Vulnerabilidad1

src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson3.java

@@ -61,6 +61,7 @@ protected AttackResult injectableQuery(String query) {
         Statement checkStatement =
             connection.createStatement(TYPE_SCROLL_INSENSITIVE, CONCUR_READ_ONLY);
         statement.executeUpdate(query);
+
         ResultSet results =
             checkStatement.executeQuery("SELECT * FROM employees WHERE last_name='Barnett';");
         StringBuilder output = new StringBuilder();

src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson9.java

@@ -26,9 +26,9 @@
 import static org.hsqldb.jdbc.JDBCResultSet.TYPE_SCROLL_SENSITIVE;
 
 import java.sql.Connection;
+import java.sql.PreparedStatement;
 import java.sql.ResultSet;
 import java.sql.SQLException;
-import java.sql.Statement;
 import org.owasp.webgoat.container.LessonDataSource;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;
@@ -63,49 +63,38 @@ public AttackResult completed(@RequestParam String name, @RequestParam String au
 
   protected AttackResult injectableQueryIntegrity(String name, String auth_tan) {
     StringBuilder output = new StringBuilder();
-    String query =
-        "SELECT * FROM employees WHERE last_name = '"
-            + name
-            + "' AND auth_tan = '"
-            + auth_tan
-            + "'";
-    try (Connection connection = dataSource.getConnection()) {
-      try {
-        Statement statement = connection.createStatement(TYPE_SCROLL_SENSITIVE, CONCUR_UPDATABLE);
+    String query = "SELECT * FROM employees WHERE last_name = ? AND auth_tan = ?";
+
+    try (Connection connection = dataSource.getConnection();
+         PreparedStatement statement = connection.prepareStatement(query, TYPE_SCROLL_SENSITIVE, CONCUR_UPDATABLE)) {
+
+        // Se asignan los valores de forma segura evitando inyección SQL
+        statement.setString(1, name);
+        statement.setString(2, auth_tan);
+
         SqlInjectionLesson8.log(connection, query);
-        ResultSet results = statement.executeQuery(query);
-        var test = results.getRow() != 0;
-        if (results.getStatement() != null) {
-          if (results.first()) {
+        ResultSet results = statement.executeQuery();
+
+        if (results.first()) {
             output.append(SqlInjectionLesson8.generateTable(results));
-          } else {
-            // no results
+        } else {
             return failed(this).feedback("sql-injection.8.no.results").build();
-          }
         }
-      } catch (SQLException e) {
+    } catch (SQLException e) {
         System.err.println(e.getMessage());
         return failed(this)
             .output("<br><span class='feedback-negative'>" + e.getMessage() + "</span>")
             .build();
-      }
-
-      return checkSalaryRanking(connection, output);
-
-    } catch (Exception e) {
-      System.err.println(e.getMessage());
-      return failed(this)
-          .output("<br><span class='feedback-negative'>" + e.getMessage() + "</span>")
-          .build();
     }
+
+    return success(this).output(output.toString()).build();
   }
 
   private AttackResult checkSalaryRanking(Connection connection, StringBuilder output) {
     try {
       String query = "SELECT * FROM employees ORDER BY salary DESC";
-      try (Statement statement =
-          connection.createStatement(TYPE_SCROLL_SENSITIVE, CONCUR_UPDATABLE); ) {
-        ResultSet results = statement.executeQuery(query);
+      try (PreparedStatement statement = connection.prepareStatement(query, TYPE_SCROLL_SENSITIVE, CONCUR_UPDATABLE)) {
+        ResultSet results = statement.executeQuery();
 
         results.first();
         // user completes lesson if John Smith is the first in the list