BuggyTheApp is buggy! And we are going to try to attack it. Poor Buggy!
Our plan is to attack BuggyTheApp using SQL injection.
We will explain more about SQL injection in the next step. For now, all you need to know is that BuggyTheApp stores its passwords in an SQLite database (see DBclass.java), and that this database is what we intend to attack.
The idea is to try to enter SQL commands into BuggyTheApp’s user interface with the aim of getting the underlying SQLite database to run these commands, and thus give us access to data that we shouldn’t have.
Try to gain access to BuggyTheApp’s welcome page by injecting SQL commands into the login form. Spend at least 10 minutes doing this. If you are not familiar with SQL injection, please read these useful SQL injection attack tips.
Did you succeed?
If you didn't, try this:
Username: admin (or the login username that you created in the app)
Password: ' or'1=1
Now you have seen how dangerous SQL injection can be, and how easy it is in some cases.
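To see why that password works, here is an added example (not BuggyTheApp's own code, and the table and column names are assumptions rather than what DBclass.java uses) that builds a constructed in-memory SQLite user store, runs the same login check two ways, and shows that the page's payload only gets past the version that pastes user input into the SQL text:

```python
import sqlite3

# Constructed stand-in for BuggyTheApp's SQLite user store.
# The schema is an assumption for this example, not DBclass.java's.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 's3cret')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # The injectable pattern: input is concatenated into the SQL string.
    # With the page's password the database receives
    #   ... WHERE username='admin' AND password='' or'1=1'
    # AND binds tighter than OR, and SQLite treats the text '1=1' as
    # true (its numeric prefix is 1), so every row matches.
    sql = ("SELECT username FROM users WHERE username='" + username +
           "' AND password='" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_fixed(conn, username, password):
    # Parameterised query: the driver binds the values, so the input is
    # never parsed as SQL and the payload is just an incorrect password.
    sql = "SELECT username FROM users WHERE username=? AND password=?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


PAYLOAD = "' or'1=1"   # the password value from the step above

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", login_vulnerable(db, "admin", PAYLOAD))  # admin
    print("fixed:     ", login_fixed(db, "admin", PAYLOAD))       # None
```

A static analyser such as Fortify flags the string-building pattern in login_vulnerable; the parameterised form is the shape of the fix.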
In the next few steps we will see how SQL injection is detected by Fortify, and how we can fix BuggyTheApp!
© University of Southampton 2017