SECURITY FOCUS

Injection

Every Feature is a Vulnerability

  • Every feature of an application is also attack surface: attackers leverage features to extract data or to gain control
  • Assume an exploit will be attempted against ANYTHING the application/server accepts as input, not only the obvious form fields:
    • Input fields
    • Request parameters (query string, path, form body)
    • Payloads (JSON, XML, uploaded files)
    • Headers (including cookies and proxy headers)
    • Command Line Arguments
    • Environment Variables

Types of Injection

  • Injection occurs when user-supplied data is NOT validated/filtered before it is handed to an interpreter. Any interpreter that parses text can be targeted:
    • SQL
    • LDAP
    • XPath
    • NoSQL
    • OS commands
    • XML parsers
    • SMTP headers
  • Both legacy systems and modern tools/ORMs are vulnerable: a framework does not protect you if you hand it a query string built from user input

Attack Example

Change a query parameter in the URL in order to alter the meaning of the SQL query built from it

//normal url
http://example.com/app/accountView?id=824
//injection attack
http://example.com/app/accountView?id=' or '1'='1

The parameter is concatenated into the query text without being validated or bound as a parameter

String query = "SELECT * FROM accounts WHERE custID='" + request.getParameter("id") + "'";

With the injected value the WHERE clause the database sees is custID='' or '1'='1', which is always true. The result of the attack is access to every row in the accounts table instead of the caller's own account. THAT'S BAD

How to Prevent

  • Know what your source code does with every input: trace each one to the interpreter it eventually reaches
  • Preferred option: use a safe API that keeps data separate from the command, i.e. parameterized queries / prepared statements (or an ORM that binds parameters), so user input is never parsed as part of the query
  • Escape special characters for the specific interpreter only where a parameterized API is not available; escaping is a fallback, and it does not protect parts of a query that cannot be parameters, such as table or column names
  • Positive validation: a safe list (allow list) of the inputs that are allowed, e.g. an account id must be digits only and nothing else
  • If using SQL, add LIMIT and other SQL controls to your queries to limit mass disclosure of records should an injection succeed
  • Use least privilege, which means do NOT make your application db accounts admins; an account that can only read the tables it needs turns a full compromise into a much smaller leak
  • Integrate SAST and DAST tools into the CI/CD pipeline to identify injection flaws before they reach production
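The attack from the Attack Example slide and the parameterized-query, safe-list and LIMIT defences listed above, run end to end. This is an added example and not code from the slides: it uses Python's built-in sqlite3 module instead of Java/JDBC so it runs without a database server, and the accounts table, its rows and the lookup function names are constructed for the demo. Least privilege and SAST/DAST are deployment and pipeline controls and are not shown here.

```python
"""Added example: SQL injection through string concatenation versus a
parameterized query, against an in-memory SQLite database.

Everything below (table, rows, function names) is constructed for the
demo and stands in for the accountView handler on the slide.
"""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: three accounts, of which a caller should
    only ever be able to read the one they asked for."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE accounts (custID TEXT PRIMARY KEY, owner TEXT, balance INTEGER);
        INSERT INTO accounts VALUES ('824', 'alice', 1200);
        INSERT INTO accounts VALUES ('825', 'bob', 30);
        INSERT INTO accounts VALUES ('826', 'carol', 98000);
        """
    )
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, account_id: str) -> list:
    """Mirrors the slide's Java: the request parameter is concatenated
    straight into the SQL text, so the database parses it as SQL."""
    query = "SELECT * FROM accounts WHERE custID='" + account_id + "'"
    return conn.execute(query).fetchall()


def safe_lookup(conn: sqlite3.Connection, account_id: str) -> list:
    """Parameterized form: the value is bound separately from the SQL
    text, so quotes inside it can never change the query's structure.
    LIMIT 1 caps disclosure even if some other part of the query is
    ever abused."""
    query = "SELECT * FROM accounts WHERE custID = ? LIMIT 1"
    return conn.execute(query, (account_id,)).fetchall()


# Safe list for this input: an account id is one to ten digits, nothing else.
ACCOUNT_ID = re.compile(r"[0-9]{1,10}")


def is_valid_account_id(value: str) -> bool:
    """Positive validation: accept only what an id is allowed to look like."""
    return ACCOUNT_ID.fullmatch(value) is not None


def allowlisted_lookup(conn: sqlite3.Connection, account_id: str) -> list:
    """Defence in depth: reject anything that is not a plain numeric id
    before it gets near the database, then still bind it as a parameter."""
    if not is_valid_account_id(account_id):
        raise ValueError("account id must be numeric")
    return safe_lookup(conn, account_id)


if __name__ == "__main__":
    conn = make_db()
    payload = "' or '1'='1"  # the ?id= value from the slide
    print("vulnerable, id=824      ->", vulnerable_lookup(conn, "824"))
    print("vulnerable, injected    ->", vulnerable_lookup(conn, payload))
    print("parameterized, injected ->", safe_lookup(conn, payload))
    try:
        allowlisted_lookup(conn, payload)
    except ValueError as exc:
        print("safe list rejected      ->", exc)
```

Running it shows the concatenated query returning all three accounts for the injected value, while the parameterized query treats the same string as a literal id that matches nothing, and the safe-list check refuses it before any query is built.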

DON'T DO THIS

This assumes that stockCode came from a user and has NOT been filtered or validated. HQL is just as injectable as raw SQL when the value is concatenated into the query text

// VULNERABLE (kept as on the slide): the user's value becomes part of the HQL
String hql = "from Stock s where s.stockCode = '" + stockCode + "'";
List<Stock> result = session.createQuery(hql, Stock.class).list();

Prevention with Spring Data / Hibernate

Use named or ordinal parameters. Hibernate does not "sanitize" the value; it binds it separately from the query text (as a JDBC prepared-statement parameter), so whatever the user typed is treated as data and can never change the structure of the query

// named parameter
String hql = "from Stock s where s.stockCode = :stockCode";
List<Stock> result = session.createQuery(hql, Stock.class)
    .setParameter("stockCode", "7277")
    .list();

// ordinal (JPA-style) parameters ?1, ?2 ...; the unnumbered '?' form and
// setString(int, String) used on the original slide are not supported by
// current Hibernate versions
String hql2 = "from Stock s where s.stockCode = ?1 and s.stockName = ?2";
List<Stock> result2 = session.createQuery(hql2, Stock.class)
    .setParameter(1, "7277")
    .setParameter(2, "DIALOG")
    .list();

Spring Data JPA Repository

@Query takes the same ordinal (?1) or named (:name) parameters, and the method arguments are bound to them; the JPQL string itself is a constant and is never built from user input

import java.util.List;
import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.data.jpa.repository.Query;
import org.springframework.data.repository.query.Param;

public interface UserRepository extends JpaRepository<User, Long> {

    // ordinal parameter: ?1 is bound to the first method argument
    @Query("select u.username from User u where u.category = ?1")
    List<String> findUsernames(String category);

    // NOTE: you generally don't need @Query; a derived query method such as
    // findByCategory(String category) generates parameterized JPQL for you.
    // Use @Query when you want a projection (less data back) or custom JPQL.
    @Query("select u from User u where u.firstname = :firstname or u.lastname = :lastname")
    User findByLastnameOrFirstname(@Param("lastname") String lastname,
                                   @Param("firstname") String firstname);
}
