
Re: [WEB SECURITY] Known Safe JDBC Drivers



Sorry for the misquote - yeah, what I'm looking at is whether anybody has
done the work already to check the JDBC drivers for all major DB
vendors. Although white-box review would be ideal, even running a
battery of black-box tests on each driver would give us some insight
into the behavior. From what I gather that hasn't been done yet.

On Wed, Nov 25, 2009 at 3:00 PM, planetlevel <planetlevel@xxxxxxxxx> wrote:
> This isn't true. ESAPI absolutely does recommend that people use
> PreparedStatement as the first and best option (it's all over the javadoc
> and the swingset sample app).
>
> However, ESAPI does provide database codecs because there are many
> situations when remediation is more easily done with an escaping method.
> There are also certain types of queries for which using PreparedStatement
> will cause significant performance problems (so be careful with those
> recommendations folks). Also, in some environments parameterized queries may
> not be available, so an escaping option is important.
>
> I looked into this pretty deeply back in 2002/2003
> (http://lists.virus.org/webappsec-0301/msg00003.html). The upshot is that
> the JDBC spec doesn't explicitly require that PreparedStatement prevents
> injection, so there's certainly some risk in relying exclusively on
> them. That's why input validation, escaping, and access reference maps are
> important security controls. And of course there are degenerate cases like
> PreparedStatement.executeQuery( "exec ?" );
>
> I looked into the MySQL driver back then and decided that it wasn't
> obviously vulnerable.  I even took a swing at reversing the Oracle JDBC
> drivers, but I didn't get far enough to give anyone any confidence.  This is
> exactly the lack of visibility that makes it so difficult to make progress
> in application security.
>
> --Jeff
>
> On Wed, Nov 25, 2009 at 11:32 AM, Rohit Sethi <rklists@xxxxxxxxx> wrote:
>>
>> Common advice in the Java world is to use properly bound variables in
>> PreparedStatements to protect against SQL Injection. Many people have
>> talked about the fact that the protection provided by
>> PreparedStatements is really dependent on how the JDBC drivers are
>> coded.
>>
>> ESAPI takes the approach to not rely on JDBC drivers and instead
>> provides its own encoding codecs for MySQL and Oracle. For other
>> databases, however, many people rely on the JDBC drivers.
>>
>> My question is: does anyone know of a study, list or project that
>> discusses which JDBC drivers are known to protect against SQL
>> Injection (in properly bound variables in prepared statements)?
>> Essentially I'm looking for a whitelist of JDBC drivers that, if used
>> properly, a developer can feel confident that they're not vulnerable
>> to SQL Injection.
>>
>> Thanks,
>>
>> --
>> Rohit Sethi
>> Security Compass
>> http://www.securitycompass.com
>>
>>
>> ----------------------------------------------------------------------------
>> Join us on IRC: irc.freenode.net #webappsec
>>
>> Have a question? Search The Web Security Mailing List Archives:
>> http://www.webappsec.org/lists/websecurity/archive/
>>
>> Subscribe via RSS:
>> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>>
>> Join WASC on LinkedIn
>> http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>>
>
>
>
> --
>
> --pl
>



-- 
Rohit Sethi
Security Compass
http://www.securitycompass.com
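As an added illustration of the "battery of black-box tests" idea above (this is example code, not something from this thread, ESAPI or any driver vendor): a small, vendor-neutral probe that feeds hostile strings through PreparedStatement binding and checks that each one round-trips as opaque data, that an equality lookup on it matches exactly its own row and never the control row, and that a stacked DROP in a bound value never executes. The JDBC URL, the driver on the classpath and the table name "probe" are assumptions of the harness; the payload list is constructed for the probe.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;

/**
 * Black-box probe of a JDBC driver's parameter binding (hypothetical harness).
 * Run it against each driver/database pair under review; every payload must be
 * stored and matched as data, with the query's semantics unchanged.
 */
public class JdbcBindingProbe {

    /** Hostile inputs, constructed for this probe. */
    static final String[] PAYLOADS = {
        "' OR '1'='1",                // classic tautology
        "\\' OR 1=1 -- ",             // backslash ahead of the quote
        "x'; DROP TABLE probe; -- ",  // stacked statement
        "\u00e9' OR 1=1 -- ",         // non-ASCII character ahead of the quote
        "a\u0000' OR 1=1 -- ",        // embedded NUL (some servers reject it as data)
        "\"`;/**/--"                  // other delimiter and comment characters
    };

    /** Returns a list of findings; an empty list means every payload behaved as data. */
    public static List<String> run(Connection c) throws SQLException {
        List<String> failures = new ArrayList<>();
        try (Statement s = c.createStatement()) {
            s.executeUpdate("CREATE TABLE probe (id INT PRIMARY KEY, val VARCHAR(200))");
            s.executeUpdate("INSERT INTO probe (id, val) VALUES (1, 'control')");
        }
        int nextId = 2;
        for (String p : PAYLOADS) {
            int rowId = nextId++;
            // 1. Bound INSERT: the payload must be stored as an opaque string.
            try (PreparedStatement ins =
                     c.prepareStatement("INSERT INTO probe (id, val) VALUES (?, ?)")) {
                ins.setInt(1, rowId);
                ins.setString(2, p);
                ins.executeUpdate();
            } catch (SQLException e) {
                // A rejected insert is a data-type limit, not an injection; record and move on.
                failures.add("insert rejected for " + show(p) + ": " + e.getMessage());
                continue;
            }
            // 2. Bound equality: exactly one row may match, and it must be this payload's own row.
            try (PreparedStatement q =
                     c.prepareStatement("SELECT id, val FROM probe WHERE val = ?")) {
                q.setString(1, p);
                try (ResultSet rs = q.executeQuery()) {
                    int matches = 0;
                    boolean ownRow = true;
                    while (rs.next()) {
                        matches++;
                        if (rs.getInt(1) != rowId || !p.equals(rs.getString(2))) ownRow = false;
                    }
                    if (matches != 1 || !ownRow) {
                        failures.add("binding altered query semantics for " + show(p)
                                     + " (matches=" + matches + ")");
                    }
                }
            }
        }
        // 3. The table must still exist with every row: the stacked DROP must not have run.
        try (Statement s = c.createStatement();
             ResultSet rs = s.executeQuery("SELECT COUNT(*) FROM probe")) {
            rs.next();
            int rows = rs.getInt(1);
            if (rows != PAYLOADS.length + 1 && failures.isEmpty()) {
                failures.add("unexpected row count " + rows);
            }
        } catch (SQLException e) {
            failures.add("probe table is gone: " + e.getMessage());
        }
        return failures;
    }

    /** Makes an embedded NUL visible in the report. */
    static String show(String s) {
        return "\"" + s.replace("\u0000", "\\0") + "\"";
    }

    public static void main(String[] args) throws SQLException {
        // Usage: java JdbcBindingProbe <jdbc-url>   (driver jar on the classpath)
        try (Connection c = DriverManager.getConnection(args[0])) {
            List<String> f = run(c);
            System.out.println(f.isEmpty() ? "PASS: all payloads round-tripped as data"
                                           : "FAIL: " + f);
        }
    }
}
```

Two caveats when reading the results. First, the probe only exercises the driver's binding (client-side escaping or server-side parameters, whichever the driver uses); it says nothing about the degenerate case Jeff mentions, where a correctly bound value is handed to something like "exec ?" and the server interprets the string as code, because no driver behavior can make that safe. Second, an "insert rejected" finding for the NUL payload is a data-type restriction on that server, not evidence of injection, and should be reported separately from a semantics failure.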
