Do all the things like ++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatarSign Up
Get a devDuck
Rubber duck debugging has never been so cute! Get your favorite coding language devDuckBuy Now
Search - "sql injection"
Me Vs a PHP teacher
And to do login, we just do SELECT username WHERE password = (userinput)
Really? Checking raw userinput against plaintext password?
There is no point in doing it securely here because if they want, the students can go take a seperate course on security
So no point in teaching students that they should write their code secure by default and just leave it as a afterthought?
Yes, because this is how i have always done it
Okay, time for a break
*Uses the break to teach all students about sql injection, password hash and salt, rainbow tables and user input sanitizing*
Students to teacher:
He's right, if you dont teach us to code securely by default, we are likely to end up causing a data leak or be hacked, if you dont teach us properly we have no point coming here
*Smiles at the teacher with a face that says: Pwnd*
Alright then, tell me whats wrong in my code
I was so proud that i helped the class understand secure by default principles64
So...Today I found an SQLI (sql injection , google if you're not aware) in one of our products , I start exploring it , I get my trusty Kali on me workstation . sqlmap etc. Tell my manager it's a true positive... I start exploring the db , half the devs at my manager's place start staring at his screen as I proper fuck a QA db server... I hear a qa guy mention triangulation as sqlmap dumps a uid table in his face . I hear my manager's manager saying 'this has been in our app for so long and we found it just now ? Who found it ?' *manager proudly saying me name* 'He's still working this late ?' ...apparently now my trip to england is getting covered for both me and me gf by the company...20
We have free WiFi access, but you need to login into your personal student account to use it.
Turns out, SQL Injection works.
It gets worse.
Table name "schueler".
Got all data on all students.
Name, address, phone number, passwords in plain.
I reported it using an anonymous email. Partially fixed. Standard quotes now get eacaped. Still, passwords are now MD5.48
Teach students to write secure code.
For example, if you teach SQL, then you should also teach SQL injection10
So I went for interview today.
Interviewer : Can u give some theory test about php?
Me : Sir, Can u please open your site?
Interviewer: sure 🙂
Me : Sir, I just logged in as Owner of ur company, Your site is not protected from sql injection.
Interviewer : 😌😌
Me : Sir, test?? 😜
xxxxxxxxxxx -------------------- xxxxxxxxx21
CW: The SQL injection vulnerability isn't important because our code is proprietary so hackers won't find it.
A guy named Valter couldn't register on this website because the developer blacklisted *ALTER*, amongst other words, to prevent SQL injection.11
Mom:What are you studying?
Me:Types of SQL Injection
Mom:U r in engineering?Right?So why are u studying types of Injections?
Interviewer: Do you know about SQL injection?
Interviewer: Okay, how we can prevent it?
Student: Yes, we should prevent it as prevention is always better than cure. It can lead to data loss and other problems so it can be difficult to fix it if it happens. The best case is that nothing like that takes place. [...]
Interviewer: I get it but how?
Student: By not building any web applications.
Interviewer: Nice, you may go. Do not call us. We will call you.21
Alright fuck it, let's release this fucker!
https://lynkz.me is the main domain. The interface is *usable* and nothing more than that. I'll invest more time in that soon but for now, hey, it works.
Api is located at https://api.lynkz.me.
Documentation for this (literally some echoes to the screen but it contains the needed information for now) is at that api url.
Found a bug or a security vulnerability? Please let me know!
Yeah I use mariadb but sql injection is luckily not possible due to quite some sanitization ;)
WARNING: if you make a shortened url and forget the delete key, you won't be able to delete it.
Let's see how this goes 😅115
Are you serious? Are you afraid of an SQL injection or something, and instead of properly sanitizing your queries you disallow characters? Or is your software and database so outdated that you're afraid special characters will break it? Goodbye security15
Today was my last day of work, tomorrow i have officially left that place. It's a weird feeling because i'm not certain about the future.
The job was certainly not bad, and after all i read on devrant i'm beginning to believe it was one of the better ones. A nice boss, always something to eat/drink nearby, a relaxed atmosphere, a tolerance for my occasionally odd behaviour and the chance to suggest frameworks. Why i would leave that place, you ask? Because of the thing not on the list, the code, that is the thing i work with all the time.
Most of the time i only had to make things work, testing/refactoring/etc. was cut because we had other things to do. You could argue that we had more time if we did refactor, and i suggested that, but the decision to do so was delayed because we didn't have enough time.
The first project i had to work on had around 100 files with nearly the same code, everything copy-pasted and changed slightly. Half of the files used format a and the other half used the newer format b. B used a function that concatenated strings to produce html. I made some suggestions on how to change this, but they got denied because they would take up too much time. Aat that point i started to understand the position my boss was in and how i had to word things in order to get my point across. This project never got changed and holds hundreds of sql- and xss-injection-vulnerabilities and misses access control up to today. But at least the new project is better, it's tomcat and hibernate on the backend and react in the frontend, communicating via rest. It took a few years to get there, but we made it.
To get back to code quality, it's not there. Some projects had 1000 LOC files that were only touched to add features, we wrote horrible hacks to work with the reactabular-module and duplicate code everywhere. I already ranted about my boss' use of ctrl-c&v and i think it is the biggest threat to code quality. That and the juniors who worked on a real project for the first time. And the fact that i was the only one who really knew git. At some point i had enough of working on those projects and quit.
I don't have much experience, but i'm certain my next job has a better workflow and i hope i don't have to fix that much bugs anymore.
In the end my experience was mostly positive though. I had nice coworkers, was often free to do things my way, got really into linux, all in all a good workplace if there wasn't work.
Now they dont have their js-expert anymore, with that i'm excited to see how the new project evolves. It's still a weird thing to know you won't go back to a place you've been for several years. But i still have my backdoor, but maybe not. :P16
If you’re having SQL injection problems, I feel bad for you son, I got 99 tables but… fffffuck. Now i only have one ☹️5
Years ago we had a visit from a startup company developing a firewall and I got the chance to talk with one of their devs.
He explained the subtleties of security holes in websites and after I said something about our site being secure thanks to being behind a firewall he gently asked what would happen if he entered a specially crafted test into one of the text fields ... and he gave an example ...
I got a chill, went back to my seat and traced what it would do ...
That was when I learned about sql injection and his example would have killed the DB :/
Before going home I designed a way to secure the input which I then refined over a few days.
We still use that today after 17 years.
That one single sentence really showed to never be to proud of our security and I realized how vulnerable our site was.2
IT department created a risk assessment system and asked us to fill out the form.
I found that the form is vulnerable to XSS and possibly SQL injection so I told them and their response was:
"Oh, shit. Please don't tell anyone!"
Of course, it never get fixed :/7
I was registering for a website, and on a whim, I used this as my username:
And sure enough, the login system went down. The next day it was still down, so I went to Twitter to tell the people running the site that this was why, but to my surprise, I see them saying they had been hacked.
Based on the timing, I'm pretty sure they're referring to this, but they are saying user info was stolen. *facepalm*
They later said they stored passwords salted with a fixed salt and hashed with fucking md5, at which point I was glad not to have done any more business with them.
How incompetent can these fucking people be?!15
If you thought your legacy code was bad, this is what I'm dealing with. The below SQL is stored in a cookie on login and executed to on every further request to determine the user / privileges.15
Context: I work in a cyber security company which develop cyber security solutions.
I started testing the API of the dashboard we have. Within 15 minutes, after poking around with burp suite, found SQL injection in post data that leads to the whole DB dumping in sqlmap.
Told the boss and the API developer. Boss said, "it's ok to have bugs/holes in trial box". But this is on a machine that is gonna be sent to client for trial in a few days. I even compiled a report and how to fix it, which is like 2 lines of "if else" statement by the way. Told the API developer how to fix, he didn't care. 'I work on functionality first'. Doesn't look like he gonna fix.
A damn cyber security company, developing cyber security solution, do the "don't" in web security 101, which is dumping POST data directly into the SQL query, which requires only 5 minutes to fix. 🤦♂️🤦♂️🤦♂️14
when was i feeling like a fucking dev badass ?
that time when i exploited an sql injection on a news website and added a post with title "Admin please secure your website ;] "
i was feeling like hacker man 😅😂😂
Our website once had it’s config file (“old” .cgi app) open and available if you knew the file name. It was ‘obfuscated’ with the file name “Name of the cgi executable”.txt. So browsing, browsing.cgi, config file was browsing.txt.
After discovering the sql server admin password in plain text and reporting it to the VP, he called a meeting.
VP: “I have a report that you are storing the server admin password in plain text.”
WebMgr: “No, that is not correct.”
Me: “Um, yes it is, or we wouldn’t be here.”
WebMgr: “It’s not a network server administrator, it’s SQL Server’s SA account. Completely secure since that login has no access to the network.”
<VP looks over at me>
VP: “Oh..I was not told *that* detail.”
Me: “Um, that doesn’t matter, we shouldn’t have any login password in plain text, anywhere. Besides, the SA account has full access to the entire database. Someone could drop tables, get customer data, even access credit card data.”
WebMgr: “You are blowing all this out of proportion. There is no way anyone could do that.”
WebMgr: “Who would do that? They would have to know a lot about our systems in order to do any real damage.”
VP: “Yes, it would have to be someone in our department looking to do some damage.”
<both the VP and WebMgr look at me>
Me: “Open your browser and search on SQL Injection.”
<VP searches on SQL Injection..few seconds pass>
WebMgr: “Our team is already removing the SQL, but our apps need to read the SQL server login and password from a config file. I don’t know why this is such a big deal. The file is read-only and protected by IIS. You can’t even read it from a browser.”
VP: “Well, if it’s secured, I suppose it is OK.”
Me: “Open your browser and navigate to … browse.txt”
VP: “Oh my, there it is.”
WebMgr: “You can only see it because your laptop had administrative privileges. Anyone outside our network cannot access the file.”
VP: “OK, that makes sense. As long as IIS is securing the file …”
Me: “No..no..no.. I can’t believe this. The screen shot I sent yesterday was from my home laptop showing the file is publicly available.”
WebMgr: “But you are probably an admin on the laptop.”
<couple of awkward seconds of silence…then the light comes on>
VP: “OK, I’m stopping this meeting. I want all admin users and passwords removed from the site by the end of the day.”
Took a little longer than a day, but after reviewing what the web team changed:
- They did remove the SQL Server SA account, but replaced it with another account with full admin privileges.
- Replaced the “App Name”.txt with centrally located config file at C:\Inetpub\wwwroot\config.txt (hard-coded in the app)
When I brought this up again with my manager..
Mgr: “Yea, I know, it sucks. WebMgr showed the VP the config file was not accessible by the web site and it wasn’t using the SA password. He was satisfied by that. Web site is looking to beat projections again by 15%, so WebMgr told the other VPs that another disruption from a developer could jeopardize the quarterly numbers. I’d keep my head down for a while.”8
Worst legacy experience...
Called in by a client who had had a pen test on their website and it showed up many, many security holes. I was tasked with coming in and implementing the required fixes.
Site turned out to be Classic ASP built on an MS Access database. Due to the nature of the client, everything had to be done on their premises (kind of ironic but there you go). So I'm on-site trying to get access to code and server. My contact was *never* at her desk to approve anything. IT staff "worked" 11am to 3pm on a long day. The code itself was shite beyond belief.
The site was full of forms with no input validation, origin validation and no SQL injection checks. Sensitive data stored in plain text in cookies. Technical errors displayed on certain pages revealing site structure and even DB table names. Server configured to allow directory listing in file stores so that the public could see/access whatever they liked without any permission or authentication checks. I swear this was written by the child of some staff member. No company would have had the balls to charge for this.
Took me about 8 weeks to make and deploy the changes to client's satisfaction. Could have done it in 2 with some support from the actual people I was suppose to be helping!! But it was their money (well, my money as they were government funded!).1
My first testing job in the industry. Quite the rollercoaster.
I had found this neat little online service with a community. I signed up an account and participated. I sent in a lot of bug reports. One of the community supervisors sent me a message that most things in FogBugz had my username all over it.
After a year, I got cocky and decided to try SQL injection. In a production environment. What can I say. I was young, not bright, and overly curious. Never malicious, never damaged data or exposed sensitive data or bork services.
I reported it.
Not long after, I got phone calls. I was pretty sure I was getting charged with something.
I was offered a job.
Three months into the job, they asked if I wanted to do Python and work with the automators. I said I don't know what that is but sure.
They hired me a private instructor for a week to learn the basics, then flew me to the other side of the world for two weeks to work directly with the automation team to learn how they do it.
It was a pretty exciting era in my life and my dream job.5
Laravel is the worst framework ever.
Everything has to be made convenient and easy. That sounds amazing, because developers want to save time, worry less about boilerplate code, right? No more constructors, no more dependency injection, fuck all the tedious OOP shit... RIGHT?
It does one thing well: Make PHP syntax uniform and concise through easily integrated libraries such as Collection and Carbon. But those are actually not really part of the framework... just commonly integrated and associated with Laravel.
The framework itself is completely derailed: You can define code in a callback in the routes file. You can define a controller in the routes file. You can define middleware as a parameter to the route, as a fluent method to the route, you can stack them up in a service provider. Validators can be made in controllers, Request objects, service providers, etc. You can send mail inline, through Mailable objects, through Notification objects, etc.
Everything is macroable, injectable, and definable in a million different places. Ultimate freedom!
Guess what happens when you give 50 developers of various seniority a swiss army knife?
One hammers in a screw with a nail file, the other clips the head from the screw using scissors, and you end up with an unworkable mess and blunt tools.
And don't get me started about Eloquent, the Active Record ORM. It's cute for the simple blog/article/author/comment queries, but starts choking when you want more selective and performant queries or more complex aggregates, and provides such an opaque apple-esque interface which lets people think everything is OK, when in reality it's forcing the SQL server to slowly commit suicide.39
Just looked at the anonymous analytics I collect on the security/privacy blog.
No SQL Injection attacks yet (would be useless anyways as I don't use MySQL/MariaDB for the databasing.
Directory Traversal attacks. Really? 🤣
Nice try, guys.40
You can't imagine how many lines of pure and utter horseshit, seemingly written in PHP, I had to dig through this whole weekend. (relating to my 2 previous rants)
How is it even possible to write code this unbelievably ugly?
- includes within loops
- included files use variables from parent files
- start- and endtags separated to different files
- SQL queries generated by string concatenation, no safety measures at all (injection)
- repeating DB calls within loops
- multiple directories with the same code (~40 files), only different by ~8 lines, copied
- a mixture of <?php echo ... ?> and <?= ... ?>
- a LOT of array accesses and other stuff prefixed with "@" (suppress error messages)
- passwords in cleartext
- random non-RESTful page changes with a mixture of POST and GET
- GET parameters not URL-encoded
My boss told me it took this guy weeks and weeks of coding to write this tool (he's an "experienced dev", of course WITHOUT Git).
It took me only 20 hours and about 700 lines of code.
I must confess, since this task, I don't hate PHP anymore, I just simply hate this dev to death.
Addendum: It's Monday, 5:30am. Good night. 😉13
To anyone that isn't sanitizing the input on their websites: I know where you live. You told me, remember?2
While watching season 2 of Star Trek Discovery, it was nice to learn SQL is alive and well in the 23rd century. Also, that there are still idiots that don't defend against injection on a warp-capable spaceship with transporter technology.3
I HATE working with MS Office products. Yes, Access, I'm looking at you, you backwards, whanabe database reject! You're invalid as a serious SQL database and retarded as an data application suite.
VBA, make up your MIND with your damn function calls! Either require me to use parenthesis or don't! I'm sick of this conditional parenthesis sh*t!
While we're talking about not making up your mind... screw 'sub', you half wit language! Either use functions like a real language or go the f&$k home and make room for a language that knows what it's doing!
Oh!!! WHY... WHY! do you have null AND... NOTHING?! Who... Who... WHO invented "nothing"?! And what sick joke are you playing at with isnull() and empty()??? How many damn ways so you need to test for "no value"?!?!
Access... That's right, I'm not done with you yet... How is it you've survived this damn long in the business world with all of the databases you corrupt? Sure, you suck as a real database, but at least have some freaking pride that people even USE you! How DARE your corrupt yourself with the regularity you seem to have! I wish my bowel movements were as regular as your database corruptions, for the love of humanity.
F$@k you, VBA! F@&k you, Access! F$#k you, MS Office! And Fuuuuuu$k YOU Microsoft for shoving these half assed reject tools down my throat!
I hope your cloud uses Access as a back end and gets some injection virus.
*Takes deep breath* need to say that.10
So DevRant asked me to put my skills on my profile, I'm like:
you wanna know my languages, well, I'm a human Android sipping on Java, got C++ grade phy-SQL education. but some idiot bashed me on my </head> so swift, that I objectively-c angular stars, everywhere. Recoved by a js injection. ASCII too in snowy Cs4
I once had to literally hack a Joomla 1.5.x site for a client, because they did not find the passwords (hosting, cms, ftp, mysql). After 5 minutes and a SQL injection I was in like flynn.
The site was already full of hidden links to viagra sellers and stuff... 😂1
When your school assignment is to analyze a chosen website and you decide do go above and beyond, testing the sites security but after one SQL injection you get IP Banned.
Going through the name list of Manifesto for Responsible Software Development at http://manifesto.responsiblesoftware.org/... when suddenly......4
1. Buy a road
2. Name it after an sql injection
3. Have mail delivered to you
5. Profit... I guess?7
A Month ago...
Me: when are you going to complete the report
Friend: we can do it in minutes
Me: you can't Ctrl + c and Ctrl +v as there is plagiarism check
Friend: we have spin bot
Me: you do that now itself . if something happens? You can join me .
Friend: just chill
Me: done with report
Friend: feeding it to spin bot!
Feeds text related to database security....
Garbage collector == city worker
SQL statements == SQL explanation
SQL queries == SQL interrogation
SQL injection == SQL infusion
Attack == assault
Malicious == noxious
Data integrity == information uprightness
Sensitive == touchy
Me: told you so...
**spin not == article rewriter3
Before 10 years, a WordPress site hacked with sql injection. They had access to site, they modified many php files and installed commands to download random malwares from over the internet.
At first I didn't know that it hacked and I was trying to remove any new file from the server. That was happening every 1-2 days for a week.
Then I decided to compare every WordPress file with the official, it was too many files, and I did it manually notepad side notepad!! :/
Then I found about over 50 infected files with the malware code.
Cleaned and finished my job.
No one else knows that I did a lot of hard job.2
Had a fight with a teacher today, he was teaching PHP to some new students, and I was doing my own stuff, then I suddenly saw a example of his code
Unsanitized SQL query staring at me
I asked him if there was sanitization anywhere in the code
He said: "We don't need to teach that stuff, it just confuses the students, that stuff belongs to advanced course or something."
I decided to give him the facts but no, still the same statement
Next time I'm going to drop his tables😠10
I've found and fixed any kind of "bad bug" I can think of over my career from allowing negative financial transfers to weird platform specific behaviour, here are a few of the more interesting ones that come to mind...
#1 - Most expensive lesson learned
Almost 10 years ago (while learning to code) I wrote a loyalty card system that ended up going national. Fast forward 2 years and by some miracle the system still worked and had services running on 500+ POS servers in large retail stores uploading thousands of transactions each second - due to this increased traffic to stay ahead of any trouble we decided to add a loadbalancer to our backend.
This was simply a matter of re-assigning the IP and would cause 10-15 minutes of downtime (for the first time ever), we made the switch and everything seemed perfect. Too perfect...
After 10 minutes every phone in the office started going beserk - calls where coming in about store servers irreparably crashing all over the country taking all the tills offline and forcing them to close doors midday. It was bad and we couldn't conceive how it could possibly be us or our software to blame.
Turns out we made the local service write any web service errors to a log file upon failure for debugging purposes before retrying - a perfectly sensible thing to do if I hadn't forgotten to check the size of or clear the log file. In about 15 minutes of downtime each stores error log proceeded to grow and consume every available byte of HD space before crashing windows.
#2 - Hardest to find
This was a true "Nessie" bug.. We had a single codebase powering a few hundred sites. Every now and then at some point the web server would spontaneously die and vommit a bunch of sql statements and sensitive data back to the user causing huge concern but I could never remotely replicate the behaviour - until 4 years later it happened to one of our support staff and I could pull out their network & session info.
Turns out years back when the server was first setup each domain was added as an individual "Site" on IIS but shared the same root directory and hence the same session path. It would have remained unnoticed if we had not grown but as our traffic increased ever so often 2 users of different sites would end up sharing a session id causing the server to promptly implode on itself.
#3 - Most elegant fix
Same bastard IIS server as #2. Codebase was the most unsecure unstable travesty I've ever worked with - sql injection vuns in EVERY URL, sql statements stored in COOKIES... this thing was irreparably fucked up but had to stay online until it could be replaced. Basically every other day it got hit by bots ended up sending bluepill spam or mining shitcoin and I would simply delete the instance and recreate it in a semi un-compromised state which was an acceptable solution for the business for uptime... until we we're DDOS'ed for 5 days straight.
My hands were tied and there was no way to mitigate it except for stopping individual sites as they came under attack and starting them after it subsided... (for some reason they seemed to be targeting by domain instead of ip). After 3 days of doing this manually I was given the go ahead to use any resources necessary to make it stop and especially since it was IIS6 I had no fucking clue where to start.
So I stuck to what I knew and deployed a $5 vm running an Nginx reverse proxy with heavy caching and rate limiting linked to a custom fail2ban plugin in in front of the insecure server. The attacks died instantly, the server sped up 10x and was never compromised by bots again (presumably since they got back a linux user agent). To this day I marvel at this miracle $5 fix.1
Easy cop out for people who wrote code vulenerable to SQL injection: It's not a bug, it's a feature that let's users search using SQL syntax.1
"at least 1 special character except < ' ; / - [ % _"
Also known as "Hey, look at me, I'm vulnerable to SQL injection and a lot of other fun stuff!"3
It has been bugging the shit out of me lately... the sheer number of shit-tier "programmers" that have been climbing out of the woodwork the last few years.
I'm not trying to come across as elitist or "holier than thou", but it's getting ridiculous and annoying. Even on here, you have people who "only do frontend development" or some other lame ass shit-stain of an excuse.
When I first started learning programming (PHP was my first language), it wasn't because I wanted to be a programmer. I used to be a member (my account is still there, in fact) of "HackThisSite", back when I was about 12 years old. After hanging out long enough, I got the hint that the best hackers are, in essence, programmers.
Want to learn how to do SQL injection? Learn SQL - write a program that uses an SQL database, and ask yourself how you would exploit your own software.
Want to reverse engineer the network protocol of some proprietary software? Learn TCP/IP - write a TCP/IP packet filter.
Back then, a programmer and a hacker were very much one in the same. Nowadays, some kid can download Python, write a "hello, world" program and they're halfway to freelancing or whatever.
It's rare to find a programmer - a REAL programmer, one who knows how the systems he develops for better than the back of his hand.
These days, I find people want the instant gratification that these simpler languages provide. You don't need to understand how virtual memory works, hell many people don't even really understand C/C++ pointers - and that's BASIC SHIT right there.
Put another way, would you want to take your car to a brake mechanic that doesn't understand how brakes work? I sure as hell wouldn't.
Watching these "programmers" out there who don't have a fucking clue how the code they write does what it does, is like watching a grown man walk around with a kid's toolbox full or plastic toys calling himself a mechanic. (I like cars, ok?!)
Python, AngularJS, Bootstrap, etc. They're all tools and they have their merits. But god fucking dammit, they're not the ONLY damn tools that matter. Stop making excuses *not* to learn something, Mr."IOnlyDoFrontEnd".
Coding ain't Lego's, fuckers.38
Senior showing fellow intern what SQL injection is on the app the intern created :
Senior : "then I hit enter and the query get executed and...
Intern : "don't you dare hitting enter!!!"4
So this is how they "teach" us in school...As a part time dev I was completely shocked when I saw this in our materials. What do you think? Should I drop the teachers tables to give him a lesson?15
SQL injection holes everywhere... The original author of the product put concatenated SQL queries throughout the whole application. If it's not the client asked for a penetration test, we as developers wouldn't even be given chance to fix this shit.
I'm actually glad to have the chance. I can't live seeing them every day but force myself to ignore them.8
Guess what? 😱 WordPress has probably an SQL injection vulnerability. Check it out and fix your installations, when more info will be known:
> Young dev apprentice me pair programming with another developer
> Dude checks bug report of a customer, saying something about a "Blind SQL Injection"
> Young me asking what that "Blind" part means
> "Dunno man, maybe u gotta close your eyes when hacking this"
Guess what, the issue was never fixed
> Sees mysql_ bindings, XSS/SQL injection vulns
*Logs into webhost*
> Running PHP 5.4 by default
> Doesn't support PHP 7
Sadly, I'm sure this is a common scenario, particularly the webhost part4
I learned recently that you can inject SQL lines in some fields like Passwords or usernames on some websites. (Hacky hacky)
At work there is this intra website that is used to manage the parts of the radios and computers we repair.
Each piece has a specific number, and there is a tree with every pieces for each radio/computer.
When we get to repair one, we gotta change the pieces virtualy on the website. Sadly sometimes, the virtual pieces aren't marked like they followed the whole Radio from the place they come to the place we repair (we need it to replace the piece). People are just not doing their job, so we have to send emails and call for them do it so we can repair it. (This is already fucked up.)
Today, I had to replace a piece, but it was marked like it's not there. I called the guy, and it seems like he is on a vacation for weeks. My superior was super annoyed due to the urge of this task.
Guess who managed to change the _mainlocation_ of the _piece_ in the _radiopieces_ table. (Not actual names, you malicious cunt)
I spent 3 hours looking for the name of the fields and table. I don't know how many times I had to refresh the dam page to see I failed once again.
Hopefully I didn't have to guess all of them. Also the joy when I realised I succeed !!!
No one bats a eyes, and I'm here, feeling infinitely superior, as I might get punished for wanting to do my job.
I know it's basic moves to some of you, but dam it felt good.
Conclusion: Do what you have to, specially when it takes 5 minutes and people need it.14
Well on my last full-time job, that ware using cookies for authentication (not something new, eh?). The thing is, you see, the cookies had the 'accountId' which if you change to another number, kaboom you're that account, oh but that was not all, there was an option to mark the account type in there 'accountType', which was kind of obvious in VLE (virtual learning environment), 'Teacher', 'Student', 'Manager' put what of those values and boom you are that role for the session
Thing was open of SQL injection from the login form, from said cookies and form every part you can pass input to it, when I raised the question to my TL he said 'no one is going to know about thatt, I don't see what is the problem', then escalated to higher management 'oh well speak to *tl_guy*'
Oh and bonus points for it being written in ASP CLASSIC in 2014+ (I was supposed to rewrite, but ended up patching ASP code and writing components in PHP)
In 2015-2016, in a private college, charging kind-of big money per year1
So as applying for an internship to a new company, they wanted me to make an account and do some things to get use to the website... That's great, until I learned their website is fucking garbage!
Their design looks bad, icons are terrible, no common design flow, super busy. And they are taking about using machine learning and big data? Bitch you need to fucking make your site usable first!! If contacted them and will give them 30 days to fix their shit before I write about it
We have 'informatica' (translates to 'computer science') on school. Tuesday we received an assignment to create a 'web-app' with JQuery mobile to show all of the US presidents.
Nearly nobody in my class has experience with PHP, so this is gonna be fun for them. All they have to learn from is a website from 2013, they are tought to just throw variables inside the query's.. Yay for SQL injection! 🎉
It actually contains a lot of out of date information, for example it says that jsp is competition for PHP, and that 'most sites with PHP have a PHP Powered logo'2
rant & question
Last year I had to collaborate to a project written by an old man; let's call him Bob. Bob started working in the punch cards era, he worked as a sysadmin for ages and now he is being "recycled" as a web developer. He will retire in 2 years.
The boss (that is not a programmer) loves Bob and trusts him on everything he says.
Here my problems with Bob and his code:
- he refuses learning git (or any other kind of version control system);
- he knows only procedural PHP (not OO);
- he mixes the presentation layer with business logic;
- he writes layout using tables;
- he uses deprecated HTML tags;
- he uses a random indentation;
- most of the code is vulnerable to SQL injection;
- and, of course, there are no tests.
- Ah, yes, he develops directly on the server, through a SSH connection, using vi without syntax highlighting.
In the beginning I tried to be nice, pointing out just the vulnerabilities and insisting on using git, but he ignored all my suggestions.
So, since I would have managed the production server, I decided to cheat: I completely rewrote the whole application, keeping the same UI, and I said the boss that I created a little fork in order to adapt the code to our infrastructure. He doesn't imagine that the 95% of the code is completely different from the original.
Now it's time to do some changes and another colleague is helping. She noticed what I did and said that I've been disrespectful in throwing away the old man clusterfuck, because in any case the code was working. Moreover he will retire in 2 years and I shouldn't force him to learn new things [tbh, he missed at least last 15 years of web development].
What would you have done in my place?14
I knew I had found the right group of friends when one of them suggested we try SQL Injection on the instant messaging feature of the bowling alley console.
Unrelated, do people not think, "hmm, that seems like an unnecessary feature?"2
The day after I delivered a secure programming course to our junior devs.
Junior dev: I can't figure out what's happening when I generate this sql.
Me: what do you mean generating ... It should be a prepared statement..
Junior dev: no I'm just generating the strings from the form
Me: ... Let's try this again....
I am doing some freelance work for a client who is thankfully mindful about security. I found out that they are so strict with their access because they had a huge data breach last year.
Today I was given access to their repo for connecting to their AS400. In the docker file the username and password were included and were the same for dev and prod. They also are performing no sql injection prevention. They are just joining strings together.1
In one big project I made in past (when I was new developer) every ajax call execute code which looks like: dbquery("SELECT * FROM table WHERE something='".$_POST['value']."'");
That project doesn't exist now (thank god)1
A great and very common web attack is known as 'SQL injection'.
So if I am using MongoDB, does that become 'NoSQL injection'?1
Most of the companies visiting my campus for placements are hiring people with high CGPA and less knowledge and leaving (not even allowing for taking tests) the ones with good technical knowledge with less CGPA 🙁. So I hacked the placement portal developed by a PLACED, HIGH CGPA Candidate using SQL Injection and got access to all the student accounts 😄2
I hate those questions like "where do you see yourself on five years?" Or "tell me a time when you had to [insert leadership activity here]" where the obvious answers are something inane and managerial.
I also hate those questions that come up a lot when I say I know SQL where they ask me to do some inane, unnatural SQL thing in a statement rather than a procedure or a function.
Also see these: https://devrant.io/rants/136331/...
Teacher : You don't have to enter quotation marks: it makes the website crash, I don't know why. We will add a message to warn you.
Me : Can i play with it ? :)2
Sad how the easy to make softwares are already flooding the market and making millions so now we actually need to work a lot and innovate on something if we wanna a few bucks.
Also sad how in the 80s you could rob banks with just sql injection and now its almost impossible unless you’ve been devoting you being to cybersecurity for years.
Basically I feel it would have been cooler to be a computer scientist 30 years ago :/1
Today, I had a small, but funny conversation with a person I knew from my education (application developing).
He suddenly asked, how to prevent using HTML-Tags in PHP.
So I send ihm following line:
$string = str_replace(array("<", ">"), array("<", ">"), $string);
Shortly after the line, he asked, how to add this into his query, which looks like:
$query = "INSERT INTO comments (name, email, quote, hinzugefuegt, ip_adress) VALUES ('" . $_POST['vName'] . "', '" . $_POST['eMail'] . "', '" . $_POST['q17'] . "', NOW(), '" . $_SERVER['REMOTE_ADDR'] . "')";
Now I thought: "Well, he don't even secure his variables", and I posted a Pastebin, which only "fixes" his issue with replacing the HTML-Tags, but still allows SQL injection.
Maybe I'm a bad person, but he doesn't deserve it otherwise, because when I was still in education with him, I told him, he should learn to use prepared statements.3
It was the last year of high school.
We had to submit our final CS homework, so it gets reviewed by someone from the ministry of education and grade it. (think of it as GPA or whatever that is in your country).
Now being me, I really didn’t do much during the whole year, All I did was learning more about C#, more about SQL, and learn from the OGs like thenewboston, derek banas, and of course kudvenkat. (Plus more)
The homework was a C# webform website of whatever theme you like (mostly a web store) that uses MS Access as DB and a C# web service in SOAP. (Don’t ask.)
Months have passed, and only had 2 days left to deadline, with nothing on my hand but website sketches, sample projects for ideas, and table schematics.
I went ahead and started to work on it, for 48 hours STRAIGHT.
No breaks, barely ate, family visited and I barely noticed, I was just disconnected from reality.
48 hours passed and finished the project, I was quite satisfied with my it, I followed the right standards from encrypting passwords to verifying emails to implementing SQL queries without the risk of SQL injection, while everyone else followed foot as the teacher taught with plain text passwords and… do I need to continue? You know what I mean here.
Anyway, I went ahead and was like, Ok, lets do one last test run, And proceeded into deleting an Item from my webstore (it was something similar to shopify).
I refreshed. Nothing. Blank page. Just nothing. Nothing is working, at all.
Went ahead to debug almost everywhere, nothing, I’ve gone mad, like REALLY mad and almost lose it, then an hour later of failed debugging attempts I decided to rewrite the whole project from scratch from rebuilding the db, to rewriting the client/backend code and ui, and whatever works just go with it.
Then I noticed a loop block that was going infinite.
NEVER WAIT FOR A DATABASE TO HAVE MINIMUM NUMBER OF ROWS, ALWAYS ASSUME THAT IT HAS NO VALUES. (and if your CPU is 100%, its an infinite loop, a hard lesson learned)
The issue was that I requested 4 or more items from a table, and if it was less it would just loop.
So I went ahead, fixed that and went to sleep.
The day has come, the guy from the ministry came in and started reviewing each one of the students homeworks, and of course, some of the projects crashed last minute and straight up stopped working, it's like watching people burning alive.
My turn was up, he came and sat next to me and was like:
Him: Alright make me an account with an email of firstname.lastname@example.org with a password 123456
Me: … that won't work, got a real email?
Him: What do you mean?
Me: I implemented an email verification system.
Him: … ok … just show me the website.
Me: Alright as you can see here first of all I used mailgun service on a .tk domain in order to send verification emails you know like every single website does, encrypted passwords etc… As you can see this website allows you to sign up as a customer or as a merc…
Him: Good job.
He stood up and moved on.
I WENT THROUGH HELL IN THE PAST 48 HOURS.
AND YOU JUST SAT THERE FOR A MINUTE AND GAVE UP ON REVIEWING MY ENTIRE MASTERPIECE? GO SWIM IN A POOL FULL OF BURNING OIL YOU COUNTLESS PIECE OF SHIT
I got 100/100 in the end, and I kinda feel like shit for going thought all that trouble for just one minute of project review, but hey at least it helped me practice common standards.2
Well for starters the website that gave you assignments on security of web applications shouldn't have an SQL injection vulnerability on the login page.
Next would be the method of teaching, they would skip what not to do and go straight to what you should do. This in turn causes people to use the exec command in php that actually takes a POST parameter.
And stop allowing teachers to be lazy fucks that don't explain shit and only give you assignments.
And finally when telling the teacher that a method he uses would cause another vulnerability the teacher should properly fix this issue not say it is for an "advanced course".
Yes I am pissed
So I inherited this buggy application my company developed to process state rosters for health care. The daily process fails often and I haven’t been able to figure out why. Then I notice one little thing... it’s essentially using SQL injection as a method of updating records from a file that we receive from outside... there’s no checking for validity of the statements or making sure they’re safe to execute. Just a for in loop and calling a sp to execute the query text under elevated permissions.
MFW I, a junior dev who just started have to explain what sql injection is to a senior IT person... It's not like I'm an expert in the field, but a little bit of expertise would be nice2
I'm currently testing live and that includes trying sql injection, i have no backups. So if i forgot to escape string somewhere, I'm fucked. I like to live dangerous :D
Alos, i always test sql injection with "--; DROP ALL TABLES;" Casue... It's a bad idea..?2
How should you approach someone and tell them they have been an victim of social engineering without being mean?
I was at an security conference today and watched a lot of speaks, and I must say that the atmosphere and the people around made it even better.
Here is one takeaway:
Does the security of IT has to be this depressing most of the time, like there is so many IoT devices, services, websites and critical infrastructure that has security flaws and all we can do is watch for now and say we are all fucked. Then try to lead the industry to better practices, like owasp (duck it) . Stop accepting and using shitty answers from SO that has security flaws (why learn something a way that is wrong in the first place?).
We need more awareness about IT security overall, how can one developer know that certain technologies can have certain vulnerabilities such as XSS, XSRF and even SQL injection if there is no information about it in among all shitton tutorials, guides and SO answers in the first place?
Lighten up! Being sad and depressing about these issues is not the best way to approach this! We need to embrace all steps taken towards better security, even the smallest ones.
Check out OWASP if you are not familiar :
Thanks for reading.
We had a test in class where one of the questions was "What is SQL injection?" and I wrote what it was and even gave a bang on simple example where I showed how you could end up with a truncate statement on your customer db. The last part of it was:
"This will be the SQL that gets executed:
INSERT INTO Customers (Name) VALUES (' ';TRUNCATE Customers;--);
When I got it back after we had a session of "grade each others work" I got the comment: "What makes this an attack against a database?"
I mean, I'm not sure what I could have written. That it truncates the database? And, correct me if I'm wrong, but if a user truncates your DB, is that not an attack?
There have been a few :)
If say it's a videos utter project I initially though was good. Apart from loading a view the controllers didn't do anything - my initial thought was some magic was happening behind the scenes.
However, when I opened up the view things changed.
ALL the business logic happened in the view. Everything. Form processing, consuming an app, file uploads, validation, crud ... You name it, it happened in view. The developer created a raw MySQL connection and build his queries by concatenation g strings, the whole system was wide open to sql injection.
Even more annoying was the "source control" he invented. Every file had several copies. I.e. "User(working).php", "user_v3.php" and even "user(working_no_profile_fields_1.php". It wasn't even like there was any consistency in what file was actually used either. A complete mess. The system had around 69 screens too. No idea how the developer got that gig.2
I was scanning over a dreadful code base I had to work on and found SQL injection vulnerabilities. THE SITE WAS LAUNCHED IN 2017!!!! 😢2
Found an institutional coaching centre leaking 1000s of students personal data phone, photo, db, parents info, documents photo path, payment method(bank, check, card) etc. They 32567 rows. I'm trying to find the admin login page. It seems they have it on separate subdomain. I found student login and I can login as any student. I hate these institutes. Sent them emails days ago (29 sept) but no reply yet. What should I do?2
Any of the several hundred (no joke) xss, csrf or sql injection bugs I've fixed in our legacy apps...
Another guy and I are each making a CMS to see who can be done first and who's looks/acts the best. He's basically done and I still have a lot to do, but I've been looking over his code and, it. is. bad. The classes are badly made and named with all lowercase. And i found this thing, he has 10 other functions just like this one.
His: https://ide.explosivenight.us/works... (I made sure sql injection isn't possible for normal users)
My last rant with example of usefull PHP function in old inhouse CRM software was somewhat popular, so I decided to post more stuff. This time we look at the login function. Besides obvious problem of SQL injection (that i of course tested) we have two calls to the same 'poslednji_login()' method (translated to english - 'last login') that actually just returns current time, not the last login time... twice...6
Inherited a legacy system from a previous "developer" who wrote code to sanitize input from sql injection in the front end and then called an web method called execSql which accepts am sql statement in a string value!
Obviously the app ran under admin privileges.2
Been working on pen testing an old ass web app written in a combination of 4 languages with the primary being asp, serious question for the older generation was concatenating SQL statements ever best practice or are the mob that wrote this just useless?
Some of my previous rants mention a web application that I wrote for my then-employer. As it is still in use and I have the whole code, too, I figured to check on security a little with a friend. It's all fine, except for one page, were I was sloppy and didn't escape strings, thus allowing for SQL injection.
This is however only possible if already logged in, which has shown to be secure (and the tool is for employees only).
Nobody is ever going to find out, as the only one who knew what injection even is was me. I left 2 years ago.
> me: trying to explain to a dev from one of our customers why should they worry about sql injection in their application -which by the way is public- since they always concatenate params (even giving concrete examples in their app on how could I gain acces to their database with just a couple of queries)
> me: (thinking) Did I change my bed with a time machine by accident and got myself into the past?
Do these things happen often to you? (U_U||)1
30 years old PHP code (PHP 5.3). One big global variable holding system settings, entire row sets of data! and database cursors. Oh and HTML was mixed in between. Worst part, I had the task to secure the application. Sql injection didnt even exist back then.3
When you deliver a site to a customer and find out that you forgot to prepare all the statements so that the website wouldn't be vulnerable to SQL injections. So yesterday I forgot to add that, had to close down all the connections to the website and rewrite all the statements. Everything is good now
It is sometimes shocking to see 10+ developers working on a fairly big project (online quiz). Missing data binding operations here and there, as a result, bunch of sql injections, which successfully led to the entire db full of questions and answers sitting on my desktop.
Vulnerabilities have been reported, took them 2 weeks to understand what happened and fix them.
Pretty sad :/1
Working on a legacy PHP project that every single query inserts user-provided data without any sanitization, aka SQL injection ahoy! Also no framework.1
Just what is life
1st I love developing Web Apps
2nd I hate when it has bugs (Always does Everyone does)
3rd More hate for Security related bugs
So I started bug hunting so that even I can make developers hurt I thought I might find peace here
But here we fucking have SQL Injections which are not really that bad easy peasy
But we also have special kind of SQL Injections the Boolean Based ones (Medium Level Demons) and also The Time Based SQL Injections (Medium Level Demon with lots of health consumes too much time has a repetitive process and we have to wait a lot also if you have network lag you are doomed)
No its nice story till here but here it fucking ends the happiness I mean my luck is worst kind of fucking thing anybody ever can have.
I got a mix of both Demons;_;
A Time-Based Boolean SQL Injections yess fuckety amounts of fucking time wasted and redundant fucking process also to make matters worst the fucking famous tool #SQLMAP doesn't work in my case