Objective: To demonstrate how unsanitized user input allows attackers to bypass authentication and exfiltrate sensitive database records.

1. The Vulnerability: Improper Neutralization (CWE-89)

The application was found to be vulnerable to string-based SQL injection because the backend constructed dynamic queries by concatenating user input directly into SQL strings. The root cause is a failure to separate code from data rather than a simple input-validation gap: whatever the user types is parsed by the database as part of the statement, so an attacker can rewrite the logic of the WHERE clause and bypass the security control it implements.

2. Technical Execution: Database Interrogation

I targeted the lastName field within the WebGoat environment. By injecting a tautology into the string literal, I forced the backend SQL engine to evaluate the query's WHERE clause as TRUE for every row, so the query returned every record in the table instead of only the row matching a specific last name.

Component     | Value                     | Purpose
Environment   | WebGoat (localhost:8080)  | A deliberately vulnerable web application for security training.
Target Field  | lastName                  | The input vector used to inject malicious SQL.
Database      | Hypersonic SQL (HSQLDB)   | The backend storage engine used by the application.
Payload       | ' OR '1'='1               | The SQL fragment that forces the WHERE clause to evaluate TRUE.

3. Execution Workflow

  1. Discovery: Navigated to the “SQL Injection (Mitigations)” module and identified that the input field was susceptible to string-based manipulation based on provided source code examples.
  2. Vulnerability Analysis: Determined the backend query structure was constructed as: SELECT * FROM user_data WHERE first_name = 'John' AND last_name = '<user_input>'.
  3. Exploitation: Entered the ' OR '1'='1 payload into the lastName field. The leading quote closes the string literal, and the remainder appends a tautology that the database evaluates as part of the WHERE clause.
  4. Post-Exploitation: Because every row now satisfies the WHERE clause, the query returned the entire user_data table, giving unauthorized access to all registered user records.

4. Key Commands

-- The malicious input injected into the lastName field:
' OR '1'='1

-- The resulting query executed by the database. AND binds more tightly than OR,
-- so this is read as (first_name = 'John' AND last_name = '') OR '1'='1',
-- which is TRUE for every row:
SELECT * FROM user_data WHERE first_name = 'John' AND last_name = '' OR '1'='1'

5. Evidence of Work

Discovery
Caption: OWASP ZAP identifying a high-risk SQL Injection vulnerability in the application parameters.

Results
Caption: Successful exfiltration of sensitive user data, including credit card numbers and session cookies.

6. Professional Impact

This project illustrates a complete breach of data confidentiality: sensitive PII and payment data were exposed using a single logic-based payload. To remediate this, I recommended parameterized queries (prepared statements), which bind user input as data so that the database never parses it as part of the SQL statement. As defense in depth, not as a substitute, I also advised server-side input validation and suppressing raw SQL error messages, which would otherwise hand an attacker the table and column names needed for further reconnaissance.
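The following is a worked example added to this write-up; it is not code from the original page or from WebGoat itself. It rebuilds the concatenated query from sections 3 and 4 against an in-memory SQLite database standing in for HSQLDB (the user_data columns, the sample rows and the sqlite3 stand-in are assumptions), runs the ' OR '1'='1 payload through it, and then shows the prepared-statement fix recommended in section 6 against the same input.

```python
"""Vulnerable string concatenation vs. a parameterized query.

Added example, not part of the original write-up or WebGoat's code.
Assumptions: SQLite stands in for HSQLDB, and the user_data columns and
sample rows below are constructed to resemble the table named in the write-up.
"""
import sqlite3

# The payload used in the write-up.
PAYLOAD = "' OR '1'='1"

# Constructed sample data (assumption: column layout of WebGoat's user_data).
SAMPLE_ROWS = [
    (101, "Joe", "Snow", "987654321", "VISA", "snowj", 0),
    (102, "John", "Smith", "2234200065411", "MC", "smithj", 0),
    (103, "Jane", "Plane", "123456789", "VISA", "planej", 0),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory database with a user_data table and sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE user_data (userid INTEGER, first_name TEXT, last_name TEXT, "
        "cc_number TEXT, cc_type TEXT, cookie TEXT, login_count INTEGER)"
    )
    conn.executemany("INSERT INTO user_data VALUES (?, ?, ?, ?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def vulnerable_query(last_name: str) -> str:
    """Deliberately vulnerable: builds the SQL text by concatenation.

    With the payload, the string literal is closed early and the rest of the
    input becomes SQL. Because AND binds tighter than OR, the database reads
    the result as (first_name = 'John' AND last_name = '') OR '1'='1'.
    """
    return (
        "SELECT * FROM user_data WHERE first_name = 'John' "
        f"AND last_name = '{last_name}'"
    )


def lookup_vulnerable(conn: sqlite3.Connection, last_name: str) -> list:
    """Run the concatenated query; returns every row when given the payload."""
    return conn.execute(vulnerable_query(last_name)).fetchall()


def lookup_safe(conn: sqlite3.Connection, last_name: str) -> list:
    """Prepared statement: the input is bound as a value and never parsed as SQL.

    The same payload is compared literally against last_name and matches nothing.
    """
    return conn.execute(
        "SELECT * FROM user_data WHERE first_name = 'John' AND last_name = ?",
        (last_name,),
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("Query sent to the database:")
    print("  " + vulnerable_query(PAYLOAD))
    print("Vulnerable lookup rows:", len(lookup_vulnerable(db, PAYLOAD)))
    print("Parameterized lookup rows:", len(lookup_safe(db, PAYLOAD)))
```

Running it shows the concatenated query returning all three sample rows for the payload while the parameterized version returns none; a normal value such as Smith returns the single matching row through either path, which is why the fix is transparent to legitimate users.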