
Question



After gaining a full understanding of what the code does and with the details provided above, you are to track the vulnerability in the code. You have to figure out what might be the possible flaws in the code that an attacker might take advantage of (you have to start thinking like a hacker!). Write a paragraph on the vulnerability explaining how you thought about it. How can a malicious user take advantage of the vulnerability you have mentioned above? Be very concise here as well. Be sure to mention your chain of thoughts while analyzing the code which led to the specific conclusion by you about the vulnerability.

package org.owasp.webgoat.lessons;

import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;

import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer;
import org.apache.ecs.html.Input;
import org.apache.ecs.html.P;
import org.owasp.webgoat.session.DatabaseUtilities;
import org.owasp.webgoat.session.ECSFactory;
import org.owasp.webgoat.session.WebSession;

/***************************************************************************************************
 * This is a Java class that performs a certain utility.
 * To reduce code size some of the methods and source code of higher classes/dependencies have been deleted.
 * Most methods used here are self explanatory.
 ***************************************************************************************************/
public class BlindSqlInjection extends LessonAdapter
{
    private final static String ACCT_NUM = "account_number";

    protected Element createContent(WebSession s)
    {
        ElementContainer ec = new ElementContainer();

        try
        {
            Connection connection = DatabaseUtilities.getConnection(s);

            ec.addElement(new P().addElement("Enter your Account Number: "));

            // Raw request parameter, echoed back into the form unchanged
            String accountNumber = s.getParser().getRawParameter(ACCT_NUM, "");
            Input input = new Input(Input.TEXT, ACCT_NUM, accountNumber.toString());
            ec.addElement(input);

            Element b = ECSFactory.makeButton("Go!");
            ec.addElement(b);

            // user_data : userid user_name SSN
            // The request parameter is concatenated straight into the SQL text
            String query = "SELECT * FROM user_data WHERE userid = " + accountNumber;

            try
            {
                Statement answer_statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,
                                                                         ResultSet.CONCUR_READ_ONLY);
                Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,
                                                                  ResultSet.CONCUR_READ_ONLY);
                ResultSet results = statement.executeQuery(query);

                // Only a yes/no outcome is shown; no row data or SQL error text is echoed
                if ((results != null) && (results.first() == true))
                {
                    ec.addElement(new P().addElement("Account number is valid"));
                }
                else
                {
                    ec.addElement(new P().addElement("Invalid account number"));
                }
            }
            catch (SQLException sqle)
            {
                ec.addElement(new P().addElement("An error occurred, please try again."));
            }
        }
        catch (Exception e)
        {
            s.setMessage("Error generating " + this.getClass().getName());
            e.printStackTrace();
        }

        return (ec);
    }

    public void handleRequest(WebSession s)
    {
        try
        {
            super.handleRequest(s);
        }
        catch (Exception e)
        {
            // System.out.println("Exception caught: " + e);
            e.printStackTrace(System.out);
        }
    }
}
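For contrast with the concatenated query in createContent, here is an added example (not WebGoat's code) of the same account lookup written with a bound parameter and a digits-only check; the AccountLookup class, its method names and the QUERY constant are assumptions, only the user_data table and userid column come from the lesson.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

/**
 * Hardened counterpart to the lesson's lookup (added example, not WebGoat code).
 * The SQL text is fixed at compile time; the account number travels to the
 * database as a typed bind value, so it is never parsed as part of the query.
 */
public class AccountLookup {

    // Same table and column as the lesson; the '?' is the only thing the user controls
    private static final String QUERY = "SELECT userid FROM user_data WHERE userid = ?";

    /** Accepts only a non-empty string of 1 to 18 digits (fits in a long). */
    static boolean isWellFormedAccountNumber(String raw) {
        return raw != null && raw.matches("\\d{1,18}");
    }

    /**
     * Returns true when the account exists, false otherwise, with the same
     * valid/invalid outcome as the lesson but no string concatenation.
     * Malformed input is rejected before any statement reaches the database.
     */
    static boolean accountExists(Connection connection, String raw) throws SQLException {
        if (!isWellFormedAccountNumber(raw)) {
            return false;   // treat junk as "no such account"; do not query
        }
        try (PreparedStatement ps = connection.prepareStatement(QUERY)) {
            ps.setLong(1, Long.parseLong(raw));   // typed bind, not part of the SQL text
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }
}
```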
