@vitoriaguidines vitoriaguidines commented Jan 17, 2025

This solution refers to which of the apps?

A3 - Copy n Paste

What did you do to mitigate the vulnerability?

I replaced the string concatenation approach used to build SQL queries with prepared statements that utilize placeholders (?). By doing this, the user-provided data is handled as parameters by the database driver, preventing any malicious injection from altering the structure of the SQL query.

The code in db.go was modified.

Sqlmap results after the change:
[image: sqlmap output]

More specifically:

  • AuthenticateUser now uses SELECT id, username, password FROM Users WHERE username = ? and passes user as a parameter.
  • NewUser and CheckIfUserExists also follow the same pattern, using ? instead of string concatenation with +.
  • This ensures that the MySQL driver properly escapes any user input before executing the query, thus mitigating SQL Injection.
  • Additionally, I included proper error handling and password hashing (bcrypt) to further secure user credentials.

Did you test your changes? What commands did you run?

  1. Manual Testing:

    • Tried the SQL Injection payload (-1' UNION select 1,2,sleep(5) -- ') in the user field on both /login and /register endpoints. The app responded with a "user not found or wrong password" message, not granting unauthorized access or displaying DB errors.
    • Verified that normal user flows (registration and login) work as expected.
  2. sqlmap Testing:

    • Created a postRequest.txt with the JSON request for /login.
    • Ran sqlmap -r postRequest.txt to see if the parameter user or pass was still injectable.
    • sqlmap did not detect any injection point and failed to retrieve any information from the database, confirming the mitigation was effective, as in the image above.
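As an added example (not the code from this PR), here is what the parameterised lookup in db.go can look like against database/sql, with the concatenated form beside it for contrast. The Querier interface and the SQLDB adapter are assumptions of mine so the function can be exercised without a MySQL server; the bcrypt comparison the PR mentions is left out.

```go
package main

import (
	"database/sql"
	"errors"
)

// Scanner is the one method needed from a result row; *sql.Row provides it.
type Scanner interface{ Scan(dest ...any) error }

// Querier is the slice of *sql.DB that AuthenticateUser uses (assumed interface,
// so the lookup can be exercised without a live MySQL server).
type Querier interface {
	QueryRow(query string, args ...any) Scanner
}

// SQLDB adapts a real *sql.DB, opened with the MySQL driver, to Querier.
type SQLDB struct{ *sql.DB }

func (d SQLDB) QueryRow(q string, args ...any) Scanner { return d.DB.QueryRow(q, args...) }

// Before the fix (illustrative): the username is spliced into the SQL text, so
// a value containing a quote rewrites the statement itself.
func vulnerableAuthQuery(user string) string {
	return "SELECT id, username, password FROM Users WHERE username = '" + user + "'"
}

// After the fix: the SQL text is a constant with a ? placeholder. The username is
// sent as a bound parameter, which the driver never merges into the statement.
const authQuery = "SELECT id, username, password FROM Users WHERE username = ?"

// ErrNotFound is the single generic answer for unknown users and wrong passwords,
// so the endpoint leaks neither which check failed nor any database error text.
var ErrNotFound = errors.New("user not found or wrong password")

type User struct {
	ID           int
	Username     string
	PasswordHash string // bcrypt hash; verify with bcrypt.CompareHashAndPassword
}

// AuthenticateUser looks the user up by name using the parameterised query.
func AuthenticateUser(db Querier, user string) (User, error) {
	var u User
	err := db.QueryRow(authQuery, user).Scan(&u.ID, &u.Username, &u.PasswordHash)
	if errors.Is(err, sql.ErrNoRows) {
		return User{}, ErrNotFound
	}
	return u, err // other errors are returned for logging, never shown to the client
}
```

With a real connection, pass `SQLDB{db}` where `db` is the `*sql.DB` returned by `sql.Open`.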

@vitoriaguidines vitoriaguidines changed the title solucionando SQLi em aplicação copy-n-paste resolving SQLi in copy-n-paste application Jan 17, 2025