<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">Hello Jules<div class=""><br class=""></div><div class="">I’ve conducted an OWASP web application test against our installation of zend.to, using ZAP (<a href="https://www.zaproxy.org" class="">https://www.zaproxy.org</a>).</div><div class=""><br class=""></div><div class="">It has indicated one potential high risk, as a potential SQL injection vulnerability.</div><div class=""><br class=""></div><div class="">Do you have any thoughts on this, and whether it is a false positive, please?</div><div class=""><br class=""></div><div class="">Best wishes</div><div class=""><div class="">
<div style="color: rgb(0, 0, 0); letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div style="color: rgb(0, 0, 0); letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><br class="">Neil<br class=""><br class=""><br class=""></div></div>

</div>

<table width="100%" class="results" style="border: none; font-size: 13px; font-family: "Helvetica Neue", Helvetica, Arial, sans-serif;"><tbody class=""><tr bgcolor="#e8e8e8" class=""><td width="20%" style="padding: 3px 4px; word-break: break-word;" class="">Description</td><td width="80%" style="padding: 3px 4px; word-break: break-word;" class=""><p class="">SQL injection may be possible.</p></td></tr><tr valign="top" class=""><td colspan="2" style="padding: 3px 4px; word-break: break-word;" class=""></td></tr><tr bgcolor="#e8e8e8" class=""><td width="20%" class="indent1" style="padding: 4px 20px; word-break: break-word;">URL</td><td width="80%" style="padding: 3px 4px; word-break: break-word;" class=""><a href="https://filetransfer.decoded.legal/pickup.php?getdata=%5B%5D%27+AND+%271%27%3D%271&getdata=%7B%22getdata%22%3A%22%5B%5D%22%2C%22getput%22%3A%22%22%2C%22goingto%22%3A%22%22%2C%22gothere%22%3A%22pickup.php%22%2C%22locale%22%3A%22%22%2C%22postdata%22%3A%22%7B%5C%22auth%5C%22%3A%5C%2295ca1f5b66aba21cc2698ead33d03285%5C%22%7D%22%2C%22template%22%3A%22claimid_box.tpl%22%7D&getdata=%7B%22getdata%22%3A%22%7B%5C%22getdata%5C%22%3A%5C%22%5B%5D%5C%22%2C%5C%22getput%5C%22%3A%5C%22%5C%22%2C%5C%22goingto%5C%22%3A%5C%22%5C%22%2C%5C%22gothere%5C%22%3A%5C%22pickup.php%5C%22%2C%5C%22locale%5C%22%3A%5C%22%5C%22%2C%5C%22postdata%5C%22%3A%5C%22%7B%5C%5C%5C%22auth%5C%5C%5C%22%3A%5C%5C%5C%2295ca1f5b66aba21cc2698ead33d03285%5C%5C%5C%22%7D%5C%22%2C%5C%22template%5C%22%3A%5C%22claimid_box.tpl%5C%22%7D%22%2C%22getput%22%3A%22%22%2C%22goingto%22%3A%22%22%2C%22gothere%22%3A%22pickup.php%22%2C%22locale%22%3A%22%22%2C%22postdata%22%3A%22%7B%5C%22auth%5C%22%3A%5C%22a6d31fa9ec46a6cffb3668e43af5c28b%5C%22%7D%22%2C%22template%22%3A%22claimid_box.tpl%22%7D&getdata=%7B%22getdata%22%3A%22%7B%5C%22getdata%5C%22%3A%5C%22%7B%5C%5C%5C%22getdata%5C%5C%5C%22%3A%5C%5C%5C%22%5B%5D%5C%5C%5C%22%2C%5C%5C%5C%22getput%5C%5C%5C%22%3A%5C%5C%5C%22%5C%5C%5C%22%2C%5C%5C%5C%22goingto%5C%5C%5C%22%3A%5C%5C%5C%22%5C%
5C%5C%22%2C%5C%5C%5C%22gothere%5C%5C%5C%22%3A%5C%5C%5C%22pickup.php%5C%5C%5C%22%2C%5C%5C%5C%22locale%5C%5C%5C%22%3A%5C%5C%5C%22%5C%5C%5C%22%2C%5C%5C%5C%22postdata%5C%5C%5C%22%3A%5C%5C%5C%22%7B%5C%5C%5C%5C%5C%5C%5C%22auth%5C%5C%5C%5C%5C%5C%5C%22%3A%5C%5C%5C%5C%5C%5C%5C%2295ca1f5b66aba21cc2698ead33d03285%5C%5C%5C%5C%5C%5C%5C%22%7D%5C%5C%5C%22%2C%5C%5C%5C%22template%5C%5C%5C%22%3A%5C%5C%5C%22claimid_box.tpl%5C%5C%5C%22%7D%5C%22%2C%5C%22getput%5C%22%3A%5C%22%5C%22%2C%5C%22goingto%5C%22%3A%5C%22%5C%22%2C%5C%22gothere%5C%22%3A%5C%22pickup.php%5C%22%2C%5C%22locale%5C%22%3A%5C%22%5C%22%2C%5C%22postdata%5C%22%3A%5C%22%7B%5C%5C%5C%22auth%5C%5C%5C%22%3A%5C%5C%5C%22a6d31fa9ec46a6cffb3668e43af5c28b%5C%5C%5C%22%7D%5C%22%2C%5C%22template%5C%22%3A%5C%22claimid_box.tpl%5C%22%7D%22%2C%22getput%22%3A%22%22%2C%22goingto%22%3A%22%22%2C%22gothere%22%3A%22pickup.php%22%2C%22locale%22%3A%22%22%2C%22postdata%22%3A%22%7B%5C%22auth%5C%22%3A%5C%22a6d31fa9ec46a6cffb3668e43af5c28b%5C%22%7D%22%2C%22template%22%3A%22claimid_box.tpl%22%7D&getput=&goingto=&gothere=pickup.php&locale=&postdata=%7B%22auth%22%3A%22%22%7D&postdata=%7B%22auth%22%3A%2295ca1f5b66aba21cc2698ead33d03285%22%7D&postdata=%7B%22auth%22%3A%22a6d31fa9ec46a6cffb3668e43af5c28b%22%7D&template=claimid_box.tpl" 
class="">https://filetransfer.decoded.legal/pickup.php?getdata=%5B%5D%27+AND+%271%27%3D%271&getdata=%7B%22getdata%22%3A%22%5B%5D%22%2C%22getput%22%3A%22%22%2C%22goingto%22%3A%22%22%2C%22gothere%22%3A%22pickup.php%22%2C%22locale%22%3A%22%22%2C%22postdata%22%3A%22%7B%5C%22auth%5C%22%3A%5C%2295ca1f5b66aba21cc2698ead33d03285%5C%22%7D%22%2C%22template%22%3A%22claimid_box.tpl%22%7D&getdata=%7B%22getdata%22%3A%22%7B%5C%22getdata%5C%22%3A%5C%22%5B%5D%5C%22%2C%5C%22getput%5C%22%3A%5C%22%5C%22%2C%5C%22goingto%5C%22%3A%5C%22%5C%22%2C%5C%22gothere%5C%22%3A%5C%22pickup.php%5C%22%2C%5C%22locale%5C%22%3A%5C%22%5C%22%2C%5C%22postdata%5C%22%3A%5C%22%7B%5C%5C%5C%22auth%5C%5C%5C%22%3A%5C%5C%5C%2295ca1f5b66aba21cc2698ead33d03285%5C%5C%5C%22%7D%5C%22%2C%5C%22template%5C%22%3A%5C%22claimid_box.tpl%5C%22%7D%22%2C%22getput%22%3A%22%22%2C%22goingto%22%3A%22%22%2C%22gothere%22%3A%22pickup.php%22%2C%22locale%22%3A%22%22%2C%22postdata%22%3A%22%7B%5C%22auth%5C%22%3A%5C%22a6d31fa9ec46a6cffb3668e43af5c28b%5C%22%7D%22%2C%22template%22%3A%22claimid_box.tpl%22%7D&getdata=%7B%22getdata%22%3A%22%7B%5C%22getdata%5C%22%3A%5C%22%7B%5C%5C%5C%22getdata%5C%5C%5C%22%3A%5C%5C%5C%22%5B%5D%5C%5C%5C%22%2C%5C%5C%5C%22getput%5C%5C%5C%22%3A%5C%5C%5C%22%5C%5C%5C%22%2C%5C%5C%5C%22goingto%5C%5C%5C%22%3A%5C%5C%5C%22%5C%5C%5C%22%2C%5C%5C%5C%22gothere%5C%5C%5C%22%3A%5C%5C%5C%22pickup.php%5C%5C%5C%22%2C%5C%5C%5C%22locale%5C%5C%5C%22%3A%5C%5C%5C%22%5C%5C%5C%22%2C%5C%5C%5C%22postdata%5C%5C%5C%22%3A%5C%5C%5C%22%7B%5C%5C%5C%5C%5C%5C%5C%22auth%5C%5C%5C%5C%5C%5C%5C%22%3A%5C%5C%5C%5C%5C%5C%5C%2295ca1f5b66aba21cc2698ead33d03285%5C%5C%5C%5C%5C%5C%5C%22%7D%5C%5C%5C%22%2C%5C%5C%5C%22template%5C%5C%5C%22%3A%5C%5C%5C%22claimid_box.tpl%5C%5C%5C%22%7D%5C%22%2C%5C%22getput%5C%22%3A%5C%22%5C%22%2C%5C%22goingto%5C%22%3A%5C%22%5C%22%2C%5C%22gothere%5C%22%3A%5C%22pickup.php%5C%22%2C%5C%22locale%5C%22%3A%5C%22%5C%22%2C%5C%22postdata%5C%22%3A%5C%22%7B%5C%5C%5C%22auth%5C%5C%5C%22%3A%5C%5C%5C%22a6d31fa9ec46a6cffb3668e43af5c28b%5C%5C%5C%22%7D%5C%
22%2C%5C%22template%5C%22%3A%5C%22claimid_box.tpl%5C%22%7D%22%2C%22getput%22%3A%22%22%2C%22goingto%22%3A%22%22%2C%22gothere%22%3A%22pickup.php%22%2C%22locale%22%3A%22%22%2C%22postdata%22%3A%22%7B%5C%22auth%5C%22%3A%5C%22a6d31fa9ec46a6cffb3668e43af5c28b%5C%22%7D%22%2C%22template%22%3A%22claimid_box.tpl%22%7D&getput=&goingto=&gothere=pickup.php&locale=&postdata=%7B%22auth%22%3A%22%22%7D&postdata=%7B%22auth%22%3A%2295ca1f5b66aba21cc2698ead33d03285%22%7D&postdata=%7B%22auth%22%3A%22a6d31fa9ec46a6cffb3668e43af5c28b%22%7D&template=claimid_box.tpl</a></td></tr><tr bgcolor="#e8e8e8" class=""><td width="20%" class="indent2" style="padding: 4px 40px; word-break: break-word;">Method</td><td width="80%" style="padding: 3px 4px; word-break: break-word;" class="">GET</td></tr><tr bgcolor="#e8e8e8" class=""><td width="20%" class="indent2" style="padding: 4px 40px; word-break: break-word;">Parameter</td><td width="80%" style="padding: 3px 4px; word-break: break-word;" class="">getdata</td></tr><tr bgcolor="#e8e8e8" class=""><td width="20%" class="indent2" style="padding: 4px 40px; word-break: break-word;">Attack</td><td width="80%" style="padding: 3px 4px; word-break: break-word;" class="">[]' AND '1'='1</td></tr><tr bgcolor="#e8e8e8" class=""><td width="20%" class="indent1" style="padding: 4px 20px; word-break: break-word;">URL</td><td width="80%" style="padding: 3px 4px; word-break: break-word;" class=""><a href="https://filetransfer.decoded.legal/pickup.php" class="">https://filetransfer.decoded.legal/pickup.php</a></td></tr><tr bgcolor="#e8e8e8" class=""><td width="20%" class="indent2" style="padding: 4px 40px; word-break: break-word;">Method</td><td width="80%" style="padding: 3px 4px; word-break: break-word;" class="">POST</td></tr><tr bgcolor="#e8e8e8" class=""><td width="20%" class="indent2" style="padding: 4px 40px; word-break: break-word;">Parameter</td><td width="80%" style="padding: 3px 4px; word-break: break-word;" class="">claimID</td></tr><tr bgcolor="#e8e8e8" 
class=""><td width="20%" class="indent2" style="padding: 4px 40px; word-break: break-word;">Attack</td><td width="80%" style="padding: 3px 4px; word-break: break-word;" class="">ZAP" AND "1"="1" -- </td></tr><tr bgcolor="#e8e8e8" class=""><td width="20%" style="padding: 3px 4px; word-break: break-word;" class="">Instances</td><td width="80%" style="padding: 3px 4px; word-break: break-word;" class="">2</td></tr><tr bgcolor="#e8e8e8" class=""><td width="20%" style="padding: 3px 4px; word-break: break-word;" class="">Solution</td><td width="80%" style="padding: 3px 4px; word-break: break-word;" class=""><p class="">Do not trust client side input, even if there is client side validation in place. </p><p class="">In general, type check all data on the server side.</p><p class="">If the application uses JDBC, use PreparedStatement or CallableStatement, with parameters passed by '?'</p><p class="">If the application uses ASP, use ADO Command Objects with strong type checking and parameterized queries.</p><p class="">If database Stored Procedures can be used, use them.</p><p class="">Do *not* concatenate strings into queries in the stored procedure, or use 'exec', 'exec immediate', or equivalent functionality!</p><p class="">Do not create dynamic SQL queries using simple string concatenation.</p><p class="">Escape all data received from the client.</p><p class="">Apply an 'allow list' of allowed characters, or a 'deny list' of disallowed characters in user input.</p><p class="">Apply the principle of least privilege by using the least privileged database user possible.</p><p class="">In particular, avoid using the 'sa' or 'db-owner' database users. 
This does not eliminate SQL injection, but minimizes its impact.</p><p class="">Grant the minimum database access that is necessary for the application.</p></td></tr><tr bgcolor="#e8e8e8" class=""><td width="20%" style="padding: 3px 4px; word-break: break-word;" class="">Other information</td><td width="80%" style="padding: 3px 4px; word-break: break-word;" class=""><p class="">The page results were successfully manipulated using the boolean conditions [[]' AND '1'='1] and [[]' AND '1'='2]</p><p class="">The parameter value being modified was NOT stripped from the HTML output for the purposes of the comparison</p><p class="">Data was returned for the original parameter.</p><p class="">The vulnerability was detected by successfully restricting the data originally returned, by manipulating the parameter</p></td></tr></tbody></table><div class=""><br class=""></div></div></body></html>
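The ZAP "Other information" block above describes a boolean-based check: the same request is sent with the value suffixed by `' AND '1'='1` and by `' AND '1'='2`, and the two responses are compared. The following is an added example (not part of Neil's message and not ZendTo's code) that reproduces that comparison against a hypothetical SQLite `claims` table with constructed rows, once with the value concatenated into the SQL text and once with it bound as a parameter, which is the fix ZAP's "Solution" text recommends. It also models the caveat in ZAP's report that the parameter value was NOT stripped from the HTML before comparing: when a page echoes the submitted value back, the two probe responses differ even against a fully parameterised query, which is one way this check can produce a false positive.

```python
import html
import sqlite3
from typing import Callable, List, Tuple

# Constructed sample data: a tiny claims table standing in for the pickup
# lookup. The schema and rows are hypothetical, not ZendTo's.
SAMPLE_CLAIMS: List[Tuple[str, str]] = [
    ("[]", "report.pdf"),      # "[]" is the original value ZAP probed on the page
    ("abc123", "photo.jpg"),
]

Lookup = Callable[[sqlite3.Connection, str], List[str]]


def make_db() -> sqlite3.Connection:
    """In-memory database seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE claims (claimid TEXT, filename TEXT)")
    conn.executemany("INSERT INTO claims VALUES (?, ?)", SAMPLE_CLAIMS)
    return conn


def lookup_concat(conn: sqlite3.Connection, claimid: str) -> List[str]:
    """Vulnerable form: the client value is spliced into the SQL text."""
    sql = "SELECT filename FROM claims WHERE claimid = '" + claimid + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn: sqlite3.Connection, claimid: str) -> List[str]:
    """Hardened form: the value is bound with '?', so quotes in it are data, not SQL."""
    sql = "SELECT filename FROM claims WHERE claimid = ?"
    return [row[0] for row in conn.execute(sql, (claimid,))]


def render(claimid: str, files: List[str]) -> str:
    """Hypothetical response page that echoes the submitted claim ID back."""
    items = "".join(f"<li>{html.escape(f)}</li>" for f in files)
    return f"<p>Claim {html.escape(claimid)}</p><ul>{items}</ul>"


def boolean_probe(lookup: Lookup, conn: sqlite3.Connection,
                  original: str, strip_param: bool) -> bool:
    """Mimic the boolean-based comparison: send the TRUE and FALSE variants and
    report whether the rendered responses differ. strip_param controls whether
    the echoed value is removed before comparing (the caveat ZAP notes)."""
    probes = (original + "' AND '1'='1", original + "' AND '1'='2")
    pages = []
    for probe in probes:
        page = render(probe, lookup(conn, probe))
        if strip_param:
            page = page.replace(html.escape(probe), "")
        pages.append(page)
    return pages[0] != pages[1]


def original_returns_data(lookup: Lookup, conn: sqlite3.Connection, original: str) -> bool:
    """ZAP's precondition: the unmodified value must itself return data."""
    return bool(lookup(conn, original))


if __name__ == "__main__":
    db = make_db()
    for name, fn in (("concatenated", lookup_concat), ("parameterised", lookup_param)):
        print(f"{name}: original returns data:", original_returns_data(fn, db, "[]"))
        print(f"  responses differ (value stripped):  ", boolean_probe(fn, db, "[]", True))
        print(f"  responses differ (value NOT stripped):", boolean_probe(fn, db, "[]", False))
```

With the value stripped before comparison, only the concatenated lookup shows a difference between the TRUE and FALSE probes, which is the signal the check is designed to find. Without stripping, the parameterised lookup also shows a difference, purely because the page echoes the altered value, so a finding produced under that condition needs the query code itself inspected before it is treated as confirmed.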