1.2 Understanding the Workings of SQL Injection Attacks

The document outlines two exercises focused on understanding SQL injection and XSS attacks, which are common web vulnerabilities. It details the steps for executing an SQL injection attack to access unauthorized database information and demonstrates how an XSS attack can inject malicious scripts into web pages. Both exercises aim to educate network defenders on identifying and mitigating these security threats.


Module 01: Network Attack and Defense Strategies

Exercise 1: Understanding the Workings of SQL Injection Attacks

SQL injection is the most common vulnerability found in websites. It enables an attacker to gain
unauthorized access to the database or retrieve database information directly.

Lab Scenario

A network defender should be aware of various kinds of application-level threats to
identify or detect the signs of such threats. SQL injection is one such application-level threat wherein
an attacker executes arbitrary SQL statements to gain sensitive information, modify database records,
or attach malicious code, resulting in total compromise of the most sensitive data.

Lab Objective

This lab will demonstrate how attackers perform an SQL injection attack on a target website. It will
help the network defender to understand the workings of this attack.

Lab Tasks

Before executing this lab, click PfSense Firewall VM to turn on the pfSense firewall.

1. Click Web Server to launch the Web Server VM.
2. Click the Ctrl+Alt+Delete link to log in to the Web Server machine.
3. By default, the Administrator account is selected; click admin@123 and press Enter to log in.
4. The Network pane appears; click Yes.
5. Click Attacker Machine to launch the Attacker's VM.
6. Wait a few seconds for the Attacker Machine screen to appear.
7. Select user Bob, type the password user@123, and press Enter.
8. Open the Chromium web browser from the taskbar, type http://www.luxurytreats.com in the
address bar, and then press Enter.

Please type the complete URL www.luxurytreats.com or http://www.luxurytreats.com as
mentioned in the above instruction. Do not type an incomplete URL such as luxurytreats.com;
otherwise, it will redirect you to an external website on the internet.

9. The LuxuryTreats home page will appear, as shown in the screenshot below.
10. Assuming that you are a registered member on the LuxuryTreats website, log in with
username bob and password Passw0rd.
11. Welcome bob appears on the Home page.
12. Hover the mouse over the left corner of the website and click My Orders.
13. Once the list of orders is displayed, click Order Id ORD-001.
14. The order details of the selected order will appear.
15. As per standard security practice, only an authorized user should be able to view
their own personal data. If a user can view other users' order details, this is a
security breach, and it is possible using the SQL injection technique. An attacker uses
this technique to bypass the security measures protecting other users' data.
16. To demonstrate SQL injection, alter the URL from the previous step as follows, and then
press Enter: http://www.luxurytreats.com/OrderDetail.aspx?Id=ORD-001 ' or 1=1;--
17. This trick will fetch the order details of the other users, as shown in the screenshot
below.
18. This is possible because the website is vulnerable to SQL injection attacks. When an
attacker passes this type of SQL injection-specific query, it bypasses the security
mechanism (authentication) imposed by the application and reveals sensitive data.
19. Click Logout to log out of the LuxuryTreats website.
20. Next, check how this SQL injection vulnerability helps an attacker extract the
usernames and passwords of other users using the automated SQL injection tool sqlmap.
21. Close the Chromium browser.
22. Open a Terminal, type sqlmap -u
"http://www.luxurytreats.com/OrderDetail.aspx?Id=ORD-001" --dbs, and then
press Enter.

If sqlmap prompts for user input before retrieving the databases, select the default option
displayed in capital letters.
23. Sqlmap retrieves the databases present in the MS SQL Server. It also displays
information about the web server OS, web application technology, and back-end DBMS,
as shown in the screenshot below.
24. Next, retrieve the tables in the database. In this lab, we shall determine the tables
associated with the LuxuryTreats website (database Hotels).
25. Type sqlmap -u "http://www.luxurytreats.com/OrderDetail.aspx?Id=ORD-001"
-D Hotels --tables and press Enter.
26. Sqlmap will list all existing tables in the Hotels database.
27. Retrieve the columns associated with the tables. To retrieve the columns of the table
named CustomerLogin, issue the following sqlmap query: sqlmap -u
"http://www.luxurytreats.com/orderdetail.aspx?Id=ORD-001" -D Hotels -T
CustomerLogin --columns. Sqlmap starts scanning the CustomerLogin table inside the
Hotels database in search of columns.
28. Sqlmap will retrieve the available columns in the CustomerLogin table, as shown in
the screenshot below.
29. Type sqlmap -u "http://www.luxurytreats.com/orderdetail.aspx?Id=ORD-001"
-D Hotels -T CustomerLogin --dump --regexp --technique=E and press Enter to
dump all CustomerLogin table content.

If sqlmap prompts for user input before retrieving the data, select the default option
displayed in capital letters.

30. Sqlmap has retrieved the complete records of the CustomerLogin table, which
contains the usernames and passwords of users, as shown in the screenshot below.

Repeat step 29 with root user permission (sudo) if the usernames and passwords could not
be extracted.

31. This demonstrates how an attacker can extract sensitive information using the SQL
injection attack.
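Steps 15 to 18 describe the bypass without showing the server-side query that makes it possible. The following added example (not part of the lab; the orders table, its columns and the function names are assumptions, and SQLite stands in for the lab's MS SQL Server) reproduces the concatenated query behind an OrderDetail-style page, shows the Id value from step 16 returning every customer's order, and contrasts it with a parameterised query that keeps the ownership check intact.

```python
import sqlite3


def make_db():
    # Constructed sample data standing in for the Hotels database of the lab.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE orders (order_id TEXT, customer TEXT, item TEXT)")
    con.executemany("INSERT INTO orders VALUES (?, ?, ?)", [
        ("ORD-001", "bob", "Deluxe suite"),
        ("ORD-002", "alice", "Spa package"),
        ("ORD-003", "carol", "Dinner cruise"),
    ])
    return con


def order_detail_vulnerable(con, order_id, user):
    # Models an OrderDetail page that pastes the Id query parameter straight into
    # the SQL text. The attacker therefore controls the WHERE clause: with the
    # step 16 value the 'or 1=1' disables the filter and ';--' comments out the
    # ownership check on customer, so every row comes back.
    sql = (f"SELECT order_id, customer, item FROM orders "
           f"WHERE order_id = '{order_id}' AND customer = '{user}'")
    return con.execute(sql).fetchall()


def order_detail_safe(con, order_id, user):
    # Parameterised query: the Id value is bound as data and cannot alter the
    # query structure, so the customer check always applies. The payload is
    # simply compared, as a literal string, against order_id and matches nothing.
    sql = ("SELECT order_id, customer, item FROM orders "
           "WHERE order_id = ? AND customer = ?")
    return con.execute(sql, (order_id, user)).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "ORD-001' or 1=1;--"  # the Id value used in step 16
    print(order_detail_vulnerable(db, "ORD-001", "bob"))  # bob's own order only
    print(order_detail_vulnerable(db, payload, "bob"))    # all three customers' orders
    print(order_detail_safe(db, payload, "bob"))          # [] : no such order id
```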

Exercise 2: Understanding the Workings of XSS Attacks

Cross-site scripting (“XSS” or “CSS”) attacks exploit vulnerabilities in dynamically generated web pages.
This enables malicious attackers to inject client-side script into web pages viewed by other users.

Lab Scenario

A network defender needs to understand XSS attacks in order to identify the signs of such attacks on
an organization's website. An attacker takes advantage of improper data validation and
injects JavaScript, HTML, Flash, or any other type of executable code into the browser. Any such
attempt could be a sign of an XSS attack.

Lab Objective
This lab will demonstrate how an attacker can initiate an XSS attack on the target website.

Overview of XSS Attack

XSS vulnerabilities can be found in dynamically generated web pages. The dynamic content on these
web pages results in an XSS attack when it is sent to a web user without proper validation for
malicious content. During a cross-site scripting attack, an attacker injects a payload on a web page.
This injected payload will be executed by the browser when a victim visits the injected web page.

Lab Tasks

Before executing this lab, click PfSense Firewall VM to turn on the pfSense firewall.

If you have already launched the Web Server and Attacker Machine in the previous exercise, skip
steps 1 to 6.

1. Click Web Server to launch the Web Server VM. If the Web Server is already launched, move
to step #5.
2. Click the Ctrl+Alt+Delete link to log in to the Web Server machine.
3. By default, the Administrator account is selected; click admin@123 and press Enter to log in.
4. The Network pane appears; click Yes.
5. Click Attacker Machine to launch the Attacker's VM.
6. Select user Bob, type the password user@123, and press Enter.
7. Open the Chromium web browser, type http://www.luxurytreats.com in the
address bar, and then press Enter.

Please type the complete URL www.luxurytreats.com or http://www.luxurytreats.com as
mentioned in the above instruction. Do not type an incomplete URL such as luxurytreats.com;
otherwise, it will redirect you to an external website on the internet.

8. The LuxuryTreats home page will appear, as shown in the screenshot below.
9. Click Contact in the top menu.
10. You will be redirected to LuxuryTreats' Contact page. Type a valid email address in
the Email: textbox and type the JavaScript code below in the Comment textbox. Click Save
Comment, as shown in the screenshot below.

<Script> alert("You are hacked"); </Script>

11. A pop-up appears on the page displaying the message “You are hacked.” Click OK.
12. This indicates that the XSS attack was successfully attempted. This way, an attacker
can inject malicious scripts and perform an XSS attack on the target site. The attacker
can use this technique for session hijacking and phishing, for example.
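Steps 10 to 12 show the saved comment being echoed back into the page unencoded, which is what lets the browser run it. The following added example (not part of the lab; the comment store, template and function names are assumptions) contrasts that rendering with HTML output encoding of the same comment, using the lab's payload as the stored value.

```python
import html

# Constructed in-memory store standing in for the Contact page's saved comments.
comments = []


def save_comment(email, comment):
    # Stored XSS: the payload is persisted as-is; the defect is at output time.
    comments.append({"email": email, "comment": comment})


def render_comments_vulnerable():
    # Models the behaviour seen in step 11: each comment is placed into the HTML
    # unchanged, so a <script> element inside it is parsed and executed by
    # every browser that later loads the page.
    return "".join(f"<p><b>{c['email']}</b>: {c['comment']}</p>" for c in comments)


def render_comments_safe():
    # HTML-encode every user-supplied value as it is written into the page:
    # '<' becomes '&lt;' and '"' becomes '&quot;', so the browser displays the
    # literal text '<Script> alert("You are hacked"); </Script>' instead of running it.
    return "".join(
        f"<p><b>{html.escape(c['email'])}</b>: {html.escape(c['comment'])}</p>"
        for c in comments
    )


def contains_script_element(page):
    # Demonstration-only check: does a real <script tag survive in the output?
    return "<script" in page.lower()


if __name__ == "__main__":
    save_comment("bob@example.com", '<Script> alert("You are hacked"); </Script>')
    print(render_comments_vulnerable())
    print(render_comments_safe())
    print(contains_script_element(render_comments_vulnerable()))  # True
    print(contains_script_element(render_comments_safe()))        # False
```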
