From 031bcaa381b5e317071f47d3743439d05625d031 Mon Sep 17 00:00:00 2001
From: vbv-18
Date: Sat, 1 Mar 2025 20:39:58 +0100
Subject: [PATCH 1/3] Fix SqlInjectionChallenge with PreparedStatements
---
 .../advanced/SqlInjectionChallenge.java | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionChallenge.java b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionChallenge.java
index 95f86ca0..97337509 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionChallenge.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionChallenge.java
@@ -54,7 +54,7 @@ public SqlInjectionChallenge(LessonDataSource dataSource) {
 // assignment path is bounded to class so we use different http method :-)
 @ResponseBody
 public AttackResult registerNewUser(
- @RequestParam String username_reg,
+ @RequestParam String username_reg, //1 y 2
 @RequestParam String email_reg,
 @RequestParam String password_reg)
 throws Exception {
@@ -63,10 +63,15 @@ public AttackResult registerNewUser(
 
 if (attackResult == null) {
 try (Connection connection = dataSource.getConnection()) {
- String checkUserQuery =
- "select userid from sql_challenge_users where userid = '" + username_reg + "'";
- Statement statement = connection.createStatement();
- ResultSet resultSet = statement.executeQuery(checkUserQuery);
+ String checkUserQuery =
+ "select userid from sql_challenge_users where userid = '" + username_reg + "'"; //3,4,5
+
+ //new secure query
+ PreparedStatement preparedStatement1 = connection.prepareStatement(checkUserQuery);
+ preparedStatement1.setString(1, username_reg);
+
+ //Statement statement = connection.createStatement();
+ ResultSet resultSet = preparedStatement1.executeQuery(); //6
 
 if (resultSet.next()) {
 if (username_reg.contains("tom'")) {
From 00c9c77b0a2e76e129c695e9969a82fd7d0743db Mon Sep 17 00:00:00 2001
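Review bot: The query handed to `connection.prepareStatement(checkUserQuery)` still embeds `username_reg` by string concatenation and contains no `?` placeholder, so the following `preparedStatement1.setString(1, username_reg)` has no parameter to bind — JDBC drivers generally reject that with an SQLException, which the enclosing `catch (SQLException e)` (visible as context in the third patch) turns into "Something went wrong" — while the injection point itself is unchanged. The next patch in this series replaces the concatenation with `?`; squashing the two would keep every commit in a buildable, working state for bisecting. The `//1 y 2`, `//3,4,5` and `//6` markers and the commented-out `//Statement statement = connection.createStatement();` read as worksheet notes rather than documentation and should be dropped, and the `java.sql.Statement` import is presumably now unused (the import block is outside this hunk). registerNewUser continues past the end of this hunk.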
From: vbv-18
Date: Sat, 1 Mar 2025 21:00:09 +0100
Subject: [PATCH 2/3] Fix SsqlInjection challenge with Prepared Statements
---
 .../lessons/sqlinjection/advanced/SqlInjectionChallenge.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionChallenge.java b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionChallenge.java
index 97337509..36db62ab 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionChallenge.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionChallenge.java
@@ -64,7 +64,7 @@ public AttackResult registerNewUser(
 try (Connection connection = dataSource.getConnection()) {
 String checkUserQuery =
- "select userid from sql_challenge_users where userid = '" + username_reg + "'"; //3,4,5
+ "select userid from sql_challenge_users where userid = ?"; //3,4,5
 
 //new secure query
 PreparedStatement preparedStatement1 = connection.prepareStatement(checkUserQuery);
From 4605b6c4caf3373665e49146ed95cd0a9209c32e Mon Sep 17 00:00:00 2001
From: vbv-18
Date: Sun, 2 Mar 2025 20:13:59 +0100
Subject: [PATCH 3/3] Fix SQLInjectionChallenge part 2
---
 .../advanced/SqlInjectionChallenge.java | 37 ++++++++++---------
 1 file changed, 19 insertions(+), 18 deletions(-)
diff --git a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionChallenge.java b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionChallenge.java
index 36db62ab..178c691d 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionChallenge.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionChallenge.java
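Review bot: Binding `username_reg` as a parameter removes the injection that the surrounding code is built to detect: the `if (username_reg.contains("tom'"))` branch (context in the first patch) awards `success(this)` only when a username containing `tom'` matches an existing row, which with a bound parameter can now only happen if the literal string `tom'` was itself registered earlier — so the assignment becomes either unsolvable by injection or trivially solvable by submitting `tom'` twice. Judging by the path `org/owasp/webgoat/lessons/sqlinjection/advanced/` and the `AttackResult`/`success`/`failed` plumbing, this looks like a deliberately vulnerable WebGoat lesson rather than production code, so confirm the lesson's intent before merging; a "fix" here likely breaks the training exercise and its success check would need to change with it. If the change is intended, drop the `//3,4,5` marker from the new line and replace `//new secure query` with a comment that says why, e.g. `// Bound parameter: username_reg can no longer alter the query structure.`. registerNewUser starts before and ends after this hunk.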
@@ -67,26 +67,27 @@ public AttackResult registerNewUser(
 "select userid from sql_challenge_users where userid = ?"; //3,4,5
 
 //new secure query
- PreparedStatement preparedStatement1 = connection.prepareStatement(checkUserQuery);
- preparedStatement1.setString(1, username_reg);
+ try(PreparedStatement preparedStatement1 = connection.prepareStatement(checkUserQuery)){
+ preparedStatement1.setString(1, username_reg);
 
- //Statement statement = connection.createStatement();
- ResultSet resultSet = preparedStatement1.executeQuery(); //6
-
- if (resultSet.next()) {
- if (username_reg.contains("tom'")) {
- attackResult = success(this).feedback("user.exists").build();
- } else {
- attackResult = failed(this).feedback("user.exists").feedbackArgs(username_reg).build();
+ //Statement statement = connection.createStatement();
+ try(ResultSet resultSet = preparedStatement1.executeQuery()){ //6
+ if (resultSet.next()) {
+ if (username_reg.contains("tom'")) {
+ attackResult = success(this).feedback("user.exists").build();
+ } else {
+ attackResult = failed(this).feedback("user.exists").feedbackArgs(username_reg).build();
+ }
+ } else {
+ try(PreparedStatement preparedStatement = connection.prepareStatement("INSERT INTO sql_challenge_users VALUES (?, ?, ?)")){
+ preparedStatement.setString(1, username_reg);
+ preparedStatement.setString(2, email_reg);
+ preparedStatement.setString(3, password_reg);
+ preparedStatement.execute();
+ attackResult = success(this).feedback("user.created").feedbackArgs(username_reg).build();
+ }
+ }
 }
- } else {
- PreparedStatement preparedStatement =
- connection.prepareStatement("INSERT INTO sql_challenge_users VALUES (?, ?, ?)");
- preparedStatement.setString(1, username_reg);
- preparedStatement.setString(2, email_reg);
- preparedStatement.setString(3, password_reg);
- preparedStatement.execute();
- attackResult = success(this).feedback("user.created").feedbackArgs(username_reg).build();
 }
 } catch (SQLException e) {
 attackResult =
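Review bot: The three new try-with-resources headers are written as `try(`…`){`, which departs from the google-java-format style the file otherwise follows (`try (Connection connection = dataSource.getConnection()) {` in the first patch's context); write them as `try (PreparedStatement preparedStatement1 = connection.prepareStatement(checkUserQuery)) {`, `try (ResultSet resultSet = preparedStatement1.executeQuery()) {` and `try (PreparedStatement preparedStatement = connection.prepareStatement("INSERT INTO sql_challenge_users VALUES (?, ?, ?)")) {` so the formatter does not rewrite the hunk on the next run. Closing the statement and result set via try-with-resources is the right call and fixes the leak the first patch introduced, but the restructured block still carries the commented-out `//Statement statement = connection.createStatement();` and the `//6` marker, which should be deleted now that the old code is gone. Note that the INSERT now runs while the lookup's `ResultSet` is still open; that is harmless for this code path as far as the hunk shows, but a reader may wonder, so a one-line comment such as `// Insert only when the lookup returned no row; the result set is closed by the enclosing try.` would help. registerNewUser starts before and ends after this hunk.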
failed(this).output("Something went wrong").build();