I am using selenium and java.
Every time when I execute my test it has to create new log in credentials.
I enter usernames (every time it is created randomly)
This is my method to create a unique username:
String username=’’ ’’ +(int)(Math.random()*Integer.MAX_VALUE);
String emailID=”USER”+username+”#gmail.com”;
driver.findElement(by.id(“userNameID)).sendKeys(emailID);
system.out.println(emailID);
It creates a unique username.
After it will ask for verification code, it is coming from DB and I have to pass it in “verification textbox”.
I have my JDBC Connections,
Usually when I already know my username
I use:
String query=”Select SecretCode from createlogincode where
username=qacustomer#gmail.com”;
String secretCode=rs.getString(1);
System.out.println(“Verification Code is ”+secretCode);
driver.findElement(by.id(“secretcode”)).sendKeys(secretCode);
and this methods works perfectly.
But with creating random usernames, I am not able to write a correct query to pass and get verification code. Is there is any method to store the new username then pass it into the query?
I was doing:
String query=”Select SecretCode from createlogincode where username=
+emailID”;
but this is absolutely incorrect.
Related
Sonarqube is giving me this error:
[BLOCKER] Change this code to not construct SQL queries directly from user-controlled data
Here is my code:
String countSQL;
countSQL = (String.format("SELECT count(*) as total FROM ltid_owner.enty %s",additionalWhereClauses));
jdbcTemplateTMI.queryForObject(countSQL, Integer.class);
In the above code additionalWhereClauses could be something like this shown below which I am building on the fly when the user clicks on the grid to perform filtering on different columns:
additionalWhereClauses = where UPPER(enty_num) like '003%'
Can you please let me know how to resolve this issue?
Your code combines strings into SQL statements. If any of these strings contains user provided input, an attacker can sneak in code to trigger an SQL injection attack and possibly run arbitrary code on your computer (obligatory Bobby Tables reference).
Simple example:
String sql = "SELECT * FROM users WHERE name = '" + name + "' AND password = '" + password + "'";
If I enter ' OR 1=1 -- for the name (and "..." for the password, but that doesn't really matter anymore) the code becomes a valid SQL statement:
SELECT *
FROM users
WHERE name = '' OR 1=1 -- ' AND password = '...'
but the user name / password check is completely disabled.
To avoid this, use prepared statements. They build the SQL command in a way that SQL injection is impossible.
Maybe this never happens in your code as you don't accept user input, but Sonar doesn't know this (and human reviewers won't either). I'd always use prepared statements. Just because your code only passed column headers from a frontend, doesn't mean an attacker cannot manually call your web service endpoints and pass whatever they want, it your code runs as an HTTP endpoint.
Yesterday searching through some repositories on Github I found some interesting stuff: one Java project (I won't mention the name of the repository but I've already notified the owner of it) contained a bad handling of HQL queries which could lead to SQL/HQL injections. The code was the following: (note that username and password come from the user)
Query query = session.createQuery("from Client where username = '" + username + "'");
List clients = query.list();
Client client = (Client) clients.get(0);
if (!validPassword(client.getPassword(), password)) {
return false;
}
//client is authenticated....
I think it is obvious that this query is injectable. I don't really know how this vulnerable query could be exploited because even if we inject the username, the
password is still checked. The database used was MySql (if it helps).
So my question is: how could this be exploited?
Even though HQL is more restrictive than SQL for injections, it can still be exploited.
Some example injections are explained at https://blog.h3xstream.com/2014/02/hql-for-pentesters.html
A similar question to this one has been asked already before at https://security.stackexchange.com/questions/24265/hql-injection-example
The answer to this question explains how characters of a password (hash) could be scanned. e.g. if for an Oracle database the value of username is:
admin' AND SUBSTR(password, 0, 1) = 'A
Then if
the first character of the password (hash) is not 'A' -> the clients List is empty and the clients.get(0) method call throws an IndexOutOfBoundsException
the first character of the password (hash) is 'A', but the provided password is false -> the user is not authenticated
the first character of the password (hash) is 'A' and the provided password is correct -> the user is authenticated
A hacker can repeat the query for each x and z in
SUBSTR(password, x, x + 1) = z
in the query above until the outcome is always case 2. where the user is not authenticated. This way he can find out the password hash for the user admin and may be able to crack his password.
Other exploits are possible, I am not going to list all of them...
Yes so...once you had start hibernate session, You can fetch data using query. Now you have written query for Client table.
For ex,
username = "ABC"
1) Your query from Client where username = 'ABC' will fetch data from Client whoes username is exact ABC.
If it found multiple same Username, it also return all.
2) It is going to store in list. 0 or more record will store in list.
3) Then whatever records came, it fetch only first record using
Client client = (Client) clients.get(0);
4) it check with client object record password with your expected password that may be suppose to save in some variable via method calling.
5) if it won't match then it return with false boolean flag otherwise code will go ahead with authenticated client execution.
Hope you got your answer.
I am doing automation testing at my work and i'm stuck in a scenario.
My first test consist of creating a new user account which creates a username and a password. P.S. My password is always the same
My second test is basically login as a user with the username and password that I created in the first test.
Also, as the account is created, the database gets updated, and i'm able to connect to the database and execute the query (select user_name from accounts where password = 'pass123' order by created_dttm desc;)
So, since i'm able to execute and get the value from the db, how can I fetch that value and insert it into my username field in order to login as a customer.
Because i'm stuck in this situation, I always have to edit my 2nd test case with a different username that is created in my first tc. I would like my test script to take the username from the db and insert it into the username field automatically.
I'm kinda new to Java and automation, therefore, any kind of help will be highly appreciated. Thanks a ton!
You need to just pass the username value read from database to the sendKeys function of Webdriver. For example, if you have stored the username value from database in String variable user and if you are using id property to recognize the username field, then you can enter that value in username field using following:
driver.findElement(By.id("u")).sendKeys(user);
In the above code, u is the id of username field. You can move your database access code to separate method as shown below:
public static String getUsernameFromDB() throws ClassNotFoundException, SQLException {
//Accessing driver from the JAR file
Class.forName("oracle.jdbc.OracleDriver");
System.out.println("Oracle JDBC driver loaded ok.");
Connection con=DriverManager.getConnection("jdbc:oracle:thin:#151.120.92.150:1602:pppst1","ppp_app","ppp_app_pppst1");
System.out.println("DB Connected Successfuly");
Statement stmt = con.createStatement();
ResultSet result = stmt.executeQuery("select user_name from accounts where password = 'pass123' order by created_dttm desc;");
String account = null;
while(result.next()){
account = result.getString("USER_NAME");
System.out.println("BAID: " + account);
}
con.close();
return account;
}
Your test case code will become:
String username = getUsernameFromDB();
driver.findElement(By.id("u")).sendKeys(username);
I've create an application LOGIN/REGISTER with this tutorial.
My problem is, if I put nothing on the register view of my app (name, username, age, password), it create an user on my table with nothing inside (just a number on "user_id" column) and I can sign in with nothing in "username" and "password" on the login view of my app.
And all my LOGIN/REGISTER android app becomes useless...
If you don't understand what I say, you can try my app.
For information, I've change some element to not give you all access to my app :
In "LoginRequest.class", I have change my website by xxx at this line :
private static final String LOGIN_REQUEST_URL ="http://xxxx.net/Login.php";
In "RegisterRequest.class", I have change my website by xxx at this line :
private static final String REGISTER_REQUEST_URL ="http://xxxx.net/Register.php";
In "Login.php", I have change my information at this line :
$con = mysqli_connect("mysql10.000host.com", "axxxxxxx_user", "passwordZ", "ayyyyyyy_data");
In "Register.php", I have change my information at this line :
$con = mysqli_connect("mysql10.000host.com", "axxxxxxx_user", "passwordZ", "ayyyyyyy_data");
Thank you for your help.
The only thing you need to do is validations
Put validation while registering and login. Don't call API if username, password and other fields are blank.
You need to check if user is entering a proper email-id , password should be more then 6 characters with combination of number and special character like stuff.
And in your server side do write procedures to validate the username or passwords.
You can also use an ORM which can protect you from injections.
Simple regex to vaid email-id would be
/^(?!(?:(?:\x22?\x5C[\x00-\x7E]\x22?)|(?:\x22?[^\x5C\x22]\x22?)){255,})(?!(?:(?:\x22?\x5C[\x00-\x7E]\x22?)|(?:\x22?[^\x5C\x22]\x22?)){65,}#)(?:(?:[\x21\x23-\x27\x2A\x2B\x2D\x2F-\x39\x3D\x3F\x5E-\x7E]+)|(?:\x22(?:[\x01-\x08\x0B\x0C\x0E-\x1F\x21\x23-\x5B\x5D-\x7F]|(?:\x5C[\x00-\x7F]))*\x22))(?:\.(?:(?:[\x21\x23-\x27\x2A\x2B\x2D\x2F-\x39\x3D\x3F\x5E-\x7E]+)|(?:\x22(?:[\x01-\x08\x0B\x0C\x0E-\x1F\x21\x23-\x5B\x5D-\x7F]|(?:\x5C[\x00-\x7F]))*\x22)))*#(?:(?:(?!.*[^.]{64,})(?:(?:(?:xn--)?[a-z0-9]+(?:-[a-z0-9]+)*\.){1,126}){1,}(?:(?:[a-z][a-z0-9]*)|(?:(?:xn--)[a-z0-9]+))(?:-[a-z0-9]+)*)|(?:\[(?:(?:IPv6:(?:(?:[a-f0-9]{1,4}(?::[a-f0-9]{1,4}){7})|(?:(?!(?:.*[a-f0-9][:\]]){7,})(?:[a-f0-9]{1,4}(?::[a-f0-9]{1,4}){0,5})?::(?:[a-f0-9]{1,4}(?::[a-f0-9]{1,4}){0,5})?)))|(?:(?:IPv6:(?:(?:[a-f0-9]{1,4}(?::[a-f0-9]{1,4}){5}:)|(?:(?!(?:.*[a-f0-9]:){5,})(?:[a-f0-9]{1,4}(?::[a-f0-9]{1,4}){0,3})?::(?:[a-f0-9]{1,4}(?::[a-f0-9]{1,4}){0,3}:)?)))?(?:(?:25[0-5])|(?:2[0-4][0-9])|(?:1[0-9]{2})|(?:[1-9]?[0-9]))(?:\.(?:(?:25[0-5])|(?:2[0-4][0-9])|(?:1[0-9]{2})|(?:[1-9]?[0-9]))){3}))\]))$/iD
I am trying to build a simple login form using Swing in Java. I created a Sample form with two fields.
usernamefield of type TextField
passfield of type PasswordField
Now I have a database and in that a login table which has following structure.
username | password
----------------------
abcd | xyz
Also I created a connection to database. and I am able to access table data by using ResultSet.
I made an object of database connection called conn.
I know that password is stored in the form of char array.
so when I try to match password by using following code it does not work.
if(usernamefield.getText() == conn.username && passfield.getPassword().toString == conn.password) {
system.out.println("Correct");
}else {
system.out.println("Incorrect");
}
Above code always go to else block.
I also noticed that passfield.getPassword() prints the correct password while passfield.getPassword().toString prints some random characters like [C#76dab03c
How to resolve it?
Use equals instead of == and it should work. Never use == on strings, it hardly ever produces the result you expect.
I think the more serious issue with your code is that you're storing passwords in plain text. That is a huge security risk. You should look into password hashing algorithms, for instance bcrypt.
You must compare string with .equals(), not ==, but you're doing this wrong anyway. The password should be hashed at the database, and you should be passing what the user entered to the database and having it do the matching, via a WHERE clause using the appropriate hash function. In other words, ask the database to fetch the user row with this username and password.