Use separate project for integration tests so we can start WebGoat and WebWolf
This commit is contained in:
		
							
								
								
									
										66
									
								
								webgoat-integration-tests/pom.xml
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										66
									
								
								webgoat-integration-tests/pom.xml
									
									
									
									
									
										Normal file
									
								
							| @ -0,0 +1,66 @@ | ||||
| <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" | ||||
|          xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd"> | ||||
|     <modelVersion>4.0.0</modelVersion> | ||||
|     <artifactId>webgoat-integration-tests</artifactId> | ||||
|     <packaging>jar</packaging> | ||||
|     <parent> | ||||
|         <groupId>org.owasp.webgoat</groupId> | ||||
|         <artifactId>webgoat-parent</artifactId> | ||||
|         <version>v8.0.0-SNAPSHOT</version> | ||||
|     </parent> | ||||
|  | ||||
|     <dependencies> | ||||
|         <dependency> | ||||
|             <groupId>org.owasp.webgoat</groupId> | ||||
|             <artifactId>webgoat-server</artifactId> | ||||
|             <version>${project.version}</version> | ||||
|         </dependency> | ||||
|         <dependency> | ||||
|             <groupId>org.owasp.webgoat</groupId> | ||||
|             <artifactId>webgoat-server</artifactId> | ||||
|             <version>${project.version}</version> | ||||
|             <classifier>internal</classifier> | ||||
|         </dependency> | ||||
|         <dependency> | ||||
|             <groupId>org.owasp.webgoat</groupId> | ||||
|             <artifactId>webwolf</artifactId> | ||||
|             <version>${project.version}</version> | ||||
|             <classifier>internal</classifier> | ||||
|         </dependency> | ||||
|         <dependency> | ||||
|             <groupId>org.owasp.webgoat</groupId> | ||||
|             <artifactId>webwolf</artifactId> | ||||
|             <version>${project.version}</version> | ||||
|         </dependency> | ||||
| 		<dependency> | ||||
| 			<groupId>org.springframework.boot</groupId> | ||||
| 			<artifactId>spring-boot-starter-test</artifactId> | ||||
| 			<scope>test</scope> | ||||
| 		</dependency> | ||||
| 		<dependency> | ||||
| 			<groupId>io.rest-assured</groupId> | ||||
| 			<artifactId>rest-assured</artifactId> | ||||
| 			<version>4.0.0</version> | ||||
| 			<scope>test</scope> | ||||
| 		</dependency> | ||||
|  | ||||
|     </dependencies> | ||||
|  | ||||
|     <build> | ||||
|         <plugins> | ||||
|             <plugin> | ||||
|                 <groupId>org.apache.maven.plugins</groupId> | ||||
|                 <artifactId>maven-surefire-plugin</artifactId> | ||||
|                 <version>${maven-surefire-plugin.version}</version> | ||||
|                 <configuration> | ||||
|                     <forkCount>0</forkCount> | ||||
|                     <reuseForks>true</reuseForks> | ||||
|                     <argLine> | ||||
|                         --illegal-access=permit | ||||
|                     </argLine> | ||||
|                 </configuration> | ||||
|             </plugin> | ||||
|         </plugins> | ||||
|     </build> | ||||
|  | ||||
| </project> | ||||
| @ -0,0 +1,127 @@ | ||||
| package org.owasp.webgoat; | ||||
|  | ||||
| import io.restassured.RestAssured; | ||||
| import io.restassured.http.ContentType; | ||||
| import org.hamcrest.CoreMatchers; | ||||
| import org.junit.Assert; | ||||
| import org.junit.Test; | ||||
|  | ||||
| import java.util.HashMap; | ||||
| import java.util.Map; | ||||
|  | ||||
|  | ||||
| public class GeneralLessonTest extends IntegrationTest { | ||||
|  | ||||
|     @Test | ||||
|     public void httpBasics() { | ||||
|         startLesson("HttpBasics"); | ||||
|         Map<String, Object> params = new HashMap<>(); | ||||
|         params.clear(); | ||||
|         params.put("person", "goatuser"); | ||||
|         checkAssignment(url("HttpBasics/attack1"), params, true); | ||||
|  | ||||
|         params.clear(); | ||||
|         params.put("answer", "POST"); | ||||
|         params.put("magic_answer", "33"); | ||||
|         params.put("magic_num", "4"); | ||||
|         checkAssignment(url("HttpBasics/attack2"), params, false); | ||||
|  | ||||
|         params.clear(); | ||||
|         params.put("answer", "POST"); | ||||
|         params.put("magic_answer", "33"); | ||||
|         params.put("magic_num", "33"); | ||||
|         checkAssignment(url("HttpBasics/attack2"), params, true); | ||||
|  | ||||
|         checkResults("/HttpBasics/"); | ||||
|     } | ||||
|  | ||||
|     @Test | ||||
|     public void httpProxies() { | ||||
|         startLesson("HttpProxies"); | ||||
|         Assert.assertThat(RestAssured.given() | ||||
|                 .when().config(restConfig).cookie("JSESSIONID", getWebGoatCookie()).header("x-request-intercepted", "true") | ||||
|                 .contentType(ContentType.JSON) | ||||
|                 .get(url("HttpProxies/intercept-request?changeMe=Requests are tampered easily")) | ||||
|                 .then() | ||||
|                 .statusCode(200).extract().path("lessonCompleted"), CoreMatchers.is(true)); | ||||
|  | ||||
|         checkResults("/HttpProxies/"); | ||||
|     } | ||||
|  | ||||
|     @Test | ||||
|     public void cia() { | ||||
|         startLesson("CIA"); | ||||
|         Map<String, Object> params = new HashMap<>(); | ||||
|         params.clear(); | ||||
|         params.put("question_0_solution", "Solution 3: By stealing a database where names and emails are stored and uploading it to a website."); | ||||
|         params.put("question_1_solution", "Solution 1: By changing the names and emails of one or more users stored in a database."); | ||||
|         params.put("question_2_solution", "Solution 4: By launching a denial of service attack on the servers."); | ||||
|         params.put("question_3_solution", "Solution 2: The systems security is compromised even if only one goal is harmed."); | ||||
|         checkAssignment(url("/WebGoat/cia/quiz"), params, true); | ||||
|         checkResults("/cia/"); | ||||
|  | ||||
|     } | ||||
|  | ||||
|     @Test | ||||
|     public void securePasswords() { | ||||
|         startLesson("SecurePasswords"); | ||||
|         Map<String, Object> params = new HashMap<>(); | ||||
|         params.clear(); | ||||
|         params.put("password", "ajnaeliclm^&&@kjn."); | ||||
|         checkAssignment(url("/WebGoat/SecurePasswords/assignment"), params, true); | ||||
|         checkResults("SecurePasswords/"); | ||||
|  | ||||
|         startLesson("AuthBypass"); | ||||
|         params.clear(); | ||||
|         params.put("secQuestion2", "John"); | ||||
|         params.put("secQuestion3", "Main"); | ||||
|         params.put("jsEnabled", "1"); | ||||
|         params.put("verifyMethod", "SEC_QUESTIONS"); | ||||
|         params.put("userId", "12309746"); | ||||
|         checkAssignment(url("/WebGoat/auth-bypass/verify-account"), params, true); | ||||
|         checkResults("/auth-bypass/"); | ||||
|  | ||||
|         startLesson("HttpProxies"); | ||||
|         Assert.assertThat(RestAssured.given().when().config(restConfig).cookie("JSESSIONID", getWebGoatCookie()).header("x-request-intercepted", "true") | ||||
|                 .contentType(ContentType.JSON) | ||||
|                 .get(url("/WebGoat/HttpProxies/intercept-request?changeMe=Requests are tampered easily")).then() | ||||
|                 .statusCode(200).extract().path("lessonCompleted"), CoreMatchers.is(true)); | ||||
|         checkResults("/HttpProxies/"); | ||||
|  | ||||
|     } | ||||
|  | ||||
|     @Test | ||||
|     public void chrome() { | ||||
|         startLesson("ChromeDevTools"); | ||||
|  | ||||
|         Map<String, Object> params = new HashMap<>(); | ||||
|         params.clear(); | ||||
|         params.put("param1", "42"); | ||||
|         params.put("param2", "24"); | ||||
|  | ||||
|         String result = | ||||
|                 RestAssured.given() | ||||
|                         .when() | ||||
|                         .config(restConfig) | ||||
|                         .cookie("JSESSIONID", getWebGoatCookie()) | ||||
|                         .header("webgoat-requested-by", "dom-xss-vuln") | ||||
|                         .header("X-Requested-With", "XMLHttpRequest") | ||||
|                         .formParams(params) | ||||
|                         .post(url("/WebGoat/CrossSiteScripting/phone-home-xss")) | ||||
|                         .then() | ||||
|                         .statusCode(200) | ||||
|                         .extract().path("output"); | ||||
|         String secretNumber = result.substring("phoneHome Response is ".length()); | ||||
|  | ||||
|         params.clear(); | ||||
|         params.put("successMessage", secretNumber); | ||||
|         checkAssignment(url("/WebGoat/ChromeDevTools/dummy"), params, true); | ||||
|  | ||||
|         params.clear(); | ||||
|         params.put("number", "24"); | ||||
|         params.put("network_num", "24"); | ||||
|         checkAssignment(url("/WebGoat/ChromeDevTools/network"), params, true); | ||||
|  | ||||
|         checkResults("/ChromeDevTools/"); | ||||
|     } | ||||
| } | ||||
| @ -0,0 +1,200 @@ | ||||
| package org.owasp.webgoat; | ||||
|  | ||||
| import io.restassured.RestAssured; | ||||
| import io.restassured.config.RestAssuredConfig; | ||||
| import io.restassured.config.SSLConfig; | ||||
| import lombok.Getter; | ||||
| import org.hamcrest.CoreMatchers; | ||||
| import org.junit.After; | ||||
| import org.junit.Assert; | ||||
| import org.junit.Before; | ||||
| import org.junit.BeforeClass; | ||||
| import org.owasp.webwolf.WebWolf; | ||||
| import org.springframework.boot.builder.SpringApplicationBuilder; | ||||
|  | ||||
| import java.io.IOException; | ||||
| import java.net.ServerSocket; | ||||
| import java.util.Map; | ||||
| import java.util.UUID; | ||||
|  | ||||
| public abstract class IntegrationTest { | ||||
|  | ||||
|     private static String WEBGOAT_URL = "http://localhost:8080/WebGoat/"; | ||||
|     private static String WEBWOLF_URL = "http://localhost:9090/"; | ||||
|  | ||||
|     //This also allows to test the application with HTTPS when outside testing option is used | ||||
|     protected static RestAssuredConfig restConfig = RestAssuredConfig.newConfig().sslConfig(new SSLConfig().relaxedHTTPSValidation()); | ||||
|  | ||||
|     @Getter | ||||
|     private String webGoatCookie; | ||||
|     @Getter | ||||
|     private String webWolfCookie; | ||||
|     @Getter | ||||
|     private String webgoatUser = UUID.randomUUID().toString(); | ||||
|  | ||||
|     private static boolean started = false; | ||||
|  | ||||
|     @BeforeClass | ||||
|     public static void beforeAll() { | ||||
|         if (!started) { | ||||
|             started = true; | ||||
|             if (!areAlreadyRunning()) { | ||||
|                 SpringApplicationBuilder wgs = new SpringApplicationBuilder(StartWebGoat.class) | ||||
|                         .properties(Map.of("spring.config.name", "application-webgoat")); | ||||
|                 wgs.run(); | ||||
|                 SpringApplicationBuilder wws = new SpringApplicationBuilder(WebWolf.class) | ||||
|                         .properties(Map.of("spring.config.name", "application-webwolf")); | ||||
|                 wws.run(); | ||||
|             } | ||||
|         } | ||||
|     } | ||||
|  | ||||
|     private static boolean areAlreadyRunning() { | ||||
|         return checkIfServerIsRunnningOn(9090) && checkIfServerIsRunnningOn(8080); | ||||
|     } | ||||
|  | ||||
|     private static boolean checkIfServerIsRunnningOn(int port) { | ||||
|         try (var ignored = new ServerSocket(port)) { | ||||
|             return false; | ||||
|         } catch (IOException e) { | ||||
|             return true; | ||||
|         } | ||||
|     } | ||||
|  | ||||
|     protected String url(String url) { | ||||
|         url = url.replaceFirst("/WebGoat/", ""); | ||||
|         url = url.replaceFirst("/WebGoat", ""); | ||||
|         url = url.startsWith("/") ? url.replaceFirst("/", "") : url; | ||||
|         return WEBGOAT_URL + url; | ||||
|     } | ||||
|  | ||||
|     protected String webWolfUrl(String url) { | ||||
|         url = url.startsWith("/") ? url.replaceFirst("/", "") : url; | ||||
|         return WEBWOLF_URL + url; | ||||
|     } | ||||
|  | ||||
|     @Before | ||||
|     public void login() { | ||||
|         webGoatCookie = RestAssured.given() | ||||
|                 .when() | ||||
|                 .config(restConfig) | ||||
|                 .formParam("username", webgoatUser) | ||||
|                 .formParam("password", "password") | ||||
|                 .formParam("matchingPassword", "password") | ||||
|                 .formParam("agree", "agree") | ||||
|                 .post(url("register.mvc")) | ||||
|                 .then() | ||||
|                 .cookie("JSESSIONID") | ||||
|                 .statusCode(302) | ||||
|                 .extract() | ||||
|                 .cookie("JSESSIONID"); | ||||
|  | ||||
|         webWolfCookie = RestAssured.given() | ||||
|                 .when() | ||||
|                 .config(restConfig) | ||||
|                 .formParam("username", webgoatUser) | ||||
|                 .formParam("password", "password") | ||||
|                 .post(WEBWOLF_URL + "login") | ||||
|                 .then() | ||||
|                 .cookie("WEBWOLFSESSION") | ||||
|                 .statusCode(302) | ||||
|                 .extract() | ||||
|                 .cookie("WEBWOLFSESSION"); | ||||
|     } | ||||
|  | ||||
|     @After | ||||
|     public void logout() { | ||||
|         RestAssured.given() | ||||
|                 .when() | ||||
|                 .config(restConfig) | ||||
|                 .get(WEBGOAT_URL + "logout") | ||||
|                 .then() | ||||
|                 .statusCode(200); | ||||
|     } | ||||
|  | ||||
|     /** | ||||
|      * At start of a lesson. The .lesson.lesson is visited and the lesson is reset. | ||||
|      * | ||||
|      * @param lessonName | ||||
|      */ | ||||
|     public void startLesson(String lessonName) { | ||||
|         RestAssured.given() | ||||
|                 .when() | ||||
|                 .config(restConfig) | ||||
|                 .cookie("JSESSIONID", getWebGoatCookie()) | ||||
|                 .get(url(lessonName + ".lesson.lesson")) | ||||
|                 .then() | ||||
|                 .statusCode(200); | ||||
|  | ||||
|         RestAssured.given() | ||||
|                 .when() | ||||
|                 .config(restConfig) | ||||
|                 .cookie("JSESSIONID", getWebGoatCookie()) | ||||
|                 .get(url("service/restartlesson.mvc")) | ||||
|                 .then() | ||||
|                 .statusCode(200); | ||||
|     } | ||||
|  | ||||
|     /** | ||||
|      * Helper method for most common type of test. | ||||
|      * POST with parameters. | ||||
|      * Checks for 200 and lessonCompleted as indicated by expectedResult | ||||
|      * | ||||
|      * @param url | ||||
|      * @param params | ||||
|      * @param expectedResult | ||||
|      */ | ||||
|     public void checkAssignment(String url, Map<String, ?> params, boolean expectedResult) { | ||||
|         Assert.assertThat( | ||||
|                 RestAssured.given() | ||||
|                         .when() | ||||
|                         .config(restConfig) | ||||
|                         .cookie("JSESSIONID", getWebGoatCookie()) | ||||
|                         .formParams(params) | ||||
|                         .post(url) | ||||
|                         .then() | ||||
|                         .statusCode(200) | ||||
|                         .extract().path("lessonCompleted"), CoreMatchers.is(expectedResult)); | ||||
|     } | ||||
|  | ||||
|     /** | ||||
|      * Helper method for most common type of test. | ||||
|      * PUT with parameters. | ||||
|      * Checks for 200 and lessonCompleted as indicated by expectedResult | ||||
|      * | ||||
|      * @param url | ||||
|      * @param params | ||||
|      * @param expectedResult | ||||
|      */ | ||||
|     public void checkAssignmentWithPUT(String url, Map<String, ?> params, boolean expectedResult) { | ||||
|         Assert.assertThat( | ||||
|                 RestAssured.given() | ||||
|                         .when() | ||||
|                         .config(restConfig) | ||||
|                         .cookie("JSESSIONID", getWebGoatCookie()) | ||||
|                         .formParams(params) | ||||
|                         .put(url) | ||||
|                         .then() | ||||
|                         .statusCode(200) | ||||
|                         .extract().path("lessonCompleted"), CoreMatchers.is(expectedResult)); | ||||
|     } | ||||
|  | ||||
|     public void checkResults(String prefix) { | ||||
|         Assert.assertThat(RestAssured.given() | ||||
|                 .when() | ||||
|                 .config(restConfig) | ||||
|                 .cookie("JSESSIONID", getWebGoatCookie()) | ||||
|                 .get(url("service/lessonoverview.mvc")) | ||||
|                 .then() | ||||
|                 .statusCode(200).extract().jsonPath().getList("solved"), CoreMatchers.everyItem(CoreMatchers.is(true))); | ||||
|  | ||||
|         Assert.assertThat(RestAssured.given() | ||||
|                 .when() | ||||
|                 .config(restConfig) | ||||
|                 .cookie("JSESSIONID", getWebGoatCookie()) | ||||
|                 .get(url("service/lessonoverview.mvc")) | ||||
|                 .then() | ||||
|                 .statusCode(200).extract().jsonPath().getList("assignment.path"), CoreMatchers.everyItem(CoreMatchers.startsWith(prefix))); | ||||
|  | ||||
|     } | ||||
| } | ||||
| @ -0,0 +1,76 @@ | ||||
| package org.owasp.webgoat; | ||||
|  | ||||
| import io.restassured.RestAssured; | ||||
| import org.assertj.core.api.Assertions; | ||||
| import org.junit.Test; | ||||
|  | ||||
| import java.util.Map; | ||||
|  | ||||
| public class PasswordResetLessonTest extends IntegrationTest { | ||||
|  | ||||
|     @Test | ||||
|     public void solveAssignment() { | ||||
|         //WebGoat | ||||
|         startLesson("PasswordReset"); | ||||
|         clickForgotEmailLink("tom@webgoat-cloud.org"); | ||||
|  | ||||
|         //WebWolf | ||||
|         var link = getPasswordResetLinkFromLandingPage(); | ||||
|  | ||||
|         //WebGoat | ||||
|         changePassword(link); | ||||
|         checkAssignment(url("PasswordReset/reset/login"), Map.of("email", "tom@webgoat-cloud.org", "password", "123456"), true); | ||||
|     } | ||||
|  | ||||
|     @Test | ||||
|     public void sendEmailShouldBeAvailabeInWebWolf() { | ||||
|         startLesson("PasswordReset"); | ||||
|         clickForgotEmailLink(getWebgoatUser() + "@webgoat.org"); | ||||
|  | ||||
|         var responseBody = RestAssured.given() | ||||
|                 .when() | ||||
|                 .config(restConfig) | ||||
|                 .cookie("WEBWOLFSESSION", getWebWolfCookie()) | ||||
|                 .get(webWolfUrl("/WebWolf/mail")) | ||||
|                 .then() | ||||
|                 .extract().response().getBody().asString(); | ||||
|  | ||||
|         Assertions.assertThat(responseBody).contains("Hi, you requested a password reset link"); | ||||
|     } | ||||
|  | ||||
|     private void changePassword(String link) { | ||||
|         RestAssured.given() | ||||
|                 .when() | ||||
|                 .config(restConfig) | ||||
|                 .cookie("JSESSIONID", getWebGoatCookie()) | ||||
|                 .formParams("resetLink", link, "password", "123456") | ||||
|                 .post(url("PasswordReset/reset/change-password")) | ||||
|                 .then() | ||||
|                 .statusCode(200); | ||||
|     } | ||||
|  | ||||
|     private String getPasswordResetLinkFromLandingPage() { | ||||
|         var responseBody = RestAssured.given() | ||||
|                 .when() | ||||
|                 .config(restConfig) | ||||
|                 .cookie("WEBWOLFSESSION", getWebWolfCookie()) | ||||
|                 .get(webWolfUrl("WebWolf/requests")) | ||||
|                 .then() | ||||
|                 .extract().response().getBody().asString(); | ||||
|         int startIndex = responseBody.lastIndexOf("\"path\" : \"/PasswordReset/reset/reset-password/"); | ||||
|         var link = responseBody.substring(startIndex + "\"path\" : \"/PasswordReset/reset/reset-password/".length(), responseBody.indexOf(",", startIndex) - 1); | ||||
|         return link; | ||||
|     } | ||||
|  | ||||
|     private void clickForgotEmailLink(String user) { | ||||
|         RestAssured.given() | ||||
|                 .when() | ||||
|                 .header("host", "localhost:9090") | ||||
|                 .config(restConfig) | ||||
|                 .cookie("JSESSIONID", getWebGoatCookie()) | ||||
|                 .formParams("email", user) | ||||
|                 .post(url("PasswordReset/ForgotPassword/create-password-reset-link")) | ||||
|                 .then() | ||||
|                 .statusCode(200); | ||||
|     } | ||||
| } | ||||
| @ -0,0 +1,49 @@ | ||||
| package org.owasp.webgoat; | ||||
|  | ||||
| import org.junit.Test; | ||||
|  | ||||
| import java.util.HashMap; | ||||
| import java.util.Map; | ||||
|  | ||||
| public class SqlInjectionAdvancedTest extends IntegrationTest { | ||||
|  | ||||
|     @Test | ||||
|     public void runTests() { | ||||
|         startLesson("SqlInjectionAdvanced"); | ||||
|  | ||||
|         Map<String, Object> params = new HashMap<>(); | ||||
|         params.clear(); | ||||
|         params.put("username_reg", "tom' AND substring(password,1,1)='t"); | ||||
|         params.put("password_reg", "password"); | ||||
|         params.put("email_reg", "someone@microsoft.com"); | ||||
|         params.put("confirm_password", "password"); | ||||
|         checkAssignmentWithPUT(url("/WebGoat/SqlInjectionAdvanced/challenge"), params, true); | ||||
|  | ||||
|         params.clear(); | ||||
|         params.put("username_login", "tom"); | ||||
|         params.put("password_login", "thisisasecretfortomonly"); | ||||
|         checkAssignment(url("/WebGoat/SqlInjectionAdvanced/challenge_Login"), params, true); | ||||
|  | ||||
|         params.clear(); | ||||
|         params.put("userid_6a", "'; SELECT * FROM user_system_data;--"); | ||||
|         checkAssignment(url("/WebGoat/SqlInjectionAdvanced/attack6a"), params, true); | ||||
|  | ||||
|         params.clear(); | ||||
|         params.put("userid_6a", "Smith' union select userid,user_name, user_name,user_name,password,cookie,userid from user_system_data --"); | ||||
|         checkAssignment(url("/WebGoat/SqlInjectionAdvanced/attack6a"), params, true); | ||||
|  | ||||
|         params.clear(); | ||||
|         params.put("userid_6b", "passW0rD"); | ||||
|         checkAssignment(url("/WebGoat/SqlInjectionAdvanced/attack6b"), params, true); | ||||
|  | ||||
|         params.clear(); | ||||
|         params.put("question_0_solution", "Solution 4: A statement has got values instead of a prepared statement"); | ||||
|         params.put("question_1_solution", "Solution 3: ?"); | ||||
|         params.put("question_2_solution", "Solution 2: Prepared statements are compiled once by the database management system waiting for input and are pre-compiled this way."); | ||||
|         params.put("question_3_solution", "Solution 3: Placeholders can prevent that the users input gets attached to the SQL query resulting in a seperation of code and data."); | ||||
|         params.put("question_4_solution", "Solution 4: The database registers 'Robert' ); DROP TABLE Students;--'."); | ||||
|         checkAssignment(url("/WebGoat/SqlInjectionAdvanced/quiz"), params, true); | ||||
|  | ||||
|         checkResults("/SqlInjectionAdvanced/"); | ||||
|     } | ||||
| } | ||||
| @ -0,0 +1,82 @@ | ||||
| package org.owasp.webgoat; | ||||
|  | ||||
| import org.junit.Test; | ||||
|  | ||||
| import java.util.HashMap; | ||||
| import java.util.Map; | ||||
|  | ||||
| public class SqlInjectionLessonTest extends IntegrationTest { | ||||
|  | ||||
|     private static final String sql_2 = "select department from employees where last_name='Franco'"; | ||||
|     private static final String sql_3 = "update employees set department='Sales' where last_name='Barnett'"; | ||||
|     private static final String sql_4_drop = "alter table employees drop column phone"; | ||||
|     private static final String sql_4_add = "alter table employees add column phone varchar(20)"; | ||||
|     private static final String sql_5 = "grant alter table to UnauthorizedUser"; | ||||
|     private static final String sql_9_account = " ' "; | ||||
|     private static final String sql_9_operator = "or"; | ||||
|     private static final String sql_9_injection = "'1'='1"; | ||||
|     private static final String sql_10_login_count = "2"; | ||||
|     private static final String sql_10_userid = "1 or 1=1"; | ||||
|  | ||||
|     private static final String sql_11_a = "Smith' or '1' = '1"; | ||||
|     private static final String sql_11_b = "3SL99A'  or '1'='1"; | ||||
|  | ||||
|     private static final String sql_12_a = "Smith"; | ||||
|     private static final String sql_12_b = "3SL99A' ; update employees set salary= '100000' where last_name='Smith"; | ||||
|  | ||||
|     private static final String sql_13 = "%update% '; drop table access_log ; --'"; | ||||
|  | ||||
|     @Test | ||||
|     public void runTests() { | ||||
|         startLesson("SqlInjection"); | ||||
|  | ||||
|         Map<String, Object> params = new HashMap<>(); | ||||
|         params.clear(); | ||||
|         params.put("query", sql_2); | ||||
|         checkAssignment(url("/WebGoat/SqlInjection/attack2"), params, true); | ||||
|  | ||||
|         params.clear(); | ||||
|         params.put("query", sql_3); | ||||
|         checkAssignment(url("/WebGoat/SqlInjection/attack3"), params, true); | ||||
|  | ||||
|         params.clear(); | ||||
|         params.put("query", sql_4_drop); | ||||
|         checkAssignment(url("/WebGoat/SqlInjection/attack4"), params, false); | ||||
|  | ||||
|         params.clear(); | ||||
|         params.put("query", sql_4_add); | ||||
|         checkAssignment(url("/WebGoat/SqlInjection/attack4"), params, true); | ||||
|  | ||||
|         params.clear(); | ||||
|         params.put("query", sql_5); | ||||
|         checkAssignment(url("/WebGoat/SqlInjection/attack5"), params, true); | ||||
|  | ||||
|         params.clear(); | ||||
|         params.put("operator", sql_9_operator); | ||||
|         params.put("account", sql_9_account); | ||||
|         params.put("injection", sql_9_injection); | ||||
|         checkAssignment(url("/WebGoat/SqlInjection/assignment5a"), params, true); | ||||
|  | ||||
|         params.clear(); | ||||
|         params.put("login_count", sql_10_login_count); | ||||
|         params.put("userid", sql_10_userid); | ||||
|         checkAssignment(url("/WebGoat/SqlInjection/assignment5b"), params, true); | ||||
|  | ||||
|         params.clear(); | ||||
|         params.put("name", sql_11_a); | ||||
|         params.put("auth_tan", sql_11_b); | ||||
|         checkAssignment(url("/WebGoat/SqlInjection/attack8"), params, true); | ||||
|  | ||||
|         params.clear(); | ||||
|         params.put("name", sql_12_a); | ||||
|         params.put("auth_tan", sql_12_b); | ||||
|         checkAssignment(url("/WebGoat/SqlInjection/attack9"), params, true); | ||||
|  | ||||
|         params.clear(); | ||||
|         params.put("action_string", sql_13); | ||||
|         checkAssignment(url("/WebGoat/SqlInjection/attack10"), params, true); | ||||
|  | ||||
|         checkResults("/SqlInjection/"); | ||||
|  | ||||
|     } | ||||
| } | ||||
| @ -0,0 +1,39 @@ | ||||
| package org.owasp.webgoat; | ||||
|  | ||||
| import org.junit.Test; | ||||
|  | ||||
| import java.util.HashMap; | ||||
| import java.util.Map; | ||||
|  | ||||
| public class SqlInjectionMitigationTest extends IntegrationTest { | ||||
|  | ||||
| 	@Test | ||||
| 	public void runTests() { | ||||
| 		startLesson("SqlInjectionMitigations"); | ||||
| 		 | ||||
| 		Map<String, Object> params = new HashMap<>(); | ||||
| 		params.clear(); | ||||
| 		params.put("field1", "getConnection"); | ||||
| 		params.put("field2", "PreparedStatement prep"); | ||||
| 		params.put("field3", "prepareStatement"); | ||||
| 		params.put("field4", "?"); | ||||
| 		params.put("field5", "?"); | ||||
| 		params.put("field6", "prep.setString(1,\"\")"); | ||||
| 		params.put("field7", "prep.setString(2,\\\"\\\")"); | ||||
| 		checkAssignment(url("/WebGoat/SqlInjectionMitigations/attack10a"), params, true); | ||||
| 	 | ||||
| 		params.put("editor", "try {\r\n" +  | ||||
| 				"    Connection conn = DriverManager.getConnection(DBURL,DBUSER,DBPW);\r\n" +  | ||||
| 				"    PreparedStatement prep = conn.prepareStatement(\"select id from users where name = ?\");\r\n" +  | ||||
| 				"    prep.setString(1,\"me\");\r\n" +  | ||||
| 				"    prep.execute();\r\n" +  | ||||
| 				"    System.out.println(conn);   //should output 'null'\r\n" +  | ||||
| 				"} catch (Exception e) {\r\n" +  | ||||
| 				"    System.out.println(\"Oops. Something went wrong!\");\r\n" +  | ||||
| 				"}"); | ||||
| 		checkAssignment(url("/WebGoat/SqlInjectionMitigations/attack10b"), params, true); | ||||
| 		 | ||||
| 		//checkResults(webGoatCookie, webgoatURL, "/SqlInjectionMitigations/"); | ||||
| 	 | ||||
| 	} | ||||
| } | ||||
| @ -0,0 +1,15 @@ | ||||
| <configuration /> | ||||
|  | ||||
| <!-- | ||||
| Enable below if you want to debug a unit test and see why the controller fails the configuration above is there | ||||
| to keep the Travis build going otherwise it fails with too much logging. | ||||
| //TODO we should use a different Spring profile for Travis | ||||
| --> | ||||
|  | ||||
| <!-- | ||||
| <configuration> | ||||
| <include resource="org/springframework/boot/logging/logback/base.xml"/> | ||||
| <logger name="org.springframework.web" level="DEBUG"/> | ||||
| </configuration> | ||||
|  | ||||
| --> | ||||
		Reference in New Issue
	
	Block a user