Lab 1 — SQL Injection in WHERE Clause: How OR 1=1 — Exposes Hidden Products

SQL injection (SQLi) is a major web vulnerability. This blog post breaks down four PortSwigger labs using Burp Suite to show how these attacks work. The goal is to demonstrate why developers must protect their applications by never trusting user input.

Tools Used:

  • Web Browser: Used to access the lab.
  • Burp Suite: A penetration testing toolkit used for intercepting and modifying web requests. We specifically used the Proxy and Repeater tools.

Goal: Access unreleased products on an e-commerce website.

Steps:

  1. Navigate to the product page of the lab and select a product category. This sends a request to the server, which is likely building a SQL query using your input.
  1. The application uses a SQL query that looks something like this: SELECT * FROM products WHERE category = ‘Gifts’ AND released = 1. Your goal is to bypass the AND released = 1 condition.
  2. In the URL or the HTTP request, you’ll see a parameter for the category, such as ?category=Clothing.
  1. Modify the category parameter by adding ‘+OR+1=1–. The single quote closes the original string, the OR 1=1 is a condition that is always true, and the double dash — comments out the rest of the original query, including the AND released = 1 part.
  1. The final query becomes SELECT * FROM products WHERE category = ‘Gifts’ OR 1=1–‘ AND released = 1. The — effectively turns the rest of the query into a comment, and since 1=1 is always true, the query returns all products, including the unreleased ones.
  1. The lab is solved when you see the unreleased products displayed.

Summary

SQL injection (SQLi) is a serious web vulnerability that lets an attacker manipulate a site’s database queries by tampering with user input. Using a browser and Burp Suite (Proxy + Repeater), the lab shows how changing a category parameter to ‘+OR+1=1– closes the original string, adds a always-true condition, and comments out the rest of the query. That transforms a query like …WHERE category=’Gifts’ AND released=1 into one that returns all products (including unreleased ones), demonstrating why developers must never trust or directly embed user input in SQL.

2 1 vote
Article Rating
Subscribe
Notify of
guest
0 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments

Trending now

How to Secure Sensitive Data in the Cloud
Building Your Career: In-Demand Cybersecurity Skills to Learn Now
The Rise of AI-Powered Cyber Attacks: How to Stay Ahead of Hackers
Proven Cybersecurity Home Lab Setup: VMware, Kali Linux & Vulnerable Machines
0
Would love your thoughts, please comment.x
()
x