Can you inspect SearchPane data before it is sent to the server?

Can you inspect SearchPane data before it is sent to the server?

wblakencwblakenc Posts: 78Questions: 17Answers: 1

Hello all. I am trying to resolve a 'potential' blind SQL injection issue found by our automated software scanner. The scanner says my application might be vulnerable due to:

The test result seems to indicate a vulnerability because it shows that values can be appended to parameter values,
indicating that they were embedded in an SQL query.

I am using SearchPanes to filter employee information based on their organization, pay plan, etc. and the scanner is saying because they can append data to the selected value parameter it fails. The server will reject the message from the user so its not a true SQL injection but here we are.

Anyway, the question is: can you inspect the data before it is sent to the server? Ideally I could use a regex library to remove hazardous characters etc.

Thanks!

This question has an accepted answers - jump to answer

Answers

  • allanallan Posts: 63,368Questions: 1Answers: 10,449 Site admin
    Answer ✓

    If there is an SQL injection vector there, then inspecting it before it goes to the server will not resolve the attack. It is trivial to use cURL or some other library to make a malicious request (or someone could just bypass your Javascript check - they wouldn't even need a separate program).

    The only way to to protect against SQL injection is on the server-side. You must treat all user submitted data as potentially dangerous. Most SQL interfaces provide some kind of binding mechanism to allow for that and we use that in our own .NET / PHP / NodeJS libraries for Editor to protect against SQL injection.

    What server-side code are you using for SearchPanes?

    Allan

  • wblakencwblakenc Posts: 78Questions: 17Answers: 1

    Allan,
    As always thanks for your response. On the server side (using ColdFusion) the parameters are bound and there are type checks on all input being received from the user. So, from my perspective, there is no SQL injection issue. For some reason this automated scanner thinks something called 'Blind SQL Injection' is occurring. And from what I can tell the only way to prevent it is to prevent users from attempting to append anything to the data being sent. All of it seems like nonsense to me, but I wanted to check with the forum to see if there was anything I was missing. Ill keep doing research to see how to prevent this moving forward.

    I appreciate the response!

  • allanallan Posts: 63,368Questions: 1Answers: 10,449 Site admin
    edited April 2023

    I'd be interesting to know if you find anything out. I've just been reading over the OWASP guide on Blind SQL injection. I seems to me that the scanner is overreacting a little with its warning, assuming the data submitted is bound and the column names are looked up (not used from the client - maybe that is the bit it is worried about).

    Allan

Sign In or Register to comment.