SQL injection | OWASP Bricks Login page #2

Login page #2

Login page with client side validation.
Special characters are not allowed in user name and password field.

Credentials for logging in normally

User name	Password
admin	admin
tom	tom
ron	ron

SQL injection by bypassing the client side security.

When a user enters a user name and password, it is first validated using a client side security mechanism before sending it to the server. Thus, code injection attempts are filtered right from the beginning.

In order to bypass this security mechanism, SQL code has to be injected on to the input fields. However a security mechanism employed on the web page restricts from putting any special characters on the input. One of the easiest method bypass this security mechanism is to craft the POST requests, bypassing the client side security. This can be done using Mantra (Hackbar, Tamper Data, Live HTTP Headers, Chickenfoot etc.) or some man in the middle proxy like ZAP.

Bricks Documentation

Login pages

File upload pages

Content pages

Login page #2

Credentials for logging in normally

SQL injection by bypassing the client side security.