Absent Member.

I can find the SQL Injection manually but WebInspect doesn't report SQL Injection vulnerability in the same UI.


It is a search box. When I input 1 or 1 = 1 and click search, it responds with valid data. I used WebInspect to scan with the Standard policy and also scanned again with the SQL Injection policy, but it doesn't report a SQL Injection vulnerability. Could anyone let me know why this happens? Is there any configuration I should update? Thanks a lot.


Accepted Solution
Micro Focus Expert

WebInspect will not identify just 1=1 as SQL Injection, although it might get flagged as an ODBC/Server Error or show up among the many probes the SQL Injection engine sends dynamically. There had been an ancient check that tried "'OR%201=1", but it was not true SQL Injection testing. The current Intelligent Engine performs a series of True/False probes, identifying the flaw as Possible SQL Injection if successful, then moves on to making SELECT queries against the input. If those probes are successful, then it is flagged as Confirmed SQL Injection. Sadly, the WebInspect UI only displays the final HTTP Request/Response pair of what could have been 15-30 probe Requests. 😕

First off, what sort of database are you facing? WebInspect covers the five major ones, including MSSQL, MySQL, Oracle, Postgres, and DB2. As a sixth option, it can identify the flaw in Access databases as well, but the SQL Injector probably cannot extract the data from those. If your target database is outside this list, go ahead and run the captures detailed below and provide the information to our Support team for study.

To best capture the retest, you could use two methods. You will need to be certain that you have identified the correct, suspect page/session/input before you begin.

1.  Load the vulnerable page/Request into the SQL Injector tool, and configure SQL Injector to run through an instance of Web Proxy. Click the Send button to begin the input probes. The SQL Injector should then report whether data extraction is or is not possible. If it is possible, the user moves on to the Pump Data or Get Tables buttons. See the SQL Injector's Help Guide (F1) for a full walk-through of that process.

  If the finding is inconclusive, save the output from both the SQL Injector (*.SDF) and from Web Proxy (*.PSF) and submit them in a Fortify Support case (support.fortify.com).

2.  Load the vulnerable page/Request into the Scan Wizard as your Starting URL. Set the scan mode to Audit-Only, and use the Standard or Aggressive SQL Injection scan Policy. Before kicking off the scan, configure it to both have Traffic Monitor enabled and also to run through an instance of Web Proxy. Run the scan.

  If the finding is inconclusive, export the WebInspect scan to *.SCAN output (include the Logs option when it asks) and also save the Web Proxy captures (*.PSF) and submit them in a Fortify Support case (support.fortify.com).


-- Habeas Data
Micro Focus Fortify Customers-Only Forums – https://community.softwaregrp.com/t5/Fortify/ct-p/fortify
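The behaviour described in the question (a search box that returns valid data for `1 or 1 = 1`) and the True/False probing the answer describes, shown as an added example that is not part of the original thread and is not WebInspect's or the SQL Injector's code. It uses two hypothetical search handlers over a constructed in-memory SQLite table: the concatenating handler returns every row for a true condition and no rows for a false one, which is the kind of response difference a True/False probe pair relies on, while the parameterized handler returns the same empty result for both, which is also why a correctly fixed input produces no finding. Table name, row contents and function names are all assumptions made for the example.

```python
import sqlite3

# Constructed sample data standing in for the site behind the search box (not from the thread).
SAMPLE_ROWS = [(1, "widget"), (2, "gadget"), (3, "gizmo")]


def make_db():
    """Build an in-memory SQLite database holding the constructed products table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def search_vulnerable(conn, term):
    """Hypothetical vulnerable handler: the user-supplied term is pasted straight
    into the statement, so a term such as '1 or 1 = 1' rewrites the WHERE clause."""
    sql = f"SELECT id, name FROM products WHERE id = {term} ORDER BY id"
    return conn.execute(sql).fetchall()


def search_parameterized(conn, term):
    """Hardened handler: the term is validated as an integer and bound as a
    parameter, so it is only ever compared as a value and never parsed as SQL."""
    try:
        product_id = int(term)
    except ValueError:
        return []  # reject anything that is not a plain id instead of guessing
    return conn.execute(
        "SELECT id, name FROM products WHERE id = ? ORDER BY id", (product_id,)
    ).fetchall()


def compare(term):
    """Run one search term through both handlers and return the results side by side."""
    conn = make_db()
    try:
        return {
            "vulnerable": search_vulnerable(conn, term),
            "parameterized": search_parameterized(conn, term),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    # A true condition, a false condition and a plain id: the vulnerable handler's
    # result set changes with the condition, the parameterized one's does not.
    for term in ("1", "1 or 1 = 1", "1 and 1 = 2"):
        print(repr(term), compare(term))
```

The point of running the three terms together is the one the answer makes: a single `1=1` response that happens to contain data is not proof on its own, because a handler could return data for other reasons. What distinguishes an injectable input is that a true and a false condition produce different result sets, and only the concatenating handler shows that difference.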
