June 30, 2026
How a Simple Search Bar Turns Into a Security Nightmare
By Dhruv Kapoor | Aspiring Red Team Operator
We type into search bars every day without thinking twice. But behind that innocent box lies one of the most common entry points for hackers. A poorly coded search bar can expose your entire system — and that's where the nightmare begins.
If you have spent any time around cybersecurity, you have probably heard of injection attacks. Injection vulnerabilities are also listed in the OWASP Top 10. You can read about them here. Injection attacks are highly common, and the rise of vibe coding makes it even worse.
WHAT ARE INJECTION ATTACKS?
Injection attacks are when an attacker uses input fields in the application to inject malicious code in order to gain unauthorized access, escalate privileges, etc. Injection attacks mostly occur when developers miss input validation and sanitization.
It might sound complex at first glance, but it's actually very simple to carry out. Let's take an example.
There is one prerequisite before you can properly understand the example: you must have a basic knowledge of SQL.
EXAMPLE OF INJECTION ATTACK
Let's take the search bar on a site, "insecure-site.domain", which is an e-commerce store. The search bar is meant to list products by category.
The front-end seems simple. In the back-end, when the user enters a category (for our example, "gifts"), the SQL query is generated from the input, such as:
SELECT * FROM PRODUCTS WHERE CATEGORY = 'gifts' AND released = 1
The above query simply shows all the gift products that are released.
If the application is prone to it, we can literally get unauthorized access to all the usernames and passwords registered on the site. This can be done using the "UNION" in SQL.
Hence, we can input something like:
' UNION SELECT username,password FROM users
The ' closes the quoted value in the query that the application builds when the search is submitted from the search bar, so the rest of our input continues that query.
Then we join an extra query, using UNION, to the query that was made by the application. This way, we can inject any query of our choice into the database.
For those who wonder how we can find the name of the table where credentials are stored, there are specific methods for doing so in the different types of SQL.
CONCLUSION
The worst part is that injection attacks are so easy to carry out that even a kid with fundamental knowledge of SQL and the injection vulnerability can carry one out just by using the website. You can estimate the damage from the fact that we could interact directly with the site's database using the site's own search bar. This is just a single type of SQL injection. The injection vulnerability is a river of easy-to-exploit vulnerabilities in different applications. These attacks can be prevented if the developers of the applications use input validation and sanitization for every input field they code. And with the rise of vibe coding, the practice of secure coding is needed all the more.
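The search query from the example, as an added illustration in Python with SQLite (not code from the original article): the concatenated form lets the input become part of the SQL text, while a bound parameter keeps it as data. The schema, sample rows and function names are constructed for this example, and parameter binding is a standard defence shown here in addition to the validation the article recommends.

```python
import sqlite3

# The input quoted in the article, used here only as test data.
ARTICLE_INPUT = "' UNION SELECT username,password FROM users"

def make_db():
    # Constructed sample data; table and column names follow the article's queries.
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (name TEXT, category TEXT, released INTEGER);
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO products VALUES ('Mug', 'gifts', 1), ('Card', 'gifts', 0),
                                    ('Lamp', 'home', 1);
        INSERT INTO users VALUES ('alice', 'constructed-hash');
    """)
    return conn

def build_unsafe_sql(category):
    # Vulnerable pattern: user input is pasted straight into the SQL text.
    return ("SELECT * FROM products WHERE category = '"
            + category + "' AND released = 1")

def search_unsafe(conn, category):
    return conn.execute(build_unsafe_sql(category)).fetchall()

def search_safe(conn, category):
    # Hardened pattern: the SQL text is fixed and the driver binds the value,
    # so quotes and keywords in the input are compared as a plain string.
    sql = "SELECT * FROM products WHERE category = ? AND released = 1"
    return conn.execute(sql, (category,)).fetchall()

def input_reaches_parser(conn, category):
    """True if the input altered the statement instead of being matched as data."""
    try:
        return search_unsafe(conn, category) != search_safe(conn, category)
    except sqlite3.Error:
        # The database tried to parse the input as SQL and rejected the result;
        # a database error triggered by a search term is itself a warning sign.
        return True

if __name__ == "__main__":
    conn = make_db()
    print(search_safe(conn, "gifts"))                  # normal search
    print(search_safe(conn, ARTICLE_INPUT))            # treated as a category name
    print(input_reaches_parser(conn, ARTICLE_INPUT))   # unsafe path parses it as SQL
```
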