Re: SQL Injection [message #1749876 is a reply to message #1749609]
Tue, 13 December 2016 13:40
Aziz Hohenheim (Messages: 12, Registered: November 2016, Junior Member)

Hmm.. this is a little bit strange. I built a RAP application myself and explicitly injected an SQL injection vulnerability.
Trying out some manual SQL injection attacks hasn't shown me an error message like the one you received. To be more specific.. I haven't received any error messages even when I injected special characters like ' into the text field.
Do you use graphical components from org.eclipse.swt.widgets.* ?
Here is something I found out regarding the input encoding:
"All content that is displayed in the browser must have been set using an
API method such as Label.setText(). All these methods encode their
input, so that any malicious content would only be printed instead of
evaluated. Markup-enabled widgets parse the texts and ensure that only a
defined subset of HTML elements is used."
XSS is not injectable in this case, but as long as your application does not handle the protection against SQL injection itself, I would say there might be an exploitable vulnerability.
Best regards,
Aziz
[Updated on: Tue, 13 December 2016 13:42]
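
An added example, not part of the original post and not RAP code: a Python/sqlite3 stand-in showing that encoding text for display and building the SQL query are separate layers, using a field value that contains `'`. The table, the sample names and the helper functions are constructed for illustration; `html.escape` stands in for the widget encoding the quoted documentation describes.

```python
import html
import sqlite3


def make_db():
    # Constructed sample data, held in memory only.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customer (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO customer (name) VALUES (?)",
                   [("O'Brien",), ("Smith",)])
    return db


def render_label(text):
    # Hypothetical stand-in for output encoding: markup is shown, not evaluated.
    # This happens when text is displayed and never touches the SQL layer.
    return html.escape(text, quote=False)


def find_concatenated(db, name):
    # Vulnerable pattern: the field value becomes part of the SQL text,
    # so a quote character in it changes how the statement is parsed.
    sql = "SELECT id, name FROM customer WHERE name = '" + name + "'"
    try:
        return db.execute(sql).fetchall(), None
    except sqlite3.Error as exc:
        return [], type(exc).__name__


def find_parameterized(db, name):
    # Hardened pattern: the value is bound as data and never parsed as SQL.
    sql = "SELECT id, name FROM customer WHERE name = ?"
    return db.execute(sql, (name,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    field_value = "O'Brien"  # constructed text-field input containing '
    print("label     :", render_label("<b>" + field_value + "</b>"))
    print("concat    :", find_concatenated(db, field_value))
    print("parameter :", find_parameterized(db, field_value))
```
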