d1e44bbc98
* better check on host and port for password reset and make context roots more flexible * spotless applied * removed hardcoded /WebGoat from js * removed hardcoded /WebGoat from js * fix spotless * fix scoreboard * upgrade WebWolf bootstrap version and icons and templates - part 1 * fixed more bootstrap 5 style issues and context path issues * organized WebSecurityConfig based on latest conventions and added basic support for oauth (more work needed) * spotless applied * added mock bean * requires updates to properties - commented for now * requires updates to properties - commented for now * oauth secrets through env values * user creation after oauth login * integration test against non default context paths * adjusted StartupMessage * add global model element username * conditionally show login oauth links * fixed WebWolf login --------- Co-authored-by: René Zubcevic <rene@Mac-mini-van-Rene.local>
86 lines
2.9 KiB
Java
86 lines
2.9 KiB
Java
package org.owasp.webgoat;
|
|
|
|
import static org.hamcrest.CoreMatchers.containsString;
|
|
|
|
import io.restassured.RestAssured;
|
|
import io.restassured.http.ContentType;
|
|
import java.util.HashMap;
|
|
import java.util.Map;
|
|
import org.junit.jupiter.api.Test;
|
|
|
|
public class SqlInjectionMitigationIntegrationTest extends IntegrationTest {
|
|
|
|
@Test
|
|
public void runTests() {
|
|
startLesson("SqlInjectionMitigations");
|
|
|
|
Map<String, Object> params = new HashMap<>();
|
|
params.clear();
|
|
params.put("field1", "getConnection");
|
|
params.put("field2", "PreparedStatement prep");
|
|
params.put("field3", "prepareStatement");
|
|
params.put("field4", "?");
|
|
params.put("field5", "?");
|
|
params.put("field6", "prep.setString(1,\"\")");
|
|
params.put("field7", "prep.setString(2,\\\"\\\")");
|
|
checkAssignment(url("SqlInjectionMitigations/attack10a"), params, true);
|
|
|
|
params.put(
|
|
"editor",
|
|
"try {\r\n"
|
|
+ " Connection conn = DriverManager.getConnection(DBURL,DBUSER,DBPW);\r\n"
|
|
+ " PreparedStatement prep = conn.prepareStatement(\"select id from users where name"
|
|
+ " = ?\");\r\n"
|
|
+ " prep.setString(1,\"me\");\r\n"
|
|
+ " prep.execute();\r\n"
|
|
+ " System.out.println(conn); //should output 'null'\r\n"
|
|
+ "} catch (Exception e) {\r\n"
|
|
+ " System.out.println(\"Oops. Something went wrong!\");\r\n"
|
|
+ "}");
|
|
checkAssignment(url("SqlInjectionMitigations/attack10b"), params, true);
|
|
|
|
params.clear();
|
|
params.put(
|
|
"userid_sql_only_input_validation", "Smith';SELECT/**/*/**/from/**/user_system_data;--");
|
|
checkAssignment(url("SqlOnlyInputValidation/attack"), params, true);
|
|
|
|
params.clear();
|
|
params.put(
|
|
"userid_sql_only_input_validation_on_keywords",
|
|
"Smith';SESELECTLECT/**/*/**/FRFROMOM/**/user_system_data;--");
|
|
checkAssignment(url("SqlOnlyInputValidationOnKeywords/attack"), params, true);
|
|
|
|
RestAssured.given()
|
|
.when()
|
|
.relaxedHTTPSValidation()
|
|
.cookie("JSESSIONID", getWebGoatCookie())
|
|
.contentType(ContentType.JSON)
|
|
.get(
|
|
url(
|
|
"SqlInjectionMitigations/servers?column=(case when (true) then hostname"
|
|
+ " else id end)"))
|
|
.then()
|
|
.statusCode(200);
|
|
|
|
RestAssured.given()
|
|
.when()
|
|
.relaxedHTTPSValidation()
|
|
.cookie("JSESSIONID", getWebGoatCookie())
|
|
.contentType(ContentType.JSON)
|
|
.get(url("SqlInjectionMitigations/servers?column=unknown"))
|
|
.then()
|
|
.statusCode(500)
|
|
.body(
|
|
"trace",
|
|
containsString(
|
|
"select id, hostname, ip, mac, status, description from SERVERS where status <>"
|
|
+ " 'out of order' order by"));
|
|
|
|
params.clear();
|
|
params.put("ip", "104.130.219.202");
|
|
checkAssignment(url("SqlInjectionMitigations/attack12a"), params, true);
|
|
|
|
checkResults();
|
|
}
|
|
}
|