Arachni does not detect SQL injection vulnerability
I have an application with a known SQL injection vulnerability, but when I run an Arachni scan with SQL checks the vulnerability is not detected. OWASP ZAP and SQLmap detect the vulnerability (boolean-based blind).
The application that I am testing is the spring petclinic application, and I have introduced the sql injection vulnerability for the parameter lastName on page http://example.com:9966/petclinic/owners.html.
When I use "black' or '1'='1" as lastname, I get the names of all the owners. In addition, it is easy to get different results if I add a condition that evaluates to either true or false (blind sql injection). So, I think this is an actual vulnerability.
As you can see from attached log file (the scan was run from jenkins), I used this command:
/opt/arachni-nightly/arachni-2.0dev-1.0dev/bin/arachni http://example.com:9966/petclinic/owners --scope-include-pattern=/petclinic/owners* --input-value=lastName:black --checks=sql* --plugin=uniformity --plugin=timing_attacks --browser-cluster-pool-size=2
and the issue was not detected.
When I add the xss check to the command given above, Arachni does this, which it does not when I just use the sql checks:
[*] Blind SQL Injection (differential analysis): Gathering 'true' data for link with action 'http://example.com:9966/petclinic/owners.html' using seed: -1839' or '1'='1
[*] Blind SQL Injection (differential analysis): Gathering 'true' data for link with action 'http://example.com:9966/petclinic/owners.html' using seed: -1839" or "1"="1
[*] Blind SQL Injection (differential analysis): Gathering 'true' data for link with action 'http://example.com:9966/petclinic/owners.html' using seed: -1839 or 1=1
[*] Blind SQL Injection (differential analysis): Gathering 'false' data for link with action 'http://example.com:9966/petclinic/owners.html' using seed: -1839' or '1'='2
[*] Blind SQL Injection (differential analysis): Gathering 'false' data for link with action 'http://example.com:9966/petclinic/owners.html' using seed: -1839" or "1"="2
[*] Blind SQL Injection (differential analysis): Gathering 'false' data for link with action 'http://example.com:9966/petclinic/owners.html' using seed: -1839 or 1=2
But still, it does not detect the SQL vulnerability. However, it detects the vulnerability as an XSS issue. I can provide the log from this scan as well if you need it.
Do you know why the vulnerability is not detected by Arachni? I am new to Arachni, do you see if I have made some configuration error in the command?
I am using the newest nightly build (linux x86_64bit).
- log.txt 56.9 KB
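The thread describes the injectable lookup only in words (the modified findByLastName method itself is not reproduced on this page), so here is an added illustration of the pattern, not the poster's actual change: a JPQL query built by string concatenation, which lets a lastName such as black' or '1'='1 rewrite the WHERE clause, beside the parameterised form that upstream petclinic uses. The query text, the Owner entity and the injected EntityManager are assumptions based on the spring-petclinic repository linked below.

```java
import java.util.Collection;
import javax.persistence.EntityManager;
import javax.persistence.Query;
import javax.persistence.TypedQuery;
import org.springframework.samples.petclinic.model.Owner; // assumed petclinic entity with a lastName field

// Added example: contrasts an injectable JPQL lookup with its parameterised
// equivalent. It is not the code from the thread, whose method body is not shown.
public class OwnerLookupExample {

    private final EntityManager em; // assumed to be injected by Spring as in petclinic

    public OwnerLookupExample(EntityManager em) {
        this.em = em;
    }

    // Injectable pattern: user input is spliced into the query string, so
    //   black' or '1'='1   closes the literal and appends a tautology,
    // returning every owner, and   ' or '1'='2   returns none. That true/false
    // difference is exactly what the differential (blind) check looks for.
    @SuppressWarnings("unchecked")
    public Collection<Owner> findByLastNameInjectable(String lastName) {
        Query query = em.createQuery(
            "SELECT DISTINCT owner FROM Owner owner left join fetch owner.pets"
            + " WHERE owner.lastName LIKE '" + lastName + "%'");
        return query.getResultList();
    }

    // Hardened form: the same query with a bound parameter. The JPA provider
    // passes the value separately from the statement text, so quotes inside
    // lastName are matched as data, never parsed as syntax.
    public Collection<Owner> findByLastNameSafe(String lastName) {
        TypedQuery<Owner> query = em.createQuery(
            "SELECT DISTINCT owner FROM Owner owner left join fetch owner.pets"
            + " WHERE owner.lastName LIKE :lastName", Owner.class);
        query.setParameter("lastName", lastName + "%");
        return query.getResultList();
    }
}
```

With the parameterised version, both the Hibernate error signatures that the sql_injection check relies on and the response differences that the sql_injection_differential check relies on disappear, which is the behaviour a scanner run against the unmodified petclinic should report.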
Support Staff 1 Posted by Tasos Laskos on 01 Aug, 2016 04:24 PM
Hello,
Is there a chance I could be given access to the web application?
2 Posted by tiafiring on 01 Aug, 2016 04:36 PM
Thank you for getting back to me so soon!
You can run the application locally, it is just the spring petclinic application. You can get the source code here: https://github.com/spring-projects/spring-petclinic, and you run it with ./mvnw tomcat7:run
The only change I have made to the code is in the method findByLastName in the class JpaOwnerRepositoryImpl. The method now looks like this:
Support Staff 3 Posted by Tasos Laskos on 01 Aug, 2016 06:16 PM
I'm not sure what's going on with the sql_injection_differential check yet, but I updated the sql_injection check with Hibernate error messages. I'm uploading new nightlies now and I'll let you know once they're up so that you can test them.
Support Staff 4 Posted by Tasos Laskos on 02 Aug, 2016 07:33 AM
Nightlies are up.
5 Posted by tiafiring on 02 Aug, 2016 07:47 AM
Thanks! I have tried the scan again with the new nightlies, but the result is the same as before, see attached log file log_all_SQL_checks.txt.
I also tried running only the sql_injection_differential check, but Arachni does not seem to be analyzing any responses, see attached log file log_SQL_inj_differential_only.txt.
Support Staff 6 Posted by Tasos Laskos on 02 Aug, 2016 07:52 AM
I found out why the sql_injection_differential didn't work: http://localhost:9966/petclinic/owners.html is the same as http://localhost:9966/petclinic/owners.htmlblablah, so the system can't tell for sure that it's not some custom 404 handler. I'll need to think about relaxing the check's analysis.
About the sql_injection check in the nightlies, it should have worked, it's working fine for me.
Support Staff 7 Posted by Tasos Laskos on 02 Aug, 2016 08:17 AM
My bad, I forgot to push the update to the repo, that's why the sql_injection check didn't work. Pushing new nightlies now.
8 Posted by tiafiring on 02 Aug, 2016 08:28 AM
Okay, let me know when the new nightlies are up, and I'll try again :-)
Support Staff 9 Posted by Tasos Laskos on 02 Aug, 2016 10:36 AM
Nightlies are up, the sql_injection_differential check should work too now.
10 Posted by tiafiring on 02 Aug, 2016 11:51 AM
Now the scan detects the vulnerability. It is detected by the sql_injection check, but not the sql_injection_differential check. As input values -1839' or '1'='1 and -1839' or '1'='2 give different results, should not this check detect something as well?
Support Staff 11 Posted by Tasos Laskos on 02 Aug, 2016 11:53 AM
Arachni is aware of redundant checks, so if the sql_injection test spots it first it'll try to avoid other SQL injection checks. You can verify by running sql_injection_differential on its own.
12 Posted by tiafiring on 02 Aug, 2016 12:10 PM
Tried running just the sql_injection_differential check, and you are right, of course, the vulnerability is detected. Thank you so much for helping me! :-)
Support Staff 13 Posted by Tasos Laskos on 02 Aug, 2016 12:11 PM
My pleasure, thanks for the feedback.
Tasos Laskos closed this discussion on 02 Aug, 2016 12:11 PM.