Avoid second order numeric user inputs in SQL queries

CRITICAL

Rule Definition
The software constructs all or part of an SQL command via numeric user-controllable inputs. These inputs are not neutralized or are incorrectly neutralized. As a consequence, a user may access to another user's data or record, affecting the confidentiality, integrity, and availability of data.

Remediation
Assume all input is malicious. Avoid using inputs. If it is not possible, use an "accept known good" input validation strategy, i.e., use stringent white-lists that limit the character set based on the expected value of the parameter in the request. This will indirectly limit the scope of an attack. Note that the classical SQL sanitization does not apply for this quality rule.

Violation Code Sample

// ---------------------------------------------------------------------------- // C# using System; using Microsoft.Data.SqlClient; // The argument userId is given by a SQL query private static void OutputPassword(int userId) // 1. Numeric user input { using var connection = new SqlConnection(GetConnectionString()); connection.Open(); var query = "SELECT * FROM users WHERE id = @id"; using var command = new SqlCommand(query, connection); command.Parameters.AddWithValue("@id", userId); // 2. Numeric user input added using var reader = command.ExecuteReader(); // 3. Numeric user input used in SQL query while (reader.Read()) { Console.WriteLine("Password=" + reader["password"]); } }

Fixed Code Sample

// ---------------------------------------------------------------------------- // C# using System; using Microsoft.Data.SqlClient; // The argument userId should be hard-coded or checked using a specific // validation method if given by a SQL query private static void OutputPassword(int userId) //1. OK { using var connection = new SqlConnection(GetConnectionString()); connection.Open(); var query = "SELECT * FROM users WHERE id = @id"; using var command = new SqlCommand(query, connection); command.Parameters.AddWithValue("@id", userId); // 2. OK using var reader = command.ExecuteReader(); // 3. OK while (reader.Read()) { Console.WriteLine("Password=" + reader["password"]); } }

Reference

CWE-639: Authorization Bypass Through User-Controlled Key https://cwe.mitre.org/data/definitions/639.html CWE-566: Authorization Bypass Through User-Controlled SQL Primary Key https://cwe.mitre.org/data/definitions/566.html Open Web Application Security Project (OWASP) - Testing for Insecure Direct Object References https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/05-Authorization_Testing/04-Testing_for_Insecure_Direct_Object_References Open Web Application Security Project (OWASP) - API1:2023 Broken Object Level Authorization https://owasp.org/API-Security/editions/2023/en/0xa1-broken-object-level-authorization/

Related Technologies

Health Factor

Total Quality Index

Technical Criterion
Secure Coding - Input Validation

About CAST Appmarq

CAST Appmarq is by far the biggest repository of data about real IT systems. It's built on thousands of analyzed applications, made of 35 different technologies, by over 300 business organizations across major verticals. It provides IT Leaders with factual key analytics to let them know if their applications are on track.

Benchmark Statistics

Global Compliance

nan%

Total Violations

0

Total Opportunities

0

Average Violations / App.

nan

The compliance score represents 1 minus the ratio between the number of times a rule has been violated compared to the number of opportunities in a set of applications that the rule could have been violated.

Industry Insights

Select from drop-down

99.96%

Financial Services

100.00%

Government

100.00%

Want more stats? Register now!