Skip to main content


Eclipse Community Forums

      Home
Home » Eclipse Projects » Remote Application Platform (RAP) » SQL Injection(RAP Application - SQL Injection)
SQL Injection [message #1749609] Thu, 08 December 2016 10:39 Go to next message
Eclipse UserFriend
A security review of one of our RAP based applications was conducted and produced the following exception:

"The application fails to adequately sanitize user supplied input. There are numerous fields throughout the application where encoding schemes (i.e. Base64) and encrypted malicious URLs can be entered into the form fields. All form fields need to be scrubbed to ensure only valid data can be inputted."

We have a number of forms/text fields where users will cut and paste data into these fields. Do others 'scrub' the data to insure questionable code isn't injected into this fields? I know the likelihood of it being executed may be nil, but I am interested to hear what others are doing.

I appreciate any comments or suggestions..

Thanks,

Kevin.
Re: SQL Injection [message #1749876 is a reply to message #1749609] Tue, 13 December 2016 08:40 Go to previous messageGo to next message
Eclipse UserFriend
Hmm.. this is a little bit strange. I build a rap application myself and injected a sql injection vulnerability explicitly.

Trying out some manual sql injection attacks haven't shown me such an error message, which you received. To be more specific.. I haven't received any error messages even when I injected special characters like ' into the text field.

Do you use graphical components from org.eclipse.swt.widgets.* ?

Here is something I found out regarding to the input encoding:

"All content that is displayed in the browser must have been set using an
API method such as Label.setText(). All these methods encode their
input, so that any malicious content would only be printed instead of
evaluated. Markup-enabled widgets parse the texts and ensure that only a
defined subset of HTML elements is used."

XSS is not injectable in this case but as far as your application does not handle the protection methods against sqlinjection itself, I would say there might be an exploitable vulnerability

Best regards,
Aziz

[Updated on: Tue, 13 December 2016 08:42] by Moderator

Re: SQL Injection [message #1749958 is a reply to message #1749876] Wed, 14 December 2016 08:41 Go to previous messageGo to next message
Eclipse UserFriend
Thanks Aziz,

Exception was a bad choice of words. During security testing the Departmental Information Security Officer pointed out a potential vulnerability. Options have been suggested by the vendor (developed product to create web applications from CA Gen models) to define our own client-side JavaScript validation to prevent SQL injection. I suspect we are at risk of SQL being injected but likely not easily executed.

Thanks again. I appreciate your time.

Kevin.
Re: SQL Injection [message #1750082 is a reply to message #1749958] Thu, 15 December 2016 16:34 Go to previous messageGo to next message
Eclipse UserFriend
A UI framework like RAP doesn't do anything to stop SQL injection. That's entirely up to your coding practices and what ever method of data access you choose.
No client-side validation can ever be trusted to prevent an SQL injection attack either.

Any vendor who tells you to mitigate SQL injection via browser executed JavaScript obviously doesn't know what they're talking about.
Re: SQL Injection [message #1750633 is a reply to message #1750082] Fri, 23 December 2016 08:53 Go to previous messageGo to next message
Eclipse UserFriend
A framework like RAP doesn't do anything against sql injection but it has some prevention methods against XSS.
I would like to know if there is any framework at all, which has some protection methods out-of-the-box against sql injection ?!

Do you know such a framework?
Best regards,
Aziz Hohenheim
Re: SQL Injection [message #1750887 is a reply to message #1750633] Sat, 31 December 2016 02:08 Go to previous message
Eclipse UserFriend
Using java.sql.PreparedStatement goes a long way to preventing SQL injection vulnerabilities.
Don't get tempted to build a query by concatenating user input.

If you're really paranoid, write all your queries as stored procedures, only use CallableStatement to execute them and only give the database user access to execute your procedures, don't give the user access to the tables.

If you're lazy, use a persistence framework like JPA or Hibernate.

I feel this is getting off topic, as it has nothing specifically to do with RAP.
RAP doesn't have a clue what SQL is, so it's not going to escape your inputs for you.
Previous Topic:rap deployment as stand-alone jetty app
Next Topic:HTTP Status 500 - Unable to read the json message
Goto Forum:
  


Current Time: Wed Jul 23 12:37:19 EDT 2025

Powered by FUDForum. Page generated in 0.24581 seconds
.:: Contact :: Home ::.

Powered by: FUDforum 3.0.2.
Copyright ©2001-2010 FUDforum Bulletin Board Software

Back to the top

Sign up to our Newsletter

A fresh new issue delivered monthly