
Lab: SQL injection vulnerability in WHERE clause allowing retrieval of hidden data


This lab contains an SQL injection vulnerability in the product category filter. When the user selects a category, the application carries out an SQL query like the following:

SELECT * FROM products WHERE category = 'Gifts' AND released = 1

To solve the lab, perform an SQL injection attack that causes the application to display details of all products in any category, both released and unreleased.
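The root cause, shown from the defender's side as an added example (not code from the lab or from PortSwigger): the category value is pasted into the SQL text, so a quote character in it is parsed as syntax rather than data, while a bound parameter leaves the WHERE clause fixed. The table contents, function names and the use of SQLite are assumptions made for illustration.

```python
import sqlite3

# Constructed sample data; the columns mirror the query shown in the lab text.
ROWS = [
    ("Gift wrap", "Gifts", 1),
    ("Mystery box", "Gifts", 0),
    ("Rubber duck", "Kids' toys", 1),
    ("Prototype robot", "Kids' toys", 0),
]

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (name TEXT, category TEXT, released INTEGER)")
    db.executemany("INSERT INTO products VALUES (?, ?, ?)", ROWS)
    return db

def filter_concatenated(db, category):
    # Hypothetical handler matching the lab's description: the value becomes
    # part of the statement text, so its quote characters are parsed as SQL.
    sql = ("SELECT name FROM products WHERE category = '"
           + category + "' AND released = 1")
    return [row[0] for row in db.execute(sql)]

def filter_parameterized(db, category):
    # The statement text is constant; the value is bound separately and cannot
    # alter the WHERE clause or drop the released = 1 condition.
    sql = "SELECT name FROM products WHERE category = ? AND released = 1"
    return [row[0] for row in db.execute(sql, (category,))]

def probe(db, category):
    """Return (concatenated result or error label, parameterized result)."""
    try:
        concatenated = filter_concatenated(db, category)
    except sqlite3.Error as exc:
        concatenated = "SQL error: " + type(exc).__name__
    return concatenated, filter_parameterized(db, category)

if __name__ == "__main__":
    db = make_db()
    # A legitimate category name containing an apostrophe is enough to show
    # that the concatenated query treats input as SQL syntax.
    for value in ("Gifts", "Kids' toys"):
        print(repr(value), probe(db, value))
```

A database error triggered by an ordinary apostrophe in the filter value is the signal worth alerting on in application logs, and it disappears once the query is parameterized.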
