...
Suppose a system authenticates users by issuing the following query to a SQL database. If the query returns any results, authentication succeeds; otherwise, authentication fails.
```sql
SELECT * FROM db_user WHERE username='<USERNAME>' AND password='<PASSWORD>'
```
Suppose an attacker can substitute arbitrary strings for <USERNAME> and <PASSWORD>. In that case, the authentication mechanism can be bypassed by supplying the following <USERNAME> with an arbitrary password:
```
validuser' OR '1'='1
```
The authentication routine dynamically constructs the following query:
```sql
SELECT * FROM db_user WHERE username='validuser' OR '1'='1' AND password='<PASSWORD>'
```
...
Similarly, an attacker could supply the following string for <PASSWORD> with an arbitrary username:
```
' OR '1'='1
```
producing the following query:
```sql
SELECT * FROM db_user WHERE username='<USERNAME>' AND password='' OR '1'='1'
```
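The two bypasses above, run against a constructed in-memory SQLite table standing in for `db_user`, with the string-substituted query beside a parameterized version of the same query. This is an added example, not code from the original page; the table contents and the `auth_concat`/`auth_param` names are assumptions.

```python
import sqlite3


def make_db():
    """Constructed sample data: one valid account in a db_user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE db_user (username TEXT, password TEXT)")
    conn.execute("INSERT INTO db_user VALUES ('validuser', 'correct horse')")
    conn.commit()
    return conn


def auth_concat(conn, username, password):
    """Vulnerable form: the page's query built by substituting raw input.

    Whatever the caller passes is parsed as SQL, so a quote in the input
    changes the WHERE clause itself.  Returns True if any row matches.
    """
    query = (f"SELECT * FROM db_user WHERE username='{username}' AND "
             f"password='{password}'")
    return len(conn.execute(query).fetchall()) > 0


def auth_param(conn, username, password):
    """Hardened form: the same query with bind parameters.

    The driver sends the values separately from the statement text, so a
    quote or OR in the input is compared as data, never parsed as SQL.
    """
    query = "SELECT * FROM db_user WHERE username=? AND password=?"
    return len(conn.execute(query, (username, password)).fetchall()) > 0


if __name__ == "__main__":
    db = make_db()
    # The page's username payload with an arbitrary password.
    print("concat, username payload :", auth_concat(db, "validuser' OR '1'='1", "x"))
    print("param,  username payload :", auth_param(db, "validuser' OR '1'='1", "x"))
    # The page's password payload with an arbitrary username.
    print("concat, password payload :", auth_concat(db, "nobody", "' OR '1'='1"))
    print("param,  password payload :", auth_param(db, "nobody", "' OR '1'='1"))
```

Note that in the username case the concatenated query still relies on `validuser` being a real account, because SQL evaluates `AND` before `OR`; the password payload matches every row regardless.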
...
Related Vulnerabilities
...