Emmett had been contracted to maintain the curb appeal of The Website of Judy S. Kirkland (#1 Realtor in Townhouse Resales in the Upper Eastern Greater Metro Area, February 2009).
"It's a charming homepage," he was told by Judy S. Kirkland (Bay Street Diamond Award recipient, thrice). "I got in on the ground floor with this The Internet thing way back when. After all, one only becomes as recognizably successful as myself by staying ahead of the trends."
She'd personally overseen the design of The Website herself. Front page: professional headshot of The Friendly Face To Sell Your Place, photographed images of Recognition of Excellence plaques, hand-picked fonts, and a chartreuse background to match the color of her Top Performer's Elite Jacket. But now the HTML needed a bit of renovation. Not that there was anything wrong with The Website of Judy S. Kirkland (Rising Star, 2010). It was a well-maintained, cozy corner of the Web that just needed some work. A polish here, a fluff there-- and of course, posting Polaroids of her latest awards. There wasn't any need to bother with the code, though.
"The site has a rock solid foundation and good structure," assured Judy S. Kirkland (Recipient of the Realtor Executive Committee's Jubilee Merit of Excellence), "All you have to concern yourself with is what potential clients will see. In this business, the appearance on the surface is quite literally and absolutely everything."
And that was exactly why the first thing Emmett did was find the SQL injection vulnerability on the login page.
But nothing could convince Judy S. Kirkland (Gold Star Closer) to spend money on beefing up the code's security. Not a proof of concept (successful login with username: ' OR 1=1;--). Not a glossy PowerPoint with animations and a chartreuse background. Not a car analogy explaining the technical concept behind the attack. Not even showing her The Dreaded Obligatory Cartoon.
"You don't understand," said Judy S. Kirkland (Most Mid-Range Properties Sold Over Asking, Summer 2005), "It doesn't look broken. I'd be spending money without bettering the site's appearance, and thus its value. There's no recovery, and you just don't upgrade beyond the value of a property."
"But it's just not broken yet," Emmett argued, "I mean, what's to say someone won't break it? You are #1, aren't you?" She didn't disagree. It was printed on her coffee mug, after all. "So doesn't that mean every single other realtor is just gunning to take you down?"
Judy S. Kirkland (Platinum Member, Upper Echelon Realtor Association) made a non-committal sound, and Emmett didn't let up.
"What if they do worse than break it? What if they-- deface it? Delete your Polaroids? Change the background color? Or worse? Who would trust their home with someone who used Times New Roman?"
A visible shudder went through Judy S. Kirkland (Winner of Top Realtor Award, five years non-consecutive). She showed him the computer with The Website. Emmett opened login.asp in Notepad. He browsed through the Classic ASP code, looking for the location of the toxic function. Hunt, hunt, hunt-- and he found it.
Oh.
The code wouldn't be winning any awards, but at least it wasn't vulnerable to SQL injections.
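
    ' Fetches every realtor row; no request input goes into the query text.
    SQL = "SELECT realtor_id, login, password FROM [Realtors]"
    Set rs = Conn.Execute(SQL)
    Do While Not rs.EOF
        ' The row's columns are never read: the submitted password is compared
        ' with a fixed string, and the login name is not checked at all.
        If Request("Password") = "star" Then
            Session("Logged") = "ON"
            Response.Redirect "realtor_home.asp"
        End If
        rs.MoveNext
    Loop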