Does this sound believable?

I like fiction, here is an attempt at writing one. It is not totally original, I heard a similar story from a friend who tests security of networks.

He was presented with a login page that required username and password. He entered some text with special characters
etc. The query ran, generating a database exception. Exception was not caught and it appeared on the error page. He understood the database used. Perhaps the query was:

He got the syntax spec. and looked at few queries, tried writing a query or two. He read about the Where clause. He started trying different strings as inputs. In the meanwhile, he learnt about the different exceptions that DBMS could generate.

Then he entered the magic word in the password field: (X)* OR TRUE. The query ran again, not spitting an exception this time. He had broken into the system.

Let me know what you think.
Thanks!

This is an example of a SQL injection attack!

Oh!... then this is not fiction

LOL: Check out this link for SQL Injection: http://en.wikipedia.org/wiki/SQL_injection

I can say this is no fiction having worked in a project to fix these kind of vulnerabilities in a web application. It was fun and you would marvel at the way these hackers think and in turn make you think.

Not related here but another think we came across was the usage of profanity by hackers and had to write code to look for swear words in user inputs

Check out Web Goat! It provides a great way to learn about the various web application vulnarabilities.

http://code.google.com/p/webgoat/

http://xkcd.com/327/