Time-based SQL Injection - Java

Time-based SQL Injection - Java

Need

Prevention of time-based SQL injection attacks

Context

  • Usage of Java for building cross-platform applications
  • Usage of javax.servlet.http.* for handling HTTP requests and responses in Java Servlets
  • Usage of java.sql.* for database connectivity and SQL operations in Java

Description

Non compliant code

        import javax.servlet.http.*;
import java.sql.*;

public class TimeBasedSQLInjection extends HttpServlet {

    private Connection connection;

    public void doGet(HttpServletRequest request, HttpServletResponse response) {
        String id = request.getParameter("id");

        try {
            Statement statement = connection.createStatement();
            ResultSet resultSet = statement.executeQuery("SELECT * FROM users WHERE id = " + id);
            // ... process resultSet ...
        } catch (SQLException e) {
            // ... error handling ...
        }
    }
}
        
        

This code is an example of a time-based SQL injection vulnerability. The problem lies in the doGet method of the TimeBasedSQLInjection servlet. This method retrieves a parameter id from the HTTP request and uses it directly in a SQL query without any sanitization or validation. This opens up the possibility for an attacker to inject arbitrary SQL code by manipulating the id parameter.

For instance, an attacker could send a request with an id parameter like 1; WAITFOR DELAY '00:00:10'--. This would cause the server to execute the SQL command WAITFOR DELAY '00:00:10' after retrieving the user with the ID 1, resulting in a delay of 10 seconds before the server responds. By observing the server's response time, the attacker could infer whether their injection was successful and if the vulnerability is present.

This vulnerability can lead to serious security breaches, including unauthorized access to sensitive data, data corruption, and denial of service. It is crucial to sanitize and validate all user inputs before using them in SQL queries to prevent SQL injection attacks.

Steps

  • Use parameterized queries or prepared statements to handle user input securely.
  • Sanitize and validate user input to prevent any malicious SQL injection attempts.
  • Implement proper error handling and logging to handle any SQL exceptions.
  • Limit the privileges of the database user used by the application to minimize the potential impact of an attack.
  • Regularly update and patch the database software to ensure any known vulnerabilities are addressed.
  • Implement a web application firewall (WAF) to detect and block any suspicious SQL injection attempts.
  • Perform regular security audits and penetration testing to identify and fix any potential vulnerabilities.

Compliant code

        import javax.servlet.http.*;
import java.sql.*;

public class TimeBasedSQLInjection extends HttpServlet {

    private Connection connection;

    public void doGet(HttpServletRequest request, HttpServletResponse response) {
        String id = request.getParameter("id");

        try {
            PreparedStatement preparedStatement = connection.prepareStatement("SELECT * FROM users WHERE id = ?");
            preparedStatement.setString(1, id);
            ResultSet resultSet = preparedStatement.executeQuery();
            // ... process resultSet ...
        } catch (SQLException e) {
            // ... error handling ...
        }
    }
}
        
        

The original code was vulnerable to Time-based SQL Injection attacks because it was directly concatenating user input into a SQL query. This could allow an attacker to manipulate the query, potentially causing delays in execution or even extracting sensitive data.

The fixed code uses a PreparedStatement instead of a Statement. This allows us to safely insert user input into the SQL query without risk of injection. The ? in the query is a placeholder that we fill in with the setString method. This method ensures that the input is properly escaped, preventing any SQL injection attempts.

In addition to this, it's important to sanitize and validate user input, implement proper error handling and logging, limit the privileges of the database user, regularly update and patch the database software, implement a web application firewall (WAF), and perform regular security audits and penetration testing. These steps will further enhance the security of your application.

References