Without proper access control, executing a SQLite statement that contains a user-controlled primary key can allow an attacker to view unauthorized records.
Access control errors occur in SQLite queries when:
1. Data enters a program from an untrusted source.
2. The data is used to specify the value of a primary key in a SQLite query.
Example 1: The following code uses a parametrized statement, which escapes metacharacters and prevents query string injection vulnerabilities, to construct and execute a SQLite query that searches for an invoice that matches a user-specified identifier.
...
id = this.getIntent().getExtras().getInt("id");
cursor = db.query(Uri.parse(invoices), columns, "id = ? ", {id}, null, null, null);
...
id
. Although the query generates a list of invoice identifiers that belong to the current user, an attacker can bypass this behavior to request any desired invoice. Because the code in this example does not ensure that the user has permission to access the requested invoice, it will display any invoice, even if it does not belong to the current user.
[1] Standards Mapping - OWASP Top 10 2004 - (OWASP 2004) A2 Broken Access Control
[2] Standards Mapping - OWASP Top 10 2007 - (OWASP 2007) A4 Insecure Direct Object Reference
[3] Standards Mapping - OWASP Top 10 2010 - (OWASP 2010) A4 Insecure Direct Object References
[4] Standards Mapping - FIPS200 - (FISMA) AC
[5] Android Developers-Reference: SQLite Database
[6] Standards Mapping - Security Technical Implementation Guide Version 3 - (STIG 3) APP3510 CAT I
[7] Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 566
[8] Standards Mapping - Web Application Security Consortium 24 + 2 - (WASC 24 + 2) Insufficient Authorization
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 - (PCI 1.1) Requirement 6.5.2
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 - (PCI 1.2) Requirement 6.5.4
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 - (PCI 2.0) Requirement 6.5.8
[12] S. J. Friedl SQL Injection Attacks by Example