During a recent security assessment conducted by Spartans Security, our security consultant Subhash Paudel discovered multiple unauthenticated SQL Injection vulnerabilities on Order Up Online Ordering System version 1.0. These vulnerabilities occur due to improper handling of user-supplied input within backend database queries, allowing an unauthenticated attacker to manipulate SQL logic executed by the application.
The affected functionality processes the store_id parameter in a POST request without adequate server-side validation or the use of parameterised queries. As a result, crafted input provided by an unauthenticated user is directly incorporated into SQL statements executed by the backend database, exposing the application to injection-based attacks.
Security testing confirmed the presence of blind SQL Injection vulnerabilities using both boolean-based and time-based techniques. Boolean-based testing demonstrated that application responses varied based on true or false SQL conditions, indicating direct influence over query execution. Time-based testing further confirmed this behavior by successfully inducing controlled response delays, proving that injected SQL statements were executed server-side even when no error messages were returned.
Successful exploitation allowed our consultant to enumerate database structures and extract highly sensitive information. This included the ability to dump administrative account password hashes as well as critical API keys stored within the database, representing a severe compromise of application security. Although exploitation was observed to be limited to the application itself, the level of access obtained effectively granted full control over application data and administrative functionality.
The vulnerable endpoint was identified as /api/integrations/getintegrations, accessible via a POST request. Given that exploitation does not require authentication and results in exposure of sensitive credentials and administrative data, the overall risk associated with this vulnerability is considered Critical.
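As an added example (not part of the advisory and not code from the vendor), the following Python scanner shows how a defender could watch request logs for the endpoint named above while a patch is pending: it applies an allow-list for the shape of `store_id` and escalates malformed values that coincide with unusually slow responses, which is the signature of the time-based probing described earlier. The log format, field names, threshold and sample entries are all constructed assumptions.

```python
import json
import re

# Constructed JSON-lines request log, modelled on what an application or WAF
# log might record for this endpoint. Timestamps and values are made up.
SAMPLE_LOG = """
{"ts": "2024-01-01T10:00:00Z", "method": "POST", "path": "/api/integrations/getintegrations", "params": {"store_id": "12"}, "ms": 40}
{"ts": "2024-01-01T10:00:01Z", "method": "POST", "path": "/api/integrations/getintegrations", "params": {"store_id": "12 AND 1=1"}, "ms": 41}
{"ts": "2024-01-01T10:00:02Z", "method": "POST", "path": "/api/integrations/getintegrations", "params": {"store_id": "12 AND SLEEP(5)"}, "ms": 5043}
{"ts": "2024-01-01T10:00:03Z", "method": "GET", "path": "/menu", "params": {}, "ms": 12}
"""

# Per-endpoint allow-list of what each parameter should look like. Only the
# endpoint path and parameter name come from the advisory; the numeric
# pattern is an assumption about what a legitimate store_id looks like.
EXPECTED_SHAPE = {
    "/api/integrations/getintegrations": {"store_id": re.compile(r"[0-9]{1,10}")},
}

# Assumed threshold: a lookup this slow alongside a malformed value is a
# strong hint of time-based blind injection rather than ordinary load.
SLOW_MS = 3000


def classify(entry):
    """Return a finding for one parsed log entry, or None if it looks normal."""
    rules = EXPECTED_SHAPE.get(entry.get("path"))
    if not rules:
        return None
    for name, pattern in rules.items():
        # A missing parameter yields "" and is flagged as malformed too.
        value = str(entry.get("params", {}).get(name, ""))
        if pattern.fullmatch(value):
            continue
        finding = {
            "ts": entry.get("ts"),
            "param": name,
            "value": value,
            "ms": entry.get("ms", 0),
            "kind": "malformed",
        }
        if finding["ms"] >= SLOW_MS:
            finding["kind"] = "possible_time_based"
        return finding
    return None


def scan_log(text):
    """Parse JSON lines and collect findings; unparseable lines are skipped."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue
        finding = classify(entry)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ts"], f["kind"], f["param"], repr(f["value"]), f["ms"], "ms")
```

The allow-list approach is deliberately simple: rather than trying to enumerate every injection pattern, it flags any `store_id` that is not a plain integer, which is the only shape the endpoint should ever legitimately receive. Requests to paths outside the table are ignored, so the scanner can be pointed at a full access log.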
Spartans Sec recommends immediately patching the identified vulnerabilities in coordination with the vendor to prevent active or potential exploitation. Deployment of a Web Application Firewall (WAF) should also be considered for an additional layer of protection.
For long-term remediation, all database interactions must use parameterised queries or prepared statements. The application should also enforce strict server-side input validation, run with least-privilege database credentials, and suppress verbose SQL error messages so that query failures are logged internally rather than returned to the client.
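To make the remediation concrete, here is an added Python example (not the product's code; the table layout, column names and sample rows are constructed) that places a string-built query of the kind the advisory describes next to a hardened handler for the same `store_id` lookup. The hardened version validates the parameter server-side, binds it as a query parameter, and returns a generic error instead of the database driver's message. SQLite is used only so the example runs offline; the same pattern applies to any driver that supports placeholders.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build an in-memory database standing in for the application's tables (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE integrations (
            id INTEGER PRIMARY KEY, store_id INTEGER, name TEXT, api_key TEXT);
        INSERT INTO integrations VALUES (1, 10, 'payments', 'KEY-STORE10-constructed');
        INSERT INTO integrations VALUES (2, 20, 'delivery', 'KEY-STORE20-constructed');
        """
    )
    return conn


def get_integrations_vulnerable(conn, store_id: str):
    """'Before': user input is spliced straight into the SQL text.

    Any value that is not a bare number changes the query's logic, which is
    exactly the condition the advisory reports.
    """
    query = f"SELECT name FROM integrations WHERE store_id = {store_id} ORDER BY id"
    return [row[0] for row in conn.execute(query)]


class InvalidInput(ValueError):
    """Raised when a request parameter fails server-side validation."""


def get_integrations_hardened(conn, store_id: str):
    """'After': strict validation plus a parameterised query."""
    # store_id must be a plain positive integer; anything else is rejected
    # before it gets anywhere near the database.
    if not re.fullmatch(r"[1-9][0-9]{0,9}", store_id):
        raise InvalidInput("store_id must be a positive integer")
    # The value is bound as data via a placeholder, never interpreted as SQL.
    rows = conn.execute(
        "SELECT name FROM integrations WHERE store_id = ? ORDER BY id",
        (int(store_id),),
    )
    return [row[0] for row in rows]


def handle_request(conn, store_id: str):
    """Request wrapper that never leaks driver error text to the client.

    Returns an (http_status, body) pair. In a real deployment the connection
    would also use a read-only, least-privilege database account.
    """
    try:
        return 200, {"integrations": get_integrations_hardened(conn, store_id)}
    except InvalidInput:
        return 400, {"error": "invalid store_id"}
    except sqlite3.Error:
        # Log the exception server-side; the client only sees a generic message.
        return 500, {"error": "internal error"}


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, normal input :", get_integrations_vulnerable(db, "10"))
    print("vulnerable, altered logic:", get_integrations_vulnerable(db, "10 OR 1=1"))
    print("hardened, normal input   :", handle_request(db, "10"))
    print("hardened, altered logic  :", handle_request(db, "10 OR 1=1"))
```

The point of the pairing is that the hardened handler does not try to recognise hostile input; it accepts only the one shape the parameter can legitimately have and then hands the value to the driver as a bound parameter, so the SQL text itself never varies with user input.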
Reference: