AWS Query Injection can occur within AWS as a result from misusing AWS’s Java SDK – AmazonSimpleDBClient. If the application is performing select requests with user inputs, the user inputs could be crafted to allow query access to other information outside the access scope of the permissions of the user.

Impact

CWE-943 : Improper Neutralization of Special Elements in Data Query Logic.

Fix for Java AWS Query Injection

The following example dynamically constructs and executes a SimpleDB select() query allowing the user to specify the productCategory. The attacker can modify the query, bypass the required authentication for customerID and view records matching any customer.

Vulnerable Code:

...
String customerID = getAuthenticatedCustomerID(customerName, customerCredentials);
String productCategory = request.getParameter("productCategory");
...
AmazonSimpleDBClient sdbc = new AmazonSimpleDBClient(appAWSCredentials);
String query = "select * from invoices where productCategory = '"
            + productCategory + "' and customerID = '"
            + customerID + "' order by '"
            + sortColumn + "' asc";
SelectResult sdbResult = sdbc.select(new SelectRequest(query));

Solution: This issue is analogous to SQL Injection however because SimpleDB does not support prepared statements, software developers will be required to sanitize user inputs before using it within a SimpleDB query. Our recommendation would be to use the Apache Commons library within it contains a commons escape string utility class called StringEscapeUtils.

Want to check your projects for free?