Qualys Blog


Testing AJAX Applications with JSON Input for Vulnerabilities Using Qualys WAS

Qualys Web Application Scanning 4.9 adds the capability to run web app vulnerability scans against AJAX applications that send their input as JSON. Specifically, WAS 4.9 can test such applications for SQL injection (SQLi), local file inclusion (LFI) and PHP command injection. Many web application scanners detect SQL injection, LFI, command injection and similar flaws in applications that use standard GET/POST parameters, but they fail to find the same flaws when the input travels as a JSON document in the POST body. To analyze and fuzz JSON requests, WAS 4.9 can execute some of the application's AJAX scripts during an automated scan without manual intervention. This capability relies on the SmartScan feature, which customers need to enable in their subscriptions.

About AJAX Apps with JSON Input

Many newer web applications rely heavily on AJAX (Asynchronous JavaScript And XML), one of the technologies used to build Rich Internet Applications (RIA). JavaScript and the XMLHttpRequest object together let developers build asynchronous web applications: the page issues requests in the background, parses the response from the server and updates its own content in place. Many developers have moved away from XML in favour of other formats, one of which is JSON (JavaScript Object Notation). JSON is easy for humans to read and write and is a lightweight way to exchange data between client and server.

A typical AJAX request with JSON input and POST method consists of:

  • URL – Typically this would be something like http://www.example.com/rest/user/change_password
  • POST data – {"email":"xyz@example.com", "oldpassword":"oldpassword", "newpassword":"newpassword"}

The normal response for the above request might look something like:

  • Password changed successfully.

SQL Injection Detection

Qualys WAS tests whether the web application is vulnerable to SQL injection by appending a single quote (') to the email parameter, which results in the following POST data:

  • POST data – {"email":"xyz@example.com'", "oldpassword":"oldpassword", "newpassword":"newpassword"}

The response from a vulnerable server that uses SQLite as its backend would be:

{"error":{"message":"SQLITE_ERROR: unrecognized token: 
\"d5b5fffc89f961903fb3c9a173f1b667\"","stack":"Error: SQLITE_ERROR: 
unrecognized token: \"d5b5fffc89f961903fb3c9a173f1b667\"\n at 
Error (native)","errno":1,"code":"SQLITE_ERROR","sql":"UPDATE 
Users set password = '5e9d11a14ad1c8dd77e98ef9b53fd1ba' WHERE 
email = 'xyz@example.com'' AND 
password = 'd5b5fffc89f961903fb3c9a173f1b667'"}}

The injected quote terminates the email string literal early, so the remainder of the WHERE clause is no longer valid SQL and the database error, including the full statement, is echoed back in the JSON response. In this case, the WAS engine reports QID 150003 with JSON fuzzing on the example website.
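To see why one appended quote produces that error, and what the fix looks like, here is an added example (not code from the post or from Qualys) that rebuilds the change-password handler twice against an in-memory SQLite database: once with the UPDATE assembled by string formatting, as the leaked statement implies the target did, and once with bound parameters. The Users table name comes from the error output above; the schema, the password hashing, the function names and the probe routine are assumptions made for the example.

```python
import hashlib
import sqlite3

# Constructed stand-in for the Users table behind /rest/user/change_password.
# The schema, and hashing the password before storage, are assumptions made
# to mirror the UPDATE statement shown in the post's error response.
BENIGN_BODY = {"email": "xyz@example.com",
               "oldpassword": "oldpassword",
               "newpassword": "newpassword"}


def digest(password):
    # The post's app stores a 32-hex digest; the hash choice is not the point
    # here, so sha256 is used and no password-hashing advice is implied.
    return hashlib.sha256(password.encode()).hexdigest()


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Users (email TEXT PRIMARY KEY, password TEXT)")
    db.execute("INSERT INTO Users VALUES (?, ?)",
               (BENIGN_BODY["email"], digest(BENIGN_BODY["oldpassword"])))
    db.commit()
    return db


def change_password_vulnerable(db, body):
    """Builds the UPDATE by string formatting, which is what the error in the
    post implies the target did: JSON string values land in the SQL text
    unescaped, so a quote in "email" terminates the literal early."""
    sql = ("UPDATE Users SET password = '%s' "
           "WHERE email = '%s' AND password = '%s'"
           % (digest(body["newpassword"]), body["email"],
              digest(body["oldpassword"])))
    return db.execute(sql).rowcount


def change_password_parameterized(db, body):
    """Same logic with bound parameters: the driver passes the quote as data,
    so the statement shape cannot change regardless of the JSON content."""
    return db.execute(
        "UPDATE Users SET password = ? WHERE email = ? AND password = ?",
        (digest(body["newpassword"]), body["email"],
         digest(body["oldpassword"]))).rowcount


def probe(handler):
    """Send the benign body, then the body with a single quote appended to
    email, each against a fresh database. Returns
    (benign_rows_updated, error_text_or_None, payload_rows_updated_or_None)."""
    benign_rows = handler(make_db(), BENIGN_BODY)
    fuzzed = dict(BENIGN_BODY, email=BENIGN_BODY["email"] + "'")
    try:
        return benign_rows, None, handler(make_db(), fuzzed)
    except sqlite3.OperationalError as err:
        # The vulnerable handler surfaces the database error; a server that
        # forwards it to the client produces exactly the signature the
        # scanner keys on.
        return benign_rows, str(err), None


if __name__ == "__main__":
    for name, handler in (("vulnerable", change_password_vulnerable),
                          ("parameterized", change_password_parameterized)):
        print(name, probe(handler))
```

The vulnerable handler updates one row for the benign body and raises a database error for the fuzzed one; the parameterized handler updates one row for the benign body and simply matches no row for the fuzzed one, because the quote is compared as part of the email value rather than parsed as SQL.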

Local File Inclusion Detection

A typical e-commerce web application might accept the following request for searching products:

  • POST data – {"query":"tv","order":"asc","limit":50}

WAS tests whether the query parameter is vulnerable to LFI (Local File Inclusion) by sending the following:

  • POST data – {"query":"/../../../../../../../etc/passwd","order":"asc","limit":50}

If the server runs Linux and the parameter reaches a file operation unchecked, the response will include the contents of /etc/passwd:

You search for:
/../../../../../../../etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin

In this case, the WAS engine will report QID 150011.

PHP Command Injection Detection

WAS tests whether the same e-commerce application is vulnerable to command injection in the query parameter by sending the following:

  • POST data – {"query":"|netstat -an ","order":"asc","limit":50}

If the parameter is handed to a shell, the response will include the output of the netstat command executed on the server:

You searched for: |netstat -an

Active Internet connections (servers and established)
Proto  Recv-Q  Send-Q  Local Address     Foreign Address     State
tcp      0       0     0.0.0.0:22           0.0.0.0:*        LISTEN
tcp      0       0     127.0.0.1:631        0.0.0.0:*        LISTEN
tcp      0       0     127.0.0.1:25         0.0.0.0:*        LISTEN

In this case, the WAS engine will report QID 150055.
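The three checks above follow one pattern: parse the JSON body, substitute a payload into one string field at a time while leaving the other fields and their JSON types untouched, and match the response against a signature that only the vulnerability would produce. The following added example (not Qualys WAS code, and not code from the post) implements that loop in Python for the SQLi, LFI and command injection checks described in the three sections above. The payloads and the response signatures are taken from the requests and responses shown on this page; the mock endpoint, the function names and the sample search body are constructed for illustration.

```python
import copy
import json
import re

# Payloads modelled on the three checks the post shows WAS sending. The SQLi
# probe is appended to the original value; the other two replace it.
PAYLOADS = {
    "sqli": "'",
    "lfi": "/../../../../../../../etc/passwd",
    "cmdi": "|netstat -an ",
}

# Response signatures that confirm each finding. Each one must match content
# the server produced, never the reflected payload itself: "/etc/passwd"
# echoed back after "You searched for" is not evidence, a root: line is.
SIGNATURES = {
    "sqli": re.compile(r"SQLITE_ERROR|unrecognized token|syntax error", re.I),
    "lfi": re.compile(r"^root:x:0:0:", re.M),
    "cmdi": re.compile(r"^Active Internet connections|^Proto\s+Recv-Q", re.M),
}


def string_paths(obj, prefix=()):
    """Yield the path of every string leaf in a parsed JSON value. Numbers,
    booleans and nulls are skipped: quoting them would change the type the
    server expects and the request would fail validation before the value
    reaches SQL or a shell."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            yield from string_paths(val, prefix + (key,))
    elif isinstance(obj, list):
        for idx, val in enumerate(obj):
            yield from string_paths(val, prefix + (idx,))
    elif isinstance(obj, str):
        yield prefix


def mutate(body, path, check):
    """Return a deep copy of body with the leaf at path carrying the payload
    for check; every other field keeps its original value and JSON type."""
    clone = copy.deepcopy(body)
    parent = clone
    for key in path[:-1]:
        parent = parent[key]
    leaf = path[-1]
    if check == "sqli":
        parent[leaf] = parent[leaf] + PAYLOADS["sqli"]
    else:
        parent[leaf] = PAYLOADS[check]
    return clone


def fuzz(body, send):
    """Run every check against every string parameter. `send` takes the
    serialised JSON body and returns the response text (a real scanner would
    POST it with Content-Type: application/json). Returns (check, path)
    tuples, one per confirmed finding."""
    findings = []
    for path in string_paths(body):
        for check, signature in SIGNATURES.items():
            response = send(json.dumps(mutate(body, path, check)))
            if signature.search(response):
                findings.append((check, "/".join(map(str, path))))
    return findings


def mock_search(raw_body):
    """Constructed stand-in for the post's e-commerce search endpoint. It
    answers the three payloads with trimmed versions of the responses the
    post shows; the real application is not reproduced."""
    query = json.loads(raw_body).get("query", "")
    if query.endswith("/etc/passwd"):
        return "You searched for: %s\nroot:x:0:0:root:/root:/bin/bash\n" % query
    if query.startswith("|"):
        return ("You searched for: %s\n\n"
                "Active Internet connections (servers and established)\n" % query)
    if query.endswith("'"):
        return '{"error":{"code":"SQLITE_ERROR","message":"unrecognized token"}}'
    return "You searched for: %s" % query


if __name__ == "__main__":
    search_body = {"query": "tv", "order": "asc", "limit": 50}
    print(fuzz(search_body, mock_search))
```

Against the mock, all three checks fire on the query field and none on order, and the integer limit is never touched. A response that merely echoes the payload matches no signature, which is the property that keeps the LFI and command injection checks from reporting reflected input as a finding.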
