paypal sqli

PayPal plugs SQL Injection Hole

An Indian researcher, Prakhar Prasad found a Blind SQL Injection vulnerability in the Paypal Notifications (https://www.paypal-notify.com) application as part of a bug bounty program. The bug enabled him to access the Paypal Notifications system database. The Paypal team patched the vulnerability immediately due to the severity of the issue. The Register reports that the flaw was found in the module that sends an email confirming the email address of the account holder. Ultimately, this vulnerability could have enabled attackers to steal sensitive information from PayPal’s databases.

paypal sqli

This image shows the database name after the injection.

Screenshot from 2013-01-30 00-41-38

The blind SQL injection vulnerability that was detected existed in the official PayPal e-commerce website application, specifically in the email confirmation module. The vulnerability allowed remote attackers or a local low-privileged application user account to inject or execute (blind) SQL commands on the affected application databases.

There are frequent research reports in the news showing that SQL Injection remains one of the most prevalent vulnerabilities exploited by hackers. In at least one report, SQL Injection was tied for first place with DDOS attacks.

SQL Injection free tool

There are many free tools and cheat sheets that help people understand what SQL Injection is and how to test for it. SQL Invader is a free tool that automates the exploit of a SQL Injection vuln once you find it and makes it easy to present it to your team or CEO. Visit NT OBJECTives’ website to download it by completing a short form.

SQL Injection cheat sheet

In addition, there is a one page SQL Injection cheat sheet that lists the five most popular databases with their default admin credentials. Visit NT OBJECTives’ website to download it by completing a short form.

SQLInvader: http://www.ntobjectives.com/go/nto-sql-invader-free-download/
SQL Injection cheat sheet: http://www.ntobjectives.com/go/sql-injection-cheat-sheet/

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title="" rel=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>