187
xonya
7y

** The most hilarious authentication implementation I've ever seen **

They stored password in cleartext, but never mind, this is sadly quite common.
For some reasons credentials were also case insensitive (maybe to avoid silly tickets from CAPS LOCK lovers?).

Then I had a look to the query executed during the login:
SELECT * FROM users WHERE username LIKE ? AND password LIKE ?;

So I tried logging in with user "admin" and password "%"... and it worked!
I laughed all the day.

Comments
  • 23
    Why the fuck would you even
  • 14
    Good lord 😳
    although I have come across admin/admin for the admin account of a webDev site and all its clients, some people are just idiots.
  • 3
    Unbelievable 😂
  • 21
    Now i'd like to know what happens on "%" / "%", that query returns all users and you'll most likely be logged in as the first one (which is the admin in most cases)
  • 19
    Oh my fucking god!!!
    I think this one wins the vulnerability challenge... Wtf...
  • 8
    @YouAreAPIRate I tried that. The application thrown an exception, because it expected only one or zero record from the query. It would have been awesome to be logged in with all users at the same time :D
  • 4
    @xonya at least they got that right. Most applications only take the first query result and ignore the rest because there shouldn't be any more. If they really would save all users in the session that would fuck up the whole web application ^^"
  • 2
    How do you look up executed sql query?
  • 8
    @coolmox Unfortunately I worked for the company who owned that shitty code :D
  • 1
    @xonya ouu :D that must be big laugh off
  • 4
    @coolmox some applications even show an error message where you can see the query. So if you feed chars like "\' etc. to the application you force an error and might see query.
    That way you can look at it even if you don't have access to the code.
  • 3
    @YouAreAPIRate Yes, sometimes that happens too. In this case I had access to the whole source code, so it has been easy to found this vulnerability.
  • 8
    I would fire myself if I stored anything in cleartext. Jesus.
  • 2
    What the hell 🤣🤣 that is so dumb!
  • 2
    @ziadkiwan i had to work on a similar program, and sql-injections are still found regularely* in the wild. This is dumb but it's happening way more often than you think. It makes you think.

    *there even is a search engine for that
  • 3
    I mean there is libraries every where, that they are very easy to use to avoid sql injection.. Etc..
  • 3
    @ziadkiwan you might think that (i do too) but no library can compete against idiots. At least OWASP says sql-injections are not (really) slowing down even we got parameterized/prepared statements years ago and escaping decades ago.
  • 2
    True, even tho i found parameterized queries, are easier to build
  • 0
    but how do you know the SQL and if you know the SQL then you have access to the DB anyway so it doesn't really matter?
  • 0
    @billgates Yes, I could query the DB directly. The fact remains that it was a really poor designed application.
  • 1
    @xonya Yea agreed... just like my workplace... if it were me i'd burn down pretty much the whole codebase and build it again without all the unneccessary mess and redundant code.
  • 2
    @billgates Ahah, I think there is a lot of shitty code inside most companies.
  • 0
    SQL injection 😂
  • 1
    If you were able to use %, does that mean they didn't even sanitise the user input?
  • 3
    @DavRant They sanitized the single quote ', but not %.
  • 2
    @xonya wow, that's just...horrible
  • 0
    @Kalex Imagine this happening to the first ever version of our product....
  • 2
    It's not even funny. Sounds like some ultra-n00b dumb sh*t. Like I have never really seen any 'programmer' do something like this, yet alone a company. Umm, are you sure that's a real company? Can you share more info about it with us? Like what country is it located in? What kind of industry is it in? And maybe the name of the company?
  • 2
    I know of a university wherw its case insensitive and after a certain amount of characters it doesnt matter what you put. Its unbelievable
  • 1
    @adminadmin I obviously can't tell the name of the company. In any case it was a quite old project and data "protected" by that passwords were not so critical/sensitive.
Add Comment