Authorization Bypass Through User-Controlled SQL Primary Key
ID: 566 | Date: (C)2012-05-14 (M)2022-10-10 |
Type: weakness | Status: INCOMPLETE |
Abstraction Type: Variant |
Description
The software uses a database table that includes records that
should not be accessible to an actor, but it executes a SQL statement with a
primary key that can be controlled by that actor.
Extended Description
When a user can set a primary key to any value, then the user can modify
the key to point to unauthorized records.
Database access control errors occur when:
- Data enters a program from an untrusted source.
- The data is used to specify the value of a primary key in a SQL query.
- The untrusted source does not have the permissions to be able to
access all rows in the associated table.
Applicable Platforms
Technology Class: Often
Technology Class: Database-Server
Time Of Introduction
- Architecture and Design
- Implementation
Common Consequences
Scope | Technical Impact | Notes |
---|
Confidentiality, Integrity, Access_Control | Read application data; Modify application data; Bypass protection mechanism | |
Detection Methods None
Potential Mitigations
Phase | Strategy | Description | Effectiveness | Notes |
---|
Implementation | | Assume all input is malicious. Use a standard input validation mechanism to validate all input for length, type, syntax, and business rules before accepting the data. Use an "accept known good" validation strategy. | | |
Implementation | | Use a parameterized query AND make sure that the accepted values conform to the business rules. Construct your SQL statement accordingly. | | |
Relationships
Related CWE | Type | View | Chain |
---|
CWE-566 ChildOf CWE-896 | Category | CWE-888 | |
Demonstrative Examples (Details)
- The following code uses a parameterized statement, which escapes
metacharacters and prevents SQL injection vulnerabilities, to construct and
execute a SQL query that searches for an invoice matching the specified
identifier [1]. The identifier is selected from a list of all invoices
associated with the current authenticated user.
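The lookup described above, next to a form that applies both mitigations, as an added example that is not part of the original entry. The `invoices` schema, the function names and the sample rows are assumptions constructed for illustration.

```python
import sqlite3

def make_db():
    """Build an in-memory database holding constructed sample invoices."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE invoices ("
               "id INTEGER PRIMARY KEY, owner TEXT NOT NULL, amount REAL NOT NULL)")
    db.executemany(
        "INSERT INTO invoices (id, owner, amount) VALUES (?, ?, ?)",
        [(1, "alice", 120.0), (2, "alice", 75.5), (3, "bob", 9000.0)],
    )
    return db

def get_invoice_unchecked(db, invoice_id):
    """CWE-566 pattern: the query is parameterized, so there is no SQL
    injection, but the primary key supplied by the client is trusted as-is."""
    return db.execute(
        "SELECT id, owner, amount FROM invoices WHERE id = ?", (invoice_id,)
    ).fetchone()

def parse_invoice_id(raw):
    """Accept-known-good validation: a short, positive decimal integer only."""
    text = str(raw).strip()
    if not (text.isascii() and text.isdigit() and len(text) <= 9):
        raise ValueError("invoice id must be a positive integer")
    value = int(text)
    if value < 1:
        raise ValueError("invoice id must be a positive integer")
    return value

def get_invoice_for_user(db, session_user, raw_id):
    """Hardened form: the owner comes from the server-side session, never from
    the request, and is bound into the WHERE clause as the business rule."""
    invoice_id = parse_invoice_id(raw_id)
    return db.execute(
        "SELECT id, owner, amount FROM invoices WHERE id = ? AND owner = ?",
        (invoice_id, session_user),
    ).fetchone()

if __name__ == "__main__":
    db = make_db()
    # "alice" is authenticated but submits invoice id 3, which belongs to "bob".
    print("unchecked:", get_invoice_unchecked(db, 3))
    print("owner-bound:", get_invoice_for_user(db, "alice", "3"))
    print("own invoice:", get_invoice_for_user(db, "alice", "2"))
```

The owner-bound query returns no row both for a missing invoice and for one owned by someone else, so the response does not reveal which ids exist.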
White Box Definitions None
Black Box Definitions None
Taxonomy Mappings None
References: None