Lab
Preparation
- Take down the IP address of the Virtual Machine (VM) assigned to you. e.g. 18.142.95.177 (For example only, do not use this IP Address)
Get your the IP address of your VM HERE.
Step 1 – Remote Login
- Remote Login to your own VM using the IP address given to you
- Log in using the following credentials
Username: admin
Password: password
Step 2 – Run OWASP ZAP
- Open OWASP Zap application in the VM
Step 3 – Run Firefox
- Open Firefox in your VM
Step 4 – Examine Message in ZAP
- Examine message in ZAP
Step 5 – Login to webgoat
- Login into Webgoat.
Step 6 – Examine Message in ZAP
- Examine new message in ZAP
Step 7 – Exploring Injection Flaws – 1
- Expand Injection Flaws, click on SQL Injection and Click on icon 7
- Key in: dummy’ or ‘1’=‘1
- You will get all the information in the database.
Step 7 – Exploring Injection Flaws – 2
- Click on icon 8
- Enter 101 and Click on “Get Account Info” button
- Enter 101 or true and Click on “Get Account Info” button
- You get more than your own account info
Step 8 – Bypass Client Side Restrictions
- Expand Client side, click on Bypass front-end restrictions
- Click on icon 2
- Click on “Submit” button
Step 9 – Examine Message in ZAP
- Examine message in ZAP:
a. Select the last message
b. Click on Request tab
c. Examine the POST message
Step 10 – Intercept the Next Message
- Move mouse to the green icon, it will turn red and click once on it
Step 11 – Back at Firefox…
- Go back to Firefox and “Submit” button
Step 12 – At ZAP…
- Click on the OK button
Step 13 – Examine the Intercepted Message
Step 14 – Modify the Intercepted Message
- Modify the message as follows:
a. select=option3
b. radio=option4
c. checkbox=hello
d. shortInput=123456789
Step 15 – Send the Modified Message
- Click on the “Play” icon
- Congratulations, you have successfully intercepted and modified the message.
icode 