Spend approximately 2 to 3 hours on the challenge, please provide an architecture diagram as well as we are very interested in your thinking when building a solution, the code may use mocks in place of real external services.
Download a copy of DVWA VM: [login to view URL]
Write a short python program that will crawl the application and detect an SQL injection vulnerability in
the form at: /vulnerabilities/sqli/
Things to consider
• How to recover if the crawler process dies mid crawl.
• How this program could be extended across multiple servers.
• How the design could be extended to include multiple SQL injection payloads.
• How to avoid crawling out of scope or narrowing the focus of the crawler
• How to make the code easily testable
Guidance of the steps
• Authenticate to the app: admin/password
• Alter the 'security' cookie to 'low' in requests - otherwise filtering will be applied
• Use a logical check to confirm the vulnerability
• Exploit to obtain the database username and version (it is a MySQL database) as further confirmation
• Hint: there is a 'view source' button on the pages in DVWA to help you to understand the context of the
Python is our primary language so please use Python for this challenge, you are free to use whatever
libraries you are familiar with and deem necessary for the challenge.
The application doesn’t necessarily have to run if an architecture diagram is provided and the code is
suitably designed, using mock services.