Reputation: 411
IBM AppScan - Blind SQL Injection (Time Based) - JSF 2.2 & Primefaces - JBOSS 7.2 EAP
Orginal Post IBM AppScan
We recently received result from IBM AppScan DAST and some of the result don't make much senses.
High -- Blind SQL Injection (Time Based)
Parameter: form:propertyTree:0:j_idt126
Risk(s): It is possible to view, modify or delete database entries and tables
Fix: Review possible solutions for hazardous character injection
2nd case for Blind SQL Injection (Time Based)
URL: https://***/javax.faces.resource/components.js.xhtml
Parameter: v
Risk(s): It is possible to view, modify or delete database entries and tables
Fix: Review possible solutions for hazardous character injection
The following changes were applied to the original request:
- Set the value of the parameter 'v' to '7.0.9%27+where+sleep%280%29%3D0+--+'
- Set the value of the parameter 'v' to '7.0.9%27+where+sleep%28181%29%3D0+limit+1+--+'
- Set the value of the parameter 'v' to '7.0.9%27+where+sleep%280%29%3D0+--+'
Reasoning:
The first and third test responses were timed out and the second test response was received
normally
Reasoning: The first and third test responses were timed out and the second test response was received normally
3rd case for Blind SQL Injection (Time Based)
URL: https:/**/externalcasestart.xhtml
Parameter: javax.faces.source
Risk(s): It is possible to view, modify or delete database entries and tables
Fix: Review possible solutions for hazardous character injection
The following changes were applied to the original request:
- Set the value of the parameter 'javax.faces.source' to
'form%3AmainGridBodyTable+and+sleep%280%29'
- Set the value of the parameter 'javax.faces.source' to
'form%3AmainGridBodyTable+and+1%3D2+or+sleep%28181%29%3D0+limit+1+--+'
- Set the value of the parameter 'javax.faces.source' to
'form%3AmainGridBodyTable+and+sleep%280%29'
Reasoning:
The first and third test responses were timed out and the second test response was received
normally
Request/Response:
Request/Response:
POST /***/externalcasestart.xhtml HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Win32)
Connection: keep-alive
Faces-Request: partial/ajax
X-Requested-With: XMLHttpRequest
Accept: application/xml, text/xml, */*; q=0.01
Accept-Language: en-US,en;q=0.9
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
javax.faces.partial.ajax=true& javax.faces.source=form%3AmainGridBodyTable+and+sleep%280%29 &javax
.faces .parti al.exe cute=f orm%3A mainGr idBody Table& javax. faces. partia l.rend er=for m%3Ama
inGrid BodyTa ble&fo rm%3Am ainGri dBodyT able=f orm%3A mainGr idBody Table& form%3 AmainG ridBod
yTable _pagin ation= true&f orm%3A mainGr idBody Table_ first= 0&form %3Amai nGridB odyTab le_r
Looking for feedback and some insight.
Upvotes: 3
Views: 712
Answers (1)
Reputation: 799
I can't say whether this specific finding is a false positive, but we see a lot of false positives like this - when the scan is run at rates which overload the system then it creates a lot of variety in responses. For some parameters the correct injections will time out so that it looks like a SQL injection to the tester.
This type of result should be followed up by a manual check, a separate tool (e.g. SQLmap), or at least a second run with the same tool to see if it replicates. If that's not possible, validate it with a code review and move on with your life.
Upvotes: 0
Related Questions
- jmeter script for JSF with PrimeFaces
- IBM Appscan Security Vulnerability SQL injection
- web application J SF prime faces
- Debugging JSF + PrimeFaces applications
- Appscan source edition - SQL Injection
- JSF, Mojarra, Myfaces, Tomahawk, Primefaces: summary
- Primefaces interface test on pc?
- How to get rid of blind sql injection?
- Using primefaces with jsf 2.0 in Eclipse
- Dirty Checks: JSF + Primefaces application?