
Step 1: Build Your Playground — Install XAMPP
Get your local server and database up and running in minutes using XAMPP. It’s your all-in-one toolkit for web app hacking labs. (Watch the video for installation help.)
Step 2: Set Up the Battlefield — Configure Your XSS & Injection Lab
This is where the real action begins. Follow the PDF to set up a secure and isolated lab where you can test and break vulnerable web apps safely.
Understanding How XSS Works: From Browser to Database
To defend against XSS, it’s essential to know how injected scripts behave inside the browser and how they might affect the backend. This knowledge is foundational for secure web development and ethical hacking.
What are hackers really after when they launch XSS attacks?
They’re not just playing around — XSS is a tool for stealing session tokens, hijacking accounts, spreading malware, and even bypassing access controls. Understanding their goals helps you defend your apps like a pr
Ever tried throwing something weird into a SQL input field?
If not, you’re missing out — that’s how SQL Injection starts. Let’s see what happens when the database gets confused.
Hackers don’t need permission — they just find a way in.
By exploiting vulnerabilities, they bypass login systems and sneak into places they’re never supposed to reach.
Just a trim? Yes — sometimes, that’s all it takes to stop a hacker.
Hackers don’t play by the rules — they’ll sneak in letters, symbols, or even code where only numbers should go.
Hackers try to break into our website using complex and varied techniques.
That means our defenses must be even more diverse and powerful.
Hacking Lab Using Docker Containers, Linux Servers, and a PHP+MySQL Web App
This lab environment consists of three machines:
The attacker’s machine (Kali Linux)
A target web server running a vulnerable web application
An admin machine simulating real user behavior
The attacker’s machine is powered by Kali Linux, which comes preloaded with a wide range of hacking tools. On top of that, additional tools have been installed, giving you access to nearly every major tool mentioned in certifications like Security+ and CEH. It's a complete offensive toolkit, ready for use right out of the box.
The target machine hosts a web application built with Apache, PHP, and MySQL, making it an ideal platform to test real-world web exploits.
The admin machine plays a crucial role: it simulates a real user interacting with the web server. It runs custom Python scripts that mimic human behavior—such as logging in, browsing products, and performing search queries. This simulation is essential for testing certain types of attacks (e.g., CSRF), which require a real user session to be active. Without this, many client-side vulnerabilities wouldn't trigger properly, so this automation was purpose-built to create realistic conditions.
Docker makes setup and usage incredibly simple. With just a little effort, you can download ready-to-use images from Docker Hub, spin up containers via a few console commands, and start testing immediately. A GUI-based desktop app is also available for those who prefer a visual interface.
Thanks to Docker’s nature, containers can be stopped, restarted, or cloned at any time—allowing you to scale the number of machines easily. If you’ve worked with cloud environments before, you’ll find this setup intuitive and flexible enough to adapt to any test scenario in just a few minutes.
Cracking Passwords, Stealing Credentials, and the True Power of Brute Force Attacks
In this segment, we dive deep into the world of password cracking—how hackers break into systems by exploiting weak credentials and how devastating the consequences can be.
Using Kali Linux on the attacker’s machine, we launch real-world attacks against the web server machine. We'll demonstrate brute-force attacks using powerful tools like Medusa and Crunch, where custom wordlists are used to crack login credentials, particularly over services connected to the web server’s database.
You'll learn how attackers can remotely target a MySQL database, attempting to break in directly by guessing the credentials of admin or regular user accounts. Once an account is cracked, we explore what comes next—how the compromise of just one account can lead to secondary data breaches and the exposure of sensitive information.
This lesson emphasizes how a single leaked password can be the domino that topples an entire system.
We also cover the offline password cracking technique using Hashcat, one of the fastest and most effective tools in the hacker’s arsenal. After capturing hashed passwords, we show how brute-force methods can uncover real user credentials—even without an internet connection.
But it’s not all about attack. At the end of the session, we shift focus to defense: the most effective protection against these attacks is strong, complex passwords. Through demonstration, you'll see that even the most advanced cracking tools struggle—or outright fail—when faced with a truly robust password.
This isn’t just about tools and techniques. It’s a reality check on how critical password strength really is—and why it's your first and last line of defense in the cybersecurity battlefield.
The Infamous SQL Injection: A Nightmare for Database Admins
It’s the name that keeps database admins up at night—SQL Injection. In this session, we’re diving headfirst into this legendary hacking technique that has haunted servers for decades.
But we’re not talking about the baby-level stuff you see in basic security certification exams. Nope. We're going full-on real-world hacker mode, using a weaponized, automated tool called SQLmap—a tool that turns powerful SQL injection attacks into push-button exploits.
You'll see how SQLmap doesn’t just throw random guesses. It generates smart, malicious payloads under the hood—exactly like elite attackers do in real-life breaches. And we’ll crack open the black box to show you what kind of payloads it actually crafts, giving you an inside look at how this tool weaponizes your own input fields against you.
This isn’t just theory. This is the kind of attack that has caused massive data leaks—sometimes affecting millions of users—all because someone left a single field unprotected.
But fear not. For every sword, there’s a shield.
That shield? It's called prepared statements. When properly used, they make SQL injection attacks virtually impossible. And if you're a web developer who’s been using ORMs (Object-Relational Mappers) like Django ORM, SQLAlchemy, or Hibernate, you might not even realize it—but you've been carrying one of the strongest shields in the game all along.
This lesson is more than a tutorial—it’s a wake-up call. Understanding SQL Injection is not just about knowing how attacks work. It’s about knowing how to build secure systems that don’t crumble under pressure.
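The shield described above, as an added example that is not part of the course material: the same login check written with string concatenation and with a prepared statement. It assumes Python's built-in sqlite3 as a stand-in for the lab's PHP+MySQL stack (PDO and mysqli offer the same placeholder binding); the table, accounts and inputs are constructed.

```python
import sqlite3

def make_db():
    # Constructed sample data. sqlite3 stands in for the lab's MySQL server.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT)")
    # Plaintext only to keep the sample short; real apps store password hashes.
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("admin", "constructed-admin-pw"),
                    ("o'brien", "constructed-user-pw")])
    return db

def login_concat(db, name, password):
    # Vulnerable form: input is pasted into the SQL text and parsed as SQL.
    sql = ("SELECT name FROM users WHERE name = '" + name +
           "' AND password = '" + password + "'")
    try:
        return db.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return None  # the input broke the statement's syntax

def login_prepared(db, name, password):
    # Hardened form: fixed statement text, inputs bound as data values only.
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return db.execute(sql, (name, password)).fetchone() is not None

def compare(name, password):
    # Returns (result with concatenation, result with prepared statement).
    db = make_db()
    return login_concat(db, name, password), login_prepared(db, name, password)

if __name__ == "__main__":
    # Constructed inputs: a valid login, a quote-bearing password,
    # and a legitimate user name that happens to contain a quote.
    for creds in [("admin", "constructed-admin-pw"),
                  ("admin", "' OR '1'='1"),
                  ("o'brien", "constructed-user-pw")]:
        print(creds, compare(*creds))
```

Placeholders bind values only: table names, column names and sort directions cannot be bound and need an allow-list instead.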
XSS: The Other Legendary Hacking Technique That Haunts the Web
If SQL Injection is the king of all injections, then XSS (Cross-Site Scripting) is its chaotic evil cousin—just as dangerous, just as legendary.
XSS shows us exactly what happens when websites blindly trust what users type in. Spoiler alert: it’s a disaster waiting to happen.
At its core, XSS is an injection attack, just like SQLi. But instead of poking at the database, it’s all about sneaking in malicious scripts—usually JavaScript—straight into the data that's going to be served to other users. Think of it like planting a virus inside the system that everyone ends up downloading... without knowing it.
And the most notorious version? That would be Stored XSS. Here’s how it works: the attacker inputs some evil script, the app saves it into the database, and then boom—every single user who visits the page later gets served that malicious code. It's like setting a trap once and catching everyone who walks by.
You don’t need to imagine how scary this is. Once you see it in action, you’ll get it—it’s like express-shipping malware to millions of browsers. Think of it as the Amazon Prime of browser-based attacks.
And the worst part? It’s totally preventable.
With proper input sanitization, output encoding, and a Content Security Policy (CSP), XSS can be stopped cold. But the sad reality? Way too many sites still have unguarded input fields lying around like open doors with no security guards.
So yeah, XSS is wild. It’s old-school, it's terrifying, and it's still lurking all over the modern web. Time to stop trusting user input like it's your best friend—and start validating it like it's a suspicious package.
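The stored XSS flow and its defenses, as an added example that is not part of the course material: a comment is saved, then rendered once as raw markup and once with output encoding plus a CSP header. It assumes Python's sqlite3 and html modules in place of the lab's PHP+MySQL app; the table, function names, comments and policy string are constructed.

```python
import html
import sqlite3

# Second layer: without 'unsafe-inline', browsers refuse inline <script> blocks.
CSP = ("Content-Security-Policy",
       "default-src 'self'; script-src 'self'; object-src 'none'")

def make_db():
    db = sqlite3.connect(":memory:")  # stand-in for the lab's MySQL database
    db.execute("CREATE TABLE comments (author TEXT, body TEXT)")
    return db

def save_comment(db, author, body):
    # Stored as submitted; parameter binding protects the SQL layer only.
    db.execute("INSERT INTO comments VALUES (?, ?)", (author, body))

def render_raw(db):
    # Vulnerable form: stored text is written into the page as markup.
    rows = db.execute("SELECT author, body FROM comments").fetchall()
    return "".join(f"<p><b>{a}</b>: {b}</p>" for a, b in rows)

def render_encoded(db):
    # Hardened form: every stored value is HTML-encoded at output time.
    rows = db.execute("SELECT author, body FROM comments").fetchall()
    return "".join(
        f"<p><b>{html.escape(a)}</b>: {html.escape(b)}</p>" for a, b in rows)

def build_response(db):
    # Headers and body a handler would send for the comments page.
    headers = [CSP, ("Content-Type", "text/html; charset=utf-8")]
    return headers, render_encoded(db)

def demo():
    db = make_db()
    save_comment(db, "alice", "Nice product, 5 < 10 stars")
    save_comment(db, "mallory", "<script>alert(1)</script>")  # constructed sample
    return render_raw(db), build_response(db)

if __name__ == "__main__":
    raw, (headers, body) = demo()
    print("raw:    ", raw)
    print("encoded:", body)
    print("header: ", headers[0])
```

html.escape covers HTML element and quoted-attribute contexts; values placed inside JavaScript, URLs or CSS need the encoder for that context.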
Want to stop hackers? First, think like one.
In this hands-on course, you’ll build your own 3-machine hacking lab using Docker, complete with a Kali Linux attacker, a vulnerable PHP+MySQL web server, and an admin simulation machine running scripted browser activity.
You'll go beyond textbook theories and dive into real attack techniques used in the wild—like:
Brute-force password cracking with Medusa & Crunch
SQL Injection exploitation with SQLmap (not the toy-level stuff in cert exams)
XSS (Cross-Site Scripting) attacks, including stored XSS that auto-infects users
Database hacking and understanding post-exploit consequences
Offline hash cracking with Hashcat
You’ll also learn how to defend against these attacks using proven methods like:
Prepared statements (against SQLi)
Input sanitization & CSPs (against XSS)
Strong passwords & secure configurations
No complicated setup—everything runs in isolated Docker containers you can spin up in seconds. Whether you're prepping for CEH, Security+, or just leveling up as a web developer or sysadmin, this lab will teach you what hacking really looks like in 2025.
By the end of the course, you won’t just know how attacks work—you’ll understand why they work, what makes systems vulnerable, and how real hackers exploit them. This knowledge is essential whether you're defending your own code or breaking into vulnerable systems in a safe, ethical environment.