demo-mend-kyal / Java-Demo

Apache License 2.0

Mend SAST Finding (Severity: High, Type: SQL Injection) #20

Closed kyallanum-MND closed 1 year ago

kyallanum-MND commented 1 year ago

Mend SAST Finding (Scan-Java-Demo-2023/05/03 05:10:59 PM):

Vulnerability Type: SQL Injection
Vulnerable Project File: src/main/java/org/t246osslab/easybuggy/vulnerabilities/SQLInjectionServlet.java:69
Vulnerable Sink Call: rs = stmt.executeQuery("SELECT name, secret FROM users WHERE ispublic = 'true' AND name='" + name + "' AND password='" + password + "'");
Data Flows: 3

Description: A sensitive sink function was discovered in line 69 of the file src/main/java/org/t246osslab/easybuggy/vulnerabilities/SQLInjectionServlet.java. It causes a High severity SQL Injection vulnerability.

The executeQuery method of the Statement object could be abused to perform a SQL Injection attack:

rs = stmt.executeQuery("SELECT name, secret FROM users WHERE ispublic = 'true' AND name='" + name

Sample Data Flow: Tainted input "getParameter" was received in line 28 of the file src/main/java/org/t246osslab/easybuggy/vulnerabilities/SQLInjectionServlet.java:

String password = StringUtils.trim(req.getParameter("password"));

the value is then passed on to the value of "password" in line 28 of the file src/main/java/org/t246osslab/easybuggy/vulnerabilities/SQLInjectionServlet.java

String password = StringUtils.trim(req.getParameter("password"));

which is further passed on to the value of "name" in line 39 of the file src/main/java/org/t246osslab/easybuggy/vulnerabilities/SQLInjectionServlet.java

bodyHtml.append("<input type=\"password\" name=\"password\" size=\"20\" maxlength=\"20\" autocomplete=\"off\">");

which is further passed on to the value of "name" in line 45 of the file src/main/java/org/t246osslab/easybuggy/vulnerabilities/SQLInjectionServlet.java

bodyHtml.append(selectUsers(name, password, req));

which is further passed on to the value of "name" in line 60 of the file src/main/java/org/t246osslab/easybuggy/vulnerabilities/SQLInjectionServlet.java

private String selectUsers(String name, String password, HttpServletRequest req) {

which is further passed on to the value of "name" in line 69 of the file src/main/java/org/t246osslab/easybuggy/vulnerabilities/SQLInjectionServlet.java

rs = stmt.executeQuery("SELECT name, secret FROM users WHERE ispublic = 'true' AND name='" + name

and finally passed unsanitized into a sensitive sink function "stmt.executeQuery" in line 69 of the file src/main/java/org/t246osslab/easybuggy/vulnerabilities/SQLInjectionServlet.java, causing a High severity SQL Injection vulnerability.

The executeQuery method of the Statement object could be abused to perform a SQL Injection attack:

rs = stmt.executeQuery("SELECT name, secret FROM users WHERE ispublic = 'true' AND name='" + name

Mitigation Recommendations:

Further Reading: