Matthew Hardeman writes:
>On Thu, May 31, 2018 at 5:03 PM, Kristian Fiskerstrand <[email protected]> wrote:
>
>> New business enterprise name:   ';UPDATE TAXRATE SET RATE = 0 WHERE NAME =
>> 'EDVIN SYSE'
>
>That's hilarious.  Where I'm from they'd accuse you of attempting to hack
>them, though likely not actually attempt to prosecute it.

Some years ago I sent a cert request to a public CA's test server that
contained, among other things, the following:

static const CERT_DATA certReqData[] = {
        /* Identification information */
        { CRYPT_CERTINFO_COUNTRYNAME, IS_STRING, 0, TEXT( "US" ) },
        { CRYPT_CERTINFO_ORGANIZATIONNAME, IS_STRING, 0, TEXT( "Dave's Wetaburgers" ) },
        { CRYPT_CERTINFO_ORGANIZATIONALUNITNAME, IS_STRING, 0, TEXT( "SSL Certificates" ) },
        { CRYPT_CERTINFO_COMMONNAME, IS_STRING, 0, TEXT( "Robert';DROP TABLE certificates;--" ) },

(it's part of the standard self-test data that I use for my own code, used to
be a different SQLI string but I changed it to Bobby Tables as an homage to
XKCD).

Their test server went offline for several days.

I was nice enough not to submit the request to their production systems.

Peter.
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
