Hi,
In Challenge 13, I have found the coupon_code parameter of the /workshop/api/shop/apply_coupon endpoint to be injectable.
I also found the applied_coupon table in the PostgreSQL database.
The endpoint accepts the following injection and returns the database version:
"coupon_code":"TRAC075'; SELECT version() --+"
But it refuses the following and returns a 500 error:
"coupon_code":"TRAC075'; DELETE FROM applied_coupon WHERE coupon_code=TRAC075 --+"
Is there anything that needs to be changed in the crAPI config file to allow user edits to be made to the database? I noticed there are restrictions for shell injection.
Thanks,
Edw.
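The issue above is about a string-spliced SQL query in the apply_coupon handler. The following is an added example, not crAPI's code: a hypothetical vulnerable handler that concatenates coupon_code into the query text, beside a hardened handler that validates the value against an allowlist pattern and binds it as a query parameter. It uses an in-memory sqlite3 table as a stand-in for the PostgreSQL applied_coupon table so it runs offline; the column names, the amount values, the assumed coupon format and the handler names are all constructed for the example. sqlite3's executescript() stands in for a driver that accepts stacked statements (psycopg2 does), so the error text returned by the unsafe handler shows that the injected SQL reached the engine.

```python
import re
import sqlite3

# Constructed sample data standing in for crAPI's applied_coupon table.
# Column names and amounts are assumptions, not the real crAPI schema.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE applied_coupon (coupon_code TEXT PRIMARY KEY, amount INTEGER)"
    )
    conn.executemany(
        "INSERT INTO applied_coupon VALUES (?, ?)", [("TRAC075", 75), ("TRAC100", 100)]
    )
    conn.commit()
    return conn

# The first payload quoted in the issue, used here only as test input.
STACKED_PAYLOAD = "TRAC075'; SELECT version() --+"

def apply_coupon_unsafe(conn, coupon_code):
    """Hypothetical vulnerable handler: the request value is spliced into the SQL
    text. executescript() stands in for a driver that runs stacked statements.
    Returns the SQL that was sent and the engine error (if any), so the caller
    can see that the attacker-controlled text was parsed as SQL."""
    sql = f"SELECT amount FROM applied_coupon WHERE coupon_code='{coupon_code}'"
    try:
        conn.executescript(sql)
        return {"sql": sql, "error": None}
    except sqlite3.Error as exc:
        # For the stacked payload sqlite reports 'no such function: version':
        # the injected statement reached the engine. A real service would map
        # this to a 500, which is the symptom described in the issue.
        return {"sql": sql, "error": str(exc)}

# Assumed coupon format, modelled on the TRAC075 code from the issue.
COUPON_RE = re.compile(r"^[A-Z0-9]{4,16}$")

def lookup_coupon(conn, coupon_code):
    """Parameterized query: the driver binds the value, so it is compared as a
    string literal and never interpreted as SQL, whatever it contains."""
    row = conn.execute(
        "SELECT amount FROM applied_coupon WHERE coupon_code = ?", (coupon_code,)
    ).fetchone()
    return row[0] if row else None

def apply_coupon_safe(conn, coupon_code):
    """Hardened handler: allowlist validation first, then a bound query.
    Values that fail validation are rejected as a client error before the
    database is touched, so malformed input yields a 400, not a 500."""
    if not isinstance(coupon_code, str) or not COUPON_RE.fullmatch(coupon_code):
        return {"status": 400, "amount": None}
    amount = lookup_coupon(conn, coupon_code)
    if amount is None:
        return {"status": 404, "amount": None}
    return {"status": 200, "amount": amount}

if __name__ == "__main__":
    db = make_db()
    print("unsafe, benign :", apply_coupon_unsafe(db, "TRAC075"))
    print("unsafe, payload:", apply_coupon_unsafe(db, STACKED_PAYLOAD))
    print("safe, benign   :", apply_coupon_safe(db, "TRAC075"))
    print("safe, payload  :", apply_coupon_safe(db, STACKED_PAYLOAD))
    print("bound lookup   :", lookup_coupon(db, STACKED_PAYLOAD))
```

The two defences are independent: lookup_coupon alone already neutralises the payload because parameter binding keeps it inside the string literal, and the regex check in front of it keeps junk out of the database layer entirely so that error paths never turn into 500 responses that reveal the backend.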