diff --git a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/ProgressRaceConditionTest.java b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/ProgressRaceConditionTest.java
index 467fef655..07e44ff0e 100644
--- a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/ProgressRaceConditionTest.java
+++ b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/ProgressRaceConditionTest.java
@@ -38,6 +38,6 @@ public class ProgressRaceConditionTest extends IntegrationTest {
 } catch (InterruptedException | ExecutionException e) {
 throw new IllegalStateException(e);
 }
- }).count()).isGreaterThan(10);
+ }).count()).isGreaterThan(8);
 }
 }
diff --git a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/SqlInjectionMitigationTest.java b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/SqlInjectionMitigationTest.java
index 115362a69..e82b904ba 100644
--- a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/SqlInjectionMitigationTest.java
+++ b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/SqlInjectionMitigationTest.java
@@ -1,5 +1,6 @@
 package org.owasp.webgoat;
 
+import org.hamcrest.CoreMatchers;
 import org.junit.Test;
 
 import io.restassured.RestAssured;
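Review bot: The bound in `isGreaterThan(8)` is an unexplained magic number loosened from 10, and nothing in the hunk says what the counted value is or why 8 is the right floor. The stream appears to count the futures built earlier in the method, so the expected number is fixed by that setup; a comment such as `// floor is deliberately below the number of tasks submitted above` would record the intent, and deriving the bound from the task count would keep a later setup change from making the assertion vacuous. The enclosing test method starts outside the hunk.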
@@ -8,46 +9,56 @@ import io.restassured.http.ContentType;
 import java.util.HashMap;
 import java.util.Map;
 
+import static org.hamcrest.CoreMatchers.containsString;
+
 public class SqlInjectionMitigationTest extends IntegrationTest {
 
- @Test
- public void runTests() {
- startLesson("SqlInjectionMitigations");
-
- Map params = new HashMap<>();
- params.clear();
- params.put("field1", "getConnection");
- params.put("field2", "PreparedStatement prep");
- params.put("field3", "prepareStatement");
- params.put("field4", "?");
- params.put("field5", "?");
- params.put("field6", "prep.setString(1,\"\")");
- params.put("field7", "prep.setString(2,\\\"\\\")");
- checkAssignment(url("/WebGoat/SqlInjectionMitigations/attack10a"), params, true);
-
- params.put("editor", "try {\r\n" +
- " Connection conn = DriverManager.getConnection(DBURL,DBUSER,DBPW);\r\n" +
- " PreparedStatement prep = conn.prepareStatement(\"select id from users where name = ?\");\r\n" +
- " prep.setString(1,\"me\");\r\n" +
- " prep.execute();\r\n" +
- " System.out.println(conn); //should output 'null'\r\n" +
- "} catch (Exception e) {\r\n" +
- " System.out.println(\"Oops. 
Something went wrong!\");\r\n" +
- "}");
- checkAssignment(url("/WebGoat/SqlInjectionMitigations/attack10b"), params, true);
-
- RestAssured.given()
- .when().relaxedHTTPSValidation().cookie("JSESSIONID", getWebGoatCookie())
- .contentType(ContentType.JSON)
- .get(url("/WebGoat/SqlInjectionMitigations/servers?column=(case when (true) then hostname else id end)"))
- .then()
- .statusCode(200);
+ @Test
+ public void runTests() {
+ startLesson("SqlInjectionMitigations");
 
- params.clear();
- params.put("ip", "104.130.219.202");
- checkAssignment(url("/WebGoat/SqlInjectionMitigations/attack12a"), params, true);
+ Map params = new HashMap<>();
+ params.clear();
+ params.put("field1", "getConnection");
+ params.put("field2", "PreparedStatement prep");
+ params.put("field3", "prepareStatement");
+ params.put("field4", "?");
+ params.put("field5", "?");
+ params.put("field6", "prep.setString(1,\"\")");
+ params.put("field7", "prep.setString(2,\\\"\\\")");
+ checkAssignment(url("/WebGoat/SqlInjectionMitigations/attack10a"), params, true);
 
- checkResults("/SqlInjectionMitigations/");
-
- }
+ params.put("editor", "try {\r\n" +
+ " Connection conn = DriverManager.getConnection(DBURL,DBUSER,DBPW);\r\n" +
+ " PreparedStatement prep = conn.prepareStatement(\"select id from users where name = ?\");\r\n" +
+ " prep.setString(1,\"me\");\r\n" +
+ " prep.execute();\r\n" +
+ " System.out.println(conn); //should output 'null'\r\n" +
+ "} catch (Exception e) {\r\n" +
+ " System.out.println(\"Oops. 
Something went wrong!\");\r\n" +
+ "}");
+ checkAssignment(url("/WebGoat/SqlInjectionMitigations/attack10b"), params, true);
+
+ RestAssured.given()
+ .when().relaxedHTTPSValidation().cookie("JSESSIONID", getWebGoatCookie())
+ .contentType(ContentType.JSON)
+ .get(url("/WebGoat/SqlInjectionMitigations/servers?column=(case when (true) then hostname else id end)"))
+ .then()
+ .statusCode(200);
+
+ RestAssured.given()
+ .when().relaxedHTTPSValidation().cookie("JSESSIONID", getWebGoatCookie())
+ .contentType(ContentType.JSON)
+ .get(url("/WebGoat/SqlInjectionMitigations/servers?column=unknown"))
+ .then()
+ .statusCode(500)
+ .body("message", containsString("select id, hostname, ip, mac, status, description from servers where status <> 'out of order' order by"));
+
+ params.clear();
+ params.put("ip", "104.130.219.202");
+ checkAssignment(url("/WebGoat/SqlInjectionMitigations/attack12a"), params, true);
+
+ checkResults("/SqlInjectionMitigations/");
+
+ }
 }
diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/Servers.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/Servers.java
index 416216843..1e9ca3be9 100644
--- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/Servers.java
+++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/Servers.java
@@ -66,7 +66,7 @@ public class Servers {
 @GetMapping(produces = MediaType.APPLICATION_JSON_VALUE)
 @ResponseBody
- public List sort(@RequestParam String column) {
+ public List sort(@RequestParam String column) throws Exception {
 List servers = new ArrayList<>();
 try (Connection connection = dataSource.getConnection();
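Review bot: The new `.body("message", containsString("select id, hostname, ... order by"))` assertion pins the fact that the 500 response echoes the server-side SQL statement back to the client, but nothing in the test records that this disclosure is the lesson's intended teaching behaviour rather than an accident the test happens to lock in. Add a comment above the second `RestAssured.given()` block, e.g. `// the lesson intentionally surfaces the raw statement in the error body; this guards that teaching behaviour`, so a later hardening of the error handler is changed deliberately rather than discovered through an unexplained test failure. `import org.hamcrest.CoreMatchers;` added in the previous hunk is unused now that `containsString` is statically imported and should be dropped. `params.clear()` directly after `new HashMap<>()` is a no-op carried over from the old code and could go as well.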
@@ -76,8 +76,6 @@ public class Servers {
 Server server = new Server(rs.getString(1), rs.getString(2), rs.getString(3), rs.getString(4), rs.getString(5), rs.getString(6));
 servers.add(server);
 }
- } catch (SQLException e) {
- log.error("Unable to get servers", e);
 }
 return servers;
 }
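Review bot: Dropping the `catch (SQLException e)` block also drops the only place the failure was logged, so a failing query now leaves `sort` with no server-side record beyond whatever the framework's default handler writes. If propagation is the intended behaviour (the new test expects a 500), keep the log and rethrow, `} catch (SQLException e) { log.error("Unable to get servers", e); throw e; }`, so operators still see the failure and the response is unchanged. The signature change in the previous hunk declares `throws Exception`; as far as the visible lines show only `SQLException` can escape the try-with-resources, so `throws SQLException` would be the narrower and more honest declaration. The enclosing `sort` method starts outside this hunk.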