PostgreSQL database not accepting edits #235

@zerodayhacker

Hi,
In Challenge 13, I have found the coupon_code parameter in the /workshop/api/shop/apply_coupon to be injectable.
I also found the applied_coupon table in the PostgreSQL database.

The endpoint accepts the following injection and returns the database version:
"coupon_code":"TRAC075'; SELECT version() --+"

But it refuses the following and returns a 500 error:
"coupon_code":"TRAC075'; DELETE FROM applied_coupon WHERE coupon_code=TRAC075 --+"

Is there anything that needs to be changed in the crAPI config file to allow user edits to be made to the database? I noticed there are restrictions for shell injection.

Thanks,
Edw.
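As an added defender-side example (not code from the issue or from crAPI itself), the following Python scanner applies a strict allow-list to the coupon_code parameter of /workshop/api/shop/apply_coupon and flags request records that fail it; the record format, the allow-list pattern and the sample entries are constructed assumptions, with the two parameter values taken from the issue above.

```python
import json
import re

# Allow-list for coupon codes. crAPI's real code format is not documented on
# this page, so this pattern (upper-case letters and digits, 4 to 16 chars)
# is an assumption made for the demonstration.
COUPON_CODE_RE = re.compile(r"^[A-Z0-9]{4,16}$")

# Tokens that never belong in a coupon code; any of them in the parameter is
# a strong indicator of a SQL injection probe and worth alerting on.
SUSPICIOUS_TOKENS = ("'", ";", "--", "/*", "version(", "delete ", "select ", "drop ")


def is_valid_coupon_code(code: str) -> bool:
    """Strict allow-list check: only well-formed codes should reach the database."""
    return bool(COUPON_CODE_RE.fullmatch(code))


def injection_indicators(code: str) -> list:
    """Return the suspicious tokens present in a coupon_code value (case-insensitive)."""
    lowered = code.lower()
    return [tok for tok in SUSPICIOUS_TOKENS if tok in lowered]


def scan_requests(records: list) -> list:
    """Scan JSON request records and return one finding per apply_coupon
    request whose coupon_code fails the allow-list, with the indicators seen."""
    findings = []
    for line in records:
        rec = json.loads(line)
        if rec.get("path") != "/workshop/api/shop/apply_coupon":
            continue  # only the coupon endpoint is in scope here
        code = rec.get("body", {}).get("coupon_code", "")
        if is_valid_coupon_code(code):
            continue
        findings.append({
            "src": rec.get("src"),
            "status": rec.get("status"),
            "coupon_code": code,
            "indicators": injection_indicators(code),
        })
    return findings


# Constructed sample records (not real crAPI logs); the two injected values
# are the ones quoted in the issue above.
SAMPLE_RECORDS = [
    '{"src": "10.0.0.5", "path": "/workshop/api/shop/apply_coupon", "status": 200, "body": {"coupon_code": "TRAC075"}}',
    '{"src": "10.0.0.9", "path": "/workshop/api/shop/apply_coupon", "status": 200, "body": {"coupon_code": "TRAC075\'; SELECT version() --+"}}',
    '{"src": "10.0.0.9", "path": "/workshop/api/shop/apply_coupon", "status": 500, "body": {"coupon_code": "TRAC075\'; DELETE FROM applied_coupon WHERE coupon_code=TRAC075 --+"}}',
    '{"src": "10.0.0.7", "path": "/workshop/api/shop/orders", "status": 200, "body": {}}',
]
```

A 500 on this endpoint paired with a failed allow-list check is the combination to alert on, since it indicates the injected value reached the database rather than being rejected at the input boundary.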
