Make Vulnerable to SQL Injection

 
Greenhorn
Posts: 6
Hi guys. After testing a few SQL injections on my login page, it seems the SQL injection doesn't work, which is a good thing.
However, now I want to make my login page vulnerable to SQL injection, because one of my software security assignment tasks is to find OWASP Top 10 weaknesses in our own developed application.
Below is my login page code:

 
author & internet detective
Posts: 42027
Jack,
You need to have a SQL statement in your code in order to be vulnerable to SQL injection. I know how to do this in Java, but not C#, so I googled.

It looks like the way to do that is with a SqlCommand class. Here's an example
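As an added example (not the poster's code and not the code the reply links to) of the SqlCommand pattern the reply refers to, here is a C# login check written both ways: the string-concatenated form that is open to injection, and the parameterized form that is not. The Users table, its Username and Password columns, and the connString value are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example. Assumes a Users table with Username and Password columns
// and a valid SQL Server connection string in connString.
public static class LoginQueries
{
    // VULNERABLE: the user-supplied values are pasted into the SQL text, so the
    // database parser cannot distinguish data from SQL keywords. This is the
    // Injection weakness from the OWASP Top 10 that the assignment asks for.
    public static bool LoginVulnerable(string connString, string username, string password)
    {
        string sql = "SELECT COUNT(*) FROM Users WHERE Username = '" + username +
                     "' AND Password = '" + password + "'";
        using (var conn = new SqlConnection(connString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            conn.Open();
            return (int)cmd.ExecuteScalar() > 0;
        }
    }

    // SAFE: the SQL text is fixed and the values travel as typed parameters,
    // so whatever characters the input contains, it is treated as data only.
    public static bool LoginParameterized(string connString, string username, string password)
    {
        const string sql = "SELECT COUNT(*) FROM Users WHERE Username = @user AND Password = @pass";
        using (var conn = new SqlConnection(connString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@user", SqlDbType.NVarChar, 256).Value = username;
            cmd.Parameters.Add("@pass", SqlDbType.NVarChar, 256).Value = password;
            conn.Open();
            return (int)cmd.ExecuteScalar() > 0;
        }
    }
}
```

Only the first method is useful for the assignment; the second is what the page should actually ship, and the difference between them (concatenation versus parameters) is exactly the weakness a code review or static analyser looks for. Both still compare a stored password inside the query, which the next reply addresses.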
 
Saloon Keeper
Posts: 15732
It looks like you're using Entity Framework, which creates SQL queries itself and protects you from SQL injection attacks.

You have a different problem though. You are storing your users' passwords in the database. Don't store passwords, encrypted or not.

It's easiest if you add ASP.NET Identity to your OWIN pipeline. If you don't have OWIN, get an implementation like Katana.
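To show the two points in this reply concretely, here is an added C# example (not the poster's or the reply's own code) of a login built on Entity Framework 6 with ASP.NET Identity's PasswordHasher, so that EF generates the SQL and the database holds only a salted password hash. The User class, the AppDbContext, and the table layout are assumptions; PasswordHasher and PasswordVerificationResult come from Microsoft.AspNet.Identity.Core.

```csharp
using System.Data.Entity;          // Entity Framework 6
using System.Linq;
using Microsoft.AspNet.Identity;   // PasswordHasher, PasswordVerificationResult

// Added example. The entity and context below are assumptions for illustration.
public class User
{
    public int Id { get; set; }
    public string Username { get; set; }
    public string PasswordHash { get; set; }   // hash only, never the password
}

public class AppDbContext : DbContext
{
    public DbSet<User> Users { get; set; }
}

public static class EfLogin
{
    private static readonly PasswordHasher Hasher = new PasswordHasher();

    // Registration: store a salted hash produced by ASP.NET Identity.
    public static void Register(AppDbContext db, string username, string password)
    {
        db.Users.Add(new User
        {
            Username = username,
            PasswordHash = Hasher.HashPassword(password)
        });
        db.SaveChanges();
    }

    // Login: EF translates the LINQ expression into a parameterized query, so
    // the username cannot change the SQL. The password never reaches the
    // database at all; it is verified against the stored hash in code.
    public static bool Login(AppDbContext db, string username, string password)
    {
        var user = db.Users.SingleOrDefault(u => u.Username == username);
        if (user == null)
            return false;

        return Hasher.VerifyHashedPassword(user.PasswordHash, password)
               != PasswordVerificationResult.Failed;
    }

    // Caveat: EF's protection holds only while EF builds the SQL. If raw SQL is
    // needed, keep the value out of the SQL text and use a placeholder; EF binds
    // {0} as a DbParameter. Concatenating username into the string here would
    // reintroduce the injection weakness even though EF executes the query.
    public static User FindRaw(AppDbContext db, string username)
    {
        return db.Users
                 .SqlQuery("SELECT * FROM Users WHERE Username = {0}", username)
                 .FirstOrDefault();
    }
}
```

With this layout a leaked database table yields hashes rather than credentials, and the only SQL the application issues is generated or parameterized. Wiring PasswordHasher into a full UserManager and the OWIN pipeline, as the reply suggests, replaces the hand-written Register and Login above.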
 