package badCodeComplexity; /* This software was developed at the National Institute of Standards and * Technology by employees of the Federal Government in the course of their * official duties. Pursuant to title 17 Section 105 of the United States * Code this software is not subject to copyright protection and is in the * public domain. NIST assumes no responsibility whatsoever for its use by * other parties, and makes no guarantees, expressed or implied, about its * quality, reliability, or any other characteristic. * We would appreciate acknowledgement if the software is used. * The SAMATE project website is: http://samate.nist.gov */ /* * This servlet implements an SQL injection vulnerability * Parameters: * - name: source of the vulnerability * Example: * - url: http://server_address/path_to_servlet/SQLInjection_089?name=' OR ''=' */ import java.io.IOException; import java.sql.Connection; import java.sql.SQLException; import javax.naming.Context; import javax.naming.InitialContext; import javax.naming.NamingException; import javax.servlet.ServletException; import javax.servlet.ServletOutputStream; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.sql.DataSource; public class SQLInjection_ArrayIndex_089 extends HttpServlet { private static final long serialVersionUID = 1L; public SQLInjection_ArrayIndex_089() { super(); } // Method which will be called to handle HTTP GET requests protected void doGet (HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException { Connection conn = null; // Get the parameter "name" from the data provided by the user String name = req.getParameter ("name"); // Initialize the output stream resp.setContentType ("text/html"); ServletOutputStream out = resp.getOutputStream (); out.println ("
"); } protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { } }"); try { // Set the context factory to use to create the initial context System.setProperty (Context.INITIAL_CONTEXT_FACTORY, "your.ContextFactory"); // Create the initial context and use it to lookup the data source InitialContext ic = new InitialContext (); DataSource dataSrc = (DataSource) ic.lookup ("java:comp/env/jdbc:/mydb"); // Create a connection to the SQL database from the data source conn = dataSrc.getConnection (); // Send an unsanitized SQL request to the database, which may result in SQL injection String array_buffer[][] = new String[ 1 ][ ]; array_buffer[ 0 ] = new String[ 128 ]; array_buffer[ 0 ][ 128 ] = name; conn.prepareStatement ("SELECT * FROM users WHERE firstname LIKE '" + array_buffer[ 0 ][ 128 ] + "'").executeQuery (); } catch (NamingException e) { out.println ("Naming exception"); } catch (SQLException e) { out.println ("SQL exception"); } finally { try { if (conn != null) conn.close (); } catch (SQLException se) { out.println("SQL Exception"); } } out.println ("