A guestbook once got sprayed with SQL injections, XSS payloads, and a few hundred messages calling one Arshdeep Singh a LARPER. Every single one of them did nothing. This is a museum of that nothing. The tables did not drop.
'; DROP TABLE guestbook; --
The query was parameterized, so this arrived as a string, not a command. It was stored as a normal guestbook message and admired.
THREADLOCKED FLAVOUR — ABSOLUTE DOMINATION | '; SELECT pg_sleep(10); --
Trying to make the database hang for 10 seconds to confirm an injection point. The database did not hang. It did not even notice.
' OR 1=1; SELECT threadlocked
A classic. Unfortunately there is no login on a guestbook, so there was nothing to log into. 1 does, in fact, equal 1.
<img src=x onerror="window.__xss_hit=(window.__xss_hit||0)+1"> <script>window.__xss_script=1</script>
React escapes the strings it renders as text, so this showed up on the page as the literal characters you see above. No image errored. No script ran. window.__xss_hit remains undefined to this day.
ARSHDEEP SINGH FUCKING LARPER 122
FUCKER LARPER ARSHDEEP MOTHERFUCKER WE WILL FIND U 122
ARSHDEEP SINGH FUCKING LARPER 121
... (see also: 120, 119, 118, 117, 116, 115)
One hundred and twenty-two numbered variations of the same accusation. Automated, sequential, committed. The larper was, in fact, found — he was right here the whole time, reading the logs.
Row-level security on every table. Parameterized queries (the payload is always data, never code). Output escaped by default. A spam filter, a Cloudflare Turnstile check, and every attempt logged with its IP and user-agent. None of it was clever. It just wasn’t left open. Regards to the threadlocked webring. hi nisarga (allegedly 👀).