| @ -1,42 +1,77 @@ | ||||
| <?xml version="1.0" encoding="UTF-8"?> | ||||
| <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd"> | ||||
|     <suppress base="true"> | ||||
|     <suppress> | ||||
|         <notes><![CDATA[ | ||||
|         This suppresses false positives identified on spring framework. | ||||
|         This suppresses all CVE entries that have a score below CVSS 7. | ||||
|         ]]></notes> | ||||
|         <cpe>cpe:/a:pivotal_software:spring_framework</cpe> | ||||
|         <cve>CVE-2020-5398</cve> | ||||
|         <cvssBelow>7</cvssBelow> | ||||
|     </suppress> | ||||
|     <suppress base="true"> | ||||
|     <suppress> | ||||
|         <notes><![CDATA[ | ||||
|         This suppresses false positives identified on spring framework. | ||||
|         file name: spring-tx-5.3.21.jar | ||||
|         ]]></notes> | ||||
|         <cpe>cpe:/a:redhat:undertow</cpe> | ||||
|         <cve>CVE-2019-14888</cve> | ||||
|         <sha1>13f4f564024d2f85502c151942307c3ca851a4f7</sha1> | ||||
|         <cve>CVE-2016-1000027</cve> | ||||
|      </suppress> | ||||
|     <suppress base="true"> | ||||
|      <suppress> | ||||
|         <notes><![CDATA[ | ||||
|         This suppresses false positives identified on spring framework. | ||||
|         file name: spring-core-5.3.21.jar | ||||
|         ]]></notes> | ||||
|         <cpe>cpe:/a:pivotal_software:spring_security</cpe> | ||||
|         <cve>CVE-2018-1258</cve> | ||||
|         <packageUrl regex="true">^pkg:maven/org\.springframework/spring\-core@.*$</packageUrl> | ||||
|         <cve>CVE-2016-1000027</cve> | ||||
|      </suppress> | ||||
|     <suppress base="true"> | ||||
|      <suppress> | ||||
|         <notes><![CDATA[ | ||||
|         file name: spring-aop-5.3.21.jar | ||||
|         ]]></notes> | ||||
|         <packageUrl regex="true">^pkg:maven/org\.springframework/spring\-aop@.*$</packageUrl> | ||||
|         <cve>CVE-2016-1000027</cve> | ||||
|      </suppress> | ||||
|      <suppress> | ||||
|         <notes><![CDATA[ | ||||
|         file name: spring-boot-starter-security-2.7.1.jar | ||||
|         ]]></notes> | ||||
|         <packageUrl regex="true">^pkg:maven/org\.springframework\.boot/spring\-boot\-starter\-security@.*$</packageUrl> | ||||
|         <cve>CVE-2022-22978</cve> | ||||
|      </suppress> | ||||
|      <suppress> | ||||
|         <notes><![CDATA[ | ||||
|         file name: jruby-stdlib-9.2.20.1.jar: jopenssl.jar (shaded: rubygems:jruby-openssl:0.11.0) | ||||
|         ]]></notes> | ||||
|         <packageUrl regex="true">^pkg:maven/rubygems/jruby\-openssl@.*$</packageUrl> | ||||
|         <cpe>cpe:/a:jruby:jruby</cpe> | ||||
|         <cve>CVE-2018-1000613</cve> | ||||
|         <cve>CVE-2018-1000180</cve> | ||||
|         <cve>CVE-2017-18640</cve> | ||||
|         <cve>CVE-2011-4838</cve> | ||||
|         <cpe>cpe:/a:openssl:openssl</cpe> | ||||
|      </suppress> | ||||
|     <suppress base="true"><!-- vulnerable components lesson --> | ||||
|     <suppress> | ||||
|         <notes><![CDATA[ | ||||
|         file name: xstream-1.4.5.jar | ||||
|         ]]></notes> | ||||
|         <packageUrl regex="true">^pkg:maven/com\.thoughtworks\.xstream/xstream@.*$</packageUrl> | ||||
|         <cpe>cpe:/a:xstream_project:xstream</cpe> | ||||
|         <cve>CVE-2017-7957</cve> | ||||
|         <cve>CVE-2016-3674</cve> | ||||
|         <cve>CVE-2020-26217</cve> | ||||
|         <cve>CVE-2020-26258</cve> | ||||
|         <vulnerabilityName>CVE-2013-7285</vulnerabilityName> | ||||
|         <vulnerabilityName>CVE-2016-3674</vulnerabilityName> | ||||
|         <vulnerabilityName>CVE-2017-7957</vulnerabilityName> | ||||
|         <vulnerabilityName>CVE-2020-26217</vulnerabilityName> | ||||
|         <vulnerabilityName>CVE-2020-26258</vulnerabilityName> | ||||
|         <vulnerabilityName>CVE-2020-26259</vulnerabilityName> | ||||
|         <vulnerabilityName>CVE-2021-21341</vulnerabilityName> | ||||
|         <vulnerabilityName>CVE-2021-21342</vulnerabilityName> | ||||
|         <vulnerabilityName>CVE-2021-21343</vulnerabilityName> | ||||
|         <vulnerabilityName>CVE-2021-21344</vulnerabilityName> | ||||
|         <vulnerabilityName>CVE-2021-21345</vulnerabilityName> | ||||
|         <vulnerabilityName>CVE-2021-21346</vulnerabilityName> | ||||
|         <vulnerabilityName>CVE-2021-21347</vulnerabilityName> | ||||
|         <vulnerabilityName>CVE-2021-21348</vulnerabilityName> | ||||
|         <vulnerabilityName>CVE-2021-21349</vulnerabilityName> | ||||
|         <vulnerabilityName>CVE-2021-21350</vulnerabilityName> | ||||
|         <vulnerabilityName>CVE-2021-21351</vulnerabilityName> | ||||
|         <vulnerabilityName>CVE-2021-43859</vulnerabilityName> | ||||
|      </suppress> | ||||
|     <suppress base="true"><!-- webgoat-server --> | ||||
|         <cpe>cpe:/a:postgresql:postgresql</cpe> | ||||
|         <cve>CVE-2018-10936</cve> | ||||
|      <suppress> | ||||
|         <notes><![CDATA[ | ||||
|         file name: spring-jcl-5.3.21.jar | ||||
|         ]]></notes> | ||||
|         <packageUrl regex="true">^pkg:maven/org\.springframework/spring\-.*@.*$</packageUrl> | ||||
|         <cve>CVE-2016-1000027</cve> | ||||
|      </suppress> | ||||
| </suppressions> | ||||
|  | ||||
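Review bot: The last suppression (`spring\-.*@.*$`, just above `</suppressions>`) silences CVE-2016-1000027 for every org.springframework artifact, although its note only justifies spring-jcl-5.3.21.jar; as far as I recall that CVE is the HttpInvokerServiceExporter/RemoteInvocationSerializingExporter deserialization issue, which actually lives in spring-web, so a regex that also matches spring-web hides a critical finding that the pom's `failBuildOnCVSS` of 7 would otherwise stop the build on, and it makes the earlier spring-core and spring-aop entries redundant. Narrow it to the artifact the note names, `<packageUrl regex="true">^pkg:maven/org\.springframework/spring\-jcl@.*$</packageUrl>`, or exclude spring-web explicitly with `spring\-(?!web)[^@]*@.*$`. Separately, the first entry's unscoped `<cvssBelow>7</cvssBelow>` drops every medium-severity finding from the report rather than just from the build gate; if that is intended, say so in its notes, otherwise scope it with a packageUrl. If I read the suppression schema right, the `<cpe>` elements on the jruby-openssl and xstream entries remove the identifier and with it every associated vulnerability, making the listed CVEs moot; the old `<!-- vulnerable components lesson -->` justification was dropped in this rewrite and is worth restoring inside the xstream entry's notes so the next reader knows the suppression is deliberate.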
										13
									
								
								pom.xml
							| @ -119,7 +119,7 @@ | ||||
|         <webwolf.port>9090</webwolf.port> | ||||
|  | ||||
|         <!-- Shared properties with plugins and version numbers across submodules--> | ||||
|         <asciidoctorj.version>2.5.2</asciidoctorj.version> | ||||
|         <asciidoctorj.version>2.5.3</asciidoctorj.version> | ||||
|         <bootstrap.version>3.3.7</bootstrap.version> | ||||
|         <cglib.version>2.2</cglib.version> <!-- do not update necessary for lesson --> | ||||
|         <checkstyle.version>3.1.2</checkstyle.version> | ||||
| @ -337,8 +337,8 @@ | ||||
|                         <version>6.5.1</version> | ||||
|                         <configuration> | ||||
|                             <failBuildOnCVSS>7</failBuildOnCVSS> | ||||
|                             <skipProvidedScope>true</skipProvidedScope> | ||||
|                             <skipRuntimeScope>true</skipRuntimeScope> | ||||
|                             <skipProvidedScope>false</skipProvidedScope> | ||||
|                             <skipRuntimeScope>false</skipRuntimeScope> | ||||
|                             <suppressionFiles> | ||||
|                                 <!--suppress UnresolvedMavenProperty --> | ||||
|                                 <suppressionFile> | ||||
| @ -536,14 +536,7 @@ | ||||
|                             <groupId>org.asciidoctor</groupId> | ||||
|                             <artifactId>asciidoctorj</artifactId> | ||||
|                         </dependency> | ||||
|                         <dependency> | ||||
|                             <groupId>org.jruby</groupId> | ||||
|                             <artifactId>jruby-complete</artifactId> | ||||
|                         </dependency> | ||||
|                     </requiresUnpack> | ||||
|                     <jvmArguments> | ||||
|                         <!-- -Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=y,address=8000--> | ||||
|                     </jvmArguments> | ||||
|                 </configuration> | ||||
|             </plugin> | ||||
|             <plugin> | ||||
|  | ||||
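Review bot: The `skipProvidedScope`/`skipRuntimeScope` flip to `false` in the 337 hunk is the security-relevant change of this file and is undocumented; since provided/runtime artifacts normally end up in the repackaged boot jar, a one-line comment such as `<!-- provided/runtime artifacts ship in the repackaged jar; scan them too -->` above `<skipProvidedScope>false</skipProvidedScope>` would stop the next maintainer from flipping it back to shrink the report. The jruby-complete removal from `requiresUnpack` at 536 looks consistent with the suppression file now referring to jruby-stdlib shaded inside asciidoctorj, but the dependency declaration itself is outside the hunk, so I cannot confirm jruby-complete is gone from the classpath. The asciidoctorj bump at 119 needs no comment.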
| @ -41,15 +41,15 @@ import java.sql.*; | ||||
| public class SqlInjectionLesson6a extends AssignmentEndpoint { | ||||
|  | ||||
|     private final LessonDataSource dataSource; | ||||
|  | ||||
|     private static final String YOUR_QUERY_WAS = "<br> Your query was: "; | ||||
|     public SqlInjectionLesson6a(LessonDataSource dataSource) { | ||||
|         this.dataSource = dataSource; | ||||
|     } | ||||
|  | ||||
|     @PostMapping("/SqlInjectionAdvanced/attack6a") | ||||
|     @ResponseBody | ||||
|     public AttackResult completed(@RequestParam String userid_6a) { | ||||
|         return injectableQuery(userid_6a); | ||||
|     public AttackResult completed(@RequestParam(value="userid_6a")  String userId) { | ||||
|         return injectableQuery(userId); | ||||
|         // The answer: Smith' union select userid,user_name, password,cookie,cookie, cookie,userid from user_system_data -- | ||||
|     } | ||||
|  | ||||
| @ -66,7 +66,7 @@ public class SqlInjectionLesson6a extends AssignmentEndpoint { | ||||
|                     ResultSet.CONCUR_READ_ONLY)) { | ||||
|                 ResultSet results = statement.executeQuery(query); | ||||
|  | ||||
|                 if ((results != null) && (results.first())) { | ||||
|                 if ((results != null) && results.first()) { | ||||
|                     ResultSetMetaData resultsMetaData = results.getMetaData(); | ||||
|                     StringBuilder output = new StringBuilder(); | ||||
|  | ||||
| @ -83,17 +83,16 @@ public class SqlInjectionLesson6a extends AssignmentEndpoint { | ||||
|                         output.append(appendingWhenSucceded); | ||||
|                         return success(this).feedback("sql-injection.advanced.6a.success").feedbackArgs(output.toString()).output(" Your query was: " + query).build(); | ||||
|                     } else { | ||||
|                         return failed(this).output(output.toString() + "<br> Your query was: " + query).build(); | ||||
|                         return failed(this).output(output.toString() + YOUR_QUERY_WAS + query).build(); | ||||
|                     } | ||||
|                 } else { | ||||
|                     return failed(this).feedback("sql-injection.advanced.6a.no.results").output(" Your query was: " + query).build(); | ||||
|                     return failed(this).feedback("sql-injection.advanced.6a.no.results").output(YOUR_QUERY_WAS + query).build(); | ||||
|                 } | ||||
|             } catch (SQLException sqle) { | ||||
|                 return failed(this).output(sqle.getMessage() + "<br> Your query was: " + query).build(); | ||||
|                 return failed(this).output(sqle.getMessage() + YOUR_QUERY_WAS + query).build(); | ||||
|             } | ||||
|         } catch (Exception e) { | ||||
|             e.printStackTrace(); | ||||
|             return failed(this).output(this.getClass().getName() + " : " + e.getMessage() + "<br> Your query was: " + query).build(); | ||||
|             return failed(this).output(this.getClass().getName() + " : " + e.getMessage() + YOUR_QUERY_WAS + query).build(); | ||||
|         } | ||||
|     } | ||||
| } | ||||
|  | ||||
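Review bot: The success path `return success(this).feedback("sql-injection.advanced.6a.success")...output(" Your query was: " + query)` still inlines the literal while the three failure paths now use `YOUR_QUERY_WAS`; if leaving the `<br>` off on success is deliberate, a comment on the constant saying so would stop someone "fixing" it, otherwise use the constant there as well. The entry point reads better as `public AttackResult completed(@RequestParam("userid_6a") String userId) {` (no double space, no explicit `value=`), and a blank line between the new constant and the constructor would match the surrounding layout. The `e.printStackTrace()` and the raw `<br>`-laden echo of the user-controlled query are unchanged lesson behaviour and presumably intentional for a deliberately vulnerable app. The enclosing injectableQuery method starts outside the hunks.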
| @ -23,9 +23,7 @@ | ||||
| package org.owasp.webgoat.lessons.sql_injection.introduction; | ||||
|  | ||||
| import org.junit.jupiter.api.Test; | ||||
| import org.junit.jupiter.api.extension.ExtendWith; | ||||
| import org.owasp.webgoat.lessons.sql_injection.SqlLessonTest; | ||||
| import org.springframework.test.context.junit.jupiter.SpringExtension; | ||||
| import org.springframework.test.web.servlet.request.MockMvcRequestBuilders; | ||||
|  | ||||
| import static org.hamcrest.Matchers.containsString; | ||||
|  | ||||