Although injection vulnerabilities are old, they remain among the top ten security flaws in web applications.
Nowadays the volume of information generated in the world is enormous. We are constantly connected through mobile devices generating new information.
Behind the scenes, there are servers responsible for processing all this information. For example, handling the requests and their responses, storing, and securing the data.
The nature of the Internet exposes data to attacks from different locations and at various levels of scale and complexity. Web application security deals with websites, web applications, and web services.
Most Common Vulnerabilities of Web Apps
Here’s a list of the most common vulnerabilities in web applications:
- Injection Vulnerabilities
- Cross-site scripting (XSS)
- Denial of service (DoS) and Distributed Denial of Service (DDoS) attacks
- Broken user authentication
- Broken object-level authorization
- Excessive data exposure
- Security Misconfiguration
- Mass assignment
In this post, let’s focus on one of the most common: injection vulnerabilities.
What Are Injection Vulnerabilities?
According to the OWASP Foundation, “these vulnerabilities occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s malicious data can trick the interpreter into executing unintended commands or accessing data without proper authorization.”
These problems usually happen in:
- SQL statements
- NoSQL statements
- Operating system commands (command injection)
The main consequences are:
- Integrity. Once attackers can reach the data store, they can alter the data it contains.
- Confidentiality. Imagine that you are storing sensitive information such as bank account details. If attackers gain access to it, they can learn everything about a particular customer, or even worse, about all the customers!
- Authorization. If authorization-related information is stored there and you suffer an attack, that information can be stolen as well.
Java is one of the most popular languages used to build web applications in larger companies. In the recent “Stack Overflow Developer Survey 2020”, with nearly 65,000 participants, 44.1% of the respondents said that they “love to use Java” as a programming language. Here’s an example using Java.
Simple Example of SQL Injection Using Java
Here is a simple SQL example using Java to understand this vulnerability.
Consider the following SQL statement, built by concatenating the user-supplied name into the query text:
String customerName = request.getParameter("name");
String query = "SELECT * FROM customers WHERE name = '" + customerName + "'";
If the customer name takes the following value (note the trailing single quote):
String customerName = request.getParameter("name"); // Juan'
String query = "SELECT * FROM customers WHERE name = '" + customerName + "'";
The query becomes:
SELECT * FROM customers WHERE name = 'Juan'';
When the database attempts to run it, you receive:
Incorrect syntax near ' at line 4
Improving the Example of SQL Injection Using Java
The following is the same query, improved with a prepared statement:
String customerName = request.getParameter("name");
// The placeholder (?) marks where the value goes; the value itself is never part of the SQL text.
String query = "SELECT * FROM customers WHERE name = ?";
PreparedStatement pstmt = connection.prepareStatement(query);
pstmt.setString(1, customerName); // bound as data, so a quote in the name cannot change the query
ResultSet rs = pstmt.executeQuery();
Using a prepared statement lets us parameterize queries and gives us better performance; furthermore, the queries are protected, because the bound value is treated as data and never parsed as part of the SQL statement.
Remember to use stored procedures in order to reduce writing new queries and favor the reusability of code.
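To show the two patterns from this post actually running against a database, here is an added example (not code from the original post) written in Python with the built-in sqlite3 module rather than Java and JDBC, so it runs offline with no database server; the customers table and its rows are constructed for the demo. The same input from the post, Juan', makes the concatenated query fail to parse while the parameterized query simply looks up that literal name.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the post's customers table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT)")
    # One row deliberately contains a single quote, mirroring the input Juan' from the post.
    conn.executemany("INSERT INTO customers (name) VALUES (?)",
                     [("Juan",), ("Maria",), ("Juan'",)])
    return conn


def lookup_concatenated(conn, customer_name):
    """Vulnerable pattern: the input becomes part of the SQL text.

    Returns the matching names, or None when the database rejects the statement
    (with Juan' the text ends in ...'Juan'' and the parser reports an unterminated token).
    """
    query = "SELECT name FROM customers WHERE name = '" + customer_name + "'"
    try:
        return [row[0] for row in conn.execute(query)]
    except sqlite3.OperationalError:
        return None


def lookup_parameterized(conn, customer_name):
    """Hardened pattern: a placeholder in the SQL, the value bound separately."""
    query = "SELECT name FROM customers WHERE name = ?"
    return [row[0] for row in conn.execute(query, (customer_name,))]


if __name__ == "__main__":
    db = make_db()
    for name in ("Juan", "Juan'"):
        print(f"input {name!r}: concatenated -> {lookup_concatenated(db, name)}, "
              f"parameterized -> {lookup_parameterized(db, name)}")
```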
Although it seems that you’re just adding extra code, it’s more than a few extra lines. You’re making sure that the application is well built, and that all the data involved is locked down and secured.
To stay updated I can recommend visiting the OWASP Foundation. OWASP is a nonprofit foundation that works to improve the security of software. Every year they publish a report that contains a list of the most common security flaws in web applications.
I have talked about one particular vulnerability but there are a lot more.
You have the power to make secure applications. Apply these good practices to improve your software and don’t become part of the security statistics.
At Nearsoft we’re focusing on building high-quality products with awesome people. Feel free to contact me at [email protected] if you have any questions.