Skip to main content

SQL injection - Java Persistence API

Description

Dynamic SQL statements are generated without the required data validation and without using parameterized statements or stored procedures. When using LIKE-conditions with values that are coming from a not secure source in the Java Persistence API, the values should be sanitized so they can't contain any wildcards and thereby allow attackers to select more data than they should be able to. For this purpose the escape(String) method is available.

Impact

Extract sensitive information from the Database.

Recommendation

Perform queries to the database through sentences or parameterized procedures. Alternatively use escape(String) built-in function.

Threat

Authenticated attacker from the Internet.

Expected Remediation Time

⌚ minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the src.

Base

  • Attack vector: N
  • Attack complexity: L
  • Privileges required: L
  • User interaction: N
  • Scope: U
  • Confidentiality: H
  • Integrity: N
  • Availability: N

Temporal

  • Exploit code madurity: P
  • Remediation level: X
  • Report confidence: R

Result

  • Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:X/RC:R
  • Score:
    • Base: 6.5
    • Temporal: 5.9
  • Severity:
    • Base: Medium
    • Temporal: Medium

Compliant code

The query statements are performed in a parameterized way, validating input data with at least a escape() call

import org.skife.jdbi.v2.sqlobject.SqlQuery;
import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.data.jpa.repository.Query;

import java.util.List;
public interface ParametersJpaRepository extends JpaRepository<Parameter, String> {
  /* Secure */
  @Query("select u from User u where u.firstname like %?#{escape([0])}% escape ?#{escapeCharacter()}")
  List<User> findContainingEscaped(String namePart);
}

Non compliant code

The application performsa query statement without validating input data

import org.skife.jdbi.v2.sqlobject.SqlQuery;
import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.data.jpa.repository.Query;
import java.util.List;

public interface ParametersJpaRepository extends JpaRepository<Parameter, String> {
  // Unsafe LIKE statement injection
  @SqlQuery("select u from User u where u.lastname like %:#{[0]}%")
  List<User> findByLastnameWithSpelExpression(@Param("lastname") String lastname);
}

Requirements

Fixes

free trial

Search for vulnerabilities in your apps for free with our automated security testing! Start your 21-day free trial and discover the benefits of our Continuous Hacking Machine Plan. If you prefer a full service that includes the expertise of our ethical hackers, don't hesitate to contact us for our Continuous Hacking Squad Plan.

Last updated on