I am trying to create a java servlet with a NoSQL injection vulnerability. I've connected the servlet with MongoDB and check if the login info submitted by the user exists, I'm doing the next query:
String andQuery = "{$and: [{user: \""+u+"\"}, {password: \""+p+"\"}]}";
Where u is the user and p is the password given by the user.
For what I've seen this is correct, and the NoSQL injection should exist, bu I really dont kno how to prove it.
I've tried submitting with burp this:
username[$ne]=1&password[$ne]=1
But its not working, and when I check the content of u and p after I submitted that the content of both variables is null.
I dont have the servlet configured to receive json objects so I need a solition that doesn't imply send a json object with burp.
PD: I tryed also to insert something like this:
{\"$gt\":\"\" }
in the user and password fields but the result query is
{"$and": [{"user": "{\"$gt\":\"\" }"}, {"password": "{\"$gt\":\"\" }"}]}
I guess this doesn't work because the {"$gt":"" } is in quotes, ¿how can I do the servlet to be vulnarable and with which input it would be vulnerabel?
Related
I have a spring boot service (2.4.5) that shows a checkmarx error, that we need to sanitize the request payload. How do we sanitize the request payload?
#ApiOperation(value = "Executes new report. The response contains the new job id.")
#PostMapping(value = "/execute")
public ResponseEntity<MyResponse<Object, Void>> execute(
#RequestBody final MyInput input) {.......}
I am getting the following checkmarx error message for "#RequestBody final MyInput input":
The application's executeNewReport method executes an SQL query with input, at line 82 of src\main\java\com\gayathri\controllers\JobController.java. The application constructs this SQL query by embedding an untrusted string into the query without proper sanitization. The concatenated string is submitted to the database, where it is parsed and executed accordingly.
This apparent database access is seemingly encapsulated in an external component or API.
Thus, it seems that the attacker might be able to inject arbitrary data into the SQL query, by altering the user input input, which is read by the execute method, at line 75 of src\main\java\com\gayathri\controllers\JobController.java. This input then flows through the code to the external API, and from there to a database server, apparently without sanitization.
This may enable an SQL Injection attack, based on heuristic analysis.
I would like to sanitize my payload. Or is there no other option than to use a DTO , and then transform it to my database entity
Based on the description of the vulnerability, I'm assuming the exact vulnerability detected by Checkmarx is "Heuristic SQL Injection". It would be nice to see where the sink is (where the vulnerability is propagates) and not just the source ("#RequestBody final MyInput input").
The first approach is to use parameterization or prepared statements, and here is a link to a cheatsheet from OWASP that can be useful for you
What I think Checkmarx also looks out for is the use for the encodeForSQL function which will require you to use the OWASP Enterprise Security API library
If you're using MySQL:
input = ESAPI.encoder().encodeForSQL(new MySQLCodec(), input);
or change the database codec appropriately
I'm trying to update a field of my user DTO, but every time I update by doing userService.save(user), my login credentials become invalid in the database, because when I first get the user I get the encrypted password in the password field of my DTO, and when I save the user again I'm re-encrypting the encrypted password making the password different than before.
How can I go about fixing this? Should I decrypt the password when I first query the database in my user service? Is that safe?
Edit : found out you can't decode the password (I'm using BCryptPasswordEncoder) anyways. Is there a way to update all my fields without affecting the password?
Have you tried to update only the column without saving the entire entity?
There is an example of how to create such a query in the Spring Data JPA documentation:
https://docs.spring.io/spring-data/jpa/docs/2.1.1.RELEASE/reference/html/#jpa.modifying-queries
Addition:
If there is a way to save only the password without re-encrypting it? If so, you could perhaps try to:
- Obtain the encrypted password.
- Update the user entity (resulting in the encrypted password being encrypted a second time).
- Overwrite only the password in the user with the encrypted password obtained in step 1.
You should use entity listeners.
Look here https://www.concretepage.com/java/jpa/jpa-entitylisteners-example-with-callbacks-prepersist-postpersist-postload-preupdate-postupdate-preremove-postremove
Create entity listener class, implement preUpdate method.
You should inject applicationContext into class. You can find bean "passwordEncoder". Spring use it to encode password.
In pre update method you get your raw password, create encoded version like
passwordEncoder.encode(password) and set it back to the entity.
I have been trying to retrieve information from querying a specific Asset(Story/Defect) on V1 using the VersionOne.SDK.Java.APIClient. I have been able to retrieve information like ID.Number, Status.Name but not Requests.Custom_SFDCChangeReqID2 under a Story or a Defect.
I check the metadata for:
https://.../Story?xsl=api.xsl
https://.../meta.V1/Defect?xsl=api.xsl
https://.../meta.V1/Request?xsl=api.xsl
And the naming and information looks right.
Here is my code:
IAssetType type = metaModel.getAssetType("Story");
IAttributeDefinition requestCRIDAttribute = type.getAttributeDefinition("Requests.Custom_SFDCChangeReqID2");
IAttributeDefinition idNumberAttribute = type.getAttributeDefinition("ID.Number")
Query query = new Query(type);
query.getSelection().add(requestCRIDAttribute);
query.getSelection().add(idNumberAttribute);
Asset[] results = v1Api.retrieve(query).getAssets();
String RequestCRID= result.getAttribute(requestCRIDAttribute).getValue().toString();
String IdNumber= result.getAttribute(idNumberAttribute).getValue().toString();
At this point, I can get some values for ID.Number but I am not able to retrieving any information for the value Custom_SFDCChangeReqID2.
When I run the restful query to retrieve information using a browser from a server standpoint it works and it does retrieve the information I am looking for. I used this syntax:
https://.../rest-1.v1/Data/Story?sel=Number,ID,Story.Requests.Custom_SFDCChangeReqID2,Story.
Alex: Remember that Results is an array of Asset´s, so I guess you should be accessing the information using something like
String RequestCRID= results[0].getAttribute(requestCRIDAttribute).getValue().toString();
String IdNumber= results[0].getAttribute(idNumberAttribute).getValue().toString();
or Iterate through the array.
Also notice that you have defined:
Asset[] results and not result
Hi thanks for your answer! I completely forgot about representing the loop, I was too focus on the retriving information part, yes I was actually using a loop and yes I created a temporary variable to check what I was getting from the query in the form
Because I was getting the variables one by one so I was only using the first record. My code works after all. It was just that What I was querying didn't contain any information of my use, that's why I was not finding any. Anyway thanks for your comment and observations
I 'm trying to use the Baas Parse for my Android application.
I've followed the quickstart guide with success, so i'have successfully registered a TestObject into my Parse database.
Now, I try to adapt Parse to my needs and to register a User into Parse database with that code:
Parse.initialize(this, "NkThBbZ4gcXQf3s59UGTozpCjKQbECVP5SmuXCkY", "n7a65t3o8fZNAXTOygWIg2L9Kui316yepfgoSdhf");
ParseObject userParse = new ParseObject("User");
userParse.put("username", user.getPseudonyme());
userParse.put("password", user.getPassword());
userParse.saveInBackground();
But it doesn't insert my user into the User table, instead it creates a new table and insert my User in that new User table.
The first User table is a default table created by parse as far as i understand but i don't understand why is it impossible to use it.
The result is that i have 2 Users tables.
Thank you very much for your answers if anyone had the same problem.
Sebastien
The pre-made User table actually has an underscore before it. It is the _User table, not the User table. The underscore is to signify it's a special class that Parse gives you. Use _User instead of User.
On my User class I have a field that is a list of strings:
#Persistent
private List<String> openIds;
When I create a new user I do this:
User user = new User();
user.openIds.add(openid);
pm.makePersistent(user);
When I break after that last line and look, the openIds contains the openid I put in there.
But, when I later call User user = pm.getObjectById(User.class, id); with the correct id, the openIds field is an empty list.
Anyone know what could cause that?
EDIT: BTW I'm running on the Google App Engine
UPDATE: Looking at the datastore viewer, I can see the openid was correctly stored in the database. So its just not getting it out correctly...
UPDATE 2: Its working fine now. I'm pretty sure I didn't change anything. I think what must have happened is that there was an old version of the user object being pulled from the database. A user object that was put in before I had the code that saves the openid. Once I wiped the database things worked fine.
Not putting that field in the fetch plan ?
Accessing persistent fields directly, rather than going via setters ?