Q3.1) SQL Injection Attack: Login Bypass and Unauthorised Profile Modification

Опубликовано: 26 Июнь 2026
на канале: Harshal Pawar
23
0

This video demonstrates a SQL injection attack
Two SQL injection attacks are performed on a vulnerable web application:

1. Login Bypass — logging in as Ted without knowing his password by
injecting SQL code into the username field of the login page.

2. Unauthorised Profile Modification — modifying Boby's email address
while logged in as Ted by injecting SQL code into the NickName field
of the Edit Profile form.

Both attacks exploit the fact that user input is placed directly into
SQL queries without any sanitisation or parameterisation.

Key concepts demonstrated:
SQL injection in login authentication
SQL comment character # to bypass password check
SQL injection in UPDATE statement
Modifying another user's data without their password
Why prepared statements prevent SQL injection

Tools used: PHP, MySQL, Docker, Firefox, Ubuntu 24.04 LTS
Environment: Lab 9 Labsetup (ARM version for Apple Silicon)