Juicy Shop

Login Bypass via SQL Injection

InjectionA03:2021 – Injectioncritical

Vulnerability

The login handler interpolates the submitted email straight into the authentication query. Supplying `' OR 1=1--` rewrites the WHERE clause so it is always true and comments out the rest, returning the first row in the table — typically the admin account — without any valid credentials. This is a full authentication bypass and account takeover.

Exploit Steps

  1. Navigate to the login page
  2. In the email field enter: `' OR 1=1--`
  3. Use any value for the password field
  4. Submit — the SQL condition OR 1=1 makes the WHERE clause always true, logging you in as the first user (admin)

Tools: browser devtools, Burp Suite

Mitigation & Solution

Use parameterised queries for login. Never construct SQL with user-supplied credentials. Also enforce rate limiting and account lockout to prevent automated brute force.

Coding Challenge

Find It

File: apps/juicy-shop/src/app/api/users/login/route.ts

Click the line that contains the vulnerability:

Fix It