Stop Hacker, Save Websites



  • Note down the IP address of the Virtual Machine (VM) assigned to you. (Any IP address shown in these instructions is an example only; do not use it.)

Get the IP address of your VM HERE.

Step 1 – Remote Login

  • Log in remotely to your own VM using the IP address given to you
  • Log in using the following lab credentials:

Username: admin
Password: password

Step 2 – Run OWASP ZAP

  • Open the OWASP ZAP application in the VM

Step 3 – Run Firefox

  • Open Firefox in your VM. Firefox must send its traffic through ZAP's local proxy listener (127.0.0.1 port 8080 by default) for its requests to appear in ZAP; if nothing shows up in the later steps, check Firefox's proxy settings first.

Step 4 – Examine Message in ZAP

  • Examine the message ZAP has captured from Firefox

Step 5 – Login to webgoat

  • Log in to WebGoat.

Step 6 – Examine Message in ZAP

  • Examine the new message in ZAP: it is the login request you just submitted

Step 7 – Exploring Injection Flaws – 1

  • Expand Injection Flaws, click on SQL Injection and click on icon 7
  • Key in: dummy' or '1'='1 (use straight single quotes)
  • You will get every row in the table, not just the one matching the name you typed: the first quote closes the string literal the application built around your input, and the appended or '1'='1' makes the WHERE condition true for every row.

Step 7 – Exploring Injection Flaws – 2

  • Click on icon 8
  • Enter 101 and click on the "Get Account Info" button: only account 101 is returned
  • Enter 101 or true and click on the "Get Account Info" button. This field is numeric, so no quote is needed to break out; the WHERE condition becomes "... = 101 or true", which matches every account
  • You get more than your own account info
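The two injections above, seen from the application's side, as an added Python example that is not part of this lab or of WebGoat's own code. A constructed in-memory SQLite table stands in for the lesson's account data (table and column names are assumptions); the string-concatenated queries are the kind the lesson attacks, and the parameterized versions show the fix. The numeric injection uses "101 or 1=1" instead of the lesson's "101 or true" only because "true" as a literal depends on the SQLite version.

```python
import sqlite3

# Constructed sample rows standing in for the lesson's account data.
# Table and column names below are assumptions, not WebGoat's real schema.
USERS = [
    (101, "Joe", "Snow", 987654321),
    (102, "John", "Smith", 234234234),
    (103, "Jane", "Plane", 345345345),
]


def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE user_data "
        "(userid INTEGER, first_name TEXT, last_name TEXT, cc_number INTEGER)"
    )
    conn.executemany("INSERT INTO user_data VALUES (?, ?, ?, ?)", USERS)
    return conn


def lookup_by_last_name_vulnerable(conn, last_name):
    # String concatenation: whatever the user typed becomes part of the SQL.
    sql = "SELECT * FROM user_data WHERE last_name = '" + last_name + "'"
    return conn.execute(sql).fetchall()


def lookup_by_id_vulnerable(conn, account_id):
    # Numeric context: no quotes to close, so "101 or 1=1" is already valid SQL.
    sql = "SELECT * FROM user_data WHERE userid = " + account_id
    return conn.execute(sql).fetchall()


def lookup_by_last_name_safe(conn, last_name):
    # Parameterized query: the input is bound as data and never parsed as SQL.
    return conn.execute(
        "SELECT * FROM user_data WHERE last_name = ?", (last_name,)
    ).fetchall()


def lookup_by_id_safe(conn, account_id):
    # Validate the type first (int() raises ValueError on "101 or 1=1"), then bind.
    return conn.execute(
        "SELECT * FROM user_data WHERE userid = ?", (int(account_id),)
    ).fetchall()


def demo():
    """Run the lesson's inputs against both versions; return row counts per case."""
    conn = setup_db()
    results = {
        "string_normal": len(lookup_by_last_name_vulnerable(conn, "Smith")),
        "string_injected": len(lookup_by_last_name_vulnerable(conn, "dummy' or '1'='1")),
        "numeric_normal": len(lookup_by_id_vulnerable(conn, "101")),
        "numeric_injected": len(lookup_by_id_vulnerable(conn, "101 or 1=1")),
        "safe_string_injected": len(lookup_by_last_name_safe(conn, "dummy' or '1'='1")),
    }
    try:
        lookup_by_id_safe(conn, "101 or 1=1")
        results["safe_numeric_injected"] = "accepted"
    except ValueError:
        results["safe_numeric_injected"] = "rejected"
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, outcome)
```

The vulnerable string lookup returns all three rows for the injected input and the vulnerable numeric lookup does the same for "101 or 1=1"; the parameterized string lookup returns nothing (no last name is literally "dummy' or '1'='1"), and the parameterized numeric lookup rejects the input before it reaches the database.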

Step 8 – Bypass Client Side Restrictions

  • Expand Client side, click on Bypass front-end restrictions
  • Click on icon 2
  • Click on the "Submit" button. The form only lets you pick from its predefined options, and it is the browser that enforces that.

Step 9 – Examine Message in ZAP

  • Examine the message in ZAP:
    a. Select the last message
    b. Click on the Request tab
    c. Examine the POST request body: it carries the form fields (select, radio, checkbox, shortInput) as name=value pairs

Step 10 – Intercept the Next Message

  • Move the mouse to the green break icon and click it once so that it turns red: ZAP will now hold the next request for editing instead of forwarding it straight to the server

Step 11 – Back at Firefox…

  • Go back to Firefox and click the "Submit" button. The browser will appear to hang, because ZAP is holding the request.

Step 12 – At ZAP…

  • Click on the OK button

Step 13 – Examine the Intercepted Message

  • The held POST request is shown in ZAP's Break tab; its body is editable before it is forwarded

Step 14 – Modify the Intercepted Message

  • Modify the request body as follows (none of these values can be produced through the form's own controls):
    a. select=option3
    b. radio=option4
    c. checkbox=hello
    d. shortInput=123456789

Step 15 – Send the Modified Message

  • Click on the "Play" icon to forward the edited request to the server
  • Congratulations, you have successfully intercepted and modified the message. The lesson's point is that a restriction enforced only in the browser is no restriction at all; the server must validate every field itself.
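The tampered body from Step 14 as it looks to a server that does its own validation, as an added Python example that is not part of this lab or of WebGoat's own code. It parses the URL-encoded POST body exactly as a web framework would and re-checks every field against what the form's own controls could have sent. The allowed option values, the checkbox value "on" and the maxlength of 5 are assumptions for illustration, not the lesson's real form definition; both request bodies are constructed.

```python
from urllib.parse import parse_qs

# What the HTML form lets a well-behaved browser send.  These allow-lists are
# assumptions for illustration, not the lesson's real form definition.
ALLOWED = {
    "select": {"option1", "option2"},
    "radio": {"option1", "option2"},
    "checkbox": {"on"},
}
SHORT_INPUT_MAXLENGTH = 5  # assumed maxlength attribute of shortInput

# Constructed request bodies: what the browser sends untouched (assumed),
# and the body after it was edited in ZAP in Step 14.
ORIGINAL_BODY = "select=option1&radio=option1&checkbox=on&shortInput=12345"
TAMPERED_BODY = "select=option3&radio=option4&checkbox=hello&shortInput=123456789"


def validate_form(body):
    """Re-check every field server-side.

    Returns a dict mapping each offending field to the reason it was rejected;
    an empty dict means the body is acceptable.  Repeated or missing fields are
    rejected too, since a proxy can add or drop parameters as easily as edit them.
    """
    fields = parse_qs(body, keep_blank_values=True)
    problems = {}
    for name, allowed in ALLOWED.items():
        values = fields.get(name, [])
        if len(values) != 1:
            problems[name] = "missing or repeated"
        elif values[0] not in allowed:
            problems[name] = "not an allowed value: %r" % values[0]
    short = fields.get("shortInput", [])
    if len(short) != 1:
        problems["shortInput"] = "missing or repeated"
    elif len(short[0]) > SHORT_INPUT_MAXLENGTH:
        problems["shortInput"] = "exceeds maxlength %d" % SHORT_INPUT_MAXLENGTH
    return problems


if __name__ == "__main__":
    print("original:", validate_form(ORIGINAL_BODY))
    print("tampered:", validate_form(TAMPERED_BODY))
```

The untouched body passes; the body edited in ZAP is rejected on all four fields, which is the check the vulnerable lesson page is missing.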