Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

webappsec logo WebApp Sec mailing list archives

Java SQL/LDAP Injections
From: "Andres Molinetti" <andymolinetti () hotmail com>
Date: Mon, 24 Apr 2006 19:14:12 +0000
Dear list,
I am working on some Java code reviews and was looking for injection vectors that may apply on it. 

Take for example the following code:

---------------------
public User getUsers(String userID) {
...
NamedQuery query = new NamedQuery(User.class, "user.view.by.id");
Map parameters = new HashMap();
parameters.put("userid", userID);
query.setParameters(parameters);
List list = Repository.select(query);
...
}
----------------------
That piece of code interacts with Hibernate to get a list of user objects with that ID from a relational DB. Here is the extract of the HBM mapping file: 

--------------------
<property name="userID" type="string" length="15" column="USER_ID"/>
....
<query name="user.view.by.id"><![CDATA[
from com.test.user as userX
where userID = :userid
]]>
</query>
--------------------
I am wondering if this represents vulnerable code, exploited by, for example, calling getUsers("' or '1'='1") or something of the sort.
Second, suppose the application interacts with an LDAP server, using the following code: 

------------------------------------
public boolean checkUser(String userID) {

           boolean result = false;
           Attributes srchAttrs = new BasicAttributes(true);
           String [] resAttrsID = {"uid"};

           searchAttrs.put("uid", userID);
           Enumeration srchResults = null;
srchResults = ctx.search(LDAP.getBranch(), srchAttrs, resAttrsID); if((srchResults != null) && (srchResults.hasMoreElements() == true)) 
               result = true;

           result = false;

}
------------------------------------

Is this function vulnerable to LDAP Injection?

Looking foward to reading your opinions....

Andy.

_________________________________________________________________
Descarga gratis la Barra de Herramientas de MSN http://www.msn.es/usuario/busqueda/barra?XAPID=2031&DI=1055&SU=http%3A//www.hotmail.com&HL=LINKTAG1OPENINGTEXT_MSNBH 


-------------------------------------------------------------------------
Sponsored by: Watchfire
Watchfire's AppScan is the industry's first and leading web application security testing suite, and the only solution to provide comprehensive remediation tasks at every level of the application. Change the way you think about application security testing - See for yourself. Download a Free Trial of AppScan 6.0 today! 

https://www.watchfire.com/securearea/appscansix.aspx?id=701300000007kaF
--------------------------------------------------------------------------

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]