<rt id="bn8ez"></rt>
<label id="bn8ez"></label>

  • <span id="bn8ez"></span>

    <label id="bn8ez"><meter id="bn8ez"></meter></label>

    如何消除VeraCode檢測中的SQL Injection Issue(CWE ID 89)

    Veracode是一個檢測應用程序是否存在安全漏洞的工具,更多細節請訪問http://www.veracode.com

    這里主要總結一下如何消除Veracode檢測結果中的SQL Injection issue(CWE ID 89)

    首先,先看看VeraCode對SQL Injection Issue的定義:
    SQL Injection Description
    SQL injection vulnerabilities occur when data enters an application from an untrusted source and is used to dynamically
    construct a SQL query.  This allows an attacker to manipulate database queries in order to access, modify, or delete arbitrary data.  Depending on the platform, database type, and configuration, it may also be possible to execute administrative operations on the database, access the filesystem, or execute arbitrary system commands.  SQL injection attacks can also be used to subvert authentication and authorization schemes, which would enable an attacker to gain privileged access to restricted portions of the application.

    再瀏覽一下VeraCode對如何解決這個問題的建議:
    Recommendations
    Several techniques can be used to prevent SQL injection attacks. These techniques complement each other and address
    security at different points in the application. Using multiple techniques provides defense-in-depth and minimizes the likelihood
    of a SQL injection vulnerability.
    Use parameterized prepared statements rather than dynamically constructing SQL queries.  This will prevent the
    database from interpreting the contents of bind variables as part of the query and is the most effective defense against
    SQL injection.
    *
    Validate user-supplied input using positive filters (white lists) to ensure that it conforms to the expected format, using
    centralized data validation routines when possible.
    *
    Normalize all user-supplied data before applying filters or regular expressions, or submitting the data to a database. This
    means that all URL-encoded (%xx), HTML-encoded (&#xx;), or other encoding schemes should be reduced to the
    internal character representation expected by the application. This prevents attackers from using alternate encoding
    schemes to bypass filters.
    *
    When using database abstraction libraries such as Hibernate, do not assume that all methods exposed by the API will
    automatically prevent SQL injection attacks.  Most libraries contain methods that pass arbitrary queries to the database in an unsafe manner.


    通過對現有系統的實踐證明,對于這類SQL Injection Issue,消除時主要遵循以下幾個原則:

    1)優先使用PreparedSQLStatement,使用它提供的占位符來填充SQL中的參數。

    2)因為PrepareSQLStatement只支持標準的SQL,對于某些數據庫廠商中中特殊的SQL語句,比如"init device xxxx"等就無能為力了。
    這是我們可以使用java.text.MessageFormat.format(query, params)來填充SQL的參數。
     1      public static String parseQuery( String query, Object[] params)
     2      {
     3          try
     4          {
     5              return MessageFormat.format(query, params);
     6          }
     7          catch( Exception e)
     8          {
     9              System.out.println(e);
    10              return null;
    11          }
    12      }


       3)Veracode會檢測傳入SQL的變量是否存在安全隱患(比如是否從文件中讀取的,或者是否從注冊表里讀取的),這種情況需要重新定義1個變量,然后將其傳入SQL語句中,看如下例子
          String sql = "create {0} for instance {1} on {2}  = ''{3}''";
           String executedSql 
    = parseQuery(sql,
                     
    new String[]{instance.getDbName(),
                                  instance.getName(),
                                  instance.getDeviceName(),                           
                                  instance.getDeviceSize(),
    });

        這里,instance是一個已經存在的對象,如果它的變量是從文件中讀取的或者是依賴于程序外部的值,Veracode就認為存在安全隱患,因此我們需要做如下的調整:
     String dbName = FileUtil.removeControlCharacter(instance.getTempdbDbName());
           String instanceName 
    = FileUtil.removeControlCharacter(instance.getName());
           String devName 
    = FileUtil.removeControlCharacter(instance.getTempdbDeviceName());
           String executedSql 
    = parseSQLQuery(IConstants.CREATE_INSTANCE_SYS_TEMP_DB,
                     
    new String[]{dbName,instanceName,devName,deviceSize});
                    
        其中,FileUtil.removeControlCharacter()的作用是刪除String變量中的控制符,目的就是對原有的String變量進行一次過濾后,賦值給新的變量,然后再傳給SQL語句。
    public static final String removeControlCharacter(String input)
        {
            
    if (input == null)
            {
                
    return "";
            }
            StringBuilder sb 
    = new StringBuilder();
            
    for (int i=0; i<input.codePointCount(0, input.length()); i++)
            {
                
    int codePoint = input.codePointAt(i);
                
    if(!Character.isISOControl(codePoint))
                {
                    sb.appendCodePoint(codePoint);
                }
            }
            
    return sb.toString();
        }   

    posted on 2011-09-05 14:09 想飛就飛 閱讀(2389) 評論(1)  編輯  收藏 所屬分類: J2EE

    評論

    # re: 如何消除VeraCode檢測中的SQL Injection Issue(CWE ID 89) 2011-11-24 19:27 liangO

    天,什么東西要求這么嚴格啊  回復  更多評論   

    公告


    導航

    <2011年9月>
    28293031123
    45678910
    11121314151617
    18192021222324
    2526272829301
    2345678

    統計

    常用鏈接

    留言簿(13)

    我參與的團隊

    隨筆分類(69)

    隨筆檔案(68)

    最新隨筆

    搜索

    積分與排名

    最新評論

    閱讀排行榜

    評論排行榜

    主站蜘蛛池模板: 亚洲一区精品无码| 在线A级毛片无码免费真人| 亚洲精品专区在线观看| 激情婷婷成人亚洲综合| 精品国产免费一区二区| 亚洲aⅴ无码专区在线观看春色| 成人无遮挡裸免费视频在线观看 | 蜜臀98精品国产免费观看| 亚洲av无码成人黄网站在线观看 | 黄色网址在线免费观看| 日本中文一区二区三区亚洲 | 国产精品网站在线观看免费传媒| 亚洲日本va在线视频观看| 一个人看的www免费视频在线观看| 亚洲精品成人无码中文毛片不卡| a级成人毛片免费图片| 亚洲人成亚洲精品| 国产一卡2卡3卡4卡无卡免费视频| 2020天堂在线亚洲精品专区| 日本不卡高清中文字幕免费| 特黄aa级毛片免费视频播放| 国产亚洲色婷婷久久99精品91| 国产精品视频免费一区二区三区| 亚洲国产无线乱码在线观看| 亚洲日韩在线观看免费视频| 久久九九全国免费| 亚洲精品亚洲人成在线| 亚洲精品tv久久久久| 久久精品电影免费动漫| 亚洲 欧洲 日韩 综合在线| 免费a级毛片在线观看| 国产无遮挡无码视频免费软件| 亚洲午夜精品一区二区公牛电影院| 成人免费一区二区三区在线观看| 人人爽人人爽人人片A免费| 亚洲VA中文字幕无码一二三区| 久久WWW色情成人免费观看| 四虎国产精品永免费| 亚洲综合无码一区二区| 国产免费变态视频网址网站| 久久精品国产免费一区|