Versions Compared

...

However, if an attacker can substitute arbitrary strings for <USERNAME> and <PASSWORD>, they can perform a SQL injection by using the following string for <USERNAME>:

...

Code Block
' OR '1'='1

This string would yield the following command:

...

Unfortunately, this code example permits a SQL injection attack by incorporating the unsanitized input argument username into the SQL command, allowing an attacker to inject validuser' OR '1'='1. The password argument cannot be used to attack this program because it is passed to the hashPassword() function, which also sanitizes the input.

...

The JDBC library provides an API for building SQL commands that sanitize untrusted data. The java.sql.PreparedStatement class properly escapes input strings, preventing SQL injection when used correctly. This code example modifies the doPrivilegedAction() method to use a PreparedStatement instead of java.sql.Statement. However, the prepared statement still permits a SQL injection attack by incorporating the unsanitized input argument username into the prepared statement.

...

Compliant Solution (PreparedStatement)

This compliant solution uses a parametric query with a ? character as a placeholder for the argument. This code also validates the length of the username argument, preventing an attacker from submitting an arbitrarily long user name.
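The following is an added example (not the rule's own code) of the approach just described: the query text is fixed, both values are bound through ? placeholders, and the user name is length-checked before it reaches the database. The table and column names, the length limit, and the hashPassword() implementation are assumptions for this example; the caller supplies an open java.sql.Connection.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

public class LoginCheck {
    // Upper bound on user name length (assumed value for this example).
    private static final int MAX_USERNAME_LENGTH = 8;

    /**
     * Returns true when a db_user row matches the supplied credentials.
     * The SQL text never changes with the input, so a value such as
     * ' OR '1'='1 is compared as a literal user name rather than parsed as SQL.
     */
    public static boolean authenticate(Connection conn, String username, char[] password)
            throws SQLException {
        if (username == null || username.length() > MAX_USERNAME_LENGTH) {
            // Reject missing or over-long names before any database work.
            return false;
        }
        // Parametric query: each ? is bound to a value, never concatenated.
        String sql = "SELECT * FROM db_user WHERE username = ? AND password = ?";
        try (PreparedStatement stmt = conn.prepareStatement(sql)) {
            stmt.setString(1, username);
            stmt.setString(2, hashPassword(password));
            try (ResultSet rs = stmt.executeQuery()) {
                return rs.next();
            }
        }
    }

    // Placeholder digest for the example only; a production system should use
    // a salted, deliberately slow password hash instead of plain SHA-256.
    static String hashPassword(char[] password) {
        try {
            byte[] bytes = new String(password).getBytes(StandardCharsets.UTF_8);
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(bytes);
            StringBuilder hex = new StringBuilder();
            for (byte b : digest) {
                hex.append(String.format("%02x", b));
            }
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 unavailable", e);
        }
    }
}
```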

...

Rule      Severity  Likelihood  Remediation Cost  Priority  Level
IDS00-J   High      Probable    Medium            P12       L1

Automated Detection

Tool       Version  Checker                                      Description
Coverity   7.5      SQLI                                         Implemented
                    FB.SQL_PREPARED_STATEMENT_GENERATED_
                    FB.SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE
Findbugs   1.0      SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE     Implemented
Fortify    1.0      HTTP_Response_Splitting                      Implemented
                    SQL_Injection__Persistence
                    SQL_Injection
Klocwork            SV.DATA.BOUND                                Implemented
                    SV.DATA.DB
                    SV.HTTP_SPLIT
                    SV.PATH
                    SV.PATH.INJ
                    SV.SQL

...

CVE-2008-2370 describes a vulnerability in Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16. When a RequestDispatcher is used, Tomcat performs path normalization before removing the query string from the URI, which allows remote attackers to conduct directory traversal attacks and read arbitrary files via a .. (dot dot) in a request parameter.

...

Android Implementation Details

This rule uses Microsoft SQL Server as an example to show a database connection. However, on Android, DatabaseHelper from SQLite is used for a database connection. Because Android apps may receive untrusted data via network connections, the rule is applicable.

...
