Applications use connection strings to specify credentials used to access databases. If the application includes unvalidated user input in connection strings, an attacker may be able to change what databases the application connects to. Connection string injection vulnerabilities apply to applications that connect to databases.
By manipulating the connection string, an attacker can cause the application to connect to an unintended data source. The attacker may be able to bypass authentication by re-routing the application to a database under their control, or obtain data from another database by re-routing the application to it. The exact impact of a connection string injection vulnerability is difficult to predict because it depends heavily on application logic. Overall, connection string injection is difficult for an attacker to exploit, but it is still a serious vulnerability.
To prevent connection string injection vulnerabilities, validate all input, store connection strings securely, and don't use user input in connection strings.
Validate all input:
Store connection strings securely:
Don't use user input in connection strings:
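The following is an added example, not code from the original article: it contrasts a connection string built by concatenating a user-supplied database name with a hardened builder that allow-lists that value and takes everything else from stored configuration. The server name, database name and the tampered input are all constructed for the demonstration.

```python
import re

# Connection strings in the ADO.NET / ODBC style are ';'-separated
# key=value pairs. Most providers honour the LAST occurrence of a key, so
# a value that smuggles in a ';' can add or override keys such as Data Source.

# Constructed base settings, standing in for securely stored configuration.
CONFIG = {"server": "db01.internal.example", "database": "appdb"}

def parse_pairs(conn):
    """Split a connection string the way a provider sees it (last key wins)."""
    pairs = {}
    for part in conn.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            pairs[key.strip().lower()] = value.strip()
    return pairs

def build_unsafe(user_database):
    """Vulnerable: a user-supplied value is concatenated into the string."""
    return (f"Data Source={CONFIG['server']};"
            f"Initial Catalog={user_database};Integrated Security=True")

# Allow-list: database identifiers are limited to a conservative character set.
DB_NAME = re.compile(r"[A-Za-z0-9_]{1,128}")

def build_safe(user_database):
    """Hardened: validate the only variable part; the rest comes from config."""
    if DB_NAME.fullmatch(user_database) is None:
        raise ValueError("database name contains disallowed characters")
    return (f"Data Source={CONFIG['server']};"
            f"Initial Catalog={user_database};Integrated Security=True")

def effective_data_source(builder, user_database):
    """Where would the application actually connect? None if input rejected."""
    try:
        return parse_pairs(builder(user_database)).get("data source")
    except ValueError:
        return None

if __name__ == "__main__":
    # Constructed input with an embedded ';' that appends a second Data Source.
    tampered = "appdb;Data Source=unintended-host"
    print(effective_data_source(build_unsafe, tampered))  # unintended-host
    print(effective_data_source(build_safe, tampered))    # None (rejected)
    print(effective_data_source(build_safe, "appdb"))     # db01.internal.example
```

The same allow-list check belongs in the code review step: any connection string whose variable parts are not validated this way, or that is assembled from user input at all, should be flagged.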
To check for adequate protection against connection string injection vulnerabilities, find all connection strings used by the application and verify that all input is validated, connection strings are stored securely, and user input is not used in connection strings.
All input is validated:
Connection strings are stored securely:
User input is not used in connection strings:
Computer Based Training Links
Use the following Computer Based Training course(s) for more background information about this type of vulnerability.
Creating Secure Code – .NET 4.0 Foundations
This course describes .NET security features, including concepts such as Code Access Security (CAS) and .NET cryptographic technologies. It also provides secure coding best practices that will enable you to build more secure applications in .NET.
Fundamentals of Secure Database Development
This course introduces developers to the fundamentals of secure database development. The course begins with a discussion on the role of databases and how they are used in today's software systems. It also discusses the common database attacks that could be used to cause significant loss to organizations. Next, it reviews the best practices that developers should incorporate to mitigate the risks from database attacks, including practices that developers should avoid. Finally, the course concludes with a walk-through of a software system scenario that allows you to apply the database attacks and developer best practices discussed throughout the course.
Creating Secure Code – Oracle Foundations
This course consists of three modules. The first module introduces you to database security and the challenges faced in developing secure database-driven applications. The second module covers important application development security basics as well as best practices. The third module covers common security attacks that impact Oracle database developers and the recommended countermeasures to mitigate risks from those attacks.
Creating Secure Code – SQL Server
In this course, you will learn about securely developing applications using Microsoft SQL Server database versions 2008 and 2012. This course consists of three modules. The first module introduces you to database security and the challenges faced in developing secure database-driven applications. The second module covers important application development security basics as well as best practices. The third module covers common security attacks that impact SQL server database developers and the recommended mitigation to reduce risks from those attacks.
Valid login credentials and enrollment in the course itself are required to access Team Professor content. If you need login credentials, please contact firstname.lastname@example.org for help.