Parameter_Tampering issue exists @ WebGoatCoins/Autocomplete.ashx.cs in branch master
Method ProcessRequest at line 20 of WebGoatCoins\Autocomplete.ashx.cs gets user input from element Request. This input is later concatenated by the application directly into a string variable containing SQL commands, without being validated. This string is then used in method GetCustomerEmails to query the database da, at line 558 of App_Code\DB\MySqlDbProvider.cs, without any additional filtering by the database. This could allow the user to tamper with the filter parameter.
Severity: Medium
CWE:472
Checkmarx
Lines: 25
Code (Line #25):