I have read the technote entitled "What is the Blind SQL Injection vulnerability and how does AppScan test for it?" It made sense, but after sampling several Blind SQL Injection non-vulnerable variants, it appears that there are at least two other acceptable scenarios.
1. Only 1 test is run and the test is passed -- I believe this would be the case where Appscan’s first test (a true condition) is expecting the same result as the original, but gets an error page. Appscan stops testing assuming that the payload is detected and the application redirects to a custom error page, or the application can’t handle the payload and is thrown to an error page. In either case, the SQL code is not being processed.
2. The response to all tests is the same as the original – I believe this is the case where Appscan assumes the application detects the additional SQL, strips it off or ignores it, and processes the request normally.
That sounds similar to some of my Blind SQL Injection results:
I recently conducted an AppScan (v 7.8.0.2) scan for one of my web apps, which identified a Blind SQL injection security vulnerability.
AppScan asks the user to "Verify that the last test response is similar to the original response, and that the next-to-last is different."
In particular, the actual responses AppScan returned were:
Original Response = "Invalid path …… was requested" (an error message)
Test Response (last) = <HTML blurb>
Test Response (next-to-last) = <HTML blurb>
where the <HTML blurb>s for the last and next-to-last may be the same or different.
According to the verification check, since neither of the test responses (<HTML blurb>) match the original response ("Invalid path …… was requested"), the test result may indicate that the test failed (i.e. no blind SQL injection).
I have assumed this to be a false positive … Is this assumption correct?
If I think Appscan has identified a false positive, I will reproduce Appscan's testing manually using a tool like Paros Proxy and base my decision on those results.
You can, of course, create a false positive report and send it off to the IBM Rational team for assessment. They can usually give you an answer pretty quickly.
EdG
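The posts above describe a three-way comparison: the original response, the "last" test (a condition that should evaluate true) and the "next-to-last" test (a condition that should evaluate false), plus two patterns that count as non-vulnerable (the first test lands on an error page; every test looks like the original). As an added example that is not from the thread and is not AppScan's own algorithm, here is a small triage script that applies that verification rule to captured response bodies so the poster's situation (neither test matches an original that is itself an error page) is flagged as inconclusive rather than read as a finding. The function names, the `ERROR_MARKERS` list, the 0.9 similarity threshold and the sample pages are all my own constructed assumptions.

```python
"""Triage helper for boolean-based blind SQL injection findings.

Constructed example: applies the verification rule quoted in the thread
("last test similar to the original, next-to-last different") plus the two
non-vulnerable patterns from the first post. Sample pages are constructed,
not real AppScan output.
"""
import difflib
from enum import Enum


class Verdict(Enum):
    LIKELY_VULNERABLE = "likely vulnerable: confirm manually"
    NOT_VULNERABLE = "not vulnerable"
    INCONCLUSIVE = "inconclusive: reproduce manually before deciding"


# Assumed markers for a generic or custom error page; tune per application.
ERROR_MARKERS = ("invalid path", "was requested", "internal server error", "exception")


def normalize(body: str) -> str:
    """Collapse whitespace and lowercase so cosmetic differences do not count."""
    return " ".join(body.split()).lower()


def similarity(a: str, b: str) -> float:
    """Similarity ratio in [0, 1]; 1.0 means identical after normalisation."""
    return difflib.SequenceMatcher(None, normalize(a), normalize(b)).ratio()


def is_error_page(body: str, markers=ERROR_MARKERS) -> bool:
    """True if the body carries one of the assumed error-page markers."""
    text = normalize(body)
    return any(m in text for m in markers)


def classify(original: str, true_resp: str, false_resp: str, threshold: float = 0.9):
    """Return (Verdict, reason).

    original   - response to the unmodified request
    true_resp  - the "last" test (condition that should evaluate true)
    false_resp - the "next-to-last" test (condition that should evaluate false)
    """
    # Scenario 1 from the thread: the true-condition test already lands on an
    # error page, so the payload was rejected or crashed the request, not executed.
    if is_error_page(true_resp) and not is_error_page(original):
        return Verdict.NOT_VULNERABLE, "true-condition test returned an error page; payload not processed"
    t_sim = similarity(original, true_resp)
    f_sim = similarity(original, false_resp)
    # Scenario 2: every test looks like the original; the extra SQL was stripped or ignored.
    if t_sim >= threshold and f_sim >= threshold:
        return Verdict.NOT_VULNERABLE, f"all responses match the original (true={t_sim:.2f}, false={f_sim:.2f})"
    # The documented positive pattern: true matches original, false differs.
    if t_sim >= threshold and f_sim < threshold:
        return Verdict.LIKELY_VULNERABLE, f"true matches original ({t_sim:.2f}) but false differs ({f_sim:.2f})"
    # The poster's case: neither test matches the original (for instance because the
    # original is itself an error page). The rule is not satisfied; reproduce by hand.
    return Verdict.INCONCLUSIVE, f"neither test matches the original (true={t_sim:.2f}, false={f_sim:.2f})"


# Constructed sample responses (not captured from any real application).
PRODUCT_PAGE = "<html><body><h1>Product 42</h1><p>Widget, blue, 9.99 EUR</p></body></html>"
EMPTY_PAGE = ("<html><body><h1>Catalog</h1><p>No matching product was found. "
              "Please refine your search.</p></body></html>")
ERROR_PAGE = "<html><body><p>Invalid path /catalog/item?id=42 was requested</p></body></html>"

SAMPLE_CASES = {
    "documented positive pattern": (PRODUCT_PAGE, PRODUCT_PAGE, EMPTY_PAGE),
    "scenario 1: first test hits error page": (PRODUCT_PAGE, ERROR_PAGE, ERROR_PAGE),
    "scenario 2: all tests same as original": (PRODUCT_PAGE, PRODUCT_PAGE, PRODUCT_PAGE),
    "poster's case: original is an error page": (ERROR_PAGE, PRODUCT_PAGE, EMPTY_PAGE),
}


def triage_samples():
    """Classify every constructed case; returns {case name: Verdict}."""
    return {name: classify(*responses)[0] for name, responses in SAMPLE_CASES.items()}


if __name__ == "__main__":
    for name, responses in SAMPLE_CASES.items():
        verdict, reason = classify(*responses)
        print(f"{name}: {verdict.value} ({reason})")
```

Feed it the three bodies AppScan shows for a finding (or the ones captured when reproducing through a proxy such as Paros) and treat anything other than the documented positive pattern as a reason to reproduce manually rather than as a confirmed result.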