Added 3 new lessons. Some strings are in the properties files, but not all. Modified CreateDB.java in order to create a new salaries table used by the new SQL injection lessons.

git-svn-id: http://webgoat.googlecode.com/svn/trunk@390 4033779f-a91e-0410-96ef-6bf7bf53c507

webgoat/main/project/JavaSource/WebGoatLabels_english.properties

@@ -56,7 +56,7 @@ Refresh=Refresh
 
 WeakAuthenticationCookieHints1=The server authenticates the user using a cookie, if you send the right cookie.
 WeakAuthenticationCookieHints2=Is the AuthCookie value guessable knowing the username and password?
-WeakAuthenticationCookieHints3=Add 'AuthCookie=********;' to the Cookie: header using <A href=\"http://www.owasp.org/development/webscarab\">WebScarab</A>.
+WeakAuthenticationCookieHints3=Add 'AuthCookie=********;' to the Cookie: header using <A href=\"http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project\">WebScarab</A>.
 WeakAuthenticationCookieHints4=After logging in as webgoat a cookie is added. 65432ubphcfx<br/>After logging in as aspect a cookie is added. 65432udfqtb<br/>Is there anything similar about the cookies and the login names?
 
 #RemoteAdminFlaw.java
@@ -213,15 +213,28 @@ ThisAmountCharged=This amount will be charged to your credit card immediately.
 
 HiddenFieldTamperingHint1=This application is using hidden fields to transmit price information to the server.
 HiddenFieldTamperingHint2=Use a program to intercept and change the value in the hidden field.
-HiddenFieldTamperingHint3=Use <A href=\"http://www.owasp.org/development/webscarab\">WebScarab</A> to change the price of the TV from "
+HiddenFieldTamperingHint3=Use <A href=\"http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project\">WebScarab</A> to change the price of the TV from "
 HiddenFieldTamperingHint32= to 
 
-
+# Modify data with SQL Injection
-  
+EnterUserid=Enter your userid:
-
+SqlModifyDataHint1=You can use SQL Injection to execute more than one SQL statement.
-
+SqlModifyDataHint2=Use a semicolon (;) to separate SQL statements.
-
+SqlModifyDataHint3=Modify data using a SQL UPDATE Statement.
-
+SqlModifyDataHint4=For details and examples for SQL UPDATE statements, see <A href=\"http://www.w3schools.com/SQl/sql_update.asp\">http://www.w3schools.com/SQl/sql_update.asp</A>
+SqlModifyDataHint5=SOLUTION:<br/>foo'; UPDATE salaries SET salary=9999999 WHERE userid='jsmith
+
+# Modify data with SQL Injection
+SqlAddDataHint1=You can use SQL Injection to execute more than one SQL statement.
+SqlAddDataHint2=Use a semicolon (;) to separate SQL statements.  You will also need to comment out some characters that come after the injection with a double hyphen (--).
+SqlAddDataHint3=Modify data using a SQL INSERT Statement.
+SqlAddDataHint4=For details and examples for SQL INSERT statements, see <A href=\"http://www.w3schools.com/SQl/sql_insert.asp\">http://www.w3schools.com/SQl/sql_insert.asp</A>
+SqlAddDataHint5=SOLUTION:<br/>bar'; INSERT INTO salaries VALUES ('cwillis', 999999); --
+
+# Bypass Html Field Restrictions
+BypassHtmlFieldRestrictionsHint1=You must re-enable the disabled form field or manually add its parameter name to your request.
+BypassHtmlFieldRestrictionsHint2=You can use <A href=\"http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project\">WebScarab</A> to intercept requests and make changes.
+BypassHtmlFieldRestrictionsHint3=Rather than using <A href=\"http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project\">WebScarab</A>, you could instead use the <A href=\"http://chrispederick.com/work/web-developer/\">Web Developer</a> and/or <A href=\"http://devels-playground.blogspot.com/\">Hackbar</a> Firefox extensions to complete this lesson.
 
 
 

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/BypassHtmlFieldRestrictions.java

@@ -0,0 +1,256 @@
+
+package org.owasp.webgoat.lessons;
+
+import java.sql.Connection;
+import java.sql.ResultSet;
+import java.sql.ResultSetMetaData;
+import java.sql.SQLException;
+import java.sql.Statement;
+import java.util.ArrayList;
+import java.util.List;
+import org.apache.ecs.Element;
+import org.apache.ecs.ElementContainer;
+import org.apache.ecs.StringElement;
+import org.apache.ecs.html.A;
+import org.apache.ecs.html.BR;
+import org.apache.ecs.html.Div;
+import org.apache.ecs.html.IMG;
+import org.apache.ecs.html.Input;
+import org.apache.ecs.html.P;
+import org.apache.ecs.html.PRE;
+import org.owasp.webgoat.session.DatabaseUtilities;
+import org.owasp.webgoat.session.ECSFactory;
+import org.owasp.webgoat.session.ParameterNotFoundException;
+import org.owasp.webgoat.session.WebSession;
+import org.owasp.webgoat.util.WebGoatI18N;
+
+
+/***************************************************************************************************
+ * 
+ * 
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ * please see http://www.owasp.org/
+ * 
+ * Copyright (c) 2002 - 2007 Bruce Mayhew
+ * 
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ * 
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ * 
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ * 
+ * Getting Source ==============
+ * 
+ * Source for this application is maintained at code.google.com, a repository for free software
+ * projects.
+ * 
+ * For details, please see http://code.google.com/p/webgoat/
+ * 
+ * @author Chuck Willis <a href="http://www.securityfoundry.com">Chuck's web
+ *         site</a> 
+ * @created October 29, 2009
+ */
+public class BypassHtmlFieldRestrictions extends SequentialLessonAdapter
+{
+	public final static A MANDIANT_LOGO = new A().setHref("http://www.mandiant.com").addElement(new IMG("images/logos/mandiant.png").setAlt("MANDIANT").setBorder(0).setHspace(0).setVspace(0));
+	
+	private final static String USERID = "userid";
+
+	private String userid;
+
+	/**
+	 * Description of the Method
+	 * 
+	 * @param s
+	 *            Description of the Parameter
+	 * @return Description of the Return Value
+	 */
+	protected Element createContent(WebSession s)
+	{			
+		ElementContainer ec = new ElementContainer();
+		
+		try {
+			boolean failed = false;
+
+			// select element
+			ec.addElement(new Div().addElement(new StringElement("Select field with two possible values:")));
+			
+			String[] allowedSelect = {"foo", "bar"};
+	
+			ec.addElement(new org.apache.ecs.html.Select("select", allowedSelect));
+			
+			// radio button element
+			ec.addElement(new P());
+			ec.addElement(new Div().addElement(new StringElement("Radio button with two possible values:")));
+			
+			
+			Input radiofoo = new Input("radio", "radio", "foo");
+			radiofoo.setChecked(true);
+			ec.addElement(radiofoo);
+			ec.addElement(new StringElement("foo"));
+			ec.addElement(new BR());
+			ec.addElement(new Input("radio", "radio", "bar"));
+			ec.addElement(new StringElement("bar"));
+			
+			// checkbox
+			ec.addElement(new P());
+			ec.addElement(new Div().addElement(new StringElement("Checkbox:")));
+			Input checkbox = new Input("checkbox", "checkbox");
+			checkbox.setChecked(true);
+			ec.addElement(checkbox);
+			ec.addElement(new StringElement("checkbox"));
+			
+			// create shortinput
+			ec.addElement(new P());
+			ec.addElement(new Div().addElement(new StringElement("Input field restricted to 5 characters:")));
+			Input shortinput = new Input(Input.TEXT, "shortinput", "12345");
+			shortinput.setMaxlength(5);
+			ec.addElement(shortinput);
+
+			ec.addElement(new P());
+			ec.addElement(new Div().addElement(new StringElement("Disabled input field:")));
+			String defaultdisabledinputtext = "disabled";
+			Input disabledinput = new Input(Input.TEXT, "disabledinput", defaultdisabledinputtext);
+			disabledinput.setDisabled(true);
+			ec.addElement(disabledinput);
+			ec.addElement(new BR());
+	
+			// Submit Button
+			ec.addElement(new P());
+			ec.addElement(new Div().addElement(new StringElement("Submit button:")));
+			String submittext = "Submit";
+			Element b = ECSFactory.makeButton(submittext);
+			ec.addElement(b);
+			
+			//  Now check inputs that were submitted (if any)
+			
+			// check select field
+			String submittedselect = s.getParser().getRawParameter("select");
+			if(submittedselect.equals("foo")) failed = true;
+			if(submittedselect.equals("bar")) failed = true;
+			
+			// check radio buttons
+			String submittedradio = s.getParser().getRawParameter("radio");
+			if(submittedselect.equals("foo")) failed = true;
+			if(submittedselect.equals("bar")) failed = true;
+			
+			// check checkbox (note - if the box is not checked, this will throw an exception, but that
+			// is okay)
+			if(s.getParser().getRawParameter("checkbox").equals("on")) failed = true;
+			
+			// check shortinput
+			if(s.getParser().getRawParameter("shortinput").length() < 6) failed = true;
+			
+			// check disabledinput (note - if the field was not re-enabled, this will throw an exception, but that
+			// is okay)
+			if(s.getParser().getRawParameter("disabledinput").equals(defaultdisabledinputtext)) failed = true;
+			
+			// check submitbutton
+			if(s.getParser().getRawParameter("SUBMIT").equals(submittext)) failed = true;
+			
+			
+			// if we didn't fail, we succeeded!
+			if(failed != true) {
+				makeSuccess(s);
+			}
+			
+		} catch(ParameterNotFoundException e) {
+			//s.setMessage("Error, required parameter not found");
+			e.printStackTrace();
+		}
+		
+		return (ec);
+	}
+
+	/**
+	 * Gets the category attribute of the object
+	 * 
+	 * @return The category value
+	 */
+	protected Category getDefaultCategory()
+	{
+		return Category.PARAMETER_TAMPERING;
+	}
+
+    /**
+     * Gets the credits attribute of the AbstractLesson object
+     * 
+     * @return The credits value
+     */
+    public Element getCredits()
+    {
+    	return super.getCustomCredits("Created by Chuck Willis&nbsp;", MANDIANT_LOGO);
+    }
+	
+	/**
+	 * Gets the hints attribute of the DatabaseFieldScreen object
+	 * 
+	 * @return The hints value
+	 */
+	protected List<String> getHints(WebSession s)
+	{
+		List<String> hints = new ArrayList<String>();
+		
+		hints.add(WebGoatI18N.get("BypassHtmlFieldRestrictionsHint1"));
+		hints.add(WebGoatI18N.get("BypassHtmlFieldRestrictionsHint2"));
+		hints.add(WebGoatI18N.get("BypassHtmlFieldRestrictionsHint3"));
+
+		return hints;
+	}
+
+	private final static Integer DEFAULT_RANKING = new Integer(10);
+
+	protected Integer getDefaultRanking()
+	{
+		return DEFAULT_RANKING;
+	}
+
+	/**
+	 * Gets the title attribute of the DatabaseFieldScreen object
+	 * 
+	 * @return The title value
+	 */
+	public String getTitle()
+	{
+		return ("Bypass HTML Field Restrictions");
+	}
+
+    /**
+     * Gets the instructions attribute of the SqlInjection object
+     *  
+     * @return The instructions value
+     */
+    public String getInstructions(WebSession s)
+    {
+	String instructions = "The form below uses HTML form field restrictions. " + 
+		" In order to pass this lesson, submit the form with each field containing an unallowed value. "
+	+ "<b>You must submit invalid values for all six fields in one form submission.</b>";
+
+	return (instructions);
+    }
+	
+	/**
+	 * Constructor for the DatabaseFieldScreen object
+	 * 
+	 * @param s
+	 *            Description of the Parameter
+	 */
+	public void handleRequest(WebSession s)
+	{
+		try
+		{
+			super.handleRequest(s);
+		} catch (Exception e)
+		{
+			// System.out.println("Exception caught: " + e);
+			e.printStackTrace(System.out);
+		}
+	}
+
+}

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/SqlAddData.java

@@ -0,0 +1,247 @@
+
+package org.owasp.webgoat.lessons;
+
+import java.sql.Connection;
+import java.sql.ResultSet;
+import java.sql.ResultSetMetaData;
+import java.sql.SQLException;
+import java.sql.Statement;
+import java.util.ArrayList;
+import java.util.List;
+import org.apache.ecs.Element;
+import org.apache.ecs.ElementContainer;
+import org.apache.ecs.html.A;
+import org.apache.ecs.html.BR;
+import org.apache.ecs.html.IMG;
+import org.apache.ecs.html.Input;
+import org.apache.ecs.html.P;
+import org.apache.ecs.html.PRE;
+import org.owasp.webgoat.session.DatabaseUtilities;
+import org.owasp.webgoat.session.ECSFactory;
+import org.owasp.webgoat.session.WebSession;
+import org.owasp.webgoat.util.WebGoatI18N;
+
+
+/***************************************************************************************************
+ * 
+ * 
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ * please see http://www.owasp.org/
+ * 
+ * Copyright (c) 2002 - 2007 Bruce Mayhew
+ * 
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ * 
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ * 
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ * 
+ * Getting Source ==============
+ * 
+ * Source for this application is maintained at code.google.com, a repository for free software
+ * projects.
+ * 
+ * For details, please see http://code.google.com/p/webgoat/
+ * 
+ * @author Chuck Willis <a href="http://www.securityfoundry.com">Chuck's web
+ *         site</a> (this lesson is based on the String SQL Injection lesson)
+ * @created October 29, 2009
+ */
+public class SqlAddData extends SequentialLessonAdapter
+{
+	public final static A MANDIANT_LOGO = new A().setHref("http://www.mandiant.com").addElement(new IMG("images/logos/mandiant.png").setAlt("MANDIANT").setBorder(0).setHspace(0).setVspace(0));
+	
+	private final static String USERID = "userid";
+
+	private String userid;
+
+	/**
+	 * Description of the Method
+	 * 
+	 * @param s
+	 *            Description of the Parameter
+	 * @return Description of the Return Value
+	 */
+	protected Element createContent(WebSession s)
+	{
+		ElementContainer ec = new ElementContainer();
+
+		try
+		{
+			Connection connection = DatabaseUtilities.getConnection(s);
+
+			ec.addElement(makeAccountLine(s));
+
+			String query = "SELECT * FROM salaries WHERE userid = '" + userid + "'";
+			//ec.addElement(new PRE(query));
+
+			try
+			{
+				// get number of rows in table before executing injectable query
+				Statement target_statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,
+						ResultSet.CONCUR_READ_ONLY);
+				ResultSet target_results = target_statement.executeQuery("SELECT * from salaries");
+				target_results.last();
+				int number_of_results_before = target_results.getRow();
+				
+				System.out.println("Before running query, table salaries has " 
+						+ number_of_results_before + " records.");
+				
+				// execute query
+				Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,
+																	ResultSet.CONCUR_READ_ONLY);
+				
+				statement.execute(query);
+				
+				ResultSet results = statement.getResultSet();
+
+				if ((results != null) && (results.first() == true))
+				{
+					ResultSetMetaData resultsMetaData = results.getMetaData();
+					ec.addElement(DatabaseUtilities.writeTable(results, resultsMetaData));
+					results.last();
+				}
+				else
+				{
+					ec.addElement(WebGoatI18N.get("NoResultsMatched"));
+				}
+				
+				// see if the number of rows in the table has changed
+				target_results = target_statement.executeQuery("SELECT * from salaries");
+				target_results.last();
+				int number_of_results_after = target_results.getRow();
+				
+				System.out.println("After running query, table salaries has " 
+						+ number_of_results_after + " records.");
+				
+				if(number_of_results_after != number_of_results_before) {
+						makeSuccess(s);
+				}
+				
+			} catch (SQLException sqle)
+			{
+				ec.addElement(new P().addElement(sqle.getMessage()));
+				sqle.printStackTrace();
+			}
+		} catch (Exception e)
+		{
+			s.setMessage(WebGoatI18N.get("ErrorGenerating") + this.getClass().getName());
+			e.printStackTrace();
+		}
+
+		return (ec);
+	}
+
+	
+
+	protected Element makeAccountLine(WebSession s)
+	{
+		ElementContainer ec = new ElementContainer();
+		ec.addElement(new P().addElement(WebGoatI18N.get("EnterUserid")));
+
+		userid = s.getParser().getRawParameter(USERID, "jsmith");
+		Input input = new Input(Input.TEXT, USERID, userid.toString());
+		ec.addElement(input);
+
+		Element b = ECSFactory.makeButton(WebGoatI18N.get("Go!"));
+		ec.addElement(b);
+
+		return ec;
+
+	}
+
+	/**
+	 * Gets the category attribute of the SqNumericInjection object
+	 * 
+	 * @return The category value
+	 */
+	protected Category getDefaultCategory()
+	{
+		return Category.INJECTION;
+	}
+
+    /**
+     * Gets the credits attribute of the AbstractLesson object
+     * 
+     * @return The credits value
+     */
+    public Element getCredits()
+    {
+    	return super.getCustomCredits("Created by Chuck Willis&nbsp;", MANDIANT_LOGO);
+    }
+	
+	/**
+	 * Gets the hints attribute of the DatabaseFieldScreen object
+	 * 
+	 * @return The hints value
+	 */
+	protected List<String> getHints(WebSession s)
+	{
+		List<String> hints = new ArrayList<String>();
+		
+		hints.add(WebGoatI18N.get("SqlAddDataHint1"));
+		hints.add(WebGoatI18N.get("SqlAddDataHint2"));
+		hints.add(WebGoatI18N.get("SqlAddDataHint3"));
+		hints.add(WebGoatI18N.get("SqlAddDataHint4"));
+		hints.add(WebGoatI18N.get("SqlAddDataHint5"));
+
+		return hints;
+	}
+
+	private final static Integer DEFAULT_RANKING = new Integer(78);
+
+	protected Integer getDefaultRanking()
+	{
+		return DEFAULT_RANKING;
+	}
+
+	/**
+	 * Gets the title attribute of the DatabaseFieldScreen object
+	 * 
+	 * @return The title value
+	 */
+	public String getTitle()
+	{
+		return ("Add Data with SQL Injection");
+	}
+
+    /**
+     * Gets the instructions attribute of the SqlInjection object
+     *  
+     * @return The instructions value
+     */
+    public String getInstructions(WebSession s)
+    {
+	String instructions = "The form below allows a user to view salaries associated with a userid "
+		+ "(from the table named <b>salaries</b>).  This form" 
+		+ " is vulnerable to String SQL Injection.  In order to pass this lesson, use SQL Injection to "
+		+ "add a record to the table.";
+
+	return (instructions);
+    }
+	
+	/**
+	 * Constructor for the DatabaseFieldScreen object
+	 * 
+	 * @param s
+	 *            Description of the Parameter
+	 */
+	public void handleRequest(WebSession s)
+	{
+		try
+		{
+			super.handleRequest(s);
+		} catch (Exception e)
+		{
+			// System.out.println("Exception caught: " + e);
+			e.printStackTrace(System.out);
+		}
+	}
+
+}

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/SqlModifyData.java

@@ -0,0 +1,266 @@
+
+package org.owasp.webgoat.lessons;
+
+import java.sql.Connection;
+import java.sql.ResultSet;
+import java.sql.ResultSetMetaData;
+import java.sql.SQLException;
+import java.sql.Statement;
+import java.util.ArrayList;
+import java.util.List;
+import org.apache.ecs.Element;
+import org.apache.ecs.ElementContainer;
+import org.apache.ecs.html.A;
+import org.apache.ecs.html.BR;
+import org.apache.ecs.html.IMG;
+import org.apache.ecs.html.Input;
+import org.apache.ecs.html.P;
+import org.apache.ecs.html.PRE;
+import org.owasp.webgoat.session.DatabaseUtilities;
+import org.owasp.webgoat.session.ECSFactory;
+import org.owasp.webgoat.session.WebSession;
+import org.owasp.webgoat.util.WebGoatI18N;
+
+
+/***************************************************************************************************
+ * 
+ * 
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ * please see http://www.owasp.org/
+ * 
+ * Copyright (c) 2002 - 2007 Bruce Mayhew
+ * 
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ * 
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ * 
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ * 
+ * Getting Source ==============
+ * 
+ * Source for this application is maintained at code.google.com, a repository for free software
+ * projects.
+ * 
+ * For details, please see http://code.google.com/p/webgoat/
+ * 
+ * @author Chuck Willis <a href="http://www.securityfoundry.com">Chuck's web
+ *         site</a> (this lesson is based on the String SQL Injection lesson)
+ * @created October 29, 2009
+ */
+public class SqlModifyData extends SequentialLessonAdapter
+{
+	public final static A MANDIANT_LOGO = new A().setHref("http://www.mandiant.com").addElement(new IMG("images/logos/mandiant.png").setAlt("MANDIANT").setBorder(0).setHspace(0).setVspace(0));
+	
+	private final static String USERID = "userid";
+
+    private final static String TARGET_USERID = "jsmith";
+    private final static String NONTARGET_USERID = "lsmith";
+
+	private String userid;
+
+	/**
+	 * Description of the Method
+	 * 
+	 * @param s
+	 *            Description of the Parameter
+	 * @return Description of the Return Value
+	 */
+	protected Element createContent(WebSession s)
+	{
+		ElementContainer ec = new ElementContainer();
+
+		try
+		{
+			Connection connection = DatabaseUtilities.getConnection(s);
+
+			ec.addElement(makeAccountLine(s));
+
+			String query = "SELECT * FROM salaries WHERE userid = '" + userid + "'";
+			//ec.addElement(new PRE(query));
+
+			try
+			{
+				// check target data
+				Statement target_statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,
+						ResultSet.CONCUR_READ_ONLY);
+				ResultSet target_results = target_statement.executeQuery("SELECT salary from salaries where userid='"+TARGET_USERID+"'");
+				target_results.first();
+				String before_salary_target_salary = target_results.getString(1);
+				
+				System.out.println("Before running query, salary for target userid " + TARGET_USERID + " = " + before_salary_target_salary );
+					
+				target_results = target_statement.executeQuery("SELECT salary from salaries where userid='"+NONTARGET_USERID+"'");
+				target_results.first();
+				String before_salary_nontarget_salary = target_results.getString(1);
+				
+				System.out.println("Before running query, salary for nontarget userid " + NONTARGET_USERID + " = " + before_salary_nontarget_salary );
+				
+				// execute query
+				Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,
+																	ResultSet.CONCUR_READ_ONLY);
+				//
+				statement.execute(query);
+				
+				ResultSet results = statement.getResultSet();
+
+				if ((results != null) && (results.first() == true))
+				{
+					ResultSetMetaData resultsMetaData = results.getMetaData();
+					ec.addElement(DatabaseUtilities.writeTable(results, resultsMetaData));
+					results.last();
+				}
+				else
+				{
+					ec.addElement(WebGoatI18N.get("NoResultsMatched"));
+				}
+				
+				// see if target data was modified
+			    target_results = target_statement.executeQuery("SELECT salary from salaries where userid='"+TARGET_USERID+"'");
+				target_results.first();
+				String after_salary_target_salary = target_results.getString(1);
+				
+				System.out.println("After running query, salary for target userid " + TARGET_USERID + " = " + before_salary_target_salary );
+					
+				target_results = target_statement.executeQuery("SELECT salary from salaries where userid='"+NONTARGET_USERID+"'");
+				target_results.first();
+				String after_salary_nontarget_salary = target_results.getString(1);
+				
+				System.out.println("After running query, salary for nontarget userid " + NONTARGET_USERID + " = " + before_salary_nontarget_salary );
+				
+				if(!after_salary_nontarget_salary.equals(before_salary_nontarget_salary)) {
+					s.setMessage("You modified the salary for another userid, in order to succeed you must modify the salary of only userid " 
+							+ TARGET_USERID + ".");
+				} else {
+					if(!after_salary_target_salary.equals(before_salary_target_salary)) {
+						makeSuccess(s);
+					}
+				}
+				
+			} catch (SQLException sqle)
+			{
+				ec.addElement(new P().addElement(sqle.getMessage()));
+				sqle.printStackTrace();
+			}
+		} catch (Exception e)
+		{
+			s.setMessage(WebGoatI18N.get("ErrorGenerating") + this.getClass().getName());
+			e.printStackTrace();
+		}
+
+		return (ec);
+	}
+
+	
+
+	protected Element makeAccountLine(WebSession s)
+	{
+		ElementContainer ec = new ElementContainer();
+		ec.addElement(new P().addElement(WebGoatI18N.get("EnterUserid")));
+
+		userid = s.getParser().getRawParameter(USERID, "jsmith");
+		Input input = new Input(Input.TEXT, USERID, userid.toString());
+		ec.addElement(input);
+
+		Element b = ECSFactory.makeButton(WebGoatI18N.get("Go!"));
+		ec.addElement(b);
+
+		return ec;
+
+	}
+
+	/**
+	 * Gets the category attribute of the SqNumericInjection object
+	 * 
+	 * @return The category value
+	 */
+	protected Category getDefaultCategory()
+	{
+		return Category.INJECTION;
+	}
+
+    /**
+     * Gets the credits attribute of the AbstractLesson object
+     * 
+     * @return The credits value
+     */
+    public Element getCredits()
+    {
+    	return super.getCustomCredits("Created by Chuck Willis&nbsp;", MANDIANT_LOGO);
+    }
+	
+	/**
+	 * Gets the hints attribute of the DatabaseFieldScreen object
+	 * 
+	 * @return The hints value
+	 */
+	protected List<String> getHints(WebSession s)
+	{
+		List<String> hints = new ArrayList<String>();
+		
+		hints.add(WebGoatI18N.get("SqlModifyDataHint1"));
+		hints.add(WebGoatI18N.get("SqlModifyDataHint2"));
+		hints.add(WebGoatI18N.get("SqlModifyDataHint3"));
+		hints.add(WebGoatI18N.get("SqlModifyDataHint4"));
+		hints.add(WebGoatI18N.get("SqlModifyDataHint5"));
+
+		return hints;
+	}
+
+	private final static Integer DEFAULT_RANKING = new Integer(77);
+
+	protected Integer getDefaultRanking()
+	{
+		return DEFAULT_RANKING;
+	}
+
+	/**
+	 * Gets the title attribute of the DatabaseFieldScreen object
+	 * 
+	 * @return The title value
+	 */
+	public String getTitle()
+	{
+		return ("Modify Data with SQL Injection");
+	}
+
+    /**
+     * Gets the instructions attribute of the SqlInjection object
+     *  
+     * @return The instructions value
+     */
+    public String getInstructions(WebSession s)
+    {
+	String instructions = "The form below allows a user to view salaries associated with a userid "
+		+ "(from the table named <b>salaries</b>).  This form" 
+		+ " is vulnerable to String SQL Injection.  In order to pass this lesson, use SQL Injection to "
+		+ "modify the salary for userid <b>"
+		+ TARGET_USERID + "</b>.";
+
+	return (instructions);
+    }
+	
+	/**
+	 * Constructor for the DatabaseFieldScreen object
+	 * 
+	 * @param s
+	 *            Description of the Parameter
+	 */
+	public void handleRequest(WebSession s)
+	{
+		try
+		{
+			super.handleRequest(s);
+		} catch (Exception e)
+		{
+			// System.out.println("Exception caught: " + e);
+			e.printStackTrace(System.out);
+		}
+	}
+
+}

webgoat/main/project/JavaSource/org/owasp/webgoat/session/CreateDB.java

@@ -351,6 +351,53 @@ public class CreateDB
 		statement.executeUpdate(insertData4);
 		statement.executeUpdate(insertData5);
 	
+    }
+	
+	// creates the table salaries which is used in the lessons 
+	// which add or modify data using sql injection 
+	private void createModifyWithSQLLessonTable(Connection connection) throws SQLException
+    {
+		Statement statement = connection.createStatement();
+	
+		// Delete table if there is one
+		try
+		{
+		    String dropTable = "DROP TABLE salaries";
+		    statement.executeUpdate(dropTable);
+		}
+		catch (SQLException e)
+		{
+		    System.out.println("Error dropping salaries table");
+		}
+	
+		// Create the new table
+		try
+		{
+		    String createTableStatement = "CREATE TABLE salaries ("
+			    + "userid varchar(50),"
+			    + "salary int" 
+			    + ")";
+		    statement.executeUpdate(createTableStatement);
+		}
+		catch (SQLException e)
+		{
+		    System.out.println("Error creating salaries table");
+		    e.printStackTrace();
+		}
+	
+		// Populate it
+		String insertData1 = "INSERT INTO salaries VALUES ('jsmith', 20000)";
+		String insertData2 = "INSERT INTO salaries VALUES ('lsmith', 45000)";
+		String insertData3 = "INSERT INTO salaries VALUES ('wgoat', 100000)";
+		String insertData4 = "INSERT INTO salaries VALUES ('rjones', 777777)";
+		String insertData5 = "INSERT INTO salaries VALUES ('manderson', 65000)";
+		
+		statement.executeUpdate(insertData1);
+		statement.executeUpdate(insertData2);
+		statement.executeUpdate(insertData3);
+		statement.executeUpdate(insertData4);
+		statement.executeUpdate(insertData5);
+	
     }
 	
 	/**
@@ -996,6 +1043,7 @@ public class CreateDB
 		createTanUserDataTable(connection);
 		createTanTable(connection);
 		createMFEImagesTable(connection);
+		createModifyWithSQLLessonTable(connection);
 		System.out.println("Success: creating tables.");
 	}
 }