So, I ordered an item from an e-commerce website, and they sent me a link to track my order. The link takes the order-id as a GET parameter and has CWE-342, but that's not the concern. I just added a quote after the tracking number and received an SQL error. It did not reveal any code, which is good, and the site gives an alert() instead of a webpage. But I believe there might be a possible SQL injection attack as input might not be filtered.
Clearly, I can't try to exploit it using sqlmap as I believe that wouldn't be legal, right?
Should I contact the website and inform them of a "potential" attack? I also believe that the website in question is just using an API to show us results, and the SQL error is coming from another website as the "alert()" box had a different URL as the alert title.
from hacking: security in practice https://ift.tt/80NcVfW