
We are using a web security scanner which found that one of my web pages has a Blind SQLi. The scanner modified the parameter "news.aspx?id=123" to "news.aspx?i=123' or 1=1--", and the web server currently responds with the news information for id=1.

After investigation, the development team said that there is no injection: access to the database is already blocked by the .NET built-in SQL Parameter API, and the back-end program will automatically return the data for id=1 to the client side.

May I know whether it can be identified as a false positive, or whether it is better to redirect to a generic error page? Or is it enough and acceptable for the current stage?

Chris Mok
  • 83
  • 1
  • 3
  • 9
  • possible duplicate of [Are Parameters really enough to prevent Sql injections?](http://stackoverflow.com/questions/306668/are-parameters-really-enough-to-prevent-sql-injections) – Eric May 15 '15 at 03:31
  • If you know the structure of the table that is being queried, maybe you could run a quick test – Alvaro Montoro May 15 '15 at 03:43

2 Answers

4

> the back-end program will auto return the data of id=1 information to client side.

IMO, this is a lame behavior for the backend. I'd say the page should detect the error and redirect the user to an error page. Nevertheless, based on that description it is not a valid injection, so if the business can accept that behavior, then it is a false positive.

P.S. While this isn't a SQL injection, it is potentially an information disclosure bug if it's possible to get the page to display the data for id=1 and the user of the page shouldn't have access to that particular record.

Brad
  • 3,190
  • 1
  • 22
  • 36
0

So long as your underlying application code is parameterizing the values being sent to SQL (as your developers claim), then you do not need to worry about such warnings.

Nathan Taylor
  • 24,423
  • 19
  • 99
  • 156
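As an added illustration that is not code from the question or from either answer, the following Python/sqlite3 script models the three behaviours the thread talks about: a string-concatenated query (what the scanner's `' or 1=1--` payload is probing for), a parameterized query in which the same payload is bound as a plain literal and matches nothing (the point Nathan makes about parameterized values), and a hardened handler that validates the id and returns a generic error or not-found instead of silently falling back to record 1 (the information-disclosure caveat Brad raises). The `news` table, its columns and the "bad input becomes id=1" fallback are assumptions constructed for the demo; .NET's `SqlParameter` binding behaves the same way as the `?` placeholders used here.

```python
import sqlite3
from typing import Optional


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the real news table (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO news VALUES (?, ?, ?)",
        [
            (1, "Welcome", "first post"),
            (123, "Release notes", "version 2 shipped"),
            (124, "Internal memo", "not for everyone"),
        ],
    )
    return conn


SCANNER_PAYLOAD = "123' or 1=1--"  # the exact parameter value the scanner sent


def vulnerable_lookup(conn: sqlite3.Connection, raw_id: str) -> list:
    """String concatenation: the pattern a blind-SQLi probe is looking for.
    The payload closes the quote, adds 'or 1=1' and comments out the rest,
    so every row comes back instead of one."""
    sql = f"SELECT id, title FROM news WHERE id = '{raw_id}'"
    return conn.execute(sql).fetchall()


def parameterized_lookup(conn: sqlite3.Connection, raw_id: str) -> list:
    """Bound parameter: the whole payload is one literal string value.
    It never becomes SQL syntax, so the injected 'or 1=1' has no effect."""
    return conn.execute(
        "SELECT id, title FROM news WHERE id = ?", (raw_id,)
    ).fetchall()


def fallback_lookup(conn: sqlite3.Connection, raw_id: str) -> Optional[tuple]:
    """Behaviour the question describes (reconstructed as an assumption):
    unparseable input silently turns into id=1. Parameterization still
    holds, but record 1 is shown to anyone who sends garbage."""
    try:
        news_id = int(raw_id)
    except ValueError:
        news_id = 1
    return conn.execute(
        "SELECT id, title FROM news WHERE id = ?", (news_id,)
    ).fetchone()


def hardened_lookup(conn: sqlite3.Connection, raw_id: str) -> dict:
    """Validate first, bind second, and never substitute a default record.
    Returns an HTTP-style status so the page can render a generic error."""
    try:
        news_id = int(raw_id)
    except ValueError:
        return {"status": 400, "row": None}  # generic error page, no data
    row = conn.execute(
        "SELECT id, title FROM news WHERE id = ?", (news_id,)
    ).fetchone()
    if row is None:
        return {"status": 404, "row": None}
    return {"status": 200, "row": row}


if __name__ == "__main__":
    db = make_db()
    print("concatenated :", vulnerable_lookup(db, SCANNER_PAYLOAD))
    print("parameterized:", parameterized_lookup(db, SCANNER_PAYLOAD))
    print("fallback     :", fallback_lookup(db, SCANNER_PAYLOAD))
    print("hardened     :", hardened_lookup(db, SCANNER_PAYLOAD))
    print("hardened ok  :", hardened_lookup(db, "123"))
```

Running the script shows the concatenated query returning all three rows, the parameterized query returning none for the payload (it is not a real injection, which is why the finding is a false positive on the SQL side), and the difference between the fallback handler, which hands out record 1, and the hardened handler, which answers 400 and leaks nothing.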