Cybersecurity Log
CTF writeups, vulnerability mitigations, networking reviews, and a live terminal console.
Interactive Diagnostics Terminal
guest@kcv-security-ops:~
Security & CTF Logs
Writeups on vulnerability exploitation, secure coding, and linux server logs.
Overcoming CTF challenge: SQL Injection in Login Page
2026-07-02•CTF Writeup
Diff: Easy
A guide on exploiting and securing a simple bypass-auth SQL injection vulnerability in a testing framework.
### Vulnerability Analysis
The target application used a standard query builder that directly concatenated user inputs:
```sql
SELECT * FROM users WHERE username = 'user_input' AND password = 'pass_input';
```
### Exploit Code
By inputting `admin' --` in the username field, the query resolves to:
```sql
SELECT * FROM users WHERE username = 'admin' --' AND password = '...';
```
The SQL comment parser ignores the password check, allowing login bypass.
### Mitigation
Always use parameterized inputs:
```typescript
const query = 'SELECT * FROM users WHERE username = ? AND password = ?';
db.execute(query, [username, password]);
```
Or implement standard ORM tools like Prisma or Drizzle.
Securing Next.js APIs: Rate Limiting & JWT Practices
2026-07-08•Notes
Diff: Medium
How to protect Next.js routes from brute-force attempts and securely store session payloads.
### API Protection Guide
Next.js server actions and API routes can be easily overloaded. To prevent abuse:
1. **Implement Upstash or Redis rate-limiting** on public API routes.
2. **Never store JWTs in local storage**; use secure, HTTP-only, SameSite=Strict cookies to defend against Cross-Site Scripting (XSS).
3. **Validate inputs using Zod schemas** before handling data queries.