WaveMaker's use of service variables insulates applications from SQL injection types of attack (http://owasp.com/index.php/SQL_Injection). However, use of the runtime service exposes an insert(), update(), read(), and delete() method for every imported table. This can create a significant vulnerability, including exposing the user login table when using database security.
For example, using curl (http://curl.haxx.se/), a command-line tool for making HTTP requests, we could perform an update of the customer table by POSTing directly to the runtime service URL. Here, we update the customer record with customer ID 3 with bogus data:
> curl -H "Content-type: application/json" -d '{"params":["custpurchaseDB", "com.custpurchasedb.data.Customer", {"address":"12 Chump Lane", "city" : "Hackville", "company": "Fools R Us", "custid" : 3, "imageurl" : "", "state" : "TX", "twitter" : "ivebeenpawnd", "zip": "3333"}],"method":"update","id":1}' -X POST http://127.0.0.1:8094/SecureDbAccess...
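As an added example (not from this book and not WaveMaker's own code), the check below shows the kind of server-side gate the runtime service needs: it parses the same JSON-RPC shaped body the curl request above sends, denies any access to a login entity, and denies insert/update/delete unless the caller holds a write role. The entity names, the role name and the sample bodies are constructed assumptions for this example.

```python
import json

# Constructed for this example: entities the runtime service may write to.
WRITABLE_ENTITIES = {"com.custpurchasedb.data.Customer"}
# Constructed for this example: entities that must never be reachable through
# the runtime service, such as the user login table (assumed class name).
BLOCKED_ENTITIES = {"com.custpurchasedb.data.User"}
MUTATING_METHODS = {"insert", "update", "delete"}
WRITE_ROLE = "admin"  # assumed role name


def inspect_runtime_call(body: str, caller_roles: set) -> dict:
    """Classify one body posted to the runtime service.

    The body has the shape {"params": [database, entity, data], "method": m, "id": n}.
    Returns the parsed method/database/entity plus a verdict of 'allow' or 'deny'
    with a reason.  Anything that does not parse into that shape is denied.
    """
    try:
        req = json.loads(body)
        method = req["method"]
        database, entity = req["params"][0], req["params"][1]
    except (ValueError, KeyError, IndexError, TypeError):
        return {"verdict": "deny", "reason": "malformed request"}

    result = {"method": method, "database": database, "entity": entity}
    if entity in BLOCKED_ENTITIES:
        result.update(verdict="deny", reason="entity is never exposed")
    elif method in MUTATING_METHODS and entity not in WRITABLE_ENTITIES:
        result.update(verdict="deny", reason="entity is read-only via runtime service")
    elif method in MUTATING_METHODS and WRITE_ROLE not in caller_roles:
        result.update(verdict="deny", reason="write requires the %s role" % WRITE_ROLE)
    else:
        result.update(verdict="allow", reason="")
    return result


# Constructed sample bodies: the customer update from the curl call above
# (trimmed to a few fields) and a read of the assumed login table.
CUSTOMER_UPDATE = ('{"params":["custpurchaseDB","com.custpurchasedb.data.Customer",'
                   '{"custid":3,"city":"Hackville","twitter":"ivebeenpawnd"}],'
                   '"method":"update","id":1}')
USER_READ = ('{"params":["custpurchaseDB","com.custpurchasedb.data.User",{}],'
             '"method":"read","id":2}')

if __name__ == "__main__":
    for roles in (set(), {"admin"}):
        print(roles, inspect_runtime_call(CUSTOMER_UPDATE, roles))
    print(inspect_runtime_call(USER_READ, {"admin"}))
```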