Admin
I call this sort of code 'job security'. It guarantees I'll always have work fixing this crap.
Admin
Bah humbug.
Just drop the Little Bobby Tables attack into the password field and you can use ";--" all you want...
Admin
So that means I can't use "Drop It Like It's Hot" as my favorite song for the security question?
CAPTCHA: genitus
Admin
Yes and that holds true for any online security question, whether they block the word "drop" or not.
Admin
uNNNNNGH 5th%%%%%55%%55%%%55five
Admin
I guess you couldn't have 'Pannullo Hydroponics' as your answer to 'Where did my grandfather's vet's brother's neighbour's father work in 1995?' then.
Admin
The second example is a classic example of 'trying too hard'. For that code, any username with a ' character in it will cause problems, so just ban the lot of them. Of course, I tend to be more draconian, and also ban ", , ,, ., and any other special character that seems interesting to me. (Actually, to be technical, I allow alphanumeric, underscores, and, depending on the system and field, maybe dashes and/or spaces. If it's for international use, I'll also allow unicode characters which are not part of the standard 7-bit ASCII set - but I'm only generous there because I haven't heard of any of those being exploitable.)
Admin
base64_decode(base64_encode($witty_comment))
Admin
Also from Lincoln County Credit Union's site:
Evidently they've never heard of the latest feature in that 'special software' - monitoring mouse clicks and taking screenshots.
Admin
$sql = "select * from customers where " . "email_address = '" . base64_decode(base64_encode($email_address)) . "' and password = '" . base64_decode(base64_encode($password)) . "'";
...I don't think the purpose of that is to prevent SQL injection but rather to enterprise-y the code. Imagine the CPU cycles that puppy can churn up if they use that everywhere! Whoa momma...
Admin
To see a "professional" financial solutions provider disallowing SQL keywords in all user input simply belies belief. For some shopping cart system written by your brother-in-law's cousin it may be excusable but Harland Financial Solutions? Seriously? You can only imagine what other amateurish garbage goes on in that place; perhaps something like:
Every Friday, an e-mail is sent to all employees to remind them to log onto the McAfee website and update their virus definitions.
The hardware part of a user's two-tier authentication system is attached to the user's machine to prevent loss.
All user passwords are set to "Password1" so the network admins can always reset lost passwords.
An "admin=true" querystring is used to log into the secure area of the website. But it's OK, you only get redirected with that querystring if you pass the client-side Javascript validation routine.
I for one have made damn sure that my bank does not utilise the services of Harland Financial Solutions.
Admin
Seeing how SQL injection discussions are recurrent over here, we should really start devising a way to remotely inflict excruciating pain to people dropping (pun intended) Bobby Tables references.
Admin
One of the ladies I used to work with has the last name "Null". Which made for some fun times in the support database - is it null or Null?
Admin
Ahh, so Harland is still happy for you to use ALTER then.
Admin
Those are absolutely great examples of cargo cult programming. Nothing more, nothing less. Made my day. Go TDWTF!
Cheers, Kuba
Admin
And CREATE. Also, AND, OR, JOIN, IN...
Just think of the possibilities!
Admin
Thank god Harland don't ban all SQL keywords. You can imagine the hassle:
Q: What state were you born in? A: Indiana
BEEEP You cannot use the letters 'IN'. Please try again. Note: if you were born in Indiana, please enter the TOWN you were born in.
A: Ingalls
BEEEP
<Gunshot>
Admin
...
And to answer someone above, yes, it IS a frequent occurrence to have major financial institutions use bad-word lists to filter sql injection - I've personally fixed it in more than 10 major apps over the years (I'm talking Wall Street brokerages here).
Admin
Dare I even suggest that Truncate would be available. Hey we stopped the hacker! Of course we lost all our data.
Admin
Truncate...
Admin
I feel sorry for the poor sap who "loses" his passwords in a place that sets all user passwords to "Password1".
Admin
A while ago I had to use a friend's computer because my connection was down. He had an antivirus and he is not the sort of screw-up that plays around malware-ridden sites. Yet when I had to enter my mail password, I typed every keyboard character onto notepad and went back and forth copy-pasting them on my webmail password field, and not on the correct sequence. Sometimes I used the mouse, sometimes the keyboard. I would copy a string where only two separated characters mattered to me, then place the cursor between them and hold Del (single keystroke) until they were together. Anyone trying to recreate my password would have to log all my activity very carefully.
Admin
I have seen that other places too. Taking screen shots and monitoring mouse clicks is a bit tedious don't you think? When do you do it? Constantly? I'm not a hacker but it seems to me that besides the huge burden that could be on the host system and network you would have to go through thousands of screen shots just to find the one where the user is entering the desired info. Once you find it you then have to match up clicks from the same moments while praying they don't move the input screen or maximize it or flip over to their IM screen in the middle make some clicks then flip back etc. Like I said, I’m not a hacker so maybe it is easier than I am thinking but I don’t think so.
Admin
I think truncate shouldn't be blocked. After all, it's not logged, so whether someone used it or not, we wouldn't know anyway.
Admin
I wonder why the coder responsible for the first example didn't see fit to increase the security in the same way that he created it. After all, the following routine would be twice as effective:
base64_decode(base64_encode(base64_decode(base64_encode($sensitive_string))))
And even more secure:
base64_decode(base64_encode(base64_decode(base64_encode(base64_decode(base64_encode($sensitive_string))))))
Genius stuff, surely.
Admin
You could create a function called doAbsolutelyNothingMeaningful() which calls base64_decode and base64_encode().
Admin
I guess parameterized queries are just TOO HARD to implement.
Admin
Well this still bans enough cities, places and names (Geldrop, NL springs to mind).
Admin
Open Spy++ sometime. On a mouse click message, is the window ID the same as the window ID you saved when they created the window for IE (or other browser). Now is the window ID data looking at website X? If you get a yes to these two checks, screen cap just that window ID and timestamp the sucker. You now have just the clicks for the website you want in the order they were done, instant PIN scraping made easy. Of course you get every other form they clicked on after that on the same site also. It isn't really that hard and you don't slow the client machine down for every click by that much.
Edit: Umm I meant every other click not in the browser.
Admin
That must be why the on screen keyboard is a ****** keyboard rather than a QWERTY keyboard, i.e. all the keys are asterisks.
CAPTCHA: tation
Admin
I am not a hacker or a security guru so could someone please explain to me why banning SQL keywords as part of your strategy is a bad thing? I realize it should not be your only defense but what is wrong with it being part of it?
Admin
Stuff like this pisses me off, especially on the sites of financial institutions.
Please let me use any character in a password, over a certain length. For usernames, alphanumeric is fine with me.
</rant>
Admin
As others have shown, you will be banning valid words. Ban "drop" and when asking for someone's favorite song they can't enter a true statement "Drop it like it's hot". Or perhaps if you aren't looking for just the single word but any string containing it, then Mr. Andropolis can't get an account with you.
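Added example, not part of any comment in this thread: it contrasts the keyword blacklist discussed above with the parameterized queries another commenter mentions, using answers named in the thread. The `BANNED` list, table layout and function names are hypothetical and not taken from any real site; SQLite stands in for the database.

```python
import re
import sqlite3

# Hypothetical blacklist in the style the thread describes (constructed).
BANNED = ("drop", "select", "insert", "delete", "update", "in")

def blacklist_rejects(value, whole_word=False):
    """Return the banned keywords found in value (empty list means accepted)."""
    low = value.lower()
    if whole_word:
        words = set(re.findall(r"[a-z]+", low))
        return [k for k in BANNED if k in words]
    return [k for k in BANNED if k in low]

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE answers (username TEXT PRIMARY KEY, answer TEXT)")
    return db

def save_answer(db, username, answer):
    # Placeholders pass the value separately from the SQL text, so quotes
    # and keywords inside it are stored as data and never parsed as SQL.
    db.execute("INSERT INTO answers (username, answer) VALUES (?, ?)",
               (username, answer))

def check_answer(db, username, answer):
    row = db.execute(
        "SELECT 1 FROM answers WHERE username = ? AND answer = ?",
        (username, answer)).fetchone()
    return row is not None

# Constructed sample input built from words mentioned in the thread.
SAMPLES = [
    ("andropolis", "Drop It Like It's Hot"),
    ("null", "Geldrop"),
    ("obrien", "Indiana"),
]

def demo():
    """For each sample: (answer, substring hits, whole-word hits, round-trips)."""
    db = make_db()
    results = []
    for user, answer in SAMPLES:
        save_answer(db, user, answer)
        results.append((answer,
                        blacklist_rejects(answer),
                        blacklist_rejects(answer, whole_word=True),
                        check_answer(db, user, answer)))
    return results

if __name__ == "__main__":
    for row in demo():
        print(row)
```

The substring filter rejects all three legitimate answers and the whole-word filter still rejects the song title, while the bound parameters store and match every answer verbatim, apostrophe included.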
Admin
All this password by mouse and the absurd copy and paste exercise is mostly a waste of time. Any good malware (is that an oxymoron) will simply hook into IE and capture the data that gets posted.
Admin
OK, makes sense, I'll buy that, thanks
Admin
Actually, monitoring software along these lines is both available and relatively effective. I have also written similar programs myself for legitimate logging purposes. You asked when the screenshots are taken; that's simple. Screenshots are taken consistently for the duration of the session, configurable to be taken once every x seconds or once every x mouse clicks. Additionally, a screenshot is taken whenever the software detects a combination of keys that affects the windows on the screen. So for example, an ALT-TAB would result in a screenshot being taken always, since ALT-TAB is very likely to have brought a hidden window into visibility. Same with ALT-F4, which may well reveal a new window underneath the window that was just closed.
True, you end up with masses of screenshots and just a dump of mouse clicks and locations. But obviously, you then have a piece of software that parses the data to present the appropriate screenshots with the given mouse data. This technique is known, used and remarkably easy to implement.
Admin
Because it's like lining the inside of an armoured tank with paper.
It adds complexity and pisses off the users for absolutely no gain compared to actually preventing the keywords from doing damage.
Admin
Here's hoping that last one is a case of "belt and suspenders".
Admin
Password: password1 Luggage Combination & Bank PIN: 1234
Admin
No disrespect my friend, but I would not let you use my computer to check your e-mail!
Admin
OK I can see that problem, but isn't it more of a minor inconvenience for really a minimal number of people? I don’t think it would rise to the level of grabbing torches and marching over to the developer’s house in the middle of the night to rid the world of one more moron like some seem to advocate. And no, I have never used this method of security. I am just curious so if I ever do run across a reason to have to implement something.
Admin
Now that makes sense to me.... thank you