29 comments
0 u/BakedMofoBread 06 Dec 2018 01:39
God I wish I didn't relate to this.
1 u/ThirteenthZodiac 06 Dec 2018 02:51
I laughed a whole bunch on the outside, but inside, I'm screaming.
0 u/PresidentSkroob 06 Dec 2018 12:38
I'm on the other side going "Yup, that's about right. At least they QA'd this time."
0 u/NassTee 06 Dec 2018 01:53
A smartass walks into the bar and orders a '); drop table users; --.
0 u/TwistedSista 06 Dec 2018 03:31
Poor little Bobby Tables :'(
0 u/Naked_Dave 06 Dec 2018 15:07
Newb here, So I kind of getting this, you're closing the string with ";)", and then "drop table users" is something server related, maybe SQL? What's the "--"?
0 u/fedevela [OP] 06 Dec 2018 15:26
Basic SQL injection
0 u/Naked_Dave 06 Dec 2018 18:09
Yeah, that's what I gathered from a basic search. I don't have that much familiarity with SQL and databases but plan to learn about it soon.
0 u/moarzor 07 Dec 2018 00:04
-- starts a comment, so the remainder of the SQL doesn't cause an error when included with your injection.
0 u/moarzor 07 Dec 2018 00:04
Oh. Already answered in another branch of the comment chain.
0 u/NassTee 06 Dec 2018 17:32
The -- makes anything after it into a comment which is ignored by the database. This prevents the remainder of the original command from making the whole thing invalid.
0 u/Naked_Dave 06 Dec 2018 18:08
Gotcha, so I guess it's a dev's job to account for such input. Security and hacking seem very interesting but it seems to me you need to have a lot more knowledge of CS than what it takes to do basic QA and programming.
0 u/fedevela [OP] 06 Dec 2018 18:27
If you use an ORM like sequelize it covers your ass from these injections
0 u/wakkablam 06 Dec 2018 23:55
SQL syntax.
So imagine your website has such (very naïve) server logic:

    sql_stmt = "SELECT UserID, Username FROM Users WHERE Username = '"
        + form.fields["username"]
        + "' AND Password = '"
        + hash_password(form.fields["password"])
        + "';";
    execute_sql(database, sql_stmt)

If you put '; DROP TABLE Users; -- as a username in the form, then the statement gets compiled as the following:

    SELECT UserID, Username FROM Users
    WHERE Username = ''; DROP TABLE Users; -- ' AND Password = '###########…';

Since -- marks the beginning of a comment line, it effectively neuters the statement and makes it drop (delete) the Users table.
Some people would gain admin privilege by adding stuff like UPDATE Users SET IsAdmin = 1 WHERE Username = 'wakkablam'; thus promoting user Wakkablam to administrator status or so.
Some poking around might be necessary to guess the structure of tables or such.
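The string-concatenation login from the comment above, run side by side with the parameterized form that the "use an ORM" remark relies on, as an added example that is not part of any comment in this thread. It assumes Python's standard sqlite3 module, an in-memory Users table constructed for the demonstration, a stand-in hash_password() (SHA-256 only so the string has the right shape), and executescript() standing in for a server API that executes every statement it is handed.

```python
import hashlib
import sqlite3

# Constructed payload, taken from the thread: closes the quoted string,
# appends a new statement, and comments out the rest of the original query.
INJECTED_USERNAME = "'; DROP TABLE Users; -- "


def hash_password(password: str) -> str:
    # Stand-in for the thread's hash_password(); SHA-256 is used only so the
    # value has the right shape, not as a real password-hashing scheme.
    return hashlib.sha256(password.encode()).hexdigest()


def fresh_db() -> sqlite3.Connection:
    # Constructed in-memory database with a Users table and one row.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Users (UserID INTEGER PRIMARY KEY, Username TEXT, Password TEXT)"
    )
    conn.execute(
        "INSERT INTO Users (Username, Password) VALUES (?, ?)",
        ("alice", hash_password("s3cret")),
    )
    conn.commit()
    return conn


def table_exists(conn: sqlite3.Connection) -> bool:
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = 'Users'"
    ).fetchone()
    return row is not None


def login_naive(conn: sqlite3.Connection, username: str, password: str) -> str:
    # The concatenation pattern from the thread. sqlite3's execute() refuses
    # strings containing more than one statement, so executescript() stands in
    # for a server API that runs whatever it is given (assumption for the demo).
    sql = (
        "SELECT UserID, Username FROM Users WHERE Username = '" + username
        + "' AND Password = '" + hash_password(password) + "';"
    )
    conn.executescript(sql)
    return sql


def login_parameterized(conn: sqlite3.Connection, username: str, password: str):
    # Same query with placeholders: the driver sends the values separately from
    # the SQL text, so a quote or '--' in the input is just data in a literal.
    sql = "SELECT UserID, Username FROM Users WHERE Username = ? AND Password = ?"
    return conn.execute(sql, (username, hash_password(password))).fetchone()


def demo():
    # Naive version: the injected username drops the table.
    conn = fresh_db()
    login_naive(conn, INJECTED_USERNAME, "whatever")
    naive_table_survived = table_exists(conn)

    # Parameterized version: the payload matches no user and the table is intact,
    # while a legitimate login still works.
    conn = fresh_db()
    injected_row = login_parameterized(conn, INJECTED_USERNAME, "whatever")
    param_table_survived = table_exists(conn)
    legit_row = login_parameterized(conn, "alice", "s3cret")
    return naive_table_survived, param_table_survived, injected_row, legit_row


if __name__ == "__main__":
    naive_ok, param_ok, injected, legit = demo()
    print("Users table after naive login:", "present" if naive_ok else "dropped")
    print("Users table after parameterized login:", "present" if param_ok else "dropped")
    print("Injected username matched:", injected)
    print("Legitimate login matched:", legit)
```

The point the demo makes is the one the thread is circling: the fix is not escaping the username by hand but keeping query text and data on separate channels, which is what a parameterized query (or an ORM that always emits one) does for you.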
0 u/WhiteRonin 06 Dec 2018 02:05
If a release did that, fire the whole QA team!
0 u/SIayfire122 06 Dec 2018 02:09
@PuttItOut and @Atko. It's just like the good ol' days when Voat was in its infancy. Now it's one of the most reliable websites I've been on.
0 u/BillyLuath 06 Dec 2018 03:17
I'm right in the middle of that.
0 u/fedevela [OP] 06 Dec 2018 11:24
I feel ya bruh.
0 u/sore_ass_losers 06 Dec 2018 03:34
You mean SNAHU, Situation Normal: All Hugged Up, don't you?
0 u/fedevela [OP] 06 Dec 2018 11:22
I must ask the committee BEFORE I can answer.
0 u/ThisIsMyRealName 06 Dec 2018 05:02
This is why unit tests aren't all that great.
0 u/fedevela [OP] 06 Dec 2018 11:24
They provide the most basic net. E2E tests are better but more brittle.
Tautological testing.
0 u/wakkablam 06 Dec 2018 23:56
Unit tests are especially good at preventing regressions, e.g. Adam Customer uses the calculator utility inside your application; the unit test is unable to launch the calculator, therefore the build is broken and shall not be delivered to Adam Customer.
0 u/ThisIsMyRealName 07 Dec 2018 00:58
How do you test if Mr. Customer can launch the calculator utility? What if it launches, but the user only sees dicks? I joke, but GUIs are hard to work with sometimes and can do weird things, and I don't know how you can test that outside of whether or not it crashed. "It worked fine on my machine."
0 u/3dk 08 Dec 2018 17:59
GUI testing tools, maybe one of those can scan for dicks?
0 u/mralexson 06 Dec 2018 05:20
This is a personal attack
0 u/Plavonica 06 Dec 2018 11:30
Sounds a bit like my class projects I've turned in. Sure it will pass the testing script, but just don't ask it to do much else.
0 u/TimberWolfAlpha 06 Dec 2018 13:39
But did he get his lizard?
0 u/videocodec 06 Dec 2018 15:13
Second customer was clearly a Muslim. Should have kept him out. Joke should have gone like this: Two QA engineers from China and India walk into a bar. Just kidding the bar is empty.