Admin
600 Frist comment!
Admin
stop; declare FRIST;
Admin
So, why wasn't there a “Hey, don’t do this!” message, or at least a 500? I feel fristed.
Admin
OK. I AM WITHIN A TENT.
Admin
So rather than just properly escape the strings, it was a better idea just to look for some SQL keywords?
Admin
Why on earth a 404?
Because you don't want to give bots/crackers more information than you have to. Now they will think there is no database if they just try to hack the front end. Of course if people have access already then all bets are off, like being able to see what Michael was able to see. I'm not saying Michael is a cracker, or that this is the right way. But giving proper information to bad people can hurt you.
Admin
A 500 would be as wrong as a 404. In this case you HAVE to return a 400 because the problem is in the client request.
Admin
Security by obscurity and a PITA to debug. Thanks but try again.
Admin
I love SQL injection prevention code that not only works by checking for SQL keywords, but checks for them in uppercase only. (Or is instr() not case sensitive? Otherwise the sentence in the article shouldn't have triggered it. Hmm.)
Admin
Shouldn't have anyway, because the detection code looks for ";DECLARE", but in the sentence it's "; DECLARE".
CAPTCHA: minim - al effort should go into proof-reading the articles...
Admin
Better yet, don't respond at all and maybe the baddies will think your company doesn't exist.
Admin
Guess you missed the initial lines that stripped spaces from the text?
Admin
Yes, but above that was a replacement code, so all spaces were gone...
Admin
Anyone remember phpNuke? It would look for SQL keywords like this - "union" was the one that I usually stumbled into - and if you tried to post a message with that word in it, it would throw you back to the site's main page, without explanation. It was frustrating as hell - you'd type out a long post, forget about using that word, and you'd lose everything you typed. That was the best solution they could come up with? Union is used in plenty of other contexts, like town names, plumbing, Civil War discussions, mathematics, etc.
Admin
This is not a solution to SQL Injection in any way, so for future readers, this is the most stupid and error prone way to target this problem, which shouldn't exist if your application is well designed in the first place.
Admin
Right or wrong, this is the way that SQL injection protection was done back then...
Admin
What do you expect from something with the word 'nuke' in its name?
Admin
It's analogous to why you don't tell a user if it is their username or password was wrong (or whether the username even exists). It's enough information to let a hacker take the next step.
What you put into your logs at the back-end is a different story of course.
Admin
Yeah, bad SQL keyword searching is bad.
But I've got a pricy, commercial "web application firewall" (re: glorified proxy server) - foisted on us by a client, of course - that does exactly this, out of the box. With the added "bonus" of undecipherable regexes to boot.
Postdata matches regex? ...404
Querystring matches regex? ...404
URL path matches regex? ...404
Session cookie matches regex? ...404
Server throws a 500 error? ...404
Fishy buggers.
Admin
But it wasn't an attack.
And lots of websites do this. For example if I use the wrong password too much at my bank, they tell me so, and tell me to call my banker, they don't serve me a 404.
Admin
Yes, but it works so poorly. That's how the President's daughter became ill.
Admin
Not sure if you're joking.
You do realize that the server has to have made some connection to the client for the request to get received, so it has already let the client know about its existence before it's in a position to make any kind of judgement call about the request itself.... right?
Admin
at OHM2013 already?
Admin
400 is a "Syntax error", thus I'd choose 422 (Unprocessable) according to RfC 4918, or maybe 403 (forbidden).
Admin
Unfortunately not; that would be awesome.
Admin
Surely that's why this is a WTF in the first place? The 404 thing is a bit lame, but the whole approach is daft.
Admin
I've got an apostrophe in my surname, and the number of sites that block it is amazing. Not just small sites, either.
Admin
Damn, why does the server reject my commented-out VB code?
Admin
http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html then goes on to say that "If the server does not wish to make this information available to the client, the status code 404 (Not Found) can be used instead".
So the 404 is completely correct, and while the SQL Injection handling is clearly a wtf, dealing with any attempt by returning a 404 is definitely not.
Admin
I love those login forms, where you are not told what went wrong, especially if it is some site I don't visit regularly. Did I use the wrong username? Or was it just a typo in my password? Oh, the website doesn't know either, now I try every combination of usernames and passwords I think I could have used on that site... and if the site is really bad, it completely clears the login form every time and eventually locks my account after a few failed login attempts (which even allows for a nice DoS attack, but I think might be ok for a banking site, to be fair).
I know, you should try to reduce the amount of information you give to criminals, but I don't know if giving unclear error messages in login forms really helps that much. I'd guess a criminal could easily get a list of valid usernames in some other way on most sites (e.g. trying to send a message to a user or use a password reset form [oh, and if you don't tell me I entered a wrong username there, I really hate you...]).
Of course, I could have entered a valid username of someone else, so "user exists" does not always imply I did not enter the wrong username, so after a few failed attempts, the site could give me a hint that I might have entered the wrong username.
Admin
If you receive a user id and a password, and the password is wrong, you don't say "wrong password, try again", as this would give an attacker the information that the user id does indeed exist. Instead you say something like "login failed, please check your user id and password".
Admin
Protip: he was joking. Clearly.
Admin
It will look for ';DECLARE' as well as '; DECLARE' because spaces have already been stripped.
TRWTF is having to go to great lengths to protect against SQL injection anyway. Why not just use parameterised queries? Or does that mickey-mouse language not have them?
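As an added example (not code from the article or from any commenter), here is a reconstruction of the space-stripping ";DECLARE" keyword check the thread describes, placed beside the parameterised alternative the comment above recommends. The filter and the `comments` table are constructed for illustration; the example shows the filter rejecting harmless text while a bound parameter stores the same text, and a surname with an apostrophe, as plain data.

```python
import sqlite3

# Constructed reconstruction of the thread's filter: strip spaces, then look for
# ";DECLARE" (uppercase only, as one commenter assumes). Not the article's code.
def naive_keyword_filter(text: str) -> bool:
    """Return True if the space-stripped text contains ';DECLARE'."""
    stripped = text.replace(" ", "")
    return ";DECLARE" in stripped


def store_comment(conn: sqlite3.Connection, author: str, body: str) -> int:
    """Insert a comment using bound parameters; the DB never parses the text as SQL."""
    cur = conn.execute(
        "INSERT INTO comments (author, body) VALUES (?, ?)", (author, body)
    )
    conn.commit()
    return cur.lastrowid


def fetch_comment(conn: sqlite3.Connection, row_id: int):
    """Return (author, body) for a stored comment, or None."""
    return conn.execute(
        "SELECT author, body FROM comments WHERE id = ?", (row_id,)
    ).fetchone()


def demo():
    """Compare the two approaches on constructed, perfectly legitimate input."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)"
    )
    # Constructed sample: ordinary English that a keyword blacklist rejects.
    body = "Agenda for Monday; DECLARE your availability by Friday."
    author = "Seán O'Brien"  # apostrophe in a surname, as in the thread

    blocked = naive_keyword_filter(body)        # True: a false positive
    row_id = store_comment(conn, author, body)  # stored verbatim, no escaping needed
    stored = fetch_comment(conn, row_id)
    return blocked, stored == (author, body)


if __name__ == "__main__":
    print(demo())  # (True, True)
```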
Admin
This is arguable. In fact, the server is rejecting a perfectly valid user input, the sole reason being the developer couldn't come up with any better solution to prevent SQL injection attacks than deliberately rejecting some suspect-looking input strings.
That's an issue with the server, not with the request, so a 500 would be perfectly appropriate, IMHO.
Admin
I once wrote a login system for a company that kept changing their mind what they wanted. Initially it was to be hosted within their network so we blocked ip addresses after x too many failed login attempts. But then they decided to host outside their network, which of course is NAT. Didn't take long for everyone to be locked out and for the ip address based check to be removed!
Admin
There is nothing new in this sort of stupidity. I have seen the same on a Computeworld website. Which I BTW ran into a few months after I had reported an SQL injection bug on said website, which they saw no reason to fix, because they had a firewall.
Admin
I don't see why they just don't return a 418.
Admin
TRWTF is not using PHP. AMIRITE?
Admin
It is ok to give precise information when logging in to a desktop computer via a physical keyboard attached to a physical pc. If you sit in front of a pc, you probably know the users name anyway.
It is not ok to do so in a web environment, and Microsoft doesn't do it either. At least not when logging in at Office.com.
Admin
500 would be the only response status of the 5xx range that one could consider appropriate, but the definition goes "500 Internal Server Error: The server encountered an unexpected condition which prevented it from fulfilling the request." (highlighting by me).
Unexpected condition? This is clearly not the case since the SQL Injection was clearly expected - the conditions are stated in the code.
So again: in this case 403 or 404 are the status to use.
Admin
Giving the right answer can be used as an oracle to crack the system. There's a known attack (CBC padding oracle attack) that can be successful by having the server NOT implementing the trick described in the article, and the attacker can crack the system depending on getting 403 or 404 error to different requests. Check: http://www.iacr.org/archive/eurocrypt2002/23320530/cbc02_e02d.pdf
Admin
How about a 406 (Unacceptable) error instead?
Admin
You are so evil. ;-)
Admin
613: no spec - should be returned by the server when a problem is encountered for which the server can not make a decision due to a missing spec.
654: time machine required - to be returned for all functionality that could not be implemented in time.