Page History

...

Code Block
SELECT * FROM db_user WHERE username='<USERNAME>' AND password='<PASSWORD>'

If it returns any records, the user name and password are valid.

...

Fortunately, the JDBC library provides an API for building SQL commands that sanitize untrusted data. The java.sql.PreparedStatement class properly escapes input strings, preventing SQL injection when used properly. This is an example of component-based sanitization.

This compliant solution uses modifies the doPrivilegedAction() method to use a PreparedStatement instead of java.sql.Statement. This code also validates the length of the username argument, preventing an attacker from submitting an arbitrarily long user name.

Code Block

bgColor	#ccccff


class Login {
  public void doPrivilegedAction(String username, char[] password) throws SQLException {
    Connection connection = getConnection();
    if (connection == null) {
      // handle error
    }
    String pwd = hashPassword(password);

    // Ensure that the length of user name is legitimate
    if ((username.length() > 8) {
      // Handle error
    }

    String sqlString = "select * from db_user where username=? and password=?";
    PreparedStatement stmt = connection.prepareStatement(sqlString);
    stmt.setString(1, username);
    stmt.setString(2, pwd);
    ResultSet rs = stmt.executeQuery();
    if (!rs.next()) {
      throw new SecurityException("User name or password incorrect");
    }

    // Authenticated; proceed
  }
}

Use the set*() methods of the PreparedStatement class to enforce strong type checking. This mitigates the SQL injection vulnerability because the input is properly escaped by automatic entrapment within double quotes. Note that prepared statements must be used even with queries that insert data into the database.

...

CERT C Secure Coding Standard	STR02-C. Sanitize data passed to complex subsystems
CERT C++ Secure Coding Standard	STR02-CPP. Sanitize data passed to complex subsystems
CVE-2008-2370	describes a vulnerability in Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16. When a `RequestDispatcher` is used, Tomcat performs path normalization before removing the query string from the URI, which allows remote attackers to conduct directory traversal attacks and read arbitrary files via a .. (dot dot) in a request parameter.
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="0615884b903d450d-a8e63844-41a24370-85a791f4-49785f09e4402fc54048071b"><ac:plain-text-body><![CDATA[	[ISO/IEC TR 24772:2010	http://www.aitcnet.org/isai/]	"Injection [RST]"	]]></ac:plain-text-body></ac:structured-macro>
MITRE CWE	CWE ID 116, "Improper Encoding or Escaping of Output"

...

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="069360386340c06d-c3692ca0-40174a5c-a2e6998b-62fb30ab377806bacd6697db"><ac:plain-text-body><![CDATA[	[[OWASP 2005	AA. Bibliography#OWASP 05]]		]]></ac:plain-text-body></ac:structured-macro>
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="b8f5568475f14797-4cd5afe5-40744e67-87e08c27-f684ebb8515916d89a121f95"><ac:plain-text-body><![CDATA[	[[OWASP 2007	AA. Bibliography#OWASP 07]]		]]></ac:plain-text-body></ac:structured-macro>
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="7d007bb331b8e20e-5d4e36c0-40244bc0-86bda3a6-a1b00ac62e39fe984fc7fe8e"><ac:plain-text-body><![CDATA[	[[OWASP 2008	AA. Bibliography#OWASP 08]]		]]></ac:plain-text-body></ac:structured-macro>
Testing for XML Injection (OWASP-DV-008)
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="fe397466f3f47b9b-61a04f12-46b24aa2-91148c1e-96df47a59dc05e260389d3ea"><ac:plain-text-body><![CDATA[	[[W3C 2008	AA. Bibliography#W3C 08]]	4.4.3 Included If Validating	]]></ac:plain-text-body></ac:structured-macro>

...

Space shortcuts

Page tree

Versions Compared

Old Version 93

New Version 94

Key