WFS and SQL Injection

Session Type: 
Lightning Talk
Presenter(s): 
Olivier Courtin, Oslandia

OGC WFS-T gives client applications write access to features stored server-side, through a web service API.

Commonly, such features are stored in a spatial database.

The forthcoming WFS 2.0 would even add stored queries, sent from the WFS client, which the server could then execute on demand.

All these great features have security counterparts and could lead to SQL injection vulnerabilities.

The issues raised and answered in this lightning talk will be:

  • Where are the main SQL injection risks in WFS spec implementations (WFS-T, Filter Encoding and WFS 2.0)?
  • What tools or tests could help to detect them?
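The Filter Encoding risk named above, shown on a minimal case as an added example (this is illustrative code, not TinyOWS or anything from the talk): a PropertyIsEqualTo filter is parsed and translated to SQL twice, once by pasting PropertyName and Literal straight into the query string and once by binding the literal as a parameter and checking the property name against an allow-list of filterable columns. The `roads` table, the filter template and the sample literals are constructed for the example; an in-memory SQLite database stands in for the spatial database, since the injection point is the same regardless of the back end.

```python
import sqlite3
import xml.etree.ElementTree as ET

OGC_NS = "{http://www.opengis.net/ogc}"

# Columns a client may filter on. SQL identifiers cannot be bound as parameters,
# so PropertyName must be validated against an allow-list rather than escaped.
ALLOWED_COLUMNS = {"name", "surface"}

# Constructed sample filter; in a real GetFeature request both values are client-supplied.
FILTER_TEMPLATE = """<ogc:Filter xmlns:ogc="http://www.opengis.net/ogc">
  <ogc:PropertyIsEqualTo>
    <ogc:PropertyName>{prop}</ogc:PropertyName>
    <ogc:Literal>{literal}</ogc:Literal>
  </ogc:PropertyIsEqualTo>
</ogc:Filter>"""


def parse_filter(xml_text):
    """Return (property_name, literal) from a single PropertyIsEqualTo filter."""
    root = ET.fromstring(xml_text)
    cmp_node = root.find(f".//{OGC_NS}PropertyIsEqualTo")
    prop = cmp_node.find(f"{OGC_NS}PropertyName").text.strip()
    literal = cmp_node.find(f"{OGC_NS}Literal").text
    return prop, literal


def unsafe_sql(prop, literal):
    """What a naive filter translator produces: both values pasted into the SQL text."""
    return f"SELECT id, name FROM roads WHERE {prop} = '{literal}'"


def safe_select(conn, prop, literal):
    """Allow-list the identifier, bind the value; the literal can never change query structure."""
    if prop not in ALLOWED_COLUMNS:
        raise ValueError(f"property {prop!r} is not filterable")
    sql = f'SELECT id, name FROM roads WHERE "{prop}" = ?'
    return conn.execute(sql, (literal,)).fetchall()


def make_db():
    """Constructed in-memory table standing in for the spatial database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE roads (id INTEGER PRIMARY KEY, name TEXT, surface TEXT)")
    conn.executemany(
        "INSERT INTO roads (name, surface) VALUES (?, ?)",
        [("Main St", "asphalt"), ("Elm St", "gravel"), ("Oak Ave", "asphalt")],
    )
    return conn


def compare(prop, literal):
    """Run one filter through both translators; return (rows from unsafe SQL, rows from safe SQL)."""
    conn = make_db()
    p, lit = parse_filter(FILTER_TEMPLATE.format(prop=prop, literal=literal))
    unsafe_rows = conn.execute(unsafe_sql(p, lit)).fetchall()
    safe_rows = safe_select(conn, p, lit)
    return len(unsafe_rows), len(safe_rows)


if __name__ == "__main__":
    # A benign filter matches one road either way; a literal carrying a quote
    # widens the naive query to every row while the bound query matches nothing.
    print(compare("name", "Main St"))               # (1, 1)
    print(compare("name", "Main St' OR '1'='1"))    # (3, 0)
```

The same allow-list check is what protects PropertyName: quoting or escaping the literal alone leaves the identifier position open, which is why a translator for Filter Encoding needs both a parameter binding for values and a column allow-list for names. A test of the kind the talk asks about is simply `compare` with a quoted literal: if the two row counts differ, the translator is vulnerable.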


Speaker Bio: 

Olivier has been the main developer and maintainer of TinyOWS since 2007. He is also involved in the PostGIS project, as the two projects are tied together.

Olivier is, with Vincent Picavet, owner of Oslandia, a small company focused on Open Source GIS.
