fbpx
TCM Security is offering free Active Directory Health Checks to any company with 10 or more employees. To inquire, please contact us here.

Overview

Despite its popularity as an SQL injection example, we argue that “OR 1=1” presents more risks than rewards. It may work for login bypasses occasionally, but its reliability is questionable, and better alternatives exist. We explore the drawbacks, from database overloads to data manipulation. We recommend using “OR 1=1” cautiously as a last-resort option in cybersecurity assessments.

What is an “OR 1=1” injection?

I want to clarify upfront that when I mention “OR 1=1” here, I’m really talking about “OR <true>.” It’s not about the values 1 or equality but about using the logical operator OR with a condition that’s always true. I use “OR 1=1” for simplicity and recognition. If you were to conduct a Google search on “SQL Injection,” you’d discover that nearly every resource discussing this technique uses “OR 1=1” as the primary example.

The celebration of “OR 1=1” injection mainly revolves around two scenarios: login bypass and search function exploitation. While it can be effective in these cases, I believe it falls short of reliability. In this post, I argue that the associated risks outweigh the rewards, and it should be a last-resort option in security assessments.

Login Bypass

Regarding login bypasses, consider the typical SQL statement for checking credentials:
SELECT * FROM users WHERE username = 'admin' AND password = 'letmein';

Now, by modifying the username to: ' OR 1=1 -- -, the injection alters the structure of the SQL statement:

SELECT * FROM users WHERE username = '' OR 1=1 -- -'' AND password = 'invalid password';

In the initial statement, a row is returned only if it matches “admin” and “letmein.” With our injection, the “--” comment effectively removes the password requirement, retrieving rows with an empty username or when 1 equals 1. Since 1 always equals 1, all rows are retrieved.

While this injection may occasionally result in a successful login, one must consider the developer’s perspective. If a developer expects only one matching row for valid credentials, they would code the login check accordingly. Thus, the reliability of “OR 1=1” injections in login scenarios is uncertain. It might work sometimes but not always.

Nonetheless, there exists an injection that guarantees success every time (assuming it aligns with our SQL example): ' -- -. The caveat here is that you must possess one valid piece of data to match, such as the username. For a legitimate penetration tester, acquiring such data from the client should be a straightforward task.

Data Overload

The unreliability of the “OR 1=1” login bypass is just the tip of the iceberg; there are more perilous consequences associated with this injection. As demonstrated in the login SQL statement, it retrieves all rows from the table. While this may not be an issue for small tables, large databases could experience performance problems, potentially crashing the database server.

Developers may not include a LIMIT clause if the query is expected to return a limited number of rows. Given this, using payloads that could overload the database server is irresponsible.

Mass Update / Deletion of Data

The most alarming outcome of “OR 1=1” injection occurs when used in an UPDATE or DELETE statement. Many applications execute multiple SQL statements during a single request, and while most are SELECT queries, the application occasionally updates or deletes data based on user input.

Similar to how “OR 1=1” can flood a SELECT query with all rows of data, it can also wreak havoc on an UPDATE or DELETE statement. For instance, consider the following statement for a password reset:

UPDATE users SET password = 'newpass' WHERE email = 'tib3rius@example.com';

Setting the email to ' OR 1=1 -- - changes all user passwords. In a DELETE statement, all rows are removed. These scenarios are problematic, and as penetration testers, we should minimize the potential for destructive testing and exercise caution.

Conclusion

While “OR 1=1” may have its moments of success, it is far from a reliable injection technique. Its usage poses significant risks, from unpredictable login outcomes to database overloads and data destruction. Therefore, it should be employed sparingly and only as a last resort in cybersecurity assessments.

About TCM Security

TCM Security is a veteran-owned, cybersecurity services and education company founded in Charlotte, NC. Our services division has the mission of protecting people, sensitive data, and systems. With decades of combined experience, thousands of hours of practice, and core values from our time in service, we use our skill set to secure your environment. The TCM Security Academy is an educational platform dedicated to providing affordable, top-notch cybersecurity training to our individual students and corporate clients including both self-paced and instructor-led online courses as well as custom training solutions. We also provide several vendor-agnostic, practical hands-on certification exams to ensure proven job-ready skills to prospective employers.

Pentest Services: https://tcm-sec.com/our-services/
Follow Us: Blog | LinkedIn | YouTube | Twitter | Facebook | Instagram
Contact Us: sales@tcm-sec.com

Penetration Testing – PCI Compliance – Auditing

See How We Can Secure Your Assets

Let’s talk about how TCM Security can solve your cybersecurity needs. Give us a call, send us an e-mail, or fill out the contact form below to get started.

 

tel: (877) 771-8911 | email: info@tcm-sec.com