Surviving a Bobby Tables Attack
- in Tech
I basically ignored this website for 3 years from 2018, the year I started graduate school. I hoped to finally upgrade it this week. It had been built on Known, a simple blogging platform developed by an open-source community well-populated with IndieWeb enthusiasts. The simplicity, unfortunately, was this site’s undoing, as the comments were wide open to the kind of SQL injection known as Bobby Tables.
Within an hour of learning my website was down, I learned about Bobby Tables attacks, thanks to my brother, Ray, an IT professional specializing in SQL who promptly provided valuable advice so that I would not waste time on a corrupted database file. (He beat me to posting a blog about the fiasco.) The injection not only disabled my site, but it also slowed down the entire server including other people’s websites. (My apologies!) A Dreamhost tech person spotted the anomaly and quickly removed the corrupted database. My other websites were down only 10 minutes.
A Bobby Tables injection can delete tables from a SQL database. I have no idea what tables were deleted from the Known database. All I know is that my website was up and running before I went to sleep last night, and when I woke up it was down. I wonder if WordPress began using prefixes on table names to reduce the destruction by injected SQL commands.
Since I never took this website very seriously, I never made a backup of the database. Fortunately, I had an RSS export of all the posts, which are not many, and I was able to rebuild the site using WordPress instead, despite my dislike of the Gutenberg interface. Thank you, developers, for your plug-ins!
This site is actually a kind of hybrid of WordPress and Known. Older posts’ images are still stored in directories created by Known scripts. This eased the process of getting everything back online. It will also make life easier when there’s time to get the Known platform back up with an automatic spam filter-slash-trasher. There are already 12 comments filtered by the Akismet plugin within hours of the site being rebuilt. Known has an Akismet plugin too, but it doesn’t automatically delete spam comments the way WordPress can be configured to do. And though I’ve now finished school, other more important projects loom, like creating affordable housing. Since this site will continue to be on the back burner for the time being, it will need that automation.