A login process that contains a SQL injection vulnerability can be bypassed by attackers. By manipulating the username or password parameters they gain access to the application (possibly even as administrator) without knowing the original user credentials. This is known as “Authentication Bypass via SQL Injection”.
In this post, I want to explain how a penetration tester can use Burp Suite’s Intruder tool to automatically check for this type of vulnerability. I am also providing an authentication-bypass-list.txt file that contains various inputs for checking SQL injection.
Here are the steps that a pentester needs to follow, in order:
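To make the root cause concrete, here is an added example (not code from the original post) of the two login implementations the test is meant to distinguish: one that concatenates user input into the SQL text, and one that binds it as a parameter. The table, the single account and the inputs are constructed for the demo; the database is an in-memory SQLite instance.

```python
import sqlite3


def make_demo_db():
    """Constructed in-memory database with one account (demo data, not a real system)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'S3cret!', 'administrator')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the statement by string concatenation, so the input is parsed as SQL.

    A password value such as  ' OR '1'='1  turns the WHERE clause into a
    tautology and the first row (here the administrator) is returned without
    the real credentials being known.
    """
    query = ("SELECT role FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_hardened(conn, username, password):
    """Same logic with a parameterised query: input is bound as data, never as SQL."""
    query = "SELECT role FROM users WHERE username = ? AND password = ?"
    row = conn.execute(query, (username, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    tautology = "' OR '1'='1"  # constructed tautology input
    print("vulnerable, tautology:", login_vulnerable(make_demo_db(), "anyone", tautology))
    print("hardened,   tautology:", login_hardened(make_demo_db(), "anyone", tautology))
    print("hardened,   real creds:", login_hardened(make_demo_db(), "admin", "S3cret!"))
```

The Intruder run described in the post is essentially probing which of these two shapes the target's login code has: with the hardened version every entry of the list is compared as a literal string and the failed-login response comes back unchanged.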
1- Within the Proxy Tool, choose the option “send to intruder“
2- Within the Intruder tool, go to the Positions tab
“Clear” the default entries, select the username and password parameter values and “Add” them to the test list. For “Attack type”, choose Sniper, which generates one request per entry of the authentication-bypass-list.txt file for the username and for the password position respectively.
3- Within the Intruder tool, go to the Payloads tab
For the “Payload set”, choose “Runtime file” and, via “Select file”, choose the authentication-bypass-list.txt file.
4- Within the Intruder tool, go to the Options tab
The returned HTTP responses need to be analyzed to check whether the attack was successful or whether certain error messages (e.g. SQL queries) are returned. Hence, in the “Grep – Match” section, enable “Search responses for these expressions”. “Add” to the list the keywords which your application returns after a successful login. As an example, my demo application returns a “YOU ARE AUTHENTICATED” message.
5- Start the Attack
Now you can start the attack by clicking Intruder -> “Start attack” in the top menu.
6- Analyze the HTTP Responses
In the final step, you need to check the results to find out whether an authentication bypass was possible. First check whether any of the match expressions you added in the Options tab for a successful login appeared in the responses. Additionally, HTTP responses with status codes 302 and 200 are interesting and need to be analyzed further. HTTP responses with status code 500 can contain critical error messages, sometimes even including the SQL query itself. Such error messages can also be used to build a customized authentication bypass attack.
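The response triage described in this step can be automated on exported Intruder results. The following is an added example (not the post's own tooling): it applies the same three checks (success keyword, 500 with database error text, 200/302 for manual review) and additionally discards responses identical to a baseline failed login, which removes most of the noise from a long list. The success marker, the error signatures and the sample responses are all constructed for the demo; the payload names are placeholders, not actual list entries.

```python
import re

# Keyword(s) the demo application returns after a successful login (constructed value).
SUCCESS_MARKERS = ["YOU ARE AUTHENTICATED"]

# Constructed, non-exhaustive signatures of database error text leaking into a response.
SQL_ERROR_PATTERN = re.compile(
    r"(syntax error|sqlite|mysql|ora-\d+|odbc|unclosed quotation|sql)", re.IGNORECASE
)


def triage(response, baseline):
    """Classify one Intruder result the way step 6 does by hand.

    response / baseline: dicts with 'status' (int) and 'body' (str); the baseline
    is the response to a known failed login, captured before the attack.
    """
    status, body = response["status"], response["body"]
    if any(marker in body for marker in SUCCESS_MARKERS):
        return "bypass-candidate"            # grep expression matched
    if status == baseline["status"] and body == baseline["body"]:
        return "same-as-baseline"            # identical to a normal failed login
    if status == 500 and SQL_ERROR_PATTERN.search(body):
        return "sql-error-leak"              # server error exposing database details
    if status in (200, 302):
        return "review"                      # interesting per the post, needs a manual look
    return "no-interest"


def summarize(baseline, responses):
    """Group payload labels by verdict so the interesting ones surface first."""
    verdicts = {}
    for r in responses:
        verdicts.setdefault(triage(r, baseline), []).append(r["payload"])
    return verdicts


# Constructed sample results; 'payload' holds a placeholder label, not a list entry.
BASELINE = {"status": 200, "body": "<p>Invalid credentials</p>"}
SAMPLE_RESPONSES = [
    {"payload": "entry_1", "status": 200, "body": "<p>Invalid credentials</p>"},
    {"payload": "entry_2", "status": 302, "body": ""},
    {"payload": "entry_3", "status": 500,
     "body": "sqlite3.OperationalError: unrecognized token: \"'\""},
    {"payload": "entry_4", "status": 200, "body": "<h1>YOU ARE AUTHENTICATED</h1>"},
    {"payload": "entry_5", "status": 403, "body": "Forbidden"},
]

if __name__ == "__main__":
    for verdict, labels in summarize(BASELINE, SAMPLE_RESPONSES).items():
        print(f"{verdict:18} {labels}")
```

The baseline comparison is the one check the post does not spell out; in practice it is what makes a run of several hundred entries reviewable, because a properly parameterised login returns the baseline for every single entry.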
Final Words