Wireshark Display Filter — Find the SQLi Attempts

Medium Network Forensics · 25 min

Scenario

A SOC analyst has 4 GB of pcap from a web edge tap. They need to isolate HTTP GET requests whose URI contains the substring ' OR '1'='1 (classic SQLi tautology). Write the exact Wireshark display filter.

Constraints

  • Filter must use Wireshark's display-filter syntax (not BPF / capture-filter syntax).
  • Filter must match the request URI specifically — not just any payload containing the string.
  • Filter must be case-sensitive on the string (Wireshark's matches operator is case-sensitive).

Answer format

Submit the filter text exactly, no surrounding quotes:

http.request.uri contains "' OR '1'='1"

(That IS the answer — submit it verbatim.)

Hints

Hint 1 (−10 pts)

The Wireshark dissector field for the HTTP request URI is http.request.uri. The substring-match operator is `contains`.

Hint 2 (−10 pts)

Syntax: <field> contains "<string>". The string must be quoted; special characters inside the quotes are literal.

Hint 3 (−10 pts)

Answer: http.request.uri contains "' OR '1'='1"
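
Added example, not part of the lab: on a 4 GB capture the same display filter can be run in batch with tshark and the hits summarized per source address. The `http.request.method == "GET"` clause mirrors the scenario's GET wording and is not part of the answer to submit; the capture path is a hypothetical argument supplied by the analyst.

```shell
#!/bin/sh
# Batch triage with tshark using the lab's display filter (added example).

# Print the display filter. The quoted heredoc keeps the embedded ' and "
# characters literal, so no shell escaping of the filter text is needed.
sqli_filter() {
  cat <<'EOF'
http.request.method == "GET" && http.request.uri contains "' OR '1'='1"
EOF
}

# List matching requests as tab-separated: frame number, source IP, URI.
# $1 is the capture file (hypothetical path, e.g. edge-tap.pcap).
sqli_hits() {
  tshark -r "$1" -Y "$(sqli_filter)" \
    -T fields -e frame.number -e ip.src -e http.request.uri
}

# Read sqli_hits output on stdin and print "count source-ip", busiest first.
top_sources() {
  cut -f2 | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Run only when a capture path is given: ./triage.sh edge-tap.pcap
if [ -n "${1:-}" ]; then
  sqli_hits "$1" | top_sources
fi
```

The frame numbers in the `sqli_hits` output can be pasted back into Wireshark as `frame.number == N` to inspect a specific request.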

Lab environment · sandboxed iframe · auto-resets every 60 min