Constructing a dynamic Castle ActiveRecord statement with user input might allow an attacker to modify the statement's meaning or to execute arbitrary SQL commands.
SQL Injection errors related to Castle ActiveRecord occur when:
1. Data enters a program from an untrusted source.
2. The data is used to dynamically construct a query.
Example 1: The following code dynamically constructs and executes a Castle ActiveRecord query that searches for items matching a specified name. The query restricts the items displayed to those whose owner matches the user name of the currently authenticated user.
...
string userName = ctx.getAuthenticatedUserName();
string queryString = "SELECT * FROM items WHERE owner = '"
+ userName + "' AND itemname = '"
+ ItemName.Text + "'";
SimpleQuery<Item> queryObject = new SimpleQuery<Item>(queryString);
Item[] items = queryObject.Execute();
...
The query intends to execute the following code:
SELECT * FROM items
WHERE owner = <userName>
AND itemname = <itemName>;
However, because the query is constructed dynamically by concatenating a constant base query string with a user input string, it behaves correctly only if itemName does not contain a single-quote character. If an attacker with the user name wiley enters the string "name' OR 'a'='a" for itemName, then the query becomes the following:
SELECT * FROM items
WHERE owner = 'wiley'
AND itemname = 'name' OR 'a'='a';
The addition of the OR 'a'='a' condition causes the WHERE clause to always evaluate to true, so the query becomes logically equivalent to the much simpler query:
SELECT * FROM items;
This simplification of the query bypasses the restriction that only items owned by the authenticated user be returned; the query now returns every entry stored in the items table, regardless of their specified owner.

[1] Standards Mapping - OWASP Top 10 2010 - (OWASP 2010) A1 Injection
[2] Standards Mapping - OWASP Top 10 2007 - (OWASP 2007) A2 Injection Flaws
[3] Standards Mapping - OWASP Top 10 2004 - (OWASP 2004) A6 Injection Flaws
[4] Standards Mapping - Security Technical Implementation Guide Version 3 - (STIG 3) APP3510 CAT I, APP3540.1 CAT, APP3540.3 CAT II
[5] Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 89
[6] Standards Mapping - SANS Top 25 2009 - (SANS 2009) Insecure Interaction - CWE ID 089
[7] Standards Mapping - SANS Top 25 2010 - (SANS 2010) Insecure Interaction - CWE ID 089
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 - (PCI 1.2) Requirement 6.3.1.1, Requirement 6.5.2
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 - (PCI 2.0) Requirement 6.5.1
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 - (PCI 1.1) Requirement 6.5.6
[11] Standards Mapping - FIPS200 - (FISMA) SI
[12] Standards Mapping - Web Application Security Consortium 24 + 2 - (WASC 24 + 2) SQL Injection
[13] P. Finnigan, SQL Injection and Oracle, Part One, SecurityFocus
[14] S. J. Friedl, SQL Injection Attacks by Example
[15] P. Litwin, Stop SQL Injection Attacks Before They Stop You, MSDN Magazine
[16] M. Howard, D. LeBlanc, Writing Secure Code, Second Edition, Microsoft Press
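As an added example (not code from the original page or from the Castle project), the lookup of Example 1 written against SimpleQuery<T>, first with the string concatenation the page describes and then with the values bound as positional HQL parameters so that a quote in itemName stays data. The Item mapping, the column names and the calling code are assumptions; SimpleQuery<T> takes HQL, so the statements are written as "from Item i ..." rather than the SQL-style text shown above.

```csharp
using Castle.ActiveRecord;
using Castle.ActiveRecord.Queries;

// Assumed mapping of the "items" table used in Example 1.
[ActiveRecord("items")]
public class Item : ActiveRecordBase<Item>
{
    [PrimaryKey]
    public int Id { get; set; }

    [Property("owner")]
    public string Owner { get; set; }

    [Property("itemname")]
    public string ItemName { get; set; }
}

public static class ItemLookup
{
    // Vulnerable form: itemName (attacker-controlled) is spliced into the HQL text.
    // With itemName = "name' OR 'a'='a" the WHERE clause becomes a tautology and
    // every row in "items" is returned, exactly as the walkthrough above shows.
    public static Item[] FindVulnerable(string userName, string itemName)
    {
        string hql = "from Item i where i.Owner = '" + userName +
                     "' and i.ItemName = '" + itemName + "'";
        return new SimpleQuery<Item>(hql).Execute();
    }

    // Hardened form: the HQL text is a compile-time constant and the two values are
    // passed as positional parameters (the "?" placeholders). The driver binds them
    // as data, so a single quote in itemName cannot change the statement's structure.
    public static Item[] FindSafe(string userName, string itemName)
    {
        const string hql = "from Item i where i.Owner = ? and i.ItemName = ?";
        return new SimpleQuery<Item>(hql, userName, itemName).Execute();
    }
}
```

Binding parameters is the fix; escaping quotes by hand is not equivalent, because it has to be repeated at every query site and is easy to get wrong for other delimiters.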