SQL injection, as already cited, would be the most serious from the perspective of data integrity: such a flaw could allow someone to edit, delete and read information inappropriately. However, there is also blind SQL injection (http://www.acunetix.com/websitesecurity/blind-sql-injection/), which, unlike the first, only "asks" whether something exists or not, so it allows other content to be discovered, which can be just as dangerous. But there are other sides to this besides just deleting your data.
This depends on what YOU consider the word "security" to mean, that is, what I will list here may (or may not) be a security issue.

CSRF

Third parties using/collecting your data:

Search data can be extremely detailed. This may allow others to have access to search information, including being able to monitor it if there is no limit. For demonstration I will use the website saraiva.com.br. Its search API is this:

http://busca.saraiva.com.br/autocomplete?q={PESQUISA (ENCODE HTML)}&apikey=saraiva-v5
This link was obtained through network traffic monitoring; it is not documented or publicly documented! Where's the mistake? You can make as many requests as you want, even if you never visit the site: there is no IP monitoring, no cookies and no sessions. Fully open and exposed to everyone. So I can monitor a desired book, like A Revolta de Atlas (Atlas Shrugged), at:

http://busca.saraiva.com.br/autocomplete?q=a%20revolta%20atlas&apikey=saraiva-v5
This returns, TODAY, this:

{"history": [], "products": [{"url": "//busca.saraiva.com.br/click?apikey=saraiva-v5&search_id=4322cd5c-5a89-4ee8-84cc-0dd8b501e647&pid=3093154&page=1&prodIdx=0&q=a+revolta+atlas&feature=autocomplete", "price": "71,90", "type": "product", "name": "A Revolta de Atlas - 03 Volumes", "image": "//dnsdprunamxb9.cloudfront.net/54x54/http%3A%2F%2Fimages.livrariasaraiva.com.br%2Fimagem%2Fimagem.dll%3FA%3D100%26PIM_Id%3D%26L%3D-1%26pro_id%3D3093154"}, {"url": "//busca.saraiva.com.br/click?apikey=saraiva-v5&search_id=4322cd5c-5a89-4ee8-84cc-0dd8b501e647&pid=4294739&page=1&prodIdx=1&q=a+revolta+atlas&feature=autocomplete", "price": "37,99", "type": "product", "name": "A revolta de Atlas", "image": "//dnsdprunamxb9.cloudfront.net/54x54/http%3A%2F%2Fimages.livrariasaraiva.com.br%2Fimagem%2Fimagem.dll%3FA%3D100%26PIM_Id%3D%26L%3D-1%26pro_id%3D4294739"}], "queries": []}
So I can take the "price" field to monitor the price of this book and be alerted when it drops, for example. A silly example, and nobody cares about that. Now shall we look at the opposite case? Take the store kinguin.net as an example. Its search API is this:

http://www.kinguin.net/catalogsearch/ajax/suggest/?q={PESQUISA}
This link was obtained through network traffic monitoring; it is not documented or publicly documented! However, this one has several limitations that make it difficult to use. If you search for "Siege", referring to the game "Rainbow Six Siege", at:

http://www.kinguin.net/catalogsearch/ajax/suggest/?q=siege
You should get this result:

<ul class="ajax-result-list">
<li class="ajax-result-item"><img src="http://cdn.kinguin.net/media/catalog/category/cache/1/image/95x66/9df78eab33525d08d6e5fb8d27136e95/rainbow_1.jpg" alt="Tom Clancy's Rainbow Six Siege Uplay CD Key" title="Tom Clancy's Rainbow Six Siege Uplay CD Key" width="95" height="66" />
<span class="ajax-result"><a href="http://www.kinguin.net/category/22529/tom-clancy-s-rainbow-six-siege-uplay-cd-key/">Tom Clancy's Rainbow Six Siege Uplay CD Key</a></span>
<span><span class="price " data-no-tax-price="120.76">R$120<span class="super">.76</span></span></span></li>
<li class="ajax-result-item"><img src="http://cdn.kinguin.net/media/catalog/category/cache/1/image/95x66/9df78eab33525d08d6e5fb8d27136e95/rainbow-six-siege_1.jpg" alt="Tom Clancy's Rainbow Six Siege Season Pass Uplay CD Key" title="Tom Clancy's Rainbow Six Siege Season Pass Uplay CD Key" width="95" height="66" />
<span class="ajax-result"><a href="http://www.kinguin.net/category/22307/tom-clancy-s-rainbow-six-siege-season-pass-uplay-cd-key/">Tom Clancy's Rainbow Six Siege Season Pass Uplay CD Key</a></span>
<span><span class="price " data-no-tax-price="87.78">R$87<span class="super">.78</span></span></span></li>
<li class="ajax-result-item"><img src="http://cdn.kinguin.net/media/catalog/category/cache/1/image/95x66/9df78eab33525d08d6e5fb8d27136e95/header_2298_4.jpg" alt="Tom Clancy's Rainbow Six Siege TR Uplay CD Key" title="Tom Clancy's Rainbow Six Siege TR Uplay CD Key" width="95" height="66" />
<span class="ajax-result"><a href="http://www.kinguin.net/category/23140/tom-clancy-s-rainbow-six-siege-tr-uplay-cd-key/">Tom Clancy's Rainbow Six Siege TR Uplay CD Key</a></span>
<span><span class="price " data-no-tax-price="62.66">R$62<span class="super">.66</span></span></span></li>
<li class="ajax-result-item"><img src="http://cdn.kinguin.net/media/catalog/category/cache/1/image/95x66/9df78eab33525d08d6e5fb8d27136e95/header_2298.jpg" alt="Tom Clancy's Rainbow Six Siege + Exclusive Gold Weapons Skin Pack Uplay CD Key" title="Tom Clancy's Rainbow Six Siege + Exclusive Gold Weapons Skin Pack Uplay CD Key" width="95" height="66" />
<span class="ajax-result"><a href="http://www.kinguin.net/category/22630/tom-clancy-s-rainbow-six-siege-uplay-cd-key/">Tom Clancy's Rainbow Six Siege + Exclusive Gold Weapons Skin Pack Uplay CD Key</a></span>
<span><span class="price " data-no-tax-price="125.36">R$125<span class="super">.36</span></span></span></li>
<li class="ajax-result-item"><img src="http://cdn.kinguin.net/media/catalog/category/cache/1/image/95x66/9df78eab33525d08d6e5fb8d27136e95/header_292x136_496.jpg" alt="Hero Siege Steam Gift" title="Hero Siege Steam Gift" width="95" height="66" />
<span class="ajax-result"><a href="http://www.kinguin.net/category/10152/hero-siege-steam-gift/">Hero Siege Steam Gift</a></span>
<span><span class="price " data-no-tax-price="8.95">R$8<span class="super">.95</span></span></span></li>
<li id="show-more-search" class="show-more"><span class="show-more-result">SHOW MORE</span></li>
</ul>
Now try accessing this API URL. You will probably get a page without any information. But believe me, this is the URL; it is just minimally protected, not as easy as the previous site's. In addition, some APIs can expose data that is not listed to the user, for example the start of a promotion, a promo code, or prices in other currencies for other countries. That's why you should use good judgment about what your searches return, and limit access to users who really are on the site, by session, cookies, IPs and up to a limit of attempts. Now, in some cases doing this would be excessive, so _

Same problem, other examples:

Imagine that your search also keeps traces of the user's latest searches; CSRF problems would allow another site to obtain that information, as in the previous case. If you allow other sites to connect or authorize JSONP and do not properly validate the data, you may expose a user's preferences/recommendations, since such search filters will have a visitor-based order.

Another case: imagine that on a social network users can find out who searched for and viewed their profile. Focusing only on who searched for you, one could create something like:

<img src="meusite.com/buscar?amigo=Inkeliz">
This would make me (Inkeliz) receive a notification when such content is loaded, for example. So if I have a site and add such code, it would be possible to discover the account of each site visitor on that social network. One solution in this case would be to add a "random" code. For example:

<?php
session_start();
// Generate the token once per session; rand() is predictable, so use a CSPRNG.
if (empty($_SESSION['token'])) {
    $_SESSION['token'] = bin2hex(random_bytes(16));
}
?>
<input type="hidden" name="token" value="<?= htmlspecialchars($_SESSION['token']) ?>">

Then, on the search page:

<?php
session_start();
// Compare as strings in constant time; the token is only valid for the session that issued it.
if (isset($_SESSION['token'], $_GET['token']) && hash_equals($_SESSION['token'], (string) $_GET['token'])) {
    // valid request: perform the search
}
?>
Again, it depends on what kind of search you have. Does that look like a bizarre example? Yes, but it is just so you realize that your site can fall into the same mistake. How? Imagine that you want to include a list ordered by "most searched", or reward the most searched-for posts: without such a token this can be easily manipulated. I couldn't find any site to cite as a real, unprotected example; if you find one, feel free to edit!

Another thing is allowing others to know whether or not the user is logged in through any link, whether it involves your search field or not, if it displays or takes a specific parameter for a logged-in user. For example Google: you can tell whether or not you are logged in using this link:

<script>
function logado(){
    alert('Você está CONECTADO no Google');
}
function deslogado(){
    alert('Você está DESconectado do Google :(');
}
</script>
<img style="display: none;" onError="deslogado()" onLoad="logado()" alt="" src="https://accounts.google.com/CheckCookie?continue=https://www.google.com/intl/en/images/logos/accounts_logo.png" />

Try accessing this post in an anonymous window to see the magic happen. The same process can be done with the script tag in your case, for example. The fix for this is complicated, so much so that even Google itself has this problem; Twitter had something similar and it was corrected. Twitter's solution was to take all images and JS/CSS out of the twitter.com domain, creating another site/subdomain for them. This way https://twitter.com/login?redirect_after_login=, the link responsible for automatically redirecting the user if logged in, does not work for files external to twitter.com. This link only allows a redirect_after_login that does not contain http://img.twitter.com, for example. At Google there is no such treatment, which is what made it possible to include a Google Accounts logo via the accounts.google.com link. CheckCookie returns an error if the user is not logged in, and then everything works. Don't get stuck on the examples mentioned!
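The two defences the answer recommends for a search endpoint, a session-bound token and a per-session request limit, combined in one small module. This is an added illustration, not code from the answer or from any of the sites mentioned; the class name SearchGuard, the limits (3 requests per 10 seconds) and the "popular searches" counter are constructed for the example. The counter only increments after a request passes both checks, which is what keeps a "most searched" ranking from being inflated by unauthenticated hits.

```python
import secrets
import time
from collections import deque

TOKEN_BYTES = 16


class SearchGuard:
    """Session-bound token plus a sliding-window rate limit for a search endpoint.

    Constructed example: sessions live in memory and the clock is injectable so
    the behaviour can be exercised offline.
    """

    def __init__(self, max_requests=3, window_seconds=10.0, clock=time.monotonic):
        self._tokens = {}      # session_id -> token issued to that session
        self._hits = {}        # session_id -> timestamps of accepted requests
        self.popular = {}      # search term -> count of accepted searches
        self.max_requests = max_requests
        self.window = window_seconds
        self.clock = clock

    def start_session(self):
        """Issue a new session id and an unpredictable token bound to it."""
        session_id = secrets.token_urlsafe(TOKEN_BYTES)
        token = secrets.token_hex(TOKEN_BYTES)
        self._tokens[session_id] = token
        self._hits[session_id] = deque()
        return session_id, token

    def check(self, session_id, token, now=None):
        """Return (allowed, reason) for one request."""
        now = self.clock() if now is None else now
        expected = self._tokens.get(session_id)
        if expected is None:
            return False, "no session"          # visitor never loaded the site
        if not isinstance(token, str) or not secrets.compare_digest(expected, token):
            return False, "bad token"           # forged, missing or another session's token
        hits = self._hits[session_id]
        while hits and now - hits[0] > self.window:
            hits.popleft()                      # drop requests outside the window
        if len(hits) >= self.max_requests:
            return False, "rate limited"
        hits.append(now)
        return True, "ok"

    def search(self, session_id, token, term, now=None):
        """Run the checks; only accepted requests count towards popularity."""
        allowed, reason = self.check(session_id, token, now)
        if allowed:
            self.popular[term] = self.popular.get(term, 0) + 1
        return allowed, reason


def demo():
    """Exercise the guard with a fake clock; returns the outcome of each case."""
    fake_now = [0.0]
    guard = SearchGuard(max_requests=3, window_seconds=10.0, clock=lambda: fake_now[0])
    sid, token = guard.start_session()
    results = {}
    # Request without ever visiting the site: no session exists.
    results["anonymous"] = guard.search("no-such-session", None, "siege")
    # Request with a guessed token for a real session.
    results["forged"] = guard.search(sid, "0" * 32, "siege")
    # Legitimate requests, up to the limit.
    results["first"] = guard.search(sid, token, "siege")
    guard.search(sid, token, "siege")
    guard.search(sid, token, "siege")
    results["fourth"] = guard.search(sid, token, "siege")
    # After the window passes, the same session may search again.
    fake_now[0] = 11.0
    results["after_window"] = guard.search(sid, token, "siege")
    results["siege_count"] = guard.popular["siege"]
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The rejected cases never touch the popularity counter, so "siege" is counted four times (three in the first window, one after it) even though six requests were made.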