we have to test a website for this software testing class and it's vulnerable to an SQL injection attack

but we can log in as admin anyway. still a bug but not a fun one

is there anything exciting i can do from inside a SELECT statement? i tried to UPDATE the database but i get a MySQL "Verify DB failed" error

oh here's something interesting, if not useful

your username that gets echoed on the page is always set to what you typed into the username field, not what the actual name of the account is

and when it echoes your username to the page, it isn't sanitized


this is what i decided was fun enough to call the teacher over to see (that is, to show off), and she actually asked me to email her details so she could show the head of the software development program. apparently he'll get a kick out of it :P


probably screenreader bad
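To make the three findings in the thread concrete from the defender's side, here is an added example (not code from the class website or from the original poster) of the login handler written the way the site should have done it: the lookup is a parameterized query, the page echoes the account name returned by the database rather than whatever was typed, and that name is HTML-escaped before it lands in the response. It assumes a one-table user store, constructed here in an in-memory SQLite database as a stand-in for the MySQL backend mentioned above.

```python
import html
import sqlite3

# Constructed stand-in for the site's user table. SQLite in memory replaces the
# MySQL database from the thread (assumption: the real schema is not shown).
# The plaintext password column is for the demo only; a real site stores a hash.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)")
conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse')")
conn.commit()


def login(typed_username: str, password: str):
    """Return the account's stored username on success, otherwise None.

    The query is parameterized: the typed value is bound as data, so quotes or
    SQL keywords inside it cannot alter the WHERE clause."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (typed_username, password),
    ).fetchone()
    return row[0] if row else None


def greeting_unsafe(name: str) -> str:
    """The pattern the thread describes: raw interpolation of the name into HTML."""
    return "<p>Welcome, " + name + "</p>"


def greeting_safe(name: str) -> str:
    """Escape before interpolating so any markup in the name renders as text."""
    return "<p>Welcome, " + html.escape(name, quote=True) + "</p>"


def login_page(typed_username: str, password: str) -> str:
    """Echo the stored account name (escaped), never the raw login field."""
    account = login(typed_username, password)
    if account is None:
        return "<p>Login failed</p>"
    return greeting_safe(account)


if __name__ == "__main__":
    print(login_page("admin", "correct-horse"))
    print(login_page("admin' --", "anything"))
    print(greeting_unsafe("<b>x</b>"), "vs", greeting_safe("<b>x</b>"))
```

The check worth running against such a site is the second call: a username carrying a quote must fail to log in, because the bound parameter is compared literally, and even a successful login must echo the database's copy of the name rather than the submitted field.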
