ABSTRACT

Constructing a SQLite query statement that contains user input can allow an attacker to view unauthorized records.

EXPLANATION

Query string injection vulnerabilities occur when:
1. Data enters a program from an untrusted source.



2. The data is used to dynamically construct a SQLite query string.



There is an important distinction between injection attacks against a SQL database and injection attacks against a SQLite database. Unlike SQL injection, SQLite string injection allows malicious users to view unauthorized records, but does not allow them to alter the state of the database in any way.

Example 1: The following code dynamically constructs and executes a SQLite query that searches for invoices associated with a customer and a user-specified product category. The user can also specify the column by which the results should be sorted. Assume that the program has already properly authenticated and set the value of customerID prior to this code segment.


...
productCategory = this.getIntent().getExtras().getString("productCategory");
sortColumn = this.getIntent().getExtras().getString("sortColumn");
customerID = getAuthenticatedCustomerID(customerName, customerCredentials);
c = invoicesDB.query(Uri.parse(invoices), columns, "productCategory = '" + productCategory + "' and customerID = '" + customerID + "'", null, null, null, "'" + sortColumn + "'asc", null);
...


The query that this code intends to execute looks like:


select * from invoices
where productCategory = 'Fax Machines'
and customerID = '12345678'
order by 'price' asc


However, the query is constructed dynamically by concatenating a constant base query string and a user input string productCategory. So the query behaves correctly only if productCategory and sortColumn do not contain single-quote characters. If an attacker provides the string "Fax Machines' or productCategory = \"" for productCategory, and the string "\" order by 'price" for sortColumn, then the query becomes:


select * from invoices
where productCategory = 'Fax Machines' or productCategory = "'
and customerID = '12345678'
order by '" order by 'price' asc


or, in a more readable form,


select * from invoices
where productCategory = 'Fax Machines'
or productCategory = "' and customerID = '12345678' order by '"
order by 'price' asc


These inputs allow an attacker to bypass the required authentication for customerID and allows the attacker to view invoice records matching 'Fax Machines' for all customers.

REFERENCES

[1] Standards Mapping - OWASP Top 10 2010 - (OWASP 2010) A1 Injection

[2] Standards Mapping - OWASP Top 10 2007 - (OWASP 2007) A2 Injection Flaws

[3] Standards Mapping - OWASP Top 10 2004 - (OWASP 2004) A6 Injection Flaws

[4] Android Developers-Reference: SQLite Database

[5] Standards Mapping - Security Technical Implementation Guide Version 3 - (STIG 3) APP3510 CAT I, APP3540.1 CAT, APP3540.3 CAT II

[6] Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 89

[7] Standards Mapping - SANS Top 25 2009 - (SANS 2009) Insecure Interaction - CWE ID 089

[8] Standards Mapping - SANS Top 25 2010 - (SANS 2010) Insecure Interaction - CWE ID 089

[9] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 - (PCI 1.2) Requirement 6.3.1.1, Requirement 6.5.2

[10] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 - (PCI 2.0) Requirement 6.5.1

[11] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 - (PCI 1.1) Requirement 6.5.6

[12] Standards Mapping - FIPS200 - (FISMA) SI

[13] SQL as Understood by SQLite

[14] Standards Mapping - Web Application Security Consortium 24 + 2 - (WASC 24 + 2) SQL Injection