User Controlled Primary Key

java.user_controlled_primary_key

Severity

high

Resource

Misconfiguration

Language

Java

Description

This vulnerability arises when an application uses user-supplied input to control primary key values for database queries or operations, which may lead to unauthorized data access or modification.

Rationale

When user input is directly used to build database queries, including primary keys, it can result in unauthorized access or manipulation of protected data.

This problem is particularly dangerous when primary keys are integers or predictable values, as it enables users to perform unintended actions like accessing records that belong to other users, potentially exposing or corrupting sensitive information.

For example, consider this Java code snippet:

String userId = request.getParameter("userId");

PreparedStatement stmt = connection.prepareStatement("select * from invoices where uid=?");
preparedStatement.setInt(1, id); // FLAW

preparedStatement.executeQuery();

In this example, the userId parameter is user controlled, which may allow a user to access data of any user simply by changing the userId value.

Remediation

To mitigate the risks of CWE-566, it’s essential to avoid constructing database queries using user-supplied input directly or allow user input to control database primary key values. Best practices include:

If the SQL query is constructed without relying on user-controlled input, such as through the use of parameterized SQL, attackers cannot access unauthorized records.

Configuration

The detector has the following configurable parameters:

sources, that indicates the source kinds to check.
neutralizations, that indicates the neutralization kinds to check.

Unless you need to change the default behavior, you typically do not need to configure this detector.

References

CWE-566 : Authorization Bypass Through User-Controlled SQL Primary Key.