Reputation: 1980
Find potential SQL inject problems in Java/JSP code
I'm working for a customer with a huge legacy codebase consisting of various Java en JSP based applications.
Most querying is done using the home-build 'orm' system. Some applications use Plain Old JDBC. Some applications are based on Hibernate (yes HQL build with plus signs is a potential problem as well). Some of the older applications are entirely writen in JSP.
I've found a couple of SQL inject bugs manually. But I could really use some sort of tool to search for potential weak spots.
Any ideas?
Upvotes: 2
Views: 1622
Answers (7)
Reputation: 37806
I recommend CAL9000. You can get details from the following link:
Upvotes: 0
Reputation: 2576
How large is your URL space? If possible, it's best to attempt SQL injection via HTTP GET and POST requests. There are some issues that can be found by source/byte code examination, but the only way to know for certain what kinds of potentially malicious input your application will accept is to use HTTP requests.
CAL9000 is a good SQL Injection / Cross-site Scripting testing tool if your set of URLs is small.
Companies that are serious about detecting mishandled malicious input will hire a 3rd party to do penetration testing. White Hat Security is a vendor I have worked with in the past and can recommend. We used them for a $100MM+ e-commerce web site. (I have no affiliation with White Hat and do not benefit in any way if you become their customer.)
All testing/hardening of your code aside, it is a very good idea to have an HTTP firewall in place like mod_security.
Upvotes: 2
Reputation: 25613
I would recommend FindBugs (there is also an eclipse plugin) which can track down these issues and many more.
We are using it at work, it's fast and it's worth the money (as in free). We've solved some common problems with its help.
Upvotes: 3
Reputation: 17820
You can go for prevention rather than cure. add a sanitization layer just below ur UI, so you wont end up with sql/scripts in user inputs. There must be examples in java, I have seen such an approach in CakePHP
Upvotes: 0
Reputation: 8290
I'd write some searches or load up an IDE that looked for use of java.sql.Statement as opposed to PreparedStatement.
Upvotes: 3
Reputation: 26632
When I was working on localization of "this-will-never-need-localization" application, we use a home-made tool to analyzing compiled code ( IL in .NET, it is same as byte-code in Java ).
You can find calling the specified methods which works with DB ( typicaly CRUD operations ) wicht has a string parameter with SQL command, and track the string instance up and check for concating.
We used the .NET Reflector for decompiling and tracking strings. But I don't know, if is available similar tool for Java :(.
Upvotes: 0
Related Questions
- Lib to protect SQL/javascript injection for java/jsp
- Trying to implement an SQL vulnerability in a java web application. Java + MySQL
- JAVA - Possible SQL Injection
- Java SQL injection code scanner?
- how to prevent SQL Injection in JSP?
- Native sql query- SQL Injection Attack
- How can I prevent SQL-injection in Java / JSP on the client side?
- SQL Injection and possible attacks
- Securing Tomcat Webapps
- Avoiding SQL Injection