#StringSqlInjection.java sql.injection.title=SQL Injection (introduction) sql.mitigation.title=SQL Injection (mitigation) sql.advanced.title=SQL Injection (advanced) SqlInjectionChallenge1=Look at the different response you receive from the server SqlInjectionChallenge2=The vulnerability is on the register form SqlInjectionChallenge3=Use tooling to automate this attack sql-injection.error=Sorry, this solution is not correct. Try again! NoResultsMatched=No results matched. Try Again. ResultsButNotTom=Try To login as Tom! sql-injection.2.success=You have succeeded! sql-injection.2.failed=Something went wrong! You got no results, check your SQL Statement and the table above. SqlStringInjectionHint2-1=You want the data from the column with the name department. You know the database name (employees) and you know the first- and lastname of the employee (first_name, last_name). SqlStringInjectionHint2-2=SELECT column FROM tablename WHERE condition; SqlStringInjectionHint2-3=Use ' instead of " when comparing two strings. SqlStringInjectionHint2-4=Pay attention to case sensitivity when comparing two strings. SqlStringInjectionHint3-1=Try the UPDATE statement SqlStringInjectionHint3-2=UPDATE table name SET column name=value WHERE condition; SqlStringInjectionHint4-1=ALTER TABLE alters the structure of an existing database SqlStringInjectionHint4-2=Do not forget the data type of the new column (e.g. varchar(size) or int(size)) SqlStringInjectionHint4-3=ALTER TABLE table name ADD column name data type(size); SqlStringInjectionHint5-a=Look at the example. There is everything you will need. sql-injection.5a.success=You have succeeded: {0} sql-injection.5a.no.results=No results matched. Try Again. sql-injection.5b.success=You have succeeded: {0} sql-injection.5b.no.results=No results matched. Try Again. SqlStringInjectionHint5b1=Try to check which of the input fields is susceptible to an injection attack. SqlStringInjectionHint5b2=Insert: 0 or 1 = 1 into the first input field. The output should tell you if this field is injectable. SqlStringInjectionHint5b3=The first input field is not susceptible to sql injection. SqlStringInjectionHint5b4=You do not need to insert any quotations into your injection-string. sql-injection.6a.success=You have succeeded: {0} sql-injection.6a.no.results=No results matched. Try Again. sql-injection.advanced.6a.success=You have succeeded: {0} sql-injection.advanced.6a.no.results=No results matched. Try Again. SqlStringInjectionHint-advanced-6a-1=Remember that when using an UNION each SELECT statement within UNION must have the same number of columns. SqlStringInjectionHint-advanced-6a-2=The data type of a column in the first SELECT statement must have a similar data type to that in the second SELECT statement. SqlStringInjectionHint-advanced-6a-3=Your new SQL query must end with a comment. eg: -- SqlStringInjectionHint-advanced-6a-4=If a column needs a String you could substitute something like 'a String' for it. For integers you could substitute a 1. SqlStringInjectionHint-advanced-6a-5=Try something like: Smith' UNION SELECT userid,user_name, password, 'a', 'b', 'c', 1 from user_system_data -- sql-injection.6b.success=You have succeeded: {0} sql-injection.6b.no.results=No results matched. Try Again. sql-injection.8.success=You have succeeded! You successfully compromised the confidentiality of data by viewing internal information that you should not have access to. Well done! sql-injection.8.no.results=No employee found with matching last name. Or maybe your authentication TAN is incorrect? sql-injection.8.one=That is only one account. You want them all! Try again. SqlStringInjectionHint.8.1=The application is taking your input and inserting the values into the variables 'name' and 'auth_tan' of the pre-formed SQL command. SqlStringInjectionHint.8.2=Compound SQL statements can be made by expanding the WHERE clause of the statement with keywords like AND and OR. SqlStringInjectionHint.8.3=Try appending a SQL statement that always resolves to true. SqlStringInjectionHint.8.4=Make sure all quotes (" ' ") are opened and closed properly so the resulting SQL query is syntactically correct. SqlStringInjectionHint.8.5=Try extending the WHERE clause of the statement by adding something like: ' OR '1' = '1. sql-injection.9.success=Well done! Now you are earning the most money. And at the same time you successfully compromised the integrity of data by changing the salary! sql-injection.9.one=Still not earning enough! Better try again and change that. SqlStringInjectionHint.9.1=Try to find a way, to chain another query to the end of the existing one. SqlStringInjectionHint.9.2=Use the ; metacharacter to do so. SqlStringInjectionHint.9.3=Make use of DML to change your salary. SqlStringInjectionHint.9.4=Make sure that the resulting query is syntactically correct. SqlStringInjectionHint.9.5=How about something like '; UPDATE employees.... sql-injection.10.success=Success! You successfully deleted the access_log table and that way compromised the availability of the data. sql-injection.10.entries=There is still evidence of what you did. Better remove the whole table. sql-injection.10b.success=You did it! Your code can prevent an SQL injection attack! sql-injection.10b.failed=Something does not seem right with that code. Maybe you should look at an example how to prevent SQL injections with JDBC? sql-injection.10b.no-code=You need to write some code. sql-injection.10b.compiler-errors=Could not compile code: SqlStringInjectionHint.10.1=Use the techniques that you have learned before. SqlStringInjectionHint.10.2=The application takes your input and filters for entries that are LIKE it. SqlStringInjectionHint.10.3=Try query chaining to reach the goal. SqlStringInjectionHint.10.4=The DDL allows you to delete (DROP) database tables. SqlStringInjectionHint.10.5=The underlying SQL query looks like that: "SELECT * FROM access_log WHERE action LIKE '%" + action + "%'". SqlStringInjectionHint.10.6=Remember that you can use the -- metacharacter to comment out the rest of the line. SqlStringInjectionHint-mitigation-10a-1=First establish a connection, after that you can create a statement. SqlStringInjectionHint-mitigation-10a-2=For every data type there is a method to insert values into a wildcard symbol in a statement. SqlStringInjectionHint-mitigation-10b-1=A database connection has to be surrounded by a try-catch block to handle the very common case of an error while establishing the connection. SqlStringInjectionHint-mitigation-10b-2=Remember to use the right kind of statement, so your code is no longer vulnerable for SQL injections. SqlStringInjectionHint-mitigation-10b-3=The wildcard symbol '?' in a prepared statement can be filled with the right kind of method. There exists one for every data type. SqlStringInjectionHint-mitigation-10b-4=Make sure to execute your statement. SqlStringInjectionHint-mitigation-10b-5=View the previous lesson to check back on how you can build set up a connection. SqlStringInjectionHint-mitigation-12a-1=Try sorting and look at the request SqlStringInjectionHint-mitigation-12a-2=Intercept the request and try to specify a different order by SqlStringInjectionHint-mitigation-12a-3=Use for example "(case when (true) then hostname else id end)" in the order by and see what happens SqlStringInjectionHint-mitigation-12a-4=Use for example "(case when (true) then hostname else id end)" in the order by and see what happens SqlInjectionChallengeHint1=The table name is randomized at each start of WebGoat, try to figure out the name first. SqlInjectionChallengeHint2=Find the field which is vulnerable to SQL injection use that to change the password. SqlInjectionChallengeHint3=Change the password through an UPDATE Statement. SqlInjectionChallengeHint4=The vulnerable field is the username field of the register form.