Human SQLi

Do you remember Tiger King? It feels like a long time ago now, and by 2020 standards it feels like the time when things were normal.

So, I was quite surprised to see Carole Baskin trending on Twitter. I thought maybe she had her own show coming out, or that she had been found guilty of murdering her husband.

But no – this was something quite different.

Now, let’s talk about SQL injection, one of the long-standing security issues that still makes its way into applications. At a high level, the application can’t differentiate between an input and a command. Suppose you go to court and tell the court clerk that your name is “Case Dismissed”. The judge then says, “Next up, Case Dismissed”, and you walk out of there smiling, because “Case Dismissed” was interpreted as a command rather than as an input.
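The court-clerk analogy in code. This is an added example, not from the original post: a lookup that splices the caller’s text into the SQL (the clerk reading whatever you said) next to one that binds it as a parameter (the clerk treating it strictly as a name), plus a regression check that a query helper really does treat its input as data. The table contents and probe strings are constructed for the demo.

```python
import sqlite3

# Constructed sample table (not from the post): a few users, one of whom
# has a perfectly legitimate apostrophe in their name.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "user"), ("O'Brien", "user"), ("root", "admin")])
    return conn

def lookup_concat(conn, name):
    """Vulnerable: the caller's text is spliced into the SQL source, so the
    parser has no way to know where the data stops and the command resumes."""
    return conn.execute(
        f"SELECT name, role FROM users WHERE name = '{name}'").fetchall()

def lookup_param(conn, name):
    """Hardened: the statement is parsed with a placeholder first; the value
    is bound afterwards and can only ever be compared as data."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()

def probe(lookup, name):
    """Run one lookup and report what the database actually did with the input."""
    conn = make_db()
    try:
        return lookup(conn, name)
    except sqlite3.OperationalError as exc:
        # A syntax error means part of the input was read as part of the command.
        return f"syntax error: {exc}"

def treats_input_as_data(lookup):
    """Regression check for a query helper: True only if every probe input is
    matched literally (no parse error, no rows beyond an exact name match)."""
    probes = ["O'Brien", "' OR role = 'admin"]
    for name in probes:
        rows = probe(lookup, name)
        if not isinstance(rows, list):
            return False          # the input reached the SQL parser
        if any(r[0] != name for r in rows):
            return False          # the input changed what the query matched
    return True

if __name__ == "__main__":
    for fn in (lookup_concat, lookup_param):
        print(fn.__name__, probe(fn, "O'Brien"), treats_input_as_data(fn))
```

Note that the apostrophe in O'Brien alone is enough to break the concatenated version: no hostile intent is needed for input to be read as command, which is why the fix is parameter binding rather than filtering “bad” characters.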

I made a video on the topic a couple… err, no, seven years ago. Woah, look how young I was back then!

Youthful handsome looks aside, the question is: can SQLi techniques be used on humans? Well, maybe not precisely, but the same principles apply wherever there is no input validation to ensure the information being provided is what it claims to be.

The case in point brings us back to Carole Baskin. She seemingly offers a pay-for-birthday-wishes service, where anyone can request a personalised birthday message, recorded and published by her.

So, the question is, can you put in any request, and would she regurgitate it without any validation?

The answer is a resounding yes. Someone asked her to wish a happy birthday to Rolf Harris, the Australian (Britain-resident) children’s presenter and convicted sex offender, from “all the kids he has touched”. Then, to make things worse: “I hear there’s a lot of great stories about you and your best friend Jimmy Savile.”

The Baskin video is here:

So, I guess the lesson is the same, whether you’re a web application or a human: don’t trust anything that anyone says to you.

*** This is a Security Bloggers Network syndicated blog from Javvad Malik authored by j4vv4d. Read the original post at: