Admin
It's not often I really want to do a headdesk moment. But this... this made me want to do that. Repeatedly.
-- Seejay
Admin
So the WTF is that they protect against SQL injection?
...
Admin
You missed the point there.
You don't protect against SQL injection by telling people "Don't insert SQL into the text boxes!"
-- Seejay
Admin
No, the WTF is that they seem to protect themselves from SQL injection by looking for a few key phrases instead of a more robust method.
Admin
Oh dear god. I'm glad I don't use them.
No, the WTF isn't that they protect against SQL injection. It's that they really don't.
If they really did protect against it, you could enter whatever you wanted to for your password phrase. Since they specifically try and watch out for SQL phrases rather than using parameterized queries... ugh..
If you don't understand why that's bad, I can't help you.
Admin
They didn't protect against injection really. The way to protect against that is let the user add whatever he wants, then properly encode it so it is seen as a simple string before getting passed to SQL. You do not protect from injection by making sure your users never enter injection strings. If you do this, you run the risk of missing something and letting one in.
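Added example, not part of the thread and not the bank's code: a small Python/sqlite3 script showing the difference the comment above describes. It stores a reminder phrase two ways, pasted into the statement text and passed as a bound parameter, and puts a keyword blacklist of the kind the error message implies next to them. The table, the two sample phrases and the blacklist word list are all constructed for this example.

```python
import sqlite3

# Constructed sample phrases: one that a keyword blacklist rejects although it
# is harmless, one that a blacklist accepts but that breaks string-built SQL.
HARMLESS_BUT_BLACKLISTED = "delete from memory: my first car"
APOSTROPHE_PHRASE = "Rover's favourite bone"

# Hypothetical blacklist modelled on the words the bank's message complains about.
BLACKLIST = ("select", "insert", "update", "delete from", "drop", "alter", "exec")


def blacklist_rejects(phrase: str) -> bool:
    """The bank's apparent approach: refuse any input that contains SQL words."""
    lowered = phrase.lower()
    return any(word in lowered for word in BLACKLIST)


def new_db() -> sqlite3.Connection:
    """Fresh in-memory database with a one-table schema made up for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE phrases (username TEXT PRIMARY KEY, phrase TEXT)")
    return conn


def store_concatenated(conn: sqlite3.Connection, username: str, phrase: str) -> None:
    """Anti-pattern: user text is pasted into the statement, so the SQL parser
    sees every character of the phrase as potential syntax."""
    conn.execute(f"INSERT INTO phrases VALUES ('{username}', '{phrase}')")


def store_parameterized(conn: sqlite3.Connection, username: str, phrase: str) -> None:
    """Correct approach: placeholders. The phrase travels as a value and is
    never parsed as SQL, whatever words or quotes it contains."""
    conn.execute("INSERT INTO phrases VALUES (?, ?)", (username, phrase))


def fetch(conn: sqlite3.Connection, username: str):
    row = conn.execute(
        "SELECT phrase FROM phrases WHERE username = ?", (username,)
    ).fetchone()
    return row[0] if row else None


def concatenation_survives(phrase: str) -> bool:
    """True if string-building stores the phrase intact; False if the
    database rejects the mangled statement."""
    conn = new_db()
    try:
        store_concatenated(conn, "jay", phrase)
    except sqlite3.Error:
        return False
    return fetch(conn, "jay") == phrase


def parameterized_roundtrip(phrase: str):
    """Store the phrase with a bound parameter and read it back unchanged."""
    conn = new_db()
    store_parameterized(conn, "jay", phrase)
    return fetch(conn, "jay")


if __name__ == "__main__":
    for phrase in (HARMLESS_BUT_BLACKLISTED, APOSTROPHE_PHRASE):
        print(repr(phrase))
        print("  blacklist rejects it:      ", blacklist_rejects(phrase))
        print("  string-built SQL survives: ", concatenation_survives(phrase))
        print("  parameterized round-trip:  ", parameterized_roundtrip(phrase) == phrase)
```

Run it and the two phrases land on opposite sides of each check: the blacklist throws out "delete from memory: my first car", which even the string-built statement stores without trouble, and waves through "Rover's favourite bone", whose apostrophe is what actually breaks the string-built statement. With a bound parameter both phrases are stored and read back verbatim, which is the whole point of the comment above: make the input a value, and there is no need to police which words the user chooses.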
Admin
You guys are such pessimists, always worrying about the bad stuff that people could do. What about the GOOD stuff we can do, like adding $110,000,000,000 to our accounts?
[shamelessplug] That being said, I have an ING Direct account and I can give out referral links that give you $25 when you open an ING Direct account!! Just send me a private message here. [/shamelessplug]
NB: I just logged in and I can't even recreate this error message.
Admin
They really don't protect and they basically tell you how to do it.
I learned about SQL injection a few years back when working as a web programmer. I hadn't thought of it until my boss showed it to me. If I'd seen an error message like this though, I would have figured it out very fast and started poking at sites with it just to see what happened.
Those that know about SQL injection and are willing to try it aren't going to be dissuaded by a note that says "please don't do this". Those that don't know about it just got a very quick lesson on it with this error message.
-- Seejay
Admin
They should have told their users that entering such things is a criminal activity. Then, no one would do it, not even the anonymous criminal hacker from Russia who's been offered $BIG_BUCKS to compromise your system and who you'll never manage to drag to a US court.
You just have to love security by legislation.
Admin
I'm calling shenanigans.
Admin
Who?
Admin
"So the WTF is that they protect against SQL injection?"
No, the WTF is that they do it by blacklisting rather than by escaping characters.
Admin
You mean "rather than by using stored procedures or parameterized queries".
Captcha is black on dark grey (WTF?), but I can still read it.
Admin
Eminem. w3rd!
Admin
Original submitter here. Seems my original message got slightly mis-edited. I use two banks: Hudson Valley Federal Credit Union and ING. ING was the first to have that security feature, HVFCU added it shortly thereafter and they are the ones that gave me that popup.
ed. note: article fixed
Admin
I say "SO?".
Everyone here is jumping to huge conclusions about ING's actual security functionality based on a single message.
Lots of speculation based on a whole lotta nothing.
Sure it's an odd message, but it says NOTHING about their underlying architecture methods. This could simply be an unfortunate message, concocted by the suits, who read an article on injection, and ignored the techies' affirmations of "but we built our SQL so that it is safe from injection", to which the suits said "do these tests anyway!"
Admin
Oh nice. So TDWTF does a WTF that makes them liable for a lawsuit by misrepresenting ING security practices as unsafe. BRILLANT!!!
Admin
Ah, I guess it's OK to use "CREATE USER" then (or whatever it is).
Admin
another aspect of the wtf is that they just gave out table names, which would aid anyone profiling the website or app or trying to do an injection attack.
Admin
I wonder -- if you disable Javascript, is their "SQL injection prevention" disabled too?
Admin
ALTER USER <username/> IDENTIFIED BY <password of your choice/>
Admin
They appear to be protected from SQL injection (although there's no way of telling to what extent based on that error message). They also appear to have accomplished this the worst way possible.
Admin
Error: user does not have access to modify this parameter.
Admin
Yes. Of course. Or maybe this WTF never really happened. Or maybe the message looks like English but really is just an advertisement in another strange language. Or maybe... you're the one that coded that?...
Admin
It's called Defense in Depth. They could use 100 different ways of preventing against SQL injection.
You all only see one and assume that it's the only way they're preventing SQL injection.
Admin
Congratulations to Jay G. He is a true 'hacker' at heart. My passphrase is 'Deposit $1,000,000 in account 4568-3465-2794 ASAP'
Admin
No, it's called needlessly exposing the details of your system to end users who don't understand or care -- if you're lucky.
This is like having a dialog box come up telling the user to re-enter their text in all lowercase so that there won't be any comparison issues due to case differences.
Which is to say, utterly stupid.
Admin
All right, but just what security phrase was Jay G. trying to enter, anyway?
-Harrow.
Admin
You protect against SQL injection by using parameterized queries NOT by trying to devise some "filter" mechanism to catch hackers.
Admin
points for the Eminem reference
Admin
<rant>I appreciate that they're trying to make things more secure, but they keep moving the letters around on the number-pad, so you can't even get used to the clicking pattern - a f'g pain in the arse </rant>
Admin
Not really. Let's say you always enter 'delete from' as your hint. You aren't a programmer and have no idea what SQL is. It's something you came up with randomly. Their system rejects it, BUT it has to tell you that it was rejected. It doesn't expose any details. It's only exposing the fact that they use SQL (duh). To novices it only exposes that certain phrases are not allowed, although you have no idea why.
The WTF is that the system shouldn't have to reject these terms to begin with.
Admin
And what do you think happens to your queries when you use stored procedures and parameterized queries?
Of course, reimplementing quotation is an entirely new WTF on itself.
Admin
Immunity to SQL injection?
And, thanks, I know there are brillant ways to make even stored procs or prepared parameterized queries susceptible to SQL injection, by using EXEC. But it's much harder to fuck this up than forgetting to quote that darned user input using mysql_real_escape_string_fer_shure_i_am_not_kidding_lol.
Admin
At my bank, we use bind variables. However, we also send out goons to thrash wise guys who probe us with their reminder phrases.
Admin
Not all RDBMS have exec. I don't see how putting exec in a parameter is going to cause SQL injection (unless you are doing something really stupid like executing the contents of this parameter as a SQL statement, or appending the parameter to something and executing that as dynamic SQL instead of a prepared statement).
Admin
Bah, there's nothing wrong with this. Sure, keywords are a lousy method to prevent SQL injection, but we have no reason to believe they're the only method being used. The only design data being exposed here is that they're probably using an SQL database of some kind. Not exactly shocking news.
And if you read the title of the article, it is clear that the "real WTF" is that a bank actually uses multiple layers of security. That's not a WTF at all.
Admin
Funnily enough, my offense was trying to use a period, not a sql command. They just had a specific error message they gave out for any bad characters or words.
Admin
I like the changing letters thing. The idea is that something that keylogs one login won't work the next time.
Admin
Sounds like someone hasn't heard of syntax trickery. Delete /* */from Users;
Admin
Seejay: Correct. You protect against SQL injection by escaping and/or parameterisation.
However, it's not a WTF to detect possible attempts and give them a message which boils down to "Come off it, we're not that stupid."
It's funny, not a WTF.
Admin
Was that an Eminem reference?
Admin
ahahahahahaha
Admin
How about that - I use ING and they don't have any real security - just a couple of passwords you have to enter.