[OWASP-Security101] Validating a scanner's results

us1903 sharu89 at gmail.com
Tue Apr 10 17:13:46 UTC 2012


There are a few approaches to determine if this is a false positive. The
first is to check the source code and see if parametrized queries are
used. If not, then chances are it might be SQL injection. Most of the
scanners find SQL injection based on a change in responses, i.e., the
scanner sends a true condition and checks the response, then sends a false
condition and checks the response. If there is a difference in the
responses then it might report it as SQLi. The second way to eliminate a
false positive is to check if the value of the parameter is interacting
with the database at all.

Another approach, but a time-consuming one, applies when you do not have
access to the source code. In this case, if you are sure that there is no
input validation then you should be able to confirm SQLi using various
vectors. The simplest one is "<param_value> OR 1=1" for the true condition
and "<param_value> OR 1=2" for the false condition. Hope this helps.

--
Sharath Unni

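The boolean-based check described above, replayed in code, is an added example and not part of the list post or of any Acunetix output. It runs the true/false vectors from the message against three hypothetical handlers backed by an in-memory SQLite table with constructed rows: one that concatenates the parameter into the query, one that binds it as a parameter, and one that never touches the database (the second false-positive case the message mentions). The handler names, table layout and rendered HTML are assumptions made for the example.

```python
import sqlite3


# Constructed sample data for the demonstration; none of it comes from the post.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [(1, "widget", 9.99), (2, "gadget", 19.99), (3, "gizmo", 4.50)],
    )
    return conn


def vulnerable_lookup(conn, product_id):
    # Hypothetical handler: string concatenation makes the parameter part of the SQL grammar.
    sql = "SELECT id, name, price FROM products WHERE id = " + product_id
    return conn.execute(sql).fetchall()


def parameterized_lookup(conn, product_id):
    # Hypothetical handler: a bound parameter is only ever compared as a value.
    sql = "SELECT id, name, price FROM products WHERE id = ?"
    return conn.execute(sql, (product_id,)).fetchall()


def static_lookup(conn, product_id):
    # Hypothetical handler that ignores the parameter entirely (no database interaction).
    return [(0, "static", 0.0)]


def render(rows):
    # Hypothetical HTML rendering: the response body a scanner would diff.
    if not rows:
        return "<p>No products found</p>"
    items = "".join(f"<li>{name}: {price:.2f}</li>" for _, name, price in rows)
    return "<ul>" + items + "</ul>"


def fetch_body(handler, conn, value):
    # A real application folds SQL errors into a generic error page; mimic that.
    try:
        return render(handler(conn, value))
    except sqlite3.Error:
        return "<p>Internal error</p>"


def boolean_differential(handler, base_value="1",
                         true_suffix=" OR 1=1", false_suffix=" OR 1=2"):
    """Replay the scanner's boolean-based check against one handler.

    Returns the three bodies plus two flags:
      differs           -- true and false conditions produced different pages
                           (the signal a scanner keys on)
      false_is_baseline -- the false condition behaved like the plain value,
                           as expected when the parameter really reaches SQL
    """
    conn = make_db()
    baseline = fetch_body(handler, conn, base_value)
    body_true = fetch_body(handler, conn, base_value + true_suffix)
    body_false = fetch_body(handler, conn, base_value + false_suffix)
    return {
        "baseline": baseline,
        "true": body_true,
        "false": body_false,
        "differs": body_true != body_false,
        "false_is_baseline": body_false == baseline,
    }


def verdict(handler):
    """Turn the differential into the practitioner's conclusion."""
    r = boolean_differential(handler)
    if r["baseline"] == r["true"] == r["false"]:
        return "no evidence: parameter does not influence the response"
    if r["differs"] and r["false_is_baseline"]:
        return "likely injectable: true/false conditions toggle the page"
    if not r["differs"]:
        return "not injectable by this vector: parameter is used as data only"
    return "inconclusive: re-check manually through a proxy"


if __name__ == "__main__":
    for handler in (vulnerable_lookup, parameterized_lookup, static_lookup):
        print(f"{handler.__name__:22s} -> {verdict(handler)}")
```

The parameterized handler still changes its output between the plain value and the injected strings (the bound text no longer matches any row), which is why the check compares the true and false conditions to each other rather than only to the baseline: a handler that treats the input as data gives the same answer for both, while a concatenated query returns extra rows for `OR 1=1` and the baseline row for `OR 1=2`.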
On Fri, Apr 6, 2012 at 5:30 PM, <security101-request at lists.owasp.org> wrote:

> Send Security101 mailing list submissions to
>        security101 at lists.owasp.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
>        https://lists.owasp.org/mailman/listinfo/security101
> or, via email, send a message with subject or body 'help' to
>        security101-request at lists.owasp.org
>
> You can reach the person managing the list at
>        security101-owner at lists.owasp.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Security101 digest..."
>
>
> Today's Topics:
>
>   1. Re: Storing of password in application config file (Erki Männiste)
>   2. Validating a scanner's results (Patrick Laverty)
>   3. uniquely identifying USB device (Erki Männiste)
>   4. Re: Storing of password in application config file
>      (Patrick Laverty)
>   5. Re: Validating a scanner's results (Patrick Laverty)
>   6. Re: Validating a scanner's results (dinis cruz)
>   7. Re: Validating a scanner's results (dinis cruz)
>   8. Re: Validating a scanner's results (Jim Manico)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Wed, 4 Apr 2012 08:36:01 +0000
> From: Erki Männiste <Erki.Manniste at webmedia.ee>
> To: Wei Chea Ang <weichea at gmail.com>, "security101 at lists.owasp.org"
>        <security101 at lists.owasp.org>
> Subject: Re: [OWASP-Security101] Storing of password in application
>        config file
> Message-ID:
>        <4B3CB103650FEC44827FB41C7983170534519D at talex.webmedia.int>
> Content-Type: text/plain; charset="windows-1257"
>
> I was just reading about this here :
> http://www.troyhunt.com/2010/12/owasp-top-10-for-net-developers-part-6.html
> and
>
> http://www.troyhunt.com/2011/06/owasp-top-10-for-net-developers-part-7.html
> ?
>
> erki
>
>
> -----Original Message-----
> From: security101-bounces at lists.owasp.org [mailto:
> security101-bounces at lists.owasp.org] On Behalf Of Wei Chea Ang
> Sent: Tuesday, April 03, 2012 4:58 PM
> To: security101 at lists.owasp.org
> Subject: [OWASP-Security101] Storing of password in application config file
>
> Hi all,
>
> What is the recommended way of storing password in an application config
> file?
>
> Is it recommended to store the hash value or the encrypted value of the
> password?
>
> Will the application be vulnerable to a pass-the-hash attack if the
> application authenticates by comparing the hash value?
>
> Thank you.
>
>
> --
> Best Regards,
> Wei Chea
> _______________________________________________
> Security101 mailing list
> Security101 at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/security101
> List Run By OWASP
> List Admin: Michael.Coates at owasp.org
>
>
> ------------------------------
>
> Message: 2
> Date: Thu, 5 Apr 2012 07:06:14 -0400
> From: Patrick Laverty <patrick_laverty at brown.edu>
> To: security101 at lists.owasp.org
> Subject: [OWASP-Security101] Validating a scanner's results
> Message-ID:
>        <CAHZK5OZyvuNWe0VrskJE+B2Whwb284xY84gTC=4-Gy-HOnKzRw at mail.gmail.com
> >
> Content-Type: text/plain; charset=ISO-8859-1
>
> I have a scanner that I use to scan apps and it comes back with
> results (obviously). What I want to do is validate/re-test the
> positive results. For example, sometimes the scanner will tell me that
> a page is vulnerable to SQL Injection. So then I go and test it with
> the few ways that I know to inject a page and it'll come back as
> blocking the injection.
>
> So at that point, how do I know that it isn't a false positive or it's
> just that I don't know the right way? It feels like I could know 99
> different ways to inject a page but if I don't know #100, then I won't
> find it and I'll think it's a false positive. How do people deal with
> that?
>
>
> ------------------------------
>
> Message: 3
> Date: Thu, 5 Apr 2012 11:10:16 +0000
> From: Erki Männiste <Erki.Manniste at webmedia.ee>
> To: "pen-test at securityfocus.com" <pen-test at securityfocus.com>,
>        "security101 at lists.owasp.org" <security101 at lists.owasp.org>,
>        "security-basics at securityfocus.com"
>        <security-basics at securityfocus.com>
> Subject: [OWASP-Security101] uniquely identifying USB device
> Message-ID:
>        <4B3CB103650FEC44827FB41C79831705346044 at talex.webmedia.int>
> Content-Type: text/plain; charset="windows-1257"
>
> Hi,
> I need to identify a USB stick uniquely and I have been trying to find out
> whether using just the hardware ID is enough?
> I have heard of a driver that lets you emulate a USB device and set that
> ID, but quick googling didn't give any results. Does anybody know of
> something like that? Is it possible (for someone with mediocre hacking
> skills) to manipulate these values? Is there a better way to uniquely
> identify that device?
>
> Thanks,
> erki
>
>
> ------------------------------
>
> Message: 4
> Date: Thu, 5 Apr 2012 10:03:33 -0400
> From: Patrick Laverty <patrick_laverty at brown.edu>
> To: Wei Chea Ang <weichea at gmail.com>
> Cc: security101 at lists.owasp.org
> Subject: Re: [OWASP-Security101] Storing of password in application
>        config file
> Message-ID:
>        <CAHZK5OZz2EuBtQdTGCLzHoVv-R7+Z+dzq+xRsCWDeeuS5hmTrQ at mail.gmail.com
> >
> Content-Type: text/plain; charset=ISO-8859-1
>
> Just saw a presentation about this at AppSecDC.
>
> https://www.owasp.org/index.php/OWASP_Passw3rd_Project
>
>
> https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/Friends_dont_let_friends_store_passwords_in_source_code
>
>
>
> On Tue, Apr 3, 2012 at 9:57 AM, Wei Chea Ang <weichea at gmail.com> wrote:
> > Hi all,
> >
> > What is the recommended way of storing password in an application config
> file?
> >
> > Is it recommended to store the hash value or the encrypted value of
> > the password?
> >
> > Will the application be vulnerable to a pass-the-hash attack if the
> > application authenticates by comparing the hash value?
> >
> > Thank you.
> >
> >
> > --
> > Best Regards,
> > Wei Chea
> > _______________________________________________
> > Security101 mailing list
> > Security101 at lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/security101
> > List Run By OWASP
> > List Admin: Michael.Coates at owasp.org
>
>
> ------------------------------
>
> Message: 5
> Date: Thu, 5 Apr 2012 11:19:59 -0400
> From: Patrick Laverty <patrick_laverty at brown.edu>
> To: dinis cruz <dinis.cruz at owasp.org>
> Cc: security101 at lists.owasp.org
> Subject: Re: [OWASP-Security101] Validating a scanner's results
> Message-ID:
>        <CAHZK5Obni4Yaqb6yevo3f0XCPZn3skLAp3RT1sC-a_f+FkiUKQ at mail.gmail.com
> >
> Content-Type: text/plain; charset=ISO-8859-1
>
> On Thu, Apr 5, 2012 at 11:09 AM, dinis cruz <dinis.cruz at owasp.org> wrote:
> > What type of scanner was it?
> >
> > What kind of result did you get?
>
> Acunetix. The report gives the string it says was a positive hit. It
> says which variable triggered the positive result. However when I
> tried it, it didn't seem to work.
>
>
> ------------------------------
>
> Message: 6
> Date: Thu, 5 Apr 2012 16:09:21 +0100
> From: dinis cruz <dinis.cruz at owasp.org>
> To: Patrick Laverty <patrick_laverty at brown.edu>
> Cc: security101 at lists.owasp.org
> Subject: Re: [OWASP-Security101] Validating a scanner's results
> Message-ID:
>        <CA+f=kXAN83eBiTOvPD-xm4wXeym+M4O3A=qG_jpjXsNLvhv2xA at mail.gmail.com
> >
> Content-Type: text/plain; charset=ISO-8859-1
>
> What type of scanner was it?
>
> What kind of result did you get?
>
> Dinis Cruz
>
> On 5 April 2012 12:06, Patrick Laverty <patrick_laverty at brown.edu> wrote:
>
> > I have a scanner that I use to scan apps and it comes back with
> > results (obviously). What I want to do is validate/re-test the
> > positive results. For example, sometimes the scanner will tell me that
> > a page is vulnerable to SQL Injection. So then I go and test it with
> > the few ways that I know to inject a page and it'll come back as
> > blocking the injection.
> >
> > So at that point, how do I know that it isn't a false positive or it's
> > just that I don't know the right way? It feels like I could know 99
> > different ways to inject a page but if I don't know #100, then I won't
> > find it and I'll think it's a false positive. How do people deal with
> > that?
> > _______________________________________________
> > Security101 mailing list
> > Security101 at lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/security101
> > List Run By OWASP
> > List Admin: Michael.Coates at owasp.org
> >
>
>
> ------------------------------
>
> Message: 7
> Date: Thu, 5 Apr 2012 18:14:41 +0100
> From: dinis cruz <dinis.cruz at owasp.org>
> To: Patrick Laverty <patrick_laverty at brown.edu>
> Cc: security101 at lists.owasp.org
> Subject: Re: [OWASP-Security101] Validating a scanner's results
> Message-ID:
>        <CA+f=kXD5iqy21WxDXgK59SW95mdGx2NeuuuccM8y_sBcpJugEQ at mail.gmail.com
> >
> Content-Type: text/plain; charset=ISO-8859-1
>
> well, you could be missing something on your test.
>
> That is one of the reasons why my approach with the O2
> platform <http://o2platform.wordpress.com> is to create unit/integration
> tests for the findings. Not only do I get a
> repeatable test, but I also have a way to distribute those tests.
>
> In this case, something is broken. And it looks like it is either your test
> or Acunetix :)
>
> Question: are you able to run just that test in Acunetix? If so, put a web
> proxy in the middle and see if you can detect what is making that scanner
> trigger the SQL Injection vuln.
>
> Btw, do you have access to the App's source code? If so, you should be able
> to also confirm (or not) if that vulnerability actually exists.
>
> Dinis Cruz
>
> On 5 April 2012 16:19, Patrick Laverty <patrick_laverty at brown.edu> wrote:
>
> > On Thu, Apr 5, 2012 at 11:09 AM, dinis cruz <dinis.cruz at owasp.org>
> wrote:
> > > What type of scanner was it?
> > >
> > > What kind of result did you get?
> >
> > Acunetix. The report gives the string it says was a positive hit. It
> > says which variable triggered the positive result. However when I
> > tried it, it didn't seem to work.
> >
>
>
> ------------------------------
>
> Message: 8
> Date: Thu, 05 Apr 2012 13:27:10 -0400
> From: Jim Manico <jim.manico at owasp.org>
> To: Patrick Laverty <patrick_laverty at brown.edu>
> Cc: security101 at lists.owasp.org
> Subject: Re: [OWASP-Security101] Validating a scanner's results
> Message-ID: <4F7DD5EE.7070505 at owasp.org>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> Can you look at the source code and see how the query is being built in
> the application?
>
> If the query is not parametrized, it's very likely that that code IS
> vulnerable to SQL injection.
>
> Aloha,
>
> --
> Jim Manico
>
> Connections Committee Chair
> Cheatsheet Series Product Manager
> OWASP Podcast Producer/Host
>
> jim at owasp.org
> www.owasp.org
>
>
> > I have a scanner that I use to scan apps and it comes back with
> > results (obviously). What I want to do is validate/re-test the
> > positive results. For example, sometimes the scanner will tell me that
> > a page is vulnerable to SQL Injection. So then I go and test it with
> > the few ways that I know to inject a page and it'll come back as
> > blocking the injection.
> >
> > So at that point, how do I know that it isn't a false positive or it's
> > just that I don't know the right way? It feels like I could know 99
> > different ways to inject a page but if I don't know #100, then I won't
> > find it and I'll think it's a false positive. How do people deal with
> > that?
> > _______________________________________________
> > Security101 mailing list
> > Security101 at lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/security101
> > List Run By OWASP
> > List Admin: Michael.Coates at owasp.org
>
>
>
>
> ------------------------------
>
> _______________________________________________
> Security101 mailing list
> Security101 at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/security101
>
>
> End of Security101 Digest, Vol 3, Issue 2
> *****************************************
>