• (cs)

    I really wanted to believe that this monumental failure in security couldn't have been done by accident. I am actually at a loss for words.

  • SSilver2k2 (unregistered)

    first post?

    Wow. I've seen people coding open-ended SQL injections like this (I even did it on a few of my own first-lesson websites), but to not know that you can view JavaScript from a browser, that's scary.

  • Cyrus (unregistered)

    Showing this to a DBA got a long silence, a gasp, then a long groan; pretty cool to watch.

  • (cs)

    Could we stop unregistered users posting in the first 3 comments? Would cut out the majority of the "fist!" posts.

    And back on topic: Ugh, that code makes my skin crawl.

  • ForcedSterilizationsForAll (unregistered)

    Here's an idea for those "first" posts, how about their IP gets blocked. :)

    And that code is just sad. Maybe it was a contractor that did it. :)

  • Ares (unregistered)

    Wait wait wait... you view javascript code from the browser? Next thing you are going to tell me is that you can do the same thing with HTML.

    Nice try guys, but April Fools was last month.

  • Ctrl_Alt_Kaboom (unregistered)

    Someone should be beaten with a two by four for doing something that stupid.

    What if this had been discovered by someone with malicious intent? *looks at self* Muhahahaaa!

    Captcha: craaazy. how appropriate.

  • (cs) in reply to Ares
    Ares:
    Wait wait wait... you view javascript code from the browser? Next thing you are going to tell me is that you can do the same thing with HTML.

    Nice try guys, but April Fools was last month.

    It's true.

    And you know all those images on your web site? Someone can save those to their own computer as well. Even if you put in an anti-right click script.

  • Badger (unregistered)

    The "Real WTF" is surely that he complained to the company and they realised he knew what he was talking about and put him through to someone who could do something about it.

  • J (unregistered)

    Not long ago, I was given the task of rewriting an ASP (VBScript) site created in 2003 that had been the victim of SQL injection attacks. The pages were passing querystrings like "user.asp?action=edit&id=1234" and "user.asp?action=add&username=foo". That was the worst SQL injection invitation I'd ever seen until today.

    Just months before I was given this task, they were giving me a hard time about how my insistence on using things like type declarations and stored procedures was slowing down development time.

  • diaphanein (unregistered) in reply to Zemyla
    Zemyla:
    Ares:
    Wait wait wait... you view javascript code from the browser? Next thing you are going to tell me is that you can do the same thing with HTML.

    Nice try guys, but April Fools was last month.

    It's true.

    And you know all those images on your web site? Someone can save those to their own computer as well. Even if you put in an anti-right click script.

    Those always piss me off. It's kind of fun to disable script, reload, save the file and then email the photo to the site's admins with "Your kung fu is weak."

  • dolo54 (unregistered) in reply to Zemyla
    Ares:
    And you know all those images on your web site? Someone can save those to their own computer as well. Even if you put in an anti-right click script.

    Nothing's worse than a client who insists that you make their site un-stealable. I've had "I don't want anybody lifting my copy. Put all the text in images so they can't copy and paste it." "But they could still OCR it, or have a secretary copy it." "Well, that makes it harder, so do it anyhow."

    Btw - fortunately due to the current market I don't have to take jobs like that anymore. Whew, glad 2000 came and went.

  • Ben4jammin (unregistered)

    Not long ago, we were in the process of implementing some HR software. Part of this was on a front end server that acted as a public web server (connecting to confidential HR data in the back end database, mind you). Long story short, they were having problems and decided the best way to fix it would be to put the IUSR_Servername (Internet guest account for anonymous access to IIS) in the local admin group on the web server. In a related story, our security guy now has a facial tic. Thankfully, we decided against using their software. Moral of the story: never assume someone wouldn't do something THAT stupid. Whatever THAT may be (SQL injection, escalated rights, etc.)

  • (cs)

    IBM's manage now does this... or at least an older version did. I haven't looked into the most recent one.

  • (cs)

    Maybe they should just give users direct access to the database. "If you are placing an order, you must fill out the following tables with your information..."

    And another step is taken towards 100% user-modifiable content. This is the future, folks.

  • Aaron (unregistered)

    Moving JavaScript to a .NET back-end? That's so Web 1.0! I'll bet that delivery system has almost no Ajax at all now.

    The "status" vs. "theStatus" differentiation is also a nice touch. I've seen people try to differentiate between classes and locals this way ("Session theSession = ..."), and that's bad enough, but doing it with two locals takes the cake. That should be a joy for anybody to maintain.

  • comejoyo (unregistered)
    case "Unconfirmed":
        dateSQL= ""
        var modeSQL = ""
        modeSQL = " AND (J.JBCompanyID=31337) "
        status = " GlobalJobStatusView AS J WHERE J.JBCollectDate='' " + theDate + "'' AND J.JBConfirmed=''No''" + modeSQL + " ORDER BY Convert(int, J.MIJobID)"
        break;
    case "Complete":
        dateSQL= ""
        var modeSQL = ""
        modeSQL = " AND (J.JBCompanyID=31337) "
        status = " GlobalJobStatusView AS J WHERE J.JBCollectDate='' " + theDate + "'' AND J.MIStatusCode=5" + modeSQL + " ORDER BY Convert(int, J.MIJobID)"
        break;
    case "Unconformed":
        dateSQL= ""
        var modeSQL = ""
        modeSQL = " AND (J.JBCompanyID=31337) "
        status = " GlobalJobStatusView AS J WHERE J.JBCollectDate='' " + theDate + "'' AND (J.MIConformance IS NOT NULL AND J.MIConformance<>'''') " + modeSQL + " ORDER BY Convert(int, J.MIJobID)"
        break;

    ...... what the suck???? sucking culo

  • (cs)

    Really, I gotta say that, Alex, this is one of your lesser editing jobs. Really, the entire code section could have been taken out, and replaced with the phrase "And Moshe discovered that the SQL queries for the site were created using client-side javascript and were wholly vulnerable to SQL injection attacks".

    A lot of code reading there for no purpose.

  • (cs)

    This sort of reminds me of when I first learned how to create ASP pages. I used an MS Access database and promptly placed it sans-password onto the server in the root web directory. Then in my ASP database include file I wrote a nice HTML comment: <!-- get database from c:\www_root\db.mdb -->

    There, now everyone who views the HTML source will know exactly how to download my open database. Perfect.

  • john doe (unregistered) in reply to evanm
    evanm:
    Really, I gotta say that, Alex, this is one of your lesser editing jobs. Really, the entire code section could have been taken out, and replaced with the phrase "And Moshe discovered that the SQL queries for the site were created using client-side javascript and were wholly vulnerable to SQL injection attacks".

    A lot of code reading there for no purpose.

    You're not actually reading all that code, right? To me, being confronted with this code greatly enhanced the "shock and awe" effect (i.e. my jaw dropped to the ground completely, instead of halfway only).

  • Leo (unregistered) in reply to evanm
    evanm:
    Really, I gotta say that, Alex, this is one of your lesser editing jobs. Really, the entire code section could have been taken out, and replaced with the phrase "And Moshe discovered that the SQL queries for the site were created using client-side javascript and were wholly vulnerable to SQL injection attacks".

    A lot of code reading there for no purpose.

    And where's the shock and awe in that? You can't get a moan from a DBA with a text line...

    Seriously, I find most of the stories fun, even if I can't read the code. I'm an engineer, most of my work is in C or assembly, so SQL/JavaScript/<put-your-new-favorite-fancy-technology-here> is foreign to me.

    CAPTCHA: alarm - That should ring a bell, eh?

  • bobbo (unregistered) in reply to shakin
    shakin:
    This sort of reminds me of when I first learned how to create ASP pages. I used an MS Access database and promptly placed it sans-password onto the server in the root web directory. Then in my ASP database include file I wrote a nice HTML comment: <!-- get database from c:\www_root\db.mdb -->

    There, now everyone who views the HTML source will know exactly how to download my open database. Perfect.

    Is your CV online? We're hiring at the moment.

  • (cs) in reply to Zemyla
    Zemyla:
    And you know all those images on your web site? Someone can save those to their own computer as well. Even if you put in an anti-right click script.

    It's worse than that. Most browsers save that image to disk without even asking the user. Someone needs to do something about all these copyright violating "caches"

  • nobody (unregistered) in reply to Zemyla
    Zemyla:
    Ares:
    Wait wait wait... you view javascript code from the browser? Next thing you are going to tell me is that you can do the same thing with HTML.

    Nice try guys, but April Fools was last month.

    It's true.

    And you know all those images on your web site? Someone can save those to their own computer as well. Even if you put in an anti-right click script.

    I like how IMDB does it. They make the real image the background and put a transparent image over it, so if you right-click and save you get a blank image. View source and a short effort finds the real image URL; cut and paste into a browser, and save the picture. Only worth it for the hottest women, though.

  • Feyr (unregistered)

    i'm not even surprised.

    One of the developers here was surprised you could see the password in the HTML source, because he had set the field type to "password"; that should have prevented it in his mind :\

  • B (unregistered) in reply to nobody
    nobody:
    Zemyla:
    Ares:
    Wait wait wait... you view javascript code from the browser? Next thing you are going to tell me is that you can do the same thing with HTML.

    Nice try guys, but April Fools was last month.

    It's true.

    And you know all those images on your web site? Someone can save those to their own computer as well. Even if you put in an anti-right click script.

    I like how IMDB does it. They make the real image the background and put a transparent image over it, so if you right-click and save you get a blank image. View source and a short effort finds the real image URL; cut and paste into a browser, and save the picture. Only worth it for the hottest women, though.

    Hmm... where do they do that? Will it work if one uses Firefox+Adblock and block off the upper transparent image?

  • (cs) in reply to ForcedSterilizationsForAll
    ForcedSterilizationsForAll:
    Here's an idea for those "first" posts, how about their IP gets blocked. :)

    The problem there is false positives. Fark.com turns any occurrence of "First post" to "Boobies" and knocks the timestamp to 24 hours in the future, and inevitably you see the occasional post that would make sense, in context, if the reverse transform is made to it. What you're suggesting is an even more severe negative consequence to something which, on a site where "ss" is converted to "B", will almost certainly be implemented in a "clbuttic" manner.

  • James Schend (unregistered)

    I like how IMDB does it. They make the real image the background and put a transparent image over it, so if you right-click and save you get a blank image. View source and a short effort finds the real image URL; cut and paste into a browser, and save the picture. Only worth it for the hottest women, though.

    Every browser but IE has an easy way to get a hold of media embedded in the page without using right-click. In Firefox, it's called "Page Info" in Tools. Click Tools -> Page Info -> Media, and there's all the images laid out neatly for you. As well as any SWF or MP3s or whatever other media the page might have.

    In Safari, it's called "Activity" in the Window menu, IIRC.

    Point is, disabling the right-click menu, even if it wasn't easily circumvented, only works in IE in the first place.

    (The "Real WTF" is how few people seem to know about the Page Info window in Firefox.)

  • (cs)
    modeSQL = " AND (J.JBCompanyID=31337) "

    Hey this code is in fact 31337!

  • (cs) in reply to James Schend

    To be fair, even Gecko based browsers can have their context menu hijacked, if they allow it.

  • theteapot (unregistered)

    Anyone heard of a browser detection script? Disabling right-click can be done in all browsers: http://hyperdisc.unitec.ac.nz/materials/javascript/top10/disablerightclick.htm But, it's nice to know that the author of this script doesn't like right-click disabling as well!

    But, as far as I know, the major browsers all let you view HTML source, so it's entirely useless, unless you don't know anything about webpages. Oh.

    Probably the best way to hide images is to send a link via ajax, and then set it as the background-image. Then it's not in the HTML source, and can't be found easily (like IMDB and flickr). But even then, it can be picked up by Web Developer https://addons.mozilla.org/en-US/firefox/addon/60.

  • Andrew (unregistered) in reply to SSilver2k2
    SSilver2k2:
    first post?

    wow. Ive seen people coding open ended sql injections like this (i even did it on a few of my own first lesson websites), but to not know that you can view javascript from a browser, that's scary

    Who would write a SQL client in Javascript?!? That developer had to know less than nothing. Anyone around for 5 years knows the joys of Javascript. First, it wasn't mature enough. Then, IE and Netscape fought over setting standards. Now, everyone knows how (and why) to turn Javascript off in the browser.

    Also, the SQL strings make it harder to maintain the application. They waste bandwidth when only a few form values are really needed. Worse, every browser-cached Javascript page has to be changed when the SQL rules do, which the server can't control.

  • (cs) in reply to theteapot
    theteapot:
    Anyone heard of a browser detection script? Disabling right-click can be done in all browsers: http://hyperdisc.unitec.ac.nz/materials/javascript/top10/disablerightclick.htm But, it's nice to know that the author of this script doesn't like right-click disabling as well!

    Don't believe everything that you read. It works in Firefox and IE, but Opera will cheerfully pop up the context menu, even if you change your JavaScript settings to let JavaScript see the right click.

  • (cs) in reply to ForcedSterilizationsForAll
    ForcedSterilizationsForAll:
    Here's an idea for those "first" posts, how about their IP gets blocked. :)

    And that code is just sad. Maybe it was a contractor that did it. :)

    Not a bright idea. For one thing, many people move around to different publicly-accessible wireless networks, so blocking a particular IP would not block the poster for long. Secondly, many ISPs issue connections out of a shared IP pool, so blocking would block others on the same system, while blocking the offender only by chance.

  • serhei (unregistered) in reply to Cyrus

    Cyrus:
    Showing this to a DBA got a long silence, a gasp, then a long groan, pretty cool to watch.

    They probably committed suicide by holding their breath.

  • nixen (unregistered) in reply to Andrew
    Andrew:
    Now, everyone knows how (and why) to turn Javascript off in the browser.

    Oh, please then, enlighten me. 'Cause I sure don't know "why".

    Andrew:
    Also, the SQL strings make it harder to maintain the application. They waste bandwidth when only a few form values are really needed.

    Really sharp point you got there. It might waste an entire 100 bytes! Heretics!!

    Andrew:
    Worse, every browser-cached Javascript page has to be changed when the SQL rules do, which the server can't control.

    Most semi-decent frameworks contain ways of controlling the script tags, and thereby client caches. Just informing you, since you don't seem to know.

  • RON (unregistered)

    I am seriously hitting my head really hard right now.

    I can't believe that I have to compete with these people for jobs.

    Worse yet: Management almost never knows what kind of WTF code these people are writing since they don't know what code does anyways, and they are happy if the devs just say "yes!" and do it, even if it's in a completely retarded way.

  • (cs) in reply to diaphanein
    diaphanein:
    Zemyla:
    Ares:
    Wait wait wait... you view javascript code from the browser? Next thing you are going to tell me is that you can do the same thing with HTML.

    Nice try guys, but April Fools was last month.

    It's true.

    And you know all those images on your web site? Someone can save those to their own computer as well. Even if you put in an anti-right click script.

    Those always piss me off. It's kind of fun to disable script, reload, save the file and then email the photo to the site's admins with "Your kung fu is weak."

    Or you could take a screenshot of the page, print it out, put the printout on a wooden table, take a picture with a camera, scan in the picture, and then email it to them!

    But yeah, disabling javascript is probably easier. Unfortunately I use the noscript firefox extension, so normally I never know the anti-right click script is even there in the first place.

    As for this particular WTF, this is why we need to start insisting on some sort of certification for web developers instead of allowing the 15-year-old nephew of the VP of marketing to get the job. It's easy enough to learn enough web development to put together what appears to be a functional website; it's much harder to make one that actually does work.

  • Matthew (unregistered) in reply to diaphanein
    diaphanein:
    Those always piss me off. It's kind of fun to disable script, reload, save the file and then email the photo to the site's admins with "Your kung fu is weak."

    I guess I never noticed this little anti-rightclick "trick" because I always just dragged the images I want to my desktop. Doesn't that work on Windows?

    captcha: kungfu (no, seriously)

  • Mr Steve (unregistered) in reply to MaGnA

    Someone's been playing too much counterstrike ;D

  • DKO (unregistered) in reply to theteapot
    theteapot:
    Disabling right-click can be done in all browsers: http://hyperdisc.unitec.ac.nz/materials/javascript/top10/disablerightclick.htm

    Doesn't work on Firefox 2.0.0.3 with dom.event.contextmenu.enabled=false. (At least some) distros provide Firefox with this set by default.

    UPDATE: oh yeah, if I release the button over the page and NOT over the menu option (which is where I would release it, I opened the context menu for that reason after all), it pops up a message box. For a moment I forgot the fact that the Mozilla developers are still retards; you still can take down the browser with an infinite loop of alert().

  • (cs) in reply to nixen
    nixen:
    Andrew:
    Now, everyone knows how (and why) to turn Javascript off in the browser.

    Oh, please then, enlighten me. 'Cause I sure don't know "why".

    Yeah, you are right. He probably should have written "anyone with half a brain knows how and why to turn off Javascript by default".

    nixen:
    Andrew:
    Also, the SQL strings make it harder to maintain the application. They waste bandwidth when only a few form values are really needed.

    Really sharp point you got there. It might waste an entire 100 bytes! Heretics!!

    100 bytes times how many millions of requests?

    nixen:
    Andrew:
    Worse, every browser-cached Javascript page has to be changed when the SQL rules do, which the server can't control.

    Most semi-decent frameworks contain ways of controlling the script tags, and thereby client caches. Just informing you, since you don't seem to know.

    No, no framework controls client caches. Because no server side code can control the client (ie, the browser). The best they can do is request the browser do something. Whether they abide by that request or not is up to the browser.

  • (cs) in reply to Matthew
    Matthew:
    I guess I never noticed this little anti-rightclick "trick" because I always just dragged the images I want to my desktop. Doesn't that work on Windows?

    It does work, yes.

  • Sigh (unregistered)

    Hm, not even ten posts to get the requisite "First post!", "Captcha = who gives a crap", and of course, "the real WTF is that I'm a pompous know-it-all"

  • Jon (unregistered) in reply to nwbrown
    nwbrown:
    nixen:
    Andrew:
    Worse, every browser-cached Javascript page has to be changed when the SQL rules do, which the server can't control.

    Most semi-decent frameworks contain ways of controlling the script tags, and thereby client caches. Just informing you, since you don't seem to know.

    No, no framework controls client caches. Because no server side code can control the client (ie, the browser). The best they can do is request the browser do something. Whether they abide by that request or not is up to the browser.

    Oh no! The Cache-Control header is a lie! :(

    But seriously, nixen's idea here is that if you need to update "mylib.js", you instead create a new file, "mylibv2.js" and send back all new pages pointing to the new file. Just because you can't "control" browsers doesn't mean you can't trigger the desired behaviour in the ones that people use.

  • (cs) in reply to evanm
    evanm:
    Really, I gotta say that, Alex, this is one of your lesser editing jobs. Really, the entire code section could have been taken out, and replaced with the phrase "And Moshe discovered that the SQL queries for the site were created using client-side javascript and were wholly vulnerable to SQL injection attacks".

    A lot of code reading there for no purpose.

    Since when did Alex start spelling his name "J A K E?"

    Sure there was probably more code there than needed to get the point across... But it REALLY gets the point across. How are the eyes now? Did the goggles do anything?

  • htg (unregistered)

    That is just horribly stinky, but sadly I can see how the barely educated and zero common sense programmers you see all too often could think that it was cunning. What happened to security courses, and best practices courses, and architecture courses, etc, at university?

    The sad fact is, this just should not be happening, full stop. SQL Injection aside, forming SQL statements is so clearly and obviously not a client-side behaviour that you'd have to be retarded to go down that path. I can understand server side code that has SQL Injection flaws - a brief demonstration and education about prepared statements usually sorts the people out and they never make the mistake again. However I don't think there's any redeeming for someone who forms SQL in client-side Javascript.
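    Since the thread contrasts building SQL in the browser with prepared statements on the server, here is the server-side shape of that fix as an added example; it is not the site's original code nor the .NET rewrite the article mentions. The client sends only a date and a status name, the server maps the status onto a fixed allow-listed filter, validates the date, and binds both values as parameters instead of concatenating them. The `@date`/`@company` placeholder syntax, the column list and the session-sourced company id are assumptions.

```javascript
// Added example (not the site's code): the three filters from the original
// switch/case, keyed by the status names the client is allowed to send. Only
// these fixed fragments ever reach the SQL text; client input never does.
const STATUS_FILTERS = Object.freeze({
  Unconfirmed: "J.JBConfirmed = 'No'",
  Complete: "J.MIStatusCode = 5",
  Unconformed: "(J.MIConformance IS NOT NULL AND J.MIConformance <> '')",
});

// Assumption: the company id is read from the server-side session, never from
// the request, so the client cannot point the query at another company.
const SESSION_COMPANY_ID = 31337;

// Strict YYYY-MM-DD check: the regex rejects any stray character (quotes,
// comment markers), and the round trip through Date rejects impossible dates
// such as 2007-02-30 on engines that either roll them over or reject them.
function isValidIsoDate(s) {
  if (typeof s !== "string" || !/^\d{4}-\d{2}-\d{2}$/.test(s)) return false;
  const d = new Date(s + "T00:00:00Z");
  return !Number.isNaN(d.getTime()) && d.toISOString().slice(0, 10) === s;
}

// Server-side replacement for the query building sendLinkVal did in the
// browser. Returns the SQL text and a separate parameter map for a driver that
// binds named parameters (assumed @name placeholders, as SQL Server clients use).
function buildJobStatusQuery(theDate, theStatus, companyId = SESSION_COMPANY_ID) {
  if (!isValidIsoDate(theDate)) {
    throw new Error("rejected date value");
  }
  // hasOwnProperty guards against names like "toString" resolving via the prototype.
  if (typeof theStatus !== "string" ||
      !Object.prototype.hasOwnProperty.call(STATUS_FILTERS, theStatus)) {
    throw new Error("rejected status value");
  }
  if (!Number.isInteger(companyId) || companyId < 0) {
    throw new Error("rejected company id");
  }
  const sql =
    "SELECT J.MIJobID FROM GlobalJobStatusView AS J" +
    " WHERE J.JBCollectDate = @date" +
    " AND J.JBCompanyID = @company" +
    " AND " + STATUS_FILTERS[theStatus] +
    " ORDER BY CONVERT(int, J.MIJobID)";
  return { sql, params: { date: theDate, company: companyId } };
}
```

The SQL text is the same for every request with a given status; only the bound values differ, which is what makes the query safe to cache and audit.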

  • (cs) in reply to theteapot
    theteapot:
    Disabling right-click can be done in all browsers: http://hyperdisc.unitec.ac.nz/materials/javascript/top10/disablerightclick.htm

    I think the right-click script war ended when someone discovered

    <body oncontextmenu="return false;">

    I feel sad for the customers that want it - very sad.

  • Kris (unregistered)
    function sendLinkVal(theDate,theStatus,MainTitle,PageTitle){
        var dateSQL = " AND J.JBDeliveryDate=''" + theDate + "''"
        var status = ""
        var newSQLTag =""
        var PageTitle = PageTitle
        var MainTitle = MainTitle

    *bangs head through table*

  • (cs)

    This developer was equally shocked to learn that it was even possible to view a web page's JavaScript code, let alone that his architecture was open to SQL injection attacks from virtually any angle. He took immediate and decisive action; all queries were moved to the .NET backend.

    You mean his immediate and decisive action wasn't to quit and flee the country?

Leave a comment on “One-and-a-Half-Tiered Application Design”
