BackAisle
Yardlines, an indie streetwear retailer, ships their storefront with the same filter logic they wrote three years ago. The unreleased capsule isn't as private as they think.
The Scenario
Yardlines built their storefront on a long weekend in 2022. The category
filter on the shop page was the kind of throwaway code you write at 2am
with a deadline tomorrow — quick, direct, never revisited. They added a
friends-and-family capsule program in 2024 and bolted a second visibility
rule onto the same code path, figuring nobody could tell that capsule
pieces existed if they weren't on the public grid. The grid is just one
view of the data.
Challenge Intel
Synopsis
Bypass a shop's released-only filter to reveal an unreleased capsule item whose description contains a private SKU string.
What It Is
Yardlines is an indie streetwear brand running a small storefront. The /shop page filters products by category via a URL parameter, with the category value spliced directly into a SQL WHERE clause. A second predicate (released=1) is supposed to hide unreleased capsule runs from public view. Both predicates sit in the same WHERE clause. This is the apprentice-tier SQL injection bug — string concatenation into a SELECT — but framed against a real-feeling D2C storefront rather than an abstract /api/sqli endpoint.
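An added example (not the challenge's own code) of the query shape described above next to a bound-parameter version, using Python's sqlite3. The database engine, the products table, its columns, the function names and the sample rows are assumptions constructed for illustration.

```python
import sqlite3


def make_db():
    # Constructed sample catalogue; table and column names are assumptions.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (name TEXT, category TEXT, released INTEGER)")
    db.executemany("INSERT INTO products VALUES (?, ?, ?)", [
        ("Box Logo Tee", "tees", 1),
        ("Coach Jacket", "outerwear", 1),
        ("Capsule Hoodie", "capsule", 0),  # unreleased, must never be listed
    ])
    return db


def shop_concat(db, category):
    # The pattern the page describes: the category value is spliced into the
    # SQL text, so quotes and comment markers in it become part of the statement
    # and can change or drop the released = 1 predicate that follows.
    sql = "SELECT name FROM products WHERE category = '" + category + "' AND released = 1"
    return [row[0] for row in db.execute(sql)]


def shop_bound(db, category):
    # Hardened form: the value is bound as data, never parsed as SQL, so the
    # released = 1 predicate is evaluated for every request.
    sql = "SELECT name FROM products WHERE category = ? AND released = 1"
    return [row[0] for row in db.execute(sql, (category,))]


# Constructed regression input: a quote, an OR term and a comment marker.
HOSTILE = "x' OR 1=1 --"

if __name__ == "__main__":
    db = make_db()
    print("concat, normal :", shop_concat(db, "tees"))
    print("bound,  normal :", shop_bound(db, "tees"))
    print("concat, hostile:", shop_concat(db, HOSTILE))  # unreleased row leaks
    print("bound,  hostile:", shop_bound(db, HOSTILE))   # no rows
```

Both functions return the same rows for ordinary category values; they differ only when the value contains SQL syntax, which makes the hostile string a useful regression test for the fix.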
Who It's For
Players new to SQL injection who want to see the bug in a realistic e-commerce context.
Skills You'll Practice
- Recognizing string-concatenated SQL in URL parameters
- Using OR / comment-out tricks to bypass additional WHERE-clause predicates
- Reading SQL error messages to identify the database engine
- Translating a SQLi primitive into actual data exfiltration
What You'll Gain
- First-pass SQL injection technique against a realistic storefront filter
- Comfort with the gap between 'I broke the query' and 'I extracted the data I wanted'