Arachni does not detect SQL injection vulnerability

tiafiring

01 Aug, 2016 04:18 PM

I have an application with a known SQL injection vulnerability, but when I run an Arachni scan with SQL checks the vulnerability is not detected. OWASP ZAP and SQLmap detect the vulnerability (boolean based blind).

The application that I am testing is the spring petclinic application, and I have introduced the sql injection vulnerability for the parameter lastName on page http://example.com:9966/petclinic/owners.html.

When I use "black' or '1'='1" as lastname, I get the names of all the owners. In addition, it is easy to get different results if I add a condition that evaluates to either true or false (blind sql injection). So, I think this is an actual vulnerability.

As you can see from the attached log file (the scan was run from Jenkins), I used this command:

/opt/arachni-nightly/arachni-2.0dev-1.0dev/bin/arachni http://example.com:9966/petclinic/owners --scope-include-pattern=/petclinic/owners* --input-value=lastName:black --checks=sql* --plugin=uniformity --plugin=timing_attacks --browser-cluster-pool-size=2

and the issue was not detected.

When I add the xss check to the command given above, Arachni does this, which it does not when I just use the sql checks:

[*] Blind SQL Injection (differential analysis): Gathering 'true' data for link with action 'http://example.com:9966/petclinic/owners.html' using seed: -1839' or '1'='1
[*] Blind SQL Injection (differential analysis): Gathering 'true' data for link with action 'http://example.com:9966/petclinic/owners.html' using seed: -1839" or "1"="1
[*] Blind SQL Injection (differential analysis): Gathering 'true' data for link with action 'http://example.com:9966/petclinic/owners.html' using seed: -1839 or 1=1
[*] Blind SQL Injection (differential analysis): Gathering 'false' data for link with action 'http://example.com:9966/petclinic/owners.html' using seed: -1839' or '1'='2
[*] Blind SQL Injection (differential analysis): Gathering 'false' data for link with action 'http://example.com:9966/petclinic/owners.html' using seed: -1839" or "1"="2
[*] Blind SQL Injection (differential analysis): Gathering 'false' data for link with action 'http://example.com:9966/petclinic/owners.html' using seed: -1839 or 1=2

But still, it does not detect the SQL vulnerability. However, it detects the vulnerability as an XSS issue. I can provide the log from this scan as well if you need it.

Do you know why the vulnerability is not detected by Arachni? I am new to Arachni, do you see if I have made some configuration error in the command?

I am using the newest nightly build (linux x86_64bit).

  1. Support Staff 1 Posted by Tasos Laskos on 01 Aug, 2016 04:24 PM

    Hello,

    Is there a chance I could be given access to the web application?

  2. 2 Posted by tiafiring on 01 Aug, 2016 04:36 PM

    Thank you for getting back to me so soon!

    You can run the application locally, it is just the spring petclinic application. You can get the source code here: https://github.com/spring-projects/spring-petclinic, and you run it with ./mvnw tomcat7:run

    The only change I have made to the code is in the method findByLastName in the class JpaOwnerRepositoryImpl. The method now looks like this:

        public Collection<Owner> findByLastName(String lastName) {
            // using 'join fetch' because a single query should load both owners and pets
            // using 'left join fetch' because it might happen that an owner does not have pets yet
            // lastName is concatenated straight into the JPQL string instead of being bound as a query parameter
            String q = "SELECT DISTINCT owner FROM Owner owner left join fetch owner.pets WHERE owner.lastName LIKE " + "'" + lastName + "'";
            Query badQuery = this.em.createQuery(q);
            return badQuery.getResultList();
        }

  3. Support Staff 3 Posted by Tasos Laskos on 01 Aug, 2016 06:16 PM

    I'm not sure what's going on with the sql_injection_differential check yet, but I updated the sql_injection check with Hibernate error messages.
    I'm uploading new nightlies now and I'll let you know once they're up so that you can test them.

  4. Support Staff 4 Posted by Tasos Laskos on 02 Aug, 2016 07:33 AM

    Nightlies are up.

  5. 5 Posted by tiafiring on 02 Aug, 2016 07:47 AM

    Thanks! I have tried the scan again with the new nightlies, but the result is the same as before, see attached log file log_all_SQL_checks.txt.

    I also tried running only the sql_injection_differential check, but Arachni does not seem to be analyzing any responses, see attached log file log_SQL_inj_differential_only.txt.

  6. Support Staff 6 Posted by Tasos Laskos on 02 Aug, 2016 07:52 AM

    I found out why the sql_injection_differential didn't work, http://localhost:9966/petclinic/owners.html is the same as http://localhost:9966/petclinic/owners.htmlblablah, so the system can't tell for sure that it's not some custom 404 handler.

    I'll need to think about relaxing the check's analysis.

    About the sql_injection check in the nightlies, it should have worked, it's working fine for me.

  7. Support Staff 7 Posted by Tasos Laskos on 02 Aug, 2016 08:17 AM

    My bad, I forgot to push the update to the repo, that's why the sql_injection check didn't work.
    Pushing new nightlies now.

  8. 8 Posted by tiafiring on 02 Aug, 2016 08:28 AM

    Okay, let me know when the new nightlies are up, and I'll try again :-)

  9. Support Staff 9 Posted by Tasos Laskos on 02 Aug, 2016 10:36 AM

    Nightlies are up, the sql_injection_differential check should work too now.

  10. 10 Posted by tiafiring on 02 Aug, 2016 11:51 AM

    Now the scan detects the vulnerability. It is detected by the sql_injection check, but not the sql_injection_differential check. As the input values -1839' or '1'='1 and -1839' or '1'='2 give different results, shouldn't this check detect something as well?

  11. Support Staff 11 Posted by Tasos Laskos on 02 Aug, 2016 11:53 AM

    Arachni is aware of redundant checks so if the sql_injection test spots it first it'll try to avoid other SQL injection checks.
    You can verify by running sql_injection_differential on its own.

  12. 12 Posted by tiafiring on 02 Aug, 2016 12:10 PM

    Tried running just the sql_injection_differential check, and you are right, of course, the vulnerability is detected.

    Thank you so much for helping me! :-)

  13. Support Staff 13 Posted by Tasos Laskos on 02 Aug, 2016 12:11 PM

    My pleasure, thanks for the feedback.

  14. Tasos Laskos closed this discussion on 02 Aug, 2016 12:11 PM.
