Chapter 3

Injection & SSRF

SQL injection, command injection, and the URL trap.

~17 min total · 2 lessons · Assignment

By the end of this chapter you'll be able to

  • Recognise dangerous string-concat patterns
  • Use the safefetch package for any URL the user controls

Chapter assignment

Try to break your own API

Use curl to attempt SQL injection on your search endpoints, and SSRF on any URL-fetching endpoint (e.g., webhook validation, OG-image preview). Document each attempt and the response it produced. Add safefetch wherever it is missing.


Lesson 1 takes ~8 min.

