From d741fb5c781f678121c96d24f95e3ca58b9410a2 Mon Sep 17 00:00:00 2001
From: Jet Hughes
Date: Thu, 8 Sep 2022 17:47:28 +1200
Subject: [PATCH] vault backup: 2022-09-08 17:47:28

---
 content/notes/01-security-audit.md | 9 ---------
 content/notes/ass01-security-audit.md | 14 ++++++++++++++
 2 files changed, 14 insertions(+), 9 deletions(-)
 delete mode 100644 content/notes/01-security-audit.md

diff --git a/content/notes/01-security-audit.md b/content/notes/01-security-audit.md
deleted file mode 100644
index 48ebc5104..000000000
--- a/content/notes/01-security-audit.md
+++ /dev/null
@@ -1,9 +0,0 @@
----
-title: "01-security-audit"
-aliases:
-tags:
-- assignment
-- comp210
---
-
-
diff --git a/content/notes/ass01-security-audit.md b/content/notes/ass01-security-audit.md
index fc4355c38..d73dae9b8 100644
--- a/content/notes/ass01-security-audit.md
+++ b/content/notes/ass01-security-audit.md
@@ -14,6 +14,20 @@ Jet Hughes - 9474308 - technology # Flaws
+## SQL Injection
+CWE: 89
+
+It is possible to inject SQL into the database using the login username field, and display it in the brower as the "username" of the logged in user.
+
+The first thing I attempted was to login using the username " 'or 1=1;--". This worked and I was logged in as administrator.
+After that I created an account. When I noticed that my username was displayed in the brower I attempted to extract data from the database and display is as this username.
+
+In the username field of the login form I entered the string:
+
+' union select group_concat(username||':'||password||':'||name||':'||credit_card_number||':'||credit_card_expiry||':'||credit_card_cvv) from user as name;--
+
+This resulted in all the users data
+
 ## Password policy
 - must have at least 5 characters and one digit.
 - not suffiecient