Juicy Shop
Login Bypass via SQL Injection
InjectionA03:2021 – Injectioncritical
Vulnerability
The login handler interpolates the submitted email straight into the authentication query. Supplying `' OR 1=1--` rewrites the WHERE clause so it is always true and comments out the rest, returning the first row in the table — typically the admin account — without any valid credentials. This is a full authentication bypass and account takeover.
Exploit Steps
- Navigate to the login page
- In the email field enter: `' OR 1=1--`
- Use any value for the password field
- Submit — the SQL condition OR 1=1 makes the WHERE clause always true, logging you in as the first user (admin)
Tools: browser devtools, Burp Suite
Mitigation & Solution
Use parameterised queries for login. Never construct SQL with user-supplied credentials. Also enforce rate limiting and account lockout to prevent automated brute force.
Coding Challenge
Find It
File: apps/juicy-shop/src/app/api/users/login/route.ts
Click the line that contains the vulnerability: