Objective: To demonstrate how unsanitized user input allows attackers to bypass authentication and exfiltrate sensitive database records.
1. The Vulnerability: Improper Neutralization (CWE-89)
The application was found to be vulnerable to String-based SQL Injection because the backend code constructed dynamic queries by concatenating user input directly into SQL strings. This represents a critical failure in input validation, allowing an attacker to alter the intended logic of the database query to bypass security controls.
2. Technical Execution: Database Interrogation
I targeted the lastName field within the WebGoat environment. By injecting a logic-based payload, I forced the backend SQL engine to evaluate the query’s WHERE clause as TRUE for every row, bypassing the requirement for a specific valid credential.
| Component | Value | Purpose |
|---|---|---|
| Environment | WebGoat (localhost:8080) | A deliberately vulnerable web application for security training. |
| Target Field | lastName | The input vector used to inject malicious SQL commands. |
| Database | Hypersonic SQL (HSQLDB) | The backend storage engine utilized by the application. |
| Payload | ' OR '1'='1 | The SQL snippet used to force a “TRUE” evaluation. |
3. Execution Workflow
- Discovery: Navigated to the “SQL Injection (Mitigations)” module and identified that the input field was susceptible to string-based manipulation based on provided source code examples.
- Vulnerability Analysis: Determined the backend query structure was constructed as:
  SELECT * FROM user_data WHERE first_name = 'John' AND last_name = '<user_input>'
- Exploitation: Entered the `' OR '1'='1` payload into the `lastName` field to break out of the string literal and append a tautology.
- Post-Exploitation: Successfully dumped the contents of the `user_data` table, gaining unauthorized access to all registered user records.
4. Key Commands
-- The malicious input injected into the lastName field:
' OR '1'='1
-- The resulting query executed by the database:
SELECT * FROM user_data WHERE first_name = 'John' AND last_name = '' OR '1'='1'
5. Evidence of Work
6. Professional Impact
This project illustrates a complete breach of Data Confidentiality, as sensitive PII was stolen using a simple logic-based attack. To remediate this, I recommended the use of Parameterized Queries (Prepared Statements), which ensure that user input is never interpreted as executable code. Additionally, I advised implementing server-side input validation and suppressing raw SQL error messages to prevent further reconnaissance.
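The following is an added example, not code from WebGoat or from this write-up. It reconstructs the query pattern described in sections 3 and 4 and the remediation recommended above, side by side: the concatenated query from the "Key Commands" section, a parameterized version of the same lookup, and a server-side validator for the lastName field. WebGoat itself is a Java application backed by HSQLDB; here an in-memory SQLite database with constructed rows stands in for the user_data table so the comparison runs offline. Table columns, sample values and function names are assumptions for illustration.

```python
import re
import sqlite3

# Constructed sample rows standing in for WebGoat's user_data table
# (column names and values are assumptions, not WebGoat's real schema).
SAMPLE_ROWS = [
    (101, "John", "Smith", "4111-1111-1111-1111"),
    (102, "Jane", "Doe", "5500-0000-0000-0004"),
    (103, "John", "Plane", "3400-0000-0000-009"),
]


def make_db():
    """Create an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE user_data (userid INTEGER, first_name TEXT, "
        "last_name TEXT, cc_number TEXT)"
    )
    conn.executemany("INSERT INTO user_data VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_concatenated(conn, first_name, last_name):
    """Vulnerable pattern (CWE-89): user input is spliced into the SQL text.

    With the write-up's payload in last_name, the string becomes
    ... AND last_name = '' OR '1'='1'  and the WHERE clause is true for every row.
    """
    query = (
        "SELECT * FROM user_data WHERE first_name = '" + first_name
        + "' AND last_name = '" + last_name + "'"
    )
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, first_name, last_name):
    """Remediated pattern: placeholders bind the input as data, never as SQL.

    The same payload is compared literally against last_name and matches nothing.
    """
    query = "SELECT * FROM user_data WHERE first_name = ? AND last_name = ?"
    return conn.execute(query, (first_name, last_name)).fetchall()


# Defense in depth for the lastName field: a conservative allowlist of characters
# that occur in surnames. This is a hypothetical rule layered on top of
# parameterization, not a replacement for it (names like O'Brien still pass).
_LAST_NAME_RE = re.compile(r"[A-Za-z][A-Za-z' -]{0,49}")


def is_valid_last_name(value):
    """Return True if the value matches the surname allowlist exactly."""
    return _LAST_NAME_RE.fullmatch(value) is not None


def compare(last_name_input):
    """Run both query styles against the same input.

    Returns (rows_from_concatenated_query, rows_from_parameterized_query).
    """
    conn = make_db()
    try:
        return (
            len(lookup_concatenated(conn, "John", last_name_input)),
            len(lookup_parameterized(conn, "John", last_name_input)),
        )
    finally:
        conn.close()


if __name__ == "__main__":
    payload = "' OR '1'='1"  # the payload from the write-up
    print("legitimate input 'Smith':", compare("Smith"))
    print("injected payload:", compare(payload))
    print("validator accepts payload:", is_valid_last_name(payload))
```

Running it shows the concatenated query returning every row for the payload while the parameterized query returns none, and the validator rejecting the payload before it reaches the database. The parameterized function is the control that actually removes the vulnerability; the validator only narrows what reaches it.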