Academic Integrity: tutoring, explanations, and feedback — we don’t complete graded work or submit on a student’s behalf.

While performing a pentest for a Java based application I came across an SQL (ac

ID: 662111 • Letter: W

Question

While performing a pentest for a Java based application I came across an SQL (actually HQL) error by simply putting a single quote in one of the request parameters and breaking the syntax of the query. But as the application made use of Hibernate Query Language as an intermediate layer between the application and the database, I was unable to directly access the database.

HQL does not support Union or time delay based controls which we generally exploit as pentesters. I was only able to extract all the entries from the table in question. Note that as the injection was found in a simple search functionality there was no confidential data in the table. I was unable to extract any database or system related information.

My question here is, can using an abstraction layer like this be suggested as a preventive measure during the development phase of an application? Because in my understanding it can really minimize the damage potential of an SQLi vulnerability (At least in my given case where there is no real critical data in the database)

Am I missing out on something important here?

Explanation / Answer

Sticking with your example of Hibernate, some ways to query are safe; some ways are unsafe. I've not actually come across an example like you describe that is partially safe, but it makes sense. I've come across several that are effectively direct SQL injection.

So, with an abstraction layer in place, you are still relying on developers to use the safe query API. This is not all that different to standard SQL interfaces (like JDBC) where there is a safe API (parameterised queries) and an unsafe API (dynamically building SQL). Either way, you are relying on developers to use the right one.

You might wonder, has someone invented an abstraction library that only has a safe API? If there's no unsafe API then there's nothing for developers to abuse. As far as I know, no such library exists, and this is because there are odd occasions that the unsafe API is needed. Remember that using the unsafe API is not necessarily a security vulnerability - the code may only be using data from trusted sources, or it may do its own sanitisation.

So the defences are:

Related Questions

While most scientists agree that the last deglaciation was driven by an increase
Question #283708
While moving in, a new homeowner is pushing a box across thefloor at a constant
Question #1727743
While moving into a new apartment, you tie a rope to an eyelet attached to the s
Question #2147271
While moving into a new apartment, you tie a rope to an eyelet attached to the s
Question #2147272
While moving into a new apartment, you tie a rope to an eyelet attached to the s
Question #2147395
While moving into your new place, you have to push a 25-kg box across the foor.
Question #1779933
While multiple sheets are selected, you can modify all of the selected sheets by
Question #3911601
While not a scientifically controversial issue, climate change caused primarily
Question #113573

Navigate

Previous
While patrolling for illegal border crossings and drug dealers, agents of the U.
Next
While performing an HCl titration experiment, how would the results differ if: a

Integrity-first tutoring: explanations and feedback only — we do not complete graded work. Learn more.