Quick Start

This page will get you up and running with RDDR in no time. We will deploy 3 instances of DVWA running at different security levels behind RDDR sharing a single database microservice.

[Figure: DVWA deployment with RDDR block diagram]

1. Install Kubernetes on your system and enable the DNS service. Istio is not supported at this time; we’ve seen issues with Istio sidecars, so it is best to disable sidecars for now.

2. Clone the RDDR project repository:

git clone https://rjw245@bitbucket.org/rjw245/rddr.git

3. Move to the folder rddr/deployments/dvwa_frontend/k8s:

cd rddr/deployments/dvwa_frontend/k8s

4. Apply all Kubernetes YAML files in this directory. The command for microk8s is shown below:

microk8s.kubectl apply -f .

Wait until all pods are in the Running state. MySQL can take some time even after it’s in the Running state to become fully ready.

5. Open localhost:31001 in your browser. You should see the login page:

[Figure: DVWA login page]

6. Log in with user admin, password password.

7. Click “Create/Reset Database” and log in once more.

8. Navigate to the “SQL Injection” tab.

9. Enter a benign input in the User ID box, such as 1. Press enter and you’ll see the request goes through.

[Figure: DVWA SQL Injection with benign input]

10. Enter a malicious input such as:

' UNION SELECT user,password from users WHERE '1'='1

and press enter.

[Figure: DVWA SQL Injection with malicious input]

11. You should see the request denied by RDDR:

[Figure: RDDR denying access]

This is because we’ve deployed multiple instances of DVWA configured for different security levels. The more secure instance properly sanitizes the SQL query, which causes its query to the database to look different from that of the other instances. RDDR catches this divergence in behavior and blocks the response to the user, so the SQL sanitization bug cannot be exploited.
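The divergence check described above, as an added illustration that is not RDDR’s or DVWA’s own code: two constructed stand-in replicas build the same query from the User ID field, one with raw interpolation and one with a simplified quote-escaping step (both assumed for this example), and the comparison reduces each query to its structural shape so that only a change in statement structure, not in literal values, counts as divergence.

```python
import re

# Constructed query template standing in for the DVWA SQL Injection page (assumed).
SQL_TEMPLATE = "SELECT first_name, last_name FROM users WHERE user_id = '{}'"


def low_security_query(user_id):
    """Stand-in for the least secure replica: raw interpolation, no input handling."""
    return SQL_TEMPLATE.format(user_id)


def escape_sql_string(value):
    """Simplified backslash escaping of backslashes and single quotes (assumed)."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def high_security_query(user_id):
    """Stand-in for the more secure replica: escapes the input before interpolating."""
    return SQL_TEMPLATE.format(escape_sql_string(user_id))


# A quoted string literal (honouring backslash escapes) or a bare integer literal.
_LITERAL = re.compile(r"'(?:\\.|[^'\\])*'|\b\d+\b")


def query_shape(sql):
    """Replace every literal with '?' so that only the statement structure remains."""
    return _LITERAL.sub("?", sql)


def rddr_decision(queries):
    """Allow only when every replica produced a query of identical shape."""
    shapes = {query_shape(q) for q in queries}
    return "allow" if len(shapes) == 1 else "deny"


def check_input(user_id):
    """Run one User ID value through both replicas and return the decision."""
    return rddr_decision([low_security_query(user_id), high_security_query(user_id)])


if __name__ == "__main__":
    # Benign input (1) gives identical shapes on both replicas; the UNION input from
    # the walkthrough above adds a second SELECT on the raw replica only, so it is denied.
    for user_input in ["1", "' UNION SELECT user,password from users WHERE '1'='1"]:
        print(repr(user_input), "->", check_input(user_input))
```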