Laboratory Exercise: Cyber Basics – Web Application Security: SQL Injection Lab Updated!

This introductory lab has students using simple SQL injection to attempt to gain unauthorized access to data on an intentionally vulnerable web server. The lab document includes a brief SQL primer so that students understand enough to exploit simple SQL injection attacks, followed by an introduction to DVWA and its SQL Injection page for testing injection techniques.

Faculty Instructions

Resources required

This exercise requires two virtual machines (VMs) running in the Virginia Cyber Range.

This lab exercise requires an account on The Range.  To sign up for an account on The Range, please visit our Sign-Up page.  Your students will also require an account on the Virginia Cyber Range; this will be explained in the setup of your course.

For this lab, we will use an intentionally vulnerable web application called DVWA (Damn Vulnerable Web Application, available from http://www.dvwa.co.uk/). DVWA is a teaching tool to help students and system administrators understand common web application flaws that lead to compromise, as well as basic techniques that can be used to help secure these apps.

Virtual Environment: The environment for this lab contains two virtual machines (VMs) in a single subnet: one Kali Linux VM, plus a VM hosting DVWA, an intentionally vulnerable suite of web applications used to teach web application penetration testing and defenses. This exercise can also use the full four VM environment used for the Cyber Basics – Reconnaissance and Network Scanning Lab.

Cyber Basics – Web Application Security: SQL Injection Lab Handout

Log In
to download materials

* NICE Cybersecurity Workforce Framework KSAs Addressed
  • K0069: Knowledge of query languages such as SQL (structured query language).
  • K0070: Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] and injections, race conditions, covert channel, replay, return-oriented attacks, malicious code).
  • K0236: Knowledge of how to utilize Hadoop, Java, Python, SQL, Hive, and PIG to explore data.
  • S0130: Skill in writing scripts using R, Python, PIG, HIVE, SQL, etc.
* NSA/DHS Center of Excellence (CAE) KUs Addressed
  • Databases (DAT)
  • Database Management Systems (DMS)
  • Basic Scripting and Programming (BSP)

* Most courseware content maps to NIST NICE Cybersecurity Workforce Framework (NCWF) Knowledge, Skills, and Abilities (KSAs) and/or NSA/DHS CAE Knowledge Units (KUs). For more information on KSAs and KUs, please visit:

KSAs: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-181.pdf

KUs: https://www.iad.gov/NIETP/documents/Requirements/CAE-CD_2019_Knowledge_Units.pdf