
I'm a newbie to ESAPI and I've been looking for answers for days. I got the following error:

Attempting to load ESAPI.properties via file I/O.
Attempting to load ESAPI.properties as resource file via file I/O.
Not found in 'org.owasp.esapi.resources' directory or file not readable: C:\Documents and Settings\Administrator\Desktop\TEM - Workspace\testSecurity\ESAPI.properties
Not found in SystemResource Directory/resourceDirectory: .esapi\ESAPI.properties
Found in 'user.home' directory: C:\Documents and Settings\Administrator\esapi\ESAPI.properties
Loaded 'ESAPI.properties' properties file
Attempting to load validation.properties via file I/O.
Attempting to load validation.properties as resource file via file I/O.
Not found in 'org.owasp.esapi.resources' directory or file not readable: C:\Documents and Settings\Administrator\Desktop\TEM - Workspace\testSecurity\validation.properties
Not found in SystemResource Directory/resourceDirectory: .esapi\validation.properties
Found in 'user.home' directory: C:\Documents and Settings\Administrator\esapi\validation.properties
Loaded 'validation.properties' properties file
java.lang.reflect.InvocationTargetException Encoder class (org.owasp.esapi.reference.DefaultEncoder) CTOR threw exception

Hoping to find real answers as soon as possible. This is my code for login using ESAPI:

/* throws SQLExceptions */
/* Assumes instance fields: java.sql.Connection con, java.sql.Statement stm, java.sql.ResultSet rs,
   and a connect() method that opens con. */
public void login(String username, String password)
{
    try
    {
        if(con == null)
            connect();
        if(con != null)
        {
            Codec ORACLE_CODEC = new OracleCodec();

            // Encode both inputs for the Oracle dialect before placing them in the literal.
            // (Missing '=' after password and a stray trailing "FROM " removed from the original query.)
            String query = "SELECT * FROM tblmember WHERE username = '"
                    + ESAPI.encoder().encodeForSQL(ORACLE_CODEC, username)
                    + "' AND password = '"
                    + ESAPI.encoder().encodeForSQL(ORACLE_CODEC, password) + "'";

            stm = con.createStatement();
            rs = stm.executeQuery(query);

            if(rs.next())
            {
                System.out.println(rs.getString("address"));
                System.out.println(ESAPI.encoder().encodeForSQL(ORACLE_CODEC, "address"));
            }
        }
        else
        {
            System.out.println("Not Connected!");
        }
    }
    catch(Exception ex)
    {
        System.out.println(ex.getMessage() + " login");
    }
}

public static void main(String[] args) throws SQLException
{
    SQLInjection sq = new SQLInjection();
    sq.login("username", "password");
}

Thank you very much for your response :)


3 Answers


Just to give you a tip on using APIs, always make sure that you read the documentation(s) included. There you may find information that will give you an aid in using the API. I believe this was a dependency issue. You can check it here.

Hope this helps.

Johne Altamera

You are using the wrong API for this. Java already provides for you the correct mechanism to avoid escaping input in your queries: prepared statements. ESAPI is alright for validating the input, but you still don't want to concatenate strings to do this. Frankly, I don't like all the libraries ESAPI has to load in order to work.

public void login(String username, String password)/*throws SQLExceptions*/{
    try{
        if(con == null)
            connect();
        if(con != null){
            // '?' placeholders instead of concatenation; the inputs never become SQL text.
            String query = "SELECT * FROM tblmember WHERE username = ? AND password = ?";

            // stm must be declared as java.sql.PreparedStatement for this to compile.
            stm = con.prepareStatement(query);
            stm.setString(1, username);
            stm.setString(2, password);
            rs = stm.executeQuery(); // PreparedStatement.executeQuery() takes no SQL argument

            if(rs.next()){
                System.out.println(rs.getString("address"));
            }else{
                System.out.println("No user found with that username and password.");
            }
        }else{
            System.out.println("Not Connected!");
        }
    }catch(Exception ex){
        System.out.println(ex.getMessage() + " login");
    }
}
public static void main(String[] args) throws SQLException {
    SQLInjection sq = new SQLInjection();

    sq.login("username", "password");
}
Hiro2k
  • So I don't have to use ESAPI in user inputs if there are preparedstatements? – T E M Dec 18 '12 at 03:51
  • Exactly, just remember that the stm variable is of type PreparedStatement. Also the query String is so much cleaner without all the concatenation. Also, if you like the answer, vote it up or accept it. – Hiro2k Dec 18 '12 at 03:56
  • Hmm.. okay. I'm just thinking that using ESAPI and prepared statements will help me to secure my web project. Can you suggest any security function I can add for my project? – T E M Dec 18 '12 at 03:58
  • There is a lot more to securing your website than just SQL Injection attacks but preparedstatements are the best tool for that job and it's already built into Java so you don't have to include anything else. – Hiro2k Dec 18 '12 at 04:04
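As an added illustration of the point in this answer (example code, not Hiro2k's or the project's own): the concatenated query from the question next to a placeholder-bound one, run against a constructed in-memory SQLite table in Python so it executes without a JDBC driver; sqlite3's `?` binding plays the same role as `PreparedStatement.setString` in JDBC.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the question's tblmember table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE tblmember (username TEXT, password TEXT, address TEXT)")
    con.executemany(
        "INSERT INTO tblmember VALUES (?, ?, ?)",
        [("alice", "s3cret", "1 Main St"), ("o'brien", "pa55", "2 Elm Rd")],
    )
    return con


def login_concatenated(con, username, password):
    """The question's approach: SQL text is glued together from the inputs,
    so a quote inside the input changes the SQL grammar instead of the data."""
    query = ("SELECT address FROM tblmember WHERE username = '" + username
             + "' AND password = '" + password + "'")
    row = con.execute(query).fetchone()
    return row[0] if row else None


def login_parameterized(con, username, password):
    """Hiro2k's approach: '?' placeholders with the values bound separately,
    the same mechanism as PreparedStatement.setString(1, username) in JDBC."""
    query = "SELECT address FROM tblmember WHERE username = ? AND password = ?"
    row = con.execute(query, (username, password)).fetchone()
    return row[0] if row else None


def compare(con, username, password):
    """Run both variants on the same credentials and return
    (concatenated_result, parameterized_result); a SQL syntax failure in the
    concatenated variant is reported as the string 'SQL error'."""
    try:
        concat = login_concatenated(con, username, password)
    except sqlite3.OperationalError:
        concat = "SQL error"
    return concat, login_parameterized(con, username, password)


if __name__ == "__main__":
    db = make_db()
    for creds in [("alice", "s3cret"), ("alice", "wrong"), ("o'brien", "pa55")]:
        print(creds, "->", compare(db, *creds))
```

A username that legitimately contains a quote, such as o'brien, is enough to break the concatenated version, while the bound version returns the matching row.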

Hiro2K is absolutely right. The OracleCodec and other similar SQL DB codecs are not intended to be a substitute for parameterized types (in Java, using PreparedStatements). Rather, they are intended for those (hopefully very few) niche cases where you may not be able to use a PreparedStatement. One example might be where you have to call some third party API which you know calls an Oracle JDBC driver under the hood but you aren't sure whether that API is using parameterized types.

However, that said, I don't see anything that you did in how you called ESAPI that would have resulted in the DefaultEncoder CTOR throwing an InvocationTargetException. That is something that I've not seen before. It may be related to something in your ESAPI.properties file (for instance, if you tried to use an ESAPI 1.4 ESAPI.properties file with ESAPI 2.0.x).

Could you post your exception stack trace so I can take a look at it? You may have found a bug.

Thanks,

-kevin wall

Kevin W. Wall