Login Challenge

It's always good to start by testing the intended behaviour of a system. Try logging in with a random username and password.

Next, its time to think like an attacker - what are things you could do to break it?

Try entering a single quote (') in the username or password field (note: may have to copy-paste it on mobile).

Uh oh! The query returned an error! This is a sign the form might be vulnerable to SQL injection, as data we (the user) have entered has affected the control of the program. The error is coming from us closing off the string with the quote, making the rest of the query invalid. As the program isn't sanitising our inputs, we can modify the sql query to do whatever we want.

How would you get the WHERE condition to always be true? This would match all rows (users) in the table. Then, the website would log you in as the first user - regardless of their username/password.

1=1, '1'='1' etc. all evaluate to true. What if tried to OR this with the rest of the condition?

One way of doing this is entering: ' OR '1'='1 into both the username and password fields. How does this affect the query that gets executed? As a challenge, try to figure out how to get the flag by only inserting into the username field, leaving the password blank.

Another way of dealing with that extra ' is to comment out the rest of the query. In SQL, comments start with --.

We first want to close off the string using a single quote. Next, we want to make the WHERE condition always true to match every user, so we enter OR 1=1. Many SQL implementations require queries to be terminated with a semicolon, so its good practice to include. Finally, we comment out the rest of the query to make it valid - anything after the two hyphens will be ignored. Our final payload (that we enter into the username field) is thus: ' OR 1=1; --