Challenge 4 SQL is working
This commit is contained in:
parent
ed0e1a1f37
commit
ec36dbd43c
@ -10,5 +10,6 @@ public interface SolutionConstants {
|
|||||||
|
|
||||||
String PASSWORD = "!!webgoat_admin_1234!!";
|
String PASSWORD = "!!webgoat_admin_1234!!";
|
||||||
String SUPER_COUPON_CODE = "get_it_for_free";
|
String SUPER_COUPON_CODE = "get_it_for_free";
|
||||||
|
String PASSWORD_TOM = "thisisasecretfortomonly";
|
||||||
|
|
||||||
}
|
}
|
||||||
|
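Review bot: The new `PASSWORD_TOM` constant carries no comment saying where it is consumed; in this same commit Assignment4 imports it statically and uses it in createChallengeTable to seed the `tom` row of the challenge table, so the two must stay in sync. A one-line comment next to the declaration would make that dependency visible: `// seeded as the 'tom' row's password by Assignment4.createChallengeTable`. Like the neighbouring constants this is a deliberately hard-coded challenge value, so the comment is documentation only, not a request to move it.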
@ -1,11 +1,23 @@
|
|||||||
package org.owasp.webgoat.plugin.challenge4;
|
package org.owasp.webgoat.plugin.challenge4;
|
||||||
|
|
||||||
import org.apache.commons.lang3.StringUtils;
|
import lombok.extern.slf4j.Slf4j;
|
||||||
|
import org.apache.commons.lang3.RandomStringUtils;
|
||||||
import org.owasp.webgoat.assignments.AssignmentEndpoint;
|
import org.owasp.webgoat.assignments.AssignmentEndpoint;
|
||||||
import org.owasp.webgoat.assignments.AssignmentPath;
|
import org.owasp.webgoat.assignments.AssignmentPath;
|
||||||
import org.owasp.webgoat.assignments.AttackResult;
|
import org.owasp.webgoat.assignments.AttackResult;
|
||||||
import org.springframework.web.bind.annotation.*;
|
import org.owasp.webgoat.plugin.Flag;
|
||||||
|
import org.owasp.webgoat.session.DatabaseUtilities;
|
||||||
|
import org.owasp.webgoat.session.WebSession;
|
||||||
|
import org.springframework.beans.factory.annotation.Autowired;
|
||||||
|
import org.springframework.util.StringUtils;
|
||||||
|
import org.springframework.web.bind.annotation.PutMapping;
|
||||||
|
import org.springframework.web.bind.annotation.RequestMapping;
|
||||||
|
import org.springframework.web.bind.annotation.RequestParam;
|
||||||
|
import org.springframework.web.bind.annotation.ResponseBody;
|
||||||
|
|
||||||
|
import java.sql.*;
|
||||||
|
|
||||||
|
import static org.owasp.webgoat.plugin.SolutionConstants.PASSWORD_TOM;
|
||||||
import static org.springframework.web.bind.annotation.RequestMethod.POST;
|
import static org.springframework.web.bind.annotation.RequestMethod.POST;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@ -13,22 +25,108 @@ import static org.springframework.web.bind.annotation.RequestMethod.POST;
|
|||||||
* @since 4/8/17.
|
* @since 4/8/17.
|
||||||
*/
|
*/
|
||||||
@AssignmentPath("/challenge/4")
|
@AssignmentPath("/challenge/4")
|
||||||
|
@Slf4j
|
||||||
public class Assignment4 extends AssignmentEndpoint {
|
public class Assignment4 extends AssignmentEndpoint {
|
||||||
|
|
||||||
|
private static final String USERS_TABLE_NAME = "challenge_users_" + RandomStringUtils.randomAlphabetic(6);
|
||||||
|
|
||||||
|
@Autowired
|
||||||
|
private WebSession webSession;
|
||||||
|
|
||||||
@PutMapping //assignment path is bounded to class so we use different http method :-)
|
@PutMapping //assignment path is bounded to class so we use different http method :-)
|
||||||
@ResponseBody
|
@ResponseBody
|
||||||
public AttackResult test() {
|
public AttackResult registerNewUser(@RequestParam String username_reg, @RequestParam String email_reg, @RequestParam String password_reg) throws Exception {
|
||||||
return success().build();
|
AttackResult attackResult = checkArguments(username_reg, email_reg, password_reg);
|
||||||
|
|
||||||
|
if (attackResult == null) {
|
||||||
|
Connection connection = DatabaseUtilities.getConnection(webSession);
|
||||||
|
checkDatabase(connection);
|
||||||
|
|
||||||
|
String checkUserQuery = "select userid from " + USERS_TABLE_NAME + " where userid = '" + username_reg + "'";
|
||||||
|
Statement statement = connection.createStatement();
|
||||||
|
ResultSet resultSet = statement.executeQuery(checkUserQuery);
|
||||||
|
|
||||||
|
if (resultSet.next()) {
|
||||||
|
attackResult = failed().feedback("user.exists").feedbackArgs(username_reg).build();
|
||||||
|
} else {
|
||||||
|
PreparedStatement preparedStatement = connection.prepareStatement("INSERT INTO " + USERS_TABLE_NAME + " VALUES (?, ?, ?)");
|
||||||
|
preparedStatement.setString(1, username_reg);
|
||||||
|
preparedStatement.setString(2, email_reg);
|
||||||
|
preparedStatement.setString(3, password_reg);
|
||||||
|
preparedStatement.execute();
|
||||||
|
attackResult = success().feedback("user.created").feedbackArgs(username_reg).build();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return attackResult;
|
||||||
|
}
|
||||||
|
|
||||||
|
private AttackResult checkArguments(String username_reg, String email_reg, String password_reg) {
|
||||||
|
if (StringUtils.isEmpty(username_reg) || StringUtils.isEmpty(email_reg) || StringUtils.isEmpty(password_reg)) {
|
||||||
|
return failed().feedback("input.invalid").build();
|
||||||
|
}
|
||||||
|
if (username_reg.length() > 30 || email_reg.length() > 30 || password_reg.length() > 30) {
|
||||||
|
return failed().feedback("input.invalid").build();
|
||||||
|
}
|
||||||
|
return null;
|
||||||
}
|
}
|
||||||
|
|
||||||
@RequestMapping(method = POST)
|
@RequestMapping(method = POST)
|
||||||
@ResponseBody
|
@ResponseBody
|
||||||
public AttackResult login(@RequestParam String username, @RequestParam String password) throws Exception {
|
public AttackResult login(@RequestParam String username_login, @RequestParam String password_login) throws Exception {
|
||||||
if (StringUtils.isAlphanumeric(username) && StringUtils.isAlphanumeric(password)) {
|
Connection connection = DatabaseUtilities.getConnection(webSession);
|
||||||
return success().build();
|
checkDatabase(connection);
|
||||||
} else {
|
|
||||||
|
if ("tom".equals(username_login)) {
|
||||||
|
PreparedStatement statement = connection.prepareStatement("select password from " + USERS_TABLE_NAME + " where userid = ? and password = ?");
|
||||||
|
statement.setString(1, username_login);
|
||||||
|
statement.setString(2, password_login);
|
||||||
|
ResultSet resultSet = statement.executeQuery();
|
||||||
|
|
||||||
|
if (resultSet.next()) {
|
||||||
|
return success().feedback("challenge.solved").feedbackArgs(Flag.FLAGS.get(4)).build();
|
||||||
|
}
|
||||||
|
}
|
||||||
return failed().build();
|
return failed().build();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
private void checkDatabase(Connection connection) throws SQLException {
|
||||||
|
try {
|
||||||
|
Statement statement = connection.createStatement();
|
||||||
|
statement.execute("select 1 from " + USERS_TABLE_NAME);
|
||||||
|
} catch (SQLException e) {
|
||||||
|
createChallengeTable(connection);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
private void createChallengeTable(Connection connection) {
|
||||||
|
Statement statement = null;
|
||||||
|
try {
|
||||||
|
statement = connection.createStatement();
|
||||||
|
String dropTable = "DROP TABLE " + USERS_TABLE_NAME;
|
||||||
|
statement.executeUpdate(dropTable);
|
||||||
|
} catch (SQLException e) {
|
||||||
|
log.info("Delete failed, this does not point to an error table might not have been present...");
|
||||||
|
}
|
||||||
|
|
||||||
|
try {
|
||||||
|
String createTableStatement = "CREATE TABLE " + USERS_TABLE_NAME
|
||||||
|
+ " (" + "userid varchar(30),"
|
||||||
|
+ "email varchar(30),"
|
||||||
|
+ "password varchar(30)"
|
||||||
|
+ ")";
|
||||||
|
statement.executeUpdate(createTableStatement);
|
||||||
|
|
||||||
|
String insertData1 = "INSERT INTO " + USERS_TABLE_NAME + " VALUES ('larry', 'larry@webgoat.org', 'larryknows')";
|
||||||
|
String insertData2 = "INSERT INTO " + USERS_TABLE_NAME + " VALUES ('tom', 'tom@webgoat.org', '" + PASSWORD_TOM + "')";
|
||||||
|
String insertData3 = "INSERT INTO " + USERS_TABLE_NAME + " VALUES ('alice', 'alice@webgoat.org', 'rt*(KJ()LP())$#**')";
|
||||||
|
String insertData4 = "INSERT INTO " + USERS_TABLE_NAME + " VALUES ('eve', 'eve@webgoat.org', '**********')";
|
||||||
|
statement.executeUpdate(insertData1);
|
||||||
|
statement.executeUpdate(insertData2);
|
||||||
|
statement.executeUpdate(insertData3);
|
||||||
|
statement.executeUpdate(insertData4);
|
||||||
|
} catch (SQLException e) {
|
||||||
|
log.error("Unable create table", e);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
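Review bot: The JDBC handles opened on the new side of this hunk are never closed: the `Statement`/`ResultSet` pair in registerNewUser, the `PreparedStatement` there and in login, the `Statement` in checkDatabase, and the one in createChallengeTable, which additionally stays `null` if the first `connection.createStatement()` throws, so the second `try` block then raises a NullPointerException that its `catch (SQLException e)` does not cover. Wrapping each handle in try-with-resources removes the leak and the null path; createChallengeTable is rewritten below and the same pattern applies to the other three methods. Separately, `checkUserQuery` concatenates `username_reg` into SQL while the INSERT right after it is parameterized; this looks like the intended exercise for this challenge, so mark it explicitly, e.g. `// intentionally vulnerable: this is the challenge 4 exercise, do not parameterize`, so it is neither "fixed" later nor copied into non-training code.
```java
private void createChallengeTable(Connection connection) {
    try (Statement statement = connection.createStatement()) {
        statement.executeUpdate("DROP TABLE " + USERS_TABLE_NAME);
    } catch (SQLException e) {
        log.info("Delete failed, this does not point to an error table might not have been present...");
    }

    try (Statement statement = connection.createStatement()) {
        // … unchanged: build createTableStatement and insertData1..insertData4 …
        statement.executeUpdate(createTableStatement);
        // … unchanged: executeUpdate for insertData1..insertData4 …
    } catch (SQLException e) {
        log.error("Unable create table", e);
    }
}
```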
@ -32,10 +32,10 @@
|
|||||||
action="/WebGoat/challenge/4"
|
action="/WebGoat/challenge/4"
|
||||||
enctype="application/json;charset=UTF-8" role="form">
|
enctype="application/json;charset=UTF-8" role="form">
|
||||||
<div class="form-group">
|
<div class="form-group">
|
||||||
<input type="text" name="username" id="username4" tabindex="1" class="form-control" placeholder="Username" value=""/>
|
<input type="text" name="username_login" id="username4" tabindex="1" class="form-control" placeholder="Username" value=""/>
|
||||||
</div>
|
</div>
|
||||||
<div class="form-group">
|
<div class="form-group">
|
||||||
<input type="password" name="password" id="password4" tabindex="2" class="form-control" placeholder="Password"/>
|
<input type="password" name="password_login" id="password4" tabindex="2" class="form-control" placeholder="Password"/>
|
||||||
</div>
|
</div>
|
||||||
<div class="form-group text-center">
|
<div class="form-group text-center">
|
||||||
<input type="checkbox" tabindex="3" class="" name="remember" id="remember"/>
|
<input type="checkbox" tabindex="3" class="" name="remember" id="remember"/>
|
||||||
@ -63,16 +63,16 @@
|
|||||||
action="/WebGoat/challenge/4"
|
action="/WebGoat/challenge/4"
|
||||||
enctype="application/json;charset=UTF-8" style="display: none;" role="form">
|
enctype="application/json;charset=UTF-8" style="display: none;" role="form">
|
||||||
<div class="form-group">
|
<div class="form-group">
|
||||||
<input type="text" name="username-reg" id="username" tabindex="1" class="form-control" placeholder="Username" value=""/>
|
<input type="text" name="username_reg" id="username" tabindex="1" class="form-control" placeholder="Username" value=""/>
|
||||||
</div>
|
</div>
|
||||||
<div class="form-group">
|
<div class="form-group">
|
||||||
<input type="email" name="email-reg" id="email" tabindex="1" class="form-control" placeholder="Email Address" value=""/>
|
<input type="email" name="email_reg" id="email" tabindex="1" class="form-control" placeholder="Email Address" value=""/>
|
||||||
</div>
|
</div>
|
||||||
<div class="form-group">
|
<div class="form-group">
|
||||||
<input type="password" name="password-reg" id="password" tabindex="2" class="form-control" placeholder="Password"/>
|
<input type="password" name="password_reg" id="password" tabindex="2" class="form-control" placeholder="Password"/>
|
||||||
</div>
|
</div>
|
||||||
<div class="form-group">
|
<div class="form-group">
|
||||||
<input type="password" name="confirm-password-reg" id="confirm-password" tabindex="2" class="form-control" placeholder="Confirm Password"/>
|
<input type="password" name="confirm_password_reg" id="confirm-password" tabindex="2" class="form-control" placeholder="Confirm Password"/>
|
||||||
</div>
|
</div>
|
||||||
<div class="form-group">
|
<div class="form-group">
|
||||||
<div class="row">
|
<div class="row">
|
||||||
|
@ -2,4 +2,9 @@ challenge.title=WebGoat Challenge
|
|||||||
challenge1.title=Admin lost password
|
challenge1.title=Admin lost password
|
||||||
challenge2.title=Get it for free
|
challenge2.title=Get it for free
|
||||||
challenge3.title=Photo comments
|
challenge3.title=Photo comments
|
||||||
|
challenge4.title=Creating a new account
|
||||||
challenge.solved=Congratulations, you solved the challenge. Here is your flag: {0}
|
challenge.solved=Congratulations, you solved the challenge. Here is your flag: {0}
|
||||||
|
|
||||||
|
user.exists=User {0} already exists please try to register with a different username.
|
||||||
|
user.created=User {0} created, please proceed to the login page.
|
||||||
|
input.invalid=Input for user, email and/or password is empty or too long, please fill in all field and/or limit all fields to 30 characters.
|