Mission 2: Patch the Wormhole

Mission 2 · Wormhole Patch

Seal the Alien SQL Injection Wormhole

HQ intercepted an outdated login endpoint. The syndicate injects the payload `' OR '1'='1` and the database grants every request. Your operation mirrors real incident response: replicate the breach, collect forensic proof, then rebuild the gateway using parameterized defenses.

Work through each stage, execute the wormhole lab, and deliver an evidence pack that satisfies both the red-team verification and blue-team remediation checklists.

Estimated Time: 25 – 35 minutes
Required Skills: SQL, Auth, OWASP A03
Reward Fragment: BRAVO-4M8Q

Deliverables

  • Breach Evidence Packet: Console snapshot with injected SQL, leaked agents, and HQ alarm.
  • Remediation Log: Before/after code excerpts plus notes on how parameter binding neutralizes the payload.
  • Vault Fragment: Unlocked once secure mode blocks the attack and a valid agent succeeds.

⚠️ Threat Intel · Injection Anatomy

The wormhole opens when the payload `' OR '1'='1` is concatenated directly into the login SQL. Because AND binds more tightly than OR, the trailing `OR '1'='1'` stands on its own, so the WHERE clause evaluates to TRUE for every record, granting access to the entire agent roster and any linked missions.

  • Vector: User input stitched into SQL without placeholders.
  • Impact: Authentication bypass, mass data leak, privilege escalation.
  • Indicators: Repeated `'1'='1` signatures and full-table result sets in logs.
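
The two indicators above can be checked mechanically. The following is an added example, not part of the original mission page: a small Python scanner that flags self-comparisons such as `'1'='1` and login queries that return more than one row. The log format (timestamp, `rows=`, `sql=`) and the sample lines are constructed assumptions.

```python
import re

# A quoted literal or a number compared with itself: '1'='1', 'a' = 'a', 1=1
TAUTOLOGY = re.compile(r"'([^']*)'\s*=\s*'\1'|\b(\d+)\s*=\s*\2\b")
# Assumed log layout: "<timestamp> rows=<n> sql="<statement>""
LINE = re.compile(r'rows=(?P<rows>\d+)\s+sql="(?P<sql>.*)"$')

# Constructed sample log; agent names other than GhostWolf are invented.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z rows=1 sql="SELECT * FROM agents WHERE codename='GhostWolf' AND passcode='howl-42'"
2024-05-01T10:00:09Z rows=3 sql="SELECT * FROM agents WHERE codename='GhostWolf' AND passcode='' OR '1'='1'"
2024-05-01T10:00:12Z rows=3 sql="SELECT * FROM agents WHERE codename='IronLynx' AND passcode='' OR '1'='1'"
2024-05-01T10:00:20Z rows=0 sql="SELECT * FROM agents WHERE codename='NightOwl' AND passcode='wrong'"
"""

def scan(log_text, max_login_rows=1):
    """Return [(line_number, [reasons])] for suspicious login queries."""
    findings = []
    for number, line in enumerate(log_text.splitlines(), 1):
        match = LINE.search(line)
        if not match:
            continue  # not a query log line in the assumed format
        reasons = []
        if TAUTOLOGY.search(match["sql"]):
            reasons.append("tautology")
        # A login lookup should match at most one agent.
        if int(match["rows"]) > max_login_rows:
            reasons.append("oversized-result")
        if reasons:
            findings.append((number, reasons))
    return findings

if __name__ == "__main__":
    for number, reasons in scan(SAMPLE_LOG):
        print(f"line {number}: {', '.join(reasons)}")
```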

Real-World Parallels

From the classic XKCD “Little Bobby Tables” strip to the Yahoo breach, SQL injection remains one of the most exploited flaws (OWASP A03). Red teams still rely on this exact payload because legacy apps continue to concatenate strings. Blue teams respond by reproducing the attack, documenting evidence, and rolling out parameterized queries with validation.

Follow the same cadence here: prove the breach exists, capture the telemetry, then neutralize it with secure coding practices.

Recon Objectives

Collect Payload

Highlight where the alien string rewrites the SQL. Screenshot the vulnerable statement.

Measure Blast Radius

Record which rows leak. This becomes your incident impact summary.

Plan Containment

List the code hotspots that must change: query builder, validation, logs.

🛰️ Recon Toolkit

Analysts lean on repeatable payloads and log scrapers to prove how an attack mutates SQL. In this mission the wormhole console provides a live view of the crafted query. Capture the console output and indicator states—they form the evidence bundle for HQ.

SELECT * FROM agents
  WHERE codename = 'GhostWolf'
  AND passcode = '' OR '1'='1';

Recon Checklist

  1. Execute the payload with secure mode off and record the SQL emitted.
  2. Log breach indicator color, HQ transmission, and rows returned.
  3. Reset the console if you need a clean baseline before the lab run.
  4. Prepare questions for engineering: Where does the string concatenation live? Which endpoints reuse it?

Once your recon notes are ready, advance to the wormhole lab to reproduce the exploit live.

💥 Wormhole Lab

Use the console to mimic the attacker and defender workflows. Prime the payload to prove the wormhole is open, then flip to secure mode and demonstrate containment. HQ expects screenshots from both states.

Capture console output, breach indicators, and HQ transmissions from both vulnerable and secure runs. These artifacts become your mission dossier and inform the deployment checklist in the next stage.

🛡️ Secure Coding Playbook

Parameterized queries separate SQL structure from user input. The database engine receives the template first, then binds parameters as data. The payload never merges into the statement, so hostile strings remain harmless text.

Before (Vulnerable)

const query = `SELECT * FROM agents WHERE codename='${codename}' AND passcode='${passcode}'`;

After (Secure)

const query = "SELECT * FROM agents WHERE codename = ? AND passcode = ?";

db.prepare(query).bind([codename, passcode]).all();

Reality check: OWASP ASVS and most compliance baselines demand proof of parameter binding before release.

Secure Deployment Checklist

  1. Run the payload with Secure Mode enabled → expect zero rows.
  2. Authenticate GhostWolf under Secure Mode → expect a single authorized row.
  3. Capture the HQ transmission announcing the vault fragment.
  4. Archive the before/after code snippet for peer review.

Production teams automate these checks after every deploy. When the console reports “GhostWolf cleared,” you’re mirroring those guardrails.
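
One way to automate checklist items 1 and 2 as a post-deploy check is sketched below. This is an added example, not code from the mission console. It uses Python's built-in `sqlite3` with an in-memory database instead of the JavaScript driver in the snippets above, so it runs without dependencies. The table contents, passcodes and function names are assumptions made for the example.

```python
import sqlite3

PAYLOAD = "' OR '1'='1"  # the payload quoted on this page

def make_db():
    # Constructed roster: only GhostWolf is named on the page; the other
    # agents and every passcode are sample values for this example.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE agents (codename TEXT PRIMARY KEY, passcode TEXT)")
    db.executemany("INSERT INTO agents VALUES (?, ?)", [
        ("GhostWolf", "howl-42"), ("IronLynx", "claw-07"), ("NightOwl", "hoot-13")])
    return db

def login_vulnerable(db, codename, passcode):
    # Same shape as the "Before" snippet: input becomes part of the SQL text.
    sql = f"SELECT * FROM agents WHERE codename='{codename}' AND passcode='{passcode}'"
    return db.execute(sql).fetchall()

def login_secure(db, codename, passcode):
    # Same shape as the "After" snippet: fixed template, values bound as data.
    sql = "SELECT * FROM agents WHERE codename = ? AND passcode = ?"
    return db.execute(sql, (codename, passcode)).fetchall()

def run_checklist():
    db = make_db()
    results = {
        "vulnerable_payload_rows": len(login_vulnerable(db, "GhostWolf", PAYLOAD)),
        "secure_payload_rows": len(login_secure(db, "GhostWolf", PAYLOAD)),
        "secure_valid_rows": len(login_secure(db, "GhostWolf", "howl-42")),
        "secure_wrong_passcode_rows": len(login_secure(db, "GhostWolf", "nope")),
    }
    db.close()
    return results

def deploy_gate(results):
    # Checklist items 1 and 2: payload returns zero rows, valid agent exactly one.
    return results["secure_payload_rows"] == 0 and results["secure_valid_rows"] == 1

if __name__ == "__main__":
    r = run_checklist()
    print(r, "PASS" if deploy_gate(r) else "FAIL")
```

The vulnerable count is reported alongside the secure ones so the same run produces the before/after evidence the debrief asks for.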

🛰️ Debrief & Evidence Bundle

  • Breach console output showing the injected SQL and leaked agents.
  • Secure console output proving the payload was neutralized and GhostWolf authenticated.
  • Before/after code snippet documenting the parameterized fix.
  • HQ transmission confirming the vault fragment release.

Package these artifacts into your mission log and share them with the security council before advancing to Mission 3.

Vault Fragment

Unlocks after a secure run blocks the payload and verifies GhostWolf.

Transmit to HQ once recovered.