Authentication Bypass Using SQL Injection

Mohammad Mohsin
5 min read · Feb 28, 2021
Authentication Bypass

Hi Folks!

In this blog, I am going to explain “How does SQL Injection lead to Authentication Bypass?”

Nearly every website nowadays uses a “Login page" to implement Authentication and Authorization, where:

Authentication - the act of checking a user's credentials to verify that the user is who they claim to be, so that they can be given access to the sensitive information that belongs to their specific user role (Normal User, Admin user, etc.)

Authorization - the process of role mapping, i.e. granting access to different parts of the application's interfaces, functionality and sensitive information based on the user's role. For example: the Admin role can have access to web interfaces that allow Admin users to create normal users, delete them if needed, and grant or restrict access to different parts of the application.

This blog is written not only from a pen-testing perspective but also from a developer's perspective, so that developers can understand how an attacker identifies loopholes and exploits them. I have used a full debugging approach so that you understand every step in identifying and exploiting SQL Injection to bypass the Authentication mechanism.

Tools Used:

Visual Studio 2015

SQL Server Express 2008

So Let’s Begin!

First, notice that, as shown below, I have created a Login page. This login page takes the user's credentials and checks them against the database (SQL Server). If they are correct, it redirects the user to the Welcome Screen; if they are wrong, it redirects the user to an Error screen stating “Entered Credentials are Wrong".

The code to create the designer of the Login Page, Error Page and Welcome Screen is given below:

Login Screen
Error Screen
Welcome Screen

I created the SQL Server database SpitFireDB and the table TblLogin using the queries below:

Database queries to create the database and table

So far, we have created the database, the table and the designer web pages. Now we need to write the code for the login page under the Button_Click event, so that when we click the Submit button it triggers the event handler for the Login button, checks the user-entered credentials against the database and, depending on whether the credentials are correct, grants access to the Welcome Screen or redirects the user to the Error Screen. I have written the following code to do that:

Login Screen code on Button Click that performs the credential check against the database

Notice, as shown above, that most developers write inline SQL queries directly in code to perform dynamic tasks. Here the user-supplied input for Username and Password is captured from the txtusername.Text and txtpwd.Text textboxes and appended to the inline SQL query without any validation or sanitization, which later leads to Authentication Bypass. The expected behaviour is given below.

If the user's credentials are correct, it redirects to the Welcome Screen. I have inserted a breakpoint into the code so that readers can see how correct credentials redirect the user to the Welcome Screen and wrong credentials to the Error Screen.

The correct credentials are any of those given below:

Correct Set of Credentials
  1. When Credentials are Correct:
Debugger shows correct credentials in the CommandText property and redirection to the Welcome.aspx screen
Redirection to the Welcome.aspx screen on correct credentials
  2. When Credentials are Wrong:
Debugger shows wrong credentials in the CommandText property and redirection to the Error.aspx screen
Redirection to the Error.aspx screen on wrong credentials

So far, I have shown the normal behaviour of the web application, with proof from the debugger of how the web application sends different responses and redirects to different web pages depending on the authenticity of the entered credentials. Now let's come to the pen-testing part and try to bypass authentication by entering wrong credentials. Let's call it the “Hacker's Way of Exploitation”.

Payload Used: ' or 1=1--

Now let's try to log in from the hacker's perspective and see whether we can log in using wrong credentials. The figure below shows that I have entered the following wrong credentials:

Wrong Credentials:

Username: ' or 1=1--

Password: foo

Wrong credentials redirect to the Welcome Screen

How Surprising!

But there is no magic at all. Let's understand how wrong credentials allow a hacker to log in to the application. When we enter the payload ' or 1=1-- in the Username textbox, our backend dynamic query is broken into three different parts, as shown below:

1st part is taken as a string: Select * from TblLogin where username=' (the leading single quote of the payload closes this string literal, so whatever follows is treated as SQL rather than as part of the username)

2nd part always makes the query return TRUE: 1=1

3rd part comments out the REST of the query (the password check included) because of: --

Debugging: understanding the query logic that incorporates our payload ' or 1=1-- and bypasses the Authentication mechanism

Cool!

Here is the video POC:

SQL Injection Authentication Bypass Video POC

I hope readers now have a clear idea of how dangerous inline SQL queries are and of the value of validation and input sanitization. To prevent this kind of attack, please read the recommendation from OWASP below.

Recommendations:

Please read the detailed OWASP guidance on preventing SQL injection vulnerabilities at the URL mentioned below:
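The fix OWASP leads with for this bug class is the parameterized (prepared) query, which is the one change that makes the three-part breakdown above impossible: the query text is fixed before any user input is seen, so the payload's quote and `--` never reach the SQL parser as syntax. The block below is an added example and not code from the post; it reproduces the post's inline string concatenation and the hardened form side by side, using Python with an in-memory SQLite table as a stand-in for the ASP.NET page and the SQL Server `TblLogin` table (the column names `username`/`password` and the sample rows are my assumptions, since the post's CREATE TABLE script is only shown as an image; `--` is a line comment in both SQLite and T-SQL, so the bypass behaves the same way).

```python
import sqlite3

# Constructed sample rows standing in for the post's SpitFireDB.TblLogin.
# Column names are an assumption; the post does not show its CREATE TABLE text.
SAMPLE_USERS = [("admin", "admin123"), ("mohsin", "secret")]


def open_db():
    """In-memory SQLite database used as a stand-in for the SQL Server table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE TblLogin (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO TblLogin VALUES (?, ?)", SAMPLE_USERS)
    return conn


def build_inline_query(username, password):
    """The vulnerable pattern from the post: user input concatenated straight
    into the SQL text. The returned string is what the debugger shows in the
    CommandText property."""
    return ("Select * from TblLogin where username='" + username
            + "' and password='" + password + "'")


def login_inline(conn, username, password):
    """Vulnerable check: any row coming back counts as a successful login.
    With the payload ' or 1=1-- the WHERE clause collapses to  username='' or 1=1
    and the password comparison is commented out, so rows are returned."""
    sql = build_inline_query(username, password)
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn, username, password):
    """Hardened check: the query text is fixed and the values travel as bound
    parameters, so a quote or -- inside the input is only data, never syntax.
    The same payload now just fails to match any username."""
    sql = "SELECT * FROM TblLogin WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchone() is not None


if __name__ == "__main__":
    conn = open_db()
    payload = "' or 1=1--"
    print("CommandText seen by the database:", build_inline_query(payload, "foo"))
    print("inline query, payload as username:", login_inline(conn, payload, "foo"))
    print("parameterized query, payload as username:",
          login_parameterized(conn, payload, "foo"))
    print("parameterized query, real credentials:",
          login_parameterized(conn, "admin", "admin123"))
```

Run it and compare the first printed line with the CommandText value from the post's debugger screenshot: the string is the same shape, which is why the same payload works. The ADO.NET equivalent of `login_parameterized` is a `SqlCommand` whose text contains `@username` and `@password` placeholders filled through `cmd.Parameters`, rather than a string built from `txtusername.Text` and `txtpwd.Text`.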

Please do follow for more readings. Many more to come.

Thanks!


Mohammad Mohsin

Director - OLF Infotech Pvt. Ltd. Ethical Hacker, Vulnerability Assessment and Penetration Tester, Bug Hunter, Security Researcher, Optimistic, Philanthropist.