The WebGoat XXE (XML External Entity) section has 3 exercises. The first 2 are pretty easy, the last one quite difficult. So without further ado, let’s get to it! Exercise 3 In this exercise you are asked to list the contents of the root file system directly in a comment using XXE. For this, you …
The OWASP WebGoat SQL Injection Mitigation lesson 8 is another blind SQL exercise, very similar to the SQL advanced lesson 5. Actually, I solved it with a similar technique to that one. The goal is to find the IP of the webgoat-prd server, which is not listed on the page. Try sorting the entries via the …
Last week I wrote about the OWASP WebGoat XSS lessons. Today I’d like to write a few pointers on how to solve the SQL injection (advanced) lesson 5. The goal is simple: you are presented with a login box and given a username; log in as that user. The usual username’ OR ‘1’=’1 — unfortunately doesn’t …
I recently installed WebGoat, a deliberately vulnerable web app with built-in lessons. While some of the lessons are very easy, they quickly rise to a much higher difficulty. Even though the app does explain the basic concepts, the explanations are nowhere good enough to solve the exercises provided. In this post I’ll focus on the Cross-Site …