NEOHAPSIS - Peace of Mind Through Integrity and Insight

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > WWW-Mobile-Code> 2006-q2

Java SQL/LDAP Injections

From: Andres Molinetti (andymolinettihotmail.com)
Date: Mon Apr 24 2006 - 14:14:12 CDT

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Dear list,

I am working on some Java code reviews and was looking for injection vectors
that may apply on it.

Take for example the following code:

---------------------
public User getUsers(String userID) {
...
NamedQuery query = new NamedQuery(User.class, "user.view.by.id");
Map parameters = new HashMap();
parameters.put("userid", userID);
query.setParameters(parameters);
List list = Repository.select(query);
...
}
----------------------

That piece of code interacts with Hibernate to get a list of user objects
with that ID from a relational DB. Here is the extract of the HBM mapping
file:

--------------------
<property name="userID" type="string" length="15" column="USER_ID"/>
....
<query name="user.view.by.id"><![CDATA[
from com.test.user as userX
where userID = :userid
]]>
</query>
--------------------

I am wondering if this represents vulnerable code, exploited by, for
example, calling getUsers("' or '1'='1") or something of the sort.

Second, suppose the application interacts with an LDAP server, using the
following code:

------------------------------------
public boolean checkUser(String userID) {

            boolean result = false;
            Attributes srchAttrs = new BasicAttributes(true);
            String [] resAttrsID = {"uid"};

searchAttrs.put("uid", userID);
Enumeration srchResults = null;

            srchResults = ctx.search(LDAP.getBranch(), srchAttrs,
resAttrsID);
            if((srchResults != null) && (srchResults.hasMoreElements() ==
true))
                result = true;

result = false;

}
------------------------------------

Is this function vulnerable to LDAP Injection?

Looking foward to reading your opinions....

Andy.

_________________________________________________________________
Descarga gratis la Barra de Herramientas de MSN
http://www.msn.es/usuario/busqueda/barra?XAPID=2031&DI=1055&SU=http%3A//www.hotmail.com&HL=LINKTAG1OPENINGTEXT_MSNBH

-------------------------------------------------------------------------
Sponsored by: Watchfire

Watchfire's AppScan is the industry's first and leading web application
security testing suite, and the only solution to provide comprehensive
remediation tasks at every level of the application. Change the way you
think about application security testing - See for yourself.
Download a Free Trial of AppScan 6.0 today!

https://www.watchfire.com/securearea/appscansix.aspx?id=701300000007kaF
--------------------------------------------------------------------------

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]