Skip to content

Eliminating SQL Injection the Contrast Way

    

SQL Injection is one of the most serious application security problems. The vulnerability exists anytime a developer takes untrusted data (like something you submit in a URL or a web form) and concatenates it into a database query.  The outcome is that the attacker can change the meaning of the query and steal data or corrupt your database.

Scanning and penetration testing can be used to detect SQL injection problems, but they're terribly error prone and are likely to miss many instances.  Static analysis and code review can also be used, but they are difficult and time consuming.

Contrast searches out these vulnerabilities a different way. The Contrast Engine watches all the methods in your application that might be involved in a SQL injection flaw. Then as your application runs, Contrast identifies any time untrusted data reaches a SQL query. It's like putting a tracing beacon on the untrusted data as it flows through your application.

In Java there are only a few calls that can be used to communicate with a database:

  • Statement.execute*
  • Statement.addBatch
  • Connection.prepare*

So Contrast watches these methods for any untrusted data. If any untrusted data shows up, Contrast reports a full trace of this SQL injection vulnerability back to the Contrast TeamServer. The trace includes all the steps in the vulnerability - including the actual data, the exact lines of code for each step, and the full HTTP request for replay and testing.

This approach has several advantages.  It's doesn't require any appsec expertise to set up or use. Installation and use are both incredibly fast.  And, it's far more accurate than those other techniques. Give it a try and you'll never think of application security tools the same way again!

runtime-application-self-protection-rasp

 

Jeff Williams, Co-Founder, Chief Technology Officer

Jeff Williams, Co-Founder, Chief Technology Officer

Jeff brings more than 20 years of security leadership experience as co-founder and Chief Technology Officer of Contrast Security. He recently authored the DZone DevSecOps, IAST, and RASP refcards and speaks frequently at conferences including JavaOne (Java Rockstar), BlackHat, QCon, RSA, OWASP, Velocity, and PivotalOne. Jeff is also a founder and major contributor to OWASP, where he served as Global Chairman for 9 years, and created the OWASP Top 10, OWASP Enterprise Security API, OWASP Application Security Verification Standard, XSS Prevention Cheat Sheet, and many more popular open source projects. Jeff has a BA from Virginia, an MA from George Mason, and a JD from Georgetown.