CWE-564: SQL Injection: Hibernate
Structure: Simple
Abstraction: Variant
Status: Incomplete
Likelihood of Exploit: unknown
Description
Using Hibernate to execute a dynamic SQL statement built with user-controlled input can allow an attacker to modify the statement's meaning or to execute arbitrary SQL commands.
Relationships
- ChildOf CWE-89 (View 1000, Primary)
- ChildOf CWE-89 (View 699, Primary)
- ChildOf CWE-89 (View 928, Primary)
Common Consequences
Scope | Impact | Notes |
---|---|---|
Confidentiality, Integrity | Read Application Data, Modify Application Data | |
Potential Mitigations
Phase: Requirements
A non-SQL style database which is not subject to this flaw may be chosen.
Phase: Architecture and Design
Follow the principle of least privilege when creating user accounts to a SQL database. Users should only have the minimum privileges necessary to use their account. If the requirements of the system indicate that a user can read and modify their own data, then limit their privileges so they cannot read/write others' data.
Phase: Architecture and Design (MIT-15)
For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
Phase: Implementation
Implement SQL strings using prepared statements that bind variables. Prepared statements that do not bind variables can be vulnerable to attack.
Phase: Implementation
Use vigorous whitelist style checking on any user input that may be used in a SQL command. Rather than escape meta-characters, it is safest to disallow them entirely. Reason: Later use of data that have been entered in the database may neglect to escape meta-characters before use. Narrowly define the set of safe characters based on the expected value of the parameter in the request.
Demonstrative Examples
Example
The following code excerpt uses Hibernate's HQL syntax to build a dynamic query that's vulnerable to SQL injection.
(Bad code) Java:
```java
// Vulnerable: the user-controlled 'street' value is concatenated directly into the HQL string.
Query query = session.createQuery("from Address a where a.street='" + street + "'");
```
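The following is an added example, not code from the CWE entry or from scap中文网, placing the concatenated HQL above beside the bound-parameter form the Implementation mitigation calls for, plus the allow-list check from the second Implementation mitigation. It assumes Hibernate 5.x (javax.persistence annotations, `org.hibernate.query.Query`) and a hypothetical `Address` entity with a `street` column; the `AddressRepository` class and its method names are invented for illustration.

```java
import java.util.List;
import javax.persistence.Entity;
import javax.persistence.Id;
import org.hibernate.Session;
import org.hibernate.query.Query;

// Hypothetical entity matching the HQL in the CWE example (assumed, not from the page).
@Entity
class Address {
    @Id
    private Long id;
    private String street;

    public String getStreet() { return street; }
}

public class AddressRepository {

    // Vulnerable form from the page: the street value is spliced into the HQL text,
    // so a single quote in the input ends the literal and the remainder is parsed as HQL.
    public static List<Address> findByStreetUnsafe(Session session, String street) {
        String hql = "from Address a where a.street='" + street + "'";
        return session.createQuery(hql, Address.class).getResultList();
    }

    // Fixed form: the HQL text is a constant and the value is bound as a named parameter.
    // Hibernate passes it to the JDBC driver separately from the statement text, so an
    // input such as "O'Connor Street" is compared as data and cannot change the query.
    public static List<Address> findByStreet(Session session, String street) {
        Query<Address> query = session.createQuery(
                "from Address a where a.street = :street", Address.class);
        query.setParameter("street", street);
        return query.getResultList();
    }

    // Defence in depth, following the page's allow-list mitigation: accept only the
    // characters a street name needs (letters, digits, space, period, hyphen) and reject
    // SQL meta-characters such as quotes outright instead of trying to escape them.
    public static boolean isAllowedStreet(String street) {
        return street != null
                && !street.isEmpty()
                && street.length() <= 100
                && street.matches("[\\p{L}\\p{N} .\\-]+");
    }
}
```

Note that the two mitigations differ on legitimate apostrophes: parameter binding handles them safely, while the strict allow-list rejects them, which is the trade-off the page's "disallow them entirely" guidance accepts.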
Taxonomy Mappings
Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name |
---|---|---|---|
Software Fault Patterns | SFP24 | | Tainted input to command |
Related Attack Patterns
- CAPEC-109
Article sourced from the Internet: scap中文网