SharePoint SQL injection in custom webpart

  • Question

  • I am testing a custom SharePoint form that is vulnerable to SQL injection (Oracle back-end). I need some specific guidance on remediation, as it is not completely obvious to me for SharePoint. I think the answer is

    - SharePoint validation controls

    - Parameterise the SQL query

    For the latter, I can see that there are a number of queries listed in the SharePoint configuration page, and the input is passed as '[VALUE]', e.g. select users from db.user_table where reference = '[VALUE]'. Is there a special way to parameterise that in SharePoint?

    Thanks

    Friday, August 16, 2013 9:31 AM

Answers

  • If you use the SharePoint object model, there are no SQL injection vulnerabilities; SharePoint does it for us by default. SQL injection will occur when custom code is deployed within the SharePoint environment.

    As for any ASP.NET control or application, you should validate all user input before performing operations with it. This validation can help to protect against not only accidental misuse, but also deliberate attacks such as SQL injection, cross-site scripting, buffer overflow and so on. Here is the checklist for SharePoint web parts:
    http://msdn.microsoft.com/en-us/library/dd583141(v=office.11).aspx

    Best Practices for Developing Web Parts for SharePoint products and Technologies:
    http://msdn.microsoft.com/en-us/library/dd583135(v=office.11).aspx

    Thanks,


    Qiao Wei
    TechNet Community Support

    • Marked as answer by Qiao Wei Sunday, August 25, 2013 2:02 PM
    Monday, August 19, 2013 7:43 AM
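As an added example (not code from the thread or from SharePoint itself), this is what the parameterised form of the '[VALUE]' query from the question looks like in a C# web part against Oracle, shown beside the unsafe string substitution, together with the input validation the answer recommends. It assumes the Oracle.ManagedDataAccess (ODP.NET) provider, a hypothetical connection string `connStr`, and an assumed allow-list pattern for the reference value.

```csharp
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;
using Oracle.ManagedDataAccess.Client;

public static class UserLookup
{
    // VULNERABLE: the form value is spliced straight into the SQL text, so any
    // quote character in the input changes the structure of the statement.
    public static string BuildUnsafeSql(string reference)
    {
        const string template = "select users from db.user_table where reference = '[VALUE]'";
        return template.Replace("[VALUE]", reference);
    }

    // FIXED: the placeholder becomes an Oracle bind variable (:reference). The value
    // travels separately from the statement text, so it is never parsed as SQL.
    private const string SafeSql = "select users from db.user_table where reference = :reference";

    // Input validation (the other remediation from the thread): allow-list the shape of
    // a reference before it reaches the data layer. The pattern is an assumption.
    private static readonly Regex ReferenceShape = new Regex(@"^[A-Za-z0-9_-]{1,32}$");

    public static bool IsValidReference(string reference)
    {
        return reference != null && ReferenceShape.IsMatch(reference);
    }

    public static List<string> FindUsers(string connStr, string reference)
    {
        if (!IsValidReference(reference))
            throw new ArgumentException("Reference has an unexpected format.", nameof(reference));

        var results = new List<string>();
        using (var conn = new OracleConnection(connStr))
        using (var cmd = new OracleCommand(SafeSql, conn))
        {
            cmd.BindByName = true;
            cmd.Parameters.Add("reference", OracleDbType.Varchar2).Value = reference;
            conn.Open();
            using (var reader = cmd.ExecuteReader())
            {
                while (reader.Read())
                    results.Add(reader.GetString(0));
            }
        }
        return results;
    }
}
```

The same change applies to each of the configured queries: replace every '[VALUE]' with a named bind variable and supply the value through `Parameters`, never through string substitution.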

All replies

  • Thanks for the reply.

    How would you 'convert' custom SQL into the object model form?

    Monday, August 19, 2013 8:55 AM
  • Hi craigggers,

    SharePoint contains its own API; when you deploy a project using the SharePoint object model, it doesn't communicate with SQL directly.

    Thanks,


    Qiao Wei
    TechNet Community Support

    Friday, August 23, 2013 11:49 AM