Potential SQL injection attack by brute-force querying the rest api

Hi,

(reedited after more testing)

In v8.1 we're querying the rest api server as shown:

POST /AppServer/api/entities/Person?limit=15&displaycolumns=CCC_NIF;CentralAccount

Content-Type: application/json

{ "where": "CentralAccount like '%usuario%'"}
but the AppServer is considering this a potential SQL injection attack and adds a time penalty to every successive query, thus making the access nearly impossible:
"2019-12-16 09:49:49.8124 WARN (ObjectLog c3b242f1-8b87-4e2b-ac2b-8671daa05e48) : Potential SQL injection attack, adding time penalty of 00:00:02.0940000, WHERE clause: CentralAccount like '%usuario%'"
At first I thought it was related to a complex where query, but this one couldn't be simpler. If I remove the "like" operator then it works just fine. I don't know if this is a response sent from the SQL Server or the AppServer. Could I turn off this checking?
Thanks!
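The WARN line quoted above is the only visible evidence of which queries the AppServer is penalising and by how much. The following is an added example (not code from One Identity or from the original post) that parses that log format, aggregates the penalised WHERE clauses per session, and counts the LIKE operators in each clause so the worst offenders can be rewritten first. The regular expression is derived from the single quoted line; the sample log below is constructed for this example, and the second, third and fourth lines are assumed to follow the same format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. The first line is the WARN line from the post; the
# remaining lines are assumptions made for this example (same format).
SAMPLE_LOG = r"""
2019-12-16 09:49:49.8124 WARN (ObjectLog c3b242f1-8b87-4e2b-ac2b-8671daa05e48) : Potential SQL injection attack, adding time penalty of 00:00:02.0940000, WHERE clause: CentralAccount like '%usuario%'
2019-12-16 09:50:12.0001 INFO (ObjectLog c3b242f1-8b87-4e2b-ac2b-8671daa05e48) : Session opened
2019-12-16 09:50:31.4410 WARN (ObjectLog c3b242f1-8b87-4e2b-ac2b-8671daa05e48) : Potential SQL injection attack, adding time penalty of 00:00:04.1880000, WHERE clause: CentralAccount like '%usuario%'
2019-12-16 09:51:02.7700 WARN (ObjectLog 0f1c2d3e-4a5b-6c7d-8e9f-a0b1c2d3e4f5) : Potential SQL injection attack, adding time penalty of 00:00:02.0940000, WHERE clause: UID_AERole in (select aer.UID_AERole from AERole aer where aer.FullPath like 'Request & Fulfillment\IT Shop\ParentRoleA%')
""".strip()

# Layout taken from the quoted line: timestamp, level, ObjectLog session GUID,
# then the fixed message text, a .NET-style TimeSpan and the offending clause.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) "
    r"(?P<level>\w+) \(ObjectLog (?P<session>[0-9a-f-]{36})\) : "
    r"Potential SQL injection attack, adding time penalty of "
    r"(?P<penalty>\d{2}:\d{2}:\d{2}\.\d+), WHERE clause: (?P<where>.*)$"
)


def parse_penalty(text):
    """Convert '00:00:02.0940000' (7 fractional digits) to a timedelta without float rounding."""
    hours, minutes, seconds = text.split(":")
    whole, frac = seconds.split(".")
    micros = int(frac[:6].ljust(6, "0"))  # keep microsecond precision, drop the 7th digit
    return timedelta(hours=int(hours), minutes=int(minutes),
                     seconds=int(whole), microseconds=micros)


def parse_line(line):
    """Return a dict for a penalty WARN line, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "timestamp": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
        "session": m["session"],
        "penalty": parse_penalty(m["penalty"]),
        "where": m["where"],
    }


def count_like(where):
    """Number of LIKE operators in a WHERE clause (case-insensitive)."""
    return len(re.findall(r"\blike\b", where, flags=re.IGNORECASE))


def summarize(lines):
    """Aggregate hits, cumulative penalty and affected sessions per WHERE clause."""
    stats = defaultdict(lambda: {"hits": 0, "total_penalty": timedelta(), "sessions": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        entry = stats[rec["where"]]
        entry["hits"] += 1
        entry["total_penalty"] += rec["penalty"]
        entry["sessions"].add(rec["session"])
    return dict(stats)


def report(lines):
    """Rows of (where, hits, total_penalty, like_count), worst cumulative penalty first."""
    rows = [(where, s["hits"], s["total_penalty"], count_like(where))
            for where, s in summarize(lines).items()]
    return sorted(rows, key=lambda r: r[2], reverse=True)


if __name__ == "__main__":
    for where, hits, total, likes in report(SAMPLE_LOG.splitlines()):
        print(f"{hits:3d} hits  {total}  LIKE x{likes}  {where}")
```

Point the script at a real AppServer log instead of SAMPLE_LOG to see which clauses accumulate the most penalty time and how many LIKE operators each carries; those are the queries to rewrite first.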
  • We have a similar problem while migrating the web portal from 7.1.3 to 8.1.1.

    We get db journal errors and lockouts:

    SQL injection by brute force attack detected in WHERE clause: ...
    ...
    User session of ... was locked.

    The cause is a visibility condition on a menu entry, that probably gets executed every 20 seconds because of polling, that looks like this:

    Exists("PersonInAERole",
        SqlAnd(SqlCompareUid("UID_Person", getuser()),
            "UID_AERole in (select aer.UID_AERole
                            from AErole aer
                            where aer.FullPath like 'Request & Fulfillment\IT Shop\ParentRoleA%'
                               or aer.FullPath like 'Request & Fulfillment\IT Shop\ParentRoleB%')"))

    Is this a general problem with using LIKE operators in where clauses?
    How can we prevent the detection of brute force/code injection, which is clearly not the case here?

  • Hello,

    Is this a general problem with using LIKE operators in where clauses?

    Yes.

    Please see the following related to this as well: https://support.oneidentity.com/identity-manager/kb/288731/false-positive-of-sql-injection-attack-detection.

    But in general, it's a good idea to revise queries so less 'LIKE' operators are used.

    Trevor
