SQL Injection

[mrussek]

This example app is vulnerable to SQL injection. It is possible to inject arbitrary SQL via the message parameter of the /v1/messages POST endpoint. I have used this to delete the production messages table since it seemed nothing valuable had been stored there as of yet. Now that the table no longer exists, the SQL command will fail earlier and therefore protect the database from more nefarious attacks.

[chidimo]

Hey. I'd like to see the QUERY you sent to delete the table.

Thank you.

[chidimo]

@mrussek could you kindly share the QUERY you sent to delete the table.
Thank you.

[mrussek]

I used this request using httpie

http --form POST https://express-api-template.herokuapp.com/v1/messages name="max" message="data'); delete from messages; insert into messages (name, message) values ('max', 'message"