diff --git a/src/main/java/org/cysecurity/cspf/jvl/controller/EmailCheck.java b/src/main/java/org/cysecurity/cspf/jvl/controller/EmailCheck.java
index b7dd4b3..5800db0 100644
--- a/src/main/java/org/cysecurity/cspf/jvl/controller/EmailCheck.java
+++ b/src/main/java/org/cysecurity/cspf/jvl/controller/EmailCheck.java
@@ -6,6 +6,7 @@
package org.cysecurity.cspf.jvl.controller;
+import java.sql.PreparedStatement;
import java.io.IOException;
import java.io.PrintWriter;
import java.sql.Connection;
@@ -48,8 +49,9 @@ protected void processRequest(HttpServletRequest request, HttpServletResponse re
if(con!=null && !con.isClosed())
{
ResultSet rs=null;
- Statement stmt = con.createStatement();
- rs=stmt.executeQuery("select * from users where email='"+email+"'");
+ PreparedStatement stmt = con.prepareStatement("select * from users where email=?");
+ stmt.setString(1, email);
+ rs=stmt.executeQuery();
if (rs.next())
{
json.put("available", "1");
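Review bot: The PreparedStatement created on the `con.prepareStatement("select * from users where email=?")` line is never closed, and neither is the ResultSet it produces, so every request leaks a server-side cursor until the connection or GC reclaims it; the old Statement had the same problem, but the rewrite is the moment to fix it. Put both in try-with-resources: `try (PreparedStatement stmt = con.prepareStatement("select * from users where email=?")) { stmt.setString(1, email); try (ResultSet rs = stmt.executeQuery()) { … } }`. processRequest continues past the end of the hunk, so check there that nothing else still references `rs` after the branch. If `java.sql.Statement` is no longer used elsewhere in the file, its import can go as well.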
diff --git a/src/main/java/org/cysecurity/cspf/jvl/controller/Install.java b/src/main/java/org/cysecurity/cspf/jvl/controller/Install.java
index 4d84a8a..4400900 100644
--- a/src/main/java/org/cysecurity/cspf/jvl/controller/Install.java
+++ b/src/main/java/org/cysecurity/cspf/jvl/controller/Install.java
@@ -124,7 +124,7 @@ protected boolean setup(String i) throws IOException
{
//User Table creation
stmt.executeUpdate("Create table users(ID int NOT NULL AUTO_INCREMENT, username varchar(30),email varchar(60), password varchar(60), about varchar(50),privilege varchar(20),avatar TEXT,secretquestion int,secret varchar(30),primary key (id))");
- stmt.executeUpdate("INSERT into users(username, password, email,About,avatar, privilege,secretquestion,secret) values ('"+adminuser+"','"+adminpass+"','admin@localhost','I am the admin of this application','default.jpg','admin',1,'rocky')");
+ stmt.executeUpdate("INSERT into users(username, password, email,About,avatar, privilege,secretquestion,secret) values ("+stmt.enquoteLiteral(String.valueOf(adminuser))+",'"+adminpass+"','admin@localhost','I am the admin of this application','default.jpg','admin',1,'rocky')");
stmt.executeUpdate("INSERT into users(username, password, email,About,avatar, privilege,secretquestion,secret) values ('victim','victim','victim@localhost','I am the victim of this application','default.jpg','user',1,'max')");
stmt.executeUpdate("INSERT into users(username, password, email,About,avatar, privilege,secretquestion,secret) values ('attacker','attacker','attacker@localhost','I am the attacker of this application','default.jpg','user',1,'bella')");
stmt.executeUpdate("INSERT into users(username, password, email,About,avatar, privilege,secretquestion,secret) values ('NEO','trinity','neo@matrix','I am the NEO','default.jpg','user',1,'sentinel')");
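Review bot: Only `adminuser` is quoted on the changed INSERT line; `adminpass` is still spliced in raw as `'"+adminpass+"'`, so the injection this commit is closing is only half closed. Statement.enquoteLiteral's default implementation merely doubles single quotes, which is not a complete escape for MySQL when backslash escapes are enabled (the default sql_mode) unless the driver overrides the method, so a backslash ahead of a quote can still terminate the literal. Every other file in this diff moves to bound parameters; do the same here via `stmt.getConnection()`, which avoids guessing whether a Connection variable is in scope in setup() (its body starts above the hunk). Install.java will also need `import java.sql.PreparedStatement;`, which this hunk does not show.
```java
// … unchanged: users table creation …
PreparedStatement ps = stmt.getConnection().prepareStatement(
        "INSERT into users(username, password, email,About,avatar, privilege,secretquestion,secret) "
        + "values (?,?,'admin@localhost','I am the admin of this application','default.jpg','admin',1,'rocky')");
ps.setString(1, String.valueOf(adminuser));
ps.setString(2, adminpass);
ps.executeUpdate();
// … unchanged: victim, attacker and NEO seed rows …
```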
diff --git a/src/main/java/org/cysecurity/cspf/jvl/controller/LoginValidator.java b/src/main/java/org/cysecurity/cspf/jvl/controller/LoginValidator.java
index 2331d13..8ef8f47 100644
--- a/src/main/java/org/cysecurity/cspf/jvl/controller/LoginValidator.java
+++ b/src/main/java/org/cysecurity/cspf/jvl/controller/LoginValidator.java
@@ -9,6 +9,7 @@
import java.io.IOException;
import java.io.PrintWriter;
import java.sql.Connection;
+import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.Statement;
import javax.servlet.ServletException;
@@ -48,8 +49,10 @@ protected void processRequest(HttpServletRequest request, HttpServletResponse re
if(con!=null && !con.isClosed())
{
ResultSet rs=null;
- Statement stmt = con.createStatement();
- rs=stmt.executeQuery("select * from users where username='"+user+"' and password='"+pass+"'");
+ PreparedStatement pstmt = con.prepareStatement("select * from users where username=? and password=?");
+ pstmt.setString(1, user);
+ pstmt.setString(2, pass);
+ rs=pstmt.executeQuery();
if(rs != null && rs.next()){
HttpSession session=request.getSession();
session.setAttribute("isLoggedIn", "1");
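Review bot: The login marks the existing session as authenticated (`request.getSession()` followed by `session.setAttribute("isLoggedIn", "1")`) without rotating its id, so a session id planted before login stays valid afterwards (session fixation); the parameterized query fixes the injection but not this. On Servlet 3.1+ add `request.changeSessionId();` right after obtaining the session and before setting any attributes; on older containers invalidate and re-create it. Separately, `rs != null` is always true because executeQuery never returns null, and neither `pstmt` nor `rs` is closed — wrap them in try-with-resources. processRequest continues beyond the end of the hunk.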
diff --git a/src/main/java/org/cysecurity/cspf/jvl/controller/Register.java b/src/main/java/org/cysecurity/cspf/jvl/controller/Register.java
index afa2f83..d04bbbd 100644
--- a/src/main/java/org/cysecurity/cspf/jvl/controller/Register.java
+++ b/src/main/java/org/cysecurity/cspf/jvl/controller/Register.java
@@ -55,7 +55,7 @@ protected void processRequest(HttpServletRequest request, HttpServletResponse re
{
Statement stmt = con.createStatement();
- stmt.executeUpdate("INSERT into users(username, password, email, About,avatar,privilege,secretquestion,secret) values ('"+user+"','"+pass+"','"+email+"','"+about+"','default.jpg','user',1,'"+secret+"')");
+ stmt.executeUpdate("INSERT into users(username, password, email, About,avatar,privilege,secretquestion,secret) values ('"+user+"','"+pass+"',"+stmt.enquoteLiteral(String.valueOf(email))+",'"+about+"','default.jpg','user',1,'"+secret+"')");
stmt.executeUpdate("INSERT into UserMessages(recipient, sender, subject, msg) values ('"+user+"','admin','Hi','Hi
This is admin of this page.
Welcome to Our Forum')");
response.sendRedirect("index.jsp");
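Review bot: Only `email` is run through enquoteLiteral on the changed INSERT; `user`, `pass`, `about` and `secret` are still concatenated raw on that same line, and `user` is concatenated again into the UserMessages INSERT two lines below, so this hunk leaves SQL injection open on every other registration field. enquoteLiteral's default implementation also only doubles single quotes, which is insufficient against MySQL backslash escapes unless the driver overrides it. Bind every user-supplied value as the JSP files in this diff do; `con` is already in scope from the `con.createStatement()` line, and the UserMessages statement should bind `user` the same way: `values (?,'admin','Hi', …)` with `ps.setString(1, user)`. The file will need `import java.sql.PreparedStatement;`, not visible in this hunk.
```java
// … unchanged: con.createStatement() …
PreparedStatement ps = con.prepareStatement(
        "INSERT into users(username, password, email, About,avatar,privilege,secretquestion,secret) "
        + "values (?,?,?,?,'default.jpg','user',1,?)");
ps.setString(1, user);
ps.setString(2, pass);
ps.setString(3, email);
ps.setString(4, about);
ps.setString(5, secret);
ps.executeUpdate();
// … unchanged: UserMessages insert (bind `user` the same way) and the redirect …
```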
diff --git a/src/main/webapp/ForgotPassword.jsp b/src/main/webapp/ForgotPassword.jsp
index b56f6cb..0a76e71 100644
--- a/src/main/webapp/ForgotPassword.jsp
+++ b/src/main/webapp/ForgotPassword.jsp
@@ -1,6 +1,6 @@
<%@page import="org.cysecurity.cspf.jvl.model.DBConnect"%>
-<%@page import="java.sql.Statement"%>
+<%@page import="java.sql.PreparedStatement"%>
<%@page import="java.sql.ResultSet"%>
<%@page import="java.sql.Connection"%>
<%@ include file="header.jsp" %>
@@ -38,8 +38,10 @@ if(request.getParameter("secret")!=null)
{
Connection con=new DBConnect().connect(getServletContext().getRealPath("/WEB-INF/config.properties"));
ResultSet rs=null;
- Statement stmt = con.createStatement();
- rs=stmt.executeQuery("select * from users where username='"+request.getParameter("username").trim()+"' and secret='"+request.getParameter("secret")+"'");
+ PreparedStatement pstmt = con.prepareStatement("select * from users where username=? and secret=?");
+ pstmt.setString(1, request.getParameter("username").trim());
+ pstmt.setString(2, request.getParameter("secret"));
+ rs=pstmt.executeQuery();
if(rs != null && rs.next()){
out.print("Hello "+rs.getString("username")+", Your Password is: "+rs.getString("password"));
}
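Review bot: `pstmt.setString(1, request.getParameter("username").trim())` throws a NullPointerException when the request carries `secret` but no `username`, because the enclosing branch (opened above the hunk) only checks `request.getParameter("secret")!=null`; the old concatenation had the same gap, but it is now the first line a fuzzer will hit. Read the parameter into a local, reject null with a short message, and only then bind it, e.g. `String username = request.getParameter("username"); if (username == null) { out.print("* Username required"); } else { … }`. `rs != null` is always true for executeQuery, and neither `pstmt`, `rs` nor `con` is closed on this page. Echoing `rs.getString("password")` back to the browser discloses the stored credential in clear; if this page is meant to be a deliberate lab vulnerability, a comment saying so would stop the next reviewer from "fixing" it, otherwise replace it with a reset-token flow.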
diff --git a/src/main/webapp/admin/adminlogin.jsp b/src/main/webapp/admin/adminlogin.jsp
index 9d5b46f..ba30ec4 100644
--- a/src/main/webapp/admin/adminlogin.jsp
+++ b/src/main/webapp/admin/adminlogin.jsp
@@ -15,8 +15,10 @@ if(request.getParameter("Login")!=null)
if(con!=null && !con.isClosed())
{
ResultSet rs=null;
- Statement stmt = con.createStatement();
- rs=stmt.executeQuery("select * from users where username='"+user+"' and password='"+pass+"' and privilege='admin'");
+ PreparedStatement pstmt = con.prepareStatement("select * from users where username=? and password=? and privilege='admin'");
+ pstmt.setString(1, user);
+ pstmt.setString(2, pass);
+ rs=pstmt.executeQuery();
if(rs != null && rs.next()){
session.setAttribute("isLoggedIn", "1");
session.setAttribute("userid", rs.getString("id"));
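Review bot: The hunk introduces `PreparedStatement` but, unlike ForgotPassword.jsp in this same diff, no page-directive hunk for adminlogin.jsp swaps the `java.sql.Statement` import; unless the page already imports `java.sql.PreparedStatement` (not visible here) it will fail to translate at first request — add `<%@page import="java.sql.PreparedStatement"%>`. The admin login also marks the implicit JSP session as authenticated via `session.setAttribute("isLoggedIn", "1")` without rotating the id, so a pre-planted session id survives login; call `request.changeSessionId();` before setting the attributes on Servlet 3.1+. `pstmt` and `rs` are not closed; try-with-resources is the idiomatic fix. The enclosing scriptlet continues past the hunk.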
diff --git a/src/main/webapp/changeCardDetails.jsp b/src/main/webapp/changeCardDetails.jsp
index ca164c7..fd0c562 100644
--- a/src/main/webapp/changeCardDetails.jsp
+++ b/src/main/webapp/changeCardDetails.jsp
@@ -21,8 +21,9 @@ if(session.getAttribute("isLoggedIn")!=null)
| Expiry Date: | |
| |
-
-
+ "/>
+
+
<%
Connection con=new DBConnect().connect(getServletContext().getRealPath("/WEB-INF/config.properties"));
@@ -39,8 +40,12 @@ if(session.getAttribute("isLoggedIn")!=null)
String expirydate=request.getParameter("expirydate");
if(!cardno.equals("") && !cvv.equals("") && !expirydate.equals(""))
{
- Statement stmt = con.createStatement();
- stmt.executeUpdate("INSERT into cards(id,cardno, cvv,expirydate) values ('"+id+"','"+cardno+"','"+cvv+"','"+expirydate+"')");
+ PreparedStatement pstmt = con.prepareStatement("INSERT into cards(id,cardno, cvv,expirydate) values (?,?,?,?)");
+ pstmt.setString(1, id);
+ pstmt.setString(2, cardno);
+ pstmt.setString(3, cvv);
+ pstmt.setString(4, expirydate);
+ pstmt.executeUpdate();
out.print(" * Card details added *");
}
else
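Review bot: `pstmt.setString(3, cvv)` persists the card verification value alongside the full card number in the `cards` table; storing the CVV after authorization is prohibited under PCI DSS regardless of how the INSERT is built, so the parameterization fixes the injection but not the data-handling problem — drop the `cvv` column from the INSERT (and ideally from the table) and store the PAN tokenized or encrypted if it must be kept. The diff shows no page-directive hunk adding `java.sql.PreparedStatement` for this page; if the existing import line only names `java.sql.Statement`, the JSP will not translate. `pstmt` and `con` are never closed. The enclosing scriptlet starts above the hunk.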
diff --git a/src/main/webapp/vulnerability/Messages.jsp b/src/main/webapp/vulnerability/Messages.jsp
index fe2c4b9..019f3e8 100644
--- a/src/main/webapp/vulnerability/Messages.jsp
+++ b/src/main/webapp/vulnerability/Messages.jsp
@@ -1,33 +1,29 @@
<%@page import="java.sql.ResultSet"%>
-<%@page import="java.sql.Statement"%>
+<%@page import="java.sql.PreparedStatement"%>
<%@page import="java.sql.Connection"%>
<%@ include file="/header.jsp" %>
- <%@ page import="org.cysecurity.cspf.jvl.model.DBConnect"%>
- <%
- if(session.getAttribute("isLoggedIn")!=null)
- {
- Connection con=new DBConnect().connect(getServletContext().getRealPath("/WEB-INF/config.properties"));
- if(con!=null && !con.isClosed())
- {
- Statement stmt = con.createStatement();
- ResultSet rs =null;
- rs=stmt.executeQuery("select * from UserMessages where recipient='"+session.getAttribute("user")+"'");
- out.print("Message: ");
- out.println("");
- while (rs.next())
- {
- out.print("- "+rs.getString("subject")+"
");
-
- }
- out.println("
");
- }
- out.print("
Return to Profile Page >>");
-
- }
- else
- {
- out.print("* Please login to send message");
- }
- %>
-
- <%@ include file="/footer.jsp" %>
\ No newline at end of file
+<%@ page import="org.cysecurity.cspf.jvl.model.DBConnect"%>
+<%
+if(session.getAttribute("isLoggedIn")!=null) {
+Connection con=new DBConnect().connect(getServletContext().getRealPath("/WEB-INF/config.properties"));
+if(con!=null && !con.isClosed()) {
+String query = "select * from UserMessages where recipient=?";
+PreparedStatement pstmt = con.prepareStatement(query);
+pstmt.setString(1, session.getAttribute("user").toString());
+ResultSet rs = pstmt.executeQuery();
+out.print("Message: ");
+out.println("");
+while (rs.next()) {
+out.print("- ");
+out.print(rs.getString("subject"));
+out.print("
");
+}
+out.println("
");
+}
+out.print("
Return to Profile Page >>");
+}
+else {
+out.print("* Please login to send message");
+}
+%>
+<%@ include file="/footer.jsp" %>
\ No newline at end of file
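Review bot: `pstmt.setString(1, session.getAttribute("user").toString())` now throws a NullPointerException whenever `isLoggedIn` is set but the `user` attribute is absent, whereas the removed concatenation would have queried for the literal string "null"; this is a behaviour change the commit does not mention. Either keep the old semantics with `pstmt.setString(1, String.valueOf(session.getAttribute("user")));` or, better, read the attribute into a local and skip the query with a message when it is null. `rs.getString("subject")` is still written to the response unescaped, so a stored subject containing markup executes in the reader's browser; if that is intentional for this lab page, say so in a comment, otherwise escape it before printing. Neither `pstmt`, `rs` nor `con` is closed.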
diff --git a/src/main/webapp/vulnerability/csrf/changepassword.jsp b/src/main/webapp/vulnerability/csrf/changepassword.jsp
index ca1646f..f83aaed 100644
--- a/src/main/webapp/vulnerability/csrf/changepassword.jsp
+++ b/src/main/webapp/vulnerability/csrf/changepassword.jsp
@@ -1,62 +1,48 @@
<%@ include file="/header.jsp" %>
- <%@page import="java.sql.Connection"%>
-<%@page import="java.sql.Statement"%>
-<%@page import="java.sql.SQLException"%>
-
-<%@page import="java.sql.ResultSetMetaData"%>
-<%@page import="java.sql.ResultSet"%>
-<%@ page import="java.util.*,java.io.*"%>
+<%@ page import="java.sql.Connection, java.sql.PreparedStatement, java.sql.SQLException"%>
<%@ page import="org.cysecurity.cspf.jvl.model.DBConnect"%>
<%
-if(session.getAttribute("isLoggedIn")!=null)
-{
- String id=session.getAttribute("userid").toString();
- %>
+if(session.getAttribute("isLoggedIn") != null) {
+ String id = session.getAttribute("userid").toString();
+%>
Enter the New Password:
-
- <%
- Connection con=new DBConnect().connect(getServletContext().getRealPath("/WEB-INF/config.properties"));
-
- String action=request.getParameter("change");
- if(action!=null)
- {
- String pass=request.getParameter("password");
- String confirmPass=request.getParameter("confirmpassword");
- if(pass!=null && confirmPass!=null && !pass.equals("") )
- {
- if(pass.equals(confirmPass) )
- {
- Statement stmt = con.createStatement();
- stmt.executeUpdate("Update users set password='"+pass+"' where id="+id);
- out.print("Password Changed");
- out.print("
Return to the Previous page ");
+
+<%
+ Connection con = new DBConnect().connect(getServletContext().getRealPath("/WEB-INF/config.properties"));
+ String action = request.getParameter("change");
+ if(action != null) {
+ String pass = request.getParameter("password");
+ String confirmPass = request.getParameter("confirmpassword");
+ if(pass != null && confirmPass != null && !pass.equals("")) {
+ if(pass.equals(confirmPass)) {
+ PreparedStatement pstmt = con.prepareStatement("Update users set password=? where id=?");
+ pstmt.setString(1, pass);
+ pstmt.setString(2, id);
+ pstmt.executeUpdate();
+ out.print("Password Changed");
+ out.print("
Return to the Previous page ");
}
- else
- {
- out.print("Passwords didn't match");
+ else {
+ out.print("Passwords didn't match");
}
}
- else
- {
+ else {
out.print("Password can't be empty");
}
}
- }
-
- %>
-
-
+}
+%>
+
+
-
- <%@ include file="/footer.jsp" %>
\ No newline at end of file
+<%@ include file="/footer.jsp" %>
\ No newline at end of file
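Review bot: `pstmt.setString(2, id)` binds the `users.id` column, which Install.java in this diff declares as `int`, as a string; MySQL coerces it silently, but a non-numeric session value would be compared as text rather than rejected. Bind it with the declared type, `pstmt.setInt(2, Integer.parseInt(id));`, so a bad value fails loudly at the bind rather than matching nothing. The statement and connection are never closed — `try (PreparedStatement pstmt = con.prepareStatement("Update users set password=? where id=?")) { … }` fixes that. The page stores the new password in clear and has no CSRF token, which the `csrf/` path suggests is deliberate; a comment marking it as the intentional lab vulnerability would prevent an accidental "fix".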
diff --git a/src/main/webapp/vulnerability/forum.jsp b/src/main/webapp/vulnerability/forum.jsp
index 6c71c00..5034d90 100644
--- a/src/main/webapp/vulnerability/forum.jsp
+++ b/src/main/webapp/vulnerability/forum.jsp
@@ -5,7 +5,7 @@
--%>
<%@page import="java.sql.Connection"%>
-<%@page import="java.sql.Statement"%>
+<%@page import="java.sql.PreparedStatement"%>
<%@page import="java.sql.SQLException"%>
<%@page import="java.sql.ResultSetMetaData"%>
@@ -29,7 +29,7 @@
@@ -43,9 +43,12 @@
String title=request.getParameter("title");
if(con!=null && !con.isClosed())
{
- Statement stmt = con.createStatement();
+ PreparedStatement pstmt = con.prepareStatement("INSERT into posts(content,title,user) values (?,?,?)");
+ pstmt.setString(1, content);
+ pstmt.setString(2, title);
+ pstmt.setString(3, user);
//Posting Content
- stmt.executeUpdate("INSERT into posts(content,title,user) values ('"+content+"','"+title+"','"+user+"')");
+ pstmt.executeUpdate();
out.print("Successfully posted");
}
}
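Review bot: The `//Posting Content` comment now sits between the parameter binds and `pstmt.executeUpdate()`, so it no longer labels the statement it describes; move it above the `con.prepareStatement("INSERT into posts(content,title,user) values (?,?,?)")` line. The PreparedStatement is never closed; `try (PreparedStatement pstmt = con.prepareStatement(…)) { … }` around the bind-and-execute block is the one-line fix. Where `user` comes from is not visible in this hunk (the scriptlet starts above it); if it is a request parameter rather than the session user, anyone can post under another name. The `@@ -29,7 +29,7 @@` hunk above this one carries no lines in this rendering, so it could not be reviewed.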
diff --git a/src/main/webapp/vulnerability/idor/change-email.jsp b/src/main/webapp/vulnerability/idor/change-email.jsp
index 0dd3c34..2bd8bd1 100644
--- a/src/main/webapp/vulnerability/idor/change-email.jsp
+++ b/src/main/webapp/vulnerability/idor/change-email.jsp
@@ -1,6 +1,6 @@
<%@ include file="/header.jsp" %>
<%@page import="java.sql.Connection"%>
-<%@page import="java.sql.Statement"%>
+<%@page import="java.sql.PreparedStatement"%>
<%@page import="java.sql.SQLException"%>
<%@page import="java.sql.ResultSetMetaData"%>
@@ -28,8 +28,10 @@ if(session.getAttribute("isLoggedIn")!=null)
String id=request.getParameter("id");
if(email!=null && !email.equals("") && id!=null)
{
- Statement stmt = con.createStatement();
- stmt.executeUpdate("Update users set email='"+email+"' where id="+id);
+ PreparedStatement pstmt = con.prepareStatement("Update users set email=? where id=?");
+ pstmt.setString(1, email);
+ pstmt.setString(2, id);
+ pstmt.executeUpdate();
out.print("email Changed");
}