AttackFlow Findings Dictionary

Hibernate SQL Injection

The attacker can inject unauthorized partial SQL query strings to steal data, such as user passwords, or to run unauthorized commands on the database server. This can lead to a complete compromise of the database and of other servers in the corporate environment.

Severity

Critical

Fix Cost

Low

Trust Level

High

SQL injection is the most popular attack vector that hackers exploit. It is also by far the best-known attack method among developers and business owners.

SQL supports complex queries and is the de facto standard for querying stored data in web applications.

SQL injection can exist in dynamically constructed SQL queries and in stored procedures. It is also important to know that using an ORM framework such as Hibernate does not prevent SQL injection 100%. It is still the developer's job not to construct SQL (or HQL) queries dynamically from untrusted input. For example, analyze the code snippet below:

// Deliberately vulnerable (as described in the text): the request parameter is
// concatenated straight into the HQL string and becomes part of the query text.
String query = "from Users where uname = '" + request.getParameter("name") + "'";
List users = hibernate.find(query);
if (users.isEmpty())
    return ERROR_LOGIN;
if (!checkPasswd(((Users) users.get(0)).getPasswd(), pass))
    return ERROR_LOGIN;

There is still room for an attacker to manipulate the query by supplying crafted values for request.getParameter("name").

Every injection attack occurs because code and untrusted data are mixed together. As developers, we are rarely given secure APIs that keep these two pieces of information (code and data) apart until runtime. In the code above, mixing the data (the name coming from the user) with the code (the partial SQL filter in the program) results in SQL injection. The attacker can potentially manipulate the SQL query and access information that he could not access otherwise.

For example, by sending admin' or 2 > 1 ) -- as request.getParameter("name"), the attacker may authenticate as the admin user even though he does not own the account with the username admin. This is just one of the things an attacker can do with vulnerable code such as the above.
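The fix the text calls for is to keep the query text constant and pass the user-supplied value as a bound parameter, so that it is never parsed as part of the HQL. The following is an added example written for this entry; it is not code from the original page or from AttackFlow, and it assumes a Hibernate 5.x setup (javax.persistence annotations, org.hibernate.query.Query), a Users entity shaped like the one the snippet queries, and that the caller already holds an open Session. The class and method names (SafeLogin, findByName, login) are illustrative.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.List;

import javax.persistence.Entity;
import javax.persistence.Id;

import org.hibernate.Session;
import org.hibernate.query.Query;

// Assumed shape of the entity queried by the page's snippet.
@Entity
class Users {
    @Id
    private String uname;
    private String passwd;

    public String getUname() { return uname; }
    public String getPasswd() { return passwd; }
}

public final class SafeLogin {
    static final int OK_LOGIN = 0;
    static final int ERROR_LOGIN = 1;

    /**
     * Parameterized lookup. The HQL string is a constant; the value of :uname is
     * handed to the JDBC driver as a bound parameter, so a value such as
     * admin' or 2 > 1 ) -- is compared literally against the uname column and
     * matches no row instead of rewriting the WHERE clause.
     */
    static List<Users> findByName(Session session, String name) {
        Query<Users> q = session.createQuery(
                "from Users u where u.uname = :uname", Users.class);
        q.setParameter("uname", name);
        return q.getResultList();
    }

    /** Same control flow as the page's snippet, built on the parameterized query. */
    static int login(Session session, String name, String pass) {
        if (name == null || pass == null) {
            return ERROR_LOGIN;
        }
        List<Users> users = findByName(session, name);
        if (users.isEmpty()) {
            return ERROR_LOGIN;
        }
        if (!checkPasswd(users.get(0).getPasswd(), pass)) {
            return ERROR_LOGIN;
        }
        return OK_LOGIN;
    }

    /**
     * Stand-in for the page's checkPasswd(). It compares the stored verifier
     * with the supplied value in constant time; in a real system the stored
     * value should be a salted password hash and the comparison done by the
     * hashing library, not a plaintext equality check.
     */
    static boolean checkPasswd(String stored, String supplied) {
        if (stored == null || supplied == null) {
            return false;
        }
        return MessageDigest.isEqual(
                stored.getBytes(StandardCharsets.UTF_8),
                supplied.getBytes(StandardCharsets.UTF_8));
    }
}
```

Bound parameters carry values only; they cannot stand in for identifiers such as a column name used in an ORDER BY. When that part of a query must vary, map the user's choice onto a fixed allow-list of known column names instead of concatenating it, which is the same code-versus-data separation the text describes.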