Penetration Testing
mailing list archives
Re: is JSP&servelet web app SQL Injection Free?
From: Phillip Ames <pentest () una-cerveza com>
Date: Tue, 06 Jan 2009 02:22:32 -0500
JarodZZ,
JSP & Servlet web applications are most definitely vulnerable to SQL
injection attacks. Just as with PHP/ASP, the developer may opt to
construct SQL queries based on user input. However, Java (like
PHP5/ASP.NET) also allows for the use of what are called prepared
statements, where the developer would write something like:
String sql = "SELECT * FROM table WHERE field = ?";
The '?' is a placeholder character that is then 'bound' to user input.
By using the placeholder, when the query is executed, the database is
able to differentiate between user input and the query that the
developer wrote.
In short, no: Java is not any more or less invulnerable to SQL injection
attacks; it is simply a matter of whether the developer is using the
features of the language to protect against that type of attack.
You may find some more useful information here to understand how the
attack/defense works in Java:
http://www.owasp.org/index.php/Preventing_SQL_Injection_in_Java
HTH,
-Phil
salamond wrote:
> Hi, all.
>
> I'm new to pen-testing.
>
> Just finished my tour with a couple of tools:
> webscarab
> sqlmap
> ratproxy
>
> But it shows OK for every page that I've been through.
>
> I went through a couple of SQL Injection tutorials, and most of them
> are focusing on php or asp pages.
>
> So here's my question, it may sound stupid, but
> is there no SQL Injection problems in JSP&Java servlet web app?
>
> thanks
>
> JarodZZ
>
>