This report documents a SQL Injection vulnerability identified in DVWA during security testing.
Testing Type: Offensive + Defensive Analysis
Environment: Local Lab
Security Level Tested: Low
- Vulnerability Name: SQL Injection
- Severity: Critical
- Category: OWASP Top 10 – Injection
- Affected Module: DVWA SQL Injection Module
The application fails to properly validate user input before executing SQL queries. User-controlled input is directly inserted into the SQL statement, allowing attackers to manipulate the query logic.
Payload Used: 1' OR '1'='1
- Login to DVWA.
- Navigate to the "SQL Injection" module.
- Enter the payload in the User ID field.
- Click Submit.
Multiple user records were returned including:
- admin
- Gordon Brown
- Hack Me
- Pablo Picasso
- Bob Smith
This confirms successful SQL Injection.
Vulnerable Query:
SELECT first_name, last_name FROM users WHERE user_id = '$id';
Resulting Query With Payload:
SELECT first_name, last_name FROM users WHERE user_id = '1' OR '1'='1';
Since '1'='1' always evaluates to TRUE, the WHERE clause matches every row and the database returns all records.
If exploited in a real-world application, this vulnerability could lead to:
- Unauthorized data access
- Database enumeration
- Admin account discovery
- Password hash extraction
- Complete system compromise
Root Cause:
- Lack of input validation
- Use of dynamic SQL queries
- No parameterized query implementation
Severity Level: Critical
Reason: Direct database manipulation and data exposure possible.
To prevent SQL Injection:
- Use Prepared Statements
- Implement Parameterized Queries
- Validate and sanitize user input
- Apply Least Privilege Principle
Secure Query Example (Conceptual):
$stmt = $pdo->prepare("SELECT first_name FROM users WHERE user_id = ?");
$stmt->execute([$id]);
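The following is an added example, not code from this report or from DVWA, that reproduces the query-logic flaw described above and the parameterized fix side by side. It uses Python's standard sqlite3 module in place of DVWA's PHP/MySQL stack, builds a constructed in-memory users table with the names listed in the test results (the user_id values are assumed), and adds an allow-list check on the input as the validation layer recommended above.

```python
import sqlite3

# Constructed sample data mirroring the DVWA users table as seen in the test
# results above; the user_id values are assumed, not taken from DVWA.
SAMPLE_USERS = [
    (1, "admin", "admin"),
    (2, "Gordon", "Brown"),
    (3, "Hack", "Me"),
    (4, "Pablo", "Picasso"),
    (5, "Bob", "Smith"),
]

# The same payload used in the test above.
PAYLOAD = "1' OR '1'='1"


def make_db():
    """Create an in-memory SQLite database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, user_id):
    """Mirrors the low-security DVWA query: the input is pasted into the SQL text,
    so a quote in the input changes the query logic instead of being data."""
    query = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, user_id):
    """Hardened form (equivalent of the PDO prepare/execute above): the driver
    binds the value as a parameter, so the input can never become SQL syntax."""
    query = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(query, (user_id,)).fetchall()


def lookup_validated(conn, user_id):
    """Defense in depth: allow-list the input shape (digits only) before the
    database ever sees it, then use the parameterized query."""
    if not isinstance(user_id, str) or not user_id.isdigit():
        raise ValueError("user_id must be a non-negative integer string")
    return lookup_safe(conn, int(user_id))


if __name__ == "__main__":
    conn = make_db()
    # Vulnerable path: the payload turns the WHERE clause into a tautology.
    print("vulnerable:", lookup_vulnerable(conn, PAYLOAD))   # all five users
    # Safe path: the payload is compared literally and matches nothing.
    print("safe:", lookup_safe(conn, PAYLOAD))               # []
    print("safe, normal input:", lookup_safe(conn, "1"))     # [('admin', 'admin')]
    try:
        lookup_validated(conn, PAYLOAD)
    except ValueError as err:
        print("validated:", err)                             # rejected before the query
```

Running the script shows the contrast the report describes: the string-built query returns every record for the payload, while the parameterized query treats the same text as an ordinary (non-matching) value, and the validation layer rejects it before any query is issued.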
This testing was performed in a controlled lab environment (DVWA) strictly for educational purposes.
