Writeup · 11 May 2026 · Suleiman K.

Last Saturday's Web challenge — solved 3 ways

Login Bypass was the Week 01 Saturday CTF challenge — 100 points, the easiest on the board, yet still only 42 of 62 students got it. Here's what tripped people up and the three distinct paths to flag{sql_1s_not_a_password}.

The setup

The target was a simple Node/Express login form at /admin. No HTTPS, no rate limiting, and — crucially — the dev had left three different auth paths active.

Path 1: Classic SQLi

The login handler built a raw SQL query with string interpolation. Username admin' OR '1'='1, password anything:

SELECT * FROM users WHERE username='admin' OR '1'='1' AND password='x'

Operator precedence means AND binds before OR, so this returns the admin row. Flag in the dashboard.

Path 2: JWT alg: none

The "Remember me" checkbox issued a JWT. Setting the algorithm to none and removing the signature — classic CVE-2015-9235 — gave you an admin session without ever knowing a password.

Path 3: Prototype pollution

The most cursed path. The app used lodash.merge to merge user-supplied JSON into the session object. Polluting Object.prototype.isAdmin to true bypassed the auth check entirely.
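The defensive side of Path 3, as an added example that is not the challenge's code: an unguarded deep merge beside a hardened one, plus an auth check that only trusts own properties. naiveMerge is a hypothetical stand-in for a vulnerable merge (not lodash's implementation), and the request body and all function names are constructed for illustration.

```javascript
// Added example: every name and the sample body below are constructed.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const own = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Hypothetical unguarded deep merge: recurses into whatever target[key] resolves to.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (isPlainObject(source[key]) && isPlainObject(target[key])) {
      naiveMerge(target[key], source[key]); // target['__proto__'] is Object.prototype
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened merge: drops prototype-reaching keys and recurses only into own properties.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      if (!own(target, key) || !isPlainObject(target[key])) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// The weak check reads through the prototype chain; the strict one needs an own `true`.
const weakIsAdmin = (session) => Boolean(session.isAdmin);
const strictIsAdmin = (session) => own(session, 'isAdmin') && session.isAdmin === true;

// Runs both merges on one constructed body and reports what an unrelated session sees.
function demo() {
  const body = JSON.parse('{"theme":"dark","__proto__":{"isAdmin":true}}');
  const result = {};
  naiveMerge({ user: 'guest' }, body);
  result.naiveWeak = weakIsAdmin({ user: 'other' });
  result.naiveStrict = strictIsAdmin({ user: 'other' });
  delete Object.prototype.isAdmin; // undo the pollution before the hardened run
  const merged = safeMerge({ user: 'guest' }, body);
  result.safeWeak = weakIsAdmin({ user: 'other' });
  result.theme = merged.theme;
  return result;
}
```

Either control alone closes the path here: the hardened merge never touches Object.prototype, and the strict check ignores inherited properties even when something else has polluted it.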

All three paths were unintentional (only SQLi was the intended solve). Real apps are messy. That's the point.