Re: is JSP&servelet web app SQL Injection Free?

[ArcSighter Elite <arcsighter () gmail com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Frank Fan wrote:
> Of course not!
>
> In fact it has nothing to do with language, but with how app deal with
> paras etc, most app has problems we found are JSP and asp.
>
> Best!
> Frank
>
> On Mon, Jan 5, 2009 at 4:28 PM, salamond <jarodzz () gmail com> wrote:
> > Hi, all.
> >
> > I'm new to pen-testing.
> >
> > Just finished my tour with a couple of tools:
> > webscarab
> > sqlmap
> > ratproxy
> >
> > But it shows OK for every page that I've been through.
> >
> > I went through a couple of SQL Injection tutorial, and most of them
> > are focusing on
> > php or asp pages.
> >
> > So here's my question, it may sound stupid, but
> > is there no SQL Injection problems in JSP&Java sevelet web app?
> >
> > thanks
> >
> > JarodZZ

What a question!

SQL injection is an issue derived of input validation. No language or
implementation can free the programmer of non-properly validate the user
input for malicious cases.
They could only pose features that help the programmer with such task,
such as parameterized queries or stored procedures. If the creator
doesn't use this features properly; of course sqlinj is possible.
The issue is not an implementation flaw, so JDBC/ADO/Linq/DBM or
whatever not pose the problem, is the programmers who misuse these
technologies who introduce the vulnerability in the web apps.

Sincerely.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFJY2IkH+KgkfcIQ8cRApP3AKDjth/UDMUUPH84lc7tTitqn+91NACg2aGi
VCpXt9aaHRNkfEcwQ7ZRVmQ=
=V2kC
-----END PGP SIGNATURE-----