PayPal plugs SQL Injection Hole

An Indian researcher, Prakhar Prasad, found a Blind SQL Injection vulnerability in the PayPal Notifications (https://www.paypal-notify.com) application as part of a bug bounty program. The bug enabled him to access the PayPal Notifications system database. The PayPal team patched the vulnerability immediately due to the severity of the issue. The Register reports that the flaw was found in the module that sends an email confirming the email address of the account holder. Ultimately, this vulnerability could have enabled attackers to steal sensitive information from PayPal's databases.

[Image: paypal sqli]

This image shows the database name after the injection.

[Image: Screenshot from 2013-01-30 00-41-38]

The blind SQL injection vulnerability existed in the official PayPal e-commerce website application, specifically in the email confirmation module. It allowed a remote attacker, or a local low-privileged application user account, to inject and execute (blind) SQL commands against the affected application databases.
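To make the class of bug concrete, here is an added example (not code from the post, from PayPal, or from the researcher) of a hypothetical email-confirmation lookup written two ways: once with the email and token concatenated into the SQL text, and once with bound parameters. The table name, columns and sample row are constructed for the demo and stand in for whatever the real notification system used. The probes show the defining property of a blind injection: the application never returns data from the database, but its yes/no answer changes depending on whether an injected condition is true, which is exactly the oracle the parameterized version removes.

```python
import sqlite3


def make_db():
    """Constructed in-memory schema for the demo (hypothetical, not PayPal's)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE confirmations (email TEXT, token TEXT)")
    conn.execute(
        "INSERT INTO confirmations VALUES ('alice@example.com', 'tok-abc')"
    )
    conn.commit()
    return conn


def confirm_vulnerable(conn, email, token):
    """Defect: request values are pasted into the SQL text.

    The caller only sees True/False, so nothing is echoed back, but the
    boolean outcome is controlled by whatever the input turns the WHERE
    clause into. That is the 'blind' oracle.
    """
    sql = (
        "SELECT COUNT(*) FROM confirmations WHERE email = '"
        + email
        + "' AND token = '"
        + token
        + "'"
    )
    return conn.execute(sql).fetchone()[0] > 0


def confirm_parameterized(conn, email, token):
    """Fix: the values are bound as data, never parsed as SQL."""
    sql = "SELECT COUNT(*) FROM confirmations WHERE email = ? AND token = ?"
    return conn.execute(sql, (email, token)).fetchone()[0] > 0


# Two probes that differ only in the truth of the injected condition.
# An unknown address should never confirm; with the vulnerable query the
# answer tracks the condition instead of the data.
PROBE_TRUE = "nobody@example.com' OR 1=1 --"
PROBE_FALSE = "nobody@example.com' OR 1=2 --"


def oracle_leaks(confirm):
    """True when the confirm function's answer follows the injected condition."""
    conn = make_db()
    return confirm(conn, PROBE_TRUE, "x") and not confirm(conn, PROBE_FALSE, "x")


if __name__ == "__main__":
    print("vulnerable leaks an oracle:", oracle_leaks(confirm_vulnerable))
    print("parameterized leaks an oracle:", oracle_leaks(confirm_parameterized))
```

Run stand-alone, the script reports that the concatenated version leaks an oracle and the parameterized version does not; legitimate lookups (the real address and token) succeed identically in both, so the fix costs nothing functionally. The same pattern applies to any driver that supports placeholders; what matters is that user input reaches the database as a bound value rather than as part of the statement text.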

There are frequent research reports in the news showing that SQL Injection remains one of the most prevalent vulnerabilities exploited by hackers. In at least one report, SQL Injection was tied for first place with DDoS attacks.

SQL Injection free tool

There are many free tools and cheat sheets that help people understand what SQL Injection is and how to test for it. SQL Invader is a free tool that automates the exploitation of a SQL Injection vulnerability once you find it and makes it easy to present the finding to your team or CEO. Visit NT OBJECTives' website to download it by completing a short form.

SQL Injection cheat sheet

In addition, there is a one-page SQL Injection cheat sheet that lists the five most popular databases with their default admin credentials. Visit NT OBJECTives' website to download it by completing a short form.

SQLInvader: http://www.ntobjectives.com/go/nto-sql-invader-free-download/
SQL Injection cheat sheet: http://www.ntobjectives.com/go/sql-injection-cheat-sheet/

About Kim Dinerman
Kim is currently the VP of Marketing at NT OBJECTives. She has been focused on application security since early 2005, when she served as Director of Product Marketing at SPI Dynamics and as Global Campaigns Manager at Hewlett Packard. Prior to 2005, she was Director of Product Management at EzGov, and she began her career at Accenture, where she spent eight years in IT consulting. Connect with Kim on Google+
