I saw a post on my Oracle security forum
titled "Please don't do SQL injection
" that refers to a blog on Tom's site the refering to an entry on the http://worsethanfailure.com/Articles/Securing-Secure-Security.aspx - (broken link) Worsethanfailure site about a bank that has an error screen that is presented under circumstances when you try and add a security phrase. This is great, but sad. How does code like this for a bank get into production? - don't they do code reviews? - don't they have secure coding training, don't they know not to send meaningfull errors back to the client. worse they advertise that its possible to SQL Inject??? this is crazy, if they add an error telling people to not send in parts of the SQL language as a security phrase does that mean that if you do it will detect only those keywords? what about others, what about the fact that they have told the user that the security phrase is written to a database table? and it is added into a concatenated string - OK, I am being sarcastic, I realise the issues here! - how does code like this get into the mainstream, is it real or a dummy? - real i guess.
July 9th, 2007 at 10:16 am
Pete Finnigan says:
Banks are pretty lame. I reported a phishing issue to a major UK bank and it took over a year to fix it.
The flaw wasn't a showstopper (they used a redirector script, so you could make URLs that started "www.abigbank.co.uk" point to arbitrary sites) but it wouldn't have got past a rudimentary security code review or penetration test.