Java Callable Statement SQL Injection
Description
Detects SQL injection in Java applications where user-controlled input flows into database operations through JDBC or Spring JdbcTemplate APIs without being parameterized or validated. In the CallableStatement case the attacker controls which stored procedure is invoked and with what arguments, so a successful attack can read, modify or delete sensitive data in the database.
Detection Strategy
• Identifies database operation calls such as prepareCall(), execute(), executeQuery(), executeUpdate(), queryForList() and similar JDBC/JdbcTemplate methods
• Checks whether the SQL string or the parameters passed to these methods originate from user input (HTTP parameters, headers or other request data)
• Reports a vulnerability when user-controlled data reaches one of these methods without parameterization or validation
• For JdbcTemplate specifically, checks query() calls only where the receiver object has 'jdbctemplate' in its type name, so an unrelated query() method on another class is not reported
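The four steps above, as an added example that is not part of the original page or of Fluid Attacks' own scanner: a deliberately simplified, line-oriented taint tracker in Python run over constructed Java snippets. The source list, sink list, regexes and the three sample snippets (including the procedure name find_records, the SearchIndex type and the variable names) are assumptions for illustration; a real engine works on an AST and follows control flow and method calls, which this does not.

```python
import re

# Taint sources: servlet-request accessors that return attacker-controlled data (assumed list).
SOURCES = ("request.getParameter(", "request.getHeader(", "request.getQueryString(")
# Sinks: JDBC / JdbcTemplate methods whose first argument is the SQL text (assumed list).
# Longer names come first so the regex alternation does not stop at the "execute" prefix.
SINKS = ("prepareCall", "prepareStatement", "executeQuery", "executeUpdate", "execute",
         "queryForList", "queryForObject", "queryForMap", "query")

DECL_RE = re.compile(r"^\s*(?:(?:private|protected|public|final|static)\s+)*"
                     r"([\w<>\[\]]+)\s+(\w+)\s*[;=]")           # "Type name;" or "Type name ="
ASSIGN_RE = re.compile(r"^\s*(?:[\w<>\[\]]+\s+)?(\w+)\s*=\s*(.+?);\s*$")  # "[Type] name = rhs;"
SINK_RE = re.compile(r"(\w+)\.(" + "|".join(SINKS) + r")\s*\(([^;]*)\)")  # "receiver.sink(args)"
STRING_RE = re.compile(r'"(?:\\.|[^"\\])*"')                    # Java string literal
IDENT_RE = re.compile(r"\b[A-Za-z_]\w*\b")


def is_tainted(expr, tainted):
    """True if expr reads a request source or mentions a tainted variable.
    String literals are blanked first so SQL keywords or column names never match a variable."""
    if any(src in expr for src in SOURCES):
        return True
    stripped = STRING_RE.sub('""', expr)
    return any(ident in tainted for ident in IDENT_RE.findall(stripped))


def analyze(java_source):
    """Return [(line_no, sink_method, first_argument)] for every sink fed by tainted data."""
    types = {}       # variable name -> declared type, for the JdbcTemplate-specific rule
    tainted = set()  # variables currently holding attacker-controlled data
    findings = []
    for lineno, line in enumerate(java_source.splitlines(), 1):
        code = line.split("//", 1)[0]  # drop trailing line comments (samples have no "//" in literals)
        decl = DECL_RE.match(code)
        if decl:
            types[decl.group(2)] = decl.group(1)
        assign = ASSIGN_RE.match(code)
        if assign:
            name, rhs = assign.group(1), assign.group(2)
            if is_tainted(rhs, tainted):
                tainted.add(name)       # taint propagates through any expression that uses it
            else:
                tainted.discard(name)   # reassignment from a clean expression clears it
        for sink in SINK_RE.finditer(code):
            receiver, method, args = sink.group(1), sink.group(2), sink.group(3)
            # Step 4: query() is a sink only when the receiver's type name contains "jdbctemplate".
            if method == "query" and "jdbctemplate" not in types.get(receiver, "").lower():
                continue
            first_arg = args.split(",", 1)[0].strip()   # the SQL text is the first argument
            if first_arg and is_tainted(first_arg, tainted):
                findings.append((lineno, method, first_arg))
    return findings


# Constructed sample snippets (not taken from any real project).
VULNERABLE = """\
String userInput = request.getHeader("query");
String sql = "{call " + userInput + "}"; // header value chooses the procedure and its arguments
CallableStatement cs = conn.prepareCall(sql);
cs.execute();
"""

SECURE = """\
String userInput = request.getHeader("query");
CallableStatement cs = conn.prepareCall("{call find_records(?)}");
cs.setString(1, userInput);
cs.execute();
"""

JDBC_TEMPLATE = """\
private JdbcTemplate jdbcTemplate;
private SearchIndex index;
String name = request.getParameter("name");
var rows = jdbcTemplate.queryForList("SELECT * FROM users WHERE name = '" + name + "'");
List<User> users = jdbcTemplate.query("SELECT * FROM users WHERE name = ?", mapper, name);
List<String> hits = index.query(name);
"""

if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE), ("secure", SECURE), ("jdbctemplate", JDBC_TEMPLATE)):
        print(label, analyze(src))
```

Running it reports the prepareCall(sql) line of the first snippet and the concatenated queryForList() call of the third; the parameterized prepareCall("{call find_records(?)}"), the parameterized jdbcTemplate.query(..., name) and the index.query(name) call on a non-JdbcTemplate type are all left alone, which is the distinction the four detection steps draw.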
Vulnerable code example
import java.sql.*;
import javax.servlet.http.*;
import javax.sql.DataSource;
public class VulnerableServlet extends HttpServlet {
  private DataSource dataSource; // assumed to be injected by the container
  public void doGet(HttpServletRequest request, HttpServletResponse response) {
    try {
      String userInput = request.getHeader("query");
      String sql = "{call " + userInput + "}"; // Vulnerable: direct concatenation of user input into the SQL call; the header value chooses which procedure runs and with which arguments
      CallableStatement cs = dataSource.getConnection().prepareCall(sql); // sink: the tainted string reaches prepareCall()
      cs.execute();
    } catch (SQLException e) { throw new RuntimeException(e); }
  }
}
✅ Secure code example
import java.sql.*;
import javax.servlet.http.*;
import javax.sql.DataSource;
public class SecureServlet extends HttpServlet {
  private DataSource dataSource; // assumed to be injected by the container
  public void doGet(HttpServletRequest request, HttpServletResponse response) {
    try {
      String userInput = request.getHeader("query");
      // Secure: the procedure name is a fixed literal (find_records is illustrative) and the user value is bound as a parameter, so it cannot change the call
      CallableStatement cs = dataSource.getConnection().prepareCall("{call find_records(?)}");
      cs.setString(1, userInput);
      cs.execute();
    } catch (SQLException e) { throw new RuntimeException(e); }
  }
}