71

First rant

Context: I work in a cyber security company which develops cyber security solutions.
I started testing the API of the dashboard we have. Within 15 minutes, after poking around with Burp Suite, I found a SQL injection in POST data that leads to the whole DB being dumped with sqlmap.

Told the boss and the API developer. Boss said, "it's ok to have bugs/holes in a trial box". But this is on a machine that is gonna be sent to a client for trial in a few days. I even compiled a report on how to fix it, which is like 2 lines of "if else" statement by the way. Told the API developer how to fix it, he didn't care. 'I work on functionality first'. Doesn't look like he's gonna fix it.

A damn cyber security company, developing a cyber security solution, does the "don't" of web security 101, which is dumping POST data directly into the SQL query, which requires only 5 minutes to fix. 🤦‍♂️🤦‍♂️🤦‍♂️

Comments
  • 19
    Post a full disclosure and contact your own company, get street cred 😎
  • 3
    Leave for a better place? Yes!
  • 1
    Contact a higher-up, send a company-wide email with the issue. Someone will respond to it.
  • 2
    @Codex404 Um actually I already sent the vulnerability report to everyone. It's either they don't care or they didn't read it yet. It's a small startup company.
  • 0
    @BigBoo lol the whole product is not being released yet. And it's embarrassing to disclose such a very basic SQL vulnerability.
  • 0
    If it's a trial version app for the client to verify, I doubt that it has anything to do with security rather than preferred functionality. Company-wise it is expensive to conduct extensive testing on every non-production iteration.
  • 1
    @psukys that may be true. But this is a very basic kind of mistake a developer can make. Dumping POST data directly into a SQL query without any form of checking or validation, it's like web app 101. And this is just after 15 minutes of poking around, I was not asking for an extensive test. I was just reporting my finding and asking for it to be fixed.
  • 1
    @zerouplink

    Embarrassment is temporary.
    Street cred is forever.
  • 1
    Every combination of programming language and database driver has built-in support for prepared statements with parameterized queries.
    Not to mention using an ORM, which almost always makes it faster to ship the product.
  • 0
    @Bitwise @SHA-16384 but when you want to work for another company you have to explain that you as a tester did foresee that leak...
  • 0
    @login Yeah, exactly. You guys should have seen the code. It was something like this: `query += post_json.column + "," + post_json.sort + ";"`
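An added example (not code from the rant, its comments, or the company's product) of the fix the prepared-statements comment above describes, applied to the quoted `post_json.column`/`post_json.sort` line: column names and sort directions are identifiers, which no driver will bind as parameters, so the hardened builder allowlists them and binds only the value. The table name, column names, `owner` field and request bodies are constructed for the example.

```javascript
// Added example, not the page's code. Shows the quoted pattern
// (request fields spliced into SQL text) beside a hardened builder.
// Table/column names and request bodies below are constructed.

const ALLOWED_COLUMNS = new Set(["id", "name", "created_at"]);
const ALLOWED_SORT = new Set(["ASC", "DESC"]);

// Vulnerable builder: every request field lands inside the SQL text,
// so quotes, semicolons and comment markers change the statement.
function buildUnsafe(postJson) {
  let query = "SELECT * FROM alerts WHERE owner = '" + postJson.owner + "' ORDER BY ";
  query += postJson.column + " " + postJson.sort + ";";
  return query;
}

// Hardened builder. Identifiers are matched against a fixed allowlist
// (they cannot be bound as parameters); the value is left to the driver
// via a placeholder ("?" for mysql2/sqlite3, "$1" for node-postgres).
// Returns the statement text and its parameter list separately.
function buildSafe(postJson) {
  const column = String(postJson.column);
  const sort = String(postJson.sort).toUpperCase();
  if (!ALLOWED_COLUMNS.has(column)) throw new Error("rejected column: " + column);
  if (!ALLOWED_SORT.has(sort)) throw new Error("rejected sort: " + sort);
  return {
    text: `SELECT * FROM alerts WHERE owner = ? ORDER BY ${column} ${sort};`,
    params: [String(postJson.owner)],
  };
}

// Constructed request bodies: one crafted, one ordinary.
const hostile = { owner: "x' OR 1=1 --", column: "name; --", sort: "ASC" };
const benign = { owner: "alice", column: "created_at", sort: "desc" };

// Runs both builders so the difference is visible in one object.
function demo() {
  const out = { unsafe: buildUnsafe(hostile), safe: buildSafe(benign), rejected: null };
  try { buildSafe(hostile); } catch (e) { out.rejected = e.message; }
  return out;
}

if (typeof require !== "undefined" && require.main === module) console.log(demo());
```

The unsafe output shows the crafted `owner` value closing the quoted string and the crafted `column` ending the statement early, while the safe builder never lets either touch the SQL text.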
  • 0
    @Bitwise Thanks for the suggestion. I guess it's out of my hands now. I'll just save up a nice "I told you so" moment. And it is a small startup company, so the headline is probably not happening lol.
  • 0
    @Bitwise or anyone researching a person they are hiring