fix: SQL advanced assignment 5 (#2047)

- Add and show correct hints - Fix solving the lesson immediately when you register as tom. Now uses `informationMessage` to display a message in the UI - Add Playwright test Closes: gh-2045
2025-03-02 20:31:05 +01:00
parent c37a8e8c19
commit e9f79cc739
20 changed files with 189 additions and 97 deletions
--- a/src/it/java/org/owasp/webgoat/playwright/webgoat/lessons/HttpBasicsLessonUITest.java
+++ b/src/it/java/org/owasp/webgoat/playwright/webgoat/lessons/HttpBasicsLessonUITest.java
@ -2,7 +2,7 @@
 * SPDX-FileCopyrightText: Copyright © 2025 WebGoat authors
 * SPDX-License-Identifier: GPL-2.0-or-later
 */
-package org.owasp.webgoat.playwright.webgoat;
+package org.owasp.webgoat.playwright.webgoat.lessons;

 import static com.microsoft.playwright.assertions.PlaywrightAssertions.assertThat;

@ -15,8 +15,9 @@ import org.junit.jupiter.api.Order;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.TestMethodOrder;
 import org.owasp.webgoat.container.lessons.LessonName;
+import org.owasp.webgoat.playwright.webgoat.PlaywrightTest;
 import org.owasp.webgoat.playwright.webgoat.helpers.Authentication;
-import org.owasp.webgoat.playwright.webgoat.pages.HttpBasicsLessonPage;
+import org.owasp.webgoat.playwright.webgoat.pages.lessons.HttpBasicsLessonPage;

@TestMethodOrder(MethodOrderer.OrderAnnotation.class)
 public class HttpBasicsLessonUITest extends PlaywrightTest {
--- a/src/it/java/org/owasp/webgoat/playwright/webgoat/lessons/SqlInjectionAdvancedUITest.java
+++ b/src/it/java/org/owasp/webgoat/playwright/webgoat/lessons/SqlInjectionAdvancedUITest.java
@ -0,0 +1,120 @@
+/*
+ * SPDX-FileCopyrightText: Copyright © 2025 WebGoat authors
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ */
+package org.owasp.webgoat.playwright.webgoat.lessons;
+
+import static com.microsoft.playwright.assertions.PlaywrightAssertions.assertThat;
+
+import com.microsoft.playwright.Browser;
+import com.microsoft.playwright.Page;
+import com.microsoft.playwright.Page.GetByRoleOptions;
+import com.microsoft.playwright.options.AriaRole;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.DisplayName;
+import org.junit.jupiter.api.Test;
+import org.owasp.webgoat.container.lessons.LessonName;
+import org.owasp.webgoat.playwright.webgoat.PlaywrightTest;
+import org.owasp.webgoat.playwright.webgoat.helpers.Authentication;
+import org.owasp.webgoat.playwright.webgoat.pages.lessons.LessonPage;
+
+public class SqlInjectionAdvancedUITest extends PlaywrightTest {
+
+  private LessonPage lessonPage;
+
+  @BeforeEach
+  void navigateToLesson(Browser browser) {
+    var lessonName = new LessonName("SqlInjectionAdvanced");
+    var page = Authentication.sylvester(browser);
+
+    this.lessonPage = new LessonPage(page);
+    lessonPage.resetLesson(lessonName);
+    lessonPage.open(lessonName);
+  }
+
+  @Test
+  @DisplayName("Login as Tom with incorrect password")
+  void loginAsTomWithIncorrectPassword() {
+    lessonPage.navigateTo(5);
+    var page = lessonPage.getPage();
+    page.getByRole(AriaRole.LINK, new GetByRoleOptions().setName("Login")).click();
+    page.locator("[name='username_login']").fill("tom");
+    page.locator("[name='password_login']").fill("test");
+    page.getByRole(AriaRole.BUTTON, new GetByRoleOptions().setName("Log In")).click();
+
+    assertThat(lessonPage.getAssignmentOutput())
+        .containsText("Wrong username or password. Try again.");
+  }
+
+  @Test
+  @DisplayName("Login as Tom with correct password")
+  void loginAsTomWithCorrectPassword() {
+    lessonPage.navigateTo(5);
+    var page = lessonPage.getPage();
+    page.getByRole(AriaRole.LINK, new GetByRoleOptions().setName("Login")).click();
+    page.locator("[name='username_login']").fill("tom");
+    page.locator("[name='password_login']").fill("thisisasecretfortomonly");
+    page.getByRole(AriaRole.BUTTON, new GetByRoleOptions().setName("Log In")).click();
+
+    lessonPage.isAssignmentSolved(5);
+  }
+
+  @Test
+  @DisplayName("Register as Tom should show error that Tom already exists")
+  void registerAsTomShouldDisplayError() {
+    lessonPage.navigateTo(5);
+    var page = lessonPage.getPage();
+    page.getByRole(AriaRole.LINK, new GetByRoleOptions().setName("Register")).click();
+    page.locator("[name='username_reg']").fill("tom");
+    page.locator("[name='email_reg']").fill("tom@tom.org");
+    page.locator("[name='password_reg']").fill("test");
+    page.locator("[name='confirm_password_reg']").fill("test");
+    page.getByRole(AriaRole.BUTTON, new GetByRoleOptions().setName("Register Now")).click();
+
+    assertThat(lessonPage.getAssignmentOutput()).containsText("User tom already exists");
+  }
+
+  @Test
+  @DisplayName(
+      "Using SQL Injection to register as Tom to guess the password and the guess is correct")
+  void startGuessingCorrect() {
+    lessonPage.navigateTo(5);
+    var page = lessonPage.getPage();
+    page.getByRole(AriaRole.LINK, new GetByRoleOptions().setName("Register")).click();
+    page.locator("[name='username_reg']").fill("tom' AND substring(password,1,1)='t");
+    page.locator("[name='email_reg']").fill("tom@tom.org");
+    page.locator("[name='password_reg']").fill("test");
+    page.locator("[name='confirm_password_reg']").fill("test");
+    page.getByRole(AriaRole.BUTTON, new GetByRoleOptions().setName("Register Now")).click();
+
+    assertThat(lessonPage.getAssignmentOutput())
+        .containsText("User tom' AND substring(password,1,1)='t already exists");
+  }
+
+  @Test
+  @DisplayName(
+      "Using SQL Injection to register as Tom to guess the password and the guess is incorrect")
+  void startGuessingIncorrect() {
+    lessonPage.navigateTo(5);
+    var page = lessonPage.getPage();
+    page.getByRole(AriaRole.LINK, new GetByRoleOptions().setName("Register")).click();
+    page.locator("[name='username_reg']").fill("tom' AND substring(password,1,1)='a");
+    page.locator("[name='email_reg']").fill("tom@tom.org");
+    page.locator("[name='password_reg']").fill("test");
+    page.locator("[name='confirm_password_reg']").fill("test");
+    page.getByRole(AriaRole.BUTTON, new GetByRoleOptions().setName("Register Now")).click();
+
+    assertThat(lessonPage.getAssignmentOutput())
+        .containsText(
+            "User tom' AND substring(password,1,1)='a created, please proceed to the login page.");
+  }
+
+  @Test
+  @DisplayName("Should display correct hints")
+  void shouldDisplayCorrectHints() {
+    lessonPage.navigateTo(5);
+    var page = lessonPage.getPage();
+    page.getByRole(AriaRole.BUTTON, new Page.GetByRoleOptions().setName("Show hints")).click();
+    assertThat(lessonPage.getAssignmentOutput()).containsText("Look at the different");
+  }
+}
--- a/src/it/java/org/owasp/webgoat/playwright/webgoat/pages/lessons/HttpBasicsLessonPage.java
+++ b/src/it/java/org/owasp/webgoat/playwright/webgoat/pages/lessons/HttpBasicsLessonPage.java
@ -2,7 +2,7 @@
 * SPDX-FileCopyrightText: Copyright © 2025 WebGoat authors
 * SPDX-License-Identifier: GPL-2.0-or-later
 */
-package org.owasp.webgoat.playwright.webgoat.pages;
+package org.owasp.webgoat.playwright.webgoat.pages.lessons;

 import com.microsoft.playwright.Locator;
 import com.microsoft.playwright.Page;
--- a/src/it/java/org/owasp/webgoat/playwright/webgoat/pages/lessons/LessonPage.java
+++ b/src/it/java/org/owasp/webgoat/playwright/webgoat/pages/lessons/LessonPage.java
@ -2,7 +2,7 @@
 * SPDX-FileCopyrightText: Copyright © 2025 WebGoat authors
 * SPDX-License-Identifier: GPL-2.0-or-later
 */
-package org.owasp.webgoat.playwright.webgoat.pages;
+package org.owasp.webgoat.playwright.webgoat.pages.lessons;

 import static org.owasp.webgoat.playwright.webgoat.PlaywrightTest.webGoatUrl;

@ -14,7 +14,7 @@ import org.assertj.core.api.Assertions;
 import org.owasp.webgoat.container.lessons.LessonName;

@Getter
-class LessonPage {
+public class LessonPage {

  private final Page page;

@ -65,4 +65,8 @@ class LessonPage {
  public Locator getAssignmentOutput() {
    return page.locator("#lesson-content-wrapper");
  }
+
+  public Locator getHintsOutput() {
+    return page.locator("#lesson-hint");
+  }
 }