From 438c2a76bbba9c80aa0b5acaf48e80ea1c33f4cf Mon Sep 17 00:00:00 2001
From: "pixeebot[bot]" <104101892+pixeebot[bot]@users.noreply.github.com>
Date: Tue, 11 Jun 2024 21:51:18 +0000
Subject: [PATCH] Refactored to use parameterized SQL APIs
---
.../advanced/SqlInjectionChallenge.java | 10 ++++---
.../advanced/SqlInjectionLesson6a.java | 14 +++++----
.../introduction/SqlInjectionLesson10.java | 14 +++++----
.../introduction/SqlInjectionLesson5a.java | 14 +++++----
.../introduction/SqlInjectionLesson8.java | 30 +++++++++----------
.../introduction/SqlInjectionLesson9.java | 16 +++++-----
6 files changed, 52 insertions(+), 46 deletions(-)
diff --git a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionChallenge.java b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionChallenge.java
index 95f86ca02..eb7086476 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionChallenge.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionChallenge.java
@@ -23,6 +23,7 @@
package org.owasp.webgoat.lessons.sqlinjection.advanced;
import java.sql.*;
+import java.sql.PreparedStatement;
import lombok.extern.slf4j.Slf4j;
import org.owasp.webgoat.container.LessonDataSource;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
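Review bot: The added `import java.sql.PreparedStatement;` is redundant here because the line above it already imports `java.sql.*`; the same redundant import is added in SqlInjectionLesson6a and SqlInjectionLesson5a, and Checkstyle/Error Prone will flag it. In SqlInjectionLesson10, which uses single-type imports, the existing `import java.sql.Statement;` is probably unused once `createStatement` is gone — worth confirming and removing. In SqlInjectionLesson8 and SqlInjectionLesson9 the new import is inserted ahead of the `import static` lines, which the usual Java import ordering puts last, so a formatter pass would move it.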
@@ -64,10 +65,10 @@ public AttackResult registerNewUser(
try (Connection connection = dataSource.getConnection()) {
String checkUserQuery =
- "select userid from sql_challenge_users where userid = '" + username_reg + "'";
- Statement statement = connection.createStatement();
- ResultSet resultSet = statement.executeQuery(checkUserQuery);
-
+ "select userid from sql_challenge_users where userid = ?";
+ PreparedStatement statement = connection.prepareStatement(checkUserQuery);
+ statement.setString(1, username_reg);
+ ResultSet resultSet = statement.execute();
if (resultSet.next()) {
if (username_reg.contains("tom'")) {
attackResult = success(this).feedback("user.exists").build();
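Review bot: `ResultSet resultSet = statement.execute();` on the new side will not compile — `PreparedStatement.execute()` returns a `boolean`, and only `executeQuery()` yields a `ResultSet`; the line should be `ResultSet resultSet = statement.executeQuery();`. The same mistake is repeated in every other query hunk of this patch (SqlInjectionLesson6a, SqlInjectionLesson10, SqlInjectionLesson5a, SqlInjectionLesson8's injectableQueryConfidentiality and SqlInjectionLesson9), so all six need the same one-line change before the module builds; the `execute()` in SqlInjectionLesson8.log() is an INSERT and is fine as written. Separately, these classes are WebGoat training endpoints whose completion checks appear to depend on the query remaining injectable — the success branch just below still tests `username_reg.contains("tom'")` — so binding the value likely makes the lesson impossible to pass, which the commit message should acknowledge as a deliberate decision if it is one. registerNewUser starts before this hunk and continues past it.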
@@ -83,6 +84,7 @@ public AttackResult registerNewUser(
preparedStatement.execute();
attackResult = success(this).feedback("user.created").feedbackArgs(username_reg).build();
}
+
} catch (SQLException e) {
attackResult = failed(this).output("Something went wrong").build();
}
diff --git a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionLesson6a.java b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionLesson6a.java
index 313c73910..56d244544 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionLesson6a.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionLesson6a.java
@@ -23,6 +23,7 @@
package org.owasp.webgoat.lessons.sqlinjection.advanced;
import java.sql.*;
+import java.sql.PreparedStatement;
import org.owasp.webgoat.container.LessonDataSource;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AssignmentHints;
@@ -63,16 +64,16 @@ public AttackResult injectableQuery(String accountName) {
String query = "";
try (Connection connection = dataSource.getConnection()) {
boolean usedUnion = true;
- query = "SELECT * FROM user_data WHERE last_name = '" + accountName + "'";
+ query = "SELECT * FROM user_data WHERE last_name = ?";
// Check if Union is used
if (!accountName.matches("(?i)(^[^-/*;)]*)(\\s*)UNION(.*$)")) {
usedUnion = false;
}
- try (Statement statement =
- connection.createStatement(
- ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY)) {
- ResultSet results = statement.executeQuery(query);
-
+ try (PreparedStatement statement =
+ connection.prepareStatement(
+query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY)) {
+ statement.setString(1, accountName);
+ ResultSet results = statement.execute();
if ((results != null) && results.first()) {
ResultSetMetaData resultsMetaData = results.getMetaData();
StringBuilder output = new StringBuilder();
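Review bot: The `usedUnion` regex check on `accountName` and the later `YOUR_QUERY_WAS + query` output now describe a query that no longer contains the input, because the value is bound through `setString` and `query` holds only the `?` template; the UNION detection therefore can no longer influence what the database executes, and the feedback shows the learner a query text that does not reflect what they typed. Either the detection and the echoed query should be reworked to use the bound value, or a comment such as `// accountName is bound as a parameter; the UNION check only affects lesson feedback` should say why it is kept. injectableQuery starts before this hunk and continues past it.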
@@ -104,6 +105,7 @@ public AttackResult injectableQuery(String accountName) {
.output(YOUR_QUERY_WAS + query)
.build();
}
+
} catch (SQLException sqle) {
return failed(this).output(sqle.getMessage() + YOUR_QUERY_WAS + query).build();
}
diff --git a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson10.java b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson10.java
index 55f802116..005f5f6d3 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson10.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson10.java
@@ -23,6 +23,7 @@
package org.owasp.webgoat.lessons.sqlinjection.introduction;
import java.sql.Connection;
+import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
@@ -61,15 +62,15 @@ public AttackResult completed(@RequestParam String action_string) {
protected AttackResult injectableQueryAvailability(String action) {
StringBuilder output = new StringBuilder();
- String query = "SELECT * FROM access_log WHERE action LIKE '%" + action + "%'";
+ String query = "SELECT * FROM access_log WHERE action LIKE ?";
try (Connection connection = dataSource.getConnection()) {
try {
- Statement statement =
- connection.createStatement(
- ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
- ResultSet results = statement.executeQuery(query);
-
+ PreparedStatement statement =
+ connection.prepareStatement(
+query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
+ statement.setString(1, "%" + action + "%");
+ ResultSet results = statement.execute();
if (results.getStatement() != null) {
results.first();
output.append(SqlInjectionLesson8.generateTable(results));
@@ -87,6 +88,7 @@ protected AttackResult injectableQueryAvailability(String action) {
return success(this).feedback("sql-injection.10.success").build();
}
}
+
} catch (SQLException e) {
if (tableExists(connection)) {
return failed(this)
diff --git a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5a.java b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5a.java
index 59a29ff10..60102b864 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5a.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5a.java
@@ -23,6 +23,7 @@
package org.owasp.webgoat.lessons.sqlinjection.introduction;
import java.sql.*;
+import java.sql.PreparedStatement;
import org.owasp.webgoat.container.LessonDataSource;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AssignmentHints;
@@ -60,12 +61,12 @@ protected AttackResult injectableQuery(String accountName) {
String query = "";
try (Connection connection = dataSource.getConnection()) {
query =
- "SELECT * FROM user_data WHERE first_name = 'John' and last_name = '" + accountName + "'";
- try (Statement statement =
- connection.createStatement(
- ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_UPDATABLE)) {
- ResultSet results = statement.executeQuery(query);
-
+ "SELECT * FROM user_data WHERE first_name = 'John' and last_name = ?";
+ try (PreparedStatement statement =
+ connection.prepareStatement(
+query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_UPDATABLE)) {
+ statement.setString(1, accountName);
+ ResultSet results = statement.execute();
if ((results != null) && (results.first())) {
ResultSetMetaData resultsMetaData = results.getMetaData();
StringBuilder output = new StringBuilder();
@@ -89,6 +90,7 @@ protected AttackResult injectableQuery(String accountName) {
.output("Your query was: " + query)
.build();
}
+
} catch (SQLException sqle) {
return failed(this).output(sqle.getMessage() + "
Your query was: " + query).build();
}
diff --git a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson8.java b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson8.java
index ae7fbb9f4..d6c77cb58 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson8.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson8.java
@@ -22,6 +22,7 @@
package org.owasp.webgoat.lessons.sqlinjection.introduction;
+import java.sql.PreparedStatement;
import static java.sql.ResultSet.CONCUR_UPDATABLE;
import static java.sql.ResultSet.TYPE_SCROLL_SENSITIVE;
@@ -63,20 +64,17 @@ public AttackResult completed(@RequestParam String name, @RequestParam String au
protected AttackResult injectableQueryConfidentiality(String name, String auth_tan) {
StringBuilder output = new StringBuilder();
String query =
- "SELECT * FROM employees WHERE last_name = '"
- + name
- + "' AND auth_tan = '"
- + auth_tan
- + "'";
+ "SELECT * FROM employees WHERE last_name = ? AND auth_tan = ?";
try (Connection connection = dataSource.getConnection()) {
try {
- Statement statement =
- connection.createStatement(
- ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_UPDATABLE);
+ PreparedStatement statement =
+ connection.prepareStatement(
+query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_UPDATABLE);
log(connection, query);
- ResultSet results = statement.executeQuery(query);
-
+ statement.setString(1, name);
+ statement.setString(2, auth_tan);
+ ResultSet results = statement.execute();
if (results.getStatement() != null) {
if (results.first()) {
output.append(generateTable(results));
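Review bot: `log(connection, query)` now records the literal template `SELECT * FROM employees WHERE last_name = ? AND auth_tan = ?` because the call happens before the parameters are bound and `query` no longer carries the submitted values; if the access_log rows are meant to show what the learner sent (SqlInjectionLesson10 reads that table back), the name should be passed explicitly, while `auth_tan` is a credential and should stay out of the log regardless. The same applies to `SqlInjectionLesson8.log(connection, query)` in SqlInjectionLesson9. The new `PreparedStatement` is also never closed; `try (PreparedStatement statement = connection.prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_UPDATABLE)) {` would release it on every path, fixing a leak the old `Statement` already had. injectableQueryConfidentiality continues past this hunk.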
@@ -100,6 +98,7 @@ protected AttackResult injectableQueryConfidentiality(String name, String auth_t
} else {
return failed(this).build();
}
+
} catch (SQLException e) {
return failed(this)
.output("
" + e.getMessage() + "")
@@ -148,15 +147,16 @@ public static void log(Connection connection, String action) {
action = action.replace('\'', '"');
Calendar cal = Calendar.getInstance();
SimpleDateFormat sdf = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss");
- String time = sdf.format(cal.getTime());
String logQuery =
- "INSERT INTO access_log (time, action) VALUES ('" + time + "', '" + action + "')";
+ "INSERT INTO access_log (time, action) VALUES (?, ?)";
try {
- Statement statement = connection.createStatement(TYPE_SCROLL_SENSITIVE, CONCUR_UPDATABLE);
- statement.executeUpdate(logQuery);
- } catch (SQLException e) {
+ PreparedStatement statement = connection.prepareStatement(logQuery, TYPE_SCROLL_SENSITIVE, CONCUR_UPDATABLE);
+ statement.setString(1, sdf.format(cal.getTime()));
+ statement.setString(2, action);
+ statement.execute();
+ } catch (SQLException e) {
System.err.println(e.getMessage());
}
}
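Review bot: The new `PreparedStatement` in log() is never closed; `try (PreparedStatement statement = connection.prepareStatement(logQuery)) {` would release it on every path, including the `SQLException` one, and the scroll/concurrency constants are meaningless for an INSERT so they can be dropped at the same time. With `action` now bound via `setString`, the `action.replace('\'', '"')` at the top of the hunk no longer serves its original purpose of keeping the concatenated literal intact; it is harmless but silently rewrites the stored text, so either remove it or add `// kept for display consistency in the access_log table` if that is the intent. The `prepareStatement` line is also far longer than the wrapping used elsewhere in this file (the same is true of the one in SqlInjectionLesson9), so a formatter pass is worth running before merge.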
diff --git a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson9.java b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson9.java
index 3df08175a..4136ee6f1 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson9.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson9.java
@@ -22,6 +22,7 @@
package org.owasp.webgoat.lessons.sqlinjection.introduction;
+import java.sql.PreparedStatement;
import static org.hsqldb.jdbc.JDBCResultSet.CONCUR_UPDATABLE;
import static org.hsqldb.jdbc.JDBCResultSet.TYPE_SCROLL_SENSITIVE;
@@ -64,17 +65,14 @@ public AttackResult completed(@RequestParam String name, @RequestParam String au
protected AttackResult injectableQueryIntegrity(String name, String auth_tan) {
StringBuilder output = new StringBuilder();
String query =
- "SELECT * FROM employees WHERE last_name = '"
- + name
- + "' AND auth_tan = '"
- + auth_tan
- + "'";
+ "SELECT * FROM employees WHERE last_name = ? AND auth_tan = ?";
try (Connection connection = dataSource.getConnection()) {
try {
- Statement statement = connection.createStatement(TYPE_SCROLL_SENSITIVE, CONCUR_UPDATABLE);
+ PreparedStatement statement = connection.prepareStatement(query, TYPE_SCROLL_SENSITIVE, CONCUR_UPDATABLE);
SqlInjectionLesson8.log(connection, query);
- ResultSet results = statement.executeQuery(query);
- var test = results.getRow() != 0;
+ statement.setString(1, name);
+ statement.setString(2, auth_tan);
+ ResultSet results = statement.execute();
if (results.getStatement() != null) {
if (results.first()) {
output.append(SqlInjectionLesson8.generateTable(results));
@@ -83,7 +81,7 @@ protected AttackResult injectableQueryIntegrity(String name, String auth_tan) {
return failed(this).feedback("sql-injection.8.no.results").build();
}
}
- } catch (SQLException e) {
+ } catch (SQLException e) {
System.err.println(e.getMessage());
return failed(this)
.output("
" + e.getMessage() + "")