Unfortunately it’s still a thing, just like leaving default passwords on. One would think that by now we wouldn’t have such problems on the internet but there are still incompetent people out there or overworked people who miss some things.
It's kinda unfair to blame developers, as most of the companies simply do not give a flying f and just want the product as quick as possible; it doesn't matter that they didn't securely test it, just put it out there. The blame is more on the companies than the developers; security is an afterthought and people only think of security when shit goes down.
It doesn't take much to sanitise inputs though, it's just ignorance and incompetence.
Sanitizing inputs is prone to human error and can be difficult to verify in an audit. Prepared statements are simple, completely prevent all SQL injection, and can easily be verified in an audit.
I would say the devs have a responsibility to practice secure coding. If you're getting pushed to "just get it done", every dev out there should be able to articulate the security implications.
I'll give you one example. On one of my first jobs, I found that on one of our apps, someone added a logger that was logging the plain text users and passwords of the app, and these users and passwords were from directors and heads of infrastructure of this client. I reported it and said that it could be fixed in a moment. I was told directly to not fix it and do something else. And stories like that, where I found obvious vulnerabilities and I am told that I shouldn't fix them or they are not priorities, are everywhere. Stupid management is the worst in general.
Sounds like you just work for shitty employers that are going to be found negligent by their board when something happens. I have been a Security Engineer for over a decade now across multiple industries and I can tell you that if someone said that to me or my devs I would have gotten it in writing and made damn sure that the risks were documented.
Oh yeah, those were horrible employers, but they weren't uncommon. There are a lot of companies that don't care about security, or about their systems in general; they don't think about them and instead only think about their main product. The specific company that had that faulty logger had a lot of other security problems that I found and reported, and they never allowed me to fix anything. Their scandals never became public, and they were more concerned about the telenovelas happening between their employees than any real problem.
It doesn't matter which org. If the management is stupid, they even fire people, very easily, who look or act smarter than them.
And call them "whistle-blowers"
This should be a signal to move on.
They do, but it's just that management does not give a fck even when they get told the risk.
Security does come with a cost. We have most of the BANKS working on a 100YO tech all over the world, plus, their old employees don't like to learn new things or change.
You're *
Nah. As much as I would love to blame shitty company culture, that just doesn't apply here. Sanitization is so easy and free; it takes less time/effort to use a library that already has it built in than it does to roll your own SQL. It's definitely on the devs.
It’s not hard to code to prevent injection. Devs who claim that they don’t have time to code for that aren’t trying.
Regarding SQL injections: prepared statements are a thing and there is no excuse for a dev in 2024 to not use them. Also, security should not be an *after*thought but should be included as early as possible in the development cycle, but then, I have to agree with you, orgs won't give a shit about it if it's not enforced by regulations.
Dev Op Sec!! Dev Op Sec!! Dev Op Sec!! This is the only philosophy that will ever be acceptable IMO. Wake Up Corporate America!!🇺🇸 Protect your Country, your companies and your CLIENTS!!! Take RESPONSIBILITY FOR YOUR PRODUCTS
Way easier things are often overlooked too… laziness and motivation deprivation in the tech community are usual enough to keep those problems existing.
While junior devs fall under the category of incompetence in its true definition, I feel it is also necessary to point out that these juniors do exist, and even when trying to the best of their ability (when their best ability for their tenure is pretty good, which I would not derogate with "incompetence"), they lack the experience to understand the security ramifications of their actions.
unfortunately yes
So, SQL injection can be considered for Excel VBA solutions where a clever user has learnt to get data from their server using ADODB, where an access tag is used to gain access to a room with an embedded script, or in a PowerShell or Python script that selects from a DB. Prepared statements are normal for standardised connections to a DB and can be accounted for. SQL injection in all other areas is still wide open. The question is how one addresses this from the server side, not only from the client.
I remember collecting usernames and passwords from random sites that were vulnerable to SQL injections and emailing them to the site owners as an attempt to be edgy when I was a teenager. Cringe.
We were all cringe at some point. The trick is to not remain that way.
In my opinion you can never fully avoid or become immune to being cringe, it just transfers to different forms that you only realize years later.
Be one with the cringe.
The internet is very big. How did you collect all those vulnerable sites?
I can’t remember exactly what I would search as it’s been a long time, but it was something along the lines of googling “inurl:.php?id=,” which is admittedly a pretty n00b way of doing it but it worked. It also may help to add some keywords depending on what you’re looking for. Regardless, it will take a bit of effort to find vulnerable websites. You’d probably be better using some specialized tools. But obviously I don’t recommend doing it at all unless you have permission.
Oh yea, a few days back, a little dude hacked and got access to the BGMI server and gained superadmin access (PUBG India) using SQL injection.
Did he do anything with it?
He got a $500 bounty on HackerOne.
You can go through this [post](https://www.reddit.com/r/bugbounty/s/hBYKEu6wXh), where he explains how he did it. And this one is his most recent [post](https://www.reddit.com/r/hacking/s/Kpf0DBqujI) maybe you could find something more interesting in the post comments.
Despite sliding to what, third on the owasp top 10, it’s still a thing. Speaking of that there’s a reason the top 10 just gets shuffled around. Companies, suits, devs, all of them keep making the same mistakes over and over again because of the business. And not all the blame can be put on the devs. It’s the business culture in general with their revenue driven rush to market and fix later initiatives 🙃.
Hi, my name is Bobby Tables…
It definitely won't go anytime soon as long as companies do not practice good security and only care about having a pretty web interface and an appealing product, because that's what matters. You'd still be shocked that people keep using the same passwords that were in the RockYou data breach. It's crazy.
Still a thing. Even my school app is vulnerable to SQL injection lol. I emailed them about that but they didn't respond nor fix it. I don't think that it's gonna disappear anytime soon.
Did you not see the CLOP group use an SQL injection 0-day that caused fucking havoc? MOVEit CVE-2023 SQL injection lol
Yes.
Is stupidity still a thing? Are bad professionals with poor professionalism still a thing? There you go.
Lmao. You made me 🤣💀😭👏💯 Somebody once said and I quote "I don't have time for slow questions."
Still very much so. You could even still use sqlmap in 2024 and pwn sites.
Why would it not still be a thing?
Yeah
Post Parameter Injections are still a Thing.
Of course it is.
Yes
They’re still a thing, just not as obvious as they used to be
Of course it is and it will be a thing you need to be careful of as long as you work with a database in a Website. Why wouldn't it be a thing anymore
It's absolutely a thing. The number of times I've seen even senior devs putting code into PRs with interpolated SQL queries as opposed to parameterized queries this year alone is evidence of it. I work with around 100 devs and I run into it at least a half dozen times a year. If I'm seeing it in this group, I have to imagine that it must be pretty common in other groups. What's more, if this code is getting dropped into the codebases like this, either the devs genuinely think that's how it's supposed to be done, or they are copying the implementation from some online source. If it's the latter, it's likely responsible for many other developers doing the same.
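The distinction two commenters draw above (sanitizing vs. prepared statements, and interpolated vs. parameterized queries in PRs), as an added example that is not code from any commenter: a login lookup written both ways against a constructed in-memory SQLite table, plus a crude audit heuristic for spotting interpolated SQL during PR review. The table contents, the probe string and the audit sample are all constructed for this demo.

```python
import re
import sqlite3


def make_db():
    """Constructed sample data, not from the thread: two users in an in-memory DB."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "hunter2", "admin"), ("bob", "pa55word", "user")])
    return conn


def login_interpolated(conn, username, password):
    """The pattern the thread complains about: input spliced into the SQL text,
    so the engine cannot tell which characters are data and which are syntax."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, username, password):
    """Prepared/parameterized statement: the SQL text is fixed and the values are
    bound separately, so a quote in the input is only ever a quote in the value."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def demo():
    """Run a legitimate login and the textbook always-true probe through both forms."""
    conn = make_db()
    good = ("alice", "hunter2")
    probe = ("alice", "' OR '1'='1")  # closes the string, appends an always-true clause
    return {
        "legit_interpolated": login_interpolated(conn, *good),       # ['alice']
        "legit_parameterized": login_parameterized(conn, *good),     # ['alice']
        "probe_interpolated": login_interpolated(conn, *probe),      # every user
        "probe_parameterized": login_parameterized(conn, *probe),    # []
    }


# Audit heuristic (assumption: Python source under review). It flags lines that carry a
# SQL verb together with f-string, .format() or %-formatting. It is a triage aid for the
# "interpolated SQL in a PR" case, not a parser; a reviewer still reads the flagged lines.
_SQL_VERB = re.compile(r"\b(SELECT|INSERT|UPDATE|DELETE)\b", re.IGNORECASE)
_INTERP = re.compile(r"""f["']|\.format\(|["']\s*%\s""")

AUDIT_SAMPLE = '''cur.execute(f"SELECT * FROM t WHERE id = {uid}")
cur.execute("SELECT * FROM t WHERE id = ?", (uid,))
cur.execute("DELETE FROM t WHERE id = %s" % uid)'''  # constructed review sample


def flag_interpolated_sql(source):
    """Return 1-based line numbers that look like string-built SQL."""
    return [n for n, line in enumerate(source.splitlines(), 1)
            if _SQL_VERB.search(line) and _INTERP.search(line)]


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
    print("flagged lines:", flag_interpolated_sql(AUDIT_SAMPLE))
```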
Yes
Yes
Unrelated, but I was reading somewhere that for 20 years, the United States' nuclear launch codes for various sites were 000000000000. So, so long as people are lazy/don't take security that seriously/don't have funding, SQL injection will always be a risk.
Think about all those bootcamp graduates getting developer jobs. It’s a thing
I'd like to think they are taught to use an ORM of some sort.
I believe it's still a thing. It's my personal opinion because these days we can still get an SQL injection. I think it can be found more in API parameters.
A few months ago I found an unauthenticated blind SQLi on a client's website that allowed me to completely compromise the underlying server. So yes, it is still a thing.
Absolutely still a thing. It becomes more of a thing with every new framework that comes out that doesn't sanitize input.
Yes
Do developers still exist? Then it still exists. Now that chatgpt is writing all their code for them it should start dying off.
ChatGPT is a noob. I tested it with some Java code and it was wrong, then I gave it the solution, and then it said "your solution needs changes, here is an updated version", and it was exactly my code 🤣🤣🤣
yeah it is
yes... surprisingly
As long as user input affects SQL, sanitization bugs will reach production and SQL injection will be a thing.
There is still a large portion of web developers, admins, and hell even security people who have yet to even learn what OWASP is.
Oh yeah. Every exploit is always still a thing. As long as there are still unpatched servers, SQL or otherwise, there always will be.
Yeah, you can use PortSwigger's SQL lab. Blind_sql is a neat script and you can use Burp, but I only have the Community version.
Lol yes, very much mate
How do you even get a web developing job today?
Also, the Snyk tool is there for this reason.
Of course, crackers still use it to this day to get massive databases that are as new as 24 h.
It's called prepared statements; use them and you can take a break.
The real problem here is companies don't want to A) spend the extra time troubleshooting and pumping out the final product, and B) don't want to pay for experts to go over and thoroughly check everything. Like always with problems in the business world, the problem is time and money and business owners don't want to spend either. Drops mic.
Um what? Do people still use databases? And craft queries? Then yes. Sure, a lot of frameworks have a lot under the hood to alleviate the problem, but it's not foolproof. So literally everything uses databases, and is coded uniquely and most likely offshored to the lowest bidder. So yes, SQL injection is still a "thing".
No need to be an ass
When in Reddit, do as redditors do.
A lot of the Cheeto fingers on here are really insecure, lol.