SQL Injection in alexedwards/scs


Reported on May 24th 2022


A SQL Injection in rqlite store

Proof of Concept

Use the example code:

package main

import (
    "io"
    "log"
    "net/http"

    "github.com/alexedwards/scs/rqlitestore"
    "github.com/alexedwards/scs/v2"
    "github.com/rqlite/gorqlite"
)

var sessionManager *scs.SessionManager

func main() {
    // Establish connection to rqlite.
    conn, err := gorqlite.Open("http://localhost:4001/")
    if err != nil {
        log.Fatal(err)
    }
    defer conn.Close()

    // Initialize a new session manager and configure it to use rqlitestore as the session store.
    sessionManager = scs.New()
    sessionManager.Store = rqlitestore.New(conn)

    mux := http.NewServeMux()
    mux.HandleFunc("/put", putHandler)
    mux.HandleFunc("/get", getHandler)

    http.ListenAndServe(":4000", sessionManager.LoadAndSave(mux))
}

// putHandler stores a value in the session.
func putHandler(w http.ResponseWriter, r *http.Request) {
    sessionManager.Put(r.Context(), "message", "Hello from a session!")
}

// getHandler reads the value back; the session is loaded from the store using the cookie token.
func getHandler(w http.ResponseWriter, r *http.Request) {
    msg := sessionManager.GetString(r.Context(), "message")
    io.WriteString(w, msg)
}

Use ' or '1'='1 as the token, then access /get. A debug view looks like this:


Extract data or log in as admin (the basic impact of any SQL injection, made more severe because it happens in session middleware).
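
An added illustration (not code from the report or from the scs project) of why the token ' or '1'='1 changes the query when a store splices the cookie value into SQL text, and why binding it as a parameter does not. The `stmt` type, the lookup query and the helper names are assumptions made for this example.

```go
package main

import "fmt"

// stmt is a hypothetical stand-in for a driver's parameterized statement.
type stmt struct {
	Query string        // SQL text
	Args  []interface{} // values bound to ? placeholders
}

// Assumed lookup query for illustration; not copied from rqlitestore.
const lookup = "SELECT data FROM sessions WHERE token = "

// unsafeFind splices the cookie value into the SQL text.
func unsafeFind(token string) stmt { return stmt{Query: lookup + "'" + token + "'"} }

// safeFind keeps the SQL text fixed and binds the token as a value.
func safeFind(token string) stmt { return stmt{Query: lookup + "?", Args: []interface{}{token}} }

// shape replaces each single-quoted literal with ? so queries compare by structure.
func shape(q string) string {
	b := make([]byte, 0, len(q))
	for i := 0; i < len(q); i++ {
		if q[i] != '\'' {
			b = append(b, q[i])
			continue
		}
		for i++; i < len(q); i++ {
			if q[i] != '\'' {
				continue
			}
			if i+1 == len(q) || q[i+1] != '\'' {
				break // closing quote
			}
			i++ // '' is an escaped quote inside the literal
		}
		b = append(b, '?')
	}
	return string(b)
}

// injected reports whether token altered the statement structure.
func injected(build func(string) stmt, token string) bool {
	return shape(build(token).Query) != shape(build("x").Query)
}

func main() {
	p := "' or '1'='1" // token value from the report
	fmt.Println(shape(unsafeFind(p).Query), injected(unsafeFind, p), injected(safeFind, p))
}
```

With the spliced form the WHERE clause gains an extra `or` condition that is always true, so the lookup no longer depends on knowing a valid token; with the bound form the SQL text is identical for every token.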

We are processing your report and will contact the alexedwards/scs team within 24 hours. 2 years ago
cokebeer modified the report 2 years ago
We have contacted a member of the alexedwards/scs team and are waiting to hear back 2 years ago
We have sent a follow up to the alexedwards/scs team. We will try again in 4 days. 2 years ago
Alex Edwards validated this vulnerability 2 years ago
cokebeer has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Alex Edwards marked this as fixed in d93ace5be94bc476d79a2b818ae6579fa76e5a59 with commit d93ace 2 years ago
The fix bounty has been dropped