
I am performing a scan with ZAP on my Next.js 14 web application and I am encountering this security issue:

| Field | Details |
| --- | --- |
| Risk Level | High |
| Vulnerability | SQL Injection - SQLite |
| Description | SQL injection may be possible. |
| URL | `https://example.company.com/portal/_next/static/chunks/app/(private)/(with-page-layout)/account/page-716b952001ffc4b9.js` |
| Method | GET |
| Parameter | `__ID__` |
| Attack | `case randomblob(1000000) when not null then 1 else 1 end` |
| Evidence | The query time is controllable using parameter value [case randomblob(1000000) when not null then 1 else 1 end ], which caused the request to take [654] milliseconds, parameter value [case randomblob(10000000) when not null then 1 else 1 end ], which caused the request to take [851] milliseconds, when the original unmodified query with value [private] took [525] milliseconds. |
| Other Info | The query time is controllable using parameter value [case randomblob(1000000) when not null then 1 else 1 end ], which caused the request to take [654] milliseconds, parameter value [case randomblob(10000000) when not null then 1 else 1 end ], which caused the request to take [851] milliseconds, when the original unmodified query with value [private] took [525] milliseconds. |
| Instances | 1 |
| Solution | Do not trust client side input, even if there is client side validation in place. In general, type check all data on the server side. If the application uses JDBC, use PreparedStatement or CallableStatement, with parameters passed by '?'. If the application uses ASP, use ADO Command Objects with strong type checking and parameterized queries. If database Stored Procedures can be used, use them. Do not concatenate strings into queries in the stored procedure, or use 'exec', 'exec immediate', or equivalent functionality! Do not create dynamic SQL queries using simple string concatenation. Escape all data received from the client. Apply an 'allow list' of allowed characters, or a 'deny list' of disallowed characters in user input. Apply the principle of least privilege by using the least privileged database user possible. In particular, avoid using the 'sa' or 'db-owner' database users. This does not eliminate SQL injection, but minimizes its impact. Grant the minimum database access that is necessary for the application. |
| Reference | OWASP SQL Injection Prevention Cheat Sheet |
| CWE Id | 89 |
| WASC Id | 19 |
| Plugin Id | 40024 |

I have tried sanitizing the IDs of any resource I have found on the server before making requests to the database, but the issue is still present.

This `__ID__` parameter is probably generated by Next.js for dynamic pages. Is this a false positive? Did anyone encounter this security issue and can give me a hint to solve it?

  • 1) "may be possible" is important here. 2) It's a time based injection so your server or network could be the cause. Commented Dec 4, 2024 at 17:54
  • You should take a look at the code that prepares SQL queries when invoked by the URL in that report. You haven't shown that code here, so we can only guess. Commented Dec 4, 2024 at 23:26
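The first comment points at the weak spot of this finding: it rests on three single timings (525, 654 and 851 ms) taken against a static JavaScript chunk, which no database query should serve. The triage script below is an added example, not part of the question or of ZAP, and the threshold it uses is an assumption (a robust z-score plus a "grows with payload size" check), not ZAP's own rule; it runs over constructed timing samples so it can be tried offline before deciding whether to re-measure the real endpoint.

```python
import statistics
from typing import Dict, List

# Single-sample timings quoted in the ZAP report above (milliseconds).
ZAP_REPORT_MS = {"private": 525,
                 "randomblob(1000000)": 654,
                 "randomblob(10000000)": 851}

def triage_timing(baseline: List[float], probes: Dict[int, List[float]],
                  z: float = 3.0) -> dict:
    """Compare repeated baseline timings with repeated timings per payload size.

    The finding is treated as 'controllable' only if every payload's median
    exceeds the baseline median by more than z robust standard deviations AND
    the medians grow with the randomblob() size, which is what a genuine delay
    would do. Otherwise the single-sample deltas ZAP saw sit inside normal
    jitter. The z threshold is a triage heuristic (assumption), not ZAP's rule.
    """
    base_med = statistics.median(baseline)
    # Median absolute deviation scaled to approximate a standard deviation.
    mad = statistics.median(abs(x - base_med) for x in baseline) * 1.4826
    noise = max(mad, 1.0)  # avoid a zero floor on perfectly flat samples
    medians = {size: statistics.median(v) for size, v in probes.items()}
    sizes = sorted(medians)
    significant = all(medians[s] - base_med > z * noise for s in sizes)
    monotonic = all(medians[a] < medians[b] for a, b in zip(sizes, sizes[1:]))
    return {"baseline_median": base_med, "noise_ms": noise,
            "probe_medians": medians, "controllable": significant and monotonic}

# Constructed samples (not real measurements): a static chunk served through a
# CDN/reverse proxy, where every request, payload or not, swings between about
# 480 and 900 ms. ZAP's three single samples fit inside this band.
JITTERY_BASELINE = [525, 610, 480, 720, 560, 890, 540, 630]
JITTERY_PROBES = {1_000_000: [654, 590, 710, 520, 830, 600],
                  10_000_000: [851, 570, 640, 760, 510, 690]}

# Constructed samples of what a genuinely injectable endpoint would look like:
# a tight baseline and latency that scales with the randomblob() size.
INJECTABLE_BASELINE = [52, 49, 55, 50, 48, 53, 51, 50]
INJECTABLE_PROBES = {1_000_000: [310, 295, 330, 305, 318, 300],
                     10_000_000: [2450, 2510, 2390, 2480, 2430, 2500]}

if __name__ == "__main__":
    for label, b, p in [("static chunk", JITTERY_BASELINE, JITTERY_PROBES),
                        ("injectable endpoint", INJECTABLE_BASELINE, INJECTABLE_PROBES)]:
        print(label, triage_timing(b, p))
```

If repeated measurements of the real URL look like the first constructed set, the report is noise on a static asset; if they look like the second, follow the second comment and inspect the server-side code that builds the query.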
