{"id":998,"date":"2012-03-01T12:12:00","date_gmt":"2012-03-01T11:12:00","guid":{"rendered":"https:\/\/loeben.net\/blog\/?p=998"},"modified":"2024-05-03T10:30:57","modified_gmt":"2024-05-03T08:30:57","slug":"how-to-avoid-bobby-tables-sql-spritzen-wirken","status":"publish","type":"post","link":"https:\/\/loeben.net\/blog\/how-to-avoid-bobby-tables-sql-spritzen-wirken\/","title":{"rendered":"How to avoid Bobby Tables"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Wie-SQL-Spritzen-wirken\"><\/span>How do SQL injections work?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"alignright size-medium\"><a href=\"https:\/\/loeben.net\/blog\/wp-content\/uploads\/2022\/03\/xkcd_bobby.tables.png\"><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"92\" src=\"https:\/\/loeben.net\/blog\/wp-content\/uploads\/2022\/03\/xkcd_bobby.tables-300x92.png\" alt=\"bobby tables\" class=\"wp-image-999\" title=\"\" srcset=\"https:\/\/loeben.net\/blog\/wp-content\/uploads\/2022\/03\/xkcd_bobby.tables-300x92.png 300w, 
https:\/\/loeben.net\/blog\/wp-content\/uploads\/2022\/03\/xkcd_bobby.tables.png 666w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><figcaption>Source: http:\/\/xkcd.com\/327\/<\/figcaption><\/figure><\/div>\n\n\n\n<p><strong>School<\/strong>: &#8220;Hello, this is your son&#8217;s school. We are having some computer trouble.&#8221;<br>Mother: &#8220;Oh dear \u2013 did he break something?&#8221;<br><strong>School<\/strong>: &#8220;In a way. Did you really name your son Robert'); DROP TABLE Students;-- ?&#8221;<br>Mother: &#8220;Oh. Yes. We call him little Bobby Tables.&#8221;<br><strong>School<\/strong>: &#8220;Well, this year&#8217;s student records are gone now. I hope you&#8217;re happy.&#8221;<br>Mother: &#8220;And I hope you&#8217;ve learned to sanitize your database inputs.&#8221;<\/p>\n\n\n\n<!--more-->\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Wie-sollte-man-nicht-programmieren\"><\/span>How should you not program?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Wie-foerdert-mann-Bobby-Tables\"><\/span>How do you encourage Bobby Tables?<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<ul class=\"wp-block-list\"><li>By ignoring input <a rel=\"noreferrer noopener\" href=\"https:\/\/www.linguee.de\/englisch-deutsch\/uebersetzung\/sanitizing.html\" target=\"_blank\">sanitizing<\/a> in software development.<\/li><li>By letting SQL statements that come from the evil Internet be processed unchecked.<\/li><li>By sending SQL calls with parameters to vulnerable web applications.<\/li><li>By publishing the database credentials right in your web application \ud83d\ude09<\/li><\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" 
id=\"Foerdere-erfolgreiche-Injektionen-aus-dem-boesen-Internet\"><\/span>Encourage successful injections from the evil Internet?<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Is that (almost) all? No, of course not. You can also ignore other basics that belong to a professional&#8217;s toolkit in software development. \ud83d\ude2e<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Don&#8217;t try to escape invalid characters etc. either. A good pentester always finds a hole!<\/li><li>Don&#8217;t try to manually clean or sanitize the data to be passed on after the fact.<\/li><\/ul>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Wie-sollte-guter-Code-gestrickt-sein\"><\/span>How should good code be put together?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<ul class=\"wp-block-list\"><li>Just learn to use parameterized statements &#8211;\u00a0<strong>always<\/strong>\u00a0and <strong>without exception<\/strong><\/li><li>Make sure that only application input that has been verified and is &#8220;clean&#8221; gets processed.<\/li><li>Ideally, pentesters end up out of work \ud83d\ude09<\/li><\/ul>\n\n\n\n<p>Here are some sources on the topic of\u00a0<strong>SQL injections<\/strong>, the SQL &#8220;shots&#8221; mentioned at the beginning:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><a href=\"http:\/\/de.wikipedia.org\/wiki\/SQL-Injection\" target=\"_blank\" rel=\"noreferrer noopener\">http:\/\/de.wikipedia.org\/wiki\/SQL-Injection<\/a><\/li><li><a href=\"http:\/\/de.wikipedia.org\/wiki\/Sicherheit_von_Webanwendungen\" target=\"_blank\" rel=\"noreferrer noopener\">http:\/\/de.wikipedia.org\/wiki\/Sicherheit_von_Webanwendungen<\/a><\/li><li><a href=\"http:\/\/www.slideshare.net\/billkarwin\/sql-injection-myths-and-fallacies\" target=\"_blank\" rel=\"noreferrer noopener\">SQL Injection Myths and Fallacies<\/a><\/li><li><a 
href=\"http:\/\/www.schneier.com\/blog\/archives\/2008\/10\/how_to_write_in.html\" target=\"_blank\" rel=\"noreferrer noopener\">http:\/\/www.schneier.com\/blog\/archives\/2008\/10\/how_to_write_in.html<\/a><\/li><\/ul>\n","protected":false},"excerpt":{"rendered":"<p>How do you avoid Bobby Tables? The security of web applications and how SQL injections work. SQL injections are no rocket science and a standard tool in pentesting.<\/p>\n","protected":false},"author":6,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"aside","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[13,14],"tags":[713,727,728,730,707,706,712,723,738,724,716,719,843,714,721,844,734,841,735,726,702,709,737,739,710,729,733,736,842,720,718,732,731,711],"class_list":["post-998","post","type-post","status-publish","format-aside","hentry","category-datenschutz-datensicherheit","category-brain-10","tag-auweia","tag-wie-vermeidet-mann-bobby-tables","tag-bobby-tables-angriffe","tag-boesen-internet","tag-comic","tag-computer","tag-computerprobleme","tag-datenbankeingaben","tag-datenbankprobleme","tag-datenbestand","tag-drop","tag-drop-table","tag-kali-linux","tag-kaputt","tag-klein-bobby-tables","tag-metasploit","tag-parameter","tag-pentest","tag-quellen","tag-saeubern","tag-school","tag-schule","tag-sicherheit-von-webanwendungen","tag-sicherheitsprobleme","tag-sohnes","tag-sql-anweisungen","tag-sql-aufrufe","tag-sql-injektionen-webanwendungen","tag-sql-spritzen","tag-students","tag-table","tag-verfuettert","tag-vermeiden","tag-xkcd","post_format-post-format-aside"],"_links":{"self":[{"href":"https:\/\/loeben.net\/blog\/wp-json\/wp\/v2\/posts\/998","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/loeben.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/loeben.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/loeben.net\/blog\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/loeben.net\/blog\/wp-json\/wp\/v2\/comments?post=998"}],"version-history":[{"count":7,"href":"https:\/\/loeben.net\/blog\/wp-json\/wp\/v2\/posts\/998\/revisions"}],"predecessor-version":[{"id":1409,"href":"https:\/\/loeben.net\/blog\/wp-json\/wp\/v2\/posts\/998\/revisions\/1409"}],"wp:attachment":[{"href":"https:\/\/loeben.net\/blog\/wp-json\/wp\/v2\/media?parent=998"}],"wp:term":[{"tax
onomy":"category","embeddable":true,"href":"https:\/\/loeben.net\/blog\/wp-json\/wp\/v2\/categories?post=998"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/loeben.net\/blog\/wp-json\/wp\/v2\/tags?post=998"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}