I have created a SignalR site that displays collected server data from our intranet. Everything works accordingly without issue.
There are no user inputs on the page. It's essentially a dashboard.
I have googled, searched IBM's site directly and asked in JabbR... but no results for why this might occur. I understand the critical message about injection... but there is no user input to inject; it's SignalR's connection establishment.
Any ideas? Possible false-positive?
IBM Security AppScan reports back:
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Transfer-Encoding: chunked
Content-Type: application/json; charset=UTF-8
Expires: -1
Server: Microsoft-IIS/8.5
X-Content-Type-Options: nosniff
X-AspNet-Version: 4.0.30319
Persistent-Auth: true
X-Powered-By: ASP.NET
Date: Thu, 21 Apr 2016 20:18:46 GMT
{
"Url": "/signalr",
"ConnectionToken": "0l6V6C/DRJsZ3dOFpL+UO+hpOt5NtkBiGLREN9L5no6/hD1a6ZYTdQJRX8bWG0nJfM+4aRRHvfoeTD9b2tjEf84aX+/ANWsnBe8QKupoTkguzE2P3G3zifuEH2lDMOlr7fCiQYbBUvi20Mb4bLlngw==",
"ConnectionId": "fce58409-d505-4534-a318-01b90e333c57",
"KeepAliveTimeout": 20.0,
"DisconnectTimeout": 30.0,
"ConnectionTimeout": 110.0,
...
AppScan sent three requests: Error, True, and False. All three responses were different from one another, which insinuates that the MongoDB injection succeeded.
Try to retest the particular vulnerability using AppScan itself. Most of the time AppScan shows false-positive results for blind SQL injection and MongoDB NoSQL injection.
If you are using AppScan Standard: right-click on the particular vulnerability and hit Retest.
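An added triage example (not code from either post, AppScan or SignalR) showing why a response-differencing scanner flags the negotiate endpoint: the three probe responses are compared raw and then with the per-connection fields (ConnectionToken, ConnectionId) stripped. The negotiate bodies are constructed stand-ins that mint a fresh token and id on every call, as the real endpoint does; the field names are the ones in the scanner output above.

```python
import json
import secrets
import uuid

# Fields in a SignalR negotiate reply that legitimately change on every request
VOLATILE_FIELDS = {"ConnectionToken", "ConnectionId"}


def simulated_negotiate_response() -> dict:
    """Constructed stand-in for a /signalr/negotiate reply (no server involved).
    Each call returns a fresh token and connection id, like the real endpoint."""
    return {
        "Url": "/signalr",
        "ConnectionToken": secrets.token_urlsafe(96),
        "ConnectionId": str(uuid.uuid4()),
        "KeepAliveTimeout": 20.0,
        "DisconnectTimeout": 30.0,
        "ConnectionTimeout": 110.0,
    }


def normalize(body: str) -> str:
    """Drop per-connection fields so only the stable structure is compared."""
    data = json.loads(body)
    stable = {k: v for k, v in data.items() if k not in VOLATILE_FIELDS}
    return json.dumps(stable, sort_keys=True)


def naive_differs(bodies) -> bool:
    """The scanner's view: any byte-level difference between the three replies."""
    return len(set(bodies)) > 1


def normalized_differs(bodies) -> bool:
    """The reviewer's view: differences that survive stripping volatile fields."""
    return len({normalize(b) for b in bodies}) > 1


def triage(bodies) -> str:
    """Classify a set of Error/True/False probe responses for manual review."""
    if not naive_differs(bodies):
        return "no difference"
    if normalized_differs(bodies):
        return "needs manual review"
    return "likely false positive: replies differ only in per-connection token/id"


def run_probe_set() -> str:
    # The scanner's three probe variants all hit negotiate; each simply
    # gets a freshly minted connection, so the raw bodies never match.
    bodies = [json.dumps(simulated_negotiate_response()) for _ in ("Error", "True", "False")]
    return triage(bodies)
```

A reply whose structure actually changes (for example an error object instead of the negotiate fields) still differs after normalization and is routed to manual review rather than dismissed.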