Whisper
Whisper Market's online product catalog. The database behind the storefront holds more than just inventory.
The Scenario
Whisper Market prides itself on a fast, searchable product catalog. But their backend stores sensitive configuration data alongside the product listings. Find what they didn't mean to expose.
Challenge Intel
Synopsis
A medium-difficulty SQL injection lab against an online catalog whose database stores more than product data.
What It Is
Whisper Market's public storefront runs on a database that was treated as a general-purpose dumping ground during early development. The catalog-facing query layer is flexible enough to reach beyond inventory if pressed. This is a practical SQLi exercise in turning a harmless-looking search into full database reconnaissance.
Who It's For
Intermediate testers who want to practise pivoting from a product catalog into the broader schema.
Skills You'll Practice
- In-band SQL injection against search features
- Schema enumeration beyond the obvious tables
- Pivoting from product data to sensitive records
- Recognising shared-database anti-patterns
- Iterative payload refinement
What You'll Gain
- Experience turning routine catalog queries into schema tours
- Insight into why over-sharing a database amplifies SQLi impact
- Stronger instincts for when to keep digging past the first leak
- A reusable workflow for storefront SQLi engagements