Juicy Shop

SQL Injection via Product Search

InjectionA03:2021 – Injectioncritical

Vulnerability

The product search endpoint builds its SQL query by concatenating the raw `q` request parameter directly into the statement. Because the input is never parameterised, an attacker can break out of the intended string literal and append their own SQL — reading other tables (e.g. user_profiles), bypassing filters, or dumping the schema with UNION SELECT. Any data the database user can reach is exposed.

Exploit Steps

  1. Open the products search bar
  2. Enter a normal query to observe the pattern (e.g. 'apple')
  3. Inject a SQL payload: enter `' UNION SELECT * FROM sqlite_master--`
  4. Observe the application returns unexpected rows — the injection was successful

Tools: browser devtools, curl, Burp Suite

Mitigation & Solution

Use parameterised queries (prepared statements) for all user-supplied input. Never interpolate request data into raw SQL strings. In Effect, use @effect/sql tagged template literals which parameterise automatically.

Coding Challenge

Find It

File: apps/juicy-shop/src/app/api/products/route.ts

Click the line that contains the vulnerability:

Fix It