During the Burp test, some SQL injection vulnerabilities are reported by the tool even after using a prepared statement.
For instance:
SELECT address, state, status, plan, remarks
FROM archive
LEFT OUTER JOIN site_mappings ON site_dn = mrbts AND siteid = id
WHERE ((UPPER(technology) LIKE UPPER(?)))

ps.setString(1, "%" + value + "%");
Below are a few lines of SQL injection used by the tool
1. '%2b(select*from(select(sleep(20)))a)%2b'
2. '
3. "
I have a filter function for whitelisting and a SQLException value to prevent injection.
import java.sql.SQLException;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Reject any value containing a single quote, double quote, asterisk or dollar sign
Pattern pattern = Pattern.compile("['\"*$]");
Matcher matcher = pattern.matcher(value);
if (matcher.find()) {
    throw new SQLException("Invalid filter value");
}
This does not work for '%2b(select*from(select(sleep(20)))a)%2b'.
More about the problem:
The payload '+(select*from(select(sleep(20)))a)+' was represented in the parameter. It took the application 20,011 milliseconds to respond to the query, compared to 24 milliseconds for the original query, indicating that the SQL command entered caused a delay.
How to create a regular expression to prevent SQL injection?
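Added example (not the poster's code) showing the difference between binding the Burp payload as a parameter and splicing it into the SQL text. It uses sqlite3 as a stand-in for the JDBC driver, a constructed `archive` table, and a registered `sleep` function that only records that it was called; the sleep stand-in and the schema are assumptions.

```python
import sqlite3

# Decoded form of the %2b payload from the Burp report
PAYLOAD = "'+(select*from(select(sleep(20)))a)+'"


def fresh_db():
    """Constructed stand-in for the real table (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE archive (technology TEXT, address TEXT)")
    conn.executemany("INSERT INTO archive VALUES (?, ?)",
                     [("LTE", "site-a"), ("GSM", "site-b")])
    return conn


def search_bound(conn, value):
    """Parameterised LIKE, the same shape as the PreparedStatement above."""
    cur = conn.execute(
        "SELECT address FROM archive WHERE UPPER(technology) LIKE UPPER(?)",
        ("%" + value + "%",))
    return [row[0] for row in cur]


def search_concatenated(conn, value):
    """The vulnerable form: user input becomes part of the SQL text."""
    sql = ("SELECT address FROM archive WHERE UPPER(technology) LIKE UPPER('%"
           + value + "%')")
    return [row[0] for row in conn.execute(sql)]


def run_demo():
    """Returns (rows from bound query, sleep calls bound, sleep calls concatenated)."""
    calls = []
    conn = fresh_db()
    # Stand-in for MySQL's sleep(): records the call instead of blocking
    conn.create_function("sleep", 1, lambda n: calls.append(n) or 0)
    bound_rows = search_bound(conn, PAYLOAD)   # payload is only a literal substring
    bound_calls = len(calls)
    try:
        search_concatenated(conn, PAYLOAD)     # payload is parsed as SQL
    except sqlite3.Error:
        pass
    return bound_rows, bound_calls, len(calls) - bound_calls


if __name__ == "__main__":
    print(run_demo())
```

With the parameter bound, the payload is compared as text and `sleep` is never evaluated, so a delay at this statement cannot come from the bound value. Note that `%` and `_` inside the value still act as LIKE wildcards; that affects matching, not the SQL structure.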