Checkmarx (SAST): Parameter_Tampering
Security Issue: Read More about Parameter_Tampering
Checkmarx Project: Nova-8/Damm-Vulnerable-CSharp-API
Repository URL: https://github.com/Nova-8/Damm-Vulnerable-CSharp-API
Branch: master
Scan ID: 2f22541b-da6c-459f-9285-99da61e0ed7d
Method Post at line 63 of /Controllers/PasswordResetsController.cs gets user input from element passwordResetRequest. This input is later concatenated by the application directly into a string variable containing SQL commands, without being validated. This string is then used in method Post to query the database FirstOrDefault, at line 72 of /Controllers/PasswordResetsController.cs, without any additional filtering by the database. This could allow the user to tamper with the filter parameter.
Result 1:
Severity: MEDIUM
State: TO_VERIFY
Status: RECURRENT
Attack Vector:
1. passwordResetRequest: /Controllers/PasswordResetsController.cs[63,65]
2. passwordResetRequest: /Controllers/PasswordResetsController.cs[71,35]
3. email: /Controllers/PasswordResetsController.cs[71,56]
4. Lambda: /Controllers/PasswordResetsController.cs[71,21]
5. Where: /Controllers/PasswordResetsController.cs[71,13]
6. FirstOrDefault: /Controllers/PasswordResetsController.cs[72,13]
Review result in Checkmarx One: Parameter_Tampering