https://community.esri.com/t5/arcgis-rest-apis-and-services-questions/qualys-150568-content-based-blind-sql-injection-on/m-p/1619307#M4995 <P>Hi Ben,</P><P>Happened to see this question, I don't typically follow this space.&nbsp;</P><P>This is expected behavior in ArcGIS. There's nothing to fix.&nbsp;</P><P>Users expect to be able to see all of the records in a spatial table. In a banking use case, where I'm only expected to see details related to my own bank record, this would be a problem. However, in the ArcGIS use case, the expected behavior is to see, for example, all points in a map in a given spatial envelope.&nbsp;</P><P>&nbsp;</P> Thu, 29 May 2025 15:57:45 GMT RandallWilliams 2025-05-29T15:57:45Z https://community.esri.com/t5/arcgis-rest-apis-and-services-questions/qualys-150568-content-based-blind-sql-injection-on/m-p/1586681#M4948 <P>My organization uses Qualys to scan web applications. It picked up my REST endpoints and flagged them with a level 5 high vulnerability and now I have people in the security department telling me I need to fix it.</P><P>This is the summary of the problem:&nbsp;<A href="https://blog.qualys.com/product-tech/2023/02/09/blind-sql-injection-content-based-time-based-approaches" target="_blank">https://blog.qualys.com/product-tech/2023/02/09/blind-sql-injection-content-based-time-based-approaches</A></P><BLOCKQUOTE><P>True condition payload is ‘ AND 1=1</P><P>This condition is true, so available records are returned, which is the same as if the payload was the item by itself.</P><P>False condition payload is ‘ AND 1=2</P><P>The condition is false, so no records are returned and the output is nothing or a message such as No Results Found.</P><P><SPAN>Seeing the difference in results, the scanning engine draws the conclusion that there is a blind SQL injection vulnerability.</SPAN></P></BLOCKQUOTE><P>If I understand this correctly,&nbsp; for it not to get flagged, I'd need the REST API to return the same result set for the true query "1=1" and the false query "1=1 AND 1=2" in the "where=" request parameter.&nbsp;</P><P>Firstly, am I reading this right? Secondly, is there any advice on how to either fix this, so it's no longer flagged as a vulnerability or convince the security department that this is not a vulnerability?</P><P>I'm Using ArcGIS Server 11.4.0 with standardizedQueries: "true" set and querying FeatureServices. (I've also tried turning off standardizedQueries as well, and it gives the same result)</P><P>The exact queries the scan used are:</P><UL><LI>False: '1=11 or 11=12'</LI><LI>True: '1=11 or 11=11'.&nbsp;</LI></UL> Tue, 18 Feb 2025 22:14:36 GMT https://community.esri.com/t5/arcgis-rest-apis-and-services-questions/qualys-150568-content-based-blind-sql-injection-on/m-p/1586681#M4948 BenRomlein 2025-02-18T22:14:36Z https://community.esri.com/t5/arcgis-rest-apis-and-services-questions/qualys-150568-content-based-blind-sql-injection-on/m-p/1619307#M4995 <P>Hi Ben,</P><P>Happened to see this question, I don't typically follow this space.&nbsp;</P><P>This is expected behavior in ArcGIS. There's nothing to fix.&nbsp;</P><P>Users expect to be able to see all of the records in a spatial table. In a banking use case, where I'm only expected to see details related to my own bank record, this would be a problem. However, in the ArcGIS use case, the expected behavior is to see, for example, all points in a map in a given spatial envelope.&nbsp;</P><P>&nbsp;</P> Thu, 29 May 2025 15:57:45 GMT https://community.esri.com/t5/arcgis-rest-apis-and-services-questions/qualys-150568-content-based-blind-sql-injection-on/m-p/1619307#M4995 RandallWilliams 2025-05-29T15:57:45Z