<!DOCTYPE qhelp PUBLIC
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
<overview>
<p>
SQL Server connections where the client does not enforce encryption in transit are susceptible to multiple attacks, including a man-in-the-middle attack that could compromise the user credentials and/or the TDS session.
</p>
</overview>
<recommendation>
<p>Ensure that the client code enforces the <code>Encrypt</code> option by setting it to <code>true</code> in the connection string.</p>
</recommendation>
<example>
<p>The following example shows a SQL connection string that does not explicitly enable the <code>Encrypt</code> setting, so encryption in transit is not forced.</p>
<sample src="InsecureSQLConnectionBad.cs" />
<p>
The following example shows a SQL connection string that explicitly enables the <code>Encrypt</code> setting, forcing encryption in transit.
</p>
<sample src="InsecureSQLConnectionGood.cs" />
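<p>The following is an added example, not one of the query's own sample files. It places an insecure connection string next to its hardened form and uses <code>SqlConnectionStringBuilder</code> to check whether a string enforces encryption in transit. It assumes the <code>System.Data.SqlClient</code> provider (whose default for <code>Encrypt</code> is <code>false</code>); the server name, database, user and password are placeholders. The check also rejects <code>TrustServerCertificate=true</code>, because that setting disables certificate validation and leaves an encrypted session open to a man-in-the-middle.</p>

```csharp
// Added example (not the query's sample files). Assumes System.Data.SqlClient;
// server, database and credentials below are placeholders.
using System;
using System.Data.SqlClient;

public static class SqlConnectionAudit
{
    // Insecure: Encrypt is omitted. With System.Data.SqlClient the default is
    // Encrypt=false, so the login and the TDS session are not protected by TLS.
    public const string InsecureConnectionString =
        "Server=sql.example.internal;Database=Orders;User Id=app_user;Password=PLACEHOLDER;";

    // Hardened: Encrypt=true forces TLS for the session, and
    // TrustServerCertificate=false keeps certificate validation on.
    public const string SecureConnectionString =
        "Server=sql.example.internal;Database=Orders;User Id=app_user;Password=PLACEHOLDER;" +
        "Encrypt=true;TrustServerCertificate=false;";

    // Returns true only when the connection string both requires encryption and
    // validates the server certificate. The builder normalises keyword aliases
    // and casing, so "encrypt=yes" is handled the same as "Encrypt=true".
    public static bool EnforcesEncryption(string connectionString)
    {
        var builder = new SqlConnectionStringBuilder(connectionString);
        if (!builder.Encrypt)
        {
            return false;
        }
        return !builder.TrustServerCertificate;
    }

    public static void Main()
    {
        foreach (var cs in new[] { InsecureConnectionString, SecureConnectionString })
        {
            Console.WriteLine(EnforcesEncryption(cs)
                ? "OK: encryption in transit enforced"
                : "FLAG: encryption in transit not enforced");
        }

        // Opening the hardened connection negotiates TLS before the login packet is sent.
        using (var connection = new SqlConnection(SecureConnectionString))
        {
            // connection.Open() is omitted so the example runs without a server.
        }
    }
}
```

<p>The same check can be run over connection strings pulled from configuration files as part of a build or deployment step, flagging any that omit <code>Encrypt=true</code> or set <code>TrustServerCertificate=true</code>.</p>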
</example>
<references>
<li>Microsoft, SQL Protocols blog:
<a href="https://blogs.msdn.microsoft.com/sql_protocols/2009/10/19/selectively-using-secure-connection-to-sql-server/">Selectively using secure connection to SQL Server</a>.
</li>
<li>Microsoft:
<a href="https://msdn.microsoft.com/en-us/library/system.data.sqlclient.sqlconnection.connectionstring(v=vs.110).aspx">SqlConnection.ConnectionString Property</a>.
</li>
<li>Microsoft:
<a href="https://msdn.microsoft.com/en-us/library/ms130822.aspx">Using Connection String Keywords with SQL Server Native Client</a>.
</li>
<li>Microsoft:
<a href="https://msdn.microsoft.com/en-us/library/ms378988(v=sql.110).aspx">Setting the connection properties</a>.
</li>
</references>
</qhelp>