ABSTRACT

Constructing a SimpleDB select statement that contains user input can allow an attacker to view unauthorized records.

EXPLANATION

Query string injection vulnerabilities occur when:
1. Data enters a program from an untrusted source.



2. The data is used to dynamically construct a SimpleDB query string.



Example 1: The following code dynamically constructs and executes a SimpleDB select() query that searches for invoices that match a user-specified product category. The user can also specify the column by which the results are sorted. Assume that the application has already properly authenticated and set the value of customerID prior to this code segment.


...
String customerID = getAuthenticatedCustomerID(customerName, customerCredentials);
...
AmazonSimpleDBClient sdbc = new AmazonSimpleDBClient(appAWSCredentials);
String query = "select * from invoices where productCategory = '"
+ productCategory + "' and customerID = '"
+ customerID + "' order by '"
+ sortColumn + "' asc";
SelectResult sdbResult = sdbc.select(new SelectRequest(query));
...


The query that this code intends to execute looks like:


select * from invoices
where productCategory = 'Fax Machines'
and customerID = '12345678'
order by 'price' asc


However, because the query is constructed dynamically by concatenating a constant base query string and a user input string, the query only behaves correctly if productCategory and price do not contain single-quote characters. If, however, an attacker provides the string "Fax Machines' or productCategory = \"" for productCategory, and the string "\" order by 'price" for sortColumn, then the query becomes the following:


select * from invoices
where productCategory = 'Fax Machines' or productCategory = "'
and customerID = '12345678'
order by '" order by 'price' asc


or, in a more human-readable form,


select * from invoices
where productCategory = 'Fax Machines'
or productCategory = "' and customerID = '12345678' order by '"
order by 'price' asc


These inputs allow an attacker to bypass the required authentication for customerID, and allows the attacker to view invoice records matching 'Fax Machines' for all customers.

REFERENCES

[1] Standards Mapping - OWASP Top 10 2010 - (OWASP 2010) A1 Injection

[2] Standards Mapping - OWASP Top 10 2007 - (OWASP 2007) A2 Injection Flaws

[3] Standards Mapping - OWASP Top 10 2004 - (OWASP 2004) A6 Injection Flaws

[4] Standards Mapping - Security Technical Implementation Guide Version 3 - (STIG 3) APP3510 CAT I, APP3540.1 CAT, APP3540.3 CAT II

[5] Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 89

[6] Standards Mapping - SANS Top 25 2009 - (SANS 2009) Insecure Interaction - CWE ID 089

[7] Standards Mapping - SANS Top 25 2010 - (SANS 2010) Insecure Interaction - CWE ID 089

[8] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 - (PCI 1.2) Requirement 6.3.1.1, Requirement 6.5.2

[9] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 - (PCI 2.0) Requirement 6.5.1

[10] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 - (PCI 1.1) Requirement 6.5.6

[11] Secure Use of Cloud Storage

[12] Standards Mapping - FIPS200 - (FISMA) SI

[13] Standards Mapping - Web Application Security Consortium 24 + 2 - (WASC 24 + 2) SQL Injection