By @rosinni and other contributors at 4Geeks Academy
These instructions are available in Spanish.
We need you! These exercises are created and maintained in collaboration with people like you. If you find any errors or typos, please contribute and/or report them.
This exercise aims to teach students how to identify and report an SQL injection vulnerability using the Damn Vulnerable Web Application (DVWA). The report should be made according to ISO 27001 standards for information security incident management.
- VirtualBox installed on your computer.
- A Debian virtual machine installed in VirtualBox. (We will use the machine previously configured in earlier classes).
- Isolation: Keeps the testing environment separate from your main operating system, protecting it from potential damage.
- Ease of Restoration: You can create snapshots of your virtual machine and easily restore them if something goes wrong.
- Portability: You can easily move and share the virtual machine with others.
- Open this URL and fork the repository https://github.com/breatheco-de/incident-report-for-sql-injection-exercise-project
A new repository will be created in your account.
- Clone the newly created repository onto your local computer.
- Once you have cloned successfully, follow the steps below carefully, one by one.
- In the "Network" section, select "Bridge Adapter" so the VM is on the same network as your host.
- Verify the correct installation of MySQL (MariaDB), Apache, and PHP (LAMP Stack).
- Set the root password for MariaDB and configure the basic security.
- Download DVWA from the provided link:

```bash
cd /var/www/html
sudo apt-get install wget unzip
sudo wget https://storage.googleapis.com/breathecode/virtualbox/DVWA.zip
sudo unzip DVWA.zip
sudo mv DVWA-master DVWA
```
- Configure DVWA: change to the DVWA config directory and copy the sample configuration file to `config.inc.php`:

```bash
cd DVWA/config
sudo cp config.inc.php.dist config.inc.php
```
- Edit the `config.inc.php` file to set the MariaDB credentials:

```bash
sudo nano config.inc.php
```
💡 IMPORTANT: Ensure the following lines have the correct credentials:
- $_DVWA[ 'db_user' ] = 'root';
- $_DVWA[ 'db_password' ] = 'root_password';
- $_DVWA[ 'db_database' ] = 'dvwa';
- Configure the Database: log in to MariaDB and create the DVWA database:

```bash
sudo mysql -u root -p
```

```sql
CREATE DATABASE dvwa;
EXIT;
```
- Adjust Permissions so the web server owns the DVWA files:

```bash
sudo chown -R www-data:www-data /var/www/html/DVWA/
sudo chmod -R 755 /var/www/html/DVWA/
```
- Open a browser in your VM and go to http://localhost/DVWA/setup.php
- Review the setup and click "Create / Reset Database".
- Open a browser in the VM and go to http://localhost/DVWA.
- Log in to DVWA with the default credentials:
  - Username: `admin`
  - Password: `password`
- Set the Security Level: go to the "DVWA Security" tab and select the "Low" security level to facilitate exploitation.
- Execute the SQL Injection: go to the "SQL Injection" section in DVWA and enter a simple SQL injection payload in the "User ID" field, for example:

```sql
1' OR '1'='1
```

Click "Submit" and observe how DVWA processes the injection and displays the database results.
💡 NOTE: You should see a list of all users extracted from the database, indicating a successful SQL injection.
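To understand why the payload above returns every user, and what the "Recommendations" section of your report should propose, here is an added example (not part of the exercise or of DVWA's code) that reproduces the low-security query pattern against an in-memory SQLite table and places it beside a parameterized version. The table layout and the sample rows are constructed for this example.

```python
import sqlite3

# Tautology entered in the "User ID" field during the exercise.
PAYLOAD = "1' OR '1'='1"


def make_db():
    """Constructed stand-in for DVWA's users table (not DVWA's real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id TEXT, first_name TEXT, last_name TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("1", "admin", "admin"), ("2", "Gordon", "Brown"), ("3", "Hack", "Me")],
    )
    return conn


def lookup_user_vulnerable(conn, user_id):
    """Mirrors the low-security pattern: user input is concatenated into SQL.
    The single quote in the payload closes the literal, and OR '1'='1' makes
    the WHERE clause true for every row."""
    query = (
        "SELECT first_name, last_name FROM users "
        f"WHERE user_id = '{user_id}'"
    )
    return conn.execute(query).fetchall()


def lookup_user_safe(conn, user_id):
    """Hardened version: the value is sent as a bound parameter, so quotes in
    it can never change the structure of the query."""
    query = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(query, (user_id,)).fetchall()


def is_valid_user_id(value):
    """Defence in depth: DVWA user ids are small positive integers, so anything
    else can be rejected before it reaches the database."""
    return value.isdigit()


if __name__ == "__main__":
    db = make_db()
    print(lookup_user_vulnerable(db, PAYLOAD))  # every row in the table
    print(lookup_user_safe(db, PAYLOAD))        # [] - no user has that id
    print(is_valid_user_id(PAYLOAD))            # False
```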
- Follow the Report Structure
- Report Title
- Introduction
- Incident Description
- Reproduction Process
- Incident Impact
- Recommendations
- Conclusion
💡 NOTE: Incident reports according to ISO 27001 standards do not specifically require the inclusion of images unless they are necessary to illustrate critical points or specific technical details of the incident. In practice, reports include screenshots, charts, or diagrams only when they are relevant to support the explanation of the incident or to demonstrate how the vulnerability exploitation was carried out.
Download an example of an incident report
- At the root of the forked project, upload the report in `.pdf` format with the name `incident-report.pdf`.