Connection String Parameter Pollution

ID

java.connection_string_parameter_pollution

Severity

critical

Resource

Resource Management

Language

Java

Tags

CWE:15, NIST.SP.800-53, OWASP:2021:A5, PCI-DSS:6.5.1

Description

External control of connection string.

Rationale

Database connectivity typically involves constructing a connection string – a snippet of text encoding the details of the connection to the database, such as hostname, database name, and credentials.

When user input is improperly included in a connection string, it can lead to parameter pollution. This means that the attacker can inject additional parameters or override existing ones, potentially accessing databases they shouldn’t or altering their privileges.

Vulnerable practice in Java might involve concatenating user input directly into a connection string, as shown below:

import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;

public class ConnectionStringPollutionExample {
    public static void main(String[] args) {
        String userInput = "someuser"; // Assume this comes from an untrusted source
        String password = "somepassword"; // Assume this comes from an untrusted source

        String connectionString = "jdbc:mysql://localhost:3306/mydatabase?user=" + userInput + "&password=" + password;

        try (Connection conn = DriverManager.getConnection(connectionString)) {
            // Do something with the connection
        } catch (SQLException e) {
            e.printStackTrace();
        }
    }
}

In this example, the userInput and password inputs are directly embedded into the connection string. If an attacker is able to inject malicious content into either of these fields, they could manipulate the connection string to access arbitrary databases or alter security settings.

Remediation

Mitigating connection string parameter pollution involves several key practices:

  1. Use Parameter Objects: Avoid concatenating user input into connection strings. Instead, use APIs or configurations that separate parameters from the connection logic.

  2. Validate and Sanitize User Input: If user input must be incorporated into the connection process, ensure it is strictly validated and sanitized according to expected patterns.

  3. Environment Configuration: Use environment variables or configuration files to manage sensitive credential information away from user modification capabilities.

Here’s an improved version leveraging secure practices:

import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Properties;

public class SecureConnectionStringExample {
    public static void main(String[] args) {
        Properties connectionProps = new Properties();
        connectionProps.put("user", "fixedUser");  // Securely predefined user
        connectionProps.put("password", "fixedPassword"); // Securely predefined password

        String jdbcUrl = "jdbc:mysql://localhost:3306/mydatabase";

        try (Connection conn = DriverManager.getConnection(jdbcUrl, connectionProps)) {
            // Perform database operations with established connection
        } catch (SQLException e) {
            e.printStackTrace();
        }
    }
}

In this secure example, user credentials are no longer concatenated into the connection string. Instead, Properties are used to handle the credentials separately and securely. By defining user authentication details outside of user influence, the risk of connection string parameter pollution is significantly reduced.

By applying these practices, you can protect Java applications from connection string manipulation attacks, bolstering their security against unauthorized access or misconfiguration.

Configuration

The detector has the following configurable parameters:

  • sources, that indicates the source kinds to check.

  • neutralizations, that indicates the neutralization kinds to check.

Unless you need to change the default behavior, you typically do not need to configure this detector.

References