我们最近收到了 IBM AppScan DAST 的结果,其中一些结果没有多大意义。
高 -- SQL 盲注(基于时间)
Parameter: form:propertyTree:0:j_idt126
Risk(s): It is possible to view, modify or delete database entries and tables
Fix: Review possible solutions for hazardous character injection
SQL 盲注(基于时间)的第二种情况
URL: https://***/javax.faces.resource/components.js.xhtml
Parameter: v
Risk(s): It is possible to view, modify or delete database entries and tables
Fix: Review possible solutions for hazardous character injection
The following changes were applied to the original request:
- Set the value of the parameter 'v' to '7.0.9%27+where+sleep%280%29%3D0+--+'
- Set the value of the parameter 'v' to '7.0.9%27+where+sleep%28181%29%3D0+limit+1+--+'
- Set the value of the parameter 'v' to '7.0.9%27+where+sleep%280%29%3D0+--+'
Reasoning:
The first and third test responses were timed out and the second test response was received
normally
推理:第一次和第三次测试响应超时,第二次测试响应正常接收
SQL 盲注第三种情况(基于时间)
URL: https:/**/externalcasestart.xhtml
Parameter: javax.faces.source
Risk(s): It is possible to view, modify or delete database entries and tables
Fix: Review possible solutions for hazardous character injection
The following changes were applied to the original request:
- Set the value of the parameter 'javax.faces.source' to
'form%3AmainGridBodyTable+and+sleep%280%29'
- Set the value of the parameter 'javax.faces.source' to
'form%3AmainGridBodyTable+and+1%3D2+or+sleep%28181%29%3D0+limit+1+--+'
- Set the value of the parameter 'javax.faces.source' to
'form%3AmainGridBodyTable+and+sleep%280%29'
Reasoning:
The first and third test responses were timed out and the second test response was received
normally
Request/Response:
Request/Response:
POST /***/externalcasestart.xhtml HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Win32)
Connection: keep-alive
Faces-Request: partial/ajax
X-Requested-With: XMLHttpRequest
Accept: application/xml, text/xml, */*; q=0.01
Accept-Language: en-US,en;q=0.9
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
javax.faces.partial.ajax=true& javax.faces.source=form%3AmainGridBodyTable+and+sleep%280%29 &javax
.faces .parti al.exe cute=f orm%3A mainGr idBody Table& javax. faces. partia l.rend er=for m%3Ama
inGrid BodyTa ble&fo rm%3Am ainGri dBodyT able=f orm%3A mainGr idBody Table& form%3 AmainG ridBod
yTable _pagin ation= true&f orm%3A mainGr idBody Table_ first= 0&form %3Amai nGridB odyTab le_r
寻找反馈和一些见解。
最佳答案
我不能说这个特定的发现是否是误报,但我们看到了很多这样的误报 - 当扫描以使系统过载的速率运行时,它会产生多种多样的响应。对于某些参数,正确的注入(inject)会超时,因此它看起来像测试人员的 SQL 注入(inject)。
这种类型的结果应该通过手动检查、单独的工具(例如 SQLmap)或至少使用相同的工具运行第二次以查看它是否复制来跟进。如果那不可能,请通过代码审查来验证它,然后继续你的生活。
关于primefaces - IBM AppScan - SQL 盲注(基于时间)- JSF 2.2 和 Primefaces - JBOSS 7.2 EAP,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/61705618/