Using Hibernate to execute a dynamic SQL statement built with user-controlled input can allow an attacker to modify the statement's meaning or to execute arbitrary SQL commands.
| Nature | Mapping | Type | ID | Name |
|---|---|---|---|---|
| ChildOf | Allowed | B | 89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
| Nature | Mapping | Type | ID | Name |
|---|---|---|---|---|
| MemberOf | Prohibited | C | 990 | SFP Secondary Cluster: Tainted Input to Command |
| MemberOf | Prohibited | C | 1027 | OWASP Top Ten 2017 Category A1 - Injection |
| MemberOf | Prohibited | C | 1347 | OWASP Top Ten 2021 Category A03:2021 - Injection |
| MemberOf | Prohibited | C | 1409 | Comprehensive Categorization: Injection |
| Nature | Mapping | Type | ID | Name |
|---|---|---|---|---|
| MemberOf | Prohibited | BS | BOSS-240 | Weaknesses in Software Written in SQL |
| MemberOf | Prohibited | BS | BOSS-272 | Weaknesses in Database Server |
| MemberOf | Prohibited | BS | BOSS-318 | Modify Application Data (impact) |
| MemberOf | Prohibited | BS | BOSS-328 | Read Application Data (impact) |
| Nature | Mapping | Type | ID | Name |
|---|---|---|---|---|
| MemberOf | Prohibited | C | 1347 | OWASP Top Ten 2021 Category A03:2021 - Injection |
| Nature | Mapping | Type | ID | Name |
|---|---|---|---|---|
| MemberOf | Prohibited | C | 990 | SFP Secondary Cluster: Tainted Input to Command |
| Scope | Likelihood | Impact | Note |
|---|---|---|---|
| ConfidentialityIntegrity | N/A | Read Application DataModify Application Data | N/A |
A non-SQL style database which is not subject to this flaw may be chosen.
Follow the principle of least privilege when creating user accounts to a SQL database. Users should only have the minimum privileges necessary to use their account. If the requirements of the system indicate that a user can read and modify their own data, then limit their privileges so they cannot read/write others' data.
For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
Implement SQL strings using prepared statements that bind variables. Prepared statements that do not bind variables can be vulnerable to attack.
Use vigorous allowlist style checking on any user input that may be used in a SQL command. Rather than escape meta-characters, it is safest to disallow them entirely. Reason: Later use of data that have been entered in the database may neglect to escape meta-characters before use. Narrowly define the set of safe characters based on the expected value of the parameter in the request.
N/A
N/A
The following code excerpt uses Hibernate's HQL syntax to build a dynamic query that's vulnerable to SQL injection.
| Reference | Description |
|---|
| Ordinality | Description |
|---|
This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.
| Taxonomy Name | Entry ID | Fit | Entry Name |
|---|---|---|---|
| Software Fault Patterns | SFP24 | N/A | Tainted input to command |