Connection String Parameter Pollution

csharp.connection_string_parameter_pollution

Severity

critical

Resource

Resource Management

Language

CSharp

Description

External control of connection string.

Rationale

Database connectivity typically involves constructing a connection string – a snippet of text encoding the details of the connection to the database, such as hostname, database name, and credentials.

When user input is improperly included in a connection string, it can lead to parameter pollution. This means that the attacker can inject additional parameters or override existing ones, potentially accessing databases they shouldn’t or altering their privileges.

Vulnerable practice in C# might involve concatenating user input directly into a connection string, as shown below:

using MySql.Data.MySqlClient;

// Assume this comes from an untrusted source
(string username, string password) = LoadFromUntrustedSource();

// VULNERABLE: Untrusted values directly embedded in connection string
string connectionString = $"Server=localhost;Database=mydatabase;User Id={username};Password={password};";

using (MySqlConnection conn = new MySqlConnection(connectionString))
{
    conn.Open();
    // ... attacker may have access to an unintended database
}

In this example, the username and password inputs are directly embedded into the connection string. If an attacker is able to inject malicious content into either of these fields, they could manipulate the connection string to access arbitrary databases or alter security settings.

Remediation

Mitigating connection string parameter pollution involves several key practices:

Use Parameter Objects: Avoid concatenating user input into connection strings. Instead, use APIs or configurations that separate parameters from the connection logic.
Validate and Sanitize User Input: If user input must be incorporated into the connection process, ensure it is strictly validated and sanitized according to expected patterns.
Environment Configuration: Use environment variables or configuration files to manage sensitive credential information away from user modification capabilities.

Here’s a fix for the above example, using MySqlConnectionStringBuilder instead of concatenating into the connection string:

var builder = new MySqlConnectionStringBuilder
{
    Server = "localhost",
    Database = "mydatabase",
    UserID = username,    // Still must validate
    Password = password    // Still must validate
};
string safeConnectionString = builder.ConnectionString;

In this secure example, user credentials are no longer concatenated into the connection string. Instead, MySqlConnectionStringBuilder is used to handle the credentials separately and securely. By defining user authentication details outside of user influence, the risk of connection string parameter pollution is significantly reduced.

By applying these practices, you can protect C# applications from connection string manipulation attacks, bolstering their security against unauthorized access or misconfiguration.

Configuration

The detector has the following configurable parameters:

sources, that indicates the source kinds to check.
neutralizations, that indicates the neutralization kinds to check.

Unless you need to change the default behavior, you typically do not need to configure this detector.

References

CWE-15 : External Control of System or Configuration Setting.
Connection String Parameter Pollution Attacks, by C. Alonso, Blackhat DC 2010.
OWASP Top 10 2021 - A03 : Injection.