Authentication Bypass (SQL)

Zakkir
2 min read · Dec 31, 2020


Hello guys, hope everyone is doing well. I would like to share one of my findings.

What is Authentication Bypass?

An authentication bypass vulnerability allows an attacker to perform actions that should require a valid login by circumventing the application's authentication mechanism.

How I found and exploited this vulnerability

While testing the web forms, I tried to bypass authentication by injecting a SQL condition that always evaluates to true. To craft these statements, you need to understand a couple of boolean operators.

AND & OR Gates

The statement I wrote is [1'or'1'='1' -- -]; I put it in both the username and password fields.

[Screenshot: Payload Injected Page]

How does the payload [1'or'1'='1' -- -] work?

For example, the application passes the user's input to the database in a SQL query that looks like the statement below (this is what the database server actually executes).

select uname,passwd from table where uname='test' and passwd='test@1234'

With the payload in place, the uname and passwd values become:

select uname,passwd from table where uname='1'or'1'='1' -- -' and passwd='1'or'1'='1' -- -'

This makes the WHERE clause always true: the OR '1'='1' condition matches every row, and the -- - sequence turns the rest of the query (including the password check) into a comment. The database returns the first matching row, and the application logged me in with the credentials of the first user in the table.

What access did I get after bypassing the authentication?

The first user in the database is usually an Admin user, so I was logged straight into the application with ADMIN privileges and was able to create, modify and delete user credentials, among other things.

Remediations:

• Validate inputs.
• Use low-privileged database logins.
• Use parameterized queries.
• Use an ORM (e.g. Dapper, Entity Framework).
• Use stored procedures.
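The following is an added example, not code from the original post, that reproduces the query from the "How does the payload work?" section against a constructed SQLite table and puts it beside the parameterized-query remediation listed above. The table name, columns and sample rows are made up for the demonstration; the payload is the one from the post.

```python
import sqlite3

# Constructed sample data: an in-memory SQLite table standing in for the
# application's user table. Every value here is invented for the example.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (uname TEXT, passwd TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("admin", "S3cret!", "admin"), ("test", "test@1234", "user")],
    )
    return conn


def login_vulnerable(conn, uname, passwd):
    # Mirrors the post's query: user input is concatenated straight into
    # the SQL text, so quotes and comment markers become SQL syntax.
    sql = (
        "select uname,passwd,role from users where uname='" + uname
        + "' and passwd='" + passwd + "'"
    )
    return conn.execute(sql).fetchone()


def login_parameterized(conn, uname, passwd):
    # Same query with bound parameters: the driver sends the values
    # separately from the statement, so the payload is compared as a
    # literal string and never changes the WHERE clause.
    sql = "select uname,passwd,role from users where uname=? and passwd=?"
    return conn.execute(sql, (uname, passwd)).fetchone()


# The payload from the post, placed in both fields.
PAYLOAD = "1'or'1'='1' -- -"


def demo():
    # Returns both outcomes so the difference can be inspected or asserted on.
    conn = build_db()
    return {
        "vulnerable": login_vulnerable(conn, PAYLOAD, PAYLOAD),
        "parameterized": login_parameterized(conn, PAYLOAD, PAYLOAD),
    }


if __name__ == "__main__":
    for name, row in demo().items():
        print(f"{name}: {row}")
```

Running the block shows the vulnerable query returning the first row of the table (the admin account) even though no valid password was supplied, while the parameterized version returns nothing because the payload is looked up as an ordinary username. Pairing the parameterized query with a low-privileged database login, as the remediation list recommends, limits what a successful injection could reach even if a concatenated query slips through elsewhere.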


Written by Zakkir

Security Analyst & Engineer, Threat Researcher, Threat Hunter, Advisory Threat Emulator
