This is a lab from my Springboard bootcamp that allowed me to demonstrate a SQL injection attack against WebGoat
OWASP ZAP is an attack proxy that lets us intercept and alter requests between the browser and the server. This makes possible many injection attacks you can't perform with the browser alone. ZAP can also perform vulnerability scans, fuzzing and other web application tests.
You can view the list of tools available by clicking Tools > Options.
In this lab, we utilized Firefox as our browser. In Firefox, you'll enable the ZAP proxy by clicking the FoxyProxy icon in the top right corner of the browser. Select the ZAP setting in green.
WebGoat is an insecure web application created by OWASP to demonstrate application vulnerabilities. Open WebGoat by double-clicking it. It will launch in a terminal; allow it to load completely. You will know it has finished loading when the message "Browse to http://localhost:8080/WebGoat and happy hacking!" is shown.
Return to Firefox and navigate to localhost:8080/WebGoat. WebGoat provides guest login credentials; go ahead and use the guest account to log in.
In the left pane, click Injection Flaws > Stage 1: String SQL Injection
At the login page, if you click the dropdown menu you can see a list of employee names with a password field underneath. We will use an injection attack to login without a password.
Go back to ZAP and click the Set Break icon (it's the green circle above the second pane).
ZAP will now intercept all web requests and responses, allowing us to examine them. Go back to WebGoat and log in as Neville Bartholomew using the password "guest". Go back to the ZAP window, and you should see the intercepted login request.
Now we are going to inject our SQL attack by changing the password field to 1' OR '1'='1.
At the top of the toolbar in ZAP, press the Submit and step to next request or response button twice. This submits the request to the server and then returns the response to WebGoat. Return to your Firefox window. You should get a notification that states you've made it to Stage 2. Notice we have now logged in as an admin and can see a list of all employees.
Go back to ZAP and click the Submit and continue to next break point icon on the tool bar. This will run through the rest of the process and remove the break point, allowing us to move freely throughout the browser without being intercepted by ZAP.
Back in Firefox, click any employee's name and you're able to view their profile. We're not only able to view, but can edit their private information and find PII like their Social Security Number and their Credit Card number.
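To show why the password 1' OR '1'='1 logs us in without a real password, here is an added example (not WebGoat's own code or schema) with a constructed in-memory employee table. The login_vulnerable function concatenates the user input into the query, so the injected quote closes the password literal and the OR '1'='1' makes the WHERE clause true for every row; login_parameterized sends the same input as a bound parameter, so the quote characters stay inside the value and the bypass fails. The employee names and passwords are made up for the example.

```python
import sqlite3

# Constructed sample data; not WebGoat's real schema, names or passwords.
EMPLOYEES = [
    ("Neville Bartholomew", "guest", "admin"),
    ("Larry Stooge", "larry", "employee"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed employees."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employee (name TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO employee VALUES (?, ?, ?)", EMPLOYEES)
    return conn


def build_vulnerable_sql(name, password):
    """The query text a string-concatenating login handler would produce.
    With password 1' OR '1'='1 this becomes:
    ... AND password = '1' OR '1'='1'   (true for every row)."""
    return ("SELECT name, role FROM employee WHERE name = '" + name
            + "' AND password = '" + password + "'")


def login_vulnerable(conn, name, password):
    """Hypothetical 'before' state: user input spliced into the SQL string."""
    return conn.execute(build_vulnerable_sql(name, password)).fetchall()


def login_parameterized(conn, name, password):
    """Fixed version: the driver binds the values, so quotes in the
    input are data, never SQL syntax."""
    sql = "SELECT name, role FROM employee WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchall()


def looks_like_tautology(value):
    """Crude detection heuristic for request logs or a WAF rule: a quote
    followed by OR and a comparison of two identical literals."""
    import re
    return re.search(r"'\s*or\s*'([^']*)'\s*=\s*'\1", value, re.I) is not None


if __name__ == "__main__":
    db = make_db()
    payload = "1' OR '1'='1"
    print(build_vulnerable_sql("Neville Bartholomew", payload))
    print("vulnerable rows:", login_vulnerable(db, "Neville Bartholomew", payload))
    print("parameterized rows:", login_parameterized(db, "Neville Bartholomew", payload))
    print("flagged:", looks_like_tautology(payload))
```

Run it and compare the two row counts: the concatenated query returns every employee (the first row is what the application treats as the logged-in user), while the parameterized query returns nothing for the injected password and one row only when the correct constructed password "guest" is supplied.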
Now we will conduct a command injection; this takes advantage of vulnerabilities that allow us to run shell commands on the underlying host. Back in the WebGoat menu, click Injection Flaws > Command Injection.
Next, go back to ZAP and press Ctrl+B, the keyboard shortcut to set a break in ZAP. Once the break is set, go back to WebGoat, choose any lesson from the dropdown menu next to "Select the lesson plan to view" and click View. You should get the intercepted request with the "HelpFile" field. This is where we will inject the shell command.
In the request, replace the file name with NoRealFile.help" || netstat -an. Then click Submit and step to next request or response twice.
Instead of the requested file, the page displays the output of the 'netstat' command from the host's perspective.
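The injected value works because the help file name is spliced into a shell command: the double quote closes the quoted path, and || tells the shell to run the second command when the first (reading a file that does not exist) fails. The added example below (not WebGoat's own code; the help directory and its contents are constructed) shows the command string such a handler would build, without executing it, next to a hardened reader that validates the name against a strict pattern, keeps the path inside the help directory and opens the file directly instead of going through a shell.

```python
import os
import re
import tempfile

# Constructed sample help directory and file; not WebGoat's real layout.
BASE_DIR = tempfile.mkdtemp(prefix="helpfiles_")
with open(os.path.join(BASE_DIR, "BasicAuthentication.help"), "w") as fh:
    fh.write("Sample help text (constructed for this example).\n")

# Only plain names ending in .help: no quotes, spaces, slashes or shell metacharacters.
HELP_NAME = re.compile(r"[A-Za-z0-9_-]+\.help")


def build_command_vulnerable(help_file):
    """Hypothetical 'before' state: the request field is concatenated into a
    shell command string. Returned as text, never executed, so the effect of
    the injected quote and || is visible for inspection."""
    return 'cat "' + os.path.join("helpfiles", help_file) + '"'


def read_help_file_safe(help_file):
    """Hardened handler: allowlist the name, confine the path, no shell."""
    if not HELP_NAME.fullmatch(help_file):
        raise ValueError("rejected help file name: %r" % help_file)
    base = os.path.realpath(BASE_DIR)
    path = os.path.realpath(os.path.join(base, help_file))
    if os.path.dirname(path) != base:
        raise ValueError("path escapes help directory: %r" % help_file)
    with open(path) as fh:
        return fh.read()


def rejects(help_file):
    """True when the hardened reader refuses the supplied name."""
    try:
        read_help_file_safe(help_file)
    except (ValueError, FileNotFoundError):
        return True
    return False


if __name__ == "__main__":
    injected = 'NoRealFile.help" || netstat -an'
    print("vulnerable command string:", build_command_vulnerable(injected))
    print("hardened rejects injected name:", rejects(injected))
    print("hardened reads legitimate name:", read_help_file_safe("BasicAuthentication.help").strip())
```

Printing the vulnerable string makes the parse obvious: cat "helpfiles/NoRealFile.help" || netstat -an", where the shell sees a failed cat followed by a second command. The hardened version never hands user input to a shell at all; even if the allowlist were loosened, opening the file with the language runtime leaves no command line for the input to break out of.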
The End!
Thanks for checking out my SQL Injection Attack!