dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Reworked description and added additional hints. Split regex for code checks for better readability.

Browse Source
This commit is contained in:
Benedikt - Desktop
2018-11-24 14:55:51 +01:00
committed by Nanne Baars
parent 4cdd649a5a
commit e873752eac
3 changed files with 52 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties
View File

@ -64,9 +64,11 @@ SqlStringInjectionHint.9.5=How about something like '; UPDATE employees....
sql-injection.10.success=<span class='feedback-positive'>Success! You successfully deleted the access_log table and that way compromised the availability of the data.</span>
sql-injection.10.entries=<span class='feedback-negative'>There's still evidence of what you did. Better remove the whole table.</span>
sql-injection.10b.success=<span class='feedback-positive'>Your code can prevent an SQL Injection! Success!</span>
sql-injection.10b.success=<span class='feedback-positive'>You did it! Your code can prevent an SQL Injection attack!</span>
sql-injection.10b.failed=<span class='feedback-negative'>Something doesn't seem right with that code. Maybe you should look at an example how to prevent SQL Injections with JDBC?</span>
sql-injection.10b.no-code=<span class='feedback-negative'>You need to write some code.</span>
sql-injection.10b.compiler-errors=<span class='feedback-negative'>Couldn't compile code:</span>
SqlStringInjectionHint.10.1=Use the techniques that you have learned before.
SqlStringInjectionHint.10.2=The application takes your input and filters for entries that are LIKE it.
@ -78,9 +80,11 @@ SqlStringInjectionHint.10.6=Remember that you can use the -- metacharacter to co
SqlStringInjectionHint-mitigation-10a-1=First establish a connection, after that you can create a statement.
SqlStringInjectionHint-mitigation-10a-2=For every datatype there is a method to insert values into a wildcard symbol in a statement.
SqlStringInjectionHint-mitigation-10b-1=A database connection has to be surrounded by a try-catch block to handle the very common case of an error while establishing the connection!
SqlStringInjectionHint-mitigation-10b-2=Remember to use the right kind of statement, so your code is no longer vulnerable for SQL-Injections!
SqlStringInjectionHint-mitigation-10b-3=The wildcard-symbol '?' in a prepared statement can be filled with the right kind of method. There exists one for every datatype!
SqlStringInjectionHint-mitigation-10b-1=A database connection has to be surrounded by a try-catch block to handle the very common case of an error while establishing the connection.
SqlStringInjectionHint-mitigation-10b-2=Remember to use the right kind of statement, so your code is no longer vulnerable for SQL-Injections.
SqlStringInjectionHint-mitigation-10b-3=The wildcard-symbol '?' in a prepared statement can be filled with the right kind of method. There exists one for every datatype.
SqlStringInjectionHint-mitigation-10b-4=Make sure to execute your statement.
SqlStringInjectionHint-mitigation-10b-5=View the previous lesson to check back on how you can build set up a connection.
SqlStringInjectionHint-mitigation-12a-1=Try sorting and look at the request
SqlStringInjectionHint-mitigation-12a-2=Intercept the request and try to specify a different order by