Test a SQL Injection Attack against the Arcadia Finance App

  1. Before you enable the App Protect service, attempt a SQL injection attack on the Arcadia Finance app. In your Jump Server RDP session, click Applications and then Terminal.
../../../_images/terminal_click1.png ../../../_images/terminal_new1.png
  1. In the terminal window that opens, enter the command below.
curl -vd POST -kLH "host: diy.arcadia-finance.io" "https://nginx-plus-2.appworld.lab/trading/auth.php" -H 'Sec-Fetch-User: ?1' --data-raw 'username='+or+1=1'--&password='
../../../_images/terminal_curl_output_block1.png

While your SQL injection was not successful in logging into the system, the attempt was also not blocked. You were just redirected back to the login page. We’ll enable the App Protect WAF policy and re-attempt to ensure protection is enforce as you progress through the lab.