Lesson Plan Title: How to Perform Web Service SQL Injection


Concept / Topic To Teach:

Web Services communicate through the use of SOAP requests. These requests are submitted to a web service in an attempt to execute a function defined in the web service definition language (WSDL) file.


General Goal(s):

Check the web service description language (WSDL) file and try to obtain multiple customer credit card numbers. You will not see the results returned to this screen. When you believe you have succeeded, refresh the page and look for the 'green star'.

Solution:


This lesson can be solved easily with a web services tool such as SOAPUI, but here you will use only WebScarab. In WebScarab, go to the "Web Services" tab. You will see a history of invoked web services and WSDL files.


Figure 1 Lesson 23


Open the WebGoat WSDL file for this lesson (WsSqlInjection?WSDL) in a new window.


In WebScarab, select this WSDL from the top drop-down box. WebScarab parses the XML file so you can select the operation to invoke, then enter a value for each parameter the operation takes. For example, fill in the integer 101 for the ID value and click "Execute". WebScarab will pop up a basic authentication window: enter username guest, password guest and host localhost, then click "Ok". If the pop-up does not appear, go to "Tools" > "Credentials" and activate "Ask when required".


Figure 2 Basic authentication


Figure 3 Webservice Response


What happens if you change 101 to 1 OR 1=1? Will you get all the credit cards?

Yes :)


Figure 4 All the credit cards
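The behaviour just shown, as an added example that is not part of the WebGoat lesson or its code: a minimal stand-in for the service's lookup, written in Python with sqlite3, with the handler that pastes the ID parameter into the SQL text beside one that enforces the integer type the ID parameter is assumed to have and binds the value. The table name, column names and sample rows are constructed.

```python
import sqlite3

# Constructed sample rows standing in for the lesson's customer table; the
# table and column names are assumptions, not taken from WebGoat.
SAMPLE_ROWS = [
    (101, "Joe Snow", "987654321"),
    (102, "John Smith", "2234200065411"),
    (103, "Jane Plane", "123456789"),
]

def make_db():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE user_data (userid INTEGER, first_name TEXT, cc_number TEXT)"
    )
    conn.executemany("INSERT INTO user_data VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn

def lookup_vulnerable(conn, user_id):
    """Handler that pastes the SOAP parameter straight into the SQL text.

    With "101" the WHERE clause matches one customer; with "1 OR 1=1" the
    clause is always true and every credit card row comes back.
    """
    sql = (
        "SELECT first_name, cc_number FROM user_data WHERE userid = "
        + str(user_id)
    )
    return conn.execute(sql).fetchall()

def lookup_safe(conn, user_id):
    """Handler that enforces the integer type the WSDL declares and binds it.

    Anything that is not an integer is rejected before the query runs, and
    the value travels as a bound parameter, never as SQL text.
    """
    try:
        uid = int(user_id)
    except (TypeError, ValueError):
        raise ValueError("userid must be an integer") from None
    return conn.execute(
        "SELECT first_name, cc_number FROM user_data WHERE userid = ?", (uid,)
    ).fetchall()

if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "101"))       # one customer
    print(lookup_vulnerable(db, "1 OR 1=1"))  # all three customers
    print(lookup_safe(db, "101"))             # one customer
    try:
        lookup_safe(db, "1 OR 1=1")
    except ValueError as exc:
        print("rejected:", exc)
```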


Remark: if you do not get any response, select the service and operation again from the drop-down box. A nice feature here would be the ability to make a raw SOAP request.


Solution by Erwin Geirnaert ZION SECURITY