Vulnerability findings by Rational Appscan on Authentication Credentials using .Net Language

Asked by bduhaish
Topics: Vulnerabilities, .NET Programming, ASP.NET
Hello Experts,

Our Security team is using Rational Appscan software for scanning applications for any kind of vulnerability and sensitive information that malicious users may be able to obtain. However, the result I get from the software is classified under three categories:

Authentication.Credentials.Unprotected
Authentication.Credentials.Weak
Injection.DBConnectionString

These vulnerabilities or categories point to line number 2, as follows:
Imports System.Configuration
Imports System.Data
Imports System.Data.SqlClient

Sub Read()
    ' Line 2: the connection string is read from the (RSA-encrypted) web.config section;
    ' ConfigurationManager decrypts it transparently at runtime.
    Using connection As New SqlConnection(ConfigurationManager.ConnectionStrings("LocalSqlServer").ToString())
        ' Parameterized query: the user-supplied value never becomes part of the SQL text.
        Const queryString As String = "SELECT Name from Users where SAPID = @SAPID"
        Dim command As New SqlCommand(queryString, connection)
        Dim parUsername As New SqlParameter("@SAPID", SqlDbType.VarChar, 20)
        parUsername.Value = TextBox1.Text
        command.Parameters.Add(parUsername)
        command.Connection.Open()
        Using reader As SqlDataReader = command.ExecuteReader(CommandBehavior.CloseConnection)
            ' Call Read before accessing data.
            If reader.HasRows Then
                While reader.Read()
                    Label1.Text = reader("Name")
                End While
            End If
        End Using
    End Using
End Sub
The connection string in the web.config file is encrypted using RSA with a Machine-Level Key Container.

The connection string before it is encrypted is as follows:
<connectionStrings>
  <add name="LocalSqlServer" 
      connectionString=";Database=;User ID=;Password=;Trusted_Connection=False;"/>
</connectionStrings>
Can someone tell me why the SQL statement above is vulnerable?

Thanks.
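An added example (not code from the original post or the asker) that checks at runtime whether the web.config <connectionStrings> section is actually protected by the RSA provider the post describes, and encrypts it with that provider if it is not; the application path "/MyApp" is an assumed placeholder:

```vb
Imports System
Imports System.Configuration
Imports System.Web.Configuration

Public Module ConnectionStringProtection

    ' Verifies that <connectionStrings> in the application's web.config is encrypted
    ' (so "User ID=...;Password=..." never sits on disk in plaintext) and reports
    ' which protection provider is in use. Returns True if the section is protected
    ' after the call. appPath is the IIS application path, e.g. "/MyApp" (assumed).
    Public Function EnsureConnectionStringsProtected(appPath As String) As Boolean
        Dim config As System.Configuration.Configuration =
            WebConfigurationManager.OpenWebConfiguration(appPath)
        Dim section As ConfigurationSection = config.GetSection("connectionStrings")

        If section Is Nothing Then
            Throw New ConfigurationErrorsException("No <connectionStrings> section found in " & appPath)
        End If

        If section.SectionInformation.IsProtected Then
            ' Already encrypted; confirm it is the RSA provider (machine-level key container).
            Console.WriteLine("connectionStrings protected by: " &
                              section.SectionInformation.ProtectionProvider.Name)
            Return True
        End If

        ' Not protected: encrypt the section in place with the RSA provider.
        section.SectionInformation.ProtectSection("RsaProtectedConfigurationProvider")
        section.SectionInformation.ForceSave = True
        config.Save(ConfigurationSaveMode.Modified)
        Console.WriteLine("Encrypted <connectionStrings> with RsaProtectedConfigurationProvider.")
        Return section.SectionInformation.IsProtected
    End Function

    ' Reads the named connection string the idiomatic way (the typed ConnectionString
    ' property rather than ToString()); decryption happens transparently.
    Public Function GetConnectionString(name As String) As String
        Dim settings As ConnectionStringSettings = ConfigurationManager.ConnectionStrings(name)
        If settings Is Nothing Then
            Throw New ConfigurationErrorsException("Connection string '" & name & "' not found.")
        End If
        Return settings.ConnectionString
    End Function

End Module
```

The identity that saves the config must have access to the RSA key container (by default NetFrameworkConfigurationKey), which is the same requirement aspnet_regiis has when encrypting the section.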