hands-on lab

OWASP Exercises: SQL Injection

Difficulty: Intermediate
Duration: Up to 1 hour
Students: 1,492
Rating: 4.3/5
Get guided in a real environment: Practice with a step-by-step scenario in a real, provisioned environment.
Learn and validate: Use validations to check your solutions every step of the way.
See results: Track your knowledge and monitor your progress.

Description

SQL is a declarative language that is implemented by every relational database management system (better known as an RDBMS). Because of its popularity, lots of hackers constantly try to perform SQL injections to retrieve data they shouldn't be allowed to get.

In this lab, you will attempt a SQL injection attack using just the web browser, tricking the back-end MySQL database server into executing queries that you inject, and thus gaining access to data that you would not otherwise be allowed to access. The target is DVWA (Damn Vulnerable Web App): a web application written to be vulnerable and designed for security professionals to practice their skills and conduct research.

Learning Objectives

Upon completion of this lab you will be able to:

  • Manage the security level of a DVWA application to set it up to your requirements
  • Perform a SQL injection against a DVWA application

Intended Audience

This lab is intended for:

  • Individuals who want to learn how to perform a SQL injection attack
  • Security engineers who want to understand how to better protect their applications to avoid SQL injections
  • People who want to know how a SQL injection can be performed

Prerequisites

This lab has no prerequisites.

Updates

September 21st, 2021 - Updated Hyper-V VMs to not use saved state, to avoid an issue with Azure VMs in the same SKU not all having the same processor features

September 7th, 2021 - Upgraded underlying disk, and Kali Hyper-V VM configuration for improved performance

August 30th, 2021 - Included Remote Desktop connection details for those preferring to use their local Remote Desktop client to connect

July 9th, 2020 - Enabled direct browser RDP connection for a streamlined experience

Lab steps

Load the Virtual Machines (Kali & Metasploitable)
Check connectivity
Access the DVWA website
Set DVWA security to "Low"
Check the website for SQL injection vulnerabilities
Conduct the SQL Injection attack