SQL Injection Questions About Code?

For most of us, there are times in our careers when we need to verify the work of others.

I was recently asked a question about the vulnerability of a Java application to SQL injection attacks.

Remember that SQL injection is a specialized form of injection attack that takes advantage of the syntax of SQL to inject commands that can read or modify a database, or otherwise compromise the meaning of the original query. Input is either ineffectively filtered, or when user input is not strongly typed. Either way, the rogue SQL is “unexpectedly” executed. In some cases this can result in spectacular amounts unauthorized data access. Because of the potential for financial loss, legal liability, and damage to your company’s reputation, resisting SQL injection attacks should be an important component or your standard development practices.

Under most circumstances in a Java application server environment, this translates into vigorous white-list input validation, PreparedStatements, parameterized queries, stored procedures, and employing the principle of least privilege when executing SQL against the target database.

The PreparedStatement object is used to send SQL statements to the database. A PreparedStatement is special type of statement is derived from the more general class, Statement.

Under extreme time pressure, thorough security code reviews are often impractical. Assessment of a particular application for resistance to SQL injection may translate into verifying only that PreparedStatement objects are used and, where rational, parameterized queries are employed.

Check for “Statements” that begin any line (ignoring white space). Use grep or your favorite text-analysis tooling. You don’t want to find any.

Verify that the application does not contain SQL handling like that outlined in code fragment 1 below:

Code Fragment 1

Statement updateSomething = connection.createStatement(
"UPDATE STUFF SET SALES =" + NEW_VAL + " WHERE THING = " + THING_NAME);
updateSomething.executeQuery();

Something like code fragment 2 below would be a signal, not proof, that this application might include some SQL injection resistance.

Code Fragment 2

PreparedStatement updateSomething = connection.prepareStatement(
"UPDATE STUFF SET SALES = ? WHERE THING = ?");
updateSomething.setInt(1, 50);
updateSomething.setString(2, "TwelveInchRuler");
updateSomething.executeUpdate():

— References —

Injection vulnerabilities: http://www.owasp.org/index.php/Injection_Flaws

SQL injection vulnerabilities: http://en.wikipedia.org/wiki/SQL_injection

From Sun Microsystems: http://java.sun.com/docs/books/tutorial/jdbc/basics/prepared.html

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: