Gray-Box Security Notes for WebGoat 8: Defensive Patterns and Secure Implementations
SQL Injection

Risk indicators:
- String-concatenated predicates, e.g., building WHERE clauses from raw request parameters.
- Dynamic DDL/DCL driven by user input (ALTER, GRANT, DROP).
- Client-provided sort keys fed directly into ORDER BY.

Safer patterns (Java/JDBC):
try (var conn = DriverManager.getConnec...
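The two safer patterns above combined, as an added example that is not WebGoat's own code: a bind parameter for the WHERE predicate, and an allowlist for the ORDER BY column, since identifiers (columns, and the objects named in DDL/DCL) cannot be bound as parameters. The `users` table, its rows and the `jdbc:h2:mem:` URL are constructed for the example and assume the H2 driver is on the classpath.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

public class SafeUserQuery {
    // Allowlist of sort keys. ORDER BY cannot take a bind parameter, so the
    // client-supplied key is matched against fixed identifiers, never concatenated raw.
    private static final Set<String> SORT_KEYS = Set.of("userid", "last_name", "created");

    static String orderByColumn(String requested) {
        if (requested != null && SORT_KEYS.contains(requested)) {
            return requested;
        }
        return "userid"; // safe default when the key is missing or not allowlisted
    }

    // WHERE value is bound as data; the ORDER BY identifier comes only from the allowlist.
    static List<String> findByLastName(Connection conn, String lastName, String sortKey)
            throws SQLException {
        String sql = "SELECT userid FROM users WHERE last_name = ? ORDER BY " + orderByColumn(sortKey);
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, lastName); // quotes in the value are data, not SQL syntax
            try (ResultSet rs = ps.executeQuery()) {
                List<String> ids = new ArrayList<>();
                while (rs.next()) {
                    ids.add(rs.getString("userid"));
                }
                return ids;
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        // Constructed sample data in an in-memory H2 database (assumption: H2 driver present).
        try (Connection conn = DriverManager.getConnection("jdbc:h2:mem:demo")) {
            try (var st = conn.createStatement()) {
                st.execute("CREATE TABLE users(userid VARCHAR(20), last_name VARCHAR(40), created DATE)");
                st.execute("INSERT INTO users VALUES ('u1','O''Brien','2020-01-01'),('u2','Smith','2020-02-01')");
            }
            // A value containing a quote is matched literally, not parsed.
            System.out.println(findByLastName(conn, "O'Brien", "created"));   // [u1]
            // "password" is not an allowlisted sort key, so the default column is used instead.
            System.out.println(findByLastName(conn, "Smith", "password"));    // [u2]
        }
    }
}
```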