2025-02-24 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
Let's take the database access class jdbcTemplate that ships with Spring MVC as an example. Suppose the DAO below has two functions.
The save function uses bind variables and so prevents SQL injection, while the queryForInt_ function takes an id parameter and concatenates it directly into the SQL statement; SQL injection was observed here during testing.
public static void save(String username, String password) {
    // bind variables: the values travel separately from the SQL text
    jdbcTemplate.update("insert into test_table (user_name, password) values (?, ?)",
        new Object[] {username, password});
}

public static int queryForInt_(String id) {
    // string concatenation: the caller-supplied id becomes part of the SQL text
    return jdbcTemplate.queryForInt("select count(0) from test_table where id = " + id);
}
// only the DAO layer code is posted, for convenience
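To make the difference between the two DAO functions observable, here is an added example (not from the article) that mirrors them in Python against an in-memory SQLite table; the table contents are constructed sample data.

```python
import sqlite3

# Constructed sample data standing in for the article's test_table.
SAMPLE_ROWS = [(1, "alice", "pw1"), (2, "bob", "pw2"), (3, "carol", "pw3")]


def setup_db():
    """Create test_table in memory and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table test_table (id integer, user_name text, password text)")
    conn.executemany("insert into test_table values (?, ?, ?)", SAMPLE_ROWS)
    return conn


def query_for_int_concat(conn, id_value):
    """Mirror of queryForInt_: the id string is spliced into the SQL text."""
    sql = "select count(0) from test_table where id = " + id_value
    return conn.execute(sql).fetchone()[0]


def query_for_int_bound(conn, id_value):
    """Same query in the style of save(): the id is a bound parameter, never SQL."""
    sql = "select count(0) from test_table where id = ?"
    return conn.execute(sql, (id_value,)).fetchone()[0]


def compare(id_value):
    """Return (count via concatenation, count via bind variable) for one input."""
    conn = setup_db()
    return query_for_int_concat(conn, id_value), query_for_int_bound(conn, id_value)
```

With a plain id both styles agree; with the tautology a tester would append, only the concatenated query widens to the whole table, while the bound query treats the text as a literal that matches nothing.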
Therefore, when developing Java code, avoid executing database statements built by string concatenation. If you must query with a concatenated SQL statement, OWASP's ESAPI package offers protection against SQL injection through its encodeForSQL method.
We now analyse the encodeForSQL method.
First, its usage. It is called as follows; a different codec is used for each database.
// prevent Oracle injection
ESAPI.encoder().encodeForSQL(new OracleCodec(), queryparam);
// prevent MySQL injection; Mode.STANDARD is the standard anti-injection mode, commonly used for MySQL
ESAPI.encoder().encodeForSQL(new MySQLCodec(Mode.STANDARD), queryparam);
// prevent DB2 injection
ESAPI.encoder().encodeForSQL(new DB2Codec(), queryparam);

// an example of preventing Oracle injection; for convenience only the SQL splicing part is shown
Codec ORACLE_CODEC = new OracleCodec();
String query = "SELECT user_id FROM user_data WHERE user_name = '"
    + ESAPI.encoder().encodeForSQL(ORACLE_CODEC, req.getParameter("userID"))
    + "' AND user_password = '"
    + ESAPI.encoder().encodeForSQL(ORACLE_CODEC, req.getParameter("pwd")) + "'";
Let's use MySQL as an example to analyse how encodeForSQL defends. We won't trace the whole call chain; going straight to what is called last, the code shows it is the encodeCharacter method.
public String encodeCharacter(char[] immune, Character c) {
    char ch = c.charValue();
    // check for immune characters
    if (containsCharacter(ch, immune)) {
        return "" + ch;
    }
    // check for alphanumeric characters
    String hex = Codec.getHexForNonAlphanumeric(ch);
    if (hex == null) {
        return "" + ch;
    }
    switch (mode) {
        case ANSI: return encodeCharacterANSI(c);
        case STANDARD: return encodeCharacterMySQL(c);
    }
    return null;
}
In the method above, containsCharacter checks the immune whitelist: a character on the list is returned without any encoding. Codec.getHexForNonAlphanumeric returns a hex representation for non-alphanumeric characters and null for alphanumeric ones, so letters and digits also pass through unchanged.
encodeCharacterANSI and encodeCharacterMySQL are where the defence happens. Let's look at the difference between the two. If Mode.ANSI is chosen, the string goes through the following function, which handles only the single and double quote: a single quote is doubled and a double quote is dropped.
private String encodeCharacterANSI(Character c) {
    if (c == '\'')
        return "\'\'";   // double the single quote
    if (c == '\"')
        return "";       // drop the double quote
    return "" + c;       // everything else, including backslash, passes through
}
If Mode.STANDARD is chosen, the string goes through the following function, which escapes many more symbols (single and double quotes, percent sign, backslash, and so on), so standard mode is recommended.
private String encodeCharacterMySQL(Character c) {
    char ch = c.charValue();
    if (ch == 0x00) return "\\0";
    if (ch == 0x08) return "\\b";
    if (ch == 0x09) return "\\t";
    if (ch == 0x0a) return "\\n";
    if (ch == 0x0d) return "\\r";
    if (ch == 0x1a) return "\\Z";
    if (ch == 0x22) return "\\\"";
    if (ch == 0x25) return "\\%";
    if (ch == 0x27) return "\\'";
    if (ch == 0x5c) return "\\\\";
    if (ch == 0x5f) return "\\_";
    return "\\" + c;  // any other non-alphanumeric character is backslash-escaped
}
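To see the two modes side by side on real input, here is an added Python port of the per-character logic walked through above; it is my own code, not ESAPI's, and the immune set containing only the space character is an assumption about how encodeForSQL calls the codec.

```python
# Port of the STANDARD-mode table from encodeCharacterMySQL (code point -> escape).
MYSQL_STANDARD = {
    0x00: "\\0", 0x08: "\\b", 0x09: "\\t", 0x0a: "\\n", 0x0d: "\\r", 0x1a: "\\Z",
    0x22: '\\"', 0x25: "\\%", 0x27: "\\'", 0x5c: "\\\\", 0x5f: "\\_",
}
# Assumption: encodeForSQL passes a whitelist containing only the space character.
IMMUNE_SQL = frozenset(" ")


def is_ascii_alnum(ch):
    """Mirror getHexForNonAlphanumeric returning null only for ASCII [0-9A-Za-z]."""
    return ch.isascii() and ch.isalnum()


def encode_char_ansi(ch):
    """Mode.ANSI: double a single quote, drop a double quote, pass the rest."""
    if ch == "'":
        return "''"
    if ch == '"':
        return ""
    return ch


def encode_char_mysql(ch):
    """Mode.STANDARD: table lookup, otherwise backslash-escape the character."""
    return MYSQL_STANDARD.get(ord(ch), "\\" + ch)


def encode_character(ch, mode, immune=IMMUNE_SQL):
    """Port of encodeCharacter: immune and alphanumeric characters pass unchanged."""
    if ch in immune or is_ascii_alnum(ch):
        return ch
    return encode_char_ansi(ch) if mode == "ANSI" else encode_char_mysql(ch)


def encode_for_sql(value, mode="STANDARD"):
    """Encode a whole string for splicing into a MySQL statement."""
    return "".join(encode_character(ch, mode) for ch in value)
```

Note that in ANSI mode a backslash and a NUL byte pass through untouched, which is exactly why the article recommends STANDARD mode.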
We have covered bind variables and ESAPI as defences against SQL injection. My suggestion is to prefer bind variables wherever possible; they are the more robust defence.
0x02: cross-site scripting attack
For the defence against cross-site scripting, we again analyse how ESAPI does it.
ESAPI's approach is to encode the data for the context of the output point where it lands. Let's look at how it is used:
Output point in an HTML page: ESAPI.encoder().encodeForHTML(String input)
Output point in an HTML attribute: ESAPI.encoder().encodeForHTMLAttribute(String input)
Output point in JavaScript code: ESAPI.encoder().encodeForJavaScript(String input)
Output point in CSS code: ESAPI.encoder().encodeForCSS(String input)
Output point in VBScript code: ESAPI.encoder().encodeForVBScript(String input)
Output point in XPath: ESAPI.encoder().encodeForXPath(String input)
Output point in XML: ESAPI.encoder().encodeForXML(String input)
Output point in an XML attribute: ESAPI.encoder().encodeForXMLAttribute(String input)
Output point in a URL: ESAPI.encoder().encodeForURL(String input)
If the Java output lands in an HTML page, use the method as in the following example.
String username = ESAPI.encoder().encodeForHTML(req.getParameter("name"));
Next we look at the specific implementation of this method.
public String encodeCharacter(char[] immune, Character c) {
    // check for immune characters
    if (containsCharacter(c, immune)) {
        return "" + c;
    }
    // check for alphanumeric characters
    String hex = Codec.getHexForNonAlphanumeric(c);
    if (hex == null) {
        return "" + c;
    }
    // check for illegal characters
    // the remaining ASCII code points are generally non-printable; those that cannot be
    // represented as an entity are replaced outright by \ufffd
    if (c = 0x7f && c
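As an added example (my own port, not ESAPI's code) of the behaviour the article describes for the HTML context, the encoder below passes immune and alphanumeric characters, replaces non-printable characters with U+FFFD, and entity-encodes everything else; the immune set, the control-character ranges and the small named-entity table are assumptions.

```python
# Assumption: encodeForHTML treats comma, period, hyphen, underscore and space as immune.
IMMUNE_HTML = frozenset(",.-_ ")
# Assumption: a minimal named-entity table; anything else gets a hex entity.
NAMED_ENTITIES = {"&": "amp", "<": "lt", ">": "gt", '"': "quot"}
REPLACEMENT_CHAR = "\ufffd"


def is_illegal(ch):
    """Assumed non-printable ranges: C0 controls except tab/LF/CR, and 0x7f-0x9f."""
    cp = ord(ch)
    return (cp <= 0x1F and ch not in "\t\n\r") or (0x7F <= cp <= 0x9F)


def encode_char_html(ch, immune=IMMUNE_HTML):
    """Per-character HTML encoding in the order the article walks through."""
    # immune whitelist and ASCII alphanumerics pass through unchanged
    if ch in immune or (ch.isascii() and ch.isalnum()):
        return ch
    # non-printable characters are swapped for the replacement character first
    if is_illegal(ch):
        ch = REPLACEMENT_CHAR
    # prefer a named entity where one is defined, else the hex entity form
    name = NAMED_ENTITIES.get(ch)
    if name is not None:
        return "&" + name + ";"
    return "&#x" + format(ord(ch), "x") + ";"


def encode_for_html(value):
    """Encode a whole string for output inside an HTML page body."""
    return "".join(encode_char_html(ch) for ch in value)
```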