Let me present to you the three main characters of my story:

* the programmer, played by Santa Claus
* the program, played by the head elf
* the cracker (the correct term for a hacker with ill intentions), played by the Grinch

The Grinch perfectly embodies the intentions of a cracker—he wants to destroy Christmas and plunder all the Christmas presents in the world. In this analogy, Christmas is your web app and all those precious Christmas presents are your web app's valuable data: customers' credit card numbers, PII, personal files, etc. For just this story's sake, let's believe that people come to Santa to collect their gifts instead of him coming to everyone's house.

Once upon a time, on Christmas Day, Santa prepared all the presents for the little girls and boys of the world. He assigned the head elf the task of handing each child a gift once they told the elf their name. Santa told the elf, "Get the present for ( ), and fill the blank with whatever the name is of the child you're serving." The head elf did as he was told: children came and gave their names to the head elf one by one, and each got their respective gift.

However, the Grinch came dressed as a child (because obviously no one would welcome the Grinch if they recognized him!) and said, "My name is Everyone." The elf wasn't prepared for this situation, because Santa had said to just get the present for whoever the child identifies as. The elf is confused and overwhelmed, and in that state of vulnerability the Grinch takes everyone's gifts.

This is an SQL injection. The program was trying to give the data set for a typical visitor, but the cracker was able to find a vulnerability in the programming and manipulate the program into giving him access to all the data. But here is the clever thing: let's say that when the elf asks the Grinch for his name, instead of saying "Everyone," he says, "Grinch, and burn all of the presents."

Now the elf will not only get the gift for the Grinch (though I doubt he would have one), but he will also burn the rest of the gifts.

So how do programmers protect against SQL injections? Well, they try to escape special characters in the web app's input (so that characters that are not part of an expected answer are not acted on as commands). An example of this would be Santa telling the elf, "You should not destroy any gifts. Also, only give one gift per person." So when the Grinch comes and asks for everyone's gifts, or says "Grinch, and burn all presents," the elf will not make a mistake.

It is difficult to find all the vulnerabilities in a program, which is why many large companies have dedicated programmers who work to find and remedy these vulnerabilities. Another option for companies to decrease these risks is to use sophisticated firewall systems that block harmful traffic to your web app, a.k.a. Santa hiring strong bodyguards in front of the gift shop who check the IDs of everyone entering to make sure that no Grinches ever get in. Large companies spend thousands of dollars to upkeep these firewall systems, but I find that small businesses can benefit from web application firewall (WAF) systems most of the time to prevent SQL injections. Of course, it is definitely recommended to work on programming your web app to limit vulnerabilities, or soon you will end up handing out a lot of presents to Grinches.
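To put the story into code, here is an added example (not from the original post) of the elf's lookup written two ways: the vulnerable version pastes the child's name straight into the query, so a name like "Everyone" matches every row; the hardened version binds the name as a parameter, the programmatic form of Santa's "one gift per person" rule. The `presents` table and the child names are constructed sample data.

```python
import sqlite3

# Constructed sample data: the presents Santa prepared (assumption for this example).
PRESENTS = [("Alice", "doll"), ("Bob", "train"), ("Carol", "book")]


def make_db():
    """Build an in-memory database holding the presents table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE presents (child TEXT, gift TEXT)")
    con.executemany("INSERT INTO presents VALUES (?, ?)", PRESENTS)
    return con


def lookup_vulnerable(con, name):
    """The elf fills the blank by string concatenation: whatever the visitor
    says becomes part of the SQL, so special characters are acted on as SQL."""
    sql = f"SELECT gift FROM presents WHERE child = '{name}'"
    return [row[0] for row in con.execute(sql)]


def lookup_safe(con, name):
    """Parameterised query: the name is sent to the database as data, so it is
    only ever compared against the child column and never parsed as SQL."""
    rows = con.execute("SELECT gift FROM presents WHERE child = ?", (name,))
    return [row[0] for row in rows]


# The Grinch's "My name is Everyone": a name whose quote character closes the
# literal and appends a condition that is true for every row.
EVERYONE = "x' OR '1'='1"


def demo():
    """Return what each version hands out for an honest child and for the Grinch."""
    con = make_db()
    return {
        "honest_vulnerable": lookup_vulnerable(con, "Alice"),
        "honest_safe": lookup_safe(con, "Alice"),
        "grinch_vulnerable": sorted(lookup_vulnerable(con, EVERYONE)),
        "grinch_safe": lookup_safe(con, EVERYONE),
    }


if __name__ == "__main__":
    for case, gifts in demo().items():
        print(f"{case}: {gifts}")
```

The vulnerable lookup hands the Grinch all three gifts; the parameterised one hands him nothing, because no child is literally named `x' OR '1'='1`.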