On the other hand, if you go out of your way to pollute the data and the hacker debugs the resulting errors and finds you as the culprit, they may target you as a form of petty revenge.
In R, libraries will often tell you when there is a parsing anomaly and which line it occurs with. The first thing I do is examine those lines closely!
They are kinda trolling, Kinda not. A rainbow table is just a huge list of precomputed passwords to hash.
MD5 hash of "pass": 1a1dc91c907325c69271ddf0c944bc72
SHA-1 hash of "pass": d74db87a56f6d8a52ca4bbafc86a27f4b66c58a4
SHA-256 hash of "pass": 3f5d8cc9ea971f85b91fe9a761e29f882abeae92e4b99b5678f7bf3f53b1519f
but if you add "salt" to the password, (i.g. some randomly generated data), your password will be deterministically unqiue, and thus a rainbow table wouldn't ever work. The infrared and ultraviolet part is pure troll tho.
Having special characters is a good idea but having a comma just to break a CSV is dumb. This would only happen if the hacker used a bad exporter or created their own (very poorly).
AFAIK it's only "ambiguous" in the sense that if you get a csv file you can't determine the exact parsing behavior to use, but if you know what program created the csv (or what encoder options were used), it's not ambiguous to parse.
>but things get really hairy really fast when you start adding types or BLOBs in the CSV.
AFAIK BLOBs are hex encoded, which make them a non issue.
True - a friend of mine worked in a dangerous part of the world and was car-jacked in a manual car. As soon as the car-jacker was behind the wheel they realised they couldn't drive the car and gave up.
My brother had a stick shift. Kids broke into his car and proceeded to drive it 15 feet into a pole and abandon it. Whole thing was caught on camera too.
But can’t the hacker just write a small function to fix that? If I found a comma in the third position in a hash crack I might assume it’s part of the password and not a column separator.
comma being a very common and probably common when many organization are enforcing special character policy . For those big exports , they are probably not dumping out as csv , it would be light weight db file . I assume sqllite
Yea good assumption, SQLMap for instance, defaults --dump to .csv with sqlite as an option if you're just looking for a simpler test point. Plenty of other tooling options out there too. Tooling providing your encoding during dump will overcome the ',' concern though, no?
Have you ever used quotes in a password. I did. IOS was constantly changing quotes into smart quotes. Super annoying for those times when I had to actually type in my password.
The reason you might want to put such character in a password is not in case it might leak, but in order to break the idiotic system which stores and handles those passwords in plain text. I would use a double quote and a single quote. That will break things if passwords are wrapped in quotes without escaping.
PRO TIP: You can also use % to punish incorrect use of printf(3), $ to punish use of "eval" in Perl and bash, <> to break HTML parsing, * to punish overzealous filename globbing, & to set off forkbombs on the unsuspecting victims, +++ATH0 to make their modems hang up, and ! to prevent transmission via UUCP.
And then back into a corner, splash a can of paint in every direction, put your head between your knees, and wait for WWIII. (If it doesn't start by the time the paint dries, do it all over again tomorrow.)
reply