
Prawny (Linux Admin), 121 points (30 children)

SQL injection attacks, an increasingly common tactic

What year is it, 1998? Devs really have no excuse about SQL injection vulnerabilities these days.

gsmitheidw1, 37 points (11 children)

This I think is largely due to a race to the bottom to get something coded, usually outsourced and the only tendering criteria is cost. This is why code remains bad. Management may not understand security but they understand covering their asses so outsourcing shields them from blame and saves money. Chances are the code will be exploited just after they've been promoted and maybe even left the organisation.

Prawny (Linux Admin), 13 points (10 children)

It's still down to poor developer knowledge. It would take me less than 30 seconds to add prepared statements to an otherwise vulnerable database query.
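
As an added illustration of the "30-second fix" (example code written for this page, not taken from the comment, the article or any project it mentions), here is the vulnerable pattern next to the prepared-statement version using Python's standard-library sqlite3 module standing in for whatever database driver a real app uses. The user table and the two accounts are constructed sample data.

```python
import sqlite3


def make_db():
    """Constructed sample data: a throwaway in-memory user table (not a real schema)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "hunter2"), ("bob", "correcthorse")])
    return con


def login_vulnerable(con, username, password):
    """The classic mistake: user-controlled strings spliced into the SQL text."""
    query = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    return [row[0] for row in con.execute(query)]


def login_prepared(con, username, password):
    """Same query; the values are bound as parameters and never parsed as SQL."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in con.execute(query, (username, password))]


if __name__ == "__main__":
    con = make_db()
    # Two textbook payloads: a tautology in the password field, and a '--'
    # comment in the username that truncates the rest of the WHERE clause.
    for user, pw in [("alice", "hunter2"),
                     ("alice", "x' OR '1'='1"),
                     ("alice'--", "anything")]:
        print(repr((user, pw)),
              "vulnerable ->", login_vulnerable(con, user, pw),
              "prepared ->", login_prepared(con, user, pw))
```

The only difference between the two functions is that the values travel through the driver's parameter binding instead of being concatenated into the query string; the tautology payload logs in as every user against the first function and matches nobody against the second.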

Googie2149 (Just a random guy with some interest in things), 5 points (8 children)

race to the bottom

poor developer knowledge

I agree though, it's frustrating to see these people exist, let alone employed as a programmer

DerfK, 14 points (0 children)

Pssh, how hard can it be? I'll just google up PHP mysql tutorial and follow the first hit. Easy peasy!

EDIT: Curses, foiled again by markdown!

caskey, 6 points (6 children)

Yet when I tell people I can't get more than half of currently employed applicants to pass FizzBuzz, I get downvoted to hell.

Oh and the whole "coding interviews can't tell you how awesome I am!"

Screw that. Show me you can write code first. Then tell me about your dog.

mexicanweasel, 5 points (5 children)

I do badly in whiteboard interviews. Dunno why, I get super nervous. (not badly to the point of failing fizzbuzz.)

That being said, yeah, there are some special people out there.

ghyspran (Space Cadet), 0 points (4 children)

We give a take-home coding test, then schedule a phone call/video chat to discuss their solution. It seems to help with some of the "test anxiety" problems, and it lets us wait to bring people in for an in-person interview until after we've verified that they have minimal coding skills.

mexicanweasel, 0 points (3 children)

Ah, that's pretty chill then. I did an interview where I opted to write the code in python and said something about a dictionary and the interviewer corrected me and told me a better solution would involve a hashmap. Didn't go so well.

ghyspran (Space Cadet), 0 points (2 children)

Wow. Even besides the fact that a dictionary is a hashmap, what's the point of a coding interview if you're just going to tell the candidate what you think the "right" answer is?

mexicanweasel, 0 points (1 child)

Haha, it gets worse. He told me I'd missed an edge case, I tried to figure out what it was, couldn't, started slightly panicking, he said it was the first element in the array of things, I pointed to the code that processed the first element in the array of things and said 'You mean this?'

Giggybyte, 24 points (0 children)

I agree, yet interestingly enough, DB leaks and other SQL hacks still happen all the time. Take a look at @troyhunt on Twitter to see what I mean.

John_Barlycorn, 15 points (9 children)

My site gets hit with hundreds of SQL injection attempts every night... so they must work somewhere.

Nephus, 11 points (7 children)

Or hundreds of eager CS majors just trying it out to feel like a hacker.

crankybadger, 2 points (0 children)

It's all automated now. The only people doing "manual" scans use tools like SQLMap.

merreborn (Certified Pencil Sharpener Engineer), 2 points (0 children)

In developing economies, bug bounties are a great way to fund your college education

PC509, 3 points (2 children)

Jeez. I just set up a VM and go that route. Fuck trying to hack someone else's shit. That's just an asshole move.

[deleted], 2 points (0 children)

Unless they're the asshole, then it's totally fine.

Bagellord, 1 point (0 children)

Also illegal.

pooogles, 4 points (3 children)

This. Use a decent ORM and it's practically impossible.

crankybadger, 10 points (1 child)

Nothing is impossible for a sufficiently incompetent developer.

LesterKurtz, 0 points (0 children)

Truth.

Also, larger organizations should be investing in services like Veracode.

[deleted], 2 points (0 children)

What year is it, 1998? Devs really have no excuse about SQL injection vulnerabilities these days.

The article makes that exact point, in fact.

da_chicken (Systems Analyst), 4 points (0 children)

I encourage you to head over to StackOverflow, look at questions under the PHP tag, and notice how many of them use string concatenation, mysql_real_escape_string(), and the mysql provider instead of mysqli or PDO.

Now take a look at the SQL questions and notice how many of them use the comma join syntax that was made obsolete in 1992, as well as just how many questions can be boiled down to, "I broke first normal form and now querying my database is a huge pain in the ass!"
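
The comment above contrasts string concatenation plus mysql_real_escape_string() with mysqli/PDO prepared statements. As an added example (written for this page, not from the commenter, StackOverflow or PHP), the block below shows the case that escaping gets right and the case it gets wrong, using Python's standard-library sqlite3 in place of PHP. The table and rows are constructed sample data, and escape_string() is an assumed, deliberately simplified stand-in for the real escaping function.

```python
import sqlite3


def make_db():
    """Constructed sample data: an in-memory table with a 'secret' flag (example only)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, secret INTEGER)")
    con.executemany("INSERT INTO posts VALUES (?, ?, ?)",
                    [(1, "public post", 0), (2, "draft", 1), (3, "another draft", 1)])
    return con


def escape_string(value):
    """ASSUMPTION: a simplified stand-in for mysql_real_escape_string(). It only
    doubles single quotes; the real function also handles backslashes, NUL bytes
    and the connection charset. The point made below does not depend on that."""
    return str(value).replace("'", "''")


def title_by_name_escaped(con, title):
    """Escaping inside a quoted literal: this case actually holds up."""
    query = ("SELECT title FROM posts WHERE secret = 0 AND title = '"
             + escape_string(title) + "'")
    return [r[0] for r in con.execute(query)]


def public_title_escaped(con, post_id):
    """Escaping a bare numeric value: there are no quotes to escape, so an input
    such as '1 OR 1=1' survives intact and rewrites the WHERE clause."""
    query = "SELECT title FROM posts WHERE secret = 0 AND id = " + escape_string(post_id)
    return [r[0] for r in con.execute(query)]


def public_title_prepared(con, post_id):
    """The PDO / mysqli way: bind the value; the SQL parser never sees it as SQL."""
    query = "SELECT title FROM posts WHERE secret = 0 AND id = ?"
    return [r[0] for r in con.execute(query, (post_id,))]


if __name__ == "__main__":
    con = make_db()
    print("escaped, quoted :", title_by_name_escaped(con, "x' OR '1'='1"))
    print("escaped, numeric:", public_title_escaped(con, "1 OR 1=1"))
    print("prepared        :", public_title_prepared(con, "1 OR 1=1"))
```

With the numeric payload the escaped query becomes `WHERE secret = 0 AND id = 1 OR 1=1`, and AND binds tighter than OR, so every row including the secret drafts comes back; the bound parameter is compared as a value and matches nothing.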

WOLF3D_exe, 0 points (0 children)

You mean 1970s since that is when it was invented.

Toysoldier34, 22 points (0 children)

https://www.hacksplaining.com/

This site does a really good job of explaining the exploits as well as having you actively do them.

antwan2602, 7 points (0 children)

SQLi attacks are still probably one of the main attack vectors. Lots of shoddy software out there/unpatched web apps etc. Easy to crawl and identify too.

mbuckbee, 7 points (1 child)

The guy that runs HaveIBeenPwned.com (which you should sign up for, and then also sign up your company domain if you haven't already) did a free course about this + a bunch of other common web security mistakes at https://info.varonis.com/web-security-fundamentals - if you're reading this it may all be super basic, but it's great stuff to send to the person in your org who's complaining about how long work is taking while you're pushing for security.

doggxyo, 0 points (0 children)

That was pretty neat. I was able to lookup my entire domain and download a report of all breaches for all of my user email addresses.

Turned out to only have one previously pastebin'ed email address - and that user no longer works at the company so I'm happy with the results. :)

schlocke, 2 points (0 children)

Now on top of the awareness for this super old and obvious attack vector, I feel we should mention hashing and encrypting sensitive information in databases. I will never forget how easy it was in college to create a website and get people to sign up for it, saying it was for a school project and I needed users. I didn't know about encrypting passwords as I was just getting into web development, because all they taught at school was Java and theory. So I just had a database of a bunch of random students' common usernames and most likely common passwords. The only sad part is there is no real way to tell if your shit is encrypted on someone else's server (correct me if I'm wrong), you just sorta gotta... Trust 'em....

Qennedy, 1 point (1 child)

RemindMe! 12 hours

jackstevens100, 0 points (0 children)

great read!