Stack Overflow is teeming with questions that ask “is the following database code safe from SQL injection?”. This prompts me to think it would be interesting to develop a system that walks users through some examples of SQL injection, in a browser-illustrated way.

The user could be challenged to find a set of managed vulnerabilities using whatever tools they have at their disposal. Hints or answers could be made available to users where a user can’t find the injection.

• A simple GET injection in a query string
• A POST injection that requires a browser plugin or external tool
• A SELECT injection that returns more data than the user is entitled to
• A SELECT injection that returns nothing from the target table and instead returns entries from a secret table
• An UPDATE injection that overwrites a plaintext password field
• An UPDATE injection that overwrites an MD5 password field
• An UPDATE injection that overwrites an MD5 and username-salted password field
• An illustration of query execution where only single statements are supported, and its impact on injection opportunities

There are two approaches to how this might work: scanning strings and manually ‘detecting’ injections, or – riskier – running all queries verbatim inside a transaction, with limited permissions on just one database.

This idea could be broadened out to all sorts of things. How about JS exploits, such as cookie stealing and cross-site scripting?