►
Description
This video is to learn about Dynamic Application Security Testing (DAST) and the application security training app called WebGoat. What DAST is, what WebGoat looks like and how GitLab's DAST security scanner reveals vulnerabilities is demonstrated in less than 15 mins.
A
A
If
you
are
in
it,
you
certainly
have
heard
about
cross-site,
scripting,
sql
injection
and
several
other
buzzwords
to
make
you
familiar
with
the
tech
language
used
here.
I
do
not
want
to
use
the
lengthy
term
dynamic
application
security
testing
all
the
time,
so
I
will
abbreviate
with
just
saying
dast
d-a-s-t,
as
in
the
title
of
this
video,
but
let's
get
started.
A
A
These
are
out
of
focus
for
today,
rather
think
about
das,
as
treating
the
application
as
a
black
box
and
depending
on
an
app's
features
and
user
input.
A
vulnerable
app
can
often
be
manipulated
in
tricky
ways
and
retrieve
data
you're
not
supposed
to
see
or
even
delete
that
data
in
the
database,
which
is
serving
the
application.
A
Useful
applications
often
require
you
to
authenticate
and
log
in
and
then
you're
looking
at
the
various
pages
and
maybe
fill
in
some
forms,
etc.
This
is
where
application
security
scanners
has
demonstrated
shortly
come
into
play.
The
scanner
will
pretty
much
do
the
same
thing
log
in
and
browse
through
the
app.
The
scanner
will
also
provide
some
input
to
the
forms
and
then
checking
for
security
flaws
at
the
same
time,
next
step.
A
A
famous
list
of
the
most
often
occurring
vulnerabilities
can
be
found
in
the
o,
wasp
top
10
list.
In
this
demo
I
will
use
git
labs,
dare
scanner
to
reveal
the
existing
weaknesses,
but
let's
have
a
short
look
at
web
code.
So
we
have
a
better
picture
of
what
we
are
going
to
check
by
the
way
webcode
is
written
in
a
mixture
of
java
and
javascript
and
uses
an
sql
database
as
the
backend.
A
So
I'm
going
to
log
in
here
into
this
training
app
and
on
the
left
side,
you
see,
you
know,
there's
a
menu
which
is
related
to
many
of
those
lessons
of
this
training
app
and
we
want
to
go
to
sql
injection
and
refer
to
what
I've
been
talking
about
just
previously,
so
we're
directly
going
to
lecture
11
and
we're
going
to
compromise
the
confidentiality
with
with
an
input
in
our
form
here.
So
what
is
the
scenario?
A
A
A
Oops
miss
something
again:
oh
yes,
I'm
a
little
bit
confused.
Sorry
for
that,
so
yeah.
That
now
should
work.
Okay.
So
here
you
see
my
boss,
bob
franco
wow.
He
was
quite
a
bit
more
than
I
have
okay.
So
this
was
part
one
of
this
video
to
show
you
what
sql
injection
can
do
and
in
the
next
step,
I'm
going
to
show
you
how
to
deal
with
that
and
how
we
can
improve
the
security
of
this
web
application.
A
A
A
So
let's
just
look
at
the
dust
vulnerabilities
over
here
and
you
see
not
too
exciting
medium
severity,
low
and
info
and
there's
nothing
like
the
sql
injection
that
we
have
seen
before.
So
what
went
wrong?
Well,
actually,
nothing
went
wrong,
there's
various
ways
to
operate
the
dev
scanner
and
another
there's.
There
are
certain
ways
like
different
crawlers,
which
browse
the
app
in
in
different
ways,
and
the
standard
setting
is
not
helpful
for
the
way
web
goat
is
actually
programmed.
A
A
A
A
desk
job
that
is,
that
comes
as
a
standard,
so
we
don't
have
to
write
everything
for
running
the
scanner
ourselves.
It's
part
of
what
gitlab
calls
auto
devops
templates.
Then
here's
the
build
stage
that
builds
the
java
application,
then
there's
the
sas
jobs.
That
do
the
analysis
analysis
here.
The
push
is
pushing
the
container
as
mentioned,
and
then
the
dust
scan
is
taking
place.