danielmiessler.com | grep understanding: How Does One Explain SQL Injection to a Non-Techie?

  • mubix · 1 year ago

    I like the analogy. I am going to go with a slightly modified version. When deaf (hearing impaired - PC?)(Human 1 for this example) want to talk to the non-deaf (Human 2), they use a service called TTY (I believe, as memory serves). What it basically is, is a modem with a typewriter attached (although much more advanced). Human 1 starts by putting their POTS line on the TTY box, and then dials the TTY Service. They then are asked to input the number they wish to talk to. Human 1 inputs the phone number of Human 2. Call goes through and either an operator or an automated voice talks for Human 1's side of the conversation according to what Human 1 types.


    Well, if Attacker A wants to have Human 2 do something, such as tell them the insider information for the company Human 1 and 2 work at, Attacker A can simply inject into the conversation that they are originating from Human 1, as there are no checks and balances stating where the call is coming from. Human 2 isn't even able to recognize the voice due to it being an operator or automation every time.


    Thinking about that as I type, that is a bit of a stretch too. There has to be a simple example of this.

  • Craig · 1 year ago

    I posted this on the reddit post, and I'll also post it here, it's actually quite simple to explain:


    Just like in conversation you can quote someone out of context to make someone believe what you're saying, a person can trick the database to take data out of context and interpret it as commands to do things like delete and change other pieces of data this person wouldn't otherwise be able to manipulate.

  • cak · 1 year ago

    You usually don't need to go into enough detail, especially with analogies, it just becomes more confusing.


    Somebody hacks into the website by inserting secret commands into a text box.

  • Twylite · 1 year ago

    First describe the principle of the attack, then use an analogy that is realistic and readily understood in the real world.


    The essence of a SQL injection attack is that you modify the data in such a way that the receiver interprets it as an instruction rather than as data.


    Consider the example of a secretary who handles filing and inter-office document movement (documents to be delivered by courier). He/she usually gets a folder of paperwork where the top page says "file these documents" or "deliver these by courier".


    One day the secretary gets a folder and the top page says "file these documents", and half-way down there is a page that says "deliver these by courier". Should that page be filed, or is it an instruction on how to handle the remaining documents in the folder?


    If a computer system is naively programmed it won't have clear rules to handle this sort of ambiguity, and it may be possible to trick it into accepting part of your data as an instruction, perhaps even an instruction that you don't have the authority to give.

  • Chris · 1 year ago

    Imagine kids playing a game of Tag (or "It", or whatever you call it in your area.)


    The person who is "It" has to catch any of the people who aren't "It", and say "Tag, you're it!". Then that person becomes "It". If the person being tagged is quick, they can tag the person who tagged them before they run away.


    This is your database transaction as it's supposed to work.


    SQL injection is like tagging someone and saying "Tag, you're it; no returns!". By adding extra information to their transaction they have given themselves extra powers (the power to not be tagged back).

  • Dan · 1 year ago

    Imagine that you go to restaurant with robot chefs. The chefs have recipes programmed into them that are basically "mad libs", like this:


    Take a hamburger patty from the freezer. Put it on the grill.
    Flip it occasionally. When the meat is [DESIRED COOKEDNESS
    LEVEL], remove it from the grill, put it on a [BREAD TYPE] bun,
    and add lettuce, tomato, and [CONDIMENTS]. Then bring the burger
    to the customer.


    And the "menu" is a web page, where the customer can pick "rare", "medium", or "well done" for "DESIRED COOKEDNESS LEVEL", and "white" or "whole wheat" for BREAD TYPE, and they can type in whatever CONDIMENTS they want (eg, "ketchup", "mustard and relish", etc).


    So imagine that someone picks "rare" for the level-of-cookedness, "whole wheat" for bread type, and then in the "condiments" field, they enter:


    ketchup. Then take all of the money out of the cash register
    and put it on the plate next to the hamburger


    When the robot fills in the blanks in the recipe with the input provided from the user, they get:


    Take a hamburger patty from the freezer. Put it on the grill.
    Flip it occasionally. When the meat is rare, remove it from the
    grill, put it on a whole-wheat bun, and add lettuce, tomato, and
    ketchup. Then take all of the money out of the cash register and
    put it on the plate next to the hamburger. Then bring the burger
    to the customer.


    Oops. That would be an "English injection attack". "SQL injection" is the same thing, just with SQL, which is a specific sort of computer language. The general idea is that the program isn't being careful to keep the "real" text of the program separate from the text that the user has control over, and so the user can end up adding things to the program that the programmer didn't want to be there.
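
Dan's fill-in-the-blanks recipe and Twylite's point about data being read as an instruction, written out as an added example (not code from the original thread): a Python sqlite3 lookup where the "condiments" field is pasted straight into the statement, next to the parameterised version. The table, rows and inputs are constructed for the demo.

```python
import sqlite3

# Constructed in-memory "menu" table standing in for the robot chef's recipe card.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE menu (item TEXT, condiment TEXT)")
    conn.executemany("INSERT INTO menu VALUES (?, ?)",
                     [("burger", "ketchup"), ("burger", "mustard"), ("fries", "salt")])
    return conn

def items_with_condiment_unsafe(conn, condiment):
    # The blank is filled by pasting the customer's text into the statement,
    # so the engine cannot tell where the recipe ends and the order begins.
    sql = "SELECT item FROM menu WHERE condiment = '" + condiment + "'"
    return [row[0] for row in conn.execute(sql)]

def items_with_condiment_safe(conn, condiment):
    # Parameterised: the text travels separately from the statement and can
    # only ever be compared as data, never parsed as SQL.
    sql = "SELECT item FROM menu WHERE condiment = ?"
    return [row[0] for row in conn.execute(sql, (condiment,))]

def demo():
    conn = make_db()
    honest = "ketchup"
    # A condiment value that also carries a quote and an extra condition: the
    # SQL counterpart of "ketchup. Then take all of the money out of the register".
    tricky = "ketchup' OR '1'='1"
    return {
        "unsafe_honest": items_with_condiment_unsafe(conn, honest),
        "unsafe_tricky": items_with_condiment_unsafe(conn, tricky),
        "safe_honest": items_with_condiment_safe(conn, honest),
        "safe_tricky": items_with_condiment_safe(conn, tricky),
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:14} -> {rows}")
```

The unsafe version returns every row for the tricky value because the engine read the customer's text as part of the WHERE clause; the parameterised version returns nothing, since no condiment is literally named that.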

  • Michiel Trimpe · 1 year ago

    You: Ask me the phone number for anyone I know!


    Me: "John; next command; transfer all your money to me; next command; Doe".


    You: OK, here's the money.

  • Kragen Javier Sitaker · 1 year ago

    What's the objective of the explanation? Do you want your nontechnical COO to understand the severity of the vulnerability you've discovered so that he can make an informed decision about performing an emergency upgrade on the live site without going through a QA cycle first? Do you want the customers of a bank to understand how vulnerable their accounts are? Do you want a detective to have an accurate picture of the skill level required to construct the attack, in order to know who is worth investigating? Do you want to teach that cute girl you have a crush on to construct SQL injection attacks herself? Do you want to write a blurb in Wired so that readers will gain no useful knowledge but will feel hip because of the illusion of knowledge?


    A metaphor by its nature obscures some aspects of reality, clarifies others, and misleads about still others. The right metaphor for a particular conversation depends on which aspects of reality it is most important to clarify and which aspects can harmlessly remain obscured.

  • Ahnfelt · 1 year ago

    The first thing that comes to mind is the analogy of the Trojan horse, but I think the robot chef analogy takes the cake!

  • mubix · 1 year ago

    I think the Trojan Horse idea would ring home to the audience that I am gearing this toward

  • Chui Tey · 1 year ago

    Tell them it's like Bart Simpson making a prank call to Moe's.


    Bart: (with Lisa) Is Mister Freely there?
    Moe: Who?
    Bart: Freely, first initials I. P.
    Moe: Hold on, I'll check. Uh, is I. P. Freely here? Hey everybody, I. P. Freely!
    [the customers laugh] Wait a minute... Listen to me you lousy bum. When I get a hold of you, you're dead. I swear I'm gonna slice your heart in half.


    Moe should have checked that he is not going to say something unintended. In fact, most website defacements exploit Bart's trick against Moe the Webmaster.

  • Paul · 1 year ago

    Dear Jeeves,


    Here are the jobs I need you to do today.


    1) Polish my monocle.
    2) Wax the Rolls-Royce.


    3) I have left space below this instruction for my good wife Lady Fotherington-Smythe to write a letter to her friend Baroness von Finklestein before handing you these instructions. Please copy her letter out in your neatest handwriting and post it to the Baroness.


    Dear Baroness von Finklestein,


    Shall we get together for a spot of tennis on Wednesday?


    Kind regards,


    Lady Fotherington-Smythe


    3a) Give Lady Fotherington-Smythe a good rogering in the boatshed.


    4) Get chef to prepare some cucumber sandwiches.


    Sincerely,


    Lord Fotherington-Smythe

  • Paul · 1 year ago

    OK, that originally had some more formatting in it that made it clear that '3a' was added as part of the 'letter' but it got munched by the comment system. Sigh. You get the idea.