|
Status: Incomplete Weakness ID: 564 (Weakness Variant)Description Summary Using Hibernate to execute a dynamic SQL statement built with user-controlled input can allow an attacker to modify the statement's meaning or to execute arbitrary SQL commands. Potential Mitigations Requirements specification: A non-SQL style database which is not subject to this flaw may be chosen. Architecture and Design Follow the principle of least privilege when creating user accounts to a SQL database. Users should only have the minimum privileges necessary to use their account. If the requirements of the system indicate that a user can read and modify their own data, then limit their privileges so they cannot read/write others' data. Architecture and Design Duplicate any filtering done on the client-side on the server side. Implementation Implement SQL strings using prepared statements that bind variables. Prepared statements that do not bind variables can be vulnerable to attack. Implementation Use vigorous white-list style checking on any user input that may be used in a SQL command. Rather than escape meta-characters, it is safest to disallow them entirely. Reason: Later use of data that have been entered in the database may neglect to escape meta-characters before use. Narrowly define the set of safe characters based on the expected value of the parameter in the request. Demonstrative Examples The following code excerpt uses Hibernate's HQL syntax to build a dynamic query that's vulnerable to SQL injection. Java Example: String street = getStreetFromUser(); Query query = session.createQuery("from Address a where
a.street='" + street + "'");
Relationships
Taxonomy Mappings
Time of Introduction Architecture and Design ImplementationContent History Submissions Anonymous Tool Vendor (under NDA). (Externally Mined) Modifications Sean Eidemiller. Cigital. 2008-07-01. (External) added/updated demonstrative examples Eric Dalci. Cigital. 2008-07-01. (External) updated Time_of_Introduction CWE Content Team. MITRE. 2008-09-08. (Internal) updated Relationships, Taxonomy_Mappings |
|
|
|||