dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix mistake the SQL exception should be throws otherwise users cannot see the table name (servers) makes it impossible to

Browse Source 
solve the assignment. Add explicit test for this to guard against future mistakes
This commit is contained in:
Nanne Baars
2019-11-11 17:24:46 +01:00
committed by Nanne Baars
parent 7d48427d4f
commit e07a2aff48
3 changed files with 51 additions and 42 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
webgoat-integration-tests/src/test/java/org/owasp/webgoat/ProgressRaceConditionTest.java
View File

@ -38,6 +38,6 @@ public class ProgressRaceConditionTest extends IntegrationTest {
} catch (InterruptedException | ExecutionException e) { } catch (InterruptedException | ExecutionException e) {
throw new IllegalStateException(e); throw new IllegalStateException(e);
} }
}).count()).isGreaterThan(10); }).count()).isGreaterThan(8);
} }
} }

79
webgoat-integration-tests/src/test/java/org/owasp/webgoat/SqlInjectionMitigationTest.java
View File

@ -1,5 +1,6 @@
package org.owasp.webgoat; package org.owasp.webgoat;
import org.hamcrest.CoreMatchers;
import org.junit.Test; import org.junit.Test;
import io.restassured.RestAssured; import io.restassured.RestAssured;
@ -8,46 +9,56 @@ import io.restassured.http.ContentType;
import java.util.HashMap; import java.util.HashMap;
import java.util.Map; import java.util.Map;
import static org.hamcrest.CoreMatchers.containsString;
public class SqlInjectionMitigationTest extends IntegrationTest { public class SqlInjectionMitigationTest extends IntegrationTest {
@Test @Test
public void runTests() { public void runTests() {
startLesson("SqlInjectionMitigations"); startLesson("SqlInjectionMitigations");
Map<String, Object> params = new HashMap<>(); Map<String, Object> params = new HashMap<>();
params.clear(); params.clear();
params.put("field1", "getConnection"); params.put("field1", "getConnection");
params.put("field2", "PreparedStatement prep"); params.put("field2", "PreparedStatement prep");
params.put("field3", "prepareStatement"); params.put("field3", "prepareStatement");
params.put("field4", "?"); params.put("field4", "?");
params.put("field5", "?"); params.put("field5", "?");
params.put("field6", "prep.setString(1,\"\")"); params.put("field6", "prep.setString(1,\"\")");
params.put("field7", "prep.setString(2,\\\"\\\")"); params.put("field7", "prep.setString(2,\\\"\\\")");
checkAssignment(url("/WebGoat/SqlInjectionMitigations/attack10a"), params, true); checkAssignment(url("/WebGoat/SqlInjectionMitigations/attack10a"), params, true);
params.put("editor", "try {\r\n" + params.put("editor", "try {\r\n" +
" Connection conn = DriverManager.getConnection(DBURL,DBUSER,DBPW);\r\n" + " Connection conn = DriverManager.getConnection(DBURL,DBUSER,DBPW);\r\n" +
" PreparedStatement prep = conn.prepareStatement(\"select id from users where name = ?\");\r\n" + " PreparedStatement prep = conn.prepareStatement(\"select id from users where name = ?\");\r\n" +
" prep.setString(1,\"me\");\r\n" + " prep.setString(1,\"me\");\r\n" +
" prep.execute();\r\n" + " prep.execute();\r\n" +
" System.out.println(conn); //should output 'null'\r\n" + " System.out.println(conn); //should output 'null'\r\n" +
"} catch (Exception e) {\r\n" + "} catch (Exception e) {\r\n" +
" System.out.println(\"Oops. Something went wrong!\");\r\n" + " System.out.println(\"Oops. Something went wrong!\");\r\n" +
"}"); "}");
checkAssignment(url("/WebGoat/SqlInjectionMitigations/attack10b"), params, true); checkAssignment(url("/WebGoat/SqlInjectionMitigations/attack10b"), params, true);
RestAssured.given() RestAssured.given()
.when().relaxedHTTPSValidation().cookie("JSESSIONID", getWebGoatCookie()) .when().relaxedHTTPSValidation().cookie("JSESSIONID", getWebGoatCookie())
.contentType(ContentType.JSON) .contentType(ContentType.JSON)
.get(url("/WebGoat/SqlInjectionMitigations/servers?column=(case when (true) then hostname else id end)")) .get(url("/WebGoat/SqlInjectionMitigations/servers?column=(case when (true) then hostname else id end)"))
.then() .then()
.statusCode(200); .statusCode(200);
params.clear(); RestAssured.given()
params.put("ip", "104.130.219.202"); .when().relaxedHTTPSValidation().cookie("JSESSIONID", getWebGoatCookie())
checkAssignment(url("/WebGoat/SqlInjectionMitigations/attack12a"), params, true); .contentType(ContentType.JSON)
.get(url("/WebGoat/SqlInjectionMitigations/servers?column=unknown"))
.then()
.statusCode(500)
.body("message", containsString("select id, hostname, ip, mac, status, description from servers where status <> 'out of order' order by"));
checkResults("/SqlInjectionMitigations/"); params.clear();
params.put("ip", "104.130.219.202");
checkAssignment(url("/WebGoat/SqlInjectionMitigations/attack12a"), params, true);
} checkResults("/SqlInjectionMitigations/");
}
} }

4
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/Servers.java
View File

@ -66,7 +66,7 @@ public class Servers {
@GetMapping(produces = MediaType.APPLICATION_JSON_VALUE) @GetMapping(produces = MediaType.APPLICATION_JSON_VALUE)
@ResponseBody @ResponseBody
public List<Server> sort(@RequestParam String column) { public List<Server> sort(@RequestParam String column) throws Exception {
List<Server> servers = new ArrayList<>(); List<Server> servers = new ArrayList<>();
try (Connection connection = dataSource.getConnection(); try (Connection connection = dataSource.getConnection();
@ -76,8 +76,6 @@ public class Servers {
Server server = new Server(rs.getString(1), rs.getString(2), rs.getString(3), rs.getString(4), rs.getString(5), rs.getString(6)); Server server = new Server(rs.getString(1), rs.getString(2), rs.getString(3), rs.getString(4), rs.getString(5), rs.getString(6));
servers.add(server); servers.add(server);
} }
} catch (SQLException e) {
log.error("Unable to get servers", e);
} }
return servers; return servers;
} }