A grey-hat hacker has discovered Critical SQL injection and cross site scripting vulnerability in the official website of The U.S. Navy (navy.mil).
"Recently I was pentesting one of navy.mil subdomains and found serious sql injection that allowed me to extract sensitive data from website database.Sql injection is located in post parameters of a form value.Attacker just needs to craft valid query and submit it to the server." the hacker wrote in an email.
He also discovered two xss vulnerabillites located on same subdomain , one is post xss and other is get xss , both reflective
"I have reported this to website security and I hope it will be resolved soon.After the fix I will disclose link locations on my blog http://m4x0n3.blogspot.com/." hacker said.
"Never trust user input." The hacker said as message to webmasters.