AWT: Web Security

SQL Injection

Using the search functionality of the guestbook application try to execute some other functionalities.
  • Update your configuration of PHP (file php.ini) in order to disable the magic_quote_gpc option.
  • Use the select field to make a SQL Error
  • Change the selection to add a "or 1" that makes the selection always true.
  • Insert a new record in the guestbook database, and give another userid as author.
  • Hack the login, such that you can log as any user (giving only the userid).
  • Hack the list functionality, such that you can see all the users (you may need to rename some fields).

More realistic attacks

  • To be more realistic, we have to reactivate the magic_quote_gpc option. Turn it to ON.
  • Create a page containing a textarea that accesses the page with the view message mode. (a form with id)
  • Use this form to create a file containing all the messages.

Test your Homework

Test the 10 most common vulnerabilities on your homework application.