SQL Injection Attack Lab
SEED Lab: A Hands-on Lab for Security Education
Overview
SQL injection is a code injection technique that exploits the vulnerabilities in the interface between web applications and database servers. The vulnerability is present when user's inputs are not correctly checked within the web applications before being sent to the back-end database servers. Many web applications take inputs from users, and then use these inputs to construct SQL queries, so the web applications can get information from the database. Web applications also use SQL queries to store information in the database. These are common practices in the development of web applications. When SQL queries are not carefully constructed, SQL injection vulnerabilities can occur. The SQL injection attack is one of the most common attacks on web applications.
In this lab, we have created a web application that is vulnerable to the SQL injection attack. Our web application includes the common mistakes made by many web developers. Students' goal is to find ways to exploit the SQL injection vulnerabilities, demonstrate the damage that can be achieved by the attack, and master the techniques that can help defend against such type of attacks.
Lab Tasks
- VM version: This lab has been tested on our pre-built SEEDUbuntu16.04 VM.
Recommended Time
- Supervised situation (e.g. a closely-guided lab session):
- Unsupervised situation (e.g. take-home project):
Video
Suggested Reading
- SEED Book by Wenliang Du
(Book website)
(Chinese version)