This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Talk:Query Parameterization Cheat Sheet
I use OWASP Lapse+ and CodePro Analitycs for code audit my Java System.
In the audit signalize
1) SQL Injection
2) Cross Site Scripting
3) Avoid Building Queries From User Input
4) HTTP Response Splitting
5) Path Manipulation
6) Request Parameters In Session
== (1) SQL Injection - (3) Avoid Building Queries From User Input ==
For this bugs I have remove Statement class and put PreparedStatement Class as you indicated, but OWASP Lapse+ continue signalize bug security SQL Injection whereas Code Pro Analytics not signalize bug.
Indeed when I did the pen test went wrong.
I did pen test with SQLMAP and Burp Suite.
With Burp Suite I have take the request and I have execute SQLMAP on windows as:
python ./sqlmap.py -r test.txt -p parameter3 --dbms=oracle --users x y z t
the request
POST /SoftwareComposer/SoftwareComposerSearchServlet HTTP/1.1 Host: myapp.mydomain.com:9080 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Referer: http://myapp.mydomain.com:9080/SoftwareComposer/SoftwareComposerSearchServlet Cookie: JSESSIONID=0000lIqbat_ue4tPrUpzPv_pp7m:-1 Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 410
command=search¶meter1=¶meter2=¶meter3=¶meter4=¶meter5=¶meter6=¶meter7=
The test signalize the security bug.
I used to solve the problem with a filter
http://antisqlfilter.sourceforge.net/howto.html
I configured AntiSQLFilter in my WebApp and I have repeat the penetration test overcoming.
