From e873752eacf91be1cae41d005802d0767bf3d466 Mon Sep 17 00:00:00 2001
From: Benedikt - Desktop
Date: Sat, 24 Nov 2018 14:55:51 +0100
Subject: [PATCH] Reworked description and added additional hints. Split regex for code checks for better readability.
---
 .../mitigation/SqlInjectionLesson10b.java | 35 ++++++++++++++-----
 .../resources/i18n/WebGoatLabels.properties | 12 ++++---
 .../en/SqlInjection_jdbc_newcode.adoc | 21 ++++++++---
 3 files changed, 52 insertions(+), 16 deletions(-)
diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson10b.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson10b.java
index 4847e0bbc..3b358c99a 100644
--- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson10b.java
+++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson10b.java
@@ -19,7 +19,7 @@ import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 @AssignmentPath("SqlInjection/attack10b")
-@AssignmentHints(value = {"SqlStringInjectionHint-mitigation-10b-1", "SqlStringInjectionHint-mitigation-10b-2", "SqlStringInjectionHint-mitigation-10b-3"})
+@AssignmentHints(value = {"SqlStringInjectionHint-mitigation-10b-1", "SqlStringInjectionHint-mitigation-10b-2", "SqlStringInjectionHint-mitigation-10b-3", "SqlStringInjectionHint-mitigation-10b-4", "SqlStringInjectionHint-mitigation-10b-5"})
 public class SqlInjectionLesson10b extends AssignmentEndpoint {
 @RequestMapping(method = RequestMethod.POST)
@@ -28,21 +28,40 @@ public class SqlInjectionLesson10b extends AssignmentEndpoint {
 try {
 if (editor.isEmpty()) return trackProgress(failed().feedback("sql-injection.10b.no-code").build());
- String regex1 = "(?=.*PreparedStatement.*)(?=.*setString.*)(?=.*\\=\\?.*|.*\\=\\s\\?.*)";
 editor = editor.replaceAll("\\<.*?>", "");
- boolean hasImportant = this.check_text(regex1, editor.replace("\n", "").replace("\r", ""));
+
+ String regex_setsUpConnection = "(?=.*getConnection.*)";
+ String regex_usesPreparedStatement = "(?=.*PreparedStatement.*)";
+ String regex_usesPlaceholder = "(?=.*\\=\\?.*|.*\\=\\s\\?.*)";
+ String regex_usesSetString = "(?=.*setString.*)";
+ String regex_usesExecute = "(?=.*execute.*)";
+ String regex_usesExecuteUpdate = "(?=.*executeUpdate.*)";
+
+ String codeline = editor.replace("\n", "").replace("\r", "");
+
+ boolean setsUpConnection = this.check_text(regex_setsUpConnection, codeline);
+ boolean usesPreparedStatement = this.check_text(regex_usesPreparedStatement, codeline);
+ boolean usesSetString = this.check_text(regex_usesSetString, codeline);
+ boolean usesPlaceholder = this.check_text(regex_usesPlaceholder, codeline);
+ boolean usesExecute = this.check_text(regex_usesExecute, codeline);
+ boolean usesExecuteUpdate = this.check_text(regex_usesExecuteUpdate, codeline);
+
+ boolean hasImportant = (setsUpConnection && usesPreparedStatement && usesPlaceholder && usesSetString && (usesExecute || usesExecuteUpdate));
 List hasCompiled = this.compileFromString(editor);
- String errors = "";
+
 if (hasImportant && hasCompiled.size() < 1) {
 return trackProgress(success().feedback("sql-injection.10b.success").build());
 } else if (hasCompiled.size() > 0) {
+ String errors = "";
 for (Diagnostic d : hasCompiled) {
- errors += d.getMessage(null) + "\n";
+ errors += d.getMessage(null) + "
";
 }
+ return trackProgress(failed().feedback("sql-injection.10b.compiler-errors").output(errors).build());
+ } else {
+ return trackProgress(failed().feedback("sql-injection.10b.failed").build());
 }
- return trackProgress(failed().feedback("sql-injection.10b.failed").output(errors.replace("\n", "
")).build());
 } catch(Exception e) {
- return trackProgress(success().build());
+ return trackProgress(failed().output(e.getMessage()).build());
 }
 }
@@ -59,7 +78,7 @@ public class SqlInjectionLesson10b extends AssignmentEndpoint {
 }
 private SimpleJavaFileObject getJavaFileContentsAsString(String s){
- StringBuilder javaFileContents = new StringBuilder("import java.sql.*; public class TestClass { public static void main(String[] args) {" + s + "}}");
+ StringBuilder javaFileContents = new StringBuilder("import java.sql.*; public class TestClass { static String DBUSER; static String DBPW; static String DBURL; public static void main(String[] args) {" + s + "}}");
 JavaObjectFromString javaFileObject = null;
 try{
 javaFileObject = new JavaObjectFromString("TestClass.java", javaFileContents.toString());
diff --git a/webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties b/webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties
index 8cbf25fa0..1fca278aa 100644
--- a/webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties
+++ b/webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties
@@ -64,9 +64,11 @@ SqlStringInjectionHint.9.5=How about something like '; UPDATE employees....
 sql-injection.10.success=
 sql-injection.10.entries=
-sql-injection.10b.success=
+
+sql-injection.10b.success=
 sql-injection.10b.failed=
 sql-injection.10b.no-code=
+sql-injection.10b.compiler-errors=
 SqlStringInjectionHint.10.1=Use the techniques that you have learned before.
 SqlStringInjectionHint.10.2=The application takes your input and filters for entries that are LIKE it.
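Review bot: The pass condition `hasImportant` is a set of substring checks on the flattened editor text, so a comment or string literal that merely mentions `PreparedStatement`, `setString` and `=?` satisfies the "safe code" test even when the query actually executed is built by concatenation on a plain `Statement`; stripping `//` and `/* */` comments at the same spot where the HTML tags are removed would close the most obvious false positive. `regex_usesExecute` (`(?=.*execute.*)`) already matches every occurrence of `executeUpdate`, so `usesExecuteUpdate` and the `(usesExecute || usesExecuteUpdate)` alternative are redundant and `usesExecute` alone is equivalent. In the catch block `e.getMessage()` can be null for some exception types and is returned to the learner verbatim; `String.valueOf(e.getMessage())` or a fixed feedback key would avoid handing `output(...)` a null. The enclosing method begins before this hunk.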
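Review bot: The three `static String` fields added to the wrapper source exist only so that submissions using the DBURL, DBUSER and DBPW names from the lesson text compile, but nothing in the hunk says so; a comment on that line such as `// Placeholders for the connection "constants" the lesson text tells the learner to assume; they carry no value.` would save the next maintainer from wondering where they are read. Whether the generated TestClass is only compiled or also executed is not visible here, so the comment should state which once confirmed against compileFromString. The `StringBuilder` around a single concatenation adds nothing; `String javaFileContents = "import java.sql.*; public class TestClass { static String DBUSER; static String DBPW; static String DBURL; public static void main(String[] args) {" + s + "}}";` reads the same and lets the `.toString()` on the last line go.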
@@ -78,9 +80,11 @@ SqlStringInjectionHint.10.6=Remember that you can use the -- metacharacter to co
 SqlStringInjectionHint-mitigation-10a-1=First establish a connection, after that you can create a statement.
 SqlStringInjectionHint-mitigation-10a-2=For every datatype there is a method to insert values into a wildcard symbol in a statement.
-SqlStringInjectionHint-mitigation-10b-1=A database connection has to be surrounded by a try-catch block to handle the very common case of an error while establishing the connection!
-SqlStringInjectionHint-mitigation-10b-2=Remember to use the right kind of statement, so your code is no longer vulnerable for SQL-Injections!
-SqlStringInjectionHint-mitigation-10b-3=The wildcard-symbol '?' in a prepared statement can be filled with the right kind of method. There exists one for every datatype!
+SqlStringInjectionHint-mitigation-10b-1=A database connection has to be surrounded by a try-catch block to handle the very common case of an error while establishing the connection.
+SqlStringInjectionHint-mitigation-10b-2=Remember to use the right kind of statement, so your code is no longer vulnerable for SQL-Injections.
+SqlStringInjectionHint-mitigation-10b-3=The wildcard-symbol '?' in a prepared statement can be filled with the right kind of method. There exists one for every datatype.
+SqlStringInjectionHint-mitigation-10b-4=Make sure to execute your statement.
+SqlStringInjectionHint-mitigation-10b-5=View the previous lesson to check back on how you can build set up a connection.
 SqlStringInjectionHint-mitigation-12a-1=Try sorting and look at the request
 SqlStringInjectionHint-mitigation-12a-2=Intercept the request and try to specify a different order by
diff --git a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_jdbc_newcode.adoc b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_jdbc_newcode.adoc
index 7198be855..d801656e7 100644
--- a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_jdbc_newcode.adoc
+++ b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_jdbc_newcode.adoc
@@ -1,10 +1,22 @@
 == Try it! Writing safe code
-Now it's time to write your own code! Use JDBC to connect to a database and use a statement to request data from the database (the content of the statement doesn't matter, but make sure, that the SQL is valid). The SQL Statement should at least contain one string parameter. The content of the parameter is stored in the variable 'String content'.
+Now it's time to write your own code!
+Your task is to use JDBC to connect to a database and request data from it.
-All code you write down below gets inserted into a main method of a java class with the name "TestClass". This class also imports java.sql.*. Use your knowledge and write the right code from scratch!
+*Requirements:*
-For example; following coding would compile without any error.
+* connect to a database
+* perform a query on the database which is immune to SQL Injection attacks
+* your query needs to contain at least one string parameter
+
+*Some tips before you start:*
+
+For connecting to the database, you can simply assume the constants *DBURL*, *DBUSER* and *DBPW* as given.
+
+The content of your query does not matter, as long as the SQL is valid and meets the requirements.
+
+All the code you write gets inserted into the main method of a java class with the name "TestClass" that already imports *java.sql.** for your.
+
+Not creative enough to think of your own query? How about you try to retrieve the data for a user with a specific name from a fictional database table called *users*.
+
+For example; following coding would compile without any error (but of course does not meet the requirements to complete this lesson).
 [source,java]
 -------------------------------------------------------
@@ -16,4 +28,5 @@ try {
 }
 -------------------------------------------------------
-Now type your solution in the editor window down below (if you can't type there it might help to adjust the size of your browser window once, then it should work):
+Use your knowledge and write some valid code from scratch in the editor window down below!
+(if you can't type there it might help to adjust the size of your browser window once, then it should work):