fix: rewrite questions (#2057)

Closes: gh-1178
Nanne Baars 2025-03-11 20:05:35 +01:00 committed by GitHub
parent 641f24df9d
commit e2f80b18e2
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 61 additions and 55 deletions


@ -1,43 +1,49 @@
{
"questions": [{
"text": "What is the difference between a prepared statement and a statement?",
"solutions": {
"1": "Prepared statements are statements with hard-coded parameters.",
"2": "Prepared statements are not stored in the database.",
"3": "A statement is faster.",
"4": "A statement has got values instead of a prepared statement"
}
}, {
"text": "Which one of the following characters is a placeholder for variables?",
"solutions": {
"1": "*",
"2": "=",
"3": "?",
"4": "!"
}
}, {
"text": "How can prepared statements be faster than statements?",
"solutions": {
"1": "They are not static so they can compile better written code than statements.",
"2": "Prepared statements are compiled once by the database management system waiting for input and are pre-compiled this way.",
"3": "Prepared statements are stored and wait for input it raises performance considerably.",
"4": "Oracle optimized prepared statements. Because of the minimal use of the databases resources it is faster."
}
}, {
"text": "How can a prepared statement prevent SQL-Injection?",
"solutions": {
"1": "Prepared statements have got an inner check to distinguish between input and logical errors.",
"2": "Prepared statements use the placeholders to make rules what input is allowed to use.",
"3": "Placeholders can prevent that the users input gets attached to the SQL query resulting in a seperation of code and data.",
"4": "Prepared statements always read inputs literally and never mixes it with its SQL commands."
}
}, {
"text": "What happens if a person with malicious intent writes into a register form :Robert); DROP TABLE Students;-- that has a prepared statement?",
"solutions": {
"1": "The table Students and all of its content will be deleted.",
"2": "The input deletes all students with the name Robert.",
"3": "The database registers 'Robert' and deletes the table afterwards.",
"4": "The database registers 'Robert' ); DROP TABLE Students;--'."
}
}]
"questions": [
{
"text": "What is the difference between a prepared statement and a statement?",
"solutions": {
"1": "Prepared statements are statements with hard-coded parameters.",
"2": "Prepared statements are not stored in the database.",
"3": "A statement is faster executes faster than a prepared statement.",
"4": "A statement includes actual values, whereas a prepared statement uses placeholders."
}
},
{
"text": "Which one of the following characters is a placeholder for variables?",
"solutions": {
"1": "*",
"2": "=",
"3": "?",
"4": "!"
}
},
{
"text": "How can prepared statements be faster than statements?",
"solutions": {
"1": "Prepared statements are not static, allowing them to be optimized more efficiently than regular statements.",
"2": "Prepared statements are compiled once by the database management system and then reused with different inputs, reducing compilation overhead.",
"3": "Since prepared statements are stored and wait for input, they improve performance significantly.",
"4": "Oracle optimizes prepared statements, making them faster by minimizing the use of database resources."
}
},
{
"text": "How do prepared statements help prevent SQL injection?",
"solutions": {
"1": "Prepared statements have built-in mechanisms to distinguish between user input and SQL logic, preventing malicious manipulation.",
"2": "Prepared statements use placeholders to enforce rules on allowed input, reducing the risk of SQL injection.",
"3": "Placeholders prevent user input from being directly appended to the SQL query, ensuring a clear separation between code and data.",
"4": "Prepared statements treat all user input as literal values, never mixing it with SQL commands."
}
},
{
"text": "What happens if a person with malicious intent enters the following input into a registration form that uses a prepared statement? Input: Robert); DROP TABLE Students;--",
"solutions": {
"1": "The Students table and all its data will be deleted.",
"2": "The input deletes all students named Robert.",
"3": "The database registers Robert and then deletes the table.",
"4": "The database treats the entire input as a plain string: Robert); DROP TABLE Students;-- without executing it as SQL."
}
}
]
}
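Review bot: Option 3 of the first question now reads `A statement is faster executes faster than a prepared statement.`, which carries a leftover `is faster`; it should be `"3": "A statement executes faster than a prepared statement."`. In the question on how prepared statements help prevent SQL injection, the reworded options 1, 3 and 4 all describe keeping user input apart from SQL logic in terms a learner could defend. Unless the answer key (not visible here) accepts more than one of them, the distractors need to be clearly wrong again. The last question would also be more precise if it said the input is bound through a placeholder, because a prepared statement built by concatenating that input into the query text would still be injectable.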


@ -1,19 +1,19 @@
{
"questions": [{
"text": "Are trusted websites immune to XSS attacks?",
"text": "Is a well known website, like Netflix, immune to XSS attacks?",
"solutions": {
"1": "Yes they are safe because the browser checks the code before executing.",
"2": "Yes because Google has got an algorithm that blocks malicious code.",
"3": "No because the script that is executed will break through the defense algorithm of the browser.",
"4": "No because the browser trusts the website if it is acknowledged trusted, then the browser does not know that the script is malicious."
"1": "Yes, they are safe because the browser checks the code before executing.",
"2": "Yes, because Google has got an algorithm that blocks malicious code.",
"3": "No, because the script that is executed will break through the defense algorithm of the browser.",
"4": "No, because the browser trusts the website if it is acknowledged trusted, then the browser does not know that the script is malicious."
}
}, {
"text": "When do XSS attacks occur?",
"solutions": {
"1": "Data enters a web application through a trusted source.",
"2": "Data enters a browser application through the website.",
"3": "The data is included in dynamic content that is sent to a web user without being validated for malicious content.",
"4": "The data is excluded in static content that way it is sent without being validated."
"1": "When malicious scripts are injected into a website's server-side code.",
"2": "When a user submits sensitive information without encryption.",
"3": "When a website fails to validate or sanitize user input, allowing malicious scripts to be executed in a user's browser.",
"4": "When a website uses outdated SSL/TLS protocols."
}
}, {
"text": "What are Stored XSS attacks?",
@ -27,17 +27,17 @@
"text": "What are Reflected XSS attacks?",
"solutions": {
"1": "Reflected attacks reflect malicious code from the database to the web server and then reflect it back to the user.",
"2": "They reflect the injected script off the web server. That occurs when input sent to the web server is part of the request.",
"2": "They reflect the injected script off the web server. That occurs when input sent to the web server is part of the response.",
"3": "Reflected attacks reflect from the firewall off to the database where the user requests information from.",
"4": "Reflected XSS is an attack where the injected script is reflected off the database and web server to the user."
}
}, {
"text": "Is JavaScript the only way to perform XSS attacks?",
"solutions": {
"1": "Yes you can only make use of tags through JavaScript.",
"2": "Yes otherwise you cannot steal cookies.",
"3": "No there is ECMAScript too.",
"4": "No there are many other ways. Like HTML, Flash or any other type of code that the browser executes."
"1": "Yes, you can only make use of tags through JavaScript.",
"2": "Yes, otherwise you cannot steal cookies.",
"3": "No, there is ECMAScript too.",
"4": "No, there are many other ways. Like HTML, Flash or any other type of code that the browser executes."
}
}]
}