looks like slutty sally has had a crappy backend dev...

I thought most developers were aware of the dangers of interpolating variables into strings in the context of SQL queries, but apparently some people are oblivious.

`SELECT * FROM USERS WHERE USERNAME = ${username}`

My username is ' ' OR 1=1;

You have to assume mongodb didn't make it that far 😁

!rant but seeking für help

Hi!
So my boss came to me yesterday and asked me if I could do some penetration / security testing for a web application our company made.
Interested in learning it and being familiar with HTML, PHP, JavaScript and MySQL I said yes.
Though I have some really basic knock edge of the subject (E.g SQLInjection) I was wondering if you know any good website / udemy course or whatever that can get me started.
I don't mind if there will be a certificate at the end but it is not necessary.

Thank!

Since I started my routine of checking bug logs every morning, I've had 2 instances where a website vulnerability scanner was run against a production website and generated over 2,000 Coldfusion errors.

At the time, I was super nervous about the apparent hack attempt, and hyped that the attackers never actually got in. It's nice to know that despite the various errors indicating vulnerable / breakable code, they were ultimately unsuccessful. I know now that a determined attacker could probably have wrecked our production websites. Since then I've made a ton of security-related updates and I'm actually thankful for the script kiddie getting my attention with that scan.

PS. We're now building a website for a local security company who is going to work with us to pen test the site when it's finished! Gulp.