Attacking traditional web applications – manual techniques
Let's begin with manual attacks against the OWASP BWA web applications. We already found, in Chapter 2, Manipulating SQL – Exploiting SQL Injection, an easy attack point for extracting information through SQL injection, but we will pretend that each application is independent and does not share the same instance of MySQL. For this reason, we will not consider the OWASP Vicnum application for this purpose, as it would make things too easy for us. Each application will be treated as a separate target so that we can explore the intrinsic vulnerabilities residing in it. In this section, we will perform SQL attacks against three of the OWASP BWA applications: Mutillidae II, Magical Code Injection Rainbow, and Peruggia, putting into practice what you have learned so far in a guided setting.
Attacking Mutillidae II
Our first target is kind of a warm-up—Mutillidae II is an application designed to provide...