Arachni: Discussion "Blind SQLi Differential Checks False Negatives" (support.arachni-scanner.com/discussions/problems/3916-blind-sqli-differential-checks-false-negatives, last updated 2015-12-07T20:30:37Z)

Comment, 2015-12-07T17:23:25Z:
<div><ol>
<li>I'll need to look into it but it should be possible.</li>
<li>I haven't come across that, can you think of a case?</li>
<li>I guess that's a good idea, you can't always rely on type
casting.</li>
</ol>
<p>Btw, I've identified a bug in the differential analysis
technique that caused some issues and I'll merge the fix soon,
changing <code>-1</code> to a larger random negative integer solved
it.</p>
<p>I'll let you know once the nightlies are up.</p></div>
Tasos Laskos

Comment, 2015-12-07T17:51:44Z:
<div><p>One thing I forgot to mention is that for cases where there are
several variants for each issue (<code>sql_injection</code>,
<code>sql_injection_timing</code>,
<code>sql_injection_differential</code>) you shouldn't expect
adequate coverage unless you're using all of the available
checks.<br>
And the differential analysis one isn't the most reliable.</p>
<p>Of course, this doesn't mean that improvements aren't
welcomed.</p></div>
Tasos Laskos

Comment, 2015-12-07T18:03:46Z:
<div><p>That's cool. Thanks. I'll check it again in the nightlies once
it's posted.</p>
<p>I agree and intend to use the other variants, however in cases
where a target's DB is mysql, I'm not going to be able to use the
mysql timing checks to detect blind SQLi due to the <a href="http://support.arachni-scanner.com/discussions/problems/3914-blind-sqli-timing-checks-and-dos">
previous issue</a> I logged where the payloads are causing resource
exhaustion. In cases like that, I would need to fallback to
differential analysis to detect a blind SQLi against a mysql
target.</p></div>
wspires

Comment, 2015-12-07T18:12:06Z:
<div><p>Yeah, I figured that was the case. Pushing nightlies now; it'll
take a couple of hours until they're up, so I'll let you know.<br>
And I didn't run the full test suite because that takes even longer
but preliminary tests pass and I don't think my changes broke
anything.</p>
<p>If the situation isn't improved I'd like to check out those test
cases (hackazon still?) myself and see if I can increase the
differential analysis coverage.</p>
<p>With that technique the situation gets tricky when there are
multiple inputs without default values so those cases are usually
skipped.</p>
<p>And there's also a threshold of change, Arachni does noise
reduction on the responses to make page comparisons reliable
without using Levenshtein distance, but in this case a diff ratio
is also used.</p>
<p>So, there are a few things that can be tweaked.</p></div>
Tasos Laskos

Comment, 2015-12-07T18:33:39Z:
<div><p>Yeah. It's Hackazon that I'm currently seeing this on. I'm
running it locally, but you can grab a VM with it loaded from
<a href="http://www.vulnerablewebapps.org/">here</a>. Although you
can reconfigure where the vuln inputs are located with Hackazon,
with that image you can find a vuln test case here:</p>
<p><code>/category/view?id=[input]</code></p>
<p>It should return all rows for the true condition and a friendly
404 for the false condition.</p>
<p>Thanks again!</p></div>
wspires

Comment, 2015-12-07T18:57:46Z:
<div><p>Ah, that probably explains it, that check will bail out on
anything other than a status 200.<br>
I guess I can allow a 404 for these types of cases.</p></div>
Tasos Laskos

Comment, 2015-12-07T20:28:56Z:
<div><p>I pulled down the changes from the experimental branch and ran
another scan with those. That seems to fix the issue:</p>
<pre>
<code> [~] Relevant issues:
[~] --------------------
[+] Blind SQL Injection (differential analysis) in link input 'id' using GET at the following pages:
[~] * http://172.x.y.z:8000/product/view
[~] * http://172.x.y.z:8000/category/view</code>
</pre>
<p>Thanks for the quick turnaround!</p></div>
wspires

Comment, 2015-12-07T20:30:37Z:
<div><p>Sounds great, thanks for the feedback. :)</p></div>
Tasos Laskos
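<p>The differential analysis check as Tasos describes it in this thread (three responses compared after noise reduction, a diff-ratio threshold, and a bail-out on any status other than 200) and the fix of also tolerating a friendly 404, as an added Ruby example that is not Arachni's code. It models why the Hackazon <code>/category/view</code> case was a false negative and how the widened status-code policy changes the verdict. The noise-reduction patterns, the diff-ratio formula, the 0.5 threshold, the <code>differential_check</code> signature and the two sample pages are assumptions constructed for this example.</p>

```ruby
# Added example, not Arachni's code: a minimal model of a differential
# analysis check and of the status-code policy that produced the false
# negative discussed in the thread.

Response = Struct.new(:code, :body)

# Noise reduction: strip page content that varies between otherwise
# identical responses so the comparison only sees meaningful differences.
# The patterns (timestamps, nonces, whitespace) are assumptions.
def reduce_noise(body)
  body.gsub(/\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z?/, '<ts>')
      .gsub(/nonce=[0-9a-f]+/i, 'nonce=<n>')
      .gsub(/\s+/, ' ')
      .strip
end

# Diff ratio in [0, 1] over the distinct tokens of two noise-reduced
# bodies: 0.0 means identical, 1.0 means nothing in common (assumed formula).
def diff_ratio(a, b)
  ta = reduce_noise(a).split(' ')
  tb = reduce_noise(b).split(' ')
  return 0.0 if ta.empty? && tb.empty?
  1.0 - (ta & tb).size.to_f / (ta | tb).size
end

# Differential analysis: the input is requested with its original value
# (baseline), with a true condition and with a false condition. An
# injectable input renders the true condition like the baseline and the
# false condition differently. Any status outside allowed_codes makes the
# check bail out; with the original [200] policy a friendly 404 on the
# false condition therefore yields :skipped instead of a finding.
def differential_check(baseline:, true_resp:, false_resp:,
                       allowed_codes: [200], threshold: 0.5)
  codes = [baseline.code, true_resp.code, false_resp.code]
  return :skipped unless codes.all? { |c| allowed_codes.include?(c) }

  true_like_baseline  = diff_ratio(baseline.body, true_resp.body)  <  threshold
  false_differs       = diff_ratio(baseline.body, false_resp.body) >= threshold
  true_like_baseline && false_differs ? :vulnerable : :not_vulnerable
end

# Constructed sample pages in the style of the Hackazon case: the true
# condition returns all rows, the false condition a friendly 404.
CATEGORY_ROWS = <<~HTML
  <html><body><h1>Category: Shoes</h1><p>Generated 2015-12-07T18:33:39Z</p>
  <ul><li>Item 1</li><li>Item 2</li><li>Item 3</li><li>Item 4</li></ul>
  </body></html>
HTML

FRIENDLY_404 = <<~HTML
  <html><body><h1>Not found</h1><p>Generated 2015-12-07T18:33:40Z</p>
  <p>The category you requested does not exist.</p></body></html>
HTML

BASELINE   = Response.new(200, CATEGORY_ROWS)
TRUE_COND  = Response.new(200, CATEGORY_ROWS.sub('T18:33:39Z', 'T18:33:41Z'))
FALSE_COND = Response.new(404, FRIENDLY_404)

# Original policy: only 200 is accepted, so the 404 makes the check bail out.
def strict_result
  differential_check(baseline: BASELINE, true_resp: TRUE_COND, false_resp: FALSE_COND)
end

# Widened policy as described in the thread: a 404 is tolerated, and the
# near-total difference between the row listing and the 404 page is reported.
def tolerant_result
  differential_check(baseline: BASELINE, true_resp: TRUE_COND, false_resp: FALSE_COND,
                     allowed_codes: [200, 404])
end

if __FILE__ == $PROGRAM_NAME
  puts "200-only policy:    #{strict_result}"    # :skipped (false negative)
  puts "200+404 policy:     #{tolerant_result}"  # :vulnerable
  puts "diff ratio (false): #{diff_ratio(BASELINE.body, FALSE_COND.body).round(3)}"
end
```

<p>The timestamp in the true-condition page differs from the baseline's, yet the diff ratio between them is 0.0 because noise reduction removes it first; without that step a volatile footer alone would push every comparison over the threshold, which is the opposite failure mode (false positives) from the one in this thread.</p>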