Topic
  • No replies
nphillips
nphillips
3 Posts

Pinned topic Upgrade to V 9.0 - Blind SQL Injection hang

‏2014-04-16T14:55:49Z |

Hi,

I'm experiencing a hang during execution of the blind SQL injection tests against my server. I submitted a PMR regarding this but the conclusion so far has been that it's a server side hang and I need to investigate at the server. I wanted to address this to a broader audience in case anybody else has experienced this type of behavior and may have an idea of how to go about addressing it.

  • I did not experience this against the same server, in the same configuration, the week before running V 8.8. Or at any time in the past several months.
  • I installed V 9.0 and attempted to run the same scan (V9 migrated the scan file up to the new version).
  • If I turn off Blind SQL injection the scan runs as before.
  • If I turn on ONLY blind SQL injection the scan usually hangs immediately, although I've seen cases where it did succeed.
  • If I turn on traffic capture I get a curious line in the log file saying "Failed to send request (Timeout)". Snippet below:
---- Begin Thread [4980] <2014-04-11 10:11:59.845> ---- SecAnalyzerWorker::RefreshOrigResponse
====> Failed to send request (TimedOut) (length == 1873)
POST /IFC/Ext/Pages/HomePage.aspx HTTP/1.1
Content-Type: application/x-www-form-urlencoded
... Rest of request information clipped ...

 

I'm running in an IIS ASP.NET server environment.. If I run "appcmd list requests" at this point I'll see a pending request, which is consistent with a server side hang. But if I dump the application pool I'm not seeing any of our application code in the call stack of any of the worker threads. It looks like an idle server. ASP.NET tracing indicates that the processing pipeline is being traversed. It's as if ASP thinks it's done processing but the client isn't hearing back. And only on blind SQL injection? Weird.

I'm considering rolling back to V8.8 but wanted to know if anybody else out there has ever seen something similar or might have suggestions.

Thanks,

-Nick Phillips

  • Marek Stepien
    Marek Stepien
    149 Posts

    Re: Upgrade to V 9.0 - Blind SQL Injection hang

    ‏2014-04-16T17:59:30Z  

     

    Please open a support ticket (PMR) for this issue at IBM Service Request