Client-side injections are merely local data injections that can lead to unauthorized access to data within the device. This includes SQL injection and UIWebView injections. Let's look at how it can be exploited.
In this section, we will go ahead and exploit the local SQL injection vulnerability in the iGoat app. Open the app, navigate to Categories, click on Injection Flaws, and then click on Start Exercise. You should be able to view the search bar to read articles, as shown in the following screenshot:
If you search for a
in the search bar, you will be able to see only the free articles, as shown in the following screenshot:
The same feature can be exploited to view all the articles in the database by injecting the malicious SQL query A ' OR 1=1—
, making the statement true, just like the classic web SQL injection. The following screenshot displays all the articles, which involves the premium as well as the local database being disclosed; this is due to...