/Code Review/SQL Injection in Login

SQL Injection in Login

A classic SQL injection vulnerability in a login function that allows attackers to bypass authentication.

CRITICALEasy

Vulnerable Codepython

1def login(username, password):
2    # Connect to database
3    conn = sqlite3.connect('users.db')
4    cursor = conn.cursor()
5    
6    query = f"SELECT * FROM users WHERE username = '{username}' AND password = '{password}'"
7    cursor.execute(query)
8    
9    user = cursor.fetchone()
10    conn.close()
11    
12    if user:
13        return {"success": True, "user": user}
14    return {"success": False, "error": "Invalid credentials"}

Understanding the Issue

This code is vulnerable to SQL injection because user input is directly concatenated into the SQL query. An attacker can input `' OR '1'='1` as the username to bypass authentication entirely.

Authentication Bypass

Attacker inputs a malicious username to bypass password check

Malicious Input

Username: ' OR '1'='1' --
Password: anything

Impact

Query becomes:
SELECT * FROM users WHERE username = '' OR '1'='1' --' AND password = 'anything'

✓ The OR '1'='1' always evaluates to true
✓ The -- comments out the rest of the query
✓ Returns first user in database (usually admin)

Technical Details

Vulnerability Type: SQL Injection
Severity: CRITICAL
Language: Python
CWE: CWE-89
OWASP: A03:2021 - Injection

SQL Injection in Login

Understanding the Issue

How Attackers Exploit This

Authentication Bypass

Finding the Vulnerability(3 hints)

Technical Details

SQL Injection in Login

Understanding the Issue

How Attackers Exploit This

Authentication Bypass

Finding the Vulnerability(3 hints)

Technical Details