<h1>Arachni does not detect SQL injection vulnerability</h1>
<p>Arachni support discussion (support.arachni-scanner.com, problems/4069), last updated 2016-08-02T12:11:25Z.</p>
<p>Comment, 2016-08-01T16:24:04Z:</p>
<div><p>Hello,</p>
<p>Is there a chance I could be given access to the web
application?</p></div>Tasos Laskostag:support.arachni-scanner.com,2012-07-01:Comment/404504102016-08-01T16:36:59Z2016-08-01T16:37:48ZArachni does not detect SQL injection vulnerability<div><p>Thank you for getting back to me so soon!</p>
<p>You can run the application locally; it is just the Spring
PetClinic application. You can get the source code here: <a href="https://github.com/spring-projects/spring-petclinic">https://github.com/spring-projects/spring-petclinic</a>,
and you run it with <code>./mvnw tomcat7:run</code>.</p>
<p>The only change I have made to the code is in the method
findByLastName in the class JpaOwnerRepositoryImpl. The method now
looks like this:</p>
<pre>
<code>public Collection&lt;Owner&gt; findByLastName(String lastName) {
    // using 'join fetch' because a single query should load both owners and pets
    // using 'left join fetch' because it might happen that an owner does not have pets yet
    // lastName is concatenated straight into the JPQL text: this is the injection point
    String q = "SELECT DISTINCT owner FROM Owner owner left join fetch owner.pets WHERE owner.lastName LIKE " + "'" + lastName + "'";
    Query badQuery = this.em.createQuery(q);
    return badQuery.getResultList();
}</code>
</pre></div>
<p>tiafiring</p>
<p>Comment, 2016-08-01T18:16:49Z:</p>
<div><p>I'm not sure what's going on with the
<code>sql_injection_differential</code> check yet, but I updated
the <code>sql_injection</code> check with Hibernate error
messages.<br>
I'm uploading new nightlies now and I'll let you know once they're
up so that you can test them.</p></div>
<p>Tasos Laskos</p>
<p>Comment, 2016-08-02T07:33:20Z:</p>
<div><p><a href="http://downloads.arachni-scanner.com/nightlies/">Nightlies</a> are
up.</p></div>
<p>Tasos Laskos</p>
<p>Comment, 2016-08-02T07:47:56Z:</p>
<div><p>Thanks! I have tried the scan again with the new nightlies, but
the result is the same as before, see attached log file
<code>log_all_SQL_checks.txt</code>.</p>
<p>I also tried running only the <code>sql_injection_differential</code> check,
but Arachni does not seem to be analyzing any responses, see
attached log file <code>log_SQL_inj_differential_only.txt</code>.</p></div>
<p>tiafiring</p>
<p>Comment, 2016-08-02T07:52:34Z:</p>
<div><p>I found out why the <code>sql_injection_differential</code>
didn't work, http://localhost:9966/petclinic/owners.html is the
same as http://localhost:9966/petclinic/owners.htmlblablah, so the
system can't tell for sure that it's not some custom 404
handler.</p>
<p>I'll need to think about relaxing the check's analysis.</p>
<p>About the <code>sql_injection</code> check in the nightlies, it
should have worked, it's working fine for me.</p></div>
<p>Tasos Laskos</p>
<p>Comment, 2016-08-02T08:17:57Z:</p>
<div><p>My bad, I forgot to push the update to the repo, that's why the
<code>sql_injection</code> check didn't work.<br>
Pushing new nightlies now.</p></div>
<p>Tasos Laskos</p>
<p>Comment, 2016-08-02T08:28:08Z:</p>
<div><p>Okay, let me know when the new nightlies are up, and I'll try
again :-)</p></div>
<p>tiafiring</p>
<p>Comment, 2016-08-02T10:36:42Z:</p>
<div><p>Nightlies are up, the <code>sql_injection_differential</code>
check should work too now.</p></div>
<p>Tasos Laskos</p>
<p>Comment, 2016-08-02T11:51:28Z:</p>
<div><p>Now the scan detects the vulnerability. It is detected by
the <code>sql_injection</code> check, but not the
<code>sql_injection_differential</code> check. As the input values
<code>-1839' or '1'='1</code> and <code>-1839' or '1'='2</code>
give different results, should this check not detect something as
well?</p></div>
<p>tiafiring</p>
<p>Comment, 2016-08-02T11:53:15Z:</p>
<div><p>Arachni is aware of redundant checks so if the
<code>sql_injection</code> test spots it first it'll try to avoid
other SQL injection checks.<br>
You can verify by running <code>sql_injection_differential</code>
on its own.</p></div>
<p>Tasos Laskos</p>
<p>Comment, 2016-08-02T12:10:35Z:</p>
<div><p>Tried running just the <code>sql_injection_differential</code>
check, and you are right, of course, the vulnerability is
detected.</p>
<p>Thank you so much for helping me! :-)</p></div>
<p>tiafiring</p>
<p>Comment, 2016-08-02T12:11:23Z:</p>
<div><p>My pleasure, thanks for the feedback.</p></div>
<p>Tasos Laskos</p>
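<p>As an added example (not code from this thread, from Arachni or from Spring PetClinic), the Python below models the concatenated <code>findByLastName</code> query posted above next to a parameterized version, and applies the idea behind the <code>sql_injection_differential</code> check using the two input values quoted in the thread. The SQLite table, the owner names and the SQL text are constructed stand-ins for the JPQL/Hibernate setup.</p>

```python
import sqlite3

# Constructed sample owners standing in for the PetClinic Owner entity (not the real dataset).
OWNERS = [("Davis",), ("Franklin",), ("Rodriquez",)]

# The two input values quoted in the thread: identical as data, different only as SQL.
TRUE_PAYLOAD = "-1839' or '1'='1"
FALSE_PAYLOAD = "-1839' or '1'='2"


def make_db():
    """In-memory SQLite table playing the role of the Owner table behind the JPQL query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE owners (id INTEGER PRIMARY KEY, last_name TEXT)")
    conn.executemany("INSERT INTO owners (last_name) VALUES (?)", OWNERS)
    return conn


def find_by_last_name_vulnerable(conn, last_name):
    """Mirrors the modified findByLastName: the value is spliced into the query text."""
    q = "SELECT DISTINCT last_name FROM owners WHERE last_name LIKE " + "'" + last_name + "'"
    return sorted(row[0] for row in conn.execute(q))


def find_by_last_name_fixed(conn, last_name):
    """Parameterized form: the value is bound as data and never parsed as query text
    (JPQL equivalent: a :lastName placeholder plus Query.setParameter)."""
    q = "SELECT DISTINCT last_name FROM owners WHERE last_name LIKE :last_name"
    return sorted(row[0] for row in conn.execute(q, {"last_name": last_name}))


def differential_signal(conn, lookup):
    """The idea behind sql_injection_differential: send a 'true' and a 'false' variant of
    the same value and flag the input if the responses differ, since identical data must
    give identical results when it is handled as data."""
    try:
        true_resp = lookup(conn, TRUE_PAYLOAD)
        false_resp = lookup(conn, FALSE_PAYLOAD)
    except sqlite3.Error as exc:
        # A database error leaking to the caller is the signal the error-based
        # sql_injection check keys on (Hibernate error messages in the thread).
        return {"error": str(exc), "differs": None}
    return {"true": true_resp, "false": false_resp, "differs": true_resp != false_resp}


if __name__ == "__main__":
    for name, lookup in [("vulnerable", find_by_last_name_vulnerable),
                         ("fixed", find_by_last_name_fixed)]:
        print(name, differential_signal(make_db(), lookup))
```

<p>The vulnerable lookup returns every owner for the "true" value and nothing for the "false" one, which is exactly the difference the check looks for; the parameterized lookup returns the same empty result for both.</p>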