Tuesday, April 6, 2010

sanitize your code please...!


A few days ago I "accidentally" found a few SQL injections in one of the local IPTA web sites. I did inform the engineers/developers, but no action was taken. This morning I requested to do a more intensive pen test, and they allowed it with the acknowledgement of the IT director.

I managed to penetrate their internal Oracle DB, which stores all the confidential information, enough to prove to them how severe the exploit was. So I sent their developers a report with sample data gathered and all URLs/URIs/pages affected.

The action taken was to block/deny my VPS static IP address (from where I did the penetration test) instead of repairing their code, which would only take a few minutes.

And tonight I can still penetrate through my DSL dynamic connection, and it is not just about me, the whole world too...

This is lame, guys... please sanitize your code...
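To make the point concrete, here is an added example (my own, not code from the original post or from the site in question) of the kind of bug behind a SQL injection like the one described above, next to the standard fix: a query built by string concatenation beside the same query with a bind parameter. It runs against an in-memory SQLite table that stands in for the Oracle database mentioned in the post; the table, its rows and the two injection payloads are constructed for the demo. The second payload uses SQLite's `sqlite_master` catalogue to pull the schema, the same trick that would use `ALL_TABLES` on Oracle.

```python
"""Added example: string-built SQL versus a parameterised query.

SQLite is used here as a stand-in for the Oracle DB named in the post;
the schema, rows and payloads below are all constructed for this demo.
"""
import sqlite3

# Kept on one line so the text stored in sqlite_master is predictable.
CREATE_STUDENTS = "CREATE TABLE students (id INTEGER PRIMARY KEY, name TEXT, ic_no TEXT)"


def setup_db() -> sqlite3.Connection:
    """Build an in-memory table with a few constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(CREATE_STUDENTS)
    conn.executemany(
        "INSERT INTO students (name, ic_no) VALUES (?, ?)",
        [
            ("Alice", "900101-01-0001"),
            ("Bob", "900202-02-0002"),
            ("Carol", "900303-03-0003"),
        ],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """The 'before': user input is pasted straight into the SQL text.

    A single quote in `name` closes the string literal and everything
    after it is parsed as SQL, so the caller controls the whole statement.
    """
    sql = "SELECT name, ic_no FROM students WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn: sqlite3.Connection, name: str) -> list:
    """The fix: a bind parameter.

    The driver sends the statement text and the value separately, so the
    value is only ever compared as data and can never become SQL syntax.
    This is what 'sanitize your code' should mean in practice; escaping
    quotes by hand is error-prone and driver-specific.
    """
    return conn.execute(
        "SELECT name, ic_no FROM students WHERE name = ?", (name,)
    ).fetchall()


# Constructed payloads. The first turns the WHERE clause into a tautology
# and dumps every row; the second appends a UNION that reads the schema
# from SQLite's catalogue table and comments out the trailing quote.
TAUTOLOGY_PAYLOAD = "x' OR '1'='1"
UNION_PAYLOAD = "x' UNION SELECT name, sql FROM sqlite_master--"


def demo() -> dict:
    """Run both payloads through both lookups and return the row counts."""
    conn = setup_db()
    return {
        "vulnerable_tautology": len(lookup_vulnerable(conn, TAUTOLOGY_PAYLOAD)),
        "vulnerable_union": len(lookup_vulnerable(conn, UNION_PAYLOAD)),
        "parameterised_tautology": len(lookup_parameterised(conn, TAUTOLOGY_PAYLOAD)),
        "parameterised_union": len(lookup_parameterised(conn, UNION_PAYLOAD)),
    }


if __name__ == "__main__":
    for label, count in demo().items():
        print(f"{label}: {count} row(s)")
```

The vulnerable lookup returns all three rows for the tautology payload and the `CREATE TABLE` text for the UNION payload; the parameterised lookup returns nothing for either, because no student is literally named `x' OR '1'='1`. The fix is one changed line per query, which is roughly what the post means by "only takes a few minutes".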

07th April 2010:
-------------------
Latest updates... they actually blocked my IP for only one reason: my IP was making lots of connections and consuming/slowing down their bandwidth/server... now the ban has been removed because of a "misunderstanding", but it is still exploitable...

OK, enough of this crap. I'm not a security dude by profession; better to concentrate on my own projects from now on...
