Overview

SQL injection is a code injection technique that exploits the vulnerabilities in the interface between web applications and database servers. The vulnerability is present when user's inputs are not correctly checked within the web applications before being sent to the back-end database servers. Many web applications take inputs from users, and then use these inputs to construct SQL queries, so the web applications can get information from the database. Web applications also use SQL queries to store information in the database. These are common practices in the development of web applications. When SQL queries are not carefully constructed, SQL injection vulnerabilities can occur. The SQL injection attack is one of the most common attacks on web applications.

In this lab, we have created a web application that is vulnerable to the SQL injection attack. Our web application includes the common mistakes made by many web developers. Students' goal is to find ways to exploit the SQL injection vulnerabilities, demonstrate the damage that can be achieved by the attack, and master the techniques that can help defend against such type of attacks.

Tasks (English) (Spanish)

• VM version: This lab has been tested on our SEED Ubuntu-20.04 VM
• Lab setup files: DO NOT unzip the file in a shared folder, as that would cause problems. Copy the zip file to another folder inside the VM, and then use the unzip command to unpack.
  • Labsetup.zip
  • Labsetup-arm.zip (for Apple Silicon machines)
• Manual:: Docker manual

Time (Suggested)

• Supervised (closely-guided lab session): 2 hours
• Unsupervised (take-home project): 1 week

SEED Videos

• Udemy: Web Security: A Hands-on Approach (§ 4)

SEED Books (English) (Chinese)

• Computer & Internet Security: A Hands-on Approach, 3rd edition (§ 14)
• Computer Security: A Hands-on Approach, 3rd edition (§ 14)
• Internet Security: A Hands-on Approach, 3rd edition (§ 24)

Feedback and Help