Professional Documents
Culture Documents
Vulnerability Report
Vulnerability Report
Vulnerability Name
• Parameter: hs_amp
• Method: GET
•
• Risk: High
REQUEST
• GET /blog/influencer-marketing-rent-or-
own?hs_amp=true'%20-->">'>'"
DISCUSSION
• Parameter: hs_amp
POC
request
.
response
Cross Site Scripting (3)
• Resource : /blog/the-executives-no-
nonsense- guide-to-referral-marketing-1
• Parameter : hs_amp
POC
request
.
response
Cross Site Scripting (4)
• Resource : /hs-fs/
• Parameter: ref
POC
request
.
response
.
Shell Injection
• Classification : Information
• Resource : /@marketplace/nosuchpage123
• Parameter: jschl_answer
• Method : POST
• Risk : High
REQUEST
• POST /@marketplace/nosuchpage123 [md=7pmMnfTCM4rTu7QKAxtBbX3JPeCAR1l5AtVoT.Qtsts-1652605806-0-
AZYcstztD2CEwyAbWn1CpvLCgsmB_NDEqE0y4_Pd89FXbSj94KnYUogSekr4VP_x8cly1IOLnI8kfRy4kgL3zqX2M4kgl6q_frA6by06qc9a02ZePA9gpI
dVjeZP1aUFbNUJH6tcjiMgBDd4dKsbvkvfLt8BGaxf9KqQROHUr1bB_jfmZGpzTo4I-lZpINb6E32LsTQwOCPb0gPOlu-6xjlp1-
v3_pnX6X8fxUUBWuNzEbxp4G7RNn5jegiRi-
geHqSApbfsCwlwtT6U7PxY8BBDgm3PMmYVZ2Q6lV2cXjSHJCabNen6xvkendMNihaKbGJwp49y0bPS4bklf0mwM8ur4Es7_t8wn1GdF0Y7xQqCYL
phi_vAtYrDenlC6Nbw0Y8lShUD-s6okRlbN3M_97kq6bnxeV0O32Uu-Rt-
WJa8OjUxrRaqq2riaBcmSaUHOm0uTsD0Hq7lf8B8xqLPVRCAfM0DZODoS_wnRQVCbmQeVbrKGJaTCk--
MU_ejQ5Qkw36dgA6ZPjeL35Wfsfiz_stpUK5LkwiHyWt8KIjCCZZIpWfYFmZQBzxTL-MtyMAlXQJ5gTsj98Jl6rOSFEowwHn5wG9RLHw4cNb1y0Ru-
osTT3qsyNYc4z0aTjlUkFfjDUj70IH4wopgGswODcbOa_vidBph5PQRhXqkbndAlwW r=pFymDSZqJ2_lFSgFc0wKRg4eD7HzN.eqjjZOLwc4UuY-
1652605806-0-Act2bN2pxEqJ/C/qcwpu5vh7YG3MhASXf3wV9Kqbf8jVZsa/
tzCWPgVRLq1w5RIJJGdPz36j72l+aHNRNGeS60upHOiDXK7W4WssKKxbCyGYwncgh1InTm4/
CYHqgQutA8F3SNA8N2N6AboWK7IA7cHIFhdvrdwHO8KP2JXJogKAYxdUsRa2wQXHFYWTNrlMJzqbAQry+ByUympiVe8/
Dfupe6qaRTaKOU8Sr7DSe0Mrw22L5w85wZ6dsB/Tmaxu1rT/DNsleJRmqbjXzNTA31w47BmCYfGgYG0fJfjJHcqtdudr5rJm570wPOy6IhG/
5sZWG7cOB6ZEwjv7Uv+7h2+xOqkZoL9Vr+fSgWIQRUMaB5xQJ2YZhiSKykISivk4CKpu7D/B2Snx18FsFpaA4URrS23tW7N9ouCdimFgU/
YnmebcdtjCYRO6yvZxwq9z0L19J7n+DD+DxhXDizbJ5OMJpQWh7+NFCRLKkKh/FAzL70c1FVuevzugm/
kr3cXwDP2KruB3n+p9gElurdXOsSnFVGXwuN896iKPXepyq4eVO26+
+2Un9RgfACJKJcPhehs9RtqmS8YZhs0JKkLVg7xnMH6CvNsZUBQRw03hBIAFDuInPEqAFaq9eGscl2uET95wCzp6fbm+mKWdFUeDpYTGivromfXYug
yJb/SfGfPszuYUN2YzTCRrvW8L75lo2qfN9mk7snsogo/CUH0RiZWJt3V2xwuP2+P6v7TF8vJy6Ya1pvjM8nDOcbZIdT+
+ZfU7x2qkko9AorCHeRygrfedsR80jeOZBNi0lvwfU2oWL+yYtkYKw91u/AN/e95uB3+YYFduqV/VCAZqoWssNCkuXB6x/
qQzJbNbHmbzLZcxXjOel61fBGql3pGGvMxmv3Tq6Dz+FOsWjhokrCqNwWG94Du0IHbehjdDLHntgX6QCMX19Zynd3+Ivcgzszx9Q3DS/K3vSolN/
WWtGKZwAqLDaH0oC/ss/bKPfErYU1+T0S1PD/JoGQIt2DdT8WrSiZgArcbYzkL/DYliLGzwAJ36io7XvCYtDhiRHgzloZ8CQ4l//
XNTGVePCoPFVoTeOE31F6S9rbVU2FdRNWFyHbQQev0HyQpTTy8YjAI7ubV8hyyGvzBVfJqj+eYvupyOqU27RgHolESSOeOw5OlhyI1PUdkjkSGohX
++JclEr1ZlIu5p8a/
IfsZdXv3ywCNyfyTOcdsvDKycmGQVxHJGpGywhU9+DTIHZpu6NJL+vdmxRijRhIzGCJf06hlgFqqUinbFOBc9q5IuWkyceL2ZCikmwG18FI/
zuxvR9YgTKwZigM3xI9haFLTJCWvUksgFcq3yRzIF1XoRoNvSqFgaXSXlKNOLJ2p954RtP3WTgP1uMMin3NF+AuwX71Da0jMEDA==
jschl_vc=c696c0c05130c3ecafa7ef3aa61ccf97 pass=1652605807.988-iUXWGJRjLk jschl_answer=1'true' ]
DISCUSSION
• Parameter : md
• Method : POST
• Risk : High
REQUEST
• .
Request Forbidden
DISCUSSION
• The developer should review the request and response against the code
to manually verify whether or not a vulnerability is present.
• The best defense against SQL injection vulnerabilities is to use
parameterized statements.
• Sanitizing input can prevent these vulnerabilities. Variables of string types
should be filtered for escape characters, and numeric types should be
checked to ensure that they are valid.
• Use of stored procedures can simplify complex queries and allow for
tighter access control settings.
• Configuring database access controls can limit the impact of exploited
vulnerabilities. This is a mitigating strategy that can be employed in
environments where the code is not modifiable.
• Object-relational mapping eliminates the need for SQL.
REFERENCES