98949c00d8
git-svn-id: http://webgoat.googlecode.com/svn/trunk@15 4033779f-a91e-0410-96ef-6bf7bf53c507
15 lines
1.3 KiB
HTML
15 lines
1.3 KiB
HTML
<div align="Center">
|
|
<p><b>Lesson Plan Title:</b> How to Perform Blind SQL Injection </p>
|
|
</div>
|
|
|
|
<p><b>Concept / Topic To Teach:</b> </p>
|
|
<!-- Start Instructions -->
|
|
SQL injection attacks represent a serious threat to any database-driven site. The methods behind an attack are easy to learn and the damage caused can range from considerable to complete system compromise. Despite these risks an incredible number of systems on the internet are susceptible to this form of attack.
|
|
<br>
|
|
Not only is it a threat easily instigated, it is also a threat that, with a little common-sense and forethought, can be almost totally prevented. This lesson will show the student several examples of SQL injection.<br>
|
|
<br>
|
|
It is always good practice to sanitize all input data, especially data that will used in OS command, scripts, and database queiries.<br>
|
|
<!-- Stop Instructions -->
|
|
|
|
<p><b>General Goal(s):</b> </p>
|
|
The form below allows a user to enter an account number and determine if it is valid or not. Use this form to develop a true / false test check other entries in the database.<br><br>Reference Ascii Values: 'A' = 65 'Z' = 90 'a' = 97 'z' = 122<br><br>The goal is to find the value of the first_name in table user_data for userid 15613. Put that name in the form to pass the lesson. |