15
How to say you're vulnerable to code injection without saying you're vulnerable to code injection.
this post was submitted on 24 Jan 2024
15 points (94.1% liked)
Cybersecurity - Memes
3672 readers
5 users here now
Only the hottest memes in Cybersecurity
founded 2 years ago
MODERATORS
This is the result of some doc writer or middle manager not fully understanding what they've been told.
Maybe they filtered those strings to be safe, and put the notice there to answer the invertible "why won't it accept my password" queries.
It's a shitty password engine. But not necessarily uncleansed
If they're trying to protect themselves from code injection by rejecting certain user input like that, then they don't actually know how to protect themselves from code injection correctly and there may be serious vulnerabilities that they've missed.
(I think it's likely that, as others have said, they're using off-the-shelf software that does properly sanitize user input, and that this is just the unnecessary result of management making ridiculous demands. Even then, it's evidence of an organization that doesn't have the right approach to security.)
submits Drop Table as passphrase
Grabs popcorn
I don't believe this is real. This isn't real, right?
This is real - I took the screenshot myself.
Little Bobby drop tables
Oh BobbyTables, you little rapscallion...
I wonder, if you turn off JavaScript, does it allow you to perform SQL injections?
Is the front end the only thing protection or is the backend "also" doing work?
What zero string sanitation does to a mfr
Obligatory Little Bobby Tables: https://xkcd.com/327/
And for those who feel like saying they've already seen it: https://xkcd.com/1053/
We could still have some fun with ALTER TABLE
Looking at that I wouldn't be surprised if those rules are just client-side validation.
Didn't say anything about truncate!
So they’re not hashing or salting the passwords too. Cool…