Learning SQL Injection with WebGoat

Zer0rigin
Feb 5, 2022

Starting off, I downloaded the WebGoat Docker image from GitHub to my Kali Linux VM. In Kali, I navigated to https://github.com/WebGoat/WebGoat. Then, in the terminal, I ran the command: docker run -it -p 127.0.0.1:80:8888 -p 127.0.0.1:8080:8080 -p 127.0.0.1:9090:9090 -e TZ=Europe/Amsterdam webgoat/goatandwolf:v8.2.2. This took a few minutes to download in the terminal, and once the download completed I simply navigated to http://localhost:8080/WebGoat, where a login appeared and I registered as a new user.

If the download is successful, here is what you should see, starting off with the login page.

Structured Query Language (SQL) Injection

This is my first time using WebGoat to practice SQL injection techniques, so I will start from the beginning with A1 SQL Injection Intro and work through some of the exercises. The first challenge is to retrieve the department of employee Bob Franco. I will do just that, starting off with SELECT * FROM EMPLOYEES WHERE USERID=96134. This tells the database to give me all results from employees whose user ID is 96134.

If done correctly, here is the result with all of Mr. Franco’s information from the SQL database!

Data Manipulation Language (DML)

Moving right along to the next challenge, this one asks for the use of data manipulation language to change the data in the database. This is a pretty cool challenge because doing this messes with the integrity of the data. For this challenge, I entered UPDATE EMPLOYEES SET department='Sales' WHERE USERID=89762 and the table changes the user's department from Development to Sales, thus affecting the integrity of the data.

The data is changed and the integrity of the data is compromised with SQL injection.

Data Definition Language (DDL)

The challenge on the fourth page asks for the altering of the employees table to add the phone column. This is done with the statement ALTER TABLE employees ADD phone varchar(20).

Again, the integrity of the data is affected as we added Phone to the employees table.
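As an added example (not part of the original post or of WebGoat), the Python script below replays the post's SELECT, UPDATE and ALTER TABLE statements through a connection restricted to read-only actions, showing how a least-privilege database account blocks the statements that change data or schema. It assumes SQLite as a stand-in for WebGoat's database and SQLite's authorizer callback as a stand-in for a SELECT-only account; the table rows are constructed, and the GRANT statement is left out because SQLite has no GRANT.

```python
import sqlite3

# Actions a read-only application account needs: run a SELECT and read columns.
READ_ONLY_ACTIONS = {sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ}


def read_only_authorizer(action, arg1, arg2, db_name, source):
    """Allow reads; deny every action that changes data or schema."""
    return sqlite3.SQLITE_OK if action in READ_ONLY_ACTIONS else sqlite3.SQLITE_DENY


def build_db():
    """Constructed sample table; only the two user IDs, Bob Franco's name
    and the Development department come from the post."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (userid INTEGER PRIMARY KEY, "
                 "first_name TEXT, last_name TEXT, department TEXT)")
    conn.executemany("INSERT INTO employees VALUES (?, ?, ?, ?)", [
        (96134, "Bob", "Franco", "Marketing"),     # department is constructed
        (89762, "Sample", "User", "Development"),  # name is constructed
    ])
    conn.commit()
    return conn


def run(conn, sql):
    """Return ('ok', rows) or ('denied', message) for one statement."""
    try:
        return "ok", conn.execute(sql).fetchall()
    except sqlite3.DatabaseError as exc:
        return "denied", str(exc)


def demo():
    conn = build_db()
    conn.set_authorizer(read_only_authorizer)  # simulate a SELECT-only account
    results = {
        "select": run(conn, "SELECT * FROM employees WHERE userid=96134"),
        "update": run(conn, "UPDATE employees SET department='Sales' WHERE userid=89762"),
        "alter": run(conn, "ALTER TABLE employees ADD phone varchar(20)"),
    }
    # Confirm with plain reads that neither the data nor the schema changed.
    cur = conn.execute("SELECT * FROM employees WHERE userid=89762")
    results["columns"] = [col[0] for col in cur.description]
    results["dept_89762"] = cur.fetchone()[3]
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

On a real database server the same effect comes from connecting the application with an account that holds only the privileges it needs, rather than from a callback in the client.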

Data Control Language (DCL)

Here the challenge is to grant privileges to an unauthorized user. This can be done with the statement grant select on grant_rights to unauthorized_user. This one is a bit confusing to me and not quite as straightforward as the others, but the statement does make some sense after using the hints to solve the challenge. It seems like the “grant select on” statement is enabling the ability to grant a user the rights and the “to unauthorized_user” is telling the statement which user to grant the rights.

Granting an unauthorized user privileges to a database.

That is all for me for now, but so far so good, and I think WebGoat is a valuable free resource for beginners to learn hands-on hacking techniques. I will definitely be jumping back on WebGoat again in the near future to finish up the other SQL Injection Intro challenges. I will either update this post with the rest of the challenges or create another post.

Thank you for stopping by!

-Zer0rigin

Zer0rigin

SOC Incident Response Analyst. Adamant about privacy and security. Fascinated by technology ever since a Super Nintendo controller graced my hand.