Last post Sep 17, 2013 10:03 AM by mark m
Sep 02, 2013 02:01 PM | mark m
IBM security scanning tool AppScan reports SQL injection vulnerability because of the "t" parameter to the ScriptResource.axd. Is there a justification from Microsoft that ScriptResource does not perform any SQL call? Is there another security risk with the value of the "t" parameter being written back to response as is?
Alternatively, is there a way to disable ScriptResource.axd completely?
Sep 03, 2013 01:32 AM | Mikesdotnetting
Sounds like the IBM tool needs tweaking as the vulnerability it reports is nonsense. The t parameter is a timestamp representing the last modified date of the assembly on disk. The value is not used in any SQL call.
Sep 17, 2013 10:03 AM | mark m
Ended up checking whether the t parameter is a hex number. For my purposes it was sufficient to let ToInt64 function throw FormatException if t was malformed.
void Application_PreRequestHandlerExecute(object sender, EventArgs e)
{
    // ScriptResource.axd has "t" parameter that AppScan flags as "SQL Injection" vulnerability
    // The "t" parameter is a hex timestamp, so verify that it is such
    string tValue = HttpContext.Current.Request.QueryString["t"];
    if (tValue != null)
        Convert.ToInt64(tValue, 16); // throws FormatException if "t" is not a hex number
}
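A stricter variant of the check above, written as an added example for this thread rather than code from the post or from ASP.NET itself: it applies only to requests for ScriptResource.axd, validates "t" with a regex before parsing it, and answers a malformed value with HTTP 400 instead of letting a FormatException surface as a 500. The module name, the regex and the 1-16 hex digit bound (a 64-bit timestamp value) are this example's assumptions.

```csharp
// Added example: an IHttpModule that validates the ScriptResource.axd "t" parameter.
// Not part of the original post; class name, regex and digit bound are assumptions.
using System;
using System.Globalization;
using System.Text.RegularExpressions;
using System.Web;

public class ScriptResourceTimestampModule : IHttpModule
{
    // "t" is a hex-encoded 64-bit timestamp, so 1..16 hex digits is the only shape we accept.
    private static readonly Regex HexTimestamp =
        new Regex("^[0-9A-Fa-f]{1,16}$", RegexOptions.Compiled);

    public void Init(HttpApplication app)
    {
        app.BeginRequest += (sender, e) =>
        {
            HttpContext ctx = ((HttpApplication)sender).Context;
            string path = ctx.Request.AppRelativeCurrentExecutionFilePath ?? string.Empty;

            // Scope the check to the handler the scanner flagged; other pages may
            // legitimately use a "t" parameter with a different meaning.
            if (!path.EndsWith("ScriptResource.axd", StringComparison.OrdinalIgnoreCase))
                return;

            string t = ctx.Request.QueryString["t"];
            if (t == null)
                return; // parameter absent: nothing to validate here

            if (!IsValidTimestamp(t))
            {
                // Reject cleanly rather than throwing: a 400 is the correct answer to
                // a malformed client value, and it never echoes the bad value back.
                ctx.Response.Clear();
                ctx.Response.StatusCode = 400;
                ctx.Response.StatusDescription = "Bad Request";
                ctx.Response.End(); // note: End() raises ThreadAbortException by design
            }
        };
    }

    // Regex-check the shape, then actually parse it as a 64-bit hex number.
    public static bool IsValidTimestamp(string t)
    {
        if (!HexTimestamp.IsMatch(t))
            return false;
        long ticks;
        return long.TryParse(t, NumberStyles.HexNumber,
                             CultureInfo.InvariantCulture, out ticks);
    }

    public void Dispose() { }
}
```

Register the module in web.config under system.webServer/modules (IIS integrated pipeline) or system.web/httpModules (classic), then confirm with a request such as ScriptResource.axd?d=...&t=zzz that the response is a 400 and that a valid hex "t" still serves the script. This does not change what the scanner reports, since the finding is a false positive on a value that never reaches SQL; it just guarantees the handler only ever sees a well-formed timestamp.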