Handling of Different Injection Attacks in Grails

While implementing Security in my Sample Application I have read various types of Injection attacks that an application may suffer.

Reference: Grails In Action

1. SQL Injection Attack:

def username="gautam"
Post.findAll(" from Post as post WHERE post.user.username='${username}' ")

This Query uses a local username property to control which posts are returned.

Try this Query in Grails Console.

An attacker can modifies the URL of the request so that the username parameter has the value :

def username = " ' or ' test' = ' test"
Post.findAll(" from Post as post WHERE post.user.username='${username}' ")

The Query is Same, but this time username doesn’t look like  an Id at all. Look what happens when we substitute the value into the query:

.. WHERE post.user.username = ' '  or  ' test' = ' test'

Now all Post are returned, which will bring your server to a grinding halt.

By escaping input values before inserting it into the query, you can foil the attack.

The modified version of the HQL query that safe from the attack by escaping the value of username:

def username = " ' or ' test' = ' test"
Post.findAll(" from Post as post WHERE post.user.username=? ", [username])

This is the Hibernate equivalent of a JDBC parameterized query.

2. Cross-Site Scripting (XSS) Attack

Another form of injection attack which targets HTML and javascript is when user Post this message

alert("alert")

A dialog pops up showing the message “alert”. Now every time you refresh your page, that message will pop up.

The solution of this is either:

– you can call the encodeASHTML() method on the text you want to display,

"${username.encodeASHTML()}"

But the implementation of the Grails tags like textField tag does the equivalent of encodeASHTML() method.
i.e,

<g:TextField name="username" value="${post.user.username}">

is  equivalent of this:

attrs["value"].encodeASHTML()

An alternative is to use the defaultCodec page directive to enable HTML escaping on a page-by-page basis:

<% @ defaultCodec="html" %>

OR

-by adding/changing this entry in grails-app/conf/Config.groovy:

grails.views.default.codec="html"

By setting the default codec Grails uses to encode data in GSP views to HTML, you can ensure all GSP expression are HTML
escaped by default (This makes the Setting Global)
URL Escaping

Show Album

Simply by fiddling with the title parameter in a GET request an attacker could perform an XSS attack.To avoid this you can use encodeASURL() method on any data to be included in the URL.

Show Album

3. Other Form of Vulnerable Attack:

Alternative approach is to find out what platform the web application is based on. If you know that then you can narrow your hacking attempts to know the vulnerabilities of the platform.
There might be some other weakness in the Application like, try pointing your browser at this URL while your application is up and Running:

http://localhost:8080/application-name/path/unknown

Any Attacker knows that the application is a java web application running on Jetty/Apache. Also,If application throws an exception ,Grails will display its standard error page. Then attacker also knows that your application uses Grails.

Solution to this Problem is mapping response codes to controllers like:

class UrlMappings{
"404" (controller:"errors",action:"notFound")
"500" (controller:"errors",action:"internalError")
}

But this mechanism can be bypassed, if you hard-coded to display the view like error.GSP if an exception is thrown by a GSP page, then it will declare to the user that your application is implemented with Grails.
You can modified your GSP to send a “500” error if environment is set to PRODUCTION:

${Response.sendError(500)}

Hope it Helps!!!