✨ Add vulnerable searchUser endpoint to demonstrate SQL injection

dunningdan · claude · dunningdan · commit 7e11c5c516c2 · 2025-11-07T12:09:03.000-05:00
This endpoint is intentionally vulnerable for security scanning demos. It uses direct string concatenation in SQL queries, making it susceptible to SQL injection attacks. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
diff --git a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionChallenge.java b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionChallenge.java
@@ -29,6 +29,7 @@
 import org.owasp.webgoat.container.assignments.AssignmentHints;
 import org.owasp.webgoat.container.assignments.AttackResult;
 import org.springframework.util.StringUtils;
+import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PutMapping;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
@@ -101,4 +102,48 @@ private AttackResult checkArguments(String username_reg, String email_reg, Strin
     }
     return null;
   }
+
+  /**
+   * VULNERABLE ENDPOINT - Demonstrates SQL Injection vulnerability This endpoint is intentionally
+   * vulnerable to demonstrate security scanning
+   */
+  @GetMapping("/SqlInjectionAdvanced/searchUser")
+  @ResponseBody
+  public AttackResult searchUser(@RequestParam("searchTerm") String searchTerm) {
+    try (Connection connection = dataSource.getConnection()) {
+      // VULNERABILITY: SQL Injection - Direct string concatenation
+      String vulnerableQuery =
+          "SELECT userid, email FROM sql_challenge_users WHERE userid LIKE '%"
+              + searchTerm
+              + "%' OR email LIKE '%"
+              + searchTerm
+              + "%'";
+
+      Statement statement = connection.createStatement();
+      ResultSet resultSet = statement.executeQuery(vulnerableQuery);
+
+      StringBuilder results = new StringBuilder();
+      int count = 0;
+      while (resultSet.next()) {
+        results
+            .append("User: ")
+            .append(resultSet.getString("userid"))
+            .append(", Email: ")
+            .append(resultSet.getString("email"))
+            .append("\n");
+        count++;
+      }
+
+      if (count > 0) {
+        return success(this)
+            .feedback("Found " + count + " user(s):\n" + results.toString())
+            .build();
+      } else {
+        return success(this).feedback("No users found matching: " + searchTerm).build();
+      }
+    } catch (SQLException e) {
+      log.error("SQL error in searchUser", e);
+      return failed(this).output("Database error: " + e.getMessage()).build();
+    }
+  }
 }
