Warning!

This program is for educational purposes only. If you attempt these techniques without authorization, you are very likely to get caught. If you are caught engaging in unauthorized hacking, most companies will fire you. Claiming that you were doing security research will not work as that is the first thing that all hackers claim.

Workshop Activity

What is WebGoat?

WebGoat is a deliberately insecure application that allows interested developers just like you to test vulnerabilities commonly found in Java-based applications that use common and popular open-source components.

For us this is a good application for understanding cybersecurity. We were able to see in practice how a hacker could break into a website.


Open WebGoat

Now you can type http://10.0.0.4:8080/WebGoat in your browser. Or open WebGoat via the Favorites tab.

Then login with the account you just registered. You will see the next picture.


HTTP Basics

The basics for understanding the transfer of data between the browser and the web application and how to trap a request/response.

HTTP stands for Hypertext Transfer Protocol. Officially, it is an application layer protocol in the Internet protocol suite for distributed, collaborative, hypermedia information systems. Simply speaking, the web pages we use are based on this protocol.

Let’s follow the page and explore.

If you are using Firefox, you can right click on a blank part of the page and then select Inspect to access the developer tools.

Inspector (Elements) tab: the HTML and CSS source code of the page.

Console tab: shows anything that a loaded JavaScript file has printed to it. It also lets us run our own lines of JavaScript code.

Network tab: logs all network activity of the page, i.e. every request the browser sends and the response it receives.

General HTTP Basics subtask 3

You can try any possible answer in the input box. Then click Go and submit your answer. At this time, the browser will send a request to the server. (Remember to open Developer Tools before you click the button to send the request so that it keeps track of your network activity).

Then you will see an entry called attack2 appear in the Network window. Although many other requests are listed, attack2 is the one that appears when we press the button. Clicking on it shows more information, such as the request URL and the method. Here the method is POST, which we can use to answer the first question. When we click on Request, we can see which data is sent by that request.


SQL Injection

First let’s learn some information about SQL.

SQL is a standardized programming language used for managing relational databases and performing various operations on the data in them. With SQL you use standard commands to interact with relational databases, such as CREATE, SELECT, INSERT, UPDATE, DELETE and DROP.

A relational database is a type of database that stores and provides access to data points that are related to one another. Each row in a table is a record with a unique ID called the key. Columns of the table hold attributes of the data. Each record has a value for each attribute.

The motivation behind a SQL injection attack is to gain access to data in a database that the hacker is not authorised to see. With this attack they could obtain personal information about people, such as usernames, passwords and credit card details, or the client lists that companies hold, and sell them on the dark web for money.

Here we have a sample database (A1 SQL Injection (intro) subtask 2): an employees table with columns such as userid, username, etc.

We can query this table with some commands. Let’s try: Select department from employees where last_name='Franco'

This command finds the department of the employee whose last name is ‘Franco’ in the employees table.

SQL injection is a common attack vector that uses malicious SQL code for backend database manipulation to access information that was not intended to be displayed. This information may include any number of items, including sensitive company data, user lists or private customer details.

It’s one of the most popular hacking techniques, but also one of the oldest. Nearly 20 years after its discovery, SQL injection is still relevant. For one, it’s used in an estimated two-thirds of web app attacks today.

In March 2022, a security vulnerability in the e-learning platform Moodle could allow an attacker to take over a database and potentially obtain sensitive information, including private information about users.

Let’s look at an example (A1 SQL Injection (intro) subtask 10). This is numeric SQL injection. Suppose the server builds its query like this: "SELECT * FROM user_data WHERE login_count = " + Login_Count + " AND userid = " + User_ID;

If we just enter the query data normally, there won’t be any problem. But we must know what Login_Count and User_ID are. Only one of these fields is susceptible to SQL injection. Let’s try:

Then click Get account info and you will get all user information. Let’s use the input data to complete the SQL statement:

SELECT * FROM user_data WHERE login_count = 123 AND userid = 1 or 1=1; 

It is easy to see that the trailing ‘or 1=1’ makes the WHERE condition always true, so every row is returned. We can also replace ‘1=1’ with true. That’s how numeric SQL injection works.
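The following is an added example (not code from the workshop or from WebGoat) that rebuilds the lesson's query in two ways against a constructed user_data table in SQLite: the string concatenation shown above, and a parameterized query with integer validation. The column set and rows are assumptions made for the illustration.

```python
import sqlite3

# Constructed rows standing in for WebGoat's user_data table (sample data, not the lesson's own).
SAMPLE_ROWS = [
    (1, "Joe", "Snow", 123),
    (2, "John", "Smith", 123),
    (3, "Jane", "Plane", 123),
]


def make_db():
    """Build an in-memory SQLite database with a small user_data table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE user_data ("
        "userid INTEGER, first_name TEXT, last_name TEXT, login_count INTEGER)"
    )
    conn.executemany("INSERT INTO user_data VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, login_count, user_id):
    """Same string concatenation as the lesson's query: user text becomes SQL."""
    query = (
        "SELECT * FROM user_data WHERE login_count = " + login_count
        + " AND userid = " + user_id
    )
    return conn.execute(query).fetchall()


def lookup_safe(conn, login_count, user_id):
    """Validate that both inputs are integers, then bind them as parameters."""
    try:
        params = (int(login_count), int(user_id))
    except ValueError:
        return []  # non-numeric input is rejected before any SQL runs
    query = "SELECT * FROM user_data WHERE login_count = ? AND userid = ?"
    return conn.execute(query, params).fetchall()


if __name__ == "__main__":
    db = make_db()
    # userid "1 or 1=1" turns the WHERE clause into (... AND userid = 1) OR 1=1
    print(len(lookup_vulnerable(db, "123", "1 or 1=1")), "rows from the vulnerable query")
    print(len(lookup_safe(db, "123", "1 or 1=1")), "rows from the safe query")
```

Because AND binds tighter than OR, the concatenated query matches every row, while the parameterized version never lets the input change the query's structure.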


Authentication Bypasses

Authentication is the process of verifying whether someone or something is in fact who or what it is declared to be. This process keeps anyone or anything out of a system they are not authorised to be in.

The motivation for hackers to bypass authentication systems is to gain access to systems they do not have permission to use. With this, hackers can obtain information or lock users out of their own systems.

It happens in many ways, but usually takes advantage of some flaw in the configuration or logic, tampering with the request to achieve the right conditions.

Let’s try 2FA Password Reset (A2 Authentication Bypasses subtask 2).

When you forget your password, some applications help you reset it by having you answer some questions to confirm your identity, as shown in the figure below.

When we enter some random data and click Submit, we can see in the sent packet that it has these fields.

We can guess that these fields are used by the server to check whether our answers are consistent with the stored ones. So we can go back to the Inspector tab and change the name of the field, as shown in the figure below.

Then we submit our form, and we can successfully change our password, even though we don’t know the answers.
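As an added example (not the workshop's or WebGoat's own code), here is a constructed server-side check that has the logic flaw exploited above, beside a hardened version. The field names secQuestion0/secQuestion1 and the stored answers are assumptions made for the illustration.

```python
import hmac
from urllib.parse import parse_qsl

# Constructed stored answers for one account (illustration only, not WebGoat's own data).
STORED_ANSWERS = {
    "secQuestion0": "blue",
    "secQuestion1": "rover",
}


def parse_form(body):
    """Turn a URL-encoded request body (the fields seen in the Network tab) into a dict."""
    return dict(parse_qsl(body, keep_blank_values=True))


def normalize(answer):
    return answer.strip().lower()


def verify_vulnerable(submitted, stored=STORED_ANSWERS):
    """Flawed check: only the fields that are present get compared.

    A request whose field names were renamed never triggers a mismatch, so it passes.
    """
    for name, expected in stored.items():
        if name in submitted and normalize(submitted[name]) != expected:
            return False
    return True


def verify_safe(submitted, stored=STORED_ANSWERS):
    """Hardened check: every stored question must be present and every answer must match."""
    if set(submitted) != set(stored):
        return False  # missing, renamed or extra fields are rejected outright
    return all(
        hmac.compare_digest(normalize(submitted[name]).encode(), expected.encode())
        for name, expected in stored.items()
    )


if __name__ == "__main__":
    tampered = parse_form("secQuestion0x=anything&secQuestion1x=anything")
    print("vulnerable:", verify_vulnerable(tampered))  # True: the bypass succeeds
    print("safe:", verify_safe(tampered))              # False
```

The fix is to drive the comparison from the server's list of required questions rather than from whatever fields the client chose to send.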


End of the workshop.