OWASP Exercises: SQL Injection

Developed with
QA

Lab Steps

lock
Logging into the Microsoft Azure Portal
lock
Connecting to the Lab Host Virtual Machine Using RDP
lock
Load the Virtual Machines (Kali & Metasploitable)
lock
Check connectivity
lock
Access the DVWA website
lock
Set DVWA security to "Low"
lock
Check the website for SQL injection vulnerabilities
lock
Conduct the SQL Injection attack

Ready for the real environment experience?

DifficultyIntermediate
Time Limit1h
Students15
Ratings
5/5
star star star star star

Description

SQL is a declarative language which is implemented by every relational database management system (better known as RDBMS). Because of its popularity, lots of hackers constantly try to perform SQL injections to retrieve data they shouldn't be allowed to get.

In this lab, you will attempt a SQL injection attack using just the web browser, in order to trick the back-end MySQL database server to execute queries injected by you and thus gain access to data that you would not be allowed to access otherwise. You will perform the SQL injection attack using only a browser that runs the DVWA (Damn Vulnerable Web App): a web application written to be vulnerable and designed for security professionals to practice their skills and conduct research.

Learning Objectives

Upon completion of this lab you will be able to:

  • Manage the security level of a DVWA application to set it up to your requirements
  • Perform a SQL injection to a DVWA application

Intended Audience

This lab is intended for:

  • Individuals who want to learn how to perform a SQL injection attack
  • Security engineers who want to understand how to better protect their applications to avoid SQL injections
  • People who want to know how a SQL injection can be performed

Prerequisites

This lab has no prerequisites.

Environment before
PREVIEW
arrow_forward
Environment after
PREVIEW

About the Author

Richard Beck is Head of Cyber Security at QA, responsible for the entire Cyber Security portfolio. He works with customers to build effective and successful security training solutions tailored to business needs. Richard has over 10 years' experience in senior Information Security roles. Prior to QA, Richard was Head of Information Security for four years at Arqiva, which underpin 20% of the UK's Critical National Infrastructure. Richard also held Security and Technical Management posts at CPP, GEC, Pearson and the Royal Air Force. Richard sits on the IBM European Board of Security Advisors and previously chaired the Communication Industry Personnel Security Information Exchange (CPNI).