False positive of SQL injection attack detection (4321360)

False positive of SQL injection attack detection

As an example, if using conditions for menu items and object lists containing the SQL SUBSTRING() method, this will be detected as SQL injection and the session aborted.

The displayed error may be: "Potential SQL injection attack by brute-force".

This is a product defect (31652).    

WORKAROUND

Avoid the SQL substring method.

STATUS

Please note that 'Improved protection against damaging SQL statements' was implemented as Enhancement ID 31652 in version 8.1.1: https://support.oneidentity.com/technical-documents/identity-manager/8.1.1/release-notes#TOPIC-1243838.

A caution about expectations of this enhancement:

One Identity Manager (1IM) allows for the definition of customer-specific WHERE clauses, which all run via one interface. The object layer is not able to detect if a certain command comes from a hacker or from a 1IM application which contains legitimate WHERE clauses.  A perfect balance between security and usability will not be possible for these reasons.

31652

The definition of the risks of the individual keywords is defined in the SQL function "QBM_FTSQLKeywords". The following statement can be used to display the individual risks:

select * from QBM_FTSQLKeywords(0)
order by 1

In principle, the SQL injection recognition behaves in this way:

Each SQL statement that is executed via the object layer is decomposed. Each SQL keyword is assigned a specific risk.

Of all the keywords occurring in the statement, the maximum risk value is used and added to the previous risk index of this database (DB) connection. If a certain limit is exceeded, the execution of the statement is delayed, starting at 0.5 seconds. However, the waiting time also increases as the risk index increases. If the risk index exceeds a maximum value, the session is terminated. After a certain time, the risk index is automatically reduced again, so that only a fast sequence of potentially dangerous statements leads to the problem.

This algorithm has been around for quite some time. However, due to feedback from other customers who checked their 1IM installation with penetration tests, we had to correct the risk values of some keywords.

For example, "like" was still harmless until version 8.1.0, but from version 8.1.1 on "like" has a risk of 0.04. Due to this change, we also had to adapt some statements in the standard version because otherwise unauthorized SQL injection detections would occur.

Since this is a security relevant feature, we will not disable it.

You have to check your statements and reformulate them so that there are no more risky statements.

Statements which triggered an SQL injection detection can also be found in the NLog log (as WARN).