CWE-566 通过用户控制SQL主密钥绕过授权机制

admin 2021年12月4日16:21:48CWE(弱点枚举)评论22 views2134字阅读7分6秒阅读模式

CWE-566 通过用户控制SQL主密钥绕过授权机制

Authorization Bypass Through User-Controlled SQL Primary Key

结构: Simple

Abstraction: Variant

状态: Incomplete

被利用可能性: unkown


The software uses a database table that includes records that should not be accessible to an actor, but it executes a SQL statement with a primary key that can be controlled by that actor.


When a user can set a primary key to any value, then the user can modify the key to point to unauthorized records.

Database access control errors occur when:


  • cwe_Nature: ChildOf cwe_CWE_ID: 639 cwe_View_ID: 1000 cwe_Ordinal: Primary

  • cwe_Nature: ChildOf cwe_CWE_ID: 639 cwe_View_ID: 699 cwe_Ordinal: Primary


Technology: {'cwe_Name': 'Database Server', 'cwe_Prevalence': 'Often'}


范围 影响 注释
['Confidentiality', 'Integrity', 'Access Control'] ['Read Application Data', 'Modify Application Data', 'Bypass Protection Mechanism']




Assume all input is malicious. Use a standard input validation mechanism to validate all input for length, type, syntax, and business rules before accepting the data. Use an "accept known good" validation strategy.



Use a parameterized query AND make sure that the accepted values conform to the business rules. Construct your SQL statement accordingly.


The following code uses a parameterized statement, which escapes metacharacters and prevents SQL injection vulnerabilities, to construct and execute a SQL query that searches for an invoice matching the specified identifier [1]. The identifier is selected from a list of all invoices associated with the current authenticated user.

bad C#

conn = new SqlConnection(_ConnectionString);
int16 id = System.Convert.ToInt16(invoiceID.Text);
SqlCommand query = new SqlCommand( "SELECT * FROM invoices WHERE id = @id", conn);
query.Parameters.AddWithValue("@id", id);
SqlDataReader objReader = objCommand.ExecuteReader();

The problem is that the developer has not considered all of the possible values of id. Although the interface generates a list of invoice identifiers that belong to the current user, an attacker can bypass this interface to request any desired invoice. Because the code in this example does not check to ensure that the user has permission to access the requested invoice, it will display any invoice, even if it does not belong to the current user.


映射的分类名 ImNode ID Fit Mapped Node Name
Software Fault Patterns SFP25 Tainted input to variable


特别标注: 本站(CN-SEC.COM)所有文章仅供技术研究,若将其信息做其他用途,由用户承担全部法律及连带责任,本站不承担任何法律及连带责任,请遵守中华人民共和国安全法.
  • 我的微信
  • 微信扫一扫
  • weinxin
  • 我的微信公众号
  • 微信扫一扫
  • weinxin
  • 本文由 发表于 2021年12月4日16:21:48
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                  CWE-566 通过用户控制SQL主密钥绕过授权机制


匿名网友 填写信息

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: