This writeup walks through a SQL injection in the product search feature of the oss-oopssec-store, an intentionally vulnerable e-commerce app for learning web security. The lab is built with Next.js and Prisma, so you might assume the ORM shields you from SQLi by default, and it mostly does, until someone reaches for `$queryRawUnsafe` and drops user input straight into a raw query. That's exactly what happens here. The search input gets interpolated into the SQL string with no sanitization, so you can manipulate the query to pull data from other tables and grab the flag.

## Table of contents

- Lab setup
- Feature overview and attack surface
- Exploitation procedure
- Vulnerable code analysis
- Remediation

## Lab setup

Spin up the lab locally:

```bash
npx create-oss-store oss-store
cd oss-store
npm run dev
```

Or with Docker (no Node.js required):

```bash
docker run -p 3000:3000 leogra/oss-oopssec-store
```

The app runs at http://localhost:3000. …
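To make the `$queryRawUnsafe` point concrete before getting into the lab, here is an added illustration (not code from the oss-oopssec-store project) of what the database actually receives in the vulnerable pattern versus the parameterized one. Prisma's `$queryRawUnsafe(string)` sends the string verbatim, while its tagged template `$queryRaw` turns every `${value}` into a bound parameter. The `sql` tag below is a small stand-in written for this example so it runs offline without Prisma or a database; the `"Product"` table name and the `name`/`price` columns are assumptions, not the lab's real schema. The sample input is a constructed, legitimate product name containing an apostrophe, which is enough to show why splicing input into SQL text breaks the query's structure.

```javascript
// Added example (not the lab's own code): vulnerable string interpolation
// beside the parameterized form, plus a small check on the resulting SQL text.

// Stand-in for Prisma's $queryRaw tagged template (assumption: not Prisma's code).
// Rebuilds the query text with positional placeholders ($1, $2, ...) and keeps
// the interpolated values separately, the way a parameterized driver does.
function sql(strings, ...values) {
  let text = strings[0];
  values.forEach((_, i) => {
    text += `$${i + 1}` + strings[i + 1];
  });
  return { text, params: values };
}

// Vulnerable pattern: the search term is concatenated into the SQL string,
// which is exactly what gets handed to $queryRawUnsafe.
function buildUnsafeSearch(term) {
  return `SELECT id, name, price FROM "Product" WHERE name LIKE '%${term}%'`;
}

// Safe pattern: the search term travels as a parameter and never becomes SQL syntax.
function buildSafeSearch(term) {
  return sql`SELECT id, name, price FROM "Product" WHERE name LIKE ${'%' + term + '%'}`;
}

// Defensive signal: count single quotes in the final SQL text. An odd count
// means user input terminated the string literal, the condition injection relies on.
function hasUnbalancedQuotes(text) {
  const count = (text.match(/'/g) || []).length;
  return count % 2 === 1;
}

// Constructed sample input: a legitimate product name with an apostrophe.
const sample = "O'Reilly";

const unsafe = buildUnsafeSearch(sample);
const safe = buildSafeSearch(sample);

console.log(unsafe);                          // ... LIKE '%O'Reilly%'  (literal broken)
console.log(hasUnbalancedQuotes(unsafe));     // true
console.log(safe.text);                       // ... LIKE $1
console.log(safe.params);                     // [ "%O'Reilly%" ]
console.log(hasUnbalancedQuotes(safe.text));  // false
```

The odd-quote check is only a demonstration of why the unsafe form is fragile; the real fix is the parameterized query, where the apostrophe (or anything else) stays inside the bound value and the SQL text the database parses is fixed at development time.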