SQL Injection — Account Lookup Tampering

Hands-on simulation · CompTIA Security+ SY0-701 · 2.3 Web-based vulnerabilities · 2.4 Application attacks


Pinebrook Savings — Teller Account Lookup

Internal tool. The lookup field is concatenated straight into a SQL query (the flaw you are assessing). Authorized sandbox only.

Tip: a normal lookup uses just your account number. To test the flaw, try appending a condition that is always true.

Query template (the lookup value is spliced in where the blank is, with no quoting, validation or parameterization):

SELECT account_no, holder, balance, status FROM accounts WHERE account_no = ;
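The following is an added example, not code from the simulation page: it builds a small in-memory SQLite copy of the accounts table with constructed sample rows, implements the flawed lookup exactly as the template above describes (the value spliced into the query string), and places it beside two fixes a reviewer would ask for: a parameterized query, and numeric validation of the account number in front of it. The table layout, sample rows and function names are assumptions for the demo.

```python
import sqlite3

# Constructed sample rows for the sandbox; no real account data.
SAMPLE_ACCOUNTS = [
    (1001, "Teller Test A", 250.00, "open"),
    (1002, "Teller Test B", 7300.50, "open"),
    (1003, "Teller Test C", 12.75, "frozen"),
]


def make_db():
    """Return an in-memory SQLite database holding the constructed accounts table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts "
        "(account_no INTEGER, holder TEXT, balance REAL, status TEXT)"
    )
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?, ?)", SAMPLE_ACCOUNTS)
    return conn


def lookup_vulnerable(conn, user_input):
    """The flaw on the page: the lookup field is concatenated straight into the SQL text.

    Whatever the teller types becomes part of the statement the database parses,
    so an appended always-true condition widens the WHERE clause to every row.
    """
    sql = (
        "SELECT account_no, holder, balance, status "
        f"FROM accounts WHERE account_no = {user_input};"
    )
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, user_input):
    """Fix 1: a bound parameter.

    The statement text is fixed; the driver passes the value separately, so it is
    compared as data and never parsed as SQL. A tampered value simply matches nothing.
    """
    sql = (
        "SELECT account_no, holder, balance, status "
        "FROM accounts WHERE account_no = ?;"
    )
    return conn.execute(sql, (user_input,)).fetchall()


def lookup_validated(conn, user_input):
    """Fix 2 (defence in depth): an account number is digits only; reject anything else.

    Rejecting malformed input early also gives the application a clean place to log
    tampering attempts, which is what a detection rule for this tool would key on.
    """
    if not isinstance(user_input, str) or not user_input.isdigit():
        raise ValueError("account number must be numeric")
    return lookup_parameterized(conn, int(user_input))


if __name__ == "__main__":
    db = make_db()
    normal = "1002"
    tampered = "1002 OR 1=1"  # the always-true condition the page's tip refers to
    print("vulnerable, normal input:   ", lookup_vulnerable(db, normal))
    print("vulnerable, tampered input: ", lookup_vulnerable(db, tampered))
    print("parameterized, tampered:    ", lookup_parameterized(db, tampered))
    try:
        lookup_validated(db, tampered)
    except ValueError as err:
        print("validated, tampered:         rejected ->", err)
```

Running the script shows the three behaviours side by side: the flawed lookup returns one row for a normal account number and all three rows for the tampered value, the parameterized lookup returns no rows for the tampered value, and the validated lookup refuses it before any query runs.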
