Checkmarx (SAST): Parameter_Tampering
Security Issue: Read More about Parameter_Tampering
Checkmarx Project: smaguilarcx/Webgoat_eu_CxOne
Repository URL: https://github.com/smaguilarcx/Webgoat_eu_CxOne
Branch: main
Scan ID: 90adb9be-7e9c-4385-b96b-20f5c5abf263
Method completed at line 58 of /src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson10.java gets user input from element action_string. This input is later concatenated by the application directly into a string variable containing SQL commands, without being validated. This string is then used in method injectableQueryAvailability to query the database via executeQuery, at line 71 of /src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson10.java, without any additional filtering by the database. This could allow the user to tamper with the filter parameter.
Result 1:
Severity: MEDIUM
State: CONFIRMED
Status: RECURRENT
Attack Vector:
1. action_string: /src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson10.java[58,54]
2. action_string: /src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson10.java[59,40]
3. action: /src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson10.java[62,61]
4. action: /src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson10.java[64,70]
5. query: /src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson10.java[64,12]
6. query: /src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson10.java[71,52]
7. executeQuery: /src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson10.java[71,51]
Review result in Checkmarx One: Parameter_Tampering