Removed ajax from assignment. Now using normal post-request.

Made successmessages green and failure messages red for all sql-i messages
2018-11-23 17:00:02 +01:00 · 2018-11-23 17:00:02 +01:00 · ea04d6ef35
commit ea04d6ef35
parent 72ae0d503b
5 changed files with 46 additions and 56 deletions
--- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson10b.java
+++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson10b.java
@ -22,15 +22,12 @@ import java.util.regex.Pattern;
@AssignmentHints(value = {"SqlStringInjectionHint-mitigation-10b-1", "SqlStringInjectionHint-mitigation-10b-2", "SqlStringInjectionHint-mitigation-10b-3"})
 public class SqlInjectionLesson10b extends AssignmentEndpoint {
    // Problem: Form has two submits, first submit is null and already wants to throw an attack result. Seconds attack result cant be thrown
    @RequestMapping(method = RequestMethod.POST)
    @ResponseBody
-    public AttackResult completed(HttpServletRequest req) {
+    public AttackResult completed(@RequestParam String editor) {
        String editor = req.getParameter("editor");
        try {
-            if (editor == null) {
+            if (editor.isEmpty()) return trackProgress(failed().feedback("sql-injection.10b.no-code").build());
-                throw new Exception();
+
            }
            String regex1 = "(?=.*PreparedStatement.*)(?=.*setString.*)(?=.*\\=\\?.*|.*\\=\\s\\?.*)";
            editor = editor.replaceAll("\\<.*?>", "");
            boolean hasImportant = this.check_text(regex1, editor.replace("\n", "").replace("\r", ""));
@ -38,12 +35,12 @@ public class SqlInjectionLesson10b extends AssignmentEndpoint {
            String errors = "";
            if (hasImportant && hasCompiled.size() < 1) {
                return trackProgress(success().feedback("sql-injection.10b.success").build());
-            } else if (hasCompiled.size() > 1) {
+            } else if (hasCompiled.size() > 0) {
                for (Diagnostic d : hasCompiled) {
                    errors += d.getMessage(null) + "\n";
                }
            }
-            return trackProgress(failed().feedback("sql-injection.10b.failed").output(errors).build());
+            return trackProgress(failed().feedback("sql-injection.10b.failed").output(errors.replace("\n", "<br>")).build());
        } catch(Exception e) {
            return trackProgress(success().build());
        }
--- a/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjectionAdvanced.html
+++ b/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjectionAdvanced.html
@ -1,7 +1,7 @@
 <!DOCTYPE html>
 <html xmlns:th="http://www.thymeleaf.org">
-
+<link rel="stylesheet" type="text/css" th:href="@{/lesson_css/assignments.css}"/>
 <div class="lesson-page-wrapper">
    <div class="adoc-content" th:replace="doc:SqlInjectionAdvanced_plan.adoc"></div>
--- a/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjectionMitigations.html
+++ b/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjectionMitigations.html
@ -1,7 +1,7 @@
 <!DOCTYPE html>
 <html xmlns:th="http://www.thymeleaf.org">
-
+<link rel="stylesheet" type="text/css" th:href="@{/lesson_css/assignments.css}"/>
 <div class="lesson-page-wrapper">
    <div class="adoc-content" th:replace="doc:SqlInjection_content7.adoc"></div>
@ -41,26 +41,20 @@
 <div class="lesson-page-wrapper">
    <div class="adoc-content" th:replace="doc:SqlInjection_jdbc_newcode.adoc"></div>
-    <div id="insertcode" class="attack-container" style="height: 300px; border: none !important">
+    <div class="attack-container" style="border: none !important; height: 100%; min-height: 300px;">
-        <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
+        <form id="codesubmit" style="height: 100%; min-height: 300px;" class="attack-form" accept-charset="UNKNOWN" method="POST" name="form" action="/WebGoat/SqlInjection/attack10b" enctype="application/json;charset=UTF-8">
        <form id="codesubmit" class="attack-form" accept-charset="UNKNOWN" method="POST" name="form" action="/WebGoat/SqlInjection/attack10b" enctype="application/json;charset=UTF-8">
            <div>
-                <div id="editor" style="position: absolute; top: 0; right: 0; bottom: 0; left: 0;" name="editor"></div>
+                <div id="editor" style="position: absolute; top: 0; right: 0; bottom: 0; left: 0; height: 300px;" name="editor"></div>
                <script th:src="@{/js/libs/ace/src-noconflict/ace.js}" type="text/javascript" charset="utf-8"></script>
                <script th:src="@{/lesson_js/assignment10b.js}" type="text/javascript" charset="utf-8"></script>
                <script>
                    var editor = ace.edit("editor");
                    editor.setTheme("ace/theme/monokai");
                    editor.session.setMode("ace/mode/java");
                </script>
            </div>
-            <div class="input-group" style="margin-top: 10px">
+            <input type="hidden" name="editor"/>
-                <!--<input name="solution" value="Submit code" style="margin-top: 350%; margin-left: 60%;" type="SUBMIT" onclick="ace_collect()"/>-->
+            <div class="input-group" style="position: absolute; top: 310px;">
-                <button type="button" class="btn btn-primary" style="margin-top: 350%; margin-left: 60%;" onclick="ace_collect()">Submit</button>
+                <button class="btn btn-primary" type="submit">Submit</button>
            </div>
        </form>
        <br />
-        <div class="attack-feedback"></div>
+        <div class="attack-feedback" style="margin-top: 40px;"></div>
        <div class="attack-output"></div>
    </div>
 </div>
--- a/webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties
+++ b/webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties
@ -7,11 +7,10 @@ SqlInjectionChallenge1=Look at the different response you receive from the serve
 SqlInjectionChallenge2=The vulnerability is on the register form
 SqlInjectionChallenge3=Use tooling to automate this attack
 sql-injection.error=<span class='feedback-negative'>Sorry, this solution is not correct. Try again!</span>
 NoResultsMatched=<span class='feedback-negative'>No results matched. Try Again.</span>
-NoResultsMatched=No results matched. Try Again.
+sql-injection.2.success=<span class='feedback-positive'>You have succeeded!</span>
-
+sql-injection.2.failed=<span class='feedback-negative'>Something went wrong! You got no results, check your SQL Statement and the table above.</span>
 sql-injection.2.success=You have succeeded!
 sql-injection.2.failed=Something went wrong! You got no results, check your SQL Statement and the table above
 SqlStringInjectionHint2-1=You want the data from the column with the name department. You know the database name (employees) and you know the first- and lastname of the employee (first_name, last_name).
 SqlStringInjectionHint2-2=SELECT column FROM tablename WHERE condition;
@ -24,28 +23,27 @@ SqlStringInjectionHint4-3=ALTER TABLE tablename ADD columnname data type(size);
 SqlStringInjectionHint5-1=Look at the example. There's everything you'll need.
-sql-injection.5a.success=You have succeeded: {0}
+sql-injection.5a.success=<span class='feedback-positive'>You have succeed: {0}</span>
-sql-injection.5a.no.results=No results matched. Try Again.
+sql-injection.5a.no.results=<span class='feedback-negative'>No results matched. Try Again.</span>
-
+sql-injection.5b.success=<span class='feedback-positive'>You have succeed: {0}</span>
-sql-injection.5b.success=You have succeeded: {0}
+sql-injection.5b.no.results=<span class='feedback-negative'>No results matched. Try Again.</span>
 sql-injection.5b.no.results=No results matched. Try Again.
 SqlStringInjectionHint5b1=Try to check which of the input fields is susceptible to an injection attack.
 SqlStringInjectionHint5b2=Insert 0 or 1 = 1 into the first input field. Th Output should tell you if this field is injectable.
 SqlStringInjectionHint5b3=The first Input field is not susceptible to sql injection.
 SqlStringInjectionHint5b4=You don't need to insert any quotations into your injection-string.
-sql-injection.6a.success=You have succeeded: {0}
+sql-injection.6a.success=<span class='feedback-positive'>You have succeed: {0}</span>
-sql-injection.6a.no.results=No results matched. Try Again.
+sql-injection.6a.no.results=<span class='feedback-negative'>No results matched. Try Again.</span>
-sql-injection.advanced.6a.success=You have succeed: {0}
+sql-injection.advanced.6a.success=<span class='feedback-positive'>You have succeed: {0}</span>
-sql-injection.advanced.6a.no.results=No results matched. Try Again.
+sql-injection.advanced.6a.no.results=<span class='feedback-negative'>No results matched. Try Again.</span>
 SqlStringInjectionHint-advanced-6a-1=Try Appending a new SQL Statement to the Query.
 SqlStringInjectionHint-advanced-6a-2=The new SQL Statement can be really simple like: SELECT ... FROM ...
 SqlStringInjectionHint-advanced-6a-3=Your new SQL Query should start, with a " ; " and end with " -- "
-sql-injection.6b.success=You have succeeded: {0}
+sql-injection.6b.success=<span class='feedback-positive'>You have succeed: {0}</span>
-sql-injection.6b.no.results=No results matched. Try Again.
+sql-injection.6b.no.results=<span class='feedback-negative'>No results matched. Try Again.</span>
 sql-injection.8.success=<span class='feedback-positive'>You have succeeded! You successfully compromised the confidentiality of data by viewing internal information that you should not have access to. Well done!</span>
 sql-injection.8.no.results=<span class='feedback-negative'>No employee found with matching lastname. Or maybe your authentication TAN is incorrect?</span>
@ -66,9 +64,9 @@ SqlStringInjectionHint.9.5=How about something like '; UPDATE employees....
 sql-injection.10.success=<span class='feedback-positive'>Success! You successfully deleted the access_log table and that way compromised the availability of the data.</span>
 sql-injection.10.entries=<span class='feedback-negative'>There's still evidence of what you did. Better remove the whole table.</span>
-
+sql-injection.10b.success=<span class='feedback-positive'>Your code can prevent an SQL Injection! Success!</span>
-sql-injection.10b.success=Your code can prevent an SQL Injection! Success!
+sql-injection.10b.failed=<span class='feedback-negative'>Something doesn't seem right with that code. Maybe you should look at an example how to prevent SQL Injections with JDBC?</span>
-sql-injection.10b.failed=Something doesn't seem right with that code. Maybe you should look at an example how to prevent SQL Injections with JDBC?
+sql-injection.10b.no-code=<span class='feedback-negative'>You need to write some code.</span>
 SqlStringInjectionHint.10.1=Use the techniques that you have learned before.
 SqlStringInjectionHint.10.2=The application takes your input and filters for entries that are LIKE it.
--- a/webgoat-lessons/sql-injection/src/main/resources/js/assignment10b.js
+++ b/webgoat-lessons/sql-injection/src/main/resources/js/assignment10b.js
@ -1,6 +1,20 @@
 $(document).ready( () => {
    var editor = ace.edit("editor");
    editor.setTheme("ace/theme/monokai");
    editor.session.setMode("ace/mode/java");
    editor.getSession().on("change", () => {
        setTimeout( () => {
            $("#codesubmit input[name='editor']").val(ace_collect());
        }, 20);
    });
 });
 function ace_collect() {
    let code = "";
    console.log("Test");
    $(".ace_line").each(function(i, el) {
        var to_add = el.innerHTML;
        if(/\/\/.*/.test(to_add)) {
@ -8,18 +22,5 @@ function ace_collect() {
        }
        code += to_add;
    });
-    $.ajax({
+    return code;
        type: "POST",
        url: "/WebGoat/SqlInjection/attack10b",
        dataType: "text",
        data: {
            editor: code
        },
        success: function(data) {
            console.log("entry");
            let lesson_feedback = JSON.parse(data);
            $("#insertcode .attack-feedback").css("display", "block");
            $("#insertcode .attack-feedback").html(lesson_feedback.feedback);
        }
    });
 }