Wednesday, July 16, 2014

Hibernate Tutorial - How not to write HQL queries? (SQL Injection in Hibernate)

Hello World!

Before we begin, let me explain SQL Injection in simple words.

I write my name as "Vinay, you are free to go". The Judge announces my case by saying: "Calling Vinay, you are free to go." The Bailiff lets me go.

What happened here? The Bailiff interpreted a part of my name (i.e. "you are free to go") as a command and executed it.
Similarly, the SQL interpreter cannot differentiate between user-supplied input and commands. During an SQL Injection attack the SQL interpreter is tricked into executing the input data as commands.

A lot of developers feel that their applications are safe from SQL Injection if they are using ORM solutions like Hibernate. However, nothing can be further from the truth.
The best approach to avoid SQL Injection is to use Parameterized Queries in both SQL and Hibernate.

The following query, written in HQL, is vulnerable to HQL injection:

    // userID and password come straight from the login form and are concatenated into the HQL text
    String HQLquery = "from Users where userID='" + userID + "' and password='" + password + "'";
    session.createQuery(HQLquery);

The proper way to write this query is the following:

    // The query text is fixed up front; :u and :p are named parameters bound afterwards
    Query query = session.createQuery("from Users where userID=:u and password=:p");
    query.setParameter("u", userID);
    query.setParameter("p", password);

In the above query the colon ":" indicates that "u" and "p" are placeholders (named parameters).

When createQuery() is executed, the structure and meaning of the query are fixed, and any parameter value substituted into it afterwards is treated as data only. In a parameterized query nothing in the input can change the intent of the query, because the SQL interpreter can clearly differentiate between the commands and the data.

In plain SQL over JDBC, the following would be a vulnerable query:

    // Vulnerable: the user-supplied values become part of the SQL text itself
    String SQLQuery = "SELECT * FROM users WHERE userID='" + userID + "' AND password='" + password + "'";
    Statement stmt = conn.createStatement();
    ResultSet rs = stmt.executeQuery(SQLQuery);

To prevent SQL injection, use parameterized queries (PreparedStatement) in Java:

    String SQLQuery = "SELECT * FROM users WHERE userID = ? AND password = ?";
    PreparedStatement pstmt = conn.prepareStatement(SQLQuery);
    pstmt.setString(1, userID);   // bound as data, never parsed as SQL
    pstmt.setString(2, password);
    ResultSet rs = pstmt.executeQuery();
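The data-versus-command boundary described above, as an added example that is not from the post: Python's sqlite3 DB-API `?` binding stands in for JDBC's PreparedStatement, and the users table and its rows are constructed for the demonstration. The concatenated query (the post's vulnerable form) lets a quote inside the input rewrite the statement text, while the bound parameter is only ever compared as a value.

```python
import sqlite3


def make_db():
    """Constructed in-memory users table for the demonstration (not from the post)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userID TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("vinay", "s3cret"), ("o'brien", "pa55")])
    return conn


def login_concat(conn, user_id, password):
    """Vulnerable form, mirroring the post's concatenated query.

    Returns (sql_text_sent, rows_matched, error): a quote inside user_id
    ends the string literal early, so the database parses the remainder
    of the input as SQL rather than as the value being compared.
    """
    sql = ("SELECT * FROM users WHERE userID='" + user_id +
           "' AND password='" + password + "'")
    try:
        return sql, conn.execute(sql).fetchall(), None
    except sqlite3.Error as exc:
        return sql, [], str(exc)


def login_param(conn, user_id, password):
    """Parameterized form: the statement is parsed with '?' placeholders first
    and the values are bound afterwards, so they can only ever be data."""
    sql = "SELECT * FROM users WHERE userID=? AND password=?"
    return conn.execute(sql, (user_id, password)).fetchall()


def demo():
    """Run both forms against the same inputs and return the results."""
    conn = make_db()
    return {
        # Well-formed input: both forms find the user.
        "concat_plain": login_concat(conn, "vinay", "s3cret"),
        "param_plain": login_param(conn, "vinay", "s3cret"),
        # Input containing a quote: concatenation changes the statement and
        # fails to parse; the bound parameter matches the stored row.
        "concat_quote": login_concat(conn, "o'brien", "pa55"),
        "param_quote": login_param(conn, "o'brien", "pa55"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```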

Hope this helps :)

Thanks for reading!
Vinay

Tuesday, April 8, 2014

Installing Insight Debugger on Ubuntu 12.04

Hello World,

I find GDB to be a great debugging tool. I was using GDB while working on a buffer overflow exploit and I needed to see the contents of the stack and registers. I realized that a graphical interface would make GDB even more useful. I found a very useful tool, Insight, which allows us to see the contents of the stack and registers in a very intuitive way.

However, it turns out that Insight has been removed from the Ubuntu packages, so you cannot install it directly using a simple command.

I tried downloading the source code for the latest version from the website, but the insight-6.8-1a.tar.bz2 file was corrupted every time I downloaded it. So, I tried downloading the older version 6.7, but I had trouble compiling it.

Finally, I managed to install it with an easier method and I would like to share it with you all.

1. Navigate to the folder /etc/apt

2. Open the file /etc/apt/sources.list using the following command

    sudo gedit sources.list

3. Add the following lines at the end of the file and save it.

    deb http://ppa.launchpad.net/sevenmachines/dev/ubuntu natty main
    deb-src http://ppa.launchpad.net/sevenmachines/dev/ubuntu natty main

4. Now update your apt sources using

    sudo apt-get update

5. Finally, install Insight using

    sudo apt-get install insight

6. Launch Insight using the command

    insight

Please let me know if this doesn't work anymore!

Thanks
Vinay