/Code Review/SQL Injection in ORDER BY

SQL Injection in ORDER BY

Dynamic column sorting vulnerable to SQL injection through ORDER BY clause.

HIGHMedium

Vulnerable Codepython

1def get_products(sort_by='name'):
2    query = f"SELECT * FROM products ORDER BY {sort_by}"
3    cursor.execute(query)
4    return cursor.fetchall()

Understanding the Issue

ORDER BY clauses cannot use parameterized queries for column names. Whitelisting allowed column names is the only safe approach.

Boolean-based Blind SQLi

Attacker extracts data by observing result ordering

Malicious Input

sort_by=(CASE WHEN (SELECT SUBSTRING(password,1,1) FROM users WHERE username='admin')='a' THEN name ELSE price END)

Impact

If password starts with 'a': sorted by name
If not: sorted by price

✓ Attacker iterates through characters
✓ Extracts full password from ordering behavior

Technical Details

Vulnerability Type: SQL Injection
Severity: HIGH
Language: Python
CWE: CWE-89
OWASP: A03:2021 - Injection

SQL Injection in ORDER BY

Understanding the Issue

How Attackers Exploit This

Boolean-based Blind SQLi

Finding the Vulnerability(3 hints)

Technical Details

SQL Injection in ORDER BY

Understanding the Issue

How Attackers Exploit This

Boolean-based Blind SQLi

Finding the Vulnerability(3 hints)

Technical Details