Now let us use an SQL injection attack to solve the Login Admin challenge in the OWASP Juice Shop.

The OWASP Juice Shop login fields are vulnerable to SQL injection, which allows unauthorized access to the system.

First, create an error by giving ' as input to the email field and any string (here I used 111) as the password.

Check the response in the browser's Network tab. You can see the SQL query used for the login; the ' we entered in the email field is what caused the SQL error:

"SELECT * FROM Users WHERE email = ''' AND password = '698d51a19d8a121ce581499d7b701668' AND deletedAt IS NULL"

Now we know the SQL query related to logging in. Let us inject SQL into the login field to bypass the login and log in as the first user in the database. We can send ' OR TRUE - as the email input and any string as the password.
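As an added example (not from the original post or the Juice Shop code base), the two ways the login query above can be built, run against a constructed in-memory table with Python's standard-library sqlite3: the string-concatenated form reproduces exactly the query seen in the leaked error when the email is ', while the parameterized form treats the same input as data. The table contents, the account user@example.com and the md5_hex helper are assumptions made for the example.

```python
import hashlib
import sqlite3


def md5_hex(password: str) -> str:
    # The page's hash 698d51a1... is md5("111"); MD5 is mirrored here only
    # to reproduce the observed query, not as a recommended password hash.
    return hashlib.md5(password.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """Constructed in-memory Users table with one active (not soft-deleted) account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (id INTEGER PRIMARY KEY, email TEXT, "
                 "password TEXT, deletedAt TEXT)")
    conn.execute("INSERT INTO Users (email, password, deletedAt) VALUES (?, ?, NULL)",
                 ("user@example.com", md5_hex("s3cret")))  # assumed sample account
    conn.commit()
    return conn


def build_query_vulnerable(email: str, password: str) -> str:
    """String concatenation: untrusted input becomes part of the SQL text."""
    return (f"SELECT * FROM Users WHERE email = '{email}' "
            f"AND password = '{md5_hex(password)}' AND deletedAt IS NULL")


def login_vulnerable(conn, email, password):
    return conn.execute(build_query_vulnerable(email, password)).fetchone()


def login_parameterized(conn, email, password):
    """Placeholders: the driver binds the values, so a quote in the email is just data."""
    sql = ("SELECT * FROM Users WHERE email = ? "
           "AND password = ? AND deletedAt IS NULL")
    return conn.execute(sql, (email, md5_hex(password))).fetchone()


def outcome(login, conn, email, password) -> str:
    """Classify a login attempt the way a defender would log it."""
    try:
        row = login(conn, email, password)
    except sqlite3.OperationalError:
        return "sql_error"  # the condition that leaked the query in the Network tab
    return "granted" if row else "denied"


if __name__ == "__main__":
    db = make_db()
    print(build_query_vulnerable("'", "111"))
    for fn in (login_vulnerable, login_parameterized):
        print(fn.__name__, outcome(fn, db, "'", "111"))
```

A login endpoint that returns "sql_error" to the client is what made the query visible here; the parameterized form returns "denied" for the same input and never surfaces the statement.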