Challenge 4 done

pom.xml

@@ -134,7 +134,7 @@
         <coveralls-maven-plugin.version>4.0.0</coveralls-maven-plugin.version>
         <guava.version>18.0</guava.version>
         <h2.version>1.4.190</h2.version>
-        <hsqldb.version>1.8.0.10</hsqldb.version>
+        <hsqldb.version>2.3.2</hsqldb.version>
         <j2h.version>1.3.1</j2h.version>
         <jackson-core.version>2.6.3</jackson-core.version>
         <jackson-databind.version>2.6.3</jackson-databind.version>

webgoat-container/pom.xml

@@ -162,7 +162,7 @@
             <version>${h2.version}</version>
         </dependency>
         <dependency>
-            <groupId>hsqldb</groupId>
+            <groupId>org.hsqldb</groupId>
             <artifactId>hsqldb</artifactId>
             <version>${hsqldb.version}</version>
         </dependency>

webgoat-container/src/main/java/org/owasp/webgoat/session/DatabaseUtilities.java

@@ -38,6 +38,7 @@
  * @version $Id: $Id
  */
 //TODO: class we need to refactor to new structure, we can put the connection in the current session of the user
+	// start using jdbc template
 public class DatabaseUtilities
 {
 

webgoat-container/src/main/resources/db/changelog/db.changelog-master.xml

@@ -6,9 +6,7 @@
 
 <changeSet author="WebGoat" id="init_schema">
         <createTable tableName="web_goat_user">
-            <column name="username" type="varchar(32)">
-                <constraints unique="true"/>
-            </column>
+            <column name="username" type="varchar(32)"/>
             <column name="password" type="varchar(32)"/>
             <column name="role" type="varchar(32)"/>
         </createTable>

webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/SolutionConstants.java

@@ -8,6 +8,7 @@
  */
 public interface SolutionConstants {
 
+    //TODO should be random generated when starting the server
     String PASSWORD = "!!webgoat_admin_1234!!";
     String SUPER_COUPON_CODE = "get_it_for_free";
     String PASSWORD_TOM = "thisisasecretfortomonly";

webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge4/Assignment4.java

@@ -28,7 +28,8 @@
 @Slf4j
 public class Assignment4 extends AssignmentEndpoint {
 
-    private static final String USERS_TABLE_NAME = "challenge_users_" + RandomStringUtils.randomAlphabetic(6);
+    //Make it more random at runtime (good luck guessing)
+    private static final String USERS_TABLE_NAME = "challenge_users_" + RandomStringUtils.randomAlphabetic(16);
 
     @Autowired
     private WebSession webSession;
@@ -64,7 +65,7 @@ private AttackResult checkArguments(String username_reg, String email_reg, Strin
         if (StringUtils.isEmpty(username_reg) || StringUtils.isEmpty(email_reg) || StringUtils.isEmpty(password_reg)) {
             return failed().feedback("input.invalid").build();
         }
-        if (username_reg.length() > 30 || email_reg.length() > 30 || password_reg.length() > 30) {
+        if (username_reg.length() > 250 || email_reg.length() > 30 || password_reg.length() > 30) {
             return failed().feedback("input.invalid").build();
         }
         return null;
@@ -76,17 +77,16 @@ public AttackResult login(@RequestParam String username_login, @RequestParam Str
         Connection connection = DatabaseUtilities.getConnection(webSession);
         checkDatabase(connection);
 
-        if ("tom".equals(username_login)) {
-            PreparedStatement statement = connection.prepareStatement("select password from " + USERS_TABLE_NAME + " where userid = ? and password = ?");
-            statement.setString(1, username_login);
-            statement.setString(2, password_login);
-            ResultSet resultSet = statement.executeQuery();
+        PreparedStatement statement = connection.prepareStatement("select password from " + USERS_TABLE_NAME + " where userid = ? and password = ?");
+        statement.setString(1, username_login);
+        statement.setString(2, password_login);
+        ResultSet resultSet = statement.executeQuery();
 
-            if (resultSet.next()) {
-                return success().feedback("challenge.solved").feedbackArgs(Flag.FLAGS.get(4)).build();
-            }
+        if (resultSet.next() && "tom".equals(username_login)) {
+            return success().feedback("challenge.solved").feedbackArgs(Flag.FLAGS.get(4)).build();
+        } else {
+            return failed().feedback("challenge.close").build();
         }
-        return failed().build();
     }
 
     private void checkDatabase(Connection connection) throws SQLException {
@@ -107,10 +107,10 @@ private void createChallengeTable(Connection connection) {
         } catch (SQLException e) {
             log.info("Delete failed, this does not point to an error table might not have been present...");
         }
-
+        log.debug("Challenge 4 - Creating tables for users {}", USERS_TABLE_NAME);
         try {
             String createTableStatement = "CREATE TABLE " + USERS_TABLE_NAME
-                    + " (" + "userid varchar(30),"
+                    + " (" + "userid varchar(250),"
                     + "email varchar(30),"
                     + "password varchar(30)"
                     + ")";

webgoat-lessons/challenge/src/main/resources/i18n/WebGoatLabels.properties

@@ -4,6 +4,7 @@ challenge2.title=Get it for free
 challenge3.title=Photo comments
 challenge4.title=Creating a new account
 challenge.solved=Congratulations, you solved the challenge. Here is your flag: {0}
+challenge.close=This is not the correct password for tom, please try again.
 
 user.exists=User {0} already exists please try to register with a different username.
 user.created=User {0} created, please proceed to the login page.