Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Java SQL/LDAP Injections

from [Andres Molinetti] Network Security [Permanent Link]
Subject: Java SQL/LDAP Injections
Date: Mon, 24 Apr 2006 19:14:12 +0000 
Dear list,

I am working on some Java code reviews and was looking for injection vectors that may apply on it.

Take for example the following code:

---------------------
public User getUsers(String userID) {
...
NamedQuery query = new NamedQuery(User.class, "user.view.by.id");
Map parameters = new HashMap();
parameters.put("userid", userID);
query.setParameters(parameters);
List list = Repository.select(query);
...
}
----------------------


That piece of code interacts with Hibernate to get a list of user objects with that ID from a relational DB. Here is the extract of the HBM mapping file:

--------------------
<property name="userID" type="string" length="15" column="USER_ID"/>
....
<query name="user.view.by.id"><![CDATA[
from com.test.user as userX
where userID = :userid
]]>
</query>
--------------------

I am wondering if this represents vulnerable code, exploited by, for example, calling getUsers("' or '1'='1") or something of the sort.

Second, suppose the application interacts with an LDAP server, using the following code:

------------------------------------
public boolean checkUser(String userID) {

           boolean result = false;
           Attributes srchAttrs = new BasicAttributes(true);
           String [] resAttrsID = {"uid"};

           searchAttrs.put("uid", userID);
           Enumeration srchResults = null;

srchResults = ctx.search(LDAP.getBranch(), srchAttrs, resAttrsID);
if((srchResults != null) && (srchResults.hasMoreElements() == true))
result = true;

           result = false;

}
------------------------------------

Is this function vulnerable to LDAP Injection?

Looking foward to reading your opinions....

Andy.

_________________________________________________________________
Descarga gratis la Barra de Herramientas de MSN http://www.msn.es/usuario/busqueda/barra?XAPID=2031&DI=1055&SU=http%3A//www.hotmail.com&HL=LINKTAG1OPENINGTEXT_MSNBH


-------------------------------------------------------------------------
Sponsored by: Watchfire

Watchfire's AppScan is the industry's first and leading web application security testing suite, and the only solution to provide comprehensive remediation tasks at every level of the application. Change the way you think about application security testing - See for yourself. Download a Free Trial of AppScan 6.0 today!

https://www.watchfire.com/securearea/appscansix.aspx?id=701300000007kaF
--------------------------------------------------------------------------

[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Enabling PHP uploads, Johann Spies
Next by Date:  Re: OT: Inserting Ads without breaking the SSL, Zaninotti, Thiago
Previous by Thread:  Enabling PHP uploads, Johann Spies
Next by Thread:  Java SQL/LDAP Injections, Andres Molinetti
Indexes:  [Date] [Thread] [Top] [All Lists]