SQL Injection – Login Admin Bypass

An SQL Injection (SQLi) vulnerability was discovered in the login functionality of the OWASP Juice Shop application. This vulnerability allows an unauthenticated attacker to bypass the authentication mechanism and log in as the Administrator without knowing the valid credentials, effectively taking over the administrative account.

To reproduce this vulnerability and confirm the exploit, please follow these steps:

  1. Navigate to the Juice Shop login page (/#/login).
  2. In the Email field, enter the payload provided in the Payload section.
  3. In the Password field, enter any random character string (e.g., "123").
  4. Click the "Log in" button.
  5. Observe that the application redirects you to the dashboard logged in with Administrator privileges.

A common payload for bypassing the login is:

' OR '1'='1' --

The injected clause '1'='1' always evaluates to true, so the WHERE condition matches every row and the authentication query returns the first user record, which in Juice Shop is the administrator.

This vulnerability is classified as Critical due to the following reasons:

The vulnerability exists because the application concatenates user-supplied input directly into the SQL query string instead of using parameterized queries, so input containing quote characters and comment sequences changes the structure of the query rather than being treated as data.

Backend Logic Simulation: Assuming the vulnerable backend code looks something like this:

query = "SELECT * FROM users WHERE email = '" + email + "' AND password = '" + password + "'";

When the payload ' OR '1'='1' -- is injected, the query becomes:

SELECT * FROM users WHERE email = '' OR '1'='1' --' AND password = 'random';

Here, the condition '1'='1' always evaluates to true, and the -- turns the rest of the line, including the password check, into a comment. Because the remaining condition matches every row, the database returns the first user record (the administrator).
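The following Python/SQLite simulation is an added example, not Juice Shop's own code: it runs the concatenated query from the simulation above against a constructed users table with the admin row inserted first, then runs the same lookup with placeholders to show why parameterization (the mitigation discussed below) stops the bypass.

```python
import sqlite3

# Constructed sample data (not Juice Shop's real schema or credentials):
# the admin row is inserted first, so a WHERE clause that matches every
# row hands back the administrator.
SAMPLE_USERS = [
    (1, "admin@juice-sh.op", "s3cr3t-admin-pw", "admin"),
    (2, "jim@juice-sh.op", "jim-pw", "customer"),
]

# The payload from the write-up.
PAYLOAD = "' OR '1'='1' --"


def make_db():
    """In-memory SQLite database seeded with the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, email TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, email, password):
    """Mirrors the concatenated query from the write-up: the user-controlled
    email is spliced into the SQL text, so a quote plus '--' rewrites the
    WHERE clause and comments out the password check."""
    query = ("SELECT * FROM users WHERE email = '" + email
             + "' AND password = '" + password + "'")
    return conn.execute(query).fetchone()


def login_parameterized(conn, email, password):
    """Hardened form: placeholders bind the input as data, so the quotes
    and comment marker in the payload never reach the SQL parser."""
    query = "SELECT * FROM users WHERE email = ? AND password = ?"
    return conn.execute(query, (email, password)).fetchone()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable   :", login_vulnerable(db, PAYLOAD, "123"))    # admin row
    print("parameterized:", login_parameterized(db, PAYLOAD, "123"))  # None
```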

To mitigate this vulnerability, the following coding practices should be implemented: