Attack try temporarily caused disabling of GC comment form?

[Isildur]

At the top of the current on-GC's-site comments (backed up here), there's a comment from a frequent commenter saying 

starving autist

Nice job breaking the comment form, haha.

8 Nov 2021 | 12:01 AM

At first I assumed that the reader was joking about something like Tom's page comment ("I just have to kill a guy bye", spoofing Annie's dropping of that bomb on Renard and abruptly turning her attention to Shell) or some aspect of the comic being likely to cause an overload of people commenting.

But then I noticed that further down, a long series of comments marked as from a submitter "lxbfYeaa" contain fragments of arithmetic operations or programming code. Some of them like "-5 OR 340=(SELECT 340 FROM PG_SLEEP(15))--" look like someone was attempting to do some SQL injection.

I'm hoping the coding of the site is solid enough that whoever was doing that didn't actually succeed at injecting any SQL, and that the comment form was temporarily temporarily disabled (maybe by an automatic rate limiter) simply as a precaution, because it was getting hammered with too many rapid, automated submissions.

It seems the day has come when a tougher CAPTCHA than "□ *Check this to prove that you are not Boxbot." is needed...

[Eversist]

Mr. Siddell reads the forum pretty regularly IIRC, but this seems a thing you could DM him about if you wanted. Seems important!

[warrl]

That certainly looks like a failed attempt at SQL injection to me.

Too bad the site didn't limit how frequently a single client could post messages, or how many such messages in a row on a single thread, or something like that - or recognize the attempt and reject the messages entirely.

[Isildur]

Nov 10, 2021 17:15:42 GMT Eversist said:

Mr. Siddell reads the forum pretty regularly IIRC, but this seems a thing you could DM him about if you wanted. Seems important!

Ok, sent him a DM, thanks.

[Isildur]

Just a warning: Don't quote even the tiniest fragment of the code from there here, or Cloudflare may block your IP from Proboards based on a heuristic analysis noticing what looks like SQL injection code. It's surprisingly sensitive; I just now was composing a new reply, and in doing so quoted just a single line (containing a negative one, a capital "or", a curious arithmetic operation that seems like just padding, and a trailing double minus sign) to comment on the fact that (while I'm not an expert by any means) I was puzzled what the long arithmetic operation achieves (other than maybe padding) since it appears to be arithmetically identical to "one equals one". I noted that the trailing double minus sign is used to disable quotation marks, according to a Stack Overflow thread ( stackoverflow.com/questions/31288409/ ) Trying to post that reply got the IP at the office I was in blocked.

Oh well. I guess I should email Proboards to ask them to unblock that IP. (I'm entering this from my phone now.)

Also, in my failed message, I noted that whoever is attempting tried it again in the latest GC comments.

[Tom Siddell]

Thanks for the heads up, I'll keep an eye on things. The comments area is set up in such a way that injection attacks shouldn't be able to do anything, though.

[Isildur]

Nov 12, 2021 14:12:40 GMT Tom Siddell said:

Thanks for the heads up, I'll keep an eye on things. The comments area is set up in such a way that injection attacks shouldn't be able to do anything, though.

You're welcome. Ok, good to hear. It does detract from the comment thread, though, when so much of the thread is occupied by dozens of those injection attempt messages, so I hope you'll consider a stronger anti-spamming measure than the checkbox, like reCAPTCHA. Unfortunately, there really are worse bots than Boxbot.

[warrl]

Or a function that examines a blob of text to determine if it's an attempt at some sort of code injection. (Could return "bad text" or could attempt to determine what kind of code - the former would be sufficient for this specific purpose, the latter would be more complex and have more OTHER uses.)

And if that function says the text to be posted is, the attempt to post could be rejected.