Rick Sanchez explains command injection

Rick and Morty returned this weekend, and the third season premiere unexpectedly showcased just how devastating a successful command injection attack can be.
Held prisoner in a simulation of his own memories, sometimes-great, always-mad scientist Rick Sanchez is forced to relive the moment he created his portal gun so his alien captors can discover its secrets. As his former self makes frantic calculations on the garage floor, his adversaries greedily rub their hands together as they get the precious input they seek.
In fact, Rick’s alien accomplice is so keen to relay the information that he snaps a picture of it on his phone and beams it back to his celebrating colleagues outside of the simulator. But there’s a problem – they can’t hear his requests for extraction over the radio.
“The code you just uploaded wasn’t actually my portal gun formula,” Rick smugly explains to his captor. “It was a virus giving me full control over the brainalyser!”
Sure, the circumstances are typically silly, but this snippet from Rick and Morty perfectly summarises one of the most commonly repeated mottoes at the recent SANS Cyber Retraining Academy: All user input is evil and cannot be trusted.
What Rick’s alien captors should have done is built some kind of filter into the brainalyser to prevent malicious code from being parsed and executed.
If that last sentence sounded ridiculous, that’s because it is – but it’s a neat analogy for some of the biggest cyber breaches in recent years. For example, the TalkTalk breach, which involved the personal details of nearly 160,000 customers, was the result of a SQL injection attack. In short: A teenager managed to execute some code where he shouldn’t have been able to.
So next time you’re about to deploy an app or service, stop and think: What harm could a hacker (or a mad and quite probably drunk scientist) do if they supplied the wrong input?
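The analogy above comes down to one engineering question: does untrusted input ever reach an interpreter (a shell, a SQL engine, a "brainalyser") in a form the interpreter will parse? The snippet below is an added example, not code from the original post, contrasting the vulnerable pattern with two mitigations: an allow-list check on the value and passing it to the operating system as a plain argument rather than as part of a shell command line. The `ping` use case and the hostname pattern are assumptions chosen for illustration.

```python
import re
import subprocess

# Assumed allow-list for this example: a host argument may contain only
# letters, digits, dots and hyphens. Anything else is rejected outright.
HOST_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")

# Characters a POSIX shell treats as syntax rather than data; checked only as
# defence in depth, the allow-list above is the real control.
SHELL_METACHARS = set(";|&$`<>()\n")


def build_ping_command_unsafe(host: str) -> str:
    """Vulnerable pattern: the untrusted value is glued into a command string
    that is later handed to a shell. The shell, not this code, decides where
    the command ends, so any metacharacter in `host` changes what runs."""
    return "ping -c 1 " + host


def has_shell_metacharacters(value: str) -> bool:
    return any(ch in SHELL_METACHARS for ch in value)


def validate_host(host: str) -> bool:
    return bool(HOST_RE.fullmatch(host))


def build_ping_command_safe(host: str) -> list[str]:
    """Hardened version: reject anything outside the allow-list, then return an
    argv list. A list passed to subprocess.run() without shell=True is handed
    to the OS as separate arguments; no shell ever parses it."""
    if not validate_host(host):
        raise ValueError(f"rejected host: {host!r}")
    return ["ping", "-c", "1", host]


def echo_argument_safely(value: str) -> str:
    """Show that argv-style invocation keeps the input as data: /bin/echo
    receives the whole value as one argument and prints it back verbatim,
    metacharacters included, because no shell interpreted them."""
    result = subprocess.run(["echo", value], capture_output=True, text=True, check=True)
    return result.stdout.rstrip("\n")


if __name__ == "__main__":
    # Constructed inputs: one benign host and one carrying shell syntax.
    for candidate in ["example.com", "example.com; echo injected"]:
        print("unsafe string :", build_ping_command_unsafe(candidate))
        print("metachars?    :", has_shell_metacharacters(candidate))
        try:
            print("safe argv     :", build_ping_command_safe(candidate))
        except ValueError as exc:
            print("safe argv     :", exc)
```

The unsafe builder does not fail on the second input; it silently produces a command line whose meaning the shell will change. The safe builder refuses it before any process is spawned, and `echo_argument_safely` demonstrates that even when a suspicious value is allowed through, argv-style invocation keeps it as an argument rather than code.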