
I work with a company that creates marketing software; we recently created a forum so we could talk with users who need support.

I'm the main admin on this forum, and a user, let's call them person1, has been trying to run PHP code in the comments. I originally thought maybe he was referring to the question with it, but then their comments all started getting marked as spam and needing review. After a handful of comments, I decided to IP-ban them.

Fast forward a month or so, and now someone has been filling out all the forms on our site. In the name slot they used the same username, person1, but now they are trying to append HTML code to the inputs. Each form submission gets sent to email, and it showed that he was able to execute an image tag and an a tag in the field. The images weren't malicious or anything, just cat pics, but the links were things like http://www.phishing-site.com and http://www.evil.com. They also tried running a few SQL statements in the hope of dropping our DB.

I ended up looking up their username online, and there are multiple accounts by the same name sitting in queue for bug bounties from companies like PayPal, Apple and Windows. Is it possible that they are just running a script to search for bugs in our system, or are they trying to do something more malicious? What could be a possible solution for this?

Anders
knocked loose

  • They are hunting for code injection vulnerabilities. Are you in any bug bounty programs like bugfinders or do you offer any bounty yourselves? – iainpb Apr 12 '17 at 20:21
  • I can't necessarily say that the behavior is malicious, but I can say that it's dangerous. Regardless of his or her intent, this individual sounds very inexperienced in security, and I get the feeling that he/she is just running scripts/tutorials that he/she found on the internet. The best course of action may be to reach out to him/her to tell them to knock it off. Beyond that, it's monitoring your logs, blocking his or her IP, and making sure your software is secure. You could also consider contacting law enforcement. Keep your logs in case he/she does find and exploit a vulnerability. – Dan Landberg Apr 12 '17 at 20:25
  • I believe we're listed on a few sites offering bounties. Is there a way we can go about quarantining this user, or should we just let it pass? – knocked loose Apr 12 '17 at 20:26
  • If this is a part of a bug bounty, reach out to the user and let them know that they should not be attempting to drop any databases as part of the bug bounty. Reference the terms and conditions of the bug bounty as well, if possible. Most bounties exclude destructive behavior. – Dan Landberg Apr 12 '17 at 20:31
  • @user52472 - New to this site, but as a non-expert, to me your comment looks helpful enough to post as an answer (which I would like to upvote). – aparente001 Apr 12 '17 at 22:56
  • @aparente001, added it as an answer. – Dan Landberg Apr 17 '17 at 21:49

1 Answer

Assuming this user is legitimately trying to participate in a bug bounty, they should not be attempting to drop a database via SQL injection. This user sounds like a very inexperienced penetration tester, and I get the feeling that he or she may not fully understand the impact of some of the scripts that he/she is running. The best course of action may be to reach out to the user and let them know that some of their activities may not be in scope. I would reference the terms and conditions of the bug bounty as a part of that communication.

If this is a malicious actor, you may want to consider reaching out to them with the same type of message. They sound very inexperienced, and letting them know they are being watched may scare them off. Beyond that it's a matter of monitoring your logs, blocking his or her IP, and making sure your software is secure. You could also consider contacting law enforcement. Keep your logs in case he/she does find and exploit a vulnerability.

Dan Landberg
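The answer's "making sure your software is secure" covers two concrete fixes for what the question describes: the form-to-email path rendered the submitted `<img>` and `<a>` tags because the fields were concatenated straight into an HTML mail body, and the DROP attempts only matter if form input ever reaches SQL as part of the statement. The following is an added example, not code from the answer, the asker's site, or any forum product. It assumes Python with the standard library only (in-memory SQLite stands in for the real database), and the sample submissions are constructed here to mirror the probes in the question, not real logs. It also shows the triage heuristic the comments point at ("monitoring your logs"): cheap pattern checks that flag a submission for human review without ever being relied on as the security control.

```python
import html
import re
import sqlite3

# Constructed sample submissions modelled on the probes described in the
# question above (cat picture, phishing link, a DROP attempt, a PHP tag).
# They are made up for this example, not logs from the site in the question.
SAMPLE_SUBMISSIONS = [
    {"name": "alice", "message": "Hi, I have a question about billing."},
    {"name": "person1", "message": '<img src="http://example.org/cat.jpg">'},
    {"name": "person1", "message": '<a href="http://www.phishing-site.com">login</a>'},
    {"name": "person1", "message": "x'; DROP TABLE submissions; --"},
    {"name": "person1", "message": "<?php system('id'); ?>"},
]

# Cheap triage heuristics run on every submission so a human can review the
# flagged ones. They are NOT the security control; escaping and parameterised
# queries below are. Pattern names are chosen for this example.
SUSPICIOUS_PATTERNS = {
    "html_tag": re.compile(r"<\s*/?\s*[a-z][^>]*>", re.I),
    "php_tag": re.compile(r"<\?php\b", re.I),
    "sql_ddl": re.compile(r"\b(drop|alter|truncate)\s+(table|database)\b", re.I),
    "sql_comment": re.compile(r"(^|\W)--\s*$|/\*.*\*/"),
}


def flag_submission(sub):
    """Return the names of all patterns that match any field of a submission."""
    hits = []
    for name, pattern in SUSPICIOUS_PATTERNS.items():
        if any(pattern.search(value) for value in sub.values()):
            hits.append(name)
    return hits


def render_email_unsafe(sub):
    """The bug the question describes: fields concatenated straight into the
    HTML body of the notification mail, so <img> and <a> tags render in the
    admin's mail client."""
    return "<p>Name: %s</p><p>Message: %s</p>" % (sub["name"], sub["message"])


def render_email_safe(sub):
    """Hardened version: every untrusted field is HTML-escaped before it is
    placed in the mail body, so tags arrive as literal text."""
    return "<p>Name: %s</p><p>Message: %s</p>" % (
        html.escape(sub["name"], quote=True),
        html.escape(sub["message"], quote=True),
    )


def store_submissions(subs):
    """Store submissions with parameterised queries (in-memory SQLite).
    The DROP TABLE payload is bound as data, so it is stored, not executed.
    Returns the number of rows in the table afterwards."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE submissions (name TEXT, message TEXT)")
    for sub in subs:
        # Never build this statement with string formatting; the '?'
        # placeholders keep the payload out of the SQL grammar.
        conn.execute(
            "INSERT INTO submissions (name, message) VALUES (?, ?)",
            (sub["name"], sub["message"]),
        )
    count = conn.execute("SELECT COUNT(*) FROM submissions").fetchone()[0]
    conn.close()
    return count


def triage(subs):
    """Map each submitter name to the set of pattern names they triggered,
    the view an admin wants when deciding whom to contact or ban."""
    report = {}
    for sub in subs:
        hits = flag_submission(sub)
        if hits:
            report.setdefault(sub["name"], set()).update(hits)
    return report


if __name__ == "__main__":
    for sub in SAMPLE_SUBMISSIONS:
        print(flag_submission(sub), render_email_safe(sub))
    print("rows stored:", store_submissions(SAMPLE_SUBMISSIONS))
    print("triage:", triage(SAMPLE_SUBMISSIONS))
```

Running it, every person1 submission is flagged while alice's is not, the escaped mail body contains `&lt;img` instead of a live tag, and all five rows (including the DROP TABLE text) land in the table because the placeholder binding never lets the payload become SQL. Keep the flagged submissions together with source IP and timestamp; that is the log the answer says to hold on to if the user later finds a real vulnerability.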