SQL Injection Challenge Two

This is a challenge from OWASP Security Shepherd.

In this challenge, you will notice that the application checks for a valid email address. Once the input is validated as an email, it is used as part of a query. This is a weak defence: once we manage to bypass the email validator, we can perform SQL injection attacks.

The main obstacle is to form an input which is both a valid email and contains a malicious value. Let's use the hint to see what the query looks like.

For a valid email, there must not be any space within the value. Hence the usual SQLi payload `something' OR 1=1--` does not work here. The workaround is to use `||` instead of `OR`.
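The root cause is the validate-then-concatenate pattern, not the particular payload. The following added example (not Security Shepherd's own code; the e-mail regex and the in-memory SQLite table are assumptions) shows that an input can satisfy an e-mail check and still reach the SQL parser as syntax, and that binding the value as a parameter closes the hole while keeping the same format check:

```python
import re
import sqlite3

# Permissive format check of the kind the challenge relies on (assumption: the
# challenge's real regex is not shown). It rejects whitespace but not a single
# quote, so passing it says nothing about SQL safety.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def is_valid_email(value: str) -> bool:
    return EMAIL_RE.fullmatch(value) is not None


def make_db() -> sqlite3.Connection:
    # Constructed sample data, kept in memory so the example runs offline.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "alice@example.com"), (2, "bob@example.com")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """Validate, then concatenate: the pattern the challenge exploits."""
    if not is_valid_email(email):
        raise ValueError("not an email")
    sql = "SELECT id FROM users WHERE email = '" + email + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, email: str) -> list:
    """Same format check, but the driver binds the value as data."""
    if not is_valid_email(email):
        raise ValueError("not an email")
    rows = conn.execute("SELECT id FROM users WHERE email = ?", (email,))
    return [row[0] for row in rows]


def compare(email: str):
    """Run both lookups; a database error from the first one means the
    quote in the input was interpreted as SQL syntax, not as data."""
    conn = make_db()
    try:
        vuln = lookup_vulnerable(conn, email)
    except sqlite3.Error as exc:
        vuln = "SQL error: " + str(exc)
    return vuln, lookup_safe(conn, email)
```

An address such as `o'neil@example.com` is well formed yet breaks the concatenated query, while the parameterized version simply returns no match; note that the page's `||` trick works because MySQL treats `||` as logical OR by default, whereas SQLite uses it for string concatenation, so the demo relies on the quote alone.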

Published in Walkthrough
