
Sql vulnerable sites with admin

Did you know that almost every 30 seconds there is a new hacker attack? Did you know hackers steal billions of dollars every year? Today we will learn how to do the SQL Injection attack, and how to prevent it. If we are developers, we should always care about the security of our code (at least a bit). It doesn't matter whether we do front-end or back-end; both are vulnerable. Today I would like to show you a bit about the SQL Injection attack: what it is, how to do it, why it is dangerous, and how to protect your application from it. If you prefer video, here is the YouTube version:

SQL Injection is one of the most popular OWASP vulnerabilities; it is very easy to do and can do horrible damage. It is a situation where an attacker can push custom and unwanted commands to the SQL database. For example, when we have a username input, we can put some custom commands in it, such as deleting whole tables, getting data from other database tables, or auto-unlocking the admin account.

Why SQL Injection is dangerous

By SQL Injection, an attacker can quickly get access to data that should never be accessible to a regular user. For example, that can be your private messages, bank transactions, or sensitive personal data like your ID or where you live. What is worse, if the database is vulnerable, attackers can have open access to millions of records in a moment.

This type of attack gives the possibility to fire any SQL command, not only to read data. For example, an attacker can send money from your account to his own, change your account balance, or delete all the records. That could be very painful, especially when there is no backup.

When we build an application, very often we have some permission for a given role: only an admin can delete or edit records, a friend request needs to be accepted by the invited person, etc. What if an attacker could go into the DB and send messages from your account, add his account as a verified friend, or edit posts on your social profile?

Let's perform an SQL Injection attack

Now we will make a simple attack to get access to somebody's account. We built a banking app that you can test the attack against; check the code and the responses to understand fully how it works. Here is the link to the code for the Golang back-end for the banking app:

Requirements to make the SQL Injection attack: Name it bankapp and use the user Postgres, or you can use whatever user you want. In that case, you will need to change the connection string.

In the following SQL injection example, we try to log in by comparing the user input (username and password) to the values stored in the database. This is an example of what NOT to do: this query has multiple flaws by design. Notably, it is vulnerable to SQL injection and does not use hashed and salted passwords.

You need to set up your connection string in the two files, vulnerable-db.go and migrations.go. Now you need to go to main.go, comment out the API code, and uncomment the migrations one. Your code of the main function should look like this.
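As an added example that is not from the original post or the bankapp repository, here is a Go sketch of the two login queries the text contrasts: the concatenated one that the banking app deliberately uses, and a parameterized one with PostgreSQL-style placeholders. The `LoginQuery` type, the function names and the sample inputs are assumptions; it does not connect to a database, it only builds the query, which is where the defect lives.

```go
package main

import (
	"fmt"
	"strings"
)

// LoginQuery is the SQL text plus the parameters a driver would bind to it,
// the pair you would pass to db.QueryRow(q.SQL, q.Args...).
type LoginQuery struct {
	SQL  string
	Args []interface{}
}

// VulnerableLoginQuery reproduces the flawed pattern: the user-supplied
// username and password are spliced into the SQL text, so a single quote in
// the input ends the string literal and the rest of the input becomes SQL.
func VulnerableLoginQuery(username, password string) LoginQuery {
	sql := "SELECT id FROM users WHERE username = '" + username +
		"' AND password = '" + password + "'"
	return LoginQuery{SQL: sql}
}

// SafeLoginQuery keeps the SQL text constant and passes the input as bound
// parameters ($1, $2 in PostgreSQL placeholder style). Whatever the input
// contains, it is only ever compared as a value, never parsed as SQL.
func SafeLoginQuery(username, password string) LoginQuery {
	const sql = "SELECT id FROM users WHERE username = $1 AND password = $2"
	return LoginQuery{SQL: sql, Args: []interface{}{username, password}}
}

// QuoteCount is a cheap way to see whether input changed the query shape:
// the safe query always has zero quote characters; the unsafe one has
// four plus however many the input smuggled in.
func QuoteCount(q LoginQuery) int {
	return strings.Count(q.SQL, "'")
}

func main() {
	// Constructed inputs: a plain name and a legitimate name with an apostrophe.
	for _, u := range []string{"alice", "o'neil"} {
		fmt.Println("unsafe:", VulnerableLoginQuery(u, "pw").SQL)
		fmt.Println("safe:  ", SafeLoginQuery(u, "pw").SQL)
	}
}
```

Even the harmless name with an apostrophe changes the shape of the concatenated query, which is the same mechanism an attacker uses with crafted input; the parameterized query text stays identical for every input.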
