93a982316b
You can preview this rule [here](https://sonarsource.github.io/rspec/#/rspec/S6641/csharp) (updated a few minutes after each push). See: * Research ticket: https://sonarsource.atlassian.net/browse/APPSEC-732 * New rule ticket: https://sonarsource.atlassian.net/browse/APPSEC-748 * Implementation ticket: https://sonarsource.atlassian.net/browse/SONARSEC-3863
36 lines
2.0 KiB
Plaintext
36 lines
2.0 KiB
Plaintext
An attacker can use specially-crafted values to change how the database connection is made. These values can add new
|
|
parameters to the connection string, or can override parameters that had already been specified.
|
|
|
|
==== Escalation of privilege
|
|
|
|
Some database servers allow authentication via an OS user account instead of a username and password. The database
|
|
connection is authenticated as the user running the application. When this authentication mode is used, any username or
|
|
password in the connection string are ignored.
|
|
|
|
If an attacker can force the use of this authentication mode, the connection will be made as the user that the web
|
|
application is running under. This will often be the `LocalSystem` or `NetworkService` account on Windows. Such accounts
|
|
are often given a high level of privileges on the database server.
|
|
|
|
==== Credential theft
|
|
|
|
If an attacker can change the database server in the connection string, they can have the web application connect to a
|
|
server that they control. The web application will then authenticate with that server, allowing those credentials to be
|
|
stolen.
|
|
|
|
==== Bypassing data validation
|
|
|
|
Many web applications implicitly trust data that's stored in the database. The data is validated before it is stored,
|
|
so no additional validation is performed when that data is loaded.
|
|
|
|
If an attacker can change the database server in the connection string, they can have the web application connect to a
|
|
database server that they control. Invalid data in this database could be passed to other services or systems, or could
|
|
be used to trigger other bugs and logic flaws in the web application.
|
|
|
|
==== Network traffic sniffing
|
|
|
|
The connection string can control how the connection to the database server is secured. For example, it can control
|
|
whether connections to Microsoft SQL Server use transport layer security (TLS).
|
|
|
|
If an attacker can disable these network security measures and they have some way to monitor traffic between the web
|
|
server and the database server, they will be able to see all information that's written to and read from the database.
|