
Hack the box OWASP Top 10: Sanitize

  • carocsteads
  • Feb 12, 2025
  • 2 min read

Updated: Dec 9, 2025

Sanitize:

Synopsis: SQL injection leads to authentication bypass.

Skills Required:

  1. Basic understanding of SQL

  2. Familiarity with the Flask web framework.

  3. Knowledge of SQL injection vulnerabilities.

Skills Learned:

  1. Understanding and exploiting SQL injection vulnerabilities in web applications.

  2. Analyzing Dockerfiles and Docker setup in web applications.


The exercise: Can you escape the query context and login as admin at my super secure login page?





Analysis:

The first clue is in the description: "Can you escape the query context and login as admin at my super secure login page?". This lab contains an SQL injection vulnerability that allows the admin login to be bypassed.

The browser tab title, SQLi, confirms the vulnerability class.




We need to identify the injection point by appending a single quote, a double quote, or SQL operators such as AND, OR and NOT to the input. The following probe inputs can be tried:

[Nothing]

'

"

`

')

")

`)

'))

"))

`))


First, let's use username admin and password admin. The application shows the query it ran: "select * from users where username = 'admin' AND password = 'admin';"

Next, let's try to escape the ' by adding another ' at the end of the username, i.e. username admin' and password admin. The result is "select * from users where username = 'admin'' AND password = 'admin';

<class 'sqlite3.OperationalError'> : near "admin": syntax error"

The error is expected: SQLite reads '' inside a string literal as an escaped quote, so 'admin'' AND password = ' is parsed as a single string and the trailing admin'; no longer fits the grammar. The query text changes with our input, which confirms that the username is concatenated directly into the SQL statement.




To make the query valid again, you can either supply input that completes the existing query so it still parses, or supply input and append a comment symbol so that the rest of the original query is ignored.




After clicking Sign in we get the following:




The flag is discovered.


How to prevent SQL injection - authentication bypass:

  • Use database accounts with minimal privileges

Ensure the application uses a database account with only the required permissions to minimize the impact of an attack.

  • Implement Web Application Firewalls (WAFs) with SQL injection detection

Set up a WAF to detect and block common SQL injection patterns.

Keep the WAF up to date with new attack signatures.

  • Prevent injection by separating data from commands

Use parameterized queries or Object-Relational Mapping (ORM) tools to keep user inputs separate from SQL commands, avoiding direct SQL interpretation.

Even when queries are parameterized, be cautious with stored procedures: concatenating user input into SQL inside the procedure, or executing it with functions like EXECUTE IMMEDIATE, reintroduces the injection risk.

  • Use positive server-side input validation

Validate input to allow only expected values. However, this is not a complete defense, especially in cases where special characters are required.

  • Escape special characters for residual dynamic queries

For any unavoidable dynamic queries, escape special characters using the appropriate syntax for the SQL interpreter.

Avoid user-supplied structure names (e.g., table and column names), as these cannot be safely escaped and may lead to injection risks.

  • Use SQL query controls to limit data exposure

Always include LIMIT clauses and other controls within queries to prevent mass data leakage in case of SQL injection.
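As an added example (not the challenge's own code, which the page does not show), the following Python script reproduces the query-building behaviour seen in the analysis above and puts the two main fixes from this list beside it: a parameterized query with a LIMIT clause, and positive (allow-list) input validation. The in-memory users table, its passwords, and the names build_vulnerable_query, vulnerable_login, safe_login and valid_username are constructed for this example; the concatenated query format is the one the write-up displays.

```python
import re
import sqlite3


def make_db():
    # Constructed stand-in for the challenge's users table (assumed schema;
    # the real application and database are not shown in the write-up).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("admin", "not-the-real-password"), ("alice", "alice-pw")],
    )
    conn.commit()
    return conn


def build_vulnerable_query(username, password):
    # The concatenation pattern inferred from the write-up: user input is
    # pasted into the SQL text, so a quote in the input changes the statement.
    return (
        f"select * from users where username = '{username}' "
        f"AND password = '{password}';"
    )


def vulnerable_login(conn, username, password):
    # Returns (status, detail): "ok" with the matched username, "fail",
    # or "error" with the database's message when the query no longer parses.
    try:
        rows = conn.execute(build_vulnerable_query(username, password)).fetchall()
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))
    return ("ok", rows[0][0]) if rows else ("fail", None)


def safe_login(conn, username, password):
    # Parameterized query: sqlite3 binds the values as data, so a quote in
    # the input cannot terminate the literal or alter the statement.
    # LIMIT 1 caps what a single login query can ever return.
    rows = conn.execute(
        "select username from users where username = ? AND password = ? LIMIT 1;",
        (username, password),
    ).fetchall()
    return ("ok", rows[0][0]) if rows else ("fail", None)


# Positive validation: only the characters a username is expected to contain.
# Defense in depth on top of parameterization, not a replacement for it.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def valid_username(username):
    return USERNAME_RE.fullmatch(username) is not None


if __name__ == "__main__":
    db = make_db()
    print(build_vulnerable_query("admin", "admin"))
    print(vulnerable_login(db, "admin", "admin"))    # ('fail', None)
    print(vulnerable_login(db, "admin'", "admin"))   # ('error', 'near "admin": syntax error')
    print(safe_login(db, "admin'", "admin"))         # ('fail', None): no error, no bypass
    print(safe_login(db, "admin", "not-the-real-password"))  # ('ok', 'admin')
    print(valid_username("admin"), valid_username("admin'"))  # True False
```

The contrast to look at is the second and third lines of output: the concatenated query breaks as soon as the input contains a quote, exactly as the challenge showed, while the parameterized query simply treats admin' as a username that does not exist. Rejecting the input up front with valid_username would stop such requests before they reach the database at all.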



© 2023 by Carolina Steadham. All rights reserved.
