-
Type:
Bug
-
Status:
Closed
-
Priority:
Critical
-
Resolution:
Done
-
Affects Version/s:
None
-
Fix Version/s:
None
-
-
-
-
Module:
BenAdmin
- Security
-
-
Item State:
Production Complete
-
Issue Importance:
Must Have
Praetorian initially detected a SQL injection vulnerability after submitting a variety of malicious input
parameters to the GetEmployees endpoint. Praetorian used SQL injection payloads that caused the
application to demonstrate a noticeable difference in response time depending on the results of the
provided SQL query.
Page Name: Search Employee
Information Recovered:
SQL Server version number, Database version, Server name
System should not disclose this information to user.
{"report":{"apdex":1,"isInitial":true,"journeyId":"3d99ab77-f181-42ba-9640-051f76d48de4","key":"jira.project.issue.view-issue","navigationType":0,"readyForUser":702.1999998092651,"redirectCount":0,"resourceLoadedEnd":754.1999998092651,"resourceLoadedStart":126.19999980926514,"resourceTiming":[{"duration":151.80000019073486,"initiatorType":"link","name":"https://jira.workterra.net/s/3003653444a1e1a85555cab7dcfb3a21-CDN/-w431t5/805012/9a9e1fae3639050b38ac467c3aa37e79/2e46d90b5cae895c9c38649c9d510130/_/download/contextbatch/css/_super/batch.css","startTime":126.19999980926514,"connectEnd":0,"connectStart":0,"domainLookupEnd":0,"domainLookupStart":0,"fetchStart":126.19999980926514,"redirectEnd":0,"redirectStart":0,"requestStart":0,"responseEnd":278,"responseStart":0,"secureConnectionStart":0},{"duration":151.9000005722046,"initiatorType":"link","name":"https://jira.workterra.net/s/dd6a0911920485696ac20493290df627-CDN/-w431t5/805012/9a9e1fae3639050b38ac467c3aa37e79/3abe50d469404b639745df44b51476b6/_/download/contextbatch/css/jira.browse.project,jira.view.issue,project.issue.navigator,jira.global,atl.general,-_super/batch.css?agile_global_admin_condition=true&jag=true&jira.create.linked.issue=true&richediton=true","startTime":126.5,"connectEnd":0,"connectStart":0,"domainLookupEnd":0,"domainLookupStart":0,"fetchStart":126.5,"redirectEnd":0,"redirectStart":0,"requestStart":0,"responseEnd":278.4000005722046,"responseStart":0,"secureConnectionStart":0},{"duration":151.80000019073486,"initiatorType":"link","name":"https://jira.workterra.net/s/d41d8cd98f00b204e9800998ecf8427e-CDN/-w431t5/805012/9a9e1fae3639050b38ac467c3aa37e79/8.5.0/_/download/batch/com.atlassian.auiplugin:split_aui.pattern.label/com.atlassian.auiplugin:split_aui.pattern.label.css","startTime":126.69999980926514,"connectEnd":0,"connectStart":0,"domainLookupEnd":0,"domainLookupStart":0,"fetchStart":126.69999980926514,"redirectEnd":0,"redirectStart":0,"requestStart":0,"responseEnd":278.5,"responseStart":0,"secureConnectionStart":0},{"duration":151.80000019073486,"initiatorType":"link","name":"https://jira.workterra.net/s/bd548f27bbf8f278bd83b60dd3284ed8-CDN/-w431t5/805012/9a9e1fae3639050b38ac467c3aa37e79/1.0/_/download/batch/jira.webresources:global-static-adgs/jira.webresources:global-static-adgs.css","startTime":126.80000019073486,"connectEnd":0,"connectStart":0,"domainLookupEnd":0,"domainLookupStart":0,"fetchStart":126.80000019073486,"redirectEnd":0,"redirectStart":0,"requestStart":0,"responseEnd":278.6000003814697,"responseStart":0,"secureConnectionStart":0},{"duration":151.5999994277954,"initiatorType":"link","name":"https://jira.workterra.net/s/70725731a158a7140f19ddbd4201ba27-CDN/-w431t5/805012/9a9e1fae3639050b38ac467c3aa37e79/1.0/_/download/batch/jira.webresources:global-static/jira.webresources:global-static.css","startTime":127.10000038146973,"connectEnd":0,"connectStart":0,"domainLookupEnd":0,"domainLookupStart":0,"fetchStart":127.10000038146973,"redirectEnd":0,"redirectStart":0,"requestStart":0,"responseEnd":278.69999980926514,"responseStart":0,"secureConnectionStart":0},{"duration":160.80000019073486,"initiatorType":"script","name":"https://jira.workterra.net/s/f2623af22c15df767ec6ff268ae0b8bd-CDN/-w431t5/805012/9a9e1fae3639050b38ac467c3aa37e79/2e46d90b5cae895c9c38649c9d510130/_/download/contextbatch/js/_super/batch.js?locale=en-US","startTime":127.30000019073486,"connectEnd":127.30000019073486,"connectStart":127.30000019073486,"domainLookupEnd":127.30000019073486,"domainLookupStart":127.30000019073486,"fetchStart":127.30000019073486,"redirectEnd":0,"redirectStart":0,"requestStart":127.30000019073486,"responseEnd":288.1000003814697,"responseStart":288.1000003814697,"secureConnectionStart":127.30000019073486},{"duration":191.9000005722046,"initiatorType":"script","name":"https://jira.workterra.net/s/6ce676f2a5bcc9651cef6e7956f05def-CDN/-w431t5/805012/9a9e1fae3639050b38ac467c3aa37e79/3abe50d469404b639745df44b51476b6/_/download/contextbatch/js/jira.browse.project,jira.view.issue,project.issue.navigator,jira.global,atl.general,-_super/batch.js?agile_global_admin_condition=true&jag=true&jira.create.linked.issue=true&locale=en-US&richediton=true","startTime":127.5,"connectEnd":127.5,"connectStart":127.5,"domainLookupEnd":127.5,"domainLookupStart":127.5,"fetchStart":127.5,"redirectEnd":0,"redirectStart":0,"requestStart":127.5,"responseEnd":319.4000005722046,"responseStart":319.30000019073486,"secureConnectionStart":127.5},{"duration":194.80000019073486,"initiatorType":"script","name":"https://jira.workterra.net/s/ecf7ec549751ae117b778f0525d6d371-CDN/-w431t5/805012/9a9e1fae3639050b38ac467c3aa37e79/4.1.5/_/download/resources/com.atlassian.plugins.atlassian-chaperone:hotspot-tour/hotspot-tour.js?batch=false&locale=en-US","startTime":127.69999980926514,"connectEnd":127.69999980926514,"connectStart":127.69999980926514,"domainLookupEnd":127.69999980926514,"domainLookupStart":127.69999980926514,"fetchStart":127.69999980926514,"redirectEnd":0,"redirectStart":0,"requestStart":127.69999980926514,"responseEnd":322.5,"responseStart":322.5,"secureConnectionStart":127.69999980926514},{"duration":195.19999980926514,"initiatorType":"script","name":"https://jira.workterra.net/s/6aa3fcf1fac5fd551eee0b69077524e6-CDN/-w431t5/805012/9a9e1fae3639050b38ac467c3aa37e79/aae1242f5fc81cc6a5bb8bc963ccda29/_/download/contextbatch/js/atl.global,-_super/batch.js?locale=en-US","startTime":127.80000019073486,"connectEnd":127.80000019073486,"connectStart":127.80000019073486,"domainLookupEnd":127.80000019073486,"domainLookupStart":127.80000019073486,"fetchStart":127.80000019073486,"redirectEnd":0,"redirectStart":0,"requestStart":127.80000019073486,"responseEnd":323,"responseStart":323,"secureConnectionStart":127.80000019073486},{"duration":195.5,"initiatorType":"script","name":"https://jira.workterra.net/s/d41d8cd98f00b204e9800998ecf8427e-CDN/-w431t5/805012/9a9e1fae3639050b38ac467c3aa37e79/1.0/_/download/batch/jira.webresources:calendar-en/jira.webresources:calendar-en.js","startTime":128,"connectEnd":128,"connectStart":128,"domainLookupEnd":128,"domainLookupStart":128,"fetchStart":128,"redirectEnd":0,"redirectStart":0,"requestStart":128,"responseEnd":323.5,"responseStart":323.5,"secureConnectionStart":128},{"duration":195.5999994277954,"initiatorType":"script","name":"https://jira.workterra.net/s/d41d8cd98f00b204e9800998ecf8427e-CDN/-w431t5/805012/9a9e1fae3639050b38ac467c3aa37e79/1.0/_/download/batch/jira.webresources:calendar-localisation-moment/jira.webresources:calendar-localisation-moment.js","startTime":128.10000038146973,"connectEnd":128.10000038146973,"connectStart":128.10000038146973,"domainLookupEnd":128.10000038146973,"domainLookupStart":128.10000038146973,"fetchStart":128.10000038146973,"redirectEnd":0,"redirectStart":0,"requestStart":128.10000038146973,"responseEnd":323.69999980926514,"responseStart":323.69999980926514,"secureConnectionStart":128.10000038146973},{"duration":195.80000019073486,"initiatorType":"script","name":"https://jira.workterra.net/s/ecf7ec549751ae117b778f0525d6d371-CDN/-w431t5/805012/9a9e1fae3639050b38ac467c3aa37e79/8.5.0/_/download/batch/com.atlassian.auiplugin:split_aui.pattern.label/com.atlassian.auiplugin:split_aui.pattern.label.js?locale=en-US","startTime":128.30000019073486,"connectEnd":128.30000019073486,"connectStart":128.30000019073486,"domainLookupEnd":128.30000019073486,"domainLookupStart":128.30000019073486,"fetchStart":128.30000019073486,"redirectEnd":0,"redirectStart":0,"requestStart":128.30000019073486,"responseEnd":324.1000003814697,"responseStart":324.1000003814697,"secureConnectionStart":128.30000019073486},{"duration":306.69999980926514,"initiatorType":"link","name":"https://jira.workterra.net/s/05c862146699bb029ceb0a489075e63b-CDN/-w431t5/805012/9a9e1fae3639050b38ac467c3aa37e79/bcd66e9a133a1b9f5fd14b56841e1c5b/_/download/contextbatch/css/jira.global.look-and-feel,-_super/batch.css","startTime":128.4000005722046,"connectEnd":0,"connectStart":0,"domainLookupEnd":0,"domainLookupStart":0,"fetchStart":128.4000005722046,"redirectEnd":0,"redirectStart":0,"requestStart":0,"responseEnd":435.1000003814697,"responseStart":0,"secureConnectionStart":0},{"duration":196.10000038146973,"initiatorType":"script","name":"https://jira.workterra.net/rest/api/1.0/shortcuts/805012/a664c2c06e52d83566c477b9899c262e/shortcuts.js?context=issuenavigation&context=issueaction","startTime":128.5,"connectEnd":128.5,"connectStart":128.5,"domainLookupEnd":128.5,"domainLookupStart":128.5,"fetchStart":128.5,"redirectEnd":0,"redirectStart":0,"requestStart":128.5,"responseEnd":324.6000003814697,"responseStart":324.6000003814697,"secureConnectionStart":128.5},{"duration":306.6000003814697,"initiatorType":"link","name":"https://jira.workterra.net/s/9095228fa10daa2d3e3d7d5760c95e91-CDN/-w431t5/805012/9a9e1fae3639050b38ac467c3aa37e79/72477c22780abda5f51fe696920d843f/_/download/contextbatch/css/com.atlassian.jira.projects.sidebar.init,-_super,-jira.view.issue,-project.issue.navigator/batch.css?jira.create.linked.issue=true&richediton=true","startTime":128.69999980926514,"connectEnd":0,"connectStart":0,"domainLookupEnd":0,"domainLookupStart":0,"fetchStart":128.69999980926514,"redirectEnd":0,"redirectStart":0,"requestStart":0,"responseEnd":435.30000019073486,"responseStart":0,"secureConnectionStart":0},{"duration":196.10000038146973,"initiatorType":"script","name":"https://jira.workterra.net/s/c19a1b46e985d7fb85efaf27c8febfdd-CDN/-w431t5/805012/9a9e1fae3639050b38ac467c3aa37e79/72477c22780abda5f51fe696920d843f/_/download/contextbatch/js/com.atlassian.jira.projects.sidebar.init,-_super,-jira.view.issue,-project.issue.navigator/batch.js?jira.create.linked.issue=true&locale=en-US&richediton=true","startTime":129,"connectEnd":129,"connectStart":129,"domainLookupEnd":129,"domainLookupStart":129,"fetchStart":129,"redirectEnd":0,"redirectStart":0,"requestStart":129,"responseEnd":325.1000003814697,"responseStart":325.1000003814697,"secureConnectionStart":129},{"duration":349.69999980926514,"initiatorType":"script","name":"https://jira.workterra.net/s/d41d8cd98f00b204e9800998ecf8427e-CDN/-w431t5/805012/9a9e1fae3639050b38ac467c3aa37e79/1.0/_/download/batch/jira.webresources:bigpipe-js/jira.webresources:bigpipe-js.js","startTime":129.80000019073486,"connectEnd":129.80000019073486,"connectStart":129.80000019073486,"domainLookupEnd":129.80000019073486,"domainLookupStart":129.80000019073486,"fetchStart":129.80000019073486,"redirectEnd":0,"redirectStart":0,"requestStart":129.80000019073486,"responseEnd":479.5,"responseStart":479.5,"secureConnectionStart":129.80000019073486},{"duration":366.5,"initiatorType":"script","name":"https://jira.workterra.net/s/d41d8cd98f00b204e9800998ecf8427e-CDN/-w431t5/805012/9a9e1fae3639050b38ac467c3aa37e79/1.0/_/download/batch/jira.webresources:bigpipe-init/jira.webresources:bigpipe-init.js","startTime":129.80000019073486,"connectEnd":129.80000019073486,"connectStart":129.80000019073486,"domainLookupEnd":129.80000019073486,"domainLookupStart":129.80000019073486,"fetchStart":129.80000019073486,"redirectEnd":0,"redirectStart":0,"requestStart":129.80000019073486,"responseEnd":496.30000019073486,"responseStart":496.30000019073486,"secureConnectionStart":129.80000019073486},{"duration":31.100000381469727,"initiatorType":"xmlhttprequest","name":"https://jira.workterra.net/rest/webResources/1.0/resources","startTime":449,"connectEnd":449,"connectStart":449,"domainLookupEnd":449,"domainLookupStart":449,"fetchStart":449,"redirectEnd":0,"redirectStart":0,"requestStart":449,"responseEnd":480.1000003814697,"responseStart":480.1000003814697,"secureConnectionStart":449},{"duration":101.60000038146973,"initiatorType":"link","name":"https://jira.workterra.net/s/10a53164f749b8e3714ef758ef17e5b9-CDN/-w431t5/805012/9a9e1fae3639050b38ac467c3aa37e79/fe5ac63c98407b87468d3a8082628b5e/_/download/contextbatch/css/jira.rich.editor.api,jira.project.sidebar,jira.rich.editor,-_super,-jira.view.issue,-jira.global,-atl.general,-com.atlassian.jira.projects.sidebar.init,-project.issue.navigator/batch.css?agile_global_admin_condition=true&jag=true&jira.create.linked.issue=true&richediton=true","startTime":483.5,"connectEnd":0,"connectStart":0,"domainLookupEnd":0,"domainLookupStart":0,"fetchStart":483.5,"redirectEnd":0,"redirectStart":0,"requestStart":0,"responseEnd":585.1000003814697,"responseStart":0,"secureConnectionStart":0}],"threshold":1000,"fetchStart":0,"domainLookupStart":0,"domainLookupEnd":0,"connectStart":0,"connectEnd":0,"requestStart":17,"responseStart":120,"responseEnd":121,"domLoading":123,"domInteractive":808,"domContentLoadedEventStart":808,"domContentLoadedEventEnd":882,"domComplete":1180,"loadEventStart":1180,"loadEventEnd":1182,"userAgent":"Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; ClaudeBot/1.0; +claudebot@anthropic.com)","marks":[],"measures":[],"correlationId":"f85975a5219349","effectiveType":"4g","downlink":10,"rtt":0,"serverDuration":78,"dbReadsTimeInMs":16,"dbConnsTimeInMs":19,"applicationHash":"156decd7d2b4272533aa6cefc8294af635e1da97","experiments":[]}}
Gokul Sonawane (Inactive)
made changes -
Khandu Kshirsagar (Inactive)
made changes -
Issue was caused due to improper casting done for ClassID fields. ClassID fileds are of integer type in database but value stored in string datatype resulted in SQL Injection.
We have converted this in int which will show error when any user explicitly modify request.