Scores

This demo shows an example of a web site that lists student scores (after login). The website is subject to an SQL injection attack.

The Scores Website

The website uses the same login mechanism as the login demo, but adds the ability for students to see the scores for their subjects. An additional database table stores the student ID, course code and score for that course. Once a student is logged in, they can fill in a form to view their scores.

The form for querying/viewing scores has the following intended functionality:

  1. A user that is authenticated (logged in) can see the scores for either a selected course (by entering the course code) or for all of their courses (by leaving the course code blank).
  2. Non-authenticated users cannot see any scores.
  3. Authenticated users cannot see scores of other users, with the exception of (4).
  4. User steve can see the scores of any user. He is the special user who can enter the student ID of another user and see their scores.

Using the Demo

Log in as a user (note that not all users have scores) and try the form to view the scores of one or all courses. Check that the above requirements are met.

SQL Injection Attack

An SQL injection attack involves injecting untrusted data into a system to perform unauthorised operations; it takes advantage of the SQL queries that many websites use to extract data. (Note that this does not necessarily mean injecting data into an SQL database.)

An SQL injection attack is possible due to poor programming by the web application developer; it is generally not due to bugs in the web server, processing language (e.g. PHP) or database (e.g. MySQL). Good programming techniques can help avoid SQL injection attacks.

This demo's scores system is set up to allow an SQL injection attack. In particular, when logged in as one student, you can perform an SQL injection attack to view the scores of all other students (which, according to the requirements, should not be allowed). Try it! If you are not successful at first, then 'cheat' by looking at the PHP source code, especially the SQL query that extracts the scores from the database. Then try to submit data that creates an SQL query that returns all student data.
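The following is an added example (not the demo's own PHP code) that models the scores lookup in Python with an in-memory SQLite table standing in for the MySQL database. It places a string-built query of the kind the demo uses beside a hardened version that binds every form value as a parameter and takes the student ID from the login session rather than from the form, so requirements 2 to 4 are enforced in code. The table rows and the usernames other than steve are constructed for this example.

```python
import sqlite3

# Constructed sample rows (not the demo's real data): student_id, course_code, score
SAMPLE_SCORES = [
    ("s1001", "CS101", 85),
    ("s1001", "CS102", 72),
    ("s1002", "CS101", 91),
    ("s1003", "CS102", 64),
]

SUPERUSER = "steve"  # the demo's privileged user who may view anyone's scores


def make_db():
    """In-memory SQLite stand-in for the demo's MySQL scores table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE scores (student_id TEXT, course_code TEXT, score INTEGER)")
    con.executemany("INSERT INTO scores VALUES (?, ?, ?)", SAMPLE_SCORES)
    return con


def scores_vulnerable(con, student_id, course_code):
    """String-built query in the style of the demo (assumed): a quote character
    inside course_code changes the SQL structure instead of being treated as data."""
    sql = f"SELECT student_id, course_code, score FROM scores WHERE student_id = '{student_id}'"
    if course_code:
        sql += f" AND course_code = '{course_code}'"
    return con.execute(sql).fetchall()


def query_rejects(con, student_id, course_code):
    """True when the string-built query no longer parses, i.e. the form value
    was interpreted as SQL rather than as data."""
    try:
        scores_vulnerable(con, student_id, course_code)
        return False
    except sqlite3.Error:
        return True


def scores_safe(con, session_user, requested_student, course_code):
    """Hardened lookup: student ID comes from the session (unless the session
    user is steve), and every value is a bound parameter, never concatenated."""
    if session_user is None:
        return []  # requirement 2: unauthenticated users see nothing
    target = requested_student if session_user == SUPERUSER else session_user  # reqs 3 and 4
    sql = "SELECT student_id, course_code, score FROM scores WHERE student_id = ?"
    params = [target]
    if course_code:
        sql += " AND course_code = ?"
        params.append(course_code)
    return con.execute(sql, params).fetchall()
```

A course code containing a stray quote such as `CS101'` breaks the string-built query outright, while the parameterised query simply looks for a course literally named `CS101'` and returns no rows.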
