From f66ad517210db611cead62792b22363e13cfd424 Mon Sep 17 00:00:00 2001 From: Max Geldner <max.sgeldner@t-online.de> Date: Mon, 19 Nov 2018 17:48:49 +0100 Subject: [PATCH] Added comment parsing and feedback to text editor lessons --- .../mitigation/SqlInjectionLesson10b.java | 34 ++++++++++++------- .../html/SqlInjectionMitigations.html | 6 ++-- .../resources/i18n/WebGoatLabels.properties | 4 +++ .../src/main/resources/js/assignment10b.js | 15 ++++++-- 4 files changed, 42 insertions(+), 17 deletions(-) diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson10b.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson10b.java index 1ff872a10..8731fd565 100644 --- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson10b.java +++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson10b.java @@ -9,6 +9,7 @@ import org.springframework.web.bind.annotation.RequestMethod; import org.springframework.web.bind.annotation.RequestParam; import org.springframework.web.bind.annotation.ResponseBody; +import javax.servlet.http.HttpServletRequest; import javax.tools.*; import java.io.IOException; import java.net.URI; @@ -21,22 +22,31 @@ import java.util.regex.Pattern; @AssignmentHints(value = {"SqlStringInjectionHint-mitigation-10b-1", "SqlStringInjectionHint-mitigation-10b-2", "SqlStringInjectionHint-mitigation-10b-3"}) public class SqlInjectionLesson10b extends AssignmentEndpoint { + // Problem: Form has two submits, first submit is null and already wants to throw an attack result. Seconds attack result cant be thrown @RequestMapping(method = RequestMethod.POST) @ResponseBody - public AttackResult completed(@RequestParam String editor) { - String regex1 = "(?=.*PreparedStatement.*)(?=.*setString.*)(?=.*\\=\\?.*|.*\\=\\s\\?.*)"; - editor = editor.replaceAll("\\<.*?>",""); - boolean hasImportant = this.check_text(regex1, editor.replace("\n", "").replace("\r", "")); - List<Diagnostic> hasCompiled = this.compileFromString(editor); - String errors = ""; - if(hasImportant && hasCompiled.size() < 1) { - return trackProgress(success().build()); - } else if(hasCompiled.size() > 1) { - for(Diagnostic d : hasCompiled) { - errors += d.getMessage(null) + "\n"; + public AttackResult completed(HttpServletRequest req) { + String editor = req.getParameter("editor"); + try { + if (editor == null) { + throw new Exception(); } + String regex1 = "(?=.*PreparedStatement.*)(?=.*setString.*)(?=.*\\=\\?.*|.*\\=\\s\\?.*)"; + editor = editor.replaceAll("\\<.*?>", ""); + boolean hasImportant = this.check_text(regex1, editor.replace("\n", "").replace("\r", "")); + List<Diagnostic> hasCompiled = this.compileFromString(editor); + String errors = ""; + if (hasImportant && hasCompiled.size() < 1) { + return trackProgress(success().feedback("sql-injection.10b.success").build()); + } else if (hasCompiled.size() > 1) { + for (Diagnostic d : hasCompiled) { + errors += d.getMessage(null) + "\n"; + } + } + return trackProgress(failed().feedback("sql-injection.10b.failed").output(errors).build()); + } catch(Exception e) { + return trackProgress(success().build()); } - return trackProgress(failed().output(errors).build()); } private List<Diagnostic> compileFromString(String s) { diff --git a/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjectionMitigations.html b/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjectionMitigations.html index 500e88116..c00ffd5ca 100644 --- a/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjectionMitigations.html +++ b/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjectionMitigations.html @@ -41,9 +41,9 @@ <div class="lesson-page-wrapper"> <div class="adoc-content" th:replace="doc:SqlInjection_jdbc_newcode.adoc"></div> - <div class="attack-container" style="height: 300px; border: none !important"> + <div id="insertcode" class="attack-container" style="height: 300px; border: none !important"> <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div> - <form class="attack-form" accept-charset="UNKNOWN" method="POST" name="form" action="/WebGoat/SqlInjection/attack10b" enctype="application/json;charset=UTF-8"> + <form id="codesubmit" class="attack-form" accept-charset="UNKNOWN" method="POST" name="form" action="/WebGoat/SqlInjection/attack10b" enctype="application/json;charset=UTF-8"> <div> <div id="editor" style="position: absolute; top: 0; right: 0; bottom: 0; left: 0;" name="editor"></div> <script th:src="@{/js/libs/ace/src-noconflict/ace.js}" type="text/javascript" charset="utf-8"></script> @@ -55,9 +55,11 @@ </script> </div> <div class="input-group" style="margin-top: 10px"> + <!--<input name="solution" value="Submit code" style="margin-top: 350%; margin-left: 60%;" type="SUBMIT" onclick="ace_collect()"/>--> <button type="button" class="btn btn-primary" style="margin-top: 350%; margin-left: 60%;" onclick="ace_collect()">Submit</button> </div> </form> + <br /> <div class="attack-feedback"></div> <div class="attack-output"></div> </div> diff --git a/webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties b/webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties index f2f9b70dc..a6183f6e4 100644 --- a/webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties +++ b/webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties @@ -66,6 +66,10 @@ SqlStringInjectionHint.9.5=How about something like '; UPDATE employees.... sql-injection.10.success=<span class='feedback-positive'>Success! You successfully deleted the access_log table and that way compromised the availability of the data.</span> sql-injection.10.entries=<span class='feedback-negative'>There's still evidence of what you did. Better remove the whole table.</span> + +sql-injection.10b.success=Your code can prevent an SQL Injection! Success! +sql-injection.10b.failed=Something doesn't seem right with that code. Maybe you should look at an example how to prevent SQL Injections with JDBC? + SqlStringInjectionHint.10.1=Use the techniques that you have learned before. SqlStringInjectionHint.10.2=The application takes your input and filters for entries that are LIKE it. SqlStringInjectionHint.10.3=Try query chaining to reach the goal. diff --git a/webgoat-lessons/sql-injection/src/main/resources/js/assignment10b.js b/webgoat-lessons/sql-injection/src/main/resources/js/assignment10b.js index 42be3af63..907832cf4 100644 --- a/webgoat-lessons/sql-injection/src/main/resources/js/assignment10b.js +++ b/webgoat-lessons/sql-injection/src/main/resources/js/assignment10b.js @@ -1,16 +1,25 @@ function ace_collect() { let code = ""; + console.log("Test"); $(".ace_line").each(function(i, el) { - code += el.innerHTML; + var to_add = el.innerHTML; + if(/\/\/.*/.test(to_add)) { + to_add = to_add.replace(/\/\/.*/i, ''); + } + code += to_add; }); - console.log(code); - code = $(".ace_content")[0].innerHTML; $.ajax({ type: "POST", url: "/WebGoat/SqlInjection/attack10b", dataType: "text", data: { editor: code + }, + success: function(data) { + console.log("entry"); + let lesson_feedback = JSON.parse(data); + $("#insertcode .attack-feedback").css("display", "block"); + $("#insertcode .attack-feedback").html(lesson_feedback.feedback); } }); } \ No newline at end of file