Using Hibernate to execute a dynamic SQL statement built with
user-controlled input can allow an attacker to modify the statement's meaning or
to execute arbitrary SQL commands.
Time of Introduction
Architecture and Design
Implementation
Demonstrative Examples
Example 1
The following code excerpt uses Hibernate's HQL syntax to build a
dynamic query that's vulnerable to SQL injection.
(Bad Code)
Java
String street = getStreetFromUser();
Query query = session.createQuery("from Address a where
a.street='" + street + "'");
Potential Mitigations
Phase
Description
Requirements specification: A non-SQL style database which is not
subject to this flaw may be chosen.
Architecture and Design
Follow the principle of least privilege when creating user accounts to
a SQL database. Users should only have the minimum privileges necessary
to use their account. If the requirements of the system indicate that a
user can read and modify their own data, then limit their privileges so
they cannot read/write others' data.
Architecture and Design
Duplicate any filtering done on the client-side on the server
side.
Implementation
Implement SQL strings using prepared statements that bind variables.
Prepared statements that do not bind variables can be vulnerable to
attack.
Implementation
Use vigorous white-list style checking on any user input that may be
used in a SQL command. Rather than escape meta-characters, it is safest
to disallow them entirely. Reason: Later use of data that have been
entered in the database may neglect to escape meta-characters before
use. Narrowly define the set of safe characters based on the expected
value of the parameter in the request.
Description
