Database Error Pattern should not be displayed
jbuns opened this issue · 2 comments
jbuns commented
Stratos Version
4.4.0
Frontend Deployment type
- Cloud Foundry Application (cf push)
- Kubernetes, using a helm chart
- Docker, single container deploying all components
- npm run start
- Other (please specify below)
Backend (Jet Stream) Deployment type
- Cloud Foundry Application (cf push)
- Kubernetes, using a helm chart
- Docker, single container deploying all components
- Other (please specify below)
Expected behaviour
AppScan DAST scan should not flag Database Error Pattern Found vulnerability
Actual behaviour
AppScan DAST scan flags Database Error Pattern Found vulnerability
Steps to reproduce the behavior
AppScan DAST scans the Stratos URL https://ui.169.53.186.50.nip.io/pp/v1/proxy/v2/apps. The test result seems to indicate a vulnerability because the response contains SQL Server errors.
Which yields:
...
Sec-Fetch-Mode: cors
Connection: keep-alive
Sec-Fetch-Site: same-origin
Referer: https://ui.169.53.186.50.nip.io/home
Accept: application/json, text/plain, */*
Accept-Language: en-US
Sec-Fetch-Dest: empty

HTTP/1.1 200 OK
Connection: keep-alive
Access-Control-Allow-Credentials: true
Pragma: no-cache
Access-Control-Allow-Origin:
Vary: Origin
Content-Length: 192
X-Frame-Options: SAMEORIGIN
Cache-Control: no-store
Strict-Transport-Security: max-age=15724800; includeSubDomains
Date: Wed, 10 Mar 2021 14:47:50 GMT
Content-Type: text/plain; charset=utf-8

{"t73XFqlpQugy2ywCJMheffz2HZU":{"error":{"statusCode":500,"status":"500 Internal Server Error"},"errorResponse":{"description":"Database error","error_code":"CF-DatabaseError","code":10011}}}
...
Log output covering before error and any error statements
Detailed Description
Context
Possible Implementation
richard-cox commented
There is no SQL server error. Please be careful when creating issues using automated tools to first read what it produces and then apply some context.
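A triage check for this class of scanner hit, added here as an example and not part of the issue, Stratos or AppScan. The body in the issue is a Jet Stream proxy envelope (one entry per upstream endpoint) carrying a structured error code from the upstream API; the pattern check fired on the word "Database error" in the description. The script below parses the envelope, looks separately for real database-driver fingerprints (the signature list and the leaked-body sample are constructed for the example, not AppScan's rule set), and classifies each URL from the scan accordingly. The function names are this example's own.

```python
import json
import re

# Response body captured in the issue: the proxy's map of endpoint GUID -> result.
ISSUE_BODY = (
    '{"t73XFqlpQugy2ywCJMheffz2HZU":{"error":{"statusCode":500,'
    '"status":"500 Internal Server Error"},"errorResponse":{"description":'
    '"Database error","error_code":"CF-DatabaseError","code":10011}}}'
)

# Constructed sample (not from the issue) of what a genuine leak looks like:
# a raw SQL Server driver message reflected into the response body.
LEAKED_BODY = (
    "Microsoft OLE DB Provider for SQL Server error '80040e14' "
    "Unclosed quotation mark after the character string 'admin'."
)

# Constructed benign body for comparison.
BENIGN_BODY = '{"resources": [], "total_results": 0}'

# Illustrative subset of database-driver/engine error fingerprints (an
# assumption for this example; a real scanner ships its own, longer list).
DRIVER_SIGNATURES = [
    r"SQLSTATE",
    r"Microsoft OLE DB Provider for SQL Server",
    r"Unclosed quotation mark after the character string",
    r"Incorrect syntax near",
    r"You have an error in your SQL syntax",
    r"syntax error at or near",
    r"ORA-\d{5}",
    r"ODBC (?:SQL Server )?Driver",
]
_SIG_RE = re.compile("|".join(DRIVER_SIGNATURES), re.IGNORECASE)


def parse_proxy_envelope(body):
    """Return (error_code, description) when body is a proxy error envelope
    (a JSON object whose entries carry an 'errorResponse'), else None."""
    try:
        doc = json.loads(body)
    except ValueError:
        return None
    if not isinstance(doc, dict):
        return None
    for entry in doc.values():
        if isinstance(entry, dict) and isinstance(entry.get("errorResponse"), dict):
            resp = entry["errorResponse"]
            return resp.get("error_code"), resp.get("description")
    return None


def classify_db_error_finding(body):
    """Triage one 'Database Error Pattern Found' hit against its response body."""
    signatures = sorted({m.lower() for m in _SIG_RE.findall(body)})
    envelope = parse_proxy_envelope(body)
    if signatures:
        # Driver or engine text in the body: query/driver detail is exposed.
        classification = "driver_error_leak"
    elif envelope and envelope[0] and envelope[0].startswith("CF-"):
        # Structured upstream error code relayed by the proxy. The generic
        # word "Database error" tripped the pattern; no driver, engine or
        # query detail is present, so this is a false positive to document.
        classification = "upstream_error_envelope"
    else:
        classification = "no_match"
    return {
        "classification": classification,
        "error_code": envelope[0] if envelope else None,
        "description": envelope[1] if envelope else None,
        "driver_signatures": signatures,
    }


def triage(findings):
    """Group (url, body) scanner findings by classification -> list of URLs."""
    grouped = {}
    for url, body in findings:
        result = classify_db_error_finding(body)
        grouped.setdefault(result["classification"], []).append(url)
    return grouped


if __name__ == "__main__":
    # Constructed findings: the issue's body against two of the reported URLs,
    # plus a constructed leak, to show how the triage separates them.
    sample = [
        ("https://ui.169.53.186.50.nip.io/pp/v1/proxy/v2/apps", ISSUE_BODY),
        ("https://ui.169.53.186.50.nip.io/pp/v1/proxy/v2/routes", ISSUE_BODY),
        ("https://example.invalid/legacy/search", LEAKED_BODY),
    ]
    for classification, urls in triage(sample).items():
        print(classification)
        for url in urls:
            print("  ", url)
```

Run it as-is to see the issue's body land under upstream_error_envelope and only the constructed leak under driver_error_leak; to reuse it against a real scan export, feed `triage` the (url, body) pairs from the report. The signature pass runs before the envelope check on purpose: a proxied error that also embeds driver text should still be escalated.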
manojtyagi2021 commented
This issue was reported by AppScan DAST scan tool on the below Stratos URLs as well.
- https://ui.169.53.186.50.nip.io/pp/v1/proxy/v2/apps
- https://ui.169.53.186.50.nip.io/pp/v1/proxy/v2/routes
- https://ui.169.53.186.50.nip.io/pp/v1/proxy/v2/organizations
- https://ui.169.53.186.50.nip.io/pp/v1/proxy/v2/users
- https://ui.169.53.186.50.nip.io/pp/v1/proxy/v2/apps/acf69e3a-fee9-4985-b283-0dea348f2c6e/routes
- https://ui.169.53.186.50.nip.io/pp/v1/proxy/v2/apps/acf69e3a-fee9-4985-b283-0dea348f2c6e/service_bindings
- https://ui.169.53.186.50.nip.io/pp/v1/proxy/v2/user_provided_service_instances
- https://ui.169.53.186.50.nip.io/pp/v1/proxy/v2/service_instances
- https://ui.169.53.186.50.nip.io/pp/v1/proxy/v2/organizations/18b4d7de-65cd-4b8a-ade5-f56dcc0d84da/users
- https://ui.169.53.186.50.nip.io/pp/v1/proxy/v2/organizations/18b4d7de-65cd-4b8a-ade5-f56dcc0d84da/space_quota_definitions
- https://ui.169.53.186.50.nip.io/pp/v1/proxy/v2/events
- https://ui.169.53.186.50.nip.io/pp/v1/proxy/v2/routes/dca3cee1-30ea-45c2-b266-3a24f9d2f8b2/apps
- https://ui.169.53.186.50.nip.io/pp/v1/proxy/v2/services