WORKTERRA / WT-3873

Verify OR logical condition with single quote for SQL Injection

    Details

    • Type: Enhancement
    • Status: Closed
    • Priority: Medium
    • Resolution: Done
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: BenAdmin
    • Labels: None
    • Module: BenAdmin - Security
    • Reported by: Support
    • Item State: Production Complete - Closed

      Description

      We need to verify the OR condition for SQL injection. The scenario that was tried to save is as mentioned below:

      asdf' OR '1'='1

      We have verified OR with a single quote and at least one space before and after OR.

        Attachments

        1. image006.png (0.7 kB, Samir)
        2. WT-3873.doc (268 kB, Prasad Pise)

          Activity

          Vijayendra Shinde (Inactive) added a comment -

          Affected Files:

          /branches/LB/Config Files WT Stage/Web Server/Web.config
          /branches/LB/Web/SharedFunctionWebTier/SharedFunctionWebTier/Modules/CustomModelBinder.cs

          Deepali Tidke (Inactive) added a comment - edited

          Need discussion before starting this patch, will start from Monday.

          Deepali Tidke (Inactive) added a comment -

          Checked the following pages:

          -Plan Design [check for all benefit types]
          -Form Builder pages creation flow

          Will check a few more pages tomorrow and will update the Jira.

          Deepali Tidke (Inactive) added a comment -

          Also, checked the following pages:

          -Add/Change? Benefit Plans
          -Benefit Type Builder
          -Employee self serve mode
          -export/import template local & global
          -landing pages
          -rates page
          -Pages which accept email ids like TemplateSettings, TemplateDelivery
          -Company information pages
          -email format message page

          Deepali Tidke (Inactive) added a comment -

          Testing is done on LB; we will make it ready for stage once security testing is completed by Rupali W.

          Prasad Pise (Inactive) added a comment -

          Testing is still in progress. Please refer to the attached doc for the areas tested till now: WT-3873.doc

          Deepali Tidke (Inactive) added a comment -

          Prasad Pise, kindly update.

          Prasad Pise (Inactive) added a comment -

          I have verified a few “Input Text fields” on the following pages/forms in the Workterra web application for the SQL injection related issue WT-3873.
          • Company Information
          • Classes
          • Add/Update Company
          • Add Employee/Update Employee
          • Employee Demographics
          • Employee Education > Certification Information: page is still prone to SQL injections as it accepts text like
          asdf' OR '1'='1
          " or ""="

          • Employee Emergency Contact
          • Employment Management
          • Change Classes
          • Change Status
          • Compensation History
          • View History WT-3873.doc
          • Template Management
          • Group Template Management
          • Manual Import/Export
          • Employee Self Serve Mode: could not be tested due to a server error for the “Town of Cary” company

          There are still some fields where input validation needs to be implemented.

          Vijayendra Shinde (Inactive) added a comment -

          Hi Prasad Pise,

          By looking at attached snaps,
          1. We can see the asdf'OR'1'='1 string has been inserted as a string value. It is not an injection in SQL. With the above query, SQL execution will fail because there is no space between asdf' OR '1'='1. In SQL injection the second boolean expression OR '1'='1 doesn't get inserted into the database because it is a logical condition.

          In case of SQL injection the result should be only asdf.

          2. On the Employment management screen, when we add characters, the system threw a server error. I want to get more inputs on this: how we identified this is a SQL injection error.

          3. Deepali Tidke, Prasad is facing a server error while testing self serve mode. Please get this issue resolved so that he can test SQL injection in self serve mode.

          CC: Samir, Rakesh Roy
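Added example (not WorkTerra code) illustrating the point in the comment above: with a parameterised statement a probe such as asdf' OR '1'='1 is stored verbatim as data, while the same input spliced into a concatenated WHERE clause changes the query and matches every row. It uses Python with sqlite3 and a constructed `employee` table; the application's real tables and the CustomModelBinder are not modelled.

```python
import sqlite3

# Probe strings quoted in the ticket; the employee rows below are constructed sample data.
PROBES = ["asdf' OR '1'='1", '" or ""="']


def make_db():
    """In-memory table standing in for the column behind any 'Input Text field'."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employee (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO employee(name) VALUES (?)",
                     [("alice",), ("bob",)])
    return conn


def save_name(conn, name):
    """Parameterised INSERT: the driver binds the value, the SQL parser never
    sees the quote, so the row holds exactly what the user typed."""
    cur = conn.execute("INSERT INTO employee(name) VALUES (?)", (name,))
    row = conn.execute("SELECT name FROM employee WHERE id = ?",
                       (cur.lastrowid,)).fetchone()
    return row[0]


def lookup_unsafe(conn, name):
    """The defect: user text is spliced into the statement, so the quote closes
    the literal and OR '1'='1 becomes part of the WHERE clause."""
    sql = "SELECT name FROM employee WHERE name = '" + name + "' ORDER BY id"
    return [r[0] for r in conn.execute(sql)]


def lookup_safe(conn, name):
    """Same query with a bound parameter: the probe matches only a row that
    literally contains it."""
    sql = "SELECT name FROM employee WHERE name = ? ORDER BY id"
    return [r[0] for r in conn.execute(sql, (name,))]


def demo():
    """What a tester should expect from a correctly fixed form versus the defect."""
    conn = make_db()
    stored = [save_name(conn, p) for p in PROBES]
    return {
        "stored_verbatim": stored == PROBES,            # True: data stayed data
        "unsafe_rows": lookup_unsafe(conn, PROBES[0]),  # tautology: every row
        "safe_rows": lookup_safe(conn, PROBES[0]),      # only the probe row itself
    }
```

Seeing the probe come back unchanged from the table is therefore the expected outcome of a bound parameter, whereas a filter that rejects inputs containing OR (the approach that produced the “Benefit Type Name” false positives later in this ticket) does not by itself show the query is safe.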

          Deepali Tidke (Inactive) added a comment -

          Prasad Pise, Vijayendra Shinde: as of now on LB, self serve mode works on only 1 company, i.e. ASML comp. Prasad Pise, you can check self serve mode on this company.

          CC: Samir, Rakesh Roy

          Samir added a comment -

          Hi Prasad,

          Are we using any tool for SQL injection?

          Regards,

          Samir

          From: Vijayendra Shinde (JIRA) jira@workterra.atlassian.net
          Sent: Monday, August 22, 2016 12:17 PM
          To: samir@harbingergroup.com
          Subject: [JIRA] Vijayendra Shinde mentioned you on WT-3873 (JIRA)


          Prasad Pise (Inactive) added a comment -

          Samir, I haven't used any tool for this verification.

          Prasad Pise (Inactive) added a comment -

          Samir, Vijayendra Shinde
          I have verified the following few more pages and found issues in the red marked areas.

          • Employee Self Serve Mode (ATG JE Dunn)
          • User Access Policy > Add New Policy – server error when a single quote is inserted in the Policy Name field.
          • Benefit Type Builder
            ISSUE: Text field “Benefit Type Name” shows a validation message when a character (t, g, l) is present in the text

          PFA updated document for more details: WT-3873.doc
          These issues need to be fixed before moving to the production environment.


            People

            Assignee: Prasad Pise (Inactive)
            Reporter: Vijayendra Shinde (Inactive)
            Votes: 0
            Watchers: 4
