Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How to notify someone that their website is vulnerable to SQL injection? [closed]

Original question:
An affiliate partner of us has a website that is vulnerable to SQL-injection.

We noticed this by accident (typo in an URL triggered an enormously informative error page).

Now we do not know this affiliate partner very well. We started doing business with them just a week ago. They themselves have very little technical skills; their website is developed for them by a third company that 'does websites'.

Now it is obvious that we should warn them about the problem. But we are a bit worried that if we inform them about the problem they get scared and do not trust us any more (shoot the messenger to make the problem go away).

Have any of you ever been in this situation? what did you do?

An additional thing is:
Because the company that developed the website does not appear to do input validating/sanitizing at all, we do not have a lot of confidence in this company. While it is not our concern, we feel that we should warn our affiliate partner for the potential lack of security and quality in the rest of their system. This would put us sort of head-on with their developer, and we do not want to get involved a them vs us situation.

Should we notify them of our additional concerns? or do you advice to let it be?



Update:
So, how did thing go?

We notified them of the existing problem, included background information, a detailed error report and tried to explain in plain human language what the problem was and why it is serious.

They thanked us, passed the information to their website developer who has since fixed it.
We are not quite sure of the quality of the fix, but there is nothing we can do about that and it is not our responsibility. (Although it does feel like our responsibility, even more so since we reported it).

However, the relationship has changed. They are less open and there responses far more reserved that before. We hope that this will change for the better in the future, but it sure feels like reporting the problem damaged the trust in this relationship.

So if you ever find yourself in the same position, be careful, take your time to explain the problem and be prepared for a less than optimal response.

like image 301
Jacco Avatar asked Feb 11 '09 14:02

Jacco


People also ask

What's a recommended way of dealing with SQL injection attacks?

The only sure way to prevent SQL Injection attacks is input validation and parametrized queries including prepared statements. The application code should never use the input directly. The developer must sanitize all input, not only web form inputs such as login forms.

What is an approach to avoid SQL injection vulnerabilities?

Developers can prevent SQL Injection vulnerabilities in web applications by utilizing parameterized database queries with bound, typed parameters and careful use of parameterized stored procedures in the database. This can be accomplished in a variety of programming languages including Java, . NET, PHP, and more.

Which application will help identify whether a website is vulnerable to SQL injection attacks?

SQLMap. SQLMap is one of the popular open-source testing tools to perform SQL injection against a relational database management system.


1 Answers

You tell them. Period.

Will they shoot the messenger? Maybe. But if they do then do you really want to be in business with them?

More pragmatically, if they ever had a problem with their website that cost them a lot of money due to such an attack and if it ever came out that you knew about it and did nothing you'd potentially have some liability issues.

Not only is it the right thing to do (to tell them) but you have a professional responsibility to do so.

like image 150
cletus Avatar answered Oct 11 '22 14:10

cletus