How to avoid SQL injection in $filter querystring

[andenis]

I'm using Breezejs and .Net Framework 4.5
Example:
ExecuteQuery url:
https://XXXXXX/breeze/Breeze/Departments?$filter=**BranchId eq 123L+or+1+eq+1&**$orderby=Name&$expand=Calls

SQL Generated:
WHERE ([Extent2].[CompanyId] = @p_linq0) AND (1 = CAST( [Extent1].[Status] AS int)) AND ([Extent1].[BranchId] = @plinq1 OR @plinq2 = @plinq_3)

SQL Generated parameters:
N'@p_linq0 bigint,@plinq1 bigint,@plinq2 int,@plinq3 int',@plinq0=826,@plinq1=123,@plinq2=1,@plinq_3=1

Thanks!

[gmareater]

i'm not expert (but good enough) so since it's using parameterized dynamic sql, you could assume it's safe and sql injection would not work

[andenis]

Ok, thanks your comments @gmareater , but sql injection is possible, only need to change the $filter in the url. I will change to use parameters in my service controller and not continue using the $filter field.

[gmareater]

attacker might be able change the value in the $filter, but at the end sql server wont execute it

[steveschmitt]

I think that Entity Framework sanitizes all the parameters and inputs to prevent sql injection, but there may be holes. Do you have an example of an attack that would work?

[andenis]

changed the $filter parameter, and the Controller return IQueryable (EF Query), but in my .js ExecuteQuery apply filters to this IQueryable.

Parameter: $filter
Attack value: ' , +and+1+eq+1 , +and+1+eq+2 , +or+1+eq+1 , +or+1+eq+2

[steveschmitt]

Yes, it is possible for something in JavaScript to intercept the request and change the URL before it is sent to the server. But this is possible for any HTTP request, and is not specific to $filter nor to Breeze.

Do you have an example where you can inject a sql "DROP TABLE" or "DELETE" command in $filter, and have SQL Server execute it?

[andenis]

Hi, No inject this commands, but if possible add "AND", "OR" to change the query