From 438c2a76bbba9c80aa0b5acaf48e80ea1c33f4cf Mon Sep 17 00:00:00 2001 From: "pixeebot[bot]" <104101892+pixeebot[bot]@users.noreply.github.com> Date: Tue, 11 Jun 2024 21:51:18 +0000 Subject: [PATCH] Refactored to use parameterized SQL APIs --- .../advanced/SqlInjectionChallenge.java | 10 ++++--- .../advanced/SqlInjectionLesson6a.java | 14 +++++---- .../introduction/SqlInjectionLesson10.java | 14 +++++---- .../introduction/SqlInjectionLesson5a.java | 14 +++++---- .../introduction/SqlInjectionLesson8.java | 30 +++++++++---------- .../introduction/SqlInjectionLesson9.java | 16 +++++----- 6 files changed, 52 insertions(+), 46 deletions(-) diff --git a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionChallenge.java b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionChallenge.java index 95f86ca02..eb7086476 100644 --- a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionChallenge.java +++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionChallenge.java @@ -23,6 +23,7 @@ package org.owasp.webgoat.lessons.sqlinjection.advanced; import java.sql.*; +import java.sql.PreparedStatement; import lombok.extern.slf4j.Slf4j; import org.owasp.webgoat.container.LessonDataSource; import org.owasp.webgoat.container.assignments.AssignmentEndpoint; 
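Review bot: `import java.sql.PreparedStatement;` is redundant here because the line directly above it already has `import java.sql.*;`, which covers the class; the same duplicate is added to SqlInjectionLesson6a and SqlInjectionLesson5a. In SqlInjectionLesson8 and SqlInjectionLesson9 the new import is instead placed between `package` and the static-import group rather than with the ordinary imports, which google-java-format will reorder on the next pass. Dropping the line in the three wildcard-import files and moving it into the regular import group in the other two keeps the import blocks consistent.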
@@ -64,10 +65,10 @@ public AttackResult registerNewUser( try (Connection connection = dataSource.getConnection()) { String checkUserQuery = - "select userid from sql_challenge_users where userid = '" + username_reg + "'"; - Statement statement = connection.createStatement(); - ResultSet resultSet = statement.executeQuery(checkUserQuery); - + "select userid from sql_challenge_users where userid = ?"; + PreparedStatement statement = connection.prepareStatement(checkUserQuery); + statement.setString(1, username_reg); + ResultSet resultSet = statement.execute(); if (resultSet.next()) { if (username_reg.contains("tom'")) { attackResult = success(this).feedback("user.exists").build(); @@ -83,6 +84,7 @@ public AttackResult registerNewUser( preparedStatement.execute(); attackResult = success(this).feedback("user.created").feedbackArgs(username_reg).build(); } + } catch (SQLException e) { attackResult = failed(this).output("Something went wrong").build(); } diff --git a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionLesson6a.java b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionLesson6a.java index 313c73910..56d244544 100644 --- a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionLesson6a.java +++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionLesson6a.java @@ -23,6 +23,7 @@ package org.owasp.webgoat.lessons.sqlinjection.advanced; import java.sql.*; +import java.sql.PreparedStatement; import org.owasp.webgoat.container.LessonDataSource; import org.owasp.webgoat.container.assignments.AssignmentEndpoint; import org.owasp.webgoat.container.assignments.AssignmentHints; 
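Review bot: `ResultSet resultSet = statement.execute();` does not compile, because `PreparedStatement.execute()` returns `boolean`; the result set is obtained with `ResultSet resultSet = statement.executeQuery();`. The same mistake is repeated in the SqlInjectionLesson6a, SqlInjectionLesson10, SqlInjectionLesson5a, SqlInjectionLesson8 and SqlInjectionLesson9 hunks, so none of the six files builds as submitted; only the INSERT in SqlInjectionLesson8.log, whose return value is discarded, is fine with `execute()`. Binding the value also changes the lesson's outcome: the success branch still tests `username_reg.contains("tom'")` after a row is found, which presumably relied on the quote reaching the SQL text, so the assignment logic would need to be revisited together with the query. registerNewUser's body continues outside the hunk.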
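Review bot: The added `}` before `} catch (SQLException e) {` has no matching opening brace, so the file no longer parses; the earlier hunk declares `PreparedStatement statement = connection.prepareStatement(checkUserQuery);` as a plain local rather than opening a try-with-resources, which looks like the intended pairing. Changing that declaration to `try (PreparedStatement statement = connection.prepareStatement(checkUserQuery)) {` both balances the braces and closes the statement when the block exits. The same stray `}` is added in SqlInjectionLesson10 and SqlInjectionLesson8, where the same fix applies, and in SqlInjectionLesson6a and SqlInjectionLesson5a, which already wrap the statement in try-with-resources and where the extra brace should simply be removed.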
@@ -63,16 +64,16 @@ public AttackResult injectableQuery(String accountName) { String query = ""; try (Connection connection = dataSource.getConnection()) { boolean usedUnion = true; - query = "SELECT * FROM user_data WHERE last_name = '" + accountName + "'"; + query = "SELECT * FROM user_data WHERE last_name = ?"; // Check if Union is used if (!accountName.matches("(?i)(^[^-/*;)]*)(\\s*)UNION(.*$)")) { usedUnion = false; } - try (Statement statement = - connection.createStatement( - ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY)) { - ResultSet results = statement.executeQuery(query); - + try (PreparedStatement statement = + connection.prepareStatement( +query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY)) { + statement.setString(1, accountName); + ResultSet results = statement.execute(); if ((results != null) && results.first()) { ResultSetMetaData resultsMetaData = results.getMetaData(); StringBuilder output = new StringBuilder(); @@ -104,6 +105,7 @@ public AttackResult injectableQuery(String accountName) { .output(YOUR_QUERY_WAS + query) .build(); } + } catch (SQLException sqle) { return failed(this).output(sqle.getMessage() + YOUR_QUERY_WAS + query).build(); } diff --git a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson10.java b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson10.java index 55f802116..005f5f6d3 100644 --- a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson10.java +++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson10.java @@ -23,6 +23,7 @@ package org.owasp.webgoat.lessons.sqlinjection.introduction; import java.sql.Connection; +import java.sql.PreparedStatement; import java.sql.ResultSet; import java.sql.SQLException; import java.sql.Statement; 
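Review bot: Parameterising `query` defeats the union check that follows it: `accountName.matches("(?i)(^[^-/*;)]*)(\\s*)UNION(.*$)")` is only meaningful while the input becomes part of the SQL text, and with `statement.setString(1, accountName)` a value containing UNION is merely compared against `last_name`, so `usedUnion` can no longer influence the result. These classes appear to be WebGoat's intentionally vulnerable lesson endpoints (feedback keys such as `user.exists` in the Challenge, and the `YOUR_QUERY_WAS + query` output, which after this change prints the `?` placeholder rather than the statement that ran), so if the change is meant to be merged the lesson logic and messages have to change together with the query; otherwise these lesson files should be excluded from the tool's scope. injectableQuery's body continues outside the hunk.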
@@ -61,15 +62,15 @@ public AttackResult completed(@RequestParam String action_string) { protected AttackResult injectableQueryAvailability(String action) { StringBuilder output = new StringBuilder(); - String query = "SELECT * FROM access_log WHERE action LIKE '%" + action + "%'"; + String query = "SELECT * FROM access_log WHERE action LIKE ?"; try (Connection connection = dataSource.getConnection()) { try { - Statement statement = - connection.createStatement( - ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY); - ResultSet results = statement.executeQuery(query); - + PreparedStatement statement = + connection.prepareStatement( +query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY); + statement.setString(1, "%" + action + "%"); + ResultSet results = statement.execute(); if (results.getStatement() != null) { results.first(); output.append(SqlInjectionLesson8.generateTable(results)); @@ -87,6 +88,7 @@ protected AttackResult injectableQueryAvailability(String action) { return success(this).feedback("sql-injection.10.success").build(); } } + } catch (SQLException e) { if (tableExists(connection)) { return failed(this) diff --git a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5a.java b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5a.java index 59a29ff10..60102b864 100644 --- a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5a.java +++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5a.java @@ -23,6 +23,7 @@ package org.owasp.webgoat.lessons.sqlinjection.introduction; import java.sql.*; +import java.sql.PreparedStatement; import org.owasp.webgoat.container.LessonDataSource; import org.owasp.webgoat.container.assignments.AssignmentEndpoint; import org.owasp.webgoat.container.assignments.AssignmentHints; 
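Review bot: Binding `"%" + action + "%"` removes the injection but leaves `%` and `_` inside `action` acting as LIKE wildcards, so a bare `%` still matches every row; if an exact substring search is intended, escape those two characters in the bound value and add an `ESCAPE` clause to the query. After this hunk nothing in the method references `Statement`, so the `import java.sql.Statement;` kept in the import hunk above is probably unused now; worth checking the rest of the file before removing it. injectableQueryAvailability's body continues outside the hunk.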
@@ -60,12 +61,12 @@ protected AttackResult injectableQuery(String accountName) { String query = ""; try (Connection connection = dataSource.getConnection()) { query = - "SELECT * FROM user_data WHERE first_name = 'John' and last_name = '" + accountName + "'"; - try (Statement statement = - connection.createStatement( - ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_UPDATABLE)) { - ResultSet results = statement.executeQuery(query); - + "SELECT * FROM user_data WHERE first_name = 'John' and last_name = ?"; + try (PreparedStatement statement = + connection.prepareStatement( +query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_UPDATABLE)) { + statement.setString(1, accountName); + ResultSet results = statement.execute(); if ((results != null) && (results.first())) { ResultSetMetaData resultsMetaData = results.getMetaData(); StringBuilder output = new StringBuilder(); @@ -89,6 +90,7 @@ protected AttackResult injectableQuery(String accountName) { .output("Your query was: " + query) .build(); } + } catch (SQLException sqle) { return failed(this).output(sqle.getMessage() + "
Your query was: " + query).build(); } diff --git a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson8.java b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson8.java index ae7fbb9f4..d6c77cb58 100644 --- a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson8.java +++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson8.java @@ -22,6 +22,7 @@ package org.owasp.webgoat.lessons.sqlinjection.introduction; +import java.sql.PreparedStatement; import static java.sql.ResultSet.CONCUR_UPDATABLE; import static java.sql.ResultSet.TYPE_SCROLL_SENSITIVE; @@ -63,20 +64,17 @@ public AttackResult completed(@RequestParam String name, @RequestParam String au protected AttackResult injectableQueryConfidentiality(String name, String auth_tan) { StringBuilder output = new StringBuilder(); String query = - "SELECT * FROM employees WHERE last_name = '" - + name - + "' AND auth_tan = '" - + auth_tan - + "'"; + "SELECT * FROM employees WHERE last_name = ? AND auth_tan = ?"; try (Connection connection = dataSource.getConnection()) { try { - Statement statement = - connection.createStatement( - ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_UPDATABLE); + PreparedStatement statement = + connection.prepareStatement( +query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_UPDATABLE); log(connection, query); - ResultSet results = statement.executeQuery(query); - + statement.setString(1, name); + statement.setString(2, auth_tan); + ResultSet results = statement.execute(); if (results.getStatement() != null) { if (results.first()) { output.append(generateTable(results)); @@ -100,6 +98,7 @@ protected AttackResult injectableQueryConfidentiality(String name, String auth_t } else { return failed(this).build(); } + } catch (SQLException e) { return failed(this) .output("
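Review bot: `log(connection, query)` now records the template `SELECT * FROM employees WHERE last_name = ? AND auth_tan = ?` instead of the statement that was actually executed, because `query` no longer contains `name` and `auth_tan`; the access_log that SqlInjectionLesson10 later searches therefore loses the submitted values, a behaviour change the commit message does not mention, and the same applies to `SqlInjectionLesson8.log(connection, query)` in SqlInjectionLesson9. If the log is meant to keep the inputs, pass them explicitly, e.g. `log(connection, query + " [" + name + "]");` — whether `auth_tan`, which reads as a credential-like value, belongs in that log at all should be decided deliberately rather than inherited from the old concatenation. The statement is also created before the `log` call and never closed; a try-with-resources as used in SqlInjectionLesson6a would pair with the `}` the next hunk adds. injectableQueryConfidentiality's body continues outside the hunk.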
" + e.getMessage() + "") @@ -148,15 +147,16 @@ public static void log(Connection connection, String action) { action = action.replace('\'', '"'); Calendar cal = Calendar.getInstance(); SimpleDateFormat sdf = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss"); - String time = sdf.format(cal.getTime()); String logQuery = - "INSERT INTO access_log (time, action) VALUES ('" + time + "', '" + action + "')"; + "INSERT INTO access_log (time, action) VALUES (?, ?)"; try { - Statement statement = connection.createStatement(TYPE_SCROLL_SENSITIVE, CONCUR_UPDATABLE); - statement.executeUpdate(logQuery); - } catch (SQLException e) { + PreparedStatement statement = connection.prepareStatement(logQuery, TYPE_SCROLL_SENSITIVE, CONCUR_UPDATABLE); + statement.setString(1, sdf.format(cal.getTime())); + statement.setString(2, action); + statement.execute(); + } catch (SQLException e) { System.err.println(e.getMessage()); } } diff --git a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson9.java b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson9.java index 3df08175a..4136ee6f1 100644 --- a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson9.java +++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson9.java @@ -22,6 +22,7 @@ package org.owasp.webgoat.lessons.sqlinjection.introduction; +import java.sql.PreparedStatement; import static org.hsqldb.jdbc.JDBCResultSet.CONCUR_UPDATABLE; import static org.hsqldb.jdbc.JDBCResultSet.TYPE_SCROLL_SENSITIVE; 
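Review bot: `action = action.replace('\'', '"');` is now redundant, since `statement.setString(2, action)` binds the value without any quoting, and it silently rewrites the text that gets logged; unless the lesson depends on the altered log content it can be dropped. `TYPE_SCROLL_SENSITIVE, CONCUR_UPDATABLE` are result-set options with no effect on an INSERT, so `connection.prepareStatement(logQuery)` is sufficient, and wrapping it in `try (PreparedStatement statement = connection.prepareStatement(logQuery)) {` would close the statement, which is otherwise left open. Folding `time` into `sdf.format(cal.getTime())` is fine, though the surrounding `Calendar`/`SimpleDateFormat` use is pre-existing and would be cleaner with `java.time`.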
@@ -64,17 +65,14 @@ public AttackResult completed(@RequestParam String name, @RequestParam String au protected AttackResult injectableQueryIntegrity(String name, String auth_tan) { StringBuilder output = new StringBuilder(); String query = - "SELECT * FROM employees WHERE last_name = '" - + name - + "' AND auth_tan = '" - + auth_tan - + "'"; + "SELECT * FROM employees WHERE last_name = ? AND auth_tan = ?"; try (Connection connection = dataSource.getConnection()) { try { - Statement statement = connection.createStatement(TYPE_SCROLL_SENSITIVE, CONCUR_UPDATABLE); + PreparedStatement statement = connection.prepareStatement(query, TYPE_SCROLL_SENSITIVE, CONCUR_UPDATABLE); SqlInjectionLesson8.log(connection, query); - ResultSet results = statement.executeQuery(query); - var test = results.getRow() != 0; + statement.setString(1, name); + statement.setString(2, auth_tan); + ResultSet results = statement.execute(); if (results.getStatement() != null) { if (results.first()) { output.append(SqlInjectionLesson8.generateTable(results)); @@ -83,7 +81,7 @@ protected AttackResult injectableQueryIntegrity(String name, String auth_tan) { return failed(this).feedback("sql-injection.8.no.results").build(); } } - } catch (SQLException e) { + } catch (SQLException e) { System.err.println(e.getMessage()); return failed(this) .output("
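Review bot: `PreparedStatement statement = connection.prepareStatement(query, TYPE_SCROLL_SENSITIVE, CONCUR_UPDATABLE);` is never closed, and unlike the other files this hunk adds no closing brace for it, so the consistent fix is a try-with-resources: `try (PreparedStatement statement = connection.prepareStatement(query, TYPE_SCROLL_SENSITIVE, CONCUR_UPDATABLE)) {` with the matching `}` placed before `} catch (SQLException e) {` in the following hunk. Removing the unused `var test = results.getRow() != 0;` is a good cleanup. injectableQueryIntegrity's body continues outside the hunk.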
" + e.getMessage() + "")