SQL Injection Attack
- This application demonstrates a code-injection attack targeted towards data-driven applications.
- In an SQL Injection attack (Wikipedia), a hacker may inject malicious SQL statements via form fields
that provide inputs to SQL queries for a database backend.
- We will provide you with a container running a simple database engine and a client login application running code vulnerable to such attacks.
- You will experiment with different login usernames and passwords some of which can inject malicious SQL commands into the query due to broken client code.
- This causes the database to return sensitive user information from its tables. Some examples will demonstrate how a hacker can even insert records or drop the entire table using this approach.
- Client code that does not correctly validate user input and instead inserts it as is into SQL statements is typically vulnerable to such attacks.
- A hacker with some knowledge of SQL syntax can cause arbitrary SQL code to be executed on the database, allowing them to tamper, destroy or spoof sensitive identity information.
- You will be able to take a look at both the broken client code and a proposed fix.
- You can modify the client code and retry the attack to verify that the fix indeed solves this problem.
- Ready to go? Try It !
- Note: You will have around 20 minutes to test this application.