Module 05 · Application

SQL Injection

The hands-on injection module. Students learn to think like an attacker, typing real payloads into a simulated database to understand application-layer vulnerabilities from the inside out, then learn the defenses that make those payloads impossible.

00

About this module

SQL injection remains the most consequential class of web application vulnerability. This module teaches 18+ attack techniques across eight reference and lab pages. Each page contains interactive labs backed by a simulated database where students type real injection payloads, watch the query transform, and see exactly what the database returns.

The sequence moves from foundations through increasingly advanced attack classes, then closes with real-world vectors and the defenses that stop them. Pages are ordered for a first read, but each one stands alone as a reference. Every page ends with prev/next navigation for a straight walk through the track.

Pages
8
Module
05
Track
Hands-On
01

Pages in this module

05.01
Foundations of SQL Injection
What SQL is, how web applications build queries, and why concatenating user input into query strings creates the injection vulnerability.
Live 05.02
Classic Injection Attacks
Tautology-based bypass, comment injection, numeric injection, and LIKE clause manipulation. Four fundamental techniques every attacker tries first.
Live 05.03
UNION-Based Extraction
Using UNION SELECT to enumerate columns, extract data from other tables, and map the entire database schema through the application's own output.
Live 05.04
Blind Injection
When the application hides its errors. Boolean-based and time-based techniques for extracting data one bit at a time through true/false signals and response delays.
Live 05.05
DML Injection
Going beyond SELECT. Injecting into INSERT, UPDATE, and DELETE statements to create accounts, escalate privileges, and destroy data.
Live 05.06
Advanced Techniques
Stacked queries, second-order injection, subquery injection, ORDER BY manipulation, and batched extraction. The payloads that bypass simple filters.
Live 05.07
Real-World Attack Vectors
Search fields, HTTP headers, cookie parameters, and filter dropdowns. Injection surfaces hiding in places developers forget to protect.
Live 05.08
Defense and Mitigation
Parameterized queries, input validation, stored procedures, WAFs, and least privilege. How to build applications that injection cannot break.
Live 05.09
Prompt Injection (LLM)
The same code-vs-data bug, one layer up. OWASP LLM01:2025: when user input alters an AI assistant's behavior. Direct vs. indirect injection with an interactive context-window simulator.
Live