
The mobile application must prevent SQL injection.


Overview

Finding ID: V-35668
Version: SRG-APP-000251-MAPP-00056
Rule ID: SV-46955r1_rule
IA Controls:
Severity: Medium
Description
Format string vulnerabilities usually occur when unvalidated input is written directly into the format string used by the printf-style family of C/C++ functions. If an attacker can manipulate a format string, this may result in a buffer overflow causing a denial of service for the application. Format string vulnerabilities may lead to information disclosure vulnerabilities. Format string vulnerabilities may be used to execute arbitrary code. If the application code does not contain format string vulnerabilities, then the risk of buffer overflows and other software exploits is significantly mitigated. Please refer to CWEs: 20, 74, 78, 88, 119, 120, 125, 129, 131, 134, 135, 170, 176, 193, 195, 242, 249, 251, 415, 560, 686, 733, 787, and 805 for further information. Additional information on CWEs is found in the MAPP SRG Overview.
STIG: Mobile Application Security Requirements Guide
Date: 2013-01-04

Details

Check Text ( C-44010r2_chk )
This IA control does not apply when the SQL database resides on a remote system. In that case, SQL must be controlled on the remote system, not on the mobile device. If the application uses a local SQL database, perform a dynamic program analysis to assess whether the application is vulnerable to SQL injection, as follows. Fill in the login and other input fields with potentially valid user names (e.g., admin, system, root, and administrator) followed by a comment sequence so that the rest of the SQL query is ignored. Fill in the password fields with any values and submit the form. Test inputs:

username' --
username' #
username'/*
' or 1=1--
' or 1=1#
' or 1=1/*
') or 1=1--
') or 1=1#
') or 1=1/*

If the dynamic program analysis reveals that any of these inputs bypasses user authentication, grants access as an authenticated user, or grants elevated access to the application or its data, this is a finding. In addition to the dynamic program analysis, review the application documentation or interview the application representative and request a demonstration of how the application:
- uses prepared statements for SQL queries.
- does not provide direct access to tables (e.g., access is provided by views and stored procedures).
- does not use string concatenation or substitution to build SQL queries.

Next, perform a static program analysis to assess whether the application does what is listed above. If the static program analysis cannot provide results or the application representative cannot demonstrate that the application uses prepared statements for SQL queries, this is a finding. If the static program analysis cannot provide results or the application representative cannot demonstrate that the application does not use concatenation or substitution to build SQL queries, this is a finding. If the static program analysis cannot provide results or the application representative cannot demonstrate that the application does not directly access tables in a database, this is a finding.
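A worked example of the check above in Python against an in-memory SQLite database, added here as an illustration and not part of the SRG text. login_concat builds the query by string concatenation (the pattern the static analysis step is meant to catch); login_prepared uses a prepared statement with bound parameters and reads through a view rather than the table directly; dynamic_test feeds the listed inputs to a login function and reports which of them bypass authentication. The users table, the view, the accounts and the local SQLite store are all constructed for the example.

```python
import sqlite3

# Constructed sample data: a throwaway in-memory database standing in for an
# application's local SQLite store. Plaintext passwords are used only to keep
# the example short; a real application stores a salted hash.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("admin", "S3cret!", "admin"),
        ("alice", "hunter2", "user"),
    ])
    # A view limits what application code can reach (no direct table access).
    con.execute("CREATE VIEW login_view AS SELECT username, password FROM users")
    return con

# The pattern the check text is looking for: the query is assembled by
# concatenation, so the user input becomes part of the SQL grammar.
def login_concat(con, username, password):
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    row = con.execute(sql).fetchone()
    return row[0] if row else None

# Hardened form: a prepared statement with bound parameters. The input is
# always treated as data, never as SQL, and the query goes through the view.
def login_prepared(con, username, password):
    row = con.execute(
        "SELECT username FROM login_view WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None

# The authentication-bypass inputs listed in the check text, with "admin"
# substituted for the "username" placeholder.
PAYLOADS = [
    "admin' --", "admin' #", "admin'/*",
    "' or 1=1--", "' or 1=1#", "' or 1=1/*",
    "') or 1=1--", "') or 1=1#", "') or 1=1/*",
]

def dynamic_test(login):
    """Run every payload through a login function with a wrong password.
    Returns the payloads that produced an authenticated user, i.e. the
    inputs for which the check text says 'this is a finding'."""
    con = make_db()
    bypassed = []
    for p in PAYLOADS:
        try:
            if login(con, p, "wrong-password") is not None:
                bypassed.append(p)
        except sqlite3.Error:
            # A SQL syntax error is not a bypass, but it still shows the input
            # reached the SQL parser, which is itself evidence of concatenation.
            pass
    return bypassed

if __name__ == "__main__":
    print("concatenated query bypassed by:", dynamic_test(login_concat))
    print("prepared statement bypassed by:", dynamic_test(login_prepared))
```

Which inputs succeed depends on the database engine: SQLite honours `--` line comments and unterminated `/*` block comments but rejects `#`, which is a MySQL comment marker, and the `')` variants only help when the original query wrapped the condition in parentheses. An input that fails with a syntax error is therefore not evidence that the code is safe; the prepared-statement version returns no bypasses and raises no errors for any of them.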
Fix Text (F-40210r1_fix)
Modify the source code to remove SQL injection vulnerabilities.