BugForge - Daily - Cheesy Does It (Repeat)

Daily - Cheesy Does It (Repeat)

This is a repeat of the daily challenge from January 5th, 2026.

---

Vulnerability Overview

The Cheesy Does It application contains a SQL Injection vulnerability in the login functionality, allowing attackers to bypass authentication and gain unauthorized access to admin accounts. By injecting a payload such as ' or 1=1-- into the username field, the attacker manipulates the underlying SQL query to always evaluate as true, effectively bypassing password validation. This classic authentication bypass vulnerability grants immediate access to privileged accounts and exposes the challenge flag.

Key Issues:

• The backend constructs SQL queries by directly concatenating user-supplied input without proper sanitization or parameterization
• No input validation is applied to reject unexpected characters in authentication fields
• The login query allows attackers to inject malicious SQL syntax that alters the query logic and bypasses authentication controls

---

Vulnerabilities Covered

• SQL Injection (Authentication Bypass)

---

Classification

• OWASP Top 10: A03:2021 - Injection
• Vulnerability Type: SQL Injection (Authentication Bypass)
• Attack Surface: Login API endpoint (POST /api/login)
• CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command

---