R4 A1 SQL Injection Concatentation - richardrowe/railsgoat-tutorials GitHub Wiki

Description

Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing unauthorized data.

Bug

This example of SQL Injection also happens to be a form of Insecure Direct Object Reference, since it uses user-supplied input (params[:user][:user_id]) to determine which user's profile gets updated. Here, however, we will discuss the SQL query being used and why it is vulnerable: the user_id parameter is interpolated straight into the WHERE string rather than passed to ActiveRecord as a bound value.

Within app/controllers/users_controller.rb

  def update
    message = false
    # VULNERABLE CODE, ON THE NEXT LINE (WHERE STATEMENT)
    user = User.where("user_id = '#{params[:user][:user_id]}'").first
    if user
      user.skip_user_id_assign = true
      user.skip_hash_password = true
      user.update_attributes(user_params_without_password)
      if !(params[:user][:password].empty?) && (params[:user][:password] == params[:user][:password_confirmation])
        user.skip_hash_password = false
        user.password = params[:user][:password]
      end
      message = true if user.save!
      respond_to do |format|
        format.html { redirect_to user_account_settings_path(:user_id => current_user.user_id) }
        format.json { render :json => {:msg => message ? "success" : "false "} }
      end
    else
      flash[:error] = "Could not update user!"
      redirect_to user_account_settings_path(:user_id => current_user.user_id)
    end
  end
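To make the contrast concrete, here is an added Ruby example (not RailsGoat's code) that places the interpolated clause from the controller beside the `?` placeholder form that ActiveRecord's `where` accepts. The `quote` and `bind_placeholders` helpers are assumed stand-ins for ActiveRecord's quoting so the script runs without Rails or a database, and the inputs are constructed.

```ruby
# Added example, not part of the RailsGoat code base. The helpers below
# imitate ActiveRecord's quoting so no Rails or database is needed.

# Stand-in for ActiveRecord's quote: wrap in single quotes and double
# any embedded single quote, which is how SQL escapes it.
def quote(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Stand-in for where("... = ?", value): each ? becomes a quoted
# literal, so the input can never change the shape of the query.
def bind_placeholders(sql, *values)
  sql.gsub("?") { quote(values.shift) }
end

# The pattern from users_controller.rb: the raw value is pasted in.
def vulnerable_where(user_id)
  "user_id = '#{user_id}'"
end

# The hardened pattern: the value travels as a bound parameter.
def safe_where(user_id)
  bind_placeholders("user_id = ?", user_id)
end

# Remove string literals ('' is the escaped quote) so keywords inside a
# properly quoted value are not mistaken for SQL structure.
def strip_literals(sql)
  sql.gsub(/'(?:[^']|'')*'/, "''")
end

# True when boolean operators or statement separators appear outside
# any literal, i.e. the input has altered the query's structure.
def structure_altered?(sql)
  strip_literals(sql).match?(/\b(OR|AND|UNION)\b|;|--/i)
end

# Constructed inputs: an ordinary id and a hostile one.
NORMAL_ID  = "5"
HOSTILE_ID = "5' OR '1'='1"

if __FILE__ == $0
  [NORMAL_ID, HOSTILE_ID].each do |id|
    puts "input: #{id.inspect}"
    v = vulnerable_where(id)
    s = safe_where(id)
    puts "  interpolated: #{v}   altered=#{structure_altered?(v)}"
    puts "  bound:        #{s}   altered=#{structure_altered?(s)}"
  end
end
```

With the hostile id the interpolated clause gains a second, always-true condition, while the bound form yields one literal whose embedded quotes are escaped, so the WHERE clause still compares against a single value.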

Hint

I wonder who else's account needs updating?
