Fix issue with labels in SQL lessons

This commit is contained in:
Nanne Baars 2021-04-01 17:40:35 +02:00 committed by Nanne Baars
parent 59c96f9890
commit de453fad84
4 changed files with 29 additions and 30 deletions


@ -41,7 +41,7 @@ import java.sql.Statement;
@RestController
@AssignmentHints(value = {"SqlStringInjectionHint-advanced-6a-1", "SqlStringInjectionHint-advanced-6a-2", "SqlStringInjectionHint-advanced-6a-3",
"SqlStringInjectionHint-advanced-6a-4"})
"SqlStringInjectionHint-advanced-6a-4", "SqlStringInjectionHint-advanced-6a-5"})
public class SqlInjectionLesson6a extends AssignmentEndpoint {
private final DataSource dataSource;


@ -33,7 +33,7 @@ import org.springframework.web.bind.annotation.RestController;
@RestController
@Slf4j
@AssignmentHints(value = {"SqlStringInjectionHint-mitigation-10a-1", "SqlStringInjectionHint-mitigation-10a-10a2"})
@AssignmentHints(value = {"SqlStringInjectionHint-mitigation-10a-1", "SqlStringInjectionHint-mitigation-10a-2"})
public class SqlInjectionLesson10a extends AssignmentEndpoint {
private String[] results = {"getConnection", "PreparedStatement", "prepareStatement", "?", "?", "setString", "setString"};

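Review bot: The corrected key `SqlStringInjectionHint-mitigation-10a-2` on the new `@AssignmentHints` line is fixed by hand, and nothing in the change stops the next typo from reaching users as a missing or raw-key hint at runtime. A small test that iterates every `@AssignmentHints` value of each `AssignmentEndpoint` and checks `messages.getMessage(key)` resolves to a real label (the `messages` bean is already used that way in `SqlInjectionLesson9Test`) would catch this class of drift at build time. The same applies to the `SqlStringInjectionHint-advanced-6a-5` key added to `SqlInjectionLesson6a` in this commit. The class body of `SqlInjectionLesson10a` continues outside the hunk.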

@ -10,8 +10,8 @@ SqlInjectionChallenge3=Use tooling to automate this attack
NoResultsMatched=No results matched, try again.
ResultsButNotTom=Try To login as Tom!
sql-injection.2.success=<span class='feedback-positive'>You have succeeded!</span>
sql-injection.2.failed=<span class='feedback-negative'>Something went wrong! You got no results, check your SQL Statement and the table above.</span>
sql-injection.2.success=You have succeeded!
sql-injection.2.failed=Something went wrong! You got no results, check your SQL Statement and the table above.
SqlStringInjectionHint2-1=You want the data from the column with the name department. You know the database name (employees) and you know the first- and lastname of the employee (first_name, last_name).
SqlStringInjectionHint2-2=SELECT column FROM tablename WHERE condition;
SqlStringInjectionHint2-3=Use ' instead of " when comparing two strings.
@ -27,55 +27,55 @@ SqlStringInjectionHint4-3=ALTER TABLE table name ADD column name data type(size)
SqlStringInjectionHint5-1=Take a look at how to use a grant statement.
SqlStringInjectionHint5-2=You are using 'tom' trying to grant access to tom
sql-injection.5a.success=<span class='feedback-positive'>You have succeeded: {0}</span>
sql-injection.5a.no.results=<span class='feedback-negative'>No results matched. Try Again.</span>
SqlStringInjectionHint5a1=Remember that for an successful Sql-Injection the query needs to always evaluate to <span style="font-style: italic">true</span>.
sql-injection.5a.success=You have succeeded: {0}
sql-injection.5a.no.results=No results matched. Try Again.
SqlStringInjectionHint5a1=Remember that for an successful Sql-Injection the query needs to always evaluate to <span style="font-style: italic">true.
sql-injection.5b.success=<span class='feedback-positive'>You have succeeded: {0}</span>
sql-injection.5b.no.results=<span class='feedback-negative'>No results matched. Try Again.</span>
sql-injection.5b.success=You have succeeded: {0}
sql-injection.5b.no.results=No results matched. Try Again.
SqlStringInjectionHint5b1=Try to check which of the input fields is susceptible to an injection attack.
SqlStringInjectionHint5b2=Insert: <span style="font-style: italic">0 or 1 = 1</span> into the first input field. The output should tell you if this field is injectable.
SqlStringInjectionHint5b2=Insert: <span style="font-style: italic">0 or 1 = 1 into the first input field. The output should tell you if this field is injectable.
SqlStringInjectionHint5b3=The first input field is not susceptible to sql injection.
SqlStringInjectionHint5b4=You do not need to insert any quotations into your injection-string.
sql-injection.6a.success=<span class='feedback-positive'>You have succeeded: {0}</span>
sql-injection.6a.no.results=<span class='feedback-negative'>No results matched. Try Again.</span>
sql-injection.6a.success=You have succeeded: {0}
sql-injection.6a.no.results=No results matched. Try Again.
sql-injection.advanced.6a.success=<span class='feedback-positive'>You have succeeded: {0}</span>
sql-injection.advanced.6a.no.results=<span class='feedback-negative'>No results matched. Try Again.</span>
sql-injection.advanced.6a.success=You have succeeded: {0}
sql-injection.advanced.6a.no.results=No results matched. Try Again.
SqlStringInjectionHint-advanced-6a-1=Remember that when using an UNION each SELECT statement within UNION must have the same number of columns.
SqlStringInjectionHint-advanced-6a-2=The data type of a column in the first SELECT statement must have a similar data type to that in the second SELECT statement.
SqlStringInjectionHint-advanced-6a-3=Your new SQL query must end with a comment. eg: --
SqlStringInjectionHint-advanced-6a-4=If a column needs a String you could substitute something like <span style="font-style: italic">'a String'</span> for it. For integers you could substitute a <span style="font-style: italic">1</span>.
SqlStringInjectionHint-advanced-6a-5=Try something like: <span style="font-style: italic">Smith' UNION SELECT userid,user_name, password, 'a', 'b', 'c', 1 from user_system_data --</span>
SqlStringInjectionHint-advanced-6a-4=If a column needs a String you could substitute something like <span style="font-style: italic">'a String' for it. For integers you could substitute a <span style="font-style: italic">1.
SqlStringInjectionHint-advanced-6a-5=Try something like: <span style="font-style: italic">Smith' UNION SELECT userid,user_name, password, 'a', 'b', 'c', 1 from user_system_data --
sql-injection.6b.success=<span class='feedback-positive'>You have succeeded: {0}</span>
sql-injection.6b.no.results=<span class='feedback-negative'>No results matched. Try Again.</span>
sql-injection.6b.success=You have succeeded: {0}
sql-injection.6b.no.results=No results matched. Try Again.
sql-injection.8.success=<span class='feedback-positive'>You have succeeded! You successfully compromised the confidentiality of data by viewing internal information that you should not have access to. Well done!</span>
sql-injection.8.no.results=<span class='feedback-negative'>No employee found with matching last name. Or maybe your authentication TAN is incorrect?</span>
sql-injection.8.one=<span class='feedback-negative'>That is only one account. You want them all! Try again.</span>
sql-injection.8.success=You have succeeded! You successfully compromised the confidentiality of data by viewing internal information that you should not have access to. Well done!
sql-injection.8.no.results=No employee found with matching last name. Or maybe your authentication TAN is incorrect?
sql-injection.8.one=That is only one account. You want them all! Try again.
SqlStringInjectionHint.8.1=The application is taking your input and inserting the values into the variables 'name' and 'auth_tan' of the pre-formed SQL command.
SqlStringInjectionHint.8.2=Compound SQL statements can be made by expanding the WHERE clause of the statement with keywords like AND and OR.
SqlStringInjectionHint.8.3=Try appending a SQL statement that always resolves to true.
SqlStringInjectionHint.8.4=Make sure all quotes (" ' ") are opened and closed properly so the resulting SQL query is syntactically correct.
SqlStringInjectionHint.8.5=Try extending the WHERE clause of the statement by adding something like: ' OR '1' = '1.
sql-injection.9.success=<span class='feedback-positive'>Well done! Now you are earning the most money. And at the same time you successfully compromised the integrity of data by changing the salary!</span>
sql-injection.9.one=<span class='feedback-negative'>Still not earning enough! Better try again and change that.</span>
sql-injection.9.success=Well done! Now you are earning the most money. And at the same time you successfully compromised the integrity of data by changing the salary!
sql-injection.9.one=Still not earning enough! Better try again and change that.
SqlStringInjectionHint.9.1=Try to find a way, to chain another query to the end of the existing one.
SqlStringInjectionHint.9.2=Use the ; metacharacter to do so.
SqlStringInjectionHint.9.3=Make use of DML to change your salary.
SqlStringInjectionHint.9.4=Make sure that the resulting query is syntactically correct.
SqlStringInjectionHint.9.5=How about something like '; UPDATE employees....
sql-injection.10.success=<span class='feedback-positive'>Success! You successfully deleted the access_log table and that way compromised the availability of the data.</span>
sql-injection.10.entries=<span class='feedback-negative'>There is still evidence of what you did. Better remove the whole table.</span>
sql-injection.10.success=Success! You successfully deleted the access_log table and that way compromised the availability of the data.
sql-injection.10.entries=There is still evidence of what you did. Better remove the whole table.
sql-injection.10b.success=<span class='feedback-positive'>You did it! Your code can prevent an SQL injection attack!</span>
sql-injection.10b.failed=<span class='feedback-negative'>Something does not seem right with that code. Maybe you should look at an example how to prevent SQL injections with JDBC?</span>
sql-injection.10b.no-code=<span class='feedback-negative'>You need to write some code.</span>
sql-injection.10b.compiler-errors=<span class='feedback-negative'>Could not compile code:</span>
sql-injection.10b.success=You did it! Your code can prevent an SQL injection attack!
sql-injection.10b.failed=Something does not seem right with that code. Maybe you should look at an example how to prevent SQL injections with JDBC?
sql-injection.10b.no-code=You need to write some code.
sql-injection.10b.compiler-errors=Could not compile code:
SqlStringInjectionHint.10.1=Use the techniques that you have learned before.
SqlStringInjectionHint.10.2=The application takes your input and filters for entries that are LIKE it.
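Review bot: The rewritten hint lines `SqlStringInjectionHint5a1`, `SqlStringInjectionHint5b2`, `SqlStringInjectionHint-advanced-6a-4` and `SqlStringInjectionHint-advanced-6a-5` (second hunk) keep their opening `<span style="font-style: italic">` but lose the closing `</span>`, so the new side ships unbalanced markup; if these hints are inserted into the page as HTML, the italic styling will run into whatever follows the hint. Only the `feedback-positive`/`feedback-negative` wrappers were meant to go, so the closing tags should be restored, e.g. `SqlStringInjectionHint5a1=... evaluate to <span style="font-style: italic">true</span>.` and `SqlStringInjectionHint-advanced-6a-5=Try something like: <span style="font-style: italic">Smith' UNION SELECT userid,user_name, password, 'a', 'b', 'c', 1 from user_system_data --</span>`. The `sql-injection.*` feedback strings are now plain text, which presumably means the feedback styling moved to the lesson or front-end side; that is not visible here and is worth confirming, since the `SqlInjectionLesson9Test` hunk in this commit drops the only assertion on `feedback-negative`.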


@ -151,7 +151,6 @@ public class SqlInjectionLesson9Test extends SqlLessonTest {
.andExpect(status().isOk())
.andExpect(jsonPath("lessonCompleted", is(false)))
.andExpect(jsonPath("$.feedback", is(messages.getMessage("sql-injection.error"))))
.andExpect(jsonPath("$.output", containsString("feedback-negative")));
} catch (AssertionError e) {
if (!e.getMessage().contains(completedError)) throw e;