CWE-566 通过用户控制SQL主密钥绕过授权机制

Authorization Bypass Through User-Controlled SQL Primary Key

结构: Simple

Abstraction: Variant

状态: Incomplete

被利用可能性: unkown

基本描述

The software uses a database table that includes records that should not be accessible to an actor, but it executes a SQL statement with a primary key that can be controlled by that actor.

扩展描述

When a user can set a primary key to any value, then the user can modify the key to point to unauthorized records.

Database access control errors occur when:

相关缺陷

  • cwe_Nature: ChildOf cwe_CWE_ID: 639 cwe_View_ID: 1000 cwe_Ordinal: Primary

  • cwe_Nature: ChildOf cwe_CWE_ID: 639 cwe_View_ID: 699 cwe_Ordinal: Primary

适用平台

Technology: {'cwe_Name': 'Database Server', 'cwe_Prevalence': 'Often'}

常见的影响

范围 影响 注释
['Confidentiality', 'Integrity', 'Access Control'] ['Read Application Data', 'Modify Application Data', 'Bypass Protection Mechanism']

可能的缓解方案

Implementation

策略:

Assume all input is malicious. Use a standard input validation mechanism to validate all input for length, type, syntax, and business rules before accepting the data. Use an "accept known good" validation strategy.

Implementation

策略:

Use a parameterized query AND make sure that the accepted values conform to the business rules. Construct your SQL statement accordingly.

示例代码

The following code uses a parameterized statement, which escapes metacharacters and prevents SQL injection vulnerabilities, to construct and execute a SQL query that searches for an invoice matching the specified identifier [1]. The identifier is selected from a list of all invoices associated with the current authenticated user.

bad C#

...
conn = new SqlConnection(_ConnectionString);
conn.Open();
int16 id = System.Convert.ToInt16(invoiceID.Text);
SqlCommand query = new SqlCommand( "SELECT * FROM invoices WHERE id = @id", conn);
query.Parameters.AddWithValue("@id", id);
SqlDataReader objReader = objCommand.ExecuteReader();
...

The problem is that the developer has not considered all of the possible values of id. Although the interface generates a list of invoice identifiers that belong to the current user, an attacker can bypass this interface to request any desired invoice. Because the code in this example does not check to ensure that the user has permission to access the requested invoice, it will display any invoice, even if it does not belong to the current user.

分类映射

映射的分类名 ImNode ID Fit Mapped Node Name
Software Fault Patterns SFP25 Tainted input to variable