1000 Monkeys

Strazzere, Joe

Why did you delete my comment? You didn't even bother to message me to let me know what you thought the issue was.

Half of the reason I posted it is because charlatans like you really annoy me.

You posted a load of SQL injection links, like you are the master or something. Then when it comes to you seeing one for real, you didn't even notice. That really annoys me.

Here is strazza's original post. (Some editing done so it comes under fair use laws.)

===

July 22, 2006 - Thinking Like a Professional Tester

This time, one person was asked to go and delete a bunch of test accounts that had been added to a system. She deleted most of them but reported that some couldn't be deleted. She wasn't sure why, but they just "wouldn't delete". She didn't seem concerned.

I asked her to put together a list of the accounts which could be deleted and those which could not. When I saw the list, it appeared that all of those which couldn't be deleted had apostrophes in the name.

It turned out that accounts containing special characters in the name could not be deleted. This bug had been there for quite a while. People testing the system in the past had noticed the problem, but hadn't understood why it happened. Even the customer had noticed the problem, but had just asked the developers to go into the database and delete the accounts.

===

My response, as deleted by strazza:

I am assuming (yes yes, I know) that they couldn't be deleted because of a statement something like

    delete from dbo.accounts where name = '$userinput'

I will be amazed if it was not a SQL error that caused the problem. If this is the case then you have a much bigger issue than not being able to delete an account.

I just read that the developer fixed this by manually deleting the accounts - hahahahaha - who knows how many haxx0rs you already have owning your systems. Man, you must really suck at testing.

If this is a public-facing server then anyone can have full access to the server. If it is internal then an outsider could still bounce an attack.

For example, what if I created a username that was ' ; drop table dbo.accounts --

Joe, go ask the programmer why he is not doing input validation on an obvious candidate for attack, then maybe you might want to read up on SQL injections? It could give you a load more stuff to just cut n paste into your blog and make it seem like it is your own.

Here is a URL for you.

http://www.unixwiz.net/techtips/sql-injection.html

This is the real difference between professional testers and test monkeys. Real testers have a clue about the bigger picture and do not just say "this is a bug", log it, forget it. They learn why the bugs are bad, what coding issue could have caused it and then move on, with their newly acquired knowledge. Real testers know why bugs are bugs and their implications. There is no fix for this issue, except input sanitation.

> Even the customer had noticed the problem, but had just
> asked the developers to go into the database and delete the
> accounts.

Oh my life. So the coder saw the issue, didn't realise the potential for abuse.... I wonder if your customers would like other customers to see all their private info?

Heh, sack that coder!!!

===
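The failure diagnosed in the comment above, as an added example that is not part of the original post or of anyone's production code: a DELETE built by string concatenation (hypothetical, modelled on the statement guessed above) fails on a name containing an apostrophe, which is exactly the "won't delete" symptom, while the parameterized form deletes that name cleanly and treats the username from the comment as nothing more than an unknown name. It assumes Python's sqlite3 module and a constructed accounts table.

```python
import sqlite3

# Constructed sample data: test accounts, one with an apostrophe in the name.
ACCOUNTS = ["alice", "bob", "o'brien"]


def fresh_db():
    """Build an in-memory accounts table (constructed for this example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (name TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?)", [(n,) for n in ACCOUNTS])
    conn.commit()
    return conn


def delete_concatenated(conn, name):
    """The shape the comment assumes: user input pasted into the SQL text.
    An apostrophe in the name closes the string literal early, so the
    statement is malformed and the delete fails. Returns the number of
    rows deleted, or None when the statement does not even parse."""
    sql = "DELETE FROM accounts WHERE name = '" + name + "'"
    try:
        cur = conn.execute(sql)
        conn.commit()
        return cur.rowcount
    except sqlite3.OperationalError:
        conn.rollback()  # no-op here: a parse error never opened a transaction
        return None


def delete_parameterized(conn, name):
    """The fix: bind the name as a parameter. The driver passes it as data,
    never as SQL text, so any character is simply part of the name."""
    cur = conn.execute("DELETE FROM accounts WHERE name = ?", (name,))
    conn.commit()
    return cur.rowcount


def remaining(conn):
    """Names still in the table, sorted, so results are easy to compare."""
    return [row[0] for row in conn.execute("SELECT name FROM accounts ORDER BY name")]


if __name__ == "__main__":
    db = fresh_db()
    print("concatenated, plain name:", delete_concatenated(db, "alice"))
    print("concatenated, apostrophe:", delete_concatenated(db, "o'brien"))
    print("parameterized, apostrophe:", delete_parameterized(db, "o'brien"))
    print("left in table:", remaining(db))
```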

I have worked with many people like strazza before. They think the world wants to hear their bullshit and misunderstanding of things, that people care.... that they are better than everyone else... It's fools like this that give testers a bad name.

Sack yourself too - for not realising the issue and then posting to the world and showing your lack of knowledge, especially as you professed to be an expert on this before. Go back to cutting and pasting; at least some people think you have something worthwhile to say (little do they realise it is actually someone else's words).

Here is a link to your SQL injection post - notice that you posted the above URL too... shame you never read it. (I wonder if you will delete that too. Heh, nothing like ignoring an issue.)

http://www.sqablogs.com/jstrazzere/151/SQL+Injection.html

10:40 - 3/8/2006 - comments {1}
