53 Comments
- CrookedAsterisk, on 10/12/2007, -0/+15: The video doesn't focus too much on the SQL injection itself, but rather how to "disable" client-side restrictions, which is really quite unnecessary when it comes to SQL injections, since modifying the original form isn't the only way to get the data back to the server.
- blackax, on 10/12/2007, -0/+11: so tell me why people use client-side scripts to check username, pass.
- hello2usir, on 10/12/2007, -0/+11: Welcome to 1993
- inactive, on 10/12/2007, -0/+10: Lmao, I loved the enthusiasm too. It was narrated very well :)
- CrookedAsterisk, on 10/12/2007, -0/+9: ' OR 1=1--
Which will satisfy a condition in the SQL query no matter what, so that the user will be authenticated. It will say, "allow the person to be admin if the user name 'h4x0r' exists and if the password is '' (blank) or if 1 equals 1 (which it always will be)."
- inactive, on 10/12/2007, -0/+9: what is the injection code he's using?
? or 1=1 --
- Bjehsus, on 10/12/2007, -0/+6: Would have been a lot easier to just disable Javascript, and use Firefox's DOM inspector to edit the HTML live, rather than using notepad and stuff.
- Fluxx, on 10/12/2007, -0/+4: Just so we all are on the same page, to stop this attack from happening, even with disabling the javascript, you should use something similar to PHP's mysql_real_escape_string() function to escape all user input.
http://us3.php.net/mysql_real_escape_string
so his first ' would have become \' and not ended the query string.
- CrookedAsterisk, on 10/12/2007, -0/+4: I think the answer to that would be pretty obvious. At the start of the video, he says "I've been commissioned to do a web server security audit."
- FLarsen, on 10/12/2007, -0/+4: Instead of rewriting the source, can't he just find the function and type this in the address bar:
javascript:function thefunction(condition){return true};
That's what I do.
- Mygly, on 10/12/2007, -1/+5: I titled it SQL injection because that's what the name of the video was. However, I agree 100% with your comment. There are various other ways to go about getting data back to the server.
- inactive, on 10/12/2007, -2/+5: Yeah, if you don't mind hearing "worst... movie... ever"... in your head over and over while he talks.
- zephc, on 10/12/2007, -0/+3: Javascript is a cool, zero-refresh way of basic authentication (checking, say, format with a regex) but actual validation should always be a non-javascript, round-trip process. You *could* use xmlhttprequest to send the l/p, but again all the real validation should be on the server.
- monkeyBox, on 10/12/2007, -0/+3: Sometimes you can't disable javascript without rewriting some of the page. It still would have been much easier to do that with firebug or greasemonkey (firefox extensions).
- konsl, on 10/12/2007, -0/+3: Oh, you can see, she was born in 74.
- trutwin, on 10/12/2007, -0/+3: Javascript for the 99% of normal naive users of the app who aren't smart enough to view the HTML source, much less knowingly hack anything to circumvent simple client-side validation. This way you can catch invalid data without additional server requests.
Server-side to handle anyone who attempts to tamper with or bypass your client-side validation.
At an entry level DB course I teach we cover SQL Injection and it's always amazing to see students' reactions when you show them how easy it is. Server side scripts should NEVER trust the input they get. Sadly I can say from experience that the exposure new CS students get to these kinds of important topics is pretty much nil.
- appletalk, on 10/12/2007, -2/+5: Why didn't he just disable Javascript? He doesn't seem very experienced to me, he even uses Internet Explorer.
- seanmac, on 10/12/2007, -0/+2: PHP using the $_POST variable seems to automatically convert the ' to \'
(LOL, digg won't let me post the backslash)
Is there a way around this? (no I'm not trying it on random sites, I'm testing my own app)
- seanmac, on 10/12/2007, -0/+2: Nevermind, hashing the password with md5 negates this technique
(sorry for multiple replies to my own comment)
- Mambo, on 10/12/2007, -0/+2: A link is usually a good idea for someone to 'checkout' a site.
- haslo, on 10/12/2007, -0/+2: Or just use something like the Tamper Data addon to change the submitted data :)
- seanmac, on 10/12/2007, -0/+2: Argg, I am trying to type backslash ' but digg won't let me...
- sideral, on 10/12/2007, -0/+2: I think his point is best explained without any additional software, since that can make newcomers think that actually the software is doing all the magic. Clearly the video is intended as a demonstration for newcomers and for that purpose, notepad is good enough. It is a good teaching practice not to introduce more than necessary in what you are trying to show. Although he doesn't go deep into the details of why that attack works, he does a good job raising the interest of the audience. A digg for that.
- wadabalabadi, on 10/12/2007, -0/+1: You can use addslashes() in PHP
http://ca3.php.net/addslashes
- Mygly, on 10/12/2007, -1/+2: I originally submitted this to tech>security, but it was moved to educational videos.
- Dom02, on 10/12/2007, -0/+1: the guy in the video said he was auditing the website. So he's not just somebody taking advantage of an insecure website. So he was hired to do this and told them how to fix it before releasing the video.
- QuicksilverJohn, on 10/12/2007, -2/+3: Shouldn't this be in Tech>Security, even though it's a video?
- JustAQuark, on 10/12/2007, -1/+2: Just read the posts above, 3 or 4 guys explained it ......
- CrookedAsterisk, on 10/12/2007, -1/+2: It's a fast way of validating data or correcting any mistakes from the user without having to talk back to the server, which also means less for the server to take care of. But it shouldn't ever be used in a way that the application is 100% reliant on it to filter out anything malicious, like in the example.
- kdehead, on 10/12/2007, -0/+1: people are still doing client side validation????
cool video though. more of these should be posted - just to wake inexperienced webmasters up to the dangers out there.
- Kilroy2004, on 10/12/2007, -0/+1: Link for you: http://www.hackthissite.org/
- rageguy, on 10/12/2007, -0/+1: DOM Inspector can change a password field to text, plus it can delete the javascript from the live page.
I use it all the time to tamper with my websites and make sure they're secure, or just to see if a slight one pixel adjustment will fix something; it's more convenient for me than creating files everywhere or downloading extra extensions on the system I happen to be using.
Two screens, DOM Inspector on one, browser window on the other, best web tinkering tools I've ever used, particularly as it's on almost every system I come across on our network.
- appletalk, on 10/12/2007, -0/+1: For those who want to try this on other sites, Firefox Web Developer toolbar could be very useful
- kev009, on 10/12/2007, -0/+1: The Clear Eyes man can perform an SQL injection. WOW!
- freexe, on 10/12/2007, -0/+1: "Otherwise be prepared for your application to crawl once it hits a decent number of users."
You would have to have 100,000s (maybe millions; people don't log in/fill out forms all that often) of users for it to begin to crawl, and run a donkey of a validation script.
Plus if you have that many users I would expect the developer to be competent enough to do both.
New developers should concentrate on security and a scalable system that can have javascript added later
- wadabalabadi, on 10/12/2007, -0/+0: When you create a web application, you have to think of the worst case: "Client = Hacker", and then proceed to design the system. I mean, they bothered to make an SSL channel, but they (developers) didn't think of server side input sanitization? What kind of work is that..
- freshwind, on 10/12/2007, -0/+0: This one is really interesting. I love it.
- zipzappodcast, on 10/12/2007, -0/+0: it is a good thing he didn't show any private information about her.
- gharding, on 10/12/2007, -0/+0: Or try using prepared statements. It's available in Perl with DBI, PHP with mysqli (not sure about the other db's), and in Java with java.sql.PreparedStatement. In all of these, the API takes care of the escaping.
- gonzo1773, on 10/12/2007, -0/+0: Totally dugg this. I was aware of the techniques before but it's still great to see someone post a video for it.
- moop2000, on 10/12/2007, -2/+2: Anyone know if this still works on the original site, or did he fix it before releasing the video?
- tomkroening, on 10/12/2007, -2/+2: Any website that doesn't check its inputs on the server side as well deserves to be hacked. That's programming 101... always assume that someone is going to try to break your program/site.
- Quakes, on 10/12/2007, -1/+1: Yeah... Our ASP teacher taught us this the first semester.
- creeptick, on 10/12/2007, -0/+0: The kind that gets done by different people who don't communicate within the company. Surprisingly, it happens very often in large companies.
- creeptick, on 10/12/2007, -0/+0: Easier? Not for demonstration purposes. (...since you wouldn't need to change the password field to text, etc.)
- apolloandi, on 10/12/2007, -2/+1: this was dugg a couple months ago
- LegendarySock, on 10/12/2007, -2/+1: Learned this from HTS a few years ago. Damn good site, check it out if you haven't yet.
- blackax, on 10/12/2007, -2/+1: I'm sorry, server resources are not that tight that it can't be done all server side. I understand what you guys are saying about not having to go back to the server to see if it's real or not, but for most new web devs it's just bad to show them this first. Because you need to teach them security first!
- darkroastbeans, on 10/12/2007, -3/+2: @teqman --
Sorry, I didn't read all the comments. I basically repeated what you said.
- darkroastbeans, on 10/12/2007, -4/+2: It has to do with the way you construct your SQL query. For example, let's say your query was this:
SELECT COUNT(*) FROM user_table WHERE username LIKE '' AND password LIKE '' LIMIT 1;
When he performs the injection, your query ends up being this:
SELECT COUNT(*) FROM user_table WHERE username LIKE 'bob' AND password LIKE 'somepassword' OR 1 = 1 --' LIMIT 1;
Now, the OR condition causes the query to return a count > 0 on either a) a successful match in the DB, or b) 1 = 1. It will always return a number because 1 = 1 is always true. The -- is a SQL comment, and causes the rest of the query to be ignored.
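Putting darkroastbeans' concatenated query next to the prepared-statement fix gharding mentions, as an added example that is not from the video or from anyone in the thread (Python with sqlite3 stands in for the PHP/MySQL setup; the table, the 'bob' row and the function names are constructed for the demo):

```python
import sqlite3

# The payload the thread is discussing, typed into the password field.
INJECTION = "' OR 1=1--"


def make_db():
    # Constructed stand-in for the video's user_table: one real account.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user_table (username TEXT, password TEXT)")
    conn.execute("INSERT INTO user_table VALUES ('bob', 'somepassword')")
    return conn


def build_query(username, password):
    # The query as darkroastbeans wrote it, assembled by string
    # concatenation: the input is pasted into the SQL text itself.
    return ("SELECT COUNT(*) FROM user_table WHERE username LIKE '" + username
            + "' AND password LIKE '" + password + "' LIMIT 1;")


def login_concat(conn, username, password):
    # Vulnerable login check. With the payload, the first ' closes the
    # password literal, "OR 1=1" makes the WHERE clause true for every row,
    # and "--" comments out the trailing "' LIMIT 1;" so the SQL stays valid.
    count = conn.execute(build_query(username, password)).fetchone()[0]
    return count > 0


def login_param(conn, username, password):
    # Fixed login check using a prepared statement, as gharding suggests:
    # the driver binds the values to the ? placeholders after the SQL has
    # been parsed, so the payload is only ever compared as a string.
    # "=" instead of LIKE also stops "%" and "_" in the input acting as
    # wildcards, a separate problem that quote escaping does not address.
    sql = ("SELECT COUNT(*) FROM user_table "
           "WHERE username = ? AND password = ? LIMIT 1;")
    count = conn.execute(sql, (username, password)).fetchone()[0]
    return count > 0


if __name__ == "__main__":
    db = make_db()
    print(build_query("h4x0r", INJECTION))
    print("concatenated:", login_concat(db, "h4x0r", INJECTION))  # True
    print("parameterized:", login_param(db, "h4x0r", INJECTION))  # False
```

The username 'h4x0r' does not exist in the table, yet the concatenated version still reports a successful login, which is exactly the bypass CrookedAsterisk describes above.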