-1

Hi Stack I need some help please.

Im building an intentionally vulnerable local app. And I need a parameter to not have validation because the app will be for developers to test security vulnerabilities like SQL injection and XSS. I am struglling to find a way to make a query vulnerable to SQL injection using local DB JPA UserRespository but the only query it lets me is the following.

@Repository
public interface UserRespository extends CrudRepository<User,Long>{
  
    @Query(value="SELECT * FROM USERS WHERE name = :name", nativeQuery=false)
   User VulnerableQuery(String name);

}

So I cant actually trigget an SQL injection. Does anybody know any other way?

Sherlocker
  • 185
  • 1
  • 1
  • 12
  • SQL injection is tested on whichever is exposing the persistence layer. In the case of Spring, you usually expose the persistence layer into the Controller, e.g. The REST endpoints. It is there, where you test for SQL injection, not at the repository (persistence layer) class. – Victor Polo De Gyves Montero Mar 11 '21 at 18:21
  • Hi Victor I understand that the problem is that JPA only allows to build queries based on its own. I can actually concat a username directly because It doesnt let me – Sherlocker Mar 11 '21 at 18:22
  • Just try to send to the REST endpoints whatever you think that will create a breach. If you are already using JPA and also POJOs with Spring, that is a task for Big Dogs, not for newbies. JPA+Hibernate and Spring are as hard as stone, to let pass a SQL Injection attack. – Victor Polo De Gyves Montero Mar 11 '21 at 18:23
  • You can write a native query directly in your code. See the answer here: https://stackoverflow.com/questions/41661193/is-spring-data-jpa-safe-against-sql-injection – default locale Mar 11 '21 at 18:24
  • No, there is no problem with JPA. JPA is doing its best to protect against SQL Injection, but you still can test it to find a vulnerability, just as it is, no need to remove anything at the Repository level. JPA converts any JPQL query into plain, vanilla SQL. So if there is a vulnerability in JPA, you can do your best to find it. Who knows, maybe you find a breach. – Victor Polo De Gyves Montero Mar 11 '21 at 18:26
  • TL;DR, to test SQL Injection at the Repository level, do your tests at the Controller level. – Victor Polo De Gyves Montero Mar 11 '21 at 18:28
  • @defaultlocale I am using default native queries from UserRepository in spring. – Sherlocker Mar 11 '21 at 18:43
  • @LuisCarlos You need to build a query using concatenation. AFAIK, you can't do this using a Query annotation. One way to accomplish this is to inject an entity manager and then write this query directly in code. Have you read the answer in the link I've posted above? – default locale Mar 11 '21 at 18:51
  • I have @defaultlocale but I am using UserRepository a local DB which means I cant customize it. – Sherlocker Mar 11 '21 at 18:54

1 Answers1

-1

If you use a native query like this?:

@Query(value="SELECT * FROM USERS WHERE name = :?1", nativeQuery=true)
sourheart
  • 114
  • 1
  • 7
  • No, this still passes the name as a parameter. To introduce a vulnerability you need to build a query an old, hard, stupid way with concatenation. – default locale Mar 11 '21 at 18:36
  • No, parameters (this thing: `:?1`) are injection proof. See this: https://stackoverflow.com/questions/52791121/is-java-spring-jpa-native-query-sql-injection-proof – default locale Mar 11 '21 at 18:41