In this walk through, we will be going through the SQL Injection (Login Form/Hero) vulnerability section from bWAPP Labs. We will be exploring and exploiting SQL Injection in Login Forms and learn how application are affected because of it. So, let’s get started with the Hacking without any delay.
Table of Contents
Security: Low
- Setting the security level to Low.
- The application consist of a login form and demands credentials to proceed. As per the intercepted request it uses POST request to sqli_3.php file in order to check if the username and password entered is correct and it it is then we are allowed to proceed otherwise we got hit with “Invalid credentials” error.
- I used the below appostorphe (‘) to check if the application is vulnerable to SQL Injection and can be bypass the required authentication. I got an error in response and that’s good as we have break the SQL statement.
'
- I used the below payload to bypass the authentication and login as Neo which is the first user in the database, usually an admin.
' or '1'='1'-- -
Also Read: bWAPP – SQL Injection (GET/Search)
Conclusion:
So, we finally completed all the security levels for the bWAPP SQL Injection (Login Form/Hero) Vulnerability. We looked into the various ways how application has been set up in various levels and how we can bypass the security controls implemented. Next, we can mitigate the potential SQL Injection attacks by performing input sanitization and using prepared statements or parametrized queries for every SQL query made by the application to the database. On that note, i will take your leave and will meet you in next one with another bWAPP vulnerability writeup, till then “Keep Hacking”.