Code-Racing / brickyard


CONTRAST: SQL Injection from "title" Parameter on "/pages/search" page #40

Open valvolineford opened 4 years ago

valvolineford commented 4 years ago

Vulnerability ID: B4DP-VI71-0GTX-OJMY

Application Name: AgentMessageGeneratorRuby

Vulnerability Link: http://localhost:19080/Contrast/static/ng/index.html#/7c6cfec5-a187-4d5e-984a-d11d96d2ef63/applications/7b7c6b72-2652-4e2d-9b52-ada4357bd80a/vulns/B4DP-VI71-0GTX-OJMY

What Happened?

We tracked the following data from "title" Parameter:

POST /pages/search

title=CONTRAST-31675&descr=&utf8=%E2%9C%93&commit=Search

...which was accessed within the following code:

Sqlite3Adapter#execute(), line 232

...and ended up in this database query:

SELECT notes.* FROM notes where title like 'CONTRAST-31675'

What's the risk?

SQL injection is possible when developers hand-build SQL statements containing user-supplied data without validation or encoding. The goal of such attacks is to force the database to retrieve and output data to which the user would not otherwise have access. For example, an attacker could use SQL Injection on a vulnerable application in order to query the database for customer credit card numbers and other data, even if it wasn't part of the query the developer created. SQL injection also allows privilege escalation, account hijacking, and in some cases, it may be possible for an attacker to gain shell access to the database server.

Recommendation

It's also helpful to ensure that the application is granted only the minimum database privileges necessary to perform its function. This may help reduce the impact of a successful SQL injection attack. At a minimum, access to powerful database APIs that interact with the operating or file systems should be revoked.

First Event

Stack:
  MethodOverride.POST(method_override.rb:43)
  MethodOverride.method_override_param(method_override.rb:43)
  MethodOverride.method_override(method_override.rb:27)
  MethodOverride.call(method_override.rb:15)
  Runtime.call(runtime.rb:22)

Last Event

Stack:
  Sqlite3Adapter.execute(sqlite3_adapter.rb:232)
  Sqlite3Adapter.block in execute(sqlite3_adapter.rb:232)
  AbstractAdapter.block in log(abstract_adapter.rb:590)
  Instrumenter.instrument(instrumenter.rb:21)
  AbstractAdapter.log(abstract_adapter.rb:583)
  Sqlite3Adapter.execute(sqlite3_adapter.rb:232)
  PagesController.search(pages_controller.rb:215)
  BasicImplicitRender.send_action(basic_implicit_render.rb:4)
  Base.process_action(base.rb:188)

HTTP Request

POST http://localhost:3000/pages/search HTTP/1.1
ACCEPT: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
ACCEPT-ENCODING: gzip, deflate, br
ACCEPT-LANGUAGE: en-US,en;q=0.9,es-419;q=0.8,es;q=0.7,fr;q=0.6
CACHE-CONTROL: max-age=0
CONNECTION: keep-alive
COOKIE: _godzillaSession=c79624cdf624d680c9297fa8b9395560; Rubymine-227b963d=c6db1531-5ef3-47e3-a3ea-a7b1e168e146; __profilin=p%3Dt; _railsgoat_session=RTA1NjNLOWhQNkVFelZMcUdZREdGZEhDQ0JwUHFCTUxrOURvcmZzZVEvd3ptQUt6Z0ZxZjlqdGNqR1NnSy9DelFZcXJESGp5dnpUcnBtVWwwMkV2aGFYa3VIazQvY3B2MWxVeW9RMkRlc1ZEcUVFeHV2L0VkNUc2dVljMTlWMmtLQkVZVVk2cEJ3RmRlZEhPaVl6T3gxT0VwSTRhRm85bWt1d0p0SE9ZVVhUTnRpZ3lvRHNmVzdtb3k5TFRDLzhxRTVlejQvS3BBVGMyR0VIVlpVYnhCUThYNXFQTHl0TWt2dHVFUzNLYThENUNXbGd5SVhUR29FSjFKZVFBZ1hMQi0tSkJHeGRZL3J6c2ZJZmpmaC9XNGhZZz09--f26a37df09baa30c849c775eb85027206f0ec16d; _app_with_scaffold_session=bmhOTklieS8vV3A0NlZqNzk3QTI4TS96UXZZMnpacmY4RSs2UHFmcXMrbFhad3k0RG5HUjNFYldOS0FScWdXYndaZ215TkVXcG9jR09PdDBWb3JBb1E9PS0tZnZqMldFTkRudStkQlhEdEF3aWQ5UT09--a7930c3ba4d1f8d128ff44b4c81de651c423bc0c
HOST: localhost:3000
ORIGIN: http://localhost:3000
REFERER: http://localhost:3000/pages/search
UPGRADE-INSECURE-REQUESTS: 1
USER-AGENT: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36
VERSION: HTTP/1.1

commit=Search&descr=&title=CONTRAST-31675&utf8=%E2%9C%93

References

https://www.owasp.org/index.php/Top_10_2013-A1-Injection
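The pattern the trace in this report shows (the title parameter spliced into the statement text, ending in `SELECT notes.* FROM notes where title like '...'`) next to the placeholder-based fix, as an added example that is not part of this report or of the brickyard code base. It uses Python's built-in sqlite3 module against an in-memory SQLite database so it runs stand-alone; the notes table, its rows, the two search functions and the payload are all constructed for the illustration and are assumptions, not the project's schema. The Rails equivalent of `search_safe` is a bound placeholder in ActiveRecord, e.g. `Note.where("title LIKE ?", term)`, with `sanitize_sql_like` doing the wildcard escaping that `escape_like` does here.

```python
import sqlite3

# Constructed sample rows standing in for the app's notes table; the schema is
# an assumption made for the illustration, not the project's own.
SAMPLE_NOTES = [
    (1, "CONTRAST-31675", "the note the scanner searched for"),
    (2, "quarterly budget", "finance only"),
    (3, "admin password reset", "ops only"),
]

PAYLOAD = "' OR '1'='1"   # closes the quoted literal and appends a tautology


def make_db():
    """In-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, title TEXT, descr TEXT)")
    conn.executemany("INSERT INTO notes VALUES (?, ?, ?)", SAMPLE_NOTES)
    return conn


def search_vulnerable(conn, title):
    """The shape the report traces: the parameter is interpolated into the
    statement text, so quotes inside the value are parsed as SQL, not data."""
    sql = f"SELECT notes.* FROM notes where title like '{title}'"
    return conn.execute(sql).fetchall()


def escape_like(term, esc="\\"):
    """Escape LIKE metacharacters so the bound value is matched literally.
    Binding alone does not do this: a bare '%' would still match every row."""
    return (term.replace(esc, esc + esc)
                .replace("%", esc + "%")
                .replace("_", esc + "_"))


def search_safe(conn, title):
    """Placeholder plus bind value: the driver sends the value separately, so it
    can never alter the statement, and LIKE wildcards in it are neutralised.
    Keeps the original query's exact-match semantics (no surrounding '%')."""
    sql = "SELECT notes.* FROM notes WHERE title LIKE ? ESCAPE '\\'"
    return conn.execute(sql, (escape_like(title),)).fetchall()


def demo():
    """Row counts for: an honest search, the injected search against the
    vulnerable query, and the same payload against the fixed query."""
    conn = make_db()
    honest = search_vulnerable(conn, "CONTRAST-31675")
    dumped = search_vulnerable(conn, PAYLOAD)   # ... like '' OR '1'='1'  -> every row
    fixed = search_safe(conn, PAYLOAD)          # literal title match     -> no rows
    return len(honest), len(dumped), len(fixed)


if __name__ == "__main__":
    print(demo())
```

`demo()` returns `(1, 3, 0)`: the honest search finds one note, the payload makes the interpolated query return the whole table, and the bound query treats the same bytes as a title nobody has. A value containing a single quote (for example `O'Brien`) also makes the interpolated statement fail to parse, which is the symptom that usually surfaces first in logs. Note that binding alone is not the whole fix for a LIKE clause: without `escape_like`, a user-supplied `%` bound as the value would still return every row.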