In this thesis, I will attempt to perform a SQL injection attack on a web application. Technology is moving rapidly and is shaping our society and our future, and a major concern that comes with this is security: how important a role it plays in protecting our data and what we do with it. Studying SQL injection will teach me just how important that role is, and how attackers are able to retrieve data they should not have access to. Security is certainly a serious issue, as some of the biggest companies in our country are being hacked. The companies do not want this to happen, and neither do their customers, since it is the customers' information that is being leaked. With the knowledge and information I gain, I hope to better understand why this type of vulnerability is so common, and also to create a prototype that could defend against it. There are many other types of vulnerabilities as well, so being completely safe from all of them is difficult; with this prototype I hope to shed some light on how to mitigate one of them, so that we can continue to slowly mitigate more. SQL injection is certainly a controversial topic, as people have used it for harm in the past, but with a proper understanding of it, developers can put proper security measures in place to safeguard against the attack.
- First, download the required source code so that you have all the necessary files set up.
- Open a terminal window and navigate to the sqlite folder.
- Once you have done that, type "python app.py". This should start the web application running on your local machine.
- At the end of the output in the terminal window it should say that the server is running on "http://127.0.0.1:5000/". Copy the entire URL from your terminal window and paste it into your browser.
- Once you have done that, you should be able to see the site and look through the different webpages that are there.
- Next, navigate to the login page and, in the username box, type "Or 1=1--". This uses the SQL injection technique to bypass the login check, which should give you access to the vital data.
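As an added example (not part of the thesis project's own code), here are the two ways a Python/sqlite login check can be written: the first splices the username box straight into the SQL text, so the `OR 1=1--` payload from the last step turns the WHERE clause into a condition that is always true; the second binds the values as parameters, which is the defence the prototype is aiming for. It assumes a constructed in-memory users table and that the app wraps the username in single quotes, so the payload shown uses a single quote to close that literal.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed in-memory stand-in for the thesis app's sqlite database (assumption).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users (username, password) VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # The username and password boxes become part of the SQL text itself.
    # With username "' OR 1=1--" the statement collapses to
    #   SELECT id FROM users WHERE username = '' OR 1=1
    # because the quote closes the literal and "--" comments out the password check.
    query = ("SELECT id FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return conn.execute(query).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Parameterized query: the driver binds the values, so a quote in the
    # username is compared as data and can never change the statement.
    query = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def compare(username: str, password: str) -> dict:
    # Runs both checks on the same input so the difference is visible side by side.
    conn = make_db()
    try:
        return {"vulnerable": login_vulnerable(conn, username, password),
                "safe": login_safe(conn, username, password)}
    finally:
        conn.close()


if __name__ == "__main__":
    print("real credentials:  ", compare("alice", "correct horse"))
    print("injected username: ", compare("' OR 1=1--", "anything"))
```

The parameterized version rejects the injected username because the whole string, quote and all, is compared against the stored usernames rather than parsed as SQL.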
Contact: Jordan Wilson
Email: wilsonj3@allegheny.edu