Secure Code Note: OWASP Top 10 #1 Injections and Java EE
This blog post illustrates the injection risks in a Java EE project: SQL injection, NoSQL injection, OS command injection, file inclusion (remote and local), and LDAP injection.
A1: 2017 — Injections
SQL Injection
Example (vulnerable): the id is concatenated into the SQL text; calling prepareStatement() on the finished string does not help, because the driver never receives the value as a separate parameter.
String query = "SELECT * FROM users WHERE id = '" + id + "'";
ps = con.prepareStatement(query);
Correction: keep the SQL text constant and bind the value through a placeholder.
ps = con.prepareStatement("select * from users where id = ?");
ps.setString(1, id);
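As an added example (not code from the original post), here is the same lookup written out as a complete JDBC method, alongside the one case a PreparedStatement cannot cover on its own: a column name chosen by the user. JDBC binds values, never identifiers, so a user-selected ORDER BY column has to go through an allow list. The table and column names are assumptions; the Connection is assumed to come from the container's DataSource.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

public class UserDao {

    // Columns a caller may sort by. JDBC binds values, not identifiers, so a
    // user-chosen column name has to be checked against this fixed set (assumed schema).
    private static final Set<String> SORTABLE = Set.of("id", "mail", "created");

    // VULNERABLE: the id is spliced into the SQL text before the driver sees it.
    // id = "' OR '1'='1" yields
    //   SELECT * FROM users WHERE id = '' OR '1'='1'
    // and prepareStatement() on that string simply prepares the attacker's statement.
    public static String unsafeQuery(String id) {
        return "SELECT * FROM users WHERE id = '" + id + "'";
    }

    // SAFE: the SQL text is a constant; the id travels separately as a bound value, so
    // the same payload is compared literally against the id column and matches nothing.
    public String findMail(Connection con, String id) throws SQLException {
        String sql = "SELECT mail FROM users WHERE id = ?";
        try (PreparedStatement ps = con.prepareStatement(sql)) {
            ps.setString(1, id);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString("mail") : null;
            }
        }
    }

    // SAFE with a user-chosen sort column: "ORDER BY ?" is not valid for identifiers, so
    // the column goes through the allow list and only the known-good constant is appended.
    // The search term itself is still bound.
    public List<String> findIdsByMailPrefix(Connection con, String mailPrefix, String orderBy)
            throws SQLException {
        if (!SORTABLE.contains(orderBy)) {
            throw new IllegalArgumentException("unsupported sort column: " + orderBy);
        }
        String sql = "SELECT id FROM users WHERE mail LIKE ? ORDER BY " + orderBy;
        List<String> ids = new ArrayList<>();
        try (PreparedStatement ps = con.prepareStatement(sql)) {
            // Binding stops injection, but '%' and '_' inside mailPrefix are still LIKE
            // wildcards; escape them if the prefix must be matched literally.
            ps.setString(1, mailPrefix + "%");
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    ids.add(rs.getString("id"));
                }
            }
        }
        return ids;
    }
}
```

The try-with-resources blocks also close the statement and result set on every path, which matters in a container where connections are pooled.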
NoSQL Injection
Example (vulnerable): the token is concatenated into a JavaScript expression that MongoDB evaluates, so the token is treated as code, not as a value (a token such as ' || true || ' makes the function return true for every document).
String jsQuery = "function() { return this.token == '" + token + "' }";
query.where(jsQuery);
Correction: use the Morphia criteria API, which sends the token as a field value rather than as code.
Query<Session> query = sessionDAO.createQuery();
query.criteria("token").equal(token);
OS Command Injection
Example (vulnerable): the user's input is passed straight to exec(), so the user decides which program runs and with which arguments.
Process process = Runtime.getRuntime().exec(command);
Correction: offer an enumerated list of operations and map the user's choice onto a fixed command (an allow list); the raw input itself never reaches exec().
private static final String HELP = "0 Display System Info \n"
        + "1 Display Free memory \n"
        + "2 List all files in current directory \n"
        + "3 Display current service status \n"
        + "help Provides Help information";

private String command;       // the user's raw choice
private String commandValue;  // the fixed command that will actually be executed
private String response;

// Only the keys below are accepted; every other input gets the help text.
private void runCmd() {
    switch (command) {
        case "0":
            commandValue = "systeminfo";
            break;
        case "1":
            this.response = "Free memory (MB): " + Runtime.getRuntime().freeMemory() / (1024 * 1024);
            return;
        case "2":
            commandValue = "ls";
            break;
        case "3":
            commandValue = "systemctl status wildfly";
            break;
        case "help":
            this.response = HELP;
            return;
        default:
            this.response = "'" + command + "' is not recognized as an internal command. \n For help type 'help'";
            return;
    }
}
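The switch above works when the whole command is fixed. As an added example (not the post's code), the following extends the allow-list idea to the case where part of the command genuinely depends on the user, such as which report directory to list: the program and its flags are constants passed to ProcessBuilder as separate argv elements, the variable part is validated against a strict pattern and confined below a base directory, and a timeout bounds the child process. The base path is an assumption.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Arrays;
import java.util.List;
import java.util.concurrent.TimeUnit;
import java.util.regex.Pattern;

public class SafeCommandRunner {

    // Only sub-directories of this base may be listed (assumed location).
    private static final Path BASE = Paths.get("/var/opt/app/reports").toAbsolutePath().normalize();

    // One path segment: letters, digits, '_' and '-', bounded length. No '/', no '.',
    // no whitespace, no shell metacharacters.
    private static final Pattern SEGMENT = Pattern.compile("[A-Za-z0-9_-]{1,64}");

    // VULNERABLE: exec(String) splits on whitespace, so a space in userInput adds extra
    // arguments ("x -a /etc"), "../" leaves the directory, and if this string is ever
    // handed to "sh -c" then ';', '|' and '$(...)' run further commands.
    public static Process unsafe(String userInput) throws IOException {
        return Runtime.getRuntime().exec("ls -l /var/opt/app/reports/" + userInput);
    }

    // SAFE: program and flags are constants; the user-derived part is a single argv element
    // that has passed the pattern check and is confined below BASE. No shell is involved.
    public static String listReports(String subdir) throws IOException, InterruptedException {
        if (!SEGMENT.matcher(subdir).matches()) {
            throw new IllegalArgumentException("invalid directory name");
        }
        Path target = BASE.resolve(subdir).normalize();
        if (!target.startsWith(BASE)) {            // second line of defence against traversal
            throw new IllegalArgumentException("outside base directory");
        }
        // "--" tells ls that nothing after it is an option, even if the name starts with '-'.
        List<String> argv = Arrays.asList("ls", "-l", "--", target.toString());
        Process p = new ProcessBuilder(argv).redirectErrorStream(true).start();
        // Bound the child's run time. Fine for the small output of ls; a command that can
        // produce more than the pipe buffer holds should have its output read concurrently
        // or redirected to a file, otherwise the child blocks on write and times out here.
        if (!p.waitFor(5, TimeUnit.SECONDS)) {
            p.destroyForcibly();
            throw new IOException("command timed out");
        }
        return new String(p.getInputStream().readAllBytes(), StandardCharsets.UTF_8);
    }
}
```

Passing argv as a list only helps if the program itself does not re-parse its arguments through a shell; wrapping the call in "sh -c" or "cmd /c" would undo the protection.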
Remote File Inclusion: an uploaded file must be checked before it is saved.
The checkpoints could be:
- Check the file type against an allow list of extensions: pdf, word…
- Check that the file name matches the expected format, if one is defined
- Sanitize the file name by removing any directory part (path separators, "..") so the upload cannot be written outside the target directory
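The three checkpoints above, implemented as one validator (an added example, not code from the original post). The upload directory, the allowed extensions and the file-name pattern are assumptions; the client-supplied name is treated as hostile throughout, since the browser's file-name header is entirely under the sender's control.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardCopyOption;
import java.util.Locale;
import java.util.Set;
import java.util.regex.Pattern;

public class UploadValidator {

    // Where uploads are stored (assumed); nothing may be written outside it.
    private static final Path UPLOAD_DIR = Paths.get("/var/opt/app/uploads").toAbsolutePath().normalize();

    // Checkpoint 1: allowed document types, by extension (assumed list).
    private static final Set<String> ALLOWED_EXT = Set.of("pdf", "doc", "docx");

    // Checkpoint 2: expected file-name shape, e.g. "report_2024.pdf" (assumed pattern).
    // No '/', '\', NUL or control characters can match, and ".." cannot either.
    private static final Pattern NAME = Pattern.compile("[A-Za-z0-9][A-Za-z0-9 ._-]{0,99}");

    // Checkpoint 3: drop any directory part the client sent, then re-validate what is left.
    // "../../etc/cron.d/job" and "..\\WEB-INF\\web.xml" must not survive this step.
    static String sanitizeFileName(String submitted) {
        String base = submitted.replace('\\', '/');
        base = base.substring(base.lastIndexOf('/') + 1);
        if (!NAME.matcher(base).matches()) {
            throw new IllegalArgumentException("file name does not match the expected format");
        }
        return base;
    }

    static String extensionOf(String fileName) {
        int dot = fileName.lastIndexOf('.');
        if (dot < 0 || dot == fileName.length() - 1) {
            throw new IllegalArgumentException("missing file extension");
        }
        return fileName.substring(dot + 1).toLowerCase(Locale.ROOT);
    }

    // Returns the path the file was written to, after all three checks have passed.
    public static Path store(String submittedName, InputStream content) throws IOException {
        String name = sanitizeFileName(submittedName);
        if (!ALLOWED_EXT.contains(extensionOf(name))) {
            throw new IllegalArgumentException("file type not allowed");
        }
        Path target = UPLOAD_DIR.resolve(name).normalize();
        if (!UPLOAD_DIR.equals(target.getParent())) {  // final guard: stay inside the upload dir
            throw new IllegalArgumentException("invalid target path");
        }
        Files.createDirectories(UPLOAD_DIR);
        Files.copy(content, target, StandardCopyOption.REPLACE_EXISTING);
        return target;
    }
}
```

The extension check only controls what the server believes the file is; it says nothing about the content. Upload directories should never be served from a location where the container executes files, and the stored content should be parsed or type-sniffed before it is trusted.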
The other vector is a request parameter used directly as the frame source, which lets an attacker point the frame at any URL they choose:
<iframe id="frame1" name="frame1"
        scrolling="auto" src="#{param['page']}">
Solution: resolve the source on the server side from a bean property instead of reading it from the request:
<iframe id="frame1" name="frame1"
        scrolling="auto" src="#{Bean.file}">
Local File Inclusion:
Rule: always use a hardcoded path instead of a URL parameter that an external user controls.
Example (vulnerable):
<ui:include src="#{param['page']}" />
Solution:
<ui:include src="/user/user.xhtml" />
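When the view to show really must depend on the request, the usual way to keep the path hardcoded is a server-side mapping from a short key to a fixed set of view ids, so the request parameter is only ever a lookup key and never a path. This bean serves both the iframe and the ui:include cases above and is an added example, not code from the original post; the bean name, the "page" parameter and the view ids are assumptions.

```java
import java.util.Map;
import javax.enterprise.context.RequestScoped;
import javax.faces.context.FacesContext;
import javax.inject.Named;

@Named("pageBean")
@RequestScoped
public class PageBean {

    // The only views a client may select. Keys are what appears in the URL; values are
    // fixed, server-side paths (assumed view ids).
    private static final Map<String, String> VIEWS = Map.of(
            "user",    "/user/user.xhtml",
            "orders",  "/user/orders.xhtml",
            "profile", "/user/profile.xhtml");

    private static final String DEFAULT_VIEW = "/user/user.xhtml";

    // Referenced as src="#{pageBean.file}" from the iframe or from <ui:include>.
    public String getFile() {
        String key = FacesContext.getCurrentInstance()
                .getExternalContext()
                .getRequestParameterMap()
                .get("page");
        return resolve(key);
    }

    // Pure lookup, kept separate so it can be unit-tested without a FacesContext.
    // Unknown or missing keys fall back to the default instead of echoing the input,
    // so "../WEB-INF/web.xml" or an external URL can never become the include path.
    static String resolve(String key) {
        if (key == null) {               // Map.of() rejects null keys, so check first
            return DEFAULT_VIEW;
        }
        return VIEWS.getOrDefault(key, DEFAULT_VIEW);
    }
}
```

The same pattern applies to the iframe: its src is then one of three known URLs, chosen by the server, rather than whatever the query string contained.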
LDAP Injection
Any value placed into an LDAP search filter (or a DN) must be escaped first; for example, the mail address or username should be encoded with OWASP ESAPI (encodeForLDAP for filter values, encodeForDN for DN components) before it is concatenated into the query.
New examples will be added over time.
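An added example (not code from the original post) showing the vulnerable filter, the ESAPI-encoded version, and a third option that needs no extra library: JNDI's own filter arguments, where the filter template stays constant and the provider substitutes and escapes the value. The base DN, the attribute names and the connection settings are assumptions.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import org.owasp.esapi.ESAPI;

public class LdapUserLookup {

    private static final String BASE_DN = "ou=people,dc=example,dc=com";  // assumed

    // VULNERABLE: a username such as "*)(uid=*" or "admin)(|(uid=*" rewrites the filter,
    // so it can match every entry or neutralise the objectClass condition.
    public static String unsafeFilter(String username) {
        return "(&(objectClass=person)(uid=" + username + "))";
    }

    // SAFE (1): escape the value with ESAPI before it enters the filter. '*', '(', ')',
    // '\' and NUL become "\2a", "\28", "\29", "\5c" and "\00", so they match literally.
    public static String escapedFilter(String username) {
        return "(&(objectClass=person)(uid=" + ESAPI.encoder().encodeForLDAP(username) + "))";
    }

    // SAFE (2): let JNDI do the substitution. "{0}" is replaced by filterArgs[0], and
    // filter metacharacters in a String argument are escaped by the provider, the same
    // separation of query text and value as a PreparedStatement placeholder.
    public static boolean userExists(DirContext ctx, String username) throws NamingException {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[] { "uid" });
        sc.setCountLimit(1);
        NamingEnumeration<SearchResult> results =
                ctx.search(BASE_DN, "(&(objectClass=person)(uid={0}))", new Object[] { username }, sc);
        try {
            return results.hasMore();
        } finally {
            results.close();
        }
    }

    // Connection setup shown for completeness (assumed URL); the bind credentials belong
    // in the container's configuration, not in source code.
    public static DirContext connect(String url, String bindDn, String password) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return new InitialDirContext(env);
    }
}
```

Filter escaping and DN escaping are different: a username that is spliced into a DN ("uid=" + name + ",ou=people,...") needs encodeForDN, where ',', '+', '=' and leading or trailing spaces are the significant characters, not '*' and the parentheses.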