top | item 39084029

0x00_NULL | 2 years ago

On the contrary, make all of your passwords “DROP TABLE users;”. You’ll quickly sort out which passwords are being handled so insecurely by your vendors. This would mean they both don’t sanitize user input and don’t hash or otherwise obscure your password. They are a menace to society.
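
The point above, that a password of "DROP TABLE users;" is only dangerous to a vendor who both builds SQL by string concatenation and stores the password in the clear, can be checked directly. The following is an added example, not code from the thread: a minimal user store that uses parameterized queries and salted PBKDF2 hashing, so the literal password never reaches the database as SQL text and never appears in storage. The schema, iteration count and helper names are assumptions for the illustration.

```python
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ITERATIONS = 600_000  # assumed for the example (OWASP guidance for PBKDF2-HMAC-SHA256)
SALT_LEN = 16


def hash_password(password: str, salt: bytes = b"") -> bytes:
    """Return salt || PBKDF2-HMAC-SHA256(password, salt); fresh salt if none given."""
    salt = salt or os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")  # constructed in-memory database for the demo
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pw BLOB NOT NULL)")
    return conn


def register(conn: sqlite3.Connection, name: str, password: str) -> None:
    # '?' placeholders: the driver passes values out-of-band, so the text of
    # the password is data, never part of the SQL statement being parsed.
    conn.execute("INSERT INTO users (name, pw) VALUES (?, ?)", (name, hash_password(password)))


def login(conn: sqlite3.Connection, name: str, password: str) -> bool:
    row = conn.execute("SELECT pw FROM users WHERE name = ?", (name,)).fetchone()
    return row is not None and verify_password(password, row[0])


def table_exists(conn: sqlite3.Connection, table: str) -> bool:
    row = conn.execute("SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (table,)).fetchone()
    return row is not None


def demo() -> dict:
    pw = "DROP TABLE users;"  # the password suggested in the comment above
    conn = open_db()
    register(conn, "alice", pw)
    stored = conn.execute("SELECT pw FROM users WHERE name = ?", ("alice",)).fetchone()[0]
    return {
        "table_survives": table_exists(conn, "users"),   # the statement was never executed
        "plaintext_absent": pw.encode() not in stored,    # only salt + hash is stored
        "login_ok": login(conn, "alice", pw),
        "wrong_pw_rejected": not login(conn, "alice", "DROP TABLE user;"),
    }
```

A WAF in front of such a service gains nothing from blocking SQL keywords in the password field; the vendors the comment describes are the ones for whom that blocklist is doing the work the code should do.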

jesprenj|2 years ago

AFAIUC, the reason for the word blacklist here lies in the fact that some applications have WAFs or similar software that detect malicious requests and since passwords are sent in plaintext to the WAF, they are detected as malicious exploitation attempts, if they imitate SQL injections, although your parent comment did not give any concrete examples.

nijave|2 years ago

Surely if you've resorted to blocking random SQL keywords you've already lost. SQL has a pretty big dialect not to mention arbitrary functions and procedures that might exist.

For instance, TRUNCATE isn't even in the list.

nicolas_t|2 years ago

Bingo... I hate WAF with a passion, wasted so many hours debugging weird issues when it turned out that they were blocked by some kind of black box WAF the client put in front of their systems.

iforgotpassword|2 years ago

"malicious" requests in this case. I actually dealt with a contact form of a health insurance company that had something like this going on, but there wasn't any error page showing up, you just got a blank page after submit if something resembled SQL. In my case it was the words "select" and "from" too close to each other in a sentence.

jamesfinlayson|2 years ago

Ah, makes sense - someone in a business unit was having a weird failure updating something last week and I couldn't see any failures in the application logs. I looked on their computer and could see that Akamai was blocking the request, and after some trial and error I found that it was because a text field contained (* - which it thought looked like SQL.

balou23|2 years ago

Someone said you couldn't put ../../../../etc/passwd here in Hacker News due to the Cloudflare WAF. Let's see...

Aeolun|2 years ago

Oh, yeah. My Infra As Code state was also blocked by the WAF because it looked too much like SQL injection apparently.

LoveMortuus|2 years ago

Interesting that such situations occur even in academic circles. Especially on the scale of a whole university.

Oh, since it's the University of Ljubljana, warm greetings from Maribor! ^^

I guess one could also do "DROP TABLE *", should they want to experience what it means when Google removed "Don't be evil" from the preface of their Code of Conduct.