Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Java SQL/LDAP Injections

from [Andres Molinetti] Network Security [Permanent Link]
Subject: Java SQL/LDAP Injections
Date: Wed, 26 Apr 2006 17:25:55 +0000 
Dear list,

I am working on some Java code reviews and was looking for injection vectors
that may apply on it.

Take for example the following code:

---------------------
public User getUsers(String userID) {
...
NamedQuery query = new NamedQuery(User.class, "user.view.by.id ");
Map parameters = new HashMap();
parameters.put("userid", userID);
query.setParameters(parameters);
List list = Repository.select(query);
...
}
----------------------


That piece of code interacts with Hibernate to get a list of user objects
with that ID from a relational DB. Here is the extract of the HBM mapping
file:

--------------------
<property name="userID" type="string" length="15" column="USER_ID"/>
....
<query name="user.view.by.id"><![CDATA[
from com.test.user as userX
where userID = :userid
]]>
</query>
--------------------

I am wondering if this represents vulnerable code, exploited by, for
example, calling getUsers("' or '1'='1") or something of the sort.

Second, suppose the application interacts with an LDAP server, using the
following code:

------------------------------------
public boolean checkUser(String userID) {

          boolean result = false;
          Attributes srchAttrs = new BasicAttributes(true);
          String [] resAttrsID = {"uid"};

          searchAttrs.put("uid", userID);
          Enumeration srchResults = null;

          srchResults = ctx.search(LDAP.getBranch(), srchAttrs,
resAttrsID);
          if((srchResults != null) && ( srchResults.hasMoreElements() ==
true))
              result = true;

          result = false;

}
------------------------------------

Is this function vulnerable to LDAP Injection?

Looking foward to reading your opinions....

Andy.

_________________________________________________________________
Moda para esta temporada. Ponte al dma de todas las tendencias. http://www.msn.es/Mujer/moda/default.asp


-------------------------------------------------------------------------
Sponsored by: Watchfire

Watchfire's AppScan is the industry's first and leading web application security testing suite, and the only solution to provide comprehensive remediation tasks at every level of the application. Change the way you think about application security testing - See for yourself. Download a Free Trial of AppScan 6.0 today!

https://www.watchfire.com/securearea/appscansix.aspx?id=701300000007kaF
--------------------------------------------------------------------------

[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Paros 3.2.11 Release, contact
Next by Date:  RE: [WEB SECURITY] Fundamental error in Corsaire's paper?, Amit Klein (AKsecurity)
Previous by Thread:  Java SQL/LDAP Injections, Andres Molinetti
Next by Thread:  RE: Java SQL/LDAP Injections, Jayaraman, Anand X.
Indexes:  [Date] [Thread] [Top] [All Lists]