Who scanned all the QR codes? What's your fav? Drop the meme
wouldn't the devs be able to use parametrized queries or validate user input? can't they compare only the id and get the price from the db? and can't the qr codes be encrypted?
A developer can prevent this from doing damage by sanitizing the special characters in the data that is going to be inserted into the sql query. Sanitization is most commonly done by the library (code that the developer didn't write) that the developer uses to access the database, however if the developer isn't paying attention to how he is inserting the data into the sql query it may lead to the vulnerability displayed in the video which is known as an sql injection. As you mentioned, parametrized queries are the most common way the database libraries provide the possibility to insert data to the query without it being vulnerable to sql injections.
Very nice points! I don't really know the answer but they sound like very good solutions to me👍
Can't you just use a simple length check on the variable or check if it fits into the scheme. Like is it a number? Or the simple escape checks already mentioned. This is so easily prevented. Also if it actually ever worked anywhere I bet you it was fixed in 30 minutes. And rolling out by then.
I'm no expert but I didn't think it'd be this easy either and this could be prevented, gpt 3.5 pretty much says what these guys do: "In summary, SQL injection vulnerabilities arise when user input is not properly sanitized or validated before being used in SQL queries, allowing attackers to manipulate the queries in unintended ways. It's crucial for developers to use parameterized queries or prepared statements and input validation to prevent SQL injection attacks."
Well, parameterized queries are a reliable and at the same time simple protection against SQL injections. But it is important to remember that depending on the logic of the application, OS injections are also possible, where a different approach to processing user input is required.
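The lookups debated in this thread, as an added example that is not part of any comment or of the video: a scanned QR payload concatenated into the query, the same payload bound as a parameter, and a lookup that first checks the payload against an ID scheme. The `products` table, the 1 to 9 digit ID scheme and all function names are assumptions; the rows and payloads are constructed.

```python
import re
import sqlite3


def make_db():
    """Constructed sample data standing in for a point-of-sale product table."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price_cents INTEGER)"
    )
    db.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [(1001, "bananas", 129), (1002, "television", 49900)],
    )
    return db


def lookup_concatenated(db, qr_payload):
    """Anti-pattern: the scanned text becomes part of the SQL statement itself."""
    sql = "SELECT name, price_cents FROM products WHERE id = " + qr_payload
    return db.execute(sql).fetchall()


def lookup_bound_only(db, qr_payload):
    """Parameterized query: the payload is bound as a value and never parsed as SQL."""
    sql = "SELECT name, price_cents FROM products WHERE id = ?"
    return db.execute(sql, (qr_payload,)).fetchall()


# Assumed ID scheme: 1 to 9 ASCII digits. [0-9] is used instead of \d because \d
# also matches non-ASCII digits, and fullmatch() rejects a trailing newline that
# a pattern ending in "$" would accept.
PRODUCT_ID = re.compile(r"[0-9]{1,9}")


def lookup_validated(db, qr_payload):
    """Scheme check first, then a bound parameter. The price comes only from the DB."""
    if not PRODUCT_ID.fullmatch(qr_payload):
        return None  # not a product id: reject before touching the database
    sql = "SELECT name, price_cents FROM products WHERE id = ?"
    return db.execute(sql, (int(qr_payload),)).fetchone()


if __name__ == "__main__":
    db = make_db()
    # Constructed payloads: a normal ID, and an ID followed by a tautology.
    for payload in ("1001", "1001 OR 1=1"):
        print(repr(payload))
        print("  concatenated:", lookup_concatenated(db, payload))
        print("  bound only:  ", lookup_bound_only(db, payload))
        print("  validated:   ", lookup_validated(db, payload))
```

With the concatenated query the second payload changes the `WHERE` clause and every row comes back; with binding it is compared as one odd string and matches nothing, and the scheme check rejects it before any query runs.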
Input sanitization? This video makes no sense.
it's garbage fear based shilling for their products
This video makes sense. Now input sanitization is required to stop this type of attack
Yup, control the input data. Never directly expose them.
@@Primeagen This doesn't just apply to QR codes though, anywhere in any application input sanitization is a must.
Also prices come from the database, as they may change, the qr code doesn't need to change nor should it contain the price, no database designer would include the price in the qr code allowing an attacker to change the price or even change the behavior. It's programming madness. No one would be so stupid to allow this.
yeah totally... i thought a qr just contained a product ID. Things go on sale.... prices change, same qr.
LOL, clearly you have never worked on a programming team.....
This sort of shit is sooooo common it is unbelievable.... and some of these ass clown programmers are pulling down >$150kusd a year....
My understanding is a qr code is used as a simple id code for a product, nothing else. As it is used to just identify just one item from a list of valid products from your database, if any other code including sql injection is attempted it would not work as your system simply will not use it, it just is looking for the product id and that is it. It would be stupid to design or allow a qr code to include sql code, to change critical database behavior, if it is attempted, it should be ignored, or come up with an invalid code error.
😂 you clearly have not understood the issue. The problem here is that without proper input sanitation such a system is vulnerable by default. It's not a feature developers add, but a threat that is often forgotten.
LOL... you are clearly NOT a hacker..... or even appear to have the skills needed to think of how this is working.
What is worse you just watched an instructional video.... of how to do it and you STILL could not get your head round it.
You potentially have a strong Future in top Management.
This is even more dangerous, if you consider that there are morons walking about with powerful hand held computers , scanning QR codes all over the place.
It is what happens when simps or millennials think they are "rockstar" computer programmers.
I worked in a company where one of their "ROCKSTAR" programmers was writing business systems so full of exploits it was embarrassing...
I tried to point it out but no one was listening.... in the end I left....
he later left and went to work for a big retailer as programmer lead.... I see his handiwork all over their customer facing systems...
The frightening thing is that MOST large businesses are NOT interested in doing things right. I have seen systems that are complete shells, where management evaluate screen graphics as an indication of "professionalism".
They are not interested, if you show them 2 IDENTICAL screens, but the code behind one of them is full of exploits
But If I made the one full of exploits have flashy shit or colour... that's the one they would pick.
what is this video??? this does not make sense in at least shopping scenario, and likely for others.
Why take QR payment for example? items in the stores are coded in standardized barcode, with only what item that is supposed to be, price data is in the POS system that asks for the price to DB. there is no way malicious actor can change price with QR code.
also payment processors know these risks, so the payment authorization QR has 2 types.
one where customer scan the store code and send the amount, which requires customer to show how much they send (apps prompt to show it to clerk) or the opposite, the store scans for your barcode with your UserID, again, not a QR, then the store system asks for the processing for said amount, the result will show up on customer's device.
also if there are funny businesses, the payment will just error out like credit card gets rejected.
don't get me wrong, SQL injection can be still possible if the system were configured in such a way so QR contains value that shouldn't be altered.
But that kind of configuration needs to be configured per-store, per-item basis. so normal POS system with compatibility with payment processor is pretty safe from these kind of attacks.
it will like I said, will reject the payment or error out.
I think you are out of touch, and there were several mistakes in the video. at least 5.
Your videos are usually very good but not this one.
Even if a store used qr like this. if a qr only contains prod id and is compared to a db, how does this work at all? you change an id and it comes up as an error. I'm so confused and this is a waste of time lol
There are no uniform standards - you can see this even without a trained eye just by looking at the different types of data in QR codes - someone stores a URL, someone a unique long value, and somewhere a simple number. It is also worth not forgetting about vending machines, where the budget can be much lower and things can be even worse. Personally, in practice, we have encountered not only SQL injection but even OS injection
Well done taking the time with the QR thumbnail
Did you scan the other qr codes in the video? :)
@@Sumsubcom noooo thanks for the heads-up! i definitely wouldn’t have. Ur videos always go in my watch later list because I actually want to pay attention to the full thing. U dont just make background study videos 🖤
Well idea is cool but almost all stores use bar code not qr codes
In 3rd world countries ... yes.... but not in Asia...
That is definitely one good quality video that got me stuck to the screen wondering how. I'm a programmer and still I haven't heard of that before
not surprising if you don't deal with databases......
This is SQL language.... and each database has a different version of the language.
so for example If you are a C# ,C or C++ or java programmer you would NEVER see this.... unless you were working with databases.
Dude, your videos are usually great, but you are out of touch here. 100%.
What do you mean
@@Philippians4.13Enjoyer He doesn't seem to understand how qr codes actually work, they don't contain price data at all, and they are not identifier..
Agreed.
@@hixe What do you mean? At 5:15 he says that in this hypothetical scenario the QR code stores only an identifier and not the price or anything like that.
@@HedgehogGolf 5:35 "and all this can fit into a QR code"
I know what's meant, but is really misleading. This video isn't about QR codes but SQL injections
Always wear white gloves to type stealthily on the keyboard guys ...
Yeah........... *felt attacked*
@@Sumsubcom you won't ... just a Joke chill we are on the same side : i just don't like stereotypes but i understand it is for the show ...
What do I do if I have a link to my website attached to a QR code? Right now I want to put it on all of the print material (postcard and business card sized adverts) and put it where I can (ex. Coffee Shops, Gyms, Local stores). I get the feeling that this is a bad idea, and I'd like to know what I can do instead of this. I'm open to SERIOUS suggestions.
Excellent video, I hope to recommend more!
Thanks, will do!
"An sql query is an entire language" ... What?
ima head out. No one has been susceptible to sql injection in years, unless you have edit rights to a database, you aren't changing a thing in the database and QR codes are single data points well outside the perimeter of injecting sql. They are almost always a url nowadays. You won't have table names, credentials to get into any database or anything because no one does this with QR codes, and no decent company will be this dumb on this many levels.
This video is clearly fearmongering piggybacking disinformation in order to plug a business. That's an unsub from me.
QR codes more often represent an identifier when the data itself is in some database. For example, a QR code when entering a museum or transport will not contain the number of passes in the code itself. This reduces the risk of data forgery
People who scanned that thumbnail QR
👇
you're the coolest ones
Interesting, thanks!
Love the channel - keep it up!
Thanks man!
Your video had me on the edge of my seat, like waiting for a breath of fresh air!
Your content is truly the pinnacle of excellence, and I always find myself eagerly anticipating each new release.
That's so inspirational. Thank you very much. Our team is happy that you guys like our videos!
This video is fiction! Check out systems don't work that way! The price can't be changed by the QR code because the price is stored in the database which the scanning terminals only have read only access. Forget SQL injection because the data is always sanitised. At best, all you will get are errors if you dare scan a dodgy QR code and hopefully, it will trigger a store alarm in a secure environment! 😊 Also some cool self check out systems also have a scale to measure the total weight of items you checked out to ensure the weight corresponds with the weight of the items saved in the database. Forget about it.
bro thinks we're living in 2010, grocery stores aren't that stupid bud, everybody sanitizes their sql queries or uses some olm nowadays...
I find that QR codes are typically just things like URLs or user names/ids/addresses; such as the case with COVID-19 vaccination QR codes. Seems a lot harder to hack the typical sort of uses like that. In theory injection could still be done, but only if there was no sanitation, and typical cases like URL accessers ("browsers") and apps that use user ids or what-not all have sanitation in them already, not required for the users/businesses to ever set up.
me trying to scan all Qr codes showed in the video 💀
we love to leave hints
Everything that comes from the user could potentially be dangerous, never trust the user is the way to go here. Also you said you won't be doing a tutorial on this and then continue to make a tutorial
Interesting, Only if the cashier gets suspicious that a guy buys a TV for 0.01
The hacker hacked the keyboard 😂
And what about barcodes?
Looks like we cant (at least not yet)
This is one of the best tech channels if not the best on yt tbh. Highly underrated. Watched about 5 videos so far. All top quality and deserve millions of views. Keep creating these amazing videos ❤
Thank you very much!
As presented, this seems hypothetical. Are there examples of people changing prices or taking down a store? The risk/reward for cheap bananas seems skewed towards not attacking.
Yes.........
and there are examples of hackers over pasting QR codes for car parking sites, where the user scans a QR code & downloads a malware app
I never saw a shop using QR codes for its prices, every store uses good old bar codes with an EAN/UPC code and the encoding capacity of these codes is far too short for a SQL injection.
Moreover any professional developer sanitizes any external input, long gone are the days of script kiddies developing retail solutions.
_"Ignorance is strength"_ - 1984, a dystopian novel. There are many ignorant.. Their desire for shopping, convenience and personal security will enslave us all
Nice, free food for everyone 🙂
Sincerely I have never seen such a dumb way to set prices in Italy... On the barcode there are only IDs and not prices... 😂
Can you do the same with barcodes?
Thanks for idea, we'll think of it!
Thank you
If a programmer creates this code, he should no more be one, because that’s basic sense to not trust user input
Sumsub next year completes 10 years for sumsub company
🎉
Awesome video sir
Thanks from our big team :)
Pretty sure flippers have screens... at least mine does
at that point just dont scan anything and steal it
I think I got enough information to replicate that trick
this is too advanced for regular ppl
200 times less . . really?
I never got beyond 100
and you guys are brainy tech folks? LOL
the amount of work that goes into these videos, is it worth the investment? (money-wise)
Is is more over great hack, which is Quishing attack
I didn’t even know it was possible!
I become a ethical hacker. I started learning python, please help me 😊
Start reading banned books go to hack forums sites learn c++ c go learn more programming learn a It alot course learn about ai
Hello thanks for the work which laptop is good for ethical hacking I to buy I start my learning thanks
This is neat, but way over my head.
cool
Acc live for these
Who will scan an "unsafe" QR code made by unknown person ?!!!???
People do. Make one with the title free food and see the number of people who would scan😢
I'm first
Not first
Can hack Al
Hi sir want learn hacking please help me
You sound like a child but I'll try anyways, hacking is complicated and not very clear, basically hackers are creative programmers, just learn programming on projects that interest you f.a. Webdev and when you are good enough to understand basic concepts of how the internet, websites and computers work, and can work with them to a certain extent, you can look up stuff on "hacking" a popular example being SQL injections, and learn what they are and then you go from there, it's really not simple to just "hack" but learning these things is just helpful in general.