cybersecuritybase / cybersecuritybase.github.io

Cyber Security Base with F-Secure

"Report vulnerability" example: are these valid steps (?!) #42

Closed Hlynrkjaer closed 6 years ago

Hlynrkjaer commented 6 years ago

Hello,

Part Three of the Securing Software course has the following example of reporting a vulnerability (steps to reproduce the problem):

Issue: SQL Injection
Steps to reproduce:

  1. Open Injection Flaws
  2. Select Numeric SQL Injection
  3. Open Developer Console
  4. Inspect the Weather Station Element
  5. In the Developer Console, find the select element that lists the weather stations.
  6. Edit one of the option elements within the select element and change the option value to "101 OR station < 9999999".
  7. Select the altered option from the dropdown list on the page
  8. Press Go!
  9. You can now see all the weather data.

But (?!) it looks like it should not work with WebGoat (?!). At least, such steps should not be enough. Or they should be based on a certain advanced 'developer console' (?!). Is it possible to verify that the provided example steps are indeed valid for reproducing this trouble example under WebGoat? I tried only with Windows 10 (different browsers), where these are not valid steps (or...).

WebGoat's own hints are about using WebScarab (as a potential hook to intercept the request to the server and modify it on the fly?!).

Thanks!

nygrenh commented 6 years ago

Hi,

Sorry for the delayed answer. The developer console means your browser's developer tools. See for example: https://developer.chrome.com/devtools

I just tried following the example and it worked fine for me.

Hlynrkjaer commented 6 years ago

Hello,

So, I got the proper view! SORRY for the confusion. The steps, of course, are valid and worked. I had even completed this task before (and that was the reason for this question, because this time my experience was a broken result).

I got confused by trying to change the 'value' as a string rather than properly changing the 'value' of the option ( :-/ ). Not sure why I did not re-check it more carefully before asking. Maybe because I was confused by WebGoat's suggested solution/tips.

Sorry once again.

Thanks for your response, @nygrenh !
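The following is an added example (not part of the course material, the issue thread, or WebGoat) that shows why step 6 has to change the option's value rather than its visible text, which is exactly the confusion resolved above. It simulates what the browser submits for a `<select>`, concatenates that into the kind of numeric query the lesson targets, and evaluates the resulting WHERE clause against a constructed weather table with a toy evaluator that understands only the two clause shapes used here. The station ids, city names, table name, column name, and the `station` field name are all assumptions for illustration.

```javascript
// Added example: browser <select> serialisation vs. the numeric SQL injection.
// Not from the course or WebGoat; all names and data below are constructed.

// Constructed stand-in for the weather-station dropdown as DevTools shows it:
// each <option> has a value attribute (sent to the server) and visible text.
function makeStationSelect() {
  return {
    name: 'station',            // assumed form field name
    options: [
      { value: '101', text: 'Columbia' },
      { value: '102', text: 'Seattle' },
      { value: '103', text: 'New York' },
    ],
    selectedIndex: 0,
  };
}

// What the browser submits for a <select>: the selected option's value
// attribute, falling back to its text only when no value attribute exists.
function submittedValue(select) {
  const opt = select.options[select.selectedIndex];
  return opt.value !== undefined ? opt.value : opt.text;
}

// The mistake described in the thread: editing the option's visible text.
// The server never sees it; the original value attribute is still sent.
function editOptionText(select, index, newText) {
  select.options[index].text = newText;
  select.selectedIndex = index;
  return submittedValue(select);
}

// The intended step 6: editing the option's value attribute.
function editOptionValue(select, index, newValue) {
  select.options[index].value = newValue;
  select.selectedIndex = index;
  return submittedValue(select);
}

// Vulnerable server-side pattern: the parameter is numeric, so it is pasted
// into the query without quotes, and no quote character is needed to inject.
function buildVulnerableQuery(station) {
  return `SELECT * FROM weather_data WHERE station = ${station}`;
}

// Constructed table standing in for the lesson's weather data.
const WEATHER_ROWS = [
  { station: 101, city: 'Columbia', temp: 70 },
  { station: 102, city: 'Seattle', temp: 55 },
  { station: 103, city: 'New York', temp: 62 },
];

// Toy evaluator for the only clause shapes this example produces:
//   station = N            and   station = N OR station < M
// It is not a SQL engine; it exists so the effect of the payload is visible.
function runWhere(whereClause, rows = WEATHER_ROWS) {
  const m = /^station = (\d+)(?: OR station < (\d+))?$/.exec(whereClause);
  if (!m) throw new Error('toy evaluator: unsupported clause: ' + whereClause);
  const eq = Number(m[1]);
  const lt = m[2] === undefined ? null : Number(m[2]);
  return rows.filter((r) => r.station === eq || (lt !== null && r.station < lt));
}

// Rows the vulnerable endpoint would return for a submitted station value.
function rowsFor(submitted) {
  const sql = buildVulnerableQuery(submitted);
  return runWhere(sql.split(' WHERE ')[1]);
}

// Hardened form: validate the numeric id before it gets near SQL and bind it
// as a parameter instead of concatenating. Returns the statement and params
// as a real driver would take them.
function buildSafeQuery(station) {
  if (!/^\d+$/.test(station)) throw new Error('station must be an integer id');
  return { sql: 'SELECT * FROM weather_data WHERE station = ?', params: [Number(station)] };
}

const PAYLOAD = '101 OR station < 9999999';
console.log('text edited  ->', editOptionText(makeStationSelect(), 0, PAYLOAD));
console.log('value edited ->', editOptionValue(makeStationSelect(), 0, PAYLOAD));
console.log('rows:', rowsFor('101').length, 'vs', rowsFor(PAYLOAD).length);
```

In a real browser the equivalent of `editOptionValue` is a DevTools console one-liner such as `document.querySelector('select[name=station] option').value = '101 OR station < 9999999'` (the selector is an assumption; the actual field name must be read from the page), after which choosing that option and pressing Go! submits the payload. The hardened `buildSafeQuery` shows the fix the lesson is driving at: an integer check plus a bound parameter, so the value can never change the query's structure.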