SQL Injection #1

Open
tch1bo opened this issue Nov 14, 2018 · 0 comments

@tch1bo tch1bo commented Nov 14, 2018

Hello,

I noticed an unsafe usage of SQL queries in tests/local_api.py line 37. The query coming from the user is executed without any prior sanitization, which may lead to SQL Injection attacks.

I also noticed the comment at the top of the page: "A really basic, insecure API server for the sqlite database", so I guess you are aware of this issue. But at the same time, the code deployed at http://code.minnpost.com/election-night-api/ seems to be vulnerable. I tried the typical "asdasd' or 1==1 -- " vector and it worked (I did not investigate any further). So you might consider taking some measures to prevent attacks.

Cheers!
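The flaw class the reporter describes, shown as an added example that is not part of the issue or of the project's `tests/local_api.py` (whose handler is not reproduced on this page): an in-memory sqlite3 table with constructed sample rows, a lookup that splices user input into the SQL text, the same lookup with a bound parameter, and a small log-side heuristic for surfacing attempts. Table and column names are assumptions. Note that where an endpoint executes a whole statement supplied by the caller, as the report suggests, binding parameters is not enough by itself; the statement shape must be fixed server-side and the caller restricted to data values.

```python
import sqlite3

# Constructed sample data; the project's real sqlite schema is not shown on the page.
SAMPLE_ROWS = [
    ("governor", "Candidate A", 1200),
    ("governor", "Candidate B", 980),
    ("senate", "Candidate C", 1500),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE results (contest TEXT, candidate TEXT, votes INTEGER)")
    conn.executemany("INSERT INTO results VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_unsafe(conn: sqlite3.Connection, contest: str):
    """The pattern reported in the issue: user input concatenated into the SQL text.
    A value such as "asdasd' or 1==1 -- " closes the string literal, appends an
    always-true condition and comments out the rest, so the WHERE clause no longer
    filters anything."""
    sql = ("SELECT candidate, votes FROM results WHERE contest = '"
           + contest + "' ORDER BY votes DESC")
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, contest: str):
    """Hardened form: the value travels as a bound parameter. The statement shape is
    fixed before the engine sees any user data, so the same input is compared as a
    plain string and simply matches no row."""
    sql = "SELECT candidate, votes FROM results WHERE contest = ? ORDER BY votes DESC"
    return conn.execute(sql, (contest,)).fetchall()


def looks_like_injection(value: str) -> bool:
    """Cheap request-log heuristic: flags inputs carrying a quote together with a
    comment marker, an OR, or a statement separator. It exists only to make
    attempts visible in logs; it is not a substitute for parameterization."""
    lowered = value.lower()
    return "'" in lowered and ("--" in lowered or " or " in lowered or ";" in lowered)


if __name__ == "__main__":
    db = build_db()
    probe = "asdasd' or 1==1 -- "  # the vector quoted in the issue
    print("unsafe:", lookup_unsafe(db, probe))   # every row comes back
    print("safe:  ", lookup_safe(db, probe))     # no row matches the literal string
    print("flagged:", looks_like_injection(probe))
```

Running the block prints all three rows for the unsafe lookup, an empty list for the parameterized one, and `True` from the heuristic, which is the behaviour to confirm after switching a handler to bound parameters.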
