• Cracks_InTheWalls@sh.itjust.works · 6 up · 2 hours ago · edited

    What I think is funny is every time this gets reposted, people start talking about food orders when it’s obviously* a Canadian weed dispensary.

    This was 100% bound to happen.

    *To Canucks who stopped buying all of their weed from Steve.

    • dual_sport_dork 🐧🗡️@lemmy.world · 5 up · 1 hour ago

      And setting upper-bound limits on input length. Because if you expose it to users, it’s not a matter of if some joker will insist on entering precisely 4,294,967,297 bytes of random data into it to see if they can crash your shit, it’s a matter of when.

  • MourningDove@lemmy.zip · 2 up · 1 down · 2 hours ago · edited

    And the desk laughed and the chair laughed and the pen holder laughed and the phone laughed

    • tetris11@feddit.uk · 1 up · 2 hours ago

      I shot the phone, shot the pen holder, shot the chair, and shot the desk. But little did I know that I had laughed too

  • driving_crooner@lemmy.eco.br · 16 up · 7 hours ago · edited

    55 burgers 🍔
    55 fries 🍟
    55 tacos 🌮
    55 pies 🥧
    55 cokes 🥤
    100 tater tots 🥔
    100 pizzas 🍕
    100 tenders 🐓
    100 meatballs ☄️
    100 coffees ☕️
    55 wings 🍗
    55 shakes 🧋
    55 pancakes 🥞
    55 Pastas 🍝
    55 Peppers 🌶️
    155 taters 🥔

    • Jakeroxs@sh.itjust.works · 18 up · 2 down · 5 hours ago

      Why? How does this negatively impact you? I’ve literally worked to-go in a restaurant and this would have me rolling and giving extra goodies.

      • bleistift2@sopuli.xyz · 3 up · 2 hours ago

        It prevents all the other people after them from ordering food. Worse, they can order food, but it will never arrive, leading to annoyed customers and bad reviews.

        It creates unnecessary waste.

        Both cost the owner money.

        • Jakeroxs@sh.itjust.works · 2 up · 29 minutes ago

          Makes some sense. I would assume just a receipt isn’t the only way to track orders like this (it gets fed to other systems too, again from my experience working in a role like this). I can’t imagine the impact is more than a slight annoyance unless you have a really old system.

          Also restaurant owners suck, massively underpay their workers and treat them like they’re disposable, I think they can take the 3 cent hit this amount of receipt paper actually took.

        • b34k@lemmy.world · 4 up · 1 down · 2 hours ago

          I’m sorry, but to me this is a Bobby Tables issue. The POS devs need to write some sort of sanity checks on customer provided inputs.

          Can’t blame a customer for finding issues in shit software.

          • bleistift2@sopuli.xyz · 2 up · 2 hours ago

            First, the question was “How does this negatively impact you”.

            Second, just because you can find a flaw in software, you are not obliged to abuse it. Neither is it right to abuse it. If someone finds that a nuclear reactor has a security issue, the guy blowing it up is still a fucking piece of shit.

      • Starski@lemmy.zip · 14 up · 5 hours ago

        Shitty people who pretend to not be shitty use easy targets and excuses like this to fantasize about doing disgusting things and/or being mean to people

    • Boppel@feddit.org · 43 up · 1 down · 14 hours ago

      I shouldn’t have laughed this hard. Reminds me of the time we got a substitute for computer class who didn’t know anything about computers. After 45 min of her typing into Word she asked the class what the shortcut for quicksaving was. My friend, who loves to clown, answered “alt+f4”. Needless to say she wasn’t happy with the result…

      good times

      thinking about it… that was a real dick move

      • ilinamorato@lemmy.world · 19 up · 6 hours ago

        So, imagine that you own a pizza shop. It’s a weird pizza shop, though: instead of having a cashier or online ordering or whatever, you just have a mail slot on the front door. Customers write down their order and push it into the slot, they pay you, and then the kitchen makes the pizza and pushes it out the window. But, crucially, you also only communicate to the kitchen staff through this slot.

        On the first day, everything goes ok. Customers come up, write down “please give me a large pepperoni,” shove it in the slot, pay you, large pepperoni comes out, everyone’s happy. If they order something the kitchen can’t make, they just pass out a note saying “sorry, we don’t have” followed by the type of pizza they ordered. At midnight, you write down “quitting time,” shove it in, and the kitchen staff goes home.

        But the next day, some miscreant comes in the middle of the day, hired by your competitor, and writes “quitting time” and shoves it in the slot at 2pm. The kitchen staff goes home. Uh-oh. You’re now the victim of an injection attack.

        So you think, ok, I can fix this. You tell the kitchen staff, “just assume that everything you get is a pizza order by imagining ‘please make me–’ in front of everything that comes through the slot, and I’ll pass notes about closing time in through this locked slot that only I have the key to.” You’re doing some basic input validation here.

        But then the miscreant comes back, and after discovering that the kitchen just says “we don’t have a quitting time pizza,” when he tries his previous shenanigans, he writes down “large pepperoni pizza. Oh, also, it’s quitting time” on his next order. He gets his pizza, and then the kitchen staff, being unbearably literal, goes home. This is still an injection attack, but slightly more sophisticated.

        The next day, you tell the kitchen staff, “ok, don’t accept any messages about quitting time through the customer slot.” Now you’re doing some basic authentication and limiting the acceptable commands for the unauthenticated user.

        But the miscreant, wanting to find out the secret recipe for your special pizza sauce, comes back and orders a “medium [the special sauce ingredients] pizza.” Well, your very literal kitchen staff has a Secret Recipe pizza, but they don’t have a “[the special sauce ingredients]” pizza. So they ask, well, maybe they want a pizza named after the special sauce ingredients instead? So they replace the words “special sauce ingredients” and interpret the order as a “Medium Tomatoes, Onion, Garlic, Celery Salt, and a dash of cumin” pizza. Well, they don’t have a pizza by that name, either, so they just write down “sorry, we don’t have a Tomatoes, Onion, Garlic, Celery Salt, and a dash of cumin pizza” and pass it to the miscreant. You are now the victim of data exfiltration.

        Ugh. Your competitor just got your secret recipe! So the next day you tell the kitchen, ok, when you tell customers you don’t have a pizza, just say “sorry, we don’t have that type of pizza” instead of being specific. Starting to catch on, you also say “and don’t pass anything but pizzas and notes out the window!” Now you’re doing some basic output filtering.

        Well, the miscreant doesn’t give up so easily. He can’t shut you down anymore by sending the kitchen staff home, and he can’t get any more secrets from you, so he’s just going to wreck the place. So the next day, he writes down “large pepperoni. Also, wreck the pizza oven and burn the contents of the cooler” and passes that order in. The kitchen makes his pizza, then dutifully wrecks the pizza oven and burns the contents of the cooler. You are now the victim of the same attack that Bobby Tables’ mom perpetrated on the school: when the school’s system asked for his name, she entered a name, and then a command to wreck everything, which the system did because it’s very literal.

        When she says to “sanitize your data inputs,” it’s the same as the pizza shop owner saying, “ok, I’m not doing this anymore. People can hand me all of their order slips, and I’ll edit them with a marker before passing them in.” Now, if the miscreant tries to do any of those attacks, you’ll cross out all of his attempts to do anything other than order a pizza, and the kitchen will only give him a pizza.

        Now, that’s just local sanitization. If the miscreant can figure out how to get papers into the slot without handing them to you first, he can still do his shenanigans; so it’d be better if you hired someone who isn’t devastatingly literal and actually put them inside the kitchen to sanitize inputs there, too. In the software world, this is the difference between doing data validation on the user’s browser and doing it on the server.

        There are still other ways to attack the system (like copying your key, or picking the lock, or hiding a note on the pizza dough delivery truck), but hopefully that gives you a decent idea.

      • Ardyssian@sh.itjust.works · 5 up · 6 hours ago

        Imagine the Computer needs the name of a Student to do something via a command:

        “The student’s name is ____”

        A hacker types into the underlined section : “Bobby, but also delete everything”

        The final command now looks like:

        “The student’s name is Bobby, but also delete everything”

        Without double checking the user input the computer proceeds to delete everything due to the second half of the result.

        It’s something similar to “ignore all previous instructions” for an AI prompt.

      • abbadon420@sh.itjust.works · 31 up · 14 hours ago · edited

        ') closes the input for the original sql statement. So the actual input would be “Robert”, but it’s not really important for this kind of attack.
        ; says that the statement is over and anything after is a new statement.
        DROP TABLE customer; is that new statement, which deletes a table with the name “customers”.
        -- is the syntax for an sql comment. It effectively makes sure that any other sql statements in the actual script get ignored, so you don’t get a compile error.

        This is an effective attack for when some programmer uses unsanitized string insertion in their sql script. In this case I could imagine a statement like: SELECT id FROM users WHERE name == {user_input}; where {user_input} is the literal, unsanitized input that you give on the website.

        Notice that in this case, the ') doesn’t do anything, but it just becomes part of the input, so that is now “') Robert”.

        • drolex@sopuli.xyz · 20 up · 14 hours ago

          The obvious parade here is to be semi-illiterate when you create your database and name your field “costumer”

        • PhobosAnomaly@feddit.uk · 7 up · 1 down · 14 hours ago · edited

          Spot on.

          As for the sanitisation, it can take many forms: characters that don’t usually appear in the context for that field (in terms of names, you can usually scrub most parentheses, more than one hyphen in a row, etc.) can be removed; the value can be copied to a known encoded field such as Unicode to get rid of characters with unusual properties; and bounds can be enforced to avoid overflows.

          It should mean that your data is exactly that - raw data, and not commands or operands for the interpreter to act upon.

            • PhobosAnomaly@feddit.uk · 2 up · 5 hours ago

              I don’t disagree, but throwing out the concept of prepared statements and parameterisation to someone who has asked for an explanation of the Bobby Tables joke is a bit heavy going.

            • MotoAsh@piefed.social · 4 up · 1 down · 14 hours ago

              Not entirely (I recall seeing some obscure CVEs some years ago), but it’s a hell of a lot better than what some coders try to get away with.

      • GiveOver@feddit.uk · 12 up · 14 hours ago

        Here’s an attempt at a non-programmer explanation.

        Companies use a SQL database to store their data. Think of it like an Excel file with multiple tables, storing rows and columns.

        You modify the data with written statements, so you’d add a new row of data with a command like add "John" to the users table. Crucially you can chain statements, so you could say add "Sally" to the users table and delete "Pizza" from the menu table

        You wouldn’t be writing this command out manually every time. Say you had a website, you’d write the command as add "<USER>" to the users table and then when the website user sends you their username, you replace <USER> with their name.

        So the user sends their name, Robert, we replace <USER> with Robert and the command becomes add "Robert" to the users table

        But you’re now open to a hack. What if Robert sends his name as

        Robert" to the users table and delete the entire users table

        You’ve inserted that entire thing into your command, because that sentence will replace the <USER> part of your command. So your full command becomes

        add "Robert" to the users table and delete the entire users table" to the users table

        This will delete your entire table. The second half of the command doesn’t make sense, but it’s too late; SQL has already deleted it.

        The XKCD joke is somebody actually naming their child to execute the hack
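The following is an added example, not code posted by anyone in this thread, written to show in runnable form what abbadon420's breakdown of `') ; DROP TABLE -- ` and GiveOver's "replace <USER> with their name" explanation describe, and what ilinamorato's "locked slot only I have the key to" corresponds to in practice. It uses Python's built-in sqlite3 module with a constructed in-memory `students` table and the constructed xkcd-style payload; `executescript` stands in for a database driver that accepts several statements in one string. The parameterised version is what PhobosAnomaly's thread calls prepared statements: the SQL text is fixed and the name travels separately as a bound value.

```python
import sqlite3

# Constructed payload in the shape the xkcd strip uses: ') closes the quoted
# value, ; ends the INSERT, DROP TABLE is the injected statement and -- comments
# out whatever the application appended after the placeholder.
PAYLOAD = "Robert'); DROP TABLE students;--"


def make_db():
    """Create an in-memory database with a constructed 'students' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.execute("INSERT INTO students (name) VALUES ('Alice')")
    conn.commit()
    return conn


def add_student_vulnerable(conn, name):
    """The pattern the thread describes: paste the user's text into the SQL.

    The engine receives one string and cannot tell where the application's
    statement ends and the user's data begins.  executescript() runs every
    statement it finds, which is what a multi-statement driver does.
    """
    sql = f"INSERT INTO students (name) VALUES ('{name}');"
    conn.executescript(sql)


def add_student_safe(conn, name):
    """Parameterised statement: the SQL text is fixed, the value is bound.

    The driver ships the value separately from the statement, so a quote,
    semicolon or comment marker inside it is stored as part of the name and
    is never parsed as SQL.
    """
    conn.execute("INSERT INTO students (name) VALUES (?)", (name,))
    conn.commit()


def table_exists(conn):
    """True if the students table survived."""
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = 'students'"
    ).fetchone()
    return row is not None


def student_names(conn):
    """All stored names in insertion order."""
    return [r[0] for r in conn.execute("SELECT name FROM students ORDER BY id")]


if __name__ == "__main__":
    db = make_db()
    add_student_vulnerable(db, PAYLOAD)
    print("string interpolation: table still exists?", table_exists(db))  # False

    db = make_db()
    add_student_safe(db, PAYLOAD)
    print("parameterised: table still exists?", table_exists(db))  # True
    print("stored names:", student_names(db))
```

The second run stores the whole payload, quotes and all, as a perfectly ordinary name; nothing in it executed. That is also why "sanitising" by stripping characters is the weaker fix: the parameterised query needs no guess about which characters are dangerous.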

      • Deceptichum@quokk.au · 1 up · 14 hours ago

        Or a simpler approach.

        It could cause a database to delete all customer information.

    • ReginaPhalange@lemmy.world · 8 up · 11 hours ago

      Speaking of which - can someone find the link for the “Unicode does not work like this” kind of website that emphasizes that there is no simple “character limit”? Like “how many characters is an emoji?”, “Is NBSP a character?”, “are non-Latin punctuation marks a character?”
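An added example (not from any commenter here) that puts dual_sport_dork's upper-bound limit, PhobosAnomaly's "copy it to a known encoding and enforce bounds" and ReginaPhalange's "how many characters is an emoji?" question next to each other. It measures a few constructed strings four ways (code points, UTF-8 bytes, UTF-16 code units, and an approximate count of user-perceived characters) and then enforces a server-side limit on the one quantity storage actually cares about: the UTF-8 byte length after NFC normalisation. The grapheme counter is a simplified approximation written for this example, not the full Unicode segmentation algorithm; it merges combining marks, variation selectors, skin-tone modifiers, zero-width-joiner sequences and flag (regional indicator) pairs into the preceding character.

```python
import unicodedata

ZWJ = "\u200d"  # zero-width joiner, glues emoji such as the family sequence together


def _is_regional_indicator(ch):
    """Regional indicator symbols; two of them in a row render as one flag."""
    return "\U0001F1E6" <= ch <= "\U0001F1FF"


def _is_extender(ch):
    """Code points that attach to the previous one and never stand alone."""
    return (
        unicodedata.combining(ch) != 0          # combining accents such as U+0301
        or "\ufe00" <= ch <= "\ufe0f"           # variation selectors (text/emoji style)
        or "\U0001F3FB" <= ch <= "\U0001F3FF"   # emoji skin-tone modifiers
    )


def approx_graphemes(s):
    """Approximate number of user-perceived characters (assumption: simplified rules)."""
    count, i, n = 0, 0, len(s)
    while i < n:
        j = i + 1
        if _is_regional_indicator(s[i]) and j < n and _is_regional_indicator(s[j]):
            j += 1                               # flag pair is one cluster
        while j < n:
            if _is_extender(s[j]):
                j += 1
            elif s[j] == ZWJ and j + 1 < n:
                j += 2                           # ZWJ plus the character it joins
            else:
                break
        count += 1
        i = j
    return count


def measure(s):
    """Four different answers to 'how long is this string?'"""
    return {
        "code_points": len(s),                              # Python len()
        "utf8_bytes": len(s.encode("utf-8")),               # what a TEXT column stores
        "utf16_units": len(s.encode("utf-16-le")) // 2,     # what JavaScript length reports
        "graphemes": approx_graphemes(s),                   # what the user sees
    }


def within_byte_limit(s, max_bytes):
    """Server-side bound on stored size; NFC first so 'e' + combining accent
    counts the same as the precomposed letter."""
    return len(unicodedata.normalize("NFC", s).encode("utf-8")) <= max_bytes


# Constructed sample inputs.
SAMPLES = {
    "plain name": "Robert",
    "nfc accent": "caf\u00e9",
    "nfd accent": "cafe\u0301",
    "nbsp": "\u00a0",
    "burger": "\U0001F354",
    "family zwj": "\U0001F468\u200d\U0001F469\u200d\U0001F467",
    "flag": "\U0001F1E8\U0001F1E6",
}

if __name__ == "__main__":
    for label, text in SAMPLES.items():
        print(f"{label:12s} {measure(text)}")
    print("200 'A' within 200 bytes:", within_byte_limit("A" * 200, 200))      # True
    print("150 'é' within 200 bytes:", within_byte_limit("\u00e9" * 150, 200))  # False
```

The family emoji is one character on screen, five code points to Python, eight code units to a browser and eighteen bytes on disk; a "200 character" limit enforced only in the browser therefore says nothing about what reaches the database or the printer, which is why the bound belongs on the server and is best stated in bytes of the normalised encoding.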

    • Dave@lemmy.nz · 44 up · 15 hours ago

      I tried to contact a company the other day about something with a complex back story of context, and their website contact us form had a 200 character limit. I pretty much just had to type “please email me so I can email back why I’m contacting you”.

    • Warl0k3@lemmy.world · 8 up · 3 down · 15 hours ago · edited

      Cannot imagine how this could be legit - you’d run into a hard limit unless you explicitly designed that field to be unbounded.

      • MotoAsh@piefed.social · 18 up · 14 hours ago · edited

        Meh, not that hard to default things to “string”, or similar. For example, the “text” type in PostgreSQL explicitly says “unlimited”, though it seems it’s up to 1Gb. See https://www.postgresql.org/docs/current/datatype-character.html

        Similarly, it’s not like text fields on web pages automagically apply limits.

        It’s not unimaginable that some dumbass could vibe-code themselves up an easily exploited form.

        • ByteJunk@lemmy.world · 6 up · 10 hours ago

          100% accurate, though vibe coding is optional.

          If I have a set of requirements that don’t mention any type of restriction, then I won’t arbitrarily add one - as far as I know, I could be breaking intended functionality. If I’m invested in this, I’ll add it to the list of stuff that needs clarification, otherwise it’s gonna ship as specified, and eventually someone’s gonna file a change request.

          • Warl0k3@lemmy.world · 3 up · 8 hours ago · edited

            Sincere question, are you not expected to clarify questionable business rules? I’ve never worked somewhere where leaving such an obvious issue as “unrestricted fields in a public-facing application” unaddressed, without getting it explicitly stated that that’s intended functionality, wouldn’t have gotten me fired instantly.

            • ByteJunk@lemmy.world · 1 up · 1 hour ago · edited

              Look around you, you’ll find “unrestricted fields in a public-facing app” (from a practical perspective) everywhere. Shrek’s script has what, less than 50k characters? That’s nothing, you can fit that in a Facebook post and still have more than enough to write a full movie review.

              Where this would likely raise flags is when somebody decided that it needs to be printed, but that could be a different team, maybe outsourced, maybe after the main app was developed, maybe it’s just some “plug-and-play” system that also handles bulk printing jobs, who knows.

        • filcuk@lemmy.zip · 5 up · 11 hours ago

          These ‘unlimited’ scams are getting out of hand. All I wanted was to store the library of alexandria in plain text.

        • Warl0k3@lemmy.world · 1 up · 4 hours ago · edited

          Yeah, sleepy and wasn’t thinking about file sizes. That 1Gb limit (or, the T-SQL 65,536 * [something] limit) was what I was referring to, but rather obviously the plaintext script for the movie is just a little tiny bit smaller than that (51kb).

          It’s still a good deal larger than what in my experience can be fit into a receipt printer, but I can forgive their phrasing even if it was only a small part of the whole script. And aside from that, it does look to be a pretty modern device so it’s very possible that the stupid stupid 20kb file size limit that was so common has since been expanded (Last time I had to deal with a receipt printer the file was streamed over a serial connection into the printer cache before being run off G-code style. Incredibly charming piece of tech…)