9.2.3: SQL Injection
SQL injection is the ability of an attacker to run arbitrary SQL against the app's database by supplying input that the app pastes directly into its own SQL statements.
The following link makes a GET request to the API part of the app: https://github.com/rocketacademy/express-security-bootcamp/blob/main/index.js#L315-L327
The end of this link has a SQL fragment appended to it:
' UNION SELECT email, password FROM users--
After the complete query is constructed it looks like this (take a look at the console.log that prints this query out):
SELECT name,type from cats WHERE name='kai' UNION SELECT email, password FROM users--'
According to the PortSwigger source linked below, UNION "lets you execute an additional SELECT query and append the results to the original query".
You can learn more about this example query here: https://portswigger.net/web-security/sql-injection
Notice that the result is a list of every user's email and password, not the single cat that was requested.

SQL Injection Solutions

The line of the app that exposes this vulnerability is: https://github.com/rocketacademy/express-security-bootcamp/blob/main/index.js#L317
Raw concatenation of request parameters into a SQL query should be avoided. (This applies anywhere in the query, not just in a WHERE clause.)
// Vulnerable: request.params.name becomes part of the SQL text and is parsed as SQL.
const query =
"SELECT name, type from cats WHERE name='" + request.params.name + "'";
Parameterized SQL queries do not have this problem: the SQL text and the values are sent to the database separately, so a value is never parsed as SQL. The following syntax is preferred in all cases.
// Safe: $1 is a placeholder; the value is bound separately and can only ever be a name.
const query = 'SELECT name, type from cats WHERE name=$1';
const values = [request.params.name];
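To see both the attack above and the fix actually run, here is an added example (not part of the bootcamp repo) that reproduces the cats/users scenario in an in-memory SQLite database with Python's standard sqlite3 module instead of Postgres; the table contents are constructed, and sqlite3 uses ? where node-postgres uses $1.

```python
import sqlite3

# Constructed sample rows standing in for the bootcamp app's tables.
CATS = [("kai", "tabby"), ("mochi", "siamese")]
USERS = [("alice@example.com", "hunter2"), ("bob@example.com", "letmein")]

# The value the lesson appends to the cat name in the URL.
PAYLOAD = "kai' UNION SELECT email, password FROM users--"


def make_db():
    """Build the in-memory stand-in for the app database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cats (name TEXT, type TEXT)")
    conn.execute("CREATE TABLE users (email TEXT, password TEXT)")
    conn.executemany("INSERT INTO cats VALUES (?, ?)", CATS)
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def find_cat_concatenated(conn, name):
    """Mirrors the vulnerable line: the parameter is pasted into the SQL text,
    so whatever it contains is parsed as SQL. With PAYLOAD the query becomes
    SELECT ... WHERE name='kai' UNION SELECT email, password FROM users--'
    and the users table comes back alongside the cat."""
    query = "SELECT name, type FROM cats WHERE name='" + name + "'"
    return conn.execute(query).fetchall()


def find_cat_parameterized(conn, name):
    """Mirrors the fix: the SQL text is constant and the name travels as a
    bound value. PAYLOAD is compared literally against cats.name and matches
    nothing, so no extra rows can be pulled in."""
    query = "SELECT name, type FROM cats WHERE name=?"
    return conn.execute(query, (name,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    print("concatenated :", find_cat_concatenated(conn, PAYLOAD))
    print("parameterized:", find_cat_parameterized(conn, PAYLOAD))
```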

Further Reading