SQL Truncation
It's an attack that no longer works in the latest MySQL versions.
Overview
Prerequisites:
MySQL database backend
A SQL Truncation attack takes advantage of two features in MySQL to subvert application logic. These features are:
If the length of a VARCHAR is exceeded, then the rest of it is simply cut off (truncated) - this is no longer a feature of MySQL.
By default, MySQL ignores trailing whitespace when making comparisons (MySQL Loose Comparisons)
Note: This attack doesn't work in newer MySQL versions and other databases like PostgreSQL because an error is thrown when the length of a VARCHAR is exceeded.
Attack Walkthrough
Let's say there's a website with a MySQL backend and a users table, where the username is of type VARCHAR(20)
. Let's also say that there is an admin account
Register the following user:
username:
admin (lots of spaces in between)And then whatever
password:
mypassword123
It produces the following SQL query:
Because of SQL truncation to 20 characters, the above is effectively the same as:
When you later try to log in with admin:mypassword123
, then that produce the following query:
Because of MySQL loose comparisons, admin
is the same as admin
and you can log in as the admin user.
Last updated