I am developing an ASP.NET Web Forms application. A code audit was done by an external team, and the resulting document reports Connection String Parameter Pollution in the data access code.

The connection string is as follows.

<add name="SqlConString" connectionString="Data Source=AccDb;Initial Catalog=TestDb;uid=sa;pwd=abcd;Integrated Security=true;" providerName="System.Data.SqlClient"/>

As per suggestions, the connection string is encrypted using:

aspnet_regiis -pef "connectionStrings" "xxxx"

In DAL, the data access code is enclosed within

using (SqlCon = new SqlConnection(ConnStringSql))

But none of these fixes helped to pass the code audit.

  • I hope you are not using the `sa` account for routine application data access. That's a more egregious security issue, IMHO. – Dan Guzman Apr 23 '20 at 10:40
  • @Dan Guzman In the application a different account is used. Here, `sa` is used for the question only. – Saneesh Apr 23 '20 at 10:43
  • You don't need either `uid/pwd` pair, or `Integrated Security`, as they are mutually exclusive. Try removing one or the other and check whether the connection is established, and under which credentials. – Roger Wolf Apr 23 '20 at 10:50
  • The application uses SQL credentials. Even removing `Integrated Security` doesn't help resolve the parameter pollution problem. – Saneesh Apr 23 '20 at 10:54
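The contrast the audit finding and the comments point at, as an added example that is not from the question or the comments (`appuser` and the polluted password value are constructed placeholders): a concatenated connection string lets a `;` inside a value append extra keys, with the last occurrence of a key winning, while `SqlConnectionStringBuilder` quotes such values and lets you set SQL credentials without also enabling `Integrated Security`.

```csharp
using System;
using System.Data.SqlClient;

// Added example; not code from the original question or its comments.
public static class ConnectionStringDemo
{
    // Constructed sample: a value that arrived from request input or a config
    // field. The trailing fragment tries to smuggle in a second key.
    const string PollutedPassword = "abcd;Integrated Security=true";

    // Vulnerable pattern: key/value text is concatenated, so a ';' in the
    // value introduces new keys. .NET keeps the last occurrence of a key.
    public static string BuildByConcatenation(string user, string password)
    {
        return "Data Source=AccDb;Initial Catalog=TestDb;uid=" + user
             + ";pwd=" + password + ";";
    }

    // Hardened pattern: the builder quotes values containing ';' or '=' so
    // they remain one value, and the auth mode is stated explicitly.
    public static string BuildWithBuilder(string user, string password)
    {
        var b = new SqlConnectionStringBuilder
        {
            DataSource = "AccDb",
            InitialCatalog = "TestDb",
            UserID = user,
            Password = password,
            // SQL credentials are used, so do not also turn on Integrated Security
            IntegratedSecurity = false
        };
        return b.ConnectionString;
    }

    public static void Main()
    {
        string polluted = BuildByConcatenation("appuser", PollutedPassword);
        var parsed = new SqlConnectionStringBuilder(polluted);
        Console.WriteLine(polluted);
        // Shows whether the injected key changed the authentication mode
        Console.WriteLine("Integrated Security (concatenated): " + parsed.IntegratedSecurity);

        string safe = BuildWithBuilder("appuser", PollutedPassword);
        var safeParsed = new SqlConnectionStringBuilder(safe);
        Console.WriteLine(safe);
        Console.WriteLine("Integrated Security (builder): " + safeParsed.IntegratedSecurity);
        // The whole value, ';' included, round-trips as the password
        Console.WriteLine("Password intact: " + (safeParsed.Password == PollutedPassword));
    }
}
```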
