Most common application security vulnerabilities are more or less variants of the same thing: "the anti-pattern". The anti-pattern is typically (1) an externally supplied input, and (2) a powerful API operating directly on that input. The big point of the presso was to highlight why the Criteria API (and parameterized queries, where Criteria-style APIs are not available) is to be used.
Presented at Opkoko 2012.
7. Code not Text
// Code: the query is built from typed objects, input only ever travels as a value
Root<Pet> pet = cq.from(Pet.class);
cq.where(cb.equal(pet.get(Pet_.name), input));
// Text: the input becomes part of the query text itself
s = "SELECT * FROM pet WHERE pet.name = '" + input + "'"
executeSQL( s )
9. Remove String.Concat
// Parameterized: query text is constant, the input is bound separately
s = "SELECT * FROM pet WHERE pet.name = @name"
ps = prepare( s )
ps.bind("@name", input)
// Concatenated (the anti-pattern): query text changes with the input
s = "SELECT * FROM pet WHERE pet.name = '" + input + "'"
executeSQL( s )
12. Defense in Depth
input = GET["username"]
if (whitelist.bad( input )) {
    secLog("reject")
    throw new Exception()
}
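The three slides above side by side, as an added example that is not part of the original deck: the concatenated query, its parameterized replacement, and an allowlist check layered in front of it. It uses an in-memory SQLite table standing in for the `pet` entity (constructed sample data), and the allowlist pattern and `SEC_LOG` list are assumptions standing in for the slides' `whitelist` and `secLog`.

```python
import re
import sqlite3

SEC_LOG = []  # stand-in for secLog(): records rejected inputs for the SOC to see


def make_db():
    # Constructed sample data: a tiny "pet" table in memory.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pet (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO pet (name) VALUES (?)",
                     [("Rex",), ("Mittens",), ("Bolt",)])
    return conn


def find_by_name_concat(conn, user_input):
    # The anti-pattern: query text assembled from the input with string concat,
    # so the input is interpreted as SQL, not as a value.
    s = "SELECT name FROM pet WHERE pet.name = '" + user_input + "'"
    return [row[0] for row in conn.execute(s)]


def find_by_name_param(conn, user_input):
    # "Remove String.Concat": constant query text, input bound as a parameter.
    s = "SELECT name FROM pet WHERE pet.name = ?"
    return [row[0] for row in conn.execute(s, (user_input,))]


# Hypothetical allowlist for a pet name: letters, spaces and hyphens only.
NAME_ALLOWLIST = re.compile(r"^[A-Za-z][A-Za-z -]{0,39}$")


def find_by_name_defended(conn, user_input):
    # "Defense in Depth": validate first, log and refuse on failure,
    # and still run the parameterized query for anything that passes.
    if not NAME_ALLOWLIST.fullmatch(user_input):
        SEC_LOG.append(user_input)
        raise ValueError("input rejected by allowlist")
    return find_by_name_param(conn, user_input)


def rejected(conn, user_input):
    # Helper for the demonstration: True when the validation layer refuses the input.
    try:
        find_by_name_defended(conn, user_input)
        return False
    except ValueError:
        return True
```

Run with the textbook probe `x' OR '1'='1` and the concatenated version returns every row, the parameterized version returns none, and the defended version refuses it before any SQL runs.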
13. Summary
Most common security coding vulns are variants of the same anti-pattern
Use easy safe-by-design API
Entity & Criteria API: SQLi is hard =)
Fear String.Concat
String operations are the mother of all evil
Parameterize if you must stick to text!
Defend in Depth!
The anti-pattern can also be broken by input validation.