WORKTERRAProject Type: software

WORKTERRA

Uploaded image for project: 'WORKTERRA'
  1. WORKTERRA
  2. WT-4999

Blind SQL Injection

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Done
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: Platform
    • Labels:
      None
    • Environment:
      Production
    • Module:
      BenAdmin - Security
    • Reported by:
      Support
    • Item State:
      Production Complete
    • Issue Importance:
      Must Have

      Description

      Praetorian initially detected a SQL injection vulnerability after submitting a variety of malicious input
      parameters to the GetEmployees endpoint. Praetorian used SQL injection payloads that caused the
      application to demonstrate a noticeable difference in response time depending on the results of the
      provided SQL query.

      Page Name: Search Employee

      Information Recovered:
      SQL Server version number, Database version, Server name

      System should not disclose this information to user.

        Attachments

          Activity

          Ascending order - Click to sort in descending order
          Hide
          Permalink
          vijayendra Vijayendra Shinde (Inactive) added a comment -

          Issue was caused due to improper casting done for ClassID fields. ClassID fileds are of integer type in database but value stored in string datatype resulted in SQL Injection.

          We have converted this in int which will show error when any user explicitly modify request.

          Show
          vijayendra Vijayendra Shinde (Inactive) added a comment - Issue was caused due to improper casting done for ClassID fields. ClassID fileds are of integer type in database but value stored in string datatype resulted in SQL Injection. We have converted this in int which will show error when any user explicitly modify request.
          Hide
          Permalink
          prasadp Prasad Pise (Inactive) added a comment -

          Issue is already verified and closed from Praetorian team.

          Show
          prasadp Prasad Pise (Inactive) added a comment - Issue is already verified and closed from Praetorian team.

            People

            Assignee:
            prasadp Prasad Pise (Inactive)
            Reporter:
            vijayendra Vijayendra Shinde (Inactive)
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved: