CWE•Variant•Incomplete•1 recent CVE
CWE-566Authorization Bypass Through User-Controlled SQL Primary Key
Description
The product uses a database table that includes records that should not be accessible to an actor, but it executes a SQL statement with a primary key that can be controlled by that actor.
[object Object]
Common consequences
- Confidentiality,Integrity,Access Control→Read Application Data,Modify Application Data,Bypass Protection Mechanism
Potential mitigations
- ImplementationAssume all input is malicious. Use a standard input validation mechanism to validate all input for length, type, syntax, and business rules before accepting the data. Use an "accept known good" validation strategy.
- ImplementationUse a parameterized query AND make sure that the accepted values conform to the business rules. Construct your SQL statement accordingly.