Blind SQL Injection
Severity: High
URL: https://10.161.9.120:8085/ind/online_regn_vgi.aspx
Entity: txtAdd2 (Parameter)
Risk: It is possible to view, modify or delete database entries and tables
Causes: Sanitation of hazardous characters was not performed correctly on user input
Fix: Review possible solutions for hazardous character injection
Difference: Parameter manipulated from: 1234 to: 1234%2F**%2Fand%2F**%2F7659%3D7659
Parameter manipulated from: 1234/**/and/**/0=7659 to: 1234%2F**%2Fand%2F**%2F0%3D7659
Parameter manipulated from: 1234/**/or/**/7659=7659 to: 1234%2F**%2For%2F**%2F7659%3D7659
Parameter manipulated from: 1234/**/and/**/0=0 to: 1234%2F**%2Fand%2F**%2F0%3D0
Reasoning: The test result seems to indicate a vulnerability because it shows that values can be appended to parameter values, indicating that they were embedded in an SQL query. In this test, three (or sometimes four) requests are sent. The last is logically equal to the original, and the next-to-last is different. Any others are for control purposes. A comparison of the last two responses with the first (the last is similar to it, and the next-to-last is different) indicates that the application is vulnerable.
Comments
Have you parametrized the value of TextBox txtAdd2?
RajkumarGnanaraj 17-Mar-15 10:02am    
Yes, I parameterized that text box and also validated it with a regex.
ZurdoDev 17-Mar-15 7:58am    
What exactly is your question? We can't see any of your code so we have no idea what is going on.

1 solution

You have already posted the cause and the fix for the reported issue.

[quote]
Causes: Sanitation of hazardous characters was not performed correctly on user input
Fix: Review possible solutions for hazardous character injection
[/quote]

The issue here is about the lack of validation on your application's user input controls, in this specific instance, a control with an ID of txtAdd2.

For example, if this control's purpose is to accept a number that is then passed to your stored procedure, then you should validate that the user has entered a number before attempting to pass its value to your procedure.

There are a few articles here that explain the different types of ASP.NET validation controls available, with examples of their usage ... This is a good example article.

... hope it helps.
Comments
RajkumarGnanaraj 17-Mar-15 10:09am    
I validated that text box with a regex on the server side and also parameterized it.
hypermellow 17-Mar-15 10:31am    
What happens when you input the hazardous text described in the test? Does your validation catch it before you pass it as input to your procedure?

The test results indicate that the hazardous values are passed.

[quote]
Reasoning: The test result seems to indicate a vulnerability because it shows that values can be appended to parameter values, indicating that they were embedded in an SQL query
[/quote]

If you can demonstrate your validation routine stops these values being submitted to your procedure, then you can contest the result of this test.
... it would then be up to the tester to prove the potential vulnerability?

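The answer above recommends validating that txtAdd2 holds a number before it reaches the stored procedure, and the follow-up comment asks whether the validation actually rejects the manipulated values from the scanner report. The following C# is an added example written for this page; it is not code from the question, the answer, or the application under test. The stored procedure name `usp_OnlineRegistration`, the parameter name `@Add2`, and the table name `Registration` are assumptions; the five input values replayed in `Demo` are the original value and the four manipulated values quoted in the scanner's "Difference" lines. It shows an anchored server-side regex check, the string-concatenation shape the finding implies, and the typed stored-procedure parameter that replaces it.

```csharp
// Added example for this page, not the original poster's code.
// Assumed names: usp_OnlineRegistration, @Add2, Registration.
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

public static class Add2Input
{
    // Anchored with ^ and $: the whole value must be 1 to 9 digits.
    // An unanchored pattern such as \d+ would still match
    // "1234/**/and/**/0=0" because that string *contains* digits.
    private static readonly Regex WholeNumber =
        new Regex(@"^\d{1,9}$", RegexOptions.Compiled);

    // Returns true and the parsed value only when the raw text is purely numeric.
    public static bool TryValidate(string raw, out int value)
    {
        value = 0;
        if (raw == null) return false;
        string text = raw.Trim();
        return WholeNumber.IsMatch(text) && int.TryParse(text, out value);
    }

    // Vulnerable shape that the scanner finding implies: the text box value is
    // spliced into SQL text, so appended operators become part of the query.
    public static string BuildUnsafeSql(string raw)
    {
        return "SELECT * FROM Registration WHERE Add2 = " + raw;
    }

    // Safe shape: the validated integer travels as a typed parameter to a
    // stored procedure (assumed name), so it is never interpreted as SQL text.
    public static SqlCommand BuildSafeCommand(SqlConnection conn, int add2)
    {
        var cmd = new SqlCommand("usp_OnlineRegistration", conn)
        {
            CommandType = CommandType.StoredProcedure
        };
        cmd.Parameters.Add("@Add2", SqlDbType.Int).Value = add2; // assumed parameter name
        return cmd;
    }
}

public static class Demo
{
    // Replays the original value and the four manipulated values from the
    // scanner report through the validator. Only "1234" is accepted; the
    // others are rejected before any command is built.
    public static void Main()
    {
        string[] inputs =
        {
            "1234",
            "1234/**/and/**/7659=7659",
            "1234/**/and/**/0=7659",
            "1234/**/or/**/7659=7659",
            "1234/**/and/**/0=0",
        };

        foreach (string input in inputs)
        {
            bool ok = Add2Input.TryValidate(input, out int value);
            Console.WriteLine("{0,-26} -> {1}", input,
                ok ? "accepted (" + value + ")" : "rejected");
        }
    }
}
```

Wiring this into the page: call `Add2Input.TryValidate(txtAdd2.Text, out int add2)` in the server-side handler, return a validation error when it is false, and only then build the command with `BuildSafeCommand`. A client-side or unanchored regex check gives the scanner the result described in the report, because the manipulated value still reaches the query text.
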
This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)