fix: SQL advanced assignment 5 (#2047)
- Add and show correct hints - Fix solving the lesson immediately when you register as tom. Now uses `informationMessage` to display a message in the UI - Add Playwright test Closes: gh-2045
This commit is contained in:
Nanne Baars
GitHub
@ -15,17 +15,16 @@ public class SqlInjectionAdvancedIntegrationTest extends IntegrationTest {
|
||||
startLesson("SqlInjectionAdvanced");
|
||||
|
||||
Map<String, Object> params = new HashMap<>();
|
||||
params.clear();
|
||||
params.put("username_reg", "tom' AND substring(password,1,1)='t");
|
||||
params.put("password_reg", "password");
|
||||
params.put("email_reg", "someone@microsoft.com");
|
||||
params.put("confirm_password", "password");
|
||||
checkAssignmentWithPUT(webGoatUrlConfig.url("SqlInjectionAdvanced/challenge"), params, true);
|
||||
checkAssignmentWithPUT(webGoatUrlConfig.url("SqlInjectionAdvanced/register"), params, false);
|
||||
|
||||
params.clear();
|
||||
params.put("username_login", "tom");
|
||||
params.put("password_login", "thisisasecretfortomonly");
|
||||
checkAssignment(webGoatUrlConfig.url("SqlInjectionAdvanced/challenge_Login"), params, true);
|
||||
checkAssignment(webGoatUrlConfig.url("SqlInjectionAdvanced/login"), params, true);
|
||||
|
||||
params.clear();
|
||||
params.put("userid_6a", "'; SELECT * FROM user_system_data;--");
|
||||
@ -59,7 +58,5 @@ public class SqlInjectionAdvancedIntegrationTest extends IntegrationTest {
|
||||
"question_4_solution",
|
||||
"Solution 4: The database registers 'Robert' ); DROP TABLE Students;--'.");
|
||||
checkAssignment(webGoatUrlConfig.url("SqlInjectionAdvanced/quiz"), params, true);
|
||||
|
||||
checkResults("SqlInjectionAdvanced");
|
||||
}
|
||||
}
|
||||
|
||||
@ -2,7 +2,7 @@
|
||||
* SPDX-FileCopyrightText: Copyright © 2025 WebGoat authors
|
||||
* SPDX-License-Identifier: GPL-2.0-or-later
|
||||
*/
|
||||
package org.owasp.webgoat.playwright.webgoat;
|
||||
package org.owasp.webgoat.playwright.webgoat.lessons;
|
||||
|
||||
import static com.microsoft.playwright.assertions.PlaywrightAssertions.assertThat;
|
||||
|
||||
@ -15,8 +15,9 @@ import org.junit.jupiter.api.Order;
|
||||
import org.junit.jupiter.api.Test;
|
||||
import org.junit.jupiter.api.TestMethodOrder;
|
||||
import org.owasp.webgoat.container.lessons.LessonName;
|
||||
import org.owasp.webgoat.playwright.webgoat.PlaywrightTest;
|
||||
import org.owasp.webgoat.playwright.webgoat.helpers.Authentication;
|
||||
import org.owasp.webgoat.playwright.webgoat.pages.HttpBasicsLessonPage;
|
||||
import org.owasp.webgoat.playwright.webgoat.pages.lessons.HttpBasicsLessonPage;
|
||||
|
||||
@TestMethodOrder(MethodOrderer.OrderAnnotation.class)
|
||||
public class HttpBasicsLessonUITest extends PlaywrightTest {
|
||||
@ -0,0 +1,120 @@
|
||||
/*
|
||||
* SPDX-FileCopyrightText: Copyright © 2025 WebGoat authors
|
||||
* SPDX-License-Identifier: GPL-2.0-or-later
|
||||
*/
|
||||
package org.owasp.webgoat.playwright.webgoat.lessons;
|
||||
|
||||
import static com.microsoft.playwright.assertions.PlaywrightAssertions.assertThat;
|
||||
|
||||
import com.microsoft.playwright.Browser;
|
||||
import com.microsoft.playwright.Page;
|
||||
import com.microsoft.playwright.Page.GetByRoleOptions;
|
||||
import com.microsoft.playwright.options.AriaRole;
|
||||
import org.junit.jupiter.api.BeforeEach;
|
||||
import org.junit.jupiter.api.DisplayName;
|
||||
import org.junit.jupiter.api.Test;
|
||||
import org.owasp.webgoat.container.lessons.LessonName;
|
||||
import org.owasp.webgoat.playwright.webgoat.PlaywrightTest;
|
||||
import org.owasp.webgoat.playwright.webgoat.helpers.Authentication;
|
||||
import org.owasp.webgoat.playwright.webgoat.pages.lessons.LessonPage;
|
||||
|
||||
public class SqlInjectionAdvancedUITest extends PlaywrightTest {
|
||||
|
||||
private LessonPage lessonPage;
|
||||
|
||||
@BeforeEach
|
||||
void navigateToLesson(Browser browser) {
|
||||
var lessonName = new LessonName("SqlInjectionAdvanced");
|
||||
var page = Authentication.sylvester(browser);
|
||||
|
||||
this.lessonPage = new LessonPage(page);
|
||||
lessonPage.resetLesson(lessonName);
|
||||
lessonPage.open(lessonName);
|
||||
}
|
||||
|
||||
@Test
|
||||
@DisplayName("Login as Tom with incorrect password")
|
||||
void loginAsTomWithIncorrectPassword() {
|
||||
lessonPage.navigateTo(5);
|
||||
var page = lessonPage.getPage();
|
||||
page.getByRole(AriaRole.LINK, new GetByRoleOptions().setName("Login")).click();
|
||||
page.locator("[name='username_login']").fill("tom");
|
||||
page.locator("[name='password_login']").fill("test");
|
||||
page.getByRole(AriaRole.BUTTON, new GetByRoleOptions().setName("Log In")).click();
|
||||
|
||||
assertThat(lessonPage.getAssignmentOutput())
|
||||
.containsText("Wrong username or password. Try again.");
|
||||
}
|
||||
|
||||
@Test
|
||||
@DisplayName("Login as Tom with correct password")
|
||||
void loginAsTomWithCorrectPassword() {
|
||||
lessonPage.navigateTo(5);
|
||||
var page = lessonPage.getPage();
|
||||
page.getByRole(AriaRole.LINK, new GetByRoleOptions().setName("Login")).click();
|
||||
page.locator("[name='username_login']").fill("tom");
|
||||
page.locator("[name='password_login']").fill("thisisasecretfortomonly");
|
||||
page.getByRole(AriaRole.BUTTON, new GetByRoleOptions().setName("Log In")).click();
|
||||
|
||||
lessonPage.isAssignmentSolved(5);
|
||||
}
|
||||
|
||||
@Test
|
||||
@DisplayName("Register as Tom should show error that Tom already exists")
|
||||
void registerAsTomShouldDisplayError() {
|
||||
lessonPage.navigateTo(5);
|
||||
var page = lessonPage.getPage();
|
||||
page.getByRole(AriaRole.LINK, new GetByRoleOptions().setName("Register")).click();
|
||||
page.locator("[name='username_reg']").fill("tom");
|
||||
page.locator("[name='email_reg']").fill("tom@tom.org");
|
||||
page.locator("[name='password_reg']").fill("test");
|
||||
page.locator("[name='confirm_password_reg']").fill("test");
|
||||
page.getByRole(AriaRole.BUTTON, new GetByRoleOptions().setName("Register Now")).click();
|
||||
|
||||
assertThat(lessonPage.getAssignmentOutput()).containsText("User tom already exists");
|
||||
}
|
||||
|
||||
@Test
|
||||
@DisplayName(
|
||||
"Using SQL Injection to register as Tom to guess the password and the guess is correct")
|
||||
void startGuessingCorrect() {
|
||||
lessonPage.navigateTo(5);
|
||||
var page = lessonPage.getPage();
|
||||
page.getByRole(AriaRole.LINK, new GetByRoleOptions().setName("Register")).click();
|
||||
page.locator("[name='username_reg']").fill("tom' AND substring(password,1,1)='t");
|
||||
page.locator("[name='email_reg']").fill("tom@tom.org");
|
||||
page.locator("[name='password_reg']").fill("test");
|
||||
page.locator("[name='confirm_password_reg']").fill("test");
|
||||
page.getByRole(AriaRole.BUTTON, new GetByRoleOptions().setName("Register Now")).click();
|
||||
|
||||
assertThat(lessonPage.getAssignmentOutput())
|
||||
.containsText("User tom' AND substring(password,1,1)='t already exists");
|
||||
}
|
||||
|
||||
@Test
|
||||
@DisplayName(
|
||||
"Using SQL Injection to register as Tom to guess the password and the guess is incorrect")
|
||||
void startGuessingIncorrect() {
|
||||
lessonPage.navigateTo(5);
|
||||
var page = lessonPage.getPage();
|
||||
page.getByRole(AriaRole.LINK, new GetByRoleOptions().setName("Register")).click();
|
||||
page.locator("[name='username_reg']").fill("tom' AND substring(password,1,1)='a");
|
||||
page.locator("[name='email_reg']").fill("tom@tom.org");
|
||||
page.locator("[name='password_reg']").fill("test");
|
||||
page.locator("[name='confirm_password_reg']").fill("test");
|
||||
page.getByRole(AriaRole.BUTTON, new GetByRoleOptions().setName("Register Now")).click();
|
||||
|
||||
assertThat(lessonPage.getAssignmentOutput())
|
||||
.containsText(
|
||||
"User tom' AND substring(password,1,1)='a created, please proceed to the login page.");
|
||||
}
|
||||
|
||||
@Test
|
||||
@DisplayName("Should display correct hints")
|
||||
void shouldDisplayCorrectHints() {
|
||||
lessonPage.navigateTo(5);
|
||||
var page = lessonPage.getPage();
|
||||
page.getByRole(AriaRole.BUTTON, new Page.GetByRoleOptions().setName("Show hints")).click();
|
||||
assertThat(lessonPage.getAssignmentOutput()).containsText("Look at the different");
|
||||
}
|
||||
}
|
||||
@ -2,7 +2,7 @@
|
||||
* SPDX-FileCopyrightText: Copyright © 2025 WebGoat authors
|
||||
* SPDX-License-Identifier: GPL-2.0-or-later
|
||||
*/
|
||||
package org.owasp.webgoat.playwright.webgoat.pages;
|
||||
package org.owasp.webgoat.playwright.webgoat.pages.lessons;
|
||||
|
||||
import com.microsoft.playwright.Locator;
|
||||
import com.microsoft.playwright.Page;
|
||||
@ -2,7 +2,7 @@
|
||||
* SPDX-FileCopyrightText: Copyright © 2025 WebGoat authors
|
||||
* SPDX-License-Identifier: GPL-2.0-or-later
|
||||
*/
|
||||
package org.owasp.webgoat.playwright.webgoat.pages;
|
||||
package org.owasp.webgoat.playwright.webgoat.pages.lessons;
|
||||
|
||||
import static org.owasp.webgoat.playwright.webgoat.PlaywrightTest.webGoatUrl;
|
||||
|
||||
@ -14,7 +14,7 @@ import org.assertj.core.api.Assertions;
|
||||
import org.owasp.webgoat.container.lessons.LessonName;
|
||||
|
||||
@Getter
|
||||
class LessonPage {
|
||||
public class LessonPage {
|
||||
|
||||
private final Page page;
|
||||
|
||||
@ -65,4 +65,8 @@ class LessonPage {
|
||||
public Locator getAssignmentOutput() {
|
||||
return page.locator("#lesson-content-wrapper");
|
||||
}
|
||||
|
||||
public Locator getHintsOutput() {
|
||||
return page.locator("#lesson-hint");
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user