
I'm trying to find security issues on my friend's site. There is an input box for subscription. I can enter my email address:

Henry<IMG SRC=# onmouseover="alert('xxs')">@gmail.com

After trying different things, I noticed that > < " get rejected.

But it accepts ' $ / # +

If I put my mail as

Henry'sor $/man#@gmail.com

The server accepts the request.

And shows the response "You are successfully subscribed".

That means my email is stored in the database.

Any possibility of SQL injection? Or any other vulnerabilities? Or blind injection?

user183535
  • Does the server change its behaviour when you use single quotes? If no, then there is likely no vulnerability. – schroeder Aug 18 '18 at 19:31
  • You confuse the terms "sanitised" and "escaped". From the response of the system, you cannot conclude either of those things are/are not happening. All you know is that they are accepted. – schroeder Aug 18 '18 at 19:37
  • You are right. I only know that they accept the single quote ', and when I put henry'@gmail.com the server shows a response like "you are successfully subscribed." So that means the website stored my email. So the site is secure, maybe. Thanks for answering my question. – user183535 Aug 18 '18 at 19:49
  • Hey!! I'm wrong. Input only rejects < and > but it accepts / , * , + and ' – user183535 Aug 18 '18 at 19:54
  • It also accepts # and $, but all get stored. – user183535 Aug 18 '18 at 19:56
  • Just to add, depending on how the webpage is written, if using a GET request the URL can also be susceptible to xss or sql injection. – Connor J Aug 20 '18 at 10:55

1 Answer


Single quotes are allowed by RFC 5322 to allow for people's names that have single quotes (e.g. Peter O'Toole).

Please refer to: https://stackoverflow.com/questions/4816424/are-single-quotes-legal-in-the-name-part-of-an-email-address

Unless the server changes its behaviour when you use a certain character, there is no reason to assume that there is a vulnerability.

schroeder
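The single-quote test in the answer is easier to judge with a concrete back end to poke at. The following is an added example, not code from the question, the answer, or the friend's site: a toy subscription handler written two ways (string-concatenated INSERT and parameterised INSERT) over an in-memory SQLite database, plus a small probe that reports both the response the user would see and what actually landed in the table. The table name `subscribers`, the function names and the response strings are all assumptions for the demo. It also goes one step past the answer: the `'||'` probe shows why "You are successfully subscribed" on its own is not evidence of safety, because a concatenation-based injection can succeed silently and store a different value than the one submitted.

```python
"""
Added example: why "the server accepted my quote" is not a verdict, and what a
behaviour change under a single quote looks like.  Not code from the original
question or answer; table/function names are invented for the demo.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Fresh in-memory database with one (assumed) subscribers table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE subscribers (email TEXT NOT NULL)")
    return conn


def subscribe_vulnerable(conn: sqlite3.Connection, email: str) -> str:
    """Classic injectable form: the email is spliced into the SQL text."""
    sql = "INSERT INTO subscribers (email) VALUES ('" + email + "')"
    try:
        conn.execute(sql)
        conn.commit()
        return "You are successfully subscribed"
    except sqlite3.Error as exc:
        # A quote that breaks the statement shows up here as a different
        # response: this is the "behaviour change" the answer talks about.
        return "Error: " + str(exc)


def subscribe_safe(conn: sqlite3.Connection, email: str) -> str:
    """Parameterised form: the driver binds the value, so ' is just data."""
    conn.execute("INSERT INTO subscribers (email) VALUES (?)", (email,))
    conn.commit()
    return "You are successfully subscribed"


def stored_emails(conn: sqlite3.Connection) -> list:
    """What actually ended up in the table (the tester normally cannot see this)."""
    return [row[0] for row in conn.execute("SELECT email FROM subscribers")]


def probe(handler, email: str) -> tuple:
    """Run one submission against a fresh DB; return (response, stored rows)."""
    conn = make_db()
    response = handler(conn, email)
    return response, stored_emails(conn)


# Constructed test inputs: a plain address, the questioner's quoted address,
# and a concatenation probe that is valid SQL if (and only if) it is injected.
PROBES = [
    "henry@gmail.com",
    "henry'@gmail.com",
    "henry'||'@gmail.com",
]


def differential_report() -> dict:
    """For each probe, the (response, stored) pair from both handlers."""
    return {
        email: {
            "vulnerable": probe(subscribe_vulnerable, email),
            "safe": probe(subscribe_safe, email),
        }
        for email in PROBES
    }


if __name__ == "__main__":
    for email, results in differential_report().items():
        print(repr(email))
        for name, (response, stored) in results.items():
            print(f"  {name:10s} -> {response!r:45s} stored={stored!r}")
```

Reading the output: the parameterised handler stores every probe verbatim and always answers "You are successfully subscribed", which is exactly what the questioner observed. The concatenating handler answers differently for `henry'@gmail.com` (the statement no longer parses, so the response changes), but for `henry'||'@gmail.com` it also says "successfully subscribed" while silently storing `henry@gmail.com`. So the useful tests are: does the response change when a lone quote is sent, and, if the site ever echoes the address back (a confirmation mail, a profile page), does `a'||'b`-style input come back with the quotes gone. Note the `||` concatenation is SQLite/PostgreSQL/Oracle syntax; on MySQL you would use `CONCAT()` or a `#`/`-- ` comment probe instead, since `#` begins a comment there.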