- Type: Enhancement
- Status: Closed
- Priority: Critical
- Resolution: Unresolved
- Component/s: None
- Labels: None
- Module: BenAdmin - Security
- Reported by: Harbinger
- Item State: Development - Ready for Local Testing
- Issue Importance: Must Have
When we add input on the notes category like asdf' or '1'='1, the category is added successfully.
We should block use of OR with '. It should show the SQL injection character message.
Field | Original Value | New Value |
---|---|---|
Summary | SQL Injection OR condition generic implementation | SQL Injection : Block use of OR condition as input with quote |
Module | Parent values: BenAdmin(10100) | Parent values: BenAdmin(10100); Level 1 values: Security(10112) |
Item State | Parent values: Development(10200); Level 1 values: In Progress(10206) | Parent values: Development(10200); Level 1 values: Ready for Local Testing(10209) |
Status | New Request [ 10029 ] | Pending for Approval [ 10002 ] |
Status | Pending for Approval [ 10002 ] | Rejected [ 10004 ] |
Status | Rejected [ 10004 ] | Closed [ 6 ] |
Transition | Time In Source Status | Execution Times |
---|---|---|
| 20d 23h 53m | 1 |
| 11s | 1 |
| 33s | 1 |
Affected files:
1. trunk\WORKTERRAweb\Web\SharedFunctionWebTier\SharedFunctionWebTier\Modules\CustomModelBinder.cs
2. trunk\WORKTERRAweb\Web\Web Projects\Web.config
We have added a new tag in the config which decides whether the OR condition is validated or not. This tag is added to give flexibility for the use of OR in input.
<add key="ValidateOROperatorForSQLInjection" value="true" />
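As an added illustration of how such a config-driven check could sit in an MVC model binder (example code, not the ticket's actual CustomModelBinder.cs change), assuming ASP.NET MVC 5 with System.Configuration; the class name, regex and error message are assumptions, and the regex reflects one reading of "OR with quote". A filter like this supplements parameterized queries, which remain the primary defense against SQL injection.

```csharp
using System;
using System.Configuration;
using System.Text.RegularExpressions;
using System.Web.Mvc;

// Hypothetical binder; register for strings in Application_Start with
// ModelBinders.Binders.Add(typeof(string), new SqlInjectionGuardModelBinder());
public class SqlInjectionGuardModelBinder : DefaultModelBinder
{
    // Matches a single quote and the word OR in either order, e.g. asdf' or '1'='1
    private static readonly Regex QuoteAndOr = new Regex(
        @"'.*\bor\b|\bor\b.*'", RegexOptions.IgnoreCase | RegexOptions.Compiled);

    // Reads <add key="ValidateOROperatorForSQLInjection" value="true" />;
    // a missing or unparseable value is treated as "validate" (fail closed).
    private static bool ValidateOrOperator()
    {
        string raw = ConfigurationManager.AppSettings["ValidateOROperatorForSQLInjection"];
        bool enabled;
        return !bool.TryParse(raw, out enabled) || enabled;
    }

    // True when the submitted value contains the blocked quote + OR pattern.
    public static bool ContainsQuotedOr(string value)
    {
        return !string.IsNullOrEmpty(value) && QuoteAndOr.IsMatch(value);
    }

    public override object BindModel(ControllerContext controllerContext,
                                     ModelBindingContext bindingContext)
    {
        ValueProviderResult result = bindingContext.ValueProvider.GetValue(bindingContext.ModelName);
        string raw = result == null ? null : result.AttemptedValue;

        if (ValidateOrOperator() && ContainsQuotedOr(raw))
        {
            // Reject the field; the controller sees ModelState.IsValid == false
            // and returns the message instead of saving the category.
            bindingContext.ModelState.AddModelError(bindingContext.ModelName,
                "Input contains SQL injection characters (OR with quote) and is not allowed.");
            return null;
        }
        return base.BindModel(controllerContext, bindingContext);
    }
}
```

With the key set to false, the binder falls through to the default binding and the OR check is skipped, which is the flexibility the config tag is meant to provide.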