A deliberately vulnerable Flask web application designed for learning and practicing SQL injection techniques. Originally created for a cybersecurity workshop by Layer Zero at UNLV, this project provides a safe environment to understand and exploit SQL injection vulnerabilities.
- Learning Objectives
- Prerequisites
- Installation & Setup
- Practice Challenges
- Hints
- Project Structure
- Vulnerable Code Patterns
- Learning Outcomes
- Quick Start
- Additional Resources
- Security Reminders
## Learning Objectives

- Understand how SQL injection vulnerabilities occur
- Learn to identify vulnerable code patterns
- Practice exploiting SQL injection to bypass authentication
## Prerequisites

- Python 3.7 or higher
- Basic understanding of SQL and web applications
- Familiarity with command line/terminal
## Installation & Setup

1. Clone the repository:

   ```bash
   git clone https://github.com/layer-zero-unlv/sql-injection-lab.git
   cd sql-injection-practice
   ```

2. Install dependencies:

   ```bash
   pip install -r requirements.txt
   ```

3. Initialize the database:

   ```bash
   python create_db.py
   ```

   This creates `users.db` with sample user data from `users.json`.

4. Start the application:

   ```bash
   python app.py
   ```

5. Access the application: open your browser and navigate to `http://localhost:5000`.
## Practice Challenges

Getting started:

- Visit the homepage and click "Get Started"
- Try logging in with legitimate credentials (check `users.json` for valid usernames)
- Explore the dashboard and user search functionality

### Challenge 1: Authentication Bypass

- Can you log in without knowing a valid password?
- Examine the login form and consider how the SQL query behind it might be constructed

### Challenge 2: Information Disclosure

- Use the search functionality to reveal information beyond what is intended
- Try different search patterns and special characters

### Challenge 3: Privilege Escalation

- Find a way to gain admin privileges
- Look for the admin user and capture the flag!
## Hints

- Pay attention to error messages and to the SQL query logs printed in the terminal
- The search feature says "Try SQL injection 😉" when no results are found
- Admin users have access to special flags
- Think about how user input is processed in SQL queries
## Project Structure

```text
├── app.py
├── create_db.py
├── users.json
├── users.db
├── requirements.txt
├── static/
│   ├── style.css
│   └── script.js
└── templates/
    ├── index.html
    ├── login.html
    ├── dashboard.html
    └── 404.html
```
## Vulnerable Code Patterns

This application demonstrates several dangerous practices:

- Unparameterized SQL queries: user input is concatenated directly into the SQL string
- Insufficient input validation: user input is used in queries without any checks
- Information leakage: raw SQL errors are exposed to users
- Weak session management: minimal authentication checks
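The first three patterns are easiest to see side by side. The following is an added illustration written for this README, not the lab's own `app.py`: the `users` table schema, the sample rows, the `login_*`/`search_*` query shapes and the `FLAG{...}` value are all assumptions chosen to resemble the lab, and `single_quote_probe` is the classic first test an attacker or tester runs. Each vulnerable function is paired with its parameterized fix, and the same payloads are sent to both.

```python
import sqlite3

# Constructed sample rows standing in for the lab's users.json; not the project's real data.
SAMPLE_USERS = [
    ("alice", "password123", "user", None),
    ("admin", "s3cret!", "admin", "FLAG{example_only}"),
]


def make_db():
    """Build an in-memory SQLite database with an assumed schema similar to users.db."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password TEXT, role TEXT, flag TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, role, flag) VALUES (?, ?, ?, ?)",
        SAMPLE_USERS,
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Anti-pattern: untrusted input concatenated straight into the SQL text.

    A username of  admin' --  closes the string literal and turns the rest of
    the WHERE clause into a comment, so the password check never runs.
    """
    query = (
        "SELECT username, role FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone()


def login_safe(conn, username, password):
    """Parameterized form: the driver binds the values, so quotes stay data, not syntax."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()


def search_vulnerable(conn, term):
    """Anti-pattern: a LIKE pattern built by concatenation, which a UNION can extend
    to pull columns the page was never meant to show."""
    query = "SELECT username, role FROM users WHERE username LIKE '%" + term + "%'"
    return conn.execute(query).fetchall()


def search_safe(conn, term):
    """Parameterized form: the wildcards are added to the bound value, not to the SQL text."""
    query = "SELECT username, role FROM users WHERE username LIKE ?"
    return conn.execute(query, ("%" + term + "%",)).fetchall()


def single_quote_probe(search_fn, conn):
    """Classic first test for injection: a lone quote breaks a concatenated query
    (the database raises a syntax error, which a leaky app then shows the user)
    but is harmless to a bound parameter. Returns True when the query broke."""
    try:
        search_fn(conn, "'")
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    conn = make_db()
    print("bypass (vulnerable):", login_vulnerable(conn, "admin' --", "wrong"))
    print("bypass (safe):      ", login_safe(conn, "admin' --", "wrong"))
    leak = "' UNION SELECT password, flag FROM users --"
    print("leak (vulnerable):  ", search_vulnerable(conn, leak))
    print("leak (safe):        ", search_safe(conn, leak))
    print("probe vulnerable:", single_quote_probe(search_vulnerable, conn))
    print("probe safe:      ", single_quote_probe(search_safe, conn))
```

Running it shows the vulnerable login returning the admin row for a wrong password, the vulnerable search returning password and flag columns through the UNION, and the single-quote probe erroring only against the concatenated queries; the parameterized versions return nothing for the same inputs. The only difference between each pair is that the safe version hands the values to the driver as parameters instead of pasting them into the SQL string.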
## Learning Outcomes

After practicing with this application, you should understand:

- How SQL injection occurs and why it is dangerous
- The difference between parameterized and vulnerable queries
- Common SQL injection payloads and techniques
- The importance of input validation and prepared statements
- How to identify and test for SQL injection vulnerabilities
## Quick Start

```bash
# Clone, set up, and run
git clone https://github.com/layer-zero-unlv/sql-injection-lab.git && cd sql-injection-practice
pip install -r requirements.txt
python create_db.py
python app.py
```

Then visit `http://localhost:5000` to begin practicing!
## Additional Resources

- [OWASP SQL Injection Guide](https://owasp.org/www-community/attacks/SQL_Injection)
- [SQLite Documentation](https://www.sqlite.org/lang.html)
- [Flask Security Best Practices](https://flask.palletsprojects.com/en/stable/web-security/)
## Security Reminders

- This is a practice environment with intentional vulnerabilities; run it locally and do not expose it to untrusted networks
- Never use these techniques against systems without proper authorization
- Always practice ethical hacking and responsible disclosure
- In real applications, always use parameterized queries and input validation
This project is licensed under the MIT License. See LICENSE for details.
Liability Disclaimer: Layer Zero UNLV and its members are not liable for any misuse of this educational tool. Users are solely responsible for ensuring their activities comply with applicable laws and regulations. This software is provided "as is" without warranty of any kind.
Created by Layer Zero