Editing 327: Exploits of a Mom
Warning: You are not logged in. Your IP address will be publicly visible if you make any edits. If you log in or create an account, your edits will be attributed to your username, along with other benefits.
The edit can be undone.
Please check the comparison below to verify that this is what you want to do, and then save the changes below to finish undoing the edit.
Latest revision | Your text | ||
Line 8: | Line 8: | ||
==Explanation== | ==Explanation== | ||
− | [[Mrs. Roberts]] receives a call from her son's school. The caller, likely one of the school's administrators, asks if she really named her son | + | [[Mrs. Roberts]] receives a call from her [[Little Bobby Tables|son]]'s school. The caller, likely one of the school's administrators, asks if she really named her son <code>Robert'); DROP TABLE Students;--</code>, a rather unusual name.{{Citation needed}} Perhaps surprisingly, Mrs. Roberts responds in the affirmative, claiming that she uses the nickname "Little Bobby Tables." As the full name is read into the school's system's databases without {{w|Data sanitization#SQL injection|data sanitization}}, it causes the "Students" table in the database to be deleted. |
− | + | The title of this comic is a pun. ''Exploit'' can mean an accomplishment or heroic deed, but in computer science, the term refers to a program or technique that takes advantage of a vulnerability in other software. In fact, one could say that her exploit is to exploit an exploit (her achievement is to make use of a vulnerability). The title can also refer to her choice of name for her son, which is rather extraordinary. | |
− | The exploited vulnerability here is that the single quote in the name input was not correctly "escaped" by the software. That is, if a student's name did indeed contain a quote mark, it should have been | + | In {{w|SQL}}, a database programming language, commands are separated by semicolons <code>;</code>, and strings of text are often delimited using single quotes <code>'</code>. Parts of commands may also be enclosed in parentheses <code>(</code> and <code>)</code>. Data entries are stored as "rows" within named "tables" of similar items (e.g., <code>Students</code>). The command to delete an entire table (and thus every row of data in that table) is <code>DROP TABLE</code>, as in <code>DROP TABLE Students;</code>. |
+ | |||
+ | The exploited vulnerability here is that the single quote in the name input was not correctly "escaped" by the software. That is, if a student's name did indeed contain a quote mark, it should have been parsed as one of the characters making up the text string and not as the marker to close the string, which it erroneously was. Lack of careful parsing is a common SQL vulnerability; this type of exploit is referred to as {{w|SQL injection}}. Mrs. Roberts thus reminds the school to make sure that they have added data filtering code to prevent code injection exploits in the future. | ||
For example, to add information about Elaine to a data table called 'Students', the SQL query could be: | For example, to add information about Elaine to a data table called 'Students', the SQL query could be: | ||
Line 19: | Line 21: | ||
However, using the odd name <code>Robert');DROP TABLE Students;-- </code> where we used "Elaine" above, the SQL query becomes: | However, using the odd name <code>Robert');DROP TABLE Students;-- </code> where we used "Elaine" above, the SQL query becomes: | ||
<br><code>INSERT INTO Students (firstname) VALUES ('Robert');DROP TABLE Students;-- ');</code> | <br><code>INSERT INTO Students (firstname) VALUES ('Robert');DROP TABLE Students;-- ');</code> | ||
+ | |||
By insertion of the two semi-colons in the odd name, this is now three well-formed SQL commands: | By insertion of the two semi-colons in the odd name, this is now three well-formed SQL commands: | ||
Line 29: | Line 32: | ||
</code> | </code> | ||
− | The first line is valid SQL code that will legitimately insert data about a student named Robert | + | The first line is valid SQL code that will legitimately insert data about a student named Robert. |
− | + | The second line is valid injected SQL code that will delete the whole Student data table from the database. | |
− | + | The third line is a valid code comment ( -- denotes a comment), which will be ignored by the SQL server. | |
− | + | For this to work, it helps to know the structure of the database. But it's quite a good guess that a school's student management database might have a table named <code>Students</code>. | |
− | |||
− | + | Of course, in real life, most exploits of this kind would be performed not by engineering a person's name such that it would eventually be entered into a school database query, but rather by accessing some kind of input system (such as a website's login screen or search interface) and guessing various combinations by trial and error until something works, perhaps by first trying to inject the <code>SHOW TABLES;</code> command to see how the database is structured. | |
− | The title text references that Mrs. Roberts' daughter is named "Help I'm trapped in a driver's license factory". This is a play on how if someone is stuck and forced to work in a manufacturing factory/plant, then they will write on the product | + | To correctly and harmlessly include the odd name in the Students table in the school database the correct SQL is: |
− | <!-- Help I'm | + | <br><code>INSERT INTO Students (firstname) VALUES ('Robert\');DROP TABLE Students;-- ');</code> |
+ | |||
+ | Note that the single quote after Robert is now sanitized by a backslash, which changes it from malicious code to harmless data, and the full first 'name' of the student <code>Robert';DROP TABLE Students;--</code> is now stored correctly. | ||
+ | |||
+ | It should be noted that, while data sanitization can mitigate the risks of SQL injection, the proper prevention technique is to use {{w|Prepared statement}}s. | ||
+ | |||
+ | The title text references that Mrs. Roberts' daughter is named "Help I'm trapped in a driver's license factory". This is a play on how if someone is stuck and forced to work in a manufacturing factory/plant, then they will write on the product "Help I am trapped in a ____ factory" in order to tell people on the outside. Having this name would cause any police officer who pulls her over to show some concern. And getting the license in the first place would likely be difficult. The idea of inserting a help message like this was already used in [[10: Pi Equals]]. | ||
+ | <!-- Help! I'm being held prisoner in a Wiki markup code editing facility! --> | ||
+ | |||
+ | The title text is even funnier translated into Spanish, where the word for "help" ("Socorro") is actually a common female name, which comes from [https://en.wikipedia.org/wiki/Our_Lady_of_Perpetual_Help a title of the Virgin Mary], so it would be a plausible girl's name (like "Bobby Tables" is for boys). | ||
==Transcript== | ==Transcript== | ||
Line 48: | Line 59: | ||
:[In this frame-less panel Mrs. Roberts has put the cup down on the table turned facing out.] | :[In this frame-less panel Mrs. Roberts has put the cup down on the table turned facing out.] | ||
− | :Mrs. Roberts: Oh, dear | + | :Mrs. Roberts: Oh, dear - did he break something? |
− | :Voice over the phone: In a way | + | :Voice over the phone: In a way - |
:[Mrs. Roberts is now drinking from the cup again looking right. The table is not shown.] | :[Mrs. Roberts is now drinking from the cup again looking right. The table is not shown.] | ||
Line 60: | Line 71: | ||
==Trivia== | ==Trivia== | ||
− | + | ||
− | + | This comic has become rather famous, spawning a site at http://bobby-tables.com about preventing SQL injection and also at the official [https://docs.python.org/2/library/sqlite3.html Python SQLite documentation]. Noted security expert {{w|Bruce Schneier}} (who often quotes xkcd) [https://www.schneier.com/blog/archives/2010/10/pen-and-paper_s.html mentioned a similar attack] that happened in the 2014 Swedish general elections. | |
− | + | ||
+ | In [[1253: Exoplanet Names]], someone (presumably Mrs. Roberts) attempts to perform a similar trick, submitting the name <code>e'); DROP TABLE PLANETS;--</code> to the IAU. | ||
+ | |||
+ | It is later revealed in [[342: 1337: Part 2]] that the daughter's middle name is [[Elaine]] (full name: ''Help I'm trapped in a driver's license factory Elaine Roberts''). This is thus the first time Elaine is mentioned. Seems like this comic was a setup for the "[[:Category:1337|1337]]" series where both this exploiting mom's kids are shown for the first time. | ||
{{comic discussion}} | {{comic discussion}} | ||
[[Category:Comics featuring Mrs. Roberts]] | [[Category:Comics featuring Mrs. Roberts]] | ||
− | [[Category:Comics featuring | + | [[Category:Comics featuring Little Bobby Tables]] |
− | [[Category:Comics featuring | + | [[Category:Comics featuring Elaine Roberts]] |
[[Category:Programming]] | [[Category:Programming]] | ||
− | [[Category: | + | [[Category:Computers]] |
− | |||
− |