From b89ab6db1756d32eb3c2f3f86e1bf4c0c8f4fb0d Mon Sep 17 00:00:00 2001
From: "pixee-unstable[bot]" <242477510+pixee-unstable[bot]@users.noreply.github.com>
Date: Fri, 7 Nov 2025 17:50:34 +0000
Subject: [PATCH] =?UTF-8?q?=E2=9C=A8=20Apply=20Cross-Site=20Request=20Forg?= =?UTF-8?q?ery=20Protection?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../introduction/SqlInjectionLesson3.java | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson3.java b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson3.java
index f34c9302d6..1cee96ad57 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson3.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson3.java
@@ -37,6 +37,8 @@
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpSession;
 @RestController
 @AssignmentHints(value = {"SqlStringInjectionHint3-1", "SqlStringInjectionHint3-2"})
@@ -50,7 +52,16 @@ public SqlInjectionLesson3(LessonDataSource dataSource) {
 @PostMapping("/SqlInjection/attack3")
 @ResponseBody
- public AttackResult completed(@RequestParam String query) {
+ public AttackResult completed(@RequestParam String query, HttpServletRequest request) {
+ String tokenReceived = request.getParameter("csrfToken");
+ HttpSession session = request.getSession(false);
+ if (session == null) {
+ return new AttackResult(false, "Session is not available");
+ }
+ String tokenStored = (String) session.getAttribute("csrfToken");
+ if (tokenStored == null || !tokenStored.equals(tokenReceived)) {
+ return new AttackResult(false, "Invalid CSRF token");
+ }
 return injectableQuery(query);
 }
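Review bot: Nothing in this commit stores a `csrfToken` attribute in the session — the diffstat shows only this file changed — so unless the application already sets that attribute elsewhere, `tokenStored` is always null and every request to `/SqlInjection/attack3` now returns "Invalid CSRF token" before `injectableQuery` is reached. The token comparison should also be constant-time: replace `!tokenStored.equals(tokenReceived)` with `tokenReceived == null || !MessageDigest.isEqual(tokenStored.getBytes(StandardCharsets.UTF_8), tokenReceived.getBytes(StandardCharsets.UTF_8))` (importing `java.security.MessageDigest` and `java.nio.charset.StandardCharsets`). Binding the token as `@RequestParam(required = false) String csrfToken` instead of `request.getParameter("csrfToken")` would match how `query` is bound on the same signature. The first hunk imports `javax.servlet.http`; if this module runs on Spring Boot 3 / Jakarta EE those need to be `jakarta.servlet.http` — the page does not show which servlet API the project uses.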