SQL Injection in COBOL
SQL statements that are stored in host variables and assembled at run time, in particular from user-supplied data, expose the application to SQL injection attacks.
Vulnerable example
Here, a dynamic SQL statement is built by concatenating a user-provided string directly into the statement text, then prepared and executed.
ACCEPT TRANS-CUST-ID
*> The user-supplied value is spliced straight into the statement text;
*> a quote character in TRANS-CUST-ID ends the literal and the rest is
*> interpreted as SQL.
STRING ' SELECT CUST-ID INTO WS-CUST-ID '
       ' FROM CUSTOMER '
       ' WHERE CUST-ID = ' "'" TRANS-CUST-ID "'"
       DELIMITED BY SIZE
       INTO WS-STR-TXT
END-STRING
*> WS-STR is assumed to be a VARCHAR host structure made of
*> WS-STR-LEN (length) and WS-STR-TXT (text).
MOVE LENGTH OF WS-STR-TXT TO WS-STR-LEN
*> Whatever ended up in WS-STR is now parsed and run as SQL.
EXEC SQL PREPARE ADDSTMT FROM :WS-STR END-EXEC
EXEC SQL EXECUTE ADDSTMT END-EXEC
The statement EXECUTE IMMEDIATE can also be used to run an SQL statement from a string on the fly.
EXEC SQL EXECUTE IMMEDIATE :WS-STR END-EXEC
Prevention
Dynamic SQL statements should be avoided, especially when PREPARE or EXECUTE IMMEDIATE is used.
Where dynamic SQL cannot be avoided, make sure to validate or sanitize the user input before using it as part of a statement.
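The following is an added example, not part of the original rule text, showing the same lookup written safely: the input is validated first, the statement is static SQL with a host variable, and, where the statement really must be dynamic, the value goes through a parameter marker instead of the statement text. It assumes DB2-style embedded SQL, a numeric CUST_ID column, and the host variable declarations shown.

```cobol
       IDENTIFICATION DIVISION.
       PROGRAM-ID. CUSTLOOK.
       DATA DIVISION.
       WORKING-STORAGE SECTION.
       EXEC SQL INCLUDE SQLCA END-EXEC.
      * Assumed host variables (not taken from the original rule text)
       01  TRANS-CUST-ID        PIC X(10).
       01  WS-CUST-ID           PIC X(10).
       01  WS-STR.
           49  WS-STR-LEN       PIC S9(4) COMP.
           49  WS-STR-TXT       PIC X(200).
       PROCEDURE DIVISION.
       MAIN-PARA.
           ACCEPT TRANS-CUST-ID
      * 1. Validate: the id is assumed to be numeric, so anything else
      *    (including quotes and SQL keywords) is rejected up front.
           IF TRANS-CUST-ID NOT NUMERIC
               DISPLAY 'INVALID CUSTOMER ID'
               STOP RUN
           END-IF
      * 2. Preferred: static SQL. The host variable is bound as a
      *    value by the precompiler and never becomes statement text.
           EXEC SQL
               SELECT CUST_ID INTO :WS-CUST-ID
                 FROM CUSTOMER
                WHERE CUST_ID = :TRANS-CUST-ID
           END-EXEC
      * 3. If the statement must be dynamic, keep its text constant and
      *    supply the input through a parameter marker (?) at OPEN time.
           MOVE 'SELECT CUST_ID FROM CUSTOMER WHERE CUST_ID = ?'
             TO WS-STR-TXT
           MOVE LENGTH OF WS-STR-TXT TO WS-STR-LEN
           EXEC SQL PREPARE CUSTSTMT FROM :WS-STR END-EXEC
           EXEC SQL DECLARE CUSTCUR CURSOR FOR CUSTSTMT END-EXEC
           EXEC SQL OPEN CUSTCUR USING :TRANS-CUST-ID END-EXEC
           EXEC SQL FETCH CUSTCUR INTO :WS-CUST-ID END-EXEC
           EXEC SQL CLOSE CUSTCUR END-EXEC
           STOP RUN.
```

In both the static and the parameter-marker form the database receives the customer id as data, so a value such as a quote followed by SQL text cannot change the shape of the query.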
Reference
CWE - CWE-89: Improper Neutralization of Special Elements used in an SQL Command