Solved

Security Metrics SQL Injection Vulnerability Error, But I Can't Duplicate It?

Posted on 2010-11-21
4
878 Views
Last Modified: 2012-05-10
Hello,

I am an Classic ASP programmer and I started a new ecommerce site on a Windows Enterprise Server 2003 using a mySQL Server on Fedora...  and I am required to get PCI Compliance with SecurityMetrics.com

My scan has failed 5 times, and with tweaking, I still cannot duplicate (with POST or GET) in any web browser to reproduce their errors.   I am familiar with escaping single quotes and SQL injection commands and have functions for the data retrieval.

SECURITY METRICS VULNERABILITY RESULTS
Description: SQL injection vulnerability in emailaddress parameter to  /signup.asp
Severity: Critical Problem Impact: A remote attacker could execute SQL commands
on the back-end database, possibly leading to password retrieval, authentication
bypass, unauthorized data access, or unauthorized data modification.
Background: Structured Query Language (SQL) is the most common language
understood by modern relational databases. It is made up of queries. A typical
query reads: SELECT * FROM table WHERE condition where table is a table
belonging to a relational database, and condition is a logic condition which is
either true or false for each row of the table.  The query would return any or all
rows for which the condition is true.  Resolution All user-supplied parameters
should be checked for illegal characters, such as a single quote ('), before being
used in an SQL query.
See the references below for fix information for specific products.
Vulnerability Details: Service: 80:TCP SENT: POST  /signup.asp
HTTP/1.0 Host: mydomain.com
User-Agent: Mozilla/4.0
Content-length: 245
Content-Type: application/x-www-form-urlencoded
Connection: Keep-Alive firstname=default&lastname=default&emailaddress='&username=default&password=default&passwordverify=default&referurl=%3Cscript%3Eal ert%28%27SAINT2To%27%29%3C%2Fscript%3E  RECEIVED: error in your SQL syntax


The weirdest part about the vulnerabilities is that they ONLY appear on my signup page (POST) on ALL the input variables, EVEN if the variable isn't even used in any SQL query???

I called them and they claim that they're test logs into a Linux Terminal to post to my page and that they get errors... not telling me anything specific on the error or how I can create the same environment so that I may see what they are talking about.

I am not familiar with Terminal Services, Telnet, SSH, etc... SO, can someone tell me HOW to recreate what they are seeing?  I did a little research and downloaded Putty, but not sure how to use it or even sure if it's what I needed.

I just need a quick course on what to download, how to prepare the POST to my web page via Port 80 with my post data (like they did) so I can see if there is some error or not, because at this point, I can't create any MySQL errors on my end with what they are claiming.

This is so frustrating.... please help.

Thanks.
Ben


0
Comment
Question by:BenBlingBucks
  • 2
4 Comments
 
LVL 15

Expert Comment

by:crisco96
Comment Utility
You need to find out what they're actually looking for in the response that makes the scanning software think there's a sql injection.

Something I would suggest trying is use firefox and get the addon tamper data. Once you get that addon go to your page and click start tampering and click the submit button. From there you can directly inject whatever you want into the post ignoring any javascript or form field length restrictions.

The line: "Resolution All user-supplied parameters
should be checked for illegal characters, such as a single quote ('), before being
used in an SQL query." makes me doubt this scanning software because it appears to me that it thinks if you allow an apostrophe you're vulnerable. As long as your query is properly parameterized it's not sql injectable.
0
 
LVL 50

Expert Comment

by:Steve Bink
Comment Utility
If they are failing your server, they have the burden to show what vulnerability their scan manipulates.  However, the vulnerability report does show the "environment" they are using to discover the issue.  The POST information, once decoded, looks like this:

firstname=default&lastname=default&emailaddress='&username=default&password=default&passwordverify=default&referurl=<script>al ert('SAINT2To')</script>

From the other headers, it is clear they are posting to /signup.asp through normal HTTP.  Using crisco96's method (the Tamper Data add-on...a good tool), you should be able to duplicate the error rather easily.  

To describe what it happening, let's take a closer look at the data.  The strategy looks fairly basic, and has two parts.  First is the single-quote on email address.  When put into an SQL query, this will cause a syntax error at best.  In a real-world attack, the email address field would be engineered to close a quote, finish the "real" query without triggering a syntax error, and follow it up with a data exposure or escalation attack through your database engine.  This is a basic injection strategy, and the fact that the POST returns an SQL error shows that you are not escaping data properly.

The second part is the referurl field.  This test is usually to see if POST variables are inserted back into a response unmodified/escaped/entity-ized.  If the referurl makes it back to the response, the user will receive a javascript alert box stating "SAINT2To".

While crisco96 does have a point as far as "properly parameterized" queries, that particular statement does not cast doubt on the scanning engine.  The scanning companies are well aware of standard practices, proper practices, and what actually happens in the real world.  As programmers, we tend to take shortcuts if we're in a hurry, and it is a very simple thing to write out a query quickly to get the job done.  There's nothing wrong with that, per se, but you do have to make sure all input is scrubbed and safe'd before pushing anything to your database.  In the real world, my own maxim of "Trust Nothing" serves me well.  I make sure every piece of data entering my application is escaped or entitied before it goes anywhere.

I'm not sure of the ASP methods of accomplishing this, but it is pretty simple in PHP:

http://www.php.net/manual/en/mysqli.real-escape-string.php
http://www.php.net/manual/en/function.htmlentities.php (be sure to visit the "See Also" links at the bottom as well)

Escape *EVERYTHING*.  No exceptions.  Even if you're in a hurry.
0
 

Accepted Solution

by:
BenBlingBucks earned 0 total points
Comment Utility
Installed cURL, I ran a POST:

noc# curl -d "firstname=default&lastname=default&emailaddress='&username=default&password=default&passwordverify=default&referurl=%3Cscript%3Ealert%28%27SAINT2To%27%29%3C%2Fscript%3E" http://www.mydomain.com/signup.asp

No SQL error, nothing, just my standard redirect for any injection attempt, here's the results:
<head><title>Object moved</title></head>
  <body><h1>Object Moved</h1>This object may be found <a HREF="http://www.mydomain.com">here</a>.</body>

So, now I'm like scratching my head still wondering what is it that they see.

I ran another scan, it came back CLEAR and COMPLIANT.   Now I'm like "what's up with that?"

I made no changes, did nothing.   All that frustration for nothing.  I hope this never comes up again because if it does, I'm using another company.

Thanks for the advices people.

Ben
0
 

Author Closing Comment

by:BenBlingBucks
Comment Utility
I simply needed to know how to install a terminal client in windows to run the same post like the scanner.  I am familiar with everything else like I stated in the initial help request.  I figured it out myself.
0

Featured Post

Complete Microsoft Windows PC® & Mac Backup

Backup and recovery solutions to protect all your PCs & Mac– on-premises or in remote locations. Acronis backs up entire PC or Mac with patented reliable disk imaging technology and you will be able to restore workstations to a new, dissimilar hardware in minutes.

Join & Write a Comment

Creating and Managing Databases with phpMyAdmin in cPanel.
Envision that you are chipping away at another e-business site with a team of pundit developers and designers. Everything seems, by all accounts, to be going easily.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Internet Business Fax to Email Made Easy - With eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…

728 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now