Potential SQL injection attack by brute-force querying the rest api

Hi,

(reedited after more testing)

In v8.1 we're querying the rest api server as shown:

POST /AppServer/api/entities/Person?limit=15&displaycolumns=CCC_NIF;CentralAccount

Content-Type: application/json

{ "where": "CentralAccount like '%usuario%'"}
but the AppServer is considering this a potential SQL injection attack and adds a time penalty to every successive query, thus making the access nearly impossible:
"2019-12-16 09:49:49.8124 WARN (ObjectLog c3b242f1-8b87-4e2b-ac2b-8671daa05e48) : Potential SQL injection attack, adding time penalty of 00:00:02.0940000, WHERE clause: CentralAccount like '%usuario%'"
At first I thought it was related to a complex where query, but this one couldn't be simpler. If I remove the "like" operator then it works just fine. I don't know if this is a response sent from the SQL Server or the AppServer. Could I turn off this checking?
Thanks!
  • Are you seeing this message even on your first request or did you find this in the log after doing many subsequent query checks?

  • Hi Markus, 

    Thanks for replying.

    On the first request, but I cannot tell when it started. I got a SR from our Development dept. with the heads-up.

    I've tried also in version 8.1.1 and it happens as well.

    This "POST" query: iam-desarrollo.eprinsa.org/.../Person

    with the following "where" clauses :

    1. "where": "CentralAccount = 'juancar'" , does not trigger the error
    2. "where": "CentralAccount like 'juancar'" , triggers the injection alarm and starts delaying answers 

    With my Rest client, I start sending example 1 requests and it works just fine, results ok. Then I start sending example 2 requests and the injection procedure begins. Right away I switch back to example 1 and the problem is gone, no time penalties. So it seems the like operator is not wanted.  

    At first I thought it could be related to a recent SR that I raised for defect 31881 in 8.1, but as it also happens in 8.1.1 and the dll's have been upgraded too I've discarded that thought.

    Regards!

  • We are living in a world where we must protect our system against SQL injection attacks and an API endpoint like the REST API is one of those areas. The protection itself is of course updated between the versions of One Identity Manager if new threats arise. So it might be that you are affected by one of those protection mechanisms.

    I kindly suggest that you contact support to work with you on solving your issue. I do know that we had some adaptations made post 8.1.1 that may help you in your current situation.

  • We have a similar problem while migrating the web portal from 7.1.3 to 8.1.1.

    We get db journal errors and lockouts:

    SQL injection by brute force attack detected in WHERE clause: ...
    ...
    User session of ... was locked.

    The cause is a visibility condition on a menu entry, that probably gets executed every 20 seconds because of polling, that looks like this:

    Exists("PersonInAERole",
        SqlAnd(SqlCompareUid("UID_Person", getuser()),
               "UID_AERole in (select aer.UID_AERole
                               from AErole aer
                               where aer.FullPath like 'Request & Fulfillment\IT Shop\ParentRoleA%'
                                  or aer.FullPath like 'Request & Fulfillment\IT Shop\ParentRoleB%')"))

    Is this a general problem with using LIKE operators in where clauses?
    How can we prevent the detection of brute force/code injection, which is clearly not the case here?

  • Hello,

    Is this a general problem with using LIKE operators in where clauses?

    Yes.

    Please see the following related to this as well: https://support.oneidentity.com/identity-manager/kb/288731/false-positive-of-sql-injection-attack-detection.

    But in general, it's a good idea to revise queries so less 'LIKE' operators are used.

    Trevor

  • In this particular case, the "Fullpath LIKE" query can be rewritten using the BaseTreeCollection table. Try this:

    UID_AErole in (select UID_Org
                   from basetreecollection
                   where uid_parentorg in (select uid_aerole
                                           from aerole
                                           where FullPath in ('Request & Fulfillment\IT Shop\ParentRoleA',
                                                              'Request & Fulfillment\IT Shop\ParentRoleB')))

  • Issue triggered in Manager tool on Custom Target System browsing both with direct DB and app server connections. Logged support ticket for 8.1.4 Manager client.

    App Server log shows iterative cases when viewing accounts similar to:

    WARN (ObjectLog 135169fe-a24d-49e5-8b76-0fdcb5ff08f2) : Potential SQL injection attack by brute-force, adding time penalty of 00:00:10.0390000, WHERE clause: ((cn like 'Permission -%' and UID_UNSGroupB in (select UID_UNSGroupB from UNSAccountBInUNSGroupB where UID_UNSAccountB = 'c6b536a8-eb4f-4e64-8c57-dd375789fe8f')))

  • We have a quite similar situation when using the '>' operator in the where clause in version 9.1; it triggers a 501 Internal error response with the message

    "message": "Potentially dangerous behavior was detected. The request will be ignored."

  • Please check the following from the release notes of 9.1

    • Due to security issues, you cannot run any database queries directly from the user interface or from web applications. Specific SQL operators undergo a risk assessment that prevents them from being used by One Identity Manager components. This includes operators such as LIKE, NOT LIKE, <, <=, >, or >=.

      In order to continue using certain features in One Identity Manager components, users require the Common_AllowRiskyWhereClauses program function.

      Users who do not have this program function can only run database queries that are classified as trusted or pose no risk. Some of the features in One Identity Manager components, such as testing dynamic roles or running filter queries, are not possible without this function. For more information, see the One Identity Manager Authorization and Authentication Guide.

    and the part Preventing blind SQL injection of the One Identity Manager Authorization and Authentication Guide.


    https://support.oneidentity.com/technical-documents/identity-manager/9.1/authorization-and-authentication-guide/33#TOPIC-1872898
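    The release notes above list the operators that fail the risk assessment. Below is an added example, not One Identity's own code (its real heuristic is not published), of a classifier that applies that operator list to the WHERE clauses quoted in this thread while ignoring operators that sit inside string literals; the sample clauses are constructed from the posts above.

```python
import re
from typing import List

# Operators that the 9.1 release notes say undergo a risk assessment.
# This classifier is an added illustration of that policy, not One Identity
# Manager's own detection code; its exact heuristic is not public.
RISKY_OPERATOR_RE = re.compile(r"\bnot\s+like\b|\blike\b|<=|>=|<>|<|>")

# A single-quoted SQL literal ('' is an escaped quote) or a run of text outside one.
_TOKEN_RE = re.compile(r"'(?:[^']|'')*'|[^']+")

def strip_string_literals(where_clause: str) -> str:
    """Replace each string literal with ' ? ' so that characters inside
    user-supplied text such as '%usuario%' or 'Permission -%' are never
    read as operators. An unterminated quote is simply dropped."""
    return "".join(" ? " if m.group(0).startswith("'") else m.group(0)
                   for m in _TOKEN_RE.finditer(where_clause))

def find_risky_operators(where_clause: str) -> List[str]:
    """Risky operators used outside literals, in order of appearance."""
    code = strip_string_literals(where_clause).lower()
    found = []
    for m in RISKY_OPERATOR_RE.finditer(code):
        op = re.sub(r"\s+", " ", m.group(0))
        if op != "<>":          # inequality is not on the release-note list
            found.append(op)
    return found

def classify_where_clause(where_clause: str) -> str:
    """'risky' if any listed operator appears outside a literal, else 'trusted'."""
    return "risky" if find_risky_operators(where_clause) else "trusted"

# Constructed sample set: WHERE clauses quoted in this thread plus one whose
# only '<' sits inside a literal and must therefore pass.
SAMPLE_CLAUSES = {
    "equals": "CentralAccount = 'juancar'",
    "like": "CentralAccount like '%usuario%'",
    "portal": "(orderstate = N'Assigned') and "
              "(isnull(ValidUntil, '1899-12-30 00:00:00.000') < '2023-08-22 13:31:09.144')",
    "literal_only": "Description = 'a < b'",
}

def report() -> dict:
    """Classification of every sample clause, keyed by its label."""
    return {name: classify_where_clause(clause) for name, clause in SAMPLE_CLAUSES.items()}

if __name__ == "__main__":
    for name, verdict in report().items():
        print(f"{name:13s} {verdict}")
```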

  • Is this also required for opening the WebPortal after a new installation?
    I'm getting the following error message after logging in with a user that has only these roles: Birthright Assignments / Everyone (Change) / Everyone (Lookup)

    2023-08-08 15:31:09.1457 ERROR ( ObjectLog ) : SQL injection detcted in WHERE clause: (orderstate = N'Assigned') and (UID_PersonInserted = 'e080ba54-58f7-4809-b9e3-6d39314cf6b4') and (isnull(ValidUntil, '1899-12-30 00:00:00.000') < '2023-08-22 13:31:09.144') and (isnull(ValidUntil, '1899-12-30 00:00:00.000') > '1899-12-30 00:00:00.000') 
    2023-08-08 15:31:09.2067 ERROR (    WebLog ) : An error occurred while processing the request: GET https://xxx.xxx.xxx/ApiServer/portal/person/config System.Exception: An error occurred while processing the request: GET https://xxx.xxx.xxx/ApiServer/portal/person/config ---> VI.Base.ViException: Potentially dangerous behavior was detected. The request will be ignored. ---> VI.Base.ViException: SQL injection detected in WHERE clause: (orderstate = N'Assigned') and (UID_PersonInserted = 'e080ba54-58f7-4809-b9e3-6d39314cf6b4') and (isnull(ValidUntil, '1899-12-30 00:00:00.000') < '2023-08-22 13:31:09.144') and (isnull(ValidUntil, '1899-12-30 00:00:00.000') > '1899-12-30 00:00:00.000')