// Global.asax event handler: runs before the handler for every request.
void Application_PreRequestHandlerExecute(object sender, EventArgs e)
{
    // ScriptResource.axd has a "t" parameter that AppScan flags as a "SQL Injection" vulnerability.
    // The "t" parameter is a hex timestamp, so verify that it is one.
    if (HttpContext.Current.Request.RawUrl.Contains("ScriptResource.axd"))
    {
        string tValue = HttpContext.Current.Request.QueryString["t"];
        if (!String.IsNullOrWhiteSpace(tValue))
        {
            // Return value is discarded; a malformed value throws FormatException, which is the intent here.
            Convert.ToInt64(tValue, 16);
        }
    }
}
Member
1 Points
4 Posts
Does ScriptResource.axd pose SQL Injection or other vulnerabilities?
Sep 02, 2013 02:01 PM | mark m
IBM security scanning tool AppScan reports a SQL injection vulnerability because of the "t" parameter to ScriptResource.axd. Is there a justification from Microsoft that ScriptResource does not perform any SQL call? Is there another security risk with the value of the "t" parameter being written back to the response as is?
Alternatively, is there a way to disable ScriptResource.axd completely?
ScriptResource.axd SQLInjection AppScan
All-Star
194511 Points
28081 Posts
Moderator
Re: Does ScriptResource.axd pose SQL Injection or other vulnerabilities?
Sep 03, 2013 01:32 AM | Mikesdotnetting
Sounds like the IBM tool needs tweaking as the vulnerability it reports is nonsense. The t parameter is a timestamp representing the last modified date of the assembly on disk. The value is not used in any SQL call.
Member
1 Points
4 Posts
Re: Does ScriptResource.axd pose SQL Injection or other vulnerabilities?
Sep 17, 2013 10:03 AM | mark m
Ended up checking whether the t parameter is a hex number. For my purposes it was sufficient to let the ToInt64 function throw a FormatException if t was malformed.
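The validation described in the thread can be done without letting an unhandled FormatException turn a malformed "t" into an HTTP 500. The following is an added example, not code from the thread or from Microsoft: an IHttpModule (hypothetical name ScriptResourceTimestampModule, assuming the classic System.Web pipeline) that checks the parameter only on requests whose path is ScriptResource.axd and answers a bad value with 400 Bad Request. The module and its helper names are assumptions for illustration.

```csharp
// Added example (not from the thread): validate the "t" query-string parameter on
// ScriptResource.axd requests and reject malformed values with 400 Bad Request
// instead of surfacing an unhandled FormatException (HTTP 500).
// Assumptions: classic ASP.NET (System.Web) pipeline; module registered in web.config.
using System;
using System.Globalization;
using System.Text.RegularExpressions;
using System.Web;

public class ScriptResourceTimestampModule : IHttpModule
{
    // "t" is a hex timestamp (assembly last-modified time). Accept only hex digits,
    // capped at 16 so the value always fits in a 64-bit long.
    private static readonly Regex HexTimestamp =
        new Regex(@"^[0-9A-Fa-f]{1,16}$", RegexOptions.Compiled);

    public void Init(HttpApplication app)
    {
        app.BeginRequest += OnBeginRequest;
    }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;

        // Match on the request path rather than RawUrl.Contains, so a query string
        // that merely mentions "ScriptResource.axd" elsewhere does not trigger the check.
        if (!ctx.Request.Path.EndsWith("/ScriptResource.axd", StringComparison.OrdinalIgnoreCase))
            return;

        string t = ctx.Request.QueryString["t"];
        if (string.IsNullOrEmpty(t))
            return; // no timestamp supplied: nothing to validate

        if (!IsValidTimestamp(t))
        {
            // Reject cleanly: no stack trace, no 500, nothing echoed back from the bad value.
            ctx.Response.StatusCode = 400;
            ctx.Response.StatusDescription = "Bad Request";
            ctx.Response.SuppressContent = true;
            ctx.ApplicationInstance.CompleteRequest();
        }
    }

    // Pure validation helper: true only for a value that is a parseable hex timestamp.
    public static bool IsValidTimestamp(string t)
    {
        long ticks;
        return HexTimestamp.IsMatch(t)
            && long.TryParse(t, NumberStyles.HexNumber, CultureInfo.InvariantCulture, out ticks);
    }

    public void Dispose()
    {
    }
}
```

Register the module under system.webServer/modules (integrated pipeline) with an add element whose type is the class name above; for the classic pipeline use system.web/httpModules instead. The helper IsValidTimestamp is kept separate and static so it can be unit-tested with values such as "4E3A1B2C" (valid) and "1 OR 1=1" (rejected) without spinning up the pipeline.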