Skip to main content


Eclipse Community Forums
Forum Search:

Search      Help    Register    Login    Home
Home » Eclipse Projects » Remote Application Platform (RAP) » SQL Injection(RAP Application - SQL Injection)
SQL Injection [message #1749609] Thu, 08 December 2016 15:39 Go to next message
Kevin Gorman is currently offline Kevin GormanFriend
Messages: 2
Registered: December 2016
Junior Member
A security review of one of our RAP based applications was conducted and produced the following exception:

"The application fails to adequately sanitize user supplied input. There are numerous fields throughout the application where encoding schemes (i.e. Base64) and encrypted malicious URLs can be entered into the form fields. All form fields need to be scrubbed to ensure only valid data can be inputted."

We have a number of forms/text fields where users will cut and paste data into these fields. Do others 'scrub' the data to insure questionable code isn't injected into this fields? I know the likelihood of it being executed may be nil, but I am interested to hear what others are doing.

I appreciate any comments or suggestions..

Thanks,

Kevin.

Report message to a moderator

Re: SQL Injection [message #1749876 is a reply to message #1749609] Tue, 13 December 2016 13:40 Go to previous messageGo to next message
Aziz Hohenheim is currently offline Aziz HohenheimFriend
Messages: 12
Registered: November 2016
Junior Member
Hmm.. this is a little bit strange. I build a rap application myself and injected a sql injection vulnerability explicitly.

Trying out some manual sql injection attacks haven't shown me such an error message, which you received. To be more specific.. I haven't received any error messages even when I injected special characters like ' into the text field.

Do you use graphical components from org.eclipse.swt.widgets.* ?

Here is something I found out regarding to the input encoding:

"All content that is displayed in the browser must have been set using an
API method such as Label.setText(). All these methods encode their
input, so that any malicious content would only be printed instead of
evaluated. Markup-enabled widgets parse the texts and ensure that only a
defined subset of HTML elements is used."

XSS is not injectable in this case but as far as your application does not handle the protection methods against sqlinjection itself, I would say there might be an exploitable vulnerability

Best regards,
Aziz

[Updated on: Tue, 13 December 2016 13:42]

Report message to a moderator

Re: SQL Injection [message #1749958 is a reply to message #1749876] Wed, 14 December 2016 13:41 Go to previous messageGo to next message
Kevin Gorman is currently offline Kevin GormanFriend
Messages: 2
Registered: December 2016
Junior Member
Thanks Aziz,

Exception was a bad choice of words. During security testing the Departmental Information Security Officer pointed out a potential vulnerability. Options have been suggested by the vendor (developed product to create web applications from CA Gen models) to define our own client-side JavaScript validation to prevent SQL injection. I suspect we are at risk of SQL being injected but likely not easily executed.

Thanks again. I appreciate your time.

Kevin.

Report message to a moderator

Re: SQL Injection [message #1750082 is a reply to message #1749958] Thu, 15 December 2016 21:34 Go to previous messageGo to next message
Chris Fairhall is currently offline Chris FairhallFriend
Messages: 221
Registered: February 2011
Senior Member
A UI framework like RAP doesn't do anything to stop SQL injection. That's entirely up to your coding practices and what ever method of data access you choose.
No client-side validation can ever be trusted to prevent an SQL injection attack either.

Any vendor who tells you to mitigate SQL injection via browser executed JavaScript obviously doesn't know what they're talking about.

Report message to a moderator

Re: SQL Injection [message #1750633 is a reply to message #1750082] Fri, 23 December 2016 13:53 Go to previous messageGo to next message
Aziz Hohenheim is currently offline Aziz HohenheimFriend
Messages: 12
Registered: November 2016
Junior Member
A framework like RAP doesn't do anything against sql injection but it has some prevention methods against XSS.
I would like to know if there is any framework at all, which has some protection methods out-of-the-box against sql injection ?!

Do you know such a framework?
Best regards,
Aziz Hohenheim

Report message to a moderator

Re: SQL Injection [message #1750887 is a reply to message #1750633] Sat, 31 December 2016 07:08 Go to previous message
Chris Fairhall is currently offline Chris FairhallFriend
Messages: 221
Registered: February 2011
Senior Member
Using java.sql.PreparedStatement goes a long way to preventing SQL injection vulnerabilities.
Don't get tempted to build a query by concatenating user input.

If you're really paranoid, write all your queries as stored procedures, only use CallableStatement to execute them and only give the database user access to execute your procedures, don't give the user access to the tables.

If you're lazy, use a persistence framework like JPA or Hibernate.

I feel this is getting off topic, as it has nothing specifically to do with RAP.
RAP doesn't have a clue what SQL is, so it's not going to escape your inputs for you.

Report message to a moderator

Previous Topic:rap deployment as stand-alone jetty app
Next Topic:HTTP Status 500 - Unable to read the json message
Goto Forum:
  

[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Tue Apr 23 12:18:30 GMT 2024

Powered by FUDForum. Page generated in 0.04269 seconds
.:: Contact :: Home ::.

Powered by: FUDforum 3.0.2.
Copyright ©2001-2010 FUDforum Bulletin Board Software

Back to the top

Sign up to our Newsletter

A fresh new issue delivered monthly