Package org.kawanfw.sql.api.server
Class BasicSqlInjectionAnalyser
java.lang.Object
org.kawanfw.sql.api.server.BasicSqlInjectionAnalyser
public class BasicSqlInjectionAnalyser extends Object
Provides miscellaneous methods to analyse basic elements of an SQL statement and to check for SQL injection attempts.
- Since: 12.0
- Author: Nicolas de Pomereu
Constructor Summary
BasicSqlInjectionAnalyser(String sql)
    Constructor
Method Summary
void analyse()
    Analyzes the SQL statement with the set parameters and keywords
static boolean containsNestedComments(String sql)
    Says if the SQL statement contains nested comments
String getAnomalyDetected()
    Returns the anomaly detected
static boolean hasEqualValuesAroundEqual(String sqlTokens)
    Tests the 1=1 variations
boolean isSqlInjectionSuspect()
    Says if the SQL statement is a suspect for an SQL injection attempt
boolean isWithComments()
    Returns if the SQL statement contains comments
boolean isWithEqualValuesAroundEqual()
    Returns if there are 1=1 variations in the query
boolean isWithForbiddenKeywords()
    Returns if the SQL statement contains at least one forbidden keyword
boolean isWithLineBreaks()
    Returns if the SQL statement has line breaks
boolean isWithNestedComments()
    Returns if the SQL statement contains nested comments
boolean isWithOddQuotesNumber()
    Returns if the SQL statement contains an odd number of single quotes
boolean isWithSeparators()
    Returns if the SQL statement contains statement separators
void setDetectComments(boolean detectComments)
    Sets if comments should be detected.
void setDetectDoubleQuotes(boolean detectDoubleQuotes)
    Sets if double quotes should be detected.
void setDetectLineBreaks(boolean detectLineBreaks)
    Sets if line breaks should be detected.
void setDetectNoSpaces(boolean detectNoSpaces)
    Sets if SQL statements without any space should be detected.
void setDetectSeparators(boolean detectSeparators)
    Sets if command separators (;) should be detected.
void setDetectTabs(boolean detectTabs)
    Sets if tabs should be detected.
void setForbiddenKeywordList(Set<String> forbiddenKeywordList)
    Sets the list of keywords that are forbidden and will trigger an SQL injection suspicion
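Typical server-side use of the class, as an added example that is not part of the AceQL documentation or project code: it wires the documented setters, runs analyse(), and reports which individual checks fired so the verdict can be logged rather than just acted on. The keyword set and the sample statements are constructed; which of them actually trips a given check depends on the analyser's implementation, which this page does not show.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import org.kawanfw.sql.api.server.BasicSqlInjectionAnalyser;

public class SqlInjectionCheckExample {

    // Returns an empty list when the statement is not a suspect, otherwise the
    // checks that fired plus the analyser's own anomaly text (for an audit log).
    public static List<String> check(String sql, Set<String> forbiddenKeywords) {
        BasicSqlInjectionAnalyser analyser = new BasicSqlInjectionAnalyser(sql);
        // Every detect* switch defaults to true. Line breaks and tabs are turned
        // off because this constructed application formats statements over
        // several lines; the remaining checks keep their default.
        analyser.setDetectLineBreaks(false);
        analyser.setDetectTabs(false);
        analyser.setForbiddenKeywordList(forbiddenKeywords);
        analyser.analyse();

        List<String> reasons = new ArrayList<>();
        if (!analyser.isSqlInjectionSuspect()) {
            return reasons;
        }
        if (analyser.isWithEqualValuesAroundEqual()) reasons.add("1=1 variation");
        if (analyser.isWithSeparators())             reasons.add("statement separator");
        if (analyser.isWithComments())               reasons.add("comment");
        if (analyser.isWithForbiddenKeywords())      reasons.add("forbidden keyword");
        if (analyser.isWithOddQuotesNumber())        reasons.add("odd number of single quotes");
        reasons.add("anomaly: " + analyser.getAnomalyDetected());
        return reasons;
    }

    public static void main(String[] args) {
        // Constructed keyword set: an ordinary client must never issue these.
        Set<String> forbidden = Set.of("DROP", "GRANT", "ALTER");
        // Constructed statements: the first is ordinary; each of the others carries
        // a trait the class documents (1=1, separator plus keyword, odd quote count).
        String[] samples = {
            "SELECT id, name FROM customers WHERE id = 42",
            "SELECT id, name FROM customers WHERE id = 42 OR 1=1",
            "SELECT id FROM customers; DROP TABLE customers",
            "SELECT id FROM customers WHERE name = 'O'Brien'"
        };
        for (String sql : samples) {
            List<String> reasons = check(sql, forbidden);
            System.out.println((reasons.isEmpty() ? "ok      " : "SUSPECT ") + sql + " " + reasons);
        }
    }
}
```

Log the returned reasons alongside the statement rather than only rejecting it: the per-check getters are what tell you whether a flag is a real attempt or a legitimate query that needs one of the detect* switches tuned.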
Constructor Details
BasicSqlInjectionAnalyser
BasicSqlInjectionAnalyser(String sql)
Constructor
Parameters:
sql - the SQL statement to analyse
Method Details
setDetectTabs
public void setDetectTabs(boolean detectTabs)
Sets if tabs should be detected. Defaults to true.
Parameters:
detectTabs - true if tabs should be detected, else false
setDetectSeparators
public void setDetectSeparators(boolean detectSeparators)
Sets if command separators (;) should be detected. Defaults to true.
Parameters:
detectSeparators - true if command separators should be detected, else false
setDetectLineBreaks
public void setDetectLineBreaks(boolean detectLineBreaks)
Sets if line breaks should be detected. Defaults to true.
Parameters:
detectLineBreaks - true if line breaks should be detected, else false
setDetectComments
public void setDetectComments(boolean detectComments)
Sets if comments should be detected. Defaults to true.
Parameters:
detectComments - true if comments should be detected, else false
setDetectDoubleQuotes
public void setDetectDoubleQuotes(boolean detectDoubleQuotes)
Sets if double quotes should be detected. Defaults to true.
Parameters:
detectDoubleQuotes - true if double quotes should be detected, else false
setDetectNoSpaces
public void setDetectNoSpaces(boolean detectNoSpaces)
Sets if SQL statements without any space should be detected. Defaults to true.
Parameters:
detectNoSpaces - true if queries without any space should be detected, else false
setForbiddenKeywordList
void setForbiddenKeywordList(Set<String> forbiddenKeywordList)
Sets the list of keywords that are forbidden and will trigger an SQL injection suspicion
Parameters:
forbiddenKeywordList - the list of keywords that are forbidden and will trigger an SQL injection suspicion
getAnomalyDetected
String getAnomalyDetected()
Returns the anomaly detected
Returns:
the anomaly detected
isWithNestedComments
public boolean isWithNestedComments()
Returns if the SQL statement contains nested comments
Returns:
true if the query contains nested comments, else false
isWithLineBreaks
public boolean isWithLineBreaks()
Returns if the SQL statement has line breaks
Returns:
true if the SQL statement has line breaks, else false
isWithComments
public boolean isWithComments()
Returns if the SQL statement contains comments
Returns:
true if the SQL statement contains comments, else false
isWithSeparators
public boolean isWithSeparators()
Returns if the SQL statement contains statement separators
Returns:
true if the SQL statement contains statement separators, else false
isWithForbiddenKeywords
public boolean isWithForbiddenKeywords()
Returns if the SQL statement contains at least one forbidden keyword
Returns:
true if the SQL statement contains at least one forbidden keyword, else false
isWithEqualValuesAroundEqual
public boolean isWithEqualValuesAroundEqual()
Returns if there are 1=1 variations in the query
Returns:
true if there are 1=1 variations in the query, else false
isSqlInjectionSuspect
public boolean isSqlInjectionSuspect()
Says if the SQL statement is a suspect for an SQL injection attempt
Returns:
true if the SQL statement is a suspect for an SQL injection attempt
analyse
public void analyse()
Analyzes the SQL statement with the set parameters and keywords
isWithOddQuotesNumber
public boolean isWithOddQuotesNumber()
Returns:
true if the SQL statement contains an odd number of single quotes (') and thus cannot be processed
hasEqualValuesAroundEqual
static boolean hasEqualValuesAroundEqual(String sqlTokens)
Tests the 1=1 variations
Parameters:
sqlTokens - the SQL substring without the values inside quotes
Returns:
true if the SQL line contains variations of 1=1
containsNestedComments
static boolean containsNestedComments(String sql)
Says if the SQL statement contains nested comments
Parameters:
sql - the SQL statement to analyze
Returns:
true if the SQL statement contains nested comments, else false