1. Web Security Academy
  2. SQL injection
  3. Lab

Lab: SQL injection vulnerability in WHERE clause allowing retrieval of hidden data

APPRENTICE

This lab contains an SQL injection vulnerability in the product category filter. When the user selects a category, the application carries out an SQL query like the following:

SELECT * FROM products WHERE category = 'Gifts' AND released = 1

To solve the lab, perform an SQL injection attack that causes the application to display details of all products in any category, both released and unreleased.

Stories from the Daily Swig about SQL injection

Find SQL injection vulnerabilities using Burp Suite

The benefits of working through PortSwigger's Web Security Academy

Get started with the Web Security Academy where you can practise exploiting vulnerabilities on realistic targets .. and its free!

Already got an account? Login here