Dear Members,
I would like to seek some support for the following issues. We had developed a web portal using Oracle ADF. In the login page, our web vulnerability scanner (IBM AppScan) found a blind SQL injection on the login.jspx page. However, no harm was done to the database. Is there any method to sanitise the hazardous characters?
Risk: It is possible to view, modify or delete database entries and tables
Causes: Sanitation of hazardous characters was not performed correctly on user input
Difference: Parameter manipulated from: !zv1e9ctim to: %21zv1e9ctim%27+and+%27f%27%3D%27f
Parameter manipulated from: !zv1e9ctim'+and+'b'='f to: %21zv1e9ctim%27+and+%27b%27%3D%27f
Parameter manipulated from: !zv1e9ctim'+and+'b'='b to: %21zv1e9ctim%27+and+%27b%27%3D%27b
Reasoning: The test result seems to indicate a vulnerability because it shows that values can be appended to parameter values, indicating that they were embedded in an SQL query.
In this test, three (or sometimes four) requests are sent. The last is logically equal to the original, and the next-to-last is different. Any others are for control purposes. A comparison of the last two responses with the first (the last is similar to it, and the next-to-last is different) indicates that the application is vulnerable.
Thank You
Hanafiah
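An added example, not from the original post and not Oracle ADF or AppScan code, to show what the scanner's three requests are testing and why bind variables (not character sanitisation) are the fix. It URL-decodes the manipulated values exactly as the report lists them, replays the true/false tautology pair against a constructed in-memory SQLite table, and compares a query built by string concatenation (the hypothetical vulnerable pattern) with the same query using a bind parameter. The table, the user `alice`, and all function names are assumptions made for the example; in the ADF/JDBC layer the bound form is a `PreparedStatement` with `?` placeholders filled by `setString`.

```python
import sqlite3
from urllib.parse import unquote_plus

# Constructed sample data: an in-memory SQLite table standing in for the portal's user table.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT NOT NULL, password_hash TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES ('alice', 'not-a-real-hash')")
    conn.commit()
    return conn

def decode_probe(raw):
    """URL-decode a manipulated parameter value the way the scanner report shows it
    (%27 is a single quote, + is a space, %3D is '=')."""
    return unquote_plus(raw)

def count_users_concat(conn, username):
    """Hypothetical vulnerable pattern: the input is spliced into the SQL text,
    so a quote in the value ends the literal and the rest is parsed as SQL."""
    sql = "SELECT COUNT(*) FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchone()[0]

def count_users_bound(conn, username):
    """Fixed pattern: the input travels as a bind variable, so quotes and
    keywords inside it are data, never SQL."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchone()[0]

def diverges_under_tautology(lookup, conn, base):
    """Replay the scanner's check: the same base value with a true tautology
    and with a false one appended. If the two results differ, the value reached
    the SQL parser, which is the blind-injection signal in the report."""
    true_probe = base + "' and 'b'='b"
    false_probe = base + "' and 'b'='f"
    return lookup(conn, true_probe) != lookup(conn, false_probe)

if __name__ == "__main__":
    conn = make_db()
    print(decode_probe("%21zv1e9ctim%27+and+%27b%27%3D%27b"))             # !zv1e9ctim' and 'b'='b
    print(diverges_under_tautology(count_users_concat, conn, "alice"))  # True
    print(diverges_under_tautology(count_users_bound, conn, "alice"))   # False
```

The concatenated lookup returns different counts for the two probes, which is what AppScan's "last similar, next-to-last different" comparison detects; the bound lookup returns the same count for both because the whole probe string is compared against the column as a single literal. Escaping or stripping quotes is a weaker substitute for the same reason: it tries to guess what the parser will do, whereas a bind variable never reaches the parser.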