I found a SQL injection bug on a public facing website, what should I do?
I found (ridiculously easy to discover) a SQL injection bug on a public facing website. I strongly suspect that in the same database are stored credit card numbers of their customers (although not mine).
I wrote to a service email address but got no response and the site is still on with the same error.
What should I do now? Is there any legal requirement for the company to respond/to do something (we are talking about the German branch of an American company)?
Sadly, most organizations are non-proactive to issues like these. One of the sites I've worked on allows all SQL attacks; the only protection is that the user account does not allow anything but "select from".
THE FUN ANSWER ;) If you want real results, abuse the security hole. That will get their attention a lot faster, like email them the result of one of your attacks. Or say Subject line: "Hey check out the cool new tables I created in your database"
Try and get in touch with the people who created the website as opposed to a normal support line which will be more tailored to the product/service they provide and won't know what to do with the issue you raise. Maybe contact them and specifically ask to be transferred to the people in charge of the website, they may very well crap themselves when they realise what can be done.
If that fails, try looking at the domain's WHOIS records for a technical email, maybe a humans.txt, or just look at the source code for a meta tag.
One thing you should not do is use the exploit to gather any data - even as an example, you could get in just as much trouble with the law as if you hacked the site yourself.