Kyle Fuller Kyle Fuller - 3 months ago 7
SQL Question

How to prevent SQL Injection when using MVC's bundling

We have an MVC 5 site and currently we are using bundles for our css and java script which is all working just fine. The issue is that when doing so, it creates something like:

/bundles/stylesheet?v=_NMyDE-CcoALPkYZqbmiXkI3LfoWnS1GFeEZNVMaBT81

We also use a third party site to verify that our site is trusted and secure and the other day it flagged us for the fact that using the above with '+and+'b'<'a on the end returns a 200 response instead of a 500.

So i guess i have two questions, is this a security flaw in MVC's bundles that is susceptible to SQL injection and if so, is there a workaround or fix?

Answer

The v parameter sent in that web request is just used as a way to help the browser know when to request a new resource--commonly called "cache busting." The number that MVC puts in the bundle links will change any time the files used in the bundle are changed, but the server doesn't even pay any attention to the parameter at all when the actual request is made.

Because of this, the auditing software sees a pattern that indicates it can send "anything" to the server, and it never gets checked to see if it is valid. In some cases, this can be indicative that their sql injection "got through," but in this case it's a false positive.

The bundling framework doesn't touch SQL at all, so there's absolutely no way that this represents a SQL injection vulnerability.

For more information, see the "Bundle Caching" section of this article.