Researchers find SQL injection to bypass airport TSA security checks (www.bleepingcomputer.com)
from IllNess@infosec.pub to securitynews@infosec.pub on 31 Aug 17:49
https://infosec.pub/post/16934357

Researchers Ian Carroll and Sam Curry discovered the vulnerability in FlyCASS, a third-party web-based service that some airlines use to manage the Known Crewmember (KCM) program and the Cockpit Access Security System (CASS). KCM is a Transportation Security Administration (TSA) initiative that allows pilots and flight attendants to skip security screening, and CASS enables authorized pilots to use jumpseats in cockpits when traveling.

Definitions:

SQL injection is a code injection technique used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution.

-Wikipedia

#securitynews
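To make the definition above concrete, an added example (mine, not code from the post, the article or FlyCASS, and written in Python against SQLite rather than the PHP the thread speculates about): the same crew lookup built by string concatenation and as a parameterized query, run over a constructed table whose name and columns are my own.

```python
import sqlite3

# Constructed sample rows standing in for a crew-verification table.
SAMPLE_ROWS = [
    ("alice", "Example Air", "active"),
    ("bob", "Example Air", "active"),
    ("carol", "Example Air", "revoked"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed crew table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE crew (username TEXT, airline TEXT, status TEXT)")
    conn.executemany("INSERT INTO crew VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, username):
    """Concatenates the entry field into the SQL text, so it becomes part of the code."""
    sql = ("SELECT username FROM crew WHERE username = '" + username
           + "' AND status = 'active' ORDER BY username")
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, username):
    """Sends the value separately from the statement, so it is only ever data."""
    sql = ("SELECT username FROM crew WHERE username = ? "
           "AND status = 'active' ORDER BY username")
    return [row[0] for row in conn.execute(sql, (username,))]


def compare(username):
    """Run both lookups on the same input and return (vulnerable, parameterized) results."""
    conn = make_db()
    try:
        vuln = lookup_vulnerable(conn, username)
    except sqlite3.OperationalError as exc:
        # An honest apostrophe (o'neil) already breaks the concatenated query.
        vuln = "error: " + str(exc)
    return vuln, lookup_parameterized(conn, username)


if __name__ == "__main__":
    for name in ("alice", "o'neil", "' OR '1'='1"):
        print(repr(name), "->", compare(name))
```

Only active crew should match; the tautology input makes the concatenated query return every active user, while the parameterized query treats the same string as a literal username and returns nothing.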


Crackhappy@lemmy.world on 31 Aug 17:52

Jesus fucking Christ. It’s 2024. Sanitize your inputs people.

IllNess@infosec.pub on 31 Aug 17:59

Especially since backend web frameworks do all this for you.

RamblingPanda@lemmynsfw.com on 31 Aug 18:19

I’m curious what they are using. It’s pretty hard to set up modern frameworks so bad they’ll allow that stuff. I mean it’s possible, but significantly harder than doing it right.

wizardbeard@lemmy.dbzer0.com on 31 Aug 20:54

modern frameworks

Bold assumption they’re using anything remotely modern.

RamblingPanda@lemmynsfw.com on 31 Aug 23:26

Yeah, I know. But it would be interesting to know what they used.

IllNess@infosec.pub on 31 Aug 23:40

Looks like regular PHP.

builtwith

RamblingPanda@lemmynsfw.com on 31 Aug 23:51

The language of the gods!

fubarx@lemmy.ml on 31 Aug 18:19

Security theater: Shoes and belts off.

Security circus: Pilot Captain Bobby Tables.