Authorization Bypass Through User-Controlled SQL Primary Key

ID: CWE-566
Date: Created 2012-05-14, Modified 2022-10-10
Type: Weakness
Status: INCOMPLETE
Abstraction Type: Variant

Description

The software uses a database table that includes records that should not be accessible to an actor, but it executes a SQL statement with a primary key that can be controlled by that actor.

Extended Description

When a user can set a primary key to any value, the user can modify the key to point to unauthorized records.

Database access control errors occur when all of the following hold:

  • Data enters a program from an untrusted source.
  • The data is used to specify the value of a primary key in a SQL query.
  • The untrusted source does not have the permissions to access all rows in the associated table.

Applicable Platforms
Technology Class: Database Server (Prevalence: Often)

Time Of Introduction

  • Architecture and Design
  • Implementation

Common Consequences

Scope: Confidentiality, Integrity, Access Control
Technical Impact: Read application data; Modify application data; Bypass protection mechanism
Notes: None

Detection Methods
None

Potential Mitigations

Phase: Implementation
Strategy: None listed
Description: Assume all input is malicious. Use a standard input validation mechanism to validate all input for length, type, syntax, and business rules before accepting the data. Use an "accept known good" validation strategy.
Effectiveness: None listed
Notes: None

Phase: Implementation
Strategy: None listed
Description: Use a parameterized query AND make sure that the accepted values conform to the business rules. Construct your SQL statement accordingly.
Effectiveness: None listed
Notes: None

Relationships

Related CWE: CWE-896
Type: ChildOf (CWE-896 is a Category)
View: CWE-888
Chain: None

Demonstrative Examples

  1. The following code uses a parameterized statement, which escapes metacharacters and prevents SQL injection vulnerabilities, to construct and execute a SQL query that searches for an invoice matching the specified identifier [1]. The identifier is selected from a list of all invoices associated with the current authenticated user, but nothing in the query itself ties the requested invoice to that user.

White Box Definitions
None

Black Box Definitions
None

Taxonomy Mappings
None

References:
None

© SecPod Technologies