![[SOLVED] Cs6035 project: database security fall2025](https://assignmentchef.com/wp-content/uploads/2022/08/downloadzip.jpg)
Welcome to the Database Security project. This hands-on project is designed to help you understand how real-world data breaches occur and the strategies you can use to protect against them.
Learning Goals
In this project, you’ll explore two significant types of database vulnerabilities and how attackers exploit them:
Topics Covered
Final deliverables
You will submit a single file named project_dbsec.json to Gradescope. A template is available at: /home/dbsec/Desktop/project_dbsec.json
See the Submission Details page for formatting and content guidelines.
Important Reference Material
Valuable Information – Database Security Prerequisites
NOTE: Vital information is on the prerequisite page and not elsewhere!
Submission
Virtual Machine
Supported
Not Supported
This project uses Microsoft SQL Server Developer Edition, which runs on Linux inside the provided VM. The DBSec project is on the master VM, and the credentials for the Linux user will be provided in the project release on Canvas.
Table of contents
From Canvas – Database Security
The Database Security Project Release ED Discussion has all the information to get started!
You will use the same VM you used in the earlier projects. If you need to download it again:
For the DB Security project, this is the username and password:
There is a limit of sixteen (16) submissions for the Database Security Project!
FREQUENTLY ASKED QUESTIONS (FAQ)
BACKGROUND AND SETUP:
Project Scenario: Your First Penetration Test
“Good News, Everyone!”
You’ve just stepped into your new role at a penetration testing firm, and your first mission awaits. A portfolio of client websites has been placed before you, each resembling a digital fortress with hidden doors and potential cracks. It’s your responsibility to probe their defenses and uncover vulnerabilities before anyone else does.
As you begin your review, familiar patterns start to emerge. The layouts, naming conventions, and user interfaces share striking similarities. A deeper look reveals the reason — the same software vendor developed all of these websites. This discovery is critical: any weakness found in one site could very likely exist across the entire portfolio, putting multiple clients at risk.
Your objective in this mission is to identify and report those vulnerabilities. You’ll search for sensitive information that was never meant to be exposed, analyze how data is processed and protected, and test the applications against user input designed to bypass their safeguards. In doing so, you’ll step fully into the role of a penetration tester — wearing many hats and sharpening the skills essential to protecting databases and application security.
Setup Instructions
This project focuses on two common yet critical categories of database attacks: inference attacks and SQL injection. You will take on the role of a security analyst, tasked with identifying, exploiting, and reporting these vulnerabilities, all within a controlled environment designed for learning and exploration.
To get started, follow the setup steps carefully. Precision matters here — even a slight misstep could cause confusion or errors later in the process.
Username: Provided on project release in Database Security Project Canvas post
Password: Provided on project release in Database Security Project Canvas post
DbGate
This is required for Task D and I (extra credit). Any testing can be done online with SQLFiddle; however, if you want a more realistic setup for testing, 3 blank databases are provided and can be accessed via DbGate.
Setup
DbGate is a cross-platform database tool designed for ease of use and the simultaneous management of multiple databases. It offers powerful features like schema comparison, a visual query builder, data charts, and tools for importing and exporting large amounts of data.
Location in the VM
DbGate Connection Procedure
GATECH ID – GTID
Project Time Expectations
Based on feedback from students in previous semesters, the time required to complete this project is roughly divided as follows:
This estimate does not include time spent on extra credit opportunities (such as the Defender Task). Because some tasks may require thoughtful analysis and trial-and-error, it is strongly recommended that you start early to avoid last-minute difficulties.
Everyone works at their own pace, and skill sets vary—don’t be hard on yourself if you find you’re taking more time than estimated.
Feel free to post in the appropriate threads if you have questions about the project that aren’t addressed in the Write-Ups or have already been asked and answered on Ed. The TA team will be more than happy to help.
TASK A: GTID VERIFICATION
(flag0 – 0 pts)
NOTE:** Task A is the setup task and contains **one flag**: flag0. **Please review the Submission Details for specific instructions regarding the format.
This task sets up the project and generates hashes for the other flags, so verifying that the hashes are correct in Gradescope is critical. (USE A SUBMISSION)
Important
Steps to earn flag0
Where can I find my GTID?
Submission Details
Check the validity of your JSON before submitting to Gradescope.
See Submission Details for more information.
TASK B: INFERENCE ATTACK #1
(flag1 – 20 pts)
NOTE:** Task B is an array flag and contains **one flag**: flag1. **Please review the Submission Details for specific instructions regarding the format.
What Is an Inference Attack?
An inference attack isn’t a hack in the traditional sense—there’s no breaking into systems. Instead, it’s a method of deducing confidential information by analyzing seemingly harmless data that is available to many people either globally or within a company. Security regarding an inference attack deals with data confidentiality and providing data access/restriction on a need-to-know basis.
In most organizations, data security is enforced by access controls, which might restrict:
However, even when data access controls are in place, attackers (or curious employees) can sometimes combine multiple safe reports to uncover private information.
This is called an inference attack. You don’t have direct access to sensitive data, but you can infer it from the data you do have. Such attacks often exploit standard reports available to many employees. For example, a company might restrict certain columns to enforce access control, creating an employee roster report that everyone can view but excluding sensitive details like salary. However, if other reports are not carefully designed with the same protections, they may unintentionally reveal that information.
Scenario Overview
You’ve been given four internal reports from a single company:
Individually, none of these reports violates the company’s access controls on sensitive HR data. However, with some clever analysis, you realize the reports can be combined in a way that exposes a serious gap, allowing someone to pinpoint individual salaries.
Your Goal
By analyzing and cross-referencing the reports, you must cleverly combine the data to identify specific employees whose salaries you can infer with 100% certainty.
To complete Task B, for each exposed employee:
Save this information in the JSON file as part of your submission for flag1.
Success Criteria
Tips for Success
Steps to earn flag1
(Each page opens in a new tab.)
Hints
Submission Details
Good luck with Task B! After completing this task, move on to Task C.
Check the validity of your JSON before submitting to Gradescope.
See Submission Details for more information.
TASK C: INFERENCE ATTACK #2
(flag2 – 20 pts)
NOTE:** Task C is an **array flag** and contains **one flag**: flag2. **Please review the Submission Details for specific instructions regarding the format.
Overview
Now that you’ve seen how an inference attack can expose sensitive information within a single company, it’s time to explore how the same technique can compromise data by linking together unrelated datasets.
In this task, you will carry out another inference attack — but on a broader scale. Instead of one source, you’ll work with four independent datasets that are publicly available online. Each comes from a different domain: hospital visits, voter registration, insurance claims, and medical codes.
Your mission is to analyze these datasets to identify specific individuals who have undergone certain medical procedures, while respecting the deidentification rules designed to protect privacy. Your task is to show how separate anonymized datasets can be combined to reveal sensitive information. Specifically, you will link medical data, particularly procedure records, to voter registration data to identify individuals and their associated medical history. This exercise highlights how incomplete deidentification, when paired with publicly available data, can still expose private information. This is, of course, a significant breach of HIPAA regulations (in fact, this exercise was inspired by the incident where the medical history of the governor of Massachusetts was made public in a similar fashion). Read more.
What you need to do
Steps to earn flag2
(Each page opens in a new tab.)
Hints
Submission Details
Good luck with Task C! After completing this task, move on to Task D.
Check the validity of your JSON before submitting to Gradescope.
See Submission Details for more information.
TASK D: INFERENCE ATTACK #3 – using DbGate
(flag3 – 7.5 pts)
NOTE:** Task D contains *one flag: flag3.* **Please review the Submission Details for specific instructions regarding the format.
Overview
Task: Inference Attack on Encoded Patient Data
You are tasked with investigating a potential security vulnerability in your company’s patient database. This requires performing an inference attack to determine whether sensitive data can still be uncovered despite the use of encoding measures.
Background
You’ve learned that the database administrator attempted to secure patient data by:
This database supports a Pediatric Office within the system.
During a recent visit with your child, you noticed a sign-in sheet openly displayed at the front desk. The sheet contained the following information:
You discreetly photographed the sheet, which can be accessed through the Task D Menu link.
Result
Despite encoding efforts, you can derive the following sensitive information for at least one patient that is not on the sign-in sheet:
Steps to earn flag3
Hints
Submission Details
Good luck with Task D! After completing this task, move on to Task E.
Check the validity of your JSON before submitting to Gradescope.
See – Da for more information.
TASK E: SQL INJECTION #1
(flag4 – 3 pts | flag5 – 5 pts | flag6 – 7 pts)
NOTE:** Task E contains **three flags**: flag4, flag5, and flag6. **Please review the Submission Details for specific instructions regarding the format.
Introduction: What Is SQL Injection?
This task highlights one of the most common yet preventable database vulnerabilities: SQL Injection (SQLi). SQL injection occurs when user input is not properly validated, allowing attackers to inject or modify SQL statements. The consequences can be severe, ranging from unauthorized access and data exposure to complete system compromise.
The root cause of SQL injection is often careless coding and weak input validation. Developers must ensure that all user-provided data is carefully inspected and that potentially harmful input is sanitized or blocked before reaching a SQL query. This process, known as input sanitization, prevents malicious commands from being executed and protects the database from manipulation
To help you get started, we recommend reviewing online resources like the SQL Injection Cheat Sheet for an overview of techniques and examples.
To complete this task, you will need to craft basic SQL code that can be entered into a form’s input field and executed by the website as part of a valid — but unintended — SQL statement. The goal is not to write complex queries, but to bypass weak SQL injection defenses. This could involve evading security checks, retrieving unauthorized information, or, in severe cases, altering the site’s data. Once a vulnerability is present, successful exploitation depends on your ability to understand or map the database’s structure.
Task Description
In this task, you will work with a sample web application that contains intentional SQL injection vulnerabilities in three different login implementations. Your objective is to exploit these flaws to bypass authentication and capture the corresponding hash flags.
You’ll log in using your GTID (as entered in Task A). You won’t know the actual password — instead, you’ll attempt SQL injections via the password field to force a successful login.
Objective Breakdown
Task E consists of three parts, each increasing in complexity. The site is updating its Legacy Login page, and all three hashes for Task E will change. The main security check on the legacy page is a direct match of the username, your GTID. You will not know the password needed to access the system, and you will not be provided with it.
Steps to earn flags 4, 5, & 6
(Each page opens in a new tab.)
Where’s My GTID?
If you’re unsure of your GTID, refer to the Submissions & Gradescope page for instructions.
Hints & Tips
For flag5 and flag6
Sanitization Considerations
SQL Injection Hints
Reference: Legacy Login Code
<?php
function login($username, $password) {
$sql = “SELECT username, password, hash, count(*) cnt INTO #tmp_user FROM users WHERE username=’$username’”;
$usercheck = $this->db->query($sql)->execute()->fetch();
if ($usercheck[‘cnt’] != 1) {
return false;
} else {
$sql = “SELECT hash FROM #tmp_user WHERE password=’$password’”;
$userdata = $this->db->query($sql)->next();
if ($userdata) {
return true;
} else {
return false;
}
}
}
?>
Submission Details
Once you have the hashes for all three flags, please copy and paste them into your submission JSON.
Good luck with Task E! After completing this task, move on to Task F.
Check the validity of your JSON before submitting to Gradescope.
For submission instructions, refer to the Submission Details page.
TASK F: SQL INJECTION #2 / INFERENCE ATTACK #4
(flag7 – 7.5 pts)
Note:** Task F is an **array flag** and contains **one flag**: flag7. **Please review the Submission Details for specific instructions regarding the format.
Overview
In this task, you’ll combine your knowledge of SQL Injection (SQLi) and Inference Attacks to identify specific students from a fictional grade list who received an “F” in the class.
You’ll start by performing an SQL injection to bypass the login form and gain access to a restricted section of the site. Once logged in, you’ll encounter a security question. To answer it, you’ll use Open-Source Intelligence (OSINT) techniques — methods commonly employed by social engineers to gather publicly available information and exploit it for unauthorized access.
If you complete both stages (SQLi and OSINT), you’ll access extended roster data and use an inference attack to identify students who failed the course.
What is OSINT?
OSINT stands for Open-Source Intelligence. It refers to the practice of collecting and analyzing information from publicly available sources — essentially, anything you can legally access online or offline without hacking or breaking into systems.
For example, imagine you’re working on a school project about climate change. You might research news articles, government reports, YouTube videos, and social media posts to gather insights. That’s OSINT in action — using open sources to build practical knowledge.
Learn more about it here – What is OSINT?
Objective
Your goal is to:
Steps to Complete
Hints & Guidance
Submission Details
Once you identify the students who received an “F”, add the hashes (no particular order) into the flag7 array before proceeding to Task F (order of report does not matter).
Good luck with Task F! After completing this task, move on to Task G.
Check the validity of your JSON before submitting to Gradescope.
For detailed submission guidelines, refer to the Submission Details page.
TASK G: SQL INJECTION #3
(flag8 – 7.5 pts / flag9 – 7.5 pts)
NOTE:** Task G contains **two flags**: flag8 and flag9. flag9 is reliant on the “partial completion” of flag8 (while you do not need the hash for flag8 to complete flag9, you do need the schema). **Please review the Submission Details for specific instructions regarding the format.
Overview
In Task G, you’ll perform two advanced SQL injection attacks targeting a fictional music store database. These attacks will help you:
Understanding the “Schema” Page and Your Goal
You’re working with a music store’s website that has a search engine for music albums. While exploring the site, you’ve found a page called “schema.” This page shows behind-the-scenes information — specifically, the structure (or metadata) of a database table used in the main report.
What You’ve Noticed
What You Know
What You Need to Do
Task Breakdown
flag8 – Privilege Escalation via Injection
The Schema page reveals metadata for the Music table. This view is read-only and tied to a limited-access database user named Schema.
The Report page uses this same schema to generate queries. Your job is to figure out how to extend the Schema user’s access, so it can view more than just the Music table.
Once you succeed, the Schema page will show additional tables. You will notice that the new table does not have a hash. There is a reason for this:
To obtain the hash, you must create the required privilege escalation using the “search” functionality on the Report page. When successful, the new hash will appear in the schema header. That hash is your flag8.
flag9 – Credential Extraction and Login
After gaining visibility into new database tables, you must construct another SQL injection on the Report page. This time, your injection should extract a username and password from another table.
You’ll then log into the Login page using the credentials you uncovered. If successful, you’ll land in a simulated “management console,” where your flag9 hash will be displayed.
Unlike the other login forms thus far, this login page is locked down, and SQLi will not work. You are more than willing to try, but as the great DBA Obi-Wan Kenobi said:
How to Proceed
(Each page opens in a new tab.)
Steps to earn flag8 & flag9
flag8 Hash
flag9 Hash
Hints & Tips
General
flag8
flag9
URL Exploration
Security Model
Submission Details
Once you’ve obtained the hashes, add them to your submission JSON and check the files for any formatting issues before submitting to Gradescope.
Good luck with Task G! After completing this task, move on to Task H.
Check the validity of your JSON before submitting to Gradescope.
See Submission Details for more information.
TASK H: SQL INJECTION #4
(flag10 – 7.5 pts / flag11 – 7.5 pts)
NOTE:** Task H contains **two flags**: flag10 and flag11. flag11 is reliant on the completion of flag10 (or you can choose to use your GTID for the username and password, but not receive a hash for flag10). **Please review the Submission Details for specific instructions regarding the format.
Overview
You’re testing the security of a banking website that allows users to log in and view transaction history. Your objective is to prove the system is vulnerable through two stages of SQL injection attacks :
Steps to earn flag10 & flag11
flag10 – Login Without Username
Goal: Log in to the banking site without knowing a valid username. You must use SQL injection in both the username and password fields to:
Key Hints:
What success looks like:
flag11 – Tamper Transaction History
Goal: Once logged in, you’ll see 10 transaction entries and a balance. One entry will be an overdraw fee (-$25). You must:
Critical Part: You can’t inject into text boxes. You must modify the form payload via Chrome Developer Tools before the form submits. You are altering the data sent to the server, not to the UI!
How to Execute flag11
NOTE: This backend expects/uses JSON.
NOTE: If anything is off (wrong balance, 11 transactions, or an overdraw still exists), the hash will be wrong.
Hints Recap
flag0
flag11
Submission Details
Once you’ve obtained the correct hashes, submit your JSON file on Gradescope after checking for JSON formatting issues.
Good luck with Task H! After completing this task, move on to Task I (REMEMBER: Task I is extra-credit).
Check the validity of your JSON before submitting to Gradescope.
See Submission Details for more information.
Task I: Defend Against Inference and SQL Injection Attacks
(flag12 – 20 pts)
NOTE:** Task I is an **array flag** (Inference – Elements 1-3 → 10 pts / SQLi – Element 4 → 10 pts) and contains **one flag**: flag12. **Please review the Submission Details for specific instructions regarding the format.
Overview
In this task, you’ll shift from attacking to defending. Instead of exploiting vulnerabilities (as in Tasks A–G), you’ll write SQL to prevent inference and SQL injection (SQLi) attacks.
NOTE: All validations will initially show yellow (not run). Click the Run test button next to each to validate individually.
Accessing the Test Pages
(Each page opens in a new tab.)
Part 1: Inference Defense (flag12 Elements 1–3)
View: TitleGenderAgeReport
TGA Report De-Identification Rules
TGA Format Rules
View: DepartmentEthnicityDurationReport
DED Report De-Identification Rules
DED Format Rules
Part 2: SQL Injection Defense (flag12 Element 4)
Procedure: uspSQLReplace
Tips
Reset Code (If Needed)
— Reset TitleGenderAgeReport
ALTER VIEW [dbo].[TitleGenderAgeReport] AS
SELECT *
FROM CompanyEmployees;
GO
— Reset DepartmentEthnicityDurationReport
ALTER VIEW [dbo].[DepartmentEthnicityDurationReport] AS
SELECT *, ” AS Duration
FROM CompanyEmployees;
GO
— Reset uspSQLReplace
ALTER PROCEDURE [dbo].[uspSQLReplace]
(@tblName varchar(64), @colName varchar(64), @colValue varchar(1024), @colDataType varchar(32), @filter varchar(1024) OUTPUT)
AS
BEGIN
DECLARE @sql nvarchar(max);
DECLARE @param nvarchar(64);
DECLARE @found int = 0;
SELECT @filter = @colValue;
/*Student Code Should Go Here*/
END;
GO
DbGate:
Below is how to edit a view:
Submission Details
Include your flag12 hash (array of 4 elements) in the JSON file and submit it to Gradescope!
Good luck with Task I!
Check the validity of your JSON before submitting to Gradescope.
See Submission Details for more information.
File Submission Instructions
This project must be submitted through Gradescope, which you can access via Canvas.
How to Submit
Make sure you validate your JSON file before submitting! Use https://jsonlint.com to check your JSON file format.
Important Notes About Gradescope Behavior
Gradescope uses an auto-grader to evaluate your submission. Please be aware of the following:
Submission Limits and Responsibilities
To avoid this:
JSON File Format and Editing Guidelines
The file you will submit is called: project_dbsec.json
This file is available on the Desktop of the provided Virtual Machine. If it is missing, you can create one from scratch by copying the format below (see final section).
File Editing Rules
Special Formatting Instructions for Array Flags
Template Format for project_dbsec.json
NOTE: New line added after every element is for clarity and **should not be used **, as it can cause the JSON to become invalid. You are responsible for ensuring your JSON is valid before submission.
{
“flag0”: “<copy flag0 hash here>”,
“flag1”: “[
‘<copy employee hash 1 here>_<salary of employee 1>’,
‘<copy employee hash 2 here>_<salary of employee 2>’,
‘<copy employee hash 3 here>_<salary of employee 3>’,
‘<copy employee hash 4 here>_<salary of employee 4>’,
‘<copy employee hash 5 here>_<salary of employee 5>’,
‘<copy employee hash 6 here>_<salary of employee 6>’,
‘<copy employee hash 7 here>_<salary of employee 7>’,
‘<copy employee hash 8 here>_<salary of employee 8>’
]”,
“flag2”: “[
‘<copy voter hash here>_<cpt code of voter>’,
‘<copy voter hash here>_<cpt code of voter>’,
‘<copy voter hash here>_<cpt code of voter>’,
‘<copy voter hash here>_<cpt code of voter>’,
‘<copy voter hash here>_<cpt code of voter>’,
‘<copy voter hash here>_<cpt code of voter>’,
‘<copy voter hash here>_<cpt code of voter>’,
‘<copy voter hash here>_<cpt code of voter>’
]”,
“flag3”: “<FirstNameLastName>_<DateOfBirth>_<SocialSecurityNumber>”,
“flag4”: “<copy flag4 hash here>”,
“flag5”: “<copy flag5 hash here>”,
“flag6”: “<copy flag6 hash here>”,
“flag7”: “[
‘<copy student hash here>’,
‘<copy student hash here>’,
‘<copy student hash here>’,
‘<copy student hash here>’,
‘<copy student hash here>’,
‘<copy student hash here>’,
‘<copy student hash here>’,
‘<copy student hash here>’
]”,
“flag8”: “<copy flag8 hash here>”,
“flag9”: “<copy flag9 hash here>”,
“flag10”: “<copy flag10 hash here>”,
“flag11”: “<copy flag11 hash here>”,
“flag12”: “[
‘<copy TitleGenderAgeReport hash here>’,
‘<copy DepartmentEthnicityDurationReport hash here>’,
‘<copy EmployeeReport hash here>’,
‘<copy SQLInjection hash here>’
]”
}
NOTE: The number of entries for an array flag, except Flag12, are mere examples and do not suggest the total number of flags; this is an added challenge. In reality, the number of flags can be less or more than the example flag count for each array flag.
An example of what the submitted file content should look like
If you need to recreate the file manually, use this template structure. Replace the placeholders with your actual flag values:
{
“flag0”: “f64c3063af19c10afeeec201ce07a92627dbfe2ad594b5729c719d7727c1”,
“flag1”: “[‘a478e5926bce_85650.00’, ‘dd94bd958dba_132950.05’, ‘d958dbd94bda_119950.15’, ‘dd94958dba_79950.10’, ‘dbdd94bd958dba_85950.35’, ‘dd94bd958dba_102450.55’]”,
“flag2”: “[‘164266c8e971_97760’, ‘3b70f2b5b53c_96319′, ’66c16428e971_33760’, ‘3bb5b70f253c_94519’, ‘428e66c16971_85760′, ’70f23bb5b53c_96119’]”,
“flag3”: “JaneDoe_19010101_123456789”,
“flag4”: “e96281643cb6661fbc0533e28e64”,
“flag5”: “7552619643cb6661fb9b738c0533”,
“flag6”: “aa2ba3bb2456f39d51553298e821”,
“flag7”: “[‘f2e7aa586cd8’, ‘ed9361f82830’, ‘f2e7aa586cd8’, ‘ed9361f82830’, ‘f2e7aa586cd8’, ‘ed9361f82830’]”,
“flag8”: “8e61e428168eeb43cb6661fee962”,
“flag9”: “58661e43cb6661fc8eebd8e3ce71”,
“flag10”: “a9268eeb2bfead641e3cb6661f59”,
“flag11”: “301fa58e8eeba221eec155a0f562”,
“flag12”: “[‘679fba439156’, ‘cafa10f622c7’, ‘d5e36dc5a36b’, ‘2d2a0cc88888’]”
}
The # of elements in the array flags do not coordinate with the submission and is for demonstration only. it is up to you to determine for those flags how many elements to report!
Am I on the correct page for the flag I am trying to solve?
Menu Links do not load / Website(s) are not loading (The site can’t be reached / We’re having trouble finding that site)
Copying and pasting between the Workstation and the Virtual Machine isn’t working
Task A submission failed
Tasks B-I are not unlocked and say “Task A needs to be completed before this Task is unlocked.”
Task A says, “You have reached the maximum # of entries; the VM will need to be restored.”
JavaScript files are not showing in the Web Developer Tools
The VM is bricked (no longer functioning)
Gradescope won’t allow more submissions (16 submissions limit)
Example Error page
The above error page shows up
If the above steps did not resolve the error
If the above steps still did not resolve the error, try these steps
Finally, if the above steps still did not resolve the error, try these steps
![[Solved] Database Laboratory Assignment # 2](https://assignmentchef.com/wp-content/uploads/2022/08/downloadzip-1200x1200.jpg)
Reviews
There are no reviews yet.