This is an educational resource demonstrating a relational database running in a Kubernetes cluster that has SQL injection vulnerabilities. Here are a few suggestions for how you might use this repository:
-
Practice your hacking skills by trying to retrieve, insert, or destroy sensitive information.
-
Read the source code found in
main.goand the solution guide found insolution/README.mdto better-understand what SQL injection vulnerabilities look like, how to exploit them, and how to prevent them. -
Use this as a guide/inspiration for building your own applications with vulnerabilities.
The instructions and solutions were written assuming you are using some kind of Linux distribution (sorry Windows 😬), whether Ubuntu, MacOS, or another Debian-based OS.
This is an application with a built-in security vulnerability. Please don't deploy the Helm chart into a production environment. There are also instructions showing how to exploit SQL injection vulnerabilities, so please don't use this to break any laws 😁.
- Latest version of Helm
- Latest version of kubectl
- A fully-compliant Kubernetes distribution (i.e. microk8s, k3s, k3d) that is running on Linux/amd64, and is using containerd or Docker as the runtime.
Add the Helm chart repository:
helm repo add kube-hack https://kube-hack.github.io/chartsUpdate the charts in your Helm repository:
helm repo updateDeploy the chart to your Kubernetes cluster:
helm install sql-injection kube-hack/sql-injectionkubectl port-forward svc/client-sql-injection 3000:3000After the application is port-forwarded (accessible via localhost), you can run the below actions:
# Get all messages for user 1
curl localhost:3000/messages/1# Send a message to user 1
curl \
--request POST \
--data-binary "Hello, user 1" \
localhost:3000/message/1