10a-1", "SqlStringInjectionHint-mitigation-10a-10a2"})
+@AssignmentHints(value = {"SqlStringInjectionHint-mitigation-10a-1", "SqlStringInjectionHint-mitigation-10a-2"})
public class SqlInjectionLesson10a extends AssignmentEndpoint {
private String[] results = {"getConnection", "PreparedStatement", "prepareStatement", "?", "?", "setString", "setString"};
diff --git a/webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties b/webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties
index 0419a99e8..22ab599cf 100644
--- a/webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties
+++ b/webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties
@@ -10,8 +10,8 @@ SqlInjectionChallenge3=Use tooling to automate this attack
NoResultsMatched=No results matched, try again.
ResultsButNotTom=Try To login as Tom!
-sql-injection.2.success=You have succeeded!
-sql-injection.2.failed=Something went wrong! You got no results, check your SQL Statement and the table above.
+sql-injection.2.success=You have succeeded!
+sql-injection.2.failed=Something went wrong! You got no results, check your SQL Statement and the table above.
SqlStringInjectionHint2-1=You want the data from the column with the name department. You know the database name (employees) and you know the first- and lastname of the employee (first_name, last_name).
SqlStringInjectionHint2-2=SELECT column FROM tablename WHERE condition;
SqlStringInjectionHint2-3=Use ' instead of " when comparing two strings.
@@ -27,55 +27,55 @@ SqlStringInjectionHint4-3=ALTER TABLE table name ADD column name data type(size)
SqlStringInjectionHint5-1=Take a look at how to use a grant statement.
SqlStringInjectionHint5-2=You are using 'tom' trying to grant access to tom
-sql-injection.5a.success=You have succeeded: {0}
-sql-injection.5a.no.results=No results matched. Try Again.
-SqlStringInjectionHint5a1=Remember that for an successful Sql-Injection the query needs to always evaluate to true.
+sql-injection.5a.success=You have succeeded: {0}
+sql-injection.5a.no.results=No results matched. Try Again.
+SqlStringInjectionHint5a1=Remember that for an successful Sql-Injection the query needs to always evaluate to true.
-sql-injection.5b.success=You have succeeded: {0}
-sql-injection.5b.no.results=No results matched. Try Again.
+sql-injection.5b.success=You have succeeded: {0}
+sql-injection.5b.no.results=No results matched. Try Again.
SqlStringInjectionHint5b1=Try to check which of the input fields is susceptible to an injection attack.
-SqlStringInjectionHint5b2=Insert: 0 or 1 = 1 into the first input field. The output should tell you if this field is injectable.
+SqlStringInjectionHint5b2=Insert: 0 or 1 = 1 into the first input field. The output should tell you if this field is injectable.
SqlStringInjectionHint5b3=The first input field is not susceptible to sql injection.
SqlStringInjectionHint5b4=You do not need to insert any quotations into your injection-string.
-sql-injection.6a.success=You have succeeded: {0}
-sql-injection.6a.no.results=No results matched. Try Again.
+sql-injection.6a.success=You have succeeded: {0}
+sql-injection.6a.no.results=No results matched. Try Again.
-sql-injection.advanced.6a.success=You have succeeded: {0}
-sql-injection.advanced.6a.no.results=No results matched. Try Again.
+sql-injection.advanced.6a.success=You have succeeded: {0}
+sql-injection.advanced.6a.no.results=No results matched. Try Again.
SqlStringInjectionHint-advanced-6a-1=Remember that when using an UNION each SELECT statement within UNION must have the same number of columns.
SqlStringInjectionHint-advanced-6a-2=The data type of a column in the first SELECT statement must have a similar data type to that in the second SELECT statement.
SqlStringInjectionHint-advanced-6a-3=Your new SQL query must end with a comment. eg: --
-SqlStringInjectionHint-advanced-6a-4=If a column needs a String you could substitute something like 'a String' for it. For integers you could substitute a 1.
-SqlStringInjectionHint-advanced-6a-5=Try something like: Smith' UNION SELECT userid,user_name, password, 'a', 'b', 'c', 1 from user_system_data --
+SqlStringInjectionHint-advanced-6a-4=If a column needs a String you could substitute something like 'a String' for it. For integers you could substitute a 1.
+SqlStringInjectionHint-advanced-6a-5=Try something like: Smith' UNION SELECT userid,user_name, password, 'a', 'b', 'c', 1 from user_system_data --
-sql-injection.6b.success=You have succeeded: {0}
-sql-injection.6b.no.results=No results matched. Try Again.
+sql-injection.6b.success=You have succeeded: {0}
+sql-injection.6b.no.results=No results matched. Try Again.
-sql-injection.8.success=You have succeeded! You successfully compromised the confidentiality of data by viewing internal information that you should not have access to. Well done!
-sql-injection.8.no.results=No employee found with matching last name. Or maybe your authentication TAN is incorrect?
-sql-injection.8.one=That is only one account. You want them all! Try again.
+sql-injection.8.success=You have succeeded! You successfully compromised the confidentiality of data by viewing internal information that you should not have access to. Well done!
+sql-injection.8.no.results=No employee found with matching last name. Or maybe your authentication TAN is incorrect?
+sql-injection.8.one=That is only one account. You want them all! Try again.
SqlStringInjectionHint.8.1=The application is taking your input and inserting the values into the variables 'name' and 'auth_tan' of the pre-formed SQL command.
SqlStringInjectionHint.8.2=Compound SQL statements can be made by expanding the WHERE clause of the statement with keywords like AND and OR.
SqlStringInjectionHint.8.3=Try appending a SQL statement that always resolves to true.
SqlStringInjectionHint.8.4=Make sure all quotes (" ' ") are opened and closed properly so the resulting SQL query is syntactically correct.
SqlStringInjectionHint.8.5=Try extending the WHERE clause of the statement by adding something like: ' OR '1' = '1.
-sql-injection.9.success=Well done! Now you are earning the most money. And at the same time you successfully compromised the integrity of data by changing the salary!
-sql-injection.9.one=Still not earning enough! Better try again and change that.
+sql-injection.9.success=Well done! Now you are earning the most money. And at the same time you successfully compromised the integrity of data by changing the salary!
+sql-injection.9.one=Still not earning enough! Better try again and change that.
SqlStringInjectionHint.9.1=Try to find a way, to chain another query to the end of the existing one.
SqlStringInjectionHint.9.2=Use the ; metacharacter to do so.
SqlStringInjectionHint.9.3=Make use of DML to change your salary.
SqlStringInjectionHint.9.4=Make sure that the resulting query is syntactically correct.
SqlStringInjectionHint.9.5=How about something like '; UPDATE employees....
-sql-injection.10.success=Success! You successfully deleted the access_log table and that way compromised the availability of the data.
-sql-injection.10.entries=There is still evidence of what you did. Better remove the whole table.
+sql-injection.10.success=Success! You successfully deleted the access_log table and that way compromised the availability of the data.
+sql-injection.10.entries=There is still evidence of what you did. Better remove the whole table.
-sql-injection.10b.success=You did it! Your code can prevent an SQL injection attack!
-sql-injection.10b.failed=Something does not seem right with that code. Maybe you should look at an example how to prevent SQL injections with JDBC?
-sql-injection.10b.no-code=You need to write some code.
-sql-injection.10b.compiler-errors=Could not compile code:
+sql-injection.10b.success=You did it! Your code can prevent an SQL injection attack!
+sql-injection.10b.failed=Something does not seem right with that code. Maybe you should look at an example how to prevent SQL injections with JDBC?
+sql-injection.10b.no-code=You need to write some code.
+sql-injection.10b.compiler-errors=Could not compile code:
SqlStringInjectionHint.10.1=Use the techniques that you have learned before.
SqlStringInjectionHint.10.2=The application takes your input and filters for entries that are LIKE it.
diff --git a/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9Test.java b/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9Test.java
index b495e7aa2..1125358a6 100644
--- a/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9Test.java
+++ b/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9Test.java
@@ -151,7 +151,6 @@ public class SqlInjectionLesson9Test extends SqlLessonTest {
.andExpect(status().isOk())
.andExpect(jsonPath("lessonCompleted", is(false)))
- .andExpect(jsonPath("$.feedback", is(messages.getMessage("sql-injection.error"))))
.andExpect(jsonPath("$.output", containsString("feedback-negative")));
} catch (AssertionError e) {
if (!e.getMessage().contains(completedError)) throw e;