A03: Injection
Simulating a SQL Injection attack to bypass a login form.
Interactive Simulation: Login Bypass
Use the pre-filled SQL injection payload to bypass the login authentication.
How to Simulate
- With the defense disabled, use the pre-filled injection payload and click 'Login'.
- Observe the executed query and see that you have successfully bypassed the login.
- Enable the 'Use Prepared Statements' defense and click 'Login' again.
- Observe that the login now fails, as the malicious input is treated as a literal string instead of executable code.
Explanation
Injection flaws occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s malicious data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
In this SQL injection, the payload `' OR 1=1 --` changes the structure of the query rather than just its values: the leading `'` closes the open string literal, `1=1` is always true, and `--` starts a comment that discards the rest of the line, including the password check. This bypasses the login and would allow an attacker to proceed as the first user in the database (often the admin).
Defense: Use Prepared Statements
Prepared statements (parameterized queries) ensure the database engine treats user input as data, not as part of the SQL command, neutralizing the attack by preventing the malicious string from being executed as SQL.
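The two query styles described above, side by side, as an added Python example (not the lab's own code): an in-memory SQLite table with constructed users, and the page's payload run through both the concatenated and the parameterized form of the login query.

```python
import sqlite3

# Constructed sample users for the demonstration only (plaintext passwords
# keep the example short; real systems store password hashes).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("admin", "s3cret-admin"), ("alice", "wonderland")],
    )
    return conn

def vulnerable_login(conn, username, password):
    # String concatenation: the input becomes part of the SQL command itself,
    # so a quote in the input can close the literal and a `--` can comment out
    # the password check. Returns (query actually executed, matched user or None).
    query = ("SELECT username FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    row = conn.execute(query).fetchone()
    return query, (row[0] if row else None)

def safe_login(conn, username, password):
    # Parameterized query: the SQL text is fixed; the driver binds the input as
    # data, so `' OR 1=1 --` is compared literally against the username column.
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(query, (username, password)).fetchone()
    return query, (row[0] if row else None)

PAYLOAD = "' OR 1=1 --"  # the payload from the lab

if __name__ == "__main__":
    db = make_db()
    q, user = vulnerable_login(db, PAYLOAD, "anything")
    print("vulnerable query:", q)
    print("vulnerable result:", user)     # first user in the table (admin)
    q, user = safe_login(db, PAYLOAD, "anything")
    print("parameterized query:", q)
    print("parameterized result:", user)  # None: no such username
```

Because SQLite treats `--` as a line comment, the concatenated query collapses to `WHERE username = '' OR 1=1`, which matches every row and returns the first one; the parameterized version matches nothing.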