In a recent blog post we showed you how an attacker could gain administrator access via a Cross-Site Scripting (XSS) vulnerability. Now we want to show you how an attacker could abuse an even more common and more dangerous vulnerability called SQL Injection. Its main cause is similar: the developer does not sanitize inputs. But this time the inputs are passed directly into an SQL query.
We will demonstrate a real hacker attack that results in the attacker obtaining all the data in the database, including credit card information stored in the web store.
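The root cause named above, input passed directly into the SQL query, shown next to the parameterized form that keeps input as data. This is an added example, not code from the original post; the table, its rows and the function names are constructed for illustration, and it uses Python's built-in `sqlite3` module.

```python
import sqlite3


def make_store_db():
    """Build an in-memory table holding constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (id INTEGER, name TEXT, hidden INTEGER)")
    db.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [(1, "mug", 0), (2, "shirt", 0), (3, "unreleased item", 1)],
    )
    return db


def search_concatenated(db, name):
    # Vulnerable pattern: the input becomes part of the SQL text itself,
    # so a quote character in it changes the structure of the query.
    sql = "SELECT name FROM products WHERE hidden = 0 AND name = '" + name + "'"
    return [row[0] for row in db.execute(sql)]


def search_parameterized(db, name):
    # Hardened pattern: the SQL text is fixed and the input is bound as a
    # value, so the driver never parses it as SQL.
    sql = "SELECT name FROM products WHERE hidden = 0 AND name = ?"
    return [row[0] for row in db.execute(sql, (name,))]


def outcome(search, db, name):
    """Return the rows found, or the database error text if the query broke."""
    try:
        return search(db, name)
    except sqlite3.Error as exc:
        return "error: " + str(exc)


if __name__ == "__main__":
    db = make_store_db()
    # Constructed inputs: a normal name, a legitimate name containing an
    # apostrophe, and a value whose quote rewrites the WHERE clause.
    for value in ["mug", "O'Brien", "x' OR '1'='1"]:
        print(repr(value))
        print("  concatenated :", outcome(search_concatenated, db, value))
        print("  parameterized:", outcome(search_parameterized, db, value))
```

With concatenation, a harmless apostrophe already produces a database error and the last input returns the hidden row as well; the parameterized query returns no rows for both, which is the behaviour to verify when reviewing or testing a fix.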