dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Added comment parsing and feedback to text editor lessons

Browse Source
This commit is contained in:
Max Geldner 2018-11-19 17:48:49 +01:00 committed by Nanne Baars
parent b22deec5b8
commit f66ad51721
4 changed files with 42 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson10b.java
View File

@ -9,6 +9,7 @@ import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam; import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody; import org.springframework.web.bind.annotation.ResponseBody;
import javax.servlet.http.HttpServletRequest;
import javax.tools.*; import javax.tools.*;
import java.io.IOException; import java.io.IOException;
import java.net.URI; import java.net.URI;
@ -21,22 +22,31 @@ import java.util.regex.Pattern;
@AssignmentHints(value = {"SqlStringInjectionHint-mitigation-10b-1", "SqlStringInjectionHint-mitigation-10b-2", "SqlStringInjectionHint-mitigation-10b-3"}) @AssignmentHints(value = {"SqlStringInjectionHint-mitigation-10b-1", "SqlStringInjectionHint-mitigation-10b-2", "SqlStringInjectionHint-mitigation-10b-3"})
public class SqlInjectionLesson10b extends AssignmentEndpoint { public class SqlInjectionLesson10b extends AssignmentEndpoint {
// Problem: Form has two submits, first submit is null and already wants to throw an attack result. Seconds attack result cant be thrown
@RequestMapping(method = RequestMethod.POST) @RequestMapping(method = RequestMethod.POST)
@ResponseBody @ResponseBody
public AttackResult completed(@RequestParam String editor) { public AttackResult completed(HttpServletRequest req) {
String regex1 = "(?=.*PreparedStatement.*)(?=.*setString.*)(?=.*\\=\\?.*|.*\\=\\s\\?.*)"; String editor = req.getParameter("editor");
editor = editor.replaceAll("\\<.*?>",""); try {
boolean hasImportant = this.check_text(regex1, editor.replace("\n", "").replace("\r", "")); if (editor == null) {
List<Diagnostic> hasCompiled = this.compileFromString(editor); throw new Exception();
String errors = "";
if(hasImportant && hasCompiled.size() < 1) {
return trackProgress(success().build());
} else if(hasCompiled.size() > 1) {
for(Diagnostic d : hasCompiled) {
errors += d.getMessage(null) + "\n";
} }
String regex1 = "(?=.*PreparedStatement.*)(?=.*setString.*)(?=.*\\=\\?.*|.*\\=\\s\\?.*)";
editor = editor.replaceAll("\\<.*?>", "");
boolean hasImportant = this.check_text(regex1, editor.replace("\n", "").replace("\r", ""));
List<Diagnostic> hasCompiled = this.compileFromString(editor);
String errors = "";
if (hasImportant && hasCompiled.size() < 1) {
return trackProgress(success().feedback("sql-injection.10b.success").build());
} else if (hasCompiled.size() > 1) {
for (Diagnostic d : hasCompiled) {
errors += d.getMessage(null) + "\n";
}
}
return trackProgress(failed().feedback("sql-injection.10b.failed").output(errors).build());
} catch(Exception e) {
return trackProgress(success().build());
} }
return trackProgress(failed().output(errors).build());
} }
private List<Diagnostic> compileFromString(String s) { private List<Diagnostic> compileFromString(String s) {

6
webgoat-lessons/sql-injection/src/main/resources/html/SqlInjectionMitigations.html
View File

@ -41,9 +41,9 @@
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:SqlInjection_jdbc_newcode.adoc"></div> <div class="adoc-content" th:replace="doc:SqlInjection_jdbc_newcode.adoc"></div>
<div class="attack-container" style="height: 300px; border: none !important"> <div id="insertcode" class="attack-container" style="height: 300px; border: none !important">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div> <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<form class="attack-form" accept-charset="UNKNOWN" method="POST" name="form" action="/WebGoat/SqlInjection/attack10b" enctype="application/json;charset=UTF-8"> <form id="codesubmit" class="attack-form" accept-charset="UNKNOWN" method="POST" name="form" action="/WebGoat/SqlInjection/attack10b" enctype="application/json;charset=UTF-8">
<div> <div>
<div id="editor" style="position: absolute; top: 0; right: 0; bottom: 0; left: 0;" name="editor"></div> <div id="editor" style="position: absolute; top: 0; right: 0; bottom: 0; left: 0;" name="editor"></div>
<script th:src="@{/js/libs/ace/src-noconflict/ace.js}" type="text/javascript" charset="utf-8"></script> <script th:src="@{/js/libs/ace/src-noconflict/ace.js}" type="text/javascript" charset="utf-8"></script>
@ -55,9 +55,11 @@
</script> </script>
</div> </div>
<div class="input-group" style="margin-top: 10px"> <div class="input-group" style="margin-top: 10px">
<!--<input name="solution" value="Submit code" style="margin-top: 350%; margin-left: 60%;" type="SUBMIT" onclick="ace_collect()"/>-->
<button type="button" class="btn btn-primary" style="margin-top: 350%; margin-left: 60%;" onclick="ace_collect()">Submit</button> <button type="button" class="btn btn-primary" style="margin-top: 350%; margin-left: 60%;" onclick="ace_collect()">Submit</button>
</div> </div>
</form> </form>
<br />
<div class="attack-feedback"></div> <div class="attack-feedback"></div>
<div class="attack-output"></div> <div class="attack-output"></div>
</div> </div>

4
webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties
View File

@ -66,6 +66,10 @@ SqlStringInjectionHint.9.5=How about something like '; UPDATE employees....
sql-injection.10.success=<span class='feedback-positive'>Success! You successfully deleted the access_log table and that way compromised the availability of the data.</span> sql-injection.10.success=<span class='feedback-positive'>Success! You successfully deleted the access_log table and that way compromised the availability of the data.</span>
sql-injection.10.entries=<span class='feedback-negative'>There's still evidence of what you did. Better remove the whole table.</span> sql-injection.10.entries=<span class='feedback-negative'>There's still evidence of what you did. Better remove the whole table.</span>
sql-injection.10b.success=Your code can prevent an SQL Injection! Success!
sql-injection.10b.failed=Something doesn't seem right with that code. Maybe you should look at an example how to prevent SQL Injections with JDBC?
SqlStringInjectionHint.10.1=Use the techniques that you have learned before. SqlStringInjectionHint.10.1=Use the techniques that you have learned before.
SqlStringInjectionHint.10.2=The application takes your input and filters for entries that are LIKE it. SqlStringInjectionHint.10.2=The application takes your input and filters for entries that are LIKE it.
SqlStringInjectionHint.10.3=Try query chaining to reach the goal. SqlStringInjectionHint.10.3=Try query chaining to reach the goal.

15
webgoat-lessons/sql-injection/src/main/resources/js/assignment10b.js
View File

@ -1,16 +1,25 @@
function ace_collect() { function ace_collect() {
let code = ""; let code = "";
console.log("Test");
$(".ace_line").each(function(i, el) { $(".ace_line").each(function(i, el) {
code += el.innerHTML; var to_add = el.innerHTML;
if(/\/\/.*/.test(to_add)) {
to_add = to_add.replace(/\/\/.*/i, '');
}
code += to_add;
}); });
console.log(code);
code = $(".ace_content")[0].innerHTML;
$.ajax({ $.ajax({
type: "POST", type: "POST",
url: "/WebGoat/SqlInjection/attack10b", url: "/WebGoat/SqlInjection/attack10b",
dataType: "text", dataType: "text",
data: { data: {
editor: code editor: code
},
success: function(data) {
console.log("entry");
let lesson_feedback = JSON.parse(data);
$("#insertcode .attack-feedback").css("display", "block");
$("#insertcode .attack-feedback").html(lesson_feedback.feedback);
} }
}); });
} }