The Importance of Sanitization
Well, hello there dear readers…Long time no see eh?
Today, I have an interesting story for you. One that involves one of my favorite topics: security & vulnerabilities. Anyways, not to bother you too much, let’s get right into the story.
The story takes place a few years back, when I was still a young teen, blasting Nirvana on my headphones and just discovering the wonderful world of penetration testing. I was in my second year of high school.
My high school has an interesting tradition called Project Week — a programming/mechanical engineering competition where students show off their side-projects in hopes of winning interesting prizes.
That year something interesting had happened — the submissions were online.
The submission form was very traditional. A few inputs and a captcha. The funniest thing is that I didn’t actually plan on doing anything malicious. It just so happened that I had apostrophes in my project description.
I submitted the form and uh-oh…Something went wrong?
I went to check the Network tab and find the response.
Oh! This was bad.
So like any normal human being, I closed the tab and went along my way right?
Nope — sqlmap time it is.
In hindsight, it was probably a stupid idea to attack the website without any consent, but hey, I was in high school, the worst that could happen is expulsion…right?
Anyway, I used Burp to capture the request and save it to a file which I later used as an input to sqlmap.
What I saw next was horrifying to look at.
Multiple databases, some not even related to the submission page, cleartext passwords, all student e-mails and more…
Yikes! If a data breach were to occur, that would be very bad PR for the school. Especially for a school that teaches programming to kids.
I promptly reported the issue to the school, explaining how I did it and why it’s a bad thing.
If a 15-year-old needs to explain to you why you should sanitize your input, we have a serious problem.
Having their security breached by a 15-year-old must’ve really hurt, so instead of asking for help they did what any institution would’ve done.
I got suspended.
The good thing is that I wasn’t disqualified from the competition though.
A few months after the incident, they found a very interesting fix for the online submissions — removing them altogether.
The next year the submissions were handled the old-fashioned way. You go to the principal’s office and request a submission form, fill it out and give it back.
Not the way I would go about handling it but hey, I offered my help and they didn’t want it.
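For readers who want to see the code-level fix, here is an added example (not from the school's site, whose backend this post does not show; the table, columns and function names are assumptions). It shows why a description with an apostrophe breaks a query built by string concatenation, and how a parameterized query stores the same text unchanged.

```python
import sqlite3

# Constructed sample input: an ordinary description that happens to contain apostrophes.
DESCRIPTION = "A robot that can't fall over, built from my brother's old toys"


def make_db():
    """In-memory stand-in for the submissions database (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE submissions "
        "(id INTEGER PRIMARY KEY, student TEXT, description TEXT)"
    )
    return db


def submit_concatenated(db, student, description):
    """Vulnerable pattern: user text is pasted straight into the SQL string.
    The first apostrophe closes the string literal early, so the rest of
    the description is parsed as SQL instead of being treated as data."""
    sql = ("INSERT INTO submissions (student, description) "
           "VALUES ('" + student + "', '" + description + "')")
    db.execute(sql)


def submit_parameterized(db, student, description):
    """Hardened pattern: placeholders keep the data out of the SQL grammar."""
    db.execute(
        "INSERT INTO submissions (student, description) VALUES (?, ?)",
        (student, description),
    )


def demo():
    """Run both patterns on the same input; return (error text, stored rows)."""
    db = make_db()
    concatenated_error = None
    try:
        submit_concatenated(db, "alice", DESCRIPTION)
    except sqlite3.Error as exc:
        # The failure an innocent apostrophe causes in the concatenated query.
        concatenated_error = str(exc)
    submit_parameterized(db, "alice", DESCRIPTION)
    stored = [row[0] for row in db.execute("SELECT description FROM submissions")]
    return concatenated_error, stored


if __name__ == "__main__":
    error, stored = demo()
    print("concatenated query failed:", error)
    print("parameterized query stored:", stored)
```

The same placeholder mechanism exists in every mainstream database driver, and the raw database error should be logged server-side rather than returned in the HTTP response.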
Thank you once again for reading, and it would mean a lot if you could leave a comment or some applause. I’ll see you in the next one.