SQL injection – practice in perspective
For the practical part, we set up an isolated lab environment so that our testing could not affect any external systems, simulating a test against a real system that we own, with the specific goal of identifying and exploiting SQL injection. After covering what is probably the most enjoyable aspect of the practical part, we describe what can be done to prevent SQL injection.
Attacking using SQL injection
Let's review the tests we performed on the targets we selected and go through the techniques we put into practice.
Manual techniques
By taking advantage of the OWASP Broken Web Applications (BWA) project, we were able to explore most of the attack techniques covered in the theory section. We selected three specific web applications from it, against which we could try a wide spectrum of SQL injection attacks.
Our first target was the Mutillidae II web application...