CAPEC-109 - Object Relational Mapping Injection

An attacker leverages a weakness present in the database access layer code generated with an Object Relational Mapping (ORM) tool or a weakness in the way that a developer used a persistence framework to inject his or her own SQL commands to be executed against the underlying database. The attack here is similar to plain SQL injection, except that the application does not use JDBC to directly talk to the database, but instead it uses a data access layer generated by an ORM tool or framework (e.g. Hibernate). While most of the time code generated by an ORM tool contains safe access methods that are immune to SQL injection, sometimes either due to some weakness in the generated code or due to the fact that the developer failed to use the generated access methods properly, SQL injection is still possible.






  • Attack Methods 3
      • Injection
      • Analysis
      • API Abuse
  • Purposes 1
      • Exploitation
  • Sec Principles 3
      • Defense in Depth
      • Keep it Simple
      • Compartmentalization
  • Scopes 5
      • Modify application data
      • Integrity
      • DoS: instability
      • DoS: crash / exit / restart
      • Availability
      • Read application data
      • Read memory
      • Confidentiality
      • Gain privileges / assume identity
      • Authorization
      • Access_Control
      • Confidentiality
      • Execute unauthorized code or commands
      • Availability
      • Integrity
      • Confidentiality

Medium level: Knowledge of general SQL injection techniques and subtleties of the ORM framework is needed

An application uses a data access layer generated by an ORM tool or framework

An application uses user supplied data in queries executed against the database

The separation between data plane and control plane is not ensured, through either developer error or an underlying weakness in the data access layer code generation framework

No specialized resources are required.

Provide various input to the system in an attempt to induce an error that would reveal stack trace information about the ORM layer (if any) used

Step 1 - Determine Persistence Framework Used

An attacker tries to determine what persistence framework is used by the application in order to leverage a weakness in the generated data access layer code or a weakness in the way that the data access layer may have been used by the developer.

Technique ID: 1 - Environment(s) env-Web

An attacker provides input to the application in an attempt to induce an error screen that reveals a stack trace that gives an indication of the automated data access layer used. Or an attacker may simply make some educated guesses and assume, for instance, that Hibernate is used and try to craft an attack from there.

Step 2 - Probe for ORM Injection vulnerabilities

The attacker injects ORM syntax into user-controllable data inputs of the application to determine if it is possible to modify data query structure and content.

Step 1 - Perform SQL Injection through the generated data access layer

An attacker proceeds to exploit a weakness in the generated data access methods that do not properly separate the control plane from the data plane, or potentially a particular way in which the developer might have misused the generated code, to modify the structure of the executed SQL queries and/or inject entirely new SQL queries.

Technique ID: 1 - Environment(s) env-Web

An attacker uses normal SQL injection techniques and adjusts them to reflect the type of data access layer generation framework used by the application.

Outcome ID: 1

Type: Success

Attacker achieves goal of unauthorized system access, denial of service, etc.

Outcome ID: 2

Type: Failure

Attacker unable to exploit SQL Injection vulnerability.

Ensure that the ORM data access methods that are used by the application leverage parameter binding.

Understand how to use the data access methods generated by the ORM tool / framework properly, in a way that leverages the built-in security mechanisms of the framework.

Keep up to date with security-relevant updates to the persistence framework used within your application.
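The parameter-binding mitigation above, as an added example that is not part of the CAPEC entry: a hypothetical `UserMapper` class stands in for ORM-generated access code, with Python's `sqlite3` used in place of a real ORM. The table, rows and method names are constructed for illustration. It also shows that column names cannot be bound and need an allow-list instead.

```python
import sqlite3

# Constructed sample data for this example.
ROWS = [(1, "alice", "user"), (2, "bob", "user"), (3, "root", "admin")]


class UserMapper:
    """Hypothetical minimal data access layer standing in for ORM-generated code."""

    COLUMNS = {"id", "name", "role"}  # identifiers cannot be bound, so allow-list them

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
        self.db.executemany("INSERT INTO users VALUES (?, ?, ?)", ROWS)

    def find_unsafe(self, column, value):
        # Weak pattern: the value is spliced into the query text, so data
        # supplied by the caller can change the structure of the statement.
        sql = "SELECT name FROM users WHERE %s = '%s' ORDER BY id" % (column, value)
        return [row[0] for row in self.db.execute(sql)]

    def find_bound(self, column, value):
        # The column name is checked against a fixed set; the value travels
        # as a bound parameter and is never parsed as SQL.
        if column not in self.COLUMNS:
            raise ValueError("unknown column: %r" % column)
        sql = "SELECT name FROM users WHERE %s = ? ORDER BY id" % column
        return [row[0] for row in self.db.execute(sql, (value,))]


def compare(value):
    """Return (unsafe_result, bound_result) for the same caller-supplied value."""
    mapper = UserMapper()
    return mapper.find_unsafe("name", value), mapper.find_bound("name", value)


if __name__ == "__main__":
    # Second value is a constructed input containing a quote character.
    for v in ("alice", "x' OR '1'='1"):
        print(repr(v), compare(v))
```

A regression test that feeds quote-bearing input to every finder and asserts an empty result catches the concatenating variant before release.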