We tracked the following data from Untrusted Sources:
GET /sqli/mysql?name=scooby_snacks
...which was accessed within the following code:
Layer.handle(), line 96
...and ended up in this database query:
SELECT "scooby_snacks" as "test";
What's the risk?
SQL injection is possible when developers hand-build SQL statements containing user-supplied data without validation or encoding. The goal of such attacks is to force the database to retrieve and output data to which the user would not otherwise have access. For example, an attacker could use SQL Injection on a vulnerable application in order to query the database for customer credit card numbers and other data, even if it wasn't part of the query the developer created. SQL injection also allows privilege escalation, account hijacking, and in some cases, it may be possible for an attacker to gain shell access to the database server.
Recommendation
The most effective method of stopping SQL injection attacks is to only use an
<a target="_new" href="http://en.wikipedia.org/wiki/Object-relational_mapping">Object-Relational Mapping</a> (ORM)
framework that safely handles database interaction. If you must execute queries manually, use an API that utilizes bind variables. Bind variables completely stop the injection of code if used properly.
You must still avoid concatenating user supplied input to queries and instead use the binding pattern to keep user input from being misinterpreted as SQL code.
Here's an example of an UNSAFE query:
var userId = 'some user provided value';
var sql = 'SELECT * FROM users WHERE id = ' + userId;
connection.query(sql, function (error, results, fields) {
// ...
});
Here's an example of the same query, made SAFE:
var userId = 'some user provided value';
var sql = 'SELECT * FROM users WHERE id = ' + connection.escape(userId);
connection.query(sql, function (error, results, fields) {
// ...
});
It's also helpful to ensure that the application is granted only the minimum database privileges necessary to perform its function. This may help reduce the impact of a successful SQL injection attack. At a minimum, access to powerful database APIs that interact with the operating or file systems should be revoked.
Vulnerability ID: SBJS-G158-6Q8M-JCI9
Application Name: AgentMessageGeneratorNode
Vulnerability Link: http://localhost:19080/Contrast/static/ng/index.html#/7c6cfec5-a187-4d5e-984a-d11d96d2ef63/applications/d944b35a-2925-43da-a27b-0fa1fac7d8aa/vulns/SBJS-G158-6Q8M-JCI9
What Happened?
We tracked the following data from Untrusted Sources:
GET /sqli/mysql?name=scooby_snacks
...which was accessed within the following code:
Layer.handle(), line 96
...and ended up in this database query:
SELECT "scooby_snacks" as "test";
What's the risk?
SQL injection is possible when developers hand-build SQL statements containing user-supplied data without validation or encoding. The goal of such attacks is to force the database to retrieve and output data to which the user would not otherwise have access. For example, an attacker could use SQL Injection on a vulnerable application in order to query the database for customer credit card numbers and other data, even if it wasn't part of the query the developer created. SQL injection also allows privilege escalation, account hijacking, and in some cases, it may be possible for an attacker to gain shell access to the database server.
Recommendation
The most effective method of stopping SQL injection attacks is to only use an <a target="_new" href="http://en.wikipedia.org/wiki/Object-relational_mapping">Object-Relational Mapping</a> (ORM) framework that safely handles database interaction. If you must execute queries manually, use an API that utilizes bind variables. Bind variables completely stop the injection of code if used properly.
You must still avoid concatenating user supplied input to queries and instead use the binding pattern to keep user input from being misinterpreted as SQL code.
Here's an example of an UNSAFE query:
Here's an example of the same query, made SAFE:
It's also helpful to ensure that the application is granted only the minimum database privileges necessary to perform its function. This may help reduce the impact of a successful SQL injection attack. At a minimum, access to powerful database APIs that interact with the operating or file systems should be revoked.
First Event
Last Event
HTTP Request
GET http://20.42.27.158:8004/sqli/mysql?name=scooby_snacks HTTP/1.1 Accept-Encoding: identity Cookie: connect.sid=s%3A-UBHlXHc3kVpZUIZFFkgBKGYemEE3egS.fi5RdluiT%2Bin1w9REVK2Lof0MOYoymPqtDQULJkw%2FX8 Host: 20.42.27.158:8004 X-Screener-Uuid: 39e9e5b9-5a5a-4bdf-9896-bea500ea1792
References
https://www.owasp.org/index.php/Top_10_2013-A1-Injection