...
| Code Block | ||
|---|---|---|
| ||
class Login {
public Connection getConnection() throws SQLException {
DriverManager.registerDriver(new com.microsoft.jdbc.sqlserver.SQLServerDriver());
String dbConnection = PropertyManager.getProperrty("db.connection");
// can hold some value like "jdbc:microsoft:sqlserver://<HOST>:1433,<UID>,<PWD>"
return DriverManager.getConnection(dbConnection);
}
String hashPassword(char[] password) {
// create hash of password
}
public void doPrivilegedAction(String username, char[] password) throws SQLException {
Connection connection = getConnection();
if (connection == null) {
// handle error
}
String pwd = hashPassword(password);
String sqlString = "SELECT * FROM db_user WHERE username = '" + username +
"' AND password = '" + pwd + "'";
Statement stmt = connection.createStatement();
ResultSet rs = stmt.executeQuery(sqlString);
if (!rs.next()) {
throw new SecurityException("User name or password incorrect");
}
// Authenticated; proceed
}
}
|
This code example also does not address how to safely shut down the connection. For information on how to do this, see rule FIO06-J. Close resources when they are no longer needed.
Compliant Solution (PreparedStatement)
...
Use the set*() methods of the PreparedStatement class to enforce strong type checking. This mitigates the SQL injection vulnerability because the input is properly escaped by automatic entrapment within double quotes. Note that prepared statements must be used even with queries that insert data into the database.
This code example also does not address how to safely shut down the connection. For information on how to do this, see rule FIO06-J. Close resources when they are no longer needed.
XML Injection
Because of its platform independence, flexibility, and relative simplicity, the extensible markup language (XML) has found use in applications ranging from remote procedure calls to systematic storage, exchange, and retrieval of data. However, because of its versatility, XML is vulnerable to a wide spectrum of attacks. One such attack is called XML Injection.
...
| Code Block | ||
|---|---|---|
| ||
private void createXMLStream(BufferedOutputStream outStream, String quantity) {
// Write XML string if quantity contains numbers only (whitelisting)
// Blacklisting of invalid characters can also be done in conjunction
if (!Pattern.matches("[0-9]+", quantity)) {
// Format violation
}
String xmlString = "<item>\n<description>Widget</description>\n<price>500</price>\n" +
"<quantity>" + quantity + "</quantity></item>";
outStream.write(xmlString.getBytes());
outStream.flush();
}
|
XML External Entity Attacks (XXE)
An XML document can be dynamically constructed from smaller logical blocks called entities. Entities can be either internal, external, or parameter-based. External entities allow the inclusion of XML data from external files.
...
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="980883412b018a67-5aaa1cce-45bd490a-b840ae17-8c31a993c1a63208b839a6fe"><ac:plain-text-body><![CDATA[ | [[OWASP 2005 | AA. Bibliography#OWASP 05]] |
| ]]></ac:plain-text-body></ac:structured-macro> |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="d6036cf8e8b745dc-782fe8c5-451b4000-9b358edb-74d8d8a9240048bb549a7d0e"><ac:plain-text-body><![CDATA[ | [[OWASP 2007 | AA. Bibliography#OWASP 07]] |
| ]]></ac:plain-text-body></ac:structured-macro> |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="b1f81762494dae86-2a46e345-409d4936-801b8b71-e5383ccb026cb61161ebe75b"><ac:plain-text-body><![CDATA[ | [[OWASP 2008 | AA. Bibliography#OWASP 08]] |
| ]]></ac:plain-text-body></ac:structured-macro> |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="cfc485e70131b63d-6bdae26d-40ad4d9a-b399a6b3-131e23f144e24cadf48a3a06"><ac:plain-text-body><![CDATA[ | [[W3C 2008 | AA. Bibliography#W3C 08]] | 4.4.3 Included If Validating | ]]></ac:plain-text-body></ac:structured-macro> |
...