Forum Discussion

Chris_Phillips's avatar
Chris_Phillips
Icon for Nimbostratus rankNimbostratus
Jun 03, 2014

Posting well formed JSON document incorrectly triggering ASM SQL-INJ violation

Hi,

 

we've an SQL-INJ violation - 200002149 - being raised on ASM that I don't see a way to suppress nicely. The thing is the parameter name is being taken to be the first 50 characters or so of the JSON document that's being posted, so it's being interpreted at the wrong level as I see it. Given that I can't provide a specific parameter to match against, I'd have to presumably disable the vioaltion at URI level, which seems pretty unappealing, especially as it's a very valid check I'd like to keep in place.

 

The violation looks like this:

 

ContextParameter

 

Parameter LevelGlobal

 

Wildcard Parameter Name*

 

Actual Parameter Name{

 

"call": 0x9{ 0x9"callIdentifier":1636565498724567890123, 0x9"contactCentreIdentifier":"B", 0x9"employeeIdentifier":"000274", 0x9"lineOfBusinessIdentifier":TEST", 0x9"lineOfBusinessDescriptor":"T0x20E0x20S0x20T", 0x9"teamIdentifier":"TT1", 0x9"callType":"I", 0x9"callerTy

 

Parameter Value

 

Detected Keywords

 

So clearly the parameter name is junk, and there's not even any value extracted, so I'm a little lost how to get a hold of it.

 

update

 

Our devs have now find that the violation goes away if they remove a slash from the data way way down the list, changing "04/05" to just "0405" in the middle of a string of arbitrary english text.

 

We've avoided the issue by disabling that signature on the relevant URI but it feels like a horrible way to "fix" the issue.

 

This is all on 10.2.4 BTW, we were looking to upgrade to 11.2 to benefit from JSON inspection but other limitations prevent that.

 

3 Replies

  • Without JSON inspection, you may have gotten around the issue the best way you can. Is it a signature that you have to leave disabled due to all uploads causing this issue, or can you re-enable it after this one document has been uploaded?

     

  • Well this is all just test data in a dev environment. I expect that when it hits production we;ll have all sorts of extra fun :/

     

    • Cory_50405's avatar
      Cory_50405
      Icon for Noctilucent rankNoctilucent
      No doubt you will. False positives are inevitable.