- ABAP
- ActionScript
- Apex
- C#/VB.NET/ASP.NET
- C/C++
- COBOL
- Dart
- Golang
- Java/JSP
- JavaScript/TypeScript
- Objective-C
- PHP
- PLSQL/TSQL
- Python
- Ruby
- Scala
- Swift
- VisualBasic/VBScript/ASP
Abstract
Without proper access control, executing a SQL statement that contains a user-controlled primary key can allow an attacker to view unauthorized records.
Explanation
Database access control errors occur when:
1. Data enters a program from an untrusted source.
2. The data is used to specify the value of a primary key in a SQL query.
Example 1: The following code uses a statement that relies on an integer and thus is not vulnerable to SQL injection vulnerabilities, to construct and execute a SQL query that searches for an invoice matching the specified identifier [1]. The identifier is selected from a list of all invoices associated with the current authenticated user.
DATA: id TYPE i.
...
id = request->get_form_field( 'invoiceID' ).CONCATENATE `INVOICEID = '` id `'` INTO cl_where.
SELECT *
FROM invoices
INTO CORRESPONDING FIELDS OF TABLE itab_invoices
WHERE (cl_where).
ENDSELECT.
...
The problem is that the developer has failed to consider all of the possible values of ID. Although the interface generates a list of invoice identifiers that belong to the current user, an attacker might bypass this interface to request any desired invoice. Because the code in this example does not check to ensure that the user has permission to access the requested invoice, it will display any invoice, even if it does not belong to the current user.
References
[1] S. J. Friedl SQL Injection Attacks by Example
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark
[6] Standards Mapping - CIS Kubernetes Benchmark
[7] Standards Mapping - Common Weakness Enumeration
[8] Standards Mapping - Common Weakness Enumeration Top 25 2023
[9] Standards Mapping - DISA Control Correlation Identifier Version 2
[10] Standards Mapping - FIPS200
[11] Standards Mapping - General Data Protection Regulation (GDPR)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5
[14] Standards Mapping - OWASP Top 10 2004
[15] Standards Mapping - OWASP Top 10 2007
[16] Standards Mapping - OWASP Top 10 2010
[17] Standards Mapping - OWASP Top 10 2013
[18] Standards Mapping - OWASP Top 10 2017
[19] Standards Mapping - OWASP Top 10 2021
[20] Standards Mapping - OWASP Application Security Verification Standard 4.0
[21] Standards Mapping - OWASP Mobile 2014
[22] Standards Mapping - OWASP Mobile 2024
[23] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2
[35] Standards Mapping - SANS Top 25 2011
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10
[43] Standards Mapping - Security Technical Implementation Guide Version 4.1
[44] Standards Mapping - Security Technical Implementation Guide Version 4.2
[45] Standards Mapping - Security Technical Implementation Guide Version 4.3
[46] Standards Mapping - Security Technical Implementation Guide Version 4.4
[47] Standards Mapping - Security Technical Implementation Guide Version 4.5
[48] Standards Mapping - Security Technical Implementation Guide Version 4.6
[49] Standards Mapping - Security Technical Implementation Guide Version 4.7
[50] Standards Mapping - Security Technical Implementation Guide Version 4.8
[51] Standards Mapping - Security Technical Implementation Guide Version 4.9
[52] Standards Mapping - Security Technical Implementation Guide Version 4.10
[53] Standards Mapping - Security Technical Implementation Guide Version 4.11
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3
[57] Standards Mapping - Web Application Security Consortium Version 2.00
[58] Standards Mapping - Web Application Security Consortium 24 + 2
desc.dataflow.abap.access_control_database
Abstract
Without proper access control, executing a SQL statement that contains a user-controlled primary key can allow an attacker to view unauthorized records.
Explanation
Database access control errors occur when:
1. Data enters a program from an untrusted source.
2. The data is used to specify the value of a primary key in a SQL query.
Example 1: The following code uses a parameterized statement, which escapes metacharacters and prevents SQL injection vulnerabilities, to construct and execute a SQL query that searches for an invoice matching the specified identifier [1]. The identifier is selected from a list of all invoices associated with the current authenticated user.
...
var params:Object = LoaderInfo(this.root.loaderInfo).parameters;
var id:int = int(Number(params["invoiceID"]));
var query:String = "SELECT * FROM invoices WHERE id = :id";stmt.sqlConnection = conn;
stmt.text = query;
stmt.parameters[":id"] = id;
stmt.execute();
...
The problem is that the developer has failed to consider all of the possible values of id. Although the interface generates a list of invoice identifiers that belong to the current user, an attacker might bypass this interface to request any desired invoice. Because the code in this example does not check to ensure that the user has permission to access the requested invoice, it will display any invoice, even if it does not belong to the current user.
References
[1] S. J. Friedl SQL Injection Attacks by Example
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark
[6] Standards Mapping - CIS Kubernetes Benchmark
[7] Standards Mapping - Common Weakness Enumeration
[8] Standards Mapping - Common Weakness Enumeration Top 25 2023
[9] Standards Mapping - DISA Control Correlation Identifier Version 2
[10] Standards Mapping - FIPS200
[11] Standards Mapping - General Data Protection Regulation (GDPR)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5
[14] Standards Mapping - OWASP Top 10 2004
[15] Standards Mapping - OWASP Top 10 2007
[16] Standards Mapping - OWASP Top 10 2010
[17] Standards Mapping - OWASP Top 10 2013
[18] Standards Mapping - OWASP Top 10 2017
[19] Standards Mapping - OWASP Top 10 2021
[20] Standards Mapping - OWASP Application Security Verification Standard 4.0
[21] Standards Mapping - OWASP Mobile 2014
[22] Standards Mapping - OWASP Mobile 2024
[23] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2
[35] Standards Mapping - SANS Top 25 2011
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10
[43] Standards Mapping - Security Technical Implementation Guide Version 4.1
[44] Standards Mapping - Security Technical Implementation Guide Version 4.2
[45] Standards Mapping - Security Technical Implementation Guide Version 4.3
[46] Standards Mapping - Security Technical Implementation Guide Version 4.4
[47] Standards Mapping - Security Technical Implementation Guide Version 4.5
[48] Standards Mapping - Security Technical Implementation Guide Version 4.6
[49] Standards Mapping - Security Technical Implementation Guide Version 4.7
[50] Standards Mapping - Security Technical Implementation Guide Version 4.8
[51] Standards Mapping - Security Technical Implementation Guide Version 4.9
[52] Standards Mapping - Security Technical Implementation Guide Version 4.10
[53] Standards Mapping - Security Technical Implementation Guide Version 4.11
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3
[57] Standards Mapping - Web Application Security Consortium Version 2.00
[58] Standards Mapping - Web Application Security Consortium 24 + 2
desc.dataflow.actionscript.access_control_database
Abstract
Without proper access control, executing a SOQL/SOSL statement that may contain a user-supplied primary key can allow an attacker to view unauthorized records.
Explanation
Database access control errors occur when:
1. Data enters a program from an untrusted source.
2. The data is used to specify the value of a primary key in a SOQL/SOSL query.
Example 1: In the following code example, inputID value is originated from a pre-defined list, and a bind variable helps to prevent SOQL/SOSL injection.
...
result = [SELECT Name, Phone FROM Contact WHERE (IsDeleted = false AND Id=:inputID)];
...
The problem with the previous example is that using a pre-defined list of IDs is insufficient to prevent the user from modifying the value of inputID. If the attacker is able to bypass the interface and send a request with a different value he will have access to other contact information. Since the code in this example does not check to ensure that the user has permission to access the requested contact, it will display any contact, even if the user is not authorized to see it.
References
[1] Salesforce Developers Technical Library Secure Coding Guidelines - Authorization and Access Control
[2] Salesforce Developers Technical Library Testing CRUD and FLS Enforcement
[3] Salesforce Developers Technical Library Enforcing CRUD and FLS
[4] Standards Mapping - CIS Azure Kubernetes Service Benchmark
[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark
[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark
[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark
[8] Standards Mapping - CIS Kubernetes Benchmark
[9] Standards Mapping - Common Weakness Enumeration
[10] Standards Mapping - Common Weakness Enumeration Top 25 2023
[11] Standards Mapping - DISA Control Correlation Identifier Version 2
[12] Standards Mapping - FIPS200
[13] Standards Mapping - General Data Protection Regulation (GDPR)
[14] Standards Mapping - NIST Special Publication 800-53 Revision 4
[15] Standards Mapping - NIST Special Publication 800-53 Revision 5
[16] Standards Mapping - OWASP Top 10 2004
[17] Standards Mapping - OWASP Top 10 2007
[18] Standards Mapping - OWASP Top 10 2010
[19] Standards Mapping - OWASP Top 10 2013
[20] Standards Mapping - OWASP Top 10 2017
[21] Standards Mapping - OWASP Top 10 2021
[22] Standards Mapping - OWASP Application Security Verification Standard 4.0
[23] Standards Mapping - OWASP Mobile 2014
[24] Standards Mapping - OWASP Mobile 2024
[25] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.0
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.1
[36] Standards Mapping - Payment Card Industry Software Security Framework 1.2
[37] Standards Mapping - SANS Top 25 2011
[38] Standards Mapping - Security Technical Implementation Guide Version 3.1
[39] Standards Mapping - Security Technical Implementation Guide Version 3.4
[40] Standards Mapping - Security Technical Implementation Guide Version 3.5
[41] Standards Mapping - Security Technical Implementation Guide Version 3.6
[42] Standards Mapping - Security Technical Implementation Guide Version 3.7
[43] Standards Mapping - Security Technical Implementation Guide Version 3.9
[44] Standards Mapping - Security Technical Implementation Guide Version 3.10
[45] Standards Mapping - Security Technical Implementation Guide Version 4.1
[46] Standards Mapping - Security Technical Implementation Guide Version 4.2
[47] Standards Mapping - Security Technical Implementation Guide Version 4.3
[48] Standards Mapping - Security Technical Implementation Guide Version 4.4
[49] Standards Mapping - Security Technical Implementation Guide Version 4.5
[50] Standards Mapping - Security Technical Implementation Guide Version 4.6
[51] Standards Mapping - Security Technical Implementation Guide Version 4.7
[52] Standards Mapping - Security Technical Implementation Guide Version 4.8
[53] Standards Mapping - Security Technical Implementation Guide Version 4.9
[54] Standards Mapping - Security Technical Implementation Guide Version 4.10
[55] Standards Mapping - Security Technical Implementation Guide Version 4.11
[56] Standards Mapping - Security Technical Implementation Guide Version 5.1
[57] Standards Mapping - Security Technical Implementation Guide Version 5.2
[58] Standards Mapping - Security Technical Implementation Guide Version 5.3
[59] Standards Mapping - Web Application Security Consortium Version 2.00
[60] Standards Mapping - Web Application Security Consortium 24 + 2
desc.dataflow.apex.access_control_database
Abstract
Without proper access control, executing an LINQ statement that contains a user-controlled primary key can allow an attacker to view unauthorized records.
Explanation
Database access control errors occur when:
1. Data enters a program from an untrusted source.
2. The data is used to specify the value of a primary key in an LINQ query.
Example 1: The following code executes an LINQ query that searches for an invoice matching the specified identifier [1]. The identifier is selected from a list of all invoices associated with the current authenticated user.
...int16 id = System.Convert.ToInt16(invoiceID.Text);
var invoice = OrderSystem.getInvoices()
.Where(new Invoice { invoiceID = id });
...
The problem is that the developer has failed to consider all of the possible values of id. Although the interface generates a list of invoice identifiers that belong to the current user, an attacker might bypass this interface to request any desired invoice. Because the code in this example does not check to ensure that the user has permission to access the requested invoice, it will display any invoice, even if it does not belong to the current user.
References
[1] S. J. Friedl SQL Injection Attacks by Example
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark
[6] Standards Mapping - CIS Kubernetes Benchmark
[7] Standards Mapping - Common Weakness Enumeration
[8] Standards Mapping - Common Weakness Enumeration Top 25 2023
[9] Standards Mapping - DISA Control Correlation Identifier Version 2
[10] Standards Mapping - FIPS200
[11] Standards Mapping - General Data Protection Regulation (GDPR)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5
[14] Standards Mapping - OWASP Top 10 2004
[15] Standards Mapping - OWASP Top 10 2007
[16] Standards Mapping - OWASP Top 10 2010
[17] Standards Mapping - OWASP Top 10 2013
[18] Standards Mapping - OWASP Top 10 2017
[19] Standards Mapping - OWASP Top 10 2021
[20] Standards Mapping - OWASP Application Security Verification Standard 4.0
[21] Standards Mapping - OWASP Mobile 2014
[22] Standards Mapping - OWASP Mobile 2024
[23] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2
[35] Standards Mapping - SANS Top 25 2011
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10
[43] Standards Mapping - Security Technical Implementation Guide Version 4.1
[44] Standards Mapping - Security Technical Implementation Guide Version 4.2
[45] Standards Mapping - Security Technical Implementation Guide Version 4.3
[46] Standards Mapping - Security Technical Implementation Guide Version 4.4
[47] Standards Mapping - Security Technical Implementation Guide Version 4.5
[48] Standards Mapping - Security Technical Implementation Guide Version 4.6
[49] Standards Mapping - Security Technical Implementation Guide Version 4.7
[50] Standards Mapping - Security Technical Implementation Guide Version 4.8
[51] Standards Mapping - Security Technical Implementation Guide Version 4.9
[52] Standards Mapping - Security Technical Implementation Guide Version 4.10
[53] Standards Mapping - Security Technical Implementation Guide Version 4.11
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3
[57] Standards Mapping - Web Application Security Consortium Version 2.00
[58] Standards Mapping - Web Application Security Consortium 24 + 2
desc.dataflow.dotnet.access_control_linq
Abstract
Without proper access control, executing a SQL statement that contains a user-controlled primary key can allow an attacker to view unauthorized records.
Explanation
Database access control errors occur when:
1.Data enters a program from an untrusted source.
2.The data is used to specify the value of a primary key in a SQL query.
Example 1: The following code uses a parameterized statement, which escapes metacharacters and prevents SQL injection vulnerabilities, to construct and execute a SQL query that searches for an invoice matching the specified identifier [1]. The identifier is selected from a list of all invoices associated with the current authenticated user.
...
CMyRecordset rs(&dbms);
rs.PrepareSQL("SELECT * FROM invoices WHERE id = ?");
rs.SetParam_int(0,atoi(r.Lookup("invoiceID").c_str()));
rs.SafeExecuteSQL();
...
The problem is that the developer has failed to consider all of the possible values of id. Although the interface generates a list of invoice identifiers that belong to the current user, an attacker might bypass this interface to request any desired invoice. Because the code in this example does not check to ensure that the user has permission to access the requested invoice, it will display any invoice, even if it does not belong to the current user.
References
[1] S. J. Friedl SQL Injection Attacks by Example
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark
[6] Standards Mapping - CIS Kubernetes Benchmark
[7] Standards Mapping - Common Weakness Enumeration
[8] Standards Mapping - Common Weakness Enumeration Top 25 2023
[9] Standards Mapping - DISA Control Correlation Identifier Version 2
[10] Standards Mapping - FIPS200
[11] Standards Mapping - General Data Protection Regulation (GDPR)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5
[14] Standards Mapping - OWASP Top 10 2004
[15] Standards Mapping - OWASP Top 10 2007
[16] Standards Mapping - OWASP Top 10 2010
[17] Standards Mapping - OWASP Top 10 2013
[18] Standards Mapping - OWASP Top 10 2017
[19] Standards Mapping - OWASP Top 10 2021
[20] Standards Mapping - OWASP Application Security Verification Standard 4.0
[21] Standards Mapping - OWASP Mobile 2014
[22] Standards Mapping - OWASP Mobile 2024
[23] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2
[35] Standards Mapping - SANS Top 25 2011
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10
[43] Standards Mapping - Security Technical Implementation Guide Version 4.1
[44] Standards Mapping - Security Technical Implementation Guide Version 4.2
[45] Standards Mapping - Security Technical Implementation Guide Version 4.3
[46] Standards Mapping - Security Technical Implementation Guide Version 4.4
[47] Standards Mapping - Security Technical Implementation Guide Version 4.5
[48] Standards Mapping - Security Technical Implementation Guide Version 4.6
[49] Standards Mapping - Security Technical Implementation Guide Version 4.7
[50] Standards Mapping - Security Technical Implementation Guide Version 4.8
[51] Standards Mapping - Security Technical Implementation Guide Version 4.9
[52] Standards Mapping - Security Technical Implementation Guide Version 4.10
[53] Standards Mapping - Security Technical Implementation Guide Version 4.11
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3
[57] Standards Mapping - Web Application Security Consortium Version 2.00
[58] Standards Mapping - Web Application Security Consortium 24 + 2
desc.dataflow.cpp.access_control_database
Abstract
Without proper access control, executing a SQL statement that contains a user-controlled primary key can allow an attacker to view unauthorized records.
Explanation
Database access control errors occur when:
1.Data enters a program from an untrusted source.
2.The data is used to specify the value of a primary key in a SQL query.
Example 1: The following code uses a parameterized statement, which escapes metacharacters and prevents SQL injection vulnerabilities, to construct and execute a SQL query that searches for an invoice matching the specified identifier [1]. The identifier is selected from a list of all invoices associated with the current authenticated user.
...
ACCEPT ID.
EXEC SQL
DECLARE C1 CURSOR FOR
SELECT INVNO, INVDATE, INVTOTAL
FROM INVOICES
WHERE INVOICEID = :ID
END-EXEC.
...
The problem is that the developer has failed to consider all of the possible values of ID. Although the interface generates a list of invoice identifiers that belong to the current user, an attacker might bypass this interface to request any desired invoice. Because the code in this example does not check to ensure that the user has permission to access the requested invoice, it will display any invoice, even if it does not belong to the current user.
References
[1] S. J. Friedl SQL Injection Attacks by Example
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark
[6] Standards Mapping - CIS Kubernetes Benchmark
[7] Standards Mapping - Common Weakness Enumeration
[8] Standards Mapping - Common Weakness Enumeration Top 25 2023
[9] Standards Mapping - DISA Control Correlation Identifier Version 2
[10] Standards Mapping - FIPS200
[11] Standards Mapping - General Data Protection Regulation (GDPR)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5
[14] Standards Mapping - OWASP Top 10 2004
[15] Standards Mapping - OWASP Top 10 2007
[16] Standards Mapping - OWASP Top 10 2010
[17] Standards Mapping - OWASP Top 10 2013
[18] Standards Mapping - OWASP Top 10 2017
[19] Standards Mapping - OWASP Top 10 2021
[20] Standards Mapping - OWASP Application Security Verification Standard 4.0
[21] Standards Mapping - OWASP Mobile 2014
[22] Standards Mapping - OWASP Mobile 2024
[23] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2
[35] Standards Mapping - SANS Top 25 2011
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10
[43] Standards Mapping - Security Technical Implementation Guide Version 4.1
[44] Standards Mapping - Security Technical Implementation Guide Version 4.2
[45] Standards Mapping - Security Technical Implementation Guide Version 4.3
[46] Standards Mapping - Security Technical Implementation Guide Version 4.4
[47] Standards Mapping - Security Technical Implementation Guide Version 4.5
[48] Standards Mapping - Security Technical Implementation Guide Version 4.6
[49] Standards Mapping - Security Technical Implementation Guide Version 4.7
[50] Standards Mapping - Security Technical Implementation Guide Version 4.8
[51] Standards Mapping - Security Technical Implementation Guide Version 4.9
[52] Standards Mapping - Security Technical Implementation Guide Version 4.10
[53] Standards Mapping - Security Technical Implementation Guide Version 4.11
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3
[57] Standards Mapping - Web Application Security Consortium Version 2.00
[58] Standards Mapping - Web Application Security Consortium 24 + 2
desc.dataflow.cobol.access_control_database
Abstract
Without proper access control, executing a deleteDatabase method that contains a user-controlled database name can allow an attacker to delete any database.
Explanation
Database access control errors occur when:
1.Data enters a program from an untrusted source.
2.The data is used to specify the value of a database name.
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark
[5] Standards Mapping - CIS Kubernetes Benchmark
[6] Standards Mapping - Common Weakness Enumeration
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023
[8] Standards Mapping - DISA Control Correlation Identifier Version 2
[9] Standards Mapping - FIPS200
[10] Standards Mapping - General Data Protection Regulation (GDPR)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5
[13] Standards Mapping - OWASP Top 10 2004
[14] Standards Mapping - OWASP Top 10 2007
[15] Standards Mapping - OWASP Top 10 2010
[16] Standards Mapping - OWASP Top 10 2013
[17] Standards Mapping - OWASP Top 10 2017
[18] Standards Mapping - OWASP Top 10 2021
[19] Standards Mapping - OWASP Application Security Verification Standard 4.0
[20] Standards Mapping - OWASP Mobile 2014
[21] Standards Mapping - OWASP Mobile 2024
[22] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2
[34] Standards Mapping - SANS Top 25 2011
[35] Standards Mapping - Security Technical Implementation Guide Version 3.1
[36] Standards Mapping - Security Technical Implementation Guide Version 3.4
[37] Standards Mapping - Security Technical Implementation Guide Version 3.5
[38] Standards Mapping - Security Technical Implementation Guide Version 3.6
[39] Standards Mapping - Security Technical Implementation Guide Version 3.7
[40] Standards Mapping - Security Technical Implementation Guide Version 3.9
[41] Standards Mapping - Security Technical Implementation Guide Version 3.10
[42] Standards Mapping - Security Technical Implementation Guide Version 4.1
[43] Standards Mapping - Security Technical Implementation Guide Version 4.2
[44] Standards Mapping - Security Technical Implementation Guide Version 4.3
[45] Standards Mapping - Security Technical Implementation Guide Version 4.4
[46] Standards Mapping - Security Technical Implementation Guide Version 4.5
[47] Standards Mapping - Security Technical Implementation Guide Version 4.6
[48] Standards Mapping - Security Technical Implementation Guide Version 4.7
[49] Standards Mapping - Security Technical Implementation Guide Version 4.8
[50] Standards Mapping - Security Technical Implementation Guide Version 4.9
[51] Standards Mapping - Security Technical Implementation Guide Version 4.10
[52] Standards Mapping - Security Technical Implementation Guide Version 4.11
[53] Standards Mapping - Security Technical Implementation Guide Version 5.1
[54] Standards Mapping - Security Technical Implementation Guide Version 5.2
[55] Standards Mapping - Security Technical Implementation Guide Version 5.3
[56] Standards Mapping - Web Application Security Consortium Version 2.00
[57] Standards Mapping - Web Application Security Consortium 24 + 2
desc.dataflow.dart.access_control_database
Abstract
Without proper access control, executing a SQL statement that contains a user-controlled primary key can give an attacker access to unauthorized records.
Explanation
Database access control errors occur when:
1. Data enters a program from an untrusted source.
2. The data is used to specify the value of a primary key in a SQL query.
Example 1: The following code uses a parameterized statement, which escapes metacharacters and prevents SQL injection vulnerabilities, to construct and execute a SQL query that searches for an invoice matching the specified identifier [1]. The identifier is selected from a list of all invoices associated with the current authenticated user.
...
id := request.FormValue("invoiceID")
query := "SELECT * FROM invoices WHERE id = ?";
rows, err := db.Query(query, id)
...
The problem is that the developer has failed to consider all of the possible values of id. Although the interface generates a list of invoice identifiers that belong to the current user, an attacker might bypass this interface to request any desired invoice. Because the code in this example does not check to ensure that the user has permission to access the requested invoice, it will display any invoice, even if it does not belong to the current user.
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark
[5] Standards Mapping - CIS Kubernetes Benchmark
[6] Standards Mapping - Common Weakness Enumeration
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023
[8] Standards Mapping - DISA Control Correlation Identifier Version 2
[9] Standards Mapping - FIPS200
[10] Standards Mapping - General Data Protection Regulation (GDPR)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5
[13] Standards Mapping - OWASP Top 10 2004
[14] Standards Mapping - OWASP Top 10 2007
[15] Standards Mapping - OWASP Top 10 2010
[16] Standards Mapping - OWASP Top 10 2013
[17] Standards Mapping - OWASP Top 10 2017
[18] Standards Mapping - OWASP Top 10 2021
[19] Standards Mapping - OWASP Application Security Verification Standard 4.0
[20] Standards Mapping - OWASP Mobile 2014
[21] Standards Mapping - OWASP Mobile 2024
[22] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2
[34] Standards Mapping - SANS Top 25 2011
[35] Standards Mapping - Security Technical Implementation Guide Version 3.1
[36] Standards Mapping - Security Technical Implementation Guide Version 3.4
[37] Standards Mapping - Security Technical Implementation Guide Version 3.5
[38] Standards Mapping - Security Technical Implementation Guide Version 3.6
[39] Standards Mapping - Security Technical Implementation Guide Version 3.7
[40] Standards Mapping - Security Technical Implementation Guide Version 3.9
[41] Standards Mapping - Security Technical Implementation Guide Version 3.10
[42] Standards Mapping - Security Technical Implementation Guide Version 4.1
[43] Standards Mapping - Security Technical Implementation Guide Version 4.2
[44] Standards Mapping - Security Technical Implementation Guide Version 4.3
[45] Standards Mapping - Security Technical Implementation Guide Version 4.4
[46] Standards Mapping - Security Technical Implementation Guide Version 4.5
[47] Standards Mapping - Security Technical Implementation Guide Version 4.6
[48] Standards Mapping - Security Technical Implementation Guide Version 4.7
[49] Standards Mapping - Security Technical Implementation Guide Version 4.8
[50] Standards Mapping - Security Technical Implementation Guide Version 4.9
[51] Standards Mapping - Security Technical Implementation Guide Version 4.10
[52] Standards Mapping - Security Technical Implementation Guide Version 4.11
[53] Standards Mapping - Security Technical Implementation Guide Version 5.1
[54] Standards Mapping - Security Technical Implementation Guide Version 5.2
[55] Standards Mapping - Security Technical Implementation Guide Version 5.3
[56] Standards Mapping - Web Application Security Consortium Version 2.00
[57] Standards Mapping - Web Application Security Consortium 24 + 2
desc.dataflow.golang.access_control_database
Abstract
Without proper access control, executing a SQL statement that contains a user-controlled primary key can allow an attacker to view unauthorized records.
Explanation
Database access control errors occur when:
1.Data enters a program from an untrusted source.
2.The data is used to specify the value of a primary key in a SQL query.
Example 1: The following code uses a parameterized statement, which escapes metacharacters and prevents SQL injection vulnerabilities, to construct and execute a SQL query that searches for an invoice matching the specified identifier [1]. The identifier is selected from a list of all invoices associated with the current authenticated user.
...
id = Integer.decode(request.getParameter("invoiceID"));
String query = "SELECT * FROM invoices WHERE id = ?";
PreparedStatement stmt = conn.prepareStatement(query);
stmt.setInt(1, id);
ResultSet results = stmt.execute();
...
The problem is that the developer has failed to consider all of the possible values of id. Although the interface generates a list of invoice identifiers that belong to the current user, an attacker might bypass this interface to request any desired invoice. Because the code in this example does not check to ensure that the user has permission to access the requested invoice, it will display any invoice, even if it does not belong to the current user.
Some think that in the mobile world, classic web application vulnerabilities, such as database access control errors, do not make sense -- why would the user attack themself? However, keep in mind that the essence of mobile platforms is applications that are downloaded from various sources and run alongside each other on the same device. The likelihood of running a piece of malware next to a banking application is high, which necessitates expanding the attack surface of mobile applications to include inter-process communication.
Example 2: The following code adapts Example 1 to the Android platform.
...
String id = this.getIntent().getExtras().getString("invoiceID");
String query = "SELECT * FROM invoices WHERE id = ?";
SQLiteDatabase db = this.openOrCreateDatabase("DB", MODE_PRIVATE, null);
Cursor c = db.rawQuery(query, new Object[]{id});
...
A number of modern web frameworks provide mechanisms to perform user input validation (including Struts and Struts 2). To highlight the unvalidated sources of input, Fortify Secure Coding Rulepacks dynamically re-prioritize the issues Fortify Static Code Analyzer reports by lowering their probability of exploit and providing pointers to the supporting evidence whenever the framework validation mechanism is in use. We refer to this feature as Context-Sensitive Ranking. To further assist the Fortify user with the auditing process, the Fortify Software Security Research group makes available the Data Validation project template that groups the issues into folders based on the validation mechanism applied to their source of input.
References
[1] S. J. Friedl SQL Injection Attacks by Example
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark
[6] Standards Mapping - CIS Kubernetes Benchmark
[7] Standards Mapping - Common Weakness Enumeration
[8] Standards Mapping - Common Weakness Enumeration Top 25 2023
[9] Standards Mapping - DISA Control Correlation Identifier Version 2
[10] Standards Mapping - FIPS200
[11] Standards Mapping - General Data Protection Regulation (GDPR)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5
[14] Standards Mapping - OWASP Top 10 2004
[15] Standards Mapping - OWASP Top 10 2007
[16] Standards Mapping - OWASP Top 10 2010
[17] Standards Mapping - OWASP Top 10 2013
[18] Standards Mapping - OWASP Top 10 2017
[19] Standards Mapping - OWASP Top 10 2021
[20] Standards Mapping - OWASP Application Security Verification Standard 4.0
[21] Standards Mapping - OWASP Mobile 2014
[22] Standards Mapping - OWASP Mobile 2024
[23] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2
[35] Standards Mapping - SANS Top 25 2011
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10
[43] Standards Mapping - Security Technical Implementation Guide Version 4.1
[44] Standards Mapping - Security Technical Implementation Guide Version 4.2
[45] Standards Mapping - Security Technical Implementation Guide Version 4.3
[46] Standards Mapping - Security Technical Implementation Guide Version 4.4
[47] Standards Mapping - Security Technical Implementation Guide Version 4.5
[48] Standards Mapping - Security Technical Implementation Guide Version 4.6
[49] Standards Mapping - Security Technical Implementation Guide Version 4.7
[50] Standards Mapping - Security Technical Implementation Guide Version 4.8
[51] Standards Mapping - Security Technical Implementation Guide Version 4.9
[52] Standards Mapping - Security Technical Implementation Guide Version 4.10
[53] Standards Mapping - Security Technical Implementation Guide Version 4.11
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3
[57] Standards Mapping - Web Application Security Consortium Version 2.00
[58] Standards Mapping - Web Application Security Consortium 24 + 2
desc.dataflow.java.access_control_database
Abstract
Without proper access control, executing a SQL statement that contains a user-controlled primary key can allow an attacker to view unauthorized records.
Explanation
Database access control errors occur when:
1.Data enters a program from an untrusted source.
2.The data is used to specify the value of a primary key in a SQL query.
Example 1: The following code uses a parameterized statement, which escapes metacharacters and prevents SQL injection vulnerabilities, to construct and execute a SQL query that searches for an invoice matching the specified identifier [1]. The identifier is selected from a list of all invoices associated with the current authenticated user.
...
var id = document.form.invoiceID.value;
var query = "SELECT * FROM invoices WHERE id = ?";
db.transaction(function (tx) {
tx.executeSql(query,[id]);
}
)
...
The problem is that the developer has failed to consider all of the possible values of id. Although the interface generates a list of invoice identifiers that belong to the current user, an attacker might bypass this interface to request any desired invoice. Because the code in this example does not check to ensure that the user has permission to access the requested invoice, it will display any invoice, even if it does not belong to the current user.
References
[1] S. J. Friedl SQL Injection Attacks by Example
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark
[6] Standards Mapping - CIS Kubernetes Benchmark
[7] Standards Mapping - Common Weakness Enumeration
[8] Standards Mapping - Common Weakness Enumeration Top 25 2023
[9] Standards Mapping - DISA Control Correlation Identifier Version 2
[10] Standards Mapping - FIPS200
[11] Standards Mapping - General Data Protection Regulation (GDPR)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5
[14] Standards Mapping - OWASP Top 10 2004
[15] Standards Mapping - OWASP Top 10 2007
[16] Standards Mapping - OWASP Top 10 2010
[17] Standards Mapping - OWASP Top 10 2013
[18] Standards Mapping - OWASP Top 10 2017
[19] Standards Mapping - OWASP Top 10 2021
[20] Standards Mapping - OWASP Application Security Verification Standard 4.0
[21] Standards Mapping - OWASP Mobile 2014
[22] Standards Mapping - OWASP Mobile 2024
[23] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2
[35] Standards Mapping - SANS Top 25 2011
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10
[43] Standards Mapping - Security Technical Implementation Guide Version 4.1
[44] Standards Mapping - Security Technical Implementation Guide Version 4.2
[45] Standards Mapping - Security Technical Implementation Guide Version 4.3
[46] Standards Mapping - Security Technical Implementation Guide Version 4.4
[47] Standards Mapping - Security Technical Implementation Guide Version 4.5
[48] Standards Mapping - Security Technical Implementation Guide Version 4.6
[49] Standards Mapping - Security Technical Implementation Guide Version 4.7
[50] Standards Mapping - Security Technical Implementation Guide Version 4.8
[51] Standards Mapping - Security Technical Implementation Guide Version 4.9
[52] Standards Mapping - Security Technical Implementation Guide Version 4.10
[53] Standards Mapping - Security Technical Implementation Guide Version 4.11
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3
[57] Standards Mapping - Web Application Security Consortium Version 2.00
[58] Standards Mapping - Web Application Security Consortium 24 + 2
desc.dataflow.javascript.access_control_database
Abstract
Without proper access control, the identified method can execute a SQL statement that contains an attacker-controlled primary key, thereby allowing the attacker to access unauthorized records.
Explanation
Database access control errors occur when:
1.Data enters a program from an untrusted source.
2.The data is used to specify the value of a primary key in a SQL query.
Example 1: The following code uses a parameterized statement, which escapes metacharacters and prevents SQL injection vulnerabilities, to construct and execute a SQL query that searches for an invoice matching the specified identifier. The identifier is selected from a list of all invoices associated with the current authenticated user.
...NSManagedObjectContext *context = [appDelegate managedObjectContext];
NSEntityDescription *entityDesc = [NSEntityDescription entityForName:@"Invoices" inManagedObjectContext:context];
NSFetchRequest *request = [[NSFetchRequest alloc] init];
[request setEntity:entityDesc];
NSPredicate *pred = [NSPredicate predicateWithFormat:@"(id = %@)", invoiceId.text];
[request setPredicate:pred];NSManagedObject *matches = nil;
NSError *error;
NSArray *objects = [context executeFetchRequest:request error:&error];if ([objects count] == 0) {
status.text = @"No records found.";
} else {
matches = [objects objectAtIndex:0];
invoiceReferenceNumber.text = [matches valueForKey:@"invRefNum"];
orderNumber.text = [matches valueForKey:@"orderNumber"];
status.text = [NSString stringWithFormat:@"%d records found", [objects count]];
}
[request release];
...
The problem is that the developer has failed to consider all of the possible values of id. Although the interface generates a list of invoice identifiers that belong to the current user, an attacker might bypass this interface to request any desired invoice. Because the code in this example does not check to ensure that the user has permission to access the requested invoice, it will display any invoice, even if it does not belong to the current user.
References
[1] S. J. Friedl SQL Injection Attacks by Example
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark
[6] Standards Mapping - CIS Kubernetes Benchmark
[7] Standards Mapping - Common Weakness Enumeration
[8] Standards Mapping - Common Weakness Enumeration Top 25 2023
[9] Standards Mapping - DISA Control Correlation Identifier Version 2
[10] Standards Mapping - FIPS200
[11] Standards Mapping - General Data Protection Regulation (GDPR)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5
[14] Standards Mapping - OWASP Top 10 2004
[15] Standards Mapping - OWASP Top 10 2007
[16] Standards Mapping - OWASP Top 10 2010
[17] Standards Mapping - OWASP Top 10 2013
[18] Standards Mapping - OWASP Top 10 2017
[19] Standards Mapping - OWASP Top 10 2021
[20] Standards Mapping - OWASP Application Security Verification Standard 4.0
[21] Standards Mapping - OWASP Mobile 2014
[22] Standards Mapping - OWASP Mobile 2024
[23] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2
[35] Standards Mapping - SANS Top 25 2011
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10
[43] Standards Mapping - Security Technical Implementation Guide Version 4.1
[44] Standards Mapping - Security Technical Implementation Guide Version 4.2
[45] Standards Mapping - Security Technical Implementation Guide Version 4.3
[46] Standards Mapping - Security Technical Implementation Guide Version 4.4
[47] Standards Mapping - Security Technical Implementation Guide Version 4.5
[48] Standards Mapping - Security Technical Implementation Guide Version 4.6
[49] Standards Mapping - Security Technical Implementation Guide Version 4.7
[50] Standards Mapping - Security Technical Implementation Guide Version 4.8
[51] Standards Mapping - Security Technical Implementation Guide Version 4.9
[52] Standards Mapping - Security Technical Implementation Guide Version 4.10
[53] Standards Mapping - Security Technical Implementation Guide Version 4.11
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3
[57] Standards Mapping - Web Application Security Consortium Version 2.00
[58] Standards Mapping - Web Application Security Consortium 24 + 2
desc.dataflow.objc.access_control_database
Abstract
Without proper access control, executing a SQL statement that contains a user-controlled primary key can allow an attacker to view unauthorized records.
Explanation
Database access control errors occur when:
1.Data enters a program from an untrusted source.
2.The data is used to specify the value of a primary key in a SQL query.
Example 1: The following code uses a parameterized statement, which escapes metacharacters and prevents SQL injection vulnerabilities, to construct and execute a SQL query that searches for an invoice matching the specified identifier [1]. The identifier is selected from a list of all invoices associated with the current authenticated user.
...
$id = $_POST['id'];
$query = "SELECT * FROM invoices WHERE id = ?";
$stmt = $mysqli->prepare($query);
$stmt->bind_param('ss',$id);
$stmt->execute();
...
The problem is that the developer has failed to consider all of the possible values of id. Although the interface generates a list of invoice identifiers that belong to the current user, an attacker might bypass this interface to request any desired invoice. Because the code in this example does not check to ensure that the user has permission to access the requested invoice, it will display any invoice, even if it does not belong to the current user.
A number of modern web frameworks provide mechanisms to perform user input validation (including Struts and Struts 2). To highlight the unvalidated sources of input, Fortify Secure Coding Rulepacks dynamically re-prioritize the issues Fortify Static Code Analyzer reports by lowering their probability of exploit and providing pointers to the supporting evidence whenever the framework validation mechanism is in use. We refer to this feature as Context-Sensitive Ranking. To further assist the Fortify user with the auditing process, the Fortify Software Security Research group makes available the Data Validation project template that groups the issues into folders based on the validation mechanism applied to their source of input.
References
[1] S. J. Friedl SQL Injection Attacks by Example
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark
[6] Standards Mapping - CIS Kubernetes Benchmark
[7] Standards Mapping - Common Weakness Enumeration
[8] Standards Mapping - Common Weakness Enumeration Top 25 2023
[9] Standards Mapping - DISA Control Correlation Identifier Version 2
[10] Standards Mapping - FIPS200
[11] Standards Mapping - General Data Protection Regulation (GDPR)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5
[14] Standards Mapping - OWASP Top 10 2004
[15] Standards Mapping - OWASP Top 10 2007
[16] Standards Mapping - OWASP Top 10 2010
[17] Standards Mapping - OWASP Top 10 2013
[18] Standards Mapping - OWASP Top 10 2017
[19] Standards Mapping - OWASP Top 10 2021
[20] Standards Mapping - OWASP Application Security Verification Standard 4.0
[21] Standards Mapping - OWASP Mobile 2014
[22] Standards Mapping - OWASP Mobile 2024
[23] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2
[35] Standards Mapping - SANS Top 25 2011
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10
[43] Standards Mapping - Security Technical Implementation Guide Version 4.1
[44] Standards Mapping - Security Technical Implementation Guide Version 4.2
[45] Standards Mapping - Security Technical Implementation Guide Version 4.3
[46] Standards Mapping - Security Technical Implementation Guide Version 4.4
[47] Standards Mapping - Security Technical Implementation Guide Version 4.5
[48] Standards Mapping - Security Technical Implementation Guide Version 4.6
[49] Standards Mapping - Security Technical Implementation Guide Version 4.7
[50] Standards Mapping - Security Technical Implementation Guide Version 4.8
[51] Standards Mapping - Security Technical Implementation Guide Version 4.9
[52] Standards Mapping - Security Technical Implementation Guide Version 4.10
[53] Standards Mapping - Security Technical Implementation Guide Version 4.11
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3
[57] Standards Mapping - Web Application Security Consortium Version 2.00
[58] Standards Mapping - Web Application Security Consortium 24 + 2
desc.dataflow.php.access_control_database
Abstract
Without proper access control, executing a SQL statement that contains a user-controlled primary key can allow an attacker to view unauthorized records.
Explanation
Database access control errors occur when:
1. Data enters a program from an untrusted source.
2. The data is used to specify the value of a primary key in a SQL query.
Example 1: The following code uses a parameterized statement, which escapes metacharacters and prevents SQL injection vulnerabilities, to construct and execute a SQL query that searches for an invoice matching the specified identifier [1]. The identifier is selected from a list of all invoices associated with the current authenticated user.
procedure get_item (
itm_cv IN OUT ItmCurTyp,
id in varchar2)
is
open itm_cv for ' SELECT * FROM items WHERE ' ||
'invoiceID = :invid' ||
using id;
end get_item;
The problem is that the developer has failed to consider all of the possible values of id. Although the interface generates a list of invoice identifiers that belong to the current user, an attacker might bypass this interface to request any desired invoice. Because the code in this example does not check to ensure that the user has permission to access the requested invoice, it will display any invoice, even if it does not belong to the current user.
References
[1] S. J. Friedl SQL Injection Attacks by Example
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark
[6] Standards Mapping - CIS Kubernetes Benchmark
[7] Standards Mapping - Common Weakness Enumeration
[8] Standards Mapping - Common Weakness Enumeration Top 25 2023
[9] Standards Mapping - DISA Control Correlation Identifier Version 2
[10] Standards Mapping - FIPS200
[11] Standards Mapping - General Data Protection Regulation (GDPR)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5
[14] Standards Mapping - OWASP Top 10 2004
[15] Standards Mapping - OWASP Top 10 2007
[16] Standards Mapping - OWASP Top 10 2010
[17] Standards Mapping - OWASP Top 10 2013
[18] Standards Mapping - OWASP Top 10 2017
[19] Standards Mapping - OWASP Top 10 2021
[20] Standards Mapping - OWASP Application Security Verification Standard 4.0
[21] Standards Mapping - OWASP Mobile 2014
[22] Standards Mapping - OWASP Mobile 2024
[23] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2
[35] Standards Mapping - SANS Top 25 2011
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10
[43] Standards Mapping - Security Technical Implementation Guide Version 4.1
[44] Standards Mapping - Security Technical Implementation Guide Version 4.2
[45] Standards Mapping - Security Technical Implementation Guide Version 4.3
[46] Standards Mapping - Security Technical Implementation Guide Version 4.4
[47] Standards Mapping - Security Technical Implementation Guide Version 4.5
[48] Standards Mapping - Security Technical Implementation Guide Version 4.6
[49] Standards Mapping - Security Technical Implementation Guide Version 4.7
[50] Standards Mapping - Security Technical Implementation Guide Version 4.8
[51] Standards Mapping - Security Technical Implementation Guide Version 4.9
[52] Standards Mapping - Security Technical Implementation Guide Version 4.10
[53] Standards Mapping - Security Technical Implementation Guide Version 4.11
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3
[57] Standards Mapping - Web Application Security Consortium Version 2.00
[58] Standards Mapping - Web Application Security Consortium 24 + 2
desc.dataflow.sql.access_control_database
Abstract
Without proper access control, executing a SQL statement that contains a user-controlled primary key can allow an attacker to view unauthorized records.
Explanation
Database access control errors occur when:
1. Data enters a program from an untrusted source.
2. The data is used to specify the value of a primary key in a SQL query.
Example 1: The following code uses a parameterized statement, which escapes metacharacters and prevents SQL injection vulnerabilities, to construct and execute a SQL query that searches for an invoice matching the specified identifier [1]. The identifier is selected from a list of all invoices associated with the current authenticated user.
...
id = request.POST['id']
c = db.cursor()
stmt = c.execute("SELECT * FROM invoices WHERE id = %s", (id,))
...
The problem is that the developer has failed to consider all of the possible values of id. Although the interface generates a list of invoice identifiers that belong to the current user, an attacker might bypass this interface to request any desired invoice. Because the code in this example does not check to ensure that the user has permission to access the requested invoice, it will display any invoice, even if it does not belong to the current user.
References
[1] S. J. Friedl SQL Injection Attacks by Example
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark
[6] Standards Mapping - CIS Kubernetes Benchmark
[7] Standards Mapping - Common Weakness Enumeration
[8] Standards Mapping - Common Weakness Enumeration Top 25 2023
[9] Standards Mapping - DISA Control Correlation Identifier Version 2
[10] Standards Mapping - FIPS200
[11] Standards Mapping - General Data Protection Regulation (GDPR)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5
[14] Standards Mapping - OWASP Top 10 2004
[15] Standards Mapping - OWASP Top 10 2007
[16] Standards Mapping - OWASP Top 10 2010
[17] Standards Mapping - OWASP Top 10 2013
[18] Standards Mapping - OWASP Top 10 2017
[19] Standards Mapping - OWASP Top 10 2021
[20] Standards Mapping - OWASP Application Security Verification Standard 4.0
[21] Standards Mapping - OWASP Mobile 2014
[22] Standards Mapping - OWASP Mobile 2024
[23] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2
[35] Standards Mapping - SANS Top 25 2011
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10
[43] Standards Mapping - Security Technical Implementation Guide Version 4.1
[44] Standards Mapping - Security Technical Implementation Guide Version 4.2
[45] Standards Mapping - Security Technical Implementation Guide Version 4.3
[46] Standards Mapping - Security Technical Implementation Guide Version 4.4
[47] Standards Mapping - Security Technical Implementation Guide Version 4.5
[48] Standards Mapping - Security Technical Implementation Guide Version 4.6
[49] Standards Mapping - Security Technical Implementation Guide Version 4.7
[50] Standards Mapping - Security Technical Implementation Guide Version 4.8
[51] Standards Mapping - Security Technical Implementation Guide Version 4.9
[52] Standards Mapping - Security Technical Implementation Guide Version 4.10
[53] Standards Mapping - Security Technical Implementation Guide Version 4.11
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3
[57] Standards Mapping - Web Application Security Consortium Version 2.00
[58] Standards Mapping - Web Application Security Consortium 24 + 2
desc.dataflow.python.access_control_database
Abstract
Without proper access control, executing a SQL statement that contains a user-controlled primary key can allow an attacker to view unauthorized records.
Explanation
Database access control errors occur when:
1. Data enters a program from an untrusted source.
2. The data is used to specify the value of a primary key in a SQL query.
Example 1: The following code uses a parameterized statement, which escapes metacharacters and prevents SQL injection vulnerabilities, to construct and execute a SQL query that searches for an invoice matching the specified identifier [1]. The identifier is selected from a list of all invoices associated with the current authenticated user.
...
id = req['invoiceID'].respond_to(:to_int)
query = "SELECT * FROM invoices WHERE id=?"
stmt = conn.prepare(query)
stmt.execute(id)
...
The problem is that the developer has failed to consider all of the possible values of id. Although the interface generates a list of invoice identifiers that belong to the current user, an attacker might bypass this interface to request any desired invoice. Because the code in this example does not check to ensure that the user has permission to access the requested invoice, it will display any invoice, even if it does not belong to the current user.
References
[1] S. J. Friedl SQL Injection Attacks by Example
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark
[6] Standards Mapping - CIS Kubernetes Benchmark
[7] Standards Mapping - Common Weakness Enumeration
[8] Standards Mapping - Common Weakness Enumeration Top 25 2023
[9] Standards Mapping - DISA Control Correlation Identifier Version 2
[10] Standards Mapping - FIPS200
[11] Standards Mapping - General Data Protection Regulation (GDPR)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5
[14] Standards Mapping - OWASP Top 10 2004
[15] Standards Mapping - OWASP Top 10 2007
[16] Standards Mapping - OWASP Top 10 2010
[17] Standards Mapping - OWASP Top 10 2013
[18] Standards Mapping - OWASP Top 10 2017
[19] Standards Mapping - OWASP Top 10 2021
[20] Standards Mapping - OWASP Application Security Verification Standard 4.0
[21] Standards Mapping - OWASP Mobile 2014
[22] Standards Mapping - OWASP Mobile 2024
[23] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2
[35] Standards Mapping - SANS Top 25 2011
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10
[43] Standards Mapping - Security Technical Implementation Guide Version 4.1
[44] Standards Mapping - Security Technical Implementation Guide Version 4.2
[45] Standards Mapping - Security Technical Implementation Guide Version 4.3
[46] Standards Mapping - Security Technical Implementation Guide Version 4.4
[47] Standards Mapping - Security Technical Implementation Guide Version 4.5
[48] Standards Mapping - Security Technical Implementation Guide Version 4.6
[49] Standards Mapping - Security Technical Implementation Guide Version 4.7
[50] Standards Mapping - Security Technical Implementation Guide Version 4.8
[51] Standards Mapping - Security Technical Implementation Guide Version 4.9
[52] Standards Mapping - Security Technical Implementation Guide Version 4.10
[53] Standards Mapping - Security Technical Implementation Guide Version 4.11
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3
[57] Standards Mapping - Web Application Security Consortium Version 2.00
[58] Standards Mapping - Web Application Security Consortium 24 + 2
desc.dataflow.ruby.access_control_database
Abstract
Without proper access control, executing a SQL statement that contains a user-controlled primary key can allow an attacker to view unauthorized records.
Explanation
Database access control errors occur when:
1.Data enters a program from an untrusted source.
2.The data is used to specify the value of a primary key in a SQL query.
Example 1: The following code uses a parameterized statement, which escapes metacharacters and prevents SQL injection vulnerabilities, to construct and execute a SQL query that searches for an invoice matching the specified identifier [1]. The identifier is selected from a list of all invoices associated with the current authenticated user.
def searchInvoice(value:String) = Action.async { implicit request =>
val result: Future[Seq[Invoice]] = db.run {
sql"select * from invoices where id=$value".as[Invoice]
}
...
}
The problem is that the developer has failed to consider all of the possible values of id. Although the interface generates a list of invoice identifiers that belong to the current user, an attacker might bypass this interface to request any desired invoice. Because the code in this example does not check to ensure that the user has permission to access the requested invoice, it will display any invoice, even if it does not belong to the current user.
References
[1] S. J. Friedl SQL Injection Attacks by Example
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark
[6] Standards Mapping - CIS Kubernetes Benchmark
[7] Standards Mapping - Common Weakness Enumeration
[8] Standards Mapping - Common Weakness Enumeration Top 25 2023
[9] Standards Mapping - DISA Control Correlation Identifier Version 2
[10] Standards Mapping - FIPS200
[11] Standards Mapping - General Data Protection Regulation (GDPR)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5
[14] Standards Mapping - OWASP Top 10 2004
[15] Standards Mapping - OWASP Top 10 2007
[16] Standards Mapping - OWASP Top 10 2010
[17] Standards Mapping - OWASP Top 10 2013
[18] Standards Mapping - OWASP Top 10 2017
[19] Standards Mapping - OWASP Top 10 2021
[20] Standards Mapping - OWASP Application Security Verification Standard 4.0
[21] Standards Mapping - OWASP Mobile 2014
[22] Standards Mapping - OWASP Mobile 2024
[23] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2
[35] Standards Mapping - SANS Top 25 2011
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10
[43] Standards Mapping - Security Technical Implementation Guide Version 4.1
[44] Standards Mapping - Security Technical Implementation Guide Version 4.2
[45] Standards Mapping - Security Technical Implementation Guide Version 4.3
[46] Standards Mapping - Security Technical Implementation Guide Version 4.4
[47] Standards Mapping - Security Technical Implementation Guide Version 4.5
[48] Standards Mapping - Security Technical Implementation Guide Version 4.6
[49] Standards Mapping - Security Technical Implementation Guide Version 4.7
[50] Standards Mapping - Security Technical Implementation Guide Version 4.8
[51] Standards Mapping - Security Technical Implementation Guide Version 4.9
[52] Standards Mapping - Security Technical Implementation Guide Version 4.10
[53] Standards Mapping - Security Technical Implementation Guide Version 4.11
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3
[57] Standards Mapping - Web Application Security Consortium Version 2.00
[58] Standards Mapping - Web Application Security Consortium 24 + 2
desc.dataflow.scala.access_control_database
Abstract
Without proper access control, the identified method can execute a SQL statement that contains an attacker-controlled primary key, thereby allowing the attacker to access unauthorized records.
Explanation
Database access control errors occur when:
1.Data enters a program from an untrusted source.
2.The data is used to specify the value of a primary key in a SQL query.
Example 1: The following code uses a parameterized statement, which escapes metacharacters and prevents SQL injection vulnerabilities, to construct and execute a SQL query that searches for an invoice matching the specified identifier. The identifier is selected from a list of all invoices associated with the current authenticated user.
...
let fetchRequest = NSFetchRequest()
let entity = NSEntityDescription.entityForName("Invoices", inManagedObjectContext: managedContext)
fetchRequest.entity = entity
let pred : NSPredicate = NSPredicate(format:"(id = %@)", invoiceId.text)
fetchRequest.setPredicate = pred
do {
let results = try managedContext.executeFetchRequest(fetchRequest)
let result : NSManagedObject = results.first!
invoiceReferenceNumber.text = result.valueForKey("invRefNum")
orderNumber.text = result.valueForKey("orderNumber")
status.text = "\(results.count) records found"
} catch let error as NSError {
print("Error \(error)")
}
...
The problem is that the developer has failed to consider all of the possible values of id. Although the interface generates a list of invoice identifiers that belong to the current user, an attacker might bypass this interface to request any desired invoice. Because the code in this example does not check to ensure that the user has permission to access the requested invoice, it will display any invoice, even if it does not belong to the current user.
References
[1] S. J. Friedl SQL Injection Attacks by Example
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark
[6] Standards Mapping - CIS Kubernetes Benchmark
[7] Standards Mapping - Common Weakness Enumeration
[8] Standards Mapping - Common Weakness Enumeration Top 25 2023
[9] Standards Mapping - DISA Control Correlation Identifier Version 2
[10] Standards Mapping - FIPS200
[11] Standards Mapping - General Data Protection Regulation (GDPR)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5
[14] Standards Mapping - OWASP Top 10 2004
[15] Standards Mapping - OWASP Top 10 2007
[16] Standards Mapping - OWASP Top 10 2010
[17] Standards Mapping - OWASP Top 10 2013
[18] Standards Mapping - OWASP Top 10 2017
[19] Standards Mapping - OWASP Top 10 2021
[20] Standards Mapping - OWASP Application Security Verification Standard 4.0
[21] Standards Mapping - OWASP Mobile 2014
[22] Standards Mapping - OWASP Mobile 2024
[23] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2
[35] Standards Mapping - SANS Top 25 2011
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10
[43] Standards Mapping - Security Technical Implementation Guide Version 4.1
[44] Standards Mapping - Security Technical Implementation Guide Version 4.2
[45] Standards Mapping - Security Technical Implementation Guide Version 4.3
[46] Standards Mapping - Security Technical Implementation Guide Version 4.4
[47] Standards Mapping - Security Technical Implementation Guide Version 4.5
[48] Standards Mapping - Security Technical Implementation Guide Version 4.6
[49] Standards Mapping - Security Technical Implementation Guide Version 4.7
[50] Standards Mapping - Security Technical Implementation Guide Version 4.8
[51] Standards Mapping - Security Technical Implementation Guide Version 4.9
[52] Standards Mapping - Security Technical Implementation Guide Version 4.10
[53] Standards Mapping - Security Technical Implementation Guide Version 4.11
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3
[57] Standards Mapping - Web Application Security Consortium Version 2.00
[58] Standards Mapping - Web Application Security Consortium 24 + 2
desc.dataflow.swift.access_control_database
Abstract
Without proper access control, executing a SQL statement that contains a user-controlled primary key can allow an attacker to view unauthorized records.
Explanation
Database access control errors occur when:
1.Data enters a program from an untrusted source.
2.The data is used to specify the value of a primary key in a SQL query.
Example 1: The following code uses a parameterized statement, which escapes metacharacters and prevents SQL injection vulnerabilities, to construct and execute a SQL query that searches for an invoice matching the specified identifier [1]. The identifier is selected from a list of all invoices associated with the current authenticated user.
...
id = Request.Form("invoiceID")
strSQL = "SELECT * FROM invoices WHERE id = ?"
objADOCommand.CommandText = strSQL
objADOCommand.CommandType = adCmdText
set objADOParameter = objADOCommand.CreateParameter("id" , adString, adParamInput, 0, 0)
objADOCommand.Parameters("id") = id
...
The problem is that the developer has failed to consider all of the possible values of id. Although the interface generates a list of invoice identifiers that belong to the current user, an attacker might bypass this interface to request any desired invoice. Because the code in this example does not check to ensure that the user has permission to access the requested invoice, it will display any invoice, even if it does not belong to the current user.
References
[1] S. J. Friedl SQL Injection Attacks by Example
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark
[6] Standards Mapping - CIS Kubernetes Benchmark
[7] Standards Mapping - Common Weakness Enumeration
[8] Standards Mapping - Common Weakness Enumeration Top 25 2023
[9] Standards Mapping - DISA Control Correlation Identifier Version 2
[10] Standards Mapping - FIPS200
[11] Standards Mapping - General Data Protection Regulation (GDPR)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5
[14] Standards Mapping - OWASP Top 10 2004
[15] Standards Mapping - OWASP Top 10 2007
[16] Standards Mapping - OWASP Top 10 2010
[17] Standards Mapping - OWASP Top 10 2013
[18] Standards Mapping - OWASP Top 10 2017
[19] Standards Mapping - OWASP Top 10 2021
[20] Standards Mapping - OWASP Application Security Verification Standard 4.0
[21] Standards Mapping - OWASP Mobile 2014
[22] Standards Mapping - OWASP Mobile 2024
[23] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2
[35] Standards Mapping - SANS Top 25 2011
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10
[43] Standards Mapping - Security Technical Implementation Guide Version 4.1
[44] Standards Mapping - Security Technical Implementation Guide Version 4.2
[45] Standards Mapping - Security Technical Implementation Guide Version 4.3
[46] Standards Mapping - Security Technical Implementation Guide Version 4.4
[47] Standards Mapping - Security Technical Implementation Guide Version 4.5
[48] Standards Mapping - Security Technical Implementation Guide Version 4.6
[49] Standards Mapping - Security Technical Implementation Guide Version 4.7
[50] Standards Mapping - Security Technical Implementation Guide Version 4.8
[51] Standards Mapping - Security Technical Implementation Guide Version 4.9
[52] Standards Mapping - Security Technical Implementation Guide Version 4.10
[53] Standards Mapping - Security Technical Implementation Guide Version 4.11
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3
[57] Standards Mapping - Web Application Security Consortium Version 2.00
[58] Standards Mapping - Web Application Security Consortium 24 + 2
desc.dataflow.vb.access_control_database
