Is it possible to perform a SQL Injection on an application that uses Entity Framework?

c# entity-framework entity-framework-6 sql-injection

Question

Can Entity Framework be hacked?

Is it possible to perform a SQL Injection on an application that uses EF?

If so, can someone please provide a full example of how that might be done? I couldn't find any specific to EF in C#.

1
0
7/22/2018 3:48:24 PM

Accepted Answer

Heed this:

It is quite easily possible if the developer uses EF as a wrapper around ADO.NET and uses FromSQL. Of course, this is not the intended nor normal use of EF, but I have seen it – Camilo Terevinto

REF: Raw SQL Queries


Additionally, while not really "sql injection", since one of the goals of such is to somewhat alter your data by altering your raw sql to produce some unintended result, you should also be aware of ASP.NET - Overposting/Mass Assignment Model Binding Security

Sample taken straight from link:

Your model/class:

public class Person
{
    public int ID { get; set; }
    public string First { get; set; }
    public string Last { get; set; }
    public bool IsAdmin { get; set; }
}

Somewhere in your Controller:

[HttpPost]
[ValidateAntiForgeryToken]
public async Task<IActionResult> Create(Person person)
{
    if (ModelState.IsValid)
    {
        _context.Add(person);
        await _context.SaveChangesAsync();
        return RedirectToAction("Index");
    }
    return View(person);
}

If a theoretical EvilUser found out that Person had an "IsAdmin" property, they could "overpost" and add a field to the HTTP POST and set IsAdmin=true. There's nothing in the code here to prevent that.

So "evil user" doesn't even need to figure out sql injection to do some unintended result. Read up on the article on ways to prevent it (e.g. BindAttribute, View Models).

Hth.

2
7/22/2018 4:47:56 PM

Popular Answer

Depends on the use of it. If you use LINQ, yes, it's safe against SQL INJECTION because it passes all data to the database via SQL parameters. LINQ queries are not composed by using string manipulation or concatenation, that's why they are not susceptible to traditional SQL injection attacks.
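
To make the difference between the two answers concrete, here is an added example (not code from either answer or from the linked articles) that puts a concatenated raw query next to a parameterized raw query and a LINQ query. It assumes EF6's `Database.SqlQuery<T>`, a hypothetical `PeopleContext`, and that the `Person` class above maps to a table named `dbo.People`.

```csharp
using System.Collections.Generic;
using System.Data.Entity;   // EF6
using System.Linq;

public class Person
{
    public int ID { get; set; }
    public string First { get; set; }
    public string Last { get; set; }
    public bool IsAdmin { get; set; }
}

// Hypothetical context for this example; table name dbo.People is assumed.
public class PeopleContext : DbContext
{
    public DbSet<Person> People { get; set; }
}

public static class PersonQueries
{
    // VULNERABLE: `last` becomes part of the SQL text itself, so a quote
    // character in the input ends the string literal and whatever follows
    // is parsed by the server as SQL. EF does nothing to prevent this.
    public static List<Person> FindUnsafe(PeopleContext db, string last)
    {
        var sql = "SELECT * FROM dbo.People WHERE Last = '" + last + "'";
        return db.Database.SqlQuery<Person>(sql).ToList();
    }

    // SAFE raw SQL: the text is constant and `last` travels separately as
    // a DbParameter bound to @p0, so it is only ever treated as a value.
    public static List<Person> FindRawSafe(PeopleContext db, string last)
    {
        return db.Database
                 .SqlQuery<Person>("SELECT * FROM dbo.People WHERE Last = @p0", last)
                 .ToList();
    }

    // SAFE LINQ: EF generates the SQL and sends `last` as a parameter.
    public static List<Person> FindLinq(PeopleContext db, string last)
    {
        return db.People.Where(p => p.Last == last).ToList();
    }
}
```

When reviewing an EF code base, searching for raw-SQL entry points (`SqlQuery`, `ExecuteSqlCommand`, `FromSql`) whose first argument is built with `+`, `string.Format` or interpolation finds the first pattern quickly.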



Licensed under: CC-BY-SA with attribution
Not affiliated with Stack Overflow