Connection String Injection Attack

Today I was looking at some new classes in .NET 2.0 and stumbled across the DbConnectionStringBuilder class. It assembles a connection string from individual key/value pairs and quotes or escapes any value that contains delimiter characters such as ';' or quotes, so a value that came from user input cannot break out of its own keyword and smuggle in additional keywords (for example a different User ID, Password or Integrated Security setting). If you construct a connection string dynamically by concatenating a server name accepted from the user, you could be vulnerable to this attack. Here is an example of how to mitigate it using the SqlConnectionStringBuilder class, whose typed properties additionally give you compile-time checking of the keyword names.

using System;

// Each keyword is set through the builder; the value is quoted by the
// builder if it contains ';' or quote characters, so it stays one value.
System.Data.SqlClient.SqlConnectionStringBuilder builder =
    new System.Data.SqlClient.SqlConnectionStringBuilder();
builder["Data Source"] = "(local)";
builder["Integrated Security"] = true;
builder["Initial Catalog"] = "AdventureWorks";
builder["Persist Security Info"] = "false";
Console.WriteLine(builder.ConnectionString);

If you're using user input to create a connection string, use this class instead of string concatenation. The builder only keeps a hostile value from breaking out of its keyword; it does not decide whether that value is acceptable, so you should also validate the input before passing it to the builder (for a server name, check it against an allow-list of servers the application is meant to talk to). For more information about this class and connection string security in general, see the following links.
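To make the difference concrete, here is an added example (not code from the original post) that builds the same connection string both ways from a constructed hostile "server name" and then parses the results back. The method names and the allow-list of servers are assumptions made for illustration; the API calls are the ordinary System.Data.SqlClient ones.

```csharp
using System;
using System.Data.SqlClient;

class ConnectionStringInjectionDemo
{
    // Vulnerable: the user-supplied value is concatenated straight into the string,
    // so any ';'-separated keywords it contains become keywords of the connection string.
    static string BuildByConcatenation(string serverFromUser)
    {
        return "Initial Catalog=AdventureWorks;Integrated Security=true;Data Source=" + serverFromUser;
    }

    // Hardened: the builder quotes a value containing ';' or quotes, so the whole
    // hostile string is kept as a single Data Source value.
    static string BuildWithBuilder(string serverFromUser)
    {
        SqlConnectionStringBuilder builder = new SqlConnectionStringBuilder();
        builder.DataSource = serverFromUser;
        builder.InitialCatalog = "AdventureWorks";
        builder.IntegratedSecurity = true;
        builder.PersistSecurityInfo = false;
        return builder.ConnectionString;
    }

    // Input validation the builder does not do for you: only servers the application
    // is meant to talk to are accepted. The list here is a hypothetical example.
    static readonly string[] AllowedServers = { "(local)", "sql01.corp.example", "sql02.corp.example" };

    static bool IsAllowedServer(string serverFromUser)
    {
        foreach (string allowed in AllowedServers)
        {
            if (string.Equals(allowed, serverFromUser, StringComparison.OrdinalIgnoreCase))
                return true;
        }
        return false;
    }

    static void Main()
    {
        // Constructed hostile input: a "server name" that tries to append its own keywords.
        string hostile = "attacker.example;Integrated Security=false;User ID=sa;Password=P@ss";

        string concatenated = BuildByConcatenation(hostile);
        string built = BuildWithBuilder(hostile);
        Console.WriteLine("Concatenated: " + concatenated);
        Console.WriteLine("Builder:      " + built);

        // Parse each result the way SqlConnection would. In the concatenated string the
        // attacker's User ID/Password are separate keywords; in the builder's string the
        // entire hostile text is still just the Data Source value.
        SqlConnectionStringBuilder parsedConcat = new SqlConnectionStringBuilder(concatenated);
        SqlConnectionStringBuilder parsedBuilt = new SqlConnectionStringBuilder(built);
        Console.WriteLine("Concatenated -> Data Source: " + parsedConcat.DataSource
                          + ", User ID: " + parsedConcat.UserID);
        Console.WriteLine("Builder      -> Data Source: " + parsedBuilt.DataSource
                          + ", User ID: '" + parsedBuilt.UserID + "'");

        // Even with the builder, reject a server that is not on the allow-list.
        Console.WriteLine("Hostile value allowed? " + IsAllowedServer(hostile));
        Console.WriteLine("(local) allowed?       " + IsAllowedServer("(local)"));
    }
}
```

The builder's output wraps the hostile value in double quotes, which is why re-parsing it yields an empty User ID and the whole hostile text as Data Source. The allow-list check is what stops the application from connecting to attacker.example in the first place; quoting alone does not.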

Connection String Builders (ADO.NET)

Using the SqlConnectionStringBuilder to guard against Connection String Injection Attacks

Securing Connection Strings

Thanks

Anil