    [bogus] SQL Injection bug reported by VeraCode

    Following is the issue reported when the security audit was run over the Smart GWT3.0 source code.

    This database query contains a SQL injection flaw. The function call constructs a dynamic SQL query using a variable
    derived from user-supplied input. An attacker could exploit this flaw to execute arbitrary SQL queries against the
    database.
    isomorphic.jar com/.../tools/DataExport.java 312

    Can we have a resolution for this as the production deployment is kind of blocked because of this?

    #2
    This appears to be a bogus report.

    In general, security scanning tools produce a lot of bogus reports, because among other things they will scan methods that are not accessible from end user UI as though they were publicly accessible (this includes developer tools, code for command-line use, test code, etc).

    If you believe you've found a security vulnerability you should submit a test case showing how the code could be exploited.

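A triage check in the spirit of this reply, as an added example that is not code from Smart GWT, Isomorphic or Veracode: given a call graph and exposure labels for its entry points, it reports whether a flagged SQL sink is reachable from an end-user-facing entry or only from admin and command-line tooling. The call graph, method names and exposure labels are constructed for illustration; "DataExport.buildQuery" merely stands in for the method flagged in the report.

```python
from collections import deque

# Constructed call graph (caller -> callees); names are illustrative only and
# "DataExport.buildQuery" stands in for the sink flagged in the report above.
CALL_GRAPH = {
    "DataSourceServlet.handleRequest": ["DataSource.fetch"],
    "DataSource.fetch": ["SQLDataSource.executeQuery"],
    "AdminConsole.exportTable": ["DataExport.buildQuery"],
    "DataExportCli.main": ["DataExport.buildQuery"],
}

# Constructed exposure labels for entry points. A root of the call graph that is
# missing here is treated as "external", so an unlabelled route is never
# silently downgraded.
EXPOSURE = {
    "DataSourceServlet.handleRequest": "external",  # end-user HTTP endpoint
    "AdminConsole.exportTable": "admin",            # authenticated admin tool
    "DataExportCli.main": "cli",                    # command-line use only
}

def entry_points():
    """Roots of the call graph: methods that nothing else calls."""
    callees = {c for cs in CALL_GRAPH.values() for c in cs}
    return [m for m in CALL_GRAPH if m not in callees]

def path_to_sink(entry, sink):
    """Shortest call path from entry to sink (BFS), or None if unreachable."""
    queue, seen = deque([[entry]]), {entry}
    while queue:
        path = queue.popleft()
        if path[-1] == sink:
            return path
        for callee in CALL_GRAPH.get(path[-1], []):
            if callee not in seen:
                seen.add(callee)
                queue.append(path + [callee])
    return None

def triage(sink):
    """Which entry points reach the sink, and does any of them face end users?"""
    paths = {e: p for e in entry_points() if (p := path_to_sink(e, sink))}
    exposures = {EXPOSURE.get(e, "external") for e in paths}
    return {
        "sink": sink,
        "paths": paths,
        "external": "external" in exposures,  # True -> treat as a live finding
        "exposures": sorted(exposures),
    }

if __name__ == "__main__":
    for sink in ("DataExport.buildQuery", "SQLDataSource.executeQuery"):
        r = triage(sink)
        print(sink, "external" if r["external"] else "admin/CLI only", r["paths"])
```

A sink reachable only from admin or CLI roots still deserves parameterized queries, but this separates the exposure question from the dataflow question the scanner answers.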


      #3
      Hello from Veracode

      Hi all,

      I am the founder and CTO of Veracode. I would like to take a look at the results that our code analysis has found in the Smart GWT3.0 code to determine if they are valid or not. I cannot do this unless I know which of our customers has performed the analysis and the name of their application.

      If the poster of the issue can help me out in finding this information I would be happy to investigate and determine if the analysis is correct.

      I can tell you that, for the types of issues we purportedly found, our false positive rate is less than 15%, so it is very likely that they are real issues. We do complete dataflow analysis from user input to sensitive function call.

      Cheers,
      Chris



        #4
        Hi "test", thanks for chiming in.

        Your user here can see your post and choose to share contact information if they need to, but you don't actually need their help to verify the many obvious false positives in your scan - the problem is that complete data flow analysis is useless if you are analyzing a tool that is meant for administrative use.



          #5
          need information about the application

          Hi,

          You are assuming that I can find the app with this issue in our database of the 1000s of applications we have scanned this month. I need to have more information to follow up and review the code and results. I am more than happy to do this.

          I have over 10 years of application security expertise and have written a book on the topic, "The Art of Software Security Testing". I think it is unwise to dismiss security reports that do not come with step-by-step exploit instructions. Unfortunately it seems I cannot be more helpful on your product's security without more information.

          Regards,
          Chris Wysopal
          CTO & co-founder, Veracode.



            #6
            There wasn't a lack of analysis, it just took only a few seconds per report to see that it was hitting tools and internals not exposed to end users.

            As far as following up further, your customer isn't responding with details and we don't have them.



              #7
              follow up

              I have made contact with our mutual customer and will be following up with them.

              Thanks,
              Chris
