After this lesson, you will be able to: Identify and prevent SQL injection, cross-site scripting (XSS), and command injection, the three classic injection attacks.
All injection attacks share the same root cause: untrusted input gets concatenated into a command interpreted by something else (a database, a browser, a shell). Fix the root cause and you fix all three at once.
User-controlled string concatenated into a query.
# VULNERABLEquery = "SELECT * FROM users WHERE name = '" + name + "'"# Input: alice' OR '1'='1# Result: SELECT * FROM users WHERE name = 'alice' OR '1'='1', returns every user# FIXED, parameterized querycursor.execute("SELECT * FROM users WHERE name = %s", (name,))
Untrusted input rendered as HTML.
// VULNERABLEelement.innerHTML = '<p>Hello, ' + userName + '</p>';// Input: <script>fetch('/api/cookies').then(...)</script>// Result: the script runs in the victim's browser// FIXED, set as text, not HTMLelement.textContent = 'Hello, ' + userName;// Or use a templating engine that escapes by default (React, Vue)
User-controlled string appended to a system call.
# VULNERABLEimport osos.system("ping " + ip)# Input: 8.8.8.8; rm -rf /# Result: both commands execute# FIXED, pass as args list, no shellimport subprocesssubprocess.run(["ping", "-c", "1", ip], check=True)
Real injection challenges in a safe legal environment.
Sign in to PicoCTF
Filter the Web Exploitation challenges by difficulty: Easy
Pick a SQL injection challenge
Use the browser's developer tools to inspect requests
Find the injectable parameter and exfiltrate the flag
Choose the most effective answer.
Sign in and purchase access to unlock this lesson.