Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win


Vulnerability findings by Rational Appscan on Authentication Credentials using .Net Language

Posted on 2012-12-21
Medium Priority
Last Modified: 2013-01-05
Hello Experts,

Our Security team is using Rational Appscan software for scanning applications from any kind of Vulnerability’s and sensitive information’s that may allow malicious users to obtain. However, the result I get from the software is classified under three categories:


Theses Vulnerabilities or categories are pointed to line number 2  as follow:
Sub Read()
        Using connection As New SqlConnection(ConfigurationManager.ConnectionStrings("LocalSqlServer").ToString())
            Const queryString As String = "SELECT Name from Users where SAPID = @SAPID"
            Dim command As New SqlCommand(queryString, connection)
            Dim parUsername As New SqlParameter("@SAPID", SqlDbType.VarChar, 20)
            parUsername.Value = TextBox1.Text
            Using reader As SqlDataReader = command.ExecuteReader(CommandBehavior.CloseConnection)
                ' Call Read before accessing data.
                If reader.HasRows Then
                    While reader.Read()
                        Label1.Text = reader("Name")
                    End While
                End If
            End Using
        End Using
    End Sub

Open in new window

The connection string in the web.config file is encrypted using RSA with a Machine-Level Key Container.

The connection string before it is encrypted is as as follow:
  <add name="LocalSqlServer" 
      connectionString=";Database=;User ID=;Password=;Trusted_Connection=False;"/>

Open in new window

Can someone tell me whey the SQL statement above is Vulnerable.

Question by:bduhaish
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
LVL 41

Expert Comment

by:Kyle Abrahams
ID: 38714434
What if textbox1.Text  =

''; select * from users

Author Comment

ID: 38715053
nothing will happen.
LVL 65

Accepted Solution

btan earned 2000 total points
ID: 38716893
This has illustration on the insecure configuration weakness


Web.config is the pace which we should avoid having to put unencrypted connection strings or other sensitive data. There are just too many places where the Web.config is exposed including in source control, during deployment. imagine as the author shared also even the channel having ftp channel etc is not secure with transport layer security and in backups or via a server admin (these are just a few).

Furthermore, this is quite a risk  if server or app is exploited ...e.g. one past one mentioned on  the "padding oracle vulnerability" e.g. if an encrypted string can be passed to the server and its response can tell you whether the padding is valid or not, the request can be manipulated to continually change the bytes in the request and reissue them to the server until a successful response is returned.


You never going to be totally secured but leaving lesser gap for the attacker to exploit through secure coding will deter those attempt as much as possible.

Minimally in this case, we will want to encrypt those info as you stated in ASP.NET 2.0. It  introduced Protected Configuration model that allows you to encrypt data using two Protected Configuration Providers. E.g. RSAProtectedConfigurationProvider and DataProtectionConfigurationProvider

I also suggest this checking out MSDN "How To: Protect From SQL Injection in ASP.NET" or OWASP cheatsheet

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!


Author Comment

ID: 38717072
Hello breadtan,

All what you mentioned is considered,

Again, whay this software known by IBM is telling me that this subroutine is Vulnerable !!!

The Classification is type 2 and the Severity is High.

All three vulnerability’s are pointing to the below line.


Using connection As New SqlConnection(ConfigurationManager.ConnectionStrings("LocalSqlServer").ToString())

Open in new window

LVL 38

Expert Comment

by:Rich Rumble
ID: 38717755
Typically Appscan give you a URL or a string to show you the exploit it tried and found. This isn't always the case, but more often than not it's in the report. Sometimes there are false positives, you have to test the string it used, look in your logs or your DB to see if it did work.
The authentication weaknesses could be plain-text cookies, or perhaps base64 credentials, or a cipher/implementation that has poor entropy (like DES or 56-bit RSA etc) The report should give you links to the answers your looking for.
LVL 16

Expert Comment

by:Kamal Khaleefa
ID: 38717817
placing the connection string in web.config is not recommended but since you are encrypting it then it seems ok

try to move your connection string into your classes also make validation on every text box to prevent special charachters
LVL 65

Expert Comment

ID: 38718023
As highlighted by experts in this discussion, the scanner would have a recommendation list  (e.g. Advisory, Fix Recommendation, Request/Response)stated to correspond to the findings. Also in various programming languages.  It should not be far off with what was already stated in the links in my last posting esp those from owasp and msdn. I see the key is that there are needs to have input type validation beside just key length restriction on the parameter in your existing code.

Even IBM has similar recommendation


As for weak authentication and unprotected parameter, that depends on how those parameters are secure at rest and in channel. The recommendation in the summary finding rightfully should have it too.

Author Comment

ID: 38724485
Thank you all for your answers.
As I mentioned before that it is a connection string issue and not parameters or SQL Injections. Now, because we just lunched this software, only view employees have license, me and others are waiting for something called flouting license. However, as requested I managed to get a report from the security group that explains the findings along with a report for the lines in aspx page.
The report is telling us to use SqlConnectionStringBuilder class.
OK, I heard about this class since .Net 2.0, but never used it before so I did my workaround and I end up with same result, I will show exactly what I did in details :
In Configuration File
  <add name="conStr" 
    connectionString="Persist Security Info=False;User ID=AAAAAAA;Password=*******;Initial Catalog=XXXXXXX;Server=ZZZZZZZZZ" />

<authentication mode="Windows"/>
		<roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider"/>
			<allow roles="Domain\Group"/>
			<deny users="?"/>
			<deny users="*"/>
		<customErrors mode="Off"/>

Open in new window

After Encrypting.
   <!-- contents -->

<connectionStrings configProtectionProvider="CustomProvider">
    <!-- encrypted contents -->

Open in new window

I then create a class file "Connections.vb" to create the connection.
Imports System.Configuration
Imports System.Data.SqlClient

Public Class Connections
    Shared sqlClient As String = ConfigurationManager.ConnectionStrings("conStr").ConnectionString
    Shared sqlConn As String = Nothing
    Shared builderStr As SqlConnectionStringBuilder = Nothing
    Shared connStr As SqlConnection = Nothing

    Public Shared Function [get]() As SqlConnection
        If sqlConn Is Nothing Then
            sqlConn = sqlClient
            builderStr = New SqlConnectionStringBuilder(sqlConn.ToString) -- line 22
            connStr = New SqlConnection(builderStr.ConnectionString) -- line 23
        End If
        Return connStr
    End Function
End Class

Open in new window

Then in my aspx file i called the connection as follow:
Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
        Const sqlQuery As String = "select * from users"

        Using command As New SqlCommand(sqlQuery, Connections.[get]())
            Dim sqlda As New SqlDataAdapter(command)
            Dim ds As New DataSet()
            sqlda.SelectCommand = command
            sqlda.Fill(ds, "users")
            GridView1.DataSource = ds
            GridView1.DataMember = "users"
        End Using
End Sub

Open in new window

I end up with the same problem, i went again and did some searching and i noticed that The ConnectionStringBuilder class allows you to parse the individual elements of a connection string and put them into the corresponding properties in the ConnectionStringBuilder. The ConnectionStringBuilder will then break it into the appropriate properties.

This approach i could not figure it out as there are no clear examples available except examples showing sensitive information like below:
Sub CreateConnectionString()
  Dim builder As New SqlConnectionStringBuilder
  builder.DataSource = "(local)"
  builder.InitialCatalog = "Northwind"
  builder.UserID = "user1"
  builder.Password = "P@ssw0rd"
End Sub

Open in new window

Can someone help me on how to pass the connection from the config file and use a class in order to call it in every page after extracting its appropriate properties.

Attached please find explanation files.
LVL 65

Expert Comment

ID: 38725612
Yet to have chance to read the doc but saw for sqlconnectionstringbuilder recommend avoiding use of username and password or minimally have them sanitise before use. not sure appscan is sensitive to that. if we use integrated authentication for the make of testing will the tool still complain...


There is an example of readding in the username answer password at the bottom of the article...wondering if tool will complain if use without hardcoding


Author Comment

ID: 38726852
Hello breadtan,

For your first question, i tried to use windows authentication and it complained due to an attacker may inject the connection by setting  Integrated Security to false or using extra semi-colons.

For the second question, i believe it is a sqlconnectionstringbuilder class exercise so from a security point it is solved but we need a developer to have a look on how to sanitized or extract the connection properties and then assign them into sqlconnection class.

LVL 65

Expert Comment

ID: 38728799
thanks for sharing. Looks like as long as they are parameter for SQL API  call (e.g. as in pt 1), Appscan will always be "not happy" with it since it flagged those option can be tampered.

Some sort of sanitisation (function to do the input validation) will still be needed so as to pass the scan as shared in pt 2.

Featured Post

2017 Webroot Threat Report

MSPs: Get the facts you need to protect your clients.
The 2017 Webroot Threat Report provides a uniquely insightful global view into the analysis and discoveries made by the Webroot® Threat Intelligence Platform to provide insights on key trends and risks as seen by our users.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Ransomware continues to be a growing problem for both personal and business users alike and Antivirus companies are still struggling to find a reliable way to protect you from this dangerous threat.
Real-time is more about the business, not the technology. In day-to-day life, to make real-time decisions like buying or investing, business needs the latest information(e.g. Gold Rate/Stock Rate). Unlike traditional days, you need not wait for a fe…
In this video you will find out how to export Office 365 mailboxes using the built in eDiscovery tool. Bear in mind that although this method might be useful in some cases, using PST files as Office 365 backup is troublesome in a long run (more on t…
This lesson discusses how to use a Mainform + Subforms in Microsoft Access to find and enter data for payments on orders. The sample data comes from a custom shop that builds and sells movable storage structures that are delivered to your property. …

618 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question