Yesterday, an old friend sent me an Instagram DM asking me for help with a contest. The "custom link" was a bit weird, as it didn't have any path or URL params, and when I accessed it I confirmed it was phishing, as there was a fake Instagram login there.
Thread of how I hacked it👇
Just for fun, I submitted a blind XSS payload, but I got something way better in the response. The error revealed this request was vulnerable to SQL injection, as special chars were not being escaped; hence it was possible to modify the query being executed.
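The class of flaw described above, as an added example that is not code from the site in the thread or from its author: a hypothetical form handler that splices input into the SQL text and echoes the database error, beside a parameterized version that returns a generic error. SQLite, the table name, the function names and the sample input are all assumptions made for illustration.

```python
import sqlite3


def make_db():
    """In-memory database with a hypothetical table for submitted form fields."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE submissions (username TEXT, password TEXT)")
    return db


def store_concatenated(db, username, password):
    """Flawed handler: input becomes part of the SQL text, and the raw
    database error (plus the query) is returned to the client."""
    sql = f"INSERT INTO submissions VALUES ('{username}', '{password}')"
    try:
        db.execute(sql)
        return 200, "ok"
    except sqlite3.Error as exc:
        return 500, f"SQL error: {exc} in query: {sql}"


def store_parameterized(db, username, password):
    """Hardened handler: values are bound as parameters, so quotes stay data.
    Errors are kept server-side and the client sees a generic message."""
    try:
        db.execute("INSERT INTO submissions VALUES (?, ?)", (username, password))
        return 200, "ok"
    except sqlite3.Error:
        return 500, "internal error"


def stored_rows(db):
    return db.execute("SELECT username, password FROM submissions").fetchall()


if __name__ == "__main__":
    # Constructed input: an ordinary value that happens to contain a quote.
    name, pw = "O'Brien", "pw"

    weak = make_db()
    print(store_concatenated(weak, name, pw))   # 500 with the parser error echoed
    print(stored_rows(weak))                    # nothing stored

    safe = make_db()
    print(store_parameterized(safe, name, pw))  # 200
    print(stored_rows(safe))                    # the value stored verbatim
```

A single unescaped quote is enough to change how the first query parses, and the echoed error is what tells a visitor so; binding parameters removes the first problem and generic error responses remove the second.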