Authentication 04

This exercise is one of our challenges on Authentication issues

< 1 Hr.


To address the issue of unauthorized user creation, the developer implemented a case-sensitive comparison during user registration. However, this check can be bypassed due to a quirk in how MySQL handles string comparisons: it ignores trailing spaces. Therefore, usernames such as "pentesterlab" and "pentesterlab[space]" are considered equal by MySQL.

In this lab, you will exploit this behavior to register and log in as the user "admin" by appending trailing spaces to the username. This allows you to circumvent the application's restriction against using the "admin" username. The database will return the first matching record, which will be the actual admin account, thereby granting you access.

A good way to prevent this issue is to designate the username as a PRIMARY KEY in the database, ensuring unique entries and preventing such exploitation. This method is recommended in the Tomcat documentation for using a SQL backend as a Realm.

Want to learn more? Get started with PentesterLab Pro! GO PRO