Thread: PostgreSQL + Hibernate, Apache Mod Security, SQL Injection and you (a love story)

Howdy all,

We're using Postgres 8.3 with all of our apps connecting to the database
with Hibernate / JPA.

Our security team is concerned about SQL Injection attacks, and would
like to implement some mod_security rules to protect against it.

From what I've read Postgres vanilla is pretty robust when it comes to
dealing with SQL Injection attacks, and when you put an abstraction
layer like Hibernate on top of it, you're basically rock solid against them.

Does anyone have experience here? One of our security people found a
generic mod_security config file that had a couple of postgres entries
in it. Is there a full Postgres config for mod_security that the
community recommends?

Can anyone give me a good pros or cons of using mod_security when you
have Postgres + Hibernate?

At this stage in our project I'm trying to avoid making decisions based
on statements like "PostgreSQL is 100% secure" or "More security can't
hurt". Any change like this impacts our delivery schedule; if we are
going to do it we need to understand why and what benefits it brings.

Thanks

Dave

David Kerr wrote:
> Howdy all,
>
> We're using Postgres 8.3 with all of our apps connecting to the database
> with Hibernate / JPA.
>
> Our security team is concerned about SQL Injection attacks, and would
> like to implement some mod_security rules to protect against it.
>
> From what I've read Postgres vanilla is pretty robust when it comes to
> dealing with SQL Injection attacks,
>

that would be a function of how you use Postgresql.   if you do the
typical PHP hacker style of building statements with inline values then
executing them, you're vulnerable unless you totally sanitize all your
inputs.     see http://xkcd.com/327/

if you use parameterized calls (easy in perl, java, etc but not so easy
in php), you should be immune.  in the past there were some issues
with specific evil mis-coded UTF8 sequences, but afaik, that's been
cleared up for quite a while.


> and when you put an abstraction layer like Hibernate on top of it,
> you're basically rock solid against them.

I would assume so, but I'm not familiar with the implementation details
of Hibernate.


> Does anyone have experience here? One of our security people found a
> generic mod_security config file that had a couple of postgres entries
> in it. Is there a full Postgres config for mod_security that the
> community recommends?
>
> Can anyone give me a good pros or cons of using mod_security when you
> have Postgres + Hibernate?
>

isn't mod_security purely for Apache httpd applications?  if you're not
using apache httpd, it seems like there's no point in using mod_security.




Re: PostgreSQL + Hibernate, Apache Mod Security, SQL Injection and you (a love story)

From: Sebastian Hennebrueder

John R Pierce wrote:
> David Kerr wrote:
>> Howdy all,
>>
>> We're using Postgres 8.3 with all of our apps connecting to the database
>> with Hibernate / JPA.
>>
>> Our security team is concerned about SQL Injection attacks, and would
>> like to implement some mod_security rules to protect against it.
>>
>> From what I've read Postgres vanilla is pretty robust when it comes to
>> dealing with SQL Injection attacks,
>>
>
> that would be a function of how you use Postgresql.   if you do the
> typical PHP hacker style of building statements with inline values then
> executing them, you're vulnerable unless you totally sanitize all your
> inputs.     see http://xkcd.com/327/
>
> if you use parameterized calls (easy in perl, java, etc but not so easy
> in php), you should be immune.  in the past there were some issues
> with specific evil mis-coded UTF8 sequences, but afaik, that's been
> cleared up for quite a while.
>
>
>> and when you put an abstraction layer like Hibernate on top of it,
>> you're basically rock solid against them.
>
> I would assume so, but I'm not familiar with the implementation details
> of Hibernate.
>
>
>
It depends how you use Hibernate. If you do String concatenation
instead of parameterized queries, then you can encounter the same
injection problems as with SQL.



--
Best Regards / Viele Grüße

Sebastian Hennebrueder
-----
Software Developer and Trainer for Hibernate / Java Persistence
http://www.laliluna.de
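As an added illustration of the point John and Sebastian make (example code written for this thread, not code from any poster, from Hibernate or from PostgreSQL): the same JPA `EntityManager` lookup written once with string concatenation and once with a bound parameter, plus the native-SQL equivalent. The `Account` entity, its `account` table and the `AccountLookup` class are assumptions invented for the example; the `EntityManager` is assumed to come from the application's own persistence unit.

```java
import java.util.List;
import javax.persistence.Entity;
import javax.persistence.EntityManager;
import javax.persistence.Id;
import javax.persistence.TypedQuery;

// Assumed entity, invented for this example; the thread names no schema.
@Entity
class Account {
    @Id
    private Long id;
    private String username;
    private String email;

    protected Account() {}  // JPA requires a no-arg constructor

    public Long getId() { return id; }
    public String getUsername() { return username; }
    public String getEmail() { return email; }
}

public class AccountLookup {

    private final EntityManager em;  // assumed to come from the app's persistence unit

    public AccountLookup(EntityManager em) {
        this.em = em;
    }

    // Builds the query text the concatenating version sends to Hibernate.
    // Kept separate so it can be inspected without a database.
    static String concatenatedJpql(String username) {
        return "SELECT a FROM Account a WHERE a.username = '" + username + "'";
    }

    // VULNERABLE: the untrusted value becomes part of the JPQL text before
    // Hibernate parses it. A single quote in the value closes the string
    // literal early and whatever follows is read as query grammar, which is
    // the "inline values" problem John describes for hand-built SQL.
    public List<Account> findByUsernameConcatenated(String username) {
        return em.createQuery(concatenatedJpql(username), Account.class).getResultList();
    }

    // SAFE: the query text is a constant. The value is bound as a named
    // parameter, which Hibernate hands to the JDBC driver as a parameter
    // value, never as statement text, so quotes in it are just data.
    public List<Account> findByUsernameParameterized(String username) {
        TypedQuery<Account> q = em.createQuery(
                "SELECT a FROM Account a WHERE a.username = :username", Account.class);
        q.setParameter("username", username);
        return q.getResultList();
    }

    // The same rule holds when dropping to native SQL through Hibernate:
    // a positional parameter keeps the value out of the SQL string.
    @SuppressWarnings("unchecked")
    public List<Account> findByEmailNative(String email) {
        return em.createNativeQuery(
                "SELECT * FROM account WHERE email = ?1", Account.class)
                .setParameter(1, email)
                .getResultList();
    }

    // Runs without a database: shows what the concatenating version would
    // actually send for a constructed input that happens to contain a quote.
    public static void main(String[] args) {
        String benign = "dave";
        String withQuote = "o'neil";  // a perfectly legitimate username
        System.out.println(concatenatedJpql(benign));
        System.out.println(concatenatedJpql(withQuote));
        // Second line reads:  ... WHERE a.username = 'o'neil'
        // The literal has been closed after "o"; the rest is parsed as query
        // text rather than as the user's data. The parameterized version
        // sends the unchanged constant and binds "o'neil" as a value, so the
        // same input is simply a lookup for that username.
    }
}
```

The check a reviewer can apply to any Hibernate or JPA code is mechanical: if a variable carrying request data ever appears inside the string handed to `createQuery`, `createNativeQuery` or a `Criteria`/HQL builder as text, it is the concatenating case regardless of the ORM layer; only values passed through `setParameter` (or the equivalent typed binding) are kept out of the statement.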



On Fri, Feb 5, 2010 at 1:09 PM, John R Pierce <pierce@hogranch.com> wrote:
> if you use parameterized calls (easy in perl, java, etc but not so easy in
> php), you should be immune.  in the past there were some issues with
> specific evil mis-coded UTF8 sequences, but afaik, that's been cleared up for
> quite a while.

Please don't FUD php.  The usage of prepared statements is quite
simple, either with the native pg set of functions, or the PDO
abstraction layers.  PHP has plenty of issues, this is not one of
them.

On Fri, Feb 05, 2010 at 12:09:57PM -0800, John R Pierce wrote:
> that would be a function of how you use Postgresql.   if you do the
> typical PHP hacker style of building statements with inline values then
> executing them, you're vulnerable unless you totally sanitize all your
> inputs.     see http://xkcd.com/327/

Right, so when dealing with a high security environment you want to assume
someone made a mistake and left you vulnerable in this area.

> > Does anyone have experience here? One of our security people found a
> > generic mod_security config file that had a couple of postgres entries
> > in it. Is there a full Postgres config for mod_security that the
> > community recommends?
> >
> > Can anyone give me a good pros or cons of using mod_security when you
> > have Postgres + Hibernate?
> >
>
> isn't mod_security purely for Apache httpd applications?  if you're not
> using apache httpd, it seems like there's no point in using mod_security.

We'll have httpd handing off to Geronimo. From what I can gather mod_security
will balk at any url that contains one of its keywords.

Dave

On Fri, Feb 05, 2010 at 09:19:40PM +0100, Sebastian Hennebrueder wrote:
> John R Pierce wrote:
> > David Kerr wrote:
> > > Howdy all,
> > >
> > > We're using Postgres 8.3 with all of our apps connecting to the database
> > > with Hibernate / JPA.
> > >
> > > Our security team is concerned about SQL Injection attacks, and would
> > > like to implement some mod_security rules to protect against it.
> > >
> > > From what I've read Postgres vanilla is pretty robust when it comes to
> > > dealing with SQL Injection attacks,
> > >
> >
> > that would be a function of how you use Postgresql.   if you do the
> > typical PHP hacker style of building statements with inline values then
> > executing them, you're vulnerable unless you totally sanitize all your
> > inputs.     see http://xkcd.com/327/
> >
> > if you use parameterized calls (easy in perl, java, etc but not so easy
> > in php), you should be immune.  in the past there were some issues
> > with specific evil mis-coded UTF8 sequences, but afaik, that's been
> > cleared up for quite a while.
> >
> >
> > > and when you put an abstraction layer like Hibernate on top of it,
> > > you're basically rock solid against them.
> >
> > I would assume so, but I'm not familiar with the implementation details
> > of Hibernate.
> >
> >
> >
> It depends how you use Hibernate. If you do String concatenation
> instead of parameterized queries, then you can encounter the same
> injection problems as with SQL.

Ok so Hibernate could suffer from the same issues as any framework.

Thanks

Dave