TTP Selection — Baobab Bay Lodge Assessment
Engagement: Web Application Security Assessment
Prepared for: Scope document reference — Baobab Bay Lodge booking system at http://localhost:8080
Selected TTPs
SQL Injection via Web Application Input Fields
- ATT&CK: T1190 — Exploit Public-Facing Application
- OWASP: A03:2021 — Injection
- Target: User-facing input parameters in the booking application's form and query interfaces
Rationale
The booking form accepts user input that interacts directly with a MySQL database backend. Guest names, email addresses, booking dates, and passport numbers pass through the application to the database. SQL injection is the highest-priority web application vulnerability to test given the client's concern about guest data exposure. A successful injection could allow an attacker to extract the entire guest database — names, contact details, and passport numbers — without authentication.
The client's friend in Mauritius suffered a breach through a similar booking system. Testing for injection vulnerabilities directly addresses the client's stated concern.
Tool Selection
| Tool | Role |
|---|---|
| Nmap | Initial port and service discovery — identify what the target exposes to the network |
| sqlmap | Automated SQL injection testing against identified input parameters |
Attack Sequence Overview
- Reconnaissance (passive + active): Identify the target's exposed services and attack surface using Nmap. Confirm the web application is running and identify any additional exposed services (database ports, administrative interfaces).
- Injection testing: Run sqlmap against the identified input endpoint. Test the parameter for SQL injection using standard payloads.
- Data extraction: If the parameter is injectable, extract sample database contents to demonstrate the scope of potential data exposure. This demonstrates impact — it is evidence collection for the assessment, not data theft.
- Finding documentation: Record the vulnerability with evidence, ATT&CK and OWASP mappings, and a description of potential impact on guest data.
Success Criteria
- If the parameter is injectable, extract sample data to demonstrate the risk to guest records.
- Document whether guest names, email addresses, phone numbers, and passport numbers are accessible through the injection.
- All testing must remain within the boundaries defined in the scope document.
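
The scope-boundary criterion above can be enforced mechanically on the URLs handed to the injection-testing step. The following is an added example, not part of the original plan or the client's scope document; it assumes the only authorised origin is the http://localhost:8080 address named on this page, and the candidate URLs and function names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the scope document authorises only the origin named on this page.
IN_SCOPE_ORIGINS = {("http", "localhost", 8080)}
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Return (scheme, host, port) for a URL, or None if it cannot be trusted."""
    try:
        parts = urlsplit(url.strip())
        port = parts.port  # raises ValueError on a malformed or out-of-range port
    except ValueError:
        return None
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").rstrip(".")
    # Reject userinfo outright: "http://localhost:8080@other.example/" really
    # points at other.example, and a reviewer skimming the list can misread it.
    if scheme not in DEFAULT_PORTS or not host or "@" in parts.netloc:
        return None
    if port is None:
        port = DEFAULT_PORTS[scheme]
    return (scheme, host, port)


def in_scope(url):
    """True only when the URL's exact origin is listed in the scope document."""
    return origin_of(url) in IN_SCOPE_ORIGINS


def filter_targets(urls):
    """Split candidate targets into (allowed, rejected) before any tool runs."""
    allowed = [u for u in urls if in_scope(u)]
    rejected = [u for u in urls if not in_scope(u)]
    return allowed, rejected


if __name__ == "__main__":
    # Constructed candidate list; the path in the second entry is hypothetical.
    candidates = [
        "http://localhost:8080/",
        "http://LOCALHOST:8080/booking?id=1",
        "http://localhost:3306/",
        "https://localhost:8080/",
        "http://localhost:8080@other.example/",
        "http://localhost.other.example:8080/",
    ]
    allowed, rejected = filter_targets(candidates)
    print("in scope:", allowed)
    print("out of scope:", rejected)
```

The check fails closed: anything that does not parse to the exact scoped scheme, host and port is rejected, including a different port on the same host.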
This TTP selection covers the offensive assessment phase. Remediation, detection review, and hardening are separate activities documented in their own materials.