Krishna Sagar

Reputation: 11

ZAP tool showing security vulnerabilities, but we can't find those vulnerabilities in our source code?

Vulnerabilities showing as:

  1. SQL Injection - SQLite

Method: GET

Parameter: query

Attack: ' | case randomblob(10000000) when not null then "" else "" end --

Evidence: The query time is controllable using parameter value [' | case randomblob(10000000) when not null then "" else "" end --], which caused the request to take [542] milliseconds, parameter value [' | case randomblob(100000000) when not null then "" else "" end --], which caused the request to take [900] milliseconds, when the original unmodified query with value [query] took [167] milliseconds.

  2. SQL Injection - Oracle - Time Based

Method: GET

Parameter: query

Attack: field: [query], value [query and exists (SELECT UTL_INADDR.get_host_name('10.0.0.1') from dual union SELECT UTL_INADDR.get_host_name('10.0.0.2') from dual union SELECT UTL_INADDR.get_host_name('10.0.0.3') from dual union SELECT UTL_INADDR.get_host_name('10.0.0.4') from dual union SELECT UTL_INADDR.get_host_name('10.0.0.5') from dual) -- ]

  3. Advanced SQL Injection - Oracle AND time-based blind

Method: GET

Parameter: query

Attack: query AND 2972=DBMS_PIPE.RECEIVE_MESSAGE(CHR(113)||CHR(65)||CHR(80)||CHR(114),5)

  4. SQL Injection - MsSQL

Method: GET

Parameter: query

Attack: query WAITFOR DELAY '0:0:15' --

  5. SQL Injection - Hypersonic SQL - Time Based

Method: GET

Parameter: query

Attack: field: [query], value ["; select "java.lang.Thread.sleep"(15000) from INFORMATION_SCHEMA.SYSTEM_COLUMNS where TABLE_NAME = 'SYSTEM_COLUMNS' and COLUMN_NAME = 'TABLE_NAME' -- ]

  6. SQL Injection - PostgreSQL - Time Based

Method: GET

Parameter: query

Attack: field: [query], value [case when cast(pg_sleep(15) as varchar) > '' then 0 else 1 end]

  7. SQL Injection - MySQL

Method: GET

Parameter: query

Attack: query / sleep(15)

  8. Advanced SQL Injection - PostgreSQL > 8.1 stacked queries (comment)

Method: GET

Parameter: query

Attack: query;SELECT PG_SLEEP(5)--

  9. Advanced SQL Injection - Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)

Method: GET

Parameter: query

Attack: Feb 2018;SELECT DBMS_PIPE.RECEIVE_MESSAGE(CHR(105)||CHR(122)||CHR(102)||CHR(108),5) FROM DUAL--

  10. Advanced SQL Injection - Microsoft SQL Server/Sybase time-based blind.

Method: GET

Parameter: query

Attack: query) WAITFOR DELAY CHAR(48)+CHAR(58)+CHAR(48)+CHAR(58)+CHAR(91)+CHAR(83)+CHAR(76)+CHAR(69)+CHAR(69)+CHAR(80)+CHAR(84)+CHAR(73)+CHAR(77)+CHAR(69)+CHAR(93) AND (1972=1972

All of our source code follows the given example:

    import org.springframework.data.jpa.repository.JpaRepository;
    import org.springframework.data.jpa.repository.Query;
    import org.springframework.data.repository.query.Param;

    public interface UserRepository extends JpaRepository<User, Long> {

        // Named parameters (:firstname, :lastname) are bound by the JPA provider,
        // not concatenated into the query string
        @Query("select u from User u where u.firstname = :firstname or u.lastname = :lastname")
        User findByLastnameOrFirstname(@Param("lastname") String lastname,
                                       @Param("firstname") String firstname);
    }

Upvotes: 1

Views: 7556

Answers (1)

Simon Bennetts

Reputation: 6234

Pick one of the time-based attacks and rerun it - you can do that by right-clicking on the alert in ZAP and selecting 'Open/Resend with Request Editor'. Check to see how long the request took (it's shown at the bottom of the dialog) - was it the same time as (or a bit more than) the delay that the attack is using? If so, try increasing the delay and resending - is it now taking the longer period of time?

If the time is being affected by the time specified in the attack then you will have an SQL injection vulnerability.

Why haven't I said anything about the source code you posted? That's because I have no idea if that's all of the relevant code :)

You might also want to try using a static analyser on your code - it will probably show loads of false positives, but you can just focus on any SQL injection vulnerabilities it reports.

Upvotes: 3
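The repository interface in the question binds its values as named parameters, so it cannot build a query string from the `query` request parameter; what the answer's static analyser (or a code review) needs to find is any other place in the code base that does. The following is an added example, not code from the question, the answer or the ZAP project: it puts the safe pattern from the question beside the kind of custom query code that would produce exactly the timing behaviour ZAP reported, and the bound-parameter fix. It assumes Spring Data JPA on a Jakarta EE (Spring Boot 3) class path; the `User` entity, the `users` table and the `UserSearch` class are hypothetical, and the parameter name `query` is taken from the ZAP alerts.

```java
import java.util.List;

import jakarta.persistence.EntityManager;
import jakarta.persistence.TypedQuery;
import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.data.jpa.repository.Query;
import org.springframework.data.repository.query.Param;

// Assumed entity: a User with firstname and lastname columns mapped to table "users".
// (Hypothetical; not from the question.)

// SAFE: the pattern posted in the question. Spring Data turns the annotation into a
// JPQL query with bound parameters; the argument values never become query text.
interface UserRepository extends JpaRepository<User, Long> {
    @Query("select u from User u where u.firstname = :firstname or u.lastname = :lastname")
    User findByLastnameOrFirstname(@Param("lastname") String lastname,
                                   @Param("firstname") String firstname);
}

// Custom query code (hypothetical class) is where injection usually hides, because a
// repository interface like the one above cannot assemble query strings at runtime.
class UserSearch {
    private final EntityManager em;

    UserSearch(EntityManager em) {
        this.em = em;
    }

    // VULNERABLE: the request parameter is spliced into the JPQL text. A value like the
    // ones in the ZAP report then changes the query instead of being compared against a
    // column, which is why the response time tracks the delay the payload asks for.
    List<User> searchUnsafe(String query) {
        String jpql = "select u from User u where u.lastname = '" + query + "'";
        return em.createQuery(jpql, User.class).getResultList();
    }

    // FIXED: the same query with the value passed as a bound parameter. The provider
    // sends the value separately from the statement, so it is only ever data.
    List<User> searchSafe(String query) {
        TypedQuery<User> q = em.createQuery(
                "select u from User u where u.lastname = :query", User.class);
        q.setParameter("query", query);
        return q.getResultList();
    }

    // Native SQL follows the same rule: positional or named binding, never concatenation.
    @SuppressWarnings("unchecked")
    List<User> searchNativeSafe(String query) {
        return em.createNativeQuery("select * from users where lastname = ?1", User.class)
                 .setParameter(1, query)
                 .getResultList();
    }
}
```

When triaging the ZAP finding against the code, the places to read are every `createQuery`, `createNativeQuery`, `JdbcTemplate` or `Statement` call whose query text is built with `+`, `String.format` or a `StringBuilder` from request data; a repository annotated like `UserRepository` is not one of them, but the endpoint that serves the `query` parameter may not be going through that repository at all.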
