Split large SQL lesson

WebGoat · Jun 11, 2017 · 6c63973 · 6c63973
1 parent 129e9de
commit 6c63973
Show file tree

Hide file tree

Showing 10 changed files with 332 additions and 109 deletions.
diff --git a/...at-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/SqlInjectionAdvanced.java b/...at-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/SqlInjectionAdvanced.java
@@ -0,0 +1,63 @@
+package org.owasp.webgoat.plugin;
+
+import org.owasp.webgoat.lessons.Category;
+import org.owasp.webgoat.lessons.NewLesson;
+
+import java.util.ArrayList;
+import java.util.List;
+
+/**
+ * ************************************************************************************************
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ * please see http://www.owasp.org/
+ * <p>
+ * Copyright (c) 2002 - 20014 Bruce Mayhew
+ * <p>
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ * <p>
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ * <p>
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ * <p>
+ * Getting Source ==============
+ * <p>
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
+ * projects.
+ * <p>
+ *
+ * @author WebGoat
+ * @version $Id: $Id
+ * @since October 12, 2016
+ */
+public class SqlInjectionAdvanced extends NewLesson {
+    @Override
+    public Category getDefaultCategory() {
+        return Category.INJECTION;
+    }
+
+    @Override
+    public List<String> getHints() {
+        return new ArrayList<>();
+    }
+
+    @Override
+    public Integer getDefaultRanking() {
+        return 1;
+    }
+
+    @Override
+    public String getTitle() {
+        return "SQL Injection (advanced)";
+    }
+
+    @Override
+    public String getId() {
+        return "SqlInjectionAdvanced";
+    }
+}
diff --git a/...at-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/SqlInjectionLesson6a.java b/...at-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/SqlInjectionLesson6a.java
@@ -48,7 +48,7 @@
  * @created October 28, 2003
  */
 @AssignmentPath("/SqlInjection/attack6a")
-@AssignmentHints(value = {"SqlStringInjectionHint5", "SqlStringInjectionHint6"})
+@AssignmentHints(value = {"SqlStringInjectionHint5", "SqlStringInjectionHint6", "SqlStringInjectionHint7"})
 public class SqlInjectionLesson6a extends AssignmentEndpoint {
 
     @RequestMapping(method = RequestMethod.POST)

diff --git a/...lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/SqlInjectionMitigations.java b/...lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/SqlInjectionMitigations.java
@@ -0,0 +1,63 @@
+package org.owasp.webgoat.plugin;
+
+import org.owasp.webgoat.lessons.Category;
+import org.owasp.webgoat.lessons.NewLesson;
+
+import java.util.ArrayList;
+import java.util.List;
+
+/**
+ * ************************************************************************************************
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ * please see http://www.owasp.org/
+ * <p>
+ * Copyright (c) 2002 - 20014 Bruce Mayhew
+ * <p>
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ * <p>
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ * <p>
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ * <p>
+ * Getting Source ==============
+ * <p>
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
+ * projects.
+ * <p>
+ *
+ * @author WebGoat
+ * @version $Id: $Id
+ * @since October 12, 2016
+ */
+public class SqlInjectionMitigations extends NewLesson {
+    @Override
+    public Category getDefaultCategory() {
+        return Category.INJECTION;
+    }
+
+    @Override
+    public List<String> getHints() {
+        return new ArrayList<>();
+    }
+
+    @Override
+    public Integer getDefaultRanking() {
+        return 1;
+    }
+
+    @Override
+    public String getTitle() {
+        return "SQL Injection (mitigations)";
+    }
+
+    @Override
+    public String getId() {
+        return "SqlInjectionMitigations";
+    }
+}
diff --git a/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjection.html b/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjection.html
@@ -71,78 +71,4 @@
     </div>
 </div>
 
-<div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:SqlInjection_content6.adoc"></div>
-</div>
-
-<div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:SqlInjection_content6a.adoc"></div>
-    <div class="attack-container">
-        <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
-        <form class="attack-form" accept-charset="UNKNOWN"
-              method="POST" name="form"
-              action="/WebGoat/SqlInjection/attack6a"
-              enctype="application/json;charset=UTF-8">
-            <table>
-                <tr>
-                    <td>Name:</td>
-                    <td><input name="userid_6a" value="" type="TEXT"/></td>
-                    <td><input
-                            name="Get Account Info" value="Get Account Info" type="SUBMIT"/></td>
-                    <td></td>
-                </tr>
-            </table>
-        </form>
-        <div class="attack-feedback"></div>
-        <div class="attack-output"></div>
-    </div>
-    <div class="attack-container">
-        <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
-        <form class="attack-form" accept-charset="UNKNOWN"
-              method="POST" name="form"
-              action="/WebGoat/SqlInjection/attack6b"
-              enctype="application/json;charset=UTF-8">
-            <table>
-                <tr>
-                    <td>Password:</td>
-                    <td><input name="userid_6b" value="" type="TEXT"/></td>
-                    <td><input
-                            name="Check Dave's Password:" value="Check Password" type="SUBMIT"/></td>
-                    <td></td>
-                </tr>
-            </table>
-        </form>
-        <div class="attack-feedback"></div>
-        <div class="attack-output"></div>
-    </div>
-
-</div>
-<div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:SqlInjection_content7.adoc"></div>
-</div>
-
-<div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:SqlInjection_content8.adoc"></div>
-</div>
-
-<div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:SqlInjection_content9.adoc"></div>
-</div>
-
-<div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:SqlInjection_content10.adoc"></div>
-</div>
-
-<div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:SqlInjection_content11.adoc"></div>
-</div>
-
-<div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:SqlInjection_content12.adoc"></div>
-</div>
-
-<div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:SqlInjection_content13.adoc"></div>
-</div>
-
 </html>
diff --git a/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjectionAdvanced.html b/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjectionAdvanced.html
@@ -0,0 +1,85 @@
+<!DOCTYPE html>
+
+<html xmlns:th="http://www.thymeleaf.org">
+
+
+<div class="lesson-page-wrapper">
+    <div class="adoc-content" th:replace="doc:SqlInjectionAdvanced_plan.adoc"></div>
+</div>
+
+
+<div class="lesson-page-wrapper">
+    <div class="adoc-content" th:replace="doc:SqlInjection_content6.adoc"></div>
+</div>
+
+<div class="lesson-page-wrapper">
+    <div class="adoc-content" th:replace="doc:SqlInjection_content6a.adoc"></div>
+    <div class="attack-container">
+        <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
+        <form class="attack-form" accept-charset="UNKNOWN"
+              method="POST" name="form"
+              action="/WebGoat/SqlInjection/attack6a"
+              enctype="application/json;charset=UTF-8">
+            <table>
+                <tr>
+                    <td>Name:</td>
+                    <td><input name="userid_6a" value="" type="TEXT"/></td>
+                    <td><input
+                            name="Get Account Info" value="Get Account Info" type="SUBMIT"/></td>
+                    <td></td>
+                </tr>
+            </table>
+        </form>
+        <div class="attack-feedback"></div>
+        <div class="attack-output"></div>
+    </div>
+    <div class="attack-container">
+        <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
+        <form class="attack-form" accept-charset="UNKNOWN"
+              method="POST" name="form"
+              action="/WebGoat/SqlInjection/attack6b"
+              enctype="application/json;charset=UTF-8">
+            <table>
+                <tr>
+                    <td>Password:</td>
+                    <td><input name="userid_6b" value="" type="TEXT"/></td>
+                    <td><input
+                            name="Check Dave's Password:" value="Check Password" type="SUBMIT"/></td>
+                    <td></td>
+                </tr>
+            </table>
+        </form>
+        <div class="attack-feedback"></div>
+        <div class="attack-output"></div>
+    </div>
+
+</div>
+<div class="lesson-page-wrapper">
+    <div class="adoc-content" th:replace="doc:SqlInjection_content7.adoc"></div>
+</div>
+
+<div class="lesson-page-wrapper">
+    <div class="adoc-content" th:replace="doc:SqlInjection_content8.adoc"></div>
+</div>
+
+<div class="lesson-page-wrapper">
+    <div class="adoc-content" th:replace="doc:SqlInjection_content9.adoc"></div>
+</div>
+
+<div class="lesson-page-wrapper">
+    <div class="adoc-content" th:replace="doc:SqlInjection_content10.adoc"></div>
+</div>
+
+<div class="lesson-page-wrapper">
+    <div class="adoc-content" th:replace="doc:SqlInjection_content11.adoc"></div>
+</div>
+
+<div class="lesson-page-wrapper">
+    <div class="adoc-content" th:replace="doc:SqlInjection_content12.adoc"></div>
+</div>
+
+<div class="lesson-page-wrapper">
+    <div class="adoc-content" th:replace="doc:SqlInjection_content13.adoc"></div>
+</div>
+
+</html>
diff --git a/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjectionMitigation.html b/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjectionMitigation.html
@@ -0,0 +1,85 @@
+<!DOCTYPE html>
+
+<html xmlns:th="http://www.thymeleaf.org">
+
+
+<div class="lesson-page-wrapper">
+    <div class="adoc-content" th:replace="doc:SqlInjectionAdvanced_plan.adoc"></div>
+</div>
+
+
+<div class="lesson-page-wrapper">
+    <div class="adoc-content" th:replace="doc:SqlInjection_content6.adoc"></div>
+</div>
+
+<div class="lesson-page-wrapper">
+    <div class="adoc-content" th:replace="doc:SqlInjection_content6a.adoc"></div>
+    <div class="attack-container">
+        <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
+        <form class="attack-form" accept-charset="UNKNOWN"
+              method="POST" name="form"
+              action="/WebGoat/SqlInjection/attack6a"
+              enctype="application/json;charset=UTF-8">
+            <table>
+                <tr>
+                    <td>Name:</td>
+                    <td><input name="userid_6a" value="" type="TEXT"/></td>
+                    <td><input
+                            name="Get Account Info" value="Get Account Info" type="SUBMIT"/></td>
+                    <td></td>
+                </tr>
+            </table>
+        </form>
+        <div class="attack-feedback"></div>
+        <div class="attack-output"></div>
+    </div>
+    <div class="attack-container">
+        <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
+        <form class="attack-form" accept-charset="UNKNOWN"
+              method="POST" name="form"
+              action="/WebGoat/SqlInjection/attack6b"
+              enctype="application/json;charset=UTF-8">
+            <table>
+                <tr>
+                    <td>Password:</td>
+                    <td><input name="userid_6b" value="" type="TEXT"/></td>
+                    <td><input
+                            name="Check Dave's Password:" value="Check Password" type="SUBMIT"/></td>
+                    <td></td>
+                </tr>
+            </table>
+        </form>
+        <div class="attack-feedback"></div>
+        <div class="attack-output"></div>
+    </div>
+
+</div>
+<div class="lesson-page-wrapper">
+    <div class="adoc-content" th:replace="doc:SqlInjection_content7.adoc"></div>
+</div>
+
+<div class="lesson-page-wrapper">
+    <div class="adoc-content" th:replace="doc:SqlInjection_content8.adoc"></div>
+</div>
+
+<div class="lesson-page-wrapper">
+    <div class="adoc-content" th:replace="doc:SqlInjection_content9.adoc"></div>
+</div>
+
+<div class="lesson-page-wrapper">
+    <div class="adoc-content" th:replace="doc:SqlInjection_content10.adoc"></div>
+</div>
+
+<div class="lesson-page-wrapper">
+    <div class="adoc-content" th:replace="doc:SqlInjection_content11.adoc"></div>
+</div>
+
+<div class="lesson-page-wrapper">
+    <div class="adoc-content" th:replace="doc:SqlInjection_content12.adoc"></div>
+</div>
+
+<div class="lesson-page-wrapper">
+    <div class="adoc-content" th:replace="doc:SqlInjection_content13.adoc"></div>
+</div>
+
+</html>
diff --git a/webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties b/webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties
@@ -6,8 +6,9 @@ SqlStringInjectionHint1=The application is taking your input and inserting it at
 SqlStringInjectionHint2=This is the code for the query being built and issued by WebGoat:<br><br> "SELECT * FROM user_data WHERE last_name = "accountName"
 SqlStringInjectionHint3=Compound SQL statements can be made by joining multiple tests with keywords like AND and OR. Try appending a SQL statement that always resolves to true
 SqlStringInjectionHint4=Try entering [ smith' OR '1' = '1 ].
-SqlStringInjectionHint5=Try adding a union to the query, the number of columns should match.
-SqlStringInjectionHint6=Try entering [ Smith' union select userid,user_name, password,cookie,cookie, cookie,userid from user_system_data -- ].
+SqlStringInjectionHint5=First try to find out the number of columns by adding a group by 1,2,3 etc to the query.
+SqlStringInjectionHint6=Try adding a union to the query, the number of columns should match.
+SqlStringInjectionHint7=Try entering [ Smith' union select userid,user_name, password,cookie,cookie, cookie,userid from user_system_data -- ].
 
 sql-injection.5a.success=You have succeed: {0}
 sql-injection.5a.no.results=No results matched. Try Again.