SQL Injection Attack


  • This application demonstrates a code-injection attack targeted towards data-driven applications.

  • In an SQL Injection attack (Wikipedia), a hacker may inject malicious SQL statements via form fields that provide inputs to SQL queries for a database backend.

  • We will provide you with a container running a simple database engine and a client login application running code vulnerable to such attacks.

  • You will experiment with different login usernames and passwords some of which can inject malicious SQL commands into the query due to broken client code.

  • This causes the database to return sensitive user information from its tables. Some examples will demonstrate how a hacker can even insert records or drop the entire table using this approach.

  • Client code that does not correctly validate user input and instead inserts it as is into SQL statements is typically vulnerable to such attacks.

  • A hacker with some knowledge of SQL syntax can cause arbitrary SQL code to be executed on the database, allowing them to tamper, destroy or spoof sensitive identity information.

  • You will be able to take a look at both the broken client code and a proposed fix.

  • You can modify the client code and retry the attack to verify that the fix indeed solves this problem.


  • Ready to go? Try It !
  • Note: You will have around 20 minutes to test this application.