# Level 2: SQL injection vulnerability allowing login bypass

## <mark style="color:purple;">Objective</mark>

This lab contains a SQL injection vulnerability in the login function.

To solve the lab, perform a SQL injection attack that logs in to the application as the administrator user.

## <mark style="color:purple;">Explanation</mark>

The login form is vulnerable to SQL injection because user-supplied input is concatenated directly into the query. When credentials are submitted, the application builds a SQL statement that checks whether the user exists and whether the password matches. By injecting SQL logic into the username field, we can make the `WHERE` clause evaluate to true regardless of the password and comment out the remainder of the statement, bypassing authentication and logging in as any user, including the administrator.

## <mark style="color:purple;">Resolution</mark>

1. Go to the **My Account** section to access the login form.
2. In the **Username** field, input the following payload:

```sql
administrator' OR 1=1-- -
```

3. Enter any arbitrary value in the **Password** field (e.g., `test`); the injected comment sequence removes the password check from the query, so the value is never compared.
4. The injection transforms the backend query into something like:

```sql
SELECT * FROM users WHERE username = 'administrator' OR 1=1-- -' AND password = 'test'
```

The `OR 1=1` condition always evaluates to true, and the `--` sequence comments out the rest of the query. The trailing ` -` is there so the comment is also honoured by MySQL, which requires whitespace after `--`; on other databases a plain `-- ` would already suffice.

5. This bypasses the password check and logs you in as the administrator, solving the lab.

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXcJIZwyH4fpiXpDdlB73wCBcJMyYO44REVxBOD2Er3svix868UW-DER9pS28FTdrEz4_U24mfPKIZ77QEWp0oc9tYwO_WdQuoAqOP2LJXdjrxs34frJx1S_7Em2SWV8rfgHKi3R?key=Ca0b02oypcOIWxBvXZ_03UM1" alt="" width="375"><figcaption></figcaption></figure>

## <mark style="color:purple;">Mitigation</mark>

To prevent SQL injection in authentication functions:

* Always use **parameterized queries** (prepared statements) or **ORMs** that bind user input as parameters rather than splicing it into the statement text.
* Never build SQL by concatenating or formatting user input into the query string, even when the input has been "validated".
* Implement **multi-factor authentication (MFA)** to add an additional layer of security.
* Regularly test login endpoints with automated tools and manual review to detect injection flaws.
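The query rewrite shown in step 4 and the parameterized-query mitigation above, side by side as an added example (not code from the lab or from PortSwigger). It uses a constructed in-memory SQLite user table with made-up credentials; a real application would compare a password hash rather than the plaintext column used here to mirror the lab's query.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the lab's users table (example data only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("administrator", "s3cret-admin"), ("wiener", "peter")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the statement by string concatenation, as the lab's login does.
    Returns the matched username (first row) or None."""
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Same check with bound parameters: the input is sent as data, so it can
    never change the structure of the SQL statement."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# The payload from the Resolution section.
PAYLOAD = "administrator' OR 1=1-- -"

if __name__ == "__main__":
    conn = make_db()
    # Vulnerable: the WHERE clause is true for every row and the password
    # comparison is commented out, so the first row (administrator) is returned.
    print(login_vulnerable(conn, PAYLOAD, "test"))       # administrator
    # Parameterized: the payload is looked up literally as a username and fails.
    print(login_parameterized(conn, PAYLOAD, "test"))    # None
    # Legitimate credentials still work with the safe version.
    print(login_parameterized(conn, "wiener", "peter"))  # wiener
```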
