Why am I seeing =N/A= instead of the body of a request in a reported vulnerability?

At times the request body is shown as =N/A= under the HTTP Info tab of a vulnerability. This happens when the body of the request is opaque to our agent.

(example)

SQL Injection from Request Body on "/test/user/api/vulnEndpoint" page

POST /test/user/api/vulnEndpoint HTTP/1.0
X-Ws-Instance: routing_local
X-Forwarded-Proto: https
Host: localhost
X-Api-Token: 34567890poiuytdsdrtyuiopnbfer56uiokjhgfdrtyuiolkhgr567ujhfr56
X-Forwarded-Port: 443
Content-Type: application/json
X-Forwarded-For: 127.0.0.1
Content-Length: 105
X-Ruxit-Apache-Servernameports: localhost:443
Tracestate: a4067583-f1d1k1k1h1s2=az=cid-v1:326c1b24-cd4d-4cf9-b53a-53c85ec7549e

=N/A=

This is expected when the body is derived from an object that, unlike a String, has no strictly defined contents. In the above example, the body is derived from an InputStream, specifically the ServletInputStream, which exhibits no contents until it is read.

[Creation] javax.servlet.ServletInputStream org.apache.catalina.connector.RequestFacade.getInputStream() --> org.apache.catalina.connector.CoyoteInputStream@at1232
[P2O] void org.glassfish.jersey.message.internal.EntityInputStream.<init>("org.apache.catalina.connector.CoyoteInputStream@at1232") --> org.glassfish.jersey.message.internal.EntityInputStream@6a123
[P2O] void org.glassfish.jersey.message.internal.ReaderInterceptorExecutor$UnCloseableInputStream.<init>("org.glassfish.jersey.message.internal.EntityInputStream@6a123","com.fasterxml.jackson.jaxrs.json.JacksonJaxbJsonProvider@e5f2ef09") --> org.glassfish.jersey.message.internal.ReaderInterceptorExecutor$UnCloseableInputStream@abc123
[P2O] void org.glassfish.jersey.message.internal.ReaderInterceptorExecutor$UnCloseableInputStream.<init>("org.glassfish.jersey.message.internal.EntityInputStream@6a123","com.fasterxml.jackson.jaxrs.json.JacksonJaxbJsonProvider@e5f2ef09","null") --> org.glassfish.jersey.message.internal.ReaderInterceptorExecutor$UnCloseableInputStream@abc123
[P2R] com.fasterxml.jackson.core.JsonParser com.fasterxml.jackson.core.JsonFactory.createParser("org.glassfish.jersey.message.internal.ReaderInterceptorExecutor$UnCloseableInputStream@6a123") --> com.fasterxml.jackson.core.json.UTF8StreamJsonParser@abc123
[O2R] java.lang.String com.fasterxml.jackson.core.json.UTF8StreamJsonParser.getText() --> groupLabel


Because the InputStream is unread at this point, we have no context as to the contents of the stream. We cannot read the stream ourselves, as an InputStream in Java may only be read once: any attempt to do so would block the application under instrumentation from reading the stream itself.
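As an added illustration (not part of this article or of the agent's code), the plain-JDK snippet below uses a ByteArrayInputStream as a constructed stand-in for the ServletInputStream: a second reader of the same stream sees nothing, and only buffering the bytes once lets two readers see the body.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;

public class ReadOnceBody {

    // Constructed sample body; stands in for the request body in the trace above.
    static final String SAMPLE_JSON = "{\"groupLabel\":\"finance\"}";

    static InputStream newRequestBody() {
        return new ByteArrayInputStream(SAMPLE_JSON.getBytes(StandardCharsets.UTF_8));
    }

    // An observer that drains the stream before the application does consumes it:
    // the observer gets the body, the application (reading second) gets an empty body.
    static String[] drainTwice(InputStream body) throws IOException {
        String observerView = new String(body.readAllBytes(), StandardCharsets.UTF_8);
        String applicationView = new String(body.readAllBytes(), StandardCharsets.UTF_8);
        return new String[] { observerView, applicationView };
    }

    // The only way for two parties to see the contents is to read the real stream
    // exactly once into a buffer and give each party its own stream over that buffer.
    // An agent sitting outside the application cannot do this without taking over
    // the single read the application itself performs.
    static String[] bufferThenShare(InputStream body) throws IOException {
        byte[] buffered = body.readAllBytes();
        InputStream forObserver = new ByteArrayInputStream(buffered);
        InputStream forApplication = new ByteArrayInputStream(buffered);
        return new String[] {
            new String(forObserver.readAllBytes(), StandardCharsets.UTF_8),
            new String(forApplication.readAllBytes(), StandardCharsets.UTF_8)
        };
    }

    public static void main(String[] args) throws IOException {
        String[] drained = drainTwice(newRequestBody());
        System.out.println("observer saw: " + drained[0]);
        System.out.println("application saw: '" + drained[1] + "'");

        String[] shared = bufferThenShare(newRequestBody());
        System.out.println("after buffering, both see the same body: " + shared[0].equals(shared[1]));
    }
}
```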

In these situations it's best to use the Details tab to see what data was passed in and used without proper sanitization.
