Answered Blind SQL Injection vulnerability

  • Friday, February 15, 2013 10:54 PM

    I am running UAG 2010 SP1 on a hardened Win2008R2 appliance server.  

    My security group just informed me I have a vulnerability I need to address.  It's a blind SQL injection.  I am by no stretch a security expert so I am hoping the test is correct and not a false positive.

    My box is configured to use NIS and the SQLInject pattern is set to block.  I had a look at the URL Set settings for initparams and it is set to Handle, but at the bottom it says to accept unlisted parameters.  I'm assuming this is the correct setting as I've never had to touch this rule before, and if I told it to reject unlisted parameters it would probably break the app.

    The following is the "result" I received from the vulnerability test.  Anyone have an idea how to resolve it?

    Found blind SQL injection on
    http://xx.xx.xx.xx/InternalSite/InitParams.aspx?referrer=/InternalSite/InternalError.asp&site%5Fname=portalprod&secure=0&error%5Fcode=18&ErrorType=HTMLErrorPage using method GET
    Parameter secure behaves differently with the following payloads:
    0 OR 42465=42465 - 0 AND 42465=42466

    Found blind SQL injection on
    http://xx.xx.xx.xx/null.htw?CiWebHitsFile=/InternalSite/InternalError.asp&CiRestriction=none&CiHiliteType=Full using method GET
    Parameter CiHiliteType behaves differently with the following payloads:
    Full OR 49762=49762 - Full AND 49762=49763

    Found blind SQL injection on
    http://xx.xx.xx.xx/null.htw?CiWebHitsFile=/InternalSite/InternalError.asp&CiRestriction=none&CiHiliteType=Full using method GET
    Parameter CiRestriction behaves differently with the following payloads:
    none OR 88400=88400 - none AND 88400=88401

All Replies

  • Sunday, February 17, 2013 10:37 AM
     
     Answered

    Hi Amig@. SQL Injection means that a malicious user can send SQL commands to a backend database using a front-end web application, normally by taking advantage of bad validation of input parameters. For that, there is something absolutely mandatory: to have a backend SQL database. And this is not the case for UAG. There is no SQL backend database, so there cannot be SQL injection. The results you have been given are likely to be from some kind of automated web vulnerability tool. They are trying to add some kind of "logic" into the parameters (a parameter logically OR'ed with 1 will be the same parameter; however, the same parameter AND'ed with 0 should be a different value). If the input validation is not correctly done, the SQL will process the logical operation, and this could mean that you can potentially insert other commands into the engine. The most typical SQL injection will send some output/errors back to the browser so you can take information from them. It is called blind injection when the output/errors are correctly handled by the application (for instance sending a generic "there has been an error. Try later or go to home page") so the browser always receives the same information. In this case the injection can be tested with the AND and the OR. Think about this:

    • article.php?articleid=56 This should list the article 56
    • article.php?articleid=56 OR 1=1 With SQL injection this should list the article 56
    • article.php?articleid=56 AND 1=0 With SQL injection this shouldn't list the article 56

    So, even if there are no errors/output to the screen, the results will be different between the second and third query. In your case, the pages that UAG sends back to the web testing tool when manipulating the parameters are different depending on the query (maybe it is as simple as sending back a message that says "the path /path1 is not allowed" or another one that says "the path /path2 is not allowed"). And this pattern is falsely recognized by the application as an SQL Injection. Any experienced penetration tester will tell you that vulnerability discovery tools give false positives, but a good tester will always manually analyze the results before declaring that the web site is vulnerable.

    Regards


    // Raúl - I love this game

    • Marked As Answer by Alphabet26 Tuesday, February 19, 2013 2:56 PM
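To make the distinction in the accepted answer concrete, here is an added example that is not code from the thread, from UAG or from any scanner: a small model of the boolean ("true condition" / "false condition") test behind the report above, run against three constructed handlers, plus the manual check a tester would make before believing the result. The in-memory `article` table, the `vulnerable_article`, `safe_article` and `no_database_handler` functions and every message string are constructed for illustration; the third handler stands in for a page like InitParams.aspx that has no database at all and merely validates and echoes its parameter.

```python
"""
Added example (not from the original thread or from UAG): model the boolean
payload test a blind-SQL-injection scanner runs, show it flagging a genuinely
injectable handler, a hardened handler, and a database-free handler that only
echoes the rejected value, then triage the three results the way a tester
would.  All handlers, data and messages here are constructed.
"""
import sqlite3
from typing import Callable

# Constructed sample data standing in for a real backend database.
_conn = sqlite3.connect(":memory:")
_conn.execute("CREATE TABLE article (id INTEGER PRIMARY KEY, title TEXT)")
_conn.executemany("INSERT INTO article VALUES (?, ?)",
                  [(55, "Fifty-five"), (56, "Fifty-six"), (57, "Fifty-seven")])
_conn.commit()

# The generic page the answer describes: errors and misses look identical.
GENERIC_PAGE = "There has been an error. Try later or go to home page"

Handler = Callable[[str], str]


def vulnerable_article(articleid: str) -> str:
    """Hypothetical article.php-style handler that concatenates the parameter
    into SQL.  Errors and empty results both show the generic page, so the
    only thing that leaks is whether a row came back: a 'blind' injection."""
    try:
        row = _conn.execute(
            f"SELECT title FROM article WHERE id = {articleid}").fetchone()
    except sqlite3.Error:
        return GENERIC_PAGE
    return "Article found" if row else GENERIC_PAGE


def safe_article(articleid: str) -> str:
    """Hardened form of the same handler: validate the type, then bind the
    value.  'OR 1=1' never reaches the SQL engine as syntax."""
    if not articleid.isdigit():
        return GENERIC_PAGE
    row = _conn.execute("SELECT title FROM article WHERE id = ?",
                        (int(articleid),)).fetchone()
    return "Article found" if row else GENERIC_PAGE


def no_database_handler(secure: str) -> str:
    """Constructed stand-in for the thread's InitParams-style page: no
    database anywhere.  It validates the parameter and echoes the rejected
    value in its error text, which is what makes two payloads 'differ'."""
    if secure in ("0", "1"):
        return "OK"
    return f"The value '{secure}' is not allowed for parameter 'secure'"


def scanner_flags(handler: Handler, baseline: str) -> bool:
    """The heuristic behind 'parameter behaves differently with the following
    payloads': send a true and a false condition and compare the two pages."""
    true_page = handler(f"{baseline} OR 1=1")
    false_page = handler(f"{baseline} AND 1=0")
    return true_page != false_page


def manual_triage(handler: Handler, baseline: str) -> str:
    """What a tester checks before accepting the scanner's verdict.  A genuine
    boolean injection leaves the page unchanged for the TRUE condition and
    changes it for the FALSE one.  A validation page that echoes its input
    fails that test, and once the echoed payload is masked the two 'different'
    pages turn out to be the same template."""
    true_payload = f"{baseline} OR 1=1"
    false_payload = f"{baseline} AND 1=0"
    base_page = handler(baseline)
    true_page = handler(true_payload)
    false_page = handler(false_payload)
    if true_page == false_page:
        return "not injectable"
    if true_page == base_page:          # false_page differs from base here
        return "likely injectable"
    masked_true = true_page.replace(true_payload, "<input>")
    masked_false = false_page.replace(false_payload, "<input>")
    if masked_true == masked_false:
        return "false positive: pages differ only by the echoed input"
    return "inconclusive: review manually"


if __name__ == "__main__":
    for name, handler, base in (("vulnerable", vulnerable_article, "56"),
                                ("hardened", safe_article, "56"),
                                ("no database", no_database_handler, "0")):
        print(f"{name:12} scanner flags: {scanner_flags(handler, base)!s:5} "
              f"triage: {manual_triage(handler, base)}")
```

Running the module prints the scanner verdict beside the triage verdict for each handler: the concatenating handler is flagged and confirmed, the parameterized one is not flagged, and the database-free handler is flagged yet collapses to a single error template once the echoed parameter is masked, which is the false-positive pattern the answer describes.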
  • Tuesday, February 19, 2013 2:57 PM
    That is an awesome response.  Thank you!
  • Tuesday, February 19, 2013 5:35 PM

    Thanks for that. And glad to help!


    // Raúl - I love this game