dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
WebGoat/src/main/resources/lessons/sqlinjection/html/SqlInjection.html
René Zubcevic d1e44bbc98
Password reset link test condition more strict and move all WebWolf links to /WebWolf (#1645) 
* better check on host and port for password reset and make context roots more flexible

* spotless applied

* removed hardcoded /WebGoat from js

* removed hardcoded /WebGoat from js

* fix spotless

* fix scoreboard

* upgrade WebWolf bootstrap version and icons and templates - part 1

* fixed more bootstrap 5 style issues and context path issues

* organized WebSecurityConfig based on latest conventions and added basic support for oauth (more work needed)

* spotless applied

* added mock bean

* requires updates to properties - commented for now

* requires updates to properties - commented for now

* oauth secrets through env values

* user creation after oauth login

* integration test against non default context paths

* adjusted StartupMessage

* add global model element username

* conditionally show login oauth links

* fixed WebWolf login

---------

Co-authored-by: René Zubcevic <rene@Mac-mini-van-Rene.local>
2023-11-14 10:01:59 +01:00

294 lines
12 KiB
HTML
Raw Blame History

<!DOCTYPE html>
<html xmlns:th="http://www.thymeleaf.org">
<link rel="stylesheet" type="text/css" th:href="@{/lesson_css/assignments.css}"/>
<!--Page 1-->
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="~{doc:lessons/sqlinjection/documentation/SqlInjection_introduction_plan.adoc}"></div>
</div>
<!--Page 2-->
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="~{doc:lessons/sqlinjection/documentation/SqlInjection_introduction_content1.adoc}"></div>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<form class="attack-form" accept-charset="UNKNOWN"
method="POST" name="form"
action="SqlInjection/attack2"
autocomplete="off">
<table>
<tr>
<td><label>SQL query</label></td>
<td width="100%"><input class="form-control" name="query" value="" type="TEXT" placeholder="SQL query"/></td>
</tr>
<tr>
<td><button type="SUBMIT">Submit</button></td>
</tr>
</table>
</form>
<div class="attack-feedback"></div>
<div class="attack-output"></div>
</div>
</div>
<!--Page 3-->
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="~{doc:lessons/sqlinjection/documentation/SqlInjection_introduction_content2.adoc}"></div>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<form class="attack-form" accept-charset="UNKNOWN"
method="POST" name="form"
action="SqlInjection/attack3"
autocomplete="off">
<table>
<tr>
<td><label>SQL query</label></td>
<td width="100%"><input class="form-control" name="query" value="" type="TEXT" placeholder="SQL query"/></td>
</tr>
<tr>
<td><button type="SUBMIT">Submit</button></td>
</tr>
</table>
</form>
<div class="attack-feedback"></div>
<div class="attack-output"></div>
</div>
</div>
<!--Page 4-->
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="~{doc:lessons/sqlinjection/documentation/SqlInjection_introduction_content3.adoc}"></div>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<form class="attack-form" accept-charset="UNKNOWN"
method="POST" name="form"
action="SqlInjection/attack4"
autocomplete="off">
<table>
<tr>
<td><label>SQL query</label></td>
<td width="100%"><input class="form-control" name="query" value="" type="TEXT" placeholder="SQL query"/></td>
</tr>
<tr>
<td><button type="SUBMIT">Submit</button></td>
</tr>
</table>
</form>
<div class="attack-feedback"></div>
<div class="attack-output"></div>
</div>
</div>
<!--Page 5-->
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="~{doc:lessons/sqlinjection/documentation/SqlInjection_introduction_content4.adoc}"></div>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<form class="attack-form" accept-charset="UNKNOWN"
method="POST" name="form"
action="SqlInjection/attack5"
autocomplete="off">
<table>
<tr>
<td><label>SQL query</label></td>
<td width="100%"><input class="form-control" name="query" value="" type="TEXT" placeholder="SQL query"/></td>
</tr>
<tr>
<td><button type="SUBMIT">Submit</button></td>
</tr>
</table>
</form>
<div class="attack-feedback"></div>
<div class="attack-output"></div>
</div>
</div>
<!--Page 6-->
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="~{doc:lessons/sqlinjection/documentation/SqlInjection_introduction_content5_before.adoc}"></div>
<div>
<label for="username-preview">Username:</label>
<input id="preview-input" type="text" name="username" val=""/>
<div class="listingblock">
<div class="content">
<pre>"SELECT * FROM users WHERE name = '<span id="input-preview" style="font-weight: bold;"></span>'";</pre>
</div>
</div>
<script>
$(document).ready( () => {
$("#preview-input").on("keyup", (e) => {
$("#input-preview").text(e.target.value);
});
});
</script>
</div>
<div class="adoc-content" th:replace="~{doc:lessons/sqlinjection/documentation/SqlInjection_introduction_content5_after.adoc}"></div>
</div>
<!--Page 7-->
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="~{doc:lessons/sqlinjection/documentation/SqlInjection_introduction_content6.adoc}"></div>
</div>
<!--Page 8-->
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="~{doc:lessons/sqlinjection/documentation/SqlInjection_introduction_content7.adoc}"></div>
</div>
<!--Page 9-->
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="~{doc:lessons/sqlinjection/documentation/SqlInjection_introduction_content11.adoc}"></div>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<form class="attack-form" accept-charset="UNKNOWN"
method="POST" name="form"
action="SqlInjection/assignment5a">
<table>
<tr>
<td>SELECT * FROM user_data WHERE first_name = 'John' AND last_name = '</td>
<td><select name="account">
<option>Smith</option>
<option>'Smith</option>
<option>'</option>
<option>'Smith'</option>
<option>Smith'</option>
</select></td>
<td>
<select name="operator">
<option>or</option>
<option>and</option>
<option>and not</option>
</select>
</td>
<td>
<select name="injection">
<option>1 = 1</option>
<option>1 = 2</option>
<option>1' = '2</option>
<option>'1' = '1</option>
<option>'1' = '2</option>
<option>Last_Name = 'Smith</option>
</select>
</td>
<td>'</td>
<td><input
name="Get Account Info" value="Get Account Info" type="SUBMIT"/></td>
</tr>
</table>
</form>
<div class="attack-feedback"></div>
<div class="attack-output"></div>
</div>
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="~{doc:lessons/sqlinjection/documentation/SqlInjection_introduction_content12.adoc}"></div>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<form class="attack-form" accept-charset="UNKNOWN"
method="POST" name="form"
action="SqlInjection/assignment5b">
<table>
<tr>
<td>Login_Count:</td>
<td><input name="login_count" type="text" required="true"/></td>
</tr>
<tr>
<td>User_Id:</td>
<td><input name="userid" type="TEXT" required="true"/></td>
</tr>
<tr>
<td></td>
<td><input
name="Get Account Info" value="Get Account Info" type="SUBMIT"/></td>
</tr>
</table>
</form>
<div class="attack-feedback"></div>
<div class="attack-output"></div>
</div>
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="~{doc:lessons/sqlinjection/documentation/SqlInjection_introduction_content8.adoc}"></div>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<form class="attack-form" accept-charset="UNKNOWN"
method="POST" name="form"
action="SqlInjection/attack8"
autocomplete="off">
<table>
<tr>
<td><label>Employee Name:</label></td>
<td><input name="name" value="" type="TEXT" placeholder="Lastname"/></td>
</tr>
<tr>
<td><label>Authentication TAN:</label></td>
<td><input name="auth_tan" value="" type="TEXT" placeholder="TAN"/></td>
</tr>
<tr>
<td><button type="SUBMIT">Get department</button></td>
</tr>
</table>
</form>
<div class="attack-feedback"></div>
<div class="attack-output"></div>
</div>
</div>
<!--Page 10-->
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="~{doc:lessons/sqlinjection/documentation/SqlInjection_introduction_content9.adoc}"></div>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<form class="attack-form" accept-charset="UNKNOWN"
method="POST" name="form"
action="SqlInjection/attack9"
autocomplete="off">
<table>
<tr>
<td><label>Employee Name:</label></td>
<td><input name="name" value="" type="TEXT" placeholder="Lastname"/></td>
</tr>
<tr>
<td><label>Authentication TAN:</label></td>
<td><input name="auth_tan" value="" type="TEXT" placeholder="TAN"/></td>
</tr>
<tr>
<td><button type="SUBMIT">Get department</button></td>
</tr>
</table>
</form>
<div class="attack-feedback"></div>
<div class="attack-output"></div>
</div>
</div>
<!--Page 11-->
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="~{doc:lessons/sqlinjection/documentation/SqlInjection_introduction_content10.adoc}"></div>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<form class="attack-form" accept-charset="UNKNOWN"
method="POST" name="form"
action="SqlInjection/attack10"
autocomplete="off">
<table>
<tr>
<td><label>Action contains:</label></td>
<td><input name="action_string" value="" type="TEXT" placeholder="Enter search string"/></td>
</tr>
<tr>
<td><button type="SUBMIT">Search logs</button></td>
</tr>
</table>
</form>
<div class="attack-feedback"></div>
<div class="attack-output"></div>
</div>
</div>
</html>
Reference in New Issue View Git Blame Copy Permalink