Device: HP ProBook 440 G7
Version: 10.0.19042 Build 19402
Browser: Google Chrome Version 88.0.4324.192 (Official Build) (64-bit)
User type: User
Description
Entering programming language resembling SQL injection into eBay's search bar restricts the user's access in the form of a bug.
Expected behavior
It is usually expected that when entering a search query the program will provide a match, a cross-reference, or some form of message stating that the result wasn't found allowing the user to continue their search.
Actual Behavior
Errors result when text that resembles SQL injection is entered into the search bar.
Error #1: SQL injection text (Robert'); DROP TABLE Students;--)remains in the search bar despite attempts to start a new search.
Error #2: The user is taken to a page that says Access Denied after hitting enter on a new search.
Right click in the search bar and select Bug Magnet> Format exploit> SQL Injection.
Once the SQL injection text is in the search bar hit enter.
Random results should be displayed. Erase the text in the search bar and enter a new search. (For example: I used 'Highboy dresser'.
User is taken to a page that says 'Access Denied'.
Attempting to hit the Back button will take the user back to step 4 in the same scenario, same with Refresh.
Screenshots
1. Example of the right click drop-down menu.
2. Example of page in step 5.
3. Example of SQL Injection text in search bar.
*Why this bug is important...
SQL Injection attacks can be completely avoided using certain programming techniques.
While eBay's page does defend itself, the fact that it is responsive at all presents an issue, the programming should be updated.
An average user may use characters and words similar to that found in the SQL Injection text and trigger the bug. A user (especially a new user) may be lost after experiencing difficulty using the search bar.
Environment
Device: HP ProBook 440 G7 Version: 10.0.19042 Build 19402 Browser: Google Chrome Version 88.0.4324.192 (Official Build) (64-bit) User type: User
Description
Entering programming language resembling SQL injection into eBay's search bar restricts the user's access in the form of a bug.
Expected behavior
It is usually expected that when entering a search query the program will provide a match, a cross-reference, or some form of message stating that the result wasn't found allowing the user to continue their search.
Actual Behavior
Errors result when text that resembles SQL injection is entered into the search bar. Error #1: SQL injection text (Robert'); DROP TABLE Students;--)remains in the search bar despite attempts to start a new search. Error #2: The user is taken to a page that says Access Denied after hitting enter on a new search.
Steps to Reproduce Issue
Screenshots
1. Example of the right click drop-down menu.
2. Example of page in step 5.
3. Example of SQL Injection text in search bar.
*Why this bug is important...
SQL Injection attacks can be completely avoided using certain programming techniques. While eBay's page does defend itself, the fact that it is responsive at all presents an issue, the programming should be updated.
An average user may use characters and words similar to that found in the SQL Injection text and trigger the bug. A user (especially a new user) may be lost after experiencing difficulty using the search bar.