> IHateForALiving: I have added markdown on the client! Now the sys admin can use markdown and it's going to be rendered as HTML
> Team leader: ok, I've seen you also included some pics of the tests you made. It's nice, there's no XSS vulnerabilities, now I want you to make sure you didn't introduce any SQL injection too. Post the results of the tests in the tickets, for everybody to see.

I've been trying to extract from him for 15 minutes how sending a text through a markdown renderer on the client is supposed to create a SQL injection on the server. I've also been trying to extract from him how showing all of this to the world would improve our reputation.
I miserably failed. I don't know how the fuck I am supposed to test this thing, and if a colleague wasted time to make sure some client-side rendering didn't create a SQL injection I'd make sure to point and laugh at them every time they open their mouth.
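As an added illustration (not the poster's code, and not the renderer the post is about), here is a minimal client-side Markdown renderer showing the two checks that actually matter in a browser-only renderer: HTML escaping and link-scheme filtering. A SQL-injection-looking string passes through as inert text because no query is ever built; `renderMarkdown`, `escapeHtml` and `safeUrl` are hypothetical names chosen for this example.

```javascript
// Hypothetical minimal Markdown-to-HTML renderer, written for this discussion.
// Supports only headings, bold, inline code and links. The security-relevant
// work is escaping user text before markup is applied and allowlisting link schemes.

const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape every character that could open a tag or attribute in the output.
function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Allow only http(s) and mailto links. The input is already HTML-escaped, so
// anything else (javascript:, data:, vbscript:, ...) is replaced by a dead link.
function safeUrl(escapedUrl) {
  const trimmed = escapedUrl.trim();
  return /^(https?:\/\/|mailto:)/i.test(trimmed) ? trimmed : "#";
}

function renderMarkdown(md) {
  return md
    .split("\n")
    .map((line) => {
      // Escape first, then apply markup, so user-controlled text never becomes HTML.
      let html = escapeHtml(line);
      const heading = html.match(/^(#{1,6})\s+(.*)$/);
      if (heading) {
        const level = heading[1].length;
        return `<h${level}>${heading[2]}</h${level}>`;
      }
      html = html.replace(/\*\*(.+?)\*\*/g, "<strong>$1</strong>");
      html = html.replace(/`([^`]+)`/g, "<code>$1</code>");
      html = html.replace(
        /\[([^\]]+)\]\(([^)]+)\)/g,
        (_m, text, url) => `<a href="${safeUrl(url)}">${text}</a>`
      );
      return `<p>${html}</p>`;
    })
    .join("\n");
}

// Constructed sample input: a classic SQL-injection string is just text here.
const sample = "' OR 1=1; --";
console.log(renderMarkdown(sample)); // <p>&#39; OR 1=1; --</p>
```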

Comments
  • 5
    Anyone who attempts or demands proof of security by example doesn't know the first thing about security.
  • 4
    I had this task in uni, upon requesting clarification I was told to prove "the existence of countermeasures", so my SQL injection protection was to reject the string literal "` or 1 = 1;" in the password field.

    I was using an ORM.
  • 11
    @lorentz Well, he can do the same. Just put the SQL injection in the markdown field and show that nothing happens. Security: check.
  • 3
    You can prove this by logical deduction: The output is generated client side and the server code didn't change. Therefore all SQL injections existing after the addition already existed before.
  • 3
    Remove the production database, deploy only the markdown stuff.

    Prod database is gone forever, but the markup thing runs perfectly fine.

    QED.
  • 1
    @IntrusionCM they will then try to migrate their DB to Markdown since it is obviously the most reliable data store...
  • 6
    Just got fucking scolded because I'm refusing to post the results of my SQL injection test.

    In a client-only markdown renderer.

    I WILL NOT SCREAM TO THE WORLD "IHATEFORALIVING DOESN'T EVEN KNOW HOW TF A CLIENT WORKS AND WASTED HOURS TO PERFORM TESTS WITH ABSOLUTELY NO VALIDITY". YOU WANT TO POST THE RESULTS FOR THESE TEST YOU DO THAT YOURSELF, I WILL NOT DO THAT WITH MY OWN FUCKING NAME
  • 2
    @IHateForALiving

    I'd be willing to sign an NDA and join the conversation.

    Just for the laughs of it.
  • 2
    @IHateForALiving ask him: would you also like me to post that there is no SQL injection vulnerability in my bike? It's just as stupid to test, as it does exactly the same amount of SQL as the Markdown renderer.

    If that doesn't do the trick, just make a joke posting about it, and list things like a rock and the Rock: security solid as a rock.