locked
CGI Generic SQL Injection (blind, time based) RRS feed

  • Question

  • User-1471881183 posted

    Hello all,

    I have a web application project developed using asp.net 4.0. everything are working fine. when i run for PCI scan then it failed with below notes

    fyi. im not using inline sql or dynamic sql in the project. so, could you please help me how to resolve this issue?

    "CGI Generic SQL Injection (blind, time based)"

    Modify the affected CGI scripts so that they properly escape arguments.

    Using the GET HTTP method, SecurityMetrics found that : + The following resources may be vulnerable to blind SQL injection (time based) : + The '__VIEWSTATE' parameter of the / CGI : /?__EVENTARGUMENT=&__EVENTTARGET=&__EVENTVALIDATION=%2fwEdAAQcuuTfKFfe2W 6y%2fSLcpOlC2KLXnO0lQ7eWeTTjhe5DlGLYc1aSItsY7%2bwK2achdmwNGVEZ%2fHPoNipl VQI9uXkcj0SKloChVvSOkDJBdX7j%2fIPiwYBsUeIfnk6ydW3OH2c%3d&imgsp=&imgpt=&i mgeng=&__VIEWSTATEGENERATOR=8D0E13E6&__VIEWSTATE='%20AND%20SLEEP(3)=' -------- output -------- ------------------------ + The 'd' parameter of the /WebResource.axd CGI : /WebResource.axd?t=636458198403505852&d=6Tj7Qu4pyo4xMUO90Ebd6aF1oUiftiyq ypPyYVAKhmyMPkOxVostyB_sH8sJDkxB5m2bNgrB4Z9YD2LFSdiUwR-fdkBtjbZ9N1RVXid0 7ISaCbKgc8sgqmh1RxsUGqzk0lk4wDVec48AJ6WZN_rryWTnSS4AhIVzItQ_mx9PW1E1'%20 AND%20SLEEP(3)=' -------- output -------- ------------------------

    Wednesday, June 24, 2020 3:50 PM

All replies

  • User753101303 posted

    Hi,

    Seems https://www.tenable.com/plugins/nessus/43160 tells it is based on the response time which could generate false positive. Are you sure 100% you never ever build yourself any part of a SQL string ?

    Explain maybe what you are using rather than telling us what you are not doing?

    Wednesday, June 24, 2020 4:58 PM
  • User-1471881183 posted

    PatriceSC thanks for your response

    yes im 100% sure, there is not formation of sql string. because, its my index page, there are 3 buttons only, when clicking them it will navigate into seperate pages.

    the pci service provider says that, its not responding in fixed period of time(sleep) so, that it comes as false positive. but, i dont know how to fix it?

    could you please help me on this.?

    thanks

    Wednesday, June 24, 2020 9:32 PM
  • User-1471881183 posted

    any clue?

    Thursday, June 25, 2020 9:59 PM
  • User409696431 posted

    Web Forms use ViewState and WebResource.axd. I could only find one reference to a vulnerability in the .axd file.  It's 10 years old, so I'm not sure if it still applies, but if it does, read https://www.acunetix.com/blog/news/check-application-vulnerable-asp-net-padding-oracle-vulnerability/ for what to do.

    There was a security patch for this, and it should also be resolved if you are using asp.net 4.0+.

    https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2010/ms10-070?redirectedfrom=MSDN

    If you follow the information in those links and the PCI scan still complains, ignore it.

    Friday, June 26, 2020 3:27 AM
  • User-1471881183 posted
    Kathy thank you for your response

    Actually in my project there is no .add files and I'm using .net 4.0 only. So, it's strange.
    Friday, June 26, 2020 6:25 AM
  • User409696431 posted

    What do you mean by no .add files?  The error reference is to Viewstate and to WebResource.axd, which every web forms site has. If you are looking for a file named WebResource.axd in your site, you won't find it: it is not a file, but an HTTP handler, an embedded resource in the Net framework.

    Sunday, June 28, 2020 3:44 AM
  • User-1471881183 posted

    Hello KathyW

    so, if there is no file name like webresource.xsd then may i know how to fix this issue?

    thanks

    Monday, June 29, 2020 11:41 PM
  • User409696431 posted

    Did you go through the links I posted above fully?  That's all I could find on the issue.  The fact that webresource.axd (not .sxd) isn't an actual file is not relevant to the answer.

    Wednesday, July 1, 2020 1:18 AM