Description
This video is an introduction to Dynamic Application Security Testing (DAST) and to WebGoat, the application security training app. What DAST is, what WebGoat looks like and how GitLab's DAST security scanner reveals vulnerabilities are demonstrated in less than 15 minutes.
Transcript
If you are in IT, you certainly have heard about cross-site scripting, SQL injection and several other buzzwords, to make you familiar with the tech language used here. I do not want to use the lengthy term dynamic application security testing all the time, so I will abbreviate it by just saying DAST, D-A-S-T, as in the title of this video. But let's get started.
These are out of focus for today. Rather, think about DAST as treating the application as a black box and depending on an app's features and user input. A vulnerable app can often be manipulated in tricky ways to retrieve data you're not supposed to see, or even to delete that data in the database which is serving the application.
Useful applications often require you to authenticate and log in, and then you're looking at the various pages and maybe fill in some forms, etc. This is where application security scanners, as demonstrated shortly, come into play. The scanner will pretty much do the same thing: log in and browse through the app. The scanner will also provide some input to the forms and then check for security flaws at the same time. Next step.
A famous list of the most often occurring vulnerabilities can be found in the OWASP Top 10 list. In this demo I will use GitLab's DAST scanner to reveal the existing weaknesses, but let's have a short look at WebGoat, so we have a better picture of what we are going to check. By the way, WebGoat is written in a mixture of Java and JavaScript and uses an SQL database as the backend.
So I'm going to log in here into this training app, and on the left side you see, you know, there's a menu which is related to many of those lessons of this training app, and we want to go to SQL injection and refer to what I've been talking about just previously. So we're directly going to lecture 11 and we're going to compromise the confidentiality with an input in our form here. So what is the scenario?
So let me show you how I'm going to manipulate the input and show you a trick with SQL injection. I'm not going to explain all the details here, because this would be, you know, the topic for just another video, but look at this tricky input. Oops, missed something again. Oh yes, I'm a little bit confused, sorry for that. So yeah, that now should work. Okay. So here you see my boss, Bob Franco. Wow, he has quite a bit more than I have. Okay. So this was part one of this video, to show you what SQL injection can do, and in the next step I'm going to show you how to deal with that and how we can improve the security of this web application.
So let's just look at the DAST vulnerabilities over here, and you see, not too exciting: medium severity, low and info, and there's nothing like the SQL injection that we have seen before. So what went wrong? Well, actually, nothing went wrong. There are various ways to operate the DAST scanner, and there are certain ways, like different crawlers, which browse the app in different ways, and the standard setting is not helpful for the way WebGoat is actually programmed.
And yes, all high severity: anti cross-site request forgery, quite a bit. Let's see if we find the SQL injection. Oh yeah, okay, here's quite a bit of those SQL injections, and remember: we did exercise 11, which happens to have a URL "attack 10". So there's a couple in this course, which is right.
So let's look at the very first one in exercise 11. Okay, here we see what the request was that the DAST scanner had used, the actual response, the evidence for the SQL injection, and an explanation or a solution.
Most SQL injections rely upon bad validation of user input, which means that the input is not really checked. You saw that we had a string that I entered, and what happened was a concatenation of these various pieces, and it manipulated the SQL query, and that is how we got into the table of all salaries of all employees.
What we do here is: we include the DAST job that comes as a standard, so we don't have to write everything for running the scanner ourselves. It's part of what GitLab calls Auto DevOps templates. Then here's the build stage that builds the Java application, then there are the SAST jobs that do the analysis here. The push is pushing the container, as mentioned, and then the DAST scan is taking place.
This is the setting for the browser scan. That's very intensive; that gave us those 109 vulnerabilities. If you leave it out and use the AJAX spider, that only found those 10 things.
Another thing you might be interested in is what I did for ease of use. I defined this container as a service so that I didn't need to deploy it. This is not the regular way to do it. That usually goes into.
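The pipeline pieces the narrator walks through (the included standard DAST job, the build, SAST and push stages, the browser-scan setting versus the AJAX spider, and the WebGoat-container-as-a-service shortcut) gathered into one `.gitlab-ci.yml`, as an added example. This is not the video's own pipeline file: the job names, build and Docker image tags, the WebGoat port and context path, the login URL and field names, and the credential variables are assumptions, and the `DAST_*` variable names reflect the GitLab DAST template of the era the video shows (browser-based crawl as an opt-in, AJAX spider on the proxy-based analyzer) and may differ in later releases.

```yaml
# Added example (not the video's own file). Stages follow the narrator's
# walkthrough: build the Java app, run SAST, push the container, run DAST.
include:
  - template: Security/SAST.gitlab-ci.yml
  - template: Security/DAST.gitlab-ci.yml   # the standard DAST job the narrator includes

stages:
  - build
  - test        # the template's SAST jobs run in this stage
  - push
  - dast

build:
  stage: build
  image: maven:3-eclipse-temurin-17        # assumed build image
  script:
    - mvn -B package -DskipTests
  artifacts:
    paths:
      - target/*.jar

push:
  stage: push
  image: docker:24                          # assumed image tags
  services:
    - docker:24-dind
  script:
    - docker build -t "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA" .
    - echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
    - docker push "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"

dast:
  stage: dast
  # The narrator's ease-of-use shortcut: run the freshly pushed WebGoat image
  # as a job service instead of deploying it, so the scanner reaches it by alias.
  # (The narrator notes this is not the regular way; the usual target is a
  # deployed environment.)
  services:
    - name: "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"
      alias: webgoat
  variables:
    DAST_WEBSITE: "http://webgoat:8080/WebGoat"          # assumed port and path
    # Authenticated scan: the lessons sit behind a login form (URL and field names assumed).
    DAST_AUTH_URL: "http://webgoat:8080/WebGoat/login"
    DAST_USERNAME: "$WEBGOAT_USER"                        # masked CI/CD variables, assumed
    DAST_PASSWORD: "$WEBGOAT_PASSWORD"
    DAST_USERNAME_FIELD: "username"
    DAST_PASSWORD_FIELD: "password"
    # Active checks (the SQL injection results), not only passive observation.
    DAST_FULL_SCAN_ENABLED: "true"
    # The crawler setting the video turns on: the intensive browser-based crawl
    # is what produced the 109 findings, including the high-severity SQL injections.
    DAST_BROWSER_SCAN: "true"
    # The alternative the narrator compares it with; his AJAX spider run
    # found only the 10 medium/low/info findings (proxy-based analyzer only):
    # DAST_USE_AJAX_SPIDER: "true"
```

The `push` job tags the image with `$CI_COMMIT_SHA` so the `dast` job's service always runs the build from the same pipeline; the two crawler variables are mutually exclusive in practice, so keep one of them commented out. Where a deployed review environment exists, point `DAST_WEBSITE` at it and drop the `services` block, which is the regular setup the narrator refers to.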