While it's probable he found some issue with permissions in the queries, stumbling on SQL injection is easier than you'd think. For a very short period I used a completely random (any ASCII character) password generator for websites, but I quickly realised that the ' and " characters were breaking the vast majority of sites I logged in to. Plaintext passwords in a database without escaping; about the worst password storage you can get.
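Added example, not part of the comment above: a small Python/sqlite3 sketch of the failure described there, where a quote character in a password breaks a site that pastes plaintext passwords into SQL text, beside a parameterized, salted-hash version. The table names, function names, work factor and sample password are constructed for illustration.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 600_000  # illustrative PBKDF2 work factor (assumption)
SAMPLE_PASSWORD = "k3'Z\"q)x"  # constructed random-style password containing ' and "

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE weak (name TEXT PRIMARY KEY, password TEXT)")
    db.execute("CREATE TABLE strong (name TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    return db

def weak_register(db, name, password):
    # Weak pattern: input concatenated into the SQL text, password stored in plaintext.
    db.execute(f"INSERT INTO weak VALUES ('{name}', '{password}')")

def weak_login(db, name, password):
    row = db.execute(
        f"SELECT 1 FROM weak WHERE name = '{name}' AND password = '{password}'"
    ).fetchone()
    return row is not None

def _derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def strong_register(db, name, password):
    # Hardened pattern: bound parameters, and only a salted hash reaches the database.
    salt = os.urandom(16)
    db.execute("INSERT INTO strong VALUES (?, ?, ?)", (name, salt, _derive(password, salt)))

def strong_login(db, name, password):
    row = db.execute("SELECT salt, pw_hash FROM strong WHERE name = ?", (name,)).fetchone()
    return row is not None and hmac.compare_digest(row[1], _derive(password, row[0]))

def site_breaks(db, password):
    """Return True if the weak registration path raises a SQL error for this password."""
    try:
        weak_register(db, "u_" + os.urandom(4).hex(), password)
        return False
    except sqlite3.Error:
        return True
```

A SQL error on a password containing a quote is the visible symptom; the hashed, parameterized path never lets the password text reach the SQL parser.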