From vulnerability discovery to virtual patch: An example
Consider a simple login page written in JSP:
    <%
        // connectToDatabase() and the 'statement' it leaves behind are assumed to
        // be defined elsewhere in the application.
        connectToDatabase();
        String username = request.getParameter("username");
        String password = request.getParameter("password");
        // Both request parameters are pasted verbatim into the SQL text.
        String query = String.format(
            "SELECT * FROM user WHERE username = '%s' AND password = '%s'",
            username, password);
        ResultSet rs = statement.executeQuery(query);
        if (rs.first()) {
            out.println("You were logged in!");
        } else {
            out.println("Login failed");
        }
    %>
The above code retrieves the username and password from the parameters passed to the page (appropriately named username and password), and then looks them up in the database for a matching username entry that has the correct password. If a match is found, the login is successful and the user gets access to the restricted area.
Though the above might look like reasonable code, it actually suffers from a fatal flaw in the form of what is known as an "SQL injection" vulnerability. This type of vulnerability...
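As an added example that is not part of the original page, here is the same credential lookup written with a PreparedStatement, so that the request parameters are bound as data and can never alter the structure of the query. It assumes a JDBC Connection is available (the page's connectToDatabase() is treated as the source of it); the table and column names follow the page's query.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

// Added example: parameterized version of the page's login check.
public final class LoginCheck {

    // The '?' placeholders are filled in by the JDBC driver at execution time;
    // the SQL text itself is fixed and never built from user input.
    private static final String LOOKUP =
        "SELECT 1 FROM user WHERE username = ? AND password = ?";

    /** Returns true if exactly the supplied credentials match a row in 'user'. */
    public static boolean authenticate(Connection conn, String username, String password)
            throws SQLException {
        // Missing parameters are a failed login, not a null bound into the query.
        if (username == null || password == null) {
            return false;
        }
        try (PreparedStatement ps = conn.prepareStatement(LOOKUP)) {
            // Quotes, comment markers or keywords inside the values are sent as
            // literal string data and cannot change the statement's meaning.
            ps.setString(1, username);
            ps.setString(2, password);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }
}
```

In the JSP, a call such as authenticate(connection, request.getParameter("username"), request.getParameter("password")) replaces the String.format and executeQuery lines; comparing a plaintext password column is a separate weakness that this example does not address.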