I noticed an unsafe usage of SQL queries in tests/local_api.py line 37. The query coming from the user is executed without any prior sanitization, which may lead to SQL Injection attacks.
I also noticed the comment at the top of the page: "A really basic, insecure API server for the sqlite database", so I guess you are aware of this issue. But at the same time, the code deployed at http://code.minnpost.com/election-night-api/ seems to be vulnerable. I tried the typical "asdasd' or 1==1 -- " vector and it worked (I did not investigate any further). So you might consider taking some measures to prevent attacks.
Cheers!
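To illustrate the report above, here is an added example (not code from this repository or its author) that contrasts the pattern the issue describes, user input interpolated into the SQL text, with a parameterized query. It assumes a hypothetical lookup endpoint that filters a `results` table by a user-supplied contest name, using a constructed in-memory SQLite database in place of the project's file.

```python
import sqlite3


def make_db():
    # Constructed sample data standing in for the project's sqlite database.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE results (id INTEGER PRIMARY KEY, contest TEXT, votes INTEGER)"
    )
    conn.executemany(
        "INSERT INTO results (contest, votes) VALUES (?, ?)",
        [("mayor", 100), ("council", 50), ("school-board", 25)],
    )
    conn.commit()
    return conn


def lookup_unsafe(conn, contest):
    # The defect the issue reports: the user's value becomes part of the SQL
    # text, so quotes and comment markers in it change the query's meaning.
    sql = "SELECT contest, votes FROM results WHERE contest = '%s'" % contest
    return conn.execute(sql).fetchall()


def lookup_safe(conn, contest):
    # Hardened form: the value is bound as a parameter, so SQLite always treats
    # it as a literal string no matter what characters it contains.
    sql = "SELECT contest, votes FROM results WHERE contest = ?"
    return conn.execute(sql, (contest,)).fetchall()


def demo():
    # Runs both variants against a normal value and against the probe string
    # quoted in the issue, so the difference in behaviour is visible.
    conn = make_db()
    benign = "mayor"
    probe = "asdasd' or 1==1 -- "  # the vector mentioned in the report
    return {
        "unsafe_benign": lookup_unsafe(conn, benign),    # one matching row
        "unsafe_probe": lookup_unsafe(conn, probe),      # every row leaks
        "safe_benign": lookup_safe(conn, benign),        # one matching row
        "safe_probe": lookup_safe(conn, probe),          # no such contest: []
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

If the endpoint really accepts an arbitrary SQL statement rather than a value, binding parameters cannot help; the statement itself has to be constrained (for example, a read-only connection and an allowlist of permitted queries).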