SQL Injection Vulnerability - KSU-CS-Software-Engineering/HSPC GitHub Wiki
We were notified by one of the Software Testing Teams that our project has a SQL injection vulnerability in account creation.
The bug was found while testing account registration. Testers were able to change values in the database, and to drop rows from tables, by injecting SQL DML statements into the required fields of the registration form.
Steps to reproduce:

- Navigate to the Login Page.
- Register as a student account and note the email used.
- Enter valid information to create an account.
- At the Phone Number textbox, enter:

  `', '1', '', 'password'); update users set AccessLevel = 6 where Email= '************@gmail.com';--'`

  where the `Email` is equal to the one used to start the new account.
- This will effectively update the new user to the highest permission level.

The payload works because the phone number value is placed directly into the text of the INSERT statement: the leading `'` closes the string literal, `, '1', '', 'password')` completes the remaining values of the row, `;` ends the INSERT so that the appended UPDATE runs as a second statement, and `--` comments out whatever the application appends after the field. The attack also depends on the database connection executing stacked statements. The fix is to bind every form value as a query parameter instead of concatenating it into the statement.
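The vulnerable query construction beside its parameterized replacement, as an added example that is not the HSPC project's code. The `users` schema and column names, the student access level of 1, the attacker email and the password are constructed for this example; Python's `sqlite3` stands in for the project's database, and `executescript` stands in for a driver that accepts stacked statements (the project's real driver is not named on this page).

```python
import sqlite3

# Constructed schema for this example; the real HSPC column names are not on the wiki page.
# The column order after PhoneNumber matches the shape of the testers' payload
# (three more values: access level, an empty field, password).
SCHEMA = """
create table users (
    Email       text primary key,
    FirstName   text,
    LastName    text,
    PhoneNumber text,
    AccessLevel integer,
    Bio         text,
    Password    text
);
"""

STUDENT_LEVEL = 1  # assumed default for a new student account
ADMIN_LEVEL = 6    # the page calls 6 the highest permission level


def new_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def register_vulnerable(conn, email, first, last, phone, password):
    """Builds the INSERT by string formatting: the bug the wiki describes."""
    sql = (
        "insert into users (Email, FirstName, LastName, PhoneNumber, AccessLevel, Bio, Password) "
        f"values ('{email}', '{first}', '{last}', '{phone}', '{STUDENT_LEVEL}', '', '{password}')"
    )
    # executescript runs every statement in the string, like a driver that
    # permits stacked queries, which the payload relies on.
    conn.executescript(sql)


def register_safe(conn, email, first, last, phone, password):
    """Parameterized INSERT: form values are bound as data and never parsed as SQL."""
    conn.execute(
        "insert into users (Email, FirstName, LastName, PhoneNumber, AccessLevel, Bio, Password) "
        "values (?, ?, ?, ?, ?, '', ?)",
        (email, first, last, phone, STUDENT_LEVEL, password),
    )
    conn.commit()


def access_level(conn, email):
    row = conn.execute("select AccessLevel from users where Email = ?", (email,)).fetchone()
    return row[0] if row else None


def stored_phone(conn, email):
    row = conn.execute("select PhoneNumber from users where Email = ?", (email,)).fetchone()
    return row[0] if row else None


def payload(email):
    """Same shape as the wiki's phone-number payload, with a constructed email."""
    return (
        f"', '{STUDENT_LEVEL}', '', 'password'); "
        f"update users set AccessLevel = {ADMIN_LEVEL} where Email= '{email}';--'"
    )


def demo():
    """Registers the same attacker against both code paths and reports the outcome."""
    email = "attacker@example.com"  # constructed; the wiki redacts the real address
    vuln = new_db()
    register_vulnerable(vuln, email, "Ada", "Lovelace", payload(email), "hunter2")
    safe = new_db()
    register_safe(safe, email, "Ada", "Lovelace", payload(email), "hunter2")
    # vulnerable path: level escalated to 6; safe path: level stays 1 and the
    # payload is stored verbatim as a (useless) phone number
    return access_level(vuln, email), access_level(safe, email), stored_phone(safe, email)


if __name__ == "__main__":
    print(demo())
```

On the vulnerable path the injected UPDATE runs and the new account ends up at `AccessLevel = 6`; on the parameterized path the whole payload is stored as the phone number string and the account keeps the student level. Binding parameters is the fix; disabling stacked statements in the database driver and validating the phone field against the expected format are worthwhile defence in depth but do not replace it.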
Reference:
Software Testing | Bugs Reference