2. SQL injection vulnerability allowing login bypass

We can bypass the password check on the /login page's POST handler because of a SQL injection
vulnerability in the server's backend code. The username and password parameters of the POST request
are neither escaped nor parameterised: they are concatenated directly into the SQL query that looks
up a row matching both the submitted username and the submitted password. By ending the username
value with a single quote (') we close the string literal early, and by following it with the SQL
comment sequence -- we turn the remainder of the query, including the AND password = '...' condition,
into a comment.

The database therefore evaluates only the username condition and ignores the password parameter
entirely, so an attacker can log in as any existing user whose username they know, without knowing
that user's password.
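The following is an added illustration of the flaw described above and of the parameterised fix; it is not code from the target application, whose backend language and schema are not shown. The in-memory SQLite table, the user names, the passwords and the function names (vulnerable_login, safe_login, bypass_payload) are constructed for the example. SQLite accepts -- as a comment with no trailing space; on MySQL the same payload needs a space after -- (e.g. "admin' -- ") to be treated as a comment.

```python
import sqlite3


def make_db():
    """Constructed in-memory user table for the demonstration (not the real app's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse-battery')")
    conn.execute("INSERT INTO users VALUES ('alice', 'hunter2')")
    conn.commit()
    return conn


def vulnerable_login(conn, username, password):
    """Mirrors the flaw described above: both request parameters are spliced into
    the query text, so whoever controls them controls the SQL.  Returns the
    username of the matched row, or None when the login fails."""
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def safe_login(conn, username, password):
    """Hardened form: placeholders hand the values to the driver as data, so a
    quote or comment sequence in the input can never change the query's shape."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def bypass_payload(target_user):
    """Build the username value from the write-up: the quote closes the string
    literal, and -- comments out the rest of the query (the password check).
    Assumed SQLite comment syntax; MySQL needs a space after the -- ."""
    return target_user + "' --"


if __name__ == "__main__":
    db = make_db()
    # Wrong password is rejected by both handlers...
    print("vulnerable, wrong pw :", vulnerable_login(db, "admin", "wrong"))
    print("safe, wrong pw       :", safe_login(db, "admin", "wrong"))
    # ...but the injected username bypasses only the vulnerable one.
    print("vulnerable, injected :", vulnerable_login(db, bypass_payload("admin"), "wrong"))
    print("safe, injected       :", safe_login(db, bypass_payload("admin"), "wrong"))
```

Running the script shows the injected username returning "admin" from vulnerable_login while safe_login returns None for the same input. Parameterisation closes the injection; a complete fix would also stop comparing plaintext passwords inside the WHERE clause and instead fetch the stored password hash for the username and verify it in application code.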


Solution