• Resolved openedge1

    (@openedge1)


    So, yesterday, we had a site that uses your GetPaid addon, and we had a drive-by SQL injection attempt. From what we can see, the addon creates invoices whether the attempt to pay is successful or not. With no captcha on your plugin, what other options are open to us to secure these forms better?

    Right now, the plugin feels unusable if drive by attacks can destroy our mail rep (due to a multitude of emails about new invoices after the attack), and mass fill invoices creating an insecure environment of junk code.

    Thoughts?

Viewing 6 replies - 1 through 6 (of 6 total)
  • Plugin Author Stiofan

    (@stiofansisland)

    Hi @openedge1,

    That is not what SQL injection is?

    Yes, our system will create invoices even if the payment is not complete; this also gives the user the opportunity to complete it later via the email they receive.

    You can turn off the new user email and you can also set checkout to require login in Settings > Misc > Checkout Settings.

    We have never really had any report of checkout spamming like you mention. If you can give more details, such as: was it multiple email addresses or the same email, how many were created, how fast were they created? If we need to add a captcha we will, but it has not been an issue to this point.

    If I can help further please let me know.

    Thanks,

    Stiofan

    Thread Starter openedge1

    (@openedge1)

    Hello,

    It was an SQL Injection attempt. We have the invoices showing the code for the inject…so, yes, it was an SQL injection attempt. They slammed the payment page over and over with code to attempt to break the site, DDoS style. This of course generated emails for each attempt.

    The attempt was done in the wee hours of the morning for us. We were notified of the issue via a mass mailing alert. The website was sending tons of emails due to the attempt. All invoices show SQL code in the payment amount field.

    We debated about the “sign up to checkout”, but with the type of websites, this is not feasible. The website owner needs to allow their customers to make quick payments.

    Thus, yes, a Captcha, which GiveWP has, would be very helpful in this respect.

    I can open a support ticket on your site if you need more info.

    Plugin Author Stiofan

    (@stiofansisland)

    Ah ok, I understand now. This sounds like a bot of some sort. We have internally tested all our checkout fields for SQL injection and also had a 3rd party audit done, so there should not be an issue there. It just looks like a bot was trying its luck with any input fields. Once they realise nothing works they will probably move on.

    I have set a task for adding a reCAPTCHA. If you want to open a ticket please title it “FAO Stiofan” and someone will assign it to me; I can then add any further details to the task.

    Thanks,

    Stiofan

    Thread Starter openedge1

    (@openedge1)

    OK. And yes, this is exactly what happened. The “bot” was able to continually slam the site's payment form to attempt to inject code. It basically creates a mess, with tons of empty invoices and junk code (for example: why does the form allow code as the payment amount without any system checks to verify the price is a real number?), mass emails and a ton of junk in the database.

    Some method to check for a human is really needed.

    As long as you are working on some form of captcha, I do not need to open a ticket…but, a captcha is really needed from what I can see.

    Plugin Author Stiofan

    (@stiofansisland)

    No problem, I have added the task; it will probably be worked on early next week. In regards to the price, we escape it in other ways but not as a number, because some currencies have decimals and commas in weird places that do not fit into the standard numerical escape functions.

    As I mentioned, it's the first report of this type of thing; I will try and report back here once released.

    Thanks,

    Stiofan
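The point raised above, that a generic numeric check fails because currencies place decimal and thousands separators differently, does not rule out validating the amount field: the check just has to be driven by the currency's own formatting rules. The following is an added example, not code from the thread or from the GetPaid plugin, written in Python for illustration rather than the plugin's PHP. The `CURRENCY_FORMATS` table is a constructed stand-in for whatever per-currency settings a real store keeps; the rules in it are assumptions for the example.

```python
"""Validate a user-supplied amount against per-currency separator rules."""
from decimal import Decimal, InvalidOperation

# Constructed per-currency formatting rules (an assumption for this example,
# not the plugin's real configuration). `decimal` is the character that
# separates the fraction, `thousands` groups the integer part, `places` is
# the maximum number of fraction digits.
CURRENCY_FORMATS = {
    "USD": {"decimal": ".", "thousands": ",", "places": 2},
    "EUR": {"decimal": ",", "thousands": ".", "places": 2},
    "CHF": {"decimal": ".", "thousands": "'", "places": 2},
    "JPY": {"decimal": "",  "thousands": ",", "places": 0},
}


def parse_amount(raw, currency):
    """Return the amount as a Decimal if `raw` is a well-formed positive
    number in the given currency's notation, otherwise None.

    Anything that is not a digit or one of the two configured separators is
    rejected outright, so quotes, operators and SQL keywords never reach the
    invoice record, while "1.234,56" (EUR) and "1,234.56" (USD) both pass.
    """
    fmt = CURRENCY_FORMATS[currency]
    dec, thou, places = fmt["decimal"], fmt["thousands"], fmt["places"]
    s = raw.strip()
    if not s or any(ch not in "0123456789" + dec + thou for ch in s):
        return None

    # Split off the fraction using the currency's decimal separator.
    if dec and dec in s:
        int_part, _, frac_part = s.partition(dec)
        if (not frac_part or not frac_part.isdigit()
                or len(frac_part) > places):
            return None
    else:
        int_part, frac_part = s, ""

    # Thousands separators are only accepted in proper groups of three.
    if thou and thou in int_part:
        groups = int_part.split(thou)
        head, rest = groups[0], groups[1:]
        if not (head.isdigit() and 1 <= len(head) <= 3
                and all(g.isdigit() and len(g) == 3 for g in rest)):
            return None
        int_part = "".join(groups)

    if not int_part.isdigit():
        return None

    try:
        value = Decimal(int_part + ("." + frac_part if frac_part else ""))
    except InvalidOperation:
        return None
    return value if value > 0 else None


if __name__ == "__main__":
    for raw, cur in [("1,234.56", "USD"), ("1.234,56", "EUR"),
                     ("1,000", "JPY"), ("12,34", "USD"), ("0", "USD")]:
        print(f"{raw!r} as {cur}: {parse_amount(raw, cur)}")
```

Rejecting the field before an invoice is created is what removes the "junk in the database" half of the problem; escaping on output protects the database engine and the rendered page but does not stop the store from storing and emailing garbage. The normalised Decimal can then be compared with the price the server already knows for the item, so the client-supplied value is only ever confirmation, never the source of truth.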

    Plugin Author Stiofan

    (@stiofansisland)

    This has been added and will be released at some point this week.

    Thanks,

    Stiofan

  • The topic ‘SQL Injection Attempt and Security’ is closed to new replies.