Analysis Report
In the provided HTTP request, we have identified a potential security risk. While this request appears to be a standard query request on the surface, there are some details that warrant closer scrutiny. Specifically, an unusual string pattern in the query parameters suggests the possibility of a particular type of attack: SQL injection.
Attack Type: SQL Injection
Risk Level: High
Request Payload (code block):
GET /rest/experimental/search?cql=type=space%20and%20space.type=favourite%20order%20by%20favourite%20desc&expand=space.icon&limit=100&_=1720587156853 HTTP/1.1
Payload Intent:
In the aforementioned request, the key malicious payload is found in the URL's query string: cql=type=space%20and%20space.type=favourite%20order%20by%20favourite%20desc. This portion is URL-encoded and, when decoded, becomes cql=type=space and space.type=favourite order by favourite desc.
Payload Intent Explanation:
The attacker might be attempting to exploit the target application's SQL query handling vulnerabilities by inserting additional SQL statements into the query parameters. In this specific case, the payload aims to modify the original query logic, potentially bypassing certain filtering conditions to access more unauthorized data or to execute more complex database operations, such as modifying or deleting data.
It's important to note that SQL injection is a common attack method that allows attackers to execute arbitrary SQL statements on the target database, leading to severe consequences such as data leakage, data tampering, or service disruption. In this scenario, the attacker might be trying to obtain sensitive information related to "space" or exploring the database structure to further exploit other vulnerabilities.
To prevent such attacks, applications should rigorously validate and sanitize all user inputs, use parameterized queries or prepared statements, and limit the database account's permissions. This ensures that even if SQL injection occurs, the attacker cannot perform highly destructive operations.
Hi @dada
From reviewing this, I don't believe there is any clear evidence that this is a SQL injection route. Confluence is using its own search/query language known as CQL, but this should not be confused with SQL. From what I can see I believe the analysis here is incorrect. Just because a user could make a GET request to change the CQL payload of the GET request, it doesn't actually mean that Confluence would execute any SQL commands passed to it as a result. It might run a CQL search, but this endpoint doesn't have the ability to change data like a SQL command might potentially be able to do.
But if you have further concerns or questions on this topic, I would invite you to review our page at https://www.atlassian.com/trust/security/report-a-vulnerability as we have several better locations for reporting potential vulnerabilities than our public community forum.
Cheers,
Andy
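The report above flags the request because the decoded cql parameter contains "and" and "order by", keywords that a signature-based SQL injection rule shares with SQL even though here they are ordinary CQL grammar. The following script is an added triage example, not code from the original post or from Atlassian: it URL-decodes the request line quoted in the report, parses the cql value into field/operator/value clauses, and separates keyword hits (which legitimate CQL produces) from the statement-terminator and comment markers a real SQL injection would need. The CQL field allow-list and the verdict labels are assumptions chosen for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed copy of the request line quoted in the original post.
REQUEST_LINE = (
    "GET /rest/experimental/search?cql=type=space%20and%20space.type=favourite"
    "%20order%20by%20favourite%20desc&expand=space.icon&limit=100&_=1720587156853 HTTP/1.1"
)

# Keywords of the kind a naive SQL-injection signature matches on. CQL shares several of
# them with SQL, which is exactly why a keyword rule fires on benign CQL searches.
NAIVE_SQLI_KEYWORDS = {"and", "or", "order", "by", "select", "union",
                       "insert", "update", "delete", "drop"}

# Markers needed to terminate a SQL statement or comment out its tail; CQL has no use for them.
SQL_STRUCTURAL_MARKERS = (";", "--", "/*", "*/")

# Assumption: illustrative allow-list of CQL field names (the ones seen in the request plus a
# few common ones). A real deployment would take this from the product's CQL documentation.
CQL_FIELDS = {"type", "space", "space.type", "title", "label", "creator", "text"}

# One CQL clause: field, comparison operator, and a bare or quoted value.
CLAUSE_RE = re.compile(
    r"^([A-Za-z][\w.]*)\s*(!=|!~|<=|>=|=|~|<|>)\s*(\"[^\"]*\"|'[^']*'|[\w.-]+)$"
)


def extract_cql(request_line: str) -> str:
    """Return the URL-decoded cql= parameter from an HTTP request line."""
    target = request_line.split(" ")[1]
    return parse_qs(urlsplit(target).query).get("cql", [""])[0]


def naive_keyword_hits(query: str) -> set:
    """What a keyword-only SQLi signature would flag in the decoded query."""
    return {tok for tok in re.findall(r"[a-z_]+", query.lower()) if tok in NAIVE_SQLI_KEYWORDS}


def structural_marker_hits(query: str) -> list:
    """Statement/comment markers that legitimate CQL never needs."""
    return [m for m in SQL_STRUCTURAL_MARKERS if m in query]


def parse_cql(query: str):
    """Split a CQL expression into (field, op, value) clauses; None if any clause is malformed.

    A trailing 'order by ...' is dropped before splitting on and/or.
    """
    body = re.split(r"\s+order\s+by\s+", query, maxsplit=1, flags=re.IGNORECASE)[0]
    clauses = []
    for clause in re.split(r"\s+(?:and|or)\s+", body, flags=re.IGNORECASE):
        m = CLAUSE_RE.match(clause.strip())
        if not m:
            return None
        clauses.append(m.groups())
    return clauses


def triage(request_line: str) -> dict:
    """Classify the alert: keyword hits alone on well-formed CQL are a likely false positive."""
    cql = extract_cql(request_line)
    keywords = naive_keyword_hits(cql)
    markers = structural_marker_hits(cql)
    clauses = parse_cql(cql)
    well_formed = clauses is not None and all(f.lower() in CQL_FIELDS for f, _, _ in clauses)
    if markers or not well_formed:
        verdict = "needs_review"          # unparseable, or carries SQL-only structure
    elif keywords:
        verdict = "likely_false_positive"  # SQL-like words that are valid CQL grammar
    else:
        verdict = "benign"
    return {"cql": cql, "keyword_hits": sorted(keywords), "structural_markers": markers,
            "clauses": clauses, "verdict": verdict}


if __name__ == "__main__":
    for key, value in triage(REQUEST_LINE).items():
        print(f"{key}: {value}")
```

The point of separating the two checks is detection-engineering hygiene: a rule that fires on "and" or "order by" in any query parameter will page on every CQL, JQL or similar search-language endpoint, so a triage step that parses the parameter against the language it is actually written in removes that noise while still escalating anything that does not parse or carries SQL-only structure.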
Hi @dada
As a follow-up to @Andy Heinzer's comment, I'm just noting that we've gotten our internal security team to test the SQL injection attempt noted above. Their conclusion was that with the information provided and technique used they were not able to identify any SQL injection exploitation.
If you believe we've missed anything here, would like to provide further details, or find anything else that concerns you security-wise with our applications, then as @Andy Heinzer has encouraged above, please follow the Report a Vulnerability process.
Best regards,
Michael Andreacchio
Confluence DC Security Product Management