144 lines
5.1 KiB
YAML
lessonKey: "sql-injection-shop"
title: "SQL Injection Attack - Online Shop Demo"
description: "Learn how SQL injection vulnerabilities work through a realistic online shop scenario"
difficultyLevel: "intermediate"
estimatedDuration: 20
module: "sql-injection-shop"

steps:
  - id: "intro"
    type: "content"
    title: "What is SQL Injection?"
    content: |
      SQL Injection is one of the most dangerous web application vulnerabilities. It occurs when an attacker can insert malicious SQL code into a query, allowing them to:

      • Access unauthorized data
      • Modify or delete database records
      • Bypass authentication
      • Execute administrative operations

      In this lesson, you'll explore a vulnerable online shop to understand how SQL injection works and why proper input validation is critical.

  - id: "shop-demo"
    type: "interactive"
    title: "Vulnerable Online Shop"
    interactiveComponent: "SQLShopDemo"
    content: |
      Below is a simplified online shop with a product search feature. The search functionality is vulnerable to SQL injection.

      Try searching for normal products first, then experiment with SQL injection techniques.

  - id: "question-1"
    type: "question"
    questionType: "multiple_choice"
    question: "Which of the following search inputs could be used to exploit SQL injection?"
    options:
      - id: "normal-search"
        text: "laptop"
        isCorrect: false
        points: 0
      - id: "single-quote"
        text: "' OR '1'='1"
        isCorrect: true
        points: 15
      - id: "union-select"
        text: "' UNION SELECT username, password FROM users--"
        isCorrect: true
        points: 15
      - id: "drop-table"
        text: "'; DROP TABLE products--"
        isCorrect: true
        points: 10
    maxPoints: 40
    feedback:
      correct: "Correct! These inputs manipulate the SQL query structure."
      incorrect: "Review the demo. SQL injection exploits use special characters like quotes and SQL keywords."

  - id: "detection"
    type: "content"
    title: "How SQL Injection Works"
    content: |
      A vulnerable query might look like:

      SELECT * FROM products WHERE name LIKE '%[USER_INPUT]%'

      When a user searches for "laptop", the query becomes:
      SELECT * FROM products WHERE name LIKE '%laptop%'

      But if they enter "' OR '1'='1", it becomes:
      SELECT * FROM products WHERE name LIKE '%' OR '1'='1%'

      The OR '1'='1' condition is always true, so ALL products are returned!

      More dangerous attacks can extract data from other tables or even delete data.

  - id: "question-2"
    type: "question"
    questionType: "single_choice"
    question: "What is the BEST way to prevent SQL injection vulnerabilities?"
    options:
      - id: "input-filtering"
        text: "Filter out dangerous characters like quotes and semicolons"
        isCorrect: false
        points: 0
      - id: "parameterized-queries"
        text: "Use parameterized queries (prepared statements)"
        isCorrect: true
        points: 30
      - id: "stored-procedures"
        text: "Only use stored procedures for database access"
        isCorrect: false
        points: 0
      - id: "input-length"
        text: "Limit the length of user inputs"
        isCorrect: false
        points: 0
    maxPoints: 30
    feedback:
      correct: "Excellent! Parameterized queries separate SQL code from user data, making injection impossible."
      incorrect: "While filtering helps, parameterized queries are the gold standard. They ensure user input is always treated as data, never as SQL code."

  - id: "mitigation"
    type: "content"
    title: "Preventing SQL Injection"
    content: |
      Best practices to prevent SQL injection:

      1. **Parameterized Queries** (Most Important)
         • Use prepared statements with bound parameters
         • Never concatenate user input into SQL strings

      2. **Input Validation**
         • Validate data types (numbers, emails, etc.)
         • Use allowlists for expected values

      3. **Least Privilege**
         • Database accounts should have minimal permissions
         • Read-only accounts for read operations

      4. **Web Application Firewalls**
         • Can detect and block SQL injection attempts
         • Should be used as an additional layer, not primary defense

      5. **Regular Security Audits**
         • Code reviews and penetration testing
         • Automated vulnerability scanning

  - id: "question-3"
    type: "question"
    questionType: "free_text"
    question: "In your own words, explain why parameterized queries prevent SQL injection."
    validationRules:
      keywords:
        required: ["parameter", "data", "separate"]
        partialCredit: 10
      minLength: 50
    maxPoints: 30
    feedback:
      correct: "Great explanation! You understand that parameterized queries keep SQL structure separate from user data."
      incorrect: "Think about how parameterized queries treat user input differently than string concatenation. Key concepts: separation of code and data."

scoring:
  passingScore: 70
  maxTotalPoints: 100
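As an added, runnable illustration of the "How SQL Injection Works" and "Preventing SQL Injection" steps (this is not part of the lesson file or the SQLShopDemo component), the Python script below runs the lesson's `' OR '1'='1` input through the concatenated `LIKE '%...%'` query and through a parameterised version against an in-memory SQLite table; the product rows are constructed sample data.

```python
import sqlite3

# Constructed sample catalogue for the demo (not data from the lesson).
PRODUCTS = [
    (1, "laptop", 999.00),
    (2, "laptop bag", 49.00),
    (3, "mouse", 19.00),
    (4, "monitor", 249.00),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory products table like the lesson's shop."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", PRODUCTS)
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str) -> list[str]:
    """The lesson's vulnerable pattern: user input spliced into the SQL text.

    With the input  ' OR '1'='1  the statement becomes
      ... WHERE name LIKE '%' OR '1'='1%' ...
    The trailing % lands inside the second literal, so '1'='1%' is false;
    it is  name LIKE '%'  (which matches every name) that returns every row.
    """
    sql = f"SELECT name FROM products WHERE name LIKE '%{term}%' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn: sqlite3.Connection, term: str) -> list[str]:
    """Prepared statement: the term is bound as data, so quotes and keywords
    in it can never change the query's structure. The ESCAPE clause also
    neutralises LIKE wildcards (% and _), which binding alone does not do."""
    escaped = term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    sql = "SELECT name FROM products WHERE name LIKE ? ESCAPE '\\' ORDER BY id"
    return [row[0] for row in conn.execute(sql, (f"%{escaped}%",))]


if __name__ == "__main__":
    db = make_db()
    for user_input in ("laptop", "' OR '1'='1", "%"):
        print(f"{user_input!r:16} vulnerable -> {search_vulnerable(db, user_input)}")
        print(f"{user_input!r:16} safe       -> {search_safe(db, user_input)}")
```

The third input shows the caveat the lesson's checklist does not mention: a bare `%` still matches every product through the parameterised query unless wildcards are escaped, so input validation stays relevant even with prepared statements.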