Prev Next

Java / XML

How do you prevent Injection attacks?

Defending against SQL Injection-JDBC Prepared statements: The Java platform includes a defensive measure to protect yourself against the SQL injection attacks: JDBC prepared statements. JDBC prepared statements to work by precomputing the SQL query into a binary database proprietary format.

Prior to execution, user data is bound to the pre-computed query, and finally, the query is executed. Any reserved control characters or words passed by attackers are considered user data and not part of the SQL statement. Following is a safer SQL example:

//Prevent SQL Injection
String query = "SELECT * FROM users WHERE Name=?";
PreparedStatement pstmt = connection.prepareStatement(query);
ResultSet results = pstmt.executeQuery(); 

Encoding reserved control sequences within untrusted Input: Proper encoding of data needed to mitigate untrusted input attacks as user may input vulnerable script/malicious code.

To defend against these attacks, reserved character sequences must not be conflated with user data. Specifically, less than and greater than reserved characters in HTML must be changed to their corresponding HTML entity references -- \< and \> respectively. Reserved characters such as ;/?:@=&, unsafe characters such as blank/empty space, "<>#%{}|\^~[]` require encoding.

XML parser defence: XML external entity (XXE) attacks are used to exfiltrate sensitive data, execute server-side port scanning and perform denial-of-service and other attacks by leveraging an XML external entity reference.

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
  <!ELEMENT foo ANY >
  <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>

For example, the above XML fragment leveraged to exfilterated password file, the password file content will be dumped in to browser.

The best way to defend against XXE attacks is to leverage the security features provided by XML parsers. Specific defenses vary between XML parser implementations, but the platform offers a provision to configure security settings by passing arguments to DocumentBuilderFactory.setFeature().

It's right time to invest in Cryptocurrencies Dogecoin! Earn free bitcoins up to $250 now by signing up.

Earn bitcoins upto $250 (free), invest in other Cryptocurrencies when you signup with blockfi. Use the referral link: Signup now and earn!

Using BlockFi, don't just buy crypto - start earning on it. Open an interest account with up to 8.6% APY, trade currencies, or borrow money without selling your assets.

Join CoinBase! We'll both receive $10 in free Bitcoin when they buy or sell their first $100 on Coinbase! Available in India also. Use the referral Join coinbase!

Invest now!!! Get Free equity stock (US, UK only)!

Use Robinhood app to invest in stocks. It is safe and secure. Use the Referral link to claim your free stock when you sign up!.

The Robinhood app makes it easy to trade stocks, crypto and more.

Webull! Receive free stock by signing up using the link: Webull signup.

More Related questions...

Show more question and Answers...

Garbage collection

Comments & Discussions