diff --git a/webgoat/main/project/JavaSource/WebGoatLabels_english.properties b/webgoat/main/project/JavaSource/WebGoatLabels_english.properties
index 4939dc531..ed804f909 100644
--- a/webgoat/main/project/JavaSource/WebGoatLabels_english.properties
+++ b/webgoat/main/project/JavaSource/WebGoatLabels_english.properties
@@ -56,7 +56,7 @@ Refresh=Refresh
WeakAuthenticationCookieHints1=The server authenticates the user using a cookie, if you send the right cookie.
WeakAuthenticationCookieHints2=Is the AuthCookie value guessable knowing the username and password?
-WeakAuthenticationCookieHints3=Add 'AuthCookie=********;' to the Cookie: header using <A href=\"http://www.owasp.org/development/webscarab\">WebScarab</A>.
+WeakAuthenticationCookieHints3=Add 'AuthCookie=********;' to the Cookie: header using <A href=\"http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project\">WebScarab</A>.
WeakAuthenticationCookieHints4=After logging in as webgoat a cookie is added. 65432ubphcfx<br/>After logging in as aspect a cookie is added. 65432udfqtb<br/>Is there anything similar about the cookies and the login names?
#RemoteAdminFlaw.java
@@ -213,15 +213,28 @@ ThisAmountCharged=This amount will be charged to your credit card immediately.
HiddenFieldTamperingHint1=This application is using hidden fields to transmit price information to the server.
HiddenFieldTamperingHint2=Use a program to intercept and change the value in the hidden field.
-HiddenFieldTamperingHint3=Use <A href=\"http://www.owasp.org/development/webscarab\">WebScarab</A> to change the price of the TV from "
+HiddenFieldTamperingHint3=Use <A href=\"http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project\">WebScarab</A> to change the price of the TV from "
HiddenFieldTamperingHint32= to
+# Modify data with SQL Injection
+EnterUserid=Enter your userid:
+SqlModifyDataHint1=You can use SQL Injection to execute more than one SQL statement.
+SqlModifyDataHint2=Use a semicolon (;) to separate SQL statements.
+SqlModifyDataHint3=Modify data using a SQL UPDATE Statement.
+SqlModifyDataHint4=For details and examples for SQL UPDATE statements, see <A href=\"http://www.w3schools.com/SQl/sql_update.asp\">http://www.w3schools.com/SQl/sql_update.asp</A>
+SqlModifyDataHint5=SOLUTION:<br/>foo'; UPDATE salaries SET salary=9999999 WHERE userid='jsmith
-
-
-
-
-
+# Modify data with SQL Injection
+SqlAddDataHint1=You can use SQL Injection to execute more than one SQL statement.
+SqlAddDataHint2=Use a semicolon (;) to separate SQL statements. You will also need to comment out some characters that come after the injection with a double hyphen (--).
+SqlAddDataHint3=Modify data using a SQL INSERT Statement.
+SqlAddDataHint4=For details and examples for SQL INSERT statements, see <A href=\"http://www.w3schools.com/SQl/sql_insert.asp\">http://www.w3schools.com/SQl/sql_insert.asp</A>
+SqlAddDataHint5=SOLUTION:<br/>bar'; INSERT INTO salaries VALUES ('cwillis', 999999); --
+
+# Bypass Html Field Restrictions
+BypassHtmlFieldRestrictionsHint1=You must re-enable the disabled form field or manually add its parameter name to your request.
+BypassHtmlFieldRestrictionsHint2=You can use <A href=\"http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project\">WebScarab</A> to intercept requests and make changes.
+BypassHtmlFieldRestrictionsHint3=Rather than using <A href=\"http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project\">WebScarab</A>, you could instead use the <A href=\"http://chrispederick.com/work/web-developer/\">Web Developer</a> and/or <A href=\"http://devels-playground.blogspot.com/\">Hackbar</a> Firefox extensions to complete this lesson.
diff --git a/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/BypassHtmlFieldRestrictions.java b/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/BypassHtmlFieldRestrictions.java
new file mode 100644
index 000000000..06a2cae69
--- /dev/null
+++ b/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/BypassHtmlFieldRestrictions.java
@@ -0,0 +1,256 @@
+
+package org.owasp.webgoat.lessons;
+
+import java.sql.Connection;
+import java.sql.ResultSet;
+import java.sql.ResultSetMetaData;
+import java.sql.SQLException;
+import java.sql.Statement;
+import java.util.ArrayList;
+import java.util.List;
+import org.apache.ecs.Element;
+import org.apache.ecs.ElementContainer;
+import org.apache.ecs.StringElement;
+import org.apache.ecs.html.A;
+import org.apache.ecs.html.BR;
+import org.apache.ecs.html.Div;
+import org.apache.ecs.html.IMG;
+import org.apache.ecs.html.Input;
+import org.apache.ecs.html.P;
+import org.apache.ecs.html.PRE;
+import org.owasp.webgoat.session.DatabaseUtilities;
+import org.owasp.webgoat.session.ECSFactory;
+import org.owasp.webgoat.session.ParameterNotFoundException;
+import org.owasp.webgoat.session.WebSession;
+import org.owasp.webgoat.util.WebGoatI18N;
+
+
+/***************************************************************************************************
+ *
+ *
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ * please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 2007 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at code.google.com, a repository for free software
+ * projects.
+ *
+ * For details, please see http://code.google.com/p/webgoat/
+ *
+ * @author Chuck Willis <a href="http://www.securityfoundry.com">Chuck's web
+ * site</a>
+ * @created October 29, 2009
+ */
+public class BypassHtmlFieldRestrictions extends SequentialLessonAdapter
+{
+ public final static A MANDIANT_LOGO = new A().setHref("http://www.mandiant.com").addElement(new IMG("images/logos/mandiant.png").setAlt("MANDIANT").setBorder(0).setHspace(0).setVspace(0));
+
+ private final static String USERID = "userid";
+
+ private String userid;
+
+ /**
+ * Description of the Method
+ *
+ * @param s
+ * Description of the Parameter
+ * @return Description of the Return Value
+ */
+ protected Element createContent(WebSession s)
+ {
+ ElementContainer ec = new ElementContainer();
+
+ try {
+ boolean failed = false;
+
+ // select element
+ ec.addElement(new Div().addElement(new StringElement("Select field with two possible values:")));
+
+ String[] allowedSelect = {"foo", "bar"};
+
+ ec.addElement(new org.apache.ecs.html.Select("select", allowedSelect));
+
+ // radio button element
+ ec.addElement(new P());
+ ec.addElement(new Div().addElement(new StringElement("Radio button with two possible values:")));
+
+
+ Input radiofoo = new Input("radio", "radio", "foo");
+ radiofoo.setChecked(true);
+ ec.addElement(radiofoo);
+ ec.addElement(new StringElement("foo"));
+ ec.addElement(new BR());
+ ec.addElement(new Input("radio", "radio", "bar"));
+ ec.addElement(new StringElement("bar"));
+
+ // checkbox
+ ec.addElement(new P());
+ ec.addElement(new Div().addElement(new StringElement("Checkbox:")));
+ Input checkbox = new Input("checkbox", "checkbox");
+ checkbox.setChecked(true);
+ ec.addElement(checkbox);
+ ec.addElement(new StringElement("checkbox"));
+
+ // create shortinput
+ ec.addElement(new P());
+ ec.addElement(new Div().addElement(new StringElement("Input field restricted to 5 characters:")));
+ Input shortinput = new Input(Input.TEXT, "shortinput", "12345");
+ shortinput.setMaxlength(5);
+ ec.addElement(shortinput);
+
+ ec.addElement(new P());
+ ec.addElement(new Div().addElement(new StringElement("Disabled input field:")));
+ String defaultdisabledinputtext = "disabled";
+ Input disabledinput = new Input(Input.TEXT, "disabledinput", defaultdisabledinputtext);
+ disabledinput.setDisabled(true);
+ ec.addElement(disabledinput);
+ ec.addElement(new BR());
+
+ // Submit Button
+ ec.addElement(new P());
+ ec.addElement(new Div().addElement(new StringElement("Submit button:")));
+ String submittext = "Submit";
+ Element b = ECSFactory.makeButton(submittext);
+ ec.addElement(b);
+
+ // Now check inputs that were submitted (if any)
+
+ // check select field
+ String submittedselect = s.getParser().getRawParameter("select");
+ if(submittedselect.equals("foo")) failed = true;
+ if(submittedselect.equals("bar")) failed = true;
+
+ // check radio buttons
+ String submittedradio = s.getParser().getRawParameter("radio");
+ if(submittedselect.equals("foo")) failed = true;
+ if(submittedselect.equals("bar")) failed = true;
+
+ // check checkbox (note - if the box is not checked, this will throw an exception, but that
+ // is okay)
+ if(s.getParser().getRawParameter("checkbox").equals("on")) failed = true;
+
+ // check shortinput
+ if(s.getParser().getRawParameter("shortinput").length() < 6) failed = true;
+
+ // check disabledinput (note - if the field was not re-enabled, this will throw an exception, but that
+ // is okay)
+ if(s.getParser().getRawParameter("disabledinput").equals(defaultdisabledinputtext)) failed = true;
+
+ // check submitbutton
+ if(s.getParser().getRawParameter("SUBMIT").equals(submittext)) failed = true;
+
+
+ // if we didn't fail, we succeeded!
+ if(failed != true) {
+ makeSuccess(s);
+ }
+
+ } catch(ParameterNotFoundException e) {
+ //s.setMessage("Error, required parameter not found");
+ e.printStackTrace();
+ }
+
+ return (ec);
+ }
+
+ /**
+ * Gets the category attribute of the object
+ *
+ * @return The category value
+ */
+ protected Category getDefaultCategory()
+ {
+ return Category.PARAMETER_TAMPERING;
+ }
+
+ /**
+ * Gets the credits attribute of the AbstractLesson object
+ *
+ * @return The credits value
+ */
+ public Element getCredits()
+ {
+ return super.getCustomCredits("Created by Chuck Willis ", MANDIANT_LOGO);
+ }
+
+ /**
+ * Gets the hints attribute of the DatabaseFieldScreen object
+ *
+ * @return The hints value
+ */
+ protected List<String> getHints(WebSession s)
+ {
+ List<String> hints = new ArrayList<String>();
+
+ hints.add(WebGoatI18N.get("BypassHtmlFieldRestrictionsHint1"));
+ hints.add(WebGoatI18N.get("BypassHtmlFieldRestrictionsHint2"));
+ hints.add(WebGoatI18N.get("BypassHtmlFieldRestrictionsHint3"));
+
+ return hints;
+ }
+
+ private final static Integer DEFAULT_RANKING = new Integer(10);
+
+ protected Integer getDefaultRanking()
+ {
+ return DEFAULT_RANKING;
+ }
+
+ /**
+ * Gets the title attribute of the DatabaseFieldScreen object
+ *
+ * @return The title value
+ */
+ public String getTitle()
+ {
+ return ("Bypass HTML Field Restrictions");
+ }
+
+ /**
+ * Gets the instructions attribute of the SqlInjection object
+ *
+ * @return The instructions value
+ */
+ public String getInstructions(WebSession s)
+ {
+ String instructions = "The form below uses HTML form field restrictions. " +
+ " In order to pass this lesson, submit the form with each field containing an unallowed value. "
+ + "<b>You must submit invalid values for all six fields in one form submission.</b>";
+
+ return (instructions);
+ }
+
+ /**
+ * Constructor for the DatabaseFieldScreen object
+ *
+ * @param s
+ * Description of the Parameter
+ */
+ public void handleRequest(WebSession s)
+ {
+ try
+ {
+ super.handleRequest(s);
+ } catch (Exception e)
+ {
+ // System.out.println("Exception caught: " + e);
+ e.printStackTrace(System.out);
+ }
+ }
+
+}
diff --git a/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/SqlAddData.java b/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/SqlAddData.java
new file mode 100644
index 000000000..aefbf6332
--- /dev/null
+++ b/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/SqlAddData.java
@@ -0,0 +1,247 @@
+
+package org.owasp.webgoat.lessons;
+
+import java.sql.Connection;
+import java.sql.ResultSet;
+import java.sql.ResultSetMetaData;
+import java.sql.SQLException;
+import java.sql.Statement;
+import java.util.ArrayList;
+import java.util.List;
+import org.apache.ecs.Element;
+import org.apache.ecs.ElementContainer;
+import org.apache.ecs.html.A;
+import org.apache.ecs.html.BR;
+import org.apache.ecs.html.IMG;
+import org.apache.ecs.html.Input;
+import org.apache.ecs.html.P;
+import org.apache.ecs.html.PRE;
+import org.owasp.webgoat.session.DatabaseUtilities;
+import org.owasp.webgoat.session.ECSFactory;
+import org.owasp.webgoat.session.WebSession;
+import org.owasp.webgoat.util.WebGoatI18N;
+
+
+/***************************************************************************************************
+ *
+ *
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ * please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 2007 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at code.google.com, a repository for free software
+ * projects.
+ *
+ * For details, please see http://code.google.com/p/webgoat/
+ *
+ * @author Chuck Willis <a href="http://www.securityfoundry.com">Chuck's web
+ * site</a> (this lesson is based on the String SQL Injection lesson)
+ * @created October 29, 2009
+ */
+public class SqlAddData extends SequentialLessonAdapter
+{
+ public final static A MANDIANT_LOGO = new A().setHref("http://www.mandiant.com").addElement(new IMG("images/logos/mandiant.png").setAlt("MANDIANT").setBorder(0).setHspace(0).setVspace(0));
+
+ private final static String USERID = "userid";
+
+ private String userid;
+
+ /**
+ * Description of the Method
+ *
+ * @param s
+ * Description of the Parameter
+ * @return Description of the Return Value
+ */
+ protected Element createContent(WebSession s)
+ {
+ ElementContainer ec = new ElementContainer();
+
+ try
+ {
+ Connection connection = DatabaseUtilities.getConnection(s);
+
+ ec.addElement(makeAccountLine(s));
+
+ String query = "SELECT * FROM salaries WHERE userid = '" + userid + "'";
+ //ec.addElement(new PRE(query));
+
+ try
+ {
+ // get number of rows in table before executing injectable query
+ Statement target_statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,
+ ResultSet.CONCUR_READ_ONLY);
+ ResultSet target_results = target_statement.executeQuery("SELECT * from salaries");
+ target_results.last();
+ int number_of_results_before = target_results.getRow();
+
+ System.out.println("Before running query, table salaries has "
+ + number_of_results_before + " records.");
+
+ // execute query
+ Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,
+ ResultSet.CONCUR_READ_ONLY);
+
+ statement.execute(query);
+
+ ResultSet results = statement.getResultSet();
+
+ if ((results != null) && (results.first() == true))
+ {
+ ResultSetMetaData resultsMetaData = results.getMetaData();
+ ec.addElement(DatabaseUtilities.writeTable(results, resultsMetaData));
+ results.last();
+ }
+ else
+ {
+ ec.addElement(WebGoatI18N.get("NoResultsMatched"));
+ }
+
+ // see if the number of rows in the table has changed
+ target_results = target_statement.executeQuery("SELECT * from salaries");
+ target_results.last();
+ int number_of_results_after = target_results.getRow();
+
+ System.out.println("After running query, table salaries has "
+ + number_of_results_after + " records.");
+
+ if(number_of_results_after != number_of_results_before) {
+ makeSuccess(s);
+ }
+
+ } catch (SQLException sqle)
+ {
+ ec.addElement(new P().addElement(sqle.getMessage()));
+ sqle.printStackTrace();
+ }
+ } catch (Exception e)
+ {
+ s.setMessage(WebGoatI18N.get("ErrorGenerating") + this.getClass().getName());
+ e.printStackTrace();
+ }
+
+ return (ec);
+ }
+
+
+
+ protected Element makeAccountLine(WebSession s)
+ {
+ ElementContainer ec = new ElementContainer();
+ ec.addElement(new P().addElement(WebGoatI18N.get("EnterUserid")));
+
+ userid = s.getParser().getRawParameter(USERID, "jsmith");
+ Input input = new Input(Input.TEXT, USERID, userid.toString());
+ ec.addElement(input);
+
+ Element b = ECSFactory.makeButton(WebGoatI18N.get("Go!"));
+ ec.addElement(b);
+
+ return ec;
+
+ }
+
+ /**
+ * Gets the category attribute of the SqNumericInjection object
+ *
+ * @return The category value
+ */
+ protected Category getDefaultCategory()
+ {
+ return Category.INJECTION;
+ }
+
+ /**
+ * Gets the credits attribute of the AbstractLesson object
+ *
+ * @return The credits value
+ */
+ public Element getCredits()
+ {
+ return super.getCustomCredits("Created by Chuck Willis ", MANDIANT_LOGO);
+ }
+
+ /**
+ * Gets the hints attribute of the DatabaseFieldScreen object
+ *
+ * @return The hints value
+ */
+ protected List<String> getHints(WebSession s)
+ {
+ List<String> hints = new ArrayList<String>();
+
+ hints.add(WebGoatI18N.get("SqlAddDataHint1"));
+ hints.add(WebGoatI18N.get("SqlAddDataHint2"));
+ hints.add(WebGoatI18N.get("SqlAddDataHint3"));
+ hints.add(WebGoatI18N.get("SqlAddDataHint4"));
+ hints.add(WebGoatI18N.get("SqlAddDataHint5"));
+
+ return hints;
+ }
+
+ private final static Integer DEFAULT_RANKING = new Integer(78);
+
+ protected Integer getDefaultRanking()
+ {
+ return DEFAULT_RANKING;
+ }
+
+ /**
+ * Gets the title attribute of the DatabaseFieldScreen object
+ *
+ * @return The title value
+ */
+ public String getTitle()
+ {
+ return ("Add Data with SQL Injection");
+ }
+
+ /**
+ * Gets the instructions attribute of the SqlInjection object
+ *
+ * @return The instructions value
+ */
+ public String getInstructions(WebSession s)
+ {
+ String instructions = "The form below allows a user to view salaries associated with a userid "
+ + "(from the table named <b>salaries</b>). This form"
+ + " is vulnerable to String SQL Injection. In order to pass this lesson, use SQL Injection to "
+ + "add a record to the table.";
+
+ return (instructions);
+ }
+
+ /**
+ * Constructor for the DatabaseFieldScreen object
+ *
+ * @param s
+ * Description of the Parameter
+ */
+ public void handleRequest(WebSession s)
+ {
+ try
+ {
+ super.handleRequest(s);
+ } catch (Exception e)
+ {
+ // System.out.println("Exception caught: " + e);
+ e.printStackTrace(System.out);
+ }
+ }
+
+}
diff --git a/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/SqlModifyData.java b/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/SqlModifyData.java
new file mode 100644
index 000000000..722418b66
--- /dev/null
+++ b/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/SqlModifyData.java
@@ -0,0 +1,266 @@
+
+package org.owasp.webgoat.lessons;
+
+import java.sql.Connection;
+import java.sql.ResultSet;
+import java.sql.ResultSetMetaData;
+import java.sql.SQLException;
+import java.sql.Statement;
+import java.util.ArrayList;
+import java.util.List;
+import org.apache.ecs.Element;
+import org.apache.ecs.ElementContainer;
+import org.apache.ecs.html.A;
+import org.apache.ecs.html.BR;
+import org.apache.ecs.html.IMG;
+import org.apache.ecs.html.Input;
+import org.apache.ecs.html.P;
+import org.apache.ecs.html.PRE;
+import org.owasp.webgoat.session.DatabaseUtilities;
+import org.owasp.webgoat.session.ECSFactory;
+import org.owasp.webgoat.session.WebSession;
+import org.owasp.webgoat.util.WebGoatI18N;
+
+
+/***************************************************************************************************
+ *
+ *
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ * please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 2007 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at code.google.com, a repository for free software
+ * projects.
+ *
+ * For details, please see http://code.google.com/p/webgoat/
+ *
+ * @author Chuck Willis <a href="http://www.securityfoundry.com">Chuck's web
+ * site</a> (this lesson is based on the String SQL Injection lesson)
+ * @created October 29, 2009
+ */
+public class SqlModifyData extends SequentialLessonAdapter
+{
+ public final static A MANDIANT_LOGO = new A().setHref("http://www.mandiant.com").addElement(new IMG("images/logos/mandiant.png").setAlt("MANDIANT").setBorder(0).setHspace(0).setVspace(0));
+
+ private final static String USERID = "userid";
+
+ private final static String TARGET_USERID = "jsmith";
+ private final static String NONTARGET_USERID = "lsmith";
+
+ private String userid;
+
+ /**
+ * Description of the Method
+ *
+ * @param s
+ * Description of the Parameter
+ * @return Description of the Return Value
+ */
+ protected Element createContent(WebSession s)
+ {
+ ElementContainer ec = new ElementContainer();
+
+ try
+ {
+ Connection connection = DatabaseUtilities.getConnection(s);
+
+ ec.addElement(makeAccountLine(s));
+
+ String query = "SELECT * FROM salaries WHERE userid = '" + userid + "'";
+ //ec.addElement(new PRE(query));
+
+ try
+ {
+ // check target data
+ Statement target_statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,
+ ResultSet.CONCUR_READ_ONLY);
+ ResultSet target_results = target_statement.executeQuery("SELECT salary from salaries where userid='"+TARGET_USERID+"'");
+ target_results.first();
+ String before_salary_target_salary = target_results.getString(1);
+
+ System.out.println("Before running query, salary for target userid " + TARGET_USERID + " = " + before_salary_target_salary );
+
+ target_results = target_statement.executeQuery("SELECT salary from salaries where userid='"+NONTARGET_USERID+"'");
+ target_results.first();
+ String before_salary_nontarget_salary = target_results.getString(1);
+
+ System.out.println("Before running query, salary for nontarget userid " + NONTARGET_USERID + " = " + before_salary_nontarget_salary );
+
+ // execute query
+ Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,
+ ResultSet.CONCUR_READ_ONLY);
+ //
+ statement.execute(query);
+
+ ResultSet results = statement.getResultSet();
+
+ if ((results != null) && (results.first() == true))
+ {
+ ResultSetMetaData resultsMetaData = results.getMetaData();
+ ec.addElement(DatabaseUtilities.writeTable(results, resultsMetaData));
+ results.last();
+ }
+ else
+ {
+ ec.addElement(WebGoatI18N.get("NoResultsMatched"));
+ }
+
+ // see if target data was modified
+ target_results = target_statement.executeQuery("SELECT salary from salaries where userid='"+TARGET_USERID+"'");
+ target_results.first();
+ String after_salary_target_salary = target_results.getString(1);
+
+ System.out.println("After running query, salary for target userid " + TARGET_USERID + " = " + before_salary_target_salary );
+
+ target_results = target_statement.executeQuery("SELECT salary from salaries where userid='"+NONTARGET_USERID+"'");
+ target_results.first();
+ String after_salary_nontarget_salary = target_results.getString(1);
+
+ System.out.println("After running query, salary for nontarget userid " + NONTARGET_USERID + " = " + before_salary_nontarget_salary );
+
+ if(!after_salary_nontarget_salary.equals(before_salary_nontarget_salary)) {
+ s.setMessage("You modified the salary for another userid, in order to succeed you must modify the salary of only userid "
+ + TARGET_USERID + ".");
+ } else {
+ if(!after_salary_target_salary.equals(before_salary_target_salary)) {
+ makeSuccess(s);
+ }
+ }
+
+ } catch (SQLException sqle)
+ {
+ ec.addElement(new P().addElement(sqle.getMessage()));
+ sqle.printStackTrace();
+ }
+ } catch (Exception e)
+ {
+ s.setMessage(WebGoatI18N.get("ErrorGenerating") + this.getClass().getName());
+ e.printStackTrace();
+ }
+
+ return (ec);
+ }
+
+
+
+ protected Element makeAccountLine(WebSession s)
+ {
+ ElementContainer ec = new ElementContainer();
+ ec.addElement(new P().addElement(WebGoatI18N.get("EnterUserid")));
+
+ userid = s.getParser().getRawParameter(USERID, "jsmith");
+ Input input = new Input(Input.TEXT, USERID, userid.toString());
+ ec.addElement(input);
+
+ Element b = ECSFactory.makeButton(WebGoatI18N.get("Go!"));
+ ec.addElement(b);
+
+ return ec;
+
+ }
+
+ /**
+ * Gets the category attribute of the SqNumericInjection object
+ *
+ * @return The category value
+ */
+ protected Category getDefaultCategory()
+ {
+ return Category.INJECTION;
+ }
+
+ /**
+ * Gets the credits attribute of the AbstractLesson object
+ *
+ * @return The credits value
+ */
+ public Element getCredits()
+ {
+ return super.getCustomCredits("Created by Chuck Willis ", MANDIANT_LOGO);
+ }
+
+ /**
+ * Gets the hints attribute of the DatabaseFieldScreen object
+ *
+ * @return The hints value
+ */
+ protected List<String> getHints(WebSession s)
+ {
+ List<String> hints = new ArrayList<String>();
+
+ hints.add(WebGoatI18N.get("SqlModifyDataHint1"));
+ hints.add(WebGoatI18N.get("SqlModifyDataHint2"));
+ hints.add(WebGoatI18N.get("SqlModifyDataHint3"));
+ hints.add(WebGoatI18N.get("SqlModifyDataHint4"));
+ hints.add(WebGoatI18N.get("SqlModifyDataHint5"));
+
+ return hints;
+ }
+
+ private final static Integer DEFAULT_RANKING = new Integer(77);
+
+ protected Integer getDefaultRanking()
+ {
+ return DEFAULT_RANKING;
+ }
+
+ /**
+ * Gets the title attribute of the DatabaseFieldScreen object
+ *
+ * @return The title value
+ */
+ public String getTitle()
+ {
+ return ("Modify Data with SQL Injection");
+ }
+
+ /**
+ * Gets the instructions attribute of the SqlInjection object
+ *
+ * @return The instructions value
+ */
+ public String getInstructions(WebSession s)
+ {
+ String instructions = "The form below allows a user to view salaries associated with a userid "
+ + "(from the table named <b>salaries</b>). This form"
+ + " is vulnerable to String SQL Injection. In order to pass this lesson, use SQL Injection to "
+ + "modify the salary for userid <b>"
+ + TARGET_USERID + "</b>.";
+
+ return (instructions);
+ }
+
+ /**
+ * Constructor for the DatabaseFieldScreen object
+ *
+ * @param s
+ * Description of the Parameter
+ */
+ public void handleRequest(WebSession s)
+ {
+ try
+ {
+ super.handleRequest(s);
+ } catch (Exception e)
+ {
+ // System.out.println("Exception caught: " + e);
+ e.printStackTrace(System.out);
+ }
+ }
+
+}
diff --git a/webgoat/main/project/JavaSource/org/owasp/webgoat/session/CreateDB.java b/webgoat/main/project/JavaSource/org/owasp/webgoat/session/CreateDB.java
index cef4f69ae..23d725fc5 100644
--- a/webgoat/main/project/JavaSource/org/owasp/webgoat/session/CreateDB.java
+++ b/webgoat/main/project/JavaSource/org/owasp/webgoat/session/CreateDB.java
@@ -351,6 +351,53 @@ public class CreateDB
statement.executeUpdate(insertData4);
statement.executeUpdate(insertData5);
+ }
+
+ // creates the table salaries which is used in the lessons
+ // which add or modify data using sql injection
+ private void createModifyWithSQLLessonTable(Connection connection) throws SQLException
+ {
+ Statement statement = connection.createStatement();
+
+ // Delete table if there is one
+ try
+ {
+ String dropTable = "DROP TABLE salaries";
+ statement.executeUpdate(dropTable);
+ }
+ catch (SQLException e)
+ {
+ System.out.println("Error dropping salaries table");
+ }
+
+ // Create the new table
+ try
+ {
+ String createTableStatement = "CREATE TABLE salaries ("
+ + "userid varchar(50),"
+ + "salary int"
+ + ")";
+ statement.executeUpdate(createTableStatement);
+ }
+ catch (SQLException e)
+ {
+ System.out.println("Error creating salaries table");
+ e.printStackTrace();
+ }
+
+ // Populate it
+ String insertData1 = "INSERT INTO salaries VALUES ('jsmith', 20000)";
+ String insertData2 = "INSERT INTO salaries VALUES ('lsmith', 45000)";
+ String insertData3 = "INSERT INTO salaries VALUES ('wgoat', 100000)";
+ String insertData4 = "INSERT INTO salaries VALUES ('rjones', 777777)";
+ String insertData5 = "INSERT INTO salaries VALUES ('manderson', 65000)";
+
+ statement.executeUpdate(insertData1);
+ statement.executeUpdate(insertData2);
+ statement.executeUpdate(insertData3);
+ statement.executeUpdate(insertData4);
+ statement.executeUpdate(insertData5);
+
}
/**
@@ -996,6 +1043,7 @@ public class CreateDB
createTanUserDataTable(connection);
createTanTable(connection);
createMFEImagesTable(connection);
+ createModifyWithSQLLessonTable(connection);
System.out.println("Success: creating tables.");
}
}