Last post Jul 01, 2020 01:18 AM by KathyW
Jun 24, 2020 03:50 PMfirstname.lastname@example.org|LINK
I have a web application project developed using asp.net 4.0. everything are working fine. when i run for PCI scan then it failed with below notes
fyi. im not using inline sql or dynamic sql in the project. so, could you please help me how to resolve this issue?
"CGI Generic SQL Injection (blind, time based)"
Modify the affected CGI scripts so that they properly escape arguments.
Using the GET HTTP method, SecurityMetrics found that : + The following resources may be vulnerable to blind SQL injection (time based) : + The '__VIEWSTATE' parameter of the / CGI : /?__EVENTARGUMENT=&__EVENTTARGET=&__EVENTVALIDATION=%2fwEdAAQcuuTfKFfe2W
6y%2fSLcpOlC2KLXnO0lQ7eWeTTjhe5DlGLYc1aSItsY7%2bwK2achdmwNGVEZ%2fHPoNipl VQI9uXkcj0SKloChVvSOkDJBdX7j%2fIPiwYBsUeIfnk6ydW3OH2c%3d&imgsp=&imgpt=&i mgeng=&__VIEWSTATEGENERATOR=8D0E13E6&__VIEWSTATE='%20AND%20SLEEP(3)=' -------- output -------- ------------------------
+ The 'd' parameter of the /WebResource.axd CGI : /WebResource.axd?t=636458198403505852&d=6Tj7Qu4pyo4xMUO90Ebd6aF1oUiftiyq ypPyYVAKhmyMPkOxVostyB_sH8sJDkxB5m2bNgrB4Z9YD2LFSdiUwR-fdkBtjbZ9N1RVXid0 7ISaCbKgc8sgqmh1RxsUGqzk0lk4wDVec48AJ6WZN_rryWTnSS4AhIVzItQ_mx9PW1E1'%20
AND%20SLEEP(3)=' -------- output -------- ------------------------
Jun 24, 2020 04:58 PM|PatriceSc|LINK
Seems https://www.tenable.com/plugins/nessus/43160 tells it is based on the response time which could generate false positive. Are you sure 100% you never ever build yourself any part of a SQL string
Explain maybe what you are using rather than telling us what you are not doing?
Jun 24, 2020 09:32 PMemail@example.com|LINK
PatriceSC thanks for your response
yes im 100% sure, there is not formation of sql string. because, its my index page, there are 3 buttons only, when clicking them it will navigate into seperate pages.
the pci service provider says that, its not responding in fixed period of time(sleep) so, that it comes as false positive. but, i dont know how to fix it?
could you please help me on this.?
Jun 25, 2020 09:59 PMfirstname.lastname@example.org|LINK
Jun 26, 2020 03:27 AM|KathyW|LINK
Web Forms use ViewState and WebResource.axd. I could only find one reference to a vulnerability in the .axd file. It's 10 years old, so I'm not sure if it still applies, but if it does, read https://www.acunetix.com/blog/news/check-application-vulnerable-asp-net-padding-oracle-vulnerability/
for what to do.
There was a security patch for this, and it should also be resolved if you are using asp.net 4.0+.
If you follow the information in those links and the PCI scan still complains, ignore it.
Jun 26, 2020 06:25 AMemail@example.com|LINK
Jun 28, 2020 03:44 AM|KathyW|LINK
What do you mean by no .add files? The error reference is to Viewstate and to WebResource.axd, which every web forms site has. If you are looking for a file named WebResource.axd in your site, you won't find it: it is not a file, but an HTTP handler, an
embedded resource in the Net framework.
Jun 29, 2020 11:41 PMfirstname.lastname@example.org|LINK
so, if there is no file name like webresource.xsd then may i know how to fix this issue?
Jul 01, 2020 01:18 AM|KathyW|LINK
Did you go through the links I posted above fully? That's all I could find on the issue. The fact that webresource.axd (not .sxd) isn't an actual file is not relevant to the answer.