0

I am working on an ASP.NET web application, and a recent security scan (conducted using SecurityMetrics) flagged a vulnerability related to Blind SQL Injection (Time-Based). Here are the details of the report:

Impact (as per the scan report):

By sending specially crafted parameters to one or more CGI scripts hosted on the remote web server, the scanner was able to cause slower responses. This suggests that the application may be vulnerable to Blind SQL Injection. The issue occurs because certain parameters are not properly sanitized, allowing malicious inputs like WAITFOR DELAY or SLEEP to execute. This could allow attackers to:

Bypass authentication Access or modify confidential data Potentially take control of the database server Vulnerable Parameters Identified:

__EVENTVALIDATION parameter in URLs such as:

/?__EVENTARGUMENT=&__EVENTTARGET=&__VIEWSTATE=...&__EVENTVALIDATION=...');WAITFOR DELAY '00:00:03';--

__VIEWSTATE parameter in requests like:

/login.aspx?__EVENTVALIDATION=...&__VIEWSTATE=...'; AND SLEEP(3)='...

What I've Tried So Far:

Ensured basic SQL injection protection by using parameterized queries in most places, but it’s unclear if these apply to built-in ASP.NET fields like __VIEWSTATE and __EVENTVALIDATION. Enabled validateRequest="true" in the web.config to reject malicious inputs.

My Questions:

How can I protect built-in ASP.NET fields like __VIEWSTATE and __EVENTVALIDATION from being exploited through SQL injection? Are there any specific settings or approaches for these fields? Is it necessary to encrypt or sign __VIEWSTATE and __EVENTVALIDATION to prevent tampering? If so, what’s the best way to do this? Are there any tools or practices I can use to verify that all potential SQL injection vulnerabilities have been addressed in my application?

Additional Information:

The application uses ASP.NET Web Forms and interacts with a SQL Server database. The vulnerability seems to be exploiting WAITFOR DELAY or SLEEP commands to test for delays in SQL queries. Any guidance on how to resolve this vulnerability and prevent similar ones in the future would be greatly appreciated!

Improve this question
4
  • in a word... update. (use .net8-core or above... ditch the web forms) As is though you shouldn't even accept login parameters in a GET. You should also consider that a user can change any values in the form sent whether it's GET or POST, so make sure that can't trigger over-posting or injection vulnerabilities. Everything should be parameterized/prepared, btw. What's the use-case for not? Commented Jan 22 at 18:16
  • I am already using parameterized queries and not sending parameters in url. Commented Jan 22 at 18:30
  • if this is an intranet and you are not worried about insider threats, it could be secure if you run on the latest .net framework. (4.8?) Migrating to .net-core would be optimal. Commented Jan 22 at 18:33
  • 2
    If parameterized this could be a red herring where it's additional validation that's happening. (such as EnableViewStateMac which checks for client-side modifications) But you may want to review this old MS article as well: learn.microsoft.com/en-us/previous-versions/msp-n-p/… Commented Jan 22 at 19:21

0

Reset to default

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.