[MUSIC] Hello everyone. Today we're going to have a look at WebGoat's SQL injection vulnerability. Now as you can see here, I am using Firefox to access the WebGoat login page. And for myself, I'm using the defaults for WebGoat. It defaults to localhost port 8080 as how you would access WebGoat when you start up the WebGoat server. So I'm going to go ahead and log in to WebGoat. Now, we are going to go into Injection Flaws > Numeric SQL Injection.

Now in this lab, the scenario is that you can select your local weather station through these controls, and I've got it set up here for myself as Columbia. And when you click on this Go button, it shows you the results that you were expecting. And you can choose a different city and have the information for that particular city set up and shown for you.

Now when you look at the request traffic that Burp Suite intercepts, we can see something very interesting. So if you go into Burp Suite and go into the Proxy tab and click on the Intercept sub-tab, you'll see that the intercept is off. So let's click that on, and now what will happen is every time the client side, which is the browser, makes a request to the server, Burp will be able to see it first before it ends up getting sent to the server. So to show you how that works, I'll click on Go to make a request to the server. Now as you can see here, intercept is on and it sees that this information is captured. So I'll click on Forward, and this Forward button allows the request to get sent to the server, okay? So as you can see, our web client made a POST request to the path WebGoat/attack. And you can see here the POST parameter station is set to 101. And that corresponds to the local weather station in numerical form. So what we're going to do is forward that request again. Forward that request again, and keep going until you have no more ability to forward any requests to the server. So the station is 101 and it corresponds to Columbia.
Now let's turn off intercept, so intercept is off. So Burp won't be able to intercept client requests before they get sent out to the server. So that's fine. What I am going to show you now is the source for this functionality of choosing the local weather station. So if you look at the source and you scroll all the way down, you'll find that the query is generated in this manner, and they've concatenated the station value here. So that can kind of give you a hint of what to do or how to start playing around with it.

The goal here is to, from one request, try to show all of the results of all the local weather stations. So we want this select statement to be true for all cases. So in order for that to happen, what we could try is this. We'll send a request, or rather first we have to turn on intercept in Burp Suite, and then send the request over. And here we have the ability to modify the request data from the client before it gets sent to the server. So what we will do is we will say 101 is fine, but we will say "or 1=1" is something that we can say. So it will end up making these select queries such that it will select station 101 as a station, and then it will append "or 1=1", which is always true. So what we're going to do now is we're going to forward this modified request over to the server. So we're going to forward, all right, so here we see we have performed a very simple SQL injection vulnerability.
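To make the concatenation point concrete, here is an added Python example (not WebGoat's code or the lab's source) that rebuilds the lesson's query against an in-memory SQLite table. The table name, column names, and the weather rows are constructed for this example; the vulnerable function pastes the station parameter into the SQL text exactly as the lab does, and the hardened function shows the defensive fix of validating the id and binding it as a parameter.

```python
import sqlite3

# Constructed sample data standing in for the lab's weather table (names assumed).
STATIONS = [
    (101, "Columbia", 65),
    (102, "Seattle", 48),
    (103, "New York", 70),
    (104, "Houston", 82),
]


def make_db():
    """Build an in-memory SQLite database with the constructed weather rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE weather_data (station INTEGER, name TEXT, temperature INTEGER)"
    )
    conn.executemany("INSERT INTO weather_data VALUES (?, ?, ?)", STATIONS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, station):
    """Mirrors the lab: the request parameter is concatenated into the SQL text.

    A value such as "101 or 1=1" becomes part of the WHERE clause, so the
    condition is true for every row and all stations are returned.
    """
    query = (
        "SELECT station, name, temperature FROM weather_data WHERE station = "
        + station
    )
    return conn.execute(query).fetchall()


def lookup_safe(conn, station):
    """Hardened form: reject anything that is not a plain integer id, then bind it.

    With parameter binding the value is never parsed as SQL, so "101 or 1=1"
    cannot widen the query; here it is rejected before any query runs.
    """
    if not station.strip().isdigit():
        raise ValueError("station must be a numeric id")
    query = "SELECT station, name, temperature FROM weather_data WHERE station = ?"
    return conn.execute(query, (int(station),)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, station=101      ->", lookup_vulnerable(db, "101"))
    print("vulnerable, station=101 or 1=1 ->", lookup_vulnerable(db, "101 or 1=1"))
    print("safe, station=101            ->", lookup_safe(db, "101"))
```

Running it prints one row for the normal request, all four rows for the tampered one through the concatenated query, and one row through the parameterized query.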