Javascript Snippet #07

This challenge covers the review of a snippet of code written in JavaScript

< 1 Hr.


In this lab, we review a JavaScript snippet as part of the code review badge. The provided code handles a GET request to '/api/v1/users', querying the database for user details and their associated groups. While the initial query uses a prepared statement to avoid SQL injection, a second query concatenates user-provided values directly into the SQL string, leading to a second-order SQL injection vulnerability.

The video transcript explains each line of code in detail, pointing out the critical flaw where the result from the first query is directly used in the second query without proper sanitization. To prevent this vulnerability, it is recommended to replace the direct concatenation with a prepared statement, ensuring that even data retrieved from the database is treated as potentially unsafe.

Want to learn more? Get started with PentesterLab Pro! GO PRO