diff --git a/Doc/Sda1/Ref/Fig/sqlInject.screen.png b/Doc/Sda1/Ref/Fig/sqlInject.screen.png deleted file mode 100644 index a7f14bd172213218ce8e75d1d574e1bc352ebb5b..0000000000000000000000000000000000000000 Binary files a/Doc/Sda1/Ref/Fig/sqlInject.screen.png and /dev/null differ diff --git a/Doc/Sda1/jdbc.xml b/Doc/Sda1/jdbc.xml index 0cfe4abcdc08bd0ba1185e4bdb47c23ffb6f839e..8a3b5a3f200c49adb57230b9374a7ddc344ac7cb 100644 --- a/Doc/Sda1/jdbc.xml +++ b/Doc/Sda1/jdbc.xml @@ -1260,7 +1260,11 @@ static public int insertPerson( <answer> <para>Our last exercise's database schema <filename xlink:href="https://gitlab.mi.hdm-stuttgart.de/goik/GoikLectures/blob/master/P/Sda1/Jdbc/Insert/Minimum/src/main/resources/schema.sql">resources/schema.sql</filename> - may remain untouched.</para> + may remain untouched. Solution:</para> + + <annotation role="make"> + <para role="eclipse">Sda1/Jdbc/Insert/MinimumTest</para> + </annotation> </answer> </qandaentry> </qandadiv> @@ -1699,6 +1703,12 @@ public someClass { disclosed.</para> </listitem> + <listitem> + <para><productname + xlink:href="https://www.mysql.com">Mysql</productname> mitigates + the attack type's severity</para> + </listitem> + <listitem> <para>Possible solutions:</para> 
@@ -1712,96 +1722,74 @@ public someClass { </listitem> <listitem> - <para>Many database vendors <link - xlink:href="https://dev.mysql.com/doc/refman/5.1/de/connector-j-reference-using-ssl.html">supply - SSL</link> or similar <trademark + <para>Use <trademark xlink:href="https://en.wikipedia.org/wiki/Java_Database_Connectivity">JDBC</trademark> - protocol encryption extensions. This requires additional - configuration procedures like setting up server side - certificates. Moreover similar to the http/https protocols - encryption generally slows down data traffic.</para> + driver supporting <xref linkend="glo_TLS"/>.</para> </listitem> </itemizedlist> </listitem> + + <listitem> + <para>Irrelevant e.g. within DMZ.</para> + </listitem> </itemizedlist> </figure> - - <para>Conclusion: <productname - xlink:href="https://www.mysql.com">Mysql</productname> mitigates the - attack type's severity</para> - - <para>Solution: Use <xref linkend="glo_TLS"/> if driver - supported.</para> - - <para>Of course this is only relevant if the transport layer is - considered to be insecure. If both server and client reside within the - same trusted infrastructure no action has to be taken. We also note - that this kind of problem is not limited to <trademark - xlink:href="https://en.wikipedia.org/wiki/Java_Database_Connectivity">JDBC</trademark>. - In fact all protocols lacking encryption are subject to this type of - attack.</para> </section> <section xml:id="sqlInjection"> <title>SQL injection</title> - <para>Before diving into technical details we shed some light on the - possible impact of this common attack type being described in this - chapter. 
Our example is the well known Heartland Payment Systems data - breach:</para> - - <figure xml:id="figHeartlandSecurityBreach"> - <title>SQL injection impact</title> + <figure xml:id="figSqlInject"> + <title>SQL injection principle</title> <mediaobject> <imageobject> - <imagedata fileref="Ref/Fig/heartland.fig"/> + <imagedata fileref="Ref/Fig/sqlinject.fig"/> </imageobject> </mediaobject> </figure> - <para>Why should we be concerned with SQL injection? In the - introduction of <xref linkend="bib_Clarke09"/> a compelling argument - is being given:</para> - - <blockquote> - <para>Many people say they know what SQL injection is, but all they - have heard about or experienced are trivial examples. SQL injection - is one of the most devastating vulnerabilities to impact a business, - as it can lead to exposure of all of the sensitive information - stored in an application's database, including handy information - such as usernames, passwords, names, addresses, phone numbers, and - credit card details.</para> - </blockquote> - - <para>In this lecture due to limited resources we only deal with - trivial examples mentioned above. One possible way SQL injection - attacks work is by inserting SQL code into fields being designed for - end user input:</para> - - <figure xml:id="figSqlInject"> - <title>SQL injection principle</title> + <figure xml:id="sda1_fig_littleBobbyTables"> + <title><link xlink:href="http://xkcd.com/327">Trouble at + school</link></title> <mediaobject> <imageobject> - <imagedata fileref="Ref/Fig/sqlinject.fig"/> + <imagedata fileref="Ref/Fig/exploits_of_a_mom.png"/> </imageobject> </mediaobject> </figure> - <para>And a nice explanation from <link - xlink:href="???">http://xkcd.com/327</link>:</para> + <para>Before diving into technical details we shed some light on the + possible impact of this common attack type being described in this + chapter. 
Our example is the well known Heartland Payment Systems data + breach:</para> - <figure xml:id="sda1_fig_littleBobbyTables"> - <title>Trouble at school ...</title> + <figure xml:id="figHeartlandSecurityBreach"> + <title>SQL injection impact</title> <mediaobject> <imageobject> - <imagedata fileref="Ref/Fig/exploits_of_a_mom.png"/> + <imagedata fileref="Ref/Fig/heartland.fig"/> </imageobject> </mediaobject> </figure> + <figure xml:id="sda1_jdbc_sqlInjectionRelevance"> + <title>SQL injection relevance, <xref + linkend="bib_Clarke09"/></title> + + <blockquote> + <para>Many people say they know what SQL injection is, but all + they have heard about or experienced are trivial examples. SQL + injection is one of the most devastating vulnerabilities to impact + a business, as it can lead to exposure of all of the sensitive + information stored in an application's database, including handy + information such as usernames, passwords, names, addresses, phone + numbers, and credit card details.</para> + </blockquote> + </figure> + <figure xml:id="sda1_fig_sqlInjectLessonsLearned"> <title>Lessons learned?</title> @@ -1816,9 +1804,9 @@ public someClass { <qandaentry> <question> <para>Use the application from <xref - linkend="sda1SectUserInitiatedConnect"/> and <xref - linkend="figSqlInject"/> to launch a SQL injection attack. We - provide some hints:</para> + linkend="quandaentry_DupInsertUnitTest"/> and the idea of + <xref linkend="figSqlInject"/> to launch an SQL injection + attack. We provide some hints:</para> <orderedlist> <listitem> 
@@ -1837,12 +1825,11 @@ public someClass { <para>In order to execute these so called multi user queries we explicitly have to enable a <productname xlink:href="https://www.mysql.com">Mysql</productname> - property. This may be achieved by extending our <trademark - xlink:href="https://en.wikipedia.org/wiki/Java_Database_Connectivity">JDBC</trademark> - URL:</para> + property thereby overriding the default security + configuration:</para> <literallayout>jdbc:mysql://localhost:3306/hdm?useSSL=false&<emphasis - role="bold">allowMultiQueries=true</emphasis></literallayout> + role="red">allowMultiQueries=true</emphasis></literallayout> <para>The <productname xlink:href="https://www.mysql.com">Mysql</productname> 
@@ -1866,39 +1853,49 @@ public someClass { </question> <answer> - <para>We construct a suitable string being injected to drop - our <code>Person</code> table:</para> + <para>Logging tells us about SQL code being generated when + inserting a record based on e.g. user <emphasis + role="red">Eve</emphasis> having an email <emphasis + role="red">eve@my.org</emphasis>:</para> - <programlisting language="sql">Jim', 'jim@c.com');DROP TABLE Person;INSERT INTO Person VALUES('Joe</programlisting> + <programlisting language="sql">main INFO insert.SimpleInsert - Executing »INSERT INTO Person VALUES('<emphasis + role="red">Eve</emphasis>', '<emphasis role="red">eve@my.org</emphasis>')«</programlisting> - <para>This being entered into the name field kills our - <code>Table</code> relation effectively. As the error message - shows two INSERT statements are separated by a DROP TABLE - statement. So after executing the first INSERT our database - server drops the whole table. At last the second INSERT - statement fails giving rise to an error message no end user - will ever understand:</para> + <para>We craft our first input <code>username</code> replacing + <emphasis role="red">Eve</emphasis> to launch our + attack:</para> - <figure xml:id="figSqlInjectDropPerson"> - <title>Dropping the <code>Person</code> table by SQL - injection</title> + <programlisting language="sql"><emphasis role="red">Eve', 'eve@my.org');DROP TABLE Person;INSERT INTO Person VALUES('jim</emphasis></programlisting> - <mediaobject> - <imageobject> - <imagedata fileref="Ref/Fig/sqlInject.screen.png"/> - </imageobject> - </mediaobject> - </figure> + <para>A corresponding dialog reads:</para> + + <screen>MinimumTest> java -jar /ma/goik/GoikLectures/P/Sda1/Jdbc/Insert/MinimumTest/target/insert_user-0.1.jar +Enter a person's name or 'x' to exit: <emphasis role="red">Eve', 'eve@my.org');DROP TABLE Person;INSERT INTO Person VALUES('jim</emphasis> +Enter <emphasis role="red">Eve', 'eve@my.org');DROP TABLE 
Person;INSERT INTO Person VALUES('jim's</emphasis> email or 'x' to exit: jim@company.com +</screen> + + <para>This <quote>successfully</quote> kills our + <code>Person</code> table:</para> + + <screen>goik@goikschlepptop MinimumTest> cat A1.log +main INFO insert.SimpleInsert - Executing »INSERT INTO Person VALUES('Eve', 'eve@my.org');DROP TABLE Person;INSERT INTO Person VALUES('jim', 'jim@company.com')« +main ERROR insert.SimpleInsert - General database connection problem: +java.sql.SQLSyntaxErrorException: Table 'hdm.Person' doesn't exist + at com.mysql.cj.jdbc.exceptions.SQLError.createSQLException(SQLError.java:112) ~[insert_user-0.1.jar:?] +...</screen> <para>According to the message text the table <code>Person</code> gets dropped as expected. Thus the - subsequent (second) <code>INSERT</code> action is bound to - fail.</para> + subsequent (second) <code>INSERT</code> action is then bound + to fail.</para> + + <para>In practice this result may be avoided: The database + user in question will (hopefully!) not have sufficient + permissions to drop the whole table. Use <code>GRANT</code> / + <code>REVOKE</code> statements accordingly!</para> - <para>In practice this result my be avoided. The database user - will (hopefully!) not have sufficient permissions to drop the - whole table. Malicious modifications by INSERT, UPDATE or - DELETE statements are still possible.</para> + <para>Malicious modifications by INSERT, UPDATE or DELETE + statements of data records are still possible though!</para> </answer> </qandaentry> </qandadiv> diff --git a/P/Sda1/Jdbc/Insert/MinimumTest/src/main/java/de/hdm_stuttgart/sda1/insert/SimpleInsert.java b/P/Sda1/Jdbc/Insert/MinimumTest/src/main/java/de/hdm_stuttgart/sda1/insert/SimpleInsert.java index 6620ed3722402509908b0e584ff7da275efcaa71..59157c9ac422cb92641b0444459a251b567cac99 100644 --- a/P/Sda1/Jdbc/Insert/MinimumTest/src/main/java/de/hdm_stuttgart/sda1/insert/SimpleInsert.java 
+++ b/P/Sda1/Jdbc/Insert/MinimumTest/src/main/java/de/hdm_stuttgart/sda1/insert/SimpleInsert.java @@ -77,7 +77,7 @@ public class SimpleInsert { if (1 == insertCount) { System.out.println("Successfully inserted new user '" + name + "'\n"); } else { - System.out.println("Insetion failed, duplicate email '" + email + "' ?\n"); + System.out.println("Insertion failed, duplicate email '" + email + "' ?\n"); } } System.out.println("Bye!"); diff --git a/P/Sda1/Jdbc/Insert/MinimumTest/src/main/resources/jdbc.properties b/P/Sda1/Jdbc/Insert/MinimumTest/src/main/resources/jdbc.properties index 3ee6101a83cff1a1be012b2cd9bd4d8445e82374..d8fef888fb8a9b850d1524c63868ee3f36c39d00 100644 --- a/P/Sda1/Jdbc/Insert/MinimumTest/src/main/resources/jdbc.properties +++ b/P/Sda1/Jdbc/Insert/MinimumTest/src/main/resources/jdbc.properties @@ -1,3 +1,3 @@ -jdbcurl=jdbc:mysql://localhost:3306/hdm +jdbcurl=jdbc:mysql://localhost:3306/hdm?allowMultiQueries=true password=XYZ username=hdmuser \ No newline at end of file diff --git a/P/Sda1/Jdbc/Insert/MinimumTest/src/main/resources/sqlinject.sql b/P/Sda1/Jdbc/Insert/MinimumTest/src/main/resources/sqlinject.sql new file mode 100644 index 0000000000000000000000000000000000000000..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
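Review bot: in the `@@ -1699,6 +1703,12 @@` hunk of `Doc/Sda1/jdbc.xml`, the new list item `Mysql mitigates the attack type's severity` states a conclusion with no justification; the sentence was lifted from the `Conclusion:` paragraph removed in the following hunk, and nothing in the surrounding list tells the reader how or why MySQL mitigates anything. Either add the reason in a short clause or turn the item into an xref to the place where the mechanism is explained.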
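Review bot: in the `@@ -1712,96 +1722,74 @@` hunk of `Doc/Sda1/jdbc.xml`, the added item `Irrelevant e.g. within DMZ.` is a wrong example: a DMZ is the least trusted network segment, and traffic between a DMZ host and an internal database server is exactly where an unencrypted JDBC connection matters. The removed paragraph had the correct condition ("only relevant if the transport layer is considered to be insecure ... same trusted infrastructure"); suggest restoring that as the list item, e.g. `Only relevant if client and server do not share a trusted network segment.`, and dropping the DMZ example. The removed closing sentence ("all protocols lacking encryption are subject to this type of attack") is also worth keeping as an item, since without it the list reads as a JDBC-only problem. On the positive side, the former `xlink:href="???"` on the xkcd reference is now a real link in the figure title.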
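Review bot: in the `@@ -1816,9 +1804,9 @@` hunk of `Doc/Sda1/jdbc.xml`, `linkend="quandaentry_DupInsertUnitTest"` is not defined anywhere in this patch, and the prefix `quandaentry` (rather than `qandaentry`, the DocBook element name used throughout this file) looks like a typo; confirm the id resolves before merging, otherwise the xref fails at build time. The `a SQL` to `an SQL` change is fine.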
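Review bot: in the `@@ -1837,12 +1825,11 @@` hunk of `Doc/Sda1/jdbc.xml`, the reworded sentence ("... enable a Mysql property thereby overriding the default security configuration:") no longer tells the reader that the `<literallayout>` below is the JDBC URL and that `allowMultiQueries=true` is a URL parameter, which the removed wording ("extending our JDBC URL") did; keep that clause. Also the URL shown here, `jdbc:mysql://localhost:3306/hdm?useSSL=false&allowMultiQueries=true`, differs from the one committed to `jdbc.properties` in this same patch, `jdbc:mysql://localhost:3306/hdm?allowMultiQueries=true` (no `useSSL=false`); align the two so the exercise text matches the shipped configuration.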
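Review bot: in the `@@ -1866,39 +1853,49 @@` hunk of `Doc/Sda1/jdbc.xml`, the answer's mitigation advice stops at `GRANT` / `REVOKE`, but restricting privileges only limits the damage of the injection shown (the logged `INSERT INTO Person VALUES('Eve', 'eve@my.org')` is built by string concatenation) without removing it; the answer should first name the actual fix, binding the name and email through a `PreparedStatement` and leaving `allowMultiQueries` at its default of off, and then give the least-privilege advice as defence in depth, which is what the closing sentence about `INSERT`, `UPDATE` or `DELETE` modifications already hints at. Minor: the `<screen>` listings embed the author's absolute path `/ma/goik/GoikLectures/P/Sda1/Jdbc/Insert/MinimumTest/target/insert_user-0.1.jar` and the prompt `goik@goikschlepptop MinimumTest>`; a relative path and a neutral prompt keep the transcript reproducible for readers.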
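Review bot: in the `@@ -1,3 +1,3 @@` hunk of `P/Sda1/Jdbc/Insert/MinimumTest/src/main/resources/jdbc.properties`, committing `allowMultiQueries=true` into the shipped `jdbcurl` enables stacked statements for every build of `MinimumTest`, not just for the injection exercise, while the lecture text in this same patch describes the parameter as "overriding the default security configuration"; prefer to keep the shipped URL at `jdbc:mysql://localhost:3306/hdm` and have the exercise (or a separate properties variant) add the parameter explicitly. Visible in the context lines: the file still ends without a trailing newline (`\ No newline at end of file`).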
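Review bot: `P/Sda1/Jdbc/Insert/MinimumTest/src/main/resources/sqlinject.sql` is added as an empty file (`e69de29bb2d1d6434b8b29ae775ad8c2e48c5391` is git's empty-blob hash). If it is meant to hold the injection input from the answer text or a reset script for the `Person` table, populate it; otherwise drop it from the commit.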