Member
297 Points
1356 Posts
CGI Generic SQL Injection (blind, time based)
Jun 24, 2020 03:50 PM|winseealn@hotmail.com|LINK
Hello all,
I have a web application project developed using ASP.NET 4.0. Everything is working fine. When I run a PCI scan, it fails with the notes below.
FYI, I'm not using inline SQL or dynamic SQL in the project. So, could you please help me resolve this issue?
"CGI Generic SQL Injection (blind, time based)"
Modify the affected CGI scripts so that they properly escape arguments.
Using the GET HTTP method, SecurityMetrics found that :
+ The following resources may be vulnerable to blind SQL injection (time based) :
+ The '__VIEWSTATE' parameter of the / CGI :
/?__EVENTARGUMENT=&__EVENTTARGET=&__EVENTVALIDATION=%2fwEdAAQcuuTfKFfe2W6y%2fSLcpOlC2KLXnO0lQ7eWeTTjhe5DlGLYc1aSItsY7%2bwK2achdmwNGVEZ%2fHPoNiplVQI9uXkcj0SKloChVvSOkDJBdX7j%2fIPiwYBsUeIfnk6ydW3OH2c%3d&imgsp=&imgpt=&imgeng=&__VIEWSTATEGENERATOR=8D0E13E6&__VIEWSTATE='%20AND%20SLEEP(3)='
-------- output --------
------------------------
+ The 'd' parameter of the /WebResource.axd CGI :
/WebResource.axd?t=636458198403505852&d=6Tj7Qu4pyo4xMUO90Ebd6aF1oUiftiyqypPyYVAKhmyMPkOxVostyB_sH8sJDkxB5m2bNgrB4Z9YD2LFSdiUwR-fdkBtjbZ9N1RVXid07ISaCbKgc8sgqmh1RxsUGqzk0lk4wDVec48AJ6WZN_rryWTnSS4AhIVzItQ_mx9PW1E1'%20AND%20SLEEP(3)='
-------- output --------
------------------------
All-Star
48530 Points
18077 Posts
Re: CGI Generic SQL Injection (blind, time based)
Jun 24, 2020 04:58 PM|PatriceSc|LINK
Hi,
It seems https://www.tenable.com/plugins/nessus/43160 says it is based on the response time, which could generate false positives. Are you 100% sure you never build any part of a SQL string yourself?
Maybe explain what you are using rather than telling us what you are not doing?
Member
297 Points
1356 Posts
Re: CGI Generic SQL Injection (blind, time based)
Jun 24, 2020 09:32 PM|winseealn@hotmail.com|LINK
PatriceSc, thanks for your response.
Yes, I'm 100% sure there is no formation of a SQL string, because it's my index page: there are 3 buttons only, and clicking them navigates to separate pages.
The PCI service provider says that it's not responding in a fixed period of time (sleep), so it comes up as a false positive. But I don't know how to fix it.
Could you please help me with this?
Thanks
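The scanner's "blind, time based" check only measures how long the server takes to answer a request carrying a `SLEEP(3)` payload, so any latency spike on that one request looks like a successful injection. The script below is an added example, not code from this thread or from SecurityMetrics or Nessus. It parses the parameter names out of a report excerpt shaped like the one quoted above, then compares two ways of judging response-time samples that a site owner would collect by replaying the scanner's request against their own staging copy: the naive one-shot rule, and a rule that demands a consistent shift of about three seconds across repeated samples. All timing samples and the report excerpt are constructed, so it runs offline.

```python
import re
from statistics import median

SLEEP_SECONDS = 3.0   # delay requested by the scanner's payload: ' AND SLEEP(3)='
TOLERANCE = 0.5       # how far the observed median shift may deviate from SLEEP_SECONDS

# Constructed excerpt in the shape of the scanner report quoted in the thread.
REPORT = """
+ The '__VIEWSTATE' parameter of the / CGI :
+ The 'd' parameter of the /WebResource.axd CGI :
"""

FINDING_RE = re.compile(r"The '([^']+)' parameter of the (\S+) CGI")


def parse_findings(report_text):
    """Return [(parameter, path), ...] for every flagged parameter in the report."""
    return FINDING_RE.findall(report_text)


def single_shot_verdict(baseline_rt, payload_rt, sleep=SLEEP_SECONDS):
    """The naive rule: one payload response at least `sleep` seconds slower than
    one baseline response counts as injectable. A GC pause, app-pool recycle or
    cold start on the payload request is enough to trip it."""
    return payload_rt - baseline_rt >= sleep


def consistent_delay_verdict(baseline, payload, sleep=SLEEP_SECONDS, tol=TOLERANCE):
    """Flag only when the payload is consistently about `sleep` seconds slower:
    the median shift must lie within `tol` of `sleep`, and the fastest payload
    sample must still be slower than the slowest baseline sample. A single
    outlier in either list cannot satisfy both conditions."""
    shift = median(payload) - median(baseline)
    separated = min(payload) > max(baseline)
    flagged = abs(shift - sleep) <= tol and separated
    return {"flagged": flagged, "median_shift": round(shift, 3), "separated": separated}


# Constructed samples (seconds). The jittery site answers in ~0.25 s but has one
# 3.3-3.4 s spike in each series; the "real" series shows a steady 3 s delay.
JITTERY_BASELINE = [0.21, 0.25, 3.40, 0.23, 0.27, 0.22]
JITTERY_PAYLOAD = [0.24, 3.31, 0.22, 0.26, 0.23, 0.25]
REAL_BASELINE = [0.21, 0.25, 0.23, 0.27, 0.22, 0.24]
REAL_PAYLOAD = [3.22, 3.27, 3.24, 3.30, 3.21, 3.26]


def main():
    for param, path in parse_findings(REPORT):
        print(f"scanner flagged parameter {param!r} on {path}")
    # One unlucky pair of requests is all the naive rule needs.
    print("one-shot verdict on jittery site:",
          single_shot_verdict(JITTERY_BASELINE[0], JITTERY_PAYLOAD[1]))
    print("repeated-sample verdict on jittery site:",
          consistent_delay_verdict(JITTERY_BASELINE, JITTERY_PAYLOAD))
    print("repeated-sample verdict on a real 3 s delay:",
          consistent_delay_verdict(REAL_BASELINE, REAL_PAYLOAD))


if __name__ == "__main__":
    main()
```

When the repeated-sample rule does not flag a parameter that the scanner did, the timing evidence for the finding is gone, and that is what to document for the PCI assessor. Both flagged parameters here are also ones ASP.NET checks before any application code runs: `__VIEWSTATE` is MAC-validated (on by default in ASP.NET 4.0) and a modified value is rejected with a ViewState exception, and the `d` value of `WebResource.axd` is an encrypted resource reference handled by the framework's own HTTP handler, so neither reaches a database query.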
Member
297 Points
1356 Posts
Re: CGI Generic SQL Injection (blind, time based)
Jun 25, 2020 09:59 PM|winseealn@hotmail.com|LINK
Any clue?
Contributor
5961 Points
2468 Posts
Re: CGI Generic SQL Injection (blind, time based)
Jun 26, 2020 03:27 AM|KathyW|LINK
Web Forms use ViewState and WebResource.axd. I could only find one reference to a vulnerability in the .axd file. It's 10 years old, so I'm not sure if it still applies, but if it does, read https://www.acunetix.com/blog/news/check-application-vulnerable-asp-net-padding-oracle-vulnerability/ for what to do.
There was a security patch for this, and it should also be resolved if you are using ASP.NET 4.0+.
https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2010/ms10-070?redirectedfrom=MSDN
If you follow the information in those links and the PCI scan still complains, ignore it.
Member
297 Points
1356 Posts
Re: CGI Generic SQL Injection (blind, time based)
Jun 26, 2020 06:25 AM|winseealn@hotmail.com|LINK
Actually, in my project there are no .add files and I'm using .NET 4.0 only. So, it's strange.
Contributor
5961 Points
2468 Posts
Re: CGI Generic SQL Injection (blind, time based)
Jun 28, 2020 03:44 AM|KathyW|LINK
What do you mean by no .add files? The error reference is to ViewState and to WebResource.axd, which every Web Forms site has. If you are looking for a file named WebResource.axd in your site, you won't find it: it is not a file, but an HTTP handler, an embedded resource in the .NET Framework.
Member
297 Points
1356 Posts
Re: CGI Generic SQL Injection (blind, time based)
Jun 29, 2020 11:41 PM|winseealn@hotmail.com|LINK
Hello KathyW,
So, if there is no file named webresource.xsd, then may I know how to fix this issue?
Thanks
Contributor
5961 Points
2468 Posts
Re: CGI Generic SQL Injection (blind, time based)
Jul 01, 2020 01:18 AM|KathyW|LINK
Did you go through the links I posted above fully? That's all I could find on the issue. The fact that webresource.axd (not .sxd) isn't an actual file is not relevant to the answer.