Potential SQL injection attack by brute-force querying the rest api

Question

Hi , 
 (reedited after more testing) 
 In v8.1 we're querying the rest api server as shown: 
 POST /AppServer/api/entities/Person?limit=15&displaycolumns=CCC_NIF;CentralAccount 
 
 Content-Type: application/json 
 
 { "where": "CentralAccount like '%usuario%'"}

but the AppServer is considering this a potential sql injection attack and adds a time penalty to every sucesive query, thus making the access nearly impossible:

"2019-12-16 09:49:49.8124 WARN (ObjectLog c3b242f1-8b87-4e2b-ac2b-8671daa05e48) : Potential SQL injection attack, adding time penalty of 00:00:02.0940000, WHERE clause: CentralAccount like '%usuario%'"

At first I thought it was related to a complex where query, but this one couldnt be simpler. If I remove the "like" operator then it works just fine. I dont know if this is a response sent from the sqlserver or the Appserver. Could I turn off this checking? 
 Thanks!

Trevor Pike · Answer

Hello, Is this a general problem with using LIKE operators in where clauses? Yes. Please see the following related to this as well: https://support.oneidentity.com/identity-manager/kb/288731/false-positive-of-sql-injection-attack-detection . But in general, it's a good idea to revise queries so less 'LIKE' operators are used. Trevor

Hanno Bunjes · Answer

In this particular case, the "Fullpath LIKE" query can be rewritten using the BaseTreeCollection table. Try this: 
 UID_AErole in (select UID_Org from basetreecollection where uid_parentorg in ( select uid_aerole from aerole where FullPath in ('Request & Fulfillment\IT Shop\ParentRoleA', 'Request & Fulfillment\IT Shop\ParentRoleB')))

Markus Weiss-Ehlers · Answer

Please check the following from the release notes of 9.1 Due to security issues, you cannot run any database queries directly from the user interface or from web applications. Specific SQL operators undergo a risk assessment that prevents them from being used by One Identity Manager components. This includes operators such as LIKE , NOT LIKE , < , <= , > , or >= . In order to continue using certain features in One Identity Manager components, users require the Common_AllowRiskyWhereClauses program function. Users who do not have this program function can only run database queries that are classified as trusted or pose no risk. Some of the features in One Identity Manager components, such as testing dynamic roles or running filter queries, are not possible without this function. For more information, see the One Identity Manager Authorization and Authentication Guide . and the part Preventing blind SQL injection of the One Identity Manager Authorization and Authentication Guide . https://support.oneidentity.com/technical-documents/identity-manager/9.1/authorization-and-authentication-guide/33#TOPIC-1872898

Markus Weiss-Ehlers · Answer

We are living in a world where we must protect our system against SQL injection attacks and an API endpoint like the REST API is one of those areas. The protection itself is of course updated between the versions of One Identity Manager if new threads arise. So it might be, that you are affected by one of those protection mechanisms. 
 I kindly suggest that you are contacting support to work with you solving your issue. I do know that we had some adaptions made post 8.1.1 that may help you in your current situation.

Potential SQL injection attack by brute-force querying the rest api

Top Replies