Parameter_Tampering issue exists @ WebGoatCoins/ChangePassword.aspx.cs in branch master
Method ButtonChangePassword_Click at line 21 of WebGoatCoins\ChangePassword.aspx.cs gets user input from element Value. This input is later concatenated by the application directly into a string variable containing SQL commands, without being validated. This string is then used in method UpdateCustomerPassword to query the database, at line 295 of App_Code\DB\MySqlDbProvider.cs, without any additional filtering by the database. This could allow the user to tamper with the filter parameter.
Severity: Medium
CWE: 472
Checkmarx
Lines: 29
Code (Line #29):