PortSwigger Lab #1: SQL Injection Vulnerability in WHERE Clause Allowing Retrieval of Hidden Data…

In this lab, web security students are presented with a simple website to test for SQL injection (SQLi) vulnerability in the WHERE clause.

What is SQL Injection?

SQLi is a web application vulnerability that allows attackers to interfere with the queries that an application makes to its database. This allows the attackers to retrieve data or information they are not supposed to see which might include personal identifiable information (PII), product data or any other type of data that the application may have access to.

In this lab, we are required to retrieve hidden data from the website’s database and view it. To solve this lab, we could either make use of the browser or Burp Suite. Burp Suite is a web security tool built by PortSwigger and is used by cybersecurity professionals in hunting web security vulnerabilities. Burp Suite will be used in solving this lab. If you are interested in following along this lab while you read, visit this link. Burp Suite Community Edition comes preinstalled on Kali Linux and Parrot OS which are both Linux based operating systems most commonly used by penetration testers in testing for security vulnerabilities.

Burp Suite is available in three editions namely Community Edition which is free, Professional Edition which costs $399 annually and the Enterprise Edition which costs $3,999 annually.

We will make use of the Community Edition to solve this lab, however, some labs may require that we use the Professional Edition to solve them.

The lab we will be working on contains an SQLi vulnerability in the product category filter. When a user selects a category on the website, the application sends a SQL query to the database to provide the released data in that category using the query below:

SELECT * FROM products WHERE category = ‘Gifts’ AND released = 1

This code above tells the application to select everything “*” in the “products” table WHERE the “category” is ‘Gifts’ AND released is TRUE.

To solve this lab, we need to hit the ACCESS THE LAB button on this page.

Once the lab has loaded, we will then launch Burp Suite

Click the Next button to start a new temporary project as we won’t need to save the project for this lab except if you choose to and then in the dialog box that pops up, click Start Burp.
This is what the landing page looks like below:

Before we start intercepting traffic with Burp Suite, add the FoxyProxy extension to your browser and select “Burp”.

At this point, we switch over to Burp Suite and select Proxy on the navigation bar and turn on Intercept to intercept the traffic request we will make when we click on the “Pets” category. Once the traffic has been intercepted on the Proxy tab, we will the send the request to Repeater as shown in the screenshot below.

On the repeater is where we will test the application for SQLi vulnerability by passing short payloads to to retrieve hidden data. The first payload we will pass to the request URL to test if the website is SQL injectable is the single quote and double dash (‘ — ). In SQL, the double dash means that any line that is written after it is usually a comment and would not be read by the database.
This lab however requires that we retrieve both released and unreleased data from the category filter, and to do that we will modify the category parameter by adding ‘ OR 1=1 — '. Make sure to use the shortcut Ctrl + U to do a URL-encode on the request before sending it with Repeater. The application sends the following query to the database and returns data of both released and unreleased products to the attacker.
SELECT * FROM products WHERE category = Gifts' OR 1=1 —

After hitting Send, we immediately see “Congratulations, you solved the lab!” appear on the homepage as shown below and can then move on to the next topic and lab to continue your learning.

As this marks the end of this write-up, it also marks the beginning of your journey as a Web Security Tester, Security Researcher, Bug Bounty Hunter, Penetration Tester or Security-Driven Developer (SDD, if there’s something like that).