Commit Dave's fixes

git-svn-id: http://webgoat.googlecode.com/svn/trunk@210 4033779f-a91e-0410-96ef-6bf7bf53c507
rogan.dawes 2007-07-25 12:57:17 +00:00
parent d9979e46ed
commit f62eb33c4b
3 changed files with 22 additions and 7 deletions


@ -1,5 +1,6 @@
package org.owasp.webgoat.lessons.SQLInjection; package org.owasp.webgoat.lessons.SQLInjection;
import java.sql.PreparedStatement;
import java.sql.ResultSet; import java.sql.ResultSet;
import java.sql.SQLException; import java.sql.SQLException;
import java.sql.Statement; import java.sql.Statement;


@ -1,5 +1,6 @@
package org.owasp.webgoat.lessons.SQLInjection; package org.owasp.webgoat.lessons.SQLInjection;
import java.sql.PreparedStatement;
import java.sql.ResultSet; import java.sql.ResultSet;
import java.sql.SQLException; import java.sql.SQLException;
import java.sql.Statement; import java.sql.Statement;
@ -11,6 +12,7 @@ import org.owasp.webgoat.session.ParameterNotFoundException;
import org.owasp.webgoat.session.UnauthenticatedException; import org.owasp.webgoat.session.UnauthenticatedException;
import org.owasp.webgoat.session.UnauthorizedException; import org.owasp.webgoat.session.UnauthorizedException;
import org.owasp.webgoat.session.WebSession; import org.owasp.webgoat.session.WebSession;
import org.owasp.webgoat.util.HtmlEncoder;
/******************************************************************************* /*******************************************************************************
* *
@ -107,8 +109,9 @@ public class ViewProfile extends DefaultLessonAction
// Query the database for the profile data of the given employee // Query the database for the profile data of the given employee
try try
{ {
String query = "SELECT * FROM employee WHERE userid = " String query = "SELECT employee.* " +
+ subjectUserId; "FROM employee,ownership WHERE employee.userid = ownership.employee_id and " +
"ownership.employer_id = " + userId + " and ownership.employee_id = " + subjectUserId;
try try
{ {
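Review bot: The rewritten query starting at `String query = "SELECT employee.* " +` still builds the SQL by string concatenation, and now splices both `userId` and `subjectUserId` into the ownership predicate, so the ownership check this commit introduces can itself be bypassed by an injected value in either id (e.g. a `subjectUserId` of the form `101 or 1=1`). If that is deliberate for this lesson stage (the companion ViewProfile_i hunk carries the parameterized `STAGE 4 - FIX`), a comment in place would keep it from being mistaken for the intended pattern, e.g. `// Lesson code: intentionally vulnerable - the ownership check is built by concatenation; see ViewProfile_i for the PreparedStatement fix`. The `java.sql.PreparedStatement` and `HtmlEncoder` imports added at the top of this file are not referenced in any visible hunk, so they are either unused or used in code outside this view. getEmployeeProfile begins and ends outside the hunk.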


@ -9,6 +9,7 @@ import org.owasp.webgoat.lessons.SQLInjection.ViewProfile;
import org.owasp.webgoat.session.Employee; import org.owasp.webgoat.session.Employee;
import org.owasp.webgoat.session.UnauthorizedException; import org.owasp.webgoat.session.UnauthorizedException;
import org.owasp.webgoat.session.WebSession; import org.owasp.webgoat.session.WebSession;
import org.owasp.webgoat.util.HtmlEncoder;
/* /*
Solution Summary: Edit ViewProfile.java and change getEmployeeProfile(). Solution Summary: Edit ViewProfile.java and change getEmployeeProfile().
@ -16,15 +17,22 @@ Solution Summary: Edit ViewProfile.java and change getEmployeeProfile().
Solution Steps: Solution Steps:
1. Change dynamic query to parameterized query. 1. Change dynamic query to parameterized query.
a. Replace the dynamic varaibles with the "?" a. Replace the dynamic variables with the "?"
String query = "SELECT * FROM employee WHERE userid = ?"; Old: String query = "SELECT employee.* " +
"FROM employee,ownership WHERE employee.userid = ownership.employee_id and " +
"ownership.employer_id = " + userId + " and ownership.employee_id = " + subjectUserId;
New: String query = "SELECT employee.* " +
"FROM employee,ownership WHERE employee.userid = ownership.employee_id and " +
"ownership.employer_id = ? and ownership.employee_id = ?";
b. Create a preparedStatement using the new query b. Create a preparedStatement using the new query
PreparedStatement answer_statement = SQLInjection.getConnection(s).prepareStatement( PreparedStatement answer_statement = SQLInjection.getConnection(s).prepareStatement(
query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY ); query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY );
c. Set the values of the parameterized query c. Set the values of the parameterized query
answer_statement.setInt(1, Integer.parseInt(subjectUserId)); answer_statement.setInt(1, Integer.parseInt(userId)); // STAGE 4 - FIX
answer_statement.setInt(2, Integer.parseInt(subjectUserId)); // STAGE 4 - FIX
d. Execute the preparedStatement d. Execute the preparedStatement
ResultSet answer_results = answer_statement.executeQuery(); ResultSet answer_results = answer_statement.executeQuery();
@ -47,13 +55,16 @@ public class ViewProfile_i extends ViewProfile
try try
{ {
String query = "SELECT * FROM employee WHERE userid = ?"; // STAGE 4 - FIX String query = "SELECT employee.* " +
"FROM employee,ownership WHERE employee.userid = ownership.employee_id and " +
"ownership.employer_id = ? and ownership.employee_id = ?";
try try
{ {
PreparedStatement answer_statement = WebSession.getConnection(s).prepareStatement( query, PreparedStatement answer_statement = WebSession.getConnection(s).prepareStatement( query,
ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY ); // STAGE 4 - FIX ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY ); // STAGE 4 - FIX
answer_statement.setInt(1, Integer.parseInt(subjectUserId)); // STAGE 4 - FIX answer_statement.setInt(1, Integer.parseInt(userId)); // STAGE 4 - FIX
answer_statement.setInt(2, Integer.parseInt(subjectUserId)); // STAGE 4 - FIX
ResultSet answer_results = answer_statement.executeQuery(); // STAGE 4 - FIX ResultSet answer_results = answer_statement.executeQuery(); // STAGE 4 - FIX
if (answer_results.next()) if (answer_results.next())
{ {
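Review bot: The new `answer_statement.setInt(1, Integer.parseInt(userId))` and `answer_statement.setInt(2, Integer.parseInt(subjectUserId))` lines throw NumberFormatException for any non-numeric id, and nothing in the visible hunk handles it; whether the enclosing catch (outside the hunk) turns that into a controlled message or lets a stack trace reach the user cannot be told from here, so catching NumberFormatException explicitly next to the parse and reporting a generic error would make the fix robust against malformed input as well as injection. The solution-summary comment above says `SQLInjection.getConnection(s).prepareStatement(` while the code below uses `WebSession.getConnection(s)`; the comment should be updated to match the code. The `HtmlEncoder` import added to this file is not used in the visible hunk. getEmployeeProfile's try block continues past the hunk, so whether answer_statement and answer_results are closed is not visible.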