Sql Injection- Security

  • Question

  • I have an urgent requirement that has to be implemented with regard to SQL injection.
    My application went through a security scanning process and a few security threats were found with regard to SQL injection. We need your valuable support and guidelines to proceed further.
    Project Details: Windows application, VS2008
    Database: SQL Server 2008.
    The issue types and their details are listed out below:
    Threat 1: During connection initialization 
    SqlConnection  connection = new SqlConnection(connectionString);

    At this line there is a chance of a security threat. We are getting the connection string parameter from web.config as below:
    private static readonly string connectionString = ConfigurationManager.AppSettings["ConnectionString"];

    Flaw Information
    Type: Untrusted Initialization
    Issue: External Control of System or Configuration Setting
    Attack Vector: system_data_dll.System.Data.SqlClient.SqlConnection.!newinit_0_1
    Function: int ExecuteNonQuery(string, System.Data.CommandType, string, System.Data.SqlClient.SqlParameter[])
    Threat 2:
    Type: SQL Injection
    Issue: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Attack Vector: system_data_dll.System.Data.IDbCommand.ExecuteNonQuery
    Function: int FetchSPExecutedReturnValue(string, System.Collections.IDictionary)
    Threat Line:
    1. command.ExecuteNonQuery();

    There are a few more similar threats, same as above. The threat lines pointed out are:

    2. dataReader = command.ExecuteReader();
    3. adapter.Fill(ds);
    4. dataReader = cmd.ExecuteReader(CommandBehavior.CloseConnection);

    I have a doubt: are the above lines of code safe from SQL injection? If not, how can an attacker attack?


    One more thing: we are not at all passing any hard-coded queries to the DB. All the inputs are passed as parameters.
    I am not sure what kind of threat there is with these (ExecuteNonQuery(), Fill(dataset) and connection initialization) and how to defend against malicious code/vulnerabilities.

    Please help me out. I will be waiting for your valuable support.

    Thanks,
    Purushotham. A
    Tuesday, March 4, 2014 6:30 AM
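    An added example (not code from the original post or from any poster) showing the two shapes a helper like the flagged FetchSPExecutedReturnValue(string, IDictionary) can take: one that builds the EXEC statement by string concatenation, which is what CWE-89 describes, and one that uses CommandType.StoredProcedure with SqlParameter objects so values are sent as data rather than SQL text. The method names, the connection-string name "Accounts" and the IDictionary<string, object> shape are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;

public static class SpRunner
{
    // Assumed config: a <connectionStrings> entry named "Accounts". The value comes from
    // the deployed config file, not from a user, which is what the "External Control of
    // System or Configuration Setting" finding should be reviewed against.
    private static readonly string ConnectionString =
        ConfigurationManager.ConnectionStrings["Accounts"].ConnectionString;

    // UNSAFE: procedure name and argument values are pasted into SQL text, so any value
    // containing a quote or other SQL syntax changes the statement the server runs.
    public static int FetchSpReturnValueUnsafe(string spName, IDictionary<string, object> args)
    {
        string sql = "EXEC " + spName;
        string sep = " ";
        foreach (KeyValuePair<string, object> kv in args)
        {
            sql += sep + "@" + kv.Key + " = '" + kv.Value + "'";   // concatenation: injectable
            sep = ", ";
        }
        using (SqlConnection connection = new SqlConnection(ConnectionString))
        using (SqlCommand command = new SqlCommand(sql, connection))
        {
            connection.Open();
            return command.ExecuteNonQuery();   // the call the scanner flags, and rightly so here
        }
    }

    // SAFE: spName must still come from code (it selects which procedure runs), but every
    // argument travels as a typed SqlParameter and is never parsed as part of the statement.
    public static int FetchSpReturnValue(string spName, IDictionary<string, object> args)
    {
        using (SqlConnection connection = new SqlConnection(ConnectionString))
        using (SqlCommand command = new SqlCommand(spName, connection))
        {
            command.CommandType = CommandType.StoredProcedure;
            foreach (KeyValuePair<string, object> kv in args)
                command.Parameters.AddWithValue("@" + kv.Key, kv.Value ?? DBNull.Value);

            // Capture the procedure's RETURN value rather than the rows-affected count.
            SqlParameter ret = command.Parameters.Add("@ReturnValue", SqlDbType.Int);
            ret.Direction = ParameterDirection.ReturnValue;

            connection.Open();
            command.ExecuteNonQuery();   // same API call, but with parameters only
            return (int)ret.Value;
        }
    }
}
```

    If all procedure calls in the application already look like the second method, the ExecuteNonQuery/ExecuteReader/Fill findings are worth reviewing as scanner false positives rather than patching; the remaining question is only whether any CommandText is ever assembled from input.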

Answers

  • ...
    Threat 2:
    Type: SQL Injection
    Issue: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Attack Vector: system_data_dll.System.Data.IDbCommand.ExecuteNonQuery
    Function: int FetchSPExecutedReturnValue(string, System.Collections.IDictionary)
    Threat Line:...

    The application you are using (which one is it?) is referring to this vulnerability: http://cwe.mitre.org/data/definitions/89.html

    Maybe you can show the complete code, including the procedure call itself.


    Andreas Wolter (Blog | Twitter)
    MCM - Microsoft Certified Master SQL Server 2008
    MCSM - Microsoft Certified Solutions Master Data Platform, SQL Server 2012
    www.andreas-wolter.com | www.SarpedonQualityLab.com

    • Marked as answer by tracycai Monday, March 10, 2014 9:16 AM
    Tuesday, March 4, 2014 4:26 PM

All replies

  • See:

    http://www.mikesdotnetting.com/Article/113/Preventing-SQL-Injection-in-ASP.NET

    http://msdn.microsoft.com/en-us/library/ff648339.aspx


    Please Mark This As Answer if it helps to solve the issue
    Visakh
    ----------------------------
    http://visakhm.blogspot.com/ https://www.facebook.com/VmBlogs

    Tuesday, March 4, 2014 7:16 AM
  • Thanks for your quick reply.

    We are not passing a hard-coded connection string value. We are getting it from Web.config.

    SqlConnection connection = new SqlConnection(connectionString);

    private static readonly string connectionString = ConfigurationManager.AppSettings["ConnectionString"];

    When we pass on the connection string value as such, is there any chance of a threat from attackers?

    Thanks,
    purushotham.A 

    Tuesday, March 4, 2014 7:48 AM