
Verified by Visa and SSL are not a panacea

I had been at sea for two weeks and only returned home this evening, exhausted after a long flight. A friend calls and asks me to urgently e-mail him some documents. My Internet subscription is unpaid, and the nearest QIWI terminal is about a 15-minute walk away. I remember that the provider recently added the option of paying by credit card. I log in to my personal account on the provider's website, click the right link, and am glad to find that the page is reachable even without an active Internet connection.

I note the familiar name of the bank, the https in the address bar, and the “Verified by Visa” logo (yes, it is merely the name of an additional security measure, but still, “verified by Visa”). Can this site be trusted with a card number and CVV2? It certainly looks that way.

I fill in every field of the form, press “pay”... and see a white page with a single line of text:
Could not insert: You have an error in your SQL syntax; check the syntax to use the syntax to use the ya Ivanov ',' ',' 0 ',' ',' ',' https://web3ds.bank-name.ru : 3443 / cgi-bi 'at line 1

Wonderful. What was the bank employee thinking when he issued my card and typed a stray apostrophe into the “Card Holder's Name” field? And what was the programmer thinking, inserting user-supplied data into an SQL query without escaping it (it seems this is not even about SQL injection)?

I remembered the xkcd comic, closed the page, got dressed, went outside and walked to the nearest QIWI terminal.


PS Never ask your users to enter something “without spaces”. It is easier for the developer to write one regular expression that normalises the input than for every user to read and interpret the captions under the fields.
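An added illustration of both points, written for this page and not taken from the post or the provider's code: the concatenated INSERT that a card holder's name with an apostrophe breaks, the parameterised form that accepts it, and a normaliser that strips spaces from the card number instead of asking the user to. It uses Python's sqlite3 in memory; the table, the name and the card number are constructed sample values.

```python
import re
import sqlite3

# Constructed sample input: a real-looking name containing an apostrophe
# (the character that broke the payment form) and a card number typed
# with spaces, exactly as a user would enter it.
SAMPLE_HOLDER = "Ilya O'Brien"
SAMPLE_CARD = "4111 1111 1111 1111"


def open_db():
    """In-memory table standing in for the provider's payments table (hypothetical)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE payments (holder TEXT, pan_last4 TEXT, amount INTEGER)")
    return conn


def insert_concatenated(conn, holder, pan, amount):
    """The bug from the post: user data pasted straight into the SQL text."""
    sql = "INSERT INTO payments VALUES ('%s', '%s', %d)" % (holder, pan[-4:], amount)
    conn.execute(sql)  # an apostrophe in holder ends the string literal early


def insert_parameterised(conn, holder, pan, amount):
    """The fix: bound parameters; the driver never lets data become SQL syntax."""
    conn.execute("INSERT INTO payments VALUES (?, ?, ?)", (holder, pan[-4:], amount))


def normalise_pan(raw):
    """Strip spaces and dashes so the user never has to; reject anything else."""
    digits = re.sub(r"[\s-]", "", raw)
    if not re.fullmatch(r"\d{13,19}", digits):
        raise ValueError("card number must be 13 to 19 digits")
    return digits


def demo():
    """Run both variants on the same input and report what happened to each."""
    results = {}
    conn = open_db()
    pan = normalise_pan(SAMPLE_CARD)
    try:
        insert_concatenated(conn, SAMPLE_HOLDER, pan, 500)
        results["concatenated"] = "ok"
    except sqlite3.OperationalError as exc:
        results["concatenated"] = "error: " + str(exc)  # the white page with one line
    insert_parameterised(conn, SAMPLE_HOLDER, pan, 500)
    results["parameterised"] = conn.execute("SELECT holder FROM payments").fetchone()[0]
    return results
```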

Source: https://habr.com/ru/post/103926/
