2.1. http://mdsec.net/addressbook/32/Default.aspx [Address parameter]
Summary
Severity: High
Confidence: Certain
Host: http://mdsec.net
Path: /addressbook/32/Default.aspx
Issue detail
The Address parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Address parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
POST /addressbook/32/Default.aspx HTTP/1.1
Host: mdsec.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://mdsec.net/addressbook/32/
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 116
__VIEWSTATE=%2FwEPDwUKMTI0NzE5MjI0MGRkoXv4BXfugQRsGddxJO96PBvk5rI%3D&Name=&Email=&Phone=&Search=Search&Address='&Age=
Response 1
HTTP/1.1 200 OK
Date: Wed, 10 Apr 2013 12:40:58 GMT
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 2642
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head>
<title>Contacts</title>
...[SNIP]...
<b>Error: Unclosed quotation mark after the character string ''.
Incorrect syntax near ''.</b>
...[SNIP]...
Request 2
POST /addressbook/32/Default.aspx HTTP/1.1
Host: mdsec.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://mdsec.net/addressbook/32/
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 116
__VIEWSTATE=%2FwEPDwUKMTI0NzE5MjI0MGRkoXv4BXfugQRsGddxJO96PBvk5rI%3D&Name=&Email=&Phone=&Search=Search&Address=''&Age=
Response 2
HTTP/1.1 200 OK
Date: Wed, 10 Apr 2013 12:40:58 GMT
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 2721
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head>
<title>Contacts</title>
...[SNIP]...