Monday 3rd December 2018
As a software developer I spend a lot of time writing defensive code: routines to check user input and handle it when it isn’t what’s expected. This blog post by Bill Sempf illustrates the kind of absurd lengths we sometimes have to go to if we want our software to be secure. I’ve reproduced some of the best responses here.
A Quality Assurance engineer walks into a bar…
- orders a beer.
- orders 0 beers.
- orders 99999999 beers.
- orders a lizard.
- orders -1 beers.
- orders a sdhgahfgasjfasd.
- unhooks the tap and orders a beer.
- breaks all the glassware and orders a beer.
- sets the bar on fire and orders a beer.
- orders someone else a beer.
- has everyone order a beer.
- orders a beer in Russian.
- orders a beer for later.
- orders every beer.
- orders a bier.
- orders a cerveza.
- orders a pivo.
- orders a cerveja.
- orders a pia.
- orders a øl.
- orders a ເບຍ.
- orders a 啤酒.
- … walks in to a bar.
- … runs into a bar.
- … flies into a bar.
- … jumps into a bar.
- … hops into a bar.
- … sprints into a bar.
- orders a b̶̛̳̫̭͈̝̗̤̲̺̜͍̹̻͇͖̼͈̙̜͆̾̔̑̊̌̿ͫ̒̀̒̄ͤͫͩͨ̏͘̕͞ě̴̸̟͖͕͇͊ͪ͒͜ē̸̌̆ͯ̏͛͌̚͞҉҉̝̤͓̥̱͔̱̩̹̮̲͚̙̫͚͕̭ͅr̷̢͖̺͉̺͚̱̲̯͙̲̱̹̩̼̥̊̂ͩ̐ͮ̏ͫ̐́
- … walks into the bar backwards.
- … sits at the bar overnight doing nothing to see what happens.
- tries to sell a beer.
- quickly orders a second beer before the first beer is served.
- orders two orders betwoers asynchronousbeersly. asynchronously.
- orders 9E99 beers.
- orders 1.33333333333 beers.
'); drop table orders
- orders Alexa play some music by Slayer.
- orders a beer, interrupts the order midway and walks out.
- orders a beer from a customer instead of the bartender.
- orders a
- bypasses the bartender, pours
<img src=x onerror=alert('xss')>for someone else.
And then the first real cusomer walks in and asks where the bathroom is. The bar bursts into flames killing everyone.