Comments on: The OWASP Top Ten and ESAPI – Part 2 – Injection Flaws http://www.jtmelton.com/2009/12/01/the-owasp-top-ten-and-esapi-part-3-injection-flaws/ Java, Security and Technology Wed, 25 Jan 2012 05:18:23 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: john http://www.jtmelton.com/2009/12/01/the-owasp-top-ten-and-esapi-part-3-injection-flaws/comment-page-1/#comment-37428 john Wed, 16 Mar 2011 06:13:36 +0000 http://www.jtmelton.com/2009/12/01/the-owasp-top-ten-and-esapi-part-3-injection-flaws/#comment-37428 @Ram Thanks for the kind words. Glad you found it helpful @Ram
Thanks for the kind words. Glad you found it helpful

]]> By: Ram Guduputi http://www.jtmelton.com/2009/12/01/the-owasp-top-ten-and-esapi-part-3-injection-flaws/comment-page-1/#comment-37424 Ram Guduputi Wed, 16 Mar 2011 04:42:41 +0000 http://www.jtmelton.com/2009/12/01/the-owasp-top-ten-and-esapi-part-3-injection-flaws/#comment-37424 What an excellent technical details on OWASP issues. This is the best place to learn about Application Security especially J2EE application. Please continue writing such articles to help your fellow professionals. What an excellent technical details on OWASP issues. This is the best place to learn about Application Security especially J2EE application.

Please continue writing such articles to help your fellow professionals.

]]> By: jose http://www.jtmelton.com/2009/12/01/the-owasp-top-ten-and-esapi-part-3-injection-flaws/comment-page-1/#comment-1102 jose Tue, 13 Apr 2010 15:01:56 +0000 http://www.jtmelton.com/2009/12/01/the-owasp-top-ten-and-esapi-part-3-injection-flaws/#comment-1102 Excellents articles! I hope that you'll still continue writting about that, because is a issue than there're not so much information about how can we used it. Good for you! and thank u Excellents articles!

I hope that you’ll still continue writting about that, because is a issue than there’re not so much information about how can we used it.

Good for you! and thank u

]]> By: KRvW http://www.jtmelton.com/2009/12/01/the-owasp-top-ten-and-esapi-part-3-injection-flaws/comment-page-1/#comment-14 KRvW Wed, 02 Dec 2009 13:13:01 +0000 http://www.jtmelton.com/2009/12/01/the-owasp-top-ten-and-esapi-part-3-injection-flaws/#comment-14 Excellent series of articles--thanks for taking the time to write and post them. Cheers, Ken van Wyk Excellent series of articles–thanks for taking the time to write and post them.

Cheers,

Ken van Wyk

]]> By: john http://www.jtmelton.com/2009/12/01/the-owasp-top-ten-and-esapi-part-3-injection-flaws/comment-page-1/#comment-13 john Tue, 01 Dec 2009 17:17:35 +0000 http://www.jtmelton.com/2009/12/01/the-owasp-top-ten-and-esapi-part-3-injection-flaws/#comment-13 @Jeff - thanks for the input - made a reference inline pointing to your comment and a statement hopefully better resembling the OWASP spirit. @Ben - thanks for the great catch - updated the code referencing your comment. @Jeff – thanks for the input – made a reference inline pointing to your comment and a statement hopefully better resembling the OWASP spirit.

@Ben – thanks for the great catch – updated the code referencing your comment.

]]> By: Ben http://www.jtmelton.com/2009/12/01/the-owasp-top-ten-and-esapi-part-3-injection-flaws/comment-page-1/#comment-12 Ben Tue, 01 Dec 2009 08:23:49 +0000 http://www.jtmelton.com/2009/12/01/the-owasp-top-ten-and-esapi-part-3-injection-flaws/#comment-12 Hello, thank you for the effort, cool series of articles. However, let me hint on a small mistake: The example you use for SQL injection is one I see a lot: Password: ' OR '1 = 1 ...making the resulting query: ...AND password = '' OR '1 = 1' But this is NOT a correct statement, the '1 = 1' might be "true" for some databases but not necessarily always. For example, this will NOT work on Microsoft SQL Server. On a side note, I have no idea where this strange wrong injection string is coming from but have even found it in scientific papers :) A correct injection string would, for example, be: Password: ' OR '1' = '1 ...making the resulting query: ...AND password = '' OR '1' = '1' ...which is a correct statement, no matter which database is used. --- Nonetheless, your example shows that some databases accept strange things as "true", which is a royal PITA when trying to filter input and shows that blacklisting is futile (think of signature-based IDSs, IPSs, WAFs,...). For example, MySQL (and I guess this was used for "finding" the wrong injection string) accepts, probably among others, the following values as "true": any positive or negative number except 0: where 1 where 2 where -34 any string starting with a positive or negative number except 0: where '1' where '1 = 1' -- looks familiar? where '2' where '-34something' Kind regards, Ben Hello,
thank you for the effort, cool series of articles. However, let me hint on a small mistake:

The example you use for SQL injection is one I see a lot:
Password: ‘ OR ’1 = 1
…making the resulting query:
…AND password = ” OR ’1 = 1′

But this is NOT a correct statement, the ’1 = 1′ might be “true” for some databases but not necessarily always. For example, this will NOT work on Microsoft SQL Server.

On a side note, I have no idea where this strange wrong injection string is coming from but have even found it in scientific papers :)

A correct injection string would, for example, be:
Password: ‘ OR ’1′ = ’1
…making the resulting query:
…AND password = ” OR ’1′ = ’1′

…which is a correct statement, no matter which database is used.


Nonetheless, your example shows that some databases accept strange things as “true”, which is a royal PITA when trying to filter input and shows that blacklisting is futile (think of signature-based IDSs, IPSs, WAFs,…).

For example, MySQL (and I guess this was used for “finding” the wrong injection string) accepts, probably among others, the following values as “true”:

any positive or negative number except 0:
where 1
where 2
where -34

any string starting with a positive or negative number except 0:
where ’1′
where ’1 = 1′ — looks familiar?
where ’2′
where ‘-34something’

Kind regards,
Ben

]]> By: Jeff Williams http://www.jtmelton.com/2009/12/01/the-owasp-top-ten-and-esapi-part-3-injection-flaws/comment-page-1/#comment-11 Jeff Williams Tue, 01 Dec 2009 04:28:07 +0000 http://www.jtmelton.com/2009/12/01/the-owasp-top-ten-and-esapi-part-3-injection-flaws/#comment-11 The OWASP ESAPI Project absolutely does recommend that people use PreparedStatement as the first and best option (it's all over the javadoc and the swingset sample app). However, ESAPI does provide database codecs because there are many situations when remediation is more easily done with an escaping method. There are also certain types of queries for which using PreparedStatement will cause significant performance problems (so be careful with those recommendations folks). Also, in some environments parameterized queries may not be available, so an escaping option is important. I looked into this pretty deeply back in 2002/2003 (http://lists.virus.org/webappsec-0301/msg00003.html). The upshot is that the JDBC spec doesn't explicitly require that PreparedStatement prevents injection, so there's certainly some risk in relying exclusively on them. That's why input validation, escaping, and access reference maps are important security controls. And of course there are degenerate cases like PreparedStatement.executeQuery( "exec ?" ); I looked into the MySQL driver back then and decided that it wasn't obviously vulnerable. I even took a swing at reversing the Oracle JDBC drivers, but I didn't get far enough to give anyone any confidence. This is exactly the lack of visibility that makes it so difficult to make progress in application security. The OWASP ESAPI Project absolutely does recommend that people use PreparedStatement as the first and best option (it’s all over the javadoc and the swingset sample app).

However, ESAPI does provide database codecs because there are many situations when remediation is more easily done with an escaping method. There are also certain types of queries for which using PreparedStatement will cause significant performance problems (so be careful with those recommendations folks). Also, in some environments parameterized queries may not be available, so an escaping option is important.

I looked into this pretty deeply back in 2002/2003 (http://lists.virus.org/webappsec-0301/msg00003.html). The upshot is that the JDBC spec doesn’t explicitly require that PreparedStatement prevents injection, so there’s certainly some risk in relying exclusively on them. That’s why input validation, escaping, and access reference maps are important security controls. And of course there are degenerate cases like PreparedStatement.executeQuery( “exec ?” );

I looked into the MySQL driver back then and decided that it wasn’t obviously vulnerable. I even took a swing at reversing the Oracle JDBC drivers, but I didn’t get far enough to give anyone any confidence. This is exactly the lack of visibility that makes it so difficult to make progress in application security.

]]>