In 2017, someone noticed a strange error on a large online store's website: when he typed a single quote (') into the search field, the site responded with a technical error page mentioning a "syntax error".
Within 30 minutes he had the entire database: a million user emails and passwords. Within 2 hours that data was for sale on the darknet for $5000.
The attack is called SQL injection (SQLi). It is one of the oldest web vulnerabilities and still one of the most widely exploited, and it is usually the first one a pentester learns.
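Why a lone single quote produces a "syntax error", and why that error is the tell-tale sign in the story, is easiest to see in code. The example below is added here for this lesson and is not taken from the story or from any real site: it builds a tiny in-memory SQLite table with constructed sample rows, shows a search function that concatenates user input into the query (the `'` probe breaks the statement, `' OR '1'='1` returns every row, and a `UNION` against `sqlite_master` reveals the schema, the first step toward dumping the database), and then shows the same search written with a parameterized query, where the identical payloads are treated as plain text. The function names (`search_vulnerable`, `search_safe`, `probe`) and the sample data are assumptions made for the demo.

```python
import sqlite3

# Constructed sample data for the demo; not real users.
USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]


def make_db() -> sqlite3.Connection:
    """In-memory SQLite database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str) -> list:
    """Vulnerable: the search term is pasted straight into the SQL text,
    so quotes and keywords in it are parsed as part of the query."""
    sql = "SELECT name, email FROM users WHERE name = '" + term + "'"
    return conn.execute(sql).fetchall()


def search_safe(conn: sqlite3.Connection, term: str) -> list:
    """Hardened: a parameterized query. The driver sends `term` as a value
    bound to the placeholder, so it can never change the query's structure."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (term,)).fetchall()


def probe(conn: sqlite3.Connection, term: str) -> str:
    """The check from the story: send the term through the vulnerable search
    and report whether the database choked on it. A syntax error coming back
    from the database means the input reached the query text unescaped."""
    try:
        search_vulnerable(conn, term)
        return "no error"
    except sqlite3.OperationalError as exc:
        return f"syntax error: {exc}"


# Payloads used below (constructed for the demo).
PROBE_QUOTE = "'"                          # WHERE name = '''   -> unterminated literal
BYPASS_ALL = "' OR '1'='1"                 # WHERE name = '' OR '1'='1'  -> every row
SCHEMA_DUMP = "' UNION SELECT name, sql FROM sqlite_master --"  # reads the schema


if __name__ == "__main__":
    db = make_db()
    print("probe 'alice' :", probe(db, "alice"))
    print("probe \"'\"    :", probe(db, PROBE_QUOTE))
    print("vulnerable, bypass payload:", search_vulnerable(db, BYPASS_ALL))
    print("vulnerable, schema payload:", search_vulnerable(db, SCHEMA_DUMP))
    print("safe, bypass payload      :", search_safe(db, BYPASS_ALL))
    print("safe, schema payload      :", search_safe(db, SCHEMA_DUMP))
```

Two details worth noticing when running it: the error text for the quote probe comes from the database engine, not the application, which is exactly what leaks through to the user in a badly configured site; and `search_safe` does not escape anything itself, it simply never lets the input become part of the SQL text, which is why parameterization is the fix rather than quote-stripping.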
This lesson covers the idea: what SQL injection is, how it is exploited, and how to defend against it, followed by required hands-on practice on a deliberately vulnerable website.