Ranter
Join devRant
Do all the things like
++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatar
Sign Up
Pipeless API
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple API
Learn More
Comments
-
NoMad141764yThey're not that smart, so I wonder, who did they pay? Which security company was so low on cash and so desperate to do their dirty work?
-
Why didn't the attackers redirect the main landing page, just some irrelevant deep link? Allah is mighty, Allah is great, lives in a trailer on social aid?
-
@Fast-Nop That's what the code does actually... Auto-redirect the homepage to that website link.
-
@GiddyNaya credibleorganic.in isn't redirected to that link, at least not in my browser. Not even with uBlock Origin disabled. Or is that because you fixed it already?
-
The real question is why there are still sql injection vulnerabilities in 2021. Sanitizing data isn’t hard
-
Also they had a database injection vector and all they did with it was edit some html? That’s some serious lack of imagination right there
-
@Fast-Nop I don't know "credibleorganic.in" neither does the client. The affected website is a school website (*not putting the URL here) and visiting the landing page redirects to that credibleorganic link.
I've been able to fix the code and ultimately change the db password but I'm still yet to find out how they where able to update the tables with malicious values.
Just as @demoralizeddev pointed out; the client's website was poorly written. Notice the PHP echo block, that db value should have been sanitised/html_escaped rather than echoed directly because when not sanitised the browser executes any command that appears there, in this case "a meta redirect tag". Assuming the attacker injected a JavaScript redirect that would have been harder to detect cause the redirect would have been instant. -
Crismon2364yWhats the FE? doesnt it sanitize automatically like most modern FE frameworks/libraries do?
I think sanitization should be done on the FE or the first entry point to the BE or am I mistaken? -
@Crismon If you check my recent comment you'd notice from the image that it's plain HTML without any Frontend framework.
Related Rants
-
wrkuijpers82Me: *Watching a movie* Main Character: "Oh no, we have to hack the CIA to figure out how this machine works! ...
-
molynerd12Writing some code on a flight "ARE YOU HACKING?!?!" "Ugh... Well yeah but not in the way you're thinking" "Om...
-
FMashiro10So apparently this is an official company in the UK
Client website has been hacked!
https://credibleorganic.in/js/...
rant
page redirect
sql injection
hacking