More on SQL Injection with DVWA

Last night, Allison Nixon gave an excellent talk to a packed room, going over SQL Injection vulnerabilities and letting the audience try them out against a local copy of Damn Vulnerable Web Application (DVWA). If you'd like to install and run it yourself, you can download it here: http://sourceforge.net/projects/dvwa/

A couple of other deliberately vulnerable applications that you can test and learn with include:
Gruyere
Mutillidae
WebGoat

One of the most helpful parts of Allison's talk was the set of pre-built SQL strings that we were able to copy and paste into the application. Here is a similar PDF from HackYeah.com that covers many of the same things Allison presented.

As Allison stressed multiple times during her presentation:

1. Learn SQL. You can't be really good at SQL injection unless you know and understand SQL.
2. Don't use tools. You're less of a person if you use SQL Injection tools.
3. If you use this knowledge to do anything illegal, I don't know you. Neither Allison nor ProvWebAppSec condones any illegal activities with these skills.
4. Do not trust a security product unless its makers know in detail how the attacks work and how the product defends against them.