Name: SQL Injection through SOAP Parameter Tampering
Summary:
An attacker modifies the parameters of the SOAP message that is sent from the service consumer to the service provider in order to initiate a SQL injection attack. On the service provider side, the SOAP message is parsed and the parameters are not properly validated before being used to access a database without parameter binding, which lets the attacker control the structure of the executed SQL query. This pattern describes a SQL injection attack whose delivery mechanism is a SOAP message.
Prerequisites:
- SOAP messages are used as a communication mechanism in the system.
- SOAP parameters are not properly validated at the service provider.
- The service provider does not properly use parameter binding when building SQL queries.
Solutions:
- Properly validate and sanitize or reject user input at the service provider.
- Ensure that prepared statements or another mechanism that provides parameter binding are used when accessing the database, so that attacker-supplied data cannot control the structure of the executed query.
- At the database level, ensure that the database user the application runs as in a given context has only the minimum privileges needed to perform the operation. When possible, run queries against pre-generated views rather than the tables directly.
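The following added example (not part of this entry) shows the vulnerable and the hardened form of a SOAP-backed database lookup side by side: a constructed SOAP request whose accountId parameter has been tampered with, a handler that concatenates that value into SQL, and a handler that validates it and uses parameter binding. The service namespace urn:example:accounts, the GetBalance operation and the accounts table are hypothetical; the database is an in-memory SQLite table.

```python
import sqlite3
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
ACC_NS = "urn:example:accounts"   # hypothetical service namespace

# Constructed sample request: the consumer-controlled <accountId>
# parameter has been tampered with to alter the provider's query.
TAMPERED_REQUEST = f"""<soap:Envelope xmlns:soap="{SOAP_NS}" xmlns:acc="{ACC_NS}">
  <soap:Body>
    <acc:GetBalance>
      <acc:accountId>0' OR '1'='1</acc:accountId>
    </acc:GetBalance>
  </soap:Body>
</soap:Envelope>"""


def extract_account_id(envelope_xml: str) -> str:
    """Parse the SOAP Body and return the accountId parameter as text."""
    root = ET.fromstring(envelope_xml)
    body = root.find(f"{{{SOAP_NS}}}Body")
    node = body.find(f".//{{{ACC_NS}}}accountId")
    return node.text or ""


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the provider's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                     [("1001", 50), ("1002", 75), ("1003", 20)])
    return conn


def lookup_unsafe(conn: sqlite3.Connection, account_id: str) -> list:
    """Vulnerable: the SOAP parameter is concatenated into the query text,
    so a tampered value changes the structure of the statement."""
    sql = f"SELECT id, balance FROM accounts WHERE id = '{account_id}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, account_id: str) -> list:
    """Hardened: reject anything that is not a plain numeric id, then pass
    the value through parameter binding, where it can only ever be
    compared as a literal (binding alone already prevents the injection)."""
    if not account_id.isdigit():
        return []
    sql = "SELECT id, balance FROM accounts WHERE id = ?"
    return conn.execute(sql, (account_id,)).fetchall()
```

With the tampered request, lookup_unsafe returns every row in the table while lookup_safe returns nothing; a legitimate id such as "1002" still returns its single row through the safe path.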