WORKTERRAProject Type: software

WORKTERRA

Uploaded image for project: 'WORKTERRA'
  1. WORKTERRA
  2. WT-4999

Blind SQL Injection

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Done
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: Platform
    • Labels:
      None
    • Environment:
      Production
    • Module:
      BenAdmin - Security
    • Reported by:
      Support
    • Item State:
      Production Complete
    • Issue Importance:
      Must Have

      Description

      Praetorian initially detected a SQL injection vulnerability after submitting a variety of malicious input
      parameters to the GetEmployees endpoint. Praetorian used SQL injection payloads that caused the
      application to demonstrate a noticeable difference in response time depending on the results of the
      provided SQL query.

      Page Name: Search Employee

      Information Recovered:
      SQL Server version number, Database version, Server name

      System should not disclose this information to user.

        Attachments

          Activity

          Ascending order - Click to sort in descending order
          vijayendra Vijayendra Shinde (Inactive) created issue -
          vijayendra Vijayendra Shinde (Inactive) made changes -
          Field Original Value New Value
          Assignee Amnesh Goel [ amnesh.goel ] Vijayendra Shinde [ ID10506 ]
          vijayendra Vijayendra Shinde (Inactive) made changes -
          Status Open [ 1 ] In Development [ 10007 ]
          Hide
          Permalink
          vijayendra Vijayendra Shinde (Inactive) added a comment -

          Issue was caused due to improper casting done for ClassID fields. ClassID fileds are of integer type in database but value stored in string datatype resulted in SQL Injection.

          We have converted this in int which will show error when any user explicitly modify request.

          Show
          vijayendra Vijayendra Shinde (Inactive) added a comment - Issue was caused due to improper casting done for ClassID fields. ClassID fileds are of integer type in database but value stored in string datatype resulted in SQL Injection. We have converted this in int which will show error when any user explicitly modify request.
          vijayendra Vijayendra Shinde (Inactive) made changes -
          Assignee Vijayendra Shinde [ ID10506 ] Prasad Pise [ prasadp ]
          vijayendra Vijayendra Shinde (Inactive) made changes -
          Item State Parent values: Development(10200)Level 1 values: Ready for Local Testing(10209) Parent values: Production QA(10203)Level 1 values: Production Deployed(10221)
          gokul.sonawane Gokul Sonawane (Inactive) made changes -
          Item State Parent values: Production QA(10203)Level 1 values: Production Deployed(10221) Parent values: Stage QA(10202)Level 1 values: Stage Deployed(11602)
          rakeshr Rakesh Roy (Inactive) made changes -
          Status In Development [ 10007 ] Local Testing [ 10200 ]
          rakeshr Rakesh Roy (Inactive) made changes -
          Status Local Testing [ 10200 ] Stage Testing [ 10201 ]
          ashwin.wankhede Ashwin Wankhede (Inactive) made changes -
          Item State Parent values: Stage QA(10202)Level 1 values: Stage Deployed(11602) Parent values: Production QA(10203)Level 1 values: Production Deployed(10221)
          khandu.kshirsagar Khandu Kshirsagar (Inactive) made changes -
          Item State Parent values: Production QA(10203)Level 1 values: Production Deployed(10221) Parent values: LB QA(10201)Level 1 values: LB Deployed(11600)
          rakeshr Rakesh Roy (Inactive) made changes -
          Item State Parent values: LB QA(10201)Level 1 values: LB Deployed(11600) Parent values: Production QA(10203)Level 1 values: Production Deployed(10221)
          rakeshr Rakesh Roy (Inactive) made changes -
          Status Stage Testing [ 10201 ] Production Testing [ 10202 ]
          Hide
          Permalink
          prasadp Prasad Pise (Inactive) added a comment -

          Issue is already verified and closed from Praetorian team.

          Show
          prasadp Prasad Pise (Inactive) added a comment - Issue is already verified and closed from Praetorian team.
          prasadp Prasad Pise (Inactive) made changes -
          Resolution Fixed [ 1 ]
          Status Production Testing [ 10202 ] Production Complete [ 10028 ]
          prasadp Prasad Pise (Inactive) made changes -
          Status Production Complete [ 10028 ] Closed [ 6 ]
          prasadp Prasad Pise (Inactive) made changes -
          Item State Parent values: Production QA(10203)Level 1 values: Production Deployed(10221) Parent values: Production Complete(10222)
          satyap Satya made changes -
          Environment_New Production [ 18442 ]
          Transition Time In Source Status Execution Times
          Vijayendra Shinde (Inactive) made transition -
          Open In Development
          		1m 42s 1
          Rakesh Roy (Inactive) made transition -
          In Development In LB Testing
          		1h 15m 1
          Rakesh Roy (Inactive) made transition -
          In LB Testing Stage Testing
          		8s 1
          Rakesh Roy (Inactive) made transition -
          Stage Testing In Production Testing
          		4d 20h 17m 1
          Prasad Pise (Inactive) made transition -
          In Production Testing Production Complete
          		2d 23h 1m 1
          Prasad Pise (Inactive) made transition -
          Production Complete Closed
          		2s 1

            People

            Assignee:
            prasadp Prasad Pise (Inactive)
            Reporter:
            vijayendra Vijayendra Shinde (Inactive)
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved: