In the next few posts, I’m going to discuss the problems in the challenge, how I solved them and what I learned from each one.
Here is the code for level 0:
So you have a Node.js server script with an HTML front-end. The front-end lets you submit a web form to retrieve your stored secret, but the secret for level 1 is stored in the same database table.
Reading the code, the query on line 34 jumps out at you:
var query = 'SELECT * FROM secrets WHERE key LIKE ? || ".%"';
Even though I’m not too familiar with nodejs or its db API, the part where it concatenates user input with “.%” looks suspicious.
|| is the SQL operator for concatenation, and ‘%’ is the SQL wildcard that matches 0 or more characters of any kind. What if my user input is “%”?
Voilà! That’s it!
The pattern %.% matches every key that contains a dot anywhere, so the query returns every stored secret, not just yours.
SQL injection has been a known security issue for a long time, yet you’d be surprised how many sites are still subject to such exploits. The problem with the level 0 code is exactly that: unsanitized user input is sent straight to the database and interpreted as part of the query. So every time you see string concatenation in a SQL statement, you have to ask yourself: is the thing being concatenated trustworthy? Use prepared statements or your database’s escape function wherever possible.
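The subtle part of level 0 is that the query already binds the user value through a ? placeholder; the leak comes from LIKE interpreting the % and _ wildcards inside the bound value once it is concatenated with ".%" in SQL. The following is an added example, not code from the original post or the CTF, that reproduces the match behaviour with a small LIKE emulator standing in for SQLite (so it runs offline, no database needed), and shows two hardened lookups: escaping the wildcards with an ESCAPE clause, and dropping LIKE in favour of a validated literal prefix. The secrets rows and the namespace allow-list regex are constructed for the example.

```javascript
// Constructed sample rows shaped like the level's secrets table (key, secret).
const SECRETS = [
  { key: "alice.secret",     secret: "alice-s3cret"  },
  { key: "bob.secret",       secret: "bob-s3cret"    },
  { key: "level01.password", secret: "level01-p4ss"  },
];

// Escape a string so it matches literally inside a RegExp.
function reEscape(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Minimal emulation of SQL LIKE with an ESCAPE character:
// '%' matches any run of characters, '_' matches one character, and
// escapeChar followed by % or _ matches that character literally.
// (Stands in for the database engine; not SQLite's own code.)
function sqlLike(value, pattern, escapeChar = "\\") {
  let re = "^";
  for (let i = 0; i < pattern.length; i++) {
    const c = pattern[i];
    if (c === escapeChar && i + 1 < pattern.length) {
      re += reEscape(pattern[++i]);           // escaped metacharacter
    } else if (c === "%") {
      re += ".*";
    } else if (c === "_") {
      re += ".";
    } else {
      re += reEscape(c);
    }
  }
  return new RegExp(re + "$").test(value);
}

// The level 0 query as written: WHERE key LIKE ? || ".%"
// The parameter is bound safely, but LIKE still sees any % or _ the
// user supplied, so namespace "%" becomes the pattern "%.%".
function vulnerableLookup(namespace) {
  const pattern = namespace + ".%";
  return SECRETS.filter(r => sqlLike(r.key, pattern));
}

// Hardening 1: escape LIKE metacharacters in the user value and tell the
// database which escape character you used, i.e. run
//   SELECT * FROM secrets WHERE key LIKE ? || '.%' ESCAPE '\'
// with escapeLike(namespace) bound to the placeholder.
function escapeLike(s, escapeChar = "\\") {
  return s.replace(/[\\%_]/g, m => escapeChar + m);
}
function escapedLookup(namespace) {
  const pattern = escapeLike(namespace) + ".%";
  return SECRETS.filter(r => sqlLike(r.key, pattern));
}

// Hardening 2: an exact-prefix match does not need LIKE at all.
// Validate the namespace against an allow-list (hypothetical policy)
// and compare the prefix literally.
const NAMESPACE_RE = /^[A-Za-z0-9-]{1,32}$/;
function strictLookup(namespace) {
  if (!NAMESPACE_RE.test(namespace)) {
    throw new Error("invalid namespace");
  }
  return SECRETS.filter(r => r.key.startsWith(namespace + "."));
}

// Demonstration when run directly.
console.log("vulnerable, input '%':", vulnerableLookup("%").length, "rows");
console.log("escaped,    input '%':", escapedLookup("%").length, "rows");
console.log("escaped,    input 'alice':", escapedLookup("alice").length, "row");
```

With the original query shape, the input % returns all three rows; with the escaped pattern the same input matches nothing, and a legitimate namespace still returns exactly its own row. The allow-list variant rejects the wildcard input outright, which is the better default when the field is only ever supposed to hold an identifier.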