Is Cuba Framework protected from SQL injections and XSS?

Hello Cuba,
I would like to know how I can demonstrate to my collegues that cuba framework is a high level framework protected againts SQL injections and XSS. What is the best way to do this? And how is protection implemented?

Kind regards,
Wissam

All these concerns are described in our documentation: Web Security - CUBA Platform. Developer’s Manual

CUBA Platform as a framework follows good security practices and provides you with automatic protection against some of the most common vulnerabilities in web applications. Its architecture promotes a secure programming model, allowing you to concentrate on your business and application logic.

Cuba Web Client is a server-side application, where all of your application state, business and UI logic resides on the server. Unlike client driven frameworks, Web Client never exposes its internals to the browser, where vulnerabilities can be leveraged by an attacker.

1. Cross-Site Scripting (XSS)

Web Client has built-in protection against cross-site scripting (xss) attacks. It converts all data to use HTML entities before the data is rendered in the user’s browser.*.

2. Cross-Site Request Forgery (CSRF)

All requests between the client and the server are included with a user session specific CSRF token. All communication between the server and the client is handled by Vaadin Framework, so you do not need to remember to include the CSRF tokens manually.

3. Web Services

All communication in Web Client goes through one web service used for RPC requests. You never open up your business logic as web services and thus there are less attack entry points to your application.

4. SQL Injection

CUBA uses Eclipse Link ORM that is protected against SQL injections. Parameters of SQL queries are always passed to JDBC as parameters array and not interpolated into SQL queries.

If you want to somehow demonstrate protection against all the typical attacks you have to try them against CUBA application. For instance, try to exploit SQL special characters in standard forms / URL / etc to demonstrate protection against SQL injection.