Challenge 4 SQL is working
This commit is contained in:
Nanne Baars
parent
ed0e1a1f37
commit
ec36dbd43c
@ -10,5 +10,6 @@ public interface SolutionConstants {
|
||||
|
||||
String PASSWORD = "!!webgoat_admin_1234!!";
|
||||
String SUPER_COUPON_CODE = "get_it_for_free";
|
||||
String PASSWORD_TOM = "thisisasecretfortomonly";
|
||||
|
||||
}
|
||||
|
||||
@ -1,11 +1,23 @@
|
||||
package org.owasp.webgoat.plugin.challenge4;
|
||||
|
||||
import org.apache.commons.lang3.StringUtils;
|
||||
import lombok.extern.slf4j.Slf4j;
|
||||
import org.apache.commons.lang3.RandomStringUtils;
|
||||
import org.owasp.webgoat.assignments.AssignmentEndpoint;
|
||||
import org.owasp.webgoat.assignments.AssignmentPath;
|
||||
import org.owasp.webgoat.assignments.AttackResult;
|
||||
import org.springframework.web.bind.annotation.*;
|
||||
import org.owasp.webgoat.plugin.Flag;
|
||||
import org.owasp.webgoat.session.DatabaseUtilities;
|
||||
import org.owasp.webgoat.session.WebSession;
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.util.StringUtils;
|
||||
import org.springframework.web.bind.annotation.PutMapping;
|
||||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
import org.springframework.web.bind.annotation.RequestParam;
|
||||
import org.springframework.web.bind.annotation.ResponseBody;
|
||||
|
||||
import java.sql.*;
|
||||
|
||||
import static org.owasp.webgoat.plugin.SolutionConstants.PASSWORD_TOM;
|
||||
import static org.springframework.web.bind.annotation.RequestMethod.POST;
|
||||
|
||||
/**
|
||||
@ -13,22 +25,108 @@ import static org.springframework.web.bind.annotation.RequestMethod.POST;
|
||||
* @since 4/8/17.
|
||||
*/
|
||||
@AssignmentPath("/challenge/4")
|
||||
@Slf4j
|
||||
public class Assignment4 extends AssignmentEndpoint {
|
||||
|
||||
private static final String USERS_TABLE_NAME = "challenge_users_" + RandomStringUtils.randomAlphabetic(6);
|
||||
|
||||
@Autowired
|
||||
private WebSession webSession;
|
||||
|
||||
@PutMapping //assignment path is bounded to class so we use different http method :-)
|
||||
@ResponseBody
|
||||
public AttackResult test() {
|
||||
return success().build();
|
||||
public AttackResult registerNewUser(@RequestParam String username_reg, @RequestParam String email_reg, @RequestParam String password_reg) throws Exception {
|
||||
AttackResult attackResult = checkArguments(username_reg, email_reg, password_reg);
|
||||
|
||||
if (attackResult == null) {
|
||||
Connection connection = DatabaseUtilities.getConnection(webSession);
|
||||
checkDatabase(connection);
|
||||
|
||||
String checkUserQuery = "select userid from " + USERS_TABLE_NAME + " where userid = '" + username_reg + "'";
|
||||
Statement statement = connection.createStatement();
|
||||
ResultSet resultSet = statement.executeQuery(checkUserQuery);
|
||||
|
||||
if (resultSet.next()) {
|
||||
attackResult = failed().feedback("user.exists").feedbackArgs(username_reg).build();
|
||||
} else {
|
||||
PreparedStatement preparedStatement = connection.prepareStatement("INSERT INTO " + USERS_TABLE_NAME + " VALUES (?, ?, ?)");
|
||||
preparedStatement.setString(1, username_reg);
|
||||
preparedStatement.setString(2, email_reg);
|
||||
preparedStatement.setString(3, password_reg);
|
||||
preparedStatement.execute();
|
||||
attackResult = success().feedback("user.created").feedbackArgs(username_reg).build();
|
||||
}
|
||||
}
|
||||
return attackResult;
|
||||
}
|
||||
|
||||
private AttackResult checkArguments(String username_reg, String email_reg, String password_reg) {
|
||||
if (StringUtils.isEmpty(username_reg) || StringUtils.isEmpty(email_reg) || StringUtils.isEmpty(password_reg)) {
|
||||
return failed().feedback("input.invalid").build();
|
||||
}
|
||||
if (username_reg.length() > 30 || email_reg.length() > 30 || password_reg.length() > 30) {
|
||||
return failed().feedback("input.invalid").build();
|
||||
}
|
||||
return null;
|
||||
}
|
||||
|
||||
@RequestMapping(method = POST)
|
||||
@ResponseBody
|
||||
public AttackResult login(@RequestParam String username, @RequestParam String password) throws Exception {
|
||||
if (StringUtils.isAlphanumeric(username) && StringUtils.isAlphanumeric(password)) {
|
||||
return success().build();
|
||||
} else {
|
||||
public AttackResult login(@RequestParam String username_login, @RequestParam String password_login) throws Exception {
|
||||
Connection connection = DatabaseUtilities.getConnection(webSession);
|
||||
checkDatabase(connection);
|
||||
|
||||
if ("tom".equals(username_login)) {
|
||||
PreparedStatement statement = connection.prepareStatement("select password from " + USERS_TABLE_NAME + " where userid = ? and password = ?");
|
||||
statement.setString(1, username_login);
|
||||
statement.setString(2, password_login);
|
||||
ResultSet resultSet = statement.executeQuery();
|
||||
|
||||
if (resultSet.next()) {
|
||||
return success().feedback("challenge.solved").feedbackArgs(Flag.FLAGS.get(4)).build();
|
||||
}
|
||||
}
|
||||
return failed().build();
|
||||
}
|
||||
|
||||
private void checkDatabase(Connection connection) throws SQLException {
|
||||
try {
|
||||
Statement statement = connection.createStatement();
|
||||
statement.execute("select 1 from " + USERS_TABLE_NAME);
|
||||
} catch (SQLException e) {
|
||||
createChallengeTable(connection);
|
||||
}
|
||||
}
|
||||
|
||||
private void createChallengeTable(Connection connection) {
|
||||
Statement statement = null;
|
||||
try {
|
||||
statement = connection.createStatement();
|
||||
String dropTable = "DROP TABLE " + USERS_TABLE_NAME;
|
||||
statement.executeUpdate(dropTable);
|
||||
} catch (SQLException e) {
|
||||
log.info("Delete failed, this does not point to an error table might not have been present...");
|
||||
}
|
||||
|
||||
try {
|
||||
String createTableStatement = "CREATE TABLE " + USERS_TABLE_NAME
|
||||
+ " (" + "userid varchar(30),"
|
||||
+ "email varchar(30),"
|
||||
+ "password varchar(30)"
|
||||
+ ")";
|
||||
statement.executeUpdate(createTableStatement);
|
||||
|
||||
String insertData1 = "INSERT INTO " + USERS_TABLE_NAME + " VALUES ('larry', 'larry@webgoat.org', 'larryknows')";
|
||||
String insertData2 = "INSERT INTO " + USERS_TABLE_NAME + " VALUES ('tom', 'tom@webgoat.org', '" + PASSWORD_TOM + "')";
|
||||
String insertData3 = "INSERT INTO " + USERS_TABLE_NAME + " VALUES ('alice', 'alice@webgoat.org', 'rt*(KJ()LP())$#**')";
|
||||
String insertData4 = "INSERT INTO " + USERS_TABLE_NAME + " VALUES ('eve', 'eve@webgoat.org', '**********')";
|
||||
statement.executeUpdate(insertData1);
|
||||
statement.executeUpdate(insertData2);
|
||||
statement.executeUpdate(insertData3);
|
||||
statement.executeUpdate(insertData4);
|
||||
} catch (SQLException e) {
|
||||
log.error("Unable create table", e);
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
@ -32,10 +32,10 @@
|
||||
action="/WebGoat/challenge/4"
|
||||
enctype="application/json;charset=UTF-8" role="form">
|
||||
<div class="form-group">
|
||||
<input type="text" name="username" id="username4" tabindex="1" class="form-control" placeholder="Username" value=""/>
|
||||
<input type="text" name="username_login" id="username4" tabindex="1" class="form-control" placeholder="Username" value=""/>
|
||||
</div>
|
||||
<div class="form-group">
|
||||
<input type="password" name="password" id="password4" tabindex="2" class="form-control" placeholder="Password"/>
|
||||
<input type="password" name="password_login" id="password4" tabindex="2" class="form-control" placeholder="Password"/>
|
||||
</div>
|
||||
<div class="form-group text-center">
|
||||
<input type="checkbox" tabindex="3" class="" name="remember" id="remember"/>
|
||||
@ -63,16 +63,16 @@
|
||||
action="/WebGoat/challenge/4"
|
||||
enctype="application/json;charset=UTF-8" style="display: none;" role="form">
|
||||
<div class="form-group">
|
||||
<input type="text" name="username-reg" id="username" tabindex="1" class="form-control" placeholder="Username" value=""/>
|
||||
<input type="text" name="username_reg" id="username" tabindex="1" class="form-control" placeholder="Username" value=""/>
|
||||
</div>
|
||||
<div class="form-group">
|
||||
<input type="email" name="email-reg" id="email" tabindex="1" class="form-control" placeholder="Email Address" value=""/>
|
||||
<input type="email" name="email_reg" id="email" tabindex="1" class="form-control" placeholder="Email Address" value=""/>
|
||||
</div>
|
||||
<div class="form-group">
|
||||
<input type="password" name="password-reg" id="password" tabindex="2" class="form-control" placeholder="Password"/>
|
||||
<input type="password" name="password_reg" id="password" tabindex="2" class="form-control" placeholder="Password"/>
|
||||
</div>
|
||||
<div class="form-group">
|
||||
<input type="password" name="confirm-password-reg" id="confirm-password" tabindex="2" class="form-control" placeholder="Confirm Password"/>
|
||||
<input type="password" name="confirm_password_reg" id="confirm-password" tabindex="2" class="form-control" placeholder="Confirm Password"/>
|
||||
</div>
|
||||
<div class="form-group">
|
||||
<div class="row">
|
||||
|
||||
@ -2,4 +2,9 @@ challenge.title=WebGoat Challenge
|
||||
challenge1.title=Admin lost password
|
||||
challenge2.title=Get it for free
|
||||
challenge3.title=Photo comments
|
||||
challenge4.title=Creating a new account
|
||||
challenge.solved=Congratulations, you solved the challenge. Here is your flag: {0}
|
||||
|
||||
user.exists=User {0} already exists please try to register with a different username.
|
||||
user.created=User {0} created, please proceed to the login page.
|
||||
input.invalid=Input for user, email and/or password is empty or too long, please fill in all field and/or limit all fields to 30 characters.
|
||||
Loading…
x
Reference in New Issue
Block a user