attack-methodology.md

Attack Methodology — SQL Injection Testing

Engagement: Baobab Bay Lodge Web Application Security Assessment
TTP: SQL Injection (ATT&CK T1190 / OWASP A03:2021)
Tool: sqlmap

Objective

Test the Baobab Bay Lodge booking website for SQL injection vulnerabilities using sqlmap. Determine whether user-supplied input is passed unsanitized to the MySQL database, and if so, demonstrate the extent of data exposure.

Prerequisites

  • DVWA is running and accessible at http://localhost:8080
  • Nmap scan completed — port 80 (HTTP) and port 3306 (MySQL) confirmed open
  • The target endpoint has been identified through reconnaissance

Step 1 — Identify the Target Endpoint

The booking application's search and lookup functionality is served at /vulnerabilities/sqli/. This page represents the booking form's query interface — where guest records are retrieved by an identifier. The parameter to test is id, which accepts user input and passes it to a backend SQL query.

Before running automated tools, confirm the endpoint is reachable by loading it in a browser or via curl. Note the authentication requirements: DVWA uses session-based authentication with a PHPSESSID cookie and a security cookie set to low.
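The query pattern this test probes, shown as an added illustration that is not DVWA's code and not part of the original methodology: a lookup that pastes the id parameter into the SQL string beside its parameterized replacement, run against a constructed in-memory SQLite table (the guests table and names are assumptions standing in for the MySQL booking database). The third function shows why a single quote is enough for sqlmap's basic heuristic to notice the first pattern and why the second pattern gives it nothing to notice.

```python
import sqlite3

# Constructed sample rows standing in for the guest database (not DVWA's schema).
GUESTS = [
    (1, "Amara", "Okafor"),
    (2, "Jean-Marc", "Dubois"),
    (3, "Priya", "Naidoo"),
]


def make_db():
    """Build an in-memory SQLite database as a stand-in for MySQL."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE guests (user_id INTEGER, first_name TEXT, last_name TEXT)")
    conn.executemany("INSERT INTO guests VALUES (?, ?, ?)", GUESTS)
    return conn


def lookup_vulnerable(conn, user_id):
    """Vulnerable pattern: the request parameter becomes part of the SQL text,
    so anything the caller types is parsed as SQL rather than as a value."""
    query = f"SELECT first_name, last_name FROM guests WHERE user_id = '{user_id}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, user_id):
    """Hardened pattern: the value is bound as a parameter and never parsed as SQL."""
    query = "SELECT first_name, last_name FROM guests WHERE user_id = ?"
    return conn.execute(query, (user_id,)).fetchall()


def reacts_to_sql_syntax(conn, lookup):
    """True if a lone quote breaks the query's parse. A syntax error on such
    input is the signal sqlmap's basic heuristic looks for; a parameterized
    query simply treats the quote as data and returns no rows."""
    try:
        lookup(conn, "'")
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    for lookup in (lookup_vulnerable, lookup_parameterized):
        print(lookup.__name__)
        print("  id=2            ->", lookup(db, "2"))
        print("  tautology input ->", lookup(db, "' OR '1'='1"))
        print("  reacts to quote ->", reacts_to_sql_syntax(db, lookup))
```

With a normal identifier both lookups return the same single guest; with input that carries SQL syntax the string-built version returns every row (the data exposure sqlmap would later enumerate) while the parameterized version returns nothing, which is the behaviour a fix for this finding should restore.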

Step 2 — Run sqlmap

Construct the sqlmap command with the following components:

  • Target URL: The full URL of the vulnerable endpoint, including the id parameter
  • Cookie header: The DVWA session cookie (PHPSESSID) and security level cookie (security=low), obtained from the browser after logging in
  • Parameter: Specify id as the parameter to test
  • Flags: Use --batch for non-interactive mode; use --dbs to enumerate databases if injection is confirmed

Direct Claude to assemble these components into the sqlmap command using the correct values from your running DVWA instance. The session cookie changes each time you log in — copy the current value from your browser's developer tools.

Step 3 — Evaluate Output

What to look for in sqlmap's output:

  • "parameter 'id' is injectable" — This is a confirmed finding. sqlmap has verified that the parameter accepts SQL syntax that alters the query's behavior.
  • Database type identification — sqlmap identifies the backend as MySQL, confirming the technology stack.
  • Extracted data — If injection is confirmed, sqlmap can enumerate databases, tables, and records.

What to be skeptical of:

  • "parameter might be injectable" — This is probabilistic, not confirmed. sqlmap is uncertain. Do not report this as a confirmed finding.
  • "heuristic (basic) test shows that the parameter might be injectable" — This is a preliminary indicator, not a conclusion.

AI tools frequently present uncertain sqlmap output as confirmed findings. Check sqlmap's own confidence indicators before accepting the result.
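A small classifier for the confidence indicators listed above, added here as an example and not part of the original material or of sqlmap itself. The sample lines are constructed in the style of sqlmap's console output (not captured from a real run); only the quoted phrases come from the notes above, and the regexes are assumptions tolerant of the technique name sqlmap places between "is" and "injectable".

```python
import re

# Constructed sample output (not a real sqlmap capture). It walks through the
# three stages the notes describe: heuristic hint, probable, then confirmed.
SAMPLE_OUTPUT = """\
[INFO] testing if GET parameter 'id' is dynamic
[INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[INFO] testing for SQL injection on GET parameter 'id'
[INFO] GET parameter 'id' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable
[INFO] GET parameter 'id' is 'MySQL >= 5.0.12 AND time-based blind' injectable
[INFO] the back-end DBMS is MySQL
"""

# Constructed output where sqlmap never got past its heuristic.
HEURISTIC_ONLY = "\n".join(SAMPLE_OUTPUT.splitlines()[:2]) + "\n"

# Ordered strongest first so a confirmed line is never downgraded.
PATTERNS = [
    ("CONFIRMED", re.compile(r"parameter '(?P<p>[^']+)' is (?:'[^']*' )?injectable")),
    ("CONFIRMED", re.compile(r"parameter '(?P<p>[^']+)' is vulnerable")),
    ("PROBABLE", re.compile(r"parameter '(?P<p>[^']+)' appears to be (?:'[^']*' )?injectable")),
    ("HEURISTIC", re.compile(r"parameter '(?P<p>[^']+)' might be injectable")),
]
RANK = {"HEURISTIC": 1, "PROBABLE": 2, "CONFIRMED": 3}
DBMS_RE = re.compile(r"back-end DBMS is (?P<dbms>\S+)")


def classify_line(line):
    """Return (confidence, parameter) for one output line, or (None, None)."""
    for level, pat in PATTERNS:
        m = pat.search(line)
        if m:
            return level, m.group("p")
    return None, None


def highest_confidence(output):
    """Map each tested parameter to the strongest confidence level sqlmap stated."""
    best = {}
    for line in output.splitlines():
        level, param = classify_line(line)
        if level and RANK[level] > RANK.get(best.get(param), 0):
            best[param] = level
    return best


def backend_dbms(output):
    """Return the DBMS sqlmap named, or None if it never identified one."""
    m = DBMS_RE.search(output)
    return m.group("dbms") if m else None


def reportable(output, param):
    """True only when sqlmap itself says the parameter *is* injectable;
    'might be' and 'appears to be' lines are not enough for the report."""
    return highest_confidence(output).get(param) == "CONFIRMED"


if __name__ == "__main__":
    print(highest_confidence(SAMPLE_OUTPUT), backend_dbms(SAMPLE_OUTPUT))
    print("reportable:", reportable(SAMPLE_OUTPUT, "id"))
    print("heuristic only reportable:", reportable(HEURISTIC_ONLY, "id"))
```

Run over the full sample the parameter resolves to CONFIRMED and the finding is reportable; run over the first two lines alone it stays at HEURISTIC, which is the case the notes warn an AI assistant will often present as a result.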

Step 4 — Demonstrate Impact

If injection is confirmed, extract database contents to demonstrate what an attacker could access. Direct Claude to enumerate the tables in the database and retrieve sample records. The goal is to answer Jean-Marc's question: can someone steal guest information through the booking form?

This is evidence collection for the assessment report, not data theft. Document what is accessible — guest names, email addresses, phone numbers, passport numbers — and the method used to access it.

Step 5 — Document the Finding

Record the following for the assessment report:

| Field | Content |
| --- | --- |
| Vulnerability type | SQL injection in user input parameter |
| Evidence | sqlmap output confirming injection and showing extracted records |
| ATT&CK mapping | T1190 — Exploit Public-Facing Application |
| OWASP mapping | A03:2021 — Injection |
| Potential impact | Full access to the guest database including personal information and passport numbers |
| Severity | Critical — unauthenticated access to sensitive personal data |