Top 10 2007-Injection Flaws - Revision history

Hugh Pearse: Removing HTML Injection as a form of injection - it is a misnomer (injection attackss access the layers underneath the application)

2013-02-14T18:33:00Z

Removing HTML Injection as a form of injection - it is a misnomer (injection attackss access the layers underneath the application)

Shady at 14:05, 28 April 2012

2012-04-28T14:05:26Z

Wichers at 02:42, 19 April 2010

2010-04-19T02:42:09Z

MediaWiki spam cleanup: Reverting to last version not containing links to www.textzelouel.com

2009-05-27T18:30:38Z

Reverting to last version not containing links to www.textzelouel.com

Deleted user at 19:07, 22 May 2009

2009-05-22T19:07:05Z

Wichers at 21:07, 30 April 2009

2009-04-30T21:07:20Z

Wichers: /* Protection */

2009-04-30T13:07:20Z

‎Protection

Wichers at 13:04, 30 April 2009

2009-04-30T13:04:57Z

KirstenS: /* References */

2009-03-20T08:48:58Z

‎References

KirstenS: /* Related Sites */

2008-12-14T22:43:43Z

‎Related Sites

@@ Line 1: / Line 1: @@
 {{Top_10_2007:TopTemplate|usenext=NextLink|next=-Malicious File Execution|useprev=PrevLink|prev=-Cross Site Scripting|usemain=MainLink|main=}}
-Injection flaws, particularly SQL injection, are unfortunately very common in web applications. There are many types of injections: [http://cwe.mitre.org/data/definitions/89.html SQL], [http://cwe.mitre.org/data/definitions/564.html Hibernate Query Language (HQL)], [http://cwe.mitre.org/data/definitions/90.html LDAP], [http://cwe.mitre.org/data/definitions/91.html XPath], [http://cwe.mitre.org/data/definitions/652.html XQuery], [http://cwe.mitre.org/data/definitions/91.html XSLT], [http://cwe.mitre.org/data/definitions/79.html HTML], [http://cwe.mitre.org/data/definitions/91.html XML], [http://cwe.mitre.org/data/definitions/78.html OS command injection] and many more.
+Injection flaws, particularly SQL injection, are unfortunately very common in web applications. There are many types of injections: [http://cwe.mitre.org/data/definitions/89.html SQL], [http://cwe.mitre.org/data/definitions/564.html Hibernate Query Language (HQL)], [http://cwe.mitre.org/data/definitions/90.html LDAP], [http://cwe.mitre.org/data/definitions/91.html XPath], [http://cwe.mitre.org/data/definitions/652.html XQuery], [http://cwe.mitre.org/data/definitions/91.html XSLT], [http://cwe.mitre.org/data/definitions/91.html XML], [http://cwe.mitre.org/data/definitions/78.html OS command injection] and many more.
 Injection occurs when user-supplied data is sent to an interpreter as part of a command or query. Attackers trick the interpreter into executing unintended commands via supplying specially crafted data. Injection flaws allow attackers to create, read, update, or delete any arbitrary data available to the application. In the worst case scenario, these flaws allow an attacker to completely compromise the application and the underlying systems, even bypassing deeply nested firewalled environments.

@@ Line 73: / Line 73: @@
 *J2EE Prepared Statements, [http://java.sun.com/docs/books/tutorial/jdbc/basics/prepared.html http://java.sun.com/docs/books/tutorial/jdbc/basics/prepared.html]
 *How to: Protect from SQL injection in ASP.Net, [http://msdn2.microsoft.com/en-us/library/ms998271.aspx http://msdn2.microsoft.com/en-us/library/ms998271.aspx]
 *PHP PDO functions, [http://php.net/pdo http://php.net/pdo]
 {{Top_10_2007:BottomTemplate|usenext=NextLink|next=-Malicious File Execution|useprev=PrevLink|prev=-Cross Site Scripting|usemain=MainLink|main=}}
 [[Category:OWASP Top Ten Project]]

@@ Line 80: / Line 80: @@
 *SQL Injection, [http://www.spidynamics.com/papers/SQLInjectionWhitePaper.pdf http://www.spidynamics.com/papers/SQLInjectionWhitePaper.pdf]
 ]]
-{{Top_10_2007:BottomTemplate|usenext=NextLink|next=-Malicious File Execution|useprev=PrevLink|prev=-Cross Site Scripting|usemain=MainLink|main=}}
+[[Category:OWASP Top Ten Project]]

← Older revision		Revision as of 18:30, 27 May 2009
Line 1:		Line 1:
−	~~http://www.textzelouel.com~~
	{{Top_10_2007:TopTemplate\|usenext=NextLink\|next=-Malicious File Execution\|useprev=PrevLink\|prev=-Cross Site Scripting\|usemain=MainLink\|main=}}		{{Top_10_2007:TopTemplate\|usenext=NextLink\|next=-Malicious File Execution\|useprev=PrevLink\|prev=-Cross Site Scripting\|usemain=MainLink\|main=}}

← Older revision		Revision as of 19:07, 22 May 2009
Line 1:		Line 1:
		+	http://www.textzelouel.com
	{{Top_10_2007:TopTemplate\|usenext=NextLink\|next=-Malicious File Execution\|useprev=PrevLink\|prev=-Cross Site Scripting\|usemain=MainLink\|main=}}		{{Top_10_2007:TopTemplate\|usenext=NextLink\|next=-Malicious File Execution\|useprev=PrevLink\|prev=-Cross Site Scripting\|usemain=MainLink\|main=}}

@@ Line 31: / Line 31: @@
 == Protection ==
-Avoid the use of interpreters when possible. If you must invoke an interpreter, the key method to avoid injections is the use of safe APIs, such as strongly typed parameterized queries and object relational mapping (ORM) libraries. These interfaces handle all data escaping, or do not require escaping. Note that while safe interfaces solve the problem, validation is still recommended in order to detect attacks.
+Avoid the use of interpreters when possible. If you must invoke an interpreter, the key method to avoid injections is the use of safe APIs, such as strongly typed parameterized queries and object relational mapping (ORM) libraries that are immune to injection (be careful here - Hibernate, for example is NOT immune to injection by itself. You have to use named parameters to be safe in Hibernate). These interfaces handle all data escaping, or do not require escaping. Note that while safe interfaces solve the problem, validation is still recommended in order to detect attacks.
 Using interpreters is dangerous, so it's worth it to take extra care, such as the following:
@@ Line 41: / Line 41: @@
 *'''Show care when using stored procedures''' since they are generally safe from SQL Injection. However, be careful as they can be injectable (such as via the use of exec() or concatenating arguments within the stored procedure)
 *'''Do not use dynamic query interfaces''' (such as mysql_query() or similar)
-*'''Do not use simple escaping functions''', such as PHP's addslashes() or character replacement functions like str_replace("'", "''"). These are weak and have been successfully exploited by attackers. . For PHP, use mysql_real_escape_string() if using MySQL, or preferably use PDO which does not require escaping
+*'''Do not use simple escaping functions''', such as PHP's addslashes() or character replacement functions like str_replace("'", "''"). These are weak and have been successfully exploited by attackers. For PHP, use mysql_real_escape_string() if using MySQL, or preferably use PDO which does not require escaping
 *When using simple escape mechanisms, note that''' simple escaping functions cannot escape table names'''! Table names must be legal SQL, and thus are completely unsuitable for user supplied input
 *'''Watch out for canonicalization errors.''' Inputs must be decoded and canonicalized to the application's current internal representation before being validated. Make sure that your application does not decode the same input twice. Such errors could be used to bypass whitelist schemes by introducing dangerous inputs after they have been checked

@@ Line 1: / Line 1: @@
 {{Top_10_2007:TopTemplate|usenext=NextLink|next=-Malicious File Execution|useprev=PrevLink|prev=-Cross Site Scripting|usemain=MainLink|main=}}
-Injection flaws, particularly SQL injection, are common in web applications. There are many types of injections: SQL, LDAP, XPath, XSLT, HTML, XML, OS command injection and many more.
+Injection flaws, particularly SQL injection, are unfortunately very common in web applications. There are many types of injections: SQL, Hibernate Query Language (HQL), LDAP, XPath, XSLT, HTML, XML, OS command injection and many more.
 Injection occurs when user-supplied data is sent to an interpreter as part of a command or query. Attackers trick the interpreter into executing unintended commands via supplying specially crafted data. Injection flaws allow attackers to create, read, update, or delete any arbitrary data available to the application. In the worst case scenario, these flaws allow an attacker to completely compromise the application and the underlying systems, even bypassing deeply nested firewalled environments.
@@ Line 46: / Line 46: @@
 Language specific recommendations:
-*Java EE - use strongly typed PreparedStatement, or ORMs such as Hibernate or Spring
+*Java EE - use strongly typed PreparedStatement, or ORMs such as Spring or named parameters within Hibernate.
-*.NET - use strongly typed parameterized queries, such as SqlCommand with SqlParameter or an ORM like Hibernate.
+*.NET - use strongly typed parameterized queries, such as SqlCommand with SqlParameter, or named parameters within Hibernate.
-*PHP - use PDO with strongly typed parameterized queries (using bindParam())
+*PHP - use PDO with strongly typed parameterized queries (using bindParam()).
 == Samples  ==
@@ Line 59: / Line 59: @@
 *[[SQL Injection]]
 *[[Reviewing Code for SQL Injection]]
 *[[Testing for SQL Injection (OWASP-DV-005)|Testing for SQL Injection]]
 == References ==
 *CWE: CWE-89 (SQL Injection), CWE-77 (Command Injection), CWE-90 (LDAP Injection), CWE-91 (XML Injection), CWE-93 (CRLF Injection), others.
-*WASC Threat Classification:
+*WASC Threat Classification: [http://www.webappsec.org/projects/threat/classes/sql_injection.shtml (1) SQL Injection]  [http://www.webappsec.org/projects/threat/classes/ldap_injection.shtml (2) LDAP Injection] [http://www.webappsec.org/projects/threat/classes/os_commanding.shtml (3) OS Commanding]
-[http://www.webappsec.org/projects/threat/classes/ldap_injection.shtml http://www.webappsec.org/projects/threat/classes/ldap_injection.shtml]
+*Advanced SQL Injection, [http://www.ngssoftware.com/papers/advanced_sql_injection.pdf http://www.ngssoftware.com/papers/advanced_sql_injection.pdf]
-[http://www.webappsec.org/projects/threat/classes/sql_injection.shtml http://www.webappsec.org/projects/threat/classes/sql_injection.shtml]
+*More Advanced SQL Injection, [http://www.nextgenss.com/papers/more_advanced_sql_injection.pdf http://www.nextgenss.com/papers/more_advanced_sql_injection.pdf]
 *Hibernate, an advanced object relational manager (ORM) for J2EE and .NET, [http://www.hibernate.org/ http://www.hibernate.org/]
 *J2EE Prepared Statements, [http://java.sun.com/docs/books/tutorial/jdbc/basics/prepared.html http://java.sun.com/docs/books/tutorial/jdbc/basics/prepared.html]
-*How to: Protect from SQL injection in ASP.Net,
+*How to: Protect from SQL injection in ASP.Net, [http://msdn2.microsoft.com/en-us/library/ms998271.aspx http://msdn2.microsoft.com/en-us/library/ms998271.aspx]
 *PHP PDO functions, [http://php.net/pdo http://php.net/pdo]